Don’t get Stung
(An introduction to the OWASP Top Ten Project)

             Barry Dorrans
        MVP – Developer Security
Contents
• OWASP Top Ten
• http://www.owasp.org
• A worldwide free and open community
  focused on improving the security of
  application software
Introduction
• Do not try this at home. Or at work.
• These are not just ASP.NET vulnerabilities
• If you don’t want to ask public questions ...

  barryd@idunno.org / http://idunno.org
10 – Failure to restrict URI access
Failure to restrict URI access
•   Security by obscurity is useless
•   Restrict via ASP.NET
•   Integrated pipeline restricts everything
•   Use [PrincipalPermission] to protect yourself
9 – Insecure Communications
Insecure Communications
• Use SSL
• Protect communications between web server and backend systems (SSL, IPSEC etc.)
• Replay attacks
8 – Insecure Cryptographic Storage
Insecure Cryptographic Storage
• Symmetric – same key
• Asymmetric – public/private keys
• Use safe algorithms –
  – Hashing: SHA256
  – Symmetric: AES
  – Asymmetric: CMS/PKCS#7
• Encrypt then sign
Insecure Cryptographic Storage
• Use symmetric when
  – All systems are under your control
  – No need to identify who did the encryption
• Use asymmetric when
  – Talking/accepting from external systems
  – Non-repudiation on who encrypted/signed (X509)
  – All in memory!
• Combine the two for speed and security
Insecure Cryptographic Storage
• Do not reuse keys for different purposes
• Store keys outside the main database
• Use CryptGenRandom for random numbers
• Use & rotate salts
• Use unique IVs
• DPAPI can provide a key store
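Added example, not from the slides: the hybrid scheme the slides describe ("combine the two for speed and security", "encrypt then sign", "use unique IVs", "do not reuse keys for different purposes") written against .NET's System.Security.Cryptography. It assumes .NET Core / .NET 5+ (where RSA.Create(int) and OAEP-SHA256 are available); the key pairs are generated in-process only for the demonstration, where a real deployment would keep them in a key store such as DPAPI.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Hybrid envelope: a fresh AES key and IV protect the payload (fast, symmetric);
// the AES key is wrapped with the recipient's RSA public key (asymmetric); the
// sender then signs the whole envelope ("encrypt then sign") so tampering is
// detected before any decryption is attempted. The signing key and the
// encryption key are different key pairs, so neither is reused for two purposes.
public static class HybridEnvelope
{
    // Wire format: [4-byte wrapped-key length][wrapped AES key][16-byte IV][ciphertext]
    public static byte[] Seal(byte[] plaintext, RSA recipientPublic, RSA senderPrivate, out byte[] signature)
    {
        using (var aes = Aes.Create())
        {
            aes.KeySize = 256;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateKey();   // new session key per message
            aes.GenerateIV();    // unique IV per message, as the slides require

            byte[] ciphertext;
            using (var enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            // Only the recipient's private key can unwrap the session key.
            byte[] wrappedKey = recipientPublic.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA256);

            byte[] envelope;
            using (var ms = new MemoryStream())
            using (var w = new BinaryWriter(ms))
            {
                w.Write(wrappedKey.Length);
                w.Write(wrappedKey);
                w.Write(aes.IV);
                w.Write(ciphertext);
                w.Flush();
                envelope = ms.ToArray();
            }

            // Encrypt THEN sign: the signature covers everything the recipient will parse.
            signature = senderPrivate.SignData(envelope, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return envelope;
        }
    }

    public static byte[] Open(byte[] envelope, byte[] signature, RSA senderPublic, RSA recipientPrivate)
    {
        // Verify first; the ciphertext is not touched until the signature checks out.
        if (!senderPublic.VerifyData(envelope, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            throw new CryptographicException("signature check failed: envelope rejected");

        using (var ms = new MemoryStream(envelope))
        using (var r = new BinaryReader(ms))
        {
            int wrappedLen = r.ReadInt32();
            byte[] wrappedKey = r.ReadBytes(wrappedLen);
            byte[] iv = r.ReadBytes(16);
            byte[] ciphertext = r.ReadBytes((int)(ms.Length - ms.Position));

            using (var aes = Aes.Create())
            {
                aes.Mode = CipherMode.CBC;
                aes.Padding = PaddingMode.PKCS7;
                aes.Key = recipientPrivate.Decrypt(wrappedKey, RSAEncryptionPadding.OaepSHA256);
                aes.IV = iv;
                using (var dec = aes.CreateDecryptor())
                    return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
            }
        }
    }

    public static void Main()
    {
        using (RSA sender = RSA.Create(2048))      // signing pair (demo only; not a key store)
        using (RSA recipient = RSA.Create(2048))   // encryption pair
        {
            byte[] message = Encoding.UTF8.GetBytes("constructed sample record: order 1234");
            byte[] sig;
            byte[] env = Seal(message, recipient, sender, out sig);

            Console.WriteLine(Encoding.UTF8.GetString(Open(env, sig, sender, recipient)));

            env[env.Length - 1] ^= 0x01;   // flip one ciphertext bit: the signature now fails
            try { Open(env, sig, sender, recipient); }
            catch (CryptographicException e) { Console.WriteLine(e.Message); }
        }
    }
}
```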
7 - Broken Authentication/Sessions
Broken Authentication/Sessions
• Don’t roll your own!
• Validate sessions on every request
  – Check the browser string
6 – Information Leakage
Information Leakage
•   Don’t show raw errors
•   Catch errors “properly”
•   Don’t upload PDBs or debug assemblies
•   Encrypt web.config parts
•   Encrypt ViewState -
•   Watch your CSS!
•   For Ajax, UpdatePanels are more secure
•   Turn off meta data in web services
5 – Cross Site Request Forgery
Cross Site Request Forgery
• Lock ViewState using ViewStateUserKey
  – Needs a way to identify user
  – Set in Page_Init
• Use a CSRF token –
  http://anticsrf.codeplex.com
• Encourage users to log out
• GET requests must be idempotent
• When is a postback not a postback?
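Added example, not from the slides: the two CSRF defences listed above on an ASP.NET WebForms page, ViewStateUserKey set in Page_Init and a per-session anti-CSRF token checked on every postback. It assumes System.Web with session state and AutoEventWireup enabled; the CsrfToken helper, the TransferPage class and the "__csrf" field name are invented for this illustration (the AntiCSRF library the slides link to packages the same idea).

```csharp
using System;
using System.Security.Cryptography;
using System.Web.SessionState;
using System.Web.UI;

public static class CsrfToken
{
    private const string SessionKey = "__csrf_token";
    public const string FieldName = "__csrf";   // hypothetical hidden-field name

    // One random token per session, created with a CSPRNG (never System.Random).
    public static string Current(HttpSessionState session)
    {
        var token = session[SessionKey] as string;
        if (token == null)
        {
            var raw = new byte[32];
            using (var rng = RandomNumberGenerator.Create())
                rng.GetBytes(raw);
            token = Convert.ToBase64String(raw);
            session[SessionKey] = token;   // storing a value also pins the session id
        }
        return token;
    }

    // Constant-time compare: the token cannot be recovered byte by byte from timing.
    public static bool IsValid(string expected, string submitted)
    {
        if (expected == null || submitted == null || expected.Length != submitted.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ submitted[i];
        return diff == 0;
    }
}

// Code-behind for a hypothetical state-changing page.
public partial class TransferPage : Page
{
    // "Set in Page_Init": ViewStateUserKey must be assigned before view state is
    // loaded, so Page_Load is too late. Tying it to the session id means view state
    // captured from one session fails the MAC check when replayed in another.
    protected void Page_Init(object sender, EventArgs e)
    {
        ViewStateUserKey = Session.SessionID;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // GET stays idempotent: rendering the form changes nothing server-side.
            ClientScript.RegisterHiddenField(CsrfToken.FieldName, CsrfToken.Current(Session));
            return;
        }

        // Every state-changing postback must carry the token this session was issued.
        string submitted = Request.Form[CsrfToken.FieldName];
        if (!CsrfToken.IsValid(CsrfToken.Current(Session), submitted))
        {
            Response.StatusCode = 403;
            Response.End();
        }
        // ... perform the transfer only after the token check has passed
    }
}
```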
4 – Insecure Direct Object Reference
Insecure Direct Object Reference
• Use indirect object references
• Always check access permissions
3 – Malicious File Execution
Malicious File Execution
• Remove Scripting IIS permission
• Store outside of application root
• Never believe the MIME type for uploads
2 – Injection Flaws
Injection Flaws
• SQL
  – Use SQL parameters
  – Remove direct SQL table access
• XPath
  – Use XsltContext
  – http://mvpxml.codeplex.com/
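Added example, not from the slides: the same lookup written three ways to show what "use SQL parameters" and "remove direct SQL table access" mean in ADO.NET. The Users table, the GetDisplayName stored procedure and the method names are invented for this illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // Vulnerable: the input is pasted into the SQL text, so a quote character in it
    // ends the string literal and whatever follows is parsed as SQL by the server.
    public static string FindDisplayNameUnsafe(SqlConnection conn, string userName)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT DisplayName FROM Users WHERE UserName = '" + userName + "'";
            return cmd.ExecuteScalar() as string;
        }
    }

    // Hardened: the value travels as a typed parameter, separate from the query text,
    // so the server never parses it as SQL regardless of its contents.
    public static string FindDisplayName(SqlConnection conn, string userName)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT DisplayName FROM Users WHERE UserName = @userName";
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
            return cmd.ExecuteScalar() as string;
        }
    }

    // "Remove direct SQL table access": the application login is granted EXECUTE on
    // this procedure only, not SELECT on Users, so even a bug elsewhere cannot read
    // the table directly. The parameter is still typed and length-bounded.
    public static string FindDisplayNameViaProc(SqlConnection conn, string userName)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.CommandText = "dbo.GetDisplayName";   // hypothetical procedure
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
            return cmd.ExecuteScalar() as string;
        }
    }
}
```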
1 – Cross Site Scripting
XSS
• <IMG SRC=javascript:alert('XSS')>
• <IMG SRC=JaVaScRiPt:alert('XSS')>
• <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
XSS
• All input is evil
• Work from white-lists not black-lists.
• Store un-encoded data in your database
• Use HttpOnly cookies
• AntiXSS project http://antixss.codeplex.com
  – Better HTML/URL Encoding
  – Adds HTML Attribute, JavaScript, JSON, VBScript encoding
• XSS Cheat Sheet http://ha.ckers.org/xss.html
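Added example, not from the slides, showing why the slides say "white-lists not black-lists": the three IMG vectors on the XSS slide are spelt differently, but a browser decodes the numeric entities and ignores case, so all three resolve to the same javascript: URL and a raw-text black-list catches only the first. The allow-list check below accepts only absolute http(s) URLs and encodes at output time for the attribute context; it assumes System.Web's HttpUtility for the encoder (the AntiXSS library the slides mention provides a stricter equivalent) and the class name is invented.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;
using System.Web;

public static class ImageSrcFilter
{
    // A black-list of the kind that looks safe but is not: it inspects the raw bytes.
    public static bool BlacklistRejects(string src)
    {
        return src.Contains("javascript:");
    }

    // What the browser will actually interpret: entities decoded, whitespace
    // removed, case folded. Used only for the decision, never for output.
    public static string Canonicalise(string src)
    {
        string decoded = WebUtility.HtmlDecode(src);
        decoded = Regex.Replace(decoded, @"\s+", "");
        return decoded.ToLowerInvariant();
    }

    // Allow-list: only an absolute http(s) URL is acceptable as an image source.
    public static bool IsAllowedImageUrl(string src)
    {
        Uri uri;
        return Uri.TryCreate(Canonicalise(src), UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }

    // Store the raw value; encode at render time for the HTML-attribute context.
    public static string RenderImgTag(string src)
    {
        if (!IsAllowedImageUrl(src))
            throw new ArgumentException("image source is not on the allow-list");
        return "<img src=\"" + HttpUtility.HtmlAttributeEncode(src) + "\" />";
    }

    public static void Main()
    {
        // The three SRC values from the XSS slide.
        string[] srcFromSlide =
        {
            "javascript:alert('XSS')",
            "JaVaScRiPt:alert('XSS')",
            "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;",
        };
        foreach (string s in srcFromSlide)
            Console.WriteLine("blacklist rejects: {0,-5} allow-list accepts: {1,-5} canonical: {2}",
                BlacklistRejects(s), IsAllowedImageUrl(s), Canonicalise(s));

        // Constructed benign input: accepted, and the '&' is encoded for the attribute.
        Console.WriteLine(RenderImgTag("https://example.invalid/logo.png?a=1&b=2"));
    }
}
```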
The OWASP Top Ten
•   Failure to restrict URL access
•   Insecure Communications
•   Insecure Cryptographic Storage
•   Broken Authentication / Session Management
•   Information Leakage
•   Cross Site Request Forgery
•   Insecure Direct Object Reference
•   Malicious File Execution
•   Injection Flaws
•   Cross Site Scripting
Resources
• AntiXSS - http://www.codeplex.com/AntiXSS
• AntiCSRF - http://www.codeplex.com/AntiCSRF
• P&P Guidance Explorer -
      http://www.codeplex.com/guidanceExplorer
• Fiddler – http://www.fiddlertool.com
• TamperData –
      https://addons.mozilla.org/en-US/firefox/addon/966
Questions

Weitere ähnliche Inhalte

Was ist angesagt?

installing-and-setting-up-your-zap-environment-slides.pdf
installing-and-setting-up-your-zap-environment-slides.pdfinstalling-and-setting-up-your-zap-environment-slides.pdf
installing-and-setting-up-your-zap-environment-slides.pdfMarcelo Cunha
 
How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematicianHow to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician Antonio Sanso
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Ömer Çıtak
 
Comment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapital
Comment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapitalComment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapital
Comment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapitalGuillaume Marchand
 
ResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionPratik Jagdishwala
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Ömer Çıtak
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyRyan LaBouve
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Tinashe Makuti
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeScott Helme
 
Defeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyDefeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyFrancois Marier
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyKsenia Peguero
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
12 Rocking Apache .htaccess Tutorial ...
12 Rocking Apache .htaccess Tutorial ...12 Rocking Apache .htaccess Tutorial ...
12 Rocking Apache .htaccess Tutorial ...wensheng wei
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Slides
SlidesSlides
Slidesvti
 

Was ist angesagt? (20)

installing-and-setting-up-your-zap-environment-slides.pdf
installing-and-setting-up-your-zap-environment-slides.pdfinstalling-and-setting-up-your-zap-environment-slides.pdf
installing-and-setting-up-your-zap-environment-slides.pdf
 
How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematicianHow to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)
 
Comment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapital
Comment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapitalComment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapital
Comment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapital
 
ResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security session
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Bünyamin Demir - 10 Adımda Yazılım Güvenliği
Bünyamin Demir - 10 Adımda Yazılım GüvenliğiBünyamin Demir - 10 Adımda Yazılım Güvenliği
Bünyamin Demir - 10 Adımda Yazılım Güvenliği
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army Knife
 
Defeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyDefeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security Policy
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security Policy
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
12 Rocking Apache .htaccess Tutorial ...
12 Rocking Apache .htaccess Tutorial ...12 Rocking Apache .htaccess Tutorial ...
12 Rocking Apache .htaccess Tutorial ...
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
Slides
SlidesSlides
Slides
 

Andere mochten auch

Question 3:- What have you learned from your audience feedback?
Question 3:- What have you learned from your audience feedback?Question 3:- What have you learned from your audience feedback?
Question 3:- What have you learned from your audience feedback?David Wooldridge
 
Presentación Programa Superior de #ContactCenter
Presentación Programa Superior de #ContactCenterPresentación Programa Superior de #ContactCenter
Presentación Programa Superior de #ContactCenterRaquel1704
 
Progetto 5 comuni del Pasubio - scuola Vallarsa
Progetto 5  comuni del Pasubio - scuola VallarsaProgetto 5  comuni del Pasubio - scuola Vallarsa
Progetto 5 comuni del Pasubio - scuola Vallarsaguestf9daa3a
 
Unmanned Video citizin services
Unmanned Video citizin servicesUnmanned Video citizin services
Unmanned Video citizin servicesibsis
 
Integrating Social Media With Traditional Media
Integrating Social Media With Traditional MediaIntegrating Social Media With Traditional Media
Integrating Social Media With Traditional Mediaparkernow
 
關閉Q9 Ue版九方
關閉Q9 Ue版九方關閉Q9 Ue版九方
關閉Q9 Ue版九方Warren Yip
 
Use Your Library @ Home and Anywhere
Use Your Library @ Home and AnywhereUse Your Library @ Home and Anywhere
Use Your Library @ Home and AnywhereAnn Owens
 
Element Design Final Presentation3
Element Design Final Presentation3Element Design Final Presentation3
Element Design Final Presentation3guestdf2bf9
 
Select Samples of Work
Select Samples of WorkSelect Samples of Work
Select Samples of Worklizzygreen
 
Wereldwinkeliersvandetoekomst
WereldwinkeliersvandetoekomstWereldwinkeliersvandetoekomst
Wereldwinkeliersvandetoekomstfrancienvaneersel
 
Subjective Logic Extensions for the Web and the Semantic Web
Subjective Logic Extensions for the Web and the Semantic WebSubjective Logic Extensions for the Web and the Semantic Web
Subjective Logic Extensions for the Web and the Semantic WebDavide Ceolin
 
Complete Business Intelligence Solution for Your Microsoft Platform
Complete Business Intelligence Solution for Your Microsoft PlatformComplete Business Intelligence Solution for Your Microsoft Platform
Complete Business Intelligence Solution for Your Microsoft Platformwww.panorama.com
 
Pricing, Business Models, and What Things are Worth
Pricing, Business Models, and What Things are WorthPricing, Business Models, and What Things are Worth
Pricing, Business Models, and What Things are WorthEnthiosys Inc
 
The people system™ an introduction v.1.2
The people system™   an introduction v.1.2The people system™   an introduction v.1.2
The people system™ an introduction v.1.2Carol Moxam
 

Andere mochten auch (20)

Question 3:- What have you learned from your audience feedback?
Question 3:- What have you learned from your audience feedback?Question 3:- What have you learned from your audience feedback?
Question 3:- What have you learned from your audience feedback?
 
Presentación Programa Superior de #ContactCenter
Presentación Programa Superior de #ContactCenterPresentación Programa Superior de #ContactCenter
Presentación Programa Superior de #ContactCenter
 
Wereldwinkeliers
WereldwinkeliersWereldwinkeliers
Wereldwinkeliers
 
Progetto 5 comuni del Pasubio - scuola Vallarsa
Progetto 5  comuni del Pasubio - scuola VallarsaProgetto 5  comuni del Pasubio - scuola Vallarsa
Progetto 5 comuni del Pasubio - scuola Vallarsa
 
Unenclosable
UnenclosableUnenclosable
Unenclosable
 
Unmanned Video citizin services
Unmanned Video citizin servicesUnmanned Video citizin services
Unmanned Video citizin services
 
Integrating Social Media With Traditional Media
Integrating Social Media With Traditional MediaIntegrating Social Media With Traditional Media
Integrating Social Media With Traditional Media
 
關閉Q9 Ue版九方
關閉Q9 Ue版九方關閉Q9 Ue版九方
關閉Q9 Ue版九方
 
Use Your Library @ Home and Anywhere
Use Your Library @ Home and AnywhereUse Your Library @ Home and Anywhere
Use Your Library @ Home and Anywhere
 
Element Design Final Presentation3
Element Design Final Presentation3Element Design Final Presentation3
Element Design Final Presentation3
 
濕熱環境之生活感溫概念產品設計
濕熱環境之生活感溫概念產品設計濕熱環境之生活感溫概念產品設計
濕熱環境之生活感溫概念產品設計
 
Select Samples of Work
Select Samples of WorkSelect Samples of Work
Select Samples of Work
 
Unenclosable
UnenclosableUnenclosable
Unenclosable
 
Wereldwinkeliersvandetoekomst
WereldwinkeliersvandetoekomstWereldwinkeliersvandetoekomst
Wereldwinkeliersvandetoekomst
 
Subjective Logic Extensions for the Web and the Semantic Web
Subjective Logic Extensions for the Web and the Semantic WebSubjective Logic Extensions for the Web and the Semantic Web
Subjective Logic Extensions for the Web and the Semantic Web
 
Complete Business Intelligence Solution for Your Microsoft Platform
Complete Business Intelligence Solution for Your Microsoft PlatformComplete Business Intelligence Solution for Your Microsoft Platform
Complete Business Intelligence Solution for Your Microsoft Platform
 
Pricing, Business Models, and What Things are Worth
Pricing, Business Models, and What Things are WorthPricing, Business Models, and What Things are Worth
Pricing, Business Models, and What Things are Worth
 
2009成果展-實況報導
2009成果展-實況報導2009成果展-實況報導
2009成果展-實況報導
 
Unenclosable
UnenclosableUnenclosable
Unenclosable
 
The people system™ an introduction v.1.2
The people system™   an introduction v.1.2The people system™   an introduction v.1.2
The people system™ an introduction v.1.2
 

Ähnlich wie Don't Get Stung

Web security for app developers
Web security for app developersWeb security for app developers
Web security for app developersPablo Gazmuri
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Web Database Server Best Practices
Web Database Server Best PracticesWeb Database Server Best Practices
Web Database Server Best Practicessyrinxtech
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishMarkus Eisele
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFMark Stanton
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)Nate Lawson
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
9 Ways to Hack a Web App
9 Ways to Hack a Web App9 Ways to Hack a Web App
9 Ways to Hack a Web Appelliando dias
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Security Checklist for TYPO3
Security Checklist for TYPO3Security Checklist for TYPO3
Security Checklist for TYPO3jweiland
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
Enterprise Security mit Spring Security
Enterprise Security mit Spring SecurityEnterprise Security mit Spring Security
Enterprise Security mit Spring SecurityMike Wiesner
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 

Ähnlich wie Don't Get Stung (20)

Web security for app developers
Web security for app developersWeb security for app developers
Web security for app developers
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Web Database Server Best Practices
Web Database Server Best PracticesWeb Database Server Best Practices
Web Database Server Best Practices
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFish
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
 
Web Security
Web SecurityWeb Security
Web Security
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
9 Ways to Hack a Web App
9 Ways to Hack a Web App9 Ways to Hack a Web App
9 Ways to Hack a Web App
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Securing your web apps now
Securing your web apps nowSecuring your web apps now
Securing your web apps now
 
Security Checklist for TYPO3
Security Checklist for TYPO3Security Checklist for TYPO3
Security Checklist for TYPO3
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
Enterprise Security mit Spring Security
Enterprise Security mit Spring SecurityEnterprise Security mit Spring Security
Enterprise Security mit Spring Security
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 

Kürzlich hochgeladen

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf

Don't Get Stung

1. Don’t get Stung
   (An introduction to the OWASP Top Ten Project)
   Barry Dorrans, MVP – Developer Security

2. Contents
   • OWASP Top Ten
   • http://www.owasp.org
   • A worldwide free and open community focused on improving the security of application software

3. Introduction
   • Do not try this at home. Or at work.
   • These are not just ASP.NET vulnerabilities
   • If you don’t want to ask public questions ... barryd@idunno.org / http://idunno.org

4. 10 – Failure to restrict URI access

5. Failure to restrict URI access
   • Security by obscurity is useless
   • Restrict via ASP.NET
   • Integrated pipeline restricts everything
   • Use [PrincipalPermission] to protect yourself
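An added example (not from the deck) of the two layers slide 5 recommends: a web.config location rule for the URL, and a [PrincipalPermission] demand on the code that does the privileged work, so the second holds even if someone reaches the handler by a path the first never saw. The page name, the "Administrators" role and the ReportLiteral control are assumptions.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not from the deck. Assumes forms or Windows authentication is
// on and that privileged users are in a (hypothetical) "Administrators" role.
//
// URL-level restriction for the same page ("Restrict via ASP.NET"):
//   <location path="AdminReport.aspx"><system.web><authorization>
//     <allow roles="Administrators" /><deny users="*" />
//   </authorization></system.web></location>
public partial class AdminReport : Page
{
    protected Literal ReportLiteral;   // control declared in the assumed .aspx markup

    // The demand runs before the body executes: if the current principal is not
    // in the role the runtime throws SecurityException, whichever URL, handler
    // mapping or unlisted link reached this code.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    private string BuildReport()
    {
        return "sensitive report body";
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            ReportLiteral.Text = Server.HtmlEncode(BuildReport());
        }
        catch (SecurityException)
        {
            // A bare 403 with no detail: see the Information Leakage slides.
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```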
6. 9 – Insecure Communications

7. Insecure Communications
   • Use SSL
   • Protect communications between web server and backend systems (SSL, IPSEC etc.)
   • Replay attacks

8. 8 – Insecure Cryptographic Storage

9. Insecure Cryptographic Storage
   • Symmetric – same key
   • Asymmetric – public/private keys
   • Use safe algorithms –
     Hashing: SHA256
     Symmetric: AES
     Asymmetric: CMS/PKCS#7
   • Encrypt then sign

10. Insecure Cryptographic Storage
   • Use symmetric when
     – All systems are under your control
     – No need to identify who did the encryption
   • Use asymmetric when
     – Talking/accepting from external systems
     – Non-repudiation on who encrypted/signed (X509)
     – All in memory!
   • Combine the two for speed and security

11. Insecure Cryptographic Storage
   • Do not reuse keys for different purposes
   • Store keys outside the main database
   • Use CryptGenRandom for random numbers
   • Use & rotate salts
   • Use unique IVs
   • DPAPI can provide a key store
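Slides 9 to 11 as one working piece, added here and not the deck's own code: AES with a unique IV per message, "encrypt then sign" in its symmetric form (an HMAC under a second key rather than a signature), CryptGenRandom through its .NET wrapper, and DPAPI for keeping the keys out of the database. The class name and the IV||ciphertext||tag layout are my choices.

```csharp
using System;
using System.Security.Cryptography;
// Added example, not from the deck: AES-CBC with a fresh IV per message, then
// HMAC-SHA256 over IV||ciphertext under a separate key (the symmetric reading of
// "encrypt then sign"). Keys never live in the database: DPAPI wraps them.
public static class SealedStorage
{
    const int IvLen = 16, TagLen = 32;
    // RNGCryptoServiceProvider wraps CryptGenRandom; use it for keys, IVs and salts alike.
    static readonly RandomNumberGenerator Rng = new RNGCryptoServiceProvider();

    // Layout: IV || ciphertext || HMAC(macKey, IV || ciphertext)
    public static byte[] Seal(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        var iv = new byte[IvLen];
        Rng.GetBytes(iv);                                // unique IV for every message
        byte[] cipher;
        using (var aes = new AesCryptoServiceProvider { Key = encKey, IV = iv })
        using (var enc = aes.CreateEncryptor())
            cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        var output = new byte[IvLen + cipher.Length + TagLen];
        Buffer.BlockCopy(iv, 0, output, 0, IvLen);
        Buffer.BlockCopy(cipher, 0, output, IvLen, cipher.Length);
        using (var hmac = new HMACSHA256(macKey))        // macKey != encKey: one key, one purpose
            Buffer.BlockCopy(hmac.ComputeHash(output, 0, IvLen + cipher.Length), 0,
                             output, IvLen + cipher.Length, TagLen);
        return output;
    }

    public static byte[] Open(byte[] sealedData, byte[] encKey, byte[] macKey)
    {
        if (sealedData.Length < IvLen + TagLen) throw new CryptographicException("too short");
        int bodyLen = sealedData.Length - TagLen;
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(sealedData, 0, bodyLen);
        int diff = 0;                                    // constant-time tag comparison
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ sealedData[bodyLen + i];
        if (diff != 0) throw new CryptographicException("authentication failed");
        var iv = new byte[IvLen];                        // only now touch the ciphertext
        Buffer.BlockCopy(sealedData, 0, iv, 0, IvLen);
        using (var aes = new AesCryptoServiceProvider { Key = encKey, IV = iv })
        using (var dec = aes.CreateDecryptor())
            return dec.TransformFinalBlock(sealedData, IvLen, bodyLen - IvLen);
    }
    // DPAPI (ProtectedData) seals the key under the machine account. Persist the
    // blob on disk, outside the main database, and unwrap it at start-up.
    public static byte[] WrapKey(byte[] key) { return ProtectedData.Protect(key, null, DataProtectionScope.LocalMachine); }
    public static byte[] UnwrapKey(byte[] blob) { return ProtectedData.Unprotect(blob, null, DataProtectionScope.LocalMachine); }
}
```

Generate encKey and macKey as two separate 32-byte values from Rng, wrap each with WrapKey before storing, and any tampering with a sealed blob is rejected by Open before a single byte is decrypted.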
12. 7 – Broken Authentication/Sessions

13. Broken Authentication/Sessions
   • Don’t roll your own!
   • Validate sessions on every request
     – Check the browser string

14. 6 – Information Leakage

15. Information Leakage
   • Don’t show raw errors
   • Catch errors “properly”
   • Don’t upload PDBs or debug assemblies
   • Encrypt web.config parts
   • Encrypt ViewState
   • Watch your CSS!
   • For Ajax, UpdatePanels are more secure
   • Turn off meta data in web services

16. 5 – Cross Site Request Forgery

17. Cross Site Request Forgery
   • Lock ViewState using ViewStateUserKey
     – Needs a way to identify user
     – Set in Page_Init
   • Use a CSRF token – http://anticsrf.codeplex.com
   • Encourage users to log out
   • GET requests must be idempotent
   • When is a postback not a postback?
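Slide 17's ViewStateUserKey advice as an added base page (example code, not from the deck). It sets the key in Init, picks the user identifier the slide says you need, and gives one reading of the closing question: a GET carrying __VIEWSTATE in its query string counts as a postback to ASP.NET, so handlers that change state should also insist on a real POST. The class name and the choice of identifier are assumptions.

```csharp
using System;
using System.Web.UI;

// Added example, not from the deck. A base page for the WebForms app: ViewState
// is keyed to the caller in Init (before it is loaded), so a ViewState blob
// captured for one user fails the MAC check when replayed from another browser.
public class CsrfProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // "Needs a way to identify user": the login name when authenticated,
        // otherwise the session id. An ASP.NET session id is only stable once
        // something has been stored in the session, so store a value first.
        ViewStateUserKey = User.Identity.IsAuthenticated
            ? User.Identity.Name
            : Session.SessionID;
        base.OnInit(e);
    }

    // "When is a postback not a postback?" One reading: ASP.NET treats a GET
    // whose query string carries __VIEWSTATE as a postback, so IsPostBack alone
    // does not prove a form was submitted. State-changing control handlers call
    // this first; a GET must stay idempotent.
    protected void RequireGenuinePostback()
    {
        if (!IsPostBack || Request.HttpMethod != "POST")
        {
            Response.StatusCode = 400;
            Response.End();
        }
    }
}
```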
18. 4 – Insecure Direct Object Reference

19. Insecure Direct Object Reference
   • Use indirect object references
   • Always check access permissions
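Both bullets of slide 19 in one added helper (not the deck's code): links carry a random per-session token instead of the database id, and resolving the token re-runs the caller's access check rather than trusting the mapping alone. The session slot name, token format and the userMayAccess callback are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.SessionState;

// Added example, not from the deck. Per-session indirect references: links carry
// an opaque token instead of the database id, and every lookup both maps the
// token back and re-runs the access check, so an enumerated id resolves to
// nothing and even a valid token cannot reach another user's record.
public static class ReferenceMap
{
    const string SessionSlot = "__refmap";   // session key name is an assumption

    static Dictionary<string, int> Map(HttpSessionState session)
    {
        var map = session[SessionSlot] as Dictionary<string, int>;
        if (map == null) { map = new Dictionary<string, int>(); session[SessionSlot] = map; }
        return map;
    }

    // When rendering a list: hand out the token that goes in the link.
    public static string ToIndirect(HttpSessionState session, int realId)
    {
        var map = Map(session);
        foreach (var kv in map) if (kv.Value == realId) return kv.Key;
        var bytes = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(bytes);          // unguessable token
        string token = BitConverter.ToString(bytes).Replace("-", "");
        map[token] = realId;
        return token;
    }

    // On the request that follows the link. Returns null for an unknown token
    // (forged, or from another session) and for a record the user may not see.
    public static int? ToDirect(HttpSessionState session, string token,
                                Func<int, bool> userMayAccess)
    {
        int realId;
        if (token == null || !Map(session).TryGetValue(token, out realId)) return null;
        return userMayAccess(realId) ? realId : (int?)null;   // "Always check access permissions"
    }
}
```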
20. 3 – Malicious File Execution

21. Malicious File Execution
   • Remove Scripting IIS permission
   • Store outside of application root
   • Never believe the MIME type for uploads

23. Injection Flaws
   • SQL
     – Use SQL parameters
     – Remove direct SQL table access
   • XPath
     – Use XsltContext – http://mvpxml.codeplex.com/
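The two SQL bullets of slide 23 side by side, as an added example rather than the deck's code: the concatenated query that is the injection hole, the same query with a typed SqlParameter, and a stored-procedure call that lets the application login have no direct table access at all. Table, column and procedure names are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example, not from the deck. The concatenated query is the injection hole;
// the parameterised form sends the value out of band, so whatever it contains is
// compared as data and never parsed as SQL. Table, columns and the procedure
// name are assumptions.
public static class OrderLookup
{
    // VULNERABLE: customerId is spliced into the SQL text, so any SQL syntax in
    // it becomes part of the statement the server executes.
    public static string UnsafeQueryText(string customerId)
    {
        return "SELECT Id, Total FROM Orders WHERE CustomerId = " + customerId;
    }

    // SAFE: the value travels as a typed parameter, never as SQL text.
    public static SqlCommand SafeCommand(SqlConnection conn, int customerId)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Total FROM Orders WHERE CustomerId = @CustomerId", conn);
        cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;
        return cmd;
    }

    // "Remove direct SQL table access": grant the application login EXECUTE on
    // this procedure and no SELECT on Orders, so an injection that does get
    // through elsewhere finds no table it is allowed to read.
    public static SqlCommand ProcedureCommand(SqlConnection conn, int customerId)
    {
        var cmd = new SqlCommand("dbo.GetOrdersForCustomer", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;
        return cmd;
    }
}
```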
24. 1 – Cross Site Scripting

25. XSS
   • <IMG SRC=javascript:alert('XSS')>
   • <IMG SRC=JaVaScRiPt:alert('XSS')>
   • <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

26. XSS
   • All input is evil
   • Work from white-lists not black-lists.
   • Store un-encoded data in your database
   • Use HttpOnly cookies
   • AntiXSS project http://antixss.codeplex.com
     – Better HTML/URL Encoding
     – Adds HTML Attribute, JavaScript, JSON, VBScript
   • XSS Cheat Sheet http://ha.ckers.org/xss.html
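Slide 26 as an added example (not from the deck): a white-list check on input, the raw value stored as-is, context-specific output encoding through the AntiXSS library's per-context methods, and an HttpOnly session cookie. The method names are those of the AntiXSS 3.x AntiXss class and are an assumption about the version in use; the regular expression is my own.

```csharp
using System.Text.RegularExpressions;
using System.Web;
using Microsoft.Security.Application;   // the AntiXSS library from the slide

// Added example, not from the deck. Keep the raw value in the database, validate
// it against a white-list on the way in, and encode for the exact output context
// on the way out. Method names follow the AntiXSS 3.x AntiXss class; later
// versions renamed it, so treat the exact names as an assumption.
public static class SafeOutput
{
    // White-list: a display name is 1 to 40 letters, digits or spaces. Anything
    // else is rejected outright rather than having "bad" characters stripped.
    static readonly Regex DisplayName = new Regex(@"^[\p{L}\p{Nd} ]{1,40}$");

    public static bool IsValidDisplayName(string s)
    {
        return s != null && DisplayName.IsMatch(s);
    }

    // One stored value, four output contexts, four different encoders. HtmlEncode
    // alone is not enough inside an attribute, a script block or a URL.
    public static string AsHtmlText(string raw)          { return AntiXss.HtmlEncode(raw); }
    public static string AsHtmlAttribute(string raw)     { return AntiXss.HtmlAttributeEncode(raw); }
    public static string AsJavaScriptLiteral(string raw) { return AntiXss.JavaScriptEncode(raw); } // returns a quoted literal
    public static string AsUrlParameter(string raw)      { return AntiXss.UrlEncode(raw); }

    // HttpOnly keeps the session cookie out of document.cookie, so script that
    // does slip through cannot simply read it; Secure keeps it off plain HTTP.
    public static HttpCookie SessionCookie(string name, string value)
    {
        return new HttpCookie(name, value) { HttpOnly = true, Secure = true };
    }
}
```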
27. The OWASP Top Ten
   • Failure to restrict URL access
   • Insecure Communications
   • Insecure Cryptographic Storage
   • Broken Authentication / Session Management
   • Information Leakage
   • Cross Site Request Forgery
   • Insecure Direct Object Reference
   • Malicious File Execution
   • Injection Flaws
   • Cross Site Scripting

28. Resources
   • AntiXSS – http://www.codeplex.com/AntiXSS
   • AntiCSRF – http://www.codeplex.com/AntiCSRF
   • P&P Guidance Explorer – http://www.codeplex.com/guidanceExplorer
   • Fiddler – http://www.fiddlertool.com
   • TamperData – https://addons.mozilla.org/en-US/firefox/addon/966