1. Don’t get Stung
(An introduction to the OWASP Top Ten Project)
Barry Dorrans
MVP – Developer Security
2. Contents
• OWASP Top Ten
• http://www.owasp.org
• A worldwide free and open community focused on improving the security of application software
3. Introduction
• Do not try this at home. Or at work.
• These are not just ASP.NET vulnerabilities
• If you don’t want to ask public questions ...
barryd@idunno.org / http://idunno.org
5. Failure to restrict URI access
• Security by obscurity is useless
• Restrict via ASP.NET
• Integrated pipeline restricts everything
• Use [PrincipalPermission] to protect yourself
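As an added example (not from the slides), here is what "restrict via ASP.NET" with [PrincipalPermission] looks like on a page: the demand is evaluated against the current principal, so a visitor who merely knows the URL still gets a SecurityException. The class name, role name and redirect path are assumptions.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Web.UI;

// Added example, not from the slides. ASP.NET copies HttpContext.User to
// Thread.CurrentPrincipal, which is what PrincipalPermission inspects.
public partial class ReportAdmin : Page
{
    // Declarative demand on the constructor: an anonymous principal, or one not in the
    // "Administrators" role (assumed name), is rejected before Page_Load ever runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public ReportAdmin() { }

    // The same attribute on a method guards it no matter how it is reached
    // (postback handler, helper called from another page, web method).
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    protected void DeleteReport(int reportId)
    {
        // ... business logic for an authenticated caller only ...
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            DeleteReport(42); // constructed sample id
        }
        catch (SecurityException)
        {
            // Do not explain why the demand failed; send the user to a generic page (assumed path).
            Response.Redirect("~/AccessDenied.aspx", false);
        }
    }
}
```

Pair this with `<authorization>` rules in web.config so the integrated pipeline also refuses unauthenticated requests for the directory; the attribute is the second line of defence for code that is reachable by other routes.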
9. Insecure Cryptographic Storage
• Symmetric – same key
• Asymmetric – public/private keys
• Use safe algorithms
– Hashing: SHA256
– Symmetric: AES
– Asymmetric: CMS/PKCS#7
• Encrypt then sign
10. Insecure Cryptographic Storage
• Use symmetric when
– All systems are under your control
– No need to identify who did the encryption
• Use asymmetric when
– Talking/accepting from external systems
– Non-repudiation on who encrypted/signed (X509)
– All in memory!
• Combine the two for speed and security
11. Insecure Cryptographic Storage
• Do not reuse keys for different purposes
• Store keys outside the main database
• Use CryptGenRandom for random numbers
• Use & rotate salts
• Use unique IVs
• DPAPI can provide a key store
15. Information Leakage
• Don’t show raw errors
• Catch errors “properly”
• Don’t upload PDBs or debug assemblies
• Encrypt web.config parts
• Encrypt ViewState
• Watch your CSS!
• For Ajax, UpdatePanels are more secure
• Turn off meta data in web services
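Two of the points above, catching errors "properly" and encrypting web.config parts, are shown in this added example (not code from the slides). The Global.asax handler keeps the full exception server-side and gives the user a generic page; the helper encrypts the connectionStrings section with DPAPI in place, which is what `aspnet_regiis -pe` does from the command line. The event-log source name and page paths are assumptions.

```csharp
using System;
using System.Configuration;
using System.Diagnostics;
using System.Web;
using System.Web.Configuration;

// Added example, not from the slides.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // Stack trace and inner exceptions go where only operators can read them
        // ("MyWebApp" is an assumed, pre-registered event source).
        EventLog.WriteEntry("MyWebApp", ex.ToString(), EventLogEntryType.Error);

        // Clear the error so ASP.NET does not render the raw error page,
        // then show a page that says nothing about what went wrong (assumed path).
        Server.ClearError();
        Response.Redirect("~/Error.aspx", false);
    }
}

public static class ConfigProtection
{
    // Run once at deployment or from an admin-only page; needs write access to web.config.
    // DataProtectionConfigurationProvider uses the machine DPAPI key by default.
    public static void ProtectConnectionStrings(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section != null && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save(ConfigurationSaveMode.Modified);
        }
    }
}
```

Keep `<customErrors mode="RemoteOnly">` as a backstop for anything the handler misses, and set `viewStateEncryptionMode="Always"` on `<pages>` for the ViewState point. The section is decrypted transparently when the application reads it, so no code that consumes the connection string changes.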
17. Cross Site Request Forgery
• Lock ViewState using ViewStateUserKey
– Needs a way to identify user
– Set in Page_Init
• Use a CSRF token: http://anticsrf.codeplex.com
• Encourage users to log out
• GET requests must be idempotent
• When is a postback not a postback?
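As an added example (not from the slides, and not the AntiCSRF library's own code), this page base class does both things the slide asks for: it ties ViewState to the session by setting ViewStateUserKey in Init, and it issues a per-session CSRF token as a hidden field that every postback must echo back. The hidden-field name and session key are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Added example, not from the slides. Derive pages from this class instead of Page.
public class CsrfProtectedPage : Page
{
    private const string TokenKey = "__CsrfToken"; // assumed field and session key name

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Must be set before ViewState is loaded, so Init rather than Load.
        // Needs something that identifies the user; the session id serves here.
        ViewStateUserKey = Session.SessionID;
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        string expected = Session[TokenKey] as string;
        if (expected == null)
        {
            expected = NewToken();
            Session[TokenKey] = expected;
        }
        if (IsPostBack)
        {
            // A postback that does not carry the token was not produced by our form.
            string submitted = Request.Form[TokenKey];
            if (submitted == null || !ConstantTimeEquals(submitted, expected))
                throw new HttpException(403, "Invalid request token");
        }
        // Emit the token so the next legitimate POST can send it back.
        ClientScript.RegisterHiddenField(TokenKey, expected);
    }

    private static string NewToken()
    {
        byte[] bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    private static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The token lives in the session and the session cookie is what a forged cross-site request cannot read, which is why the check works even though the cookie itself is sent automatically. Keep state changes out of GET handlers entirely; the token check only runs on postbacks.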
26. XSS
• All input is evil
• Work from white-lists not black-lists.
• Store un-encoded data in your database
• Use HttpOnly cookies
• AntiXSS project http://antixss.codeplex.com
– Better HTML/URL encoding
– Adds HTML attribute, JavaScript, JSON and VBScript encoding
• XSS Cheat Sheet http://ha.ckers.org/xss.html
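An added example, not from the slides, of the pattern they describe: validate against a white-list on the way in, store the raw value, and pick the encoder for the output context on the way out. It uses the framework's `HttpUtility`; the AntiXSS library's `AntiXss.HtmlEncode`, `HtmlAttributeEncode` and `JavaScriptEncode` are the stricter drop-in alternatives. The field rules and cookie name are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not from the slides.
public static class XssDefence
{
    // White-list: what a display name IS allowed to contain (assumed rule), not a list of bad characters.
    private static readonly Regex DisplayName =
        new Regex(@"^[A-Za-z0-9 .'\-]{1,40}$", RegexOptions.Compiled);

    public static bool IsValidDisplayName(string input)
    {
        return input != null && DisplayName.IsMatch(input);
    }

    // One stored value, three output contexts, three encoders. The value in the
    // database stays un-encoded so it can be rendered correctly in any of them.
    public static string RenderGreeting(string rawName)
    {
        string html = HttpUtility.HtmlEncode(rawName);          // element content
        string attr = HttpUtility.HtmlAttributeEncode(rawName); // inside a double-quoted attribute only
        string url  = HttpUtility.UrlEncode(rawName);           // inside a query string
        return "<p title=\"" + attr + "\">Hello, " + html +
               " <a href=\"/profile?name=" + url + "\">profile</a></p>";
    }

    public static HttpCookie SessionCookie(string value)
    {
        var cookie = new HttpCookie("app_session", value); // assumed cookie name
        cookie.HttpOnly = true; // not readable from script via document.cookie
        cookie.Secure = true;   // only sent over HTTPS
        return cookie;
    }
}
```

`HtmlAttributeEncode` in the framework does not encode `>` or the single quote, so the attribute it protects must be double-quoted as above. Setting `<httpCookies httpOnlyCookies="true" />` in web.config makes HttpOnly the default for every cookie the application issues, including the forms-authentication and session cookies.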
27. The OWASP Top Ten
• Failure to restrict URL access
• Insecure Communications
• Insecure Cryptographic Storage
• Broken Authentication / Session Management
• Information Leakage
• Cross Site Request Forgery
• Insecure Direct Object Reference
• Malicious File Execution
• Injection Flaws
• Cross Site Scripting