OWASP & ASP.NET
OWASP TOP 10
• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication & Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict Url Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
Injection
• SQL, OS and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query
• Untrusted data:
– Integrity is not verifiable
– Intent may be malicious
– Manual user input
– Implicit user input
– Constructed user input
OWASP Matrix (Injection)
Threat Agents: Anyone who can send data to the system.
Attack Vectors (Exploitability: EASY): Attacker sends simple text-based attacks that exploit the syntax of the interpreter.
Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Very prevalent, particularly in legacy code; often found in SQL and LDAP queries, OS commands and program arguments.
Technical Impacts (Impact: SEVERE): Can result in data loss or corruption, lack of accountability, or denial of access.
Business Impact: Business value of the affected data.
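The injection risk the slides describe, shown in ADO.NET as an added example (not code from the deck): the lookup written with the untrusted value concatenated into the SQL text, beside the parameterized form in which the statement is fixed and the value travels as typed data. The table dbo.Users, its columns and the connection string passed on the command line are assumptions constructed for this example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not part of the slide deck. Assumes a table
// dbo.Users(UserName nvarchar(50), DisplayName nvarchar(100)) and a SQL Server
// connection string supplied as the first command-line argument.
public static class UserLookup
{
    // VULNERABLE shape: the untrusted name becomes part of the SQL text, so any
    // quote or comment character it contains changes the statement's syntax.
    // Returned as text only, never executed in this example.
    public static string UnsafeCommandText(string userName)
    {
        return "SELECT DisplayName FROM dbo.Users WHERE UserName = '" + userName + "'";
    }

    // SAFE: the SQL text never changes; the value is bound as a typed parameter
    // and SQL Server never parses it as part of the statement.
    public static SqlCommand BuildSafeCommand(SqlConnection connection, string userName)
    {
        var cmd = new SqlCommand(
            "SELECT DisplayName FROM dbo.Users WHERE UserName = @userName", connection);
        // Explicit type and length rather than AddWithValue: the contract of the
        // query is visible, and the inferred nvarchar(max) that AddWithValue would
        // produce can prevent the server from using the index on UserName.
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    public static string FindDisplayName(string connectionString, string userName)
    {
        using (var connection = new SqlConnection(connectionString))
        {
            connection.Open();
            using (SqlCommand cmd = BuildSafeCommand(connection, userName))
            {
                object result = cmd.ExecuteScalar();
                return (result == null || result == DBNull.Value) ? null : (string)result;
            }
        }
    }

    public static void Main(string[] args)
    {
        // Constructed input of the kind the slide calls "untrusted": a perfectly
        // ordinary name that happens to contain a quote character.
        string input = "o'brien";

        Console.WriteLine("Concatenated (broken) statement: " + UnsafeCommandText(input));
        // ... WHERE UserName = 'o'brien'  -- the data has already altered the syntax

        if (args.Length == 1)
            Console.WriteLine(FindDisplayName(args[0], input) ?? "(no such user)");
        else
            Console.WriteLine("Pass a connection string as the first argument to run the parameterized query.");
    }
}
```

The same rule applies to the other interpreters the slide lists: an LDAP filter or an OS command line built by string concatenation has the same weakness, and the fix is the same shape, a fixed command with the untrusted value passed through an API that treats it as data.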
CROSS SITE SCRIPTING (XSS)
CROSS SITE SCRIPTING
• Most commonly exploited vulnerability
• WhiteHat Security report: 65% of sites have an XSS vulnerability
• Sending data to a browser without proper validation and escaping
• Allows executing scripts in the victim’s browser
– Hijack user sessions
– Redirect to malicious sites
• Exposes an attack vector from the database
XSS Matrix
Threat Agents: Anyone who can send untrusted data to the system.
Attack Vectors (Exploitability: AVERAGE): Attacker sends simple text-based attacks that exploit the syntax of the interpreter.
Security Weakness (Prevalence: WIDESPREAD, Detectability: EASY): Most prevalent web application security flaw. Three types: 1) Stored, 2) Reflected, 3) DOM based.
Technical Impacts (Impact: MODERATE): Attacker can execute script in the victim’s browser: session hijacking, inserting hostile content, using malware, etc.
Business Impact: Business value of the affected data.
Encoding
Encoding Method       Example/Pattern
HtmlEncode            <a href="http://www.contoso.com">Click Here [Untrusted input]</a>
HtmlAttributeEncode   <hr noshade size=[Untrusted input]>
JavaScriptEncode      <script type="text/javascript"> … [Untrusted input] … </script>
UrlEncode             <a href="http://search.msn.com/results.aspx?q=[Untrusted input]">Click Here!</a>
XmlEncode             <xml_tag>[Untrusted input]</xml_tag>
XmlAttributeEncode    <xml_tag attribute=[Untrusted input]>Some Text</xml_tag>
XSS Prevention Rule #0
• Never Insert Untrusted Data Except in Allowed Locations
<script>...NEVER PUT UNTRUSTED DATA HERE...</script>   directly in a script
<!--...NEVER PUT UNTRUSTED DATA HERE...-->   inside an HTML comment
<div ...NEVER PUT UNTRUSTED DATA HERE...=test />   in an attribute name
<NEVER PUT UNTRUSTED DATA HERE... href="/test" />   in a tag name
<style>...NEVER PUT UNTRUSTED DATA HERE...</style>   directly in CSS
XSS Prevention Rule #1
• HTML Escape Before Inserting Untrusted Data into HTML Element Content
<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>
<div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>
any other normal HTML elements
• & --> &amp;
• < --> &lt;
• > --> &gt;
• " --> &quot;
• ' --> &#x27;
• / --> &#x2F;
XSS Prevention Rule #2
• Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div>   inside UNquoted attribute
<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div>   inside single quoted attribute
<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div>   inside double quoted attribute
XSS Prevention Rule #3
• JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>   inside a quoted string
<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script>   one side of a quoted expression
<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"></div>   inside quoted event handler
XSS Prevention Rule #4
• CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style>   property value
<style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style>   property value
<span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">text</span>   property value
XSS Prevention Rule #5
• URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
<a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>
XSS Prevention Rule #6
• Use an HTML Policy engine to validate or clean user-driven HTML in an outbound way
• AntiXSS
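The Encoding table and Rules #1 to #5 above, applied to one untrusted value in each output context, as an added example (not code from the deck). The HTML-content encoder implements exactly the six substitutions listed under Rule #1; attribute, JavaScript and URL contexts use the framework's System.Web.HttpUtility encoders rather than the AntiXSS library the slide names; CSS (Rule #4) is handled by allowlist validation, and the colour-only allowlist is an assumption for the example.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not part of the slide deck. Runs as a console program on
// .NET Framework (reference System.Web) or .NET Core 2.0+ (HttpUtility is built in).
public static class ContextEncoders
{
    // Rule #1: HTML element content. The six characters from the slide.
    public static string HtmlContent(string untrusted)
    {
        var sb = new StringBuilder(untrusted.Length);
        foreach (char c in untrusted)
        {
            switch (c)
            {
                case '&':  sb.Append("&amp;");  break;
                case '<':  sb.Append("&lt;");   break;
                case '>':  sb.Append("&gt;");   break;
                case '"':  sb.Append("&quot;"); break;
                case '\'': sb.Append("&#x27;"); break;
                case '/':  sb.Append("&#x2F;"); break;
                default:   sb.Append(c);        break;
            }
        }
        return sb.ToString();
    }

    // Rule #2: attribute value. The quotes are emitted here on purpose:
    // HtmlAttributeEncode encodes & < " (and ' on .NET 4 and later) on the
    // assumption that the attribute is quoted; an unquoted attribute ends at the
    // first space, which no encoder can make safe. Quoting is half of the rule.
    public static string QuotedAttribute(string name, string untrusted)
    {
        return name + "=\"" + HttpUtility.HtmlAttributeEncode(untrusted) + "\"";
    }

    // Rule #3: a JavaScript string literal. JavaScriptStringEncode backslash-escapes
    // quotes, backslashes and control characters and writes < > & as \u003c \u003e
    // \u0026, so a closing </script> inside the data cannot end the script block.
    public static string JsStringLiteral(string untrusted)
    {
        return "'" + HttpUtility.JavaScriptStringEncode(untrusted) + "'";
    }

    // Rule #5: a single query-string parameter value (percent-encoding).
    public static string UrlParameter(string untrusted)
    {
        return HttpUtility.UrlEncode(untrusted);
    }

    // Rule #4: CSS property values are validated against an allowlist, not
    // escaped; anything that does not match falls back to a fixed safe value.
    private static readonly Regex HexColour = new Regex("^#[0-9A-Fa-f]{6}$");
    public static string CssColour(string untrusted)
    {
        return HexColour.IsMatch(untrusted) ? untrusted : "#000000";
    }

    public static void Main()
    {
        // Constructed untrusted input carrying a character that matters in every context.
        string value = "O'Brien & Sons <b>\"Ltd\"</b>";

        Console.WriteLine("<div>" + HtmlContent(value) + "</div>");
        Console.WriteLine("<div " + QuotedAttribute("title", value) + ">content</div>");
        Console.WriteLine("<script>var customer = " + JsStringLiteral(value) + ";</script>");
        Console.WriteLine("<a href=\"/search?q=" + UrlParameter(value) + "\">search</a>");
        Console.WriteLine("<span style=\"color: " + CssColour("#336699") + "\">ok</span>");
        Console.WriteLine("<span style=\"color: " + CssColour("red; background: blue") + "\">rejected</span>");
    }
}
```

The point the slide's Rule #0 makes is visible in the design: there is no encoder for "inside a script tag as code" or "in a tag name" because no escaping makes those contexts safe; the value is only ever placed where one of the five encoders applies.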
BROKEN AUTHENTICATION & SESSION MANAGEMENT
Defining Broken Authentication
• Authentication and session management functions not implemented correctly
• Allow attackers to compromise passwords, keys, session tokens
Broken Authentication Matrix
Threat Agents: External attackers, internal users trying to steal accounts from others.
Attack Vectors (Exploitability: AVERAGE): Attackers use leaks or flaws in the authentication or session management functions.
Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Custom authentication and session management schemes; flaws are hard to find.
Technical Impacts (Impact: SEVERE): Allow some or all accounts to be attacked.
Business Impact: Business value of the affected data.
Anatomy of Broken Authentication
• Session IDs in the URL
– Cookieless session state
• Can still occur without IDs in the URL (via exploited XSS flaws)
• HttpOnly cookies
• Use ASP.NET Membership & Role Providers
Session Fixation
• Do not accept session identifiers from GET / POST variables
• Use identity confirmation
• Store session identifiers in cookies
• Regenerate SID on each request
• Accept only server-generated SIDs
• Logout function
• Time-out old SIDs
• Destroy session if Referrer is suspicious
• Verify that additional information is consistent
– User Agent
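The ASP.NET side of the Session Fixation checklist, as an added example (not code from the deck): regenerate the session ID at login, keep the cookie HttpOnly, time out old sessions and verify that the User-Agent stays consistent. It assumes cookie-based session state with the default cookie name ASP.NET_SessionId and a login page at ~/Login.aspx; the method names are this example's own. Regeneration matters in ASP.NET specifically because cookie-mode session state accepts a well-formed session ID presented by the client even when no server-side session exists for it yet.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Added example, not part of the slide deck. Intended for a Web Forms login
// page's code-behind or an MVC controller; not runnable outside ASP.NET.
public static class SessionHardening
{
    // Call once credentials are verified. Abandoning the session and blanking the
    // cookie makes ASP.NET issue a fresh, server-generated ID on the next request,
    // so an ID that was fixed before login never becomes an authenticated one.
    // Redirect immediately afterwards; nothing written to Session on this request
    // survives, so client binding happens on the first request after login.
    public static void RegenerateSessionId(HttpContext context)
    {
        context.Session.Abandon();
        context.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "") { HttpOnly = true });
    }

    // First request after login: record what the session is bound to.
    public static void BindToClient(HttpSessionState session, HttpRequest request)
    {
        session["ua"] = request.UserAgent ?? "";
        session["created"] = DateTime.UtcNow;
    }

    // Every request: the session must be bound, the User-Agent must be unchanged
    // and the absolute age must be below the limit (the slide's "time-out old SIDs").
    public static bool IsConsistent(HttpSessionState session, HttpRequest request, TimeSpan maxAge)
    {
        var ua = session["ua"] as string;
        var created = session["created"] as DateTime?;
        if (ua == null || created == null) return false;
        if (ua != (request.UserAgent ?? "")) return false;
        if (DateTime.UtcNow - created.Value > maxAge) return false;
        return true;
    }

    // Inconsistent sessions are ended, not repaired: a changed User-Agent on a
    // live session is treated as a hijacked or fixated session.
    public static void EnforceOrEnd(HttpContext context)
    {
        if (!IsConsistent(context.Session, context.Request, TimeSpan.FromHours(8)))
        {
            context.Session.Abandon();
            context.Response.Redirect("~/Login.aspx", true);
        }
    }

    // Logout: destroy server-side state and expire the cookie in the browser.
    public static void Logout(HttpContext context)
    {
        context.Session.Abandon();
        context.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            HttpOnly = true,
            Expires = DateTime.UtcNow.AddDays(-1)
        });
    }
}
```

The HttpOnly flag set here per cookie is the same protection the slide lists; setting httpOnlyCookies (and requireSSL) on the httpCookies element in web.config applies it to every cookie the application issues, which is the less error-prone place to do it.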
INSECURE DIRECT OBJECT REFERENCE
Defining insecure direct object reference
• Data being unintentionally disclosed
• Exposing a reference to an internal object, file, directory or database key
IDOR Matrix
Threat Agents: Users of the system, having partial access to system data.
Attack Vectors (Exploitability: AVERAGE): Simple parameter modification.
Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Applications use the actual name or key value of an object; authorization is not verified.
Technical Impacts (Impact: SEVERE): Compromise all data that can be referenced.
Business Impact: Business value of the affected data.
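The control the IDOR matrix says is missing, "authorization is not verified", as an added example (not code from the deck): the same lookup by database key with and without an ownership check on the object actually referenced. The Invoice type, the in-memory store and the Auditor role are constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example, not part of the slide deck. Runs as a console program.
public sealed class Invoice
{
    public int Id { get; set; }
    public string OwnerName { get; set; }
    public decimal Amount { get; set; }
}

public static class InvoiceService
{
    // Constructed sample data standing in for a database table.
    private static readonly Dictionary<int, Invoice> Store = new Dictionary<int, Invoice>
    {
        { 1001, new Invoice { Id = 1001, OwnerName = "alice", Amount = 120m } },
        { 1002, new Invoice { Id = 1002, OwnerName = "bob",   Amount = 75m } },
    };

    // VULNERABLE shape: the key taken from the request is looked up and returned.
    // Whoever can change the number in the URL can read any invoice.
    public static Invoice GetInvoiceUnchecked(int id)
    {
        Invoice invoice;
        return Store.TryGetValue(id, out invoice) ? invoice : null;
    }

    // SAFE: the lookup is scoped to the caller. "Not found" and "not yours" give
    // the same answer, so the response does not reveal which keys exist.
    public static Invoice GetInvoice(int id, IPrincipal user)
    {
        Invoice invoice;
        if (!Store.TryGetValue(id, out invoice)) return null;

        bool isOwner = string.Equals(invoice.OwnerName, user.Identity.Name,
                                     StringComparison.OrdinalIgnoreCase);
        bool isAuditor = user.IsInRole("Auditor");
        return (isOwner || isAuditor) ? invoice : null;
    }

    public static void Main()
    {
        // In ASP.NET this would be HttpContext.User; a GenericPrincipal stands in.
        IPrincipal bob = new GenericPrincipal(new GenericIdentity("bob"), new string[0]);

        // The "simple parameter modification" of the matrix: bob's own invoice is
        // 1002; the request arrives with 1001.
        Console.WriteLine(GetInvoiceUnchecked(1001) != null
            ? "unchecked: returned alice's invoice" : "unchecked: null");
        Console.WriteLine(GetInvoice(1001, bob) == null
            ? "checked: denied" : "checked: returned");
        Console.WriteLine(GetInvoice(1002, bob) != null
            ? "checked: own invoice returned" : "checked: null");
    }
}
```

The check belongs in the data-access layer or the service, not only in the page that renders the list: every path that resolves a key to an object has to make the same decision, or the one path that does not becomes the way in.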
CROSS SITE REQUEST FORGERY
Defining Cross Site Request Forgery
• Tricking the user into inadvertently issuing an HTTP request to a site
– Confused deputy problem
• Sends:
– Session cookie
– Authentication information
• Victim needs to be logged on
CSRF Matrix
Threat Agents: Anyone who can trick your users into submitting a request to your site.
Attack Vectors (Exploitability: AVERAGE): Creates forged HTTP requests via image tags, XSS.
Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Browsers send credentials like authentication cookies automatically, so attackers can create malicious web pages that generate forged requests.
Technical Impacts (Impact: SEVERE): Attackers can change any data the victim is allowed to change.
Business Impact: Business value of the affected data.
CSRF Prevention
• Prevention measures that don’t work:
– Using a secret cookie
– Only accepting POST requests
– Multi-step transactions
– URL Rewriting
CSRF Prevention
• Synchronizer Token Pattern
• ViewState
– ViewStateUserKey = Session.SessionID
• Double submit cookies
– Header
– Hidden form value
• .NET CSRF Guard
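Two of the defences listed above, the Synchronizer Token Pattern and ViewStateUserKey = Session.SessionID, in the form a Web Forms page would use, as an added example (not code from the deck). It assumes cookie-based session state; the hidden field name and the helper names are this example's own. The double-submit cookie variant and .NET CSRF Guard are not shown.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.UI;

// Added example, not part of the slide deck. A base class for Web Forms pages;
// not runnable outside ASP.NET.
public class CsrfProtectedPage : Page
{
    // ViewState defence from the slide: keying the ViewState MAC to the session
    // makes ViewState captured in one session fail validation when replayed in
    // another. It must be set before ViewState is loaded, i.e. at Init.
    protected override void OnInit(EventArgs e)
    {
        ViewStateUserKey = Session.SessionID;
        base.OnInit(e);
    }

    // Synchronizer token: one random value per session, emitted into a hidden
    // field and required on every postback. A forged request carries the
    // victim's cookies automatically but cannot read this value out of the
    // victim's page, so the comparison below fails.
    private const string TokenField = "__csrf";

    protected string GetOrCreateToken()
    {
        var token = Session[TokenField] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            Session[TokenField] = token;
        }
        return token;
    }

    protected bool IsTokenValid(string submitted)
    {
        var expected = Session[TokenField] as string;
        if (expected == null || submitted == null) return false;
        return FixedTimeEquals(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(submitted));
    }

    // Constant-time comparison so validation leaks nothing through timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Checked on every postback, not only on "sensitive" ones: the slide's point
    // that "only accepting POST" is no defence holds because the forged request
    // can be a POST too; what it lacks is the token.
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (IsPostBack && !IsTokenValid(Request.Form[TokenField]))
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }

    // Markup helper for the page's form: <%= TokenHiddenField() %>
    protected string TokenHiddenField()
    {
        return "<input type=\"hidden\" name=\"" + TokenField + "\" value=\""
             + HttpUtility.HtmlAttributeEncode(GetOrCreateToken()) + "\" />";
    }
}
```

Because the token lives in the session, it is only as secret as the session cookie, which is why the HttpOnly and session-fixation measures from the previous sections are part of the same defence: a script that can read the page (XSS) or a fixed session ID can read or pre-seed the token.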
INSECURE CRYPTOGRAPHIC STORAGE
Defining Insecure Cryptographic Storage
• Protection of sensitive data
Matrix
Threat Agents: Users of the system.
Attack Vectors (Exploitability: DIFFICULT): Attackers don’t break the crypto; they find keys or get clear-text copies of data.
Security Weakness (Prevalence: UNCOMMON, Detectability: DIFFICULT): The most common flaw is not encrypting data; also unsafe key generation, storage of keys, weak algorithms.
Technical Impacts (Impact: SEVERE): Compromises all data that should have been encrypted.
Business Impact: Business value of the affected data.
Questions
• Is the right data encrypted?
• Are the keys protected?
• Is the source data exposed by other interfaces?
• Is the hashing weak?
Encryption, hashing, salting
• Encryption: Transforming text into an illegible format that can only be deciphered with a ‘key’
• Hashing: Creating a one-way digest that cannot be converted back.
• Salting: Adding a random string to input text before hashing to add unpredictability to the process.
MD5, SHA, DES, AES
• MD5: Common, not collision resistant.
• SHA: Secure Hash Algorithm, most popular (not the most secure).
• DES: Data Encryption Standard, insecure.
• AES: Advanced Encryption Standard, common.
Symmetric / Asymmetric Encryption
• Symmetric Encryption
– Uses same key to both encrypt and decrypt.
– The same algorithm can be applied to reverse the encryption
• Asymmetric Encryption
– Different keys for encryption / decryption
Key Management
• Keep keys unique
• Protect the keys
• Always store keys away from data
• Keys should have a defined lifecycle
Cryptographic Cheat Sheet
• Only store sensitive data you need
• Only use strong crypto algorithms (AES, RSA)
• Ensure that random numbers are cryptographically strong
• Only use widely accepted implementations of cryptographic algorithms
• Store the hashed and salted value of passwords
• Ensure that any secret key is protected from unauthorized access
FAILURE TO RESTRICT URL ACCESS
Defining failure to restrict URL access
• Users are able to access a resource they should not because appropriate controls do not exist
Matrix
Threat Agents: Anyone with network access can send the application a request.
Attack Vectors (Exploitability: EASY): Attacker (already authorized) changes the URL to a privileged page.
Security Weakness (Prevalence: UNCOMMON, Detectability: AVERAGE): Misconfigured URLs, improper code checks.
Technical Impacts (Impact: MODERATE): Allows attackers to access unauthorized functionality.
Business Impact: Business value of the affected data.
Suggestions
• Leverage roles in preference to individual users
• Apply principal permissions
– [PrincipalPermission] attribute
• Protect web services and async calls
• Leverage IIS 7 Integrated pipeline
• Do not roll your own security model
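The [PrincipalPermission] attribute from the Suggestions slide, exercised outside IIS so it can be run as a console program, as an added example (not code from the deck). In ASP.NET the runtime sets Thread.CurrentPrincipal from the authenticated user (HttpContext.User); here a GenericPrincipal stands in. Declarative PrincipalPermission demands are a .NET Framework feature and are not supported on .NET Core / .NET 5+; the role and method names are this example's own.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not part of the slide deck. Target .NET Framework 4.x.
public static class AdminOperations
{
    // The demand is evaluated before the method body runs: if the current
    // principal is not in the Admin role a SecurityException is thrown and the
    // body never executes. Roles, not user names, as the slide suggests.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public static string ResetAllPasswords()
    {
        return "reset performed";
    }

    // The same check written imperatively, for the code paths the slide calls
    // out (web service methods, async calls) where an attribute on a page
    // class is not in the request path.
    public static string ExportAuditLog()
    {
        IPrincipal user = Thread.CurrentPrincipal;
        if (user == null || !user.IsInRole("Auditor"))
            throw new SecurityException("Auditor role required");
        return "export performed";
    }

    public static void Main()
    {
        // Constructed principals standing in for the authenticated user.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Admin" });
        Console.WriteLine("alice: " + ResetAllPasswords());   // reset performed

        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("bob"), new[] { "User" });
        try { ResetAllPasswords(); }
        catch (SecurityException) { Console.WriteLine("bob: reset denied"); }

        try { ExportAuditLog(); }
        catch (SecurityException) { Console.WriteLine("bob: export denied"); }
    }
}
```

The attribute protects the method, not the URL: the page or handler that exposes it still needs URL-level authorization (the web.config authorization rules that the IIS 7 integrated pipeline applies to every request, static files and handlers included), so that guessing the address of a privileged page is stopped before any code runs.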

Weitere ähnliche Inhalte

Was ist angesagt?

Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Beyond the OWASP Top 10
Beyond the OWASP Top 10Beyond the OWASP Top 10
Beyond the OWASP Top 10iphonepentest
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & TestingDeepu S Nath
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Anatomy Web Attack
Anatomy Web AttackAnatomy Web Attack
Anatomy Web AttackKelly Speiser
 
Owasp 2017 oveview
Owasp 2017   oveviewOwasp 2017   oveview
Owasp 2017 oveviewShreyas N
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20Tabăra de Testare
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerThreatReel Podcast
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 

Was ist angesagt? (20)

Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Beyond the OWASP Top 10
Beyond the OWASP Top 10Beyond the OWASP Top 10
Beyond the OWASP Top 10
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
Web attacks
Web attacksWeb attacks
Web attacks
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & Testing
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Anatomy Web Attack
Anatomy Web AttackAnatomy Web Attack
Anatomy Web Attack
 
Owasp 2017 oveview
Owasp 2017   oveviewOwasp 2017   oveview
Owasp 2017 oveview
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 

Ähnlich wie Owasp & Asp.Net

Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationowasp-pune
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeThuan Ng
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure worldGianluca Sartori
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security Dilip Sharma
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersBenjamin Floyd
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web AttacksVivek Sinha Anurag
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Web Application Security Session for Web Developers
Web Application Security Session for Web DevelopersWeb Application Security Session for Web Developers
Web Application Security Session for Web DevelopersKrishna Srikanth Manda
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)Anatoliy Okhotnikov
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications SecureAryashree Pritikrishna
 
Joomla web application development vulnerabilities
Joomla web application development vulnerabilitiesJoomla web application development vulnerabilities
Joomla web application development vulnerabilitiesBlazeDream Technologies Pvt Ltd
 
TechEvent 2019: Security 101 fĂźr Web Entwickler; Roland KrĂźger - Trivadis
TechEvent 2019: Security 101 fĂźr Web Entwickler; Roland KrĂźger - TrivadisTechEvent 2019: Security 101 fĂźr Web Entwickler; Roland KrĂźger - Trivadis
TechEvent 2019: Security 101 fĂźr Web Entwickler; Roland KrĂźger - TrivadisTrivadis
 

Ähnlich wie Owasp & Asp.Net (20)

Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure world
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web Developers
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Web Application Security Session for Web Developers
Web Application Security Session for Web DevelopersWeb Application Security Session for Web Developers
Web Application Security Session for Web Developers
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
Joomla web application development vulnerabilities
Joomla web application development vulnerabilitiesJoomla web application development vulnerabilities
Joomla web application development vulnerabilities
 
TechEvent 2019: Security 101 fĂźr Web Entwickler; Roland KrĂźger - Trivadis
TechEvent 2019: Security 101 fĂźr Web Entwickler; Roland KrĂźger - TrivadisTechEvent 2019: Security 101 fĂźr Web Entwickler; Roland KrĂźger - Trivadis
TechEvent 2019: Security 101 fĂźr Web Entwickler; Roland KrĂźger - Trivadis
 

KĂźrzlich hochgeladen

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

KĂźrzlich hochgeladen (20)

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Owasp & Asp.Net

2. OWASP TOP 10
• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication & Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict Url Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards

3. Injection
• SQL, OS and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query
• Untrusted data:
  – Integrity is not verifiable
  – Intent may be malicious
  – Manual user input
  – Implicit user input
  – Constructed user input
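The point of slide 3 in code: the same ADO.NET lookup written the injectable way and the parameterized way. This is an added example, not code from the slides; the Users table, its columns and the @userName parameter are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the slides: the same lookup written the injectable
// way and the parameterized way. Table, column and parameter names are assumptions.
public static class UserLookup
{
    // Defect the slide describes: the untrusted value is spliced into the command
    // text, so a quote character in the input changes the statement the database
    // parses instead of being treated as data.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT Id, Email FROM Users WHERE UserName = '" + userName + "'";
    }

    // Fix: the command text is a constant and the value travels as a typed
    // parameter. SQL Server receives the parameter separately from the text,
    // so no input can change the statement's structure.
    public static DataTable FindUser(string connectionString, string userName)
    {
        const string sql = "SELECT Id, Email FROM Users WHERE UserName = @userName";
        var result = new DataTable();

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Explicit type and length: the value can only ever be a string of
            // bounded size, whatever the request carried.
            command.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }
}
```

Every source the slide lists as untrusted (form fields, Request.QueryString, request headers) should reach the database only through the second method; the first is shown for contrast. Input validation of length and character set is still worth doing, but parameterization is the control that removes the injection. The same separation of command from data is the fix for the OS and LDAP variants: pass arguments to a process rather than building a shell line, and escape LDAP filter values before use.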
4. OWASP Matrix (Injection)
• Threat Agents: Anyone who can send data to the system.
• Attack Vectors (Exploitability: EASY): Attacker sends simple text-based attacks that exploit the syntax of the interpreter.
• Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Very prevalent, particularly in legacy code; often found in SQL and LDAP queries, OS commands and program arguments.
• Technical Impacts (Impact: SEVERE): Can result in data loss or corruption, lack of accountability or denial of access.
• Business Impact: Business value of affected data.

6. CROSS SITE SCRIPTING
• Most commonly exploited vulnerability
• WhiteHat Security report: 65% of sites with XSS vulnerability
• Sending data to a browser without proper validation and escaping
• Allows executing scripts in the victim’s browser
  – Hijack user sessions
  – Redirect to malicious sites
• Expose an attack vector from database

7. XSS Matrix
• Threat Agents: Anyone who can send untrusted data to the system.
• Attack Vectors (Exploitability: AVERAGE): Attacker sends simple text-based attacks that exploit the syntax of the interpreter.
• Security Weakness (Prevalence: WIDESPREAD, Detectability: EASY): Most prevalent web application security flaw. 3 types: 1: Stored, 2: Reflected, 3: DOM Based.
• Technical Impacts (Impact: MODERATE): Attacker can execute script in victim’s browser. Session hijacking, inserting hostile content, using malware etc.
• Business Impact: Business value of affected data.

8. Encoding
Encoding Method – Example/Pattern
• HtmlEncode: <a href="http://www.contoso.com">Click Here [Untrusted input]</a>
• HtmlAttributeEncode: <hr noshade size=[Untrusted input]>
• JavaScriptEncode: <script type="text/javascript"> … [Untrusted input] … </script>
• UrlEncode: <a href="http://search.msn.com/results.aspx?q=[Untrusted input]">Click Here!</a>
• XmlEncode: <xml_tag>[Untrusted input]</xml_tag>
• XmlAttributeEncode: <xml_tag attribute=[Untrusted input]>Some Text</xml_tag>

9. XSS Prevention Rule #0
• Never Insert Untrusted Data Except in Allowed Locations
  – <script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script
  – <!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment
  – <div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name
  – <NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name
  – <style>...NEVER PUT UNTRUSTED DATA HERE...</style> directly in CSS

10. XSS Prevention Rule #1
• HTML Escape Before Inserting Untrusted Data into HTML Element Content
  – <body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>
  – <div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>
  – any other normal HTML elements
• & --> &amp;
• < --> &lt;
• > --> &gt;
• " --> &quot;
• ' --> &#x27;
• / --> &#x2F;

11. XSS Prevention Rule #2
• Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
  – <div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div> inside UNquoted attribute
  – <div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div> inside single quoted attribute
  – <div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div> inside double quoted attribute

12. XSS Prevention Rule #3
• JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
  – <script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script> inside a quoted string
  – <script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script> one side of a quoted expression
  – <div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"></div> inside quoted event handler

13. XSS Prevention Rule #4
• CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
  – <style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style> property value
  – <style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style> property value
  – <span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">text</span> property value

14. XSS Prevention Rule #5
• URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
  – <a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>

15. XSS Prevention Rule #6
• Use an HTML Policy engine to validate or clean user-driven HTML in an outbound way
• AntiXSS
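Rules #1, #2, #3 and #5 above come down to choosing the encoder that matches the output context. This added example (not code from the slides) shows one rendering helper per context. It uses the AntiXssEncoder class that ships in System.Web from .NET 4.5 onward (the standalone AntiXSS library named on slide 15 exposes the same method names as slide 8 on its Encoder class) together with HttpUtility for the JavaScript case; the fragment shapes and the name and q identifiers are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security.AntiXss;

// Added example, not code from the slides: one rendering helper per output
// context from rules #1, #2, #3 and #5, each using the encoder for that context.
// Uses AntiXssEncoder from System.Web (.NET 4.5+) and HttpUtility; the fragment
// shapes and the "name" / "q" identifiers are assumptions.
public static class SafeOutput
{
    // Rule #1: element content. &, <, >, " and ' become entities, so a
    // "<script>" in the input is rendered as text, not parsed as a tag.
    public static string Paragraph(string untrusted)
    {
        return "<p>" + AntiXssEncoder.HtmlEncode(untrusted, false) + "</p>";
    }

    // Rule #2: attribute value. The attribute is always quoted here, so the
    // encoder only has to stop the input from closing the quote.
    public static string TitledSpan(string untrusted)
    {
        return "<span title=\"" + AntiXssEncoder.HtmlAttributeEncode(untrusted)
             + "\">profile</span>";
    }

    // Rule #3: JavaScript string literal. Quotes, backslashes, control characters
    // and angle brackets are escaped, so the input cannot end the literal or
    // the script element.
    public static string NameScript(string untrusted)
    {
        return "<script type=\"text/javascript\">var name = '"
             + HttpUtility.JavaScriptStringEncode(untrusted) + "';</script>";
    }

    // Rule #5: URL query parameter value. Percent-encoding keeps the input inside
    // the value of q; the rest of the URL is fixed by the code.
    public static string SearchLink(string untrusted)
    {
        return "<a href=\"/results.aspx?q=" + AntiXssEncoder.UrlEncode(untrusted)
             + "\">Click Here!</a>";
    }

    // Rule #0 has no helper on purpose: no encoder makes untrusted data safe
    // directly inside a script block, a comment, a tag name or an attribute
    // name, so those placements are simply not offered.
}
```

To apply the stricter encoder application-wide rather than call by call, set encoderType on the httpRuntime element in web.config to System.Web.Security.AntiXss.AntiXssEncoder (fully qualified with the System.Web assembly); Server.HtmlEncode, HttpUtility and the <%: %> syntax then all route through it. Rule #6 is a different operation from encoding: when the application must accept HTML from users, it is parsed and reduced to an allowed subset (the AntiXSS library's Sanitizer class does this), because no character escaping can make arbitrary markup safe to render as markup.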
17. Defining Broken Authentication
• Authentication and session management functions not implemented correctly
• Allow attackers to compromise passwords, keys, session tokens

18. Broken Authentication Matrix
• Threat Agents: External attackers, internal users trying to steal accounts from others.
• Attack Vectors (Exploitability: AVERAGE): Attackers use leaks or flaws in the authentication or session management functions.
• Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Custom authentication and session management schemes. Hard to find flaws.
• Technical Impacts (Impact: SEVERE): Allow some or all accounts to be attacked.
• Business Impact: Business value of affected data.

19. Anatomy of Broken Authentication
• Session IDs in the url
  – Cookieless session state
• Can still occur without IDs in the url (via executed XSS flaws)
• HttpOnly Cookies
• Use ASP.NET Membership & Role Providers

20. Session Fixation
• Do not accept session identifiers from GET / POST variables
• Use identity confirmation
• Store session identifiers in cookies
• Regenerate SID on each request
• Accept only server-generated SIDs
• Logout function
• Time-out old SIDs
• Destroy session if Referrer is suspicious
• Verify that additional information is consistent
  – User Agent
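Two of the session fixation measures from slides 19 and 20, regenerating the identifier and checking User-Agent consistency, as an added example for an ASP.NET site with cookie-based session state (not code from the slides). RegenerateSessionId is called right after a successful login and CheckSessionConsistency from Application_AcquireRequestState in Global.asax; the session key name is an assumption, the cookie name is ASP.NET's default.

```csharp
using System;
using System.Web;

// Added example, not code from the slides: two hooks for an ASP.NET site using
// cookie-based session state. RegenerateSessionId is called right after a
// successful login; CheckSessionConsistency is called per request from
// Application_AcquireRequestState in Global.asax. The session key name is an
// assumption; the cookie name is ASP.NET's default.
public static class SessionHardening
{
    private const string SessionCookieName = "ASP.NET_SessionId";
    private const string UserAgentKey = "__UserAgentAtStart";

    // Abandon the pre-login session and expire its cookie. The session module then
    // issues a fresh, server-generated identifier on the next request, so an
    // identifier planted before login never becomes the identifier of an
    // authenticated session. Redirect after calling this and do not write to
    // Session in the same request: the abandoned state is discarded.
    public static void RegenerateSessionId(HttpContext context)
    {
        context.Session.Abandon();
        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            HttpOnly = true,                             // not readable by script
            Secure = context.Request.IsSecureConnection, // TLS-only when the site is
            Expires = DateTime.UtcNow.AddDays(-1)
        };
        context.Response.Cookies.Add(expired);
    }

    // Record the User-Agent on the session's first request and refuse to continue
    // a session whose User-Agent later changes. Returns false when the session was
    // dropped; the caller should send the user back to the login page.
    public static bool CheckSessionConsistency(HttpContext context)
    {
        var session = context.Session;
        if (session == null)
        {
            return true; // handler without session state; nothing to bind
        }

        string currentUa = context.Request.UserAgent ?? string.Empty;
        var recordedUa = session[UserAgentKey] as string;
        if (recordedUa == null)
        {
            session[UserAgentKey] = currentUa;
            return true;
        }
        if (string.Equals(recordedUa, currentUa, StringComparison.Ordinal))
        {
            return true;
        }

        RegenerateSessionId(context);
        return false;
    }
}
```

Pair this with sessionState cookieless="UseCookies" and httpCookies httpOnlyCookies="true" requireSSL="true" in web.config, so the identifier never travels in the URL (slide 19) and the cookie is not exposed to script or sent over plain HTTP. The slide asks for regeneration on each request; the same RegenerateSessionId call serves that, and this example makes it at login because that is the moment at which a fixed identifier would otherwise be promoted to an authenticated one.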
22. Defining insecure direct object reference
• Data being unintentionally disclosed
• Exposing a reference to an internal object, file, directory or database key

23. IDOR Matrix
• Threat Agents: Users of the system, having partial access to system data.
• Attack Vectors (Exploitability: AVERAGE): Simple parameter modification.
• Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Applications use the actual name or key value of an object. Authorization is not verified.
• Technical Impacts (Impact: SEVERE): Compromise all data that can be referenced.
• Business Impact: Business value of affected data.
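The two controls that address the weakness in the matrix row, as an added example (not code from the slides): an authorization check on every lookup, and a per-session indirect reference map so that database keys never appear in URLs at all. The Document type, the store and the owner field are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not code from the slides: the two controls for direct object
// references. DocumentStore verifies authorization on every lookup, and
// IndirectReferenceMap replaces database keys in URLs with per-session random
// tokens. Document, owner and store names are assumptions.
public sealed class Document
{
    public int Id;
    public string OwnerName;
    public string Body;
}

public sealed class DocumentStore
{
    private readonly Dictionary<int, Document> _byId = new Dictionary<int, Document>();

    public void Add(Document d) { _byId[d.Id] = d; }

    // The fix the matrix row points at: the key alone is never enough. The
    // record must belong to the user making the request, and a record that does
    // not is reported the same way as one that does not exist, so a modified
    // parameter reveals nothing about other users' data.
    public Document GetForUser(int id, string requestingUser)
    {
        Document d;
        if (!_byId.TryGetValue(id, out d)) return null;
        if (!string.Equals(d.OwnerName, requestingUser, StringComparison.Ordinal)) return null;
        return d;
    }
}

// Keeps internal keys out of the page entirely. One instance lives in the user's
// session; tokens issued to one session are meaningless in any other.
public sealed class IndirectReferenceMap
{
    private static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();
    private readonly Dictionary<string, int> _tokenToKey = new Dictionary<string, int>(StringComparer.Ordinal);
    private readonly Dictionary<int, string> _keyToToken = new Dictionary<int, string>();

    // Called when rendering a link or form for a record the user may reference.
    public string TokenFor(int internalKey)
    {
        string token;
        if (_keyToToken.TryGetValue(internalKey, out token)) return token;
        var bytes = new byte[16];
        Rng.GetBytes(bytes);
        token = BitConverter.ToString(bytes).Replace("-", string.Empty);
        _keyToToken[internalKey] = token;
        _tokenToKey[token] = internalKey;
        return token;
    }

    // Called when a request comes back. A token this session never issued
    // (edited, guessed or copied from another user's page) does not resolve.
    public bool TryResolve(string token, out int internalKey)
    {
        internalKey = 0;
        return token != null && _tokenToKey.TryGetValue(token, out internalKey);
    }
}
```

The two are complementary rather than alternatives: the map only narrows what a request can name, so GetForUser still runs on the resolved key. Storing the map in Session ties its lifetime to the session, which is what makes a token from one user useless to another.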
25. Defining Cross Site Request Forgery
• Tricking the user into inadvertently issuing an HTTP request to a site
  – Confused deputy problem
• Sends:
  – Session cookie
  – Authentication information
• Victim needs to be logged on

26. CSRF Matrix
• Threat Agents: Anyone who can trick your users into submitting a request to your site.
• Attack Vectors (Exploitability: AVERAGE): Creates forged HTTP requests via image tags, XSS.
• Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Browsers send credentials like authentication cookies automatically, so attackers can create malicious web pages that generate forged requests.
• Technical Impacts (Impact: SEVERE): Attackers can change any data the victim is allowed to change.
• Business Impact: Business value of affected data.

27. CSRF Prevention
• Prevention measures that don’t work:
  – Using a secret cookie
  – Only accepting POST requests
  – Multi-step transactions
  – URL Rewriting

28. CSRF Prevention
• Synchronizer Token Pattern
• ViewState
  – ViewStateUserKey = Session.SessionID
• Double submit cookies
  – Header
  – Hidden form value
• .NET CSRF Guard
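The ViewStateUserKey setting from slide 28 and a synchronizer token for endpoints that do not use ViewState, as an added example (not code from the slides). The ProtectedPage base class, the AntiForgery helper and the __csrfToken field and session key names are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Added example, not code from the slides. ProtectedPage applies the ViewState
// setting from slide 28; AntiForgery is a synchronizer token for endpoints that
// do not use ViewState (generic handlers, MVC-style actions). Field and session
// key names are assumptions.
public class ProtectedPage : Page
{
    // ViewStateUserKey is mixed into the ViewState MAC, so ViewState captured in
    // one session does not validate when posted from another. It must be set
    // before ViewState is loaded, i.e. in Init, and needs the MAC left enabled.
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        ViewStateUserKey = Session.SessionID;
    }
}

public static class AntiForgery
{
    private const string SessionKey = "__csrfToken";
    public const string FieldName = "__csrfToken";

    // One unpredictable token per session, created on first use.
    public static string GetToken(HttpContext context)
    {
        var token = context.Session[SessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(bytes);
            }
            token = Convert.ToBase64String(bytes);
            context.Session[SessionKey] = token;
        }
        return token;
    }

    // Rendered inside every form that changes state. A page on another origin
    // cannot read this value, so it cannot include it in a forged request.
    public static string HiddenField(HttpContext context)
    {
        return "<input type=\"hidden\" name=\"" + FieldName + "\" value=\""
             + HttpUtility.HtmlAttributeEncode(GetToken(context)) + "\" />";
    }

    // Called before any state change. Request.Form reads the POST body only, so a
    // token placed in the query string is not accepted, and the comparison does
    // not reveal how many leading characters matched.
    public static bool IsValidRequest(HttpContext context)
    {
        var expected = context.Session[SessionKey] as string;
        var submitted = context.Request.Form[FieldName];
        if (expected == null || submitted == null) return false;
        return FixedTimeEquals(expected, submitted);
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

The double-submit variant on the slide uses the same IsValidRequest shape with the expected value read from a cookie instead of the session, which trades server-side state for reliance on the attacker being unable to set cookies for the site. In both forms the token is checked only on requests that change state; GET handlers that change nothing need no token, which is also why "only accepting POST" on its own (slide 27) is not a defence.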
30. Defining Insecure Cryptographic Storage
• Protection of sensitive data
• Threat Agents: Users of the system.
• Attack Vectors (Exploitability: DIFFICULT): Attackers don’t break the crypto. They find keys, get clear text copies of data.
• Security Weakness (Prevalence: UNCOMMON, Detectability: DIFFICULT): Common flaw is not encrypting data. Unsafe key generation, storage of keys, weak algorithms.
• Technical Impacts (Impact: SEVERE): Compromises all data that should have been encrypted.
• Business Impact: Business value of affected data.

31. Questions
• Is the right data encrypted?
• Are the keys protected?
• Is the source data exposed by other interfaces?
• Is the hashing weak?

32. Encryption, hashing, salting
• Encryption: Transforming text into an illegible format that can only be deciphered with a ‘key’
• Hashing: Creating a one way digest that cannot be converted back.
• Salting: Adding a random string to input text before hashing to add unpredictability to the process.

33. MD5, SHA, DES, AES
• MD5: Common, not collision resistant.
• SHA: Secure Hash Algorithm, most popular (not most secure).
• DES: Data Encryption Standard, insecure.
• AES: Advanced Encryption Standard, common.

34. Symmetric / Asymmetric Encryption
• Symmetric Encryption
  – Uses same key to both encrypt and decrypt.
  – Same algorithm can be applied to reverse encryption
• Asymmetric Encryption
  – Different keys for encryption / decryption

35. Key Management
• Keep keys unique
• Protect the keys
• Always store keys away from data
• Keys should have a defined lifecycle

36. Cryptographic Cheat Sheet
• Only store sensitive data you need
• Only use strong crypto algorithms (AES, RSA)
• Ensure that random numbers are cryptographically strong
• Only use widely accepted implementations of cryptographic algorithms
• Store the hashed and salted value of passwords
• Ensure that any secret key is protected from unauthorized access
37. FAILURE TO RESTRICT URL ACCESS

38. Defining failure to restrict url access
• Users are able to access a resource they should not because appropriate controls do not exist

39. Matrix
• Threat Agents: Anyone with network access can send the application a request.
• Attack Vectors (Exploitability: EASY): Attacker (already authorized) changes the url to a privileged page.
• Security Weakness (Prevalence: UNCOMMON, Detectability: AVERAGE): Misconfigured urls, improper code checks.
• Technical Impacts (Impact: MODERATE): Allows attackers to access unauthorized functionality.
• Business Impact: Business value of affected data.

40. Suggestions
• Leverage roles in preference to individual users
• Apply principal permissions
  – [PrincipalPermission] attribute
• Protect web services and async calls
• Leverage IIS 7 Integrated pipeline
• Do not roll your own security model
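The suggestions on slide 40 applied to one operation, as an added example (not code from the slides): the role check is attached to the method with [PrincipalPermission] and repeated in a generic handler, so it holds whether the operation is reached from a page, a web service or an async call. The Auditor role, ReportService and ExportHandler are assumptions.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web;

// Added example, not code from the slides: the authorization rule enforced on the
// operation itself, so it holds for pages, web services and async callbacks
// alike. Role, type and handler names are assumptions.
public class ReportService
{
    // Declarative check from slide 40: the runtime demands that
    // Thread.CurrentPrincipal (set by ASP.NET from HttpContext.User) is
    // authenticated and in the Auditor role before the method body runs, and
    // throws SecurityException otherwise. The check travels with the method,
    // not with whichever URL happened to reach it.
    [PrincipalPermission(SecurityAction.Demand, Role = "Auditor")]
    public string GetAuditReport(int reportId)
    {
        return "audit report " + reportId; // placeholder body
    }

    // Imperative form for cases where the required role is computed at run time.
    public static void RequireRole(IPrincipal user, string role)
    {
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole(role))
        {
            throw new SecurityException("Role '" + role + "' required.");
        }
    }
}

// A generic handler (.ashx) serving a non-page resource. Because it checks the
// principal itself, it is protected even where the web.config authorization
// rules only cover page paths. 401 for "not signed in", 403 for "signed in but
// not allowed" keeps the two cases distinguishable in the logs.
public class ExportHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }
        if (!context.User.IsInRole("Auditor"))
        {
            context.Response.StatusCode = 403;
            return;
        }
        context.Response.ContentType = "text/plain";
        context.Response.Write(new ReportService().GetAuditReport(1));
    }
}
```

The configuration side of the same rule is a location element in web.config for the privileged path with an authorization section that allows the Auditor role and denies all other users. Under the IIS 7 integrated pipeline the ASP.NET authorization module runs for every request to that path, static files and non-ASP.NET extensions included, which is what the slide's "leverage IIS 7 Integrated pipeline" buys: the URL rule and the code rule then cover the same set of requests.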

Editor's notes

1. Implicit user input: Request headers. Constructed user input: Query string variables.