7. How to deliver a secure product knowing little about application security?
If that's my bag, whose bag is it then?
[Word cloud from the slide graphic; recoverable terms: Bruce Schneier, Steve Freeman, Martin Fowler, Troy Hunt, HD Moore, Kent Beck, Michał Zalewski; Agile, TDD, REST, Design Patterns, Refactoring, DI; CSRF, XSS, SQLi]
Builder vs Breaker
13. The OWASP Top 10 Web Risks (the first six)
A1 INJECTION
A2 CROSS SITE SCRIPTING (XSS)
A3 BROKEN AUTHENTICATION AND SESSION MANAGEMENT
A4 INSECURE DIRECT OBJECT REFERENCES
A5 CROSS SITE REQUEST FORGERY (CSRF)
A6 SECURITY MISCONFIGURATION
17. Cross Site Scripting (XSS)
Injection of client-side code into Web pages viewed by other users
using System.Web.Mvc;

// Vulnerable: the User-Agent header is attacker-controlled and is concatenated
// straight into markup, so any HTML or script it carries is rendered live.
public static MvcHtmlString DeviceInfoEvil(this HtmlHelper helper)
{
    string s = "<span>" + helper.ViewContext.HttpContext.Request.UserAgent + "</span>";
    return MvcHtmlString.Create(s);
}
[...]
Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5;)<script>alert(1);</script>
[...]
// Fixed: TagBuilder.SetInnerText HTML-encodes the value, so the header is shown
// as text and the <script> element above becomes inert &lt;script&gt;.
public static MvcHtmlString DeviceInfoGood(this HtmlHelper helper)
{
    TagBuilder userAgent = new TagBuilder("span");
    userAgent.SetInnerText(helper.ViewContext.HttpContext.Request.UserAgent);
    return MvcHtmlString.Create(userAgent.ToString());
}
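A unit test is the cheapest way to pin the fix down so it cannot regress. The following xUnit fixture is an added example, not code from the slides: it isolates the two render strategies from HtmlHelper (RenderDeviceInfoUnsafe and RenderDeviceInfo are hypothetical names) and feeds them the hostile User-Agent shown above. It assumes the xUnit and System.Web.Mvc packages are referenced.

```csharp
using System.Web.Mvc;
using Xunit;

// Added example: verifies that TagBuilder.SetInnerText neutralises the payload
// from the slide while the plain concatenation leaves it live.
public class DeviceInfoEncodingTests
{
    // Constructed sample: the hostile User-Agent header shown on the slide.
    private const string HostileUserAgent =
        "Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5;)<script>alert(1);</script>";

    // Same construction as DeviceInfoEvil, without the HtmlHelper dependency.
    public static string RenderDeviceInfoUnsafe(string userAgent)
    {
        return "<span>" + userAgent + "</span>";
    }

    // Same construction as DeviceInfoGood, without the HtmlHelper dependency.
    public static string RenderDeviceInfo(string userAgent)
    {
        var span = new TagBuilder("span");
        span.SetInnerText(userAgent);   // HTML-encodes < > & " so markup cannot form
        return span.ToString();
    }

    [Fact]
    public void Concatenation_leaves_the_script_element_live()
    {
        string html = RenderDeviceInfoUnsafe(HostileUserAgent);
        Assert.Contains("<script>alert(1);</script>", html);
    }

    [Fact]
    public void Encoded_output_contains_no_live_script_element()
    {
        string html = RenderDeviceInfo(HostileUserAgent);

        Assert.DoesNotContain("<script>", html);
        Assert.Contains("&lt;script&gt;alert(1);&lt;/script&gt;", html);
        // Encoding, unlike filtering, is lossless: the legitimate part of the
        // header is still present for the reader.
        Assert.Contains("Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5;)", html);
    }
}
```

The second test is the one to keep in the suite: it asserts on the encoded form rather than on the absence of a particular string, so it still fails if someone later swaps SetInnerText for InnerHtml.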
19. Anti-XSS
INPUT FILTERING
OUTPUT FILTERING
MICROSOFT AntiXSS
ANTIFORGERY TOKENS
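The last bullet is what ASP.NET MVC ships for cross-site request forgery. The controller below is an added example, not code from the slides: it assumes the Razor form view calls @Html.AntiForgeryToken() (which emits the hidden __RequestVerificationToken field and its matching cookie), and uses a hypothetical AccountController and data context field named db.

```csharp
using System.Linq;
using System.Web.Mvc;

// Added example: a state-changing POST protected by the MVC antiforgery token.
public class AccountController : Controller
{
    // Hypothetical data context; stands in for the application's own.
    private readonly ApplicationDbContext db = new ApplicationDbContext();

    [HttpGet]
    [Authorize]
    public ActionResult ChangeEmail()
    {
        // The view for this action must render @Html.AntiForgeryToken() inside the form.
        return View();
    }

    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]   // runs before the action: hidden field must match the cookie
    public ActionResult ChangeEmail(string email)
    {
        if (!ModelState.IsValid)
        {
            return View();
        }

        // A form posted from another origin cannot read the token, so the filter
        // rejects it with HttpAntiForgeryException and this code never executes.
        var account = db.Users.Single(u => u.UserName == User.Identity.Name);
        account.Email = email;
        db.SaveChanges();

        return RedirectToAction("Index");
    }
}
```

Only the POST carries [ValidateAntiForgeryToken]; GET actions should not change state at all, which is why the token is not needed there.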
20. Broken Authentication and Session Management
Poor implementation of authentication and session management
6.5 million hashes, stored as plain SHA1 (June 2012)
450 000 passwords, stored in plain text (July 2012)
21. Be careful
DON'T REINVENT THE WHEEL
NO HARDCODED “SHORTCUTS”
OUTPUT FILTERING
Use #if DEBUG
HASH + SALT + STRETCHING (bcrypt/scrypt)
TLS
https://www.cookiecadger.com
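The "hash + salt + stretching" bullet contrasts directly with the plain SHA1 storage on the previous slide. The class below is an added example, not code from the slides: it uses the BCrypt.Net-Next NuGet package (namespace BCrypt.Net) for bcrypt, places the unsalted SHA1 approach beside it for comparison, and uses a constructed sample password.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: password storage done wrong (plain SHA1) and done right (bcrypt).
public static class PasswordStorage
{
    // bcrypt cost parameter: 2^12 rounds. Raise it as hardware gets faster.
    private const int WorkFactor = 12;

    // What NOT to do: no salt and a single fast round, so every user with the
    // same password gets the same digest and precomputed tables apply.
    public static string PlainSha1(string password)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] digest = sha1.ComputeHash(Encoding.UTF8.GetBytes(password));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Store the returned string: it embeds algorithm id, cost and a random
    // 128-bit salt, so verification needs no extra columns.
    public static string Hash(string password)
    {
        return BCrypt.Net.BCrypt.HashPassword(password, WorkFactor);
    }

    // Re-derives with the salt and cost taken from the stored string.
    public static bool Verify(string password, string storedHash)
    {
        return BCrypt.Net.BCrypt.Verify(password, storedHash);
    }

    public static void Main()
    {
        const string password = "correct horse battery staple";   // constructed sample

        // Identical digests for identical passwords: the weakness of the SHA1 store.
        Console.WriteLine("sha1 repeatable: " + (PlainSha1(password) == PlainSha1(password)));

        // Two bcrypt hashes of the same password differ because each gets its own salt,
        // yet both verify, and a wrong password verifies against neither.
        string first = Hash(password);
        string second = Hash(password);
        Console.WriteLine("bcrypt repeatable: " + (first == second));
        Console.WriteLine("both verify: " + (Verify(password, first) && Verify(password, second)));
        Console.WriteLine("wrong password verifies: " + Verify("not the password", first));
    }
}
```

Verify is the only comparison you should write; hand-rolled string equality on hashes is both unnecessary here and a classic source of timing leaks.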
22. Insecure Direct Object References
Unauthorized access through an exposed reference to an internal implementation object
MASS ASSIGNMENT VULNERABILITY
23. Insecure Direct Object References (2)
using System.Linq;
using System.Web.Mvc;

// Binding target: every public settable property can be supplied from the POST body.
public class User
{
    public string UserName { get; set; }
    public bool IsAdmin { get; set; }
}

[Authorize]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult UpdateUser(User model)
{
    if (ModelState.IsValid)
    {
        // db: the application's data context (e.g. an Entity Framework DbContext).
        var user = db.Users.Single(u => u.UserName == model.UserName);
        // TryUpdateModel copies every posted field onto the entity, IsAdmin included,
        // so a request carrying IsAdmin=true promotes the account (mass assignment).
        if (TryUpdateModel(user))
        {
            db.SaveChanges();
        }
    }
    return View();
}
24. Insecure Direct Object References (3)
// Blacklisting (Exclude) - NO: silently breaks the next time a sensitive property is added
public ActionResult UpdateUser([Bind(Exclude = "IsAdmin")] User model)
[...]
// Whitelisting (Include) - OK: only the listed properties are bound
public ActionResult UpdateUser([Bind(Include = "UserName")] User model)
[...]
// Secure by Design - BEST: a view model that only contains the fields the form may set
public class UserViewModel
{
    public string UserName { get; set; }
}
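Carried through to a complete action, the "secure by design" variant also closes the direct-object-reference half of the slide title: the record to update is chosen from the authenticated identity, not from a posted identifier. This is an added example, not code from the slides; ProfileViewModel, DisplayName, ProfileController and ApplicationDbContext are hypothetical names, and db stands in for the data context used on the slides.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Web.Mvc;

// Added example: view model with only the editable field, explicit mapping
// instead of TryUpdateModel, and the target record taken from the session identity.
public class ProfileViewModel
{
    [Required, StringLength(64)]
    public string DisplayName { get; set; }
}

public class ProfileController : Controller
{
    // Hypothetical data context; stands in for the application's own.
    private readonly ApplicationDbContext db = new ApplicationDbContext();

    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Update(ProfileViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // The object reference comes from the authenticated principal, not the
        // request body, so a caller cannot point the update at another account.
        var user = db.Users.Single(u => u.UserName == User.Identity.Name);

        // Explicit mapping: IsAdmin (and any sensitive property added later)
        // is never reachable from the form, whatever the request contains.
        user.DisplayName = model.DisplayName;
        db.SaveChanges();

        return RedirectToAction("Index");
    }
}
```

Where an administrator legitimately edits other users, the posted identifier is acceptable only after an explicit authorization check on the caller, which is a separate action with its own view model rather than a flag on this one.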