Don’t get Stung (An introduction to the OWASP Top Ten Project)
Barry Dorrans, Microsoft Information Security Tools
NEW AND IMPROVED!
Contents
• OWASP Top Ten
• http://www.owasp.org
• A worldwide free and open community focused on improving the security of application software
Introduction
• Do not try this at home. Or at work.
• These are not just ASP.NET vulnerabilities
• If you don’t want to ask public questions ... [email protected] / http://idunno.org
10 – Unvalidated Redirects and Forwards
Unvalidated Redirect and Forwards
• Users don’t check the address bar
• MVC authentication (pre-3.0) is vulnerable.
• Check the ReturnUrl parameter – http://weblogs.asp.net/jgalloway/archive/2011/01/25/preventing-open-redirection-attacks-in-asp-net-mvc.aspx
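The ReturnUrl check the slide refers to, written out as an added example (this is not code from the deck or from the linked post; the controller, the use of Membership/FormsAuthentication and the helper name IsLocalUrl are assumptions, and on MVC 3 the built-in Url.IsLocalUrl() helper does the same job):

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical AccountController showing how a ReturnUrl parameter is validated
// before it is followed.
public class AccountController : Controller
{
    // Accept only paths on this site: "/orders" or "~/orders", never
    // "http://evil.example", "//evil.example" or "/\evil.example".
    // Browsers treat a leading "//" (and "/\") as protocol-relative, so a
    // single leading slash on its own is not a sufficient test.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        if (url.StartsWith("/") && !url.StartsWith("//") && !url.StartsWith("/\\"))
            return true;

        // Application-relative paths resolve on this site as well.
        if (url.StartsWith("~/"))
            return true;

        return false;
    }

    [HttpPost]
    public ActionResult LogOn(string userName, string password, string returnUrl)
    {
        // Assumed authentication call; substitute the application's own logic.
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }

        FormsAuthentication.SetAuthCookie(userName, false);

        // Follow ReturnUrl only when it points back into this application;
        // anything else falls through to a fixed landing page.
        if (IsLocalUrl(returnUrl))
            return Redirect(returnUrl);

        return RedirectToAction("Index", "Home");
    }
}
```

The point of the helper is that the decision is made on the server from the shape of the URL alone; the user who clicked a phishing link with ReturnUrl=http://evil.example never leaves the site.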
9 – Insufficient Transport Layer Protection
Insufficient Transport Layer Protection
• Use SSL
• Protect communications between web server and backend systems (SSL, IPSEC etc.)
• Replay attacks – use time limited tokens
8 – Failure to restrict URI access
Failure to restrict URI access
• Security by obscurity is useless
• Restrict via ASP.NET – no rolling your own!
• Integrated pipeline restricts everything
• Use [PrincipalPermission] to protect yourself
• IIS7 replaces file ACLs with a web.config based authorization list.
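An added example of the two mechanisms the slide names, a declarative [PrincipalPermission] demand on a method and the web.config authorization list that the IIS7 integrated pipeline applies to every request (the page class, method and the "Administrators" role name are assumptions; none of this is code from the deck):

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Web.UI;

// Hypothetical admin page. The web.config equivalent for the whole /Admin
// folder, enforced for every request (static files included) under the
// integrated pipeline, would be:
//
//   <location path="Admin">
//     <system.web>
//       <authorization>
//         <allow roles="Administrators" />
//         <deny users="*" />
//       </authorization>
//     </system.web>
//   </location>
public partial class AdminReports : Page
{
    // The CLR demands an authenticated principal in the "Administrators" role
    // before the method body runs, whichever URL or control reached it, so
    // hiding the link is no longer the control.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    protected void ExportAll()
    {
        // ... export logic ...
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            ExportAll();
        }
        catch (SecurityException)
        {
            // A failed demand throws rather than returning false; answer with
            // a plain 403 instead of letting the exception page leak details.
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```

Use the web.config list as the first line (it covers URLs you forgot to protect in code) and the attribute as the backstop on the operations that matter most.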
7 – Insecure Cryptographic Storage
Insecure Cryptographic Storage
• Symmetric – same key
• Asymmetric – public/private keys
• Use safe algorithms –
  – Hashing: SHA256
  – Symmetric: AES
  – Asymmetric: CMS/PKCS#7
• Encrypt then sign
Insecure Cryptographic Storage
• Use symmetric when
  – All systems are under your control
  – No need to identify who did the encryption
• Use asymmetric when
  – Talking/accepting from external systems
  – Non-repudiation on who encrypted/signed (X509)
  – All in memory – so no large plain text!
• Combine the two for speed and security
Insecure Cryptographic Storage
• Do not reuse keys for different purposes
• Store keys outside the main database
• Use CryptGenRandom for random numbers
• Use & rotate salts
• Use unique IVs
• DPAPI can provide a key store
6 – Security Misconfiguration
Security Misconfiguration
• PATCH PATCH PATCH
• IIS7 App Pool Isolation – http://learn.iis.net/page.aspx/764/ensure-security-isolation-for-web-sites/
• URLScan
• Security Runtime Engine (CTP)
• Disable unused modules, accounts etc.
Security Misconfiguration
  <httpModules>
    <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
    <add name="Session" type="System.Web.SessionState.SessionStateModule" />
    <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
    <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
    <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />
    <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />
    <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
    <add name="Profile" type="System.Web.Profile.ProfileModule" />
  </httpModules>
Security Misconfiguration
  <httpModules>
    <remove name="PassportAuthentication" />
    <remove name="Profile" />
    <remove name="AnonymousIdentification" />
  </httpModules>
• NB: Some modules depend on others. Forms auth needs caching. There’s no easy way to tell!
5 – Cross Site Request Forgery
Cross Site Request Forgery
• WebForms
  – Lock ViewState using ViewStateUserKey
    • Needs a way to identify user
    • Set in Page_Init
  – Use a CSRF token – http://anticsrf.codeplex.com
• MVC
  – <%= Html.AntiForgeryToken() %> – in form
  – [ValidateAntiForgeryToken] – on action method
• Encourage users to log out
• When is a postback not a postback?
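Both halves of the slide as an added example (not code from the deck): a WebForms page that ties ViewState to the current user in Page_Init, and an MVC controller whose POST action is guarded by [ValidateAntiForgeryToken]. The page, controller and action names are assumptions, as is the choice of value used to identify the user.

```csharp
using System;
using System.Web.Mvc;
using System.Web.UI;

// WebForms: ViewStateUserKey salts the ViewState MAC with a per-user value, so
// ViewState captured from one user's page is rejected when posted back by another.
// It must be set in Page_Init, before ViewState is loaded.
public partial class TransferPage : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Assumption: authenticated users are identified by name, anonymous
        // visitors by session. Note that ASP.NET issues a new SessionID on every
        // request until something is stored in Session, so a key based on it is
        // only stable once the session has been used.
        ViewStateUserKey = User.Identity.IsAuthenticated
            ? User.Identity.Name
            : Session.SessionID;
    }
}

// MVC: the form renders <%= Html.AntiForgeryToken() %>, which emits a hidden
// field and a matching cookie; the attribute on the POST action checks that the
// two agree before the body runs.
public class TransferController : Controller
{
    [HttpGet]
    public ActionResult Transfer()
    {
        return View();   // the view places Html.AntiForgeryToken() inside the <form>
    }

    [HttpPost]
    [ValidateAntiForgeryToken]   // request is rejected if the token is missing or mismatched
    public ActionResult Transfer(string toAccount, decimal amount)
    {
        // ... perform the transfer on behalf of User.Identity.Name ...
        return RedirectToAction("Transfer");
    }
}
```

A forged cross-site POST can carry the victim's cookies but cannot read the hidden field out of a page it never saw, which is why the two must match.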
4 – Insecure Direct Object Reference
Insecure Direct Object Reference
• Use indirect object references
• Always check access permissions
• For MVC don’t allow binding to your ID field
  [Bind(Exclude="id")]
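The three bullets together, as an added example that is not from the deck: an MVC controller that checks ownership on every lookup, offers an indirect (per-user index) reference as an alternative to exposing the key, and keeps a posted Id from overwriting the one in the route. The Order model, the IQueryable data source and the controller name are assumptions.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

public class Order
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public decimal Total { get; set; }
}

public class OrdersController : Controller
{
    // Hypothetical data access; a real application would use its ORM here.
    private readonly IQueryable<Order> _orders;
    public OrdersController(IQueryable<Order> orders) { _orders = orders; }

    // Direct reference + access check: the id comes straight from the URL, so
    // the query itself insists that the record belongs to the caller.
    public ActionResult Details(int id)
    {
        var order = _orders.SingleOrDefault(
            o => o.Id == id && o.OwnerUserName == User.Identity.Name);
        if (order == null)
            throw new HttpException(404, "Not found"); // same answer for "missing" and "not yours"
        return View(order);
    }

    // Indirect reference: the client picks a position in the caller's own list
    // and the server maps it back to the real key, so no database key is on the wire.
    public ActionResult DetailsByIndex(int index)
    {
        var mine = _orders.Where(o => o.OwnerUserName == User.Identity.Name)
                          .OrderBy(o => o.Id)
                          .ToList();
        if (index < 0 || index >= mine.Count)
            throw new HttpException(404, "Not found");
        return View("Details", mine[index]);
    }

    // Bind(Exclude = "Id") stops a posted Id field from being bound into the
    // model; the only id used is the route value, after the ownership check.
    [HttpPost]
    public ActionResult Edit(int id, [Bind(Exclude = "Id")] Order posted)
    {
        var order = _orders.SingleOrDefault(
            o => o.Id == id && o.OwnerUserName == User.Identity.Name);
        if (order == null)
            throw new HttpException(404, "Not found");
        order.Total = posted.Total;
        // ... save changes ...
        return RedirectToAction("Details", new { id });
    }
}
```

Returning 404 for both the missing and the not-owned case means an attacker walking the id space learns nothing about which orders exist.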
3 - Broken Authentication/Sessions
Broken Authentication/Sessions
• Don’t roll your own!
• If you must validate sessions on every request, check the browser string, not the IP
2 – Cross Site Scripting
XSS
• <IMG SRC=javascript:alert('XSS')>
• <IMG SRC=JaVaScRiPt:alert('XSS')>
• <IMG
  SRC=javascript:alert('XSS')>
XSS
• All input is evil
• Work from white-lists not black-lists.
• Store un-encoded data in your database
• Use HttpOnly cookies
• AntiXSS project http://antixss.codeplex.com
  – Better HTML/URL Encoding
  – Adds HTML Attribute, Javascript, VBScript
• XSS Cheat Sheet http://ha.ckers.org/xss.html
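An added example of the "store raw, encode on output" rule using the AntiXSS encoders the slide names (not code from the deck or from the AntiXSS project; it assumes the Microsoft.Security.Application.Encoder class of AntiXSS 4.x, and the helper class and method names are this example's own). The same stored comment is rendered into four different contexts, and each context gets its own encoder, plus an HttpOnly cookie.

```csharp
using System;
using System.Web;
using Microsoft.Security.Application;   // AntiXSS library, http://antixss.codeplex.com

public static class SafeOutput
{
    // The database holds the raw text; nothing is encoded until it is emitted,
    // and the encoder is chosen by where the value lands in the page.

    // Element content: <, >, & and quotes become entities.
    public static string CommentAsHtml(string raw)
    {
        return "<p>" + Encoder.HtmlEncode(raw) + "</p>";
    }

    // Attribute value: a stricter encoder, since a quote alone would close the attribute.
    public static string CommentAsAttribute(string raw)
    {
        return "<input type=\"text\" value=\"" + Encoder.HtmlAttributeEncode(raw) + "\" />";
    }

    // JavaScript string literal: JavaScriptEncode returns the value already quoted.
    public static string CommentAsJavaScript(string raw)
    {
        return "<script>var comment = " + Encoder.JavaScriptEncode(raw) + ";</script>";
    }

    // Query-string component: percent-encoding, so the text cannot add parameters.
    public static string LinkToSearch(string raw)
    {
        return "<a href=\"/search?q=" + Encoder.UrlEncode(raw) + "\">search</a>";
    }

    // HttpOnly keeps the cookie out of document.cookie, so script that does get
    // injected somewhere cannot read it; Secure keeps it off plain HTTP.
    public static HttpCookie SessionMarker(string value)
    {
        return new HttpCookie("marker", value) { HttpOnly = true, Secure = true };
    }
}
```

Using HtmlEncode for an attribute or a script block is the common mistake; the value is safe in only one of those places, which is why the slide lists the attribute and JavaScript encoders separately.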
1 – Injection Flaws
Injection Flaws
• SQL
  – Use SQL parameters
  – Remove direct SQL table access
  – When building SQL strings within SPs parameterise those too!
• Xpath
  – Use XsltContext
  – http://mvpxml.codeplex.com/
Injection Flaws
-- Inside a stored procedure whose own parameters are @first and @last:
-- the dynamic string carries placeholders, and sp_executesql binds them,
-- so the user's text is never spliced into the statement.
DECLARE @cmd nvarchar(max)
SET @cmd = N'SELECT * FROM Customer WHERE FirstName LIKE @first OR LastName LIKE @last'
EXEC sp_executesql @cmd,
    N'@first nvarchar(25), @last nvarchar(25)',
    @first = @first, @last = @last
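The client side of the same query as an added example (not from the deck): the string-concatenated form that is injectable, beside the parameterised SqlCommand that the slide asks for. The table, column names and the EscapeLike helper are this example's own assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CustomerSearch
{
    // VULNERABLE, kept only for contrast: the search text is spliced into the
    // statement, so a quote in the input changes the query rather than the data.
    public static string UnsafeSql(string first)
    {
        return "SELECT * FROM Customer WHERE FirstName LIKE '" + first + "%'";
    }

    // Safe: the text travels as a typed parameter and is never parsed as SQL.
    // The types and lengths match the sp_executesql declaration on the slide.
    public static SqlCommand BuildSearch(SqlConnection conn, string first, string last)
    {
        var cmd = new SqlCommand(
            "SELECT CustomerId, FirstName, LastName FROM Customer " +
            "WHERE FirstName LIKE @first OR LastName LIKE @last", conn);
        cmd.Parameters.Add("@first", SqlDbType.NVarChar, 25).Value = EscapeLike(first) + "%";
        cmd.Parameters.Add("@last", SqlDbType.NVarChar, 25).Value = EscapeLike(last) + "%";
        return cmd;
    }

    // Parameters stop injection, but LIKE still interprets % _ and [ in the
    // value; escaping them keeps "match every row" out of a user's hands.
    private static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // Calling a stored procedure the same way: CommandType.StoredProcedure
    // plus parameters, no string building at all.
    public static SqlCommand BuildProcCall(SqlConnection conn, string first, string last)
    {
        var cmd = new SqlCommand("dbo.SearchCustomer", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@first", SqlDbType.NVarChar, 25).Value = first;
        cmd.Parameters.Add("@last", SqlDbType.NVarChar, 25).Value = last;
        return cmd;
    }
}
```

Pair this with the slide's "remove direct SQL table access": if the web application's login can only execute dbo.SearchCustomer and not read Customer directly, a mistake elsewhere has far less to reach.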
Changes from 2007
• Malicious File Execution
• Information Leakage / Improper Error Handling
• Security Misconfiguration
• Un-validated Redirects and Forwards
The OWASP Top Ten
• A1 - Injection
• A2 - Cross Site Scripting (XSS)
• A3 - Broken Authentication and Session Management
• A4 - Insecure Direct Object References
• A5 - Cross Site Request Forgery (CSRF)
• A6 - Security Misconfiguration
• A7 - Insecure Cryptographic Storage
• A8 - Failure to Restrict URL Access
• A9 - Insufficient Transport Layer Protection
• A10 - Unvalidated Redirects and Forwards
Mandatory Book Pimping
Questions