security of web applications: top 6 risks to avoid
DESCRIPTION
A modest web application security introduction for .NET developers.
TRANSCRIPT
![Page 1: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/1.jpg)
Security of Web Applications
TOP 6 RISKS TO AVOID
![Page 2: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/2.jpg)
Console.WriteLine("Hello World");
I'm Audrius Kovalenko
.NET Developer
Hack for fun
@slicklash
http://www.notreallycode.com
![Page 3: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/3.jpg)
Forecasts for Upcoming Years
VERY CLOUDY
SaaS GROWTH
WEB APPLICATIONS IN HIGH-DEMAND
![Page 4: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/4.jpg)
Web Application Security Today
Source: Web Hacking Incident Database (WHID)
Distribution of Attack Methods in 2011
![Page 5: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/5.jpg)
Puzzle
How to pour all liquid into the glass?
![Page 6: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/6.jpg)
IMPOSSIBLE
Everyone knows it
![Page 7: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/7.jpg)
How to deliver a secure product knowing little about application security?
If that's my bag, whose bag is it then?
Builder vs Breaker
Builder: Agile, TDD, Refactoring, DI, REST, Design Patterns; Kent Beck, Steve Freeman, Martin Fowler
Breaker: SQLi, XSS, CSRF; HD Moore, Bruce Schneier, Troy Hunt, Michał Zalewski
![Page 8: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/8.jpg)
Problem
We don't know what we don't know
![Page 9: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/9.jpg)
The Unknowns
WHAT ARE THE COUNTERMEASURES?
WHAT TO LOOK FOR?
WHAT ARE THE MAJOR RISKS?
![Page 10: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/10.jpg)
CWE/SANS Top 25 Most Dangerous Software Errors
https://cwe.mitre.org/top25
![Page 12: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/12.jpg)
What is a risk anyway?
![Page 13: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/13.jpg)
The OWASP Top 10: 6 Web Risks
A1 INJECTION
A2 CROSS SITE SCRIPTING (XSS)
A3 BROKEN AUTHENTICATION AND SESSION MANAGEMENT
A4 INSECURE DIRECT OBJECT REFERENCES
A5 CROSS SITE REQUEST FORGERY (CSRF)
A6 SECURITY MISCONFIGURATION
![Page 14: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/14.jpg)
Injections
Breaking out of a data context into a code context
Why is SQLi still around?
![Page 15: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/15.jpg)
Injections (2)
```csharp
// Vulnerable: untrusted query-string text is concatenated straight into the SQL statement
var catId = Request.QueryString["Category"];
var sql = "SELECT * FROM Products WHERE [CategoryId] = " + catId;
```
![Page 16: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/16.jpg)
Anti-Injection
ORM
PARAMETERIZED QUERIES
DON'T BE LAZY
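The same Products lookup written with a parameterized query, as an added example rather than code from the talk. It assumes a `Products` table whose `CategoryId` column is an integer and a hypothetical `ProductsInCategory` helper; the connection string is a placeholder supplied by the caller.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example (not the speaker's code): the category id travels as a typed
// SQL parameter instead of being pasted into the statement text.
public static class ProductRepository
{
    // Returns product names in a category; returns an empty list without
    // touching the database when the query-string value is not an integer.
    public static IList<string> ProductsInCategory(HttpRequestBase request,
                                                   string connectionString)
    {
        var names = new List<string>();
        int categoryId;
        // Type validation first: the column is an int, so anything else
        // cannot be a legitimate category id.
        if (!int.TryParse(request.QueryString["Category"], out categoryId))
            return names;

        const string sql =
            "SELECT [Name] FROM [Products] WHERE [CategoryId] = @CategoryId";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The value is sent separately from the SQL text, so it can
            // never change the structure of the statement.
            cmd.Parameters.Add("@CategoryId", SqlDbType.Int).Value = categoryId;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }
}
```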
![Page 17: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/17.jpg)
Cross Site Scripting (XSS)
Injection of client-side code into Web pages viewed by other users
```csharp
// Vulnerable: the User-Agent header is concatenated into markup without encoding
public static MvcHtmlString DeviceInfoEvil(this HtmlHelper helper)
{
    string s = "<span>" + helper.ViewContext.HttpContext.Request.UserAgent + "</span>";
    return MvcHtmlString.Create(s);
}
```
[...]
Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5;)<script>alert(1);</script>
[...]
```csharp
// Fixed: TagBuilder.SetInnerText HTML-encodes the value before it reaches the page
public static MvcHtmlString DeviceInfoGood(this HtmlHelper helper)
{
    TagBuilder userAgent = new TagBuilder("span");
    userAgent.SetInnerText(helper.ViewContext.HttpContext.Request.UserAgent);
    return MvcHtmlString.Create(userAgent.ToString());
}
```
![Page 18: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/18.jpg)
Cross Site Request Forgery (CSRF)
Forged requests executed by tricking authenticated victim
```html
<img src="https://bank.com/smth?param=1" />
<iframe src="https://bank.com/smth?param=1" />
<body onload="document.forms[0].submit()">
  <form method="post" action="https://bank.com/smth">
    <input type="hidden" name="param" value="1" />
  </form>
</body>
```
![Page 19: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/19.jpg)
Anti-XSS
INPUT FILTERING
OUTPUT FILTERING
MICROSOFT AntiXSS
ANTIFORGERY TOKENS (against CSRF)
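How antiforgery tokens close the forged-request examples above in ASP.NET MVC, as an added example that is not code from the talk. `TransferController`, its `Transfer` action and the `param` field are hypothetical names; the project is assumed to be ASP.NET MVC 3 or later.

```csharp
using System.Web.Mvc;

// Added example, not the speaker's code. The state-changing action accepts
// POST only, so the <img> and <iframe> GET forgeries never reach it, and the
// antiforgery filter stops the auto-submitted cross-site form.
public class TransferController : Controller
{
    [HttpGet]
    public ActionResult Transfer()
    {
        return View();   // renders the form shown in the comment below
    }

    // A form posted from another origin cannot include a token that matches
    // the __RequestVerificationToken cookie of the signed-in victim, so the
    // filter throws HttpAntiForgeryException before the action body runs.
    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public ActionResult Transfer(int param)
    {
        // ... perform the state-changing operation for User.Identity.Name ...
        return RedirectToAction("Transfer");
    }
}

/* Transfer.cshtml (Razor view for the GET action above):

@using (Html.BeginForm("Transfer", "Transfer", FormMethod.Post))
{
    @Html.AntiForgeryToken()      // hidden field plus the matching cookie
    @Html.Hidden("param", 1)
    <input type="submit" value="Transfer" />
}
*/
```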
![Page 20: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/20.jpg)
Broken Authentication and Session Management
Poor implementation of authentication and session management
6.5 MILLION HASHES, PLAIN SHA1 (June 2012)
450 000 PASSWORDS, PLAIN TEXT (July 2012)
![Page 21: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/21.jpg)
Be careful
OUTPUT FILTERING
HASH + SALT + STRETCHING: bcrypt/scrypt
NO HARDCODED "SHORTCUTS": use #if DEBUG
TLS: https://www.cookiecadger.com
DON'T REINVENT THE WHEEL
![Page 22: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/22.jpg)
Insecure Direct Object References
Unauthorized access of exposed reference to an internal implementation
MASS ASSIGNMENT VULNERABILITY
![Page 23: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/23.jpg)
Insecure Direct Object References (2)
```csharp
public class User
{
    public string UserName { get; set; }
    public bool IsAdmin { get; set; }
}

[Authorize]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult UpdateUser(User model)
{
    if (ModelState.IsValid)
    {
        var user = db.Users.Single(u => u.UserName == model.UserName);
        // Mass assignment: TryUpdateModel binds every posted field, IsAdmin included
        if (TryUpdateModel(user))
        {
            db.SaveChanges();
        }
    }
    return View();
}
```
![Page 24: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/24.jpg)
Insecure Direct Object References (3)
```csharp
// Black listing - NO
public ActionResult UpdateUser([Bind(Exclude = "IsAdmin")] User model)
```
[...]
```csharp
// White listing - OK
public ActionResult UpdateUser([Bind(Include = "UserName")] User model)
```
[...]
```csharp
// Secure by design - BEST
public class UserViewModel
{
    public string UserName { get; set; }
}
```
![Page 25: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/25.jpg)
Countermeasures
CODE REVIEWS
ACCESS CHECKS
NO COPY-PASTE
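What an access check looks like when an exposed key is used directly, as an added example that is not code from the talk. The `Invoice` entity, its `OwnerUserName` column, `InvoiceDbContext` and `InvoiceController` are all hypothetical; `db` is an Entity Framework context in the style of the slides.

```csharp
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;

// Added example, not the speaker's code.
public class Invoice
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public decimal Amount { get; set; }
}

public class InvoiceDbContext : DbContext
{
    public DbSet<Invoice> Invoices { get; set; }
}

public class InvoiceController : Controller
{
    private readonly InvoiceDbContext db = new InvoiceDbContext();

    // /Invoice/Details/42 exposes the database key directly. That is only
    // safe when the lookup is scoped to the caller: the query asks for
    // "this user's invoice 42", so someone else's id yields no row.
    [Authorize]
    public ActionResult Details(int id)
    {
        string me = User.Identity.Name;
        var invoice = db.Invoices
            .SingleOrDefault(i => i.Id == id && i.OwnerUserName == me);
        if (invoice == null)
            return HttpNotFound();   // same answer for "missing" and "not yours"
        return View(invoice);
    }
}
```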
![Page 26: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/26.jpg)
Security Misconfiguration
Improper application configuration
![Page 27: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/27.jpg)
Web.Config Security Analyzer
https://sourceforge.net/projects/wcsa
![Page 28: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/28.jpg)
Introducing security into development
DEDICATED PERSON
SPECIAL TRAINING
SELF TRAINING: LEARN, PRACTICE, UNDERSTAND
![Page 29: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/29.jpg)
Common Excuses
TIGHT DEADLINES (budget)
NO ONE WILL HACK US (ignorance)
![Page 30: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/30.jpg)
The Real Issue
WRONG PERSON IN WRONG PLACE: Architect, Manager, Lazy Co-Worker
![Page 31: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/31.jpg)
Security is hard, but possible when you know
![Page 32: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/32.jpg)
Drowning is your personal problem
Don't forget
![Page 33: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/33.jpg)
Further Reading
![Page 34: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/34.jpg)
Highly Recommended
ACADEMIC
ENTERPRISE
HACKER
![Page 35: Security of Web Applications: Top 6 Risks To Avoid](https://reader034.vdocument.in/reader034/viewer/2022052622/5597d0431a28abf1388b46fe/html5/thumbnails/35.jpg)
Learning From The Breakers
http://www.irongeek.com
Hacking Illustrated: Video from Security Conferences