2. OWASP TOP 10
• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication & Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
3. Injection
• SQL, OS and LDAP injection occur when untrusted
data is sent to an interpreter as part of a
command or query
• Untrusted data:
– Integrity is not verifiable
– Intent may be malicious
– Manual user input
– Implicit user input
– Constructed user input
4. OWASP Matrix
• Threat Agents: anyone who can send data to the system
• Attack Vectors (Exploitability: EASY): attacker sends simple text-based attacks that exploit the syntax of the interpreter.
• Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): very prevalent, particularly in legacy code; often found in SQL and LDAP queries, OS commands and program arguments.
• Technical Impacts (Impact: SEVERE): can result in data loss or corruption, lack of accountability or denial of access.
• Business Impact: business value of the affected data.
6. CROSS SITE SCRIPTING
• Most commonly exploited vulnerability
• WhiteHat Security report: 65% of sites with XSS
vulnerability
• Sending data to a browser without proper
validation and escaping
• Allows executing scripts in the victim’s browser
– Hijack user sessions
– Redirect to malicious sites
• Exposes an attack vector from the database
7. XSS Matrix
• Threat Agents: anyone who can send untrusted data to the system
• Attack Vectors (Exploitability: AVERAGE): attacker sends simple text-based attacks that exploit the syntax of the interpreter.
• Security Weakness (Prevalence: WIDESPREAD, Detectability: EASY): most prevalent web application security flaw. 3 types: 1: Stored, 2: Reflected, 3: DOM Based
• Technical Impacts (Impact: MODERATE): attacker can execute script in the victim’s browser: session hijacking, inserting hostile content, using malware etc.
• Business Impact: business value of the affected data.
9. XSS Prevention Rule #0
• Never Insert Untrusted Data Except in Allowed
Locations
<script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a
script
<!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment
<div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name
<NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name
<style>...NEVER PUT UNTRUSTED DATA HERE...</style> directly in CSS
10. XSS Prevention Rule #1
• HTML Escape Before Inserting Untrusted Data
into HTML Element Content
<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>
<div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>
any other normal HTML elements
• & --> &amp;
• < --> &lt;
• > --> &gt;
• " --> &quot;
• ' --> &#x27;
• / --> &#x2F;
11. XSS Prevention Rule #2
• Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div> inside UNquoted attribute
<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div> inside single quoted attribute
<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div> inside double quoted attribute
12. XSS Prevention Rule #3
• JavaScript Escape Before Inserting Untrusted Data
into JavaScript Data Values
<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script> inside a quoted string
<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script> one side of a quoted expression
<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"></div> inside quoted event handler
13. XSS Prevention Rule #4
• CSS Escape And Strictly Validate Before
Inserting Untrusted Data into HTML Style
Property Values
<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style> property value
<style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style> property value
<span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">text</span> property value
14. XSS Prevention Rule #5
• URL Escape Before Inserting Untrusted Data
into HTML URL Parameter Values
<a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>
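Rules #1 to #5 above each name a different output context with its own escaping. The following is an added example, not the deck’s code nor the AntiXSS library: one encoder per rule, with the character sets taken from the rules as stated (HTML entities for element content, &#xHH; for attributes, \xHH for JavaScript strings, a padded CSS hex escape for style values, percent-encoding for URL parameters).

```python
from urllib.parse import quote

# Rule #1: entity-encode the six characters listed for HTML element content.
_HTML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
                  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}

def html_escape(s):
    return "".join(_HTML_ENTITIES.get(ch, ch) for ch in s)

def _is_alnum_ascii(ch):
    return ch.isascii() and ch.isalnum()

# Rule #2: inside an attribute value escape every non-alphanumeric character
# as &#xHH; so the value can never close the attribute or the tag, which is
# what makes it safe even in the UNquoted case.
def attr_escape(s):
    return "".join(ch if _is_alnum_ascii(ch) else "&#x%X;" % ord(ch) for ch in s)

# Rule #3: inside a quoted JavaScript string use \xHH (or \uHHHH above 255)
# so the value cannot end the string literal or the enclosing script block.
def js_escape(s):
    out = []
    for ch in s:
        if _is_alnum_ascii(ch):
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append("\\u%04X" % ord(ch))
    return "".join(out)

# Rule #4: CSS hex escape padded to six digits, so no terminating space is
# needed and a following hex digit cannot be absorbed into the escape.
def css_escape(s):
    return "".join(ch if _is_alnum_ascii(ch) else "\\%06X" % ord(ch) for ch in s)

# Rule #5: percent-encode a value placed in a URL query parameter (safe="" so
# that "/" and friends are encoded too, not just spaces).
def url_escape(s):
    return quote(s, safe="")

if __name__ == "__main__":
    sample = 'it\'s <b>"ok"</b> & done'   # constructed untrusted input
    for fn in (html_escape, attr_escape, js_escape, css_escape, url_escape):
        print(fn.__name__, "->", fn(sample))
```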
15. XSS Prevention Rule #6
• Use an HTML Policy engine to validate or clean
user-driven HTML in an outbound way
• AntiXSS
17. Defining Broken Authentication
• Authentication and session management
functions not implemented correctly
• Allow attackers to compromise passwords,
keys, session tokens
18. Broken Authentication Matrix
• Threat Agents: external attackers, internal users trying to steal accounts from others
• Attack Vectors (Exploitability: AVERAGE): attackers use leaks or flaws in the auth or session management functions
• Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): custom authentication and session management schemes. Hard to find flaws.
• Technical Impacts (Impact: SEVERE): allow some or all accounts to be attacked.
• Business Impact: business value of the affected data.
19. Anatomy of Broken Authentication
• Session IDs in the URL
– Cookieless session state
• Hijacking can still occur without IDs in the URL (via
executed XSS flaws)
• HttpOnly Cookies
• Use ASP.NET Membership & Role Providers
20. Session Fixation
• Do not accept session identifiers from GET / POST
variables
• Use identity confirmation
• Store session identifiers in cookies
• Regenerate SID on each request
• Accept only server-generated SIDs
• Logout function
• Time-out old SIDs
• Destroy session if Referrer is suspicious
• Verify that additional information is consistent
– User Agent
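The session fixation measures above, as an added example (not the deck’s code and not ASP.NET session state): a server-side store that only honours IDs it minted itself, times out idle sessions, destroys a session whose User-Agent changes, and regenerates the SID at login. The deck’s stricter "regenerate on each request" would apply the same rotation inside every resolve; the 15-minute timeout is a constructed value.

```python
import secrets
import time

SESSION_TTL = 15 * 60   # constructed idle timeout in seconds

def _now(now):
    return time.time() if now is None else now

class SessionStore:
    """Server-side session table; only IDs minted here are ever honoured."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_agent, now=None):
        # The server generates the SID with a CSPRNG and sends it in a cookie.
        # A SID arriving in a GET/POST variable is never inserted here, so a
        # value chosen by someone else can never resolve to a session.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "ua": user_agent, "last_seen": _now(now)}
        return sid

    def resolve(self, sid, user_agent, now=None):
        now = _now(now)
        data = self._sessions.get(sid)
        if data is None:
            return None                 # unknown or client-invented SID
        if now - data["last_seen"] > SESSION_TTL:
            self.destroy(sid)           # time-out old SIDs
            return None
        if data["ua"] != user_agent:
            self.destroy(sid)           # additional information (User-Agent) inconsistent
            return None
        data["last_seen"] = now
        return data

    def login(self, old_sid, user, user_agent, now=None):
        # Regenerate the SID when privilege changes: the pre-login identifier
        # is retired, so a fixated SID never becomes an authenticated session.
        self.destroy(old_sid)
        new_sid = self.create(user_agent, now)
        self._sessions[new_sid]["user"] = user
        return new_sid

    def destroy(self, sid):
        # Logout function; the fail-closed paths in resolve() end up here too.
        self._sessions.pop(sid, None)
```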
22. Defining insecure direct object
reference
• Data being unintentionally disclosed
• Exposing a reference to an internal object, file,
directory or database key
23. IDOR Matrix
• Threat Agents: users of the system, having partial access to system data.
• Attack Vectors (Exploitability: AVERAGE): simple parameter modification
• Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): applications use the actual name or key value of an object. Authorization is not verified.
• Technical Impacts (Impact: SEVERE): compromise all data that can be referenced.
• Business Impact: business value of the affected data.
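The weakness in the matrix above ("actual key value of an object, authorization is not verified"), as an added example rather than code from the deck: the unchecked lookup beside one that verifies ownership on every access and records denied attempts, which is the signal a defender watches for. The invoice table and the audit list are constructed.

```python
# Constructed data: the integer keys are the internal database references
# that the vulnerable pattern exposes in the request and trusts on the way back.
INVOICES = {
    101: {"owner": "alice", "total": 120.0},
    102: {"owner": "bob", "total": 80.0},
}

DENIED_ACCESS_LOG = []   # constructed audit trail: who asked for what they do not own

def get_invoice_direct(requested_id, current_user):
    # Weakness from the matrix: the actual key value is used and authorization
    # is never verified, so simple parameter modification walks the id space
    # and reads other users' records.
    return INVOICES.get(requested_id)

def get_invoice_checked(requested_id, current_user):
    # Same direct key, but ownership is verified on every access.
    inv = INVOICES.get(requested_id)
    if inv is None:
        return None
    if inv["owner"] != current_user:
        # Record the attempt: one user cycling through ids stands out here.
        DENIED_ACCESS_LOG.append({"user": current_user, "invoice": requested_id})
        return None      # answer "not found" so existence is not leaked either
    return inv
```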
25. Defining Cross Site Request Forgery
• Tricking the user into inadvertently issuing an
HTTP request to a site
– Confused deputy problem
• Sends:
– Session cookie
– Authentication information
• Victim needs to be logged on
26. CSRF Matrix
• Threat Agents: anyone who can trick your users into submitting a request to your site
• Attack Vectors (Exploitability: AVERAGE): creates forged HTTP request via image tags, XSS
• Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): browsers send credentials like authentication cookies automatically, so attackers can create malicious web pages that generate forged requests.
• Technical Impacts (Impact: SEVERE): attackers can change any data the victim is allowed to change
• Business Impact: business value of the affected data.
27. CSRF Prevention
• Prevention measures that don’t work:
– Using a secret cookie
– Only accepting POST requests
– Multi-step transactions
– URL Rewriting
28. CSRF Prevention
• Synchronizer Token Pattern
• ViewState
– ViewStateUserKey = Session.SessionID
• Double submit cookies
– Header
– Hidden form value
• .NET CSRF Guard
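The two working measures above, Synchronizer Token Pattern and double submit cookies, as an added example (not the deck’s code, not ViewState and not .NET CSRF Guard): a per-session token issued by the server and checked with a constant-time compare, and the cookie-versus-form-field check for the double-submit variant. The request dict is a constructed stand-in for an HTTP POST.

```python
import hmac
import secrets

class CsrfGuard:
    """Synchronizer Token Pattern: one secret token per server-side session."""

    def __init__(self):
        self._tokens = {}   # session id -> token (constructed in-memory store)

    def issue(self, session_id):
        # Generated with a CSPRNG and embedded as a hidden form value or
        # request header; a cross-site page cannot read it.
        token = secrets.token_hex(32)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        return hmac.compare_digest(expected, submitted)   # constant-time compare

def double_submit_ok(cookie_token, form_token):
    # Double submit cookies: the same token must arrive in a cookie and in the
    # form field / header. The browser attaches the cookie automatically, but a
    # forged request from another origin cannot copy it into the form.
    if not cookie_token or not isinstance(form_token, str):
        return False
    return hmac.compare_digest(cookie_token, form_token)

def handle_transfer(guard, request):
    # request: constructed dict with the session id and posted form fields.
    if not guard.verify(request["session_id"], request["form"].get("csrf_token")):
        return 403   # reject the state change before touching any data
    return 200
```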
30. Defining Insecure Cryptographic Storage
• Protection of sensitive data
• Threat Agents: users of the system
• Attack Vectors (Exploitability: DIFFICULT): attackers don’t break the crypto. They find keys, get clear text copies of data.
• Security Weakness (Prevalence: UNCOMMON, Detectability: DIFFICULT): common flaw is not encrypting data. Unsafe key generation, storage of keys, weak algorithms.
• Technical Impacts (Impact: SEVERE): compromises all data that should have been encrypted.
• Business Impact: business value of the affected data.
31. Questions
• Is the right data encrypted?
• Are the keys protected?
• Is the source data exposed by other
interfaces?
• Is the hashing weak?
32. Encryption, hashing, salting
• Encryption: Transforming text into an illegible
format that can only be deciphered with a
‘key’
• Hashing: Creating a one way digest that
cannot be converted back.
• Salting: Adding a random string to input text
before hashing to add unpredictability to the
process.
33. MD5, SHA, DES, AES
• MD5: Common, not collision resistant.
• SHA: Secure Hash Algorithm, most popular (not the
most secure)
• DES: Data Encryption Standard, insecure.
• AES: Advanced Encryption Standard, common.
34. Symmetric / Asymmetric Encryption
• Symmetric Encryption
– Uses same key to both encrypt and decrypt.
– Same algorithm can be applied to reverse
encryption
• Asymmetric Encryption
– Different keys for encryption / decryption
35. Key Management
• Keep keys unique
• Protect the keys
• Always store keys away from data
• Keys should have a defined lifecycle
36. Cryptographic Cheat Sheet
• Only store sensitive data you need
• Only use strong crypto algorithms (AES, RSA)
• Ensure that random numbers are
cryptographically strong
• Only use widely accepted implementations of
cryptographic algorithms
• Store the hashed and salted value of passwords
• Ensure that any secret key is protected from
unauthorized access
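The cheat sheet’s "store the hashed and salted value of passwords" and "random numbers must be cryptographically strong", plus the earlier definition of salting, as an added example (not the deck’s code): a per-user salt from the OS CSPRNG, an iterated PBKDF2-HMAC-SHA256 digest, constant-time verification, and the unsalted MD5 digest beside it as the weak "before". The iteration count is a constructed work factor.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 210_000   # constructed work factor; raise it as hardware gets faster

def hash_password(password, salt=None):
    # Salt from the OS CSPRNG; a fresh salt per user means two users with the
    # same password get different stored values, and precomputed tables fail.
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Self-describing record: algorithm, iterations, salt and digest travel together
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)   # constant-time

def weak_md5(password):
    # Unsalted single-pass MD5: identical passwords give identical digests and
    # the digest alone lets a table lookup recover them. Shown only as the "before".
    return hashlib.md5(password.encode()).hexdigest()
```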
40. Suggestions
• Leverage roles in preference to individual
users
• Apply principal permissions
– [PrincipalPermission] attribute
• Protect web services and async calls
• Leverage IIS 7 Integrated pipeline
• Do not roll your own security model
Editor's notes
Implicit user input: Request headers
Constructed user input: Query string variables