Slides from my talk - Essential security measures in ASP.NET MVC . More info on - https://hryniewski.net/essential-security-measures-in-asp-net-mvc-resources-for-talk/
17. Injection – Are you vulnerable?
• Do you concatenate strings in order to build database queries
or OS commands?
• Does your ORM protect you from injection?
• Do you validate internal and external inputs?
18. Injection - Example
// Vulnerable: the request value is concatenated straight into the query text,
// so a quote character in productName changes the SQL that gets executed.
var productName = "userInput"; // comes from the request
var sql = "SELECT * FROM [dbo].[Products] WHERE [Name] = '"
          + productName + "'";
19. Injection - Example
// Safe: the value travels as a parameter, so it is always data, never SQL text.
// ctx is an Entity Framework DbContext; SqlParameter comes from System.Data.SqlClient.
var productName = "userInput"; // comes from the request
var sql = "SELECT * FROM [dbo].[Products] WHERE [Name] = @productName";
var result = ctx.Database.SqlQuery<Product>(sql,
                 new SqlParameter("productName", productName))
             .ToList();
20. Injection – Dos and don’ts
Do
• Validate inputs
• Whitelist inputs
• Use named parameters
• Use parametrized functions
and procedures
Don’t
• Trust external inputs
• Trust internal inputs
• Concatenate dynamic queries
and commands
• Use privileged accounts in
connection strings
23. Broken authentication – are you vulnerable?
• Do you have any brute force protection on the sign-in form?
• Do you indicate that an account exists when someone posts a wrong
password?
• Is it possible to steal your session token? Does EVERY request
go through HTTPS?
• Are your session cookies protected with the secure flag?
• Do you use multi-factor authentication?
• How long is your session timeout?
24. Broken authentication – Dos and don’ts
Do
• Require strong passwords
• Use Multi Factor
Authentication
• Check if password was
present in any data leak
(haveibeenpwned.com)
• Log and monitor
authentication failures
Don’t
• Allow for infinite sign in
attempts
• Send or display passwords in
any way
• Use long session timeouts
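An added example (not from the slides) of the Do/Don't list above applied to an ASP.NET MVC 5 Identity login action: lockout after a few failures, one generic message for every failure outcome, and a logged warning for monitoring. It assumes the types generated by the default MVC 5 Identity template (ApplicationUserManager, SignInManager, LoginViewModel, RedirectToLocal); the attempt count and lockout time are illustrative values.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity.Owin;

// 1) In App_Start/IdentityConfig.cs, inside ApplicationUserManager.Create(...)
//    (default MVC 5 Identity template, assumed): turn on account lockout so a
//    guessing run against one account is throttled on the server.
//
//    manager.UserLockoutEnabledByDefault = true;
//    manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(15);
//    manager.MaxFailedAccessAttemptsBeforeLockout = 5;

// 2) In the template's AccountController (SignInManager property and
//    RedirectToLocal helper come from the template):
public class AccountController : Controller
{
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        // shouldLockout: true makes a wrong password count towards the lockout.
        var result = await SignInManager.PasswordSignInAsync(
            model.Email, model.Password, model.RememberMe, shouldLockout: true);

        switch (result)
        {
            case SignInStatus.Success:
                return RedirectToLocal(returnUrl);

            case SignInStatus.RequiresVerification:
                return RedirectToAction("SendCode",
                    new { ReturnUrl = returnUrl, RememberMe = model.RememberMe });

            case SignInStatus.LockedOut:
            case SignInStatus.Failure:
            default:
                // Unknown user, wrong password and locked account all get the same
                // answer, so the form never confirms that an account exists.
                Trace.TraceWarning("Failed sign-in for '{0}' from {1}",
                    model.Email, Request.UserHostAddress);
                ModelState.AddModelError("", "Invalid login attempt.");
                return View(model);
        }
    }
}
```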
26. Sensitive Data Exposure
Photo: https://memegenerator.net/instance/74308018/what-if-i-told-you-what-if-i-told-you-ill-never-stop-talking-about-sensitive-data
27. Sensitive Data Exposure – are you vulnerable?
• Can any request be made without encryption?
• Do you store any sensitive and not encrypted data?
• Do you use obsolete and weak cryptography algorithms?
28. Sensitive Data Exposure – Dos and don’ts
Do
• Use HTTPS and HSTS
• Encrypt sensitive data
• Identify which data should be
considered sensitive
Don’t
• Store and/or send sensitive
data in plain text
• Allow for non-SSL browsing
• Use weak encryption
algorithms (SHA1 etc.)
29. XML External Entities
Photo: https://dev.to/rionmonster/hello-xml-my-old-friend-ive-come-to-encode-you-again-3iip
30. XML External Entities – are you vulnerable?
• Do you use XML at all?
• Do you sanitize your inputs?
• Do you use whitelists for input validations?
31. XML External Entities – Dos and don’ts
Do
• Use HTTPS and HSTS
• Encrypt sensitive data
• Know which data should be
considered sensitive
Don’t
• Store and/or send sensitive
data in plain text
• Allow for non-SSL browsing
• Use weak encryption
algorithms (SHA1 etc.)
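For the XML questions on slide 30, an added example (not from the slides) of how untrusted XML can be parsed in .NET without external entity resolution: DTDs are refused outright and no resolver is available to the parser. The class and method names are made up.

```csharp
using System.IO;
using System.Xml;

public static class SafeXml
{
    // Settings for any XmlReader that sees untrusted input: no DOCTYPE at all
    // (so no entity declarations, internal or external) and no resolver, so
    // nothing is ever fetched from disk or the network while parsing.
    private static readonly XmlReaderSettings Settings = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null
    };

    public static XmlDocument Load(Stream untrusted)
    {
        // XmlDocument carries its own resolver; null it too, so a document that
        // reaches this object through another code path still cannot fetch
        // external resources.
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(untrusted, Settings))
        {
            doc.Load(reader); // throws XmlException on any <!DOCTYPE ...>
        }
        return doc;
    }
}
```

Treat the XmlException as a rejected request: a DOCTYPE in input that your application never needs is itself worth logging.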
33. Broken Access Control – are you vulnerable?
• Are you checking permissions at all?
• Do you handle permissions on frontend?
• Can you access endpoints you shouldn’t by modifying URLs or
cookies?
34. Broken Access Control – Dos and don’ts
Do
• Use role based access
control
• Handle permissions on
server-side
• Always check if someone is
allowed to do something
Don’t
• Think someone will never
guess your unsecured admin
route
• Allow unauthorized users to
change application state
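An added example (not from the slides) of the server-side checks listed above in an MVC 5 controller. It assumes an Entity Framework context ApplicationDbContext with an Orders set, and an Order class with Id, OwnerId and Cancelled properties; the controller and routes are invented.

```csharp
using System.Linq;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Every action here requires a signed-in user; hiding a menu entry on the
// frontend is not a permission check.
[Authorize]
public class OrdersController : Controller
{
    private readonly ApplicationDbContext ctx = new ApplicationDbContext(); // assumed EF context

    // GET /Orders/Details/42 - the id is under the client's control, so the
    // owner is part of the query rather than a check bolted on afterwards.
    public ActionResult Details(int id)
    {
        var order = FindOwnOrder(id);
        if (order == null)
            return HttpNotFound(); // same answer for "no such order" and "not yours"
        return View(order);
    }

    // POST /Orders/Cancel/42 - a state change: CSRF-protected and
    // ownership-checked again on the server before anything is modified.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Cancel(int id)
    {
        var order = FindOwnOrder(id);
        if (order == null)
            return HttpNotFound();
        order.Cancelled = true;
        ctx.SaveChanges();
        return RedirectToAction("Details", new { id });
    }

    // Admin-only listing: the role is enforced by the attribute on the server,
    // so guessing /Orders/All yields a 401 and the login redirect, not the data.
    [Authorize(Roles = "Admin")]
    public ActionResult All()
    {
        return View(ctx.Orders.ToList());
    }

    private Order FindOwnOrder(int id)
    {
        var userId = User.Identity.GetUserId();
        return ctx.Orders.SingleOrDefault(o => o.Id == id && o.OwnerId == userId);
    }
}
```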
37. Security Misconfiguration – are you vulnerable?
• Do you have any default accounts active?
• Is it possible to see errors and stack traces in your application
when an exception happens?
• Have you disabled security features because they were
annoying and/or inconvenient?
• Does your application use any security headers?
38. Security Misconfiguration – Dos and don’ts
Do
• Remove or change any
default credentials
• Use accounts with least
needed privileges
• Use security headers
• Configure and turn on
framework/server/etc.
security features
Don’t
• Use the same credentials on
test, dev and prod
environments
• Install or turn on any features
you don’t need
• Reveal error messages and
sensitive system information
• Remove security features
because they bother you
47. XSS – are you vulnerable?
• Does your application return values like "Results for phrase X"?
• Do you store text with HTML tags for display purposes?
• Can I upload an SVG file to your system, and will it render it?
• Do you sanitize your inputs?
48. XSS – Dos and don’ts
Do
• Sanitize/escape untrusted
inputs
• Use Content Security Policy
header
• Use X-XSS-Protection header
• Use HTTPOnly flag on
sensitive cookies that
shouldn’t be used by JS
Don’t
• Allow users to upload SVG
files; if necessary, sanitize
them.
• Render user-provided,
HTML-formatted strings
• Return ContentType
text/html if it's JSON
49. XSS – Stored XSS
The case where you store insecure values in some kind of persistent
storage and render them afterwards (e.g. comments)
50. XSS – Reflected XSS
The case where you return and render some kind of user input back
(e.g. search results for phrase: '<script>alert("XSS")</script>')
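An added example (not from the slides) of the reflected case just described in an MVC 5 controller, with the hardened variants from the XSS Do/Don't list: HTML-encoded output, JSON served with its own content type, and an HttpOnly cookie. The controller, action and cookie names are invented.

```csharp
using System.Web;
using System.Web.Mvc;

public class SearchController : Controller
{
    // The reflected case from the slide: the phrase goes back into HTML untouched,
    // so markup in the query string becomes markup in the page.
    public ActionResult ResultsUnsafe(string phrase)
    {
        return Content("<h2>Search results for phrase: " + phrase + "</h2>", "text/html");
    }

    // Hardened: encode for the HTML context before the value reaches the page.
    // Razor's @Model.Phrase does the same automatically; @Html.Raw does not.
    public ActionResult Results(string phrase)
    {
        var safe = HttpUtility.HtmlEncode(phrase ?? string.Empty);
        return Content("<h2>Search results for phrase: " + safe + "</h2>", "text/html");
    }

    // API variant: let Json() set application/json. Returning the same data as
    // text/html would let a browser render any markup inside the values.
    public ActionResult ResultsJson(string phrase)
    {
        return Json(new { phrase }, JsonRequestBehavior.AllowGet);
    }

    // Cookies that page scripts never need get HttpOnly (and Secure, since the
    // site is HTTPS-only), so a script that does slip in cannot read them.
    private void SetPreferenceCookie(string value)
    {
        Response.Cookies.Add(new HttpCookie("prefs", value) { HttpOnly = true, Secure = true });
    }
}
```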
53. Insecure Deserialization – are you vulnerable?
• Can you change sensitive application state or behavior (e.g.
authorization) by sending a modified serialized value?
• Can you modify the type into which an object will be deserialized?
• Do you validate field types after deserialization?
54. Insecure Deserialization – Dos and don’ts
Do
• Validate inputs
• Keep important data on the
backend
Don’t
• Send and receive mutable,
sensitive data.
• Compile and execute
received code on server side
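An added example (not from the slides) for the deserialization questions and Do/Don't list above. It assumes the request body is JSON handled with Json.NET (Newtonsoft.Json) and an invented CartItem model: the client cannot choose the target type, field values are re-checked after deserialization, and the price never travels in the payload.

```csharp
using Newtonsoft.Json;

public class CartItem
{
    public int ProductId { get; set; }
    public int Quantity { get; set; }
    // No Price property: the price is looked up on the server, never trusted
    // from the payload ("keep important data on the backend").
}

public static class CartItemParser
{
    private static readonly JsonSerializerSettings SafeSettings = new JsonSerializerSettings
    {
        // Never let a "$type" property in the incoming JSON choose the CLR type
        // that gets instantiated; always deserialize into exactly CartItem.
        // None is Json.NET's default, stated here so nobody "fixes" it later.
        TypeNameHandling = TypeNameHandling.None
    };

    // Returns null for anything that should be answered with 400 Bad Request.
    public static CartItem Parse(string json)
    {
        CartItem item;
        try
        {
            item = JsonConvert.DeserializeObject<CartItem>(json, SafeSettings);
        }
        catch (JsonException)
        {
            return null; // malformed JSON or a value that is not an int
        }

        // The serializer only guarantees the fields parsed as ints; the business
        // rules are validated here, after deserialization (slide 53).
        if (item == null || item.ProductId <= 0 || item.Quantity < 1 || item.Quantity > 100)
            return null;
        return item;
    }
}
```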
55. Using Components with Known Vulnerabilities
Photo: https://devrant.com/rants/760537/heaviest-objects-in-the-universe
56. Using Components with Known Vulnerabilities –
are you vulnerable?
• Did you ever check your components against vulnerabilities?
• Do you use updated libraries and frameworks?
• Do you use automated tools for checking components you’re
using?
• Do you know EXACTLY what ALL the dependencies of your
application are?
57. Using Components with Known Vulnerabilities –
Dos and don’ts
Do
• Use automated tools like
retire.js
• Always look for vulnerabilities
in stuff you install
• Perform regular updates
Don’t
• Ignore new versions of
libraries you’re using
• Use obsolete components
58. Using Components with Known Vulnerabilities –
not scary?
Screenshot: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2017/3214296
60. Insufficient Logging & Monitoring – are you
vulnerable?
• Will you know when someone tries to brute-force your users'
passwords?
• Do you use any kind of anomaly detection?
• Do you need to read your logs to find out about attempts to
breach your security, or will you receive an instant alert?
61. Insufficient Logging & Monitoring – Dos and don’ts
Do
• Log any potential security
breaches or even attempts
• Use alerts
• Detect anomalies
Don’t
• Just store logs
• Wait for someone to read
gigabytes of logs
62. But it’s all simple stuff so far…
Screenshot: https://stackoverflow.com/questions/43249998/chrome-err-blocked-by-xss-auditor-details#
63. …and yet there’s still a lot of vulnerable
applications out there
Screenshot: https://stackoverflow.com/questions/43249998/chrome-err-blocked-by-xss-auditor-details#
64. Breaking stuff is easy because we haven’t made it
hard enough
Photo: http://www.dumpaday.com/funny-pictures/funny-i-dont-even-know-what-im-doing-30-pics/
67. HTTP Strict Transport Security – Why?
• So, all your HTTP requests are redirected to HTTPS?
• But the first one is still not secure.
68. HTTP Strict Transport Security – what?
• It has great browser support and comes with preload list.
• All it takes is making your site secure and adding the Strict-
Transport-Security header
• You can submit your site to the preload list manually at
https://hstspreload.org
72. Content-Security-Policy
• A lot of various directives, e.g. whitelisting script or style file
sources, upgrading insecure URLs, hiding the referrer, etc.
• Allows reporting CSP violations via HTTP request
• Directives reference - https://content-security-policy.com
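An added example (not from the slides) that puts the HSTS and CSP slides together in one MVC 5 global filter, plus the endpoint that receives the violation reports. The filter and controller names, the one-year max-age and the cdn.example.com source are illustrative choices.

```csharp
using System.IO;
using System.Diagnostics;
using System.Web.Mvc;

// Registered once in App_Start/FilterConfig.cs:
//   filters.Add(new RequireHttpsAttribute());   // redirect plain HTTP to HTTPS
//   filters.Add(new SecurityHeadersAttribute()); // then pin the browser to HTTPS
public class SecurityHeadersAttribute : ActionFilterAttribute
{
    // One year, all subdomains, eligible for hstspreload.org (which requires
    // max-age >= 31536000, includeSubDomains and preload).
    private const string Hsts = "max-age=31536000; includeSubDomains; preload";

    // Explicit whitelist of script/style/image sources, plus upgrade and reporting.
    private static readonly string Csp = string.Join("; ", new[]
    {
        "default-src 'self'",
        "script-src 'self' https://cdn.example.com",
        "style-src 'self'",
        "img-src 'self' data:",
        "upgrade-insecure-requests",
        "report-uri /CspReport"
    });

    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        var response = filterContext.HttpContext.Response;
        // Browsers ignore HSTS received over plain HTTP; only emit it on TLS responses.
        if (filterContext.HttpContext.Request.IsSecureConnection)
            response.AppendHeader("Strict-Transport-Security", Hsts);
        response.AppendHeader("Content-Security-Policy", Csp);
        base.OnResultExecuting(filterContext);
    }
}

// Receives the JSON violation reports browsers POST to report-uri, so CSP
// breakage (or an injection attempt) shows up in the logs instead of silently.
[AllowAnonymous]
public class CspReportController : Controller
{
    [HttpPost]
    public ActionResult Index()
    {
        string report;
        using (var reader = new StreamReader(Request.InputStream))
            report = reader.ReadToEnd();
        Trace.TraceWarning("CSP violation report: {0}", report);
        return new HttpStatusCodeResult(204);
    }
}
```

Roll the policy out with Content-Security-Policy-Report-Only first: the same report endpoint tells you what would break before anything is blocked.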
76. Application Security Verification Standard - ASVS
• ASVS on OWASP site
• 3 levels
• Also has versions for mobile apps, IoT
• Basically a big checklist
77. Some tools
• Kali Linux
• W3af
• Zed Attack Proxy
• Sqlmap
• XSS Rays (browser extension)