Don’t get Stung
(An introduction to the OWASP Top Ten Project)

             Barry Dorrans
        MVP – Developer Security
Contents
• OWASP Top Ten
• http://www.owasp.org
• A worldwide free and open community
  focused on improving the security of
  application software
Introduction
• Do not try this at home. Or at work.
• These are not just ASP.NET vulnerabilities
• If you don’t want to ask public questions ...

  barryd@idunno.org / http://idunno.org
10 – Failure to restrict URI access
Failure to restrict URI access
•   Security by obscurity is useless
•   Restrict via ASP.NET
•   Integrated pipeline restricts everything
•   Use [PrincipalPermission] to protect yourself
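Added example, not from the slides: the two layers the slide asks for, a web.config authorization rule for the URL and a [PrincipalPermission] demand on the code itself, so the check still holds if the page is reached some other way. The "Administrators" role, the /Admin path and the UserAdministration class are hypothetical; the demo principals stand in for what ASP.NET sets on the thread after authentication.

```csharp
// Layer 1 (web.config, restricting the path rather than hiding it):
//   <location path="Admin">
//     <system.web>
//       <authorization>
//         <allow roles="Administrators" />
//         <deny users="*" />
//       </authorization>
//     </system.web>
//   </location>
// Under the IIS7 integrated pipeline this rule also covers static files and
// non-ASP.NET handlers below /Admin; in classic mode only requests mapped
// to ASP.NET are checked.
//
// Layer 2 (code): a declarative demand that runs before the method body.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public class UserAdministration
{
    // The CLR checks Thread.CurrentPrincipal for the role before the body
    // executes and throws SecurityException if the role is missing. ASP.NET
    // copies HttpContext.Current.User onto the thread once authentication has
    // run, so in a page this is the logged-in user and its roles.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public void DeleteUser(string userName)
    {
        Console.WriteLine("deleting " + userName);   // real work would go here
    }
}

public static class Demo
{
    // Returns a short outcome string so callers can see which path was taken.
    public static string TryDelete(UserAdministration admin, string userName)
    {
        try
        {
            admin.DeleteUser(userName);
            return "deleted";
        }
        catch (SecurityException)
        {
            // Log it; show the user a generic message, never the exception text.
            return "access denied";
        }
    }

    public static void Main()
    {
        var admin = new UserAdministration();

        // Constructed principals standing in for authenticated users.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "Administrators" });
        Console.WriteLine(Demo.TryDelete(admin, "bob"));

        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("mallory"), new string[0]);
        Console.WriteLine(Demo.TryDelete(admin, "bob"));
    }
}
```

The attribute works against whatever principal is on the thread, which is why it is useful outside page code too (web services, business layer); the web.config rule alone only protects URLs that ASP.NET gets to see.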
9 – Insecure Communications
Insecure Communications
• Use SSL
• Protect communications between the web
  server and backend systems (SSL, IPSEC etc.)
• Replay attacks
8 – Insecure Cryptographic Storage
Insecure Cryptographic Storage
• Symmetric – same key
• Asymmetric – public/private keys
• Use safe algorithms:
  – Hashing: SHA256
  – Symmetric: AES
  – Asymmetric: CMS/PKCS#7
• Encrypt then sign
Insecure Cryptographic Storage
• Use symmetric when
  – All systems are under your control
  – No need to identify who did the encryption
• Use asymmetric when
  – Talking/accepting from external systems
  – Non-repudiation on who encrypted/signed (X509)
  – All in memory!
• Combine the two for speed and security
Insecure Cryptographic Storage
•   Do not reuse keys for different purposes
•   Store keys outside the main database
•   Use CryptGenRandom for random numbers
•   Use & rotate salts
•   Use unique IVs
•   DPAPI can provide a key store
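Added example, not from the slides, covering the two Insecure Cryptographic Storage slides above: AES for confidentiality with a fresh random IV per message, a separate HMAC-SHA256 key for integrity (encrypt, then authenticate, and verify before decrypting, the symmetric form of "encrypt then sign"), keys drawn from the OS generator and wrapped with DPAPI so they can be kept outside the database. The SealedStorage class and its blob layout are this example's own design, not a library API; ProtectedData needs a reference to System.Security.dll.

```csharp
using System;
using System.Security.Cryptography;

public static class SealedStorage
{
    // One key per purpose: the AES key is never reused as the MAC key.
    public sealed class Keys
    {
        public byte[] EncryptionKey;   // 32 bytes for AES-256
        public byte[] MacKey;          // 32 bytes for HMAC-SHA256
    }

    public static Keys GenerateKeys()
    {
        var k = new Keys { EncryptionKey = new byte[32], MacKey = new byte[32] };
        using (var rng = new RNGCryptoServiceProvider())   // CryptGenRandom underneath
        {
            rng.GetBytes(k.EncryptionKey);
            rng.GetBytes(k.MacKey);
        }
        return k;
    }

    // Stored blob layout: IV (16) || ciphertext || HMAC-SHA256(IV || ciphertext) (32)
    public static byte[] Seal(Keys keys, byte[] plaintext)
    {
        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Key = keys.EncryptionKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                                   // unique IV for every message

            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            var body = new byte[16 + cipher.Length];
            Buffer.BlockCopy(aes.IV, 0, body, 0, 16);
            Buffer.BlockCopy(cipher, 0, body, 16, cipher.Length);

            byte[] tag;
            using (var hmac = new HMACSHA256(keys.MacKey))
                tag = hmac.ComputeHash(body);                   // MAC covers IV and ciphertext

            var blob = new byte[body.Length + tag.Length];
            Buffer.BlockCopy(body, 0, blob, 0, body.Length);
            Buffer.BlockCopy(tag, 0, blob, body.Length, tag.Length);
            return blob;
        }
    }

    public static byte[] Open(Keys keys, byte[] blob)
    {
        const int IvLen = 16, TagLen = 32;
        if (blob == null || blob.Length < IvLen + TagLen)
            throw new CryptographicException("Blob too short");
        int bodyLen = blob.Length - TagLen;

        // Check the tag first; a tampered blob is never handed to the cipher.
        byte[] expected;
        using (var hmac = new HMACSHA256(keys.MacKey))
            expected = hmac.ComputeHash(blob, 0, bodyLen);
        int diff = 0;                                           // constant-time compare
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[bodyLen + i];
        if (diff != 0)
            throw new CryptographicException("Authentication failed");

        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Key = keys.EncryptionKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            var iv = new byte[IvLen];
            Buffer.BlockCopy(blob, 0, iv, 0, IvLen);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen);
        }
    }

    // DPAPI wraps the raw key so it can sit in a file outside the database
    // that only this machine (or the app pool account) can unwrap.
    public static byte[] ProtectKey(byte[] key)
    {
        return ProtectedData.Protect(key, null, DataProtectionScope.LocalMachine);
    }

    public static byte[] UnprotectKey(byte[] wrapped)
    {
        return ProtectedData.Unprotect(wrapped, null, DataProtectionScope.LocalMachine);
    }
}
```

Round trip: `Open(keys, Seal(keys, data))` returns `data`; flipping any byte of the blob, IV or ciphertext included, makes `Open` throw before decryption is attempted. Use `DataProtectionScope.CurrentUser` instead of `LocalMachine` when the key should be readable only by the identity the application pool runs as.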
7 - Broken Authentication/Sessions
Broken Authentication/Sessions
• Don’t roll your own!
• Validate sessions on every request
  – Check the browser string
6 – Information Leakage
Information Leakage
•   Don’t show raw errors
•   Catch errors “properly”
•   Don’t upload PDBs or debug assemblies
•   Encrypt web.config parts
•   Encrypt ViewState
•   Watch your CSS!
•   For Ajax, UpdatePanels are more secure
•   Turn off meta data in web services
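Added example, not from the slides: an Application_Error handler in Global.asax.cs that keeps the exception detail in a server-side log and sends the user a generic page, with the matching web.config settings in the leading comment. The /Error.aspx page, the "/MyApp" virtual path and the ErrorLog class are hypothetical names.

```csharp
// Companion web.config settings, weak value on the left, production value on the right:
//   <customErrors mode="Off" />           ->  <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
//   <compilation debug="true" />          ->  <compilation debug="false" />
//   <pages enableViewStateMac="false" />  ->  <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
// <deployment retail="true" /> in machine.config forces the safe values on a
// production server whatever an individual web.config says.
// To encrypt a web.config section in place with DPAPI:
//   aspnet_regiis -pe "connectionStrings" -app "/MyApp"   (-pd reverses it)
using System;
using System.Diagnostics;
using System.Web;

public static class ErrorLog
{
    // Stack traces and messages belong in the log, never in the response.
    public static void Write(Exception ex)
    {
        Trace.TraceError("{0:u} unhandled: {1}", DateTime.UtcNow, ex);
    }
}

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        ErrorLog.Write(ex);

        // Clearing the error stops ASP.NET rendering its own error page
        // (which, with customErrors off, includes source and stack detail).
        Server.ClearError();
        Response.Redirect("~/Error.aspx", false);
    }
}
```

`customErrors mode="RemoteOnly"` still shows full detail to a browser on the server itself, which is convenient for developers and harmless only as long as nobody browses the production box locally.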
5 – Cross Site Request Forgery
Cross Site Request Forgery
• Lock ViewState using ViewStateUserKey
  – Needs a way to identify user
  – Set in Page_Init
• Use a CSRF token –
  http://anticsrf.codeplex.com
• Encourage users to log out
• GET requests must be idempotent
• When is a postback not a postback?
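Added example, not from the slides: a base page that sets ViewStateUserKey in OnInit, as the slide requires, and adds an explicit anti-CSRF token that every postback must carry. The session ID is used as the per-user value; the hidden field name and token scheme are this example's own, not the AntiCSRF module's.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

public class CsrfProtectedPage : Page
{
    private const string TokenField = "__csrfToken";
    private const string TokenSessionKey = "CsrfToken";

    protected override void OnInit(EventArgs e)
    {
        // Must happen in Page_Init/OnInit: the ViewState MAC is salted with
        // this value, so a form captured under one session fails validation
        // when it is submitted under another.
        if (Session != null)
            ViewStateUserKey = Session.SessionID;
        base.OnInit(e);
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (IsPostBack)
            VerifyToken();                     // every state-changing POST
        // Emit the token on every render so the next postback carries it.
        ClientScript.RegisterHiddenField(TokenField, GetOrCreateToken());
    }

    private string GetOrCreateToken()
    {
        var token = Session[TokenSessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider())
                rng.GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            Session[TokenSessionKey] = token;
        }
        return token;
    }

    private void VerifyToken()
    {
        var expected = Session[TokenSessionKey] as string;
        var submitted = Request.Form[TokenField];
        if (expected == null || submitted == null || !ConstantTimeEquals(expected, submitted))
        {
            // A forged request never reaches the event handlers.
            Response.StatusCode = 400;
            Response.End();
        }
    }

    // Compare every character so timing does not reveal how much matched.
    private static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Storing the token in session also pins the session ID, which ASP.NET otherwise regenerates on each request until something is written to session; without that, a ViewStateUserKey based on SessionID would change between render and postback. Pages derive from CsrfProtectedPage instead of Page and need no other change.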
4 – Insecure Direct Object Reference
Insecure Direct Object Reference
• Use indirect object references
• Always check access permissions
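Added example, not from the slides: the database key never reaches the browser; the page hands out a random per-session handle and resolves it back, and the data layer still checks that the current user owns the record, so either layer alone stops a tampered reference. ReferenceMap, Invoice and InvoiceService are hypothetical names and the invoice rows are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public class ReferenceMap
{
    private readonly Dictionary<string, int> _handleToId = new Dictionary<string, int>();
    private readonly Dictionary<int, string> _idToHandle = new Dictionary<int, string>();
    private readonly RandomNumberGenerator _rng = new RNGCryptoServiceProvider();

    // One instance per user session (e.g. kept in Session["refs"]).
    public string Handle(int realId)
    {
        string handle;
        if (_idToHandle.TryGetValue(realId, out handle)) return handle;
        var bytes = new byte[16];
        _rng.GetBytes(bytes);
        handle = BitConverter.ToString(bytes).Replace("-", "");
        _handleToId[handle] = realId;
        _idToHandle[realId] = handle;
        return handle;
    }

    // A handle this session never issued resolves to nothing.
    public bool TryResolve(string handle, out int realId)
    {
        return _handleToId.TryGetValue(handle ?? "", out realId);
    }
}

public class Invoice { public int Id; public string OwnerUserName; public decimal Amount; }

public class InvoiceService
{
    private readonly Dictionary<int, Invoice> _rows = new Dictionary<int, Invoice>();   // stand-in for a table

    public InvoiceService(IEnumerable<Invoice> rows)
    {
        foreach (var r in rows) _rows[r.Id] = r;
    }

    // Second line of defence: a valid id is still only served to its owner.
    public Invoice Load(int id, string currentUser)
    {
        Invoice inv;
        if (!_rows.TryGetValue(id, out inv) ||
            !string.Equals(inv.OwnerUserName, currentUser, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("No such invoice for this user");
        return inv;
    }
}

public static class Demo
{
    public static void Main()
    {
        var svc = new InvoiceService(new[] {
            new Invoice { Id = 1001, OwnerUserName = "alice", Amount = 120m },
            new Invoice { Id = 1002, OwnerUserName = "bob",   Amount = 75m },
        });
        var refs = new ReferenceMap();          // alice's session map
        string h = refs.Handle(1001);           // this is what goes into the URL

        int id;
        if (refs.TryResolve(h, out id))
            Console.WriteLine(svc.Load(id, "alice").Amount);

        // An unissued handle does not resolve; someone else's real id is
        // rejected by the ownership check even if it were known.
        Console.WriteLine(refs.TryResolve("0000", out id));
        try { svc.Load(1002, "alice"); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine(ex.Message); }
    }
}
```

The same "not found" error is returned whether the record is missing or belongs to someone else, so the response does not confirm which ids exist.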
3 – Malicious File Execution
Malicious File Execution
• Remove Scripting IIS permission
• Store outside of application root
• Never believe the MIME type for uploads
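Added example, not from the slides: an upload handler that stores files under a directory outside the application root, gives them a server-chosen name, and decides the type from the file's first bytes rather than the Content-Type header the browser sent. The store path and the accepted-type table are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Web;

public static class SafeUpload
{
    // Magic bytes per accepted type. HttpPostedFile.ContentType is supplied by
    // the client and is deliberately never consulted.
    private static readonly Dictionary<string, byte[]> Signatures = new Dictionary<string, byte[]>
    {
        { ".png", new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
        { ".jpg", new byte[] { 0xFF, 0xD8, 0xFF } },
        { ".gif", new byte[] { 0x47, 0x49, 0x46, 0x38 } },
        { ".pdf", new byte[] { 0x25, 0x50, 0x44, 0x46 } },
    };

    // Outside the web root, so IIS never serves or executes anything here directly.
    private const string StoreRoot = @"D:\UploadStore";   // hypothetical path

    // Returns the extension for a recognised signature, or null.
    public static string DetectType(byte[] head)
    {
        foreach (var kv in Signatures)
            if (head.Length >= kv.Value.Length && kv.Value.SequenceEqual(head.Take(kv.Value.Length)))
                return kv.Key;
        return null;
    }

    public static string Save(HttpPostedFile file)
    {
        if (file == null || file.ContentLength <= 0)
            throw new ArgumentException("Empty upload");

        var head = new byte[8];
        int read = file.InputStream.Read(head, 0, head.Length);
        file.InputStream.Position = 0;
        string ext = DetectType(head.Take(read).ToArray());
        if (ext == null)
            throw new InvalidDataException("Unsupported file content");

        // The client's filename (and any path in it) is discarded entirely.
        string storedName = Path.GetRandomFileName().Replace(".", "") + ext;
        file.SaveAs(Path.Combine(StoreRoot, storedName));
        return storedName;   // keep this in the database; serve it later through a handler
    }
}
```

Serving the file back goes through an ASP.NET handler that streams from StoreRoot and sets Content-Disposition, so the stored bytes are never reachable as a URL of their own. With the "Scripts" IIS permission removed from the site's upload-related directories, even a file that does end up under the root is returned as data rather than run.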
2 – Injection Flaws
Injection Flaws
• SQL
  – Use SQL parameters
  – Remove direct SQL table access
• Xpath
  – Use XsltContext
  – http://mvpxml.codeplex.com/
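Added example, not from the slides: the same lookup written the unsafe way and with SQL parameters, plus the stored-procedure form that goes with removing direct table access from the application's database login. The Users table, the GetUserEmail procedure and the sample name are constructed for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // UNSAFE: the value is pasted into the statement, so anything in it is
    // parsed as SQL. Kept only to show what the parameterised version replaces.
    public static string BuildUnsafeSql(string userName)
    {
        return "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
    }

    // SAFE: the value travels as a typed parameter and is never parsed as SQL.
    public static string FindEmail(SqlConnection conn, string userName)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandType = CommandType.Text;
            cmd.CommandText = "SELECT Email FROM Users WHERE UserName = @userName";
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            return cmd.ExecuteScalar() as string;
        }
    }

    // Same principle through a stored procedure. Pair it with a login that has
    // EXECUTE on the procedure and no SELECT/UPDATE on the tables themselves.
    public static string FindEmailViaProc(SqlConnection conn, string userName)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.CommandText = "dbo.GetUserEmail";
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            return cmd.ExecuteScalar() as string;
        }
    }

    public static void Main()
    {
        // A perfectly legitimate name is enough to show why concatenation is
        // wrong: the apostrophe ends the literal early and the statement no
        // longer parses. The parameterised versions take the same input as-is.
        Console.WriteLine(BuildUnsafeSql("O'Brien"));
    }
}
```

The XPath bullet follows the same rule: user input goes in as a variable resolved through an XsltContext (as the MVP XML library's DynamicContext does) rather than being concatenated into the expression string.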
1 – Cross Site Scripting
XSS
• <IMG SRC=javascript:alert('XSS')>
• <IMG SRC=JaVaScRiPt:alert('XSS')>
• <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
XSS
•   All input is evil
•   Work from white-lists not black-lists.
•   Store un-encoded data in your database
•   Use HttpOnly cookies
•   AntiXSS project http://antixss.codeplex.com
    – Better HTML/URL encoding
    – Adds HTML attribute, JavaScript, JSON and VBScript encoding
• XSS Cheat Sheet http://ha.ckers.org/xss.html
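Added example, not from the slides: store the raw value, encode it on output, and choose the encoder for the context it lands in, using the AntiXSS library's Microsoft.Security.Application.Encoder class (the 4.x API; 3.x releases expose the same static methods on the AntiXss class), plus an HttpOnly, Secure cookie. The markup fragments and the cookie name are constructed for the example.

```csharp
using System;
using System.Web;
using Microsoft.Security.Application;

public static class SafeOutput
{
    // One untrusted value, four sinks, four encoders. AntiXSS starts from a
    // white-list of characters known to be safe and encodes everything else,
    // which is the "white-lists not black-lists" point from the slide.
    public static string RenderProfile(string displayName, string homepage)
    {
        // Element content.
        string body = "<p>Hello, " + Encoder.HtmlEncode(displayName) + "</p>";

        // Attribute value: quotes and spaces need different treatment here.
        string attr = "<input type=\"text\" value=\""
                    + Encoder.HtmlAttributeEncode(displayName) + "\" />";

        // Inside a script block: JavaScriptEncode returns a quoted, escaped literal.
        string script = "<script>var who = " + Encoder.JavaScriptEncode(displayName) + ";</script>";

        // In a query-string component.
        string link = "<a href=\"/search?q=" + Encoder.UrlEncode(homepage) + "\">search</a>";

        return body + attr + script + link;
    }

    // HttpOnly keeps the cookie out of document.cookie, so a script that does
    // slip through cannot read it; Secure keeps it off plain HTTP.
    public static HttpCookie AuthCookie(string value)
    {
        var cookie = new HttpCookie("MyAppAuth", value);   // hypothetical cookie name
        cookie.HttpOnly = true;
        cookie.Secure = true;
        return cookie;
    }
    // Site-wide equivalent in web.config:
    //   <httpCookies httpOnlyCookies="true" requireSSL="true" />
}
```

Because the database holds the unencoded text, the same value can be rendered correctly into HTML today and into JSON or a mobile client tomorrow; encoding at storage time would bake one output context into the data.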
The OWASP Top Ten
•   Failure to restrict URL access
•   Insecure Communications
•   Insecure Cryptographic Storage
•   Broken Authentication / Session Management
•   Information Leakage
•   Cross Site Request Forgery
•   Insecure Direct Object Reference
•   Malicious File Execution
•   Injection Flaws
•   Cross Site Scripting
Resources
• AntiXSS - http://www.codeplex.com/AntiXSS
• AntiCSRF - http://www.codeplex.com/AntiCSRF
• P&P Guidance Explorer -
      http://www.codeplex.com/guidanceExplorer
• Fiddler – http://www.fiddlertool.com
• TamperData –
      https://addons.mozilla.org/en-US/firefox/addon/966
Questions

More Related Content

What's hot

installing-and-setting-up-your-zap-environment-slides.pdf
installing-and-setting-up-your-zap-environment-slides.pdfinstalling-and-setting-up-your-zap-environment-slides.pdf
installing-and-setting-up-your-zap-environment-slides.pdfMarcelo Cunha
 
How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematicianHow to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician Antonio Sanso
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Ömer Çıtak
 
Comment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapital
Comment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapitalComment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapital
Comment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapitalGuillaume Marchand
 
ResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionPratik Jagdishwala
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Ömer Çıtak
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyRyan LaBouve
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Tinashe Makuti
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeScott Helme
 
Defeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyDefeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyFrancois Marier
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyKsenia Peguero
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
12 Rocking Apache .htaccess Tutorial ...
12 Rocking Apache .htaccess Tutorial ...12 Rocking Apache .htaccess Tutorial ...
12 Rocking Apache .htaccess Tutorial ...wensheng wei
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Slides
SlidesSlides
Slidesvti
 

What's hot (20)

installing-and-setting-up-your-zap-environment-slides.pdf
installing-and-setting-up-your-zap-environment-slides.pdfinstalling-and-setting-up-your-zap-environment-slides.pdf
installing-and-setting-up-your-zap-environment-slides.pdf
 
How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematicianHow to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)
 
Comment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapital
Comment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapitalComment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapital
Comment se crasher avec classe pendant un pic d'audience, a.k.a #effetcapital
 
ResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security session
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Bünyamin Demir - 10 Adımda Yazılım Güvenliği
Bünyamin Demir - 10 Adımda Yazılım GüvenliğiBünyamin Demir - 10 Adımda Yazılım Güvenliği
Bünyamin Demir - 10 Adımda Yazılım Güvenliği
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army Knife
 
Defeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyDefeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security Policy
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security Policy
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
12 Rocking Apache .htaccess Tutorial ...
12 Rocking Apache .htaccess Tutorial ...12 Rocking Apache .htaccess Tutorial ...
12 Rocking Apache .htaccess Tutorial ...
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
Slides
SlidesSlides
Slides
 

Viewers also liked

Question 3:- What have you learned from your audience feedback?
Question 3:- What have you learned from your audience feedback?Question 3:- What have you learned from your audience feedback?
Question 3:- What have you learned from your audience feedback?David Wooldridge
 
Presentación Programa Superior de #ContactCenter
Presentación Programa Superior de #ContactCenterPresentación Programa Superior de #ContactCenter
Presentación Programa Superior de #ContactCenterRaquel1704
 
Progetto 5 comuni del Pasubio - scuola Vallarsa
Progetto 5  comuni del Pasubio - scuola VallarsaProgetto 5  comuni del Pasubio - scuola Vallarsa
Progetto 5 comuni del Pasubio - scuola Vallarsaguestf9daa3a
 
Unmanned Video citizin services
Unmanned Video citizin servicesUnmanned Video citizin services
Unmanned Video citizin servicesibsis
 
Integrating Social Media With Traditional Media
Integrating Social Media With Traditional MediaIntegrating Social Media With Traditional Media
Integrating Social Media With Traditional Mediaparkernow
 
關閉Q9 Ue版九方
關閉Q9 Ue版九方關閉Q9 Ue版九方
關閉Q9 Ue版九方Warren Yip
 
Use Your Library @ Home and Anywhere
Use Your Library @ Home and AnywhereUse Your Library @ Home and Anywhere
Use Your Library @ Home and AnywhereAnn Owens
 
Element Design Final Presentation3
Element Design Final Presentation3Element Design Final Presentation3
Element Design Final Presentation3guestdf2bf9
 
Select Samples of Work
Select Samples of WorkSelect Samples of Work
Select Samples of Worklizzygreen
 
Wereldwinkeliersvandetoekomst
WereldwinkeliersvandetoekomstWereldwinkeliersvandetoekomst
Wereldwinkeliersvandetoekomstfrancienvaneersel
 
Subjective Logic Extensions for the Web and the Semantic Web
Subjective Logic Extensions for the Web and the Semantic WebSubjective Logic Extensions for the Web and the Semantic Web
Subjective Logic Extensions for the Web and the Semantic WebDavide Ceolin
 
Complete Business Intelligence Solution for Your Microsoft Platform
Complete Business Intelligence Solution for Your Microsoft PlatformComplete Business Intelligence Solution for Your Microsoft Platform
Complete Business Intelligence Solution for Your Microsoft Platformwww.panorama.com
 
Pricing, Business Models, and What Things are Worth
Pricing, Business Models, and What Things are WorthPricing, Business Models, and What Things are Worth
Pricing, Business Models, and What Things are WorthEnthiosys Inc
 
The people system™ an introduction v.1.2
The people system™   an introduction v.1.2The people system™   an introduction v.1.2
The people system™ an introduction v.1.2Carol Moxam
 

Viewers also liked (20)

Question 3:- What have you learned from your audience feedback?
Question 3:- What have you learned from your audience feedback?Question 3:- What have you learned from your audience feedback?
Question 3:- What have you learned from your audience feedback?
 
Presentación Programa Superior de #ContactCenter
Presentación Programa Superior de #ContactCenterPresentación Programa Superior de #ContactCenter
Presentación Programa Superior de #ContactCenter
 
Wereldwinkeliers
WereldwinkeliersWereldwinkeliers
Wereldwinkeliers
 
Progetto 5 comuni del Pasubio - scuola Vallarsa
Progetto 5  comuni del Pasubio - scuola VallarsaProgetto 5  comuni del Pasubio - scuola Vallarsa
Progetto 5 comuni del Pasubio - scuola Vallarsa
 
Unenclosable
UnenclosableUnenclosable
Unenclosable
 
Unmanned Video citizin services
Unmanned Video citizin servicesUnmanned Video citizin services
Unmanned Video citizin services
 
Integrating Social Media With Traditional Media
Integrating Social Media With Traditional MediaIntegrating Social Media With Traditional Media
Integrating Social Media With Traditional Media
 
關閉Q9 Ue版九方
關閉Q9 Ue版九方關閉Q9 Ue版九方
關閉Q9 Ue版九方
 
Use Your Library @ Home and Anywhere
Use Your Library @ Home and AnywhereUse Your Library @ Home and Anywhere
Use Your Library @ Home and Anywhere
 
Element Design Final Presentation3
Element Design Final Presentation3Element Design Final Presentation3
Element Design Final Presentation3
 
濕熱環境之生活感溫概念產品設計
濕熱環境之生活感溫概念產品設計濕熱環境之生活感溫概念產品設計
濕熱環境之生活感溫概念產品設計
 
Select Samples of Work
Select Samples of WorkSelect Samples of Work
Select Samples of Work
 
Unenclosable
UnenclosableUnenclosable
Unenclosable
 
Wereldwinkeliersvandetoekomst
WereldwinkeliersvandetoekomstWereldwinkeliersvandetoekomst
Wereldwinkeliersvandetoekomst
 
Subjective Logic Extensions for the Web and the Semantic Web
Subjective Logic Extensions for the Web and the Semantic WebSubjective Logic Extensions for the Web and the Semantic Web
Subjective Logic Extensions for the Web and the Semantic Web
 
Complete Business Intelligence Solution for Your Microsoft Platform
Complete Business Intelligence Solution for Your Microsoft PlatformComplete Business Intelligence Solution for Your Microsoft Platform
Complete Business Intelligence Solution for Your Microsoft Platform
 
Pricing, Business Models, and What Things are Worth
Pricing, Business Models, and What Things are WorthPricing, Business Models, and What Things are Worth
Pricing, Business Models, and What Things are Worth
 
2009成果展-實況報導
2009成果展-實況報導2009成果展-實況報導
2009成果展-實況報導
 
Unenclosable
UnenclosableUnenclosable
Unenclosable
 
The people system™ an introduction v.1.2
The people system™   an introduction v.1.2The people system™   an introduction v.1.2
The people system™ an introduction v.1.2
 

Similar to Don't Get Stung

Web security for app developers
Web security for app developersWeb security for app developers
Web security for app developersPablo Gazmuri
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Web Database Server Best Practices
Web Database Server Best PracticesWeb Database Server Best Practices
Web Database Server Best Practicessyrinxtech
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishMarkus Eisele
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFMark Stanton
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)Nate Lawson
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
9 Ways to Hack a Web App
9 Ways to Hack a Web App9 Ways to Hack a Web App
9 Ways to Hack a Web Appelliando dias
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Security Checklist for TYPO3
Security Checklist for TYPO3Security Checklist for TYPO3
Security Checklist for TYPO3jweiland
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
Enterprise Security mit Spring Security
Enterprise Security mit Spring SecurityEnterprise Security mit Spring Security
Enterprise Security mit Spring SecurityMike Wiesner
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
 

Similar to Don't Get Stung (20)

Web security for app developers
Web security for app developersWeb security for app developers
Web security for app developers
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Web Database Server Best Practices
Web Database Server Best PracticesWeb Database Server Best Practices
Web Database Server Best Practices
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFish
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
 
Web Security
Web SecurityWeb Security
Web Security
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
9 Ways to Hack a Web App
9 Ways to Hack a Web App9 Ways to Hack a Web App
9 Ways to Hack a Web App
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Securing your web apps now
Securing your web apps nowSecuring your web apps now
Securing your web apps now
 
Security Checklist for TYPO3
Security Checklist for TYPO3Security Checklist for TYPO3
Security Checklist for TYPO3
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
Enterprise Security mit Spring Security
Enterprise Security mit Spring SecurityEnterprise Security mit Spring Security
Enterprise Security mit Spring Security
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Recently uploaded (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...

Don't Get Stung

15. Information Leakage
• Don’t show raw errors
• Catch errors “properly”
• Don’t upload PDBs or debug assemblies
• Encrypt web.config parts
• Encrypt ViewState -
• Watch your CSS!
• For Ajax, UpdatePanels are more secure
• Turn off metadata in web services

16. 5 – Cross Site Request Forgery

17. Cross Site Request Forgery
• Lock ViewState using ViewStateUserKey
  – Needs a way to identify user
  – Set in Page_Init
• Use a CSRF token – http://anticsrf.codeplex.com
• Encourage users to log out
• GET requests must be idempotent
• When is a postback not a postback?
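The two CSRF controls on slide 17 in one Web Forms code-behind, as an added example rather than code from the deck or the AntiCSRF project: ViewStateUserKey is set in Page_Init so the ViewState MAC is bound to the session, and every postback must echo a per-session token held in a hidden field. The class name, the session key "AntiCsrfToken" and the field name "__csrf" are illustrative choices, and session state is assumed to be enabled.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

public partial class OrderPage : Page   // illustrative page name
{
    private const string TokenSessionKey = "AntiCsrfToken";   // assumed session key
    private const string TokenFieldName = "__csrf";           // assumed hidden field name

    protected void Page_Init(object sender, EventArgs e)
    {
        // Set here, before ViewState is loaded: the key is mixed into the ViewState
        // MAC, so ViewState captured in another session fails validation.
        ViewStateUserKey = Session.SessionID;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string expected = Session[TokenSessionKey] as string;
        if (expected == null)
        {
            expected = NewToken();
            Session[TokenSessionKey] = expected;
        }

        // A postback (POST) must echo the token; GETs stay idempotent and carry none.
        if (IsPostBack && !FixedTimeEquals(Request.Form[TokenFieldName], expected))
            throw new HttpException(403, "Request verification failed.");

        // Re-emitted on every render so the next postback carries it.
        ClientScript.RegisterHiddenField(TokenFieldName, expected);
    }

    private static string NewToken()
    {
        // RNGCryptoServiceProvider is the managed wrapper over CryptGenRandom (slide 11).
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        // Compare every character so response time does not reveal how much matched.
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```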
18. 4 – Insecure Direct Object Reference

19. Insecure Direct Object Reference
• Use indirect object references
• Always check access permissions

20. 3 – Malicious File Execution

21. Malicious File Execution
• Remove Scripting IIS permission
• Store outside of application root
• Never believe the MIME type for uploads

23. Injection Flaws
• SQL
  – Use SQL parameters
  – Remove direct SQL table access
• XPath
  – Use XsltContext
  – http://mvpxml.codeplex.com/
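Slides 19 and 23 together, as an added example that is not from the deck: an opaque per-session handle stands in for the database key (indirect object reference), and the lookup that follows uses SqlCommand parameters with the owner check inside the WHERE clause, so a resolved id still returns nothing unless the row belongs to the caller. The session key "ObjectRefs", the Orders table and its columns, and the OrderRepository class are assumed names.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.SessionState;

// Slide 19: the browser only ever sees an opaque per-session handle, never the row id.
public static class ReferenceMap
{
    private const string SessionKey = "ObjectRefs";   // assumed session key name

    // Issue a random handle for a real row id, valid only within this session.
    public static string HandleFor(HttpSessionState session, int realId)
    {
        var map = session[SessionKey] as Dictionary<string, int> ?? new Dictionary<string, int>();
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        string handle = Convert.ToBase64String(bytes);
        map[handle] = realId;
        session[SessionKey] = map;
        return handle;
    }

    // A handle taken from the request resolves only if this session issued it.
    public static bool TryResolve(HttpSessionState session, string handle, out int realId)
    {
        realId = 0;
        var map = session[SessionKey] as Dictionary<string, int>;
        return handle != null && map != null && map.TryGetValue(handle, out realId);
    }
}

public class OrderRepository
{
    private readonly string connectionString;   // assumed to be read from web.config
    public OrderRepository(string connectionString) { this.connectionString = connectionString; }

    // Slide 23: values travel as parameters, never concatenated into the SQL text.
    // Slide 19: the owner check is part of the WHERE clause, not an afterthought.
    public decimal? LoadOrderTotal(int orderId, string ownerName)
    {
        const string sql = "SELECT Total FROM Orders WHERE OrderId = @id AND Owner = @owner";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = orderId;
            cmd.Parameters.Add("@owner", SqlDbType.NVarChar, 256).Value = ownerName;
            conn.Open();
            object total = cmd.ExecuteScalar();   // null when no such row exists for this owner
            return total == null ? (decimal?)null : (decimal)total;
        }
    }
}
```

A page would call ReferenceMap.TryResolve on the handle from the query string, treat a failed resolve as a 404, and only then pass the real id plus User.Identity.Name to LoadOrderTotal.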
24. 1 – Cross Site Scripting

25. XSS
• <IMG SRC=javascript:alert('XSS')>
• <IMG SRC=JaVaScRiPt:alert('XSS')>
• <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

26. XSS
• All input is evil
• Work from white-lists, not black-lists.
• Store un-encoded data in your database
• Use HttpOnly cookies
• AntiXSS project http://antixss.codeplex.com
  – Better HTML/URL Encoding
  – Adds HTML Attribute, JavaScript, JSON, VBScript
• XSS Cheat Sheet http://ha.ckers.org/xss.html
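The slide 26 advice as an added example, not code from the deck or the AntiXSS project: a white-list check on the way in, the raw value kept un-encoded for storage, an encoder chosen per output context on the way out, and an HttpOnly session cookie. It uses the framework's own HttpUtility encoders (JavaScriptStringEncode assumes .NET 4); the deck's AntiXSS library offers stricter white-list encoders of the same shape. The class and method names are illustrative.

```csharp
using System.Text.RegularExpressions;
using System.Web;

public static class XssDefences   // illustrative name
{
    // White-list: what a display name MAY contain, not a list of bad characters.
    // \A and \z anchor the whole string (a trailing "$" would still accept a final newline).
    private static readonly Regex DisplayName =
        new Regex(@"\A[\p{L}\p{N} .'\-]{1,64}\z", RegexOptions.CultureInvariant);

    public static bool IsValidDisplayName(string input)
    {
        return input != null && DisplayName.IsMatch(input);
    }

    // The value stays un-encoded in the database; the encoding is chosen at output time
    // for the context the value lands in, because HTML body, attribute, script and URL
    // contexts each have different metacharacters.
    public static string ForHtmlBody(string raw)      { return HttpUtility.HtmlEncode(raw); }
    public static string ForHtmlAttribute(string raw) { return HttpUtility.HtmlAttributeEncode(raw); }
    public static string ForJavaScript(string raw)    { return HttpUtility.JavaScriptStringEncode(raw); }
    public static string ForUrlParameter(string raw)  { return HttpUtility.UrlEncode(raw); }

    // HttpOnly keeps the cookie out of document.cookie, so an injected script cannot read
    // it; the same default applies site-wide via <httpCookies httpOnlyCookies="true"/>.
    public static HttpCookie SessionCookie(string name, string value)
    {
        var cookie = new HttpCookie(name, value);
        cookie.HttpOnly = true;
        cookie.Secure = true;   // slide 7: only over SSL
        return cookie;
    }
}
```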
27. The OWASP Top Ten
• Failure to restrict URL access
• Insecure Communications
• Insecure Cryptographic Storage
• Broken Authentication / Session Management
• Information Leakage
• Cross Site Request Forgery
• Insecure Direct Object Reference
• Malicious File Execution
• Injection Flaws
• Cross Site Scripting

28. Resources
• AntiXSS – http://www.codeplex.com/AntiXSS
• AntiCSRF – http://www.codeplex.com/AntiCSRF
• P&P Guidance Explorer – http://www.codeplex.com/guidanceExplorer
• Fiddler – http://www.fiddlertool.com
• TamperData – https://addons.mozilla.org/en-US/firefox/addon/966