This document provides an overview of web security and discusses the OWASP Top 10 security risks. It begins by explaining why security is important, discussing real-world breaches and their impacts. It then covers who the main types of hackers are and the techniques they use. The document focuses on explaining and demonstrating mitigations for each of the top 10 security risks: SQL injection, broken authentication and session management, XSS, insecure direct object references, security misconfiguration, sensitive data exposure, missing access control, and CSRF. Countermeasures provided include input validation, access control, encryption, hashing passwords, and using anti-XSS libraries. Human: Thank you, that is a concise 3 sentence summary that captures the

1. Web Security
By John Staveley
Leeds Sharp 26/02/2015
https://uk.linkedin.com/in/johnstaveley/
@johnstaveley

2. Overview

Why Security?
– (case studies)

Who are the hackers?

How?
– (with solutions)

SecurityEssentials.sln

...and then on the server

Further resources

Summary

Questions

3. Who am I?

John Staveley

Mvc.net developer

Not a security expert!

4. Why Security? - Some headlines

ZdNet 2014, “Hundreds of millions of records have been
stolen this year through hacks and data breaches as a result
of poor, or flawed security.”

Davos 2015, “Every time we talked to a top 500 company
about cyber-security, they'd say to us: 'talk to my technology
guy', now the board of directors and the CEOs of the
companies pay attention. There is a new sense of urgency" –
Head of a security company

FSB 2013, 41% of small businesses are a victim of cyber
crime.

5. Why Security? - Some example breaches

Sony – films, confidential email, payroll

Target – 110 million records lost including credit card details.
Current cost $110m

Home Depot – 56m credit card, 53m email addresses

JPMorgan – 10s of millions of customers data lost

BadUSB

ICloud celebrity pictures

Snapchat – 13Gb of data

Ebay – 145 million user records lost. $220m loss

Heartbleed

etc

6. Why Security? - and the rest...

7. Why Security?

Loss of reputation

Blacklisting

Litigation

Fines e.g. Data protection act, PCI compliance

8. Who are the hackers?

Script kiddies

Hacktivists

Insiders

Organised Crime – Russian Business Network

Advanced Persistent Threat

9. What we will/won't cover

WILL:

Web application security (MVC)

DDOS

Social Engineering

WON'T:

Physical security

Network security

Trojans, Worms, Viruses

IDS, Firewalls, Honey pots

Internal threats

Advanced persistent threats

10. Concepts

Defence in Depth

CIA - Confidentiality, Integrity and Availability

Usability/Security trade-off

11. Presentation Approach

OWASP Top 10

Not for profit

Cover all technologies

Reviewed every 3 years

Helps you prioritise

Chapter outline

What is the hack?

Who has been affected by it?

What are the mitigations/countermeasures?

Questions

DEMO

SecurityEssentials.sln

12. 1 – SQL Injection

13. SQL Injection – What is it?

14. SQL Injection – What is it?
string strQry = "SELECT * FROM Users WHERE
UserName='" + txtUser.Text + "' AND Password='" +
txtPassword.Text + "'";
EXEC strQry
Put in username field: Admin' And 1=1 –
SELECT * FROM Users WHERE UserName='Admin'
And 1=1 --' AND Password=''
Put in password field: '; DROP TABLE Users --
SELECT * FROM Users WHERE UserName='' AND
Password=''; DROP TABLE Users –'
http://www.not-secure.com/products?Id=14
Havij

15. SQL Injection - Examples

Sony Playstation 2011 - “Worst gaming community data
breach of all-time.”

77 million accounts affected

12 million had unencrypted credit card numbers

Site was down for a month

CyberVor, Aug 2014 – Used botnet to steal billion
passwords from 400,000 sites

16. SQL Injection - Countermeasures

Assume all input is evil – validate everything

Use an ORM like EF/NHibernate

Use stored procedures

Don't use EXEC sp_executesql @strQuery

Reduce SQL account permissions

Concept: Least Privilege

17. 2 - Broken authentication and session management

Password security

Session Hijacking

Weak Account Management

18. Password Security

What is it? - Storage, Policy and entry

Password storage

Plain text = No security (http://plaintextoffenders.com/)

Base64 encoding = No security

Avoid Encryption – can be broken

Use hashing (password = 5f4dcc3b5aa765d61d8327deb882cf99)

Common hashes can be googled

Use a salt

Don't use RC4, MD4, MD5 and SHA-1

HashCat

Use PBKDF2, SCrypt, Bcrypt

Passwords Policy:

Enforce minimum complexity

Do not reject special characters

Validate passwords against a list of known bad passwords

Do not allow personal information in the password

Password Entry:

Don't disallow paste on a web page

19. Password Security - Examples

Case Study: Richard Pryce

Case Study: Ebay May 2014

Up to 145 million users affected

$200m loss

Poor password encryption blamed

Case Study: LinkedIn 2012

6.5 million user accounts stolen by Russian criminals

20. Session hijacking – The What

21. Session Hijacking – The how

Concept – Man In The Middle (MITM)

Opening up the browser

CSRF

Sensitive data exposure

DEMO: Session stealing using document.cookie=""

22. Session Hijacking - Countermeasures

Counter client code access of cookies (Anti-XSS / MITM): HttpOnly

Counter auth token 'Sniffing' – Use HttpsOnly

<forms loginUrl="~/Account/Login" timeout="60" requireSSL="true"
slidingExpiration="false"/>

Private error logging/trace

Reducing session timeout reduces exposure

Track sessions - session invalidated during logoff?

SecurityEssentials.sln web.config with transforms

23. Weak account management – What is it?

Owning the account

Why?
– Sensitive data
– Admin privileges

Registration

Logon

Remember me

Password reset

Change account details

Logoff

Call Centre

24. Weak account management – Case Study

25. Weak account management – Case Study

News contained details Sarah Palin used Yahoo mail

Security Information

Birthday?

2 minutes on Wikipedia

Zip Code?

Wallisa only has 2 postcodes

Where did you meet your spouse?

High School

=> Password reset

26. Weak account management – Case Studies

Case Study: iCloud/iBrute 2014

27. Weak account management - Countermeasures (1)

Account enumeration - Can occur on registration, logon or
password reset forms

Success - “An account reset key has been emailed to you”

Failure - “That user account does not exist”

Success or Failure - “An account reset key has been
emailed to you”

Use Https ([RequireHttps]) to protect sensitive data

28. Weak account management - Countermeasures (2)

Brute force Logon - Do not lock out on incorrect logon –
DOS

Brute force Registration/Password reset:
– CAPTCHA and/or throttling to prevent brute force

Verify email address by sending an email

Re-challenge user on key actions e.g. prompt for old
password when entering new password

Log and send email when any account state changes

29. Weak account management - Countermeasures (3)

Password reset

Don't send new password out – DOS

Send email with expiring token (1 hour)

Security questions: Concise, Specific, has a large range of answers, low
discoverability, constant over time

Never roll your own membership provider or session
management – use the default one in the framework

Outsource the solution e.g. Azure Active Directory or
OpenId

SecurityEssentials.sln – Account Management process,
anti-enumeration, logging, email verification, email on
change, activity log, throttling, CAPTCHA, auto-complete
off, increase logon time failure

30. 3 – Cross Site Scripting (XSS)

31. Cross site scripting (XSS) – What is it?
www.mysite.com/index?name=Guest
Hello Guest!
www.mysite.com/index?name=<b>Guest<b>
Hello Guest!
www.mysite.com/index?name=Guest<script>alert('Gotcha!')</script>
Hello Guest!
www.mysite.com/index?name=<script>window.onload = function() {var
link=document.getElementsByTagName("a");link[0].href="http://not-real-
xssattackexamples.com/";}</script>
www.mysite.com/index?name=<script>Insert evil script here</script>

32. Cross site scripting (XSS) – What is it?

Encoded data vs unencoded
e.g. &lt;b&gt;Guest&lt;b&gt; vs <b>Guest</b>

Cookie theft!
<script>alert(document.cookies)</script>

Concept: Don't trust your users!

Reflected vs Persisted XSS

Attack Vector: Social Network, Email etc

33. Cross site scripting (XSS) – Examples

Case Study: Legal Helpdesk

Enabler:

Session stealing

DOS

Sensitive data exposure

Ebay, Sep 2014 –

About.com, Oct 2014 – 99.98% of links susceptible
– Feb 2015 – still unpatched

34. Cross site scripting (XSS) - Countermeasures

Validate untrusted data – don't trust your users!

Sources of data – html post, urls, excel/csv import, import of
database

Mvc3 - “A potentially dangerous Request.Form value was
detected from the client”, except:

What if you want to post HTML? [AllowHTML]

Countermeasure: Encode reflected data

Mvc3 encodes Html by default

Except @Html.Raw(Model.MyStuff)

For 'safe' HTML fragments use WPL (AntiXSS) Library for
HTML, CSS, URL, JavaScript, LDAP etc

Concept: Black vs White listing

SecurityEssentials: Incorporation of AntiXSS Library

Comparison with ASP.Net web forms

35. 4 – Insecure Direct Object
References

36. Insecure direct object references – what is it?
www.mysite.com/user/edit/12345
// Insecure
public ActionResult Edit(int id)
{
var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
return View("Details", new UserViewModel(user);
}
// Secure
public ActionResult Edit(int id)
{
var user = UnitOfWork.UserRepository.Get(e => e.Id == id);
// Establish user has right to edit the details
if (user.Id != UserIdentity.GetUserId())
{
HandleErrorInfo error = new HandleErrorInfo(new Exception("INFO: You do not have
permission to edit these details"));
return View("Error", error);
}
return View("Edit", new UserViewModel(user);
}

37. Insecure direct object references - Examples

Immobilise Jan 2015

Citigroup, 2011
– 200,000 customer details exposed

38. Insecure direct object references - Countermeasures

Check the user has permission to see a resource
– Don't expose internal keys externally
– Map keys to user specific temporary non-guessable ones to
prevent brute force

Frequently overlooked:
– Ajax calls
– Obfuscation of paths does not work
– Passing sensitive data in urls

SecurityEssentials.sln User edit

39. 5 – Security Misconfiguration

40. Security Misconfiguration – What is it?

Unnecessary features enabled e.g. FTP, SMTP on a web
server, ports opened

Default accounts and passwords still enabled and
unchanged

Errors reveal internal implementation e.g. Trace.axd

41. Security Misconfiguration - Examples

Webcams, Nov 2014

Secure Elmah, Google inurl:elmah.axd “error log for”

42. Security Misconfiguration - Countermeasures

Encrypt connection string

Server retail mode

Ensure application is set for production – automate using
MVC config transforms

SecurityEssentials.sln web.config

43. 6 – Sensitive Data Exposure

44. Sensitive Data exposure – What is it?

Email addresses

Contents of emails

Passwords

Auth token

Credit card details

Private pictures

45. Sensitive Data exposure - Examples

Snapchat Jan 2014
– Phone number upload feature brute forced

Tunisian ISP
– Login pages for Gmail, Yahoo, and Facebook
– Pulls the username and password, and encodes it with a weak
cryptographic algorithm

Wifi Pineapple

46. Sensitive Data exposure - Countermeasures

Use and enforce SSL/TLS – [RequireSSL]

Google: “SSL/TLS accounts for less than 1% of the CPU
load, less than 10KB of memory per connection and less
than 2% of network overhead.”

Encrypt sensitive data in storage

Disclosure via URL

Browser auto-complete

Don't store it! e.g. CVV code

SecurityEssentials forcing SSL, HSTS header, prevent
server information disclosure, web.config

47. 7 – Missing Function Level Access
Control

48. Missing Function Level Access Control – What is it?

Checking the user has permission to be there

www.mysite.com/admin (Requires admin role!)

49. Missing Function Level Access Control - Countermeasures

Path level in web.config

Method level attribute e.g. [Authorize(Roles=”Admin”)]

Controller level Authorize attribute

Any point in code using identity features in .net
(System.Web.Security.Roles.IsUserInRole(userName,
roleName)

Use [NonAction]

Don't show links on UI to unauthorised functions

Don't make server side checks depend solely on
information provided by the attacker

Obfuscating links is no protection

Least Privilege

SecurityEssentials.sln unit tests

50. 8 – Cross Site Request Forgery

51. Cross-Site request forgery - What is it?

Attacker sends malicious link

<img src=”www.mysite.com/logoff” />

Requires to be logged on

52. Cross-Site request forgery - Examples

TP-Link Routers, Mar 2014

300,000 routers reprogrammed

DNS Servers changed

Exploit known for over a year

Brazil 2011, 4.5m DSL routers reprogrammed

53. Cross-Site request forgery - Countermeasures

Exploits predictable patterns, tokens add randomness to
request
@Html.AntiForgeryToken()
<input name="__RequestVerificationToken" type="hidden"
value="NVGfno5qe...... .......yYCzLBc1" />

Anti-forgery token
[ValidateAntiForgeryToken]

NB: Ajax calls

ASP.Net web forms

SecurityEssentials (controller and ajax)

54. 9 - Using components with known vulnerabilities

Case Study: WordPress, 2013

3 Year old admin module

10s of thousands of sites affected

No Brute force protection

Possible effects:

Circumvent access controls

SQL Injection, XSS, CSRF

Vulnerable to brute force login

NuGet – keep updated

Apply Windows Update

SecurityEssentials.sln NuGet

55. 10 - Unvalidated redirects and forwards – What is it?

Attacker presents victim with an (obfuscated) url e.g.
https://www.trustedsite.com/signin?ReturnUrl=http://www.nastysite.com/

User logs into safe, trusted site

Redirects to nasty site, malicious content returned

Any redirecting url is vulnerable

MVC3 vulnerable

56. Unvalidated redirects and forwards - Countermeasures

MVC4 problem solved (for login):

57. Form Overposting – What is it?
[HttpPost]
public ViewResult Edit(User user)
{ TryUpdateModel( … }
[HttpPost]
public ViewResult Edit([Bind(Include = "FirstName")] User user)
{ TryUpdateModel( … ,propertiesToUpdate, … }

58. DDOS – What is it?

Account lock out

Site running slow in browser

Server unable to fulfil a request

59. DDOS - Examples

Case Study: Meetup, Mar 2014
– $300
– Site down for days

60. DDOS - Examples

ZdNet, 2015: Global DDOS attacks increase 90% on last
year

61. DDOS – How and countermeasures

Protocol exploits such as ICMP, SYN, SSDP flood

XSS

Being popular

System exploits - covered by fixes from MS generally

Botnets

Ambiguous regex

Not closing connections

Filling up error log

Long running page

IIS – Dynamic IP restrictions

Outsource the solution - Cloudfare

62. Social Engineering – What is it?

You are the weakest link in the security terrain. e.g
phishing, spear phishing (12 emails sent => 90% success
rate).

People want to help

Nobody thinks they are a target

Virtually no trace of the attack

63. Social Engineering - Examples

Spam

Shoulder surfing

Found treasure (e.g. USB drive)

Case study: Email password reset

Denial of service and social engineering

Most SE Attacks are made by impersonating IT Staff

64. Social Engineering - Countermeasures

Less than 1% of security budget is spent on people

Notifications

Principle of least privilege

Logging and two factor authentication

65. Securing your site – Code Cheat sheet (1)

Don't trust your users!

Use an ORM

Use a strong account management process

Captcha/throttling

Defeat account enumeration

Hash passwords, encrypt data

Least Privilege

Use and enforce SSL

Encode all output

Secure direct object references

[Authorize]/[Authorize(Roles=””)] users

Conceal errors and trace

Use antiforgery tokens

66. Securing your site – Code Cheat sheet (2)

Keep components up to date

Validate redirects

Form overposting

DDOS

Headers

Train staff in social engineering

67. ...and once on the server

Apply a good SSL policy on the server:

Poodle

Encrypt the connection string on the production server

Enable retail mode on the production server

Patch the server

Run on your site to check security standards are enforced

68. Further Resources

OWASP Top 10

Pluralsight courses

CEH Certification

ZdNet

69. Summary

Hacks have been increasing in number and sophistication

OWASP Top 10

Specific solutions in Mvc

70. Any Questions?

71. Contact details
John Staveley
https://uk.linkedin.com/in/johnstaveley/
@johnstaveley