OWASP & ASP.NET
OWASP TOP 10
• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication & Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
Injection
• SQL, OS and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query
• Untrusted data:
– Integrity is not verifiable
– Intent may be malicious
– Manual user input
– Implicit user input
– Constructed user input
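The same lookup written two ways, as an added example that is not part of the deck: the concatenated form the slide warns about beside the parameterised ADO.NET form. The Users table, its columns and the placeholder connection string are assumptions; the principle (constant command text, input passed only as data) applies equally to LDAP filters and OS commands.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the slide deck. Assumes a Users table with Name and Email
// columns; the connection string is a placeholder.
public static class UserLookup
{
    const string ConnectionString = "<placeholder: connection string>";

    // Vulnerable: the untrusted value is spliced into the SQL text, so the interpreter
    // reads it as part of the statement's syntax rather than as a value.
    public static DataTable FindByNameUnsafe(string untrustedName)
    {
        string sql = "SELECT Name, Email FROM Users WHERE Name = '" + untrustedName + "'";
        return Run(new SqlCommand(sql));
    }

    // Hardened: the statement text is a constant and the value travels as a typed
    // parameter, so whatever it contains is compared as a string and never parsed as SQL.
    public static DataTable FindByName(string untrustedName)
    {
        var cmd = new SqlCommand("SELECT Name, Email FROM Users WHERE Name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = untrustedName;
        return Run(cmd);
    }

    static DataTable Run(SqlCommand cmd)
    {
        var table = new DataTable();
        using (var conn = new SqlConnection(ConnectionString))
        using (cmd)
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Connection = conn;
            adapter.Fill(table);   // SqlDataAdapter opens and closes the connection itself
        }
        return table;
    }
}
```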
OWASP Matrix
• Threat Agents: Anyone who can send data to the system
• Attack Vectors (Exploitability: EASY): Attacker sends simple text-based attacks that exploit the syntax of the interpreter.
• Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Very prevalent, particularly in legacy code; often found in SQL and LDAP queries, OS commands and program arguments.
• Technical Impacts (Impact: SEVERE): Can result in data loss or corruption, lack of accountability or denial of access.
• Business Impact: Business value of the affected data.
CROSS SITE SCRIPTING (XSS)
CROSS SITE SCRIPTING
• Most commonly exploited vulnerability
• WhiteHat Security report: 65% of sites with an XSS vulnerability
• Sending data to a browser without proper validation and escaping
• Allows executing scripts in the victim's browser
– Hijack user sessions
– Redirect to malicious sites
• Data stored in the database can itself become an attack vector
XSS Matrix
• Threat Agents: Anyone who can send untrusted data to the system
• Attack Vectors (Exploitability: AVERAGE): Attacker sends simple text-based attacks that exploit the syntax of the interpreter.
• Security Weakness (Prevalence: WIDESPREAD, Detectability: EASY): Most prevalent web application security flaw. 3 types: stored, reflected and DOM-based.
• Technical Impacts (Impact: MODERATE): Attacker can execute script in the victim's browser: session hijacking, inserting hostile content, using malware etc.
• Business Impact: Business value of the affected data.
Encoding
Encoding Method: Example/Pattern
• HtmlEncode: <a href="http://www.contoso.com">Click Here [Untrusted input]</a>
• HtmlAttributeEncode: <hr noshade size=[Untrusted input]>
• JavaScriptEncode: <script type="text/javascript"> … [Untrusted input] … </script>
• UrlEncode: <a href="http://search.msn.com/results.aspx?q=[Untrusted input]">Click Here!</a>
• XmlEncode: <xml_tag>[Untrusted input]</xml_tag>
• XmlAttributeEncode: <xml_tag attribute=[Untrusted input]>Some Text</xml_tag>
XSS Prevention Rule #0
• Never Insert Untrusted Data Except in Allowed Locations
– <script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script
– <!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment
– <div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name
– <NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name
– <style>...NEVER PUT UNTRUSTED DATA HERE...</style> directly in CSS
XSS Prevention Rule #1
• HTML Escape Before Inserting Untrusted Data into HTML Element Content
– <body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>
– <div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>
– any other normal HTML elements
• & --> &amp;
• < --> &lt;
• > --> &gt;
• " --> &quot;
• ' --> &#x27;
• / --> &#x2F;
XSS Prevention Rule #2
• Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
– <div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div> inside UNquoted attribute
– <div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div> inside single quoted attribute
– <div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div> inside double quoted attribute
XSS Prevention Rule #3
• JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
– <script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script> inside a quoted string
– <script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script> one side of a quoted expression
– <div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"></div> inside quoted event handler
XSS Prevention Rule #4
• CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
– <style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style> property value
– <style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style> property value
– <span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">text</span> property value
XSS Prevention Rule #5
• URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
– <a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>
XSS Prevention Rule #6
• Use an HTML policy engine to validate or clean user-driven HTML on output
• AntiXSS
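The encoding table and prevention rules above applied in one place, as an added example that is not code from the deck: a single untrusted value rendered into each context the rules distinguish, using the System.Web encoder that matches that context. It assumes .NET Framework's HttpUtility; the AntiXSS library named under Rule #6 exposes the same operations on its Encoder class. The allow lists, tag set and URL are this example's own.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not code from the slide deck. Assumes System.Web.HttpUtility.
public static class SafeRender
{
    // Rule #1: HTML element content.
    public static string InElement(string untrusted)
    {
        return "<div>" + HttpUtility.HtmlEncode(untrusted) + "</div>";
    }

    // Rule #2: attribute value. Always quote the attribute: the encoder neutralises the
    // quote character, but an unquoted attribute (the encoding table's <hr size=...>
    // pattern) is ended by a space, which no encoder removes.
    public static string InAttribute(string untrusted)
    {
        return "<div title=\"" + HttpUtility.HtmlAttributeEncode(untrusted) + "\">content</div>";
    }

    // Rule #3: a quoted JavaScript string. JavaScriptStringEncode escapes quotes,
    // backslashes and control characters and writes < > & as \uXXXX, so the value can
    // neither end the string nor close the <script> element.
    public static string InScriptString(string untrusted)
    {
        return "<script>var x = '" + HttpUtility.JavaScriptStringEncode(untrusted) + "';</script>";
    }

    // Rule #4: a CSS property value. HttpUtility has no CSS encoder, so the value is
    // strictly validated against an allow list (here: a six-digit hex colour) and rejected
    // otherwise; nothing from the input reaches the style attribute unchecked.
    static readonly Regex HexColour = new Regex("^#[0-9A-Fa-f]{6}$");
    public static string InStyleValue(string untrusted)
    {
        if (!HexColour.IsMatch(untrusted))
            throw new ArgumentException("not an allowed colour value");
        return "<span style=\"color: " + untrusted + "\">text</span>";
    }

    // Rule #5: a URL query parameter. Two layers: URL-encode the parameter value, then
    // attribute-encode the whole href because it sits inside a quoted attribute.
    public static string InUrlParameter(string untrusted)
    {
        string href = "http://www.somesite.com/?test=" + HttpUtility.UrlEncode(untrusted);
        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(href) + "\">link</a>";
    }

    // Rule #0: tag names, attribute names, comments and script bodies have no encoder.
    // An element name is therefore chosen from a fixed set, never taken from the input.
    static readonly string[] AllowedTags = { "b", "i", "em", "strong" };
    public static string InTagName(string requestedTag, string untrustedText)
    {
        string tag = Array.Find(AllowedTags, t => t == requestedTag) ?? "span";
        return "<" + tag + ">" + HttpUtility.HtmlEncode(untrustedText) + "</" + tag + ">";
    }
}
```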
BROKEN AUTHENTICATION & SESSION MANAGEMENT
Defining Broken Authentication
• Authentication and session management functions not implemented correctly
• Allow attackers to compromise passwords, keys, session tokens
Broken Authentication Matrix
• Threat Agents: External attackers, and internal users trying to steal accounts from others
• Attack Vectors (Exploitability: AVERAGE): Attackers use leaks or flaws in the authentication or session management functions
• Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Custom authentication and session management schemes; flaws are hard to find.
• Technical Impacts (Impact: SEVERE): Allow some or all accounts to be attacked.
• Business Impact: Business value of the affected data.
Anatomy of Broken Authentication
• Session IDs in the URL
– Cookieless session state
• Can still occur without IDs in the URL (via exploited XSS flaws)
• HttpOnly cookies
• Use ASP.NET Membership & Role Providers
Session Fixation
• Do not accept session identifiers from GET / POST variables
• Use identity confirmation
• Store session identifiers in cookies
• Regenerate SID on each request
• Accept only server-generated SIDs
• Logout function
• Time-out old SIDs
• Destroy session if Referrer is suspicious
• Verify that additional information is consistent
– User Agent
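The session-fixation and HttpOnly bullets above turned into a login step for ASP.NET Web Forms, as an added example that is not code from the deck: the pre-login session ID is discarded, the cookie is reissued with HttpOnly and Secure set, identity goes into the Forms auth ticket, and the User-Agent consistency check is implemented as a per-request helper. It assumes Forms authentication and the default cookie-based session ("ASP.NET_SessionId" is the default cookie name); the session key name is this example's own.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not code from the slide deck. Assumes Forms authentication and the
// default cookie-based session state.
public static class SessionGuard
{
    const string AgentKey = "__ua";   // example's own session key

    public static void OnSuccessfulLogin(HttpContext ctx, string userName)
    {
        // Whatever session ID the browser presented before login is discarded: the server
        // only honours an ID it generated itself, after authentication, so an ID planted
        // by someone else can never become a logged-in session.
        ctx.Session.Abandon();

        // Expire the old session cookie so the next request receives a fresh server-generated
        // ID. HttpOnly keeps the cookie away from script (the XSS route to the ID); Secure keeps
        // it off plain HTTP. Both flags can also be set site-wide in web.config's <httpCookies>.
        var expired = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            HttpOnly = true,
            Secure = true,
            Expires = DateTime.UtcNow.AddDays(-1)
        };
        ctx.Response.Cookies.Add(expired);

        // Identity travels in the Forms auth ticket, never in the URL and not in the session.
        FormsAuthentication.SetAuthCookie(userName, false);

        // Redirect so the first authenticated request starts with an empty, new session.
        ctx.Response.Redirect(FormsAuthentication.DefaultUrl, true);
    }

    // Call early in each request (e.g. from a shared base page). Binds the session to the
    // User-Agent seen on first use; a later request from a different agent is treated as
    // suspicious and the session and auth ticket are destroyed. This is defence in depth:
    // a browser upgrade mid-session also trips it, which is an accepted cost.
    public static bool IsConsistent(HttpContext ctx)
    {
        string agent = ctx.Request.UserAgent ?? string.Empty;
        string seen = ctx.Session[AgentKey] as string;
        if (seen == null)
        {
            ctx.Session[AgentKey] = agent;
            return true;
        }
        if (seen == agent) return true;

        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        return false;
    }
}
```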
INSECURE DIRECT OBJECT REFERENCE
Defining insecure direct object reference
• Data being unintentionally disclosed
• Exposing a reference to an internal object, file, directory or database key
IDOR Matrix
• Threat Agents: Users of the system who have partial access to system data.
• Attack Vectors (Exploitability: AVERAGE): Simple parameter modification
• Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Applications use the actual name or key value of an object. Authorization is not verified.
• Technical Impacts (Impact: SEVERE): Compromise of all data that can be referenced.
• Business Impact: Business value of the affected data.
CROSS SITE REQUEST FORGERY
Defining Cross Site Request Forgery
• Tricking the user into inadvertently issuing an HTTP request to a site
– Confused deputy problem
• Sends:
– Session cookie
– Authentication information
• Victim needs to be logged on
CSRF Matrix
• Threat Agents: Anyone who can trick your users into submitting a request to your site
• Attack Vectors (Exploitability: AVERAGE): Creates forged HTTP requests via image tags or XSS
• Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Browsers send credentials like authentication cookies automatically, so attackers can create malicious web pages that generate forged requests.
• Technical Impacts (Impact: SEVERE): Attackers can change any data the victim is allowed to change
• Business Impact: Business value of the affected data.
CSRF Prevention
• Prevention measures that don't work:
– Using a secret cookie
– Only accepting POST requests
– Multi-step transactions
– URL Rewriting
CSRF Prevention
• Synchronizer Token Pattern
• ViewState
– ViewStateUserKey = Session.SessionID
• Double submit cookies
– Header
– Hidden form value
• .NET CSRF Guard
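The two Web Forms measures the slide lists, as an added example that is not code from the deck: ViewStateUserKey bound to the session ID, plus a synchronizer token (delivered as a hidden form value or a request header, per the double-submit bullet) for requests that bypass ViewState. It assumes System.Web; the field, header and session key names are this example's own. MVC applications get the same token from Html.AntiForgeryToken() and [ValidateAntiForgeryToken].

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Added example, not code from the slide deck. Assumes System.Web (Web Forms).
public class ProtectedPage : Page
{
    // Ties the ViewState MAC to this session: a POST carrying ViewState generated for any
    // other session fails validation before any control event fires. The session must
    // already hold a value, otherwise ASP.NET hands out a new SessionID on every request
    // and the key would never match.
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        ViewStateUserKey = Session.SessionID;
    }
}

// Synchronizer token for requests that do not go through ViewState (AJAX, .ashx handlers).
public static class CsrfToken
{
    const string SessionKey = "__csrf";            // example's own names
    public const string FieldName = "__CSRFTOKEN";
    public const string HeaderName = "X-CSRF-Token";

    // Issued once per session from a cryptographically strong RNG, then rendered into a
    // hidden form field or handed to page script to send as a header.
    public static string GetOrCreate(HttpContext ctx)
    {
        var token = ctx.Session[SessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            ctx.Session[SessionKey] = token;
        }
        return token;
    }

    // A cross-site page can make the browser attach the session cookie, but it cannot read
    // this token out of the victim's page, so a state-changing request without it is rejected.
    public static bool IsValid(HttpContext ctx)
    {
        string expected = ctx.Session[SessionKey] as string;
        string presented = ctx.Request.Form[FieldName] ?? ctx.Request.Headers[HeaderName];
        if (expected == null || presented == null) return false;
        return FixedTimeEquals(expected, presented);
    }

    // Length-independent comparison so response timing does not leak matching prefixes.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```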
INSECURE CRYPTOGRAPHIC STORAGE
Defining Insecure Cryptographic Storage
• Protection of sensitive data
Insecure Cryptographic Storage Matrix
• Threat Agents: Users of the system
• Attack Vectors (Exploitability: DIFFICULT): Attackers don't break the crypto. They find keys, or get clear text copies of the data.
• Security Weakness (Prevalence: UNCOMMON, Detectability: DIFFICULT): The most common flaw is not encrypting data at all. Unsafe key generation, storage of keys, weak algorithms.
• Technical Impacts (Impact: SEVERE): Compromises all data that should have been encrypted.
• Business Impact: Business value of the affected data.
Questions
• Is the right data encrypted?
• Are the keys protected?
• Is the source data exposed by other interfaces?
• Is the hashing weak?
Encryption, hashing, salting
• Encryption: Transforming text into an illegible format that can only be deciphered with a 'key'
• Hashing: Creating a one-way digest that cannot be converted back.
• Salting: Adding a random string to input text before hashing to add unpredictability to the process.
MD5, SHA, DES, AES
• MD5: Common, not collision resistant.
• SHA: Secure Hash Algorithm, most popular (not most secure).
• DES: Data Encryption Standard, insecure.
• AES: Advanced Encryption Standard, common.
Symmetric / Asymmetric Encryption
• Symmetric Encryption
– Uses the same key to both encrypt and decrypt.
– The same algorithm can be applied to reverse the encryption
• Asymmetric Encryption
– Different keys for encryption / decryption
Key Management
• Keep keys unique
• Protect the keys
• Always store keys away from data
• Keys should have a defined lifecycle
Cryptographic Cheat Sheet
• Only store sensitive data you need
• Only use strong crypto algorithms (AES, RSA)
• Ensure that random numbers are cryptographically strong
• Only use widely accepted implementations of cryptographic algorithms
• Store the hashed and salted value of passwords
• Ensure that any secret key is protected from unauthorized access
FAILURE TO RESTRICT URL ACCESS
Defining failure to restrict URL access
• Users are able to access a resource they should not because appropriate controls do not exist
Matrix
• Threat Agents: Anyone with network access can send the application a request
• Attack Vectors (Exploitability: EASY): Attacker (already authorized) changes the URL to a privileged page.
• Security Weakness (Prevalence: UNCOMMON, Detectability: AVERAGE): Misconfigured URLs, improper code checks
• Technical Impacts (Impact: MODERATE): Allows attackers to access unauthorized functionality
• Business Impact: Business value of the affected data.
Suggestions
• Leverage roles in preference to individual users
• Apply principal permissions
– [PrincipalPermission] attribute
• Protect web services and async calls
• Leverage IIS 7 Integrated pipeline
• Do not roll your own security model
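The suggestions above in code, as an added example that is not from the deck: a role demand via the [PrincipalPermission] attribute on the operation itself (so web service and async callers are covered too) and an imperative role check on the privileged page. It assumes Forms authentication with the ASP.NET Role provider; the "Admin" role and the method names are this example's own.

```csharp
using System;
using System.Security.Permissions;
using System.Web.Security;
using System.Web.UI;

// Added example, not code from the slide deck. Assumes Forms auth plus the ASP.NET Role provider.
public static class AdminOperations
{
    // Declarative role demand: the runtime checks the current principal before the body runs
    // and throws SecurityException otherwise, whichever page, handler or web service method
    // reached this code. Roles rather than user names, so staff changes need no code change.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public static bool DeleteUser(string userName)
    {
        return Membership.DeleteUser(userName);
    }
}

public class AdminPage : Page
{
    // Imperative check on the page itself. Hiding the menu link is not a control: the URL is
    // still reachable by anyone who types it. The site-wide equivalent is an <authorization>
    // rule for the admin folder in web.config, which under the IIS 7 Integrated pipeline can
    // be applied to every request, not only .aspx pages.
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (!User.Identity.IsAuthenticated || !User.IsInRole("Admin"))
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```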

Mais conteúdo relacionado

Mais procurados

Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Beyond the OWASP Top 10
Beyond the OWASP Top 10Beyond the OWASP Top 10
Beyond the OWASP Top 10iphonepentest
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & TestingDeepu S Nath
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Owasp 2017 oveview
Owasp 2017   oveviewOwasp 2017   oveview
Owasp 2017 oveviewShreyas N
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20Tabăra de Testare
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerCiNPA Security SIG
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 

Mais procurados (20)

Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Beyond the OWASP Top 10
Beyond the OWASP Top 10Beyond the OWASP Top 10
Beyond the OWASP Top 10
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
Web attacks
Web attacksWeb attacks
Web attacks
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & Testing
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Anatomy Web Attack
Anatomy Web AttackAnatomy Web Attack
Anatomy Web Attack
 
Owasp 2017 oveview
Owasp 2017   oveviewOwasp 2017   oveview
Owasp 2017 oveview
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 

Semelhante a Owasp & Asp.Net

Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationowasp-pune
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeThuan Ng
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure worldGianluca Sartori
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security Dilip Sharma
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersBenjamin Floyd
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Web Application Security Session for Web Developers
Web Application Security Session for Web DevelopersWeb Application Security Session for Web Developers
Web Application Security Session for Web DevelopersKrishna Srikanth Manda
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTrivadis
 

Semelhante a Owasp & Asp.Net (20)

Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure world
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web Developers
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Web Application Security Session for Web Developers
Web Application Security Session for Web DevelopersWeb Application Security Session for Web Developers
Web Application Security Session for Web Developers
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
Joomla web application development vulnerabilities
Joomla web application development vulnerabilitiesJoomla web application development vulnerabilities
Joomla web application development vulnerabilities
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
 

Último

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 

Último (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 

Owasp & Asp.Net

  • 2. OWASP TOP 10 • Injection • Cross-Site Scripting (XSS) • Broken Authentication & Session Management • Insecure Direct Object References • Cross-Site Request Forgery • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict Url Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards
  • 3. Injection • SQL, OS, LDAP injection occur when untrusted data is sent to an interpreter as part of a command query • Untrusted data: – Integrity is not verifiable – Intent may be malicious – Manual user input – Implicit user input – Constructed user input
  • 4. OWASP Matrix Thread Agents Attack Vectors Security Weakness Technical Impacts Business Impact Exploitability EASY Prevalence COMMON Detectability AVERAGE Impact SEVERE Anyone who can send data to system Attacker sends simple text-based attacks that exploit the syntax of the interpreter. Very prevalent particularly in legacy code, often found in SQL, LDAP queries and OS commands, program arguments. Can result in data loss or corruption, lack of accountability or denial of access. Business value of effected data.
6. CROSS SITE SCRIPTING
• Most commonly exploited vulnerability
• WhiteHat Security report: 65% of sites have an XSS vulnerability
• Sending data to a browser without proper validation and escaping
• Allows executing scripts in the victim’s browser
– Hijack user sessions
– Redirect to malicious sites
• Exposes an attack vector from the database
7. XSS Matrix
Threat Agents: Anyone who can send untrusted data to the system
Attack Vectors (Exploitability: AVERAGE): Attacker sends simple text-based attacks that exploit the syntax of the interpreter.
Security Weakness (Prevalence: WIDESPREAD, Detectability: EASY): Most prevalent web application security flaw. 3 types: 1: Stored, 2: Reflected, 3: DOM Based
Technical Impacts (Impact: MODERATE): Attacker can execute script in the victim’s browser. Session hijacking, inserting hostile content, using malware etc.
Business Impact: Business value of the affected data.
8. Encoding
Encoding Method: Example/Pattern
HtmlEncode: <a href="http://www.contoso.com">Click Here [Untrusted input]</a>
HtmlAttributeEncode: <hr noshade size=[Untrusted input]>
JavaScriptEncode: <script type="text/javascript"> … [Untrusted input] … </script>
UrlEncode: <a href="http://search.msn.com/results.aspx?q=[Untrusted input]">Click Here!</a>
XmlEncode: <xml_tag>[Untrusted input]</xml_tag>
XmlAttributeEncode: <xml_tag attribute=[Untrusted input]>Some Text</xml_tag>
9. XSS Prevention Rule #0
• Never Insert Untrusted Data Except in Allowed Locations
<script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script
<!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment
<div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name
<NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name
<style>...NEVER PUT UNTRUSTED DATA HERE...</style> directly in CSS
10. XSS Prevention Rule #1
• HTML Escape Before Inserting Untrusted Data into HTML Element Content
<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>
<div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>
any other normal HTML elements
• & --> &amp;
• < --> &lt;
• > --> &gt;
• " --> &quot;
• ' --> &#x27;
• / --> &#x2F;
11. XSS Prevention Rule #2
• Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div> inside UNquoted attribute
<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div> inside single quoted attribute
<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div> inside double quoted attribute
12. XSS Prevention Rule #3
• JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script> inside a quoted string
<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script> one side of a quoted expression
<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"></div> inside quoted event handler
13. XSS Prevention Rule #4
• CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style> property value
<style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style> property value
<span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">text</span> property value
14. XSS Prevention Rule #5
• URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
<a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>
15. XSS Prevention Rule #6
• Use an HTML Policy engine to validate or clean user-driven HTML in an outbound way
• AntiXSS
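An added example (not part of the slides) that applies the encoding table and Rules #1 to #5 to a single untrusted value, using the AntiXSS encoder that ships in .NET 4.5 as System.Web.Security.AntiXss.AntiXssEncoder; SafeRender is a hypothetical helper.

```csharp
using System.Text;
using System.Web;
using System.Web.Security.AntiXss;

public static class SafeRender
{
    // Places ONE untrusted value into five output contexts, each with the encoder that
    // matches that context. Rule #0 contexts (bare script, comments, tag/attribute names)
    // are absent on purpose: no encoder makes them safe.
    // With <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web,
    // Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/> in web.config the
    // same encoder also backs Server.HtmlEncode and the <%: %> syntax.
    public static string RenderProfile(string untrusted)
    {
        var sb = new StringBuilder();

        // Rule #1: HTML element content -> HtmlEncode (&, <, >, ", ' become entities)
        sb.Append("<div>").Append(AntiXssEncoder.HtmlEncode(untrusted, false)).Append("</div>\n");

        // Rule #2: attribute value -> always quote it AND use HtmlAttributeEncode
        sb.Append("<div title=\"").Append(AntiXssEncoder.HtmlAttributeEncode(untrusted))
          .Append("\">content</div>\n");

        // Rule #3: only inside a quoted JavaScript string literal, never as bare script
        sb.Append("<script>var displayName = '").Append(HttpUtility.JavaScriptStringEncode(untrusted))
          .Append("';</script>\n");

        // Rule #4: CSS property value inside a quoted string -> CssEncode (everything outside
        // A-Za-z0-9 becomes \XXXXXX). Values with a fixed shape (a colour, a length) should
        // instead be whitelist-validated before use.
        sb.Append("<span style=\"font-family: '").Append(AntiXssEncoder.CssEncode(untrusted))
          .Append("'\">text</span>\n");

        // Rule #5: URL parameter value -> UrlEncode the value, then attribute-encode the href
        string href = "http://www.somesite.com/?test=" + AntiXssEncoder.UrlEncode(untrusted);
        sb.Append("<a href=\"").Append(AntiXssEncoder.HtmlAttributeEncode(href)).Append("\">link</a>\n");

        return sb.ToString();
    }
}
```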
17. Defining Broken Authentication
• Authentication and session management functions not implemented correctly
• Allow attackers to compromise passwords, keys, session tokens
18. Broken Authentication Matrix
Threat Agents: External attackers, internal users trying to steal accounts from others
Attack Vectors (Exploitability: AVERAGE): Attackers use leaks or flaws in the authentication or session management functions
Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Custom authentication and session management schemes. Hard to find flaws.
Technical Impacts (Impact: SEVERE): Allows some or all accounts to be attacked.
Business Impact: Business value of the affected data.
19. Anatomy of Broken Authentication
• Session IDs in the url
– Cookieless session state
• Can still occur without IDs in the url (via executed XSS flaws)
• HttpOnly Cookies
• Use ASP.NET Membership & Role Providers
20. Session Fixation
• Do not accept session identifiers from GET / POST variables
• Use identity confirmation
• Store session identifiers in cookies
• Regenerate SID on each request
• Accept only server-generated SIDs
• Logout function
• Time-out old SIDs
• Destroy session if Referrer is suspicious
• Verify that additional information is consistent
– User Agent
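An added example, not from the slides, of the session-fixation and HttpOnly points above in ASP.NET Web Forms: a fresh server-generated SID is issued at the moment privilege changes (login), and each session is bound to the User-Agent that created it. SessionHardening, the "ua" session key and the page paths are assumed names.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// web.config companions (not shown here): <sessionState cookieless="UseCookies"/> keeps the
// SID out of the url, <httpCookies httpOnlyCookies="true" requireSSL="true"/> keeps the
// session and forms-auth cookies out of reach of page script.
public static class SessionHardening
{
    // Call right after the credentials are verified, before anything is put in Session.
    public static void OnLoginSucceeded(HttpContext ctx, string userName)
    {
        // Discard the session the browser arrived with: its ID may have been planted
        // by someone else (fixation) before the user ever authenticated.
        ctx.Session.Abandon();

        // Issue a fresh, server-generated SID and write it to the session cookie.
        var manager = new SessionIDManager();
        string freshId = manager.CreateSessionID(ctx);
        bool redirected, cookieAdded;
        manager.SaveSessionID(ctx, freshId, out redirected, out cookieAdded);

        FormsAuthentication.SetAuthCookie(userName, false);
        // Session data written from here on would die with the abandoned session,
        // so redirect and let the next request populate the new one.
        ctx.Response.Redirect("~/Default.aspx", false);
    }

    // Hook from Application_PostAcquireRequestState in Global.asax: bind the session
    // to the User-Agent that created it and drop it if that changes mid-session.
    public static void VerifyUserAgent(HttpContext ctx)
    {
        if (ctx.Session == null) return;             // handler without session state
        string current = ctx.Request.UserAgent ?? "";
        string bound = ctx.Session["ua"] as string;
        if (bound == null)
        {
            ctx.Session["ua"] = current;             // first request of this session
        }
        else if (!string.Equals(bound, current, StringComparison.Ordinal))
        {
            ctx.Session.Abandon();
            FormsAuthentication.SignOut();
            ctx.Response.Redirect("~/Login.aspx", true);
        }
    }
}
```

The User-Agent check is only the "additional information" consistency test the slide names; it supplements the SID regeneration rather than replacing it.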
22. Defining insecure direct object reference
• Data being unintentionally disclosed
• Exposing a reference to an internal object, file, directory or database key
23. IDOR Matrix
Threat Agents: Users of the system, having partial access to system data.
Attack Vectors (Exploitability: AVERAGE): Simple parameter modification
Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Applications use the actual name or key value of an object. Authorization is not verified.
Technical Impacts (Impact: SEVERE): Compromise all data that can be referenced.
Business Impact: Business value of the affected data.
25. Defining Cross Site Request Forgery
• Tricking the user into inadvertently issuing an HTTP request to a site
– Confused deputy problem
• Sends:
– Session cookie
– Authentication information
• Victim needs to be logged on
26. CSRF Matrix
Threat Agents: Anyone who can trick your users into submitting a request to your site
Attack Vectors (Exploitability: AVERAGE): Creates forged HTTP requests via image tags, XSS
Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Browsers send credentials like authentication cookies automatically, so attackers can create malicious web pages that generate forged requests.
Technical Impacts (Impact: SEVERE): Attackers can change any data the victim is allowed to change
Business Impact: Business value of the affected data.
27. CSRF Prevention
• Prevention measures that don’t work:
– Using a secret cookie
– Only accepting POST requests
– Multi-step transactions
– URL Rewriting
28. CSRF Prevention
• Synchronizer Token Pattern
• ViewState
– ViewStateUserKey = Session.SessionID
• Double submit cookies
– Header
– Hidden form value
• .NET CSRF Guard
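An added example (not from the slides) of the two measures on this slide in ASP.NET Web Forms: the ViewStateUserKey synchronizer token as a page base class, and a double-submit cookie for handlers and AJAX calls that carry no ViewState. CsrfProtectedPage, AntiForgery, the cookie/field names and the X-CSRF-Token header are assumed names.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Synchronizer token via ViewState: keying the ViewState MAC to the session makes
// ViewState captured for one user fail validation when replayed for another.
public class CsrfProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Must be set in Init, before view state is loaded. ASP.NET issues a new
        // SessionID on every request until something is stored in Session, so
        // store a value at login or this key will not be stable.
        ViewStateUserKey = Session.SessionID;
    }
}

// Double-submit cookie for handlers and AJAX calls that carry no ViewState.
public static class AntiForgery
{
    const string CookieName = "__csrf";
    const string FieldName = "__csrf_token";

    // At render time: the same random value goes into a cookie and a hidden field.
    public static string IssueToken(HttpContext ctx)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        ctx.Response.Cookies.Add(new HttpCookie(CookieName, token) { HttpOnly = true, Secure = ctx.Request.IsSecureConnection });
        return token; // render into <input type="hidden" name="__csrf_token"> or an X-CSRF-Token header
    }

    // At the top of every state-changing POST: a cross-site page can make the browser
    // attach the cookie but cannot read it to copy the value into the form or header.
    public static bool IsValid(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[CookieName];
        string submitted = ctx.Request.Form[FieldName] ?? ctx.Request.Headers["X-CSRF-Token"];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value) || string.IsNullOrEmpty(submitted)) return false;
        if (cookie.Value.Length != submitted.Length) return false;
        int diff = 0;
        for (int i = 0; i < submitted.Length; i++) diff |= cookie.Value[i] ^ submitted[i]; // constant-time compare
        return diff == 0;
    }
}
```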
30. Defining Insecure Cryptographic Storage
• Protection of sensitive data
Threat Agents: Users of the system
Attack Vectors (Exploitability: DIFFICULT): Attackers don’t break the crypto. They find keys, get clear text copies of data.
Security Weakness (Prevalence: UNCOMMON, Detectability: DIFFICULT): Common flaw is not encrypting data. Unsafe key generation, storage of keys, weak algorithms.
Technical Impacts (Impact: SEVERE): Compromises all data that should have been encrypted.
Business Impact: Business value of the affected data.
31. Questions
• Is the right data encrypted?
• Are the keys protected?
• Is the source data exposed by other interfaces?
• Is the hashing weak?
32. Encryption, hashing, salting
• Encryption: Transforming text into an illegible format that can only be deciphered with a ‘key’
• Hashing: Creating a one way digest that cannot be converted back.
• Salting: Adding a random string to input text before hashing to add unpredictability to the process.
33. MD5, SHA, DES, AES
• MD5: Common, not collision resistant.
• SHA: Secure Hash Algorithm, most popular (not the most secure)
• DES: Data Encryption Standard, insecure.
• AES: Advanced Encryption Standard, common.
34. Symmetric / Asymmetric Encryption
• Symmetric Encryption
– Uses same key to both encrypt and decrypt.
– Same algorithm can be applied to reverse encryption
• Asymmetric Encryption
– Different keys for encryption / decryption
35. Key Management
• Keep keys unique
• Protect the keys
• Always store keys away from data
• Keys should have a defined lifecycle
36. Cryptographic Cheat Sheet
• Only store sensitive data you need
• Only use strong crypto algorithms (AES, RSA)
• Ensure that random numbers are cryptographically strong
• Only use widely accepted implementations of cryptographic algorithms
• Store the hashed and salted value of passwords
• Ensure that any secret key is protected from unauthorized access
37. FAILURE TO RESTRICT URL ACCESS
38. Defining failure to restrict url access
• Users are able to access a resource they should not because appropriate controls do not exist
39. Matrix
Threat Agents: Anyone with network access can send the application a request
Attack Vectors (Exploitability: EASY): Attacker (already authorized) changes the url to a privileged page.
Security Weakness (Prevalence: UNCOMMON, Detectability: AVERAGE): Misconfigured urls, improper code checks
Technical Impacts (Impact: MODERATE): Allows attackers to access unauthorized functionality
Business Impact: Business value of the affected data.
40. Suggestions
• Leverage roles in preference to individual users
• Apply principal permissions
– [PrincipalPermission] attribute
• Protect web services and async calls
• Leverage IIS 7 Integrated pipeline
• Do not roll your own security model
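An added example (not from the slides) that covers both the IDOR slides (22 and 23) and the suggestions above: a role demand through the [PrincipalPermission] attribute guards who may call the method, and an explicit ownership check guards which row the caller may see through the id taken from the url. Invoice, InvoiceService, the "Accounting" role and the loader delegate are assumed.

```csharp
using System;
using System.Security.Permissions;
using System.Web;

// Url-level restriction belongs in web.config, e.g. <location path="Admin"> with
// <authorization><allow roles="Admin"/><deny users="*"/></authorization>; the checks
// below are the per-object layer that a url rule cannot express.
public class Invoice
{
    public int Id;
    public string OwnerUserName;
}

public class InvoiceService
{
    readonly Func<int, Invoice> _load;   // hypothetical data access: invoice id -> row, or null

    public InvoiceService(Func<int, Invoice> load) { _load = load; }

    // The declarative demand runs before the body: a principal that is not in the
    // "Accounting" role gets a SecurityException, so the check cannot be forgotten per call site.
    [PrincipalPermission(SecurityAction.Demand, Role = "Accounting")]
    public Invoice GetForCurrentUser(int invoiceId)
    {
        Invoice inv = _load(invoiceId);
        if (inv == null) return null;

        // The id came straight from the url (a direct object reference). Being allowed to
        // call this method is not the same as being allowed to see this row: verify ownership.
        string caller = HttpContext.Current.User.Identity.Name;
        if (!string.Equals(inv.OwnerUserName, caller, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Invoice " + invoiceId + " does not belong to the current user.");
        return inv;
    }
}
```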

Editor's Notes

1. Implicit user input: Request headers. Constructed user input: Query string variables.