Don’t get Stung (An introduction to the OWASP Top Ten Project)
Barry Dorrans, Microsoft Information Security Tools

Contents
• OWASP Top Ten
• http://www.owasp.org
• A worldwide free and open community focused on improving the security of application software

Introduction
• Do not try this at home. Or at work.
• These are not just ASP.NET vulnerabilities
• If you don’t want to ask public questions ... barryd@idunno.org / http://idunno.org

10 – Unvalidated Redirects and Forwards
• Users don’t check the address bar
• MVC authentication (pre-3.0) is vulnerable.
• Check the ReturnUrl parameter
  – http://weblogs.asp.net/jgalloway/archive/2011/01/25/preventing-open-redirection-attacks-in-asp-net-mvc.aspx

9 – Insufficient Transport Layer Protection
• Use SSL
• Protect communications between web server and backend systems (SSL, IPSEC etc.)
• Replay attacks – use time limited tokens

8 – Failure to restrict URI access
• Security by obscurity is useless
• Restrict via ASP.NET – no rolling your own!
• Integrated pipeline restricts everything
• Use [PrincipalPermission] to protect yourself
• IIS7 replaces file ACLs with a web.config based authorization list.

7 – Insecure Cryptographic Storage
• Symmetric – same key
• Asymmetric – public/private keys
• Use safe algorithms
  – Hashing: SHA256
  – Symmetric: AES
  – Asymmetric: CMS/PKCS#7
• Encrypt then sign

Insecure Cryptographic Storage
• Use symmetric when
  – All systems are under your control
  – No need to identify who did the encryption
• Use asymmetric when
  – Talking to / accepting from external systems
  – Non-repudiation on who encrypted/signed (X509)
  – All in memory – so no large plain text!
• Combine the two for speed and security

Insecure Cryptographic Storage
• Do not reuse keys for different purposes
• Store keys outside the main database
• Use CryptGenRandom for random numbers
• Use & rotate salts
• Use unique IVs
• DPAPI can provide a key store

6 – Security Misconfiguration
• PATCH PATCH PATCH
• IIS7 App Pool Isolation
  – http://learn.iis.net/page.aspx/764/ensure-security-isolation-for-web-sites/
• URLScan
• Security Runtime Engine (CTP)
• Disable unused modules, accounts etc.

Security Misconfiguration
  <httpModules>
    <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
    <add name="Session" type="System.Web.SessionState.SessionStateModule" />
    <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
    <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
    <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />
    <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />
    <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
    <add name="Profile" type="System.Web.Profile.ProfileModule" />
  </httpModules>

Security Misconfiguration
  <httpModules>
    <!-- Drop the modules this application does not use -->
    <remove name="PassportAuthentication" />
    <remove name="Profile" />
    <remove name="AnonymousIdentification" />
  </httpModules>
• NB: Some modules depend on others – Forms auth needs caching. There’s no easy way to tell!
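The "encrypt then sign" rules from the Insecure Cryptographic Storage slides above (AES, a unique IV per message, separate keys for separate purposes, check the signature before you decrypt), as an added C# example that is not from the deck. It assumes two distinct 32-byte keys generated with RNGCryptoServiceProvider and kept outside the database, and uses HMAC-SHA256 as the symmetric stand-in for the CMS/PKCS#7 signature the slides name for the asymmetric case.

```csharp
using System;
using System.Security.Cryptography;
public static class SealedStorage
{
    // Sealed blob layout: IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag (32 bytes).
    // encKey and macKey are assumed to be separate 32-byte keys from RNGCryptoServiceProvider,
    // stored outside the main database (e.g. protected with DPAPI), as the slides recommend.
    const int IvSize = 16, TagSize = 32;
    public static byte[] Seal(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.GenerateIV(); // fresh IV per message from the OS RNG (CryptGenRandom underneath)
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            var blob = new byte[IvSize + cipher.Length + TagSize];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, IvSize);
            Buffer.BlockCopy(cipher, 0, blob, IvSize, cipher.Length);
            // Encrypt then sign: the tag covers IV and ciphertext and uses the separate MAC key.
            using (var hmac = new HMACSHA256(macKey))
            {
                byte[] tag = hmac.ComputeHash(blob, 0, IvSize + cipher.Length);
                Buffer.BlockCopy(tag, 0, blob, IvSize + cipher.Length, TagSize);
            }
            return blob;
        }
    }
    public static byte[] Open(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob.Length < IvSize + TagSize) throw new CryptographicException("Blob too short");
        int cipherLen = blob.Length - IvSize - TagSize;
        using (var hmac = new HMACSHA256(macKey))
        {
            // Verify before decrypting; constant-time compare so timing does not leak the tag.
            byte[] expected = hmac.ComputeHash(blob, 0, IvSize + cipherLen);
            int diff = 0;
            for (int i = 0; i < TagSize; i++) diff |= expected[i] ^ blob[IvSize + cipherLen + i];
            if (diff != 0) throw new CryptographicException("MAC mismatch: blob tampered or wrong key");
        }
        using (var aes = Aes.Create())
        {
            byte[] iv = new byte[IvSize];
            Buffer.BlockCopy(blob, 0, iv, 0, IvSize);
            using (var dec = aes.CreateDecryptor(encKey, iv))
                return dec.TransformFinalBlock(blob, IvSize, cipherLen);
        }
    }
}
```

Because the MAC is checked before any decryption, a tampered blob or a wrong key fails with a single MAC error rather than a padding error, which is the failure mode that makes decrypt-before-verify designs exploitable.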
5 – Cross Site Request Forgery
• WebForms – Lock ViewState using ViewStateUserKey
  – Needs a way to identify user
  – Set in Page_Init
• Use a CSRF token – http://anticsrf.codeplex.com
• MVC
  – <%= Html.AntiForgeryToken() %> in the form
  – [ValidateAntiForgeryToken] on the action method
• Encourage users to log out
• When is a postback not a postback?

4 – Insecure Direct Object Reference
• Use indirect object references
• Always check access permissions
• For MVC don’t allow binding to your ID field: [Bind(Exclude="id")]

3 – Broken Authentication/Sessions
• Don’t roll your own!
• If you must validate sessions on every request check the browser string, not the IP

2 – Cross Site Scripting (XSS)
• <IMG SRC=javascript:alert('XSS')>
• <IMG SRC=JaVaScRiPt:alert('XSS')>
• <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

XSS
• All input is evil
• Work from white-lists not black-lists.
• Store un-encoded data in your database
• Use HttpOnly cookies
• AntiXSS project http://antixss.codeplex.com
  – Better HTML/URL Encoding
  – Adds HTML Attribute, Javascript, VBScript
• XSS Cheat Sheet http://ha.ckers.org/xss.html

1 – Injection Flaws
• SQL
  – Use SQL parameters
  – Remove direct SQL table access
  – When building SQL strings within SPs parameterise those too!
• XPath
  – Use XsltContext
  – http://mvpxml.codeplex.com/

Injection Flaws
  -- Dynamic SQL inside a stored procedure: keep the user values as parameters
  -- instead of concatenating them into the statement text.
  DECLARE @cmd nvarchar(max) = N'SELECT * FROM Customer WHERE FirstName LIKE @first OR LastName LIKE @last';
  EXEC sp_executesql @cmd, N'@first nvarchar(25), @last nvarchar(25)', @first, @last;

Changes from 2007
• Malicious File Execution
• Information Leakage / Improper Error Handling
• Security Misconfiguration
• Unvalidated Redirects and Forwards

The OWASP Top Ten
• A1 – Injection
• A2 – Cross Site Scripting (XSS)
• A3 – Broken Authentication and Session Management
• A4 – Insecure Direct Object References
• A5 – Cross Site Request Forgery (CSRF)
• A6 – Security Misconfiguration
• A7 – Insecure Cryptographic Storage
• A8 – Failure to Restrict URL Access
• A9 – Insufficient Transport Layer Protection
• A10 – Unvalidated Redirects and Forwards

Mandatory Book Pimping

Questions
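The ReturnUrl check from slide 10 (Unvalidated Redirects and Forwards), as an added C# example that is not from the deck or the linked article: a hypothetical ReturnUrlValidator that accepts only a path on the same site, so a login action never redirects a user to a host it did not choose.

```csharp
using System;
public static class ReturnUrlValidator
{
    // Returns true only for a same-site path: "/orders/42" or "~/orders/42".
    // Rejects absolute URLs ("http://evil.example/"), protocol-relative URLs ("//evil.example/")
    // and the backslash variant ("/\evil.example/") that browsers normalise to "//".
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;
        url = url.Trim();
        // "~/" is the ASP.NET application-relative form; treat it like a leading "/".
        if (url.StartsWith("~/", StringComparison.Ordinal)) url = url.Substring(1);
        // Exactly one leading slash: no scheme, no host, no "//" or "/\".
        if (url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        // Control characters or embedded whitespace have no business in a redirect target.
        foreach (char c in url)
            if (char.IsControl(c) || char.IsWhiteSpace(c)) return false;
        return true;
    }
    // Use the supplied ReturnUrl only when it passes; otherwise fall back to a known page.
    public static string SafeReturnUrl(string returnUrl, string fallback)
    {
        return IsLocalUrl(returnUrl) ? returnUrl.Trim() : fallback;
    }
    // In a (hypothetical) MVC LogOn action the call would be:
    //   return Redirect(ReturnUrlValidator.SafeReturnUrl(returnUrl, Url.Action("Index", "Home")));
}
```

Note that ASP.NET has already URL-decoded the query string by the time the action sees it, so "%2F%2Fevil.example" arrives as "//evil.example" and is caught by the second-character check.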