security of web applications: top 6 risks to avoid

Post on 04-Jul-2015


Category:

Technology


DESCRIPTION

A modest Web application security introduction to .NET developers.

TRANSCRIPT

Security of Web Applications

TOP 6 RISKS TO AVOID

Console.WriteLine("Hello World");

I'm Audrius Kovalenko

.NET Developer

Hack for fun

@slicklash

http://www.notreallycode.com

Forecasts for Upcoming Years

VERY CLOUDY

SaaS GROWTH

WEB APPLICATIONS IN HIGH-DEMAND

Web Application Security Today

Source: Web Hacking Incident Database (WHID)

Distribution of Attack Methods in 2011

Puzzle

How to pour all liquid into the glass?

IMPOSSIBLE

Everyone knows it

How to deliver secure product knowing little about application security?

If that's my bag, whose bag is it then?

SQLi

XSS

CSRF

HD Moore

Bruce

Schneier

Troy

Hunt

Michał Zalewski

Agile

TDD

Refactoring DI

Kent Beck

REST

Steve

Freeman

Design Patterns

Martin

Fowler

Builder vs Breaker

Problem

We don't know what we don't know

The Unknowns

WHAT ARE THE COUNTERMEASURES?

WHAT TO LOOK FOR?

WHAT ARE THE MAJOR RISKS?

CWE/SANS Top 25 Most Dangerous Software Errors

https://cwe.mitre.org/top25

Open Web Application Security Project

OWASP

https://www.owasp.org

What is a risk anyway?

The OWASP Top 10: 6 Web Risks

A1 INJECTION

A2 CROSS SITE SCRIPTING (XSS)

A3 BROKEN AUTHENTICATION AND SESSION MANAGEMENT

A4 INSECURE DIRECT OBJECT REFERENCES

A5 CROSS SITE REQUEST FORGERY (CSRF)

A6 SECURITY MISCONFIGURATION

Injections

Breaking out of a data context into a code context

Why is SQLi still around?

Injections (2)

var catId = Request.QueryString["Category"];
var sql = "SELECT * FROM Products WHERE [CategoryId] = " + catId;

Anti-Injection

ORM

PARAMETERIZED QUERIES

DON'T BE LAZY

Cross Site Scripting (XSS)

Injection of client-side code into Web pages viewed by other users

public static MvcHtmlString DeviceInfoEvil(this HtmlHelper helper)
{
    string s = "<span>" + helper.ViewContext.HttpContext.Request.UserAgent + "</span>";
    return MvcHtmlString.Create(s);
}

[...]

Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5;)<script>alert(1);</script>

[...]

public static MvcHtmlString DeviceInfoGood(this HtmlHelper helper)
{
    TagBuilder userAgent = new TagBuilder("span");
    userAgent.SetInnerText(helper.ViewContext.HttpContext.Request.UserAgent);
    return MvcHtmlString.Create(userAgent.ToString());
}

Cross Site Request Forgery (CSRF)

Forged requests executed by tricking authenticated victim

<img src="https://bank.com/smth?param=1" />

<iframe src="https://bank.com/smth?param=1" />

<body onload="document.forms[0].submit()">
  <form method="post" action="https://bank.com/smth">
    <input type="hidden" name="param" value="1" />
  </form>
</body>

Anti-XSS

INPUT FILTERING

OUTPUT FILTERING

MICROSOFT AntiXSS


ANTIFORGERY TOKENS

Broken Authentication and Session Management

Poor implementation of authentication and session management

6.5 MILLION HASHES, PLAIN SHA1 (June 2012)

450 000 PASSWORDS, PLAIN TEXT (July 2012)

Be careful


HASH + SALT + STRETCHING

NO HARDCODED "SHORTCUTS"

TLS

Use #if DEBUG

bcrypt/scrypt

https://www.cookiecadger.com

DON'T REINVENT THE WHEEL

Insecure Direct Object References

Unauthorized access of exposed reference to an internal implementation

MASS ASSIGNMENT VULNERABILITY

Insecure Direct Object References (2)

public class User
{
    public string UserName { get; set; }
    public bool IsAdmin { get; set; }
}

[Authorize]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult UpdateUser(User model)
{
    if (ModelState.IsValid)
    {
        var user = db.Users.Single(u => u.UserName == model.UserName);
        if (TryUpdateModel(user))
        {
            db.SaveChanges();
        }
    }
    return View();
}

Insecure Direct Object References (3)

public ActionResult UpdateUser([Bind(Exclude = "IsAdmin")] User model) // Black Listing - NO

[...]

public ActionResult UpdateUser([Bind(Include = "UserName")] User model) // White Listing - OK

[...]

public class UserViewModel // Secure by Design - BEST
{
    public string UserName { get; set; }
}

Countermeasures

CODE REVIEWS

ACCESS CHECKS

NO COPY-PASTE

Security Misconfiguration

Improper application configuration

Web.Config Security Analyzer

https://sourceforge.net/projects/wcsa

Introducing in development

DEDICATED PERSON

SPECIAL TRAINING

SELF TRAINING LEARN

PRACTICE

UNDERSTAND

?

Common Excuses

TIGHT DEADLINES (Budget)

NO ONE WILL HACK US (Ignorance)

The Real Issue

WRONG PERSON IN WRONG PLACE: Architect, Manager, Lazy Co-Worker

Security is hard but possible when you know

Drowning is your personal problem

Don't forget

Further Reading

Highly Recommended

ACADEMIC

ENTERPRISE

HACKER

Learning From The Breakers

http://www.irongeek.com

Hacking Illustrated: Video from Security Conferences