OWASP TOP 10 & .NET
DANIEL KRASNOKUCKI, EQUINIX & GROUPKA
WHOAMI?
/ Security specialist (AppSec)
/ DevSecOps
/ Developer
/ Trainer
/ Lecturer
OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
WHY R U HERE?
USERS AND PROGRAMMERS VS. SECURITY
OWASP TOP 10 WEB APPLICATION VULNERABILITIES
A1 - INJECTIONS
A2 - BROKEN AUTHENTICATION
A3 - SENSITIVE DATA EXPOSURE
A4 - XML EXTERNAL ENTITIES
A5 - BROKEN ACCESS CONTROL
A6 - SECURITY MISCONFIGURATION
A7 - CROSS-SITE SCRIPTING
A8 - INSECURE DESERIALISATION
A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES
A10 - INSUFFICIENT LOGGING & MONITORING
STARTING WITH THE OBVIOUS ONES…
A10 - INSUFFICIENT LOGGING & MONITORING
Insufficient logging and monitoring, coupled with missing or ineffective
integration with incident response, allows attackers to further attack systems,
maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
Most breach studies show time to detect a breach is over 200 days, typically
detected by external parties rather than internal processes or monitoring.
LOGGING IN .NET
Logging guidance from Microsoft
https://microsoft.github.io/code-with-engineering-playbook/Engineering/DevOpsLoggingDetailsCSharp.html
Where possible, always log:
• Input and output validation failures e.g. protocol violations, unacceptable encodings, invalid parameter names and values
• Authentication successes and failures and Authorization (access control) failures
• Session management failures e.g. cookie session identification value modification
• Application errors and system events
• Application and related systems start-ups and shut-downs, and logging initialization (starting, stopping or pausing)
• Use of higher-risk functionality
• Legal and other opt-ins e.g. permissions for mobile phone capabilities, terms & conditions, PII data usage consent
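As an added example (not from the slides), one ASP.NET Core login action that emits three of the event categories in the list above (input validation failure, authentication success, authentication failure) as structured log entries; IAuthService and LoginRequest are hypothetical placeholders.

```csharp
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Hypothetical request model and credential checker, stand-ins for the application's own.
public class LoginRequest
{
    public string Username { get; set; }
    public string Password { get; set; }
}

public interface IAuthService
{
    bool ValidateCredentials(string username, string password);
}

public class AccountController : ControllerBase
{
    // Stable event ids make each category filterable in the log pipeline / SIEM.
    private static readonly EventId AuthSuccess = new EventId(1001, "AuthSuccess");
    private static readonly EventId AuthFailure = new EventId(1002, "AuthFailure");
    private static readonly EventId InputValidationFailure = new EventId(1003, "InputValidationFailure");

    private readonly IAuthService _auth;
    private readonly ILogger<AccountController> _logger;

    public AccountController(IAuthService auth, ILogger<AccountController> logger)
    {
        _auth = auth;
        _logger = logger;
    }

    [HttpPost("login")]
    public IActionResult Login([FromBody] LoginRequest request)
    {
        string remoteIp = HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";

        // Input validation failure: record the fact and the field, never the submitted value.
        if (request == null || string.IsNullOrEmpty(request.Username) || request.Username.Length > 64)
        {
            _logger.LogWarning(InputValidationFailure,
                "Login rejected: invalid username field from {RemoteIp}", remoteIp);
            return BadRequest();
        }

        if (!_auth.ValidateCredentials(request.Username, request.Password))
        {
            // Who and from where; the timestamp is added by the logging provider.
            // The password is never written to the log, and the client gets a generic answer.
            _logger.LogWarning(AuthFailure,
                "Authentication failed for {Username} from {RemoteIp}", request.Username, remoteIp);
            return Unauthorized();
        }

        _logger.LogInformation(AuthSuccess,
            "Authentication succeeded for {Username} from {RemoteIp}", request.Username, remoteIp);
        return Ok();
    }
}
```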
ANOTHER OBVIOUS ONE…
A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES
Components, such as libraries, frameworks, and other software modules, run with
the same privileges as the application. If a vulnerable component is exploited,
such an attack can facilitate serious data loss or server takeover. Applications and
APIs using components with known vulnerabilities may undermine application
defences and enable various attacks and impacts.
A8 - INSECURE DESERIALISATION
Insecure deserialization often leads to remote code execution. Even if
deserialization flaws do not result in remote code execution, they can be used to
perform attacks, including replay attacks, injection attacks, and privilege
escalation attacks.
{
  "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework",
  "ObjectInstance": {
    "$type": "System.Diagnostics.Process, System"
  },
  "MethodParameters": {
    "$type": "System.Collections.ArrayList, mscorlib",
    "$values": ["calc"]
  },
  "MethodName": "Start"
}
ANY FLAWS IN .NET?
INSECURE DESERIALISATION MITIGATION
‣ Do not deserialize untrusted data!
‣ … do not deserialize untrusted data!
‣ If you really need to deserialize:
‣ Make sure to evaluate the security of the chosen library
‣ Avoid libraries without strict Type control
‣ Never use user-controlled data to define the deserializer expected Type
‣ Do not roll your own format
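As an added example (not from the slides), the Json.NET setting that makes a "$type" payload like the ObjectDataProvider document above instantiate attacker-chosen types, next to two hardened forms: the default (type comes from code, not data) and an explicit allow-list binder for cases where polymorphic JSON cannot be avoided. Order, OrderLine and the class names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical application types that the JSON is expected to contain.
public class OrderLine { public string Sku { get; set; } public int Quantity { get; set; } }
public class Order { public int Id { get; set; } public List<OrderLine> Lines { get; set; } }

public static class OrderDeserializer
{
    // WEAK: TypeNameHandling other than None lets the "$type" field in untrusted JSON pick
    // the CLR type that gets instantiated, which is exactly what the gadget payload relies on.
    public static Order ParseUnsafe(string json)
    {
        var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };
        return JsonConvert.DeserializeObject<Order>(json, settings);
    }

    // HARDENED (1): the library default. "$type" is not honoured; the expected Type is
    // the generic argument given in code, never something the data defines.
    public static Order ParseSafe(string json)
    {
        var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
        return JsonConvert.DeserializeObject<Order>(json, settings);
    }

    // HARDENED (2): if polymorphic JSON is genuinely required, keep "$type" but bind it only
    // to an explicit allow-list; any other type name (Process, ObjectDataProvider, ...) throws.
    public static Order ParseWithAllowList(string json)
    {
        var settings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Auto,
            SerializationBinder = new AllowListBinder(new[] { typeof(Order), typeof(OrderLine) })
        };
        return JsonConvert.DeserializeObject<Order>(json, settings);
    }
}

// Strict type control: only the listed types may be created from a "$type" value.
public sealed class AllowListBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed = new Dictionary<string, Type>();

    public AllowListBinder(IEnumerable<Type> allowed)
    {
        foreach (var t in allowed) _allowed[t.FullName] = t;
    }

    public Type BindToType(string assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out var type)) return type;
        throw new JsonSerializationException($"Type '{typeName}' is not allowed for deserialization.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}
```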
A7 - CROSS-SITE SCRIPTING
XSS flaws occur whenever an application includes untrusted data in a new web
page without proper validation or escaping, or updates an existing web page
with user-supplied data using a browser API that can create HTML or JavaScript.
XSS allows attackers to execute scripts in the victim's browser which can hijack
user sessions, deface web sites, or redirect the user to malicious sites.
IT’S MOSTLY SECURED BY DEFAULT IN .NET, BUT …
‣ Stop reinventing the wheel
‣ Do not be smarter than the framework
‣ If you use Razor, then use Razor. If you use something else, then use something else, but do not use your own Razor-ish, MVC-ish, .NET-ish…
‣ Validate and whitelist each input and parameter
‣ Use proper output encoding
A6 - SECURITY MISCONFIGURATION
Security misconfiguration is the most commonly seen issue. This is a result of
insecure default configurations, incomplete or ad hoc configurations, open cloud
storage, misconfigured HTTP headers, and verbose error messages containing
sensitive information. Not only must all operating systems, frameworks, libraries,
and applications be securely configured, but they must be patched/upgraded in
a timely fashion.
POSSIBLE .NET MISCONFIGURATION
‣ Missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services.
‣ Unnecessary features are enabled or installed
‣ Default accounts and their passwords still enabled and unchanged
‣ Error handling without custom errors
‣ For upgraded systems, latest security features are disabled or not configured securely
‣ The security settings in the application servers, application frameworks, libraries, databases, etc. not set to secure values.
‣ The server does not send security headers or directives or they are not set to secure values.
SECURITY HEADERS
EXAMPLE: CONTENT SECURITY POLICY
SECURITY CONFIGURATIONS IN .NET - COOKIES
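As an added example (not from the slides), one ASP.NET Core Startup that covers the three slides above: it sends the security headers a misconfigured server omits, including a Content Security Policy, and sets hardened cookie defaults (HttpOnly, Secure, SameSite). The policy values are illustrative and must be adjusted per application.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        // Cookie defaults for every cookie the app issues: no script access,
        // only over TLS, never sent on cross-site requests.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.HttpOnly = HttpOnlyPolicy.Always;
            options.Secure = CookieSecurePolicy.Always;
            options.MinimumSameSitePolicy = SameSiteMode.Strict;
        });

        // Session cookie: same flags, a non-default name so the stack is not advertised,
        // and a short idle timeout.
        services.AddSession(options =>
        {
            options.Cookie.Name = "app.session";
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict;
            options.IdleTimeout = TimeSpan.FromMinutes(20);
        });

        // Strict-Transport-Security: one year, including subdomains.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365);
            options.IncludeSubDomains = true;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHsts();
        app.UseHttpsRedirection();

        // Security headers on every response. This CSP allows only same-origin scripts and
        // styles, blocks plugins, inline script and framing; tighten or loosen per application.
        app.Use(async (context, next) =>
        {
            var headers = context.Response.Headers;
            headers["Content-Security-Policy"] =
                "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; " +
                "frame-ancestors 'none'; base-uri 'self'";
            headers["X-Content-Type-Options"] = "nosniff";
            headers["X-Frame-Options"] = "DENY";
            headers["Referrer-Policy"] = "no-referrer";
            await next();
        });

        app.UseCookiePolicy();
        app.UseSession();
        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

Check the result with the response headers of any page (browser dev tools or curl -I): the CSP, nosniff, frame and referrer headers should be present, and the Set-Cookie lines should carry HttpOnly, Secure and SameSite=Strict.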
A5 - BROKEN ACCESS CONTROL
Restrictions on what authenticated users are allowed to do are often not properly
enforced. Attackers can exploit these flaws to access unauthorized functionality
and/or data, such as access other users' accounts, view sensitive files, modify
other users' data, change access rights, etc.
IDOR (INSECURE DIRECT OBJECT REFERENCES)
www.mybestandonlystore.com/orders/orderid=900
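As an added example (not from the slides), the /orders/{orderId} endpoint behind a URL like the one above, first with the IDOR (any authenticated user can read any order id) and then with the ownership check folded into the query. Order, AppDbContext and the route names are hypothetical EF Core placeholders.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Hypothetical model: every order records the id of the user who owns it.
public class Order
{
    public int Id { get; set; }
    public string OwnerId { get; set; }
    public decimal Total { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<Order> Orders { get; set; }
}

[Authorize]
[Route("orders")]
public class OrdersController : ControllerBase
{
    private readonly AppDbContext _db;

    public OrdersController(AppDbContext db) { _db = db; }

    // VULNERABLE: authentication is enforced, authorization is not. The lookup is keyed on
    // the client-supplied id alone, so orderid=900 returns whoever's order that is.
    [HttpGet("unsafe/{orderId}")]
    public IActionResult GetUnsafe(int orderId)
    {
        var order = _db.Orders.Find(orderId);
        return order == null ? (IActionResult)NotFound() : Ok(order);
    }

    // FIXED: the owner comes from the authenticated identity, never from the request, and is
    // part of the query itself, so an id that belongs to someone else simply finds nothing.
    [HttpGet("{orderId}")]
    public IActionResult Get(int orderId)
    {
        string userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId == null) return Forbid();

        var order = _db.Orders.SingleOrDefault(o => o.Id == orderId && o.OwnerId == userId);

        // Same response for "does not exist" and "not yours": no oracle for valid ids.
        return order == null ? (IActionResult)NotFound() : Ok(order);
    }
}
```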
CORS (CROSS-ORIGIN RESOURCE SHARING)
XXE
// Two XXE test documents: each declares an external entity that points at a local file
// and then references it from the document body.
string xml = @"<?xml version=""1.0"" ?>
<!DOCTYPE doc [<!ENTITY win SYSTEM ""file:///C:/Users/user/Documents/test.txt"">]>
<doc>&win;</doc>";
---------------------
string xml2 = @"<?xml version=""1.0"" ?>
<!DOCTYPE doc [<!ENTITY lin SYSTEM ""/etc/passwd"">]><doc>&lin;</doc>";
A4 - XML EXTERNAL ENTITIES
Many older or poorly configured XML processors evaluate external entity
references within XML documents. External entities can be used to disclose
internal files using the file URI handler, internal file shares, internal port scanning,
remote code execution, and denial of service attacks.
.NET XML LIBRARIES

Object          Safe by default? (the default changes at the listed framework version)
XmlReader       < 4.0  |  4.0+
XmlTextReader   < 4.0  |  4.0+
XmlDocument     < 4.6  |  4.6+
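As an added example (not from the slides), explicit parser settings that keep documents like the two XXE strings above from being resolved regardless of which framework version's defaults apply: the pattern to avoid (an XmlDocument with a resolver attached) beside an XmlReader and an XmlDocument configured to prohibit DTDs and carry no resolver. The class and method names are hypothetical.

```csharp
using System.IO;
using System.Xml;

public static class SafeXml
{
    // PATTERN TO AVOID: a resolver attached to the document means external entities such
    // as &win; / &lin; are fetched and expanded. On XmlDocument before 4.6 this is the
    // default; on later versions it only happens when a resolver is set like this.
    public static string ParseWithResolver(string xml)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = new XmlUrlResolver();
        doc.LoadXml(xml);
        return doc.DocumentElement.InnerText;
    }

    // HARDENED XmlReader: the DOCTYPE itself is rejected (XmlException), and with a null
    // resolver nothing could be fetched even if DTD processing were switched to Parse.
    public static string ReadWithXmlReader(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            reader.MoveToContent();
            return reader.ReadElementContentAsString();
        }
    }

    // HARDENED XmlDocument: a null resolver on every framework version, and the document is
    // loaded through a prohibiting reader rather than LoadXml(string).
    public static string ReadWithXmlDocument(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc.DocumentElement.InnerText;
    }
}
```

If legitimate input carries a harmless DOCTYPE, DtdProcessing.Ignore skips it instead of throwing; the null resolver still prevents any external fetch.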
A3 - SENSITIVE DATA EXPOSURE
Many web applications and APIs do not properly protect sensitive data, such as
financial, healthcare, and PII. Attackers may steal or modify such weakly protected
data to conduct credit card fraud, identity theft, or other crimes. Sensitive data
may be compromised without extra protection, such as encryption at rest or in
transit, and requires special precautions when exchanged with the browser.
LOOKS FAMILIAR?
A2 - BROKEN AUTHENTICATION
Application functions related to authentication and session management are
often implemented incorrectly, allowing attackers to compromise passwords,
keys, or session tokens, or to exploit other implementation flaws to assume other
users' identities temporarily or permanently.
BROKEN AUTHENTICATION MITIGATIONS
‣ Passwords with proper length and complexity
‣ Use general messages for the user
‣ Limit the attempts of login
‣ Do not show sessionID to the user
‣ Secure your cookies
‣ Use MFA
‣ If you are using hashed passwords, do not use your own hashing functions and add a salt
http://www.przyklad.com/(S(lit2py15t221z5v65vlsd23s55))/zamowienie.aspx
BROKEN AUTHENTICATION - EXAMPLE SETTINGS
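As an added example (not from the slides), ASP.NET Core Identity settings that implement the mitigation list above: password length and complexity, a login attempt limit via lockout, a hardened authentication cookie, and a sign-in helper that returns one generic message for every failure. ApplicationUser, AppDbContext and the helper names are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical user and store types.
public class ApplicationUser : IdentityUser { }
public class AppDbContext : IdentityDbContext<ApplicationUser> { }

public static class AuthenticationSetup
{
    public static void AddHardenedIdentity(this IServiceCollection services)
    {
        services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        {
            // Password length and complexity.
            options.Password.RequiredLength = 12;
            options.Password.RequireDigit = true;
            options.Password.RequireUppercase = true;
            options.Password.RequireLowercase = true;
            options.Password.RequireNonAlphanumeric = true;
            options.Password.RequiredUniqueChars = 4;

            // Limit login attempts: 15-minute lockout after 5 failures, also for new accounts.
            options.Lockout.MaxFailedAccessAttempts = 5;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
            options.Lockout.AllowedForNewUsers = true;

            options.User.RequireUniqueEmail = true;
        })
        .AddEntityFrameworkStores<AppDbContext>()
        .AddDefaultTokenProviders();

        // Identity stores passwords with its own salted, iterated hasher; no custom hashing.
        // The authentication cookie: no script access, TLS only, not sent cross-site, short
        // sliding lifetime. The session identifier lives only in this cookie, never in the URL
        // (the classic ASP.NET cookieless mode that yields the (S(...)) URL above is disabled
        // there with <sessionState cookieless="UseCookies" /> in web.config).
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Name = "app.auth";
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict;
            options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
            options.SlidingExpiration = true;
            options.LoginPath = "/account/login";
        });
    }

    // Sign-in with lockout counting enabled and one generic message for every failure
    // (unknown user, wrong password, locked out), so nothing about accounts is enumerable.
    public static async Task<string> SignInAsync(SignInManager<ApplicationUser> signInManager,
                                                 string username, string password)
    {
        var result = await signInManager.PasswordSignInAsync(
            username, password, isPersistent: false, lockoutOnFailure: true);
        return result.Succeeded ? null : "Invalid login attempt.";
    }
}
```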
A1 - INJECTIONS
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query. The
attacker's hostile data can trick the interpreter into executing unintended
commands or accessing data without proper authorization.
SQL INJECTION - GENERAL CASE
www.somestore.com/Products.aspx?CategoryID=1
www.somestore.com/Products.aspx?CategoryID=1 or 1=1
SQL INJECTION - REAL EXAMPLE
And a quick mitigation…
SQL INJECTION MITIGATION
‣ Use .NET security leading practices and OWASP Guidelines
‣ Parametrize your queries
‣ Validate the parameters from the user - ALWAYS!
‣ Use whitelisting of characters
‣ Check the length of the parameter
‣ App should have the minimum required permission in the system (not running as an admin “because it’s easier and it’s working”)
‣ You can use ORM…
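As an added example (not from the slides), the Products.aspx?CategoryID=... lookup from the SQL injection slides written the vulnerable way (string concatenation, so "1 or 1=1" becomes part of the WHERE clause) and then with whitelist validation of the raw value and a typed parameter. Product, the table and column names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public class Product { public int Id { get; set; } public string Name { get; set; } }

public static class ProductRepository
{
    // VULNERABLE: the request value is pasted into the SQL text, so
    // CategoryID=1 or 1=1 rewrites the WHERE clause instead of being compared to it.
    public static List<Product> GetByCategoryUnsafe(SqlConnection conn, string categoryId)
    {
        string sql = "SELECT Id, Name FROM Products WHERE CategoryID = " + categoryId;
        using (var cmd = new SqlCommand(sql, conn))
        {
            return ReadProducts(cmd);
        }
    }

    // Whitelist validation of the raw request value: digits only (no sign, no whitespace),
    // bounded length, positive range. Returns false for "1 or 1=1", "", "-1", "1e9", etc.
    public static bool TryParseCategoryId(string raw, out int categoryId)
    {
        categoryId = 0;
        if (raw == null || raw.Length == 0 || raw.Length > 9) return false;
        if (!int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out categoryId))
            return false;
        return categoryId > 0;
    }

    // FIXED: validate first, then bind the value as a typed parameter so the database
    // receives it as data, never as SQL. The connection should belong to an account with
    // SELECT on Products only (least privilege from the list above).
    public static List<Product> GetByCategory(SqlConnection conn, string rawCategoryId)
    {
        if (!TryParseCategoryId(rawCategoryId, out int categoryId))
            throw new ArgumentException("CategoryID must be a positive integer.", nameof(rawCategoryId));

        const string sql = "SELECT Id, Name FROM Products WHERE CategoryID = @categoryId";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@categoryId", SqlDbType.Int).Value = categoryId;
            return ReadProducts(cmd);
        }
    }

    private static List<Product> ReadProducts(SqlCommand cmd)
    {
        var result = new List<Product>();
        using (var reader = cmd.ExecuteReader())
        {
            while (reader.Read())
                result.Add(new Product { Id = reader.GetInt32(0), Name = reader.GetString(1) });
        }
        return result;
    }
}
```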
IQUERYABLE<T> VS. IENUMERABLE<T>
‣ IEnumerable is best for querying in-memory collections such as List, Array, etc.
‣ When querying a database, IEnumerable executes the SELECT on the server side, loads the data into memory on the client side, and then filters it.
‣ IEnumerable does not support custom queries.
‣ IEnumerable does not support lazy loading, so it is not suitable for paging-like scenarios.
‣ Extension methods on IEnumerable take functional objects.
‣ IQueryable is best for querying out-of-memory collections (such as a remote database or service).
‣ When querying a database, IQueryable executes the SELECT on the server side with all filters applied.
‣ IQueryable supports custom queries via the CreateQuery and Execute methods.
‣ IQueryable supports lazy loading, so it is suitable for paging-like scenarios.
‣ Extension methods on IQueryable take expression objects, i.e. expression trees.
IQUERYABLE<T> VS. IENUMERABLE<T>
public IQueryable<Customer> GetCustomer(int customerId)
‣ A consumer of this query can call .Include("Orders") on the returned IQueryable<Customer> to retrieve data that the query did not intend to expose. This can be avoided by changing the return type of the method to IEnumerable<T> and calling a method (such as .ToList()) that materializes the results.
‣ Because IQueryable<T> queries are executed when the results are iterated over, a consumer of a query that exposes an IQueryable<T> type could catch exceptions that are thrown. Exceptions could contain information not intended for the consumer.
Avoid returning IQueryable<T> types from methods that are exposed to potentially untrusted callers
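As an added example (not from the slides), the GetCustomer method above in both shapes: the open IQueryable that a caller can extend with Include and that executes (and throws) in the caller, beside a version that projects to an allowed DTO and materialises inside the repository. Customer, Order, CustomerDto and AppDbContext are hypothetical EF Core placeholders.

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.EntityFrameworkCore;

// Hypothetical model. TaxId and Orders are data the API is not meant to hand out.
public class Order { public int Id { get; set; } public int CustomerId { get; set; } public decimal Total { get; set; } }
public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string TaxId { get; set; }
    public List<Order> Orders { get; set; }
}
public class AppDbContext : DbContext { public DbSet<Customer> Customers { get; set; } }

// The shape consumers are allowed to see.
public class CustomerDto { public int Id { get; set; } public string Name { get; set; } }

public class CustomerRepository
{
    private readonly AppDbContext _db;
    public CustomerRepository(AppDbContext db) { _db = db; }

    // EXPOSED: the query is still open. A caller can write
    //   repo.GetCustomer(1).Include(c => c.Orders).ToList()
    // and pull the related rows this method never meant to return; and because nothing runs
    // until enumeration, any database exception surfaces in the caller's code.
    public IQueryable<Customer> GetCustomer(int customerId)
    {
        return _db.Customers.Where(c => c.Id == customerId);
    }

    // CLOSED: project to the permitted fields and materialise here, so the returned shape,
    // the SQL that executes and the exception boundary all stay inside this method.
    public IEnumerable<CustomerDto> GetCustomerSafe(int customerId)
    {
        return _db.Customers
            .Where(c => c.Id == customerId)
            .Select(c => new CustomerDto { Id = c.Id, Name = c.Name })
            .ToList();
    }
}
```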
.NET CORE VALIDATION PROBLEMS
‣ Laziness (our laziness… not .NET)
‣ Tools first! (we do not think)
‣ Front-end validation
‣ Improper feedback for the user
CONTEST QUESTION
EXPLAIN WHAT CSP IS, HOW IT WORKS, AND WHERE IT CAN BE CONFIGURED IN .NET
THANK YOU.
DANIEL.KRASNOKUCKI@OWASP.ORG
53

More Related Content

PDF
Owasp top 10
PDF
Owasp Top 10
PPT
Owasp Top 10
PPTX
Owasp top 10 2017
PPTX
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
PPTX
OWASP Top 10 Vulnerabilities 2017- AppTrana
PPTX
Owasp 2017 oveview
PDF
OWASP TOP TEN 2017 RC1
Owasp top 10
Owasp Top 10
Owasp Top 10
Owasp top 10 2017
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 Vulnerabilities 2017- AppTrana
Owasp 2017 oveview
OWASP TOP TEN 2017 RC1

What's hot (20)

PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
PDF
Top 10 Web Application vulnerabilities
PDF
OWASP Top 10 2017
PPTX
Owasp first5 presentation
PPTX
OWASP Top 10 2017 - New Vulnerabilities
PPTX
Owasp top 10 security threats
PDF
Oh, WASP! Security Essentials for Web Apps
PPTX
Owasp top 10 vulnerabilities
PDF
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
PPT
Owasp top 10 & Web vulnerabilities
PPTX
OWASP -Top 5 Jagjit
PDF
OWASP Top 10 - 2017
PDF
The New OWASP Top Ten: Let's Cut to the Chase
PDF
Web Application Security and Awareness
PPT
OWASP Serbia - A3 broken authentication and session management
PPTX
Beyond the OWASP Top 10
PPT
Owasp Top 10 And Security Flaw Root Causes
PPTX
Analysis of web application penetration testing
PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
Top 10 Web Application vulnerabilities
OWASP Top 10 2017
Owasp first5 presentation
OWASP Top 10 2017 - New Vulnerabilities
Owasp top 10 security threats
Oh, WASP! Security Essentials for Web Apps
Owasp top 10 vulnerabilities
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
Owasp top 10 & Web vulnerabilities
OWASP -Top 5 Jagjit
OWASP Top 10 - 2017
The New OWASP Top Ten: Let's Cut to the Chase
Web Application Security and Awareness
OWASP Serbia - A3 broken authentication and session management
Beyond the OWASP Top 10
Owasp Top 10 And Security Flaw Root Causes
Analysis of web application penetration testing
Ad

Similar to OWASP TOP 10 & .NET (20)

PDF
[OPD 2019] .NET Core Security
PPTX
owasp features in secure coding techniques
PDF
Shields up - improving web application security
PDF
Whats new in The OWASP Top Ten 2017?
PDF
Secure coding guidelines
PDF
How to Harden the Security of Your .NET Website
 
PDF
Top 10 web application security risks akash mahajan
PPT
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
PDF
OWASP Top 10 List Overview for Web Developers
PPT
OWASP Top10 2010
PPTX
Owasp top 10 web application security risks 2017
PDF
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
PDF
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
PPTX
OWASP Top Ten 2017
 
PDF
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
PDF
OWASP Top 10 Web Vulnerabilities from DCC 04/14
PDF
OWASP top10 2017, Montpellier JUG de Noel
PPTX
Application Security Vulnerabilities: OWASP Top 10 -2007
PDF
OWASP (Open Web Application Security Project) .pdf
PDF
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
[OPD 2019] .NET Core Security
owasp features in secure coding techniques
Shields up - improving web application security
Whats new in The OWASP Top Ten 2017?
Secure coding guidelines
How to Harden the Security of Your .NET Website
 
Top 10 web application security risks akash mahajan
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 List Overview for Web Developers
OWASP Top10 2010
Owasp top 10 web application security risks 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top Ten 2017
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
OWASP Top 10 Web Vulnerabilities from DCC 04/14
OWASP top10 2017, Montpellier JUG de Noel
Application Security Vulnerabilities: OWASP Top 10 -2007
OWASP (Open Web Application Security Project) .pdf
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
Ad

Recently uploaded (20)

PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PPTX
cloud_computing_Infrastucture_as_cloud_p
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
PDF
WOOl fibre morphology and structure.pdf for textiles
PDF
Approach and Philosophy of On baking technology
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
PPTX
Tartificialntelligence_presentation.pptx
PPTX
Chapter 5: Probability Theory and Statistics
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
DP Operators-handbook-extract for the Mautical Institute
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
PDF
1 - Historical Antecedents, Social Consideration.pdf
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
gpt5_lecture_notes_comprehensive_20250812015547.pdf
cloud_computing_Infrastucture_as_cloud_p
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
WOOl fibre morphology and structure.pdf for textiles
Approach and Philosophy of On baking technology
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
Tartificialntelligence_presentation.pptx
Chapter 5: Probability Theory and Statistics
Group 1 Presentation -Planning and Decision Making .pptx
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Building Integrated photovoltaic BIPV_UPV.pdf
Encapsulation_ Review paper, used for researhc scholars
DP Operators-handbook-extract for the Mautical Institute
Digital-Transformation-Roadmap-for-Companies.pptx
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
1 - Historical Antecedents, Social Consideration.pdf
SOPHOS-XG Firewall Administrator PPT.pptx

OWASP TOP 10 & .NET

  • 1. OWASP TOP 10 & .NET DANIEL KRASNOKUCKI, EQUINIX & GROUPKA
  • 2. WHOAMI? / Bezpiecznik (AppSec) / DevSecOps / Programista / Trener / Wykładowca 2OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 3. WHY R U HERE? OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019 3
  • 4. TEXT USERS AND PROGRAMERS VS. SECURITY OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019 4
  • 5. A1 - INJECTIONS A2 - BROKEN AUTHENTICATION A3 - SENSITIVE DATA EXPOSURE A4 - XML EXTERNAL ENTITIES A5 - BROKEN ACCESS CONTROL A6 - SECURITY MISCONFIGURATION A7 - CROSS-SITE SCRIPTING A8 - INSECURE DESERIALISATION A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES A10 - INSUFFICIENT LOGGING & MONITORING OWASP TOP 10 WEB APPLICATION VULNERABILITIES 5OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 6. A1 - INJECTIONS A2 - BROKEN AUTHENTICATION A3 - SENSITIVE DATA EXPOSURE A4 - XML EXTERNAL ENTITIES A5 - BROKEN ACCESS CONTROL A6 - SECURITY MISCONFIGURATION A7 - CROSS-SITE SCRIPTING A8 - INSECURE DESERIALISATION A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES A10 - INSUFFICIENT LOGGING & MONITORING STARTING WITH THE OBVIOUS ONES… 6OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 7. A10 - INSUFFICIENT LOGGING & MONITORING Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring. 7OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 8. 8OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 9. LOGGING IN .NET 9OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019 Logging guidance from Microsoft https://microsoft.github.io/code-with-engineering-playbook/Engineering/DevOpsLoggingDetailsCSharp.html Where possible, always log: • Input and output validation failures e.g. protocol violations, unacceptable encodings, invalid parameter names and values • Authentication successes and failures and Authorization (access control) failures • Session management failures e.g. cookie session identification value modification • Application errors and system events • Application and related systems start-ups and shut-downs, and logging initialization (starting, stopping or pausing) • Use of higher-risk functionality • Legal and other opt-ins e.g. permissions for mobile phone capabilities, terms & conditions, PII data usage consent
  • 10. A1 - INJECTIONS A2 - BROKEN AUTHENTICATION A3 - SENSITIVE DATA EXPOSURE A4 - XML EXTERNAL ENTITIES A5 - BROKEN ACCESS CONTROL A6 - SECURITY MISCONFIGURATION A7 - CROSS-SITE SCRIPTING A8 - INSECURE DESERIALISATION A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES A10 - INSUFFICIENT LOGGING & MONITORING ANOTHER OBVIOUS ONE… 10OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 11. A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defences and enable various attacks and impacts. 11OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 12. A1 - INJECTIONS A2 - BROKEN AUTHENTICATION A3 - SENSITIVE DATA EXPOSURE A4 - XML EXTERNAL ENTITIES A5 - BROKEN ACCESS CONTROL A6 - SECURITY MISCONFIGURATION A7 - CROSS-SITE SCRIPTING A8 - INSECURE DESERIALISATION A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES A10 - INSUFFICIENT LOGGING & MONITORING 12OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 13. A8 - INSECURE DESERIALISATION Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019 {
 "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework", 
 “ObjectInstance": { 
 "$type":"System.Diagnostics.Process, System”}, 
 "MethodParameters":{ 
 "$type":"System.Collections.ArrayList, mscorlib", 
 "$values":["calc"]}, 
 "MethodName":"Start" 
 }
  • 14. ANY FLOWS IN .NET? 14OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 15. INSECURE DESERIALISATION MITIGATION ‣ Do not deserialize untrusted data! ‣ … do not deserialize untrusted data! ‣ If you really need to deserialize: ‣ Make sure to evaluate the security and of the chosen library ‣ Avoid libraries without strict Type control ‣ Never use user-controlled data to define the deserializer expected Type ‣ Do not roll your own format 15OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 16. A1 - INJECTIONS A2 - BROKEN AUTHENTICATION A3 - SENSITIVE DATA EXPOSURE A4 - XML EXTERNAL ENTITIES A5 - BROKEN ACCESS CONTROL A6 - SECURITY MISCONFIGURATION A7 - CROSS-SITE SCRIPTING A8 - INSECURE DESERIALISATION A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES A10 - INSUFFICIENT LOGGING & MONITORING 16OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 17. A7 - CROSS-SITE SCRIPTING XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. 17OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 18. IT’S MOSTLY SECURED BY DEFAULT IN .NET, BUT … 18OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019 ‣ Stop reinventing the wheel ‣ Do not be smarter than the framework ‣ If you use Razor, then use Razor. If you use something else, then use something else, but do not use your own Razor-ish, MVC-ish, .NET-ish… ‣ Validate and whitelist each input and parameter ‣ Use proper output encoding
  • 19. A1 - INJECTIONS A2 - BROKEN AUTHENTICATION A3 - SENSITIVE DATA EXPOSURE A4 - XML EXTERNAL ENTITIES A5 - BROKEN ACCESS CONTROL A6 - SECURITY MISCONFIGURATION A7 - CROSS-SITE SCRIPTING A8 - INSECURE DESERIALISATION A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES A10 - INSUFFICIENT LOGGING & MONITORING 19OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 20. A6 - SECURITY MISCONFIGURATION Security misconfiguration is the most commonly seen issue. This is a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion. 20OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 21. POSSIBLE .NET MISCONFIGURATION ‣ Missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services. ‣ Unnecessary features are enabled or installed ‣ Default accounts and their passwords still enabled and unchanged ‣ Error handling without custom errors ‣ For upgraded systems, latest security features are disabled or not configured securely ‣ The security settings in the application servers, application frameworks, libraries, databases, etc. not set to secure values. ‣ The server does not send security headers or directives or they are not set to secure values. 21OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 22. SECURITY HEADERS 22OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 23. EXAMPLE: CONTENT SECURITY POLICY 23OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 24. SECURITY CONFIGURATIONS IN .NET - COOKIES 24OWASP TOP 10 & .NET | DANIEL KRASNOKUCKI | OWASP SILESIA | 25.09.2019
  • 26. A5 - BROKEN ACCESS CONTROL Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
  • 27. IDOR (INSECURE DIRECT OBJECT REFERENCES) www.mybestandonlystore.com/orders/orderid=900
  • 28. CORS (CROSS-ORIGIN RESOURCE SHARING)
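An added example for slides 27 and 28 (not code from the deck): the orders endpoint from the IDOR slide with the ownership check that is missing in an IDOR, plus a CORS policy that names the allowed origin explicitly. The `Order`/`ShopContext` types, the claim used as owner id and the policy name are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

public class Order { public int Id { get; set; } public string OwnerId { get; set; } public decimal Total { get; set; } }
public class ShopContext : DbContext { public DbSet<Order> Orders { get; set; } }  // hypothetical EF context
[Authorize]
[ApiController, Route("orders")]
public class OrdersController : ControllerBase
{
    private readonly ShopContext _db;
    public OrdersController(ShopContext db) => _db = db;
    // GET /orders/900
    [HttpGet("{orderId:int}")]
    public IActionResult Get(int orderId)
    {
        // IDOR version:  return Ok(_db.Orders.Find(orderId));
        // [Authorize] only proves the caller is somebody; nothing ties order 900 to that caller.
        // Hardened: scope the lookup to the authenticated user. Someone else's order id gets the
        // same 404 as a non-existent id, so the response does not even reveal which ids exist.
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var order = _db.Orders.SingleOrDefault(o => o.Id == orderId && o.OwnerId == userId);
        return order == null ? NotFound() : Ok(order);
    }
}
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // CORS: an explicit origin list. Reflecting any Origin (SetIsOriginAllowed(_ => true))
        // together with AllowCredentials() would let any web site read this API as the logged-in user.
        services.AddCors(options => options.AddPolicy("Shop", policy => policy
            .WithOrigins("https://www.mybestandonlystore.com")
            .WithMethods("GET", "POST")
            .AllowCredentials()));
        services.AddControllers();
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseCors("Shop");      // must sit between UseRouting and UseEndpoints
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```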
  • 30. XXE string xml = "<?xml version=\"1.0\" ?> <!DOCTYPE doc [<!ENTITY win SYSTEM \"file:///C:/Users/user/Documents/test.txt\">] ><doc>&win;</doc>"; --------------------- string xml2 = "<?xml version=\"1.0\" ?> <!DOCTYPE doc [<!ENTITY lin SYSTEM \"/etc/passwd\">]><doc>&lin;</doc>";
  • 31. A4 - XML EXTERNAL ENTITIES Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
  • 32. .NET XML LIBRARIES (Object: safe by default?) XmlReader: not before 4.0, safe from 4.0+. XmlTextReader: not before 4.0, safe from 4.0+. XmlDocument: not before 4.6, safe from 4.6+.
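An added example (not code from the deck) that feeds the Windows payload from slide 30 to a reader configured so that no external entity can ever be resolved, regardless of the framework version in the table above; the demo file path is the slide's and need not exist.

```csharp
using System;
using System.IO;
using System.Xml;

public static class XmlSafety
{
    // The payload from slide 30, constructed here as the test input.
    public const string XxePayload =
        "<?xml version=\"1.0\" ?><!DOCTYPE doc [<!ENTITY win SYSTEM \"file:///C:/Users/user/Documents/test.txt\">]><doc>&win;</doc>";

    // Parses untrusted XML with every route to an external entity closed.
    public static string ReadSafely(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> is an error (the 4.0+ default, set explicitly)
            XmlResolver = null                      // even if a DTD were allowed, nothing would be fetched
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            // XmlDocument has its own resolver; before 4.6 it resolved entities by default.
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc.DocumentElement.InnerText;
        }
    }

    public static void Main()
    {
        try
        {
            Console.WriteLine("parsed: " + ReadSafely(XxePayload));
        }
        catch (XmlException ex)
        {
            // Expected for the payload: the DOCTYPE is rejected and test.txt is never opened.
            Console.WriteLine("rejected: " + ex.Message);
        }
        // A document without a DOCTYPE still parses normally.
        Console.WriteLine("parsed: " + ReadSafely("<doc>hello</doc>"));
    }
}
```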
  • 34. A3 - SENSITIVE DATA EXPOSURE Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
  • 35. LOOKS FAMILIAR?
  • 37. A2 - BROKEN AUTHENTICATION Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
  • 38. BROKEN AUTHENTICATION MITIGATIONS ‣ Passwords with proper length and complexity ‣ Use general messages for the user ‣ Limit login attempts ‣ Do not show the session ID to the user, e.g. http://www.przyklad.com/(S(lit2py15t221z5v65vlsd23s55))/zamowienie.aspx ‣ Secure your cookies ‣ Use MFA ‣ If you store hashed passwords, do not use your own hashing function, and add a salt
  • 39. BROKEN AUTHENTICATION - EXAMPLE SETTINGS
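Slide 39 is image-only here. As an added example (not the deck's settings), this is how the mitigations from slide 38 map onto ASP.NET Core Identity: password policy, lockout, framework-provided salted hashing, MFA token providers and a generic login failure message. The thresholds, the `AppDbContext` type and the connection string placeholder are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
public class AppDbContext : IdentityDbContext   // hypothetical Identity store
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<AppDbContext>(o => o.UseSqlServer("<connection string placeholder>"));
        services.AddIdentity<IdentityUser, IdentityRole>(options =>
        {
            // "Passwords with proper length and complexity"
            options.Password.RequiredLength = 12;
            options.Password.RequireDigit = true;
            options.Password.RequireUppercase = true;
            options.Password.RequireNonAlphanumeric = true;
            // "Limit login attempts": 5 failures lock the account for 15 minutes
            options.Lockout.AllowedForNewUsers = true;
            options.Lockout.MaxFailedAccessAttempts = 5;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
        })
        .AddEntityFrameworkStores<AppDbContext>()  // Identity stores salted PBKDF2 hashes: no home-grown hashing
        .AddDefaultTokenProviders();               // token providers used by the 2FA / MFA flows
        // Cookie flags (HttpOnly, Secure, SameSite, expiry) belong in services.ConfigureApplicationCookie(...).
        services.AddControllersWithViews();
    }
}
public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signIn;
    public AccountController(SignInManager<IdentityUser> signIn) => _signIn = signIn;
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password)
    {
        // lockoutOnFailure: true is what makes a wrong password count towards the lockout configured above
        var result = await _signIn.PasswordSignInAsync(userName, password, isPersistent: false, lockoutOnFailure: true);
        if (result.Succeeded) return RedirectToAction("Index", "Home");
        // "Use general messages": the same text whether the user is unknown, the password is wrong or the account is locked
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View();
    }
}
```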
  • 41. A1 - INJECTIONS Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
  • 42. SQL INJECTION - GENERAL CASE www.somestore.com/Products.aspx?CategoryID=1 www.somestore.com/Products.aspx?CategoryID=1 or 1=1
  • 43. SQL INJECTION - REAL EXAMPLE And a quick mitigation…
  • 44. SQL INJECTION MITIGATION ‣ Use .NET security leading practices and OWASP guidelines ‣ Parameterize your queries ‣ Validate the parameters from the user - ALWAYS! ‣ Use whitelisting of characters ‣ Check the length of the parameter ‣ The app should have the minimum required permissions in the system (not running as an admin “because it’s easier and it’s working”) ‣ You can use an ORM…
  • 45. IQUERYABLE<T> VS. IENUMERABLE<T> ‣ IEnumerable is best for querying in-memory collections such as List, Array, etc. ‣ When querying a database, IEnumerable executes a SELECT on the server side, loads the data into memory on the client side and then filters it. ‣ IEnumerable does not support custom queries. ‣ IEnumerable does not support lazy loading, so it is not suitable for paging-like scenarios. ‣ Extension methods on IEnumerable take Func delegates (functional objects). ‣ IQueryable is best for querying out-of-memory collections (such as a remote database or service). ‣ When querying a database, IQueryable executes the SELECT on the server side with all filters applied. ‣ IQueryable supports custom queries through the CreateQuery and Execute methods. ‣ IQueryable supports lazy loading, so it is suitable for paging-like scenarios. ‣ Extension methods on IQueryable take Expression objects, i.e. expression trees.
  • 46. IQUERYABLE<T> VS. IENUMERABLE<T> public IQueryable<Customer> GetCustomer(int customerId) ‣ A consumer of this query can call .Include("Orders") on the returned IQueryable<Customer> to retrieve data that the query did not intend to expose. This can be avoided by changing the return type of the method to IEnumerable<T> and calling a method (such as .ToList()) that materializes the results. ‣ Because IQueryable<T> queries are executed when the results are iterated over, a consumer of a query that exposes an IQueryable<T> type could catch exceptions that are thrown. Exceptions could contain information not intended for the consumer. Avoid returning IQueryable<T> types from methods that are exposed to potentially untrusted callers.
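One added example (not code from the deck) covering slides 42 to 46: the CategoryID lookup written the injectable way and with a typed parameter, and the GetCustomer repository method from slide 46 returning a live IQueryable beside the materialised IEnumerable version. The entity classes, the `ShopContext` and the table name are assumptions.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using Microsoft.EntityFrameworkCore;

public class Product { public int Id { get; set; } public int CategoryId { get; set; } public string Name { get; set; } }
public class Order { public int Id { get; set; } public int CustomerId { get; set; } public decimal Total { get; set; } }
public class Customer { public int Id { get; set; } public string Name { get; set; } public List<Order> Orders { get; set; } }
public class ShopContext : DbContext { public DbSet<Customer> Customers { get; set; } }  // hypothetical EF context

public class ProductRepository
{
    private readonly string _connectionString;
    public ProductRepository(string connectionString) => _connectionString = connectionString;
    // Vulnerable (slide 42): "1 or 1=1" is pasted into the SQL text and the WHERE clause stops filtering.
    public List<Product> GetByCategoryUnsafe(string categoryId) =>
        Execute("SELECT Id, CategoryId, Name FROM Products WHERE CategoryId = " + categoryId);
    // Hardened: the caller must supply an int and it travels as a bound parameter value, never as SQL.
    public List<Product> GetByCategory(int categoryId) =>
        Execute("SELECT Id, CategoryId, Name FROM Products WHERE CategoryId = @categoryId",
                new SqlParameter("@categoryId", SqlDbType.Int) { Value = categoryId });
    private List<Product> Execute(string sql, params SqlParameter[] parameters)
    {
        var products = new List<Product>();
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.AddRange(parameters);
            connection.Open();
            using (var reader = command.ExecuteReader())
                while (reader.Read())
                    products.Add(new Product { Id = reader.GetInt32(0), CategoryId = reader.GetInt32(1), Name = reader.GetString(2) });
        }
        return products;
    }
}

public class CustomerRepository
{
    private readonly ShopContext _db;
    public CustomerRepository(ShopContext db) => _db = db;
    // Slide 46: exposes the live query. A caller can append .Include("Orders") and pull data this method
    // never meant to return, and any database exception surfaces in the caller's code when it enumerates.
    public IQueryable<Customer> GetCustomerUnsafe(int customerId) => _db.Customers.Where(c => c.Id == customerId);
    // Materialised here: only the selected rows leave the repository and exceptions are raised in our code.
    public IEnumerable<Customer> GetCustomer(int customerId) => _db.Customers.Where(c => c.Id == customerId).ToList();
}
```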
  • 47. .NET CORE VALIDATION PROBLEMS ‣ Laziness (our laziness… not .NET’s) ‣ Tools first! (we do not think) ‣ Front-end-only validation ‣ Improper feedback for the user
  • 51. …?
  • 52. CONTEST QUESTION: EXPLAIN WHAT CSP IS, HOW IT WORKS AND WHERE IN .NET IT CAN BE CONFIGURED