Top 5 Web Application Security bugs in custom code
Varun Sharma, Security Engineer | ACE Team | Microsoft Information Security, [email protected]
Top 5 Web App Security bugs
Relative percentage of the Top 5 Web Application Security vulnerabilities found by Microsoft ACE Team since 1st Jan 08
Agenda
- Cross-Site Scripting
- Clear Text Secrets
- Authorization Issues
  - Disabling controls in the web site to enforce authorization
  - Direct object reference
  - Missing authorization controls in web services
- SQL Injection
- Verbose error messages
Cross-Site Scripting
User-controlled input is rendered back to the browser without sufficient input validation or output encoding.
Leads to execution of script controlled by the attacker in the context of the victim's browser session with the site.
Cross-Site Scripting
Common buggy code: some ASP.NET controls encode their output and some do not.
Cross-Site Scripting
User input going into an HTML attribute context
User input going into a JavaScript context
Cross-Site Scripting
Countermeasures
- Validate all input and encode all output
- Perform context-specific encoding
- Use the AntiXss Library
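Context-specific encoding in an ASP.NET code-behind, as an added example (not code from the original slides). It assumes the AntiXss 3.x static `AntiXss` class (later versions expose the same methods on `Encoder`) and three controls declared in the page markup as noted in the comments.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;   // AntiXss library (assumed version 3.x)

public partial class Profile : Page
{
    // Assumed to be declared in Profile.aspx:
    //   <asp:Literal   ID="litGreeting" runat="server" />
    //   <asp:Literal   ID="litLink"     runat="server" />
    //   <asp:HyperLink ID="lnkSearch"   runat="server" Text="Search again" />

    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input. The fallback is a constructed sample containing a quote and a tag
        // so the page can be exercised without a query string.
        string name = Request.QueryString["name"] ?? "O'Brien <b>";

        // HTML body context. Literal (unlike TextBox) writes its Text verbatim,
        // so the encoding has to happen here.
        litGreeting.Text = "Hello, " + AntiXss.HtmlEncode(name);

        // HTML attribute context. Attribute encoding also neutralises the quote
        // characters that would otherwise close the attribute, which body encoding
        // alone does not guarantee.
        litLink.Text = "<a href=\"/Profile.aspx\" title=\""
                     + AntiXss.HtmlAttributeEncode(name) + "\">profile</a>";

        // JavaScript context. JavaScriptEncode returns a quoted JavaScript string
        // literal with \xHH escapes, so the value cannot end the literal or the
        // enclosing <script> element.
        string script = "var userName = " + AntiXss.JavaScriptEncode(name) + ";";
        ClientScript.RegisterStartupScript(GetType(), "userName", script, true);

        // URL context. Data placed in a query string needs URL encoding, not HTML
        // encoding; the HyperLink control renders the result as the href attribute.
        lnkSearch.NavigateUrl = "~/Search.aspx?q=" + AntiXss.UrlEncode(name);
    }
}
```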
Clear Text Secrets
- The application may need to store credentials to connect to SQL Server, SMTP Server, etc.
- May need to store symmetric keys to perform encryption of application data
- May be storing user passwords or other secret information in the database
Clear Text Secrets
Countermeasures
- Do not store secrets (passwords/keys) in code
- Use the aspnet_regiis tool to encrypt configuration settings
- For application-specific data, consider using SQL Server 2005/2008 Native Encryption
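Added example (not from the slides) of the programmatic equivalent of `aspnet_regiis -pe connectionStrings`, using the System.Configuration protected-configuration API, together with the reading code that stays secret-free afterwards; the application path and section name are assumptions.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtection
{
    // What the slides warn against: a secret in source code ends up in version control,
    // build output and every copy of the assembly.
    //   const string Conn = "Server=db;User Id=app;Password=<placeholder>";   // do not do this

    // Encrypts the <connectionStrings> section of the application's web.config in place.
    // This does what "aspnet_regiis -pe connectionStrings -app <appPath>" does from the
    // command line. Run it once at deployment under the application pool identity: the
    // DPAPI provider is machine- and identity-bound, so the same identity must decrypt it.
    // (For a web farm the RSA provider, whose key can be exported, is the usual choice.)
    public static void ProtectConnectionStrings(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("No <connectionStrings> section in " + appPath);

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save(ConfigurationSaveMode.Modified);   // needs write access to web.config
        }
    }

    // Reading code is unchanged: ASP.NET decrypts the section transparently at load time,
    // so neither the connection string nor any key appears in source.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException("Connection string '" + name + "' is not configured.");
        return settings.ConnectionString;
    }
}
```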
Authorization Issues: Disabling controls in the web site to enforce authorization (normal execution)
Authorization Issues: Disabling controls in the web site to enforce authorization (what the attacker does)
Authorization Issues
Disabling HTML text boxes and buttons is only a visual indication, not a security control.
Explicit authorization checks need to be performed on the server side.
Authorization Issues: Direct Object Reference (what the attacker does)
Authorization Issues: Direct Object Reference
A unique identifier is used to retrieve and update the data for an object. This identifier is an incrementing integer (or otherwise easily available), and no explicit authorization check is performed to ensure the current user has access to the object.
Authorization Issues: Missing authorization in web services in multi-tier applications
Web Server (Website) -> Web Server (Web service) -> SQL Server (Database)
Authorization Issues: Countermeasures
- Perform server-side authorization
- Use a platform-provided authorization mechanism
  - URL authorization
  - Declarative and imperative checks
- Implement authorization controls in middle tiers
SQL Injection
User input without sufficient validation is used to create and execute a dynamic SQL statement.
The user can manipulate the SQL statement that gets executed.
SQL Injection: Countermeasures
- Validate all input
- Use parameterized SQL statements (in stored procedures as well, using sp_executesql)
- Configure SQL Server with least privilege for defense in depth
Verbose Error Messages
Detailed error messages reveal the inner workings of an application and make an attacker's job easier.
Verbose Error Messages: Common Buggy Code
Missing exception handling in ASMX web services
References
- AntiXss Library: http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819-53ff-4f82-bfaf-e11625130c25&displaylang=en
- ASP.NET IIS Registration Tool (Aspnet_regiis): http://msdn.microsoft.com/en-us/library/k6h9cz8h(VS.80).aspx
- ASP.NET Authorization: http://msdn.microsoft.com/en-us/library/wce3kxhd(VS.80).aspx
- Using sp_executesql: http://msdn.microsoft.com/en-us/library/ms175170.aspx
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.