Wednesday, 30 January 2013

OWASP Top Ten (Top of the Pops style)

This is one in a series of videos and blog posts that explore the top 10 most critical web application security risks as defined by OWASP.
Unlike my other posts, where I explore a specific threat or how to mitigate it, this is a tongue-in-cheek run down of the OWASP Top Ten risks and their mitigations in the style of the classic 1970s show, Top of the Pops.

You can read the transcript below.




Hello folks and welcome to the OWASP Top 10 for 2010, with me, your host, Philip Stirpe.

So here is the run down of OWASP’s web security top ten.

Brought to you in the style of the classic 1970s show, Top of the Pops.

Kicking off with a new entry at number ten, it's

"Unvalidated Redirects and Forwards"

The risk?
Unvalidated redirects let a site act as a launch point for an attack: a link to the trusted site quietly sends the victim on to a malicious destination (phishing, malware), and an unvalidated forward can land an attacker on a page they are not authorised to see.

The fix?
  • Redirect paths passed in the URL should be validated against a whitelist of allowable values
  • Better still, pass an identifier that maps to an allowable URL stored in a database, rather than the path itself
  • Check the referrer to ensure external sites aren't abusing the redirect function (a secondary check only; the Referer header is often absent and trivially spoofed by a non-browser client)
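
To make the whitelist and identifier approaches concrete, here is an added example in Python (my own illustration, not code from the video and not ASP.NET's own redirect handling; the allowed paths, the id table and the parameter names are constructed for the example). It rejects absolute URLs, `javascript:` values, the protocol-relative `//host` form, the `/\host` variant browsers treat the same way, and URL-encoded versions of each, and then only accepts a path that is actually on the list:

```python
from urllib.parse import urlsplit, unquote

# Constructed whitelist of local paths this hypothetical site may redirect to.
ALLOWED_PATHS = {"/", "/account", "/account/orders", "/help"}

# Constructed identifier table: the URL carries ?returnId=2, never the path.
# In the ASP.NET setting of the post this table would live in the database.
REDIRECT_IDS = {"1": "/account", "2": "/account/orders", "3": "/help"}


def is_safe_redirect(target):
    """True only if target is a local path on the whitelist."""
    if not target:
        return False
    candidate = unquote(target)          # undo %2F%2F and friends before inspecting
    if "\\" in candidate:                # browsers normalise \ to /, so /\evil is //evil
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:     # http://host, //host and javascript: all fail here
        return False
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    return parts.path in ALLOWED_PATHS   # query string and fragment are allowed, path must match exactly


def redirect_target_from_id(return_id, default="/"):
    """Resolve an opaque identifier to a URL; anything unknown falls back to default."""
    return REDIRECT_IDS.get(return_id, default)
```

Because the whitelist match is on the exact path, traversal tricks such as `/account/../admin` fail without any special handling.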

We have a non-mover at 9, it's a remix of the classic "Insecure Communications" titled

"Insufficient Transport Layer Protection"

The risk?
Theft of data and of user accounts, administrative accounts included
The fix?
  • Always load logon forms over HTTPS and mark authentication cookies Secure so they are only ever sent over HTTPS
  • Don't mix HTTP content into an HTTPS page
  • Add the HSTS (Strict-Transport-Security) response header to sites which should be HTTPS only

Up 2 places to number 8, it's

"Failure to Restrict URL Access"

The risk?

An authenticated attacker simply changes the URL to a privileged page and is granted access to functionality they are not authorised for
The fix?
  • Leverage the ASP.NET role provider to implement a consistent role-based approach to permissions
  • For web forms, use location permissions in the web.config to define access rights for roles to paths
  • For MVC, use the Authorize attribute to define access rights for roles to controllers and actions
  • In IIS 7 and newer, use the integrated pipeline so that static resources are secured the same way as dynamic resources (in classic mode IIS serves static files without ever consulting ASP.NET's authorisation)
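
The ASP.NET pieces above (role provider, web.config location elements, the Authorize attribute) all enforce one rule: map paths to roles, deny anything with no rule, and apply it to static files as well as pages. As an added example, not from the page and not ASP.NET's own implementation, here is that rule in Python with a constructed rule table and a hypothetical `authorize` function:

```python
import posixpath

# Constructed rules, most specific first. None means anonymous access is allowed.
# The same table governs /admin/report.pdf and /admin/users: static files are not exempt.
ACCESS_RULES = [
    ("/admin", {"Administrator"}),
    ("/reports", {"Administrator", "Manager"}),
    ("/account", {"User", "Manager", "Administrator"}),
    ("/help", None),
    ("/login", None),
    ("/", None),
]


def normalise_path(path):
    """Collapse ./ and ../ segments and fold case, so /Account/../Admin/ is seen as /admin."""
    path = posixpath.normpath("/" + path.lstrip("/"))   # keeps traversal inside the root
    return path.lower()


def _matches(path, prefix):
    if prefix == "/":
        return path == "/"                  # the root rule covers only the root itself
    return path == prefix or path.startswith(prefix + "/")


def authorize(path, user_roles):
    """Deny by default: allowed only if a rule matches and the user holds one of
    its roles (or the rule is public). No rule means no access."""
    path = normalise_path(path)
    roles_held = set(user_roles)
    for prefix, allowed in ACCESS_RULES:
        if _matches(path, prefix):
            return True if allowed is None else bool(allowed & roles_held)
    return False
```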

Up 1 place to number 7, it's

"Insecure Cryptographic Storage"

The risk?
Failure to protect sensitive data with encryption, or to protect the encryption keys themselves, can damage reputation and perhaps invite prosecution if the data is compromised

The fix?
  • Never store passwords as unsalted hashes
  • Always use a cryptographically random salt, unique per password
  • Never store passwords as a single round of salted hashing; use an iterated, deliberately slow scheme such as PBKDF2 (Rfc2898DeriveBytes in .NET)
  • Use DPAPI for easy symmetric encryption of data at rest, leaving key management to Windows
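
The three password rules together, as an added example in Python (my own illustration, not code from the video; the iteration count and record format are constructed for the example). A fresh random salt per password means two users with the same password get different records, and the iteration count makes every guess cost the attacker as much as it costs you:

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000   # constructed value; raise it as hardware gets faster
SALT_BYTES = 16


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest.

    Storing the salt and iteration count beside the digest lets the count be
    raised later without invalidating existing records."""
    salt = os.urandom(SALT_BYTES)                       # CSPRNG, unique per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(digest))


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password):
    """What NOT to do: identical passwords give identical hashes, so one crack
    (or one rainbow-table lookup) reveals every account using that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```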

We have a non-mover at 6, it's the tidied-up re-recording of "Information Leakage and Improper Error Handling" entitled

"Security Misconfiguration"

The risk?
Attackers use default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorised access to, or knowledge of, the system
The fix?
  • Keep anything that exposes internal logs, such as ELMAH, tightly secured
  • Turn custom errors on and ensure there is a default redirect page, to avoid public YSODs (yellow screens of death) leaking stack traces and configuration
  • Use NuGet to keep third party libraries and packages up to date
  • Encrypt sensitive sections of the web.config, such as connectionStrings, using aspnet_regiis

Another non-mover at number 5, it's

"Cross Site Request Forgery"

The risk?
Attacker creates forged HTTP requests and tricks a logged-in victim's browser into submitting them, performing any function the victim is authorised to use

The fix?
  • Anti-forgery tokens are the predominant defence against CSRF
  • In ASP.NET MVC, emit the token in every form with the Html.AntiForgeryToken() helper and decorate state-changing controller actions with [ValidateAntiForgeryToken]
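
What those two helpers do, as an added example in Python (my own illustration of the synchronizer-token pattern, not the MVC framework's own implementation, which pairs a cookie with the form field; the session dictionary and the `transfer_funds` action are constructed). The point of the defence is visible in `transfer_funds`: an attacker's page can make the victim's browser send the POST, but it cannot read the token out of the victim's session, so the forged request lacks it:

```python
import hmac
import secrets

FIELD_NAME = "__RequestVerificationToken"   # the field name the MVC helper uses


def issue_csrf_token(session):
    """Return the session's anti-forgery token, creating it on first use."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def anti_forgery_field(session):
    """The hidden input Html.AntiForgeryToken() emits into a form."""
    return '<input type="hidden" name="%s" value="%s" />' % (FIELD_NAME, issue_csrf_token(session))


def validate_csrf(session, form):
    """The check [ValidateAntiForgeryToken] performs before the action runs."""
    expected = session.get("csrf_token")
    supplied = form.get(FIELD_NAME)
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)   # constant-time compare


def transfer_funds(session, form):
    """A state-changing POST action: refuse unless the token matches."""
    if not validate_csrf(session, form):
        return 403, "anti-forgery token missing or invalid"
    return 200, "transferred %s to %s" % (form["amount"], form["to"])
```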

Another non-mover at number 4, it's

"Insecure Direct Object References"

The risk?
An attacker who is an authorised user simply changes a parameter value that directly refers to a system object (a database key, a file name) the user isn't authorised for

The fix?
  • Always check that the user is authorised for the specific object requested; never rely on the URL alone being "secure"
  • Use an indirect reference map stored in the session to abstract internal keys from the identifiers the page sees
  • Undiscoverable keys (not natural and not in a sequence) such as GUIDs may be used for further obfuscation, but only as defence in depth, never in place of the access check
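
The flaw and the indirect reference map side by side, as an added example in Python (my own illustration, not code from the video; the invoice table, the session dictionary and the function names are constructed). Note that `get_invoice` still checks ownership after resolving the opaque id: the map limits what a user can even name, the check is the real access control.

```python
import secrets

# Constructed data store; the integer keys are the internal "direct" references.
INVOICES = {
    1001: {"owner": "alice", "total": 250},
    1002: {"owner": "bob", "total": 99},
}


def get_invoice_vulnerable(invoice_id):
    """The flaw: whoever edits ?id=1001 to ?id=1002 gets bob's invoice."""
    return INVOICES.get(invoice_id)


def build_reference_map(session, username):
    """Store in the session a random, per-session id for each object this user
    may see. The page only ever sees these ids, never the database key."""
    ref_map = {}
    for key, invoice in INVOICES.items():
        if invoice["owner"] == username:
            ref_map[secrets.token_urlsafe(9)] = key
    session["ref_map"] = ref_map
    return ref_map


def get_invoice(session, username, ref):
    """Resolve the opaque id through the session, then still check ownership."""
    key = session.get("ref_map", {}).get(ref)
    if key is None:
        return None
    invoice = INVOICES.get(key)
    if invoice is None or invoice["owner"] != username:
        return None
    return invoice
```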

Up 4 places to number 3, it's

"Broken Authentication and Session Management"

The risk?
Attacker uses flaws in authentication or session management to impersonate users
The fix?
  • Always carry the session identifier in a cookie, never in the URL
  • Leverage the native authentication management features built into the ASP.NET membership provider
  • Reduce session timeouts to the minimum practical level
  • If feasible, disable sliding expiration, so that activity cannot keep a session (or a stolen session) alive indefinitely
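
An added example in Python that ties this entry to the transport layer advice at number 9 (my own illustration, not code from the video and not the ASP.NET membership provider; the cookie name, the timeout value and the `SessionStore` class are constructed). The session id is random and only ever read from the cookie, the cookie is issued Secure and HttpOnly alongside the HSTS header, and with `sliding=False` the session dies at the absolute timeout no matter how active its holder is:

```python
import secrets

ABSOLUTE_TIMEOUT_SECONDS = 20 * 60   # constructed value; pick the minimum practical for your app
SESSION_COOKIE = "SESSIONID"         # hypothetical cookie name

# HSTS for an HTTPS-only site: the browser refuses plain HTTP to it for a year.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


class SessionStore:
    """Server-side sessions keyed by a random id, with an absolute timeout.

    sliding=False (the default here) means activity does not extend the
    session, so a stolen id is worthless once the timeout passes."""

    def __init__(self, timeout=ABSOLUTE_TIMEOUT_SECONDS, sliding=False):
        self.timeout = timeout
        self.sliding = sliding
        self._sessions = {}

    def create(self, username, now):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unrelated to the user
        self._sessions[sid] = {"user": username, "expires": now + self.timeout}
        return sid

    def user_for(self, sid, now):
        """Return the logged-in user for sid, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._sessions[sid]
            return None
        if self.sliding:
            entry["expires"] = now + self.timeout
        return entry["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def login_response_headers(sid):
    """Headers on the response that issues the session cookie.

    Secure: only ever sent over HTTPS, so it cannot leak over plain HTTP.
    HttpOnly: script in the page cannot read it, limiting the damage from XSS."""
    cookie = "%s=%s; Path=/; Secure; HttpOnly" % (SESSION_COOKIE, sid)
    return [("Set-Cookie", cookie), HSTS_HEADER]


def session_id_from_request(cookies, query):
    """Accept the id from the cookie jar only; ?SESSIONID=... in the query string
    is ignored, so a copied, logged or leaked link carries no session."""
    return cookies.get(SESSION_COOKIE)
```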

Down 1 place and knocked off the top spot, it's

"Cross Site Scripting"

The risk?

Attacker sends text-based attacks that exploit the interpreter in the browser to hijack user sessions, deface websites, insert hostile content and redirect users etc.
The fix?
  • Always validate all untrusted data against a whitelist of allowable values
  • Always output encode all untrusted data
  • Use the AntiXSS encoder built into .NET 4.5 (System.Web.Security.AntiXss)
  • Use the HTML helpers built into ASP.NET MVC, which encode output by default
  • Ensure you output encode for the correct context (HTML, HTML attribute, JavaScript, CSS, URL, etc.)
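
Encoding for the correct context, as an added example in Python (my own illustration, not code from the video and not the AntiXSS library; `render_profile` and the three encoders are constructed for the example). The same untrusted value lands in HTML text, in a URL inside an attribute, and inside a JavaScript string, and each placement gets its own encoder; HTML-encoding alone would leave `O'Reilly` as `O&#x27;Reilly` in the script, and would do nothing useful in the URL:

```python
import html
from urllib.parse import quote


def encode_html(value):
    """HTML body text and quoted attribute values: < > & " ' become entities."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """Inside a JavaScript string literal: everything except ASCII letters and
    digits becomes \\xHH or \\uHHHH, so quotes, </script> and newlines cannot
    end the string or the script block."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif code < 0x100:
            out.append("\\x%02x" % code)
        elif code <= 0xFFFF:
            out.append("\\u%04x" % code)
        else:                              # astral plane: emit a surrogate pair
            hi, lo = divmod(code - 0x10000, 0x400)
            out.append("\\u%04x\\u%04x" % (0xD800 + hi, 0xDC00 + lo))
    return "".join(out)


def encode_url_component(value):
    """Inside a URL query value: percent-encode everything that is not unreserved."""
    return quote(value, safe="")


def render_profile(display_name):
    """The same untrusted value in three contexts, each with that context's encoder.
    The URL value is URL-encoded first and then HTML-encoded because it sits
    inside an HTML attribute (the second step is a no-op on %XX output)."""
    return (
        "<h1>%s</h1>\n" % encode_html(display_name)
        + '<a href="/search?q=%s">search</a>\n' % encode_html(encode_url_component(display_name))
        + '<script>var displayName = "%s";</script>' % encode_js_string(display_name)
    )
```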

Up 1 place and this year's new number 1, it's

"Injection"

The risk?
Attacker sends text-based attacks that exploit the syntax of the targeted interpreter (SQL, LDAP, OS commands, etc.), resulting in data loss, corruption or disclosure

The fix?
  • Always validate all untrusted data against a whitelist of allowable values
  • Implement parameterisation by applying:
    • Stored procedures (safe only if the procedure itself doesn't build dynamic SQL from its arguments)
    • Object Relational Mappers (ORMs)
    • Parameterised queries
  • Apply the principle of least privilege by locking down the SQL user account the web app connects with
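
The concatenated query beside its parameterised form, as an added example in Python with an in-memory SQLite database (my own illustration, not code from the video; the table, the rows and the function names are constructed). It also shows where the whitelist rule earns its keep: a column name in ORDER BY cannot be a parameter, so it is checked against a fixed set instead:

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash1", 1), ("bob", "hash2", 0)])
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """String concatenation: the input becomes part of the SQL syntax."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn, username):
    """Parameterised query: the driver passes the value separately, so it can
    only ever be compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


SORTABLE_COLUMNS = {"username", "is_admin"}   # whitelist for identifiers


def list_users_sorted(conn, column):
    """Identifiers cannot be parameters, so validate them against a whitelist."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    return [row[0] for row in conn.execute("SELECT username FROM users ORDER BY %s" % column)]
```

The classic `x' OR '1'='1` turns the concatenated query into `WHERE username = 'x' OR '1'='1'` and returns every row; the parameterised query compares the whole string literally and returns nothing.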

So there you have it, the run down of the OWASP 2010 Top Ten with me, Phil Stirpe.

Thanks for watching.

And as Sgt. Phil Esterhaus used to say, "Let's be careful out there!"




See you soon

Phil Stirpé
"I don't do average!"
