• Microsoft Regional Director & MVP • https://www.youtube.com/user/troyhuntdotcom • Scott Helme (https://scotthelme.co.uk) • Security researcher & international speaker • PluralSight.com • Google / Bing
being “unhackable” it’s about making it so difficult it’s not worth their time. Layers of security, like an onion, make them want to cry trying to get in and go somewhere else instead • Don’t think in terms of “how do I prevent” and instead “how do I mitigate” • You’re not a security expert but want to write safer code
want to serve any contents on the same domain as http • Can only be set during a secure request • Trust on first user (TOFU) – Make one insecure request to get HSTS header then all future requests are always sent over secure https • Strict-Transport-Security: max-age:31536000; includeSubdomains; preload
Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request • https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF)
The end user is tricked into clicking an email link, clicking an invisible frame or by visiting a site with malicious scripts while logged into the target site. Ways to mitigate • Do not allow Cross-Origin Resource Sharing (CORS) • http header X-Frame-Options - DENY, SAMEORIGIN, ALLOW-FROM. Not all browser version honor all three of these. • http header Content-Security-Policy: frame-ancestors none, self, self (list of sites). Not all browser versions honor all three of these and X-Frame-Options will be ignored if CSP is defined. • Anti-forgery tokens. Microsoft helps out with this if you’re using MVC and scaffolding in the razor file.
Where can your site pull resources for • Takes some work to get the header correct, but worth the effort once done • Keywords (None, Self, *) - There are more keywords • Hosts (ability to specify source of content) – https://someExternalSite.com
so that our site can only pull content from itself • script-src ‘self’ https://www.google.com https://www.google- analytics.com • Frame-ancestors ‘self’
Don’t have any sort of client-side regex or validation indicating the user name entered is not in a correct format. Whatever the user enters should always be sent to the server. • Only one error message for failed authentication, doesn’t matter if the username was not found or the password was incorrect. Any difference between error messages indicate some sort of success. • Never send credentials to client-side for validation.
id, account numbers etc. All information coming from client should be considered suspect. Most developers don’t like session state but it’s better to keep certain information server side. • Always perform all steps in authentication even if username doesn’t exist. The more complex your authentication steps are the more important this step becomes. (Timing attacks)
sent to the user • Server, X-AspNet-Version, X-AspNetMvc-Version, X-Powered-By • X-Frame-Options (Not supported by all browsers/versions) – Deny/SameOrigin/Allow-From • Cache-Control, “No-Cache, No-Store, Must-Revalidate” • Pragma, No-Cache (Older version of Cache-Control)
exposes too much system information and should never be shown to end users • Easy to hide - <customErrors mode=“{On}{Off}{RemoteOnly}”/> • Http Errors are just as bad if not properly handled. Fix these at the IIS level
can get away with. The Open Web Application Security Project (OWASP) suggest minimum length of 10 allowing special characters and suggest encouraging passphrases. • Password complexity, make password case sensitive, allow special characters (,./;:?-+[]\| *), require a mix of upper and lower case characters ([A-Z][a-z]) and require numbers ([0-9]). Don’t allow know words (baseball) or variations of them (b@seb@ll) and don’t allow repeating characters (111).
stored using a one-way transform; passwords should never be reversible! • Transforming passwords should include latest hash algorithm, a salt and a “work factor”. • Packages such as bcrypt and PBKDF2 are available and make it almost “plug and play”.
cookies HttpOnly (<httpCookies httpOnlyCookies="true" /> in .NET). This helps mitigate client-side code from accessing cookies. • Mark cookies secure, means cookie is only sent over https. Anything not sent over https can be stolen. <httpCookies requireSSL=“true”/> • Encrypt all cookies (System.Web.Security.FormsAuthentication.Encrypt)
“injection” or a SQL query via the input data from the client to the application. How the attack can occur: Developers create dynamic SQL based on user input or output un-encoded user input. Ways to mitigate • Use prepared statements – Parameterized queries • Use stored procedures • Whitelist user input • Encoding of output data
or a SQL query via the input data from the client to the application. How the attack can occur: Developers create dynamic SQL based on user input or output un-encoded user input. Ways to mitigate • Encoding output is the most effective way to mitigate • Use prepared statements – Parameterized queries • Use stored procedures • Whitelist user input
know about the risks. • Potential sensitive information in the logs if you’re query strings contains information. • Hard drive space, logs can become very large.
hamadakoji
manarobot
kzkmaeda
yuhta28
ham0215
takakiyo
tetsuyaooooo
ohbarye
riyaamemiya
doradora09
pauli
brettharned
erikaheidi
kastner
scottboms
keithpitt
kneath
sferik
tammielis
aki_iinuma
trishagee
philhawksworth
trallard
