I have been following the OWASP Top 10 for 2017 for a while and have decided to create a talk on the topic. It was interesting watching the discussion on the OWASP GitHub repo, and now that the list appears to be settled, I can publish my talk.
This talk is meant to provide an overview of the OWASP Top 10 from a .NET developer’s perspective. To support a 60-minute talk, I’m providing a large number of links to additional resources, as I know I can’t go in depth on any single topic. This blog post will serve as my Links and Further Information for the talk, so here goes:
- The OWASP Top 10 Application Security Risks for 2013
- The OWASP Top 10 Application Security Risks for 2017
- OWASP also has a cheat sheet for their top ten list.
- OWASP also has a guide specifically for .NET developers, providing good advice on securing your web applications.
- Troy Hunt has an excellent Pluralsight course covering the OWASP Top 10. His course doesn’t cover the new items for 2017 but I highly recommend watching it.
- Troy’s Pluralsight course was based on his free e-book covering the OWASP Top 10 for 2010.
- At NDC Oslo 2017, Christian Wenz looked at RC1 of the OWASP Top 10 for 2017. Note that several of these items have changed, but Christian’s talk is excellent. I particularly appreciated his look at content security policies.
- Bill Sempf has a contrarian take on the top ten list. It’s definitely worth the read.
Injection
- I have an entire talk on SQL injection.
- OWASP shows how to write SQL injection scripts which can bypass Web Application Firewalls.
- George Mauer shows how to perform CSV injection, performing arbitrary operations in Excel and Google Sheets.
Authentication and Session Management
- Max McCarty walks through credential management in .NET.
- OWASP has a couple of cheat sheets on the topic. First, they have their authentication cheat sheet. Specifically for password management, they have their forgotten password cheat sheet. Finally, they have a session management cheat sheet.
- Troy Hunt narrows down on authentication and session management.
- Jaider de Jesus Ariza Coba looks at a built-in Web Forms protection mechanism.
- Regarding the .NET Framework padding oracle attack, Acunetix has a great description of the problem. Troy Hunt explains the issue as well. And Brian Holyfield demos a tool to help you see if you’re affected. At this point, I hope you aren’t.
- OWASP also has a nice tutorial on enabling two-factor authentication with Google Authenticator if you are using the Microsoft Identity Framework. There are at least four NuGet packages which help you do this and I’m sure there are others for other services.
Sensitive Data Exposure
- Michele Preziuso contrasts PBKDF2, bcrypt, and scrypt. Note that this article came out a couple of months before Argon2.
- Aaron Toponce provides a rank order for password hashing mechanisms. He also looks deeper into Argon2i.
- Just because you’re using bcrypt doesn’t mean your hashes are uncrackable. Having a deadbolt on the front door doesn’t help much when the window’s open.
- Hynek Schlawack explains that bcrypt isn’t a good standard for new systems. That doesn’t mean you have to change your existing bcrypt setup, but if you’re developing a greenfield application, use scrypt instead. If you’re developing in 2021 or so, probably use Argon2i instead.
XML External Entity Injection
- OWASP has an XML External Entity injection cheat sheet.
- Eric F. Tameesh explains how XML External Entity injection works.
- James Jardine shows which .NET classes are secure by default and which are not.
Security Misconfiguration
- Max McCarty has a multi-part series on securing .NET applications. Check out his hardening guide as well as preventing sensitive data exposure (which also fits well in the Sensitive Data Exposure section above).
- Troy Hunt provides guidance on .NET security configuration. It’s geared toward the .NET of old, but most of it still applies today.
- The folks at PortSwigger show how to use Burp Suite to find security misconfigurations.
- Mark Nunnikhoven shows how to secure an S3 bucket.
- On the other side of things, Rapid7 reported a large number of publicly available buckets back in 2013. And there are tools to help you find open buckets.
Broken Access Control
- This is a good place to link the Google Hacking Database, which shows you how to craft Google queries to find websites which follow certain practices, such as poorly-thought-out querystring parameters, exposed pages that shouldn’t be, etc.
- OWASP has a set of guidance around access controls.
- OWASP also has an access control cheat sheet.
- NIST has a new set of guidelines around digital identity, including some sensible guidelines around passwords.
Cross-Site Scripting
- I’m really liking Content Security Policies. I think they’re a great additional layer of defense against cross-site scripting and several other web problems.
- Max McCarty shows how to protect against cross-site scripting.
- The AntiXSS NuGet package is end-of-life and is meant for old .NET Framework versions. That’s because Microsoft has put this into System.Web.Security.AntiXss. OWASP has more information on the library.
- Bill Morefield shares his guidance on preventing cross-site scripting attacks.
Insecure Deserialization
- Stephen Breen has a fantastic overview of the Java deserialization problem.
- Benedikt Ritter argues that the deserialization problem is not due to a particular library, but rather in how people misused the library; using a different library wouldn’t help if you follow the same destructive patterns.
- OWASP has a deserialization cheat sheet, focused mostly around Java.
- Catalin Cimpanu points out that .NET has the same deserialization problem that has plagued Java.
- In 2012, James Forshaw pointed out at Black Hat how to use .NET serialization in an attack.
- In 2017, Alvaro Munoz and Oleksandr Mirosh, once more at Black Hat, walked through JSON and XML deserialization problems in .NET and Java.
Using Components with Known Vulnerabilities
- As a bit of flavor, here’s a story of iPhone-based malware.
- Jordan Wright has a post looking for malicious npm packages.
- To keep abreast of software exploits, Exploit DB and NIST’s National Vulnerability Database are good starting points.
- OWASP has a dependency checker for Java and .NET code which looks for vulnerable libraries.
Insufficient Logging and Monitoring
- OWASP has a cheat sheet for logging and monitoring.
(Bonus) Cross-Site Request Forgery
- OWASP explains Cross-Site Request Forgery. They also have a cheat sheet for protecting yourself against CSRF.
- Microsoft has documentation on using the anti-forgery token built into MVC.
- James Jardine with SANS shows how to protect Web Forms applications from CSRF.