I have been following the OWASP Top 10 for 2017 for a while and have decided to create a talk on the topic. It was interesting watching the discussion on the OWASP GitHub repo, and now that the list appears to be settled, I can publish my talk.
This talk is meant to provide an overview of the OWASP Top 10 from a .NET developer’s perspective. To support a 60-minute talk, I’m providing a large number of links to additional resources, as I know I can’t go in depth on any single topic. This blog post will serve as my Links and Further Information for the talk, so here goes:
- The OWASP Top 10 Application Security Risks for 2013
- The OWASP Top 10 Application Security Risks for 2017
- OWASP also has a cheat sheet for their top ten list.
- OWASP also has a guide specifically for .NET developers, providing good advice on securing your web applications.
- Troy Hunt has an excellent Pluralsight course covering the OWASP Top 10. His course doesn’t cover the new items for 2017 but I highly recommend watching it.
- Troy’s Pluralsight course was based on his free e-book covering the OWASP Top 10 for 2010.
- At NDC Oslo 2017, Christian Wenz looked at RC1 of the OWASP Top 10 for 2017. Note that several of these items have changed, but Christian’s talk is excellent. I particularly appreciated his look at content security policies.
- Bill Sempf has a contrarian take on the top ten list. It’s definitely worth the read.
Injection
- I have an entire talk on SQL injection.
- OWASP shows how to write SQL injection scripts which can bypass Web Application Firewalls.
- George Mauer shows how to perform CSV injection, performing arbitrary operations in Excel and Google Sheets.
Authentication and Session Management
- Max McCarty walks through credential management in .NET.
- OWASP has a couple of cheat sheets on the topic. First, they have their authentication cheat sheet. Specifically for password management, they have their forgotten password cheat sheet. Finally, they have a session management cheat sheet.
- Troy Hunt narrows down on authentication and session management.
- Jaider de Jesus Ariza Coba looks at a built-in Web Forms protection mechanism.
- Regarding the .NET Framework padding oracle attack, Acunetix has a great description of the problem. Troy Hunt explains the issue as well. And Brian Holyfield demos a tool to help you see if you’re affected; at this point, I hope you aren’t.
Sensitive Data Exposure
- Mark Nunnikhoven shows how to secure an S3 bucket.
- On the other side of things, Rapid7 reported a large number of publicly available buckets back in 2013. And there are tools to help you find open buckets.
- Michele Preziuso contrasts PBKDF2, bcrypt, and scrypt. Note that this article came out a couple of months before Argon2.
- Aaron Toponce provides a rank order for password hashing mechanisms. He also looks deeper into Argon2i.
- Just because you’re using bcrypt doesn’t mean your hashes are uncrackable. Having a deadbolt on the front door doesn’t help much when the window’s open.
- Hynek Schlawack explains that bcrypt isn’t a good standard for new systems. That doesn’t mean you have to change your existing bcrypt setup, but if you’re developing a new greenfield application in 2017 or 2018, use scrypt instead. If you’re developing in 2020, probably use Argon2i instead.
XML External Entity Injection
- OWASP has an XML External Entity injection cheat sheet.
- Eric F. Tameesh explains how XML External Entity injection works.
- James Jardine shows which .NET classes are secure by default and which are not.
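Because which .NET XML classes are safe depends on the framework version and on how they are configured, the following added example (my own code, not from this post or from James Jardine’s article) shows the explicit hardening that removes the guesswork: reject DTDs outright and set `XmlResolver` to null so nothing external is ever fetched. The two XML strings are constructed for the demo.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example: hardened XML parsing in .NET. Not code from the original post.
public static class SafeXml
{
    // Reader settings that refuse any DTD and never resolve external resources.
    // With these, an external entity cannot be declared, let alone expanded.
    public static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> raises XmlException
            XmlResolver = null                      // no fetching of external URIs or files
        };
    }

    // Parse untrusted XML with the hardened settings and return the root element name.
    public static string ReadRootName(string untrustedXml)
    {
        using (var sr = new StringReader(untrustedXml))
        using (var reader = XmlReader.Create(sr, HardenedSettings()))
        {
            reader.MoveToContent();
            return reader.LocalName;
        }
    }

    // XmlDocument is loaded through the hardened reader rather than from a string,
    // so the result does not depend on the framework version's default resolver.
    public static XmlDocument LoadDocument(string untrustedXml)
    {
        var doc = new XmlDocument { XmlResolver = null };
        using (var sr = new StringReader(untrustedXml))
        using (var reader = XmlReader.Create(sr, HardenedSettings()))
        {
            doc.Load(reader);
        }
        return doc;
    }

    public static void Main()
    {
        // Constructed inputs: a plain document, and one that declares an entity in a DTD.
        const string plain = "<order><id>42</id></order>";
        const string withDtd = "<!DOCTYPE order [<!ENTITY e \"expanded\">]><order>&e;</order>";

        Console.WriteLine("Root element: " + ReadRootName(plain));
        try
        {
            ReadRootName(withDtd);
            Console.WriteLine("Unexpected: DTD was accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("Rejected as intended: " + ex.Message);
        }
    }
}
```

The second input is rejected before any entity is expanded, which is the behaviour you want for every parser that touches data from outside the trust boundary. Applying the same `XmlReaderSettings` to `XmlDocument`, `XmlSerializer` and `XPathDocument` loads keeps the policy in one place instead of relying on each class’s defaults.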
Security Misconfiguration
- Max McCarty has a multi-part series on securing .NET applications. Check out his hardening guide as well as preventing sensitive data exposure (which also fits well in the Sensitive Data Exposure section above).
- Troy Hunt provides guidance on .NET security configuration. It’s geared toward the .NET of old, but most of it still applies today.
- The folks at PortSwigger show how to use Burp Suite to find security misconfigurations.
Broken Access Control
- This is a good place to link the Google Hacking Database, which shows you how to craft Google queries to find websites which follow certain practices, such as poorly-thought-out querystring parameters, exposed pages that shouldn’t be, etc.
- OWASP has a set of guidance around access controls.
- OWASP also has an access control cheat sheet.
- NIST has a new set of guidelines around digital identity, including some sensible guidelines around passwords.
Cross-Site Scripting
- I’m really liking Content Security Policies. I think they’re a great additional layer of defense against cross-site scripting and several other web problems.
- Max McCarty shows how to protect against cross-site scripting.
- The AntiXSS NuGet package is end-of-life and is meant for old .NET Framework versions. That’s because Microsoft has put this into System.Web.Security.AntiXss. OWASP has more information on the library.
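As an added example (my own code, not from the original post or from the OWASP page), here is how the `System.Web.Security.AntiXss` encoder mentioned above is used in practice: each untrusted value is encoded for the specific output context it lands in, because HTML body, attribute and URL contexts each have different dangerous characters. The input values are constructed for the demo.

```csharp
using System;
using System.Web.Security.AntiXss;

// Added example (not from the original post): contextual output encoding with the
// encoder that ships in System.Web.dll (.NET Framework 4.5 and later).
public static class ProfileRenderer
{
    // Builds a small HTML fragment from user-controlled values. Each value is
    // encoded for its own context rather than with one generic encoder.
    public static string Render(string displayName, string city, string trackingId)
    {
        string bodyText = AntiXssEncoder.HtmlEncode(displayName);     // text between tags
        string attrText = AntiXssEncoder.HtmlAttributeEncode(city);   // inside title="..."
        string urlPart  = AntiXssEncoder.UrlEncode(trackingId);       // inside a query string value

        return
            "<div title=\"" + attrText + "\">" + bodyText + "</div>\n" +
            "<a href=\"/profile?tid=" + urlPart + "\">profile</a>";
    }

    public static void Main()
    {
        // Constructed input containing characters that matter in each context above.
        string fragment = Render("<em>Bob</em> \"Smith\"", "Paris' \"Old\" town", "a b&c=d");
        Console.WriteLine(fragment);
    }
}
```

The encoders are allow-list based, so anything outside a small safe set is escaped; that is what makes them preferable to the older deny-list style `HttpUtility.HtmlEncode` behaviour. Encoding at output time, per context, is what stops the `<em>` and the embedded quotes from being interpreted as markup, and it composes with a Content Security Policy rather than replacing it.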
- Bill Morefield shares his guidance on preventing cross-site scripting attacks.
Insecure Deserialization
- Stephen Breen has a fantastic overview of the Java deserialization problem.
- Benedikt Ritter argues that the deserialization problem is not due to a particular library, but rather to how people misuse the library; switching to a different library wouldn’t help if you follow the same destructive patterns.
- OWASP has a deserialization cheat sheet, focused mostly around Java.
- Catalin Cimpanu points out that .NET has the same deserialization problem that has plagued Java.
- In 2012, James Forshaw pointed out at Black Hat how to use .NET serialization in an attack.
- In 2017, Alvaro Munoz and Oleksandr Mirosh, once more at Black Hat, walked through JSON and XML deserialization problems in .NET and Java.
Using Components with Known Vulnerabilities
- As a bit of flavor, here’s a story of iPhone-based malware.
- Jordan Wright has a post looking for malicious npm packages.
- To keep abreast of software exploits, Exploit DB and NIST’s National Vulnerability Database are good starting points.
- OWASP has a dependency checker for Java and .NET code that looks for vulnerable libraries.
Insufficient Logging and Monitoring
- OWASP has a cheat sheet for logging and monitoring.
Cross-Site Request Forgery
- OWASP explains Cross-Site Request Forgery. They also have a cheat sheet for protecting yourself against CSRF.
- Microsoft has documentation on using the anti-forgery token built into MVC.
- James Jardine with SANS shows how to protect Web Forms applications from CSRF.
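To make the MVC anti-forgery guidance linked above concrete, here is an added example (my own code, not from the original post or from Microsoft’s documentation) of a state-changing action protected by the built-in token. The controller, model and account names are hypothetical; the Razor form that pairs with it is shown in a comment.

```csharp
using System.Web.Helpers;
using System.Web.Mvc;

// Added example (not from the original post): an ASP.NET MVC 5 action that only
// accepts POSTs carrying a valid anti-forgery token. Names here are hypothetical.
public class TransferController : Controller
{
    // GET renders the form. The Razor view emits the hidden token field:
    //
    //   @using (Html.BeginForm("Transfer", "Transfer", FormMethod.Post))
    //   {
    //       @Html.AntiForgeryToken()
    //       @Html.TextBoxFor(m => m.ToAccount)
    //       @Html.TextBoxFor(m => m.Amount)
    //       <button type="submit">Send</button>
    //   }
    [HttpGet]
    public ActionResult Index()
    {
        return View(new TransferRequest());
    }

    // POST is the state-changing step. ValidateAntiForgeryToken compares the hidden
    // form field with the __RequestVerificationToken cookie; a cross-site form post
    // cannot read the cookie to forge the matching field, so the request is rejected.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Transfer(TransferRequest request)
    {
        if (!ModelState.IsValid)
        {
            return View("Index", request);
        }

        // ... perform the transfer on behalf of User.Identity, then redirect ...
        return RedirectToAction("Index");
    }
}

public class TransferRequest
{
    public string ToAccount { get; set; }
    public decimal Amount { get; set; }
}

// Hypothetical Global.asax Application_Start addition: only send the anti-forgery
// cookie over HTTPS so it cannot be observed on a plaintext connection.
public static class AntiForgerySetup
{
    public static void Configure()
    {
        AntiForgeryConfig.RequireSsl = true;
    }
}
```

Keep `[ValidateAntiForgeryToken]` on every action that changes state and use GET only for reads; the attribute validates whatever request reaches it, so putting it on a GET action breaks ordinary links rather than adding protection.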