Open Web Application Security Project (OWASP) For .NET projects

Author: Shengtao Zhou    Created: 3/27/2019 9:57:40 PM    Modified: 3/28/2019 2:37:04 AM
Open Web Application Security Project (OWASP) is a not-for-profit group that publishes software tools and knowledge-based documents on application security.

On the OWASP website, all sorts of attacks and vulnerabilities are listed. This gives us a guideline on how to make our applications more secure.

Security can be something very simple but overlooked. For example, the Password Management vulnerabilities:

Empty String Password
Password in Configuration File
Password Management: Hardcoded Password
Password Plaintext Storage

This reminds us of the recent news that 400 million Facebook users were urged to change their password. Please read Facebook Data Breach -- What To Do Next for details.

There's an OWASP .NET Project page on how to secure .NET applications.

There are 10 common security risks (OWASP Top 10 - 2017); click each title for more detail:

1. Injection

This includes SQL injection, but injection can also happen in application code.

For example, when generating dynamic SQL from user input:
    'select * from Customers where FirstName = ''' + @FirstName + '''
If a user passes in @FirstName = 'Bob'' or ''1''=''1', the query becomes
    select * from Customers where FirstName = 'Bob' or '1'='1'
The second condition is always true, so this will expose all customer information to hackers.

To resolve the problem, always use parameterization for raw SQL queries (Raw SQL Queries). This means using prepared statements (Prevent SQL Injection via Prepared Statements or Parameterized Queries).
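As an added example (not code from the original post), the vulnerable dynamic-SQL pattern above is shown in C# beside its parameterized replacement using Microsoft.Data.SqlClient; the connection string and the Customers table columns are assumptions for illustration.

```csharp
// Added example, not from the original post: string-concatenated SQL beside
// the parameterized form. Connection string and table columns are assumed.
using System;
using System.Data;
using Microsoft.Data.SqlClient;

public static class CustomerQueries
{
    // VULNERABLE: the value of firstName becomes part of the SQL text, so an
    // input containing a quote can rewrite the WHERE clause.
    public static string BuildUnsafeQuery(string firstName)
    {
        return "SELECT * FROM Customers WHERE FirstName = '" + firstName + "'";
    }

    // SAFE: the SQL text is fixed; the driver sends the value as a typed
    // parameter, so quotes in the input can never change the statement.
    public static SqlCommand BuildSafeCommand(SqlConnection connection, string firstName)
    {
        var cmd = new SqlCommand(
            "SELECT CustomerId, FirstName, LastName FROM Customers WHERE FirstName = @FirstName",
            connection);
        cmd.Parameters.Add("@FirstName", SqlDbType.NVarChar, 50).Value = firstName;
        return cmd;
    }

    public static void Main()
    {
        // The same input the post uses to demonstrate the problem.
        string input = "Bob' or '1'='1";

        // Concatenation turns the input into SQL syntax (an always-true OR).
        Console.WriteLine(BuildUnsafeQuery(input));

        // Assumed connection string; replace with your own.
        using var conn = new SqlConnection(
            "Server=.;Database=Shop;Integrated Security=true;TrustServerCertificate=true");
        conn.Open();
        using SqlCommand cmd = BuildSafeCommand(conn, input);
        using SqlDataReader reader = cmd.ExecuteReader();
        int rows = 0;
        while (reader.Read()) rows++;
        // With a parameter the whole input is compared as a first name, not
        // executed as SQL, so only customers literally named that way match.
        Console.WriteLine($"Rows matched: {rows}");
    }
}
```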

2. Broken Authentication

This is mostly related to securely managing user login sessions. Problems can occur if user passwords or session IDs are exposed, or if timeout and logout are not handled properly. (Broken Authentication)

3. Sensitive data exposure

This is also known as a data breach. To avoid it, sensitive data needs to be encrypted at rest (disk encryption and database encryption) and in transit (encrypted connections to the web server and database server).

4. XML External Entities (XXE)

Attackers can intercept XML files, which may include sensitive data (like passwords) or references to sensitive data (like a Web API URL that is not protected).

5. Broken Access control

This is about authorization loopholes that allow some users to access more data than they should. This includes the following areas:
Insecure IDs
Forced Browsing Past Access Control Checks
Path Traversal
File Permissions
Client Side Caching

6. Security misconfigurations

This relates to security settings (configuration, upgrades and patches) that are not done properly or not kept up to date. It also includes exposing sensitive data from the application (like revealing the database schema in an error message).

7. Cross-Site Scripting (XSS)

This is also called JavaScript injection. Hackers can inject JavaScript to retrieve data or send it to a remote site. .NET has CORS settings to control whether access is allowed from the same machine, the same domain, or the public.

8. Insecure Deserialization

This occurs when untrusted data is used to abuse the logic of an application and prevent users from using it, which in turn causes a denial of service (DoS) attack.

9. Using Components with known vulnerabilities

This means using another software component that is not secure. This is often a problem when using open source software.

10. Insufficient logging and monitoring

Logging and monitoring should be in place to proactively detect and prevent security attacks.
