Introduction to Web Protection Library (WPL)
Transcript of Introduction to Web Protection Library (WPL)
Introduction to Web Protection Library (WPL)
Securitybyte & OWASP Confidential
Anil Chintala, Information Security Tools, Microsoft, [email protected]
OWASP Top 10 - 2007
• A1. Cross Site Scripting (XSS)
• A2. Injection Flaws
• A3. Insecure Remote File Include (NEW)
• A4. Insecure Direct Object Reference
• A5. Cross Site Request Forgery (CSRF) (NEW)
• A6. Information Leakage and Improper Error Handling
• A7. Broken Authentication and Session Management
• A8. Insecure Cryptographic Storage
• A9. Insecure Communications (NEW)
• A10. Failure to Restrict URL Access
Securitybyte & OWASP AppSec Conference 2009
Top Vulnerabilities
Picture courtesy of http://www.net-security.org/secworld.php?id=8489.
Comprehensive Web Application Protection
Agenda
• Anti-XSS Library
• Introduction to WPL
– Encoding Library
– Security Runtime Engine
– Configuration Engine
– Extensibility
• Demo
• Questions?
What is Anti-XSS Library?
• Anti-XSS is an encoding library designed to help developers protect their ASP.NET applications from XSS attacks.
• It differs from most encoding libraries in that it uses the white-listing technique to provide protection against XSS attacks: instead of escaping a known list of dangerous characters, it leaves only a small set of known-safe characters untouched and encodes everything else.
• Anti-XSS 3.1 introduced the Security Runtime Engine (SRE).
Introduction
• Comprehensive web application protection
– Security Runtime Engine
– Encoding Library
• Does not require any code change
• Extensible framework for plug-ins
• Minimal performance impact
Features
• Encoding Library
– HTML Encoding
– HTML Sanitization
– LDAP Encoding
– Cascading Style Sheets Encoding
• Security Runtime Engine
– Centralized Logging
– Extensive Configurable Options
– Comprehensive Attack Protection
Comprehensive Attack Protection
| Attack Detections | Attack Mitigations |
| --- | --- |
| SQL Injection | Cross Site Scripting |
| File Canonicalization | Cookie Theft |
| Script Injections | Clickjacking |
| | Information Disclosure |
Architecture
[Architecture diagram; only its labels survive extraction.]
Components shown: ASP.NET Web Application, Encoding Library, and the SRE Module, which contains:
– Attack Detection and Attack Mitigation processors: XSS Processor, Cookies Processor, Clickjacking Processor, SQL Injection Processor, File Canonicalization Processor, Request Validation Processor, SSL Redirect Processor
– Logging Block, writing to the Log Store
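To show how a runtime engine sits in the ASP.NET pipeline and applies the mitigations named in the Comprehensive Attack Protection and Architecture slides without any page code changing, here is an added, hypothetical IHttpModule (not WPL's source) that does the work the Clickjacking, Cookies and SSL Redirect processors are named for; it assumes the IIS integrated pipeline (writable Response.Headers) and standard HTTPS ports.

```csharp
using System;
using System.Web;

// Hypothetical module (added example, not WPL code): hooks pipeline events
// and applies header, cookie and transport mitigations centrally.
public class RuntimeProtectionModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        // Fires just before headers go out: the last point at which cookies
        // and headers can still be changed, whatever the page did.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    // SSL Redirect: never serve the application over plaintext HTTP.
    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (app.Request.IsSecureConnection) return;
        // Assumes HTTPS on the default port; add the port here if it differs.
        string target = "https://" + app.Request.Url.Host + app.Request.RawUrl;
        app.Response.Redirect(target, false);
        app.CompleteRequest(); // end the pipeline without the ThreadAbortException of endResponse: true
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpResponse response = app.Response;

        // Clickjacking: refuse framing unless the page already set a policy.
        // Response.Headers is readable only under the integrated pipeline (assumption).
        if (string.IsNullOrEmpty(response.Headers["X-Frame-Options"]))
            response.AppendHeader("X-Frame-Options", "DENY");

        // Cookie theft: keep cookies out of script and off plaintext connections.
        for (int i = 0; i < response.Cookies.Count; i++)
        {
            HttpCookie cookie = response.Cookies[i];
            cookie.HttpOnly = true;
            cookie.Secure = true; // safe because OnBeginRequest already forced HTTPS
        }
    }

    public void Dispose() { }
}
```

Register the module under system.webServer/modules in web.config; the application's own pages need no change, which is the "no code change" property the slides describe.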
Demo
Extensibility
• Abstract classes for new processors
• Extensible configuration base classes
• Configuration UI attributes
• Asynchronous log writer
• Included samples in final release
Release Timeline
• November, 1st week
– Encoding Library updates
– Extensible framework for processors
– XSS and SQL Injection protection
• February, 1st week
– Cookies, SSL, Clickjacking and Request Validation processors
• March, 1st week
– Help
– Sample code
– File Canonicalization processor
Call to Action
• You can register for our program at Connect and download the tool directly
• https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=734&DownloadID=23329 – WPL 1.0 CTP
Other Security Tools
• CAT.NET 2.0 CTP
– Ported to the Phoenix compiler infrastructure
– Shiny new configuration rules engine that looks in the *.config files for common security misconfigurations
– This CTP is a command-line-only, single-pass data flow engine and configuration rules engine.
– The tool will be fully integrated into the Code Analysis menu of Visual Studio 2010.
• https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=734&DownloadID=23328
Other Security Tools
• WACA 1.0 CTP
– Web Application Configuration Analyzer
– Over 100 security rules in total (many more in the final release)
– IIS / .NET / SQL Server security configuration
– Windows permissions
– Generates an HTML-based report, exports results to Excel and exports findings as work items to TFS
– Scans a machine remotely (requires WMI and Remote Registry)
• https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=734&DownloadID=23330
Questions?