Varun - Subtle Security Flaws - ClubHack2007
Transcript of Varun - Subtle Security Flaws - ClubHack2007
Varun Sharma
Application Consulting and Engineering (ACE) Team,
Microsoft India
Flaw 1 – Custom Authentication
Flaw 2 – Lack of Rule based Authorization
Flaw 3 – Black list input validation
Flaw 4 – Improper use of Crypto
Flaw 5 – App layer DoS attack
Flaw 1 – Custom Authentication
Site implements custom forms authentication
Buggy code
Demo
Principles:-
Use well known and time tested, system provided methods for authentication.
Avoid writing custom authentication code.
Flaw 2 – Lack of Rule based Authorization
Authorization implemented by disabling UI
Rule based authorization not considered
Demo
Principles:-
Do not rely on UI for authorization
Disabled buttons is not authorization
Consider rule based authorization in your design
Flaw 3 – Black list input validation
Only a set of bad characters is checked for
Becomes vulnerable in special situations
Demo
Principles:-
Validate for valid allowed values (white list)
If white list validation is not possible:
Encode to prevent XSS
Parameterize to prevent SQL Injection
…
Flaw 4 – Improper use of Crypto
Not knowing what services are provided by what mechanisms
For example, what services do Digital Signatures provide?
Demo
Product 1's Site
Product 2's Site
Product 3's Site
Central Payment Site
Signed XML POST
Principles:-
Know what service each mechanism provides
Do not implement crypto mechanisms yourself
Use system provided methods
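An added example (not code from the talk) of the service a signature over the product site's XML POST does and does not give the central payment site. An HMAC from the standard library stands in for the digital signature so it runs offline; the keys, message layout and values are constructed for the demo.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed demo key shared between a product site and the central payment
# site. The HMAC stands in for the digital signature; the properties shown
# (integrity and origin check, but no confidentiality and no replay
# protection) are the same ones a signature over the XML would give.
PRODUCT_KEYS = {"product1": b"constructed-demo-key-product1"}


def sign_payment(product_id, msg_id, amount, card):
    """Build the XML a product site POSTs to the payment site, plus its tag."""
    payment = ET.Element("payment", {"product": product_id, "id": msg_id})
    ET.SubElement(payment, "amount").text = amount
    ET.SubElement(payment, "card").text = card
    tag = hmac.new(PRODUCT_KEYS[product_id], ET.tostring(payment),
                   hashlib.sha256).hexdigest()
    envelope = ET.Element("envelope")
    envelope.append(payment)
    ET.SubElement(envelope, "signature").text = tag
    return ET.tostring(envelope)


def verify_payment(envelope, seen_ids=None):
    """Central site check. seen_ids=None models a verifier that trusts the
    signature alone; a set adds the replay check the signature cannot give."""
    env = ET.fromstring(envelope)
    payment = env.find("payment")
    key = PRODUCT_KEYS.get(payment.get("product"))
    if key is None:
        return "unknown signer"          # signer must be an enrolled product
    expected = hmac.new(key, ET.tostring(payment), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env.findtext("signature", "")):
        return "tampered"                # integrity: any edit breaks the tag
    if seen_ids is not None:
        if payment.get("id") in seen_ids:
            return "replay"              # freshness is NOT a signature service
        seen_ids.add(payment.get("id"))
    return "accepted"


def demo():
    msg = sign_payment("product1", "m-1001", "450.00", "4111111111111111")
    forged = msg.replace(b"<amount>450.00</amount>", b"<amount>1.00</amount>")
    seen = set()
    return {
        "genuine": verify_payment(msg),
        "tampered": verify_payment(forged),
        "card_readable": b"4111111111111111" in msg,    # no confidentiality
        "replay_unchecked": verify_payment(msg),         # accepted again
        "replay_checked": [verify_payment(msg, seen), verify_payment(msg, seen)],
    }
```

The signature detects the edited amount and an unenrolled signer, yet the card number travels in clear and a captured message is accepted a second time unless the verifier tracks message ids itself.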
Flaw 5 – App layer DoS attack
Book movie ticket Screen 1 for User 1
Book movie ticket Screen 2 for User 1
You have 7 minutes left
Enter Payment details:-
Name:-
Credit Card Number:-
Address:-
….
Click to Book
Book movie ticket Screen 1 for User 2
Book movie ticket Screen 1 for User 2 after 7 minutes
Principles:-
Use CAPTCHA to avoid automated attacks
Design with security in mind