Presentation is loading. Please wait.

Presentation is loading. Please wait.

Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India.

Published byKelley Ferdinand Walton Modified over 9 years ago

Similar presentations

Presentation on theme: "Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India."— Presentation transcript:

1 Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India

2 Flaw – 1 Custom Authentication Flaw – 2 Lack of Rule based Authorization Flaw – 3 Black list input validation Flaw – 4 Improper use of Crypto Flaw – 5 App layer DOS attack

3 Site implements custom forms authentication Buggy code Demo

4 Principles:- Use well known and time tested, system provided methods for authentication. Avoid writing custom authentication code.

5 Authorization implemented by disabling UI Rule based authorization not considered Demo

6 Principles:- Do not rely on UI for authorization Disabled buttons is not authorization Consider rule based authorization in your design

7 Only set of bad characters are checked for Becomes vulnerable in special situations Demo

8 Principles:- Validate for valid allowed values (white list) If white list validation is not possible, Encode to prevent XSS Parameterize to prevent SQL Injection…

9 Not knowing what services are provided by what mechanisms For example, what services do Digital Signatures provide? Demo

10 Product 1 ‘s Site Product 2 ‘s Site Product 3 ‘s Site Central Payment Site Signed XML POST

11 Principles:- Know what service each mechanism provides Do not implement crypto mechanisms yourself Use system provided methods

12 Book movie ticket Screen 1 for User 1

13 Book movie ticket Screen 2 for User 1 You have 7 minutes left Enter Payment details:- Name:- Credit Card Number:- Address:- …. Click to Book

14 Book movie ticket Screen 1 for User 2

15 Book movie ticket Screen 1 for User 2 after 7 minutes

16 Principles:- Use CAPTCHA to avoid automated attacks Design with security in mind

17

Download ppt "Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India."

Similar presentations

Office of Labor-Management Standards (OLMS)

Office of Labor-Management Standards (OLMS)
Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely P J Human Resources Pte Ltd presents:

Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely P J Human Resources Pte Ltd presents:
SO YOU WANT TO BE A HACKER? Maybe not yet, but you will at the end of the hour!

SO YOU WANT TO BE A HACKER? Maybe not yet, but you will at the end of the hour!
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Chapter 1  Introduction 1 Introduction Chapter 1  Introduction 2 The Cast of Characters  Alice and Bob are the good guys  Trudy is the bad guy 

Chapter 1  Introduction 1 Introduction Chapter 1  Introduction 2 The Cast of Characters  Alice and Bob are the good guys  Trudy is the bad guy 
Chapter 1  Introduction 1 Chapter 1: Introduction.

Chapter 1  Introduction 1 Chapter 1: Introduction.
Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”

Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
A case for business.  College Curriculums Lacks security module Not updated  Programmers Hard to find Lack formal training unaware.

A case for business.  College Curriculums Lacks security module Not updated  Programmers Hard to find Lack formal training unaware.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Uniqueness of user names is enforced Customer information logged to database Require contact information as well as email address Email address will.

Uniqueness of user names is enforced Customer information logged to database Require contact information as well as address address will.
Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”

Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.

Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Web Application Testing with AppScan Terry Labach.

Web Application Testing with AppScan Terry Labach.
Regal Web Booking Engine Group Booking User Guide.

Regal Web Booking Engine Group Booking User Guide.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do

Similar presentations

Ads by Google