OWASP

A 16-post collection

OWASP Top 10 for .NET developers part 6: Security Misconfiguration

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" If your app uses a web server, a framework, an app platform, a database, a network or contains any code, you’re at risk of security misconfiguration. So that would be all of us then. The truth is, software is complex business. It’s not so much that the practice of writing code is tricky (in fact I’d argue it’s never been easier), but that software applications have so many potential points of vulnerability. Much of this is abstracted away from the software developer either by virtue of it being the domain of...

OWASP Top 10 for .NET developers part 5: Cross-Site Request Forgery (CSRF)

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" If you’re anything like me (and if you’re reading this, you probably are), your browser looks a little like this right now: A bunch of different sites all presently authenticated to and sitting idly by waiting for your next HTTP instruction to update your status, accept your credit card or email your friends. And then there’s all those sites which, by virtue of the ubiquitous “remember me” checkbox, don’t appear open in any browser sessions yet remain willing and able to receive instruction on your behalf. Now, remember also...

OWASP Top 10 for .NET developers part 4: Insecure direct object reference

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" Consider for a moment the sheer volume of information that sits out there on the web and is accessible by literally anyone. No authentication required, no subversive techniques need be employed, these days just a simple Google search can turn up all sorts of things. And yes, that includes content which hasn’t been promoted and even content which sits behind a publicly facing IP address without a user-friendly domain name. Interested in confidential government documents? Here you go. How about viewing the streams from personal webcams? This one’s easy. I’ll hasten a guess...

OWASP Top 10 for .NET developers part 3: Broken authentication and session management

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" Authenticating to a website is something most of us probably do multiple times every day. Just looking at my open tabs right now I’ve got Facebook, Stack Overflow, Bit.ly, Hotmail, YouTube and a couple of non-technology forums all active, each one individually authenticated to. In each case I trust the site to appropriately secure both my current session and any persistent data – such as credentials – but beyond observing whether an SSL certificate is present, I have very little idea of how the site implements authentication and session management. At least not without doing the...

OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS)

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" In the first post of this series I talked about injection and of most relevance for .NET developers, SQL injection. This exploit has some pretty severe consequences but fortunately many of the common practices employed when building .NET apps today – namely accessing data via stored procedures and ORMs – mean most apps have a head start on fending off attackers. Cross-site scripting is where things begin to get really interesting, starting with the fact that it’s by far and away the most commonly exploited vulnerability out there today. Last year, WhiteHat Security delivered their Website Security...

OWASP Top 10 for .NET developers part 1: Injection

This content is now available in the Pluralsight courses "OWASP Top 10 Web Application Security Risks for ASP.NET" and "Ethical Hacking: SQL Injection" There’s a harsh reality web application developers need to face up to; we don’t do security very well. A report from WhiteHat Security last year reported “83% of websites have had a high, critical or urgent issue”. That is, quite simply, a staggeringly high number and it’s only once you start to delve into to depths of web security that you begin to understand just how easy it is to inadvertently produce vulnerable code. Inevitably a large part of the problem is education. Oftentimes...