Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India
Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India.
Dec 31, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Varun Sharma
Application Consulting and Engineering (ACE) Team,
Microsoft India
Flaw – 1 Custom AuthenticationFlaw – 2 Lack of Rule based AuthorizationFlaw – 3 Black list input validationFlaw – 4 Improper use of CryptoFlaw – 5 App layer DOS attack
Site implements custom forms authenticationBuggy codeDemo
Principles:-Use well known and time tested, system provided methods for authentication. Avoid writing custom authentication code.
Authorization implemented by disabling UIRule based authorization not consideredDemo
Principles:-Do not rely on UI for authorizationDisabled buttons is not authorizationConsider rule based authorization in your design
Only set of bad characters are checked forBecomes vulnerable in special situationsDemo
Principles:-Validate for valid allowed values (white list)If white list validation is not possible,
Encode to prevent XSSParameterize to prevent SQL Injection…
Not knowing what services are provided by what mechanisms
For example, what services do Digital Signatures provide?
Demo
Product 1 ‘s Site
Product 2 ‘s Site
Product 3 ‘s Site
Central Payment Site
Signed XML POST
Principles:-Know what service each mechanism providesDo not implement crypto mechanisms yourselfUse system provided methods
Book movie ticket Screen 1 for User 1
Book movie ticket Screen 2 for User 1
You have 7 minutes left
Enter Payment details:-
Name:-Credit Card Number:-Address:-….
Click to Book
Book movie ticket Screen 1 for User 2
Book movie ticket Screen 1 for User 2 after 7 minutes
Principles:-Use CAPTCHA to avoid automated attacksDesign with security in mind
Related Documents
