James Crowley, profile picture
Uploaded byJames Crowley
PDF, PPTX113 views

10 things I’ve learnt about web application security

James Crowley's document outlines ten key learnings about web application security, emphasizing the importance of addressing known vulnerabilities and implementing best practices. He advises developers to hack their own applications, validate inputs, and ensure proper encoding and security configurations. The document also provides actionable recommendations for fortifying web applications against common threats like XSS and CSRF, and highlights the significance of SSL best practices.

Embed presentation

Download as PDF, PPTX
10 things I’ve learnt about web application security James Crowley CTO, FundApps @jamescrowley
Who has written software with bugs in before?
Learning #1 – Security vulnerabilities are bugs
OWASPTop 10 in 2013 Injection BrokenAuthentication & Session Management Cross Site Scripting Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross Site Request Forgery Using Components with Known vulnerabilities Unvalidated redirects and forwards
Learning #2 – If you feel confident about security, be afraid!
Action: Hack your own applications * Fiddler ZED Attack Proxy Skipfish WATOBO Tamper Data WebScarab Packaged VMs: Beef project, SamuriWTF More here: http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/ * Be aware of computer misuse act.
Demo!
Learning #3 – Fixing the basics are easy and worthwhile.
Unvalidated redirects (esp MVC 1 & 2) Secure & HttpOnly cookies Obvious cross site scripting vulnerabilities Obvious SQL injection Missing best practice headers Allowing caching of secure pages Autocomplete on password pages (!!) Application errors being disclosed and different error pages Directory traversals Missing XSRF protection Things they (should) pick up…
Reminder:These are automated tools
You’re using a salted hash, right? How many iterations?
Action: Check if you’re using 1000+ iterations on your password hashing. If not, plan to migrate. // use this helper or use Rfc2898DeriveBytes directly System.Web.Helpers.Crypto.HashPassword(passwordToHash);
Learning #4 – It’s game over once you have fallen for XSS (those alert boxes are scary)
Demo!
Learning #5 – Do not rely on Request validation. Not even a little bit.
Action: Validate input using white lists not black lists. Apply blanket validation to model binding (unless set otherwise)
Learning #6 - Encode your output, especially with JavaScript. Be wary with 3rd party libraries.
Action: Review encoding anywhere you’re passing variables between server and JavaScript/Urls/Css System.Web.HttpUtility.UrlEncode System.Web.Security.AntiXss.AntiXssEncoder.CssEncode System.Web.HttpUtility.JavaScriptStringEncode
Action: Review anywhere you’re accessing parameters (such as the URL fragment) from JS
Action:Tighten up encoding using AntiXSS – uses whitelist rather than blacklist <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
Learning #7 - Be especially wary of file uploads if you’re supporting IE 8 (or earlier)
Action: Ensure Content-Disposition is always set
Action: Ensure you white list both file extension and mime types
Action: Use X-Content-Type-Options to disable mime type sniffing in IE <system.webServer> <httpProtocol> <customHeaders> ... <add name="X-Content-Type-Options" value="nosniff" /> </customHeaders> </httpProtocol> </system.webServer>
Action: Use Content-Security-Policy-Report-Only header to monitor JavaScript usage and then Content-Security-Policy to restrict (and enforce best practice!) <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' https://apis.google.com; report- uri http://loghost.example.com/reports.jsp" />
Learning #8 – Don’t forget about your emails
# Learning 9 – Have a reliable strategy for preventing cross site request forgeries Hint: ScatteringValidateAntiForgeryToken at random on your actions doesn’t count!
Demo
Demo
Action: ApplyValidateAntiForgeryToken to all non-GET requests. Fail secure. https://gist.github.com/jamescrowley/a6e53957c8c0778f5e12
Learning #10 - Forward Secrecy and SSL best practices are easier than you might think (but it’s a moving target)
Demo: If you’re not running HTTPS…
Action: Scan your current setup for configuration & Heartbleed https://www.ssllabs.com/ https://filippo.io/Heartbleed/
Action: Get your ciphers in order, enable ECDHE for forward secrecy
Action: Apply Strict-Transport-Security header (with a long age) <add name="Strict-Transport-Security" value="max- age=31536000" />
Wrapping up Go hack your own application Run ZED Attack Proxy / SkipFish Pass on your knowledge
Thanks for listening – any questions? Tweet me: @jamescrowley Blog: www.jamescrowley.co.uk PS FundApps is hiring! Get in touch 
Resources
Books The Browser Hacker's Handbook The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
Best Practices Troy Hunt - http://www.troyhunt.com/ “Don’t do this, do that” from the ASP.NETTeam - http://bit.ly/1fXzIH2 (article) and http://vimeo.com/68390507 (video) OWASP - https://www.owasp.org/index.php/Category:OWASP_.NET_Project
Security news & resources OWASP - https://www.owasp.org/index.php/Main_Page Microsoft security response - @msftsecresponse / microsoft.com/msrcblog SANS - http://www.sans.org/security-resources/ CVE - http://cve.mitre.org/
Specific resources Content-Security-Policy https://blog.twitter.com/2011/improving-browser-security-csp http://www.html5rocks.com/en/tutorials/security/content-security-policy
Other tools to protect yourself… Vulnerability scanning Skipfish, WebInspect, QualysGuard… Web Application Firewalls Snort, Imperva, Cloudflare, ModSecurity… PCI Scanning HackerGuardian, QualsysGuard…

More Related Content

PPTX
Hacking WebApps for fun and profit : how to approach a target?
byYassine Aboukir
 
PPT
OWASP Serbia - A3 broken authentication and session management
byNikola Milosevic
 
PPT
OWASP Serbia - A5 cross-site request forgery
byNikola Milosevic
 
PDF
Tale of Forgotten Disclosure and Lesson learned
byAnant Shrivastava
 
PDF
Xss 101 by-sai-shanthan
byRaghunath G
 
PPTX
Why vulners? Short story about reinventing a wheel
byKirill Ermakov
 
PDF
Security awareness for information security team
byKirill Ermakov
 
PPTX
4 . future uni presentation
byRashid Khatmey
 
Hacking WebApps for fun and profit : how to approach a target?
byYassine Aboukir
 
OWASP Serbia - A3 broken authentication and session management
byNikola Milosevic
 
OWASP Serbia - A5 cross-site request forgery
byNikola Milosevic
 
Tale of Forgotten Disclosure and Lesson learned
byAnant Shrivastava
 
Xss 101 by-sai-shanthan
byRaghunath G
 
Why vulners? Short story about reinventing a wheel
byKirill Ermakov
 
Security awareness for information security team
byKirill Ermakov
 
4 . future uni presentation
byRashid Khatmey
 

What's hot

PDF
Penetration testing web application web application (in) security
byNahidul Kibria
 
PPTX
Web application Security tools
byNico Penaredondo
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
PPTX
Browser Security by pratimesh Pathak ( Buldhana)
byPratimesh Pathak
 
PDF
Vulners: Google for hackers
byKirill Ermakov
 
PDF
Browser Exploit Framework
byn|u - The Open Security Community
 
PDF
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
PPTX
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
byQuek Lilian
 
PDF
[Cluj] CSP (Content Security Policy)
byOWASP EEE
 
PPTX
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 
PPTX
Cyber ppt
bykarthik menon
 
PDF
The moment my site got hacked - WordCamp Sofia
byMarko Heijnen
 
PPTX
2 . web app s canners
byRashid Khatmey
 
PPTX
Beef saurabh
bySaurav Chaudhary
 
PDF
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
bydrewz lin
 
PPTX
3. backup file artifacts - mazin ahmed
byRashid Khatmey
 
PPTX
Phu appsec13
bydrewz lin
 
PDF
State of Web Security RailsConf 2016
byIMMUNIO
 
PPTX
XSS (Cross Site Scripting)
byShubham Gupta
 
PDF
Vulnerability Funalitics with vulners.com
byKirill Ermakov
 
Penetration testing web application web application (in) security
byNahidul Kibria
 
Web application Security tools
byNico Penaredondo
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
Browser Security by pratimesh Pathak ( Buldhana)
byPratimesh Pathak
 
Vulners: Google for hackers
byKirill Ermakov
 
Browser Exploit Framework
byn|u - The Open Security Community
 
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
byQuek Lilian
 
[Cluj] CSP (Content Security Policy)
byOWASP EEE
 
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 
Cyber ppt
bykarthik menon
 
The moment my site got hacked - WordCamp Sofia
byMarko Heijnen
 
2 . web app s canners
byRashid Khatmey
 
Beef saurabh
bySaurav Chaudhary
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
bydrewz lin
 
3. backup file artifacts - mazin ahmed
byRashid Khatmey
 
Phu appsec13
bydrewz lin
 
State of Web Security RailsConf 2016
byIMMUNIO
 
XSS (Cross Site Scripting)
byShubham Gupta
 
Vulnerability Funalitics with vulners.com
byKirill Ermakov
 

Similar to 10 things I’ve learnt about web application security

PDF
Application Security - Your Success Depends on it
byWSO2
 
ODP
Secure coding in C#
bySiddharth Bezalwar
 
PPT
Secure code practices
byHina Rawal
 
PDF
Owasp top 10_openwest_2019
bySean Jackson
 
PDF
A security note for web developers
byJohn Ombagi
 
PDF
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
PDF
Oh, WASP! Security Essentials for Web Apps
byTechWell
 
PDF
Secure coding guidelines
byZakaria SMAHI
 
PPTX
Application Security - Myth or Fact Slides
bydfgrumpy
 
PDF
Secure RESTful Web Services for ASP.NET Web API
byRob Daigneau
 
PDF
Security .NET.pdf
byAbhi Jain
 
PPTX
Don't get stung - an introduction to the OWASP Top 10
byBarry Dorrans
 
PPT
Web application development_dos_and_donts
byhuynhvanphuc
 
PPTX
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
byLostar
 
PPTX
So Your Company Hired A Pentester
byNorthBayWeb
 
PDF
How to Harden the Security of Your .NET Website
byDNN
 
PPTX
Web security for app developers
byPablo Gazmuri
 
PDF
Web application security (eng)
byAnatoliy Okhotnikov
 
PDF
Secure Web Services
byRob Daigneau
 
PPTX
Don't Get Stung
byBarry Dorrans
 
Application Security - Your Success Depends on it
byWSO2
 
Secure coding in C#
bySiddharth Bezalwar
 
Secure code practices
byHina Rawal
 
Owasp top 10_openwest_2019
bySean Jackson
 
A security note for web developers
byJohn Ombagi
 
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
Oh, WASP! Security Essentials for Web Apps
byTechWell
 
Secure coding guidelines
byZakaria SMAHI
 
Application Security - Myth or Fact Slides
bydfgrumpy
 
Secure RESTful Web Services for ASP.NET Web API
byRob Daigneau
 
Security .NET.pdf
byAbhi Jain
 
Don't get stung - an introduction to the OWASP Top 10
byBarry Dorrans
 
Web application development_dos_and_donts
byhuynhvanphuc
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
byLostar
 
So Your Company Hired A Pentester
byNorthBayWeb
 
How to Harden the Security of Your .NET Website
byDNN
 
Web security for app developers
byPablo Gazmuri
 
Web application security (eng)
byAnatoliy Okhotnikov
 
Secure Web Services
byRob Daigneau
 
Don't Get Stung
byBarry Dorrans
 

Recently uploaded

PDF
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
PDF
Oracle MySQL HeatWave - Complete - Version 3
byLuca Bonesini
 
PDF
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
PDF
Building a Multi-Tenant OpenShift Platform with HyperShift
byTosin Akinosho
 
PDF
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
PDF
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
PDF
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
PDF
Linux Professional Institute LPIC-1 Exam.pdf
byLinuxCert Guru
 
PDF
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
PPTX
oop pillor polymorphism Code Presentation
byhifzamahmood8
 
PPTX
Agentic AI presentation with Python Exercises
byParth Mane
 
PPTX
Explaining ourselves – people, computers and AI
byAlan Dix
 
PDF
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PPTX
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
PDF
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
PDF
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PDF
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
Oracle MySQL HeatWave - Complete - Version 3
byLuca Bonesini
 
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
Building a Multi-Tenant OpenShift Platform with HyperShift
byTosin Akinosho
 
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
Linux Professional Institute LPIC-1 Exam.pdf
byLinuxCert Guru
 
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
oop pillor polymorphism Code Presentation
byhifzamahmood8
 
Agentic AI presentation with Python Exercises
byParth Mane
 
Explaining ourselves – people, computers and AI
byAlan Dix
 
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 

10 things I’ve learnt about web application security

  • 1.
    10 things I’velearnt about web application security James Crowley CTO, FundApps @jamescrowley
  • 2.
    Who has writtensoftware with bugs in before?
  • 3.
    Learning #1 –Security vulnerabilities are bugs
  • 4.
    OWASPTop 10 in2013 Injection BrokenAuthentication & Session Management Cross Site Scripting Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross Site Request Forgery Using Components with Known vulnerabilities Unvalidated redirects and forwards
  • 5.
    Learning #2 –If you feel confident about security, be afraid!
  • 6.
    Action: Hack yourown applications * Fiddler ZED Attack Proxy Skipfish WATOBO Tamper Data WebScarab Packaged VMs: Beef project, SamuriWTF More here: http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/ * Be aware of computer misuse act.
  • 7.
  • 8.
    Learning #3 –Fixing the basics are easy and worthwhile.
  • 9.
    Unvalidated redirects (espMVC 1 & 2) Secure & HttpOnly cookies Obvious cross site scripting vulnerabilities Obvious SQL injection Missing best practice headers Allowing caching of secure pages Autocomplete on password pages (!!) Application errors being disclosed and different error pages Directory traversals Missing XSRF protection Things they (should) pick up…
  • 10.
  • 11.
    You’re using asalted hash, right? How many iterations?
  • 12.
    Action: Check ifyou’re using 1000+ iterations on your password hashing. If not, plan to migrate. // use this helper or use Rfc2898DeriveBytes directly System.Web.Helpers.Crypto.HashPassword(passwordToHash);
  • 13.
    Learning #4 –It’s game over once you have fallen for XSS (those alert boxes are scary)
  • 14.
  • 15.
    Learning #5 –Do not rely on Request validation. Not even a little bit.
  • 16.
    Action: Validate inputusing white lists not black lists. Apply blanket validation to model binding (unless set otherwise)
  • 17.
    Learning #6 -Encode your output, especially with JavaScript. Be wary with 3rd party libraries.
  • 18.
    Action: Review encodinganywhere you’re passing variables between server and JavaScript/Urls/Css System.Web.HttpUtility.UrlEncode System.Web.Security.AntiXss.AntiXssEncoder.CssEncode System.Web.HttpUtility.JavaScriptStringEncode
  • 19.
    Action: Review anywhereyou’re accessing parameters (such as the URL fragment) from JS
  • 20.
    Action:Tighten up encodingusing AntiXSS – uses whitelist rather than blacklist <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  • 21.
    Learning #7 -Be especially wary of file uploads if you’re supporting IE 8 (or earlier)
  • 22.
  • 23.
    Action: Ensure youwhite list both file extension and mime types
  • 24.
    Action: Use X-Content-Type-Optionsto disable mime type sniffing in IE <system.webServer> <httpProtocol> <customHeaders> ... <add name="X-Content-Type-Options" value="nosniff" /> </customHeaders> </httpProtocol> </system.webServer>
  • 25.
    Action: Use Content-Security-Policy-Report-Only headerto monitor JavaScript usage and then Content-Security-Policy to restrict (and enforce best practice!) <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' https://apis.google.com; report- uri http://loghost.example.com/reports.jsp" />
  • 26.
    Learning #8 –Don’t forget about your emails
  • 27.
    # Learning 9– Have a reliable strategy for preventing cross site request forgeries Hint: ScatteringValidateAntiForgeryToken at random on your actions doesn’t count!
  • 28.
  • 29.
  • 30.
    Action: ApplyValidateAntiForgeryToken toall non-GET requests. Fail secure. https://gist.github.com/jamescrowley/a6e53957c8c0778f5e12
  • 31.
    Learning #10 -Forward Secrecy and SSL best practices are easier than you might think (but it’s a moving target)
  • 32.
    Demo: If you’renot running HTTPS…
  • 33.
    Action: Scan yourcurrent setup for configuration & Heartbleed https://www.ssllabs.com/ https://filippo.io/Heartbleed/
  • 34.
    Action: Get yourciphers in order, enable ECDHE for forward secrecy
  • 35.
    Action: Apply Strict-Transport-Securityheader (with a long age) <add name="Strict-Transport-Security" value="max- age=31536000" />
  • 36.
    Wrapping up Go hackyour own application Run ZED Attack Proxy / SkipFish Pass on your knowledge
  • 37.
    Thanks for listening –any questions? Tweet me: @jamescrowley Blog: www.jamescrowley.co.uk PS FundApps is hiring! Get in touch 
  • 38.
  • 39.
    Books The Browser Hacker'sHandbook The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
  • 40.
    Best Practices Troy Hunt- http://www.troyhunt.com/ “Don’t do this, do that” from the ASP.NETTeam - http://bit.ly/1fXzIH2 (article) and http://vimeo.com/68390507 (video) OWASP - https://www.owasp.org/index.php/Category:OWASP_.NET_Project
  • 41.
    Security news &resources OWASP - https://www.owasp.org/index.php/Main_Page Microsoft security response - @msftsecresponse / microsoft.com/msrcblog SANS - http://www.sans.org/security-resources/ CVE - http://cve.mitre.org/
  • 42.
  • 43.
    Other tools toprotect yourself… Vulnerability scanning Skipfish, WebInspect, QualysGuard… Web Application Firewalls Snort, Imperva, Cloudflare, ModSecurity… PCI Scanning HackerGuardian, QualsysGuard…