
Threats and Countermeasures for Web Applications on Windows Azure


[Figure: Visual Threats - Web App]

[Figure: Visual Vulnerabilities - Web App]

[Figure: Visual Countermeasures - Web App]

Threats and Attacks

Auditing and Logging
* User denies performing an operation
* Attacker exploits an application without trace
* Attacker covers his tracks

Authentication
* Brute force attacks
* Cookie replay attacks
* Dictionary attacks
* Network eavesdropping
* Credential theft

Authorization
* Disclosure of confidential data
* Data tampering
* Elevation of privilege
* Luring attacks

Configuration Management
* Unauthorized access to configuration stores
* Retrieval of clear text configuration secrets
* Lack of individual accountability

Cryptography
* Encryption cracking
* Loss of decryption keys

Exception Management
* Revealing sensitive system or application details
* Denial of service attacks

Input and Data Validation
* HTTP forgery (CSRF)
* Cookie manipulation
* Query string manipulation
* HTTP header manipulation
* Cross-site scripting
* Buffer overflows
* SQL injection
* Canonicalization attacks
* Form field manipulation

Sensitive Data
* Accessing sensitive data in storage
* Network eavesdropping
* Information disclosure

Session Management
* Session hijacking
* Session replay
* Man-in-the-middle attacks


Vulnerabilities

Auditing and Logging
* Failing to audit failed logons
* Failing to audit across application tiers

Authentication
* Storing clear text credentials in configuration files
* Passing clear text credentials over the network
* Using weak passwords
* Permitting over-privileged accounts
* Permitting prolonged session lifetime
* Mixing personalization with authentication

Authorization
* Relying on a single gatekeeper
* Failing to limit database access to specified stored procedures
* Using inadequate separation of privileges

Configuration Management
* Using insecure configuration stores
* Storing clear text configuration data
* Using insecure administration interfaces
* Having too many administrators

Cryptography
* Using custom cryptography
* Failing to secure encryption keys
* Using the wrong algorithm or a key size that is too small
* Using the same key for a prolonged period of time
* Distributing keys in an insecure manner

Exception Management
* Failing to use structured exception handling
* Revealing too much information to the client

Input and Data Validation
* Using non-validated input in the Hypertext Markup Language (HTML) output stream
* Failing to validate input from all sources, including cookies, query string parameters, HTTP headers, databases, and network resources
* Failing to uniquely identify transactions
* Using non-validated input to generate SQL queries
* Relying on client-side validation
* Using input file names, URLs, or user names for security decisions
* Using application-only filters for malicious input
* Looking for known bad patterns of input
* Trusting data read from databases, file shares, and other network resources

Sensitive Data
* Storing secrets in code
* Storing secrets in clear text
* Storing secrets when you do not need to
* Passing sensitive data in clear text over networks

Session Management
* Having insecure session state stores
* Permitting prolonged session lifetime
* Passing session identifiers over unencrypted channels
* Placing session identifiers in query strings


Countermeasures

Auditing and Logging
* Identify malicious behavior
* Know your baseline (know what good traffic looks like)
* Use application instrumentation to expose behavior that can be monitored

Authentication
* Encrypt communication channels to secure authentication tokens
* Use HTTPS only with forms authentication cookies
* Use authentication mechanisms that do not require clear text credentials to be passed over the network
* Do not store credentials
* Use strong password policies
* Separate anonymous from authenticated pages

Authorization
* Use multiple gatekeepers
* Consider granularity of access
* Enforce separation of privileges
* Use least privilege accounts

Configuration Management
* Do not store credentials in clear text
* Avoid storing sensitive information in the Web space
* Use only local administration
* Use strong authentication and authorization on administrative interfaces

Cryptography
* Do not develop and use proprietary algorithms (XOR is not encryption; use established cryptography such as RSA)
* Avoid key management
* Use the RNGCryptoServiceProvider class to generate random numbers
* Periodically change your keys

Exception Management
* Do not log private data such as passwords
* Do not reveal sensitive system or application information
* Use structured exception handling (try/catch blocks)
* Catch and wrap exceptions only if the operation adds value or information

Input and Data Validation
* Do not trust input
* Validate input: length, range, format, and type
* Constrain, reject, and sanitize input
* Encode output
* Uniquely identify transactions

Sensitive Data
* Do not store secrets in software
* Encrypt sensitive data over the network
* Secure the channel

Session Management
* Secure the channel to the session store
* Authenticate and authorize access to the session store
* Partition the site by anonymous, identified, and authenticated users
* Reduce session timeouts
* Avoid storing sensitive data in session stores

Last edited May 20, 2010 at 2:07 AM by paulenfield, version 4