OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Similar documents
CIT 380: Securing Computer Systems. Web Security II

OWASP Top The Top 10 Most Critical Web Application Security Risks. The OWASP Foundation

OWASP Top Dave Wichers OWASP Top 10 Project Lead OWASP Board Member COO/Cofounder, Aspect Security

Vulnerability Scanner Tools. Security intelligence

Web Application Security. Philippe Bogaerts

About the OWASP Top 10

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

A10: Unvalidated Redirects and Forwards Axx: Unsolicited Framing

Sichere Software vom Java-Entwickler

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Welcome to the OWASP TOP 10

1 About Web Security. What is application security? So what can happen? see [?]

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s


Aguascalientes Local Chapter. Kickoff

Application Layer Security

Application vulnerabilities and defences

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Copyright

CIS 4360 Secure Computer Systems XSS

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

OWASP Top 10 The Ten Most Critical Web Application Security Risks

C1: Define Security Requirements

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Web Application Penetration Testing

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Solutions Business Manager Web Application Security Assessment

GOING WHERE NO WAFS HAVE GONE BEFORE

OWASP TOP 10. By: Ilia

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

SECURITY TESTING. Towards a safer web world

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Top 10 Web Application Vulnerabilities

Your Turn to Hack the OWASP Top 10!

CSCD 303 Essential Computer Security Fall 2017

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

CSCE 813 Internet Security Case Study II: XSS

Exploiting and Defending: Common Web Application Vulnerabilities

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

CSCD 303 Essential Computer Security Fall 2018

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Domino Web Server Security

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

RKN 2015 Application Layer Short Summary

Simplifying Application Security and Compliance with the OWASP Top 10

Web Application Vulnerabilities: OWASP Top 10 Revisited

Secure Coding, some simple steps help. OWASP EU Tour 2013

SECURE CODING ESSENTIALS

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

P2_L12 Web Security Page 1

Evaluating the Security Risks of Static vs. Dynamic Websites

Web basics: HTTP cookies

Combating Common Web App Authentication Threats

OWASP TOP OWASP TOP

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Information Security CS 526 Topic 8

TIBCO Cloud Integration Security Overview

WEB SECURITY: XSS & CSRF

Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

NET 311 INFORMATION SECURITY

Information Security. Gabriel Lawrence Director, IT Security UCSD

Web Application Threats and Remediation. Terry Labach, IST Security Team

Security Testing White Paper

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Web Security: Web Application Security [continued]

Robust Defenses for Cross-Site Request Forgery Review

F5 Application Security. Radovan Gibala Field Systems Engineer

INNOV-09 How to Keep Hackers Out of your Web Application

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Application. Security. on line training. Academy. by Appsec Labs

EasyCrypt passes an independent security audit

Ruby on Rails Secure Coding Recommendations

Applications Security

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

COMP9321 Web Application Engineering

Transcription:

OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP

My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes a safe place for me He speaks a whole different language It is called TCIP He is an Internet security teacher Awwww! Mom, you got it all screwed up.

Goals High level overview of the Top 10 in 45 min. Definition, Illustration, & Protection/Avoidance With abstraction comes loss of clarity Spend a whole life/week/day/hour Explain it to me like You should be able to explain it to someone else Your mom can get it Your boss s boss will care

The Top 10 Web Risks A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards

A1: Injection

A1 Injection Defined Command Interpreters SQL injection Impact commands inserted in the data, interpreted by interpreter Perl, OS Shell, LDAP, Xpath Web site are connected to Databases Impact Availability, Confidentiality, Integrity

SQL Injection Illustrated Account: SKU: Account: SKU: "SELECT * FROM accounts WHERE acct= OR 1=1-- " Account Summary Acct:5424-6066-2134-4334 Acct:4128-7574-3921-0192 Acct:5424-9383-2039-4029 Acct:4128-0004-1234-0293 1. Application presents a form to the attacker 2. Attacker sends an attack in the form data 3. Application forwards attack to the database in a SQL query 4. Database runs query containing attack and sends results back to application 5. Application sends results to the user

A1 Avoiding Injection Encode all user input before passing it to the interpreter Everything that is data, only treat it as data Avoid using interpreter Reduce amount of data available Least Privilege

A2: Cross-Site Scripting (XSS)

A2 Cross-Site Scripting (XSS) Defined Raw data Web 2.0 Impact Evil raw data from attacker is sent to an innocent user s browser Link retrieved from valid / trusted web site Link is a request for data sent directly to client Everyone posts to everyone else s site You can not get around it Confidentiality, Integrity Attacker may observe and direct all user s behavior

Cross-Site Scripting Illustrated 1 2 Attacker sets the trap update my profile Attacker enters a malicious script into a web page that stores the data on the server Victim views page sees attacker profile Application with stored XSS vulnerability Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code Script runs inside victim s browser with full access to the DOM and cookies 3 Script silently sends attacker Victim s session cookie

A2 Avoiding XSS Flaws Don t include user-supplied input in the output page Convert all user-supplied input to data only Whitelist input validation on all user input Use OWASP s AntiSamy to sanitize this HTML

A3: Broken Authentication and Session Management

A3 Broken Authentication and Session Management Defined Session management flaws Other session entry points Impact Convert user name & password to Session ID If attacker can predict Session ID, they can steal it Credentials must be appended with every request SESSION ID is used to track state since HTTP doesn t SESSION ID is typically exposed Change my password, remember my password, forgot my password, logout, email address, etc Confidentiality, Integrity Accounts compromised or sessions hijacked

Broken Authentication Illustrated 1 User sends credentials www.boi.com?jsessionid=9fa1db9ea... Site uses URL rewriting (i.e., put session in URL) 2 Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Custom Code Bus. Functions 3 User clicks on a link to http://www.hacker.com in a forum Hacker checks referer logs on www.hacker.com and finds user s JSESSIONID 4 5 Hacker uses JSESSIONID and takes over victim s account

A3 Avoiding Broken Authentication and Session Management Architecture Authentication = simple, centralized, and standardized SSL from cradle to grave Implementation Check your SSL certificate Examine all the authentication-related functions Verify that logoff actually destroys the session WebScarab to test No automated analysis

A4: Insecure Direct Object References

A4 Insecure Direct Object References Defined Flaws Impact Internal files and executables lead to other internal sensitive functions Attacker tampers with parameter value Listing the authorized objects Hiding the object references Confidentiality Attackers are able to access unauthorized files or data

Insecure Direct Object References Illustrated https://www.onlinebank.com/user?acct=6065 Attacker notices his acct parameter is 6065?acct=6065 He modifies it to a nearby number?acct=6066 Attacker views the victim s account information

A4 Avoiding Insecure Direct Object References Eliminate the direct object reference temporary mapping value (e.g. 1, 2, 3) Validate the direct object reference http://app?file=report123.xls Internal http://app?file=1 http://app?id=9182374 http://app?id=7d3j93 Access Reference Map Reference Monitor External Request Doc Request 1 Acct:9182374 SERVER Client

A5: Cross-Site Request Forgery (CSRF)

A5 Cross Site Request Forgery (CSRF) Defined Cause Automatically Provided Credentials Impact Victim s browser is tricked into issuing a command to a vulnerable web application under attacker s control Browsers automatically including user authentication data with each request Session cookie, Basic authentication header, IP address Client side SSL certificates Windows domain authentication Confidentiality, Integrity Initiate transactions Access sensitive data

CSRF Illustrated 1 Attacker sets the trap on some website on the internet (or simply via an e-mail) 2 Hidden <img> tag contains attack against vulnerable site While logged into vulnerable site, victim views attacker site <img> tag loaded by browser sends GET request (including credentials) to vulnerable site Application with CSRF vulnerability Accounts Finance Custom Code 3 Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Vulnerable site sees legitimate request from victim and performs the action requested

A5 Avoiding CSRF Flaws Add a secret, not automatically submitted Tokenize to ALL sensitive requests Cryptographically strong or random Don t allow attackers to store attacks on your site Properly encode all input on the way out This renders all links/requests inert in most interpreters

A6: Security Misconfiguration

A6 Security Misconfiguration Defined Unpatched operating systems and applications are an attack vector Other code Anything you install is an attack vector Impact Availability, Confidentiality, Integrity

Security Misconfiguration Illustrated Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Database Custom Code App Configuration Insider Framework App Server Web Server Hardened OS Development QA Servers Test Servers Source Control

A6 Avoiding Security Misconfiguration Hardening Operating System Utilities Applications Agents Patch Change Control

A7: Insecure Cryptographic Storage

A7 Insecure Cryptographic Storage Defined Data Impact Unidentified sensitive data at rest Databases, files, directories, log files, backups Confidentiality, Integrity Expense of cleaning up the incident Sued and/or fined

Insecure Cryptographic Storage Illustrated 1 Victim enters credit card number in form Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code 4 Malicious insider steals 4 million credit card numbers Log files Error handler logs CC details because merchant gateway is unavailable 2 Logs are accessible to all members of IT staff for debugging purposes 3

A7 Avoiding Insecure Cryptographic Storage Identify all sensitive data and locations Encryption as much as you can afford Use the mechanisms correctly Use standard strong algorithms Generate, distribute, and protect keys properly Be prepared for key change Verify and test

A8: Failure to Restrict URL Access

A8 Failure to Restrict URL Access Defined A common mistake Impact If authentication is used on any part of the site and not on all parts of the site Displaying only authorized links and menu choices Attacker types the URL directly Confidentiality Access other user s accounts and data Perform privileged actions

Failure to Restrict URL Access Illustrated Attacker notices the URL indicates his role /user/getaccounts He modifies it to another directory (role) /admin/getaccounts, or /manager/getaccounts Attacker views more accounts than just their own

A8 Avoiding URL Access Control Flaws For each URL, a site needs to do 3 things: Restrict access to authenticated users (if not public) Enforce any user or role-based permissions (if private) Completely disallow requests to unauthorized page types Verify the server configuration disallows requests to unauthorized file types Use WebScarab to forge unauthorized requests

A9: Insufficient Transport Layer Protection

A9 Insufficient Transport Layer Protection Define Sensitive data is transmitted in clear SSL & TLS Server side certificate normal Client side certificates are rare Server to server is possible Impact Confidentiality Attackers use data as launching point for further attack

Insufficient Transport Layer Protection Illustrated External Victim Custom Code Backend Systems Business Partners External attacker steals credentials and data off network External Attacker 1 2 Employees Internal attacker steals credentials and data from internal network Internal Attacker

A9 Avoiding Insufficient Transport Layer Protection Use SSL/TLS on all connections with sensitive data Use certificates correctly Use current standard strong algorithms Manage keys/certificates properly Client side Verify SSL certificates before using them

A10: Unvalidated Redirects and Forwards

A10 Unvalidated Redirects and Forwards Defined User-supplied parameters (Controlled by the Attacker) in the destination URL request data from unauthorized sites Attacker can send victim to a site of their choice Forwards (Transfer in.net) Internally send the request to a new page in the same application Sometimes parameters define the target page Impact Integrity Redirect victim to phishing or malware site

Unvalidated Redirect Illustrated 1 Attacker sends attack to victim via email or webpage From: Internal Revenue Service Subject: Your Unclaimed Tax Refund Our records show you have an unclaimed federal tax refund. Please click here to initiate your claim. 3 Application redirects victim to attacker s site 2 Victim clicks link containing unvalidated parameter Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code Request sent to vulnerable site, including attacker s destination site as parameter. Redirect sends victim to attacker site http://www.irs.gov/taxrefund/claim.jsp?year=2006 & &dest=www.evilsite.com 4 Evil Site Evil site installs malware on victim, or phish s for private information

Unvalidated Forward Illustrated 1 Attacker sends attack to vulnerable page they have access to 2 Application authorizes request, which continues to vulnerable page Request sent to vulnerable page which user does have access to. Redirect sends user directly to private page, bypassing access control. Filter public void dopost( HttpServletRequest request, HttpServletResponse response) { try { String target = request.getparameter( "dest" ) );... request.getrequestdispatcher( target ).forward(request, response); } catch (... public void sensitivemethod( HttpServletRequest request, HttpServletResponse response) { try { // Do sensitive stuff here.... } catch (... 3 Forwarding page fails to validate parameter, sending attacker to unauthorized page, bypassing access control

A10 Avoiding Unvalidated Redirects and Forwards Avoid using redirects and forwards Do not involve user parameters in defining the target URL If you must involve user parameters Validate each parameter Server side mapping

What I do for a living www.expandingsecurity.com We protect your business on the Internet By teaching managers and technologists How to integrate security into your business CISSP, ISSMP, ISSAP, CEH, Penetration testing, packet analysis, network security, business security Come get a pocket protector at my booth

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback