Web Application Vulnerabilities: OWASP Top 10 Revisited

Similar documents
(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Integrity attacks (from data to code): Cross-site Scripting - XSS

Copyright

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Web Application Security. Philippe Bogaerts

C1: Define Security Requirements

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Applications Security

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Web Application Whitepaper

Web Application Threats and Remediation. Terry Labach, IST Security Team

Solutions Business Manager Web Application Security Assessment

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Your Turn to Hack the OWASP Top 10!

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Hacking Web Sites OWASP Top 10

OWASP TOP OWASP TOP

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Bank Infrastructure - Video - 1

Development*Process*for*Secure* So2ware

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Test Harness for Web Application Attacks

Application Layer Security

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Hacking by Numbers OWASP. The OWASP Foundation

Chrome Extension Security Architecture

OWASP TOP 10. By: Ilia

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

SECURITY TESTING. Towards a safer web world

Secure Development Guide

Web Applications Penetration Testing

Aguascalientes Local Chapter. Kickoff

1 About Web Security. What is application security? So what can happen? see [?]

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Certified Secure Web Application Engineer

GOING WHERE NO WAFS HAVE GONE BEFORE

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Evaluating the Security Risks of Static vs. Dynamic Websites

Web Application Penetration Testing

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

COMP9321 Web Application Engineering

F5 Big-IP Application Security Manager v11

Copyright

Managed Application Security trends and best practices in application security

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT

Exploiting and Defending: Common Web Application Vulnerabilities

Information Security. Gabriel Lawrence Director, IT Security UCSD

PRESENTED BY:

Security Communications and Awareness

F5 Application Security. Radovan Gibala Field Systems Engineer

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

CSWAE Certified Secure Web Application Engineer

Certified Secure Web Application Secure Development Checklist

Top 10 Web Application Vulnerabilities

Application vulnerabilities and defences

EasyCrypt passes an independent security audit

PRACTICAL WEB DEFENSE VERSION 1

CIS 4360 Secure Computer Systems XSS

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Web Application Security GVSAGE Theater

Vulnerabilities in online banking applications

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

V Conference on Application Security and Modern Technologies

About the OWASP Top 10

WEB SECURITY: XSS & CSRF

Certified Secure Web Application Security Test Checklist

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Simplifying Application Security and Compliance with the OWASP Top 10

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

COMP9321 Web Application Engineering

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Welcome to the OWASP TOP 10

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Information Security CS 526 Topic 8

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009


CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

Transcription:

Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and Electronic Engineering University of Cagliari, Italy 1 What is a web application? Distributed Program accross client and server systems so many interpreters involved data exchanged through the HTTP(s) protocol Each interpreter adds functionalities but also attack surface and complexity Flash Silverlight PDF Reader JavaScript Images CSS HTML Application Database HTTP(S) Client HTTP(S) server

Open Web Application Security Project International non-profit project to make web applications (web services) more secure i.e., towards confidentiality, integrity, availability of systems and data Independent, reputable source https://www.owasp.org Key goals: Awareness: knowledge of the major/common threats Testing: metodologies and tools to detect known vulnerabilities Training: how to address known vulnerabilities 3 OWASP Top 10 Project One of the most important outputs of OWASP is the TOP 10 Project The OWASP Top 10 is an awareness document that focuses on the (ten) most serious threats for web applications based primarily on data submissions from firms that specialize in application security and an industry survey that was completed by individuals New version each 3 years It may be considered as a starting point to identify the threats for your web applications First step of the risk evaluation The latest version has been produced in 2017 https://www.owasp.org/index.php/category:owasp_top_ten_2 017_Project 4

TOP 10 History 5 TOP 10-2017 vs 2013 New categories A4:2017 - XML External Entities (XXE) A8:2017 - Insecure Deserialization A10:2017 - Insufficient Logging & Monitoring Merged A5:2017 - Broken Access Control A4:2013 - Insecure Direct Object References A7:2013 - Missing Function Level Access Control Retired A8:2013 - Cross-Site Request Forgery (CSRF) A10:2013 - Unvalidated Redirects and Forwards https://www.owasp.org/index.php/top_10-2017_release_notes 6

OWASP TOP 10 In the following we present all TOP 10-2017 threats Examples and mitigation mechanisms as described in the official OWASP website We also highlight the main points for the mitigation of issues/threat vectors A1:2017 Injection Injection: the quote ( ) is a meta-character: it is internally used to separate data from (SQL) instructions 8

A1:2017 Injection Input data must be assumed as untrusted. A safe API must always keep data separate from code, and take into account the specifics of the involved interpreter(s) - meta-characters Go to main table 9 A2:2017 Broken Authentication Bruteforce attack password guessing Weak authentication credentials e.g. password easy to guess and reused Session identifiers effectively substitute authentication credentials during login. They may be stolen and used by an attacker. 10

A2:2017 Broken Authentication Strong authentication credentials: default, multifactor, complexity, expiration, recovery Protection against user impersonation attacks e.g., due to credentials theft or CSRF Protection against information gathering (e.g., account enumeration) Logging Key point (not highlighted in this slide): Unique, Safe, Server-side Authentication API triggered for any request Bruteforce attack protection Go to main table 11 A3:2017 Sensitive Data Exposure Automatic decryption Insecure data transport Insecure data storage 12

A3:2017 Sensitive Data Exposure Secure Data storage Secure Access Control Secure Data transport Go to main table 13 A4:2017 - XML External Entities (XXE) Custom Document Type Definition (DTD) DTD has an entity provided in another file The entity is printed out: content of /etc/passwd file 14

Other XML DTD attack (Billion Laughs) Parsed Character Data (generic text) https://en.wikipedia.org/wiki/billion_laughs_attack 15 A4:2017 - XML External Entities (XXE) Input data must be assumed as untrusted. A safe API must always keep data separate from code, and take into account the specifics of the involved interpreter(s) Use a less powerful API! Go to main table 16

A5:2017 Broken Access Control In both cases, data access depends on unauthenticated data 17 A5:2017 Broken Access Control Unique, Safe, Serverside Access Control API triggered for any request Default: deny If possible do not use Cross- Origin Resource Sharing (CORS) - a relaxed version of Sameorigin policy Logging Go to main table 18

A6:2017 Security Misconfiguration Forgotten applications/data Insecure default configuration 19 A6:2017 Security Misconfiguration Systematic Hardening Process Security by default Minimal functionalities (lesspowerful APIs) Go to main table Security-oriented Architecture 20

A7:2017 Cross-site scripting Injection: different meta-characters (e.g., < >) used by the browser to separate data from (HTML/Javascript) instructions 20 A7:2017 Cross-site scripting Input data must be assumed as untrusted. A safe API must always keep data separate from code, and take into account the specifics of the involved interpreter(s) - meta-characters Be aware and enforce document encoding! Go to main table Browser mitigation: allow script code only from specific domain names/paths (or completely disallow it) https://developer.mozilla.org/en- US/docs/Web/HTTP/CSP 21

A8:2017 Insecure Deserialization Input data is parsed to dynamically generate code (data structure/classes): e.g. java and php objects Well.. Actually this is an access control issue not a serialization one wrong example 22 A8:2017 Insecure Deserialization Do not use serialization. In general, it is a too powerful API. Keep data separate from code (natively) Go to main table 23

A9:2017 - Using Components with Known Vulnerabilities Web applications are more and more complex. They may use hundreds of different libraries and third-party components. A vulnerability in any component may be automatically found and exploited. E.g. struts, other (trusted) devices 25 A9:2017 - Using Components with Known Vulnerabilities Dependency/vulnerability checks must be automatized and become integral part of the software development life cycle Remove not used components Always verify the source of components Use actively mantained components Go to main table 26

A10:2017 - Insufficient Logging&Monitoring Insufficient logging/monitoring leads to worse breaches (higher attack impact) 27 A10:2017 - Insufficient Logging&Monitoring Logging relevant context allows for reducing the impact of security issues (response/remediation) Ensure Log integrity (append only) Logging and monitoring is just part of an Incident ResponsePlan Humans must be in the loop Go to main table 28

OWASP Top 10 Project - Issues Issues The OWASP TOP 10 is very useful, but somewhat confusing In the following we try to group TOP 10 entries according to their root causes security violations This allows to get a high-level view of common problems foresee and protect against attacks with the same root causes New threats Threats more relevant to your web applications 29 Information System Security Main Security Goals key aspects: authentication access control Confidentiality ensure that (sensitive) information is disclosed to authorized parties only Integrity prevent unauthorized modification of data (data integrity), including system code and (ab)use of system functionalities (system integrity) Availability guarantee that data and services can be accessed (in a reasonable time) by authorized parties when requested NOTE: Violations in one category may enable violations in any other category! Examples: Password theft (confidentiality violation) may allow attackers to perform unhauthorized modifications of user data (data integrity violation) A buffer overflow attack (system integrity violation) may allow attackers to gather private data (confidentiality violation) 30

Information System Security Meta-Security Goals mitigate the impact/risk of security violations Monitoring keep track of security-relevant events, such as authentications, accesses, data modifications, system performance, detected attacks/errors/anomalies. Response counteract against detected security violations and remediate (incident response plan) Remember: Security is a risk management process and Humans are always in the loop! 31 Information System Security - Objectives MONITORING RESPONSE CONFIDENTIALITY INTEGRITY AVAILABILITY AUTHENTICATION ACCESS CONTROL TOP 10 Classification 32

TOP 10 Threats and Security Violations TOP 10 Threat Security Violation A1:2017 Injection Integrity (DataàCode) A2:2017 - Broken Authentication Authentication A3:2017 Sensitive Data Exposure Confidentiality A4:2017 - XML External Entities (XXE) Integrity (DataàCode) A5:2017 - Broken Access Control Access Control A6:2017 - Security Misconfiguration Any A7:2017 - Cross-Site Scripting (XSS) Integrity (DataàCode) A8:2017 - Insecure Deserialization Integrity (DataàCode) A9:2017 - Using Components with Known Vulnerabilities Any A10:2017 - Insufficient Logging & Monitoring Monitoring Back to Security Objectives OWASP TOP 10 Integrity Violations Data à Instruction A1:2017 InjectionMONITORING A4:2017 - XML External Entities (XXE) A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A10:2013 - Unvalidated Redirects and Forwards A6:2010 - Malicious File Execution A5:2004 - Buffer Overflows THREAT VECTORS CONFIDENTIALITY RESPONSE INTEGRITY AVAILABILITY AUTHENTICATION ACCESS CONTROL 34

TOP 10 OWASP - Integrity Violations Unauthorized modification of data and (ab)use of system functionalities Manipulating data, the attacker can exploit unexpected system functionalities or abuse expected ones The attacker (ab)uses system functionalities. Unexpected functionalities are often raised by exploiting interpreter vulnerabilities, so that input data is erroneously interpreted as code data and code are carried in the same channel! In this category fall the following TOP 10 attacks: A1:2017 Injection A4:2017 - XML External Entities (XXE) A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A10:2013 - Unvalidated Redirects and Forwards A6:2010 - Malicious File Execution A5:2004 - Buffer Overflows 35 TOP 10 OWASP - Integrity Violations Input Data is wrongly/arbitrarily interpreted as Database Query (typical), OS command, LDAP, others A1:2017 Injection XML instruction A4:2017 - XML External Entities (XXE) JavaScript instruction A7:2017 Cross-site Scripting (XSS) Ad-hoc interpreter A8:2017 Insecure Deserialization Browser instruction A10:2013 Unvalidated Redirects and Forwards Assembly instruction A5:2004 Buffer Overflows Web Application Interpreter A6:2010 Malicious File Execution Preventing dataàcode attacks requires keeping data separate from instructions (safe API) 36

From Data to Code - Integrity Violations Interpreters widespread accross client and server systems may be really complex may interact to each other Each interpreter adds attack surface and complexity Flash Silverlight PDF Reader JavaScript Images CSS HTML Application Database HTTP(S) Client HTTP(S) server 37 OWASP TOP 10 Generic Threat Vectors MONITORING RESPONSE Generic Threat Vectors A9:2017 - Using Components with Known Vulnerabilities A6:2017 - Security Misconfiguration THREAT VECTORS CONFIDENTIALITY INTEGRITY AVAILABILITY AUTHENTICATION ACCESS CONTROL 38

OWASP TOP 10 Authentication MONITORING RESPONSE A8:2013-Cross-site Request Forgeries THREAT VECTOR CONFIDENTIALITY INTEGRITY AVAILABILITY A2:2017-Broken Authentication AUTHENTICATION ISSUES ACCESS CONTROL 39 OWASP TOP 10 Confidentiality MONITORING RESPONSE A3:2017 Sensitive Data Exposure CONFIDENTIALITY ISSUES INTEGRITY AVAILABILITY AUTHENTICATION ACCESS CONTROL 40

OWASP TOP 10 Access Control MONITORING RESPONSE CONFIDENTIALITY INTEGRITY A5:2017 - Broken Access Control AVAILABILITY AUTHENTICATION ISSUES ACCESS CONTROL 41 OWASP TOP 10 Availability MONITORING RESPONSE CONFIDENTIALITY INTEGRITY AVAILABILITY ISSUES A9:2004-Denial Of Service AUTHENTICATION ACCESS CONTROL 42

OWASP TOP 10 Monitoring MONITORING RESPONSE ISSUES A10:2017 - Insufficient Logging & Monitoring CONFIDENTIALITY INTEGRITY AVAILABILITY AUTHENTICATION ACCESS CONTROL 43 In the next lessons We will dig into some of the most popular and threatening web attack techniques Most of them (but not all) are in the TOP10 OWASP 2017 Practical sessions with Real-world web services OWASP BWA 1. Download Virtualbox https://www.virtualbox.org/ 2. Download the OVA archive https://sourceforge.net/projects/owaspbwa/files/1.2/ 3. Import the OVA archive into VirtualBox

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback