Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Similar documents
OWASP Top 10 The Ten Most Critical Web Application Security Risks

Web Application Security. Philippe Bogaerts

Aguascalientes Local Chapter. Kickoff

Copyright

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

C1: Define Security Requirements

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Simplifying Application Security and Compliance with the OWASP Top 10

Application vulnerabilities and defences

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Security Testing White Paper

CIS 4360 Secure Computer Systems XSS

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Your Turn to Hack the OWASP Top 10!

P2_L12 Web Security Page 1

Certified Secure Web Application Engineer

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Top 10 Web Application Vulnerabilities

CSWAE Certified Secure Web Application Engineer

OWASP TOP OWASP TOP

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Securing Your Company s Web Presence

Exploiting and Defending: Common Web Application Vulnerabilities

Web Application Vulnerabilities: OWASP Top 10 Revisited

Solutions Business Manager Web Application Security Assessment

CSCE 813 Internet Security Case Study II: XSS

Welcome to the OWASP TOP 10

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Application Layer Security

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Web Application Penetration Testing

1 About Web Security. What is application security? So what can happen? see [?]

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Robust Defenses for Cross-Site Request Forgery Review

Evaluating the Security Risks of Static vs. Dynamic Websites

ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation


Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Web Application Whitepaper

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

F5 Application Security. Radovan Gibala Field Systems Engineer

Secure Development Guide

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well

The security of Mozilla Firefox s Extensions. Kristjan Krips

Presentation Overview

SECURITY TESTING. Towards a safer web world

A (sample) computerized system for publishing the daily currency exchange rates

Vidder PrecisionAccess

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

OWASP Top Dave Wichers OWASP Top 10 Project Lead OWASP Board Member COO/Cofounder, Aspect Security

Webomania Solutions Pvt. Ltd. 2017

Dell SonicWALL Secure Mobile Access 8.5. Web Application Firewall Feature Guide


Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Sichere Software vom Java-Entwickler

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

AN E-GOVERNANCE WEB SECURITY AUDIT Deven Pandya 1, Dr. N. J. Patel 2 1 Research Scholar, Department of Computer Application

GOING WHERE NO WAFS HAVE GONE BEFORE

INNOV-09 How to Keep Hackers Out of your Web Application

Becoming the Adversary

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Development*Process*for*Secure* So2ware

Domino Web Server Security

Test Harness for Web Application Attacks

Web Applications Penetration Testing

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Frontline Techniques to Prevent Web Application Vulnerability

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Making the web secure by design

WEB SECURITY: XSS & CSRF

Best Practices Guide to Electronic Banking

CIT 380: Securing Computer Systems. Web Security II

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Web security: an introduction to attack techniques and defense methods

HP 2012 Cyber Security Risk Report Overview

OWASP TOP 10. By: Ilia

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Vulnerabilities in online banking applications

Transcription:

OWASP Top 10

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing and not just leave it to the pen testers

The traditional security areas of concern are: Confidentiality Integrity Availability Accountability. Security is dependent on context different organisations have different needs.

Physical doors, walls, locks etc. Network OS, network, firewalls etc. Application software at the application layer Perceived vs. Actual security Security theater FUD Fear Uncertainty & Doubt Absolutism nothing is totally secure

Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.

The term Threat Agent is used to indicate an individual or group that can manifest a threat. It is fundamental to identify who would want to exploit the assets of a company, and how they might use them against the company. Attack Vector Control Technical Business Threat Agents

Attacks are the techniques that attackers use to exploit the vulnerabilities in applications. Attack Vector Control Technical Business Threat Agents

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. The term "vulnerability" is often used very loosely. Attack Vector Control Technical Business Threat Agents

Controls are defensive technologies or modules that are used to detect, deter, or deny attacks. A weakness or design flaw of a control, or the lack of a necessary controls results in a vulnerability that can make the application susceptible to attacks. Attack Vector Control Technical Business Threat Agents

A technical impact is the system damage that results from a successful security breach. This is just the effect on the technology, not the business. Attack Vector Control Technical Business Threat Agents

A business impact is the impact to a business that results from a successful attack. Generally this is in terms of money, lives, reputation, customers, or speed. The business risk is what justifies investment in fixing security problems. Attack Vector Control Technical Business Threat Agents

Attack Vector Control Business Attack Vector Control Technical Business Threat Agents Attack Vector Control Technical Business Control A threat agent detects a weakness in the application and its controls. The agent launches an attack that causes both technical and business impacts.

OWASP provide a list of the top ten risks. The names of the risks in the Top 10 stem from the type of attack, the type of weakness, or the type of impact they cause. OWASP chose the name that is best known and will achieve the highest level of awareness. The primary aim of the OWASP Top 10 is to educate.

The basic standard risk model is Risk = Likelihood * Impact The OWASP approach used in this document is based on standard methodologies and is customized for application security.

Injection flaws, such as SQL, OS, and LDAP injection, occur when un- trusted data is sent to an interpreter as part of a command or query. The attacker s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. Threat Agents Attack Vector Technical Business Exploitability EASY Prevalence COMMON detectability AVERAGE Impact SEVERE

http://iona.net.nz/leavemsg.asp http://iona.net.nz/leavemsgpost.asp LeaveMsg.asp confirmmsg.asp Email.asp Allows user to enter a message for the bank Only one message per user at a time Saves message into queue (form s target) Confirms message saved Generates HTML for email to user

http://xkcd.com/327/

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users identities. Threat Agents Attack Vector Technical Business Exploitability AVERAGE Prevalence COMMON detectability AVERAGE Impact SEVERE

XSS flaws occur whenever an application takes un- trusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Threat Agents Attack Vector Technical Business Exploitability AVERAGE Prevalence VERY WIDESPREAD detectability EASY Impact MODERATE

http://iona.net.nz/leavemsgpost.asp LeaveMsgPost.asp confirmmsg.asp Allows user to enter a message for the bank Only one message per user at a time Form uses Post Method Saves message into queue (form s target) Confirms message saved XSS Me Cross Site Scripting checker

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. Threat Agents Attack Vector Technical Business Exploitability EASY Prevalence COMMON detectability EASY Impact MODERATE

Example Ecan bus website http://www.stuff.co.nz/the- press/news/transport/ 9386649/ECan- public- transport- card- hacked Demo of how you might have hacked the site using the command line and Excel My card number is 733731 and I can see my balance at http://iona.net.nz/bus.asp?id=733731

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. Threat Agents Attack Vector Technical Business Exploitability EASY Prevalence COMMON detectability EASY Impact MODERATE

http://www.defaultpassword.com

Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes. Threat Agents Attack Vector Technical Business Exploitability DIFFCULT Prevalence UNCOMMON detectability AVERAGE Impact SEVERE

Not all users should have access to all functions. Sometimes, function level protection is managed via configuration, and the system is misconfigured or sometimes, developers forget to include the proper checks. Threat Agents Attack Vector Technical Business Exploitability EASY Prevalence UNCOMMON detectability AVERAGE Impact MODERATE

A CSRF attack forces a logged- on victim s browser to send a forged HTTP request, including the victim s session cookie and any other automatically included authentication information, to a vulnerable web application. This forces the victim s browser to generate requests application thinks are legitimate. Threat Agents Attack Vector Technical Business Exploitability AVERAGE Prevalence WIDESPREAD detectability EASY Impact MODERATE

Login.asp User logs in and is given session cookie User opens another page in new browser tab img tab sends request on behalf of user to one of routers CGI pages Router system processes message as if it was a user request.

Virtually every application has these issues because most development teams don t focus on ensuring their components/libraries are up to date. In many cases, the developers don t even know all the components they are using, never mind their versions. Component dependencies make things even worse. Threat Agents Attack Vector Technical Business Exploitability AVERAGE Prevalence WIDESPREAD detectability DIFFICULT Impact MODERATE

Web applications frequently redirect and forward users to other pages and websites, and use un- trusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. Threat Agents Attack Vector Technical Business Exploitability AVERAGE Prevalence UNCOMMON detectability EASY Impact MODERATE

http://iona.net.nz/home.asp Home.asp Link to site in email User is not logined in User is not logined in redirect redirect tto o llogin.asp ogin.asp Login.asp Login.asp User logs in and is User logs in and is given given ssession ession ccookie ookie Home.asp This time logged in Surprise!

The OWASP Top 10 is a place to start. It does not define all the possible threats. The Top 10 s roll is to educate and provide an introduction a number of critical threats. Testing for weaknesses does not provide as much assurance as having a secure development lifecycle. Build security in don t bolt it on.

Firebug https://getfirebug.com HttpFox https://addons.mozilla.org/en- US/firefox/addon/httpfox Tamper Data https://addons.mozilla.org/en- US/firefox/addon/tamper- data XSS Me https://addons.mozilla.org/en- US/firefox/addon/xss- me HackBar https://addons.mozilla.org/en- US/firefox/addon/hackbar

Login.asp Access for authorised users admin admin or user password Home.asp Home of piggy bank s Intranet LeaveMsg.asp Leave a message (GET) LeaveMsgPost.asp - Leave a message (POST) ConfirmMsg.asp confirms message Email.asp generates HTML for email DisplayMsg.asp Banks view of waiting messages Base URL http://iona.net.nz/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback