Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Similar documents
Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Web Application Security. Philippe Bogaerts

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

OWASP TOP 10. By: Ilia

Your Turn to Hack the OWASP Top 10!

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP


Certified Secure Web Application Engineer

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

CSWAE Certified Secure Web Application Engineer

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Application Layer Security

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

CSCD 303 Essential Computer Security Fall 2017

CIS 4360 Secure Computer Systems XSS

P2_L12 Web Security Page 1

Web Application Threats and Remediation. Terry Labach, IST Security Team

Robust Defenses for Cross-Site Request Forgery Review

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

SECURITY TESTING. Towards a safer web world

Web Application Penetration Testing

Copyright

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Domino Web Server Security

Solutions Business Manager Web Application Security Assessment

TIBCO Cloud Integration Security Overview

WebGoat Lab session overview

CSCD 303 Essential Computer Security Fall 2018

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Exploiting and Defending: Common Web Application Vulnerabilities

COMP9321 Web Application Engineering

GOING WHERE NO WAFS HAVE GONE BEFORE

Secure Coding, some simple steps help. OWASP EU Tour 2013

Securing ArcGIS Services

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Introductions. Jack Katie

Application vulnerabilities and defences

Secure Programming Techniques

C1: Define Security Requirements

COMP9321 Web Application Engineering

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

SECURE CODING ESSENTIALS

1 About Web Security. What is application security? So what can happen? see [?]

Web Vulnerabilities. And The People Who Love Them

Aguascalientes Local Chapter. Kickoff

Secure Development Guide

Securing ArcGIS Server Services An Introduction


COMP9321 Web Application Engineering

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

CSCE 813 Internet Security Case Study II: XSS

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

Web Application Vulnerabilities: OWASP Top 10 Revisited

Applications Security

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Web Applications Penetration Testing

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Welcome to the OWASP TOP 10

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

WEB SECURITY: XSS & CSRF

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Backend IV: Authentication, Authorization and Sanitization. Tuesday, January 13, 15

Sichere Software vom Java-Entwickler

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

CPET 499/ITC 250 Web Systems Chapter 16 Security. Topics

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

PRESENTED BY:

Curso: Ethical Hacking and Countermeasures

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Evaluating the Security Risks of Static vs. Dynamic Websites

Securing Internet Communication: TLS

EXPLOITING CLOUD SYNCHRONIZATION TO HACK IOTS

Information Security CS 526 Topic 8

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

DreamFactory Security Guide

Security Best Practices. For DNN Websites

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

Information Security CS 526 Topic 11

CSE484 Final Study Guide

Transcription:

Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14

OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents. Open public meetings & events. There 10 top lists the current biggest web threats.

But First: Apple s TLS Bug 1. C S : N C 2. S C : N S, Cert S 3. C S : E S (K_seed), {Hash1} K CS 4. S C : {Hash2} K CS Hash 1 = #(N C,N S, E S (K_seed)) Hash 2 = #(N C,N S, E S (K_seed), {Hash1} K CS ) K CS is a session key based on N C, N S & K_seed,

TLS vs TLS-DHE 1. C S : N C 2. S C : N S, Cert S 3. C S : E S (K_seed), {#(All previous messages)} K CS 4. S C : {#(All previous messages)} K CS 1. C S : N C 2. S C : N S, g x, Cert S, SignS(#(N C,N S,g x )) 3. C S : g y, {#(All previous messages)} K CS 4. S C : {#(All previous messages)} K CS K CS is a session key based on N C, N S & g xy,

Apple s TLS-DHE 1. C S : N C 2. S C : N S, g x, Cert S, True 3. C S : g y, {#(All previous messages)} K CS 4. S C : {#(All previous messages)} K CS K CS is a session key based on N C, N S & g xy,

Simple MITM attack: 1. C S : N C 2. S E(C) : N S, g x, Cert S, Sign S (#(N C,N S,g x )) 2. E(S) C : N S, g z, Cert S, Sign S (#(N C,N S,g x )) 3. C E(S) : g y, {#(messages)} K CS1 4. E(S) C : {#(messages)} K CS1 3. E(C) S : g w, {#(messages)} K CS2 4. S E(C) : {#(messages)} K CS2 K CS1 is a session key based on N C, N S & g zy, K CS2 is a session key based on N C, N S & g xw,

Major issues ios fixed days before Mac OS! Why didn t tests pick this up? Compiler should warned of unreachable code. Bad programming style: no brackets, goto: http://xkcd.com/292/

OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents. Open public meetings & events. There 10 top lists the current biggest web threats.

A1: Injection Server side command injection, e.g., SQL injection. Not just SQL injection, any command language can be injected. E.g. PHP, shell commands, XML processing commands,

A2: Broken Auth. Many web developers implement their own log in systems. Often broken, e.g. No session time outs. Passwords not hashed E.g. password shame list.

A3: XXS Cross Side Scripting attacks, as discussed. A1 injection is command injection on the server side. This is JavaScript injection on the client side.

A4: Insecure Direct Object Reference Problem: the server trusts the client to request only the resources it should. E.g. http://site.com/view?user=alice! which we could replace with:! http://site.com/view?user=bob! Also common with cookie values.!

Path Transversal The user can type anything they want into the URL bar, or even form the request by hand. http://nameofhost/../../../etc/shadow If the webserver is running with root permission this will give me the password file.

Path Transversal: Fix Use access control settings to stop Path Transversal. Best practice, make a specific user account for the webserver. Only give that account access to public files.

A5: Security Misconfiguration Make sure your security settings don t give an attacker an advantage, e.g. Error Messages: should not be made public. Directory Listings: It should not be possible to see the files in a directory. Admin panels should not be publically accessible.

A6: Sensitive Data Exposure All sensitive data should be protected at all times. Is SSL used everywhere? Credit card numbers not encrypted: CC no. should be encrypted in database. PHP page should decrypt these, if needed. This means that the hacker needs to attack the page and the database.

A7: Missing Function Level Access Control Query strings are used to tell dynamic webpages what to do http://mywebshop.com/index.php? account=tpc&action=add http://mywebshop.com/index.php? account=tpc&action=show What if the attacker tries: http://mywebshop.com/index.php? account=admin&action=delete

URL hacking The user can type anything they want into the URL bar, or even form the request by hand. http://nameofhost/filepath Attacker can try to guess filenames, Guessable directory names will be found.

Fix No security through obscurity Never rely on just the URL request for authentication. E.g. Use cookies to control access.

A8: CSRF Cross-Site Request Forgery (CSRF) As discussed earlier. Defend against by using unique token in the hidden field of important forms.

A9: Using Components with Known Vulnerabilities If a new security patch comes out has it been applied? A patch might require you to bring down the site and so lose money. Or it might even break your website. Is it worth applying the patch?

A10: Invalidated Redirects and Forwards If attackers can forward a user to another page then they can use it for: Phishing (e.g. a fake log in page) Ad Fraud. Launch exploits on browser. Not a major threat (IMHO).

Conclusion To secure a website you need to know how it works: How clients request resources. How clients are authenticated. How HTTP and webservers work. Errors are often down to bad app logic Always sanitize everything.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback