OWASP TOP 10. By: Ilia

Similar documents
Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Web Application Security. Philippe Bogaerts

Business Logic Security

Solutions Business Manager Web Application Security Assessment

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Your Turn to Hack the OWASP Top 10!

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

TIBCO Cloud Integration Security Overview

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Web Application Vulnerabilities: OWASP Top 10 Revisited

GOING WHERE NO WAFS HAVE GONE BEFORE

SECURE CODING ESSENTIALS

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Application vulnerabilities and defences

1 About Web Security. What is application security? So what can happen? see [?]

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Aguascalientes Local Chapter. Kickoff

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

CSCE 813 Internet Security Case Study II: XSS

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Copyright

Introductions. Jack Katie

Exploiting and Defending: Common Web Application Vulnerabilities

SECURITY TESTING. Towards a safer web world


Welcome to the OWASP TOP 10

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

CIS 4360 Secure Computer Systems XSS

C1: Define Security Requirements

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Sichere Software vom Java-Entwickler

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

eb Security Software Studio

Certified Secure Web Application Engineer


WEB SECURITY: XSS & CSRF

Web Application Penetration Testing

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

P2_L12 Web Security Page 1

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS

NET 311 INFORMATION SECURITY

COMP9321 Web Application Engineering

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Development Security Guide Oracle Banking Virtual Account Management Release July 2018

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Application Layer Security

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Web Security. Web Programming.

Secure Development Guide

Web Application Whitepaper

Development Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018]

Web Application Security

Web Application Threats and Remediation. Terry Labach, IST Security Team

Web Applications Penetration Testing

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Ruby on Rails Secure Coding Recommendations

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

RKN 2015 Application Layer Short Summary

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

WHY CSRF WORKS. Implicit authentication by Web browsers

The Top 6 WAF Essentials to Achieve Application Security Efficacy

EasyCrypt passes an independent security audit

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Domino Web Server Security

Web Vulnerabilities. And The People Who Love Them

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

CSE 127 Computer Security

Robust Defenses for Cross-Site Request Forgery Review

INNOV-09 How to Keep Hackers Out of your Web Application

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Web Security: Web Application Security [continued]

Client Side Injection on Web Applications

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Cyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA

Scan Report Executive Summary

CS 161 Computer Security

6-Points Strategy to Get Your Application in Security Shape

Large Scale Generation of Complex and Faulty PHP Test Cases

Dell SonicWALL Secure Mobile Access 8.5. Web Application Firewall Feature Guide

Transcription:

OWASP TOP 10 By: Ilia Alshanetsky @iliaa

ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado

WEB SECURITY

THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-)

OPEN WEB APPLICATION SECURITY PROJECT A set of best practices and recommendations around making web applications more secure General database of common vulnerability vectors A good place to keep yourself up-to-date on security Not a Bible

THE TOP 10

INJECTION xkcd.com

WHAT NOT TO DO // $_POST['login'] = "login"; $pdo->query("select * from users WHERE login={$_post['login']} AND password={$_post['pwd']}"); // $_POST['login'] = "' OR 1=1; --"; $pdo->query("select * from users WHERE login='{$_post['login']}' AND password='{$_post['pwd']}'"); // $_POST['login'] = chr(0xbf). chr(0x27). " OR 1=1; -- ; // 0xbf27 + addslashes() == 0xbf5c27 == 뽜 + "'" $pdo->query("select * from users WHERE login='". addslashes($_post['login']). "' AND password='".addslashes($_post['pwd'])."'"); $pdo->query("select * from users WHERE login='". $pdo->quote($_post['login']). "' AND password='".$pdo->quote($_post['pwd'])."'"); http://hakipedia.com/index.php/sql_injection

PREVENT INJECTION For databases use prepared statements White list inputs whenever possible Sanitize inputs (use filter extension) Don t trust and always verify!

BROKEN AUTHENTICATION & SESSION MANAGEMENT

MITIGATION Enforce strong password policy Require periodic reset of password Use 2 factor authentication Use SSL and secure flag on cookies Don t forget about auto-logout Don t neglect failed-login detection & tracking

SESSION SECURITY Don t trust new session ids (session_regenerate_id(true)) Use unique session names (not PHPSESSID) Only use httponly cookies Ensure true randomness for session ids

CROSS SITE SCRIPTING -XSS Attacker posts content that contains embedded JavaScript that is stored by vulnerable application. User s browser renders the page and executes injected script User visits the compromised site that transmits expected content along with injected script User s data is transmitted to the attacking party

PROTECT YOURSELF Use filter extension to filter inputs Ensure that outputs are HTML encoded Don t reinvent the wheel Don t consider any part of the request as being safe

INSECURE DIRECT OBJECT REFERENCES

PREVENTION Low level access controls Prevent user input in file/url access commands No unsanitized input to execution commands (escapeshellarg() for arguments) Non-white-list input shouldn t dictate logic

SECURITY MISCONFIGURATION

MORE SPECIFICALLY Usage of default, un-secure settings Not disabling initial accounts (especially those with admin rights) Failure to apply latest security patches Leaving un-used functions/modules enabled Exposed error handling Keeping upgrade scripts in accessible directories

PREVENTION > CURE Perform periodic security checks using automated tools STATIC CODE ANALYSIS NMAP EXTERNAL VULNERABILITY SCANNERS DISTRO PACKAGE SECURITY CHECKS

SENSITIVE DATA EXPOSURE

SOME EXAMPLES Exposed PHP error messages Non-web related files stored inside web-root Application version exposure Un-encrypted sensitive data storage Not using SSL

MISSING FUNCTION LEVEL ACCESS CONTROL

WTF?? Valid input processing without access controls Reliance on hidden fields for record identifiers Decentralized access control layer JavaScript driven access controls

CROSS-SITE REQUEST FORGERY (CSRF) Attacker tricks the user into following a link to a trusted site with vulnerable payload User s data is transmitted to the attacking party User visits the compromised site that renders desired content along with compromised payload

PREVENTION Don t perform data changes on GET Use secure (csrf) tokens for POST Dynamic Field Names

USING COMPONENTS WITH KNOWN VULNERABILITIES Using old vulnerable software Not keeping libraries up-to-date *cough*openssl*cough* Forgetting to update JavaScript libraries

THE CURE On server do routine checks for software with known exploits Keep libraries up-to-date Compare utilized software versions to those listed on http://cve.mitre.org/

UNVALIDATED REDIRECTS AND FORWARDS Header Injection JavaScript Parameter Injection Reliance on HTTP_REFERER

THANK YOU FOR LISTENING Slides - http://ilia.ws @iliaa Feedback @ https://joind.in/15177

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback