Web App Security - OWASP Top 10 2013

Transcript

1. Web Application Security

2. Hi, I’m Driss @drams88 https://speakerdeck.com/drissamri

3. None
4. None

5. Internally developed Commercial Open Source Applications by Supplier Type

6. Open Web Application Security Project (OWASP) Top 10 Cheat Sheets

   Development guides ESAPI - Security API WebGoat - JEE web application Zed Attack Proxy - Penetration testing

7. A1 - Injection A2 - Broken Auth. & Session Management

   A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects and Forwards OWASP Top 10 - 2013 The Ten Most Critical Web Application Security Risks

8. A1 - Injection “Financial injection” - @Doug88888, http://www.flickr.com/photos/doug88888/4561376850/

9. SELECT * FROM Users WHERE username = ‘“ + userName

   + “‘; SQL Injection tobbawi SELECT * FROM Users WHERE username = ‘tobbawi’; QUERY INPUT RESULT SELECT * FROM Users WHERE username = ‘tobbawi' OR 'a' = 'a’; tobbawi’ OR 'a' = 'a INPUT RESULT

10. String query = “SELECT * FROM Users WHERE name =

    ?”; PreparedStatement statement = connection.prepareStatement(query); statement.setString(1, userName); String query = “SELECT * FROM USERS WHERE name = :userName”; TypedQuery<User> query = em.createQuery(query , User.class); query.setParameter(“userName”, userName) SQL Injection

11. XML External Entity (XXE) Processing <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE request

    [ <!ENTITY include SYSTEM “file=/etc/passwd" > ]> <request> <description> &include; </description> ... </request> root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/

12. XML External Entity (XXE) Processing Do not include external entities

    by setting this feature to false String FEATURE = "http://xml.org/sax/features/external-general-entities"; dbf.setFeature(FEATURE, false); Disallow an inline DTD by setting this feature to true String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; dbf.setFeature(FEATURE, true);

13. A2 - Broken Auth. & Session Management “Lion secured” -

    ericmcgregor, http://www.flickr.com/photos/ericmcgregor/103895441/

14. Password management Credentials in Transit Session Protection Browser Caching Trust

    Relationships

15. Servlet 3.0

16. None

17. Level 0: No Plaintext Anywhere

18. Level 1: Don’t Just Hash It

19. Level 2: Salt it!

20. Level 3: Computational Cost

21. Level 4: Encryption

22. Level 5: Distributed Data Storage

23. A3 - XSS

24. victim is the application user malicious content delivered to users

    using JavaScript

25. Stored XSS Attacks (Persistent, Type-I XSS)

26. Stored XSS Attacks (Persistent, Type-I XSS)

27. Reflected XSS Attacks (Non-Persistent, Type-II XSS)

28. Reflected XSS Attacks (Non-Persistent, Type-II XSS)

29. “HTML5 broke my XSS filter!” Validate user input • Use

    a whitelist • Business validation checks Output encoding • Encode user data so it isn’t treated as markup Input filtering • Strip dangerous characters and tags from user data

30. 1;--<?f><x:!μ!:x\/style=`b&#x5c;65h\0061vio\r:url (#def&#x61ult#time2)';'`/onbegin=&#x5b�=\u00&#0 54;1le&#114t&#40&#x31)&#x5d&#x2f/&#xy,z\>

31. [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+ []]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+ (!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]]) [+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+ [+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([] [(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]] +(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+ []]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!! []+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+ [])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!

    +[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+ []+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+ [+[]]])() alert(1)

32. <style> p { color: {{USER_COLOR}} ; } </style> <p> Hello

    {{USER_NAME}}, view your <a href=”{{USER_URL}}“>Account</a>. </p> <script> var id = {{USER_ID}}; </script> <!-- DEBUG {{INFO}} -->

33. https://github.com/chrisisbeef/jquery-encoder

34. Content-Security-Policy New browser feature for mitigating XSS and data-injection attacks

    1.0 W3C Candidate Recommendation (1.1 underway) Whitelists "safe" script hosts Content-Security-Policy HTTP header

35. Content-Security-Policy default-src ‘none’; style-src: https://www.opt.is; frame-src https://www.youtube.com https://www.speakerdeck.com; script-src https://www.opt.is

    https://ssl.google-analytics.com; img-src ‘self’ https://www.opt.is; font-src https://www.opt.is; report-uri https://www.opt.is/csp-violation

36. Content-Security-Policy: Chrome 25+, Firefox 23.0+, Opera 15+ X-WebKit-CSP: Chrome 25,

    Safari 5.1+ X-Content-Security-Policy: Firefox 22.0, Internet Explorer 10+* http://www.html5rocks.com/en/tutorials/security/content-security-policy/

37. • X-Frame-Options: DENY • Content-Security-Policy: … • X-XSS-Protection: 1; mode=block

    • X-Content-Type-Options: nosniff HTTP Headers https://securityheaders.com/

38. A4 - Insecure Direct Object References “Parallel lines” - theilr,

    http://www.flickr.com/photos/90863480@N00/10268837315/

39. Avoid exposing your private object references Validate any private object

    references Verify authorization to all references objects

40. A5 - Security Misconfiguration “Unlocked” - BlakJakDavy, http://www.flickr.com/photos/74221558@N00/3653039689/

41. Apply software updates Disable unnecessary features Disable default accounts Don’t

    reveal stack traces

42. A6 - Sensitive Data Exposure “Watching YouTube” - Hero ♪,

    http://www.flickr.com/photos/60507644@N06/9677923769/

43. No data stored in clear text Don’t transmit in clear

    text Weak crypto algorithms & keys Don’t store sensitive data unnecessarily Disable auto-complete and caching

44. A7 - Missing Function Level Access Control “Escape artist” -

    Amanda Tipton, http://www.flickr.com/photos/34039290@N06/7454420422/

45. Deny all by default Authorization not (only) on front-end

46. A8 - Cross-Site Request Forgery “Rustic 'Throne'” - RightBrainPhotography, http://www.flickr.com/photos/21757951@N00/2291533525/

47. POST /transfer HTTP/1.1 Host: bank.example.com Cookie: JSESSIONID=randomid; Domain=bank.example; HttpOnly Content-Type:

    application/x-www-form-urlencoded amount=100.00&routingNumber=1234&account=9876 <form action="https://bank.example.com/transfer" method="post"> <input type="hidden" name="amount" value="100.00"/> <input type="hidden" name="routingNumber" value="evilsRoutingNumber" /> <input type="hidden" name="account" value="evilsAccountNumber"/> <input type="submit" value="Win Money!'/> </form>

48. CSRF tokens ▪ Spring Security 3.2 <http …> <csrf />

    </http> Use proper HTTP Verbs Synchronizer Token Pattern

49. A9 - Using Components with Known Vuln. “Sharp edged view”

    - lucymagoo_images, http://www.flickr.com/photos/lucymagoo/9286276021/

50. Apache CXF Authentication Bypass Spring Remote Code Execution Struts2 Remote

    Code Execution

51. Common Vulnerabilities and Exposures http://cve.mitre.org/ https://github.com/jeremylong/DependencyCheck National Vulnerability Database http://nvd.nist.gov/home.cfm

    mvn versions:display-dependency-updates

52. A10 - Unvalidated Redirects and Forwards “One Almond Tree Under

    the Storm” - DavidFrutos, http://www.flickr.com/photos/davidfe2/5546540291/lightbox/

53. Review all redirects and forwards Spider site for redirects

54. None

55. Developer awareness Software Development Lifecycle (SDLC) Security automation

56. None