Web App Security - OWASP Top 10 2013

Web Application Security

Hi, I’m Driss @drams88 https://speakerdeck.com/drissamri

Internally developed Commercial Open Source Applications by Supplier Type

Open Web Application Security Project (OWASP) Top 10 Cheat Sheets
Development guides ESAPI - Security API WebGoat - JEE web application Zed Attack Proxy - Penetration testing

A1 - Injection A2 - Broken Auth. & Session Management
A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects and Forwards OWASP Top 10 - 2013 The Ten Most Critical Web Application Security Risks

A1 - Injection “Financial injection” - @Doug88888, http://www.flickr.com/photos/doug88888/4561376850/

SELECT * FROM Users WHERE username = ‘“ + userName
+ “‘; SQL Injection tobbawi SELECT * FROM Users WHERE username = ‘tobbawi’; QUERY INPUT RESULT SELECT * FROM Users WHERE username = ‘tobbawi' OR 'a' = 'a’; tobbawi’ OR 'a' = 'a INPUT RESULT

String query = “SELECT * FROM Users WHERE name =
?”; PreparedStatement statement = connection.prepareStatement(query); statement.setString(1, userName); String query = “SELECT * FROM USERS WHERE name = :userName”; TypedQuery<User> query = em.createQuery(query , User.class); query.setParameter(“userName”, userName) SQL Injection

XML External Entity (XXE) Processing <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE request
[ <!ENTITY include SYSTEM “file=/etc/passwd" > ]> <request> <description> &include; </description> ... </request> root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/

XML External Entity (XXE) Processing Do not include external entities
by setting this feature to false String FEATURE = "http://xml.org/sax/features/external-general-entities"; dbf.setFeature(FEATURE, false); Disallow an inline DTD by setting this feature to true String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; dbf.setFeature(FEATURE, true);

A2 - Broken Auth. & Session Management “Lion secured” -
ericmcgregor, http://www.flickr.com/photos/ericmcgregor/103895441/

Password management Credentials in Transit Session Protection Browser Caching Trust
Relationships

Servlet 3.0

Level 0: No Plaintext Anywhere

Level 1: Don’t Just Hash It

Level 2: Salt it!

Level 3: Computational Cost

Level 4: Encryption

Level 5: Distributed Data Storage

A3 - XSS

victim is the application user malicious content delivered to users
using JavaScript

Stored XSS Attacks (Persistent, Type-I XSS)

Reflected XSS Attacks (Non-Persistent, Type-II XSS)

“HTML5 broke my XSS filter!” Validate user input • Use
a whitelist • Business validation checks Output encoding • Encode user data so it isn’t treated as markup Input filtering • Strip dangerous characters and tags from user data

1;--<?f><x:!μ!:x\/style=`b\65h\0061vio\r:url (#def&#x61ult#time2)';'`/onbegin=&#x5b�=\u00&#0 54;1le&#114t&#40&#x31)&#x5d&#x2f/&#xy,z\>

[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+ []]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+ (!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]]) [+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+ [+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([] [(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]] +(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+ []]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!! []+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+ [])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!
+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+ []+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+ [+[]]])() alert(1)

https://github.com/chrisisbeef/jquery-encoder

Content-Security-Policy New browser feature for mitigating XSS and data-injection attacks
1.0 W3C Candidate Recommendation (1.1 underway) Whitelists "safe" script hosts Content-Security-Policy HTTP header

Content-Security-Policy default-src ‘none’; style-src: https://www.opt.is; frame-src https://www.youtube.com https://www.speakerdeck.com; script-src https://www.opt.is
https://ssl.google-analytics.com; img-src ‘self’ https://www.opt.is; font-src https://www.opt.is; report-uri https://www.opt.is/csp-violation

Content-Security-Policy: Chrome 25+, Firefox 23.0+, Opera 15+ X-WebKit-CSP: Chrome 25,
Safari 5.1+ X-Content-Security-Policy: Firefox 22.0, Internet Explorer 10+* http://www.html5rocks.com/en/tutorials/security/content-security-policy/

• X-Frame-Options: DENY • Content-Security-Policy: … • X-XSS-Protection: 1; mode=block
• X-Content-Type-Options: nosniff HTTP Headers https://securityheaders.com/

A4 - Insecure Direct Object References “Parallel lines” - theilr,
http://www.flickr.com/photos/90863480@N00/10268837315/

Avoid exposing your private object references Validate any private object
references Verify authorization to all references objects

A5 - Security Misconfiguration “Unlocked” - BlakJakDavy, http://www.flickr.com/photos/74221558@N00/3653039689/

Apply software updates Disable unnecessary features Disable default accounts Don’t
reveal stack traces

A6 - Sensitive Data Exposure “Watching YouTube” - Hero ♪,
http://www.flickr.com/photos/60507644@N06/9677923769/

No data stored in clear text Don’t transmit in clear
text Weak crypto algorithms & keys Don’t store sensitive data unnecessarily Disable auto-complete and caching

A7 - Missing Function Level Access Control “Escape artist” -
Amanda Tipton, http://www.flickr.com/photos/34039290@N06/7454420422/

Deny all by default Authorization not (only) on front-end

A8 - Cross-Site Request Forgery “Rustic 'Throne'” - RightBrainPhotography, http://www.flickr.com/photos/21757951@N00/2291533525/

POST /transfer HTTP/1.1 Host: bank.example.com Cookie: JSESSIONID=randomid; Domain=bank.example; HttpOnly Content-Type:
application/x-www-form-urlencoded amount=100.00&routingNumber=1234&account=9876 <form action="https://bank.example.com/transfer" method="post"> <input type="hidden" name="amount" value="100.00"/> <input type="hidden" name="routingNumber" value="evilsRoutingNumber" /> <input type="hidden" name="account" value="evilsAccountNumber"/> <input type="submit" value="Win Money!'/> </form>

CSRF tokens ▪ Spring Security 3.2 <http …> <csrf />
</http> Use proper HTTP Verbs Synchronizer Token Pattern

A9 - Using Components with Known Vuln. “Sharp edged view”
- lucymagoo_images, http://www.flickr.com/photos/lucymagoo/9286276021/

Apache CXF Authentication Bypass Spring Remote Code Execution Struts2 Remote
Code Execution

Common Vulnerabilities and Exposures http://cve.mitre.org/ https://github.com/jeremylong/DependencyCheck National Vulnerability Database http://nvd.nist.gov/home.cfm
mvn versions:display-dependency-updates

A10 - Unvalidated Redirects and Forwards “One Almond Tree Under
the Storm” - DavidFrutos, http://www.flickr.com/photos/davidfe2/5546540291/lightbox/

Review all redirects and forwards Spider site for redirects

Developer awareness Software Development Lifecycle (SDLC) Security automation

Web App Security - OWASP Top 10 2013

Web App Security - OWASP Top 10 2013

More Decks by Driss Amri

Other Decks in Technology

Featured

Transcript