The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.


The OWASP Foundation
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Durham University Computing Society
The OWASP Top Ten Most Critical Web Application Security Risks
2012/03/06
Simon Bennetts
Development and Security Team Leader, Sage Ltd
OWASP Zed Attack Proxy Project Leader
OWASP Manchester Chapter Leader

What is OWASP?
- The Open Web Application Security Project
- Promotes secure software development
- Oriented to the delivery of web oriented services
- Focused primarily on "back-end" issues rather than web-design issues
- An open forum for discussion
- A free resource for any development team

What is OWASP?
- Non-profit, volunteer-driven organization
- Provides free resources to the community
- Supported through sponsorships
- Provides: publications, software, local chapters

WARNING!
I will be describing techniques that can be used to compromise systems.
Do NOT use them without the permission of the system owner!
Using these techniques without permission may result in criminal charges.

The OWASP Top Ten Most Critical Web Application Security Risks
- A great place to start
- Current list published in 2010
- Well known and well regarded
- But … the vast majority of websites still have a high, critical or urgent issue

Risk rating scale used on the following slides:
Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
?            | Easy          | Widespread          | Easy                   | Severe           | ?
?            | Average       | Common              | Average                | Moderate         | ?
?            | Difficult     | Uncommon            | Difficult              | Minor            | ?

The OWASP Top Ten
- A1: Injection
- A2: Cross-Site Scripting
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects or Forwards

A1: Injection
- Tricking an application into including unintended commands in the data sent to an interpreter
- SQL, OS shell, LDAP, XPath, Hibernate…
- Impact: SEVERE!
  - Unauthorized application access
  - Unauthorized data access
  - OS access…
Risk rating: Attack Vector: Easy; Weakness Prevalence: Common; Weakness Detectability: Average; Technical Impact: Severe

A1: Injection
[Diagram: User -> Server -> Db]

A1: Injection (SQL)
Example UI: a login form with Name and Password fields.
Example code:
    String sql = "SELECT * FROM users where username = '" + username + "' and password = '" + password + "'";
Expected SQL:
    SELECT * FROM users where username = 'admin' and password = 'c0rr3ct'
The attacker enters admin' -- in the Name field (Password: *******). Resulting SQL query:
    SELECT * FROM users where username = 'admin' -- ' and password = 'anything'

A1: Injection
Prevention:
- Use interfaces that support 'bind variables': prepared statements, stored procedures
- Whitelist input
- Encode all user input
- Minimize database privileges
- OWASP SQL Injection Prevention Cheat Sheet
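The login query from the slides, rewritten as an added example (not code from the presentation) in Python with the standard sqlite3 module: the concatenated query is the vulnerable version, the bound-parameter version is the prevention. The in-memory users table and the admin credential are constructed for the demo; the plaintext password column only exists so the injected query reads like the slide (real systems store a hash, see A7).

```python
import re
import sqlite3

# Allow-list for usernames (constructed policy): letters, digits, underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Constructed in-memory table with one user, matching the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'c0rr3ct')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The slide's pattern: input is pasted into the SQL text, so a quote and a
    '--' comment in the username rewrite the query's logic."""
    sql = ("SELECT * FROM users where username = '" + username +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Bind variables: the statement text is fixed and the values travel
    separately, so a quote in the input is data, never SQL syntax."""
    sql = "SELECT * FROM users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def is_valid_username(username):
    """Whitelist check: reject anything outside the characters a username may contain.
    Defence in depth on top of the prepared statement, not a replacement for it."""
    return USERNAME_RE.match(username) is not None
```

Running login_vulnerable with the slide's Name value and any password returns the admin row; the parameterized version looks for a user literally named "admin' --" and finds nothing.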

A2: Cross Site Scripting (XSS)
- Injecting malicious content/code into web pages
- HTML / JavaScript most common, but many other technologies are also vulnerable: Java, ActiveX, Flash, RSS, Atom, …
- Present in 64% of all web applications in 2010
- Can be present in form and URL parameters AND cookies
Risk rating: Attack Vector: Average; Weakness Prevalence: VERY Widespread; Weakness Detectability: Easy; Technical Impact: Moderate

A2: Cross Site Scripting (XSS)
Impact:
- Session hijacking
- Unauthorized data access
- Web page rewriting
- Redirect users (e.g. to phishing or malware sites)
- Anything the web application can do…

A2: Cross Site Scripting (XSS)
[Diagram: Reflected XSS vs. Persistent XSS]

A2: Cross Site Scripting (XSS)
Forum post: "Have you seen XYZ are being taken over??"
Page the victim sees after following the link:
    XYZ – We're being taken over!
    Search this site: [ ]
    Yes, we're being taken over, but don't worry: login to find out why this is a good thing!
    Username: [ ] Password: [ ] Login

A2: Cross Site Scripting (XSS)
What the page actually is: the search term from the link, reflected unencoded into the results page.
    XYZ – No Search Result found!
    Search this site: [ ]
    No search result found for: “ (injected script) document.title='XYZ – We're being taken over!'; document.getElementById('results').style.display='none'; (injected HTML) Yes, we're being taken over, but don't worry: login to find out why this is a good thing! Username: Password: <input id='password' type=… ”

A2: Cross Site Scripting (XSS)
View Source:
    : No search result found for: “ (injected script) document.title='XYZ – We're being taken over!'; document.getElementById('results').style.display='none'; (injected HTML) Yes, we're being taken over, but don't worry: login to find out why this is a good thing! Username: Password: <input id='password' type=… ” :

A2: Cross Site Scripting (XSS)
Prevention:
- Don't output user supplied input
- Whitelist input
- Encode output (e.g. using OWASP ESAPI)
- If you must support user supplied HTML, use libraries like OWASP's AntiSamy
- OWASP XSS Prevention Cheat Sheet
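Output encoding for the search page from the demo, as an added example in Python (not code from the presentation). It renders the "No search result found for" block and the search box, encoding the user-supplied term for the HTML body and attribute contexts with the standard library's html.escape. The page layout, the element id and the test payload are constructed for the demo; the encode=False path reproduces the vulnerable behaviour the slides exploit so the two can be compared.

```python
import html


def render_search_results(search_term, results, encode=True):
    """Render the search page. With encode=True every user-controlled value is
    HTML-encoded before it is placed in the page; with encode=False the term
    is reflected raw, which is the demo's vulnerable page."""
    enc = (lambda s: html.escape(s, quote=True)) if encode else (lambda s: s)
    if not results:
        body = 'No search result found for: "' + enc(search_term) + '"'
    else:
        body = "<ul>" + "".join("<li>" + enc(r) + "</li>" for r in results) + "</ul>"
    # The search box echoes the term inside an attribute value; quote=True is
    # what stops a double quote in the input from closing value="..." early.
    return ('<form><input id="q" value="' + enc(search_term) + '"></form>\n'
            '<div id="results">' + body + '</div>')


def contains_active_markup(page):
    """Crude detector used for the comparison: is a script element present?"""
    return "<script" in page.lower()
```

The encoded page shows the attacker's text to the user as literal characters; nothing in it is parsed as markup. Encoding is per context: html.escape is correct for HTML body and quoted attributes only, which is why the OWASP XSS Prevention Cheat Sheet lists separate rules for JavaScript, CSS and URL contexts.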

A3: Broken Authentication and Session Management
- HTTP is stateless
- Session IDs are used to track state, and are as good as credentials to an attacker
- Can be accessed via sniffer, logs, XSS…
- Change my password, forgotten my password, secret questions …
- Impact: sessions hijacked / accounts compromised
Risk rating: Attack Vector: Average; Weakness Prevalence: Common; Weakness Detectability: Average; Technical Impact: Severe

A3: Broken Authentication and Session Management
Prevention:
- Use standard implementations
- Use SSL for ALL requests
- Thoroughly test all authentication related functionality
- Use the Secure and HttpOnly cookie flags
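Issuing a session cookie with the flags the slide asks for, as an added example in Python (not code from the presentation). The session ID comes from the OS CSPRNG via the secrets module and the Set-Cookie header is built with the standard library's http.cookies; the cookie name is constructed, and the SameSite attribute assumes Python 3.8 or later.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"   # constructed cookie name


def new_session_id():
    """256 bits of CSPRNG output, URL-safe base64: not guessable from earlier IDs."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id):
    """Build the Set-Cookie header for a session ID.

    Secure:   the browser only sends the cookie over HTTPS (defeats sniffing).
    HttpOnly: document.cookie cannot read it, so an XSS cannot exfiltrate it.
    SameSite: the browser withholds it on most cross-site requests (helps A5).
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    morsel = cookie[SESSION_COOKIE]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["path"] = "/"
    morsel["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:").strip()
```

The header produced looks like `Set-Cookie: SESSIONID=<id>; HttpOnly; Path=/; SameSite=Lax; Secure`. Using the framework's own session handling ("standard implementations") normally gives all of this with one configuration setting; the point of writing it out is to see which flags have to be present.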

A4: Insecure Direct Object Reference
- A direct reference to an object that is not validated on each request, e.g. company=Mega%20Corp or account=
- Typically in FORM and URL parameters (cookies less likely)
- Impact: accounts and data compromised
Risk rating: Attack Vector: Easy; Weakness Prevalence: Common; Weakness Detectability: Easy; Technical Impact: Moderate

A4: Insecure Direct Object Reference
- Attacker notices URL: acct=6065
- Modifies it to acct=6066
- Attacker can view (and maybe change?) the victim's account

A4: Insecure Direct Object Reference
Prevention:
- Eliminate direct object references (ESAPI supports integer and random mapping)
- Validate direct object references on each request
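Both preventions from the slide, as an added example in Python (not code from the presentation or from ESAPI): a per-request ownership check for direct references, and a per-session random access reference map that replaces account numbers with opaque tokens, in the spirit of ESAPI's random mapping. The account table with the slide's 6065/6066 numbers and their owners is constructed.

```python
import secrets

# Constructed account table: account number -> owner and balance.
ACCOUNTS = {
    6065: {"owner": "alice", "balance": 100},
    6066: {"owner": "bob", "balance": 250},
}


def get_account_checked(user, acct_id):
    """Direct reference validated on every request: the object must belong to
    the authenticated caller, otherwise the request is refused."""
    acct = ACCOUNTS.get(acct_id)
    if acct is None or acct["owner"] != user:
        raise PermissionError("account %r not accessible to %s" % (acct_id, user))
    return acct


class AccessReferenceMap:
    """Indirect references: random tokens stand in for real ids. A token only
    resolves inside the session that minted it, so acct=6066 cannot be reached
    by editing a URL because 6066 never appears in any URL."""

    def __init__(self):
        self._to_indirect = {}
        self._to_direct = {}

    def indirect(self, direct):
        if direct not in self._to_indirect:
            token = secrets.token_urlsafe(9)
            self._to_indirect[direct] = token
            self._to_direct[token] = direct
        return self._to_indirect[direct]

    def direct(self, indirect):
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise PermissionError("unknown object reference") from None


def session_map_for(user):
    """Build a session's map from that user's own accounts only."""
    m = AccessReferenceMap()
    for acct_id, acct in ACCOUNTS.items():
        if acct["owner"] == user:
            m.indirect(acct_id)
    return m
```

With the map, the links the application renders carry tokens such as acct=Ab3x...; a token copied from another user's session is simply unknown and is rejected. The ownership check remains the right fix where real ids must stay in URLs.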

A5: Cross site request forgery
- Exploits sessions established in other browser windows or tabs
- Impact: attacker can perform any action on behalf of the victim
Risk rating: Attack Vector: Average; Weakness Prevalence: Widespread; Weakness Detectability: Easy; Technical Impact: Moderate

A5: Cross site request forgery
[Diagram: Browser with sessions to example.bank.com and bad.site.com; $$$]

A5: Cross site request forgery
Prevention:
- Never allow GETs to change things
- Anti-CSRF tokens
  - Viewstate (ASP.NET)
  - OWASP CSRFGuard
- Challenge-response
  - Re-authentication
  - CAPTCHA
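The first two preventions from the slide for the bank transfer in the diagram, as an added example in Python (not code from the presentation or from OWASP CSRFGuard): the /transfer handler refuses GET, and it requires a per-session random token that is embedded in the bank's own form. The form markup and the session dictionary are constructed; a real application would store the session server-side.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """One random token per session, kept server-side and copied into the bank's
    forms as a hidden field. bad.site.com can make the victim's browser send a
    request, but it cannot read example.bank.com's page, so it never learns the token."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def render_transfer_form(session):
    """The bank's own transfer form (constructed markup) carrying the token."""
    return ('<form method="POST" action="/transfer">'
            '<input type="hidden" name="csrf" value="%s">'
            '<input name="to"><input name="amount"><button>Send</button></form>'
            % issue_csrf_token(session))


def handle_transfer(session, method, form):
    """Server side of /transfer. Raises PermissionError instead of moving money."""
    if method != "POST":
        # Never let a GET change state: an <img src=...> on a hostile page is a GET.
        raise PermissionError("state-changing request must be a POST")
    expected = session.get("csrf")
    supplied = form.get("csrf", "")
    # Constant-time comparison; both sides encoded so non-ASCII input cannot
    # turn the check into a TypeError.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise PermissionError("missing or invalid anti-CSRF token")
    return {"to": form["to"], "amount": int(form["amount"])}
```

A forged POST from bad.site.com arrives with the victim's session cookie but without the token (or with a guessed one) and is rejected; only a request built from the bank's own form passes.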

A6: Security Misconfiguration
- Another multitude of sins
- Server / application configuration
- Lack of server and application hardening
- Unpatched OS, services, libraries
- Default accounts
- Detailed error messages (e.g. stack traces)
- Unprotected files and directories
Risk rating: Attack Vector: Easy; Weakness Prevalence: Common; Weakness Detectability: Easy; Technical Impact: Moderate

A6: Security Misconfiguration
Impact:
- Server compromise
- Exploitation of known vulnerabilities
Prevention:
- Server and application hardening
- Patch OS, services, libraries

A7: Insecure Cryptographic Storage
- Storage of: credentials, credit card numbers, bank account details, any sensitive data…
- In: databases, files, logs, backups …
- Either: in the clear, or using weak cryptography
Risk rating: Attack Vector: Difficult; Weakness Prevalence: Uncommon; Weakness Detectability: Difficult; Technical Impact: Severe

A7: Insecure Cryptographic Storage
Impact:
- Attackers access or modify sensitive data
- Attackers use sensitive data in further attacks
- Company embarrassment, loss of trust
- Company sued or fined

A7: Insecure Cryptographic Storage
Prevention:
- Identify sensitive data
- Don't store sensitive data
- Protect with suitable mechanisms (file, db, element encryption)
- Only use standard, well recognised algorithms
- Check your implementation!
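Credentials are the first item in the slide's list of sensitive data, and the standard mechanism for them is a salted, iterated password hash rather than storage in the clear or reversible encryption. As an added example in Python (not code from the presentation), this stores and verifies passwords with PBKDF2-HMAC-SHA256 from the standard library. The record format and the default iteration count are assumptions; the count should follow the current OWASP Password Storage Cheat Sheet value when deployed.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; revise against current OWASP guidance.
DEFAULT_ITERATIONS = 600_000


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).
    A fresh 16-byte random salt per user means identical passwords produce
    different records and precomputed tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, password):
    """Recompute with the stored salt and iteration count and compare in
    constant time. Any malformed record verifies as False rather than crashing."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False
```

Because the iteration count is part of the record, it can be raised for new passwords without invalidating old ones ("check your implementation" includes being able to migrate it).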

A8: Failure to restrict URL access
- 'Hidden content' with no authentication or access control
- Unprotected administrative pages
- robots.txt
- Impact: unauthorized account and data access; access to administrative functionality
Risk rating: Attack Vector: Easy; Weakness Prevalence: Uncommon; Weakness Detectability: Average; Technical Impact: Moderate

A8: Failure to restrict URL access
Prevention:
- For ALL (non-public) URLs always check authentication and permissions
- Use a simple 'fail safe' mechanism at each layer of your application

A9: Insufficient Transport Layer Protection
- Failure to identify all sensitive data
- Failure to identify all places that the sensitive data is transmitted
- Failure to employ suitable protection
Risk rating: Attack Vector: Difficult; Weakness Prevalence: Common; Weakness Detectability: Easy; Technical Impact: Moderate

A9: Insufficient Transport Layer Protection
Impact:
- Attackers access or modify sensitive data
- Attackers use sensitive data in further attacks
- Company embarrassment, loss of trust
- Company sued or fined

A9: Insufficient Transport Layer Protection
Prevention:
- Use SSL/TLS on all connections that transmit sensitive data
- Encrypt messages: XML-Encryption
- Sign messages: XML-Signature
- Only use standard, well recognised algorithms
- Check your implementation!

A10: Unvalidated Redirects and Forwards
- Redirects are common and send the user to a new site… which could be malicious if not validated!
- Forwards (transfers) send the request to a new page in the same application… which could bypass authentication or authorization
Risk rating: Attack Vector: Average; Weakness Prevalence: Uncommon; Weakness Detectability: Easy; Technical Impact: Moderate

A10: Unvalidated Redirects and Forwards
Impact:
- Redirect victim to phishing or malware site
- Attacker's request is forwarded past security checks, allowing unauthorized function or data access
Prevention:
- Validate all redirects and forwards
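Validating a redirect target and a forward, as an added example in Python (not code from the presentation). Redirects are allowed only to same-application relative paths or to an allow-listed HTTPS host, and forwards are resolved through a fixed key-to-page table so the request can never name an internal page directly. The allowed host (taken from the CSRF diagram's example.bank.com), the forward table and the default landing path are constructed; the function goes a little beyond the slide by also rejecting the protocol-relative and backslash forms that browsers treat as external.

```python
from urllib.parse import urlsplit

ALLOWED_REDIRECT_HOSTS = {"example.bank.com"}              # constructed allow-list
FORWARD_TARGETS = {"help": "/help", "account": "/account"}  # constructed: key -> internal page


def safe_redirect_target(target, default="/"):
    """Return target if it is safe to redirect to, otherwise the default page."""
    # CR/LF would split the Location header; backslashes are treated as '/' by
    # some browsers, turning '/\evil' into a cross-site redirect.
    if not target or any(c in target for c in "\r\n\t\\"):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute (or protocol-relative '//host') URL: only https to a known host.
        # parts.hostname ignores userinfo, so 'https://example.bank.com@bad.site.com'
        # is seen as bad.site.com.
        if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
            return target
        return default
    # Relative: a single leading '/' keeps it inside this application.
    if target.startswith("/") and not target.startswith("//"):
        return target
    return default


def resolve_forward(key):
    """Forward only to pages named in the table; unknown keys (including path
    tricks such as '../admin') resolve to nothing."""
    return FORWARD_TARGETS.get(key)
```

The open-redirect pattern the slide warns about is a `?next=` parameter copied straight into the Location header; passing it through safe_redirect_target first is the validation step, and the same approach covers the "return URL" after login.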

Where Next?
- Read and understand the full document!
- Read the OWASP Developers Guide
- Watch the OWASP AppSec Tutorial videos on YouTube
- Re-examine your code!
- Introduce a Secure Development Lifecycle
- Use tools like the OWASP Zed Attack Proxy

Summer of Code
- Get paid for writing code for open source projects over the summer of 2012
- OWASP is applying to be a participating open source organization – not confirmed!
- The OWASP Zed Attack Proxy is one of the tools proposing projects (mentor – yours truly)

Any Questions?