Bill Riggins III OWASP Orlando Co-Chapter Lead

Presentation transcript:

OWASP Top 10
Bill Riggins III, OWASP Orlando Co-Chapter Lead

Top 10 for 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

A1: Injection

A1: Injection. Spot the Bug

    <?php
    $offset = $_GET['offset'];
    $query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
    $result = pg_query($conn, $query);
    ?>

A1: Injection. Spot the Bug Solution: $offset is taken straight from $_GET and interpolated into the SQL string, so whatever the client puts in the offset parameter is parsed and executed as part of the query.

A1: Injection. Spot the Bug Mitigation

    <?php
    $offset = $_GET['offset'];
    // $1 is a placeholder; the value is sent to the server separately from the SQL text
    $query = 'SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $1;';
    $result = pg_query_params($conn, $query, array($offset));
    ?>

A2: Cross-Site Scripting (XSS)

A2: Cross-Site Scripting (XSS). Spot the Bug

    <!doctype html>
    <html lang="en">
    <head><title>XSS test</title></head>
    <body>
    <form>
      <input type="text" name="xss">
      <input type="submit">
    </form>
    <p>Result: ${param.xss}</p>
    </body>
    </html>

A2: Cross-Site Scripting (XSS). Spot the Bug Solution: ${param.xss} writes the request parameter into the page verbatim, so any markup or script in it becomes part of the response.

A2: Cross-Site Scripting (XSS). Spot the Bug Mitigation

    <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
    <!doctype html>
    <html lang="en">
    <head><title>XSS test</title></head>
    <body>
    <form>
      <input type="text" name="xss">
      <input type="submit">
    </form>
    <p>Result: ${fn:escapeXml(param.xss)}</p>
    </body>
    </html>
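The same page rendered both ways, as an added Python example that is not part of the slides: the JSP template is reproduced as a format string, and html.escape stands in for fn:escapeXml (both encode the five characters with meaning in HTML text and attribute values).

```python
import html

# Constructed stand-in for the slide's JSP page: the "xss" request parameter is
# written into the <p>Result: ...</p> element.
PAGE = ('<!doctype html><html lang="en"><head><title>XSS test</title></head>'
        '<body><form><input type="text" name="xss"><input type="submit"></form>'
        '<p>Result: {result}</p></body></html>')


def render_unsafe(param_xss):
    """The ${param.xss} rendering: the parameter is inserted verbatim."""
    return PAGE.format(result=param_xss)


def escape_xml(value):
    """Equivalent of fn:escapeXml: & < > " ' become entities."""
    return html.escape(value, quote=True)


def render_safe(param_xss):
    """The ${fn:escapeXml(param.xss)} rendering: encoded before insertion."""
    return PAGE.format(result=escape_xml(param_xss))


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed test input
    print(render_unsafe(probe))  # the tag survives as markup
    print(render_safe(probe))    # the browser shows the text, runs nothing
```

fn:escapeXml and html.escape cover HTML text and quoted attribute values only; a value placed inside a script block, a URL or a CSS rule needs the encoder for that context.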

A3: Broken Auth & Session Mgmt.

A3: Broken Auth & Session Mgmt. Spot the Bug

    GET / HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0 Gecko
    Accept: text/xml, image/png, image/jpeg, image/gif, */*
    Cookie: PHPSESSID=123456789

A3: Broken Auth & Session Mgmt. Spot the Bug Solution: the session identifier PHPSESSID=123456789 is a short, sequential-looking value rather than a random one, so another session's ID can be guessed; the cookie is also carried on a plain HTTP request.

A3: Broken Auth & Session Mgmt. Spot the Bug Mitigation
Use HTTPS for anything that carries or checks the session
Set the HttpOnly and Secure flags on the session cookie
Keep the session ID out of the URL
Rotate the session ID after a successful login
Etc.; see the OWASP documentation.
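Those four points in code, as an added Python example (not from the slides): a CSPRNG-backed session ID, the Set-Cookie header with the HttpOnly and Secure flags, ID rotation at login, and a triage check that flags a value like the slide's 123456789. SameSite=Lax on the cookie is an assumption of current practice, not something the slide lists.

```python
import secrets


def new_session_id():
    """Unpredictable session identifier: 32 bytes from the OS CSPRNG, URL-safe base64."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id, name="PHPSESSID"):
    """Set-Cookie line with the flags from the slide: HttpOnly (no script access)
    and Secure (never sent over plain HTTP). SameSite=Lax is an added assumption."""
    return f"Set-Cookie: {name}={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def is_weak_session_id(session_id):
    """Triage for captured cookies: all-digit (counter or timestamp) or short
    values are candidates for guessing. A heuristic, not a proof of strength."""
    return session_id.isdigit() or len(session_id) < 16


class SessionStore:
    """Server-side session table that rotates the ID at login."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = new_session_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, user):
        # Move the data to a fresh ID and forget the pre-login one, so an ID
        # planted in the browser before login (session fixation) is worthless.
        data = self._sessions.pop(old_sid, {"user": None})
        data["user"] = user
        new_sid = new_session_id()
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print(session_cookie_header(authed))
    print(is_weak_session_id("123456789"), is_weak_session_id(authed))
```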

A4: Insecure Direct Object References

A4: Insecure Direct Object References. Spot the Bug

    String query = "SELECT * FROM accts WHERE account = ?";
    PreparedStatement pstmt = connection.prepareStatement(query, ...);
    pstmt.setString(1, request.getParameter("acct"));
    ResultSet results = pstmt.executeQuery();

A4: Insecure Direct Object References. Spot the Bug Solution: the query is parameterized, so this is not injection, but the account number comes straight from request.getParameter("acct") with no check that it belongs to the logged-in user; changing the parameter returns someone else's account.

A4: Insecure Direct Object References. Spot the Bug Mitigation

    String query = "SELECT * FROM accts WHERE account = ? and acctOwner = ?";
    PreparedStatement pstmt = connection.prepareStatement(query, ...);
    pstmt.setString(1, myUser.accts[0]);
    pstmt.setString(2, myUser.id);
    ResultSet results = pstmt.executeQuery();
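The A1 and A4 slides are two sides of the same query-building discipline, so here is one added Python example (not from the slides, using sqlite3 rather than PostgreSQL or JDBC) that covers both: the A1 bug as string interpolation versus a bound parameter, and the A4 bug as a lookup by identifier alone versus one scoped to the authenticated owner. The products and accts tables and their rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tables the slides query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products (name) VALUES ('anvil'), ('bolt'), ('chisel');
        CREATE TABLE accts (account TEXT PRIMARY KEY, acctOwner TEXT, balance INTEGER);
        INSERT INTO accts VALUES ('ACC-1', 'alice', 100), ('ACC-2', 'bob', 250);
    """)
    return conn


def build_products_query_unsafe(offset):
    """A1 as on the slide: the request value is pasted into the SQL text, so
    whatever the caller sends is part of the statement the server parses."""
    return f"SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET {offset};"


def list_products(conn, offset):
    """A1 mitigation: validate the type, then bind through a placeholder. The
    value travels separately from the SQL text and can never be parsed as SQL."""
    offset = int(offset)  # ValueError for anything that is not an integer
    if offset < 0:
        raise ValueError("offset must be non-negative")
    rows = conn.execute(
        "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET ?", (offset,)
    ).fetchall()
    return [name for _id, name in rows]


def get_account_unsafe(conn, account):
    """A4 as on the slide: parameterized, so no injection, but any caller
    can read any account by supplying its identifier."""
    return conn.execute(
        "SELECT account, acctOwner, balance FROM accts WHERE account = ?", (account,)
    ).fetchone()


def get_account(conn, current_user, account):
    """A4 mitigation: scope the lookup to the authenticated user, as the slide
    does with 'and acctOwner = ?'. Another user's account is simply not found."""
    return conn.execute(
        "SELECT account, acctOwner, balance FROM accts "
        "WHERE account = ? AND acctOwner = ?",
        (account, current_user),
    ).fetchone()


if __name__ == "__main__":
    conn = make_db()
    print(build_products_query_unsafe("0; DROP TABLE products"))  # attacker text inside the SQL
    print(list_products(conn, "1"))                               # ['bolt', 'chisel']
    print(get_account_unsafe(conn, "ACC-2"))                      # alice's request reads bob's row
    print(get_account(conn, "alice", "ACC-2"))                    # None
```

The type check in list_products matters beyond injection: a bound parameter stops SQL from being interpreted, but a LIMIT/OFFSET clause still needs an integer, so validation and binding are used together rather than as alternatives.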

A5: Cross-Site Request Forgery (CSRF)

A5: Cross-Site Request Forgery. Spot the Bug

    <cfif IsUserLoggedIn()>
      <cfset user = GetAuthUser()>
      <cfset pageid = url.pageid>
      <cfquery name="myquery" datasource="myds">
        UPDATE member_likes SET like = 1
        WHERE pageid = <cfqueryparam cfsqltype="cf_sql_varchar" maxlength="250" value="#pageid#" />
      </cfquery>
    </cfif>
    <a href="likeme.cfm?pageid=112">Like Me</a>

A5: Cross-Site Request Forgery. Spot the Bug Solution: the state change is triggered by a plain GET link whose only precondition is being logged in, so any page that makes the victim's browser request likeme.cfm?pageid=... performs the update with the victim's session; nothing ties the request to a form this site issued.

A5: Cross-Site Request Forgery. Spot the Bug Mitigation

    <cfif IsUserLoggedIn() and isDefined("form.csrfToken") and CSRFVerifyToken(form.csrfToken)>
      <cfset user = GetAuthUser()>
      <cfset pageid = form.pageid>
      <cfquery name="myquery" datasource="myds">
        UPDATE member_likes SET like = 1
        WHERE pageid = <cfqueryparam cfsqltype="cf_sql_varchar" maxlength="250" value="#pageid#" />
      </cfquery>
    </cfif>
    <cfset csrfToken = CSRFGenerateToken()>
    <cfform method="post" action="likeme.cfm">
      <!--- the field name must match the form.csrfToken check above --->
      <cfinput name="csrfToken" type="hidden" value="#csrfToken#" />
      <cfinput name="pageid" type="hidden" value="31337" />
      <cfinput name="Submit" type="submit" value="Like Me" />
    </cfform>
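The token flow behind CSRFGenerateToken/CSRFVerifyToken, as an added Python example that is not from the slides: a per-session secret is generated once, embedded in the form, and checked in constant time on the POST; a GET or a POST without the right token never reaches the update. The session dict and the handler's return codes are constructed for the example.

```python
import hmac
import html
import secrets


def csrf_generate_token(session):
    """Like CSRFGenerateToken(): one secret per session, created on first use."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_verify_token(session, submitted):
    """Like CSRFVerifyToken(): constant-time compare; a missing token fails closed."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    try:
        return hmac.compare_digest(expected, submitted)
    except TypeError:  # non-ASCII input cannot be a token we issued
        return False


def render_like_form(session, pageid):
    """The cfform from the slide: the token rides in a hidden field of a POST form."""
    token = csrf_generate_token(session)
    pageid = html.escape(str(pageid), quote=True)
    return (f'<form method="post" action="likeme.cfm">'
            f'<input name="csrfToken" type="hidden" value="{token}">'
            f'<input name="pageid" type="hidden" value="{pageid}">'
            f'<input type="submit" value="Like Me"></form>')


def handle_like(session, method, form):
    """The likeme.cfm handler: the update runs only for a logged-in user, on a
    POST, with the session's own token. Returns (status, message)."""
    if session.get("user") is None:
        return (401, "not logged in")
    if method != "POST":
        return (405, "state-changing request must be a POST")
    if not csrf_verify_token(session, form.get("csrfToken")):
        return (403, "missing or invalid CSRF token")
    return (200, f"liked page {form['pageid']}")


if __name__ == "__main__":
    session = {"user": "alice"}
    print(render_like_form(session, 112))
    print(handle_like(session, "GET", {"pageid": "112"}))
    print(handle_like(session, "POST", {"pageid": "112", "csrfToken": session["csrf_token"]}))
```

A request forged from another origin arrives with the victim's cookie, so the login check passes; what it cannot carry is the token, because that value lives in the victim's session and in a form only this site renders.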

A6: Security Misconfiguration

A6: Security Misconfiguration. Spot the Bug

    <?xml version="1.0" encoding="UTF-8"?>
    <tomcat-users>
      <role rolename="manager-gui"/>
      <role rolename="manager-script"/>
      <user username="tomcat" password="tomcat" roles="manager-gui, manager-script"/>
    </tomcat-users>

A6: Security Misconfiguration. Spot the Bug Solution: the Tomcat manager application is enabled with the username and password both set to "tomcat", a credential pair that appears in the shipped example configuration, and that account holds the manager-gui and manager-script roles that allow deploying applications.

A6: Security Misconfiguration. Spot the Bug Mitigation

    <?xml version="1.0" encoding="UTF-8"?>
    <tomcat-users>
      <role rolename="manager-gui"/>
      <role rolename="manager-script"/>
      <!-- myusername / mypassword stand for a unique account name and a strong password -->
      <user username="myusername" password="mypassword" roles="manager-gui, manager-script"/>
    </tomcat-users>

Also, see: https://www.owasp.org/index.php/Securing_tomcat
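A small audit script for this class of misconfiguration, added here as a Python example (not from the slides): it parses a tomcat-users.xml, flags accounts that use a documented example credential pair or a trivially weak password, and reports which accounts hold manager or admin roles. The credential list is a short illustrative set, not a complete one, and the sample file is a copy of the slide's configuration.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the slide's tomcat-users.xml.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui, manager-script"/>
</tomcat-users>"""

# Pairs that appear in Tomcat's shipped example entries and manager documentation.
# Assumption: a short list suffices for the demo; a real checker uses a larger one.
DEFAULT_CREDENTIALS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("both", "tomcat"),
    ("role1", "tomcat"), ("admin", "admin"),
}

# Roles that grant deployment or administrative access to the server.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

MIN_PASSWORD_LENGTH = 12  # policy value chosen for the example


def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) pairs for risky <user> entries.
    Plaintext passwords are assumed; digested values would need their own rules."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for user in root.iter("user"):
        name = user.get("username", "")
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if (name, password) in DEFAULT_CREDENTIALS:
            findings.append((name, "default/documented credential pair"))
        elif password == name or len(password) < MIN_PASSWORD_LENGTH:
            findings.append((name, "weak password (same as username or too short)"))
        privileged = roles & PRIVILEGED_ROLES
        if privileged:
            findings.append((name, "holds privileged role(s): " + ", ".join(sorted(privileged))))
    return findings


if __name__ == "__main__":
    for username, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{username}: {finding}")
```

The privileged-role finding is informational: someone must hold those roles for the manager to be usable at all. The point of listing them is to make every such account visible so the credential findings can be read against it.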

A7: Insecure Cryptographic Storage

A7: Insecure Cryptographic Storage. Spot the Bug

    <?php
    $encryptedPassword = sha1(strtolower('username') . 'password');
    ?>

A7: Insecure Cryptographic Storage. Spot the Bug Solution: the password is stored as a single fast SHA-1 hash with the lowercased username as the only "salt"; the username is not secret and SHA-1 is cheap to compute, so stored hashes can be attacked offline at high speed.

A7: Insecure Cryptographic Storage Spot the Bug Mitigation I may be shamed for this, but the answer is (almost) always... bcrypt. http://codahale.com/how-to-safely-store-a-password/
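What "use bcrypt" amounts to in practice, as an added Python example that is not from the slides. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here; the design is the same: a random per-user salt, a deliberately slow hash with a tunable work factor stored alongside the result, and a constant-time comparison on verification. The 600,000 iteration count and the storage format are choices made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow hash. The salt and work factor are stored with the digest so
    verification needs nothing else and old entries can be re-hashed later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def weak_hash(username, password):
    """The slide's scheme, for contrast: one fast SHA-1 over a public 'salt'."""
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    stored = hash_password("hunter2")
    print(stored)
    print(verify_password("hunter2", stored), verify_password("hunter3", stored))
    print(weak_hash("username", "password"))
```

Two things to notice when running it: hashing the same password twice yields different stored values (fresh salt), and a single verification takes a noticeable fraction of a second, which is the property that makes offline guessing expensive.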

A8: Failure to Restrict URL Access

A8: Failure to Restrict URL Access. Spot the Bug

    <location path="Admin">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

A8: Failure to Restrict URL Access. Spot the Bug Solution: the authorization rule for the Admin path is <allow users="*" />, which grants every user, authenticated or not, access to the administrative pages.

A8: Failure to Restrict URL Access. Spot the Bug Mitigation

    <location path="Admin">
      <system.web>
        <authorization>
          <allow users="briggins" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

A9: Insufficient Transport Layer Protection

A9: Insufficient Transport Protection Spot the Bug

A9: Insufficient Transport Protection Spot the Bug Solution

A9: Insufficient Transport Protection. Spot the Bug Mitigation

    <!-- the enclosing security-constraint is added for completeness; the /* pattern is an assumption -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Also, see: https://www.owasp.org/index.php/Securing_tomcat#Securing_Manager_WebApp

A10: Unvalidated Redirects and Forwards

A10: Unvalidated Redirects, Forwards. Spot the Bug

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class RedirectServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            String query = request.getQueryString();
            // getQueryString() returns null when there is no query string
            if (query != null && query.contains("url")) {
                String url = request.getParameter("url");
                response.sendRedirect(url);
            }
        }
    }

A10: Unvalidated Redirects, Forwards. Spot the Bug Solution: the url parameter is passed to sendRedirect unchanged, so a link to this site can send the user on to any destination the link's author chooses, with this site's name lending it credibility.

A10: Unvalidated Redirects, Forwards. Spot the Bug Mitigation

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class RedirectServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            String query = request.getQueryString();
            // the request only names a destination; the URL itself is fixed server-side
            if (query != null && query.contains("goThere")) {
                response.sendRedirect("http://mysite.com");
            }
        }
    }
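Two ways to keep the destination under the server's control, as an added Python example that is not from the slides. The first is the slide's approach generalized: a named-destination map, where the request chooses a key and the server owns the URL. The second, for cases where a "return to" path genuinely has to be carried in the request, accepts only same-site targets and handles the inputs that commonly slip past a naive check. The ALLOWED_HOSTS set and DESTINATIONS map are assumptions for the example.

```python
from urllib.parse import urlsplit

DESTINATIONS = {"goThere": "http://mysite.com"}     # assumed: server-owned targets by name
ALLOWED_HOSTS = {"mysite.com", "www.mysite.com"}    # assumed: this application's hostnames
DEFAULT = "/"


def redirect_for(name):
    """The slide's pattern: the client picks a key, the server supplies the URL."""
    return DESTINATIONS.get(name, DEFAULT)


def safe_redirect_target(url, default=DEFAULT):
    """Return url only if it stays on this site; otherwise the default.

    Rejects absolute URLs to other hosts, scheme-relative //host forms, the
    backslash variant /\\host that browsers normalise to //host, userinfo
    tricks like https://mysite.com@evil.example/, and non-http schemes."""
    if not url:
        return default
    url = url.strip().replace("\\", "/")
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # absolute URL: only https to one of our own hosts (hostname strips userinfo and port)
        if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
            return url
        return default
    if not url.startswith("/") or url.startswith("//"):
        return default
    return url  # a plain site-relative path


if __name__ == "__main__":
    for candidate in ["/account/settings", "https://mysite.com/welcome",
                      "https://evil.example/", "//evil.example/x", "/\\evil.example",
                      "https://mysite.com@evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate)}")
    print(redirect_for("goThere"), redirect_for("elsewhere"))
```

The named-destination map is the stronger of the two because there is nothing to parse; the path validator exists for the login-then-return case and is deliberately strict, returning the default on any doubt rather than trying to repair the input.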

What about _____? This isn't just about JSP and PHP, or custom code:
http://www.didrailshaveamajorsecurityflawtoday.com/
http://osvdb.org/search?search%5Bvuln_title%5D=csrf&search%5Btext_type%5D=alltext
http://osvdb.org/search?search%5Bvuln_title%5D=xss&search%5Btext_type%5D=alltext
http://osvdb.org/search?search%5Bvuln_title%5D=django&search%5Btext_type%5D=alltext
http://osvdb.org/search?search%5Bvuln_title%5D=wordpress&search%5Btext_type%5D=alltext
http://osvdb.org/search?search%5Bvuln_title%5D=drupal&search%5Btext_type%5D=alltext

Resources
http://php.net/manual/en/security.database.sql-injection.php
http://stackoverflow.com/questions/2905886/what-makes-an-input-vulnerable-to-xss
http://www.exploit-db.com/papers/15990/
https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
http://blogs.coldfusion.com/post.cfm/protecting-web-applications-from-csrf-attacks-with-coldfusion-10
http://www.troyhunt.com/2011/08/owasp-top-10-for-net-developers-part-8.html
http://cwe.mitre.org/data/definitions/601.html