March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 1 Top 10 Web Security Controls.

Slides:



Advertisements
Similar presentations
PHP Form and File Handling
Advertisements

February 2012 Top Ten Controls v1 Eoin Keary and Jim Manico Page 1 OWASP Foundation – Los Angeles Chapter
Nick Feamster CS 6262 Spring 2009
HTML Forms. collect information for passing to server- side processes built up from standard widgets –text-input, radio buttons, check boxes, option lists,
Past, Present and Future By Eoin Keary and Jim Manico
Past, Present and Future
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.
JavaScript and the DOM Les Carr COMP3001 Les Carr COMP3001.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
APPLICATION DEVELOPMENT SECURE CODING WORKSHOP JIM MANICO VP, Security Architecture MARCH 2013.
Top 10 Defenses for Website Security Jim Manico VP of Security Architecture July 2012.
1 Page © 2012 WhiteHat Security, Inc. 1 Top 10 Defenses for Website Security Jim Manico VP of Security Architecture June 2012.
The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Web App Access Control Design
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
The OWASP Foundation Cross Site Scripting JavaScript Injection Contextual Output Encoding.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Web Development & Design Foundations with XHTML Chapter 9 Key Concepts.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
The OWASP Foundation Injection Flaws.
1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
JavaScript, Fourth Edition
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
CNIT 133 Interactive Web Pags – JavaScript and AJAX JavaScript Environment.
March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 1 Top 10 Web Security Controls.
Feedback #2 (under assignments) Lecture Code:
Introduction To Web Application Security in PHP. Security is Big And Often Difficult PHP doesn’t make it any easier.
HTML Forms.
Introduction HTML (Hypertext Markup Language) is used to create document on the World Wide Web. HTML is not a programming language, it is a markup language.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
Web Applications Testing By Jamie Rougvie Supported by.
Web Security SQL Injection, XSS, CSRF, Parameter Tampering, DoS Attacks, Session Hijacking SoftUni Team Technical Trainers Software University
Cookies and Sessions IDIA 618 Fall 2014 Bridget M. Blodgett.
OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities.
Securing Angular Apps Brian Noyes
Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP Denver February 2012.
20-753: Fundamentals of Web Programming 1 Lecture 6: Advanced HTML Fundamentals of Web Programming Lecture 6: Advanced HTML.
Securing Web Applications Lesson 4B / Slide 1 of 34 J2EE Web Components Pre-assessment Questions 1. Identify the correct return type returned by the doStartTag()
Intro to Web Application Security. iHostCodex Web Services - CEO Project-AG – CoFounder OWASP Panay -Chapter Leader -Web Application Pentester -Ethical.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
Do not try any of the techniques discussed in this presentation on a system you do not own. It is illegal and you will get caught.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Group 18: Chris Hood Brett Poche
Building Secure ColdFusion Applications
Web Application Vulnerabilities
An Introduction to Web Application Security
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.
Cross-Site Forgery
A Security Review Process for Existing Software Applications
WWW安全 國立暨南國際大學 資訊管理學系 陳彥錚.
Cross Site Request Forgery (CSRF)
Presentation transcript:

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 1 Top 10 Web Security Controls

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 2 Jim  VP Security Architecture, WhiteHat Security  15 years of web-based, database-driven software development and analysis experience  Over 7 years as a provider of secure developer training courses for SANS, Aspect Security and others  OWASP Connections Committee Chair   OWASP Podcast Series Producer/Host  OWASP Cheat-Sheet Series Manager

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 3 (1) Query Parameterization (PHP PDO) $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)"); $stmt->bindParam(':name', $name); $stmt->bindParam(':value', $value);

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 4 Query Parameterization (.NET) SqlConnection objConnection = new SqlConnection(_ConnectionString); objConnection.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE Name AND Password objConnection); NameTextBox.Text); PasswordTextBox.Text); SqlDataReader objReader = objCommand.ExecuteReader(); if (objReader.Read()) {...

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 5 Query Parameterization (Java) double newSalary = request.getParameter("newSalary") ; int id = request.getParameter("id"); PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?"); pstmt.setDouble(1, newSalary); pstmt.setInt(2, id); Query safeHQLQuery = session.createQuery("from Inventory where productID=:productid"); safeHQLQuery.setParameter("productid", userSuppliedParameter);

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 6 Query Parameterization (Ruby) # Create Project.create!(:name => 'owasp') # Read Project.all(:conditions => "name = ?", name) Project.all(:conditions => { :name => name }) Project.where("name = :name", :name => name) # Update project.update_attributes(:name => 'owasp') # Delete Project.delete(:name => 'name')

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 7 Query Parameterization (Cold Fusion) SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID =

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 8 Query Parameterization (PERL) my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )"; my $sth = $dbh->prepare( $sql ); $sth->execute( $bar, $baz );

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 9 OWASP Query Parameterization Cheat Sheet

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 10 XSS: Why so Serious?  Session hijacking  Site defacement  Network scanning  Undermining CSRF defenses  Site redirection/phishing  Load of remotely hosted scripts  Data theft  Keystroke logging

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 11 Danger: Multiple Contexts HTML Body HTML Attributes Context Context URL Context Browsers have multiple contexts that must be considered!

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 12 XSS in HTML Attributes <input type="text" name="comments" value="UNTRUSTED DATA"> <input type="text" name="comments" value="hello" onmouseover="/*fire attack*/"> Attackers can add event handlers:  onMouseOver  onLoad  onUnLoad  etc…

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 13 XSS in Source Attribute User input often winds up in src attribute Tags such as Example Request: Attackers can use javascript:/*attack*/ in src attributes

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 14 URL Parameter Escaping Escape all non alpha-num characters with the %HH format Be careful not to allow untrusted data to drive entire URL’s or URL fragments This encoding only protects you from XSS at the time of rendering the link Treat DATA as untrusted after submitted

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 15 URL parameter written within style tag Applications sometimes take user data and use it to generate presentation style Consider this example: XSS in the Style Tag

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 16 ;"> Mouse over UNTRUSTED = ESAPI.encoder().encodeForCSS("expression(alert(String.fr omCharCode (88,88,88)))"); Mouse over Pops in at least IE6 and IE7 lists.owasp.org/pipermail/owasp-esapi/2009-February/ html CSS Pwnage Test Case

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 17 Javascript Context Escape all non alpha-num characters with the \xHH format var x='UNTRUSTED DATA'; You're now protected from XSS at the time data is assigned What happens to x after you assign it?

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 18 Best Practice: DOM Based XSS Defense  Untrusted data should only be treated as displayable text  JavaScript encode and delimit untrusted data as quoted strings  Use document.createElement("…"), element.setAttribute("…","value"), element.appendChild(…), etc. to build dynamic interfaces  Avoid use of HTML rendering methods  If you do have to use the methods above remember to HTML and then JavaScript encode the untrusted data  Avoid passing untrusted data to eval(), setTimeout() etc.  Don’t eval() JSON to convert it to native JavaScript objects. Instead use JSON.toJSON() and JSON.parse()  Run untrusted scripts in a sandbox (ECMAScript canopy, HTML 5 frame sandbox, etc)

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 19 (2) XSS Defense by Data Type and Context Data TypeContextDefense StringHTML BodyHTML Entity Encode StringHTML AttributeMinimal Attribute Encoding StringGET ParameterURL Encoding StringUntrusted URLURL Validation, avoid javascript: URL’s, Attribute encoding, safe URL verification StringCSSStrict structural validation, CSS Hex encoding, good design HTMLHTML BodyHTML Validation (JSoup, AntiSamy, HTML Sanitizer) AnyDOMDOM XSS Cheat sheet Untrusted JavaScriptAnySandboxing JSONClient parse timeJSON.parse() or json2.js Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 20 OWASP Abridged XSS Prevention Cheat Sheet

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 21 Attacks on Access Control  Vertical Access Control Attacks  A standard user accessing administration functionality  "Privilege Escalation"  Horizontal Access Control attacks  Same role, but accessing another user's private data  Business Logic Access Control Attacks  Abuse of workflow

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 22 Best Practice: Code to the Permission if (AC.hasAccess(ARTICLE_EDIT, NUM)) { //execute activity }  Code it once, never needs to change again  Implies policy is persisted in some way  Requires more design/work up front to get right

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 23 Best Practice: Use a Centralized Access Controller In Presentation Layer if (ACL.isAuthorized(VIEW_LOG_PANEL)) { Here are the logs } In Controller try (ACL.assertAuthorized(DELETE_USER)) { deleteUser(); }

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 24 (3) Access Control Positive Patterns  Code to the permission, not the role  Centralize access control logic  Design access control as a filter  Fail securely (deny-by-default)  Apply same core logic to presentation and server- side access control decisions  Server-side trusted data should drive access control  Provide privilege and user grouping for better management  Isolate administrative features and access

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 25 OWASP Access Control Cheat Sheet (beta, work in progress)

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 26 Anatomy of an CSRF Attack  Consider a consumer banking application that contains the following form Account Num: Transfer Amt: document.getElementById(‘form1’).submit();

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 27 (4) Cross Site Request Forgery Defenses  Cryptographic Tokens  Primary and most powerful defense. Randomness is your friend.  Request that cause side effects should use (and require) the POST method  Alone, this is not sufficient  Require users to re-authenticate  Amazon.com does this *really* well  Double-cookie submit  Decent defense, but no based on randomness, based on SOP

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 28 OWASP CSRF Cheat Sheet Cheat Sheet

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 29 Authentication Dangers  Weak password  Login Brute Force  Username Harvesting  Session Fixation  Weak or Predictable Session  Plaintext or poor password storage  Weak "Forgot Password" feature  Weak "Change Password" feature  Credential or session exposure in transit via network sniffing  Session Hijacking via XSS

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 30 (5) Authentication Defenses  2FA/MFA/Passwords as single factor are DEAD  Develop generic failed login messages that do not indicate whether the user-id or password was incorrect  Enforce account lockout after a pre-determined number of failed login attempts  Force re-authentication at critical application boundaries  edit , edit profile, edit finance info, ship to new address, change password, etc.  Implement server-side enforcement of credential syntax and strength

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 31 OWASP Authentication Sheet Cheat Sheet

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 32  Require identity and security questions  Last name, account number, , DOB  Enforce lockout policy  Ask one or more good security questions   Send the user a randomly generated token via out-of-band method  , SMS or token  Verify code in same web session  Enforce lockout policy  Change password  Enforce password policy (6) Forgot Password Secure Design

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 33 OWASP Forgot Password Sheet Cheat Sheet

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 34  Ensure secure session ID’s  20+ bytes, cryptographically random  Stored in HTTP Cookies  Cookies: Secure, HTTP Only, limited path  Generate new session ID at login time  To avoid session fixation  Session Timeout  Idle Timeout  Absolute Timeout  Logout Functionality (7) Session Defenses

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 35 OWASP Session Management Cheat Sheet

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 36 (8) Clickjacking Defense  Standard Option: X-FRAME-OPTIONS Header // to prevent all framing of this content response.addHeader( "X-FRAME-OPTIONS", "DENY" ); // to allow framing of this content only by this site response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );  Frame-breaking Script defense: body{display:none} if (self == top) { var antiClickjack = document.getElementByID("antiClickjack"); antiClickjack.parentNode.removeChild(antiClickjack) } else { top.location = self.location; }

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 37 OWASP Clickjacking Sheet Cheat Sheet Missing, care to help?

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 38 (9a) Secure Password Storage public String hash(String plaintext, String salt, int iterations) throws EncryptionException { byte[] bytes = null; try { MessageDigest digest = MessageDigest.getInstance(hashAlgorithm); digest.reset(); digest.update(ESAPI.securityConfiguration().getMasterSalt()); digest.update(salt.getBytes(encoding)); digest.update(plaintext.getBytes(encoding)); // rehash a number of times to help strengthen weak passwords bytes = digest.digest(); for (int i = 0; i < iterations; i++) { digest.reset(); bytes = digest.digest(bytes); } String encoded = ESAPI.encoder().encodeForBase64(bytes,false); return encoded; } catch (Exception ex) { throw new EncryptionException("Internal error", "Error"); }}

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 39 (9b) Password Security Defenses  Disable Browser Autocomplete   Password and form fields  Input type=password  Additional password security  Do not display passwords in HTML document  Only submit passwords over HTTPS

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 40 OWASP Password Storage Sheet Cheat Sheet beta, work in progress

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 41 (10) Encryption in Transit (TLS)  Authentication credentials and session identifiers must me be encrypted in transit via HTTPS/SSL  Starting when the login form is rendered  Until logout is complete  All other sensitive data should be protected via HTTPS!  free online assessment of public facing server HTTPS configuration  tion_Cheat_Sheet for HTTPS best practices tion_Cheat_Sheet

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 42 OWASP Transport Layer Protection Cheat Sheet

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 43 Thank you! Questions?  

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.