The OWASP 2010 Top 10. Jason Montgomery, CISSP. OWASP Cincinnati – Aug 30, 2011.

Presentation transcript:

Cyber Security Engineering Team, AEP. Author / Technical Editor: Professional K2 blackpearl (Wiley Press, © 2009), Professional C#, Beginning C#, etc. SANS Institute (sans.org): DEV 532: Essential Secure Coding in ASP.NET; DEV 544: Secure Coding in .NET: Developing Defensible Applications; GIAC GSSP.NET Steering Committee. Developer; Sys Admin. © 2011 Jason Montgomery

“Code is Law” - Lawrence Lessig

Who's Vulnerable? “When first tested, more than half of all applications fail to meet acceptable security quality, and more than 8 out of 10 web applications fail OWASP Top 10.” Veracode, State of Software Security Report

Who's Vulnerable? Source: Whitehat Website Security Statistics Report, Winter

Window of Exposure. Source: Whitehat Website Security Statistics Report, Winter. Figure at a Glance, sorted by industry: the average number of serious* vulnerabilities per website, the percentage of reported vulnerabilities that have been resolved (Remediation Rate), and the average time that a website is exposed to at least one serious vulnerability (Window of Exposure).

What are some challenges to Secure Applications?

Challenges to App Sec: business (features) drives development, not security (non-functional requirements).

Market Forces: “Don’t Worry, Be Crappy” - Guy Kawasaki

Knowledge Gap: “Our developers are pretty smart. I’m sure they’ve got it covered.” “Our developers do amazing things. I’m sure they already understand these issues.” “We haven’t been hacked yet.”

Constraints: “We don’t have the time.” “It’s too expensive.” “We don’t have anyone here with the expertise.”

No Process to Incorporate Security: no security in the software development lifecycle; reliance on black-box or white-box scanning; only fix what’s found; little or no assurance.

“6 Billion Crash Test Dummies” - David Rice, Geekonomics: The Real Cost of Insecure Software

Software and Security: Common Weakness Enumeration (CWE). Top-x lists: OWASP Top 10 – 2010: The 10 Most Critical Web Application Security Risks; 2010 CWE/SANS Top 25 Most Dangerous Software Errors.

Software and Security: why are these important? Raise awareness / education; industry-accepted mitigation techniques; collaboration; define common terms and a common language for describing issues; make security measurable; help prioritize.

Secure vs. Defensible: software bugs vs. flaws. CWE defines ~658 software weaknesses; 356 can be introduced during design, 578 can be introduced during implementation. 100% security…? Goal: secure… or defensible?

Add Security to the Development Lifecycle: The Building Security In Maturity Model (BSIMM2); Software Assurance Maturity Model (SAMM) – OWASP; Microsoft SDLC.

OWASP Top 10 (2010): A1: Injection; A2: Cross-Site Scripting (XSS); A3: Broken Authentication and Session Management; A4: Insecure Direct Object References; A5: Cross-Site Request Forgery (CSRF); A6: Security Misconfiguration; A7: Insecure Cryptographic Storage; A8: Failure to Restrict URL Access; A9: Insufficient Transport Layer Protection; A10: Unvalidated Redirects and Forwards.

A2: Cross-Site Scripting (XSS). “The software does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users.” - CWE-79

CWE Taxonomy of XSS: CWE-20: Improper Input Validation (Category); CWE-74: Injection (Class); CWE-79: Cross-Site Scripting (Base); CWE-80: Basic XSS (V); CWE-81: Improper Sanitization of Script in an Error Message Web Page (V); CWE-83: Improper Neutralization of Script in Attributes in a Web Page (V); CWE-84: Failure to Resolve Encoded URI Schemes in a Web Page (V); CWE-85: Doubled Character XSS Manipulations (V); CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages (V); CWE-87: Failure to Sanitize Alternate XSS Syntax (V). (V = Variant.)

Cross-site Scripting Types: Stored XSS - persisted to a data store, embedded into the DOM server-side. Reflected XSS - reflected from the client into the DOM by the server. DOM-based XSS - reflected through the URL back to the client, embedded into the DOM by JavaScript.

Reflected XSS Example (Error.aspx). URL query string value: %3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E (URL-decoded: <script>alert('xss');</script>). Output HTML: The following error occurred: <script>alert('xss');</script>

Context Matters. Web output contexts: HTML entities, HTML attributes, JavaScript, URL, CSS / style.

XSS Injection Points. HTML element: <%= Request.QueryString['message'] %>; HTML attribute: <img alt="<%= Request.QueryString['altTxt'] %>" src=... />; HTML comments: <!-- … -->

XSS Injection Points Cont. JavaScript variables / data: function Redirect() { document.location = '<%= Request.QueryString["location"] %>'; }; Style attributes / CSS files: <DIV STYLE="width: <%= untrustedInput %>"... />; URL: <a href="…">link</a>

Real XSS Examples (query-string payloads from public reports): alert('boo'); askId=135&prod=%22%3E%3CSCRIPT%3Ealert(%22kefka%20was%20here%22)%3C/SCRIPT%3E; =%3C/textarea%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&send=Send; C/script%3E&_nks=true&c=us&cs=19&l=en&s=dhs&x=0&y=0; %22onmouseover=%22alert('XSS')%22

XSS in the News: Facebook (Oct. 5th, 2010) - “wormable”; Twitter (Sept. 21st, 2010) - “wormable”.

A1 / A2: Injection – Defense in Depth: constrain input through input validation.

A1 / A2: Injection – Solution: must encode special characters.

Injection: Ask Two Questions. For inbound data: should I consume it? For outbound data: should I emit it? Ask both at the web application and at the info store, in each direction data flows.

Injection Mitigation – Defense in Depth: assume all input is malicious; (re)use a vetted library. Validate input: enforce length checks, enforce type checks, whitelists/blacklists. Escape/encode output: properly encode/escape data. * Take care with regular expressions.
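The validation side of that list, as an added example that is not part of the presentation: a whitelist validator for query-string values that applies length checks before type checks, converts only values that pass, rejects anything without a rule, and shows the regular-expression pitfall the slide footnotes. The field names, limits and patterns (RULES, validateField, validateQuery, regexAccepts) are constructed for this example.

```javascript
// Added example (not from the presentation): whitelist input validation in the
// defense-in-depth style the slide lists, plus the regex pitfall it warns about.
// Field names, limits and patterns below are constructed for illustration.

// Constructed rules: a real application derives these from its data model.
const RULES = {
  username: { type: 'string', maxLength: 32, pattern: /^[A-Za-z0-9_]+$/ },
  quantity: { type: 'integer', min: 1, max: 100 },
  message:  { type: 'string', maxLength: 200, pattern: /^[A-Za-z0-9 .,!?'-]+$/ },
};

// Validate one raw value. Returns { ok: true, value } with the converted, trusted
// value, or { ok: false, reason }. Anything without a rule is rejected outright.
function validateField(name, raw) {
  const rule = RULES[name];
  if (!rule) return { ok: false, reason: 'unknown field' };
  // Frameworks hand over arrays for repeated parameters (?q=1&q=2); only accept a string.
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  // Length check first: cheap, and it bounds the work the regex can do.
  if (rule.maxLength !== undefined && raw.length > rule.maxLength) return { ok: false, reason: 'too long' };
  if (rule.type === 'integer') {
    // Digits only: no sign, exponent, whitespace or hex that Number() would accept.
    if (!/^[0-9]{1,9}$/.test(raw)) return { ok: false, reason: 'not an integer' };
    const n = Number(raw);
    if (n < rule.min || n > rule.max) return { ok: false, reason: 'out of range' };
    return { ok: true, value: n };
  }
  if (!rule.pattern.test(raw)) return { ok: false, reason: 'disallowed characters' };
  return { ok: true, value: raw };
}

// Validate a whole query object. Every field is checked and nothing is trusted
// until everything passes; the errors map tells the caller what to report.
function validateQuery(query) {
  const values = {}, errors = {};
  for (const [name, raw] of Object.entries(query)) {
    const r = validateField(name, raw);
    if (r.ok) values[name] = r.value; else errors[name] = r.reason;
  }
  return { ok: Object.keys(errors).length === 0, values, errors };
}

// "Take care with regular expressions": with JavaScript's multiline flag, ^ and $
// match at line boundaries, so this whitelist accepts anything after a newline.
const SLOPPY_USERNAME = /^[A-Za-z0-9_]+$/m;
const STRICT_USERNAME = /^[A-Za-z0-9_]+$/;
function regexAccepts(re, value) { return re.test(value); }
```

Validation is the first layer only: a value that passes the `message` rule still has to be encoded for the context it is written into, which is the output-encoding half of the slide.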

Cross-Site Scripting (XSS) Mitigation – Defense in Depth: set a consistent encoding (otherwise alternate encodings such as UTF-7 +ADw-script+AD4- can slip past filters); encode using whitelists; constrain input; sanitize dangerous tags/attributes; avoid allowing HTML input (if possible): prefer a lightweight markup language (e.g. BBCode) and convert it to styled output; not always an option with WYSIWYG controls on sites.
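The lightweight-markup alternative to accepting HTML, as an added example that is not from the presentation or from any BBCode library: a converter for a deliberately small, constructed dialect ([b], [i], [u], [url=...]) in which every character that is not a recognised tag is HTML-encoded as text, link targets must match an http(s) whitelist, and the output is always well-formed. The names (htmlEncode, TOKEN, SAFE_URL, bbcodeToHtml) are this example's own.

```javascript
// Added example (not from the presentation or any library): convert a small
// constructed BBCode dialect to HTML so the application never stores or emits
// raw user-supplied HTML. Only [b], [i], [u] and [url=...] are understood.

// Entity-encode text so the only markup in the output is what the converter emits.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// One token regex: open tag (group 1), close tag (group 2), [url=...] (group 3), [/url].
const TOKEN = /\[(b|i|u)\]|\[\/(b|i|u)\]|\[url=([^\]\s]+)\]|\[\/url\]/g;
// Whitelist of link targets: absolute http(s) URLs made of URL characters only.
const SAFE_URL = /^https?:\/\/[A-Za-z0-9._~:\/?#@!$&'()*+,;=%-]+$/;

function bbcodeToHtml(input) {
  let out = '';
  const open = [];      // stack of currently open tags, so output is always well-formed
  let last = 0;
  for (const m of input.matchAll(TOKEN)) {
    out += htmlEncode(input.slice(last, m.index));   // text between tokens is data
    last = m.index + m[0].length;
    if (m[1]) {                                      // [b] [i] [u]
      open.push(m[1]);
      out += `<${m[1]}>`;
    } else if (m[2]) {                               // [/b] [/i] [/u]
      if (open[open.length - 1] === m[2]) { open.pop(); out += `</${m[2]}>`; }
      else out += htmlEncode(m[0]);                  // stray close tag: show it as text
    } else if (m[3] !== undefined) {                 // [url=...]
      if (SAFE_URL.test(m[3])) { open.push('a'); out += `<a href="${htmlEncode(m[3])}">`; }
      else out += htmlEncode(m[0]);                  // non-http(s) or malformed target: plain text
    } else {                                         // [/url]
      if (open[open.length - 1] === 'a') { open.pop(); out += '</a>'; }
      else out += htmlEncode(m[0]);
    }
  }
  out += htmlEncode(input.slice(last));
  while (open.length) out += `</${open.pop()}>`;     // close anything left open
  return out;
}
```

Because the converter, not the user, decides which tags and attributes exist, the sanitization problem shrinks from "strip dangerous HTML" to "validate a handful of tokens", which is why the slide prefers this over a WYSIWYG HTML field where it is an option.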

Microsoft Web Protection Library (WPL), AKA AntiXSS 4.0: whitelists narrowly define the allowable character sets and encode everything else.

WPL Cross-Site Scripting (XSS) Sanitation. Web Protection Library Sanitizer class: “…transforms and filters HTML of executable scripts. A safe list of tags and attributes are used to strip dangerous scripts from the HTML. HTML is also normalized where tags are properly closed and attributes are properly formatted.” [1] Sanitizer.GetSafeHtml() sanitizes an entire HTML document; Sanitizer.GetSafeHtmlFragment() sanitizes a fragment of an HTML document.

UnicodeCharacterEncoder.MarkAsSafe(): configures the Encoder class with the valid ranges of Unicode. Choose the expected Lower, Lower Middle, Middle, Upper Middle, and Upper ranges from the Unicode code chart.

WPL Encoder Class: static encoding methods for the web: Encoder.CssEncode(), Encoder.HtmlEncode(), Encoder.HtmlAttributeEncode(), Encoder.UrlEncode(), Encoder.HtmlFormEncode(), Encoder.JavaScriptEncode(), Encoder.VisualBasicScriptEncode().

XSS Injection Fixed. HTML element: <%= Encoder.HtmlEncode(Request.QueryString['message']) %>; HTML attribute: <img alt="<%= Encoder.HtmlAttributeEncode(Request.QueryString['altTxt']) %>" src=... />

XSS Injection Fixed Cont. JavaScript variables / data: function Redirect() { document.location = '<%= Encoder.JavaScriptEncode(Request.QueryString["location"]) %>'; }; Style attributes / CSS files: <DIV STYLE="width: <%= Encoder.CssEncode(untrustedInput) %>"... />

ASP.NET 4.0 – Encoding: change the default encoding; new abbreviated syntax (<%: … %>).

ASP.NET 4.0 – Encoding. New abbreviated syntax* – does NOT completely encode for HTML attributes, JavaScript, VBScript, URL, or the MVC 3 Razor view engine. Default encoder blacklist: & ' " < > and the range 0x0a – 0xFF.
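Why the whitelist encoders of the WPL Encoder class are split by context, and why a single blacklist HTML encoder is not enough for the JavaScript, CSS and URL injection points shown earlier, as an added example that is not from the presentation or from the Web Protection Library: a modelled encoder per context (letters and digits pass, everything else is encoded in the form that context understands) beside a blacklist encoder modelled on just the five characters & ' " < > the slide lists for the ASP.NET 4.0 default (the 0x0a – 0xFF range is not modelled). The function names and the SAFE / BLACKLIST tables are this example's own, and `renderRedirect` re-creates the Redirect() snippet from the slides with a chosen encoder.

```javascript
// Added example (not from the presentation or the Web Protection Library):
// whitelist, context-specific output encoders modelled on the AntiXSS idea that
// everything outside a narrow safe set is encoded, beside a blacklist encoder
// modelled on the five characters the slide lists for the ASP.NET 4.0 default.

const SAFE = /^[A-Za-z0-9]$/;   // the whitelist: ASCII letters and digits only

// HTML element context. Space is left alone; every other non-alphanumeric
// character becomes a numeric character reference.
function htmlEncode(s) {
  return Array.from(s, ch => (SAFE.test(ch) || ch === ' ') ? ch : `&#${ch.codePointAt(0)};`).join('');
}

// HTML attribute context. As above but space is encoded too, so a value can
// never terminate an unquoted attribute.
function htmlAttributeEncode(s) {
  return Array.from(s, ch => SAFE.test(ch) ? ch : `&#${ch.codePointAt(0)};`).join('');
}

// JavaScript string-literal context: \xHH for code units below 0x100, \uHHHH above.
// Works on UTF-16 code units, so an astral character becomes a pair of \u escapes.
function javaScriptEncode(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i], unit = s.charCodeAt(i);
    if (SAFE.test(ch)) { out += ch; continue; }
    const hex = unit.toString(16).toUpperCase();
    out += unit < 0x100 ? `\\x${hex.padStart(2, '0')}` : `\\u${hex.padStart(4, '0')}`;
  }
  return out;
}

// CSS value context: CSS hex escape terminated by a space, one per code point.
function cssEncode(s) {
  return Array.from(s, ch => SAFE.test(ch) ? ch : `\\${ch.codePointAt(0).toString(16).toUpperCase()} `).join('');
}

// URL context: percent-encode every UTF-8 byte that is not an ASCII letter or digit.
function urlEncode(s) {
  return Array.from(new TextEncoder().encode(s), b => {
    const ch = String.fromCharCode(b);
    return SAFE.test(ch) ? ch : '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }).join('');
}

// Blacklist encoder: only the five characters the slide names are touched;
// backslash, newline and everything else pass through unchanged.
const BLACKLIST = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function defaultHtmlEncode(s) {
  return s.replace(/[&<>"']/g, ch => BLACKLIST[ch]);
}

// The Redirect() snippet from the slides, rendered server-side with a chosen
// encoder, so the two approaches can be compared on the same input.
function renderRedirect(untrusted, encode) {
  return `document.location = '${encode(untrusted)}';`;
}
```

Inside a script block HTML character references are not decoded, so the blacklist encoder's `&#39;` arrives in the JavaScript source as literal text while a backslash in the input passes through untouched and escapes the closing quote of the string literal; the JavaScript encoder turns both into `\x27` and `\x5C`, which the engine reads back as the original characters and nothing else. The same reasoning is why the slides reach for CssEncode and UrlEncode rather than HtmlEncode in the style and URL injection points.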

Replacing Default HttpEncoder. web.config: set the httpRuntime element's encoderType attribute to the AntiXssEncoder class. AntiXssEncoder.cs:

using System.IO;
using System.Web.Util;
using Microsoft.Security.Application;

// Routes the framework's HtmlEncode / HtmlAttributeEncode calls (<%: %> and server controls) through the AntiXSS whitelist encoder.
public class AntiXssEncoder : HttpEncoder
{
    public AntiXssEncoder() { }

    protected override void HtmlEncode(string value, TextWriter output)
    {
        output.Write(Encoder.HtmlEncode(value));
    }

    protected override void HtmlAttributeEncode(string value, TextWriter output)
    {
        output.Write(Encoder.HtmlAttributeEncode(value));
    }
}

XSS Exploit Demo: BeEF - Browser Exploitation Framework.

Contact: email (put OWASP in the subject); LinkedIn; Blog.