Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP: Detecting Web Application Vulnerabilities Using Open Source Means
Konstantinos Papapanagiotou, Committee Member, OWASP Greek Chapter
3rd Free / Libre / Open Source Software (FLOSS) Conference, 27/5/2008

What is OWASP?
- The Open Web Application Security Project
- Worldwide, free and open community
- Mission: improve application software security
- Information and awareness: documentation, guidelines, forums, mailing lists, conferences, local chapters
- Practical aspects: open source tools
- Non-profit, charitable organization
- Members: VISA, Deloitte, Unisys, Foundstone, ...

The Greek Chapter
- Created in 2005, active since early 2007
- Mission: raise security awareness in Greece
- Activities: translation of OWASP documentation, mailing list, monthly newsletter, participation in working groups and conferences
- Software tools: Web Vulnerability Scanner (WVS)
- ~60 members
- Soon:

Outline
- Motivation: the need for web security
- Terminology
- OWASP Top 10: the 10 most important vulnerabilities
- Detection tools: OWASP WebScarab; WVS (Web Vulnerability Scanner)
- Conclusions

Web Security
- Rapid growth of the Internet in the last 2-3 years: more users, more bandwidth, dynamic web sites
- Hacker trends have changed:
  - Used to be: viruses, worms, defacements
  - Now: phishing, zombie networks (botnets), attacks on web applications
- Weakest links: end users and developers

Web Application Vulnerabilities
- Some vocabulary: threats, vulnerabilities, exploits, attacks, patching...
- Web applications are a new category of application:
  - Widely available: reachable by anyone on the Internet, not only by local users
  - Can access local resources (databases, files, back-end systems)
  - New code mixed with old code

Tackling the problem
- Security is not a one-off project
- Secure development lifecycle:
  1. Getting informed, raising awareness
  2. Secure design and implementation
  3. Product launch
  4. Vulnerability detection
  5. Patching
  6. Monitoring
  7. Keep track, and repeat
- Not an end-user-only or developer-only matter

Step 1: Awareness - The OWASP Top 10
- Document listing the 10 most important web application vulnerabilities
- Aim: educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities
- Provides, for each entry, a brief description and basic methods of protection
- 2007: second version (the entries below are from the 2007 edition)

The Vulnerabilities
- A1 - Cross Site Scripting (XSS)
  - User-supplied data is sent to the browser without being validated or output-encoded for the context it lands in.
  - Result: attacker-controlled script runs in the victim's browser, which can lead to session hijacking, site defacement, phishing, etc.
- A2 - Injection Flaws (e.g. SQL injection)
  - User-supplied data is sent to an interpreter (SQL, LDAP, XPath, OS shell, ...) as part of a command or query.
  - Result: the interpreter is tricked into executing unintended commands or changing data.
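A1 and A2 side by side, as an added example that is not part of the presentation: a Python/sqlite3 lookup that concatenates the name into the query text next to its parameterised form, and a greeting that reflects the name into HTML next to its encoded form. The user table, the names and the two payloads are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    con.commit()
    return con


def find_user_vulnerable(con, name):
    """A2: the user-supplied value is pasted into the SQL text, so the
    interpreter cannot tell where the data ends and the command begins."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return con.execute(query).fetchall()


def find_user_safe(con, name):
    """A2 fix: a parameterised query binds the value as data only; the
    query structure is fixed before the value is ever seen."""
    return con.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def greeting_vulnerable(name):
    """A1: user data reflected into the page without encoding, so a name
    containing markup becomes part of the page's script."""
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name):
    """A1 fix: entity-encode for the HTML text (and quoted attribute)
    context. A URL or JavaScript context needs its own encoder."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    con = make_db()
    sqli = "x' OR '1'='1"
    print(find_user_vulnerable(con, sqli))   # every row: the tautology wins
    print(find_user_safe(con, sqli))         # []: nobody is literally named that
    xss = "<script>alert(document.cookie)</script>"
    print(greeting_vulnerable(xss))          # script would run in the victim's browser
    print(greeting_safe(xss))                # rendered as harmless text
```

The tautology payload returns both rows from the concatenated query and none from the bound one; the script payload survives intact in the first greeting and comes out as `&lt;script&gt;...` in the second.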

The Vulnerabilities (2)
- A3 - Malicious File Execution (e.g. remote file inclusion, RFI)
  - Code that accepts filenames or files from users can be made to include hostile code and data.
  - Result: up to total server compromise.
  - Target: PHP, XML and any framework which accepts filenames or files from users.
- A4 - Insecure Direct Object Reference
  - A reference to an internal implementation object (file, directory, database record, key, etc.) is exposed as a URL or form parameter without an authorization check on the object itself.
  - Result: attackers manipulate those references to access other objects without authorization.
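A3 and A4 as an added example, not code from the presentation. BASE_DIR, ALLOWED_PAGES and the INVOICES table are assumed application details, used to show the two defences: map user input onto an allow-list (or canonicalise it and confirm it stays under the base directory) instead of building an include path from it, and check that a referenced record belongs to the session user instead of trusting the id in the URL.

```python
import os
from pathlib import Path

# Assumed application layout (not from the presentation): templates live
# here and only these three names may be included.
BASE_DIR = Path("/var/www/app/templates")
ALLOWED_PAGES = {"home", "about", "contact"}


def include_target_vulnerable(page):
    """A3: the include target is built straight from the request parameter.
    In PHP, include($_GET['page'] . '.php') with allow_url_include enabled
    can be pointed at a remote script; traversal strings reach local files
    even without that setting."""
    return f"{BASE_DIR}/{page}.php"


def include_target_safe(page):
    """A3 fix, preferred form: map the parameter onto an allow-list of known
    names so user input never becomes part of a path at all."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {page!r}")
    return str(BASE_DIR / f"{page}.php")


def resolve_under_base(user_path):
    """A3 fix, fallback when a real filename must be accepted: canonicalise
    and confirm the result is still inside BASE_DIR. Returns None for
    traversal ('../'), absolute paths and URL-style values. The paths do
    not need to exist for the check to work."""
    if "://" in user_path:
        return None
    base = BASE_DIR.resolve()
    candidate = (base / user_path).resolve()
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        return None
    return str(candidate)


# Constructed records: invoice id -> (owner, amount).
INVOICES = {
    1001: ("alice", 120.0),
    1002: ("bob", 80.0),
}


def get_invoice_vulnerable(session_user, invoice_id):
    """A4: the direct reference in the URL is trusted; any logged-in user
    who changes ?id=1001 to ?id=1002 reads someone else's invoice."""
    return INVOICES[invoice_id]


def get_invoice_safe(session_user, invoice_id):
    """A4 fix: verify the referenced object belongs to the caller (an
    indirect, per-session reference map is the other common remedy)."""
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != session_user:
        raise PermissionError("invoice not accessible to this user")
    return record


if __name__ == "__main__":
    print(include_target_vulnerable("../../../../etc/passwd%00"))
    print(include_target_safe("about"))
    print(resolve_under_base("home.php"))
    print(resolve_under_base("../../../etc/passwd"))   # None
    print(get_invoice_vulnerable("bob", 1001))          # alice's invoice leaks
    try:
        get_invoice_safe("bob", 1001)
    except PermissionError as e:
        print("blocked:", e)
```

Resolving BASE_DIR itself before comparing matters on systems where the base lives behind a symlink; comparing the canonical forms of both sides avoids a spurious mismatch.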

The Vulnerabilities (3)
- A5 - Cross Site Request Forgery (CSRF)
  - An attacker's page makes the logged-on victim's browser send a request to a vulnerable application; the browser attaches the victim's session cookie, so the application carries out the action as the victim, to the attacker's benefit.
- A6 - Information Leakage and Improper Error Handling
  - Unintentional disclosure of configuration details, internal workings (stack traces, database error messages) or private data.
  - Result: attackers use the leaked information to steal sensitive data or to prepare more serious attacks.
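The A5 mechanism and the synchroniser-token defence, as an added example rather than code from the presentation. SESSIONS, BALANCES, the session id and the two request dictionaries are constructed. The token here is an HMAC of the session id under an assumed server secret, which relies on the session id not being readable by the attacker's page; a random per-session token stored server side is the equally standard alternative.

```python
import hmac
import secrets

# Assumed per-deployment server secret (kept out of the code base in practice).
SERVER_SECRET = secrets.token_bytes(32)

# Constructed session store and account balances.
SESSIONS = {"s3ss10n-alice": "alice"}
BALANCES = {"alice": 500, "bob": 0, "mallory": 0}


def issue_csrf_token(session_id):
    """Synchroniser token bound to the session. The real site embeds it in
    a hidden form field; an attacker's page cannot read it (same-origin
    policy), so it cannot produce a valid submission."""
    return hmac.new(SERVER_SECRET, session_id.encode(), "sha256").hexdigest()


def csrf_token_valid(session_id, submitted):
    expected = issue_csrf_token(session_id)
    return submitted is not None and hmac.compare_digest(expected, submitted)


def do_transfer(src, dst, amount):
    if BALANCES[src] < amount:
        return "rejected: insufficient funds"
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return f"transferred {amount} from {src} to {dst}"


def transfer_vulnerable(request):
    """A5: the cookie alone authorises the action. The browser attaches the
    cookie to any request for this origin, including one auto-submitted by
    an attacker's page, so the victim's session performs the transfer."""
    user = SESSIONS.get(request["cookie_session"])
    if user is None:
        return "rejected: not logged in"
    form = request["form"]
    return do_transfer(user, form["to"], int(form["amount"]))


def transfer_safe(request):
    """A5 fix: additionally require the per-session token in the form body."""
    user = SESSIONS.get(request["cookie_session"])
    if user is None:
        return "rejected: not logged in"
    form = request["form"]
    if not csrf_token_valid(request["cookie_session"], form.get("csrf")):
        return "rejected: missing or invalid CSRF token"
    return do_transfer(user, form["to"], int(form["amount"]))


def legitimate_request():
    """Submission of the real site's form, carrying the token it was served with."""
    return {
        "cookie_session": "s3ss10n-alice",
        "form": {"to": "bob", "amount": "10",
                 "csrf": issue_csrf_token("s3ss10n-alice")},
    }


def forged_request():
    """Auto-submitted form on attacker.example: the browser adds the cookie,
    but the attacker never saw the token."""
    return {
        "cookie_session": "s3ss10n-alice",
        "form": {"to": "mallory", "amount": "100"},
    }


if __name__ == "__main__":
    print(transfer_vulnerable(forged_request()))   # transferred 100 to mallory
    print(transfer_safe(forged_request()))         # rejected: missing token
    print(transfer_safe(legitimate_request()))     # transferred 10 to bob
```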

The Vulnerabilities (4)
- A7 - Broken Authentication and Session Management
  - Account credentials and session tokens are often not properly protected.
  - Result: attackers compromise passwords, keys or session tokens and assume other users' identities.
- A8 - Insecure Cryptographic Storage
  - Web applications rarely use cryptographic functions properly to protect data and credentials (weak or home-grown algorithms, unsalted hashes, keys stored next to the data).
  - Result: identity theft, credit card fraud, etc.
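A7 and A8 as an added example (not from the presentation): a clock-derived session token beside one drawn from the OS CSPRNG, and unsalted MD5 password storage beside salted, iterated PBKDF2-HMAC-SHA256 with its verifier. The passwords and iteration counts are assumed; the default of 600,000 iterations follows current OWASP password storage guidance, far above what a 2008 deployment would have used.

```python
import hashlib
import hmac
import os
import secrets
import time


def session_token_weak():
    """A7 anti-pattern: a token derived from the clock (or a counter) is
    guessable; knowing roughly when the victim logged in is enough to
    enumerate candidates."""
    return hashlib.md5(str(int(time.time())).encode()).hexdigest()


def session_token_strong():
    """A7: 256 bits from the OS CSPRNG. Issue a fresh one after login so a
    pre-set (fixated) session id does not survive authentication."""
    return secrets.token_urlsafe(32)


def hash_password_weak(password):
    """A8 anti-pattern: fast, unsalted hash. Identical passwords hash
    identically across users, and precomputed tables invert it."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password_strong(password, iterations=600_000):
    """A8: salted, iterated PBKDF2-HMAC-SHA256. The stored string carries
    its parameters so the cost can be raised later without re-hashing
    every record at once."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: a plain == leaks how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print(session_token_weak(), session_token_strong())
    print(hash_password_weak("Summer2008") == hash_password_weak("Summer2008"))  # True
    s1 = hash_password_strong("Summer2008", iterations=50_000)
    s2 = hash_password_strong("Summer2008", iterations=50_000)
    print(s1 == s2)                            # False: per-user salt
    print(verify_password("Summer2008", s1))   # True
    print(verify_password("summer2008", s1))   # False
```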

The Vulnerabilities (5)
- A9 - Insecure Communications
  - Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications (credentials, session cookies, personal data).
- A10 - Failure to Restrict URL Access
  - Frequently an application only "protects" sensitive functionality by not showing its links or URLs to unauthorized users; the server never checks who is asking.
  - Result: attackers access and perform unauthorized operations simply by requesting those URLs directly.

Step 2: Detection - OWASP WebScarab
- Framework for analysing applications that communicate over HTTP and HTTPS
- Written in Java for portability
- Operates as an intercepting proxy between the browser and the server:
  - The operator can review and modify requests created by the browser before they are sent to the server
  - The operator can also review and modify responses returned by the server before the browser receives them
- Several modes of operation and plugins

Step 2: Detection - OWASP WebScarab (2)
- Target groups:
  - Developers can debug otherwise difficult problems
  - Security specialists can identify vulnerabilities in the way the application has been designed or implemented
- SP_WebScarab_Project
- Under development: OWASP WebScarab Next Generation
  - Complete rewrite
  - New user interface
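What "review and modify requests before they are sent" amounts to in practice, as an added example rather than WebScarab's code: parse a raw HTTP/1.1 request, change one form field, and re-serialise with a recomputed Content-Length. RAW_REQUEST is a constructed capture of a checkout POST whose price travels in a hidden field; the host, cookie and field names are assumed.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed capture of a browser request (not from the presentation).
RAW_REQUEST = (
    b"POST /cart/checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: JSESSIONID=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"item=42&qty=1&price=1999.00"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def set_form_field(req, name, value):
    """Operator edit: change one field of a form-encoded body."""
    fields = dict(parse_qsl(req["body"].decode("iso-8859-1"),
                            keep_blank_values=True))
    fields[name] = value
    req["body"] = urlencode(fields).encode("iso-8859-1")
    return req


def serialize_request(req):
    """Re-emit the request. Content-Length is recomputed because the edit
    changed the body size; a stale value truncates the body or makes the
    server wait for bytes that never arrive."""
    headers = [(n, v) for n, v in req["headers"] if n.lower() != "content-length"]
    headers.append(("Content-Length", str(len(req["body"]))))
    start = f"{req['method']} {req['target']} {req['version']}\r\n"
    head = "".join(f"{n}: {v}\r\n" for n, v in headers)
    return (start + head + "\r\n").encode("iso-8859-1") + req["body"]


def tamper_price(raw, new_price):
    """The tester's move in the proxy: intercept, edit the hidden field,
    forward. If the server honours the new price, pricing is trusted to
    the client and the finding is confirmed."""
    req = parse_request(raw)
    set_form_field(req, "price", new_price)
    return serialize_request(req)


if __name__ == "__main__":
    print(tamper_price(RAW_REQUEST, "0.01").decode("iso-8859-1"))
```

Responses get the same treatment in the other direction (parse, edit, recompute length, forward), which is how a proxy user removes a client-side "disabled" attribute or rewrites a JavaScript validation routine before the page reaches the browser.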

Step 2: Detection - WVS
- Web Vulnerability Scanner
- Started as a university student project
- Goal: test a web site or application (not the server behind it)
- Target group: security specialists, penetration testers, developers
- Functional but still under development
- Beta version at:

WVS - Design and Implementation
- Three-tier architecture:
  - Vulnerability database: SQLite; data retrieval API; update API
  - Communication API: communication with the server (GET, POST, etc.)
  - Presentation level: plain-text output, graphical interface, HTML, etc.
- Multi-threaded, with a user-specified number of threads

WVS - Advantages
- Fewer false negatives:
  - "Paranoid scanning", enabled by the user: retrieves the site's structure and runs every available check against the entire site
- Fewer false positives:
  - Static sites: MD5 hash checking of responses
  - Future work: dynamic sites
- Portability:
  - Open and portable technologies (SQLite, libcurl, etc.)
  - Future work: POSIX threads
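The three-tier design and the MD5 false-positive check from the two slides above, as an added example modelled on their description rather than WVS's own code. CHECKS and SITE are constructed: a small SQLite table stands in for the vulnerability database, a dictionary stands in for the communication API, and the target answers 200 with a generic error page for unknown paths (a soft 404). The assumption here is that the MD5 check compares each response against a baseline not-found page; the slide names only the hashing.

```python
import hashlib
import sqlite3
import uuid

# Constructed vulnerability database (tier 1): a path to probe and what a
# hit means. Not the real WVS database.
CHECKS = [
    ("backup-config", "/config.php.bak", "exposed configuration backup"),
    ("phpinfo", "/phpinfo.php", "phpinfo() disclosure"),
    ("admin-panel", "/admin/", "administrative interface reachable"),
]


def build_check_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE checks (id TEXT PRIMARY KEY, path TEXT, description TEXT)")
    con.executemany("INSERT INTO checks VALUES (?, ?, ?)", CHECKS)
    con.commit()
    return con


# Constructed target, standing in for the communication API (tier 2, libcurl
# in WVS). Unknown paths get 200 plus a generic page, which is exactly what
# fools a status-code-only scanner.
SITE = {
    "/": (200, "<html><body>Welcome to the shop</body></html>"),
    "/phpinfo.php": (200, "<html><body>PHP Version 5.2.6</body></html>"),
}
SOFT_404 = (200, "<html><body>Sorry, that page was not found.</body></html>")


def fetch(path):
    return SITE.get(path, SOFT_404)


def md5_of(body):
    return hashlib.md5(body.encode()).hexdigest()


def not_found_fingerprint():
    """Request a path that cannot exist and record how the site answers."""
    status, body = fetch("/" + uuid.uuid4().hex)
    return status, md5_of(body)


def scan_naive(con):
    """Status code only: on a soft-404 site every probe looks like a hit."""
    return [
        (cid, path, desc)
        for cid, path, desc in con.execute("SELECT id, path, description FROM checks")
        if fetch(path)[0] == 200
    ]


def scan_fingerprinted(con):
    """MD5 comparison against the not-found baseline removes the false
    positives. This holds for a static error page; a dynamic one (timestamp,
    request id, echoed path) hashes differently on every request and needs
    a similarity measure instead, which is the slide's open problem."""
    base_status, base_hash = not_found_fingerprint()
    findings = []
    for cid, path, desc in con.execute("SELECT id, path, description FROM checks"):
        status, body = fetch(path)
        if status != 200:
            continue
        if status == base_status and md5_of(body) == base_hash:
            continue  # same page the site serves for anything unknown
        findings.append((cid, path, desc))
    return findings


if __name__ == "__main__":
    con = build_check_db()
    print("naive:", scan_naive(con))               # all three checks "hit"
    print("fingerprinted:", scan_fingerprinted(con))  # only phpinfo.php
```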

WVS - Future Work
- Eliminate false positives on dynamic sites
- Enhance portability: POSIX threads; Java implementation (?)
- More sophisticated checks for XSS and SQL injection
- Fuzzing algorithms
- Other suggestions...

Conclusions
- Web application security is a continuous process
- Developers have the skills but are not always well informed
- Organizations follow deadlines and worry about security only after release
- End users: low awareness
- OWASP: a continuous effort to raise awareness

Q & A