OWASP Top 10
Bill Riggins III, OWASP Orlando Co-Chapter Lead

Top 10 for 2010

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
A1: Injection

Spot the Bug

```php
<?php
// Untrusted input: "offset" comes straight from the query string.
$offset = $_GET['offset'];
// The value is spliced into the SQL text, so it can carry SQL, not just a number.
$query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
$result = pg_query($conn, $query);
?>
```

Spot the Bug: Solution

$offset is attacker-controlled and concatenated into the query string. pg_query() executes whatever SQL results, so the attacker decides what the OFFSET expression does, and, because pg_query() accepts several statements separated by semicolons, what runs after it.

Mitigation

```php
<?php
$offset = $_GET['offset'];
// Single quotes: $1 is a Postgres placeholder, not a PHP variable to interpolate.
$query = 'SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $1;';
// pg_query_params() sends the statement and the values separately; the value is
// never parsed as SQL. Postgres rejects a non-integer for OFFSET on its own, but
// checking the type first ((int) cast or ctype_digit()) gives a cleaner error.
$result = pg_query_params($conn, $query, array($offset));
?>
```
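The same bug and fix, as an added example that is not from the talk, in Python against an in-memory SQLite database (a stand-in for the slide's PHP and Postgres; the products table, the users table and the password in it are constructed for the demo). It shows why an OFFSET injection matters even though no UNION or error message is available: OFFSET accepts any integer expression, so the attacker turns the product listing into a yes/no oracle and reads a secret one character at a time. The hardened function binds the value and also checks that it is a non-negative integer.

```python
import sqlite3

# Constructed sample database; the talk only shows "SELECT id, name FROM products".
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        INSERT INTO products (name) VALUES ('anvil'), ('bolt'), ('cog');
        CREATE TABLE users (name TEXT, password TEXT);  -- any sensitive table will do
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn

def list_products_vulnerable(conn, offset):
    # Same shape as the Spot the Bug slide: untrusted text spliced into the SQL.
    sql = f"SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET {offset}"
    return conn.execute(sql).fetchall()

def list_products_fixed(conn, offset):
    # Same shape as the mitigation slide: the value is bound, never interpolated.
    # The type check is extra; the database would reject a bound non-integer anyway.
    if not str(offset).isdigit():
        raise ValueError("offset must be a non-negative integer")
    sql = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET ?"
    return conn.execute(sql, (int(offset),)).fetchall()

def leak_char(conn, position, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Blind boolean injection through the OFFSET expression: a correct guess gives
    OFFSET 0 (products are shown), a wrong one OFFSET 1000 (empty page)."""
    for ch in alphabet:
        payload = (f"CASE WHEN (SELECT substr(password, {position}, 1) FROM users "
                   f"WHERE name = 'admin') = '{ch}' THEN 0 ELSE 1000 END")
        if list_products_vulnerable(conn, payload):
            return ch
    return None

def leak_password(conn, length):
    """Recover `length` characters of the admin password from the vulnerable endpoint."""
    return "".join(leak_char(conn, i) or "?" for i in range(1, length + 1))

def fixed_rejects(conn, offset):
    """True if the hardened endpoint refuses the value before it reaches SQL."""
    try:
        list_products_fixed(conn, offset)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("vulnerable endpoint leaks:", leak_password(db, 6))
    print("fixed endpoint rejects payload:", fixed_rejects(db, "CASE WHEN 1 THEN 0 ELSE 1000 END"))
```

Each guess is one HTTP request with a different offset value; the attacker needs no error messages, only the difference between a page with products and an empty one.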
A2: Cross-Site Scripting (XSS)

Spot the Bug

```jsp
<!doctype html>
<html lang="en">
<head><title>XSS test</title></head>
<body>
<form>
  <input type="text" name="xss">
  <input type="submit">
</form>
<%-- The request parameter is written into the page exactly as received. --%>
<p>Result: ${param.xss}</p>
</body>
</html>
```

Spot the Bug: Solution

${param.xss} echoes the request parameter into the HTML body without encoding it. A value containing markup, for example a script element, is parsed as part of the page and runs in the site's origin: reflected XSS, delivered by any link that sets the xss parameter.

Mitigation

```jsp
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<!doctype html>
<html lang="en">
<head><title>XSS test</title></head>
<body>
<form>
  <input type="text" name="xss">
  <input type="submit">
</form>
<%-- fn:escapeXml() turns <, >, &, ' and " into entities, so the browser shows the
     value as text. This is the right encoding for element content; attribute, URL
     and JavaScript contexts each need their own. --%>
<p>Result: ${fn:escapeXml(param.xss)}</p>
</body>
</html>
```
A3: Broken Auth & Session Mgmt.

Spot the Bug

```http
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 Gecko
Accept: text/xml, image/png, image/jpeg, image/gif, */*
Cookie: PHPSESSID=
```

Spot the Bug: Solution

The PHPSESSID cookie is the entire proof of identity for this request. If it travels over plain HTTP, anyone on the path can read it and replay it, and nothing about the request indicates the identifier was rotated at login or restricted to HTTPS.

Mitigation

- Use HTTPS for anything that carries the session or performs an authorization check
- Set the HttpOnly and Secure flags on the session cookie
- Keep the session cookie out of the URL
- Rotate session IDs after successful login
- Etc, see OWASP documentation.
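The mitigation list as working code, added here and not part of the talk: a minimal in-memory session store in Python (a stand-in for PHP's session handling; the cookie name PHPSESSID is kept from the slide, the 15-minute idle timeout is an assumption). It generates identifiers from the OS CSPRNG, invalidates the pre-login identifier when the user authenticates (so a fixated or sniffed anonymous id never becomes an authenticated one), expires idle sessions server-side, and emits the Set-Cookie value with the HttpOnly and Secure flags the slide asks for, plus SameSite, which postdates the 2010 list.

```python
import secrets
import time
from http.cookies import SimpleCookie

class SessionStore:
    """Server-side session store: ids are random, rotated at login, expire when idle."""

    COOKIE_NAME = "PHPSESSID"       # name kept from the slide; it carries no security
    IDLE_TIMEOUT = 15 * 60          # seconds; assumption for the demo

    def __init__(self):
        self._sessions = {}         # sid -> {"user": str | None, "last_seen": float}

    def _new_id(self):
        # 128 bits from the OS CSPRNG; never derived from time, address or a counter.
        return secrets.token_urlsafe(16)

    def start_anonymous(self):
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": time.time()}
        return sid

    def login(self, sid, user):
        """Authenticate and rotate: the old identifier stops working immediately."""
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": time.time()}
        return new_sid

    def user_for(self, sid, now=None):
        """Return the user bound to `sid`, or None if unknown or idle too long."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.IDLE_TIMEOUT:
            del self._sessions[sid]          # expire server-side, not just in the browser
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def set_cookie_header(self, sid):
        """Set-Cookie value: HttpOnly keeps script away from the id, Secure keeps it off
        plain HTTP, SameSite=Lax stops it riding along on cross-site POSTs."""
        cookie = SimpleCookie()
        cookie[self.COOKIE_NAME] = sid
        morsel = cookie[self.COOKIE_NAME]
        morsel["httponly"] = True
        morsel["secure"] = True
        morsel["samesite"] = "Lax"
        morsel["path"] = "/"
        return cookie.output(header="").strip()

if __name__ == "__main__":
    store = SessionStore()
    anon = store.start_anonymous()
    sid = store.login(anon, "alice")
    print("Set-Cookie:", store.set_cookie_header(sid))
    print("old id still valid?", store.user_for(anon) is not None)
```

Keeping the id out of the URL is a matter of never reading it from the query string at all; with the cookie path and flags above there is no reason for it to appear anywhere else.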
A4: Insecure Direct Object References

Spot the Bug

```java
// The account key is whatever the client sent. The statement is parameterized, so
// this is not SQL injection; the problem is who is allowed to read which account.
String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query, ... );
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
```

Spot the Bug: Solution

The query is safe from injection but performs no authorization. Any authenticated user who changes the acct parameter to another account number reads that account: the direct reference (the real database key) is exposed to the client and trusted on the way back.

Mitigation

```java
// Either resolve the reference from the user's own objects (myUser.accts[0], an
// indirect reference the client cannot turn into someone else's account) or, as
// here as well, make ownership part of the query so a foreign account simply
// does not exist from this user's point of view.
String query = "SELECT * FROM accts WHERE account = ? and acctOwner = ?";
PreparedStatement pstmt = connection.prepareStatement(query, ... );
pstmt.setString(1, myUser.accts[0]);
pstmt.setString(2, myUser.id);
ResultSet results = pstmt.executeQuery();
```
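Both halves of the mitigation, as an added example that is not from the talk, in Python with SQLite standing in for the slide's JDBC code (the accts table and its two owners are constructed). `get_account_fixed` is the ownership predicate from the mitigation slide; `resolve_indirect_reference` is the `myUser.accts[0]` idea, where the page only ever shows the client an index into the user's own list.

```python
import sqlite3

# Constructed data (not the talk's): two users, one account each.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accts (account TEXT PRIMARY KEY, acctOwner TEXT NOT NULL, balance INTEGER);
        INSERT INTO accts VALUES ('1001', 'alice', 500), ('1002', 'bob', 9000);
    """)
    return conn

def get_account_vulnerable(conn, acct):
    # Spot the Bug slide: parameterized, injection-safe, and wide open. Whoever asks
    # for '1002' gets Bob's row, whoever they are.
    return conn.execute("SELECT * FROM accts WHERE account = ?", (acct,)).fetchone()

def get_account_fixed(conn, user_id, acct):
    # Mitigation slide: the ownership check is part of the query. The caller passes
    # the authenticated user id from the session, never from the request.
    return conn.execute(
        "SELECT * FROM accts WHERE account = ? AND acctOwner = ?", (acct, user_id)
    ).fetchone()

def user_accounts(conn, user_id):
    # The equivalent of myUser.accts: the user's own keys, in a stable order.
    rows = conn.execute(
        "SELECT account FROM accts WHERE acctOwner = ? ORDER BY account", (user_id,)
    )
    return [r[0] for r in rows]

def resolve_indirect_reference(conn, user_id, index):
    """Indirect reference: the client sends 0, 1, 2 ...; the server maps that index to
    the user's own accounts. Anything out of range is None, never another user's row."""
    accts = user_accounts(conn, user_id)
    if not isinstance(index, int) or not 0 <= index < len(accts):
        return None
    return get_account_fixed(conn, user_id, accts[index])

if __name__ == "__main__":
    db = make_db()
    print("alice asks for 1002, vulnerable:", get_account_vulnerable(db, "1002"))
    print("alice asks for 1002, fixed     :", get_account_fixed(db, "alice", "1002"))
    print("alice's account #0             :", resolve_indirect_reference(db, "alice", 0))
```

The indirect form has a second benefit: the real keys never leave the server, so nothing in the HTML tells an attacker what to enumerate.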
A5: Cross-Site Request Forgery (CSRF)

Spot the Bug

```cfml
<cfif IsUserLoggedIn()>
  <cfset user = GetAuthUser()>
  <!--- pageid arrives in the query string; nothing shows the user meant to send it. --->
  <cfset pageid = url.pageid>
  <cfquery name="myquery" datasource="myds">
    UPDATE member_likes SET like = 1
    WHERE pageid = <cfqueryparam cfsqltype="cf_sql_varchar" maxlength="250" value="#pageid#" />
  </cfquery>
</cfif>
<a href="likeme.cfm?pageid=112">Like Me</a>
```

Spot the Bug: Solution

A state-changing action (the UPDATE) runs on a plain GET, authenticated by nothing but the session cookie the browser attaches automatically. Any page the victim visits can embed an image tag or a form pointing at likeme.cfm?pageid=112; the browser sends the cookie, IsUserLoggedIn() passes, and the "like" is recorded without the user doing anything. The cfqueryparam only prevents SQL injection; it says nothing about who initiated the request.

Mitigation

```cfml
<cfif IsUserLoggedIn() and IsDefined("form.csrfToken") and CSRFVerifyToken(form.csrfToken)>
  <cfset user = GetAuthUser()>
  <!--- The action is now a POST, so the id is read from the form scope. --->
  <cfset pageid = form.pageid>
  <cfquery name="myquery" datasource="myds">
    UPDATE member_likes SET like = 1
    WHERE pageid = <cfqueryparam cfsqltype="cf_sql_varchar" maxlength="250" value="#pageid#" />
  </cfquery>
</cfif>
<!--- CSRFGenerateToken() (ColdFusion 10 and later) ties a token to the current
      session; CSRFVerifyToken() above checks it. The hidden field must carry the
      name that is verified. --->
<cfset csrfToken = CSRFGenerateToken()>
<cfform method="post" action="likeme.cfm">
  <cfinput name="csrfToken" type="hidden" value="#csrfToken#" />
  <cfinput name="pageid" type="hidden" value="31337" />
  <cfinput name="Submit" type="submit" value="Like Me" />
</cfform>
```
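What CSRFGenerateToken() and CSRFVerifyToken() do behind the scenes, as an added example that is not from the talk and not ColdFusion's implementation: a synchronizer-token scheme in Python. One random secret per session, a token derived from it with HMAC over the session id and the form name (so a token for one form or session is useless for another, and a leaked token does not reveal the secret), constant-time comparison, and a request handler for the "Like Me" action that refuses GET outright and accepts a POST only with a valid token. Session ids and form contents below are constructed.

```python
import hashlib
import hmac
import secrets

class CsrfProtection:
    """Synchronizer tokens: per-session secret, per-form token, constant-time check."""

    def __init__(self):
        self._session_secrets = {}      # session id -> 32 random bytes

    def generate_token(self, session_id, form_name="default"):
        secret = self._session_secrets.setdefault(session_id, secrets.token_bytes(32))
        msg = f"{session_id}:{form_name}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def verify_token(self, session_id, form_name, submitted):
        secret = self._session_secrets.get(session_id)
        if secret is None or not submitted:
            return False
        expected = self.generate_token(session_id, form_name)
        return hmac.compare_digest(expected, submitted)

def handle_like(csrf, session_id, method, form):
    """Server side of likeme.cfm. Returns (status, message) without touching a DB.
    State changes only on POST with a valid token; the GET link from the Spot the
    Bug slide is refused before anything else is looked at."""
    if method != "POST":
        return 405, "state-changing requests must be POST"
    if not csrf.verify_token(session_id, "likeme", form.get("csrfToken")):
        return 403, "missing or invalid CSRF token"
    page_id = form.get("pageid", "")
    if not page_id.isdigit():
        return 400, "bad pageid"
    return 200, f"liked page {page_id}"

if __name__ == "__main__":
    csrf = CsrfProtection()
    token = csrf.generate_token("session-A", "likeme")      # rendered into the hidden field
    print(handle_like(csrf, "session-A", "POST", {"csrfToken": token, "pageid": "31337"}))
    print(handle_like(csrf, "session-A", "GET", {"pageid": "112"}))
    print(handle_like(csrf, "session-B", "POST", {"csrfToken": token, "pageid": "31337"}))
```

An attacker's page cannot read the token out of the victim's form (same-origin policy), so it cannot forge the POST; and because the token is bound to the session, a token the attacker obtains for their own session does not verify for anyone else's.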
A6: Security Misconfiguration

Spot the Bug

```xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <!-- Username and password straight from the tutorials, granted the two roles
       that can deploy a WAR through the Manager application. -->
  <user username="tomcat" password="tomcat" roles="manager-gui, manager-script"/>
</tomcat-users>
```

Spot the Bug: Solution

tomcat/tomcat is a well-known default. With manager-gui and manager-script, whoever guesses it can deploy an arbitrary WAR, which is code execution as the user Tomcat runs as. Scanners try these credentials first.

Mitigation

```xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <!-- The placeholders below are the slide's. Use a unique, long password, grant
       only the role actually used (manager-script for automated deployment,
       manager-gui for people), and remove the Manager application where it is
       not needed at all. -->
  <user username="myusername" password="mypassword" roles="manager-gui, manager-script"/>
</tomcat-users>
```

Also, see:
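A configuration check a practitioner would run over tomcat-users.xml, added here and not from the talk: it parses the file and reports accounts that should not exist as configured. The sample file is constructed from the slide's shape with two extra accounts; the list of well-known default credentials is an assumption drawn from Tomcat's sample configuration and common tutorials, meant to be extended from your own data.

```python
import xml.etree.ElementTree as ET

# Constructed input: the slide's file plus two more accounts for contrast.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui, manager-script"/>
  <user username="ops" password="" roles="manager-gui"/>
  <user username="deploy" password="Kq7vX9pLm2wR" roles="manager-script"/>
</tomcat-users>
"""

# Assumption: illustrative defaults (Tomcat's shipped examples and tutorial favourites).
KNOWN_DEFAULTS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"), ("admin", ""),
    ("role1", "tomcat"), ("both", "tomcat"), ("manager", "manager"),
}
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}

def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) tuples. Only what the file itself proves
    is reported: default credentials, empty passwords, password equal to username."""
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        name = user.get("username", "")
        pw = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        where = "privileged account" if roles & PRIVILEGED_ROLES else "account"
        if (name, pw) in KNOWN_DEFAULTS:
            findings.append((name, f"default credentials on {where}"))
        elif pw == "":
            findings.append((name, f"empty password on {where}"))
        elif pw.lower() == name.lower():
            findings.append((name, f"password equals username on {where}"))
    return findings

def privileged_accounts(xml_text):
    """Names of accounts holding any Manager/Host-Manager role, for review."""
    root = ET.fromstring(xml_text)
    out = []
    for user in root.iter("user"):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if roles & PRIVILEGED_ROLES:
            out.append(user.get("username", ""))
    return out

if __name__ == "__main__":
    for name, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{name}: {finding}")
    print("privileged:", privileged_accounts(SAMPLE_TOMCAT_USERS))
```

Run it against the live file under $CATALINA_BASE/conf; the same idea applies to any product that ships with sample accounts.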
A7: Insecure Cryptographic Storage

Spot the Bug

```php
<?php
// One fast SHA-1 over the lowercased username and the password; the username is
// the only salt.
$encryptedPassword = sha1(strtolower('username') . 'password');
?>
```

Spot the Bug: Solution

Nothing here is encrypted: it is a single SHA-1, a function designed to be fast. The username is the only salt, and it is public and predictable, so an attacker holding the table can test billions of guesses per second per user, and the same (username, password) pair hashes identically on every site that uses this scheme.

Mitigation

I may be shamed for this, but the answer is (almost) always... bcrypt.
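The speaker's answer is bcrypt. As an added example that is not from the talk, here is the slide's scheme beside a hardened one in Python. The standard library has no bcrypt (it lives in the third-party `bcrypt` package), so scrypt, also deliberately slow and salted per user, stands in for it; the cost parameters are an assumption to tune to your hardware, and the wordlist and credentials are constructed. The first half cracks the slide's hash with a dictionary to make the cost-per-guess point; the second half stores and verifies a password the way the mitigation intends.

```python
import hashlib
import hmac
import os

# Constructed demo wordlist (not the talk's).
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2010", "hunter2"]

def slide_hash(username, password):
    # Exactly the Spot the Bug scheme. The username is a predictable salt: it stops
    # a precomputed table but not a brute-force run against one known user.
    return hashlib.sha1((username.lower() + password).encode()).hexdigest()

def crack_slide_hash(username, digest, wordlist=WORDLIST):
    # Dictionary attack: each guess costs one SHA-1. The list is tiny here; the
    # point is that nothing about the scheme makes a guess expensive.
    for guess in wordlist:
        if slide_hash(username, guess) == digest:
            return guess
    return None

# Hardened storage. scrypt stands in for bcrypt; both are slow and salted per user.
# Assumption: these parameters take tens of milliseconds on a 2020s CPU.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def hash_password(password):
    """Return a self-describing string: algorithm, parameters, random salt, digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    leaked = slide_hash("Alice", "hunter2")
    print("slide scheme, recovered:", crack_slide_hash("alice", leaked))
    stored = hash_password("hunter2")
    print("stored:", stored)
    print("verify right/wrong:", verify_password("hunter2", stored), verify_password("hunter3", stored))
```

Storing the parameters with the hash is what lets you raise the cost later without forcing a password reset: old records verify with their old parameters and can be rehashed on next login.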
A8: Failure to Restrict URL Access

Spot the Bug

```xml
<location path="Admin">
  <system.web>
    <authorization>
      <!-- "*" is everyone, anonymous included. -->
      <allow users="*" />
    </authorization>
  </system.web>
</location>
```

Spot the Bug: Solution

allow users="*" grants the Admin directory to all users, authenticated or not. Leaving the link out of the menu does not protect the URL; anyone who types or guesses /Admin is in.

Mitigation

```xml
<location path="Admin">
  <system.web>
    <authorization>
      <!-- Rules are evaluated top to bottom, first match wins: name who may enter,
           then deny everyone else. Without the final deny, the machine-level
           default (allow all) still applies. roles="..." is the more maintainable
           form than a single user name. -->
      <allow users="briggins" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
```
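The rule evaluation the two web.config fragments depend on, as an added example in Python that is not from the talk and not ASP.NET's implementation. It models ordered allow/deny rules with first-match-wins and the allow-all default that applies when nothing matches, and adds the part the config file cannot express: the request path must be normalised (percent-encoding, dot segments, duplicate slashes, letter case) before it is compared with "Admin", or the check is reachable under another spelling. The rule sets are constructed from the slide's two fragments.

```python
import posixpath
from urllib.parse import unquote

# Rule model: location -> ordered (verb, principal) pairs. "*" is everyone,
# "?" is anonymous, anything else a user name. Constructed from the two slides.
VULNERABLE_RULES = {"/Admin": [("allow", "*")]}
FIXED_RULES = {"/Admin": [("allow", "briggins"), ("deny", "*")]}

def normalize(path):
    """Collapse the spellings that reach /Admin without saying "/Admin": percent
    encoding, ".." and "." segments, repeated slashes, and case (IIS paths are
    case-insensitive)."""
    path = unquote(path)
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()

def is_allowed(rules, path, user):
    """True if `user` (None for anonymous) may request `path`. Mirrors ASP.NET:
    first matching rule inside the location decides; if no location or no rule
    matches, the inherited default applies, which is allow-all."""
    norm = normalize(path)
    for location, entries in rules.items():
        loc = normalize(location)
        if norm == loc or norm.startswith(loc + "/"):
            for verb, principal in entries:
                if (principal == "*" or (principal == "?" and user is None)
                        or principal == user):
                    return verb == "allow"
    return True

if __name__ == "__main__":
    for req in ["/Admin/users.aspx", "/%41dmin/", "/public/../ADMIN//x", "/public/x"]:
        print(f"{req:28} anon vulnerable={is_allowed(VULNERABLE_RULES, req, None)!s:5} "
              f"anon fixed={is_allowed(FIXED_RULES, req, None)!s:5} "
              f"briggins fixed={is_allowed(FIXED_RULES, req, 'briggins')}")
```

The allow-all default is the reason the mitigation ends with deny users="*": a named allow on its own changes nothing for everyone it does not name.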
A9: Insufficient Transport Layer Protection

Spot the Bug

Spot the Bug: Solution

Mitigation

```xml
<!-- web.xml (Java EE). A user-data-constraint sits inside a security-constraint;
     the enclosing elements are not on the slide and are added here so the fragment
     is complete. The /* pattern applies it to the whole application. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL: the container serves these URLs only over TLS
         (Tomcat redirects plain HTTP requests to its configured redirectPort). -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Also, see:
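What the container does for you under CONFIDENTIAL, written out as an added example that is not from the talk: a WSGI middleware in Python (standing in for the servlet container) that refuses to serve anything over plain HTTP. Safe methods are redirected to the https:// URL; other methods get 403, so a POST body sent in the clear is never accepted or replayed through a redirect; every TLS response carries Strict-Transport-Security, which postdates the 2010 list. X-Forwarded-Proto is honoured only when the deployment says a TLS-terminating proxy sets it, and the redirect host can be pinned to avoid Host-header games. The application and request environments are constructed.

```python
def enforce_https(app, trust_forwarded_proto=False, canonical_host=None,
                  hsts_max_age=31536000):
    """WSGI middleware: no response over plain HTTP, HSTS on every TLS response."""
    def middleware(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        # Believe X-Forwarded-Proto only behind a known TLS-terminating proxy;
        # otherwise any client can claim "https" and skip the check.
        if trust_forwarded_proto and environ.get("HTTP_X_FORWARDED_PROTO"):
            scheme = environ["HTTP_X_FORWARDED_PROTO"].lower()
        if scheme != "https":
            if environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD"):
                # Pin the host when configured; the Host header is client-controlled.
                host = canonical_host or environ.get("HTTP_HOST") \
                    or environ.get("SERVER_NAME", "localhost")
                target = "https://" + host + environ.get("PATH_INFO", "/")
                if environ.get("QUERY_STRING"):
                    target += "?" + environ["QUERY_STRING"]
                start_response("301 Moved Permanently",
                               [("Location", target), ("Content-Length", "0")])
                return [b""]
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"HTTPS required\n"]

        def start_with_hsts(status, headers, exc_info=None):
            hsts = ("Strict-Transport-Security",
                    f"max-age={hsts_max_age}; includeSubDomains")
            return start_response(status, list(headers) + [hsts], exc_info)

        return app(environ, start_with_hsts)
    return middleware

def hello_app(environ, start_response):
    """Constructed application behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]

def run_request(app, environ):
    """Tiny WSGI driver for the demo: returns (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body

# Constructed request environment.
PLAIN_GET = {"wsgi.url_scheme": "http", "REQUEST_METHOD": "GET",
             "HTTP_HOST": "example.com", "PATH_INFO": "/login", "QUERY_STRING": "next=%2F"}

if __name__ == "__main__":
    app = enforce_https(hello_app)
    print(run_request(app, PLAIN_GET))
    print(run_request(app, dict(PLAIN_GET, REQUEST_METHOD="POST")))
    print(run_request(app, {**PLAIN_GET, "wsgi.url_scheme": "https"}))
```

With HSTS in place the redirect is only ever seen once per browser; after that the browser rewrites http:// to https:// itself, which closes the window in which the first plaintext request could be intercepted.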
A10: Unvalidated Redirects and Forwards

Spot the Bug

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RedirectServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String query = request.getQueryString();
        // getQueryString() is null without a query string; guarded here so the only
        // defect left is the one the slide is about.
        if (query != null && query.contains("url")) {
            // The destination is whatever the client put in ?url=
            String url = request.getParameter("url");
            response.sendRedirect(url);
        }
    }
}
```

Spot the Bug: Solution

The redirect target is taken from the request and never checked. A link to this servlet with url= pointing at an attacker's site starts on the trusted domain, which is what the victim sees, and ends on the attacker's page: ready-made phishing, or a hop to a malware download, carrying the trusted site's reputation.

Mitigation

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RedirectServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String query = request.getQueryString();
        if (query != null && query.contains("goThere")) {
            // The server chooses the destination; the request only says "go".
            // The hard-coded URL literal is cut off in the slide.
            response.sendRedirect("…");
        }
    }
}
```

Where one fixed destination is not enough, map a short parameter to a server-side table of allowed URLs, or accept only a path on this site; never pass a client-supplied absolute URL to sendRedirect().
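The "accept only a path on this site or an allow-listed host" rule, as an added example in Python that is not from the talk (a stand-in for the servlet's validation; the allowed hosts are constructed). Each rejection branch corresponds to a way that naive checks such as "starts with /" or "contains our domain" have been bypassed: scheme-relative //host, backslashes that browsers treat as slashes, credentials before an @, look-alike subdomains, non-https schemes, and CRLF that would inject headers into the Location response.

```python
from urllib.parse import urljoin, urlsplit

# Constructed allow-list (not the talk's).
ALLOWED_HOSTS = {"example.com", "accounts.example.com"}

def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return a destination safe to hand to a redirect, or `default`.
    Accepted: a path on this site, or an absolute https URL on an allowed host."""
    if not url or any(c in url for c in "\r\n\x00"):
        return default          # CRLF or NUL: header injection into Location
    url = url.strip()
    if "\\" in url:
        return default          # browsers turn "\" into "/", so "/\evil" leaves the site
    if url.startswith("//"):
        return default          # scheme-relative URL: //attacker.net is another origin
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        if not url.startswith("/"):
            return default      # "evil.com/x" or "..": ambiguous, refuse
        return urljoin("/", url)   # resolves "." and ".." against the site root
    if parts.scheme.lower() != "https":
        return default          # http:, javascript:, data:, "https:example.com" ...
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default          # example.com.attacker.net, user@attacker.net, etc.
    if parts.username is not None or parts.password is not None:
        return default          # be explicit about credentials in the URL
    return url

if __name__ == "__main__":
    for candidate in ["/account", "/a/../b", "https://accounts.example.com/login",
                      "https://example.com.attacker.net/", "https://example.com@attacker.net/",
                      "//attacker.net/", "/\\attacker.net", "http://example.com/",
                      "javascript:alert(1)", "/ok\r\nSet-Cookie: x=1"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

Returning the site root on rejection, rather than an error, keeps the behaviour identical for honest users with a stale link while giving an attacker nothing to work with.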
What about _____? This isn't just about JSP and PHP, or custom code: