Presentation is loading. Please wait.

Presentation is loading. Please wait.

OWASP Top 10 Vulnerabilities: Panel Discussion

Published byCarla Maas Modified over 5 years ago

Similar presentations

Presentation on theme: "OWASP Top 10 Vulnerabilities: Panel Discussion"— Presentation transcript:

1 OWASP Top 10 Vulnerabilities: Panel Discussion
Sebastien Deleersnyder CISSP Sep, 2005

2 Agenda Panel Introduction OWASP Top 10 Panel Discussion

3 Agenda Panel Introduction OWASP Top 10 Panel Discussion

4 Panel Introduction Erwin Geirnaert, Security Innovation
Dirk Dussart, Belgian Post Eric Devolder, Mastercard Herman Stevens, Ubizen Frank Piessens, KU Leuven present yourself shortly + how do you or your organisation use the Top 10 ?

5 Agenda Introduction OWASP Top 10 Panel Discussion

6 OWASP Top 10 A1 Unvalidated Input A2 Broken Access Control A3
Broken Authentication and Session Management A4 Cross Site Scripting (XSS) Flaws A5 Buffer Overflows A6 Injection Flaws A7 Improper Error Handling A8 Insecure Storage A9 Denial of Service A10 Insecure Configuration Management

7 HTTP requests from browsers to web apps
1. Unvalidated Input HTTP requests from browsers to web apps URL, Querystring, Form Fields, Hidden Fields, Cookies, Headers Web apps use this information to generate web pages Attackers can modify anything in request WebScarab Key Points: Check before you use anything in HTTP request Canonicalize before you check Client-side validation is irrelevant Reject anything not specifically allowed Type, min/max length, character set, regex, min/max value…

8 2. Broken Access Control Access control is how you keep one user away from other users’ information The problem is that many environments provide authentication, but don’t handle access control well Many sites have a complex access control policy Insidiously difficult to implement correctly Key Points Write down your access control policy Don’t use any “id’s” that an attacker can manipulate Implement access control in a centralized module Aka Authorization

9 3. Broken Authentication and Session Management
Handling credentials across client-server gap Backend authentication credentials too Session Management HTTP is a “stateless” protocol. Web apps need to keep track of which request came from which user “Brand” sessions with an id using cookie, hidden field, URL tag, etc… Key Points Keep credentials secret at all times Use only the random sessionid provided by your environment

10 4. Cross-Site Scripting (XSS) Flaws
Web browsers execute code sent from websites Javascript Flash and many others haven’t really been explored But what if an attacker could get a website to forward an attack! Stored – web application stores content from user, then sends it to other users Reflected – web application doesn’t store attack, just sends it back to whoever sent the request Key Points Don’t try to strip out active content – too many variations. Use a “positive” specification.

11 Web applications read all types of input from users
5. Buffer Overflows Web applications read all types of input from users Libraries, DLL’s, Server code, Custom code, Exec C and C++ code is vulnerable to buffer overflows Input overflows end of buffer and overwrites the stack Can be used to execute arbitrary code Key Points Don’t use C or C++ Be careful about reading into buffers Use safe string libraries correctly

12 Web applications involve many interpreters Malicious code
6. Injection Flaws Web applications involve many interpreters OS calls, SQL databases Malicious code Sent in HTTP request Extracted by web application Passed to interpreter, executed on behalf of web app Key Points Use extreme care when invoking an interpreter Use limited interfaces where possible (PreparedStatement) Check return values

13 7. Improper Error Handling
Errors occur in web applications all the time Out of memory, too many users, timeout, db failure Authentication failure, access control failure, bad input How do you respond? Need to tell user what happened (no hacking clues) Need to log an appropriate (different) message Logout, , pager, clear credit card, etc… Key Points: Make sure error screens don’t print stack traces Design your error handling scheme Configure your server

14 Use cryptography to store sensitive information Key Points
8. Insecure Storage Use cryptography to store sensitive information Algorithms are simple to use, integrating them is hard Key Points Do not even think about inventing a new algorithm Be extremely careful storing keys, certs, and passwords Rethink whether you need to store the information Don’t store user passwords – use a hash like SHA-256 The “master secret” can be split into two locations and assembled Configuration files, external servers, within the code

15 Difference between attack and ordinary traffic?
9. Denial of Service Difference between attack and ordinary traffic? IP address filtering? DDOS, Slashdotted? Account lock-outs Abuse error, consume resources Key Points Limit resource allocation Use quotas Avoid “expensive” operations Graceful handling of errors

16 10. Insecure Configuration Management
All web and application servers have many security-relevant configuration options Default accounts and passwords Unnecessary default, backup, sample apps, libraries Overly informative error messages Misconfigured SSL, default certificates, self-signed certs Unused administrative services Key Points: Keep up with patches (Code Red, Slammer) Use Scanning Tools (Nikto, Nessus) Harden your servers!

17 OWASP Top 1O Success E.g. referenced by payment card industry, Federal Trade Commission, US gov. Used by Sprint, IBM Global Services, Cognizant, Foundstone, Strategic Security, Bureau of Alcohol, Tobacco, and Firearms (ATF), Sun Microsystems, British Telecom, Swiss Federal Institute of Technology, Sempra Energy, Corillian Corporation, A.G. Edwards, Texas Dept of Human Services, Predictive Systems, Price Waterhouse Coopers, Best Software, Online Business Systems, ZipForm, Contra Costa County, SSP Solutions, Recreational Equipment, Inc. (REI), Zapatec, Cboss Internet, Samsung SDS (Korea), Norfolk Southern, Bank of Newport part of curriculum at Michigan State University and the University of California at San Diego

18 Agenda Introduction OWASP Top 10 Panel Discussion

19 Panel Discussion Does the Top 10 improve web application security?
Are we talking vulnerabilities, solutions or threats? Can we base our best practices / standards on the Top 10? Should the Top 10 be incorporated in curricula? How to test your web site security on the Top 10? Do we need localized versions of the Top 10? Is the OWASP Top 10 still necessary? How to update the Top 10? Other format? Survey? Awareness! -Criteria for evaluating technology (web app scanners, firewalls) -Metrics and comparison for software security programs -Education outline -Assessment framework ?

Download ppt "OWASP Top 10 Vulnerabilities: Panel Discussion"

Similar presentations

Webgoat.

Webgoat.
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
OWASP Web Vulnerabilities and Auditing

OWASP Web Vulnerabilities and Auditing
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Security in Application & SDLC

Security in Application & SDLC
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.

Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
1 Security in Application & SDLC Barkan Asaf Nov, 2006.

1 Security in Application & SDLC Barkan Asaf Nov, 2006.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Similar presentations

Ads by Google