Download presentation
Presentation is loading. Please wait.
Published byEdwin Brooks Modified over 9 years ago
1
Protecting Web Applications with ESAPI and AppSensor Manuel Lopez Arredondo manuel.lopez@owasp.org
2
“The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”|
3
Why Security is important?
Ponemon Institute. (2012) Cost of Cyber Crime Study:. Ponemon Institute LLC.
4
Why Security is important?
Verizon. (2012) Data BREACH Investigations Report:. Verizon LLC.
5
Why Security is important?
6
Mission Driven What is OWASP Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services
7
Community Driven What is OWASP 30,000 Mail List Participants
200 Active Chapters in 70 countries 1600+ Members, 56 Corporate Supporters 69 Academic Supporters
8
OWASP Guadalajara Chapter
What do we have to offer? Community of security professional Monthly meetings Mailing List Presentations Workshops Open forums for discussion Vendor neutral environments March 2012 – Till Date Meetings Workshops Conference News Letter Page Visit 3 1 2,528+
9
What is OWASP Quality Resources 200+ Projects
15,000+ downloads of tools, documentation 250,000+ unique visitors 800,000+ page views (monthly)
10
Quality Resources Code Tools 40% 10% 50% Documentation
11
OWASP Top Ten (2010 Edition)
A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Failure to Restrict URL Access A8: Insecure Cryptographic Storage A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards
12
A1 – Injection Injection means…
Tricking an application into including unintended commands in the data sent to an interpreter Interpreters… Take strings and interpret them as commands SQL, OS Shell, LDAP, XPath, Hibernate, etc… SQL injection is still quite common Many applications still susceptible (really don’t know why) Even though it’s usually very simple to avoid Typical Impact Usually severe. Entire database can usually be read or modified May also allow full database schema, or account access, or even OS level access
13
"SELECT * FROM accounts WHERE acct=‘’ OR 1=1--’"
SQL Injection – Illustrated Account: SKU: Account: SKU: "SELECT * FROM accounts WHERE acct=‘’ OR 1=1--’" Account Summary Acct: Acct: Acct: Acct: HTTP response DB Table HTTP request SQL query Application Layer Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Databases Legacy Systems Web Services Directories Human Resrcs Billing APPLICATION ATTACK Custom Code 1. Application presents a form to the attacker 2. Attacker sends an attack in the form data App Server 3. Application forwards attack to the database in a SQL query Web Server Hardened OS 4. Database runs query containing attack and sends encrypted results back to application Network Layer Firewall Firewall 5. Application decrypts data as normal and sends results to the user
14
A2 – Cross-Site Scripting (XSS)
Occurs any time… Raw data from attacker is sent to an innocent user’s browser Raw data… Stored in database Reflected from web input (form field, hidden field, URL, etc…) Sent directly into rich JavaScript client Virtually every web application has this problem Try this in your browser – javascript:alert(document.cookie) Typical Impact Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites
15
Cross-Site Scripting Illustrated
1 Attacker sets the trap – update my profile Application with stored XSS vulnerability Attacker enters a malicious script into a web page that stores the data on the server Custom Code Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions 2 Victim views page – sees attacker profile Script runs inside victim’s browser with full access to the DOM and cookies 3 Script silently sends attacker Victim’s session cookie
16
Enterprise Security API
Project Leader: Chris Schmidt, Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications for Reboot
17
ESAPI - Vision Build a common set of security controls for today's most popular programming languages. Have interfaces in common across programming languages as much as possible and natural. Provide at least a simple reference implementation for each security control to serve as example if not useful in itself. Easily extensible Provide functionality that is most often needed, but lacking (or inconsistent) in various frameworks / languages.
18
Getting started Using ESAPI (1 of 3)
Download: ESAPI Cheat Sheet: ESAPI Swingset:
19
https://lists.owasp.org/mailman/listinfo/esapi-user
Using ESAPI (2 of 3) Getting help ESAPI User mailing list (focuses on Java version): ESAPI Developer mailing list: ESAPI Project page: (coming soon)
20
Getting involved Using ESAPI (3 of 3)
Many other language implementations, all playing catch up ESAPI for Java version needs help with user documentation ESAPI 2.1 (Java) starting soon ESAPI Swingset and Swingset Interactive → Port to use ESAPI 2.0
21
Enterprise Security API
Custom Enterprise Web Application Enterprise Security API Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Exception Handling Logger IntrusionDetector SecurityConfiguration Existing Enterprise Security Services/Libraries
22
Potential Enterprise ESAPI Cost Savings
23
Basic ESAPI Approach – Examples
In Java: String input = request.getParameter( "input" ); // Throws ValidationException or IntrusionException // if problem String cleaned = ESAPI.validator().getValidInput("Secure input example", input, "SafeString", // regex spec 200, // max lengyh false, // no nulls true); // canonicalize String safeHTML = ESAPI.encoder().encoderForHTML(cleaned);
24
Basic ESAPI Approach – Examples
In PHP: $cleanTmp = array(); // local in scope $cleanParams = array(); // local in scope $cleanTmp['username'] = ESAPI::getValidator()->getValidInput( "Secure input example", $input, "SafeString", 200, false, true); $cleanParams['username'] = ESAPI::getEncoder()->encodeForHTML($cleanTmp['username']);
25
OWASP ESAPI Project Scorecard Feature Set vs. Programming Language
Authentication 2.0 1.4 2.0 planned Identity Access Control Input Validation Output Escaping Canonicalization ??? Encryption Random Numbers Exception Handling Logging 1,4 Intrusion Detection Security Configuration TBD WAF
26
Source Code and Javadoc Online Now!
27
Create attack aware applications
AppSensor Project Leader(s): Michael Coates, John Melton, Colin Watson Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Release: AppSensor Nov 2010 (Tool) & September 2008 (doc) Create attack aware applications
30
Detecting Attacks the Right Way
Detect INSIDE the Application Automatic Detection Comprehensive Minimize False Positives Understand Business Logic Immediate Response No Manual Efforts Required
32
Implementing AppSensor
Detection Points Application Log Server AppSensor Brain Response Listener
34
VIDEO DEMO
35
Think out of the box for development teams
Take aways Open Source solutions Low cost and low effort Think out of the box for development teams Techniques used on the Industry OWASP Google Summer of Code 2013
36
Q & A
37
Backup 37
38
About OWASP Online since December 1st 2001
Not-for-profit charitable organization OPEN Everything at OWASP is radically transparent from our finances to our code. INNOVATION OWASP encourages and supports innovation/experiments for solutions to software security challenges. GLOBAL Anyone around the world is encouraged to participate in the OWASP community. INTEGRITY OWASP is an honest and truthful, vendor agnostic, global community.
39
OWASP Success Story
40
OWASP Guadalajara Chapter
What do we have to offer? Community of security professional Monthly meetings Mailing List Presentations Workshops Open forums for discussion Vendor neutral environments March 2012 – Till Date Meetings Workshops Conference News Letter Page Visit 3 1 2,528+
41
Application Developers
New attacks/ defense guideline Cheat Sheets Web Goat-emulator-designed to teach web application security lessons
42
Application Testers and Quality Assurance
Testing guide Penetration testing tools Application Security Verification Standard Project
43
OWASP ZAP Proxy/ WebScarab / CSRF Tester
44
OWASP Testing Framework
4. Web Application Penetration Testing 4.2 Information Gathering 4.3 Configuration Management Testing 4.4 Business logic testing 4.5 Authentication Testing 4.6 Authorization Testing 4.7 Session Management Testing 4.8 Data Validation Testing 4.9 Testing for Denial of Service 4.10 Web Services Testing 4.11 Ajax Testing OWASP Testing Guide v3 V4 is not finalize
45
Application Project Management and Staff
Define the process SDLC Code Review Code review tool Decision maker
46
Download Get OWASP Books
47
Business advantages of being associated with OWASP
The main benefit of becoming an OWASP corporate supporter is to demonstrate the organization's belief that application security is important and that the organization is working to take necessary steps to properly address application security risk in their businesses The organization itself gets security benefit at reduced costs Security code review tools are free Lots of open & free security testing tools Security guidelines & best practices Opportunity to endorse organization's logo in OWASP events, conferences, & website The organization gets listed as a sponsor in the newsletter that goes to over 20,000 individuals around the world on owasp mailing lists and linked 'in group If you are looking to expand your business in emerging market here is an opportunity to reach out When organization becomes a supporter of a security community it helps employees, partners, suppliers and customers to understand the value & importance of security, and improves application security throughout the whole supply chain Membership options :
48
Join Us ! Subscribe mailing list
Chapter Leaders: Eduardo Cerna Mauel Lopez
49
App Sensor Design AppSensor “Brain” Demo App App Logs
Embedded AppSensor Response
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.