Education Module OWASP Top 10 Introduction and Remedies
Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org

OWASP Top 10 Introduction & Remedies
Module (to be combined)
Education Project

Introduction

OWASP Top 10
The Ten Most Critical Web Application Security Vulnerabilities
2007 Release
A great start, but not a standard

OWASP Top 10 2007
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Insecure Remote File Include
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
http://www.owasp.org/index.php/Top_10

Top 10 Methodology
- Take the MITRE Vulnerability Trends for 2006, and distill the Top 10 web application security issues

Top 10 Mapping

| OWASP Top 10 2007 | OWASP Top 10 2004 | MITRE 2006 Raw Ranking |
|---|---|---|
| 1. Cross Site Scripting (XSS) | 4. Cross Site Scripting (XSS) | 1 |
| 2. Injection Flaws | 6. Injection Flaws | 2 |
| 3. Insecure Remote File Include | (NEW) | 3 |
| 4. Insecure Direct Object Reference | 2. Broken Access Control (split in 2007 T10) | 5 |
| 5. Cross Site Request Forgery (CSRF) | (NEW) | 36 |
| 6. Info Leakage and Improper Error Handling | 7. Improper Error Handling | 6 |
| 7. Broken Auth. and Session Management | 3. Broken Authentication and Session Management | 14 |
| 8. Insecure Cryptographic Storage | 8. Insecure Storage | 8 |
| 9. Insecure Communications | (NEW) Discussed under 10 | 8 |
| 10. Failure to Restrict URL Access | 2. Broken Access Control (split in 2007 T10) | 14 |
| | 1. Unvalidated Input | 7 |
| | 5. Buffer Overflows | 4, 8, and 10 |
| | 9. Denial of Service | 17 |
| | 10. Insecure Configuration Management | 29 |

Cross Site Scripting (XSS)

1. Cross-Site Scripting (XSS)
Description
- Most prevalent web application security issue
- Allows attackers to execute script in the victim's browser
Affected Environments
- All web application frameworks are vulnerable to cross site scripting

1. Cross-Site Scripting (XSS)
Vulnerabilities
- Three types: Reflected, Stored, DOM injection
- Attacks are normally implemented in JavaScript or direct manipulation of request objects

1. Cross-Site Scripting (XSS)
Verifying Security
- All input parameters are validated and/or encoded
- Code reviews are useful to detect
- Centralized validation and encoding mechanism
Protection
- Combination of whitelist validation of all incoming data and appropriate encoding of all output data
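The whitelist-validate-then-encode pattern from the Protection bullet, as an added Python example (not code from the original slides): one hypothetical `username` parameter, a vulnerable rendering beside the encoded one, and the same value encoded for an attribute context. The regex, sample inputs and function names are assumptions made for this example.

```python
import html
import re

# Whitelist for one input parameter (constructed rule for this example):
# letters, digits, dot, underscore and hyphen, 1 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")

# Constructed test inputs; the second and third are classic probe strings
# a tester uses to see whether input reaches the page unencoded.
SAMPLE_INPUTS = ["alice", "<script>alert(1)</script>", 'x" onfocus="alert(1)']


def validate_username(value: str) -> str:
    """Whitelist validation on the way in: anything outside the allowed
    character set is rejected rather than 'cleaned up'."""
    if USERNAME_RE.fullmatch(value) is None:
        raise ValueError("username contains characters outside the whitelist")
    return value


def render_greeting_vulnerable(name: str) -> str:
    """The flaw: untrusted data concatenated straight into the HTML body."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting_hardened(name: str) -> str:
    """Output encoding for the HTML body context: <, >, &, " and ' are
    escaped, so the browser renders the input as text, not markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def render_field_hardened(name: str) -> str:
    """Attribute context: the value sits inside a quoted attribute, so the
    quote characters must be escaped too (quote=True covers them)."""
    return ('<input type="text" name="user" value="'
            + html.escape(name, quote=True) + '">')


def handle_profile_request(param: str) -> tuple:
    """Centralized pattern: validate the parameter, then encode on output.
    Returns (status, body); invalid input never reaches the template."""
    try:
        name = validate_username(param)
    except ValueError:
        return 400, "<p>Invalid username.</p>"
    return 200, render_greeting_hardened(name) + render_field_hardened(name)


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print(repr(value), "->", handle_profile_request(value))
```

Note that validation alone would not protect a field that legitimately accepts punctuation; the encoding step is what makes the output safe in every case.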

1. Cross-Site Scripting (XSS)
References
- OWASP – Cross site scripting, http://www.owasp.org/index.php/Cross_Site_Scripting
- OWASP – Testing for XSS, http://www.owasp.org/index.php/Testing_for_Cross_site_scripting
- OWASP Stinger Project (A Java EE validation filter) – http://www.owasp.org/index.php/Category:OWASP_Stinger_Project
- OWASP PHP Filter Project – http://www.owasp.org/index.php/OWASP_PHP_Filters
- OWASP Encoding Project – http://www.owasp.org/index.php/Category:OWASP_Encoding_Project
- RSnake, XSS Cheat Sheet, http://ha.ckers.org/xss.html
- Klein, A., DOM Based Cross Site Scripting, http://www.webappsec.org/projects/articles/071105.shtml
- .NET Anti-XSS Library – http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff-4f82-bfaf-e11625130c25&DisplayLang=en
- Wikipedia Definition – http://en.wikipedia.org/wiki/Cross-site_scripting

Injection Flaws

2. Injection Flaws
Description
- Injection occurs when user-supplied data is sent to an interpreter as part of a command or query
- SQL injection is the most common
Affected Environments
- All web application frameworks that use interpreters are vulnerable to injection attacks.

2. Injection Flaws
Vulnerabilities
- If user input is passed into an interpreter without validation or encoding, the application is vulnerable.
- Check to see if user input is supplied directly to dynamic queries

2. Injection Flaws
Verifying Security
- Verify that the user cannot modify commands or queries sent to any interpreter used by the application
- Code reviews are useful to detect
Protection
- Avoid interpreters where possible
- Enforce least privilege
- Stored procedures are susceptible too
- User input validation

2. Injection Flaws
References
- OWASP, http://www.owasp.org/index.php/SQL_Injection
- OWASP, http://www.owasp.org/index.php/Guide_to_SQL_Injection
- OWASP, http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection
- OWASP, http://www.owasp.org/index.php/Testing_for_SQL_Injection
- SQL Injection, http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
- Advanced SQL Injection, http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
- More Advanced SQL Injection, http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
- Hibernate, an advanced object relational manager (ORM) for J2EE and .NET, http://www.hibernate.org/
- J2EE Prepared Statements, http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html
- How to: Protect from SQL injection in ASP.Net, http://msdn2.microsoft.com/en-us/library/ms998271.aspx
- PHP PDO functions, http://php.net/pdo

Insecure Remote File Include

3. Malicious File Injection
Description
- Allows attackers to perform remote code execution etc. by compromising input files or streams; commonly caused by improperly trusting input files
Affected Environments
- All web application frameworks that allow uploaded files to be executed are vulnerable
- Environments are susceptible if they allow file upload into web directories.

3. Malicious File Injection
Vulnerabilities
- Hostile data being uploaded to session files or log data
- PHP is most common; other technologies are affected too (Java and .Net)
- Hostile DTD in XML documents

3. Malicious File Injection
Verifying Security
- Code reviews are useful to detect
- Automated tools are useful
Protection
- Do not allow a user-defined file name to supply server-based resources
- Properly configured and implemented security protocols
- User input validation
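The "do not allow a user-defined file name to supply server-based resources" rule, as an added Python example (not the module's own code): a request parameter selects from a server-side allowlist instead of naming a path, the resolved path is re-checked against the include directory, and an upload is stored under a server-generated name with only an allowlisted extension. The allowlists, directory and function names are assumptions.

```python
import os
import secrets

# Constructed allowlist: the only values the "page" parameter may take, each
# mapped to a file the server chose. The parameter never names a path itself.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html", "contact": "contact.html"}

# Constructed allowlist of upload extensions; uploads are written to a
# directory that the web server neither executes nor serves directly.
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".pdf"}


def resolve_include(base_dir: str, page_param: str) -> str:
    """Maps the parameter to a server-chosen file, then double-checks that the
    resolved path is still inside base_dir (symlinks, mis-edited allowlist).
    A remote URL or '../' never gets this far: it is not a key of the map."""
    if page_param not in ALLOWED_PAGES:
        raise PermissionError("page not in allowlist: %r" % page_param)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, ALLOWED_PAGES[page_param]))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("resolved path escapes the include directory")
    return target


def include_is_allowed(base_dir: str, page_param: str) -> bool:
    try:
        resolve_include(base_dir, page_param)
        return True
    except PermissionError:
        return False


def safe_upload_name(original_name: str) -> str:
    """The stored name is generated by the server; only the extension comes
    from the client, and only if it is allowlisted. A double extension such
    as 'x.png.php' ends in '.php' and is therefore refused."""
    ext = os.path.splitext(os.path.basename(original_name))[1].lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        raise ValueError("upload type not allowed: %r" % ext)
    return secrets.token_hex(16) + ext


def upload_is_allowed(original_name: str) -> bool:
    try:
        safe_upload_name(original_name)
        return True
    except ValueError:
        return False
```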

3. Malicious File Injection
References
- OWASP Guide, http://www.owasp.org/index.php/File_System#Includes_and_Remote_files
- OWASP Testing Guide, http://www.owasp.org/index.php/Testing_for_Directory_Traversal
- OWASP PHP Top 5, http://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Execution
- Stefan Esser, http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html
- [SIF01] Sift Networks, Web Services: Teaching an old dog new tricks, http://www.ruxcon.org.au/files/2006/web_services_security.ppt
- http://www.owasp.org/index.php/OWASP_Java_Table_of_Contents#Defining_a_Java_Security_Policy
- Microsoft, Programming for Partial Trust, http://msdn2.microsoft.com/en-us/library/ms364059(VS.80).aspx

Insecure Direct Object Reference

4. Insecure Direct Object Reference
Description
- Occurs when a developer exposes an unvalidated reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter
Affected Environments
- All web application frameworks are vulnerable to attacks on insecure direct object references

4. Insecure Direct Object Reference
Vulnerabilities
- Exposed internal object references
- Attackers use parameter tampering to change references and violate the intended but unenforced access control policy
- References to database keys are frequently exposed

4. Insecure Direct Object Reference
Verifying Security
- Remove any direct object references that can be manipulated by an attacker
- Difficult for both automated and manual approaches
Protection
- Best protection is to avoid exposing direct object references to users
- Verify authorization to all referenced objects
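Both Protection bullets together, as an added Python example (not OWASP's code): a per-session indirect reference map replaces database keys in URLs with opaque handles, and the handler still verifies ownership of the referenced record. The invoice records, user names and class names are constructed for this example.

```python
import secrets

# Constructed sample records, keyed by their real database id.
INVOICES = {
    101: {"owner": "alice", "total": 40},
    102: {"owner": "bob", "total": 99},
    103: {"owner": "alice", "total": 12},
}


def get_invoice_vulnerable(key: int) -> dict:
    """The flaw: the URL carries the database key and nobody checks who asked."""
    return INVOICES[key]


class IndirectReferenceMap:
    """Per-session map from random opaque handles to real keys. A user can only
    resolve handles this session issued, so trying neighbouring ids is
    useless, and the handles reveal nothing about the key space."""

    def __init__(self):
        self._handle_to_key = {}
        self._key_to_handle = {}

    def handle_for(self, key):
        if key not in self._key_to_handle:
            handle = secrets.token_urlsafe(12)
            self._key_to_handle[key] = handle
            self._handle_to_key[handle] = key
        return self._key_to_handle[key]

    def resolve(self, handle):
        return self._handle_to_key.get(handle)


def list_invoices(user: str, refmap: IndirectReferenceMap) -> list:
    """Builds the links the page shows: opaque handles for this user's records."""
    return [refmap.handle_for(k) for k, inv in INVOICES.items() if inv["owner"] == user]


def get_invoice(user: str, refmap: IndirectReferenceMap, handle: str) -> dict:
    """Resolve through the session map, then still verify authorization on the
    referenced object: defence in depth in case a handle is shared or reused."""
    key = refmap.resolve(handle)
    if key is None:
        raise PermissionError("unknown reference")
    invoice = INVOICES[key]
    if invoice["owner"] != user:
        raise PermissionError("not the owner")
    return invoice


def access_allowed(user: str, refmap: IndirectReferenceMap, handle: str) -> bool:
    try:
        get_invoice(user, refmap, handle)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    alice, bob = IndirectReferenceMap(), IndirectReferenceMap()
    alice_links = list_invoices("alice", alice)
    bob_links = list_invoices("bob", bob)
    return {
        "alice_sees": len(alice_links),
        "own_record": get_invoice("alice", alice, alice_links[0])["total"],
        "tampered_key": access_allowed("alice", alice, "102"),      # raw key in URL
        "foreign_handle": access_allowed("alice", alice, bob_links[0]),
        "vulnerable_returns": get_invoice_vulnerable(102)["owner"],
    }
```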

4. Insecure Direct Object Reference
References
- OWASP, http://www.owasp.org/index.php/Testing_for_business_logic
- OWASP, http://www.owasp.org/index.php/Testing_for_Directory_Traversal
- OWASP, http://www.owasp.org/index.php/Category:Access_Control_Vulnerability

Cross Site Request Forgery (CSRF)

5. Cross Site Request Forgery (CSRF)
Description
- An attack that tricks the victim into loading a page that contains a malicious request.
- Also known as Session Riding, One-Click Attacks, Cross Site Reference Forgery, Hostile Linking, and Automation Attack
Affected Environments
- All web application frameworks are vulnerable to CSRF.

5. Cross Site Request Forgery (CSRF)
Vulnerabilities
- In a forum, the attack may direct the user to invoke a logout function
- Can be combined with XSS

5. Cross Site Request Forgery (CSRF)
Verifying Security
- Use an authorization token that is not automatically submitted by the browser
Protection
- Eliminate any XSS vulnerabilities in your application
- Add a per-request nonce to the URL and all forms in addition to the standard session, if it is not built into your web app framework
- Require additional login screens for sensitive data
- Do not use GET requests for sensitive data
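The per-request nonce and "no GET for sensitive actions" bullets, as an added Python example (not OWASP CSRF Guard or any code from the slides): tokens are bound to the session with an HMAC, issued per form render, accepted once, and checked on a state-changing POST. The secret, session ids and endpoint are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in a deployment it comes from protected
# configuration, never from a literal in source.
SERVER_SECRET = secrets.token_bytes(32)


class CsrfGuard:
    """Per-session, per-request anti-CSRF tokens. A forged cross-site request
    arrives with the session cookie (the browser adds it automatically) but
    without this token, which the browser does not add, so it fails."""

    def __init__(self, session_id: str, secret: bytes = SERVER_SECRET):
        self.session_id = session_id
        self._secret = secret
        self._outstanding = set()  # nonces issued but not yet consumed

    def _mac(self, nonce: str) -> str:
        msg = (self.session_id + ":" + nonce).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def new_token(self) -> str:
        """Called when rendering a form; the value goes into a hidden field."""
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return nonce + "." + self._mac(nonce)

    def verify(self, token: str) -> bool:
        nonce, sep, mac = token.partition(".")
        if not sep or not hmac.compare_digest(mac, self._mac(nonce)):
            return False                      # malformed, or another session's token
        if nonce not in self._outstanding:
            return False                      # never issued, or already used
        self._outstanding.discard(nonce)      # per-request: single use
        return True


def handle_transfer(guard: CsrfGuard, method: str, form: dict) -> int:
    """State-changing endpoint: POST only, and a valid per-request token in
    addition to the session cookie. Returns the HTTP status it would send."""
    if method != "POST":
        return 405
    if not guard.verify(form.get("csrf_token", "")):
        return 403
    return 200


def demo() -> dict:
    victim = CsrfGuard("session-A")
    other = CsrfGuard("session-B")
    token = victim.new_token()
    return {
        "legit": handle_transfer(victim, "POST", {"csrf_token": token}),
        "replay": handle_transfer(victim, "POST", {"csrf_token": token}),
        "forged_no_token": handle_transfer(victim, "POST", {}),
        "forged_get": handle_transfer(victim, "GET", {"csrf_token": victim.new_token()}),
        "other_session": handle_transfer(victim, "POST", {"csrf_token": other.new_token()}),
    }
```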

5. Cross Site Request Forgery (CSRF)
References
- OWASP CSRF, http://www.owasp.org/index.php/Cross-Site_Request_Forgery
- OWASP, https://www.owasp.org/index.php/Testing_for_CSRF
- OWASP CSRF Guard, http://www.owasp.org/index.php/CSRF_Guard
- OWASP PHP CSRF Guard, http://www.owasp.org/index.php/PHP_CSRF_Guard
- RSnake, "What is CSRF?", http://ha.ckers.org/blog/20061030/what-is-csrf/
- Microsoft, ViewStateUserKey details, http://msdn2.microsoft.com/en-us/library/ms972969.aspx#securitybarriers_topic2

Information Leakage and Improper Error Handling

6. Information Leakage and Improper Error Handling
Description
- Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems
Affected Environments
- All web application frameworks are vulnerable to information leakage and improper error handling.

6. Information Leakage and Improper Error Handling
Vulnerabilities
- Error messages with too much detail: stack traces, SQL statements
- Improper logging of detailed messages

6. Information Leakage and Improper Error Handling
Verifying Security
- The goal is for the application not to leak detailed error messages
- Automated and manual approaches are useful, but automated tools cannot properly determine the meaning of a message and manual review is time consuming
Protection
- Use testing to generate error messages and perform ongoing evaluations in development
- Disable or limit detailed error handling
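The "disable or limit detailed error handling" bullet, as an added Python example (not code from the module): a handler that returns the stack trace and driver message to the client beside one that returns a generic message with a reference id and logs the detail server-side under that id, plus the check a tester applies to the response. The failing lookup, its message and the log sink are constructed.

```python
import logging
import traceback
import uuid
from io import StringIO

# Constructed in-memory log sink standing in for the server-side log file.
_LOG_SINK = StringIO()
_logger = logging.getLogger("app.errors.example")
_logger.propagate = False
_logger.setLevel(logging.ERROR)
_logger.addHandler(logging.StreamHandler(_LOG_SINK))


def lookup_order(order_id: str) -> dict:
    """Constructed failing operation: the database layer raises with the SQL
    text and host name in the message, as many drivers do."""
    raise RuntimeError(
        "syntax error in 'SELECT * FROM orders WHERE id = %s' (host db01.internal)"
        % order_id
    )


def _detail(exc: BaseException) -> str:
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def handle_vulnerable(order_id: str) -> tuple:
    """Improper error handling: trace and driver message go to the client."""
    try:
        return 200, lookup_order(order_id)
    except Exception as exc:
        return 500, _detail(exc)


def handle_hardened(order_id: str) -> tuple:
    """The client gets a generic message plus a reference id; the detail is
    logged server-side under the same id so support can still find it."""
    try:
        return 200, lookup_order(order_id)
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        _logger.error("ref=%s %s", ref, _detail(exc))
        return 500, "An internal error occurred. Reference: " + ref


def server_log() -> str:
    return _LOG_SINK.getvalue()


def leaks_internals(body: str) -> bool:
    """Check used in testing: does a response expose internals to the client?
    The markers are constructed for this example's failure."""
    markers = ("Traceback", "SELECT", "db01.internal", ".py")
    return any(m in body for m in markers)
```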

6. Information Leakage and Improper Error Handling
References
- OWASP, http://www.owasp.org/index.php/Error_Handling
- OWASP, http://www.owasp.org/index.php/Category:Sensitive_Data_Protection_Vulnerability

Broken Authentication and Session Management

7. Broken Authentication and Session Management
Description
- Flaws in authentication and session management most frequently involve the failure to protect credentials and session tokens through their lifecycle.
Affected Environments
- All web application frameworks are vulnerable to authentication and session management flaws

7. Broken Authentication and Session Management
Vulnerabilities
- Flaws in main authentication mechanism
- Password management
- Session timeout

7. Broken Authentication and Session Management
Verifying Security
- Application should properly authenticate users and protect their credentials
- Automated tools have difficulty
- Combination of code reviews and testing is effective
Protection
- Maintain secure communication and credential storage
- Use a single authentication mechanism where applicable
- Create a new session upon authentication
- Ensure the logout link destroys all pertinent data
- Do not expose any credentials in URLs or logs
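The "new session upon authentication", "logout destroys all pertinent data" and session-timeout points, as an added Python example (not code from the module): a server-side session store with random ids, a login that discards the pre-authentication id, a logout that removes the record, and idle expiry. The store, timeout value and user names are constructed; time is passed in explicitly so the behaviour is testable.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # constructed policy value


class SessionStore:
    """Server-side session table. Ids are long random tokens and this store
    is the only place that maps an id to a user."""

    def __init__(self):
        self._sessions = {}

    def create(self, user=None, now=None) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": time.time() if now is None else now}
        return sid

    def get(self, sid: str, now=None):
        """Returns the record, or None if unknown or idle too long. An expired
        session is removed rather than silently revived."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = time.time() if now is None else now
        if now - rec["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self.destroy(sid)
            return None
        rec["last_seen"] = now
        return rec

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def login(store: SessionStore, pre_auth_sid: str, username: str, password_ok: bool, now=None):
    """On success the pre-login session is discarded and a brand-new id is
    issued, so an id planted or observed before login is worthless after it.
    Only the new id is returned (for the cookie); the password is never
    logged or placed in a URL."""
    if not password_ok:
        return None
    store.destroy(pre_auth_sid)
    return store.create(user=username, now=now)


def logout(store: SessionStore, sid: str) -> None:
    """Logout removes the server-side record, not just the browser cookie."""
    store.destroy(sid)


def demo() -> dict:
    store = SessionStore()
    t0 = 1_000_000.0
    pre = store.create(now=t0)
    sid = login(store, pre, "alice", True, now=t0)
    result = {
        "new_id_issued": sid != pre,
        "old_id_dead": store.get(pre, now=t0) is None,
        "user": store.get(sid, now=t0)["user"],
        "valid_after_10m": store.get(sid, now=t0 + 600) is not None,
        "expired_after_16m_idle": store.get(sid, now=t0 + 600 + 16 * 60) is None,
        "failed_login": login(store, store.create(now=t0), "alice", False, now=t0),
    }
    sid2 = login(store, store.create(now=t0), "bob", True, now=t0)
    logout(store, sid2)
    result["gone_after_logout"] = store.get(sid2, now=t0) is None
    return result
```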

7. Broken Authentication and Session Management
References
- OWASP, http://www.owasp.org/index.php/Guide_to_Authentication
- OWASP, http://www.owasp.org/index.php/Reviewing_Code_for_Authentication
- OWASP, http://www.owasp.org/index.php/Testing_for_authentication

Insecure Cryptographic Storage

8. Insecure Cryptographic Storage
Description
- Simply failing to encrypt sensitive data is very widespread.
- Applications that do encrypt frequently contain poorly designed cryptography, either using inappropriate ciphers or making serious mistakes using strong ciphers.
Affected Environments
- All web application frameworks are vulnerable to insecure cryptographic storage.

8. Insecure Cryptographic Storage
Vulnerabilities
- Not encrypting sensitive data
- Using home grown algorithms
- Insecure use of strong algorithms
- Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, etc.)
- Hard coding keys, and storing keys in unprotected stores

8. Insecure Cryptographic Storage
Verifying Security
- Verify that the application properly encrypts sensitive information in storage
- Automated vulnerability tools are not effective
- Code review is the best way to verify that an application encrypts sensitive data
Protection
- Use only approved public algorithms
- Check to make sure all sensitive data is being encrypted
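"Use only approved public algorithms" and "do not hard-code keys", as an added Python example (not code from the module) for the most common stored secret, a password: unsalted MD5 (the weak-algorithm case from the previous slide) beside PBKDF2-HMAC-SHA-256 with a random per-record salt, a self-describing stored format, constant-time comparison, and a data key loaded from the environment instead of source. The iteration count, variable name and stored-format layout are assumptions.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000   # constructed work factor; tune to the hardware
SALT_BYTES = 16


def hash_password_weak(password: str) -> str:
    """The 'continued use of proven weak algorithms' case: unsalted MD5 gives
    the same output for the same password and is trivially precomputed."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Stored form carries algorithm, iterations, salt and derived key, so the
    parameters can be raised later while old records still verify."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recomputes with the stored parameters; compare_digest avoids leaking
    how many leading bytes matched through timing."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def load_data_key() -> bytes:
    """Keys for encrypting stored data come from a protected store (here the
    process environment, an assumption for this example), never from a
    literal in source. Refusing to start beats falling back to a default."""
    value = os.environ.get("APP_DATA_KEY_HEX")
    if value is None:
        raise RuntimeError("APP_DATA_KEY_HEX not provisioned; no hard-coded fallback")
    key = bytes.fromhex(value)
    if len(key) != 32:
        raise RuntimeError("data key must be 32 bytes")
    return key
```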

8. Insecure Cryptographic Storage
References
- OWASP, http://www.owasp.org/index.php/Cryptography
- OWASP, http://www.owasp.org/index.php/Guide_to_Cryptography
- OWASP, http://www.owasp.org/index.php/Insecure_Storage
- OWASP, http://www.owasp.org/index.php/How_to_protect_sensitive_data_in_URL’s
- PCI Data Security Standard v1.1, https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
- Bruce Schneier, http://www.schneier.com/
- CryptoAPI Next Generation, http://msdn2.microsoft.com/en-us/library/aa376210.aspx

Insecure Communications

9. Insecure Communications
Description
- Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications
- SSL must be used for all authenticated connections
Affected Environments
- All web application frameworks are vulnerable to insecure communications.

9. Insecure Communications
Vulnerabilities
- Network sniffing
- All authenticated traffic needs to go over SSL because HTTP includes authentication credentials or a session token with every single request, not just the actual login request
- Always use SSL with sensitive data

9. Insecure Communications
Verifying Security
- Verify that the application properly encrypts all authenticated and sensitive communications
- Vulnerability scanning tools can verify that SSL is used on the front end, and can find many SSL related flaws
- Code review is quite efficient for verifying the proper use of SSL for all backend connections
Protection
- Always use SSL with sensitive data
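The front-end and back-end halves of "always use SSL", as an added Python example (not code from the module): plain-HTTP requests are redirected rather than served, the session cookie is marked Secure so it is never sent in clear (the slide's point that every request carries the token), and back-end connections use a context that requires a certificate, checks the host name and refuses anything below TLS 1.2. The cookie name and URLs are constructed.

```python
import ssl
from urllib.parse import urlsplit, urlunsplit

SESSION_COOKIE = "SESSIONID"  # constructed cookie name


def enforce_https(url: str) -> tuple:
    """Front end: a request that carries or would receive a session token must
    arrive over HTTPS. Returns (status, redirect_location); an http:// URL is
    answered with a redirect to its https equivalent instead of the page."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return 200, None
    if parts.scheme == "http":
        return 301, urlunsplit(("https",) + tuple(parts[1:]))
    return 400, None


def session_cookie_header(value: str) -> str:
    """Secure: the browser never sends it over plain HTTP, so a token issued
    over HTTPS cannot be sniffed on a later http:// link; HttpOnly keeps it
    away from script (which the XSS module is about)."""
    return "%s=%s; Secure; HttpOnly; Path=/" % (SESSION_COOKIE, value)


def backend_tls_context() -> ssl.SSLContext:
    """Back-end connections, the part code review has to verify: certificate
    required, host name checked, no protocol older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def backend_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Review check: all three properties must hold, or data to the back end
    can be read or redirected on the wire."""
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)
```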

9. Insecure Communications
References
- OWASP Testing Guide, Testing for SSL / TLS, https://www.owasp.org/index.php/Testing_for_SSL-TLS
- OWASP Guide, http://www.owasp.org/index.php/Guide_to_Cryptography
- Foundstone, SSL Digger, http://www.foundstone.com/index.htm?subnav=services/navigation.htm&subcontent=/services/overview_s3i_des.htm
- NIST, SP 800-52 Guidelines for the selection and use of transport layer security (TLS) Implementations, http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf
- NIST SP 800-95 Guide to secure web services, http://csrc.nist.gov/publications/drafts.html#sp800-95

Failure to Restrict URL Access

10. Failure to Restrict URL Access
Description
- Relying on security by obscurity to restrict URL access
- Not using access control checks for URLs
Affected Environments
- All web application frameworks are vulnerable to failure to restrict URL access

10. Failure to Restrict URL Access
Vulnerabilities
- Forced browsing
- “Hidden” URLs and files
- Outdated security mechanism
- Evaluating privileges only on the client

10. Failure to Restrict URL Access
Verifying Security
- Verify that access control is enforced consistently for all URLs in the application
- Automated tools have difficulty verifying URL access control
- Combination of code reviews and testing is effective
Protection
- Properly architecting and implementing roles for URL access
- Ensure all URLs are part of this process
- Do not use “hidden” URLs
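"Roles for URL access" with every URL covered, as an added Python example (not code from the module): a server-side role policy evaluated on every request, deny by default so an unlisted "hidden" URL is not reachable, with path normalisation before matching so `..` and doubled slashes cannot dodge a rule. The routes, roles and URLs are constructed for this example.

```python
import posixpath
import re

# Constructed role policy. Every reachable URL must match a rule; anything
# unlisted, including old reports or forgotten admin pages, is denied.
ROUTE_POLICY = [
    (re.compile(r"^/admin(/.*)?$"), {"admin"}),
    (re.compile(r"^/account(/.*)?$"), {"user", "admin"}),
    (re.compile(r"^/(login|logout|public/.*)?$"), {"anonymous", "user", "admin"}),
]


def normalize_path(url_or_path: str) -> str:
    """Strip query and fragment, collapse repeated slashes, then resolve '.'
    and '..' so '/public/../admin' is judged as '/admin', not by its prefix."""
    path = url_or_path.split("#", 1)[0].split("?", 1)[0]
    path = re.sub(r"/+", "/", path) or "/"
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path


def authorize(url_or_path: str, role: str) -> bool:
    """Server-side check applied to every request, independent of which links
    the client was shown (privileges are never evaluated on the client)."""
    path = normalize_path(url_or_path)
    for pattern, roles in ROUTE_POLICY:
        if pattern.match(path):
            return role in roles
    return False  # deny by default


def handle(url: str, role: str) -> int:
    """Returns the HTTP status the request would get."""
    return 200 if authorize(url, role) else 403
```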

10. Failure to Restrict URL Access
References
- OWASP, http://www.owasp.org/index.php/Testing_for_Directory_Traversal
- OWASP, http://www.owasp.org/index.php/Forced_browsing
- OWASP, http://www.owasp.org/index.php/Guide_to_Authorization