Owasp for dummies handouts
OWASP
Bart ten Brinke
• https://www.owasp.org/
• OWASP gathers statistics of internet hacks and uses them to generate its security top 10.
The Open Web Application Security Project (OWASP)
The CIA triangle: Availability, Integrity and Confidentiality, with Data in the middle.
“Doctor-specific patient records cannot be viewed by nurses, which means they are not as well informed as they could be.”
“Putting stuff on Wikipedia makes it very available, but not very confidential.”
“Wikipedia always has the latest news available, but how can you be sure that all the facts are checked?”
• http://en.wikipedia.org/wiki/Information_security
• The safest door is one you can’t walk through at all.
• The nuances of the CIA triangle are lost in current media reports: something is either safe or unsafe.
Every solution is a compromise between Confidentiality, Integrity & Availability.
(Slide figure: a scale from Unsafe to Safe.)
During the design of the Dutch public transportation card (OV-chipkaart) the designers made the decision to use less secure RFID cards, because the savings on these cheap RFID cards were much higher than the loss of revenue to hackers.
This was not reflected by the media at all.
OWASP Top 10
1. SQL injection
We have a website where you can log in using your username and password:
Username: john
Password: 1234
The application checks these credentials with a database:
SELECT * FROM users WHERE username = "john" AND password = "1234"
Give me all users with the name "john" and password "1234". If there is one, you will be logged in.
Now try the following input:
Username: administrator
Password: " OR 1="1
SELECT * FROM users WHERE username = "administrator" AND password = "" OR 1="1"
Give me all users with the name "administrator" who have an empty password OR where 1=1.
1=1 is always true, so you will be logged in as the administrator.
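The two queries above run against a small SQLite table, as an added example that is not part of the original handout. The login is written once the vulnerable way (string formatting) and once with a parameterised query. The table, its users and the administrator's password are constructed, and the slide's double-quoted payload is written with single quotes here because SQLite treats double-quoted strings as identifiers.

```python
import sqlite3

def make_db():
    # Constructed users table: one ordinary user and one administrator. The
    # passwords are stored in plaintext only to mirror the slide (see item 7).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("john", "1234"), ("administrator", "s3cret")])
    return conn

DB = make_db()

def login_unsafe(username, password, conn=DB):
    # The vulnerable pattern from the slides: the two form fields are glued into
    # the query text, so quote characters in them become part of the SQL.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]

def login_safe(username, password, conn=DB):
    # Fixed: a parameterised query. The driver passes the values separately from
    # the statement text, so "' OR '1'='1" is compared as a literal password
    # and matches nobody.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password))
    return [row[0] for row in rows]

if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("unsafe, real password:", login_unsafe("john", "1234"))
    print("unsafe, payload:      ", login_unsafe("administrator", payload))
    print("safe, payload:        ", login_safe("administrator", payload))
```

Run it and the unsafe login returns every user for the payload while the safe one returns none. The fix is not to escape quotes by hand but to never let user input become part of the statement text.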
2. XSS - Cross site Scripting
As an example we will be using a cat blog which has a guestbook where you can post messages.
My weblog
Story about my cat
Comments: john: I have a cat just like that!
Name: john
Comment: I have a cat just like that!
If the guestbook is poorly secured, it is possible to store other things than messages. For example, you might be able to store javascript.
Because other people can read the guestbook, it is possible to abuse the cat blog to help you spread your javascript to other readers of the blog.
• Visitors can be redirected to another site.
• Visitors can be presented with a popup containing a virus download link.
Name: hacker
Comment: window.location = "badstuff.tv"
Hacker posts on blog. John visits blog. John gets redirected to a different website.
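How the guestbook should render its comments, as an added example that is not in the original handout. The two entries are constructed; the second wraps the slide's window.location line in a script tag, which is an assumption about how the comment would be stored. render_unsafe reproduces the defect and render_safe escapes every untrusted value with html.escape before it enters the page.

```python
import html

# Constructed guestbook entries: a harmless comment and the slide's malicious
# one. Wrapping the slide's JavaScript line in a <script> tag is an assumption
# about how it would be stored.
GUESTBOOK = [
    ("john", "I have a cat just like that!"),
    ("hacker", '<script>window.location = "badstuff.tv"</script>'),
]

def render_unsafe(entries):
    # Vulnerable: the stored text is pasted into the page as-is, so a <script>
    # tag in a comment runs in the browser of every visitor who reads it.
    return "\n".join(f"<p><b>{name}</b>: {text}</p>" for name, text in entries)

def render_safe(entries):
    # Fixed: every untrusted value is escaped on output, so the browser shows
    # the characters of the tag instead of executing it. Escaping at output
    # time is the defence; trying to filter "bad" input is easy to get wrong.
    return "\n".join(
        f"<p><b>{html.escape(name, quote=True)}</b>: {html.escape(text, quote=True)}</p>"
        for name, text in entries)

if __name__ == "__main__":
    print(render_unsafe(GUESTBOOK))
    print(render_safe(GUESTBOOK))
```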
3. Broken session management
Each visitor to a website receives a unique number from the webserver: your session_id.
Through this number the webserver is able to keep track of who you are. This is why the number:
• Has to be secret.
• Should be very hard to guess.
• May not be changed by other people.
(Slide figure: _session_id = my session_id + 1.)
Guessing a session_id can be very easy.
Email to the administrator of a website:
I can’t log in! Could you try it for me? https://catblog.com/?PHP_SESSION_ID=123456
Greets, hacker
Sometimes it is possible to send other people your session_id, forcing a shared session.
This might cause credentials of users to be combined.
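The three properties of a session id in code, as an added example rather than anything from the handout. SessionStore and resolve_session are constructed names: the store issues ids from Python's secrets module (hard to guess), takes the id only from the cookie (the URL in the e-mail above cannot choose it) and replaces the id at login (an id someone else handed you never becomes an authenticated session).

```python
import secrets

SESSION_ID_BYTES = 32  # 256 bits of randomness per id: "my id + 1" is no guess at all

class SessionStore:
    # Minimal in-memory session store, constructed for this example.
    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # secrets (not random) is the CSPRNG meant for tokens like this.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def login(self, old_sid, user):
        # Issue a fresh id at login and forget the old one. An id that someone
        # else handed to the user (the "could you try this link" e-mail in the
        # slides) therefore never turns into an authenticated session.
        self._sessions.pop(old_sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = user
        return new_sid

def resolve_session(store, cookies, query_params=None):
    # Only the cookie is consulted. An id placed in the URL (the slide's
    # ?PHP_SESSION_ID=123456) is ignored, so a link cannot select or share a
    # session. An unknown or missing cookie gets a brand-new session.
    sid = cookies.get("session_id")
    if sid is None or store.lookup(sid) is None:
        sid = store.new_session()
    return sid, store.lookup(sid)

if __name__ == "__main__":
    store = SessionStore()
    sid, _ = resolve_session(store, {}, {"PHP_SESSION_ID": "123456"})
    print("issued:", sid)
    print("after login:", store.login(sid, "john"))
```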
4. Insecure direct object reference
As an example we will take a website with a “change your password” form. If you select “view source” in your browser, you will see something like this:
<form id="form" method="post" action="/employees/1234">
  <input type="text" name="username" />
  <input type="password" name="password" value="" />
  <input type="hidden" name="employee_id" value="1234" />
</form>
What happens if you change the action or the employee_id?
Could you reset somebody else’s password?
5. Cross site request forgery
A more complex variant of Cross Site Scripting (XSS), so we will be reusing the cat blog example with a guestbook.
My weblog
Story about my cat
Comments: john: I have a cat just like that!
Name: john
Comment: I have a cat just like that!
If the guestbook is poorly secured, it might be possible to store other things like javascript in the message box.
Because other visitors can read the guestbook, it is possible to abuse the cat blog to help you spread your javascript to other readers of the blog.
By using ajax we can abuse active sessions visitors might have with other services (like Gmail) to send spam through their account.
Name: hacker
Comment:
$.ajax({
  type: 'POST',
  url: "www.gmail.com/new",
  data: { to: "[email protected]", subject: "NOT SPAM!", body: "Need Viagra?" },
  success: success,
  dataType: dataType
});
Hacker posts on blog. John visits blog. John sends spam to Anne via Gmail, without noticing it.
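What the receiving site (the “Gmail” of the example) must check so that John's browser cannot be used to send the mail, as an added example that is not part of the handout. SECRET_KEY, OUR_ORIGIN, the session id and the form contents are constructed; the technique is the synchronizer token, a value bound to the session that a script on the cat blog cannot read, plus a check on the browser's Origin header.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)   # server-side secret, generated at start-up
OUR_ORIGIN = "https://mail.example"    # placeholder for the mail service's own origin

def csrf_token_for(session_id):
    # Token derived from the session with a server secret. A script running on
    # the cat blog cannot read it (it lives in the mail service's own page, a
    # different origin), so it cannot include it in the forged POST.
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_send_mail(session_id, form, origin_header=None):
    # Server side of the "/new" endpoint. The session cookie is attached by the
    # browser to every request, so it proves nothing about who built the
    # request; the token and the Origin header do.
    if origin_header is not None and origin_header != OUR_ORIGIN:
        return 403, "cross-site request refused"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(session_id)):
        return 403, "missing or wrong CSRF token"
    return 200, "mail to %s queued" % form["to"]

if __name__ == "__main__":
    sid = "session-of-john"  # constructed
    good = {"to": "anne@example", "subject": "hi", "csrf_token": csrf_token_for(sid)}
    forged = {"to": "anne@example", "subject": "NOT SPAM!"}  # what the slide's $.ajax call sends
    print(handle_send_mail(sid, good, OUR_ORIGIN))
    print(handle_send_mail(sid, forged, "http://catblog.com"))
```

Browsers add a further layer with the SameSite cookie attribute, which keeps the session cookie off cross-site POSTs in the first place; the token check still belongs on the server.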
6. Security misconfiguration
Every system needs periodic updates, to ensure the latest versions are installed.
• Check if your provider/hoster has a maintenance window to do updates.
7. Insecure Cryptographic Storage
Incorrectly secured data. For example, this should NEVER be in your database in plaintext:
Username   Email               Password
jantje     [email protected]   jantje1
pietje     [email protected]   welkom123
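Storing that table correctly, as an added example that is not from the handout. hash_password and verify_password are constructed names using PBKDF2-HMAC-SHA256 from the standard library with a random 16-byte salt per user; the usernames and passwords are the slide's, the e-mail column is left out.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor (the figure current OWASP guidance recommends).
ITERATIONS = 600_000

def hash_password(password, salt=None):
    # A fresh random salt per user means two users with the same password get
    # different stored values, and a precomputed table is useless.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    # Recompute with the stored salt and iteration count; compare in constant time.
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

# The slide's table stored the right way (constructed; e-mail column omitted).
USERS = {"jantje": hash_password("jantje1"),
         "pietje": hash_password("welkom123")}

def check_login(username, password):
    return username in USERS and verify_password(password, USERS[username])

if __name__ == "__main__":
    for name, stored in USERS.items():
        print(name, stored)
    print(check_login("jantje", "jantje1"), check_login("jantje", "welkom123"))
```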
8. Failure to restrict URL access
Modify the URL of a website. This is very popular with journalists, because you can do it with any browser.
• http://catblog.com/admin.php
• http://test.com/employee/1234 => 1235?
• http://ibm.com/annualreport/2011 => 2012?
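The server-side check that items 4 and 8 both call for, as an added example and not code from the handout. All names (make_employees, change_password_safe, serve, Forbidden) are constructed. The password form's employee_id is ignored in favour of the logged-in user's own record, and every URL, guessed or clicked, passes the same authorisation check, with the same refusal for ids that do not exist and ids that belong to someone else.

```python
class Forbidden(Exception):
    pass

def make_employees():
    # Constructed records: which login owns which employee id.
    return {1234: {"username": "john", "password": "1234"},
            1235: {"username": "anne", "password": "hunter2"}}

ADMINS = {"administrator"}  # constructed: who may open /admin.php

def change_password_unsafe(db, session_user, form):
    # Vulnerable: the record to update is chosen by the employee_id the browser
    # sent (hidden field or form action), so editing it resets someone else's
    # password.
    db[int(form["employee_id"])]["password"] = form["password"]

def change_password_safe(db, session_user, form):
    # Fixed: the record is looked up from the server-side session, and the
    # client-supplied employee_id is not consulted at all.
    my_id = next(eid for eid, rec in db.items() if rec["username"] == session_user)
    db[my_id]["password"] = form["password"]

def serve(db, path, session_user):
    # Authorisation on every request, not just on the links the menu shows:
    # a guessed or edited URL must pass the same check as a clicked one.
    if path == "/admin.php":
        if session_user not in ADMINS:
            raise Forbidden(path)
        return "admin page"
    if path.startswith("/employee/"):
        try:
            eid = int(path[len("/employee/"):])
        except ValueError:
            raise Forbidden(path) from None
        rec = db.get(eid)
        # Same answer for "does not exist" and "not yours", so the URL cannot
        # be used to find out which ids are real.
        if rec is None or rec["username"] != session_user:
            raise Forbidden(path)
        return rec
    return "public page"

if __name__ == "__main__":
    db = make_employees()
    change_password_safe(db, "john", {"employee_id": "1235", "password": "mine"})
    print(db)
    print(serve(db, "/employee/1234", "john"))
```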
9. Insufficient Transport Layer Protection
With HTTPS the server and client negotiate about the level of security. Together they figure out what the highest level of encryption is that they can use for the connection.
• Viruses sometimes turn the encryption level of a browser down to the lowest possible setting.
• Badly configured servers agree with the low setting and set up a badly encrypted connection.
• Eavesdropping on the secure traffic between the server and the client is now possible.
If people cannot reach our website, but you can, there is a good possibility that our server won't drop to their suggested encryption level. Browsers give very bad error messages when this happens.
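The server-side configuration that refuses to “agree with the low setting”, as an added example rather than anything from the handout. make_server_context and negotiate are constructed names; the certificate and key file arguments are placeholders, and negotiate is a deliberately simplified model of the version negotiation, not the real handshake.

```python
import ssl

# Short names for the protocol versions used below.
SSLv3, TLSv1, TLSv1_1, TLSv1_2, TLSv1_3 = (
    ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def make_server_context(certfile=None, keyfile=None):
    # Server-side TLS settings that refuse to negotiate below TLS 1.2. A client
    # (or something tampering with the client) that offers only SSLv3, TLS 1.0
    # or TLS 1.1 gets a failed handshake instead of a weakly encrypted
    # connection. certfile/keyfile are placeholders; the chain is only loaded
    # when they are given.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def negotiate(server_ctx, client_offered):
    # Simplified model of version negotiation (constructed, not the real
    # handshake code): the client offers what it supports, the server picks the
    # highest version both sides accept, or refuses the connection.
    acceptable = [v for v in client_offered if v >= server_ctx.minimum_version]
    return max(acceptable) if acceptable else None

if __name__ == "__main__":
    ctx = make_server_context()
    print("downgraded client:", negotiate(ctx, [SSLv3, TLSv1]))
    print("normal client:    ", negotiate(ctx, [TLSv1, TLSv1_2, TLSv1_3]))
```

The failed handshake is exactly the “very bad error message” the slide mentions: the browser knows only that the connection was refused, not that it refused because the browser asked for too little.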
10. Unvalidated Redirects and Forwards (rickroll)
When you open a link to a secure section of a website and you are not logged in, you are often redirected to the login page. After you log in you will be sent back to the original page you were trying to open.
http://catblog.com/login.php?return_url=/admin.php
Sometimes it is possible to abuse this and send people a link which looks legit & contains a website they trust.
However, after they log in, they are sent somewhere else.
http://catblog.com/login.php?return_url=http://www.youtube.com/watch?v=oHg5SJYRHA0
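A check for the return_url parameter, as an added example that is not part of the handout. safe_return_url is a constructed name; it accepts only a path on the same site (one leading slash, no scheme, no host) and falls back to a default otherwise, so the YouTube link above is refused while /admin.php is allowed. It also rejects the "//host" and "/\host" forms, which browsers read as a different site; that goes a little beyond the slide's single example.

```python
from urllib.parse import urlsplit

DEFAULT_PAGE = "/"

def safe_return_url(return_url, default=DEFAULT_PAGE):
    # Accept only a local path. It must start with exactly one "/": "//host"
    # and "/\host" are treated by browsers as a different site, and so is
    # "///host", which urlsplit would report as a plain path.
    if not return_url or return_url[0] != "/":
        return default
    if return_url[1:2] in ("/", "\\"):
        return default
    # Defence in depth: urlsplit must find neither a scheme nor a host.
    parts = urlsplit(return_url)
    if parts.scheme or parts.netloc:
        return default
    return return_url

if __name__ == "__main__":
    for candidate in ["/admin.php",
                      "http://www.youtube.com/watch?v=oHg5SJYRHA0",
                      "//evil.example/", "/\\evil.example", "admin.php", ""]:
        print(repr(candidate), "->", safe_return_url(candidate))
```

Where the application really must send users to other sites, the usual pattern is an allow-list of known destinations, or an opaque key that the server maps to a destination, rather than a user-supplied URL.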
Solutions?
• Using a framework like JBoss, Rails or Zend will fix 90% of the problems addressed in the OWASP top 10.
• To fix the other 10% you need to periodically have your application audited by an external party.
• Make sure you point out the responsibility of the end user. Often the weakest link is an employee who is careless with printed files or leaves his computer logged in.