OWASP Top 10from a developer’s perspectiveJohn Wilander, OWASP/Omegapoint, IBWAS’10

John Wilanderconsultant at Omegapointin Sweden

Researcher in application security

Co-leader OWASP Sweden

Certified Java Programmer

OWASP Top 10Top web applicationsecurity risks 2010

OWASP

1. Injection2. Cross-Site Scripting (XSS)3. Broken Authentication and Session

Management4. Insecure Direct Object References5. Cross-Site Request Forgery (CSRF)6. Security Misconfiguration7. Insecure Cryptographic Storage8. Failure to Restrict URL Access9. Insufficient Transport Layer Protection10.Unvalidated Redirects and Forwards

OWASP

1. Injection2. Cross-Site Scripting (XSS)3. Broken Authentication and Session

Management4. Insecure Direct Object References5. Cross-Site Request Forgery (CSRF)6. Security Misconfiguration7. Insecure Cryptographic Storage8. Failure to Restrict URL Access9. Insufficient Transport Layer Protection10.Unvalidated Redirects and Forwards

OWASP

Injection ...the good old, boring stuff

OWASP

sql = "SELECT * FROM users WHERE firstName = '" + fname + "' AND surName = '" + sname + "'";

OWASP

sql = "SELECT * FROM users WHERE firstName = '" + fname + "' AND surName = '" + sname + "'";

OWASP

fname = ’ OR 1=1--sname = blabla

OWASP

sql = "SELECT * FROM users WHERE firstName = '" + ’OR 1=1-- + "' AND surName = '" + blabla + "'";

SELECT *FROM usersWHERE firstName = ''OR 1=1--' AND surName = 'blabla'

OWASP

SELECT *FROM users

OWASP

Input Validation?

OWASP

fname = Johnsname = Wilander

Accept:A-Za-z

OWASP

fname = Luíssname = Grangeia

Accept:A-Za-zí

OWASP

fname = Joãosname = Franco

Accept:A-Za-zíã

OWASP

fname = {some name}sname = {some name}

Accept:A-Za-zíãåäöüû..........

OWASP

fname = {some name}sname = {some name}

Accept:\p{L}

OWASP

fname = Oliversname = O’Heir

Accept:\p{L}

OWASP

fname = Oliversname = O’Heir

Accept:\p{L}’

OWASP

fname = Fredriksname = Jägare-Lilja

Accept:\p{L}’

OWASP

fname = Fredriksname = Jägare-Lilja

Accept:\p{L}’-

OWASP

fname = John Ericsname = Wilander

Accept:\p{L}’-

OWASP

fname = ’OR ‘a’ IS NOT NULL--sname = blabla

Accept:\p{L}’-

OWASP

But ...

’OR ‘a’ IS NOT NULL--

is not a name!

OWASP

PreparedStatement preparedStmt = connection.prepareStatement( ”SELECT a, b FROM table WHERE c = ?”);preparedStmt.setInt(1, column);ResultSet resultset = preparedStmt.executeQuery();

OWASP

PreparedStatement preparedStmt = connection.prepareStatement( ”SELECT a, b FROM table WHERE c = ?”);preparedStmt.setInt(1, column);ResultSet resultset = preparedStmt.executeQuery();

OWASP

PreparedStatement preparedStmt = connection.prepareStatement( ”SELECT a, b FROM table WHERE c = ?”);preparedStmt.setInt(1, column);ResultSet resultset = preparedStmt.executeQuery();

OWASP

XSS ...much more exciting!

OWASP

Run

script

Cross-site

Scripting

OWASP

Is ...

<script src=”http://attacker.com/c.js”></script>

a name?

OWASP

Just filter <script>, huh?

<img src=javascript:alert('XSS')>

<body onload=alert('XSS')>

<table background="javascript:alert('XSS')">

¼script¾alert(¢XSS¢)¼/script¾

OWASP

<dependency> <groupId>org.owasp</groupId> <artifactId>antisamy</artifactId> <version>1.4</version></dependency>

OWASP AntiSamy

OWASP

Content Security Policy

X-Content-Security-Policy: allow 'self';

OWASP

Session Management ...just a quick one

OWASP

HTTP StatelessGET http://www.site.com/ HTTP/1.1

HTTP/1.1 200 OK

OWASP

HTTP StatelessGET http://www.site.com/ HTTP/1.1

HTTP/1.1 200 OK

OWASP

Hold Your Sessions

• Session ID in URLwww.site.com/ … ;sessionid=1234

• Session ID in hidden form fields<INPUT TYPE=”hidden” NAME=”sessionid” VALUE=”1234”>

• Session ID in cookieSet-Cookie: sessionID=”1234” …

OWASP

HTTP + SessionGET http://www.site.com/ HTTP/1.1

HTTP/1.1 200 OK

OWASP

HTTP + SessionGET http://www.site.com/ HTTP/1.1

HTTP/1.1 200 OK

Cookie Monster©2009 Sesame Workshop

OWASP

About Cookies

• Enduser owns the cookies

• don’t trust cookies backend

• don’t hide anything in them

• JavaScript (thus XSS) can read cookies

• use httpOnly attribute

• Cookies are sent for all requests

• use secure attributeOWASP

Insecure Direct Object Reference

just a quick one

OWASP

http://site.com/cms?file=report524.pdf

http://site.com/cms?file=../../../../../../../../../etc/passwd

OWASP

Filter ”../” huh?..%2F (URL encoding)%2E%2E%2F (URL encoding)Li4v (Base64 encoding)%002E%002E%002F (Unicode)

”..\” often the same meaning as ”../”..%5C (URL encoding)%2E%2E%5C (URL encoding)Li5c (Base64 encoding)%002E%002E%005C (Unicode)

OWASP

OWASP ESAPIAccess Reference Map

Browser URL

Access Ref Map

WS

DB

FSfile=456772 456772 report524.pdf

OWASP

CSRF ...my current favorite!

OWASP

What’s on your mind? What’s on your mind?POST POST

OWASP

I love OWASP!

What’s on your mind? What’s on your mind?POST POST

OWASP

I love OWASP!

What’s on your mind? What’s on your mind?POST POST

John: I love OWASP!

OWASP

What’s on your mind? What’s on your mind?POST POST

OWASP

What’s on your mind?I hate OWASP!

What’s on your mind?POST POST

OWASP

What’s on your mind?I hate OWASP!

What’s on your mind?POST POST

OWASP

What’s on your mind?I hate OWASP!

What’s on your mind?POST POST

John: I hate OWASP!

OWASP

What’s on your mind? What’s on your mind?POST

John: I hate OWASP!

<form id="target" method="POST" action="https://john.com/mind" style="visibility:hidden"><input type="text" value="I hate OWASP!" name="oneLiner"/><input type="submit" value="Go"/></form>

<script type="text/javascript"> $(document).ready(function() { $('#form').submit(); });</script>

OWASP

Insufficient Transport Layer Protection

OWASP

OWASP

OWASP

<div class="menu_login_container"><form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">

OWASP

Moxie’s SSL Strip

Terminates SSL

Changes https to http

Normal https to the server

Acts as client

OWASP

Moxie’s SSL Strip

Secure cookie?

Encoding, gzip?

Cached content?

Sessions?

Strip the secure attribute off all cookies.

Strip all encodings in the request.

Strip all if-modified-since in the request.

Redriect to same page, set-cookie expired

OWASP

OWASP Transport Layer Protection Cheat Sheet

http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

OWASP

Unvalidated Redirects and Forwards ...

phising all the way home!

OWASP

Return Path et al

www.site.com/login?returnPath=www.site.com/secure?page=3

OWASP

Return Path et al

www.site.com/login?returnPath=www.attacker.com

OWASP

Return Path et al

www.site.com/login?returnPath=bit.ly/Kl89GT

OWASP

ESAPI sendRedirect()

http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/HTTPUtilities.html

sendRedirect(HttpServletResponse, String)

OWASP

1. Injection2. Cross-Site Scripting (XSS)3. Broken Authentication and Session

Management4. Insecure Direct Object References5. Cross-Site Request Forgery (CSRF)6. Security Misconfiguration7. Insecure Cryptographic Storage8. Failure to Restrict URL Access9. Insufficient Transport Layer Protection10.Unvalidated Redirects and Forwards

OWASP

john.wilander@owasp.orgTwitter: @johnwilander

Blog: appsandsecurity.blogspot.com

OWASP