The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20


The OWASP Top Ten
Most Critical Web Application Security Risks
2013/12/04

Simon Bennetts, Mozilla Security Team, OWASP ZAP Project, [email protected]

The OWASP Top Ten

Most Critical Web Application Security Risks


A great place to start

Current list published in 2013

Well known and well regarded

But the vast majority of websites still have a high, critical or urgent issue

Risk rating factors (? = application specific):

Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
?            | Easy          | Widespread          | Easy                   | Severe           | ?
?            | Average       | Common              | Average                | Moderate         | ?
?            | Difficult     | Uncommon            | Difficult              | Minor            | ?

The OWASP Top Ten

A1: Injection

A2: Broken Authentication and Session Management

A3: Cross-Site Scripting (XSS)

A4: Insecure Direct Object References

A5: Security Misconfiguration

A6: Sensitive Data Exposure

A7: Missing Function Level Access Control

A8: Cross-Site Request Forgery (CSRF)

A9: Using Components with Known Vulnerabilities

A10: Unvalidated Redirects and Forwards

A1: Injection

Tricking an application into including unintended commands in the data sent to an interpreter

SQL, OS Shell, LDAP, Xpath, Hibernate

Impact: SEVERE!

Unauthorized application access

Unauthorized data access

OS access

Attack Vector: Easy
Weakness Prevalence: Common
Weakness Detectability: Average
Technical Impact: Severe

A1: Injection

Diagram: User -> Server -> Db

A1: Injection (SQL)

Example UI (login form):

Name: admin'--
Password: *******
[Login]

Example code:

String sql = "SELECT * FROM users where username = '" + username + "' and password = '" + password + "'";

Expected SQL:

SELECT * FROM users where username = 'admin' and password = 'c0rr3ct'

Resulting SQL query (everything after -- is a comment, so the password check is never evaluated):

SELECT * FROM users where username = 'admin'--' and password = 'anything'

A1: Injection

Prevention:

Use interfaces that provide a parameterized interface:

Prepared Statements

Stored Procedures

Whitelist input

Encode all user input

Minimize database privileges

OWASP SQL Injection Prevention Cheat sheet
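The contrast the slides draw between string concatenation and a prepared statement, as an added example that is not part of the original deck: the concatenated query is the Java snippet above rewritten in Python against a constructed in-memory SQLite table, and the parameterized version is the fix. The user record and the clear-text password column are constructed only to mirror the slide's query.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database: one user. Password stored in clear
    # text only to match the slide's query; real code hashes it (see A6).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'c0rr3ct')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The slide's pattern: the query text is built by concatenation, so the
    user's input becomes part of the SQL program instead of staying data."""
    sql = ("SELECT * FROM users where username = '" + username +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement: the SQL text is fixed and the driver binds the
    values, so a quote or comment marker in the input stays inside the data."""
    sql = "SELECT * FROM users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for user, pw in (("admin", "c0rr3ct"), ("admin'--", "anything")):
        print(repr(user), "concat:", login_concat(db, user, pw),
              "param:", login_param(db, user, pw))
```

The concatenated version accepts the slide's `admin'--` input with any password; the parameterized version looks for a user literally named `admin'--` and finds none. The same rule applies to stored procedures: they are only safe if they are called with bound parameters rather than by building their call string.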

A2: Broken Authentication and Session Management

HTTP is stateless

Session IDs are used to track state, and to an attacker they are as good as credentials

Can be accessed via sniffer, logs, XSS

Related functions are also at risk: change my password, forgotten my password, secret questions

Impact: sessions hijacked / accounts compromised

Attack Vector: Average
Weakness Prevalence: Widespread
Weakness Detectability: Average
Technical Impact: Severe

A2: Broken Authentication and Session Management

Prevention:

Use standard implementations

Use SSL for ALL requests

Thoroughly test all authentication related functionality

Use the Secure and HttpOnly cookie flags

Avoid XSS flaws
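Issuing a session cookie with the Secure and HttpOnly flags, plus a small audit helper for checking Set-Cookie headers seen in a proxy or test run, as an added example that is not part of the original deck. The cookie name SESSIONID is an assumption; the SameSite attribute is an addition beyond the slide's two flags.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"  # assumed cookie name for this example


def new_session_id(nbytes: int = 32) -> str:
    # Unpredictable session ID from the OS CSPRNG; never derive it from
    # the user name, the time or a counter.
    return secrets.token_urlsafe(nbytes)


def session_set_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value with the flags the slide calls for:
    Secure (only sent over TLS, so a sniffer never sees it) and HttpOnly
    (not readable from script, which limits what an XSS flaw can steal)."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = session_id
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["path"] = "/"
    c[SESSION_COOKIE]["samesite"] = "Strict"  # also narrows CSRF (A8)
    return c[SESSION_COOKIE].OutputString()


def missing_cookie_flags(set_cookie_value: str) -> list:
    """Audit a Set-Cookie header value and return the flags it lacks;
    an empty list means it passes."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


if __name__ == "__main__":
    header = session_set_cookie_header(new_session_id())
    print("Set-Cookie:", header)
    print("missing flags:", missing_cookie_flags(header))
    print("missing flags:", missing_cookie_flags("SESSIONID=abc; Path=/"))
```

The audit function is the kind of check worth running over every Set-Cookie header an application emits, since the flags are per cookie and a single unflagged session cookie undoes the rest.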

A3: Cross Site Scripting (XSS)

Injecting malicious content/code into web pages

HTML / JavaScript most common, but many other technologies are also vulnerable:

Java, ActiveX, Flash, RSS, Atom, ...

Present in 68% of all web applications in 2011

Can be present in form and URL parameters AND cookies

Attack Vector: Average
Weakness Prevalence: VERY Widespread
Weakness Detectability: Easy
Technical Impact: Moderate

A3: Cross Site Scripting (XSS)

Impact:

Session hijacking

Unauthorized data access

Web page rewriting

Redirect users (e.g. to phishing or malware sites)

Anything the web application can do

A3: Cross Site Scripting (XSS)

Types (shown as diagrams in the original slides): Reflected, Persistent, DOM

A3: Cross Site Scripting (XSS)

Worked example (reflected XSS through a search page):

Forum post: "Have you seen XYZ are being taken over?? http://tinyurl/jdfgshr"

The shortened link expands to a search on the XYZ site with a crafted query:

https://www.xyz.com/s=%3C%2Fdiv%3E%E2%80%9C%3Cscript%3Edocument.title%3D%E2%80%98XYZ%20

What the victim sees: a page titled "XYZ We're being taken over!" with the site's own search box and a fake login form: "Yes, we're being taken over, but don't worry: login to find out why this is a good thing! Username: Password: [Login]"

What actually happened: the search page echoed the query unencoded into its "no results" message, so the script and the fake form became part of the page:

XYZ No Search Result found!
Search this site:
No search result found for: document.title='XYZ We're being taken over!'; document.getElementById('results').style.display='none'; Yes, we're being taken over, but don't worry: login to find out why this is a good thing! Username: Password:

A3: Cross Site Scripting (XSS)

Prevention:

Don't output user-supplied input

Whitelist input

Encode output (e.g. using OWASP ESAPI)

If you must support user-supplied HTML, use libraries like OWASP's AntiSamy

OWASP XSS Prevention Cheat sheet
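Output encoding applied to the search page from the worked example above, as an added example that is not part of the original deck: the unencoded render is the pattern the XYZ site had, the encoded render is the fix, and the query is extracted from the URL the way the server would. The URL is constructed (a simplified version of the slide's, with the parameter on a /search path) and html.escape is used here in place of OWASP ESAPI.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed URL, simplified from the slide's: the search term carries
# markup that closes the results div and adds a script.
EXAMPLE_URL = ("https://www.xyz.com/search?s=%3C%2Fdiv%3E%3Cscript%3E"
               "document.title%3D%27XYZ%20taken%20over%27%3C%2Fscript%3E")


def query_from_url(url: str) -> str:
    """Pull the 's' parameter out of a search URL as the server would."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("s", [""])[0]


def render_search_results_unsafe(query: str) -> str:
    """The pattern behind the slide's demo: the term is pasted into the page
    as-is, so any markup in it becomes part of the page."""
    return '<div id="results">No search result found for: ' + query + '</div>'


def render_search_results(query: str) -> str:
    """Same page with output encoding for an HTML body context: <, >, &, "
    and ' become entities, so the browser displays the term instead of
    interpreting it."""
    return ('<div id="results">No search result found for: '
            + html.escape(query, quote=True) + '</div>')


if __name__ == "__main__":
    q = query_from_url(EXAMPLE_URL)
    print("unsafe:", render_search_results_unsafe(q))
    print("safe:  ", render_search_results(q))
```

This encoder is correct for text inside an HTML element. Output that lands inside an attribute, a script block, a URL or CSS needs the encoder for that context, which is the point of the OWASP XSS Prevention Cheat Sheet's per-context rules.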

A4: Insecure Direct Object Reference

A direct reference to an object that is not validated on each request, e.g. parameters such as:

[email protected]

company=Mega%20Corp

account=7352820

Typically in FORM and URL parameters (cookies less likely)

Impact: accounts and data compromised

Attack Vector: Easy
Weakness Prevalence: Common
Weakness Detectability: Easy
Technical Impact: Moderate

A4: Insecure Direct Object Reference

Attacker notices URL: acct=6065

Modifies it to acct=6066

Attacker can view (and maybe change?) the victim's account

A4: Insecure Direct Object Reference

Prevention:

Use per user or per session indirect object references (ESAPI supports integer and random mapping)

Validate Direct Object References on each request
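Both preventions side by side, as an added example that is not part of the original deck: a per-session indirect reference map (random tokens in place of account numbers, in the spirit of ESAPI's random mapping) and an ownership check on a direct reference that runs on every request. The account numbers 6065 and 6066 are the slide's; the owners and the SessionRefs class are constructed for the example.

```python
import secrets

# Constructed data: which user owns which account.
ACCOUNT_OWNER = {6065: "alice", 6066: "bob"}


class SessionRefs:
    """Per-session indirect references: the client only ever sees random
    tokens, and a token resolves only inside the session that created it,
    so there is no neighbouring value to try."""

    def __init__(self):
        self._to_direct = {}

    def indirect(self, account_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._to_direct[token] = account_id
        return token

    def resolve(self, token: str):
        # Unknown, guessed or another session's token -> None
        return self._to_direct.get(token)


def load_account(current_user: str, account_id: int) -> dict:
    """Direct reference validated on each request: the server checks that
    the caller owns the object before returning it, so acct=6066 fails
    for the user who owns 6065."""
    if ACCOUNT_OWNER.get(account_id) != current_user:
        raise PermissionError("not your account")
    return {"acct": account_id, "owner": current_user}


if __name__ == "__main__":
    refs = SessionRefs()
    token = refs.indirect(6065)
    print("URL would carry acct=%s instead of acct=6065" % token)
    print("resolves to", refs.resolve(token))
    print(load_account("alice", 6065))
```

Indirect references remove the enumerable identifier from the URL; the ownership check is still needed wherever a real identifier is accepted, because the two defences cover different routes to the same data.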

A5: Security Misconfiguration

Another multitude of sins

Server / Application configuration

Lack of server and application hardening

Unpatched OS, services, libraries

Default accounts

Detailed error messages (e.g. stack traces)

Unprotected files and directories

Attack Vector: Easy
Weakness Prevalence: Common
Weakness Detectability: Easy
Technical Impact: Moderate

A5: Security Misconfiguration

Impact:

Server compromise

Exploitation of known vulnerabilities

Prevention:

Repeatable server and application hardening process

Patch OS, services, libraries

Strong architecture that ensures secure separation between components

A6: Sensitive Data Exposure

Exposure of:

Credentials

Credit card numbers

Bank account details

Any sensitive data

In: Databases, Files, Logs, Backups

Attack Vector: Difficult
Weakness Prevalence: Uncommon
Weakness Detectability: Average
Technical Impact: Severe

Impact:

Attackers access or modify sensitive data

Attackers use sensitive data in further attacks

Company embarrassment, loss of trust

Company sued or fined

A6: Sensitive Data Exposure

Prevention:

Identify sensitive data

Store as little sensitive data as possible

Protect with suitable mechanisms (file, database or element-level encryption at rest; SSL in transit)

Only use standard, well recognised algorithms

Check your implementation!


A7: Missing Function Level Access Control

UI showing navigation to unauthorized functions

Server side authentication or authorization checks missing

Server side checks relying solely on attacker provided information

Impact:

Unauthorized account and data access

Access to administrative functionality

Attack Vector: Easy
Weakness Prevalence: Common
Weakness Detectability: Average
Technical Impact: Moderate

Prevention:

Process for managing entitlements that's easy to update and audit

Deny access by default, require specific grants to specific roles for access to every function

Check workflow for correct state
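A deny-by-default entitlement table and a workflow state check, as an added example that is not part of the original deck. The function names, roles and checkout steps are constructed; the point is that a function with no explicit grant is refused for everyone, and that a step is allowed only once the server has recorded the earlier steps, whatever the client claims.

```python
# Constructed entitlement table: function name -> roles allowed to call it.
# Anything not listed is denied, so a newly added function stays closed
# until someone explicitly grants it.
GRANTS = {
    "view_own_account": {"customer", "admin"},
    "list_all_accounts": {"admin"},
    "delete_user": {"admin"},
}

# Constructed workflow: the order in which checkout steps must happen.
CHECKOUT_STEPS = ["cart", "address", "payment", "confirm"]


def is_authorized(user_roles, function_name: str) -> bool:
    """Deny by default: no entry in GRANTS means refused even for admins;
    otherwise the caller needs at least one of the granted roles."""
    allowed = GRANTS.get(function_name)
    if not allowed:
        return False
    return bool(set(user_roles) & allowed)


def call_function(user_roles, function_name: str) -> str:
    """Server-side gate run before dispatching any handler. Hiding the menu
    entry in the UI is not a substitute: the request can be typed by hand."""
    if not is_authorized(user_roles, function_name):
        raise PermissionError(f"{function_name}: access denied")
    return f"{function_name}: ok"


def next_step_allowed(completed_steps, requested: str) -> bool:
    """Workflow state check: a step may run only when every earlier step in
    the flow is already recorded server-side."""
    if requested not in CHECKOUT_STEPS:
        return False
    idx = CHECKOUT_STEPS.index(requested)
    return all(step in completed_steps for step in CHECKOUT_STEPS[:idx])


if __name__ == "__main__":
    print(call_function({"admin"}, "delete_user"))
    print("customer -> list_all_accounts:", is_authorized({"customer"}, "list_all_accounts"))
    print("skip to confirm from cart:", next_step_allowed(["cart"], "confirm"))
```

Keeping the grants in one table is what makes the entitlement process easy to audit: the question "who can call X?" has a single place to look.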


A8: Cross-Site Request Forgery (CSRF)

Exploits sessions established in other browser windows or tabs

Impact: Attacker can perform any action on behalf of the victim

Attack Vector: Average
Weakness Prevalence: Common
Weakness Detectability: Easy
Technical Impact: Moderate

A8: Cross-Site Request Forgery (CSRF)

Diagram (steps 1 to 5): Browser, example.bank.com, bad.site.com, $$$
A8: Cross-Site Request Forgery (CSRF)

Prevention:

Never allow GETs to change things

Anti-CSRF tokens

Viewstate (ASP.NET)

OWASP CSRF Guard

Challenge-Response

Re-Authentication

CAPTCHA
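The anti-CSRF token pattern that tools such as OWASP CSRFGuard implement (a per-session synchronizer token embedded in each state-changing form and checked on submission), together with the "never allow GETs to change things" rule, as an added example that is not part of the original deck. The CsrfProtection class, the transfer_money handler and the form field names are constructed; the host names are the ones from the slide's diagram.

```python
import hmac
import secrets


class CsrfProtection:
    """Synchronizer token pattern: a random token bound to the session is
    embedded in every state-changing form and must come back with the POST.
    A page on bad.site.com can make the victim's browser send the request
    with the victim's cookies, but it cannot read the token that
    example.bank.com put in its own page."""

    def __init__(self):
        self._tokens = {}  # session_id -> token

    def token_for(self, session_id: str) -> str:
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def hidden_field(self, session_id: str) -> str:
        return ('<input type="hidden" name="csrf_token" value="%s">'
                % self.token_for(session_id))

    def check(self, session_id: str, method: str, form: dict) -> bool:
        """Allow only a POST carrying this session's token. GET is refused
        outright for state changes, and the comparison is constant-time."""
        if method.upper() != "POST":
            return False
        expected = self._tokens.get(session_id)
        supplied = form.get("csrf_token", "")
        if expected is None or not supplied:
            return False
        return hmac.compare_digest(expected, supplied)


def transfer_money(csrf: CsrfProtection, session_id: str,
                   method: str, form: dict) -> str:
    """Constructed state-changing handler at example.bank.com."""
    if not csrf.check(session_id, method, form):
        return "rejected"
    return "transferred %s to %s" % (form["amount"], form["to"])


if __name__ == "__main__":
    csrf = CsrfProtection()
    sid = "victim-session"
    print(csrf.hidden_field(sid))
    own_form = {"amount": "100", "to": "savings", "csrf_token": csrf.token_for(sid)}
    forged = {"amount": "100", "to": "attacker"}  # no token: cross-site page cannot read it
    print(transfer_money(csrf, sid, "POST", own_form))
    print(transfer_money(csrf, sid, "POST", forged))
    print(transfer_money(csrf, sid, "GET", own_form))
```

The token is compared with hmac.compare_digest so that a mismatch takes the same time whatever the first differing character, and the session lookup means a token captured from one session is useless in another.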

A9: Using Components with Known Vulnerabilities

As per the title!

Impact: full range of weaknesses, including injection, broken access control, XSS

Ranges from minimal to complete host takeover and data compromise

Attack Vector: Average
Weakness Prevalence: Widespread
Weakness Detectability: Difficult
Technical Impact: Moderate

A9: Using Components with Known Vulnerabilities

Prevention:

Identify all components and versions in use

Monitor security of these components

Keep components up to date

Establish security policies governing use

If necessary add wrappers to disable unused or vulnerable aspects of components

A10: Unvalidated Redirects and Forwards

Redirects are common and send the user to a new site... which could be malicious if not validated!
http://fail.com/redir.php?url=badsite.com

Forwards (Transfers) send the request to a new page in the same application... which could bypass authentication or authorization
http://fail.com/redir.php?url=admin.php

Attack Vector: Average
Weakness Prevalence: Uncommon
Weakness Detectability: Easy
Technical Impact: Moderate

A10: Unvalidated Redirects and Forwards

Impact:

Redirect victim to phishing or malware site

Attacker's request is forwarded past security checks, allowing unauthorized function or data access

Prevention:

Avoid using them

Don't use user-supplied data for the destination

Validate any user data that must be used
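Validating a redirect destination against an allow-list, and the alternative of not accepting a URL at all, as an added example that is not part of the original deck. The host fail.com is the slide's; the ALLOWED_HOSTS set, the named-target map and the function names are constructed. The validator goes beyond the slide's two URLs to cover the inputs that defeat naive string checks: scheme-relative "//host", a backslash variant browsers treat the same way, non-HTTP schemes, and host look-alikes.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts this application may send users to.
ALLOWED_HOSTS = {"fail.com", "www.fail.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(url_param: str) -> str:
    """Return a destination that stays on this site or an allowed host, or
    the default page when the supplied value cannot be trusted."""
    if not url_param:
        return DEFAULT_TARGET
    url_param = url_param.strip()
    parts = urlsplit(url_param)
    if not parts.scheme and not parts.netloc:
        # Relative reference. A path starting with a single '/' stays on
        # this site; '//host' is a network-path reference the browser would
        # follow off-site, and '/\host' is treated the same way by browsers.
        if url_param.startswith("/") and not url_param.startswith(("//", "/\\")):
            return url_param
        return DEFAULT_TARGET
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET  # javascript:, data:, etc.
    # hostname strips userinfo and port, so 'fail.com@badsite.com' resolves
    # to badsite.com and 'fail.com.badsite.com' is not an exact match.
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return url_param


# Preferred where the set of destinations is fixed: the parameter names a
# target and the URL comes from a table the application controls.
NAMED_TARGETS = {"home": "/", "help": "https://www.fail.com/help"}


def redirect_by_name(name: str) -> str:
    return NAMED_TARGETS.get(name, DEFAULT_TARGET)


if __name__ == "__main__":
    for candidate in ("/account", "badsite.com", "//badsite.com",
                      "https://www.fail.com/home", "https://fail.com.badsite.com/"):
        print("%-32s -> %s" % (candidate, safe_redirect_target(candidate)))
    print("by name 'help' ->", redirect_by_name("help"))
    print("by name 'admin.php' ->", redirect_by_name("admin.php"))
```

The named-target map is the "don't use user-supplied data for the destination" advice made concrete: the forward to admin.php from the slide cannot happen because the only reachable targets are the ones listed.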

Where Next?

Read and understand the full document!

Read the OWASP Developer's Guide

Watch the OWASP AppSec Tutorial videos on YouTube

Re-examine your code!

Introduce a Secure Development Lifecycle

Use tools like the OWASP Zed Attack Proxy

Any Questions?


https://www.owasp.org/index.php/Top_10_2013

The OWASP Foundation
http://www.owasp.org

Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.