The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
Transcript of The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
OWASP
The OWASP Top Ten
Most Critical Web Application Security Risks
2013/12/04
Simon Bennetts, Mozilla Security Team, OWASP ZAP Project
[email protected]
The OWASP Top Ten
Most Critical Web Application Security Risks
A great place to start
Current list published in 2013
Well known and well regarded
But the vast majority of websites still have a high, critical or urgent issue
Risk rating scale (Threat Agent and Business Impact are specific to each application, hence "?"):
Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
? | Easy | Widespread | Easy | Severe | ?
? | Average | Common | Average | Moderate | ?
? | Difficult | Uncommon | Difficult | Minor | ?
The OWASP Top Ten
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects or Forwards
A1: Injection
Tricking an application into including unintended commands in the data sent to an interpreter
Interpreters include SQL, OS shell, LDAP, XPath, Hibernate
Impact: SEVERE!
Unauthorized application access
Unauthorized data access
OS access
Attack Vector: Easy | Weakness Prevalence: Common | Weakness Detectability: Average | Technical Impact: Severe
A1: Injection
(diagram: User -> Server -> Db; the user's input travels through the server into the database interpreter)
A1: Injection (SQL)
Example UI: a login form with Name: admin, Password: ******* and a Login button
Example code:
String sql = "SELECT * FROM users where username = '" + username + "' and password = '" + password + "'";
Expected SQL:
SELECT * FROM users where username = 'admin' and password = 'c0rr3ct'
The attacker instead enters admin'-- as the name and anything as the password.
Resulting SQL query (the -- turns the rest of the line into a comment, so the password check is never evaluated):
SELECT * FROM users where username = 'admin'-- and password = 'anything'
A1: Injection
Prevention:
Use interfaces that provide a parameterized interface: Prepared Statements, Stored Procedures
Whitelist input
Encode all user input
Minimize database privileges
OWASP SQL Injection Prevention Cheat sheet
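The two login paths side by side, as an added example that is not part of the talk's slides (the slide's code is Java; this is a Python port of the same concatenation next to a prepared statement). The users table, its two rows and the sqlite3 in-memory database are constructed here for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the slide's users table (sample rows only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "c0rr3ct"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # Same concatenation as the slide's Java: the input becomes SQL text,
    # so a quote and "--" in the name rewrite the query.
    sql = ("SELECT * FROM users where username = '" + username
           + "' and password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Prepared statement: values travel separately from the query text, so a
    # quote or "--" inside the input is compared as data, never parsed as SQL.
    sql = "SELECT * FROM users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare():
    # Which implementation accepts the correct password, and which also
    # accepts the slide's admin'-- name with a wrong password.
    conn = make_db()
    return {
        "vulnerable_correct": login_vulnerable(conn, "admin", "c0rr3ct"),
        "vulnerable_bypass": login_vulnerable(conn, "admin'--", "anything"),
        "parameterized_correct": login_parameterized(conn, "admin", "c0rr3ct"),
        "parameterized_bypass": login_parameterized(conn, "admin'--", "anything"),
    }


if __name__ == "__main__":
    for name, accepted in compare().items():
        print("%-22s login accepted: %s" % (name, accepted))
```

The parameterized version still accepts the real password, so correctness is unchanged; only the ability of the input to change the query's structure is gone. Whitelisting the username characters on top of this is defence in depth, not a replacement for the prepared statement.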
A2: Broken Authentication and Session Management
HTTP is stateless
Session IDs are used to track state; to an attacker they are as good as credentials
Can be accessed via sniffer, logs, XSS
Related functions are in scope too: change my password, forgotten my password, secret questions
Impact: sessions hijacked / accounts compromised
Attack Vector: Average | Weakness Prevalence: Widespread | Weakness Detectability: Average | Technical Impact: Severe
A2: Broken Authentication and Session Management
Prevention:
Use standard implementations
Use SSL for ALL requests
Thoroughly test all authentication related functionality
Use the Secure and HttpOnly cookie flags
Avoid XSS flaws
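A minimal session layer that follows the prevention list above, added here as an example and not taken from the talk: unguessable session IDs from the standard library's secrets module, a Set-Cookie header carrying the Secure and HttpOnly flags, server-side lookup, and explicit invalidation on logout. The cookie name SESSIONID and the in-memory store are assumptions for the demonstration.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: session id -> username. The id is the
# credential, so it is 256 random bits and must only ever travel over TLS.
SESSIONS = {}


def create_session(username):
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    return session_id


def session_cookie_header(session_id):
    # Set-Cookie with the flags the slide calls for: Secure (browser sends it
    # only over HTTPS) and HttpOnly (script cannot read it, so an XSS flaw
    # cannot simply lift it out of document.cookie).
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def user_for_request(cookie_header):
    # Resolve the session named in an incoming Cookie header. A missing,
    # forged or expired id maps to no user rather than to an error.
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("SESSIONID")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def logout(session_id):
    # Invalidate server side: an id later recovered from a log or a
    # captured request is then worthless.
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    sid = create_session("alice")
    print(session_cookie_header(sid))
    print(user_for_request("SESSIONID=" + sid))
```

The header comes out as `Set-Cookie: SESSIONID=...; HttpOnly; Path=/; Secure`. The flags do nothing for a site that still answers over plain HTTP for some requests, which is why the slide says SSL for ALL requests.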
A3: Cross Site Scripting (XSS)
Injecting malicious content/code into web pages
HTML / JavaScript is most common, but many other technologies are also vulnerable:
Java, ActiveX, Flash, RSS, Atom, ...
Present in 68% of all web applications in 2011
Can be present in form and URL parameters AND cookies
Attack Vector: Average | Weakness Prevalence: VERY Widespread | Weakness Detectability: Easy | Technical Impact: Moderate
A3: Cross Site Scripting (XSS)
Impact:
Session hijacking
Unauthorized data access
Web page rewriting
Redirect users (eg to phishing or malware sites)
Anything the web application can do
A3: Cross Site Scripting (XSS)
Three kinds:
Reflected
Persistent
DOM
A3: Cross Site Scripting (XSS)
Example (reflected XSS through a search parameter):
Forum post: "Have you seen XYZ are being taken over??" http://tinyurl/jdfgshr
The short link expands to the XYZ site's search page with an injected, URL-encoded search parameter:
https://www.xyz.com/s=%3C%2Fdiv%3E%E2%80%9C%3Cscript%3Edocument.title%3D%E2%80%98XYZ%20
What the victim sees: the real XYZ site, page title changed to "XYZ We're being taken over!", the normal "Search this site:" box, and a fake login form: "Yes, we're being taken over, but don't worry: login to find out why this is a good thing!" Username: Password: [Login]
A3: Cross Site Scripting (XSS)
The same request with the injected script shown as plain text, i.e. what was smuggled into the search parameter:
XYZ No Search Result found!
Search this site:
No search result found for: document.title='XYZ We're being taken over!'; document.getElementById('results').style.display='none'; Yes, we're being taken over, but don't worry: login to find out why this is a good thing! Username: Password:
A3: Cross Site Scripting (XSS)
Prevention:
Don't output user supplied input
Whitelist input
Encode output (e.g. using OWASP ESAPI)
If you must support user supplied HTML, use libraries like OWASP's AntiSamy
OWASP XSS Prevention Cheat sheet
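Output encoding applied to the search-page example, as an added example rather than code from the talk: the same template rendered with and without encoding, plus the percent-decoding a browser applies to the URL before the parameter reaches the page. The injected string below is constructed in the shape of the slide's payload (closes the results div, opens a script tag); the element id and template text are assumptions.

```python
import html
from urllib.parse import unquote

# Constructed search parameter modelled on the slide's payload.
INJECTED_QUERY = ('</div><script>document.title="XYZ were being taken over!";'
                  'document.getElementById("results").style.display="none";</script>')


def decode_query_param(raw):
    # Browsers percent-decode the query string, so %3Cscript%3E arrives as <script>.
    return unquote(raw)


def render_unsafe(query):
    # Mirrors the vulnerable page: user input copied straight into the HTML,
    # so the </div> and <script> in the input become real markup.
    return '<div id="results">No search result found for: ' + query + '</div>'


def render_encoded(query):
    # Output encoding for HTML body context: <, >, &, " and ' become entities
    # and the browser displays the text instead of parsing it.
    return ('<div id="results">No search result found for: '
            + html.escape(query, quote=True) + '</div>')


def contains_script_tag(markup):
    # Cheap check used by the demo: does the rendered page open a script element?
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(decode_query_param("%3C%2Fdiv%3E%3Cscript%3E"))
    print(render_unsafe(INJECTED_QUERY))
    print(render_encoded(INJECTED_QUERY))
```

html.escape is the right encoder only for HTML body and attribute context; a value written into a JavaScript string, a URL or CSS needs that context's encoder, which is what context-aware libraries such as ESAPI (named on the slide) provide and the cheat sheet walks through.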
A4: Insecure Direct Object Reference
A direct reference to an object that is not validated on each request
company=Mega%20Corp
account=7352820
Typically in FORM and URL parameters (cookies less likely)
Impact: accounts and data compromised
Attack Vector: Easy | Weakness Prevalence: Common | Weakness Detectability: Easy | Technical Impact: Moderate
A4: Insecure Direct Object Reference
Attacker notices URL: acct=6065
Modifies it to acct=6066
Attacker can view (and maybe change?) the victim's account
A4: Insecure Direct Object Reference
Prevention:
Use per user or per session indirect object references (ESAPI supports integer and random mapping)
Validate Direct Object References on each request
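Both preventions from the slide in code, as an added example (not the talk's or ESAPI's code): a per-session map of random references to real account ids, in the spirit of the ESAPI random mapping the slide mentions, and an ownership check run on every request. The account table and its owners are constructed sample data.

```python
import secrets

# Constructed account table: account id -> owner. 6065 and 6066 are the
# numbers from the slide's example URL.
ACCOUNTS = {6065: "alice", 6066: "bob"}


class AccessDenied(Exception):
    pass


class IndirectReferenceMap:
    # One instance per session. Clients only ever see the random token, so
    # editing a URL from acct=6065 to acct=6066 is not possible: there is
    # no acct number in the URL to edit.
    def __init__(self):
        self._direct_by_token = {}
        self._token_by_direct = {}

    def indirect_for(self, account_id):
        if account_id not in self._token_by_direct:
            token = secrets.token_urlsafe(8)
            self._token_by_direct[account_id] = token
            self._direct_by_token[token] = account_id
        return self._token_by_direct[account_id]

    def direct_for(self, token):
        # Unknown tokens, including edited or guessed ones, resolve to None.
        return self._direct_by_token.get(token)


def view_account(user, account_id):
    # Direct reference validated on each request against the logged-in user,
    # never trusted just because it appeared in the URL.
    if ACCOUNTS.get(account_id) != user:
        raise AccessDenied("account %s does not belong to %s" % (account_id, user))
    return "statement for account %d" % account_id


def view_account_indirect(user, refmap, token):
    account_id = refmap.direct_for(token)
    if account_id is None:
        raise AccessDenied("unknown reference")
    return view_account(user, account_id)


def can_view(user, account_id):
    # Boolean wrapper around view_account for the demo and tests.
    try:
        view_account(user, account_id)
    except AccessDenied:
        return False
    return True


if __name__ == "__main__":
    refmap = IndirectReferenceMap()
    token = refmap.indirect_for(6065)
    print("alice link carries", token, "->", view_account_indirect("alice", refmap, token))
    print("alice on 6066:", can_view("alice", 6066))
```

Indirection alone is not enough: the server-side check in view_account is what stops a user whose session legitimately maps one token from reaching any other account, so keep both.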
A5: Security Misconfiguration
Another multitude of sins
Server / Application configuration
Lack of server and application hardening
Unpatched OS, services, libraries
Default accounts
Detailed error messages (e.g. stack traces)
Unprotected files and directories
Attack Vector: Easy | Weakness Prevalence: Common | Weakness Detectability: Easy | Technical Impact: Moderate
A5: Security Misconfiguration
Impact:
Server compromise
Exploitation of known vulnerabilities
Prevention:
Repeatable server and application hardening process
Patch OS, services, libraries
Strong architecture that ensures secure separation between components
A6: Sensitive Data Exposure
Exposure of:
Credentials
Credit card numbers
Bank account details
Any sensitive data
In: Databases, Files, Logs, Backups
Attack Vector: Difficult | Weakness Prevalence: Uncommon | Weakness Detectability: Average | Technical Impact: Severe
Impact:
Attackers access or modify sensitive data
Attackers use sensitive data in further attacks
Company embarrassment, loss of trust
Company sued or fined
A6: Sensitive Data Exposure
Prevention:
Identify sensitive data
Store as little sensitive data as possible
Protect with suitable mechanisms (file, db, element encryption, SSL)
Only use standard, well recognised algorithms
Check your implementation!
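One concrete instance of "protect with suitable mechanisms" and "only use standard, well recognised algorithms" for the first item on the slide's list, credentials: stored passwords hashed with a salted, iterated standard construction from the Python standard library. This is an added example, not the talk's code; the storage format, the iteration count and the use of PBKDF2-HMAC-SHA256 are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed work factor for the demo; pick the iteration count from current
# guidance for your hardware rather than copying this number.
ITERATIONS = 100_000


def hash_password(password):
    # Random 128-bit salt per password: identical passwords get different
    # hashes and precomputed tables are useless.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    # Recompute with the stored salt and iteration count; compare in constant
    # time so a wrong guess takes as long as a right one.
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("c0rr3ct")
    print(record)
    print(verify_password("c0rr3ct", record), verify_password("wrong", record))
```

The record carries everything needed to verify later and to raise the work factor over time, which is the "check your implementation" part: a scheme you cannot migrate is one you will eventually be stuck with.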
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
UI showing navigation to unauthorized functions
Server side authentication or authorization checks missing
Server side checks relying solely on attacker provided information
Impact:
Unauthorized account and data access
Access to administrative functionality
Attack Vector: Easy | Weakness Prevalence: Common | Weakness Detectability: Average | Technical Impact: Moderate
Prevention:
Process for managing entitlements that's easy to update and audit
Deny access by default, require specific grants to specific roles for access to every function
Check workflow for correct state
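The "deny by default, grant per role per function" rule as a single entitlement table enforced by a decorator, added here as an example (not the talk's code). The functions, roles and the session dictionary are constructed for the demonstration; the point is that the decision is taken from server-side session state, never from a role field the request itself supplies.

```python
import functools

# Constructed entitlement table: function name -> roles allowed to call it.
# One place to update and audit. Anything not listed is denied.
ENTITLEMENTS = {
    "view_report": {"user", "admin"},
    "delete_user": {"admin"},
}


class AccessDenied(Exception):
    pass


def require_entitlement(func):
    @functools.wraps(func)
    def wrapper(session, *args, **kwargs):
        # Roles come from the server-side session, not from the request, so
        # an attacker-supplied "role=admin" parameter is simply irrelevant.
        allowed = ENTITLEMENTS.get(func.__name__, set())
        if not allowed & set(session.get("roles", ())):
            raise AccessDenied(func.__name__)
        return func(session, *args, **kwargs)
    return wrapper


@require_entitlement
def view_report(session, report_id):
    return "report %d" % report_id


@require_entitlement
def delete_user(session, username):
    return "deleted %s" % username


@require_entitlement
def export_all_data(session):
    # Deliberately absent from ENTITLEMENTS: nobody can reach it until a
    # specific grant is added, which is the deny-by-default guarantee.
    return "dump"


def is_denied(func, session, *args):
    # Boolean wrapper for the demo and tests.
    try:
        func(session, *args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    user = {"roles": ["user"]}
    admin = {"roles": ["admin"]}
    print(view_report(user, 7))
    print("user may delete:", not is_denied(delete_user, user, "x"))
    print("admin may export:", not is_denied(export_all_data, admin))
```

Hiding the link in the UI does nothing here: the check sits on the function, so a direct request to delete_user from a user session fails the same way whether or not a button was shown.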
A7: Missing Function Level Access Control
A8: Cross site request forgery
Exploits sessions established in other browser windows or tabs
Impact: Attacker can perform any action on behalf of the victim
Attack Vector: Average | Weakness Prevalence: Common | Weakness Detectability: Easy | Technical Impact: Moderate
A8: Cross site request forgery
(diagram: Browser, example.bank.com and bad.site.com, with numbered steps 1 to 5 showing the forged request from bad.site.com riding on the victim's existing bank session, and $$$ leaving the account)
A8: Cross site request forgery
Prevention:
Never allow GETs to change things
Anti CSRF tokens
Viewstate (ASP.NET)
OWASP CSRF Guard
Challenge-Response
Re-Authentication
CAPTCHA
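The first two preventions, "never allow GETs to change things" and anti-CSRF tokens, in one request handler, added as an example and not taken from the talk or from CSRF Guard. The token is an HMAC over a random nonce and the session id, so a token minted for one session does not verify in another; the server key, the form field name and the transfer handler are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key, generated at startup and never sent to clients.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    # Embed the token in the form the legitimate page serves. bad.site.com can
    # make the browser send the cookie, but cannot read this value.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, (nonce + ":" + session_id).encode(), hashlib.sha256).hexdigest()
    return nonce + "." + mac


def verify_csrf_token(session_id, token):
    # Recompute the MAC for this session; constant-time compare.
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SECRET_KEY, (nonce + ":" + session_id).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(method, session_id, form):
    # Returns the HTTP status the handler would answer with. State changes
    # only on POST, and only with a token that verifies for this session.
    if method != "POST":
        return 405
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403
    return 200


if __name__ == "__main__":
    token = issue_csrf_token("victim-session")
    print(handle_transfer("POST", "victim-session", {"csrf_token": token}))
    print(handle_transfer("POST", "victim-session", {}))
    print(handle_transfer("GET", "victim-session", {"csrf_token": token}))
```

Binding the token to the session is what makes it useless when copied from the attacker's own logged-in session; a token that is merely random but not bound would verify for anyone.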
A9: Using Components with Known Vulnerabilities
As per the title!
Impact: full range of weaknesses, including injection, broken access control, XSS
Minimal to complete host takeover and data compromise
Attack Vector: Average | Weakness Prevalence: Widespread | Weakness Detectability: Difficult | Technical Impact: Moderate
A9: Using Components with Known Vulnerabilities
Prevention:
Identify all components and versions in use
Monitor security of these components
Keep components up to date
Establish security policies governing use
If necessary add wrappers to disable unused or vulnerable aspects of components
A10: Unvalidated Redirects and Forwards
Redirects are common and send the user to a new site ... which could be malicious if not validated!
http://fail.com/redir.php?url=badsite.com
Forwards (Transfers) send the request to a new page in the same application ... which could bypass authentication or authorization
http://fail.com/redir.php?url=admin.php
Attack Vector: Average | Weakness Prevalence: Uncommon | Weakness Detectability: Easy | Technical Impact: Moderate
A10: Unvalidated Redirects and Forwards
Impact:
Redirect victim to phishing or malware site
Attacker's request is forwarded past security checks, allowing unauthorized function or data access
Prevention:
Avoid using them
Don't use user supplied data for destination
Validate any user data that must be used
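Validation for the slide's two URLs, as an added example that is not the talk's code: the redirect parameter is accepted only as a same-site path or an absolute URL on an allow-listed host, and forwards go through a fixed name table so a raw file name like admin.php cannot be requested. The host allow-list and the forward table are assumptions built around the slide's fail.com example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of this site's own hosts (the slide's fail.com).
ALLOWED_HOSTS = {"fail.com", "www.fail.com"}

# Forwards resolved through a fixed table of names rather than file names,
# so the request can never name admin.php and skip the checks in front of it.
FORWARDS = {"home": "/index.php", "help": "/help.php"}


def safe_redirect_target(url_param, default="/"):
    # Returns the URL the application may redirect to, or the default.
    if not url_param or "\\" in url_param:
        # Browsers treat a backslash like a slash, so "/\evil.com" would leave the site.
        return default
    parts = urlsplit(url_param)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: exactly one leading slash. "badsite.com" (no slash)
        # and "///badsite.com" (protocol-relative in some browsers) both fail here.
        if url_param.startswith("/") and not url_param.startswith("//"):
            return url_param
        return default
    # Absolute URL: only http(s) and only to a host we own. hostname strips any
    # user@ prefix, so "http://fail.com@badsite.com/" is judged by badsite.com.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return url_param
    return default


def forward_target(name, default="/index.php"):
    return FORWARDS.get(name, default)


if __name__ == "__main__":
    for candidate in ["badsite.com", "http://badsite.com/", "//badsite.com/",
                      "/account?x=1", "https://www.fail.com/account"]:
        print("%-28s -> %s" % (candidate, safe_redirect_target(candidate)))
    print("admin.php ->", forward_target("admin.php"))
```

The parsing edge cases (protocol-relative "//host", backslashes, credentials in the authority) are where naive string checks such as "starts with /" or "contains fail.com" go wrong; parsing first and then checking the parsed host is the robust order.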
Where Next?
Read and understand the full document!
Read the OWASP Developers Guide
Watch the OWASP AppSec Tutorial videos on youtube
Re-examine your code!
Introduce a Secure Development Lifecycle
Use tools like the OWASP Zed Attack Proxy
Any Questions?
https://www.owasp.org/index.php/Top_10_2013
The OWASP Foundation, http://www.owasp.org
Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.