OWASP TOP 10 VULNERABILITIS
Download as PPTX, PDF0 likes602 views
The document discusses the top vulnerabilities from the OWASP Top 10 list - Injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). It provides details on each vulnerability like how injection occurs, types of XSS, and how CSRF allows unauthorized actions. Prevention techniques are also covered, such as input validation, output encoding, and synchronizer token pattern. The presentation is given by Arya Anindyaratna Bal for Wipro and covers their experience in application security and the history of OWASP Top 10 lists.
OWASP TOP 10 VULNERABILITIS
- 1. Internal to Wipro OWASP TOP 10 VULNERABILITES BY: ARYA ANINDYARATNA BAL
- 2. Internal to Wipro # ABOUT ME > 6 yr. in Application Security OSCP, CRTP, ECSA MTech In CSIR, GFSU (NFSU) Like to Travel
- 3. Internal to Wipro AGENDA OWASP Top 10 Vulnerabilities Injection Cross Site Scripting Cross Site Request Forgery
- 4. Internal to Wipro OWASP TOP 10 : 2021 RELEASE A1 Broken Access Control A2 Cryptographic Failures A3 Injection A4 Insecure Design A5 Security Misconfiguration A6 Vulnerable and Outdated Components A7 Identification and Authentication Failures A8 Software and Data Integrity Failures A9 Security Logging and Monitoring Failures A10 Server-Side Request Forgery
- 5. Internal to Wipro # WHO IS OWASP Worldwide not-for-profit organisation • Founded in 2001 OWASP – Open Web Application Security Project Mission to make the software security visible.
- 6. Internal to Wipro OWASP TOP HISTORY 2003 2004 2007 2010 2013 2017 2021 A1 Unvalidated Input Unvalidated Input Cross Site Scripting (XSS) Injection Injection Injection Broken Access Control A2 Broken Access Control Broken Access Control Injection Flaws Cross-Site Scripting Broken Authentication and Session Management Broken Authentication Cryptographic Failures A3 Broken Authentication and Session Management Broken Authentication and Session Management Malicious File Execution Broken Authentication and Session Management Cross-Site Scripting Sensitive Data Exposure Injection A4 Cross Site Scripting Cross Site Scripting Insecure Direct Object Reference Insecure Direct Object References Insecure Direct Object References XML External Entities (XXE) Insecure Design A5 Buffer Overflow Buffer Overflow Cross Site Request Forgery (CSRF) Cross-Site Request Forgery Security Misconfiguration Broken Access Control Security Misconfiguration A6 Injection Flaws Injection Flaws Information Leakage and Improper Error Handling Security Misconfiguration Sensitive Data Exposure Security Misconfiguration Vulnerable and Outdated Components A7 Improper Error Handling Improper Error Handling Broken Authentication and Session Management Insecure Cryptographic Storage Missing Function Level Access Control Cross-Site Scripting Identification and Authentication Failures A8 Insecure Storage Insecure Storage Insecure Cryptographic Storage Failure to Restrict URL Access Cross-Site Request Forgery Insecure Deserialization Software and Data Integrity Failures A9 Application Denial of Service Application Denial of Service Insecure Communications Insufficient Transport Layer Protection Using Components with Known Vulnerabilities Using Components with Known Vulnerabilities Security Logging and Monitoring Failures A10 Insecure Configuration Management Insecure Configuration Management Failure to Restrict URL Access Unvalidated Redirects and Forwards Unvalidated Redirects and Forwards Insufficient Logging & Monitoring Server-Side Request Forgery
- 7. Internal to Wipro # INJECTION Injection is most persistence vulnerability in the OWASP Top 10 list over the decade, particularly SQL Injection are the common in web applications as well as Mobile. Some of the more common injections are SQL, NoSQL, OS command, Server Sire Template Injection, LDAP injection etc... Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The hostile data tricks the interpreter into executing unintended commands or changing data.
- 8. Internal to Wipro # HOW TO PREVENT • Do not pass user input directly to executable statements. • Use of Prepared Statements (with Parameterized Queries) • Use of Properly Constructed Stored Procedures • Allow-list Input Validation • Escaping All User Supplied Input • Enforcing Least Privilege • Performing Allow-list Input Validation as a Secondary Defense
- 9. Internal to Wipro # CROSS SITE SCRIPTING Cross-Site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious JavaScript's in a web browser of the victim by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code. The web page or web application becomes a vehicle to deliver the malicious script to the use’s browser.
- 10. Internal to Wipro # TYPES OF XSS • Reflected XSS • Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. • Stored XSS • Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. • DOM XSS • DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML.
- 11. Internal to Wipro # HOW TO PREVENT Encode data on output Validate input on arrival Safe Sinks
- 12. Internal to Wipro # CROSS SITE REQUEST FORGERY Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally like state change activity.
- 13. Internal to Wipro # WHY CSRF
- 14. Internal to Wipro # HOW TO PREVENT Synchronizer Token Pattern SameSite Cookie Attribute User Interaction Based CSRF Defense • One-time Token • CAPTCHA • 2MFA (2nd Multi Factor Authentication) Double Submit Cookie Verifying Origin • CHECKING THE ORIGIN HEADER • CHECKING THE REFERER HEADER
- 15. Internal to Wipro • CHECKING THE ORIGIN HEADER CHECKING THE REFERER HEADER # EXAMPLE
Editor's Notes
- #15: As double submit cookie verifies only the token in the cookie and body are same, then there a possibility that if application have session fix-session(if session token used as part of double submit cookie) or XSS (with HttpOnly flag not set) attacker can set the cookie value manually and same cookie value set in the CSRF POC.