OWASP Top 10 - 2010 rc1: The Top 10 Most Critical Web Application Security Risks
Antonio Fontes, OWASP Geneva Chapter Leader, antonio.fontes@owasp.org
Agenda
- 10 ways to attack web applications
- The OWASP Top 10 rc1 project
- Integrating the Top 10 in an existing SDLC/SALC
- Q&A
Antonio Fontes / Confoo Conference, Montreal / 2010
About the OWASP
Open Web Application Security Project: "Helping organizations secure their web applications."
- Documentation and tools projects
- 130 local chapters worldwide
- http://www.owasp.org
About me…
Antonio Fontes, from Geneva (Switzerland)
- >1999: Web developer
- >2005: Ethical hacker / Security analyst
- >2008: Security & Privacy manager (banking software ISV)
- >2008: OWASP Geneva Chapter Leader
- >2010: Information Security Consultant
- SANS/CWE Top 25 Most Dangerous Programming Errors contributor
And about you? Coders? Testers? Managers? Hardcore OWASP Top 10 users?
Just taking the temperature… (cartoon © Randal Munroe, xkcd.com)
Part 1: Top 10 major web application attack techniques
Outline of part 1:
- Attacking the infrastructure
- Attacking the application
- Attacking the users
- Other attacks
Attacking the infrastructure: hitting the weakest layer
Questions to ask at each layer (image © Darwin Bell @flickr):
Web application:
- Are all demo apps removed?
- Is the admin area protected from external access?
- Has directory indexing been disabled?
- Were all default passwords changed?
- Are all unnecessary scripts removed?
- Are there any backup/test/unused resources left behind?
Web server:
- Is the web server up to date?
- Have all default passwords been changed?
- Are all unnecessary services disabled?
- Are all unnecessary accounts disabled?
Operating system:
- Have all default passwords been changed?
- Is the system up to date?
Network devices:
- Are all unnecessary paths closed?
- Are all unnecessary ports closed?
- Is the admin interface reachable from the web?
- Can an administrative account be broken?
- Is the device up to date?
Risk A6: Security misconfiguration
What is the risk? If there is a weaker link than the web application itself, the attacker will switch to the flawed layer.
What are the countermeasures?
- Harden all layers
- Reduce services and accounts to the minimum
- No default passwords
- Keep everything up to date
- Apply security guidelines (OS security, web server security, application server security, etc.)
- Keep the default web application configuration safe
"Deploy securely on a secure architecture"
Attacking the application: injecting hostile code…
what if?
SELECT * FROM users usr WHERE usr.username = 'admin';--' AND usr.password = 'bb21158c733229347bd4e681891e213d94c685be'
(the username field received admin';-- : the quote closes the string literal, the semicolon ends the statement and -- turns the whole password check into a comment)
Any user input is a potential attack vector.
Risk A1: Injections
What is the risk? Any application entry point can be used as a vector to inject hostile content that modifies the expected behaviour.
Good to know: this is not only about SQL. Every query language whose statements are assembled from strings without bound parameters is exposed (LDAP, XPath, …).
What are the countermeasures? All input can be modified client-side. Be sure to validate:
- Querystring parameters
- Form fields (hidden fields also count)
- File submissions: if you're expecting a picture, then make sure it is a picture!
- Cookies
- HTTP headers: all fields, including Referer, are "user input"
Countermeasures (cont'd): never paste user input into query commands (SQL, XPath, LDAP, OS commands, etc.):
- Use binding variables such as SQL parameters.
- If no binding model exists, encode input before pasting: doubled quotes ('') for SQL Server, escaped quotes (\') for MySQL, etc. PHP's addslashes helps, but it is not aware of the connection's character set; prefer the escaping function provided by the database driver itself.
Countermeasures (cont'd): choose the best validation strategy!
- Best: whitelist, when all possible values are known (enums, if/else if statements, regular expressions, …)
- Graylist: enforce business rules, i.e. type (string, numeric, byte, …) and range (>0, <MaxInt, [a-z]{3,20})
- Weakest: blacklist, e.g. if(input.IndexOf("<script>")>=0) // reject
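The login query from the "what if?" slide, as an added example that is not part of the deck: the same lookup written by string pasting, then with bound parameters, then with the slide's [a-z]{3,20} graylist rule applied in front of the bound query. The in-memory SQLite table and the stored hash value are a constructed fixture; the function names are my own.

```python
import re
import sqlite3


def make_db():
    """Constructed fixture: one account whose stored value is the hash shown on the slide."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'bb21158c733229347bd4e681891e213d94c685be')")
    db.commit()
    return db


def login_pasted(db, username, password_hash):
    """Vulnerable: user input is pasted into the SQL text, exactly like the slide's query."""
    sql = ("SELECT * FROM users usr WHERE usr.username = '" + username
           + "' AND usr.password = '" + password_hash + "'")
    return db.execute(sql).fetchall()


def login_bound(db, username, password_hash):
    """Fixed: bound parameters; the driver never parses the input as SQL."""
    sql = "SELECT * FROM users usr WHERE usr.username = ? AND usr.password = ?"
    return db.execute(sql, (username, password_hash)).fetchall()


USERNAME_RE = re.compile(r"^[a-z]{3,20}$")   # the slide's graylist range rule


def login_validated(db, username, password_hash):
    """Defence in depth: reject input that breaks the business rule, then still bind it."""
    if not USERNAME_RE.match(username):
        return []
    return login_bound(db, username, password_hash)


if __name__ == "__main__":
    db = make_db()
    payload = "admin';--"          # the slide's username input
    print("pasted  :", login_pasted(db, payload, "wrong"))    # one row: logged in without the hash
    print("bound   :", login_bound(db, payload, "wrong"))     # []
    print("validated:", login_validated(db, payload, "wrong"))  # []
```

With the pasted version the payload turns the password predicate into a comment and the query returns the admin row; with parameters the whole string admin';-- is compared to the username column and nothing matches.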
Attacking the application: playing with obvious identifiers…
what if? 99999999
what if? 1234567
Risk A4: Insecure direct object references
What is the risk? All references can be modified client-side. An attacker might be able to access and/or modify confidential information.
What are the countermeasures?
- Never send internal references to the browser: use a temporary or random number mapping (#0, #1, #2, #3, etc.)
- OR combine referenced access with access control in the query itself (with $id and $uID passed as bound parameters, see A1):
  SELECT * FROM item WHERE id = $id AND owner = $uID
  UPDATE item … WHERE id = $id AND owner = $uID
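Both countermeasures above in working code, as an added example (not from the deck): the slide's SELECT and UPDATE with the owner predicate and bound parameters, plus a per-session map of random handles that replaces the internal id in URLs. The SQLite table, the two invoices and the user ids 10 and 20 are a constructed fixture.

```python
import secrets
import sqlite3


def make_db():
    """Constructed fixture: two invoices owned by two different users (ids 10 and 20)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, owner INTEGER, body TEXT)")
    db.executemany("INSERT INTO item VALUES (?, ?, ?)",
                   [(1234567, 10, "invoice of user 10"),
                    (99999999, 20, "invoice of user 20")])
    db.commit()
    return db


def get_item_by_id_only(db, item_id):
    """Vulnerable: trusts the client-supplied id and never asks who owns the row."""
    row = db.execute("SELECT body FROM item WHERE id = ?", (item_id,)).fetchone()
    return row[0] if row else None


def get_item(db, item_id, user_id):
    """Fixed: the slide's SELECT, ownership enforced in the same query."""
    row = db.execute("SELECT body FROM item WHERE id = ? AND owner = ?",
                     (item_id, user_id)).fetchone()
    return row[0] if row else None


def update_item(db, item_id, user_id, body):
    """Fixed UPDATE; rowcount tells the caller whether the row was really theirs."""
    cur = db.execute("UPDATE item SET body = ? WHERE id = ? AND owner = ?",
                     (body, item_id, user_id))
    db.commit()
    return cur.rowcount == 1


class HandleMap:
    """Second countermeasure: the browser only ever sees random per-session handles."""

    def __init__(self):
        self._internal = {}

    def expose(self, internal_id):
        handle = secrets.token_urlsafe(16)      # 128 bits, unguessable
        self._internal[handle] = internal_id
        return handle

    def resolve(self, handle):
        return self._internal.get(handle)       # None for anything we did not hand out


if __name__ == "__main__":
    db = make_db()
    print(get_item_by_id_only(db, 99999999))   # user 10 reads user 20's invoice
    print(get_item(db, 99999999, 10))          # None
    handles = HandleMap()
    h = handles.expose(1234567)
    print(h, handles.resolve(h), handles.resolve("guess"))
```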
Attacking the application: breaking session and authentication mechanisms…
Risk A3: Broken authentication or session management
What is the risk? HTTP is a stateless protocol: each request must transmit 'session' information over the network. Authentication mechanisms are highly targeted by attackers, at all levels: forms, traffic, stored data.
What are the countermeasures?
- Use a simple, centralized and standardized session mechanism
- Enable cookie security attributes (Secure flag, HttpOnly flag, encryption and integrity control)
- Validate session identifiers: is the session ID coming from the right place?
Countermeasures (cont'd):
- Make sure 'logoff' actually invalidates the session server-side, not just in the browser.
- Prevent brute-forcing attacks, but also prevent denial of service on legitimate accounts (a hard lockout after N failures lets an attacker lock anyone out).
- Enforce secure password recovery: authenticate before resetting.
- Review, review, review authentication (and logoff) code manually!
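A minimal session layer that applies the points above, added here as an example and not taken from the deck: unguessable ids from the OS CSPRNG, a fresh id issued at login so a pre-planted id never becomes authenticated, idle expiry, server-side invalidation on logoff, a Set-Cookie value carrying the Secure and HttpOnly flags, and a login throttle that slows brute force without locking the account. The cookie name, the 15-minute idle timeout and the back-off cap are assumed policy values.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60      # seconds; assumed policy value
COOKIE_NAME = "SESSIONID"   # assumed cookie name


class SessionStore:
    """Server-side session table keyed by an unguessable identifier."""

    def __init__(self, clock=time.time):
        self._sessions = {}      # session id -> {"user": str | None, "last_seen": float}
        self._clock = clock      # injectable so expiry can be tested

    def create(self, user=None):
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        """Rotate the id at authentication: an id chosen before login (e.g. planted
        by an attacker, session fixation) must never become the authenticated one."""
        self.logoff(old_sid)
        return self.create(user)

    def user_for(self, sid):
        """Validate the id: it must be one we issued and not idle-expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logoff(self, sid):
        """Invalidate on the server; clearing the cookie in the browser is not enough."""
        return self._sessions.pop(sid, None) is not None


def set_cookie_value(sid):
    """Set-Cookie header value with the flags from the slide: Secure and HttpOnly."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["secure"] = True       # never sent over plain HTTP
    c[COOKIE_NAME]["httponly"] = True     # not readable by page scripts (limits XSS theft)
    c[COOKIE_NAME]["path"] = "/"
    return c[COOKIE_NAME].OutputString()


class LoginThrottle:
    """Each failure doubles the wait before the next attempt (capped), success resets it;
    the account is never hard-locked, so an attacker cannot deny service to its owner."""

    def __init__(self, clock=time.time, cap=300):
        self._state = {}     # account -> (failures, not_before)
        self._clock = clock
        self._cap = cap

    def allowed(self, account):
        _, not_before = self._state.get(account, (0, 0))
        return self._clock() >= not_before

    def record(self, account, success):
        if success:
            self._state.pop(account, None)
            return
        failures, _ = self._state.get(account, (0, 0))
        failures += 1
        delay = min(self._cap, 2 ** failures)      # 2, 4, 8, ... seconds
        self._state[account] = (failures, self._clock() + delay)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    sid = store.login(anon, "alice")
    print(set_cookie_value(sid))
    print(store.user_for(anon), store.user_for(sid))   # None alice
```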
Attacking the application: finding hidden "secret" URLs…
Risk A7: Failure to restrict URL access
What is the risk? URLs that lead to confidential resources can easily be sent, stored (bookmarks), monitored (proxies, security devices) and sometimes guessed.
What are the countermeasures?
- Completely disallow access to sensitive file types
- Validate ALL incoming requests
- Authorize explicitly (web.xml, ASP.NET page lifecycle, etc.): a URL that is not explicitly allowed is denied
- Don't expose physical documents with permanent or guessable URLs
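A deny-by-default URL authorizer, added as an example (not from the deck): the request path is decoded and canonicalized first, so dot-segment tricks cannot land a request outside its declared prefix; sensitive file types are refused outright; any path not listed in the route table is refused whoever asks. The route table, role names and the suffix list are assumed for the demo.

```python
import posixpath
from urllib.parse import unquote

# Assumed policy for the demo: file types never to serve, and the URL prefixes the
# application knows about with the roles allowed there (None = public).
FORBIDDEN_SUFFIXES = (".bak", ".old", ".sql", ".config", ".inc", ".log", ".zip")
ROUTES = [
    ("/admin/", {"admin"}),
    ("/account/", {"user", "admin"}),
    ("/public/", None),
]


def canonical_path(raw):
    """Decode once and collapse dot segments so '/public/../admin/x' and
    '/public/%2e%2e/admin/x' are both judged as '/admin/x'."""
    path = unquote(raw.split("?", 1)[0].split("#", 1)[0])
    if not path.startswith("/"):
        return None
    path = posixpath.normpath(path)
    if path.startswith("//"):          # normpath preserves a leading double slash
        path = "/" + path.lstrip("/")
    return path


def authorize(raw_path, roles):
    """Deny by default: only explicitly listed URLs can be reached, and only by the
    listed roles. Returns True when the request may proceed."""
    path = canonical_path(raw_path)
    if path is None:
        return False
    if path.lower().endswith(FORBIDDEN_SUFFIXES):
        return False                   # sensitive file types are never served
    for prefix, allowed in ROUTES:
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return allowed is None or bool(allowed & set(roles))
    return False                       # unknown URL: refused, "secret" or not


if __name__ == "__main__":
    for url, roles in [("/public/index", []),
                       ("/admin/report", ["user"]),
                       ("/public/../admin/report", ["user"]),
                       ("/public/%2e%2e/admin/report", ["user"]),
                       ("/public/dump.SQL", ["admin"]),
                       ("/report-2010-final", ["admin"])]:
        print(url, roles, "->", authorize(url, roles))
```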
Attacking the users: redirecting users elsewhere…
Risk A8: Non-validated redirects and forwards
What is the risk? An attacker may use your website's reputation as a vector to redirect victims to a hostile website.
What are the countermeasures?
- Never allow absolute URL redirection.
- If not possible: use a whitelist of valid hosts, and show a warning before redirecting the user.
- If using a "web portal", make sure redirect pages do not include sensitive information in URLs (such as single sign-on information).
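A redirect-target check applying the two rules above, as an added example (not the deck's code): local paths are accepted, absolute URLs only when they point at a whitelisted host, and the usual ways of smuggling an absolute target past a "starts with /" test (protocol-relative //host, backslashes, userinfo@host, scheme-only https:host, javascript:) fall through to the default. The host list is assumed.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com", "sso.example.com"}   # assumed whitelist


def safe_redirect(target, default="/"):
    """Return target if it is a plain local path or an absolute http(s) URL to a
    whitelisted host; otherwise return the default landing page."""
    if not target:
        return default
    t = target.strip().replace("\\", "/")      # browsers treat '\' like '/' in the authority
    parts = urlsplit(t)
    if parts.scheme or parts.netloc:           # absolute or protocol-relative URL
        if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
            return t
        return default
    if t.startswith("/") and not t.startswith("//"):
        return t                               # local path on this site
    return default


if __name__ == "__main__":
    for t in ["/account/settings", "https://www.example.com/home", "https://evil.com/",
              "//evil.com/", "/\\evil.com", "https://www.example.com@evil.com/",
              "https:evil.com", "javascript:alert(1)"]:
        print(repr(t), "->", safe_redirect(t))
```

Note that parts.hostname, not parts.netloc, is compared: for https://www.example.com@evil.com/ the netloc contains the whitelisted name as userinfo while the real host is evil.com.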
Attacking the users: running hostile client-side code in the website…
Risk A2: Cross-site scripting
What is the risk? An attacker might inject hostile client-side code into the web application, which will be returned to a victim.
What are the countermeasures? Sanitize output: encode to the destination format.
For HTML output, use HTML entities:
<div id="comment">Here is my <script>attack</script></div>
becomes
<div id="comment">Here is my &lt;script&gt;attack&lt;/script&gt;</div>
For XML output, use the predefined entities or a CDATA section:
<says>"here is my <script>"</says> becomes <says><![CDATA[here is my <script>]]></says>
<says>my input is <script></says> becomes <says>my input is &lt;script&gt;</says>
Caveat: a CDATA section ends at the first ]]>, so data that contains ]]> must be split across two sections or it breaks out of the CDATA.
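The "encode to the destination format" rule carried through the contexts a comment can land in, as an added example (not from the deck): HTML text (the slide's div), a quoted HTML attribute, a string literal inside a script block, XML text via the predefined entities, and a CDATA section that survives a ]]> in the data. Only the standard library is used; the function names are mine.

```python
import html
import json
from xml.sax.saxutils import escape as xml_escape


def html_body(s):
    """Text between tags: the slide's HTML-entities step."""
    return html.escape(s, quote=True)


def html_attr(s):
    """Attribute value, returned already double-quoted; quotes are encoded so the
    data cannot close the attribute and start a new one (onmouseover=...)."""
    return '"' + html.escape(s, quote=True) + '"'


def js_string(s):
    """String literal inside <script>: JSON-encode, then hide < > & as \\uXXXX so a
    '</script>' inside the data cannot terminate the script block."""
    return (json.dumps(s).replace("<", "\\u003c")
                         .replace(">", "\\u003e")
                         .replace("&", "\\u0026"))


def xml_text(s):
    """XML text node via the predefined entities (&lt; &gt; &amp;)."""
    return xml_escape(s)


def xml_cdata(s):
    """CDATA section; a ']]>' in the data would end it early, so split it in two."""
    return "<![CDATA[" + s.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def render_comment(comment):
    """The slide's <div id="comment"> with the comment encoded for HTML text."""
    return '<div id="comment">' + html_body(comment) + "</div>"


if __name__ == "__main__":
    attack = "Here is my <script>attack</script>"
    print(render_comment(attack))
    print("<input value=" + html_attr('x" onmouseover="alert(1)') + ">")
    print("<script>var c = " + js_string("</script><script>alert(1)</script>") + ";</script>")
    print("<says>" + xml_text("my input is <script>") + "</says>")
    print("<says>" + xml_cdata("a]]><script>") + "</says>")
```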
Attacking the users: replaying predictable requests…
Risk A5: Cross-site request forgery
What is the risk? An attacker might build her own website and trigger requests to your site from the visitor's browser, which attaches the visitor's cookies to them. (yes, that's exactly what it seems to be...)
What are the countermeasures? Implement unpredictable requests for all sensitive actions.
- Use temporary random hidden control fields:
  <input type=hidden name=check value=ab23b4a/>
- Link forms to the user session:
  if(!(Request.Form["checker"]).Equals(SessionID)) // return error
  (compare against a random token stored in or derived from the session rather than the session ID itself, so the session cookie value is never written into page content)
- Use CAPTCHA
- Use out-of-band verification: SMS / voice call / cryptographic tokens, etc.
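The hidden control field and the session check from the slide, as an added example (not the deck's code): the token is an HMAC over the session id and the form name under a server-side key, so it is unpredictable to the attacker's page, bound to one session and one form, and never exposes the session id itself; verification uses a constant-time comparison. The server key is generated at start-up here only so the demo runs; in a deployment it comes from configuration.

```python
import hashlib
import hmac
import secrets

# Assumed: loaded from configuration in a real deployment; generated here for the demo.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id, form_name):
    """Unpredictable per-session, per-form value. A keyed hash of the session id
    means the page carries a token, never the session id itself."""
    msg = (form_name + ":" + session_id).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def hidden_field(session_id, form_name):
    """The slide's temporary hidden control field, rendered into the form."""
    return '<input type="hidden" name="check" value="%s"/>' % csrf_token(session_id, form_name)


def check_request(session_id, form_name, submitted):
    """Server side: the slide's 'link forms to the user session' test. The session id
    comes from the cookie, the token from the form body; they must agree."""
    if not submitted:
        return False           # an attacker's page cannot read our token, so it sends none
    return hmac.compare_digest(csrf_token(session_id, form_name), submitted)


if __name__ == "__main__":
    sid = "s3ssion-id-from-cookie"
    print(hidden_field(sid, "transfer"))
    # Legitimate submission: token rendered into the victim's own form.
    print(check_request(sid, "transfer", csrf_token(sid, "transfer")))    # True
    # Forged submission from attacker's site: cookie is sent, token is missing or guessed.
    print(check_request(sid, "transfer", ""))                            # False
    print(check_request(sid, "transfer", csrf_token("other", "transfer")))  # False
```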
Other attacks: breaking weak cryptography…
what if? Encrypting with Base64
$cookie = base64($sessionId);
It's not encryption, it's encoding!

what if? Encrypting user passwords with AES-256
$password = encrypt($_GET['password'], AES256, key);
Reversible encryption!

what if? Hashing user passwords with MD5
$password = md5($_GET['password']);
Weak algorithm!

what if? Hashing user passwords with SHA-256
$password = sha256($_GET['password']);
Missing salt!

what if? Building keys with Math.Random
Byte[] key = Math.RandBytes(128);
Weak random number generator!

what if? Deriving a key from a human-entered secret
$key = md5($_GET['secret']);
Weak key entropy!

what if? Using the ECB mode of operation
$bytes = encrypt($text, key);   // returns: {0xAF00CADACCE34A4D}
$bytes2 = encrypt($text, key);  // returns: {0xAF00CADACCE34A4D}
Weak mode of operation: identical plaintext blocks give identical ciphertext blocks!

what if? Using the CBC mode of operation
$bytes = encrypt($text, key);   // returns: {0xAF00CADACCE34A4D}
$bytes2 = encrypt($text, key);  // returns: {0xAF00CADACCE34A4D}
Non-random initialization vectors: the same ciphertext again!

what if? Decrypting with an internal secret
String clearText = CryptUtils.Decrypt($bytes, Parameters.SecretKey);
Hard-coded secret!

what if? blablabla
Another problem.
Risk A9: Insecure cryptographic storage
What is the risk? An attacker might not need as much time as you expected to decrypt your data.
If one of these words sounds foggy to you, there is a risk: asymmetric/symmetric encryption, offline encryption, online encryption, CBC, key entropy, initialization vector, ECB, message authentication code, PBKDF2 (RFC 2898), constant-time operation, Rijndael, AES, 3DES, DSA, RSA, ECC, SHA, keyring, DPAPI, …
What are the countermeasures? Don't do cryptography by yourself.
- Use business-level APIs
- Use open-source reference implementations (OpenSSL, TrueCrypt, etc.)
- Use expert-community-driven libraries (OWASP ESAPI, …)
- Take classes…
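Password storage done with a library primitive rather than home-grown code, as an added example covering the "reversible encryption", "weak algorithm", "missing salt" and "weak random number generator" slides (not from the deck): PBKDF2-HMAC-SHA256 from RFC 2898 via hashlib, a random salt per password, the parameters stored alongside the hash, a constant-time comparison on verify, and keys drawn from the OS CSPRNG. The iteration count and the storage format are assumed.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster


def unsalted_sha256(password):
    """The slide's 'missing salt' case: equal passwords give equal digests, so one
    precomputed table breaks every account that chose the same password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 (RFC 2898) with a random 16-byte salt. The algorithm,
    iteration count and salt travel with the hash so they can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def new_key(nbytes=32):
    """Keys come from the OS CSPRNG (secrets), never from a Math.random-style generator."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    print(unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))   # True: linkable
    h1, h2 = hash_password("hunter2"), hash_password("hunter2")
    print(h1 != h2, verify_password("hunter2", h1), verify_password("hunter3", h1))
    print(new_key().hex())
```

There is no decrypt function: a stored password only ever needs to be verified, which is why the slide's AES-256 variant is wrong by design rather than by parameter choice.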
Other attacks: observing the environment…
? (image © daquellamanera @flickr)
Risk A10: Insufficient transport layer protection
What is the risk? Traffic eavesdropping, due to insufficient transport layer protection.
What are the countermeasures?
- Require an SSL-encrypted link.
- Use appropriate certificates (signed and valid).
- Prevent cookies from leaving the encrypted link ("Secure" flag enabled).
What is the risk level? (scale from LOW to HIGH)
Part 2: Assessing the risks induced by these 10 attacks
Hopefully, someone did it…
Rating the risks (worked example: XSS = 2,6 × ?)
OWASP Top 10 – 2010 RC1: The top ten web application security risks
What the Top 10 gives each audience:
- Risk managers: exploitability, prevalence, detectability, impact (CIA, AAA)
- Testers: search patterns, typical cases, myths
- Developers: mitigation steps (technology-agnostic), best practices
- Advanced material: detailed attack scenarios, mitigation techniques (per technology), further references
- Teachers / students: example scenarios
Migration info: removed entries, new entries, gap analysis
Part 3: Integrating the Top 10 into an existing software development / acquisition lifecycle
The Top 10 in your SDLC/SALC
- Software vendor: secure design, secure coding, security testing, metrics analysis, personnel training, quality assurance
- Software buyer: penetration test, design review reports, security test results, contract conditions, SLA support

More Related Content

PPTX
The top 10 web application intrusion techniques
PPTX
15 owasp top 10 - a3-xss
PPTX
Developing Secure Web Application - Cross-Site Scripting (XSS)
PPTX
Authentication and session v4
PDF
2013 OWASP Top 10
PPTX
Web application security: how to start?
PDF
Log Analytics for Distributed Microservices
PPT
Web Application Testing for Today’s Biggest and Emerging Threats
The top 10 web application intrusion techniques
15 owasp top 10 - a3-xss
Developing Secure Web Application - Cross-Site Scripting (XSS)
Authentication and session v4
2013 OWASP Top 10
Web application security: how to start?
Log Analytics for Distributed Microservices
Web Application Testing for Today’s Biggest and Emerging Threats

Similar to Owasp Top10 2010 rc1 (20)

PPTX
unit cyber security BOTNETS Documents.pptx
PDF
VoIp Security Services Technical Description Cyber51
PDF
INSECURE Magazine - 35
PPT
Professional Open Source
PPTX
Higgins active clients and personal data stores v2
PDF
Module 12 (web application vulnerabilities)
PPTX
Ivanti Patch Tuesday for April 2020
PPTX
Data Protection & Privacy During the Coronavirus Pandemic
PDF
Lime broker
PDF
Module 6.Security in Evolving Technology
PDF
CompTIA Security+ Objectives
PDF
Analyzing The Audit Statement Provided By The Information...
PDF
ICT Security 2010: Le minacce delle nuove tecnologie
PDF
Nt1320 Unit 6
PDF
Secureview 3
PPTX
Can Containers be Secured in a PaaS?
PPTX
Can Containers be secured in a PaaS?
PDF
Secure client
PPTX
Patch Tuesday August 2020
unit cyber security BOTNETS Documents.pptx
VoIp Security Services Technical Description Cyber51
INSECURE Magazine - 35
Professional Open Source
Higgins active clients and personal data stores v2
Module 12 (web application vulnerabilities)
Ivanti Patch Tuesday for April 2020
Data Protection & Privacy During the Coronavirus Pandemic
Lime broker
Module 6.Security in Evolving Technology
CompTIA Security+ Objectives
Analyzing The Audit Statement Provided By The Information...
ICT Security 2010: Le minacce delle nuove tecnologie
Nt1320 Unit 6
Secureview 3
Can Containers be Secured in a PaaS?
Can Containers be secured in a PaaS?
Secure client
Patch Tuesday August 2020
Ad

More from Antonio Fontes (13)

PDF
Sécurité des applications web: attaque et défense
PDF
Owasp ottawa training-day_2012-secure_design-final
PDF
Securing your web apps before they hurt the organization
PPTX
Modéliser les menaces d'une application web
PPTX
Trouvez la faille! - Confoo 2012
PPTX
Confoo 2012 - Web security keynote
PDF
Threat Modeling web applications (2012 update)
PDF
Rapid Threat Modeling : case study
PPTX
Sécurité dans les contrats d'externalisation de services de développement et ...
PPTX
Meet the OWASP
PPTX
IT Security Days - Threat Modeling
PPTX
Threat modeling web application: a case study
PPTX
Cyber-attaques: mise au point
Sécurité des applications web: attaque et défense
Owasp ottawa training-day_2012-secure_design-final
Securing your web apps before they hurt the organization
Modéliser les menaces d'une application web
Trouvez la faille! - Confoo 2012
Confoo 2012 - Web security keynote
Threat Modeling web applications (2012 update)
Rapid Threat Modeling : case study
Sécurité dans les contrats d'externalisation de services de développement et ...
Meet the OWASP
IT Security Days - Threat Modeling
Threat modeling web application: a case study
Cyber-attaques: mise au point
Ad

Recently uploaded (20)

PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
PDF
Empathic Computing: Creating Shared Understanding
PPTX
1. Introduction to Computer Programming.pptx
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Getting Started with Data Integration: FME Form 101
PPTX
cloud_computing_Infrastucture_as_cloud_p
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Encapsulation theory and applications.pdf
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
A comparative study of natural language inference in Swahili using monolingua...
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
Heart disease approach using modified random forest and particle swarm optimi...
PDF
Mushroom cultivation and it's methods.pdf
PPTX
Machine Learning_overview_presentation.pptx
PDF
Machine learning based COVID-19 study performance prediction
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
A Presentation on Artificial Intelligence
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
SOPHOS-XG Firewall Administrator PPT.pptx
Empathic Computing: Creating Shared Understanding
1. Introduction to Computer Programming.pptx
Per capita expenditure prediction using model stacking based on satellite ima...
Getting Started with Data Integration: FME Form 101
cloud_computing_Infrastucture_as_cloud_p
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Encapsulation theory and applications.pdf
Mobile App Security Testing_ A Comprehensive Guide.pdf
A comparative study of natural language inference in Swahili using monolingua...
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Building Integrated photovoltaic BIPV_UPV.pdf
Heart disease approach using modified random forest and particle swarm optimi...
Mushroom cultivation and it's methods.pdf
Machine Learning_overview_presentation.pptx
Machine learning based COVID-19 study performance prediction
Encapsulation_ Review paper, used for researhc scholars
A Presentation on Artificial Intelligence
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Advanced methodologies resolving dimensionality complications for autism neur...

Owasp Top10 2010 rc1

  • 1. OWASP Top 10 - 2010 rc1The Top 10 Most Critical Web Application Security RisksAntonio FontesOWASP Geneva Chapter Leaderantonio.fontes@owasp.org
  • 2. Agenda10 ways to attack web applicationsThe OWASP Top 10 rc1 ProjectIntegrating the Top 10 in an existing SDLC/SALCQ&A2Antonio Fontes / Confoo Conference, Montreal / 2010
  • 3. About the OWASPOpen Web Application Security Project“Helping organizations secure their web applications.”Documentation and tools projects130 local chapters worldwidehttp://www.owasp.orgAntonio Fontes / Confoo Conference, Montreal / 20103
  • 4. About me…Antonio Fontes, from Geneva (Switzerland)>1999: Web developer>2005: Ethical hacker / Security analyst>2008: Security & Privacy manager (banking software ISV)>2008: OWASP Geneva Chapter Leader >2010: Information Security Consultant SANS/CWE Top 25 Most Dangerous Programming Errors contributor4Antonio Fontes / Confoo Conference, Montreal / 2010
  • 5. And about you?Coders? Testers?Managers?Hardcore OWASP Top 10 users?5Antonio Fontes / Confoo Conference, Montreal / 2010
  • 6. Just taking the temperature…6© Randal Munroe (xkcd.com)Antonio Fontes / Confoo Conference, Montreal / 2010
  • 7. Part 1: Top 10 major web application attack techniques7Antonio Fontes / Confoo Conference, Montreal / 2010
  • 8. Attacking the infrastructureAttacking the applicationAttacking the usersOther attacks8Antonio Fontes / Confoo Conference, Montreal / 2010
  • 9. Attacking the infrastructurehitting the weakest layer9Antonio Fontes / Confoo Conference, Montreal / 2010
  • 10. 10 ; ) Are all demo apps removed?Is the web server up to date?Is the admin area protected from external access?Is directory indexing been disabled?Were all default passwords changed?Are all unnecessary scripts removed?Are there any backup/test/unused resources?Is the web server up to date?Have all default passwords been changed?Are all unnecessary services disabled?Are all unnecessary accounts disabled?Have all default passwords been changed?Is the system up to date?© Darwin Bell@flickrAre all unnecessary paths closed?Are all unnecessary ports closed?Is the admin interface reachable from the web?Can an administrative account be broken?Is the device up to date?Antonio Fontes / Confoo Conference, Montreal / 2010
  • 11. Risk A6: Security misconfiguration11Antonio Fontes / Confoo Conference, Montreal / 2010
  • 12. What is the risk?If there is a weaker link than the web application itself, the attacker will switch to the flawed layer. What are the countermeasures?Harden all layersReduce services and accounts to the minimumNo default passwordsKeep everything up to dateApply security guidelines (OS security, Web server security, Application server security, etc.)Keep default web application configuration safe“Deploy securely on a secure architecture”12Antonio Fontes / Confoo Conference, Montreal / 2010
  • 13. Attacking the infrastructureAttacking the applicationAttacking the usersOther attacks13Antonio Fontes / Confoo Conference, Montreal / 2010
  • 14. Attacking the applicationinjecting hostile code…14Antonio Fontes / Confoo Conference, Montreal / 2010
  • 15. what if?15Antonio Fontes / Confoo Conference, Montreal / 2010
  • 16. 16what if?SELECT * FROM users usrWHERE usr.username = 'admin ';--‘AND usr.password = ‘bb21158c733229347bd4e681891e213d94c685be’Antonio Fontes / Confoo Conference, Montreal / 2010
  • 17. 17what if?Antonio Fontes / Confoo Conference, Montreal / 2010
  • 18. what if?18Antonio Fontes / Confoo Conference, Montreal / 2010
  • 19. 19 Any user input is a potential attack vector.Antonio Fontes / Confoo Conference, Montreal / 2010
  • 20. Risk A1: Injections20Antonio Fontes / Confoo Conference, Montreal / 2010
  • 21. RISK?Any application entry point can be used as a vector to inject hostile content that will modify expected behaviors.GOOD TO KNOWAll non-binding query languages are exposed! (LDAP and Xpath….)21Antonio Fontes / Confoo Conference, Montreal / 2010
  • 22. COUNTERMEASURES?All input can be modified client-side. Be sure to validate:Querystring parametersForm fields (hidden fields also count)File submissions : if you’re expecting a picture, then make sure it is a picture!CookiesHTTP headers: all fields, including referrer are “user input”22Antonio Fontes / Confoo Conference, Montreal / 2010
  • 23. COUNTERMEASURES? (cont’d)Neverpaste user input into query commands (SQL, Xpath, LDAP, OS commands, etc.):Use binding variables such as SQL parameters:If no binding model, encode input before pasting:Doubled quotes (‘’) for SQL serverEscaped quotes (\’) for MySQL (PHP addslashes is helpful!)Etc.23Antonio Fontes / Confoo Conference, Montreal / 2010
  • 24. COUNTERMEASURES ?(cont’d)Choose best validation strategy!Best: WhitelistWhen all possible values are known (enums, if/else if statements, regular expressions, …)Graylist:Enforce business rules:Type: string, numeric, byte, …Range: >0, <MaxInt, [a-z]{3,20}Weakest: Blacklistif(input.IndexOf(“<script>”)>=0)//reject24Antonio Fontes / Confoo Conference, Montreal / 2010
  • 25. Attacking the applicationplaying with obvious identifiers…25Antonio Fontes / Confoo Conference, Montreal / 2010
  • 26. what if?2699999999Antonio Fontes / Confoo Conference, Montreal / 2010
  • 27. what if?271234567Antonio Fontes / Confoo Conference, Montreal / 2010
  • 28. Risk A4: Insecure direct object references28Antonio Fontes / Confoo Conference, Montreal / 2010
  • 29. What is the risk?All references can modified client-side. An attacker might be able to access and/or modify confidential information.What are the countermeasures?Never send internal references to the browser:Use temporary or random number mapping (#0, #1, #2, #3, etc.)OR combine referenced access with access control:SELECT * FROM item WHERE id = $id AND owner = $uIDUPDATE item … WHERE id = $id AND owner = $id29Antonio Fontes / Confoo Conference, Montreal / 2010
  • 30. Attacking the applicationbreaking session and authentication mechanisms…30Antonio Fontes / Confoo Conference, Montreal / 2010
  • 31. what if?31Antonio Fontes / Confoo Conference, Montreal / 2010
  • 32. what if?32Antonio Fontes / Confoo Conference, Montreal / 2010
  • 33. what if?33Antonio Fontes / Confoo Conference, Montreal / 2010
  • 34. Risk A3: Broken authentication or session management34Antonio Fontes / Confoo Conference, Montreal / 2010
  • 35. What is the risk?HTTP is a stateless protocol. Each request must transmit ‘session’ information over the network.Authentication mechanisms are highly targeted by attackers , at all levels: forms, traffic, stored data.What are the countermeasures?Use simple, centralized and standardized session mechanismEnable cookie security attributes (secure flag, httponly flag, encryption and integrity control)Validate session identifiers Is the sessionID coming from the right place?35Antonio Fontes / Confoo Conference, Montreal / 2010
  • 36. countermeasures? (cont’d)Make sure ‘logoff’ actually invalidates the session.Prevent bruteforcing attacks, but also prevent denial of service on legitimate accountsEnforce secure password recoveryAuthenticate before resettingReview, review, review authentication (and logoff) code manually!36Antonio Fontes / Confoo Conference, Montreal / 2010
  • 37. Attacking the applicationfinding hidden “secret” URLs…37Antonio Fontes / Confoo Conference, Montreal / 2010
  • 38. what if?38Antonio Fontes / Confoo Conference, Montreal / 2010
  • 39. what if?39Antonio Fontes / Confoo Conference, Montreal / 2010
  • 40. Risk A7: Failure to restrict URL access40Antonio Fontes / Confoo Conference, Montreal / 2010
  • 41. What is the risk?URLs that lead to confidential resources can be easily sent, stored (bookmarks), monitored (proxies, security devices) and sometimes, guessed. What are the countermeasures?Completely disallow access to sensitive file typesValidate ALL incoming requestsAuthorize explicitly (web.xml, ASP.Net page lifecycle, etc.)Don’t expose physical documents with permanent or guessable URLs41Antonio Fontes / Confoo Conference, Montreal / 2010
  • 42. Attacking the infrastructureAttacking the applicationAttacking the usersOther attacks42Antonio Fontes / Confoo Conference, Montreal / 2010
  • 43. Attacking the usersredirecting users elsewhere…43Antonio Fontes / Confoo Conference, Montreal / 2010
  • 44. what if?44Antonio Fontes / Confoo Conference, Montreal / 2010
  • 45. Risk A8: Non-validated redirects and forwards45Antonio Fontes / Confoo Conference, Montreal / 2010
  • 46. What is the risk?An attacker may use your website reputation as a vector to redirect victims to a hostile website.What are the countermeasures?Never allow absolute URL redirection.If not possible: Use a whitelist of valid hostsShow a warning before redirecting the userIf using a “web portal”, make sure redirect pages do not include sensitive information in URLs (aka single-signon-on information)46Antonio Fontes / Confoo Conference, Montreal / 2010
  • 47. Attacking the usersrunning client hostile code in the website…47Antonio Fontes / Confoo Conference, Montreal / 2010
  • 48. what if?48Antonio Fontes / Confoo Conference, Montreal / 2010
  • 49. what if?49Antonio Fontes / Confoo Conference, Montreal / 2010
  • 50. Risk A2: Cross-site scripting50Antonio Fontes / Confoo Conference, Montreal / 2010
  • 51. What is the risk?An attacker might inject client-side hostile code in the web application, which will be returned to a victim.51Antonio Fontes / Confoo Conference, Montreal / 2010
  • 52. What are the countermeasures?Sanitize output. Encode to destination format.For HTML output, use HtmlEntities:<div id=“comment”>Here is my <script>attack</script></div> <div id=“comment”>Here is my &lt;script&gt;attack&lt;/script&gt;</div>52Antonio Fontes / Confoo Conference, Montreal / 2010
  • 53. What are the countermeasures?Sanitize output, encode to destination format:For XML output, use predefined entities:<says>“here is my <script>”</says>  <says><![CDATA[here is my <script>]]></says><says>my input is <script></says> <says>my input is &lt;script&gt;</says>53Antonio Fontes / Confoo Conference, Montreal / 2010
  • 54. Attacking the usersreplaying predictable requests…54Antonio Fontes / Confoo Conference, Montreal / 2010
  • 55. what if?55Antonio Fontes / Confoo Conference, Montreal / 2010
  • 56. what if?56Antonio Fontes / Confoo Conference, Montreal / 2010
  • 57. Risk A5: Cross-site Request Forgery57Antonio Fontes / Confoo Conference, Montreal / 2010
  • 58. What is the risk?An attacker might build her own website and trigger requests on the visitor’s browser. (yes, that’s exactly what it seems to be...)58Antonio Fontes / Confoo Conference, Montreal / 2010
  • 59. What are the countermeasures?Implement unpredictable requests for all sensitive actionsUse temporary random hidden control fields:<input type=hidden name=check value=ab23b4a/>Link forms to the user session:if(!(Request.Form[“checker”]).Equals(SessionID)) // return errorUse CAPTCHAUse out-of-band verification:SMS / Voice call / Cryptographic tokens, etc.59Antonio Fontes / Confoo Conference, Montreal / 2010
  • 60. Attacking the infrastructure / Attacking the application / Attacking the users / Other attacks
  • 61. Other attacks: breaking weak cryptography…
  • 62. what if? Encrypting with Base64: $cookie = base64($sessionId); It's not encryption, it's encoding!
  • 63. what if? Encrypting user passwords with AES-256: $password = encrypt($_GET["password"], AES256, key); Reversible encryption!
  • 64. what if? Hashing user passwords with md5: $password = md5($_GET["password"]); Weak algorithm!
  • 65. what if? Hashing user passwords with SHA-256: $password = sha256($_GET["password"]); Missing salt (and no work factor)!
  • 66. what if? Building keys with Math.Random: Byte[] key = Math.RandBytes(128); Weak (non-cryptographic) random number generator!
  • 67. what if? Deriving a key from a human-entered secret: $key = md5($_GET["secret"]); Weak key entropy (and no key stretching)!
  • 68. what if? Using the ECB mode of operation: $bytes = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} $bytes2 = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} Weak mode of operation: identical plaintext blocks give identical ciphertext blocks!
  • 69. what if? Using the CBC mode of operation: $bytes = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} $bytes2 = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} Non-random initialization vectors: with a fixed IV the output is deterministic again!
  • 70. what if? Decrypting with an internal secret: String clearText = CryptUtils.Decrypt($bytes, Parameters.SecretKey); Hard-coded secret!
  • 71. what if? blablabla… Another problem.
  • 72. Risk A9: Insecure cryptographic storage
  • 73. What is the risk? An attacker might not need as much time as you expected to decrypt your data. If one of these words sounds foggy to you, there is a risk: asymmetric/symmetric encryption, offline encryption, online encryption, CBC, key entropy, initialization vector, ECB, message authentication code, PBKDF2 (RFC 2898), constant-time operation, Rijndael, AES, 3DES, DSA, RSA, ECC, SHA, keyring, DPAPI, …
  • 74. What are the countermeasures? Don't do cryptography by yourself. Use business-level APIs. Use open-source reference implementations (OpenSSL, TrueCrypt, etc.). Use expert-community-driven libraries (OWASP ESAPI, …). Take classes…
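One block for the password and key slides above (Base64 "encryption", unsalted md5/SHA-256 hashing, md5 as key derivation, Math.Random keys) and for the "use library primitives" countermeasure. Added example, not the deck's code: it stays inside the Python standard library (`hashlib.pbkdf2_hmac`, `secrets`, `hmac.compare_digest`), the iteration count and salt length are choices made here, and the `weak_hash` function exists only to show what the slides warn against. The ECB/CBC slides need a block cipher and are not covered.

```python
"""Password storage and key derivation with standard primitives (added example)."""
import base64
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000   # assumption for the demo; raise as hardware speeds up
SALT_BYTES = 16               # assumption: 128-bit random salt per password


def base64_is_not_encryption(session_id: str) -> str:
    """Slide 62: anyone can undo Base64, it is encoding, not encryption."""
    cookie = base64.b64encode(session_id.encode()).decode()
    return base64.b64decode(cookie).decode()


def weak_hash(password: str) -> str:
    """What the md5/SHA-256 slides do: fast, unsalted, deterministic.
    Two users with the same password get the same hash, and one
    precomputed table cracks every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, slow hash: PBKDF2-HMAC-SHA256 (RFC 2898) with a random salt.
    Stored as iterations$salt$hash so the parameters can change later."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, PBKDF2_ITERATIONS)
    return '%d$%s$%s' % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split('$')
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def derive_key(secret: str, salt: bytes, length: int = 32) -> bytes:
    """Key from a human-entered secret (slide 67): stretch it with PBKDF2
    instead of md5. The salt is not secret but must be stored with the
    ciphertext so the key can be derived again."""
    return hashlib.pbkdf2_hmac('sha256', secret.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=length)


def random_key(length: int = 32) -> bytes:
    """Keys that are not derived from a secret come from the OS CSPRNG
    (slide 66), never from a general-purpose random number generator."""
    return secrets.token_bytes(length)


if __name__ == '__main__':
    print(base64_is_not_encryption('sess-123'))
    print(weak_hash('hunter2') == weak_hash('hunter2'))
    stored = hash_password('hunter2')
    print(stored)
    print(verify_password('hunter2', stored), verify_password('hunter3', stored))
```

Note what is and is not reversible: the session ID comes back out of Base64 unchanged, whereas a stored password never needs to be recovered, only re-checked, so a one-way salted, slow hash is the right tool and AES-256 (slide 63) is the wrong one.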
  • 75. Other attacks: observing the environment…
  • 76. ? (© daquellamanera @flickr)
  • 77. Risk A10: Insufficient transport layer protection
  • 78. What is the risk? Traffic eavesdropping, due to insufficient transport layer protection. What are the countermeasures? Require an SSL/TLS encrypted link (for the whole session, not only the login page). Use appropriate certificates (signed by a trusted CA, valid, matching the host name). Prevent cookies from leaving the encrypted link (set the "secure" flag).
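The cookie point from the slide above, as an added example (not the deck's code): a small check that parses a `Set-Cookie` header, reports which protection flags a session cookie is missing, and models the browser rule that decides whether the cookie would be attached to a plain `http://` request. The two headers are constructed samples; the hardened one is emitted with the standard library's `http.cookies.SimpleCookie`.

```python
"""Does the session cookie stay on the encrypted link? (added example)"""
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, as a server might send them.
WEAK_HEADER = 'sessionid=abc123; Path=/'
HARDENED_HEADER = 'sessionid=abc123; Path=/; Secure; HttpOnly'


def parse_set_cookie(header: str) -> dict:
    """Return {name, value, flags}; attribute names are lower-cased."""
    parts = [p.strip() for p in header.split(';')]
    name, _, value = parts[0].partition('=')
    flags = set()
    for attr in parts[1:]:
        key = attr.split('=', 1)[0].strip().lower()
        if key:
            flags.add(key)
    return {'name': name.strip(), 'value': value.strip(), 'flags': flags}


def missing_flags(header: str) -> list:
    """Flags a session cookie should carry: Secure (sent over TLS only)
    and HttpOnly (not readable by script, which limits XSS theft)."""
    flags = parse_set_cookie(header)['flags']
    return [f for f in ('secure', 'httponly') if f not in flags]


def browser_would_send(header: str, scheme: str) -> bool:
    """Model the browser rule: a Secure cookie rides on https:// requests
    only; without the flag it is also sent on http://, where anyone on the
    path reads the session id in the clear."""
    flags = parse_set_cookie(header)['flags']
    if 'secure' in flags:
        return scheme == 'https'
    return scheme in ('http', 'https')


def build_session_cookie(session_id: str) -> str:
    """Emit the hardened header value with the standard library."""
    c = SimpleCookie()
    c['sessionid'] = session_id
    c['sessionid']['path'] = '/'
    c['sessionid']['secure'] = True
    c['sessionid']['httponly'] = True
    return c.output(header='').strip()


if __name__ == '__main__':
    for h in (WEAK_HEADER, HARDENED_HEADER, build_session_cookie('abc123')):
        print(h, '-> missing:', missing_flags(h),
              '| sent on http:', browser_would_send(h, 'http'))
```

A page served over HTTPS whose cookie lacks `Secure` is still exposed: one `http://` image or link to the same host (or a forged one injected by an attacker on the path) is enough for the browser to send the session id unencrypted.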
  • 79. What is the risk level? Low … High
  • 80. Part 2: Assessing the risks induced by these 10 attacks
  • 81. Hopefully, someone did it…
  • 82. rating the risks: XSS (example) = 2,6 x ?
  • 83. OWASP Top 10 – 2010 RC1: The top ten web application security risks
  • 87. impact (CIA, AAA) | Testers: search patterns
  • 89. myths | Developers: mitigation steps (agnostic)
  • 90. best practices | Advanced material: detailed attack scenarios
  • 91. mitigation techniques (per technology)
  • 92. further references | Teachers / Students: example scenarios
  • 95. gap analysis
  • 96. Part 3: Integrating the Top 10 into an existing software development / acquisition lifecycle
  • 97. The Top 10 in your SDLC/SALC. Software vendor: secure design, secure coding, security testing, metrics analysis. Software buyer: penetration test, design review reports, security test results, contract conditions, SLA support. Also on the diagram: personnel training, quality assurance.
  • 98. Conclusion: Your web application will be hacked. ; )
  • 99. Conclusion: But if you use the Top 10…
  • 100. Conclusion: It won't be the cheap way…
  • 101. Conclusion: And it won't be the embarrassing way…
  • 102. Conclusion: You now know the 10 riskiest flaws in web applications.
  • 103. Conclusion: But there's still a lot to see: CWE/SANS Top 25 Most Dangerous Programming Errors, WASC Threat Classification, threat modeling, OWASP Application Security Verification Standard (ASVS), Open Software Assurance Maturity Model…
  • 104. Conclusion: …before becoming "secure".
  • 105. http://owasp.org/index.php/Top10 (final version: end of March 2010) thank you :)
  • 107. Copyright: You are free to share (copy, distribute, transmit) and to remix, but only if you attribute this work, you use it for non-commercial purposes, and you keep sharing your result the same way I did.