OWASP Top 10 by Team xbios
Posted on 21-Oct-2014
Description: OWASP Top 10 vulnerabilities in 2013 and techniques for avoiding them.
Transcript
Page 1: OWASP TOP 10
By Team Xbios
Page 4: Injection flaws
' or 1 = 1 '--
Page 5: Injection means…
Tricking an application into including unintended commands in the data sent to an interpreter.
Interpreter: takes strings and interprets them as commands, e.g. SQL, OS shell, LDAP, XPath, Hibernate, etc…
Page 6: SQL Injection Example
```php
// Vulnerable on purpose: the POST values are pasted straight into the SQL
// text, so quotes and comment markers in the username rewrite the query
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM user
          WHERE username = '$username'
          AND password = '$password'";
$user = $db->query($query);
```
Page 7: Recommendations
• Avoid the interpreter entirely, or
• Use an interface that supports bind variables (e.g., prepared statements, or stored procedures)
• Encode all user input before passing it to the interpreter
References: for more details, read the new http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
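The bind-variable recommendation worked through, as an added example that is not part of the slides: the slide's string-built login query beside the same query with bound parameters, run against a constructed in-memory SQLite `user` table (plaintext password comparison is kept only to mirror the slide).

```python
import sqlite3
from typing import List

def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the slide's `user` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (username TEXT, password TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Same defect as the PHP on the slide: values interpolated into SQL text."""
    query = (f"SELECT username FROM user WHERE username = '{username}' "
             f"AND password = '{password}'")
    return [row[0] for row in db.execute(query)]

def login_bound(db: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Bind variables: the statement text is fixed and the values travel
    separately, so a quote or '--' in the input stays plain data."""
    query = "SELECT username FROM user WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(query, (username, password))]

if __name__ == "__main__":
    db = make_db()
    crafted = "' or 1 = 1 --"      # the slide's payload, without the stray trailing quote
    print(login_vulnerable(db, crafted, "wrong"))   # every user is returned
    print(login_bound(db, crafted, "wrong"))        # []
```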
Page 9: HTTP is a "stateless" protocol
• A SESSION ID is used to track state, since HTTP doesn't, and it is just as good as credentials to an attacker.
• The SESSION ID is typically exposed on the network, in the browser, in logs, …
Beware of side-doors: change my password, remember my password, forgot my password, secret question, logout, email address, etc…
Page 10: Attack Illustration
Diagram: Custom Code in front of the application tiers (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions)
1. User sends credentials
2. Site uses URL rewriting (i.e., puts the session in the URL)
www.boi.com?JSESSIONID=9FA1DB9EA...
3. User clicks on a link to http://www.hacker.com in a forum
4. Hacker checks referrer logs on www.hacker.com and finds the user's JSESSIONID
5. Hacker uses the JSESSIONID and takes over the victim's account
Page 11: Impacts
• User accounts compromised or user sessions hijacked
Recommendations
• Verify your architecture
• Verify the implementation
References: follow the guidance from http://www.owasp.org/index.php/Authentication_Cheat_Sheet
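One concrete "verify the implementation" check for the URL-rewriting leak illustrated above, as an added example that is not from the slides: the session ID is minted with a CSPRNG, carried only in a flagged cookie, and a request whose URL carries a session parameter is refused rather than honoured. The cookie name `SESSIONID` and the in-memory `store` are assumptions of this example.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "SESSIONID"     # cookie name assumed for this example

def issue_session_cookie(store: Dict[str, str], user: str) -> str:
    """After a successful login, mint a fresh unguessable session ID, record it
    server-side, and return the Set-Cookie header value that carries it."""
    sid = secrets.token_urlsafe(32)          # 256 random bits, not derived from user data
    store[sid] = user
    # HttpOnly keeps page scripts away from it, Secure keeps it off plain HTTP,
    # SameSite=Lax keeps it off cross-site POSTs; none of this protects a URL
    return f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

def url_carries_session(url: str) -> bool:
    """Detect URL rewriting (the ?JSESSIONID=... form on the slide), which
    leaks the ID through Referer headers, proxy logs and browser history."""
    keys = {k.lower() for k in parse_qs(urlsplit(url).query)}
    return bool(keys & {"sessionid", "jsessionid", "phpsessid"})

def session_from_request(store: Dict[str, str], url: str,
                         cookie_header: str) -> Optional[str]:
    """Resolve the logged-in user from the cookie only. A request whose URL
    carries a session ID is treated as unauthenticated, not as a login."""
    if url_carries_session(url):
        return None
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(SESSION_COOKIE)
    return store.get(morsel.value) if morsel else None
```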
Page 12: XSS
<script> alert("cross site scripting"); </script>
Page 13: Occurs any time…
Raw data from an attacker is sent to an innocent user's browser.
Raw data may be:
• Stored in a database
• Reflected from web input (form field, hidden field, URL, etc…)
• Sent directly into a rich JavaScript client
Page 14: Impacts
• Steal the user's session, steal sensitive data, rewrite the web page, redirect the user to a phishing or malware site
• Most severe: install an XSS proxy which allows the attacker to observe and direct all of the user's behavior on the vulnerable site and force the user to other sites
Page 15: Recommendations
• Don't include user-supplied input in the output page
• Defend against the flaw. Primary recommendation: use OWASP's ESAPI to output encode
• For large chunks of user-supplied HTML, use OWASP's AntiSamy
References: for how to output encode properly, read the new http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
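Output encoding per context, as an added example that is not from the slides and uses the standard library rather than ESAPI: the slide's `<script>` payload is rendered raw, then through an HTML encoder for element and attribute contexts and a JavaScript-string encoder for a `<script>` block. The comment page and the `author` value are constructed for the example.

```python
import html
import json

# Constructed sample input: a comment carrying the slide's payload
PAYLOAD = '<script> alert("cross site scripting"); </script>'

def render_unsafe(comment: str) -> str:
    """Raw data from the request lands in the page unchanged, so the browser
    runs the attacker's script inside the victim's session."""
    return f'<p class="comment">{comment}</p>'

def encode_html(text: str) -> str:
    """Output encoding for HTML element content and quoted attribute values:
    & < > " ' become character references."""
    return html.escape(text, quote=True)

def encode_js_string(text: str) -> str:
    """Output encoding for a value placed in a <script> block as a JS string.
    json.dumps adds the quotes and escapes; < and > are escaped as well so a
    '</script>' inside the data cannot terminate the script element early."""
    return json.dumps(text).replace("<", "\\u003c").replace(">", "\\u003e")

def render_safe(comment: str, author: str) -> str:
    """Same page, with the encoder chosen by where each value is emitted."""
    return (f'<p class="comment" title="{encode_html(author)}">'
            f'{encode_html(comment)}</p>\n'
            f'<script>var author = {encode_js_string(author)};</script>')

def carries_live_payload(page: str) -> bool:
    """Does the page still contain the payload as executable markup?"""
    return PAYLOAD in page
```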
Page 16: Insecure Direct Object References
Page 17: Occurs when…
• A developer exposes a reference to an internal implementation object.
• Without an access control check or other protection, attackers can manipulate it.
Impacts
• Users are able to access unauthorized files or data
Page 18: Insecure Direct Object References Illustrated
https://www.onlinebank.com/user?acct=6065
• Attacker notices his acct parameter is 6065 (?acct=6065)
• He modifies it to a nearby number (?acct=6066)
• Attacker views the victim's account information
Page 19: Recommendations
• Eliminate the direct object reference
• Validate the direct object reference
Page 20: Security Misconfiguration
Page 21: Risks
• Default settings can be insecure, and intended for development, not production.
• Attackers can use misconfigured software to gain knowledge and access.
Impacts
• XSS flaw exploits due to missing application framework patches.
• Unauthorized access to default accounts, application functionality or data.
Page 22: Recommendations
• Know the tools you use, and configure them correctly.
• Keep up to date on vulnerabilities in the tools you use.
• Remove/disable any services/features you aren't using.
Page 23: Sensitive Data Exposure
Page 24: Storing and transmitting sensitive data insecurely
• Failure to identify all sensitive data
• Failure to identify all the places that this sensitive data gets stored
• Failure to properly protect this data in every location
Impacts
• Attackers access or modify confidential or private information
• Attackers extract secrets to use in additional attacks
• Expense of cleaning up the incident
• Business gets sued and/or fined
Page 25: Insecure Cryptographic Storage Illustrated
Diagram: Custom Code in front of the application tiers (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions), with log files off to the side
1. Victim enters credit card number in form
2. Error handler logs CC details because merchant gateway is unavailable
3. Logs are accessible to all members of IT staff for debugging purposes
4. Malicious insider steals 4 million credit card numbers
Page 26: Recommendations
• Verify your architecture
• Protect with appropriate mechanisms
• Use the mechanisms correctly
• Verify the implementation
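One "appropriate mechanism" for step 2 of the illustration (the error handler that logged card numbers), as an added example that is not from the slides: a logging filter that masks Luhn-valid card numbers before any record reaches a handler, so a debugging log readable by all of IT never holds a full PAN. The logger name and the sample message are constructed for the example.

```python
import logging
import re
from io import StringIO

# 13-19 digits, optionally separated by spaces or dashes, ending on a digit
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers and timestamps are not masked by mistake."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_pans(text: str) -> str:
    """Replace each Luhn-valid card number with a mask that keeps the last four."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, text)

class PanRedactingFilter(logging.Filter):
    """Installed on the handler, so every record is scrubbed on its way out,
    including the one a hurried error handler writes."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True

def log_gateway_failure(card_number: str) -> str:
    """Re-run the slide's step 2 with the filter in place; returns the line
    that actually reached the (in-memory) log."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(PanRedactingFilter())
    log = logging.getLogger("payments.demo")
    log.handlers = [handler]
    log.propagate = False
    log.setLevel(logging.ERROR)
    log.error("merchant gateway unavailable, charge failed for card %s", card_number)
    handler.flush()
    return buf.getvalue().strip()
```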
Page 27: Missing Function Level Access Control
Page 28: Risks
• Hidden things can easily be found.
• Creative people will eventually find your hidden URLs.
Impacts
• Attackers invoke functions and services they're not authorized for
• Access other users' accounts and data
• Perform privileged actions
Page 29: Failure to Restrict URL Access Illustrated
https://www.onlinebank.com/user/getAccounts
• Attacker notices the URL indicates his role: /user/getAccounts
• He modifies it to another directory (role): /admin/getAccounts, or /manager/getAccounts
• Attacker views more accounts than just their own
Page 30: Recommendations
• For each URL, a site needs to do 3 things
• Verify your architecture
• Verify the implementation
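The two access-control recommendations (Page 19: eliminate or validate the direct object reference; Page 30: check each URL server-side) worked through together, as an added example that is not from the slides. The account table, the roles and the route-to-role table are constructed for the onlinebank.com scenario on the slides.

```python
import secrets
from typing import Callable, Dict, Optional

# Constructed sample data for the onlinebank.com scenario on the slides
ACCOUNT_OWNER = {6065: "attacker", 6066: "victim"}          # acct id -> owning user
ROLES = {"attacker": {"user"}, "admin_ann": {"user", "admin"}}
ROUTE_ROLE = {"/user/getAccounts": "user",
              "/admin/getAccounts": "admin",
              "/manager/getAccounts": "manager"}              # every URL is listed

class AccessDenied(Exception):
    pass

def get_account(current_user: str, acct: int) -> dict:
    """Validate the direct object reference: ?acct=6066 is only served if it
    belongs to the logged-in user, however plausible the number looks."""
    if ACCOUNT_OWNER.get(acct) != current_user:
        raise AccessDenied(f"{current_user} may not read acct {acct}")
    return {"acct": acct, "owner": current_user}

class IndirectRefs:
    """Eliminate the direct reference: the browser gets a random per-session
    handle and the server maps it back to the real account id."""
    def __init__(self) -> None:
        self._map: Dict[str, int] = {}
    def handle_for(self, acct: int) -> str:
        handle = secrets.token_urlsafe(8)
        self._map[handle] = acct
        return handle
    def resolve(self, handle: str) -> Optional[int]:
        return self._map.get(handle)

def dispatch(current_user: str, path: str) -> str:
    """Function-level check done server-side on every request: the role a URL
    needs comes from one central table and unlisted URLs are denied by
    default, so an /admin/ path guessed from /user/ gains nothing."""
    needed = ROUTE_ROLE.get(path)
    if needed is None or needed not in ROLES.get(current_user, set()):
        raise AccessDenied(f"{current_user} may not call {path}")
    return f"{path} served for {current_user}"

def denied(fn: Callable, *args) -> bool:
    """True if the call is refused; used to exercise the checks above."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False
```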
Page 31: Cross Site Request Forgery
Page 32: Risks
• Evil websites can perform actions for users logged into your site.
• The vulnerability is caused by browsers automatically including user authentication data with each request.
Impacts
• Initiate transactions (transfer funds, log out the user, close the account)
• Access sensitive data
• Change account details
Page 33: CSRF Illustrated
Diagram: Application with CSRF vulnerability (Custom Code in front of Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions)
1. Attacker sets the trap on some website on the internet (or simply via an e-mail); a hidden <img> tag contains the attack against the vulnerable site
2. While logged into the vulnerable site, the victim views the attacker's site; the <img> tag is loaded by the browser and sends a GET request (including credentials) to the vulnerable site
3. Vulnerable site sees a legitimate request from the victim and performs the action requested
Page 34: Prevention
• Add opaque expiring tokens to all forms.
• Requests missing tokens or containing invalid tokens should be rejected.
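The token recommendation implemented, as an added example that is not from the slides: an HMAC token bound to the session and to an expiry time is embedded in the form, and the transfer handler rejects requests whose token is missing, expired, forged or issued to another session. The secret key, the 15-minute lifetime and the `/transfer` form are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SECRET = secrets.token_bytes(32)          # server-side key; assumed to live in config
TOKEN_TTL = 15 * 60                       # token lifetime in seconds (assumed)

def _mac(session_id: str, expiry: int) -> str:
    return hmac.new(SECRET, f"{session_id}:{expiry}".encode(), hashlib.sha256).hexdigest()

def issue_token(session_id: str, now: Optional[float] = None) -> str:
    """Opaque, expiring token bound to the session: <expiry>.<hmac(session, expiry)>."""
    expiry = int(now if now is not None else time.time()) + TOKEN_TTL
    return f"{expiry}.{_mac(session_id, expiry)}"

def verify_token(session_id: str, token: Optional[str], now: Optional[float] = None) -> bool:
    """False for missing, malformed, expired, forged, or other-session tokens."""
    if not token or "." not in token:
        return False
    expiry_str, mac = token.split(".", 1)
    if not expiry_str.isdigit():
        return False
    expiry = int(expiry_str)
    if expiry < (now if now is not None else time.time()):
        return False
    return hmac.compare_digest(_mac(session_id, expiry), mac)   # constant-time compare

def render_transfer_form(session_id: str) -> str:
    """The token rides in a hidden field; an attacker's <img> or cross-site form
    cannot read it, so it cannot be copied into a forged request."""
    token = issue_token(session_id)
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')

def handle_transfer(session_id: str, form: dict) -> str:
    """State-changing handler: the token check runs before any work is done."""
    if not verify_token(session_id, form.get("csrf_token")):
        return "403 rejected: missing or invalid CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"
```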
Page 35: Using Known Vulnerable Components
Page 36: Vulnerable components are common
Impacts
The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise.
Page 37: Preventing Known Vulnerable Components
• One option is not to use components that you didn't write. But that's not very realistic.
• Most component projects do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version. So upgrading to these new versions is critical.
Page 38: Unvalidated Redirects and Forwards
Page 39: Web application redirects are very common
• And frequently include user-supplied parameters in the destination URL
• If they aren't validated, an attacker can send the victim to a site of their choice
Impacts
• Redirect the victim to a phishing or malware site
• The attacker's request is forwarded past security checks, allowing unauthorized function or data access
Page 40: Unvalidated Redirect Illustrated
Diagram: Custom Code in front of the application tiers (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions), with the Evil Site off to the side
1. Attacker sends the attack to the victim via email or webpage
From: Internal Revenue Service. Subject: Your Unclaimed Tax Refund. Our records show you have an unclaimed federal tax refund. Please click here to initiate your claim.
2. Victim clicks the link containing the unvalidated parameter
http://www.irs.gov/taxrefund/claim.jsp?year=2006& … &dest=www.evilsite.com
3. Application redirects the victim to the attacker's site: the request is sent to the vulnerable site, including the attacker's destination site as a parameter, and the redirect sends the victim to the attacker's site
4. Evil site installs malware on the victim, or phishes for private information
Page 41: Avoiding Unvalidated Redirects and Forwards
• Avoid using redirects and forwards as much as you can
• If used, don't involve user parameters in defining the target URL
• If you 'must' involve user parameters, then either
  • Validate each parameter
  • Use server-side mapping
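Both options on the last bullet worked through for the `dest` parameter in the illustration, as an added example that is not from the slides: a validator that only accepts site-relative paths or an allowlisted host (so `dest=www.evilsite.com`, `//evil`, `http://evil` and `javascript:` all fall back to the site root), and a server-side mapping where the client sends a short key instead of a URL. The host allowlist and the key table are assumptions of this example.

```python
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "www.irs.gov"                 # host of the vulnerable app on the slide
ALLOWED_HOSTS = {SITE_HOST}               # assumed allowlist of redirect targets
# Server-side mapping: the client sends a short key, never a URL (assumed keys)
DEST_MAP = {"claim": "/taxrefund/claim.jsp", "status": "/taxrefund/status.jsp"}

def safe_redirect_target(dest: str) -> str:
    """Validate a user-supplied dest parameter. Returns an absolute URL on an
    allowed host, or the site root when the parameter would leave the site."""
    parts = urlsplit(dest.strip())
    if not parts.scheme and not parts.netloc:
        # Site-relative path: must start with a single "/" ("//evil.com" and
        # "/\evil.com" are refused); a bare host like www.evilsite.com is
        # not a path and falls through to the root
        if (parts.path.startswith("/") and not parts.path.startswith("//")
                and "\\" not in parts.path):
            return urlunsplit(("https", SITE_HOST, parts.path, parts.query, ""))
        return f"https://{SITE_HOST}/"
    # Absolute URL: scheme and exact hostname must both be acceptable
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
    return f"https://{SITE_HOST}/"

def mapped_redirect_target(key: str) -> str:
    """Server-side mapping alternative: unknown keys fall back to the root."""
    return f"https://{SITE_HOST}{DEST_MAP.get(key, '/')}"
```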
Page 42: How do you address these problems?
• Develop Secure Code
• Review Your Applications
  • Have an expert team review your applications
  • Review your applications yourselves following OWASP Guidelines