OWASP Top 10
What is OWASP?
Open Web Application Security Project
• Organization of industry-wide application security experts
• Chapters all over the world
• Conferences held on a daily basis
Produces Security Standards / Guides
• Risk
• Architecture
• Engineering
• Testing
OWASP Top Ten Common Vulnerabilities
• List of popular attacks against web applications seen across all industries
• Based on MITRE Vulnerability Trends for 2006
• Distilled Top 10 Security Vulnerabilities
What does OWASP Top 10 Mean?
• Vulnerability Management:
  • Decide which vulnerabilities are important to fix
  • Annual updates ensure relevance
• Education:
  • Promotes awareness of popular attacks
  • Developers learn how to mitigate well-established attacks
• Standards:
  • Encourages industry-wide application security standards and safe design
OWASP Top 10 Common Vulnerabilities of 2007
Cross Site Scripting (XSS)
• Primary Effect:
  • Unintended execution of scripts in a user's browser
  • Hijack user sessions
  • Deface web sites
  • Insert hostile content
  • Conduct phishing attacks
  • Take over user's browser
Cross Site Scripting – Famous Example
• Steal credit card numbers
• Users access URL on genuine PayPal site
• Page modified via XSS attack to silently redirect user to external server
• Fake PayPal Member log-in page
• User supplies login credentials to fake site
• Worked for two years
http://www.webappsec.org/projects/whid/byid_id_2006-36.shtml
Cross Site Scripting – General Algorithm
XSS Attack
• Display raw data to user
• Browser interprets data as HTML or JavaScript
• Browser executes JavaScript
• Reflected
  • Data comes from user
• Stored
  • Data comes from database
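The slide describes the defect (raw data displayed to the user) but not the fix, which is output encoding at the point where data is written into the page. The following Python is an added example, not part of the original deck: it contrasts the unsafe rendering with an encoded one, for both a text and an attribute context, and shows that the stored variant is handled the same way, by encoding at output time rather than at storage time. The comment text is a constructed sample and the function names are this example's own.

```python
import html

# Constructed sample input: a comment exactly as a user submitted it. Whether it
# is reflected straight back or stored and shown later, the rendering problem is
# the same: the browser cannot tell data from markup.
SAMPLE_COMMENT = '<script>alert("xss")</script> nice post'


def render_unsafe(comment: str) -> str:
    """The slide's flaw: raw data is dropped into the page, so the browser
    parses it as HTML/JavaScript instead of displaying it as text."""
    return f"<p>{comment}</p>"


def render_safe(comment: str) -> str:
    """Output encoding for an HTML text context: & < > " ' become entities,
    so the browser displays the data instead of executing it."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def render_attribute_safe(value: str) -> str:
    """Same idea for an attribute context: the value must be quoted AND encoded,
    otherwise a quote character in the data could end the attribute early."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def stored_flow(comments) -> str:
    """Stored XSS variant: data is kept raw in the 'database' (here a list) and
    encoded when rendered, which is where the defence belongs."""
    return "\n".join(render_safe(c) for c in comments)


def contains_script_tag(rendered: str) -> bool:
    """Crude check used only by this example to make the difference visible."""
    return "<script" in rendered.lower()
```

Encoding is context specific: the entity encoding above is right for HTML text and quoted attribute values, but data placed inside a script block, a URL or a CSS value needs the encoder for that context.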
Injection Flaws
• Primary Effect:
  • Interpreters execute unintended commands on a server
• SQL Injection
• LDAP Injection
• XPath Injection
• XSLT Injection
• HTML Injection
• OS Command Injection
Injection Flaws – Famous Example – May 2005
• Paris Hilton's information posted publicly:
  • Celebrity e-mail addresses
  • Pictures
  • Address book
  • Voice-mails
• SQL Injection attack through Paris' T-Mobile Sidekick account
• Information synchronized from her phone to web site
http://www.stonehenge.com/merlyn/UnixReview/col58.html
Injection Flaw – General Algorithm
• Generate dynamic string to be used by an interpreter
• Append raw data to string
  • Raw data is unexpected
• Pass string to interpreter to be executed
• Interpreter performs some other operation as a result of unexpected data
SQL Injection – General Algorithm
• Perform a dynamic query against a SQL database built by string concatenation, such as:
  Select * from USER where alias = '" + userID + "'
• User sets userID = x'; drop table members; --
• SQL database query has now changed meaning:
  Select * from USER where alias = 'x'; drop table members; --'
• Database will now delete the members table instead of querying user table
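The slide's algorithm is easiest to see by running both halves of it: the concatenated query against an in-memory SQLite database, and the same lookup done with a parameterised query. This Python is an added example and not from the deck; the tables and rows are constructed, and because Python's sqlite3 `execute()` refuses stacked statements, the unsafe path uses `executescript()` to stand in for an interpreter that accepts them (an assumption of this example, not a property of every database driver).

```python
import sqlite3

# Constructed payload, exactly the value the slide uses for userID.
PAYLOAD = "x'; drop table members; --"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with the two tables the slide mentions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE USER (alias TEXT, email TEXT);
        CREATE TABLE members (id INTEGER);
        INSERT INTO USER VALUES ('alice', 'alice@example.invalid');
        INSERT INTO members VALUES (1);
        """
    )
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> str:
    """The slide's pattern: the statement text is built from raw input, so the
    input can end the string literal and append its own statement. Returns the
    statement actually handed to the interpreter."""
    query = "SELECT * FROM USER WHERE alias = '" + user_id + "'"
    # executescript() models an interpreter that runs stacked statements.
    conn.executescript(query)
    return query


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterised query: the driver sends the value separately from the
    statement text, so user_id is only ever compared against alias."""
    return conn.execute("SELECT * FROM USER WHERE alias = ?", (user_id,)).fetchall()
```

With the parameterised form the payload is simply an alias that matches nothing; the `members` table is untouched and no second statement exists for the interpreter to run.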
Malicious File Execution
• Primary Effect:
  • Remote code execution
  • Remote root kit installation and complete system compromise
Malicious File Execution – Famous Example – April 2008
• Windows Media Player
• Advanced Streaming Format (ASF) files
  • Very similar to WMV files
  • Contains video, audio, slideshows
• Open ASF file
• Browser opens and automatically downloads and installs malware on user's machine
http://cyberinsecure.com/asf-files-are-used-to-execute-malicious-scripts-in-windows-media-player/
Malicious File Execution – General Algorithm
• Example PHP script contains the statement: include $_REQUEST['filename'];
• Incoming request from client to server takes the form:
  http://www.host.com/script.php?filename=additional_src.php
• PHP script includes additional scripts based on the incoming 'filename' parameter
• User manually alters filename parameter to include malicious script
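The fix for the pattern above is to stop letting the request choose the file: the parameter selects among names the application already knows, and the path is checked to stay inside one directory. The resolver below is an added Python example (the slide's code is PHP; the logic is the same in either language) and not from the deck. The include directory, the allow list and the page-name rule are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Assumed application layout (constructed for this example): every includable
# page lives under one directory and is named by the application, not the client.
INCLUDE_ROOT = PurePosixPath("/var/www/app/includes")
ALLOWED_PAGES = {"header", "footer", "about"}
PAGE_NAME = re.compile(r"[a-z0-9_]{1,32}")


def resolve_include(filename: str) -> str:
    """Turn the 'filename' request parameter into a path the application is
    willing to include, or raise ValueError. The checks are layered so that
    losing one of them does not silently open the door."""
    if "://" in filename:
        raise ValueError("remote includes are not allowed")
    if not PAGE_NAME.fullmatch(filename):
        raise ValueError("page names are lowercase letters, digits and underscores only")
    if filename not in ALLOWED_PAGES:
        raise ValueError(f"{filename!r} is not an includable page")
    # The application appends the extension; the client never supplies one.
    target = INCLUDE_ROOT / f"{filename}.php"
    # Lexical containment check (no filesystem access needed): the resolved
    # path must still sit under INCLUDE_ROOT.
    if INCLUDE_ROOT not in target.parents:
        raise ValueError("path escaped the include root")
    return str(target)


def safe_to_include(filename: str) -> bool:
    """Convenience wrapper: True if resolve_include() accepts the parameter."""
    try:
        resolve_include(filename)
        return True
    except ValueError:
        return False
```

On the PHP side the same idea is reinforced by configuration: `allow_url_include` and `allow_url_fopen` left off in php.ini mean that even a missed check cannot pull code from a remote URL.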
Insecure Direct Object Reference
• Primary Effect:
  • Unauthorized access to objects on a server
Insecure Direct Object Reference – Famous Example
• Australian Tax Office Department's GST Start Up Assistance Site
• Used to assist organizations in paying taxes
• Legitimate but hostile user extrapolated financial information of 17,000 organizations
• Modified the company identifier in a legitimate URL request
• Source of major embarrassment for ATO
http://www.abc.net.au/7.30/stories/s146760.htm
Insecure Direct Object Reference – General Algorithm
• Create module that uses an incoming identifier to pull sensitive data from a database
• Execute module with incoming identifier
• Perform query against a database using this incoming identifier
• Perform authorization checks for execution of module
• Do not perform authorization checks against identifier used with module
• User modifies identifier to retrieve sensitive data belonging to other legitimate users
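The missing step in the slide's algorithm is an authorisation check on the identifier itself, not just on the module. The Python below is an added example, not from the deck: it shows the unchecked lookup, the same lookup with an owner check, and the alternative of indirect references, where the client only ever sees per-session random tokens. The record store, users and identifiers are constructed.

```python
import secrets

# Constructed data store: record id -> (owner, content). In the ATO case the
# identifier was a company number; here it is a plain integer.
RECORDS = {
    101: ("alice", "alice's filing"),
    102: ("bob", "bob's filing"),
}


class Forbidden(Exception):
    pass


def get_record_unsafe(record_id: int) -> str:
    """The slide's flaw: the caller was allowed to run the module, so the
    module trusts whatever identifier the caller sent."""
    return RECORDS[record_id][1]


def get_record(current_user: str, record_id: int) -> str:
    """Object-level authorisation: the owner of the identifier must be the
    authenticated user. 'Not found' and 'not yours' raise the same exception
    so the response does not reveal which identifiers exist."""
    entry = RECORDS.get(record_id)
    if entry is None or entry[0] != current_user:
        raise Forbidden(f"record {record_id} is not available to {current_user}")
    return entry[1]


def indirect_references(current_user: str) -> dict:
    """Alternative defence: build a per-session map from random tokens to the
    ids this user may access. Only the tokens are ever sent to the client, so
    there is no sequential identifier to modify."""
    return {
        secrets.token_urlsafe(8): record_id
        for record_id, (owner, _) in RECORDS.items()
        if owner == current_user
    }


def get_by_indirect(session_map: dict, token: str) -> str:
    """Resolve a client-supplied token through the session map; anything not
    in the map is rejected, whatever real id it might have been aimed at."""
    record_id = session_map.get(token)
    if record_id is None:
        raise Forbidden("unknown reference")
    return RECORDS[record_id][1]
```

The direct check is the simpler habit to build into every data-access path; the indirect map is worth the extra state when identifiers are predictable and the client needs nothing more than a handle.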
Cross Site Request Forgery (CSRF)
• Primary Effect:
  • User is tricked into performing a sensitive action they would never normally authorize
• Also known as:
  • Session Riding
  • One-Click Attacks
  • Cross Site Reference Forgery
  • Hostile Linking
  • Automation Attack
CSRF Attack – Famous Example – February 2008
• 18 Million Korean financial records stolen from auction.co.uk
  • Korean equivalent of E-Bay
• Users unintentionally transmitted session tokens to third party
• Subsequent session hijacking allowed information leakage
• Chinese hackers suspected
http://www.webappsec.org/projects/whid/byid_id_2008-10.shtml
Cross Site Request Forgery (CSRF) – General Algorithm
• Design module that performs a sensitive transaction
• Solely rely upon session tokens for authentication and authorization
• Create incoming service request that does not rely upon any other unique signatures for the transaction (besides session tokens)
• Do not perform visual confirmation before transaction takes place
• Do not require random re-authentication
• Have user log in
• Have user click on generic GET request (in e-mail) for sensitive transaction
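The "other unique signature" the slide says is missing is usually a per-session anti-forgery token that the browser does not send automatically. The Python below is an added example, not from the deck: it models a transfer endpoint first as the slide describes it (GET, session cookie only) and then hardened to require POST plus a token compared in constant time. The session record and request dictionaries are constructed stand-ins for a web framework's objects.

```python
import hmac
import secrets


def new_session(user: str) -> dict:
    """Constructed server-side session for a logged-in user. The anti-forgery
    token is generated per session and embedded in forms the server renders."""
    return {"user": user, "balance": 100, "csrf": secrets.token_urlsafe(32)}


def validate_csrf(session: dict, submitted) -> bool:
    """True only if the submitted token matches the one issued to this session.
    compare_digest avoids leaking the position of the first mismatch."""
    expected = session.get("csrf")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def transfer_unsafe(session: dict, request: dict) -> int:
    """The slide's pattern: a sensitive action reachable by plain GET and
    authorised by nothing but the session cookie the browser attaches."""
    session["balance"] -= int(request["params"]["amount"])
    return 200


def transfer(session: dict, request: dict) -> int:
    """Hardened: a state change needs a POST carrying a token that only a page
    served to this session could contain. A link followed from an e-mail has
    neither, so the request is refused before anything happens."""
    if request["method"] != "POST":
        return 405
    if not validate_csrf(session, request["form"].get("csrf")):
        return 403
    session["balance"] -= int(request["form"]["amount"])
    return 200


def link_in_email(amount: int) -> dict:
    """Constructed request as a browser sends it when the user follows a link:
    a GET with the session cookie (implied by the session object) but no token."""
    return {"method": "GET", "params": {"amount": str(amount)}, "form": {}}


def form_post(amount: int, token=None) -> dict:
    """Constructed request as the server's own form would submit it."""
    form = {"amount": str(amount)}
    if token is not None:
        form["csrf"] = token
    return {"method": "POST", "params": {}, "form": form}
```

The token check and the method check belong together: requiring POST alone does not help, since a page on another site can submit a form, and the token alone does not help if the endpoint also honours it in a GET query string that can be pre-filled in a link.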
Information Leakage
• Primary Effect:
  • Applications accidentally leak information useful to an adversary
  • Internal Application Configuration
  • Internal Workings
  • Sensitive Data
  • Privacy-Related Data
Information Leak – Famous Example – September 2000
• IKEA Exposes Customer Information
• IKEA contains a catalogue web site
• Reported error messages revealed database file location
• Database file anonymously downloaded by typing filename into address bar
"We normally have very high security"
"That's why we're so shocked. Whoever broke into it has a lot of knowledge of these things."
http://www.webappsec.org/projects/whid/byid_id_2000-2.shtml
Information Leakage – General Algorithm
• Dump stack traces directly to screen / console
• Dump stack traces to disk in an unencrypted file
• Leave debugging options on within a production environment
• Turn anonymous read-access on within sensitive directories
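The first and third bullets share one fix: the full stack trace goes to the server log under an incident reference, and the client sees only the reference. The Python wrapper below is an added example, not from the deck, and its `debug` flag exists only to show the production behaviour beside the one the slide warns about. The handler it wraps and the response shape are constructed.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


def handle(handler, debug: bool = False):
    """Run a request handler and turn an uncaught exception into a response.

    Production (debug=False): the stack trace is written to the server log,
    tagged with an incident id, and the client gets a generic message carrying
    only that id, so support can find the trace without the trace ever leaving
    the server. debug=True reproduces the leak the slide describes and is only
    acceptable off production."""
    try:
        return 200, handler()
    except Exception:
        incident = uuid.uuid4().hex
        trace = traceback.format_exc()
        log.error("incident %s\n%s", incident, trace)
        if debug:
            return 500, trace
        return 500, f"Something went wrong. Quote reference {incident} to support."


def failing_handler():
    """Constructed handler that raises, standing in for a database error."""
    return 1 / 0
```

The log line is the place for file paths, query text and exception types; the response is not. The same split applies to the second bullet: traces written to disk belong in the protected log location, not in a world-readable dump file.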
Broken Authentication and Session Management
• Primary Effect:
  • Hijacking of user or administrative accounts
  • Undermines authorization
  • Undermines accountability
  • May cause privacy violations
Broken Authentication – Famous Example – October 2007
• Hackers break into E-Bay Server, lock users out
• Left over administrative functionality (backdoors) exposed on public sites
• Everyone assumed code was deactivated in production environment
• Results
  • Loss of Sales
  • Blocked Users
  • Closed Sales
http://www.webappsec.org/projects/whid/byid_id_2007-44.shtml
Broken Authentication and Session Management – General Algorithm
• General Algorithm for Broken Authentication:
  • Rely upon a copy-and-paste approach to checking for authentication within each exposed module
  • Forget to include that common code within a module
• General Algorithm for Broken Session Management:
  • Fail to invalidate sessions upon session timeout or logoff
  • Do not validate every incoming session token
  • Do not try to match IP addresses against session tokens
  • Do not respond appropriately to invalid or unexpected session tokens
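Both halves of the slide point at the same design: one shared authentication check that every exposed module goes through, backed by a session store that validates every token, expires idle sessions and invalidates on logoff. The Python below is an added example, not from the deck; the session lifetime, the IP-binding rule (included because the slide lists it) and the handler are constructed, and the clock is injectable only so the timeout path can be exercised.

```python
import functools
import secrets
import time

SESSION_TTL = 15 * 60  # idle lifetime in seconds; constructed value for this example


class SessionStore:
    """Server-side session table keyed by an unguessable token."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, user: str, client_ip: str) -> str:
        # 256 bits of randomness: tokens cannot be guessed or enumerated.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "ip": client_ip,
            "expires": self._clock() + SESSION_TTL,
        }
        return token

    def lookup(self, token, client_ip: str):
        """Validate every incoming token. Missing, unknown, expired and
        (as the slide suggests) wrong-address tokens are all answered the same
        way, with no user, so the caller cannot tell the cases apart."""
        if not token:
            return None
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() > session["expires"]:
            # Timeout: invalidate the server-side record, not just this request.
            self._sessions.pop(token, None)
            return None
        if session["ip"] != client_ip:
            return None
        return session["user"]

    def logout(self, token) -> None:
        # Logoff invalidates the token server-side; clearing the cookie alone
        # would leave a copied token usable until it expires.
        self._sessions.pop(token, None)


def require_login(handler):
    """One shared authentication check applied to every exposed module,
    instead of code copied into each one (and forgotten in some)."""

    @functools.wraps(handler)
    def wrapper(store: SessionStore, token, client_ip: str, *args, **kwargs):
        user = store.lookup(token, client_ip)
        if user is None:
            return 401, "login required"
        return handler(user, *args, **kwargs)

    return wrapper


@require_login
def view_account(user: str):
    """Constructed protected module; it only ever sees an authenticated user."""
    return 200, f"account page for {user}"
```

Binding a session to a client address rejects a token replayed from elsewhere, as the slide intends, but it also breaks legitimate users whose address changes mid-session; the decorator and the expiry and logoff handling are the parts that carry over to any design.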
Insecure Cryptographic Storage
• Primary Effect:
  • Leads to disclosure of sensitive data
  • Leads to compliance violations
Insecure Cryptographic Storage – Famous Example
• Mac OS X
• Poor encryption algorithm chosen for PDF Previewer
  • Insecure 40-bit RC4 encryption
• Adversary can easily decrypt PDFs encrypted using PDF Previewer
http://www.juniper.net/security/auto/vulnerabilities/vuln28386.html
Insecure Cryptographic Storage – General Algorithm
• Do not establish a data classification scheme
• Do not establish an encryption standard based upon data classification scheme
• Do not adhere to existing encryption standards within the organization
• Do not specify encryption standard within design documents
• Choose an encryption algorithm solely based on ease-of-implementation or costs
Insecure Communication
• Primary Effect:
  • Leads to disclosure of sensitive data
  • Authentication credentials
  • Session credentials
  • Privacy-related data
Insecure Communication – Famous Example – 2006
• TJ Maxx reveals 45.7 million credit cards and debit cards stolen
• Wi-Fi network secured using WEP protocol
  • Less secure than WPA, which has been standard since 2004
• Company failed to use firewalls
• Ignored Visa / Mastercard requirements for storage / transmission of credit card data
• Adversary monitored network traffic in a Marshall's parking lot in St Paul
http://www.sophos.com/pressoffice/news/articles/2007/03/tjx.html
Insecure Communication – General Algorithm
• Implement all communication using HTTP channel
• Implement HTTPS with non-secure SSL v2 or less
• Rely upon infrastructure for secure communication channel
Failure to Restrict URL Access
• Primary Effect:
  • Adversary performs actions anonymously
Failure to Restrict URL Access – Famous Example
• Credit card data of 15,700 customers
• Human error blamed
• Anonymous public access to files containing data
• Data not encrypted
http://news.cnet.com/2100-1023-245525.html
http://www.webappsec.org/projects/whid/byid_id_2000-2.shtml
Failure to Restrict URL Access – General Algorithm
• Fail to take infrastructure security into account when considering security
• Fail to communicate effectively with Deployment Team
  • Security Requirements
  • How to verify security of application