Learn about the common threats to web applications and how to address them with OWASP Top 10 recommendations. Stay informed about security standards and protect your applications from potential attacks.
OWASP
What is OWASP?
Open Web Application Security Project
• Organization of industry-wide application security experts
• Chapters all over the world
• Conferences held on a daily basis
Produces Security Standards / Guides
• Risk
• Architecture
• Engineering
• Testing
OWASP Top Ten Common Vulnerabilities
• List of popular attacks against web applications seen across all industries
• Based on MITRE Vulnerability Trends for 2006
• Distilled Top 10 Security Vulnerabilities
OWASP Top 10: What does OWASP Top 10 Mean?
• Vulnerability Management:
  • Decide which vulnerabilities are important to fix
  • Annual updates ensure relevance
• Education:
  • Promotes awareness of popular attacks
  • Developers learn how to mitigate well-established attacks
• Standards:
  • Encourages industry-wide application security standards and safe design
OWASP Top 10 Common Vulnerabilities of 2007
Cross Site Scripting (XSS)
• Primary Effect:
  • Unintended execution of scripts in a user's browser
  • Hijack user sessions
  • Deface web sites
  • Insert hostile content
  • Conduct phishing attacks
  • Take over user's browser
Cross Site Scripting – Famous Example
• Steal credit card numbers
• Users access URL on genuine PayPal site
• Page modified via XSS attack to silently redirect user to external server
• Fake PayPal Member log-in page
• User supplies login credentials to fake site
• Worked for two years
http://www.webappsec.org/projects/whid/byid_id_2006-36.shtml
Cross Site Scripting – General Algorithm
XSS Attack
• Display raw data to user
• Browser interprets data as HTML or JavaScript
• Browser executes JavaScript
• Reflected
  • Data comes from user
• Stored
  • Data comes from database
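The reflected and stored variants above differ only in where the raw data comes from; the defect is the same (the page displays it without encoding) and so is the fix (encode for the HTML context at output time). The following Python example is added here to make that concrete; it is not part of the original deck. The hostile input string and the in-memory comment store are constructed for the demonstration.

```python
import html

# Constructed sample input: the kind of value an attacker might submit in a
# "name" query parameter (reflected) or save as a comment (stored).
HOSTILE = "<script>alert('xss')</script>"


def render_reflected_unsafe(name: str) -> str:
    # Reflected XSS: the request parameter is copied into the page as-is, so
    # the browser parses the <script> element and runs it.
    return f"<p>Hello, {name}</p>"


def render_reflected_safe(name: str) -> str:
    # Output encoding for the HTML text context: '<' becomes '&lt;', quotes
    # become entities, and the browser renders the payload as visible text.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


class CommentStore:
    """Stored XSS variant: the data comes from the database, not the request."""

    def __init__(self) -> None:
        self._rows: list[str] = []

    def add(self, text: str) -> None:
        # Keep the raw text; encoding is an output concern, chosen per context
        # (HTML body here), not something to do once on the way in.
        self._rows.append(text)

    def render_unsafe(self) -> str:
        return "".join(f"<li>{c}</li>" for c in self._rows)

    def render_safe(self) -> str:
        return "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in self._rows)


def has_live_script(page: str) -> bool:
    # Crude check used to compare the two renderings: does an unencoded
    # <script start tag survive in the generated HTML?
    return "<script" in page.lower()
```

The safe renderers encode at the point of output because the same stored string may later be emitted into an attribute, a URL or a JavaScript block, each of which needs its own encoding; a single "sanitise on input" pass cannot know which context will apply.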
Injection Flaws
• Primary Effect:
  • Interpreters execute unintended commands on a server
• SQL Injection
• LDAP Injection
• XPath Injection
• XSLT Injection
• HTML Injection
• OS Command Injection
Injection Flaws – Famous Example – May 2005
• Paris Hilton's information posted publicly:
  • Celebrity e-mail addresses
  • Pictures
  • Address book
  • Voice-mails
• SQL Injection attack through Paris' T-Mobile Sidekick account
• Information synchronized from her phone to web site
http://www.stonehenge.com/merlyn/UnixReview/col58.html
Injection Flaw – General Algorithm
• Generate dynamic string to be used by an interpreter
• Append raw data to string
• Raw data is unexpected
• Pass string to interpreter to be executed
• Interpreter performs some other operation as a result of unexpected data
SQL Injection – General Algorithm
• Perform a dynamic query against a SQL database by concatenating user input, such as:
  Select * from USER where alias = '+userID+'
• User sets userID = x'; drop table members; --
• SQL database query has now changed meaning:
  Select * from USER where alias = 'x'; drop table members; --'
• Database will now delete the members table instead of querying user table
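The slide's query can be run both ways against a throwaway database to see why the string changes meaning and why a parameterised query does not. This Python/sqlite3 example is added here and is not from the original deck; the schema and rows are constructed, and the unsafe path deliberately simulates an interpreter that accepts stacked statements (the slide's database does; Python's sqlite3.execute refuses more than one statement per call).

```python
import sqlite3

# The exact userID value from the slide.
HOSTILE_USER_ID = "x'; drop table members; --"


def new_db() -> sqlite3.Connection:
    # Constructed in-memory schema: the USER table being queried and the
    # MEMBERS table the payload tries to drop.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE user (alias TEXT, email TEXT);
        INSERT INTO user VALUES ('alice', 'alice@example.test');
        CREATE TABLE members (id INTEGER);
        INSERT INTO members VALUES (1);
        """
    )
    return conn


def build_query_unsafe(user_id: str) -> str:
    # String concatenation as on the slide: the data becomes part of the code.
    return "SELECT * FROM user WHERE alias = '" + user_id + "'"


def run_unsafe(conn: sqlite3.Connection, user_id: str) -> None:
    # Simulates a driver/database that executes stacked statements: each
    # ';'-separated piece of the concatenated string is run in turn. With the
    # hostile input the second piece is "drop table members".
    for statement in build_query_unsafe(user_id).split(";"):
        statement = statement.strip()
        if statement and not statement.startswith("--"):
            conn.execute(statement)


def lookup_safe(conn: sqlite3.Connection, user_id: str):
    # Parameterised query: the driver sends user_id as a bound value, so the
    # quote and the DROP are just characters in an alias that matches nothing.
    return conn.execute("SELECT * FROM user WHERE alias = ?", (user_id,)).fetchone()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None
```

The same separation of code from data applies to the other interpreters on the previous slide (LDAP, XPath, OS commands): use the interpreter's own binding or argument-array mechanism rather than building the command text by hand.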
Malicious File Execution
• Primary Effect:
  • Remote code execution
  • Remote root kit installation and complete system compromise
Malicious File Execution – Famous Example – April 2008
• Windows Media Player
• Advanced Streaming Format (ASF) files
  • Very similar to WMV files
  • Contains video, audio, slideshows
• Open ASF file
• Browser opens and automatically downloads and installs malware on user's machine
http://cyberinsecure.com/asf-files-are-used-to-execute-malicious-scripts-in-windows-media-player/
Malicious File Execution – General Algorithm
• Example PHP script contains the line:
  include $_REQUEST['filename'];
• Incoming request from client to server takes the form:
  http://www.host.com/script.php?filename=additional_src.php
• PHP script includes additional scripts based on the incoming 'filename' parameter
• User manually alters filename parameter to include malicious script
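The defect in the PHP line above is that the request parameter is used directly as a path. The usual fix is to map the parameter through an allow-list of known page names and, as defence in depth, confirm the resolved path stays under the intended directory. The Python example below is added here and is not the deck's code; the base directory, the page names and the input strings are constructed for illustration.

```python
from pathlib import Path

# Hypothetical web-root subdirectory that included pages must live under.
BASE_DIR = Path("/srv/app/pages")

# Allow-list: the client names a page, the server decides which file that is.
ALLOWED_PAGES = {
    "home": "home.html",
    "about": "about.html",
}


class IncludeRejected(ValueError):
    pass


def resolve_include_unsafe(filename: str) -> Path:
    # Mirrors include $_REQUEST['filename']: the raw parameter becomes the path,
    # so "../" sequences walk out of BASE_DIR.
    return (BASE_DIR / filename).resolve()


def is_inside_base(path: Path) -> bool:
    # True only if BASE_DIR is an ancestor of the fully resolved path.
    return BASE_DIR.resolve() in path.resolve().parents


def resolve_include(filename: str) -> Path:
    # 1) Untrusted input is a lookup key, never a path fragment.
    target = ALLOWED_PAGES.get(filename)
    if target is None:
        raise IncludeRejected(f"unknown page {filename!r}")
    # 2) Defence in depth: even an allow-listed entry must resolve under BASE_DIR.
    path = (BASE_DIR / target).resolve()
    if not is_inside_base(path):
        raise IncludeRejected("resolved path escapes base directory")
    return path


def is_allowed(filename: str) -> bool:
    # Boolean wrapper around resolve_include for callers that prefer no exception.
    try:
        resolve_include(filename)
    except IncludeRejected:
        return False
    return True
```

Note that the allow-list also closes the remote-include case (a URL as the parameter), since a URL is simply not one of the known keys; the path check alone would not model that in Python.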
Insecure Direct Object Reference
• Primary Effect:
  • Unauthorized access to objects on a server
Insecure Direct Object Reference – Famous Example
• Australian Tax Office Department's GST Start Up Assistance Site
• Used to assist organizations in paying taxes
• Legitimate but hostile user extrapolated financial information of 17,000 organizations
• Modified the company identifier in a legitimate URL request
• Source of major embarrassment for ATO
http://www.abc.net.au/7.30/stories/s146760.htm
Insecure Direct Object Reference – General Algorithm
• Create module that uses an incoming identifier to pull sensitive data from a database
• Execute module with incoming identifier
  • Perform query against a database using this incoming identifier
• Perform authorization checks for execution of module
• Do not perform authorization checks against identifier used with module
• User modifies identifier to retrieve sensitive data belonging to other legitimate users
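The key line above is the fourth: the module is authorised, but the identifier passed to it is not. The Python example below, added here and not part of the original deck, shows the unsafe lookup beside two fixes: an ownership check on every identifier, and per-session opaque handles so the client never sees the database key at all. The invoice records are constructed sample data.

```python
import secrets

# Constructed data store: each record carries the identity of its owner.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.0},
    1002: {"owner": "bob", "amount": 75.5},
}


class NotAuthorized(PermissionError):
    pass


def get_invoice_unsafe(invoice_id: int) -> dict:
    # The slide's pattern: the caller has passed the module-level login check,
    # so any identifier they type into the URL is served.
    return INVOICES[invoice_id]


def can_access(current_user: str, invoice_id: int) -> bool:
    # Authorisation against the identifier itself, on every request.
    row = INVOICES.get(invoice_id)
    return row is not None and row["owner"] == current_user


def get_invoice(current_user: str, invoice_id: int) -> dict:
    # "Missing" and "not yours" are reported identically so that probing
    # identifiers reveals nothing about which ones exist.
    if not can_access(current_user, invoice_id):
        raise NotAuthorized("invoice not available")
    return INVOICES[invoice_id]


def make_reference_map(current_user: str) -> dict:
    # Alternative: hand the client random per-session handles for the objects
    # it may see; the real keys never appear in URLs or forms.
    return {
        secrets.token_urlsafe(8): invoice_id
        for invoice_id, row in INVOICES.items()
        if row["owner"] == current_user
    }


def resolve_reference(reference_map: dict, handle: str) -> int:
    invoice_id = reference_map.get(handle)
    if invoice_id is None:
        raise NotAuthorized("unknown reference")
    return invoice_id
```

The ownership check is the simpler and more common fix; the indirect map is useful when identifiers are sequential and their mere disclosure (how many invoices exist, how fast they grow) is itself sensitive.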
Cross Site Request Forgery (CSRF)
• Primary Effect:
  • User is tricked into performing a sensitive action they would never normally authorize
• Also known as:
  • Session Riding
  • One-Click Attacks
  • Cross Site Reference Forgery
  • Hostile Linking
  • Automation Attack
CSRF Attack – Famous Example – February 2008
• 18 million Korean financial records stolen from auction.co.uk
• Korean equivalent of eBay
• Users unintentionally transmitted session tokens to third party
• Subsequent session hijacking allowed information leakage
• Chinese hackers suspected
http://www.webappsec.org/projects/whid/byid_id_2008-10.shtml
Cross Site Request Forgery (CSRF) – General Algorithm
• Design module that performs a sensitive transaction
• Solely rely upon session tokens for authentication and authorization
• Create incoming service request that does not rely upon any other unique signatures for the transaction (besides session tokens)
• Do not perform visual confirmation before transaction takes place
• Do not require random re-authentication
• Have user log in
• Have user click on generic GET request (in e-mail) for sensitive transaction
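The "unique signature besides the session token" the slide refers to is what a synchronizer token provides: a per-session secret that the browser only sends back from the application's own form, which an e-mailed link cannot carry. The Python example below is added here (not the deck's code) and shows a transfer endpoint that rejects GET requests and verifies the token in constant time; the session and balance objects are constructed for the demonstration.

```python
import hmac
import secrets


class Session:
    def __init__(self, user: str) -> None:
        self.user = user
        self.session_id = secrets.token_urlsafe(32)
        # Per-session CSRF secret. It is embedded as a hidden field in the
        # application's own forms and never appears in a link.
        self.csrf_token = secrets.token_urlsafe(32)


class RequestRejected(Exception):
    pass


def transfer(session: Session, method: str, form: dict, balances: dict) -> float:
    # 1) A link in an e-mail produces a GET; state changes must require POST.
    if method != "POST":
        raise RequestRejected("state-changing request must use POST")
    # 2) The request must carry the session's CSRF token. An attacker's page
    #    can make the browser send the session cookie, but cannot read this
    #    value. Compare in constant time to avoid timing leaks.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        raise RequestRejected("missing or invalid CSRF token")
    amount = float(form["amount"])
    balances[session.user] -= amount
    return balances[session.user]


def attempt(session: Session, method: str, form: dict, balances: dict) -> bool:
    # True if the transaction went through, False if it was rejected.
    try:
        transfer(session, method, form, balances)
    except RequestRejected:
        return False
    return True
```

For the slide's last two points (visual confirmation and re-authentication), the same check is typically combined with a confirmation page for high-value actions, so that a forged request cannot complete in a single hop.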
Information Leakage
• Primary Effect:
  • Applications accidentally leak information useful to an adversary:
    • Internal application configuration
    • Internal workings
    • Sensitive data
    • Privacy-related data
Information Leak – Famous Example – September 2000
• IKEA exposes customer information
• IKEA runs a catalogue web site
• Reported error messages revealed database file location
• Database file anonymously downloaded by typing filename into address bar
"We normally have very high security"
"That's why we're so shocked. Whoever broke into it has a lot of knowledge of these things."
http://www.webappsec.org/projects/whid/byid_id_2000-2.shtml
Information Leakage – General Algorithm
• Dump stack traces directly to screen / console
• Dump stack traces to disk in an unencrypted file
• Leave debugging options on within a production environment
• Turn anonymous read-access on within sensitive directories
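The first and third points above are the ones the IKEA example turned on: an error message that carried a file location, and debugging output reaching the client. The defensive pattern is to keep the full trace server-side and return only a generic message with a correlation reference. This Python example is added here and is not from the deck; the failing handler and its error text are constructed.

```python
import traceback
import uuid


def handle(handler, log: list, debug: bool = False) -> tuple:
    """Run a request handler and return (status, body) for the client.

    The full stack trace goes to the server-side log, keyed by an incident
    reference that support staff can look up. Only when the debug switch is on
    (the slide's "debugging options on in production") does the trace reach
    the client.
    """
    try:
        return 200, handler()
    except Exception:
        incident = uuid.uuid4().hex
        log.append(f"incident {incident}\n{traceback.format_exc()}")
        if debug:
            return 500, traceback.format_exc()
        return 500, f"Something went wrong. Reference: {incident}"


def failing_handler() -> str:
    # Constructed failure whose message contains an internal path, the kind
    # of detail an attacker reuses in the next request.
    raise RuntimeError("cannot open /var/lib/app/catalogue.db")


def ok_handler() -> str:
    return "catalogue page"
```

The log list stands in for a real logging sink; the point is that the reference id links the client-visible message to the server-side detail without exposing it.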
Broken Authentication and Session Management
• Primary Effect:
  • Hijacking of user or administrative accounts
  • Undermines authorization
  • Undermines accountability
  • May cause privacy violations
Broken Authentication – Famous Example – October 2007
• Hackers break into eBay server, lock users out
• Left-over administrative functionality (backdoors) exposed on public sites
• Everyone assumed code was deactivated in production environment
• Results:
  • Loss of sales
  • Blocked users
  • Closed sales
http://www.webappsec.org/projects/whid/byid_id_2007-44.shtml
Broken Authentication and Session Management – General Algorithm
• General Algorithm for Broken Authentication:
  • Rely upon a copy-and-paste approach to checking for authentication within each exposed module
  • Forget to include that common code within a module
• General Algorithm for Broken Session Management:
  • Fail to invalidate sessions upon session timeout or logoff
  • Do not validate every incoming session token
  • Do not try to match IP addresses against session tokens
  • Do not respond appropriately to invalid or unexpected session tokens
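Both halves of the slide come down to one rule: a single session store that every exposed module goes through, which invalidates on logout and idle timeout and treats every unknown token as unauthenticated. The Python example below is added here and is not the deck's code; the timeout value and the injectable clock are constructed so the behaviour can be exercised without waiting.

```python
import secrets
import time


class SessionStore:
    IDLE_TIMEOUT = 15 * 60  # seconds; constructed policy value for the demo

    def __init__(self, clock=time.monotonic) -> None:
        self._clock = clock
        self._sessions: dict = {}

    def create(self, user: str) -> str:
        # Unpredictable token generated server-side, never derived from user data.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def validate(self, token: str):
        # Every incoming token is checked. Unknown, expired or already
        # logged-out tokens all yield None rather than a partial session.
        record = self._sessions.get(token)
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > self.IDLE_TIMEOUT:
            del self._sessions[token]  # invalidate on timeout, server-side
            return None
        record["last_seen"] = now
        return record["user"]

    def logout(self, token: str) -> None:
        # Invalidate on logoff: deleting the cookie client-side is not enough.
        self._sessions.pop(token, None)


def require_login(store: SessionStore, token: str, view):
    # One authentication gate applied to every exposed module, replacing the
    # copy-and-paste check the slide warns about.
    user = store.validate(token)
    if user is None:
        return 401, "login required"
    return 200, view(user)


class FakeClock:
    # Constructed clock so the idle timeout can be tested deterministically.
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now
```

In a web framework the `require_login` gate would be middleware or a decorator registered once, so that a module that "forgets" the check cannot be reached without it.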
Insecure Cryptographic Storage
• Primary Effect:
  • Leads to disclosure of sensitive data
  • Leads to compliance violations
Insecure Cryptographic Storage – Famous Example
• Mac OS X
• Poor encryption algorithm chosen for PDF Previewer
• Insecure 40-bit RC4 encryption
• Adversary can easily decrypt PDFs encrypted using PDF Previewer
http://www.juniper.net/security/auto/vulnerabilities/vuln28386.html
Insecure Cryptographic Storage – General Algorithm
• Do not establish a data classification scheme
• Do not establish an encryption standard based upon data classification scheme
• Do not adhere to existing encryption standards within the organization
• Do not specify encryption standard within design documents
• Choose an encryption algorithm solely based on ease-of-implementation or costs
Insecure Communication
• Primary Effect:
  • Leads to disclosure of sensitive data:
    • Authentication credentials
    • Session credentials
    • Privacy-related data
Insecure Communication – Famous Example – 2006
• TJ Maxx reveals 45.7 million credit and debit cards stolen
• Wi-Fi network secured using WEP protocol
  • Less secure than WPA, which has been standard since 2004
• Company failed to use firewalls
• Ignored Visa / Mastercard requirements for storage / transmission of credit card data
• Adversary monitored network traffic in a Marshalls parking lot in St Paul
http://www.sophos.com/pressoffice/news/articles/2007/03/tjx.html
Insecure Communication – General Algorithm
• Implement all communication using HTTP channel
• Implement HTTPS with non-secure SSL v2 or less
• Rely upon infrastructure for secure communication channel
Failure to Restrict URL Access
• Primary Effect:
  • Adversary performs actions anonymously
Failure to Restrict URL Access – Famous Example
• Credit card data of 15,700 customers
• Human error blamed
• Anonymous public access to files containing data
• Data not encrypted
http://news.cnet.com/2100-1023-245525.html
http://www.webappsec.org/projects/whid/byid_id_2000-2.shtml
Failure to Restrict URL Access – General Algorithm
• Fail to take infrastructure security into account when considering security
• Fail to communicate effectively with Deployment Team:
  • Security requirements
  • How to verify security of application