Owasp for dummies handouts

Transcript

  • 1. OWASP Bart ten Brinke
  • 2. The Open Web Application Security Project (OWASP)
    • https://www.owasp.org/
    • OWASP gathers statistics on internet hacks and uses them to generate its security top 10.
  • 3. Data: Availability, Confidentiality, Integrity
    • “Wikipedia always has the latest news available, but how can you be sure that all the facts are checked?”
    • “Putting stuff on Wikipedia makes it very available, but not very confidential.”
    • “Doctor specific patient records cannot be viewed by Nurses, which means they are not as well informed as they could be.”
  • 4. Every solution is a compromise between Confidentiality, Integrity & Availability.
    • http://en.wikipedia.org/wiki/Information_security
    • The safest door is one you can’t walk through at all.
    • The nuances of the CIA triangle are lost in current media reports: something is either safe or unsafe.
  • 5. Safe / Unsafe
  • 6. During the design of the Dutch public transportation card (OV-chipkaart) the designers made the decision to use less secure RFID cards, because the savings from these cheap RFID cards were much higher than the loss of revenue to hackers. This was not reflected by the media at all.
  • 7. OWASP Top 10
  • 8. 1. SQL injection
  • 9. We have a website where you can log in using your username and password:
    Username: john
    Password: 1234
  • 10. The application checks these credentials with a database:
    Username: john
    Password: 1234
    SELECT * FROM users WHERE username = "john" AND password = "1234"
  • 11. Give me all users with the name "john" and password "1234". If there is one, you will be logged in.
    Username: john
    Password: 1234
    SELECT * FROM users WHERE username = "john" AND password = "1234"
  • 12. Username: administrator
    Password: " OR 1="1
    SELECT * FROM users WHERE username = "administrator" AND password = "" OR 1="1"
  • 13. Give me all users with the name "administrator" who have an empty password OR where 1=1. 1=1 is always true, so you will be logged in as the administrator.
    SELECT * FROM users WHERE username = "administrator" AND password = "" OR 1="1"
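
The login check from slides 10 to 13, as an added example that is not part of the original slides: the vulnerable form pastes the user's input into the SQL text, the safe form uses a parameterised query, and both run against a constructed in-memory SQLite table. SQLite string literals use single quotes, so the slide's password payload is adapted to `' OR '1'='1` here; the table, its rows and the function names are all assumptions made for this example.

```python
# Added example (not from the slides): slide 10's login query, vulnerable and safe,
# against a constructed in-memory SQLite database.
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample users table. The administrator row is first so that an
    'always true' WHERE clause returns it first, as on slide 13. Plaintext passwords
    are kept only to mirror the slide (see slide 35 for why that is wrong)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("administrator", "long-random-admin-password"), ("john", "1234")],
    )
    return conn


def _first_username(cursor: sqlite3.Cursor) -> Optional[str]:
    row = cursor.fetchone()
    return row[0] if row else None


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Returns the username of the first matching row, or None. Do not write this:
    quotes inside `password` close the literal and the rest is executed as SQL."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username + "'"
        " AND password = '" + password + "'"
    )
    return _first_username(conn.execute(sql))


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same query with placeholders: the driver sends the values separately from the
    SQL text, so nothing in the password can change the query's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return _first_username(conn.execute(sql, (username, password)))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # slide 12's password, in SQLite quoting
    print("vulnerable, john/1234:", login_vulnerable(db, "john", "1234"))
    print("vulnerable, administrator/payload:", login_vulnerable(db, "administrator", payload))
    print("safe, administrator/payload:", login_safe(db, "administrator", payload))
```

The vulnerable function logs the caller in as `administrator` with the payload, because the WHERE clause has become `... AND password = '' OR '1'='1'`; the parameterised function returns nothing, since the whole payload is compared as one opaque string against the stored password.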
  • 14. 2. XSS - Cross site Scripting
  • 15. As an example we will be using a catblog which has a guestbook where you can post messages.
  • 16. Name: john
    Comment: I have a cat just like that!
    My weblog: “Story about my cat”. Comments: john: I have a cat just like that!
  • 17. If the guestbook is poorly secured, it is possible to store other things than messages. For example, you might be able to store JavaScript. Because other people can read the guestbook, it is possible to abuse the catblog to spread your JavaScript to other readers of the blog.
    • Visitors can be redirected to another site.
    • Visitors can be presented with a popup containing a virus download link.
  • 18. Name: hacker
    Comment: window.location = "badstuff.tv"
    Hacker posts on blog. John visits blog. John gets redirected to a different website.
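
Rendering the guestbook from slides 16 to 18, as an added example that is not part of the original slides: one renderer pastes the stored comment into the page as-is, the other HTML-encodes every user-controlled value first. The comment list is constructed from the slides; the function names are assumptions for this example.

```python
# Added example (not from the slides): output encoding for the catblog guestbook.
import html

# Constructed sample entries: slide 16's comment and slide 18's comment wrapped in a
# script tag, which is how it would have to be stored to run in a reader's browser.
COMMENTS = [
    ("john", "I have a cat just like that!"),
    ("hacker", '<script>window.location = "badstuff.tv"</script>'),
]


def render_vulnerable(comments) -> str:
    """Stored text becomes live markup: the script tag runs for every reader."""
    return "\n".join(f"<p>{name}: {text}</p>" for name, text in comments)


def render_safe(comments) -> str:
    """Every user-controlled value is encoded for the HTML text context before it
    lands in the page, so '<' arrives as '&lt;' and is shown, not executed."""
    return "\n".join(
        f"<p>{html.escape(name)}: {html.escape(text)}</p>" for name, text in comments
    )


def contains_script_tag(page: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(COMMENTS))
    print("---")
    print(render_safe(COMMENTS))
```

Encoding on output is the fix that holds regardless of what was accepted on input; filtering on input alone misses the same data being re-used in another page. `html.escape` is only correct for HTML text and attribute values; a value placed inside a script block or a URL needs the encoding for that context.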
  • 19. 3. Broken session management
  • 20. Each visitor to a website receives a unique number from the webserver: your session_id. Through this number the webserver is able to keep track of who you are. This is why the number:
    • Has to be secret.
    • Should be very hard to guess.
    • May not be changed by other people.
  • 21. Guessing a session_id can be very easy: _session_id => My session_id + 1
  • 22. Sometimes it is possible to send other people your session_id, forcing a shared session. This might cause credentials of users to be combined. Email to administrator of website:
    “I can’t log in! Could you try it for me? https://catblog.com/?PHP_SESSION_ID=123456 Greets, hacker”
  • 23. 4. Insecure direct object reference
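
A session store that meets the three requirements of slide 20 and resists the two attacks of slides 21 and 22, as an added example that is not part of the original slides: ids come from the operating system's random generator rather than a counter, an id the visitor presents that the server never issued is discarded, and the id is replaced on login. The class and method names are assumptions for this example.

```python
# Added example (not from the slides): server-side session handling.
import secrets
from typing import Dict, Optional


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Optional[str]] = {}  # session_id -> user (None = anonymous)

    def new_session(self) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG: secret and not guessable,
        # unlike the "my session_id + 1" of slide 21.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def resolve(self, presented_sid: Optional[str]) -> str:
        """Map the id from the cookie or URL to a session. Only ids this server issued
        are honoured; an id chosen by someone else (slide 22's 123456) is ignored
        and a fresh one is handed out, so nobody can plant a session id on a victim."""
        if presented_sid is not None and presented_sid in self._sessions:
            return presented_sid
        return self.new_session()

    def login(self, sid: str, user: str) -> str:
        """Rotate the id at login: whatever id existed before authentication is
        destroyed, so a shared or pre-set id never becomes an authenticated one."""
        self._sessions.pop(sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid] = user
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.resolve("123456")      # the id from the e-mail on slide 22
    print("adopted attacker id?", sid == "123456")
    authed = store.login(sid, "administrator")
    print("id rotated on login?", authed != sid, "user:", store.user_for(authed))
```

Session ids in URLs, as on slide 22, also leak through the Referer header and browser history; keeping the id in an HttpOnly, Secure cookie avoids that.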
  • 24. As an example we will take a website with a “change your password” form:
  • 25. If you select “view source” in your browser, you will see something like this:
    <form id="form" method="post" action="/employees/1234">
        <input type="text" name="username" />
        <input type="password" name="password" value="" />
        <input type="hidden" name="employee_id" value="1234" />
    </form>
    What happens if you change the action or the employee_id? Could you reset somebody else’s password?
  • 26. 5. Cross site request forgery
  • 27. A more complex variant of Cross Site Scripting (XSS), so we will reuse the catblog example with its guestbook.
  • 28. Name: john
    Comment: I have a cat just like that!
    My weblog: “Story about my cat”. Comments: john: I have a cat just like that!
  • 29. If the guestbook is poorly secured, it might be possible to store other things like JavaScript in the message box. Because other visitors can read the guestbook, it is possible to abuse the catblog to spread your JavaScript to other readers of the blog. By using Ajax we can abuse active sessions visitors might have with other services (like Gmail) to send spam through their account.
  • 30. Name: hacker
    Comment:
    $.ajax({
        type: "POST",
        url: "www.gmail.com/new",
        data: {
            to: "anne@hotmail.com",
            subject: "NOT SPAM!",
            body: "Need Viagra?"
        },
        success: success,
        dataType: dataType
    });
  • 31. Hacker posts on blog. John visits blog. Jan sends spam to Anne via Gmail, without noticing it.
  • 32. 6. Security misconfiguration
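
The server side of the request from slide 30, as an added example that is not part of the original slides: the mail service issues a per-session anti-forgery token that its own pages include in every form, and rejects a POST that does not carry the right token. A request fired from the catblog by another site's script has the victim's session cookie but not the token. The class, the route name and the session ids are assumptions made for this example.

```python
# Added example (not from the slides): anti-CSRF token check for a state-changing POST.
import hmac
import secrets
from typing import Dict, Optional


class CsrfGuard:
    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # session_id -> token

    def issue(self, session_id: str) -> str:
        """Called when rendering a form; the token is embedded as a hidden field."""
        token = secrets.token_hex(32)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id: str, submitted: Optional[str]) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison so the check does not leak the token byte by byte.
        return hmac.compare_digest(expected, submitted)


def handle_send_mail(guard: CsrfGuard, session_id: str, form: Dict[str, str]) -> str:
    """Hypothetical handler for the slide's 'POST /new'. The session cookie alone is
    not proof that the user meant to send this; the token is."""
    if not guard.verify(session_id, form.get("csrf_token")):
        return "403 Forbidden"
    return f"250 sent to {form['to']}"


if __name__ == "__main__":
    guard = CsrfGuard()
    johns_session = "session-of-john"  # constructed id for the example
    token = guard.issue(johns_session)
    # slide 30's request, as a cross-site script would send it: cookie present, no token
    forged = {"to": "anne@hotmail.com", "subject": "NOT SPAM!", "body": "Need Viagra?"}
    print("forged request:", handle_send_mail(guard, johns_session, forged))
    print("own form:", handle_send_mail(guard, johns_session, dict(forged, csrf_token=token)))
```

Browsers' same-origin policy stops the attacking page from reading the token out of the mail service's pages, which is what makes the token a proof of intent. Marking the session cookie `SameSite=Lax` or `Strict` adds a second, independent barrier.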
  • 33. Every system needs periodic updates, to ensure the latest versions are installed.
    • Check if your provider/hoster has a maintenance window to do updates.
  • 34. 7. Insecure Cryptographic Storage
  • 35. Incorrectly secured data. For example, this should NEVER be in your database in plaintext:
    Username   Email                 Password
    jantje     jantje@hotmail.com    jantje1
    pietje     pietje@hotmail.com    welkom123
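
The table from slide 35 stored the way it should be, as an added example that is not part of the original slides: each password is replaced by a salted, iterated PBKDF2-HMAC-SHA256 hash, and login compares hashes in constant time. The iteration count and the storage format are assumptions for this example; the rows are constructed from the slide.

```python
# Added example (not from the slides): password hashing instead of plaintext storage.
import hashlib
import hmac
import os
from typing import List, Tuple

ITERATIONS = 600_000  # assumption for this example; follow current guidance for your setup


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as algorithm$iterations$salt$digest so the
    parameters travel with the hash and can be raised later without a flag day."""
    salt = salt or os.urandom(16)  # per-user random salt: equal passwords, different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_user_table() -> List[Tuple[str, str, str]]:
    """Slide 35's rows (constructed) with the password column hashed on the way in."""
    rows = [
        ("jantje", "jantje@hotmail.com", "jantje1"),
        ("pietje", "pietje@hotmail.com", "welkom123"),
    ]
    return [(user, email, hash_password(pw)) for user, email, pw in rows]


if __name__ == "__main__":
    for user, email, stored in build_user_table():
        print(user, email, stored[:40] + "...")
```

A plain SHA-256 of the password is not enough: it is unsalted and fast, so a leaked table falls to precomputed tables and bulk guessing. A purpose-built password hash (bcrypt, scrypt, Argon2) is the better choice when the library is available; PBKDF2 is used here only because it ships with the standard library.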
  • 36. 8. Failure to restrict URL access
  • 37. Modify the URL of a website. This is very popular with journalists, because you can do it with any browser.
    • http://catblog.com/admin.php
    • http://test.com/employee/1234 => 1235?
    • http://ibm.com/annualreport/2011 => 2012?
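
One server-side authorization check covering both the password form of slides 24 and 25 and the URL guessing of slide 37, as an added example that is not part of the original slides: the identity comes from the session, the target comes from the URL, the hidden `employee_id` field is never trusted, admin pages require the admin role, and anything unrecognised is denied. The account table, roles and function names are assumptions made for this example.

```python
# Added example (not from the slides): deny-by-default authorization for
# /employees/<id> (slides 24-25) and /admin.php (slide 37).
import re
from typing import Dict

# Constructed accounts: id -> record. Plaintext passwords only to keep the example short.
ACCOUNTS: Dict[int, Dict[str, str]] = {
    1234: {"username": "john", "role": "employee", "password": "1234"},
    1235: {"username": "anne", "role": "employee", "password": "annes-password"},
    1: {"username": "admin", "role": "admin", "password": "admin-password"},
}
ADMIN_ONLY_PATHS = {"/admin.php"}
EMPLOYEE_PATH = re.compile(r"/employees/(\d+)")


def authorize(session_user_id: int, path: str) -> bool:
    """True only if the logged-in user (taken from the session, not the request body)
    may act on this URL. Unknown URLs are refused rather than served."""
    role = ACCOUNTS[session_user_id]["role"]
    if path in ADMIN_ONLY_PATHS:
        return role == "admin"
    match = EMPLOYEE_PATH.fullmatch(path)
    if match:
        target_id = int(match.group(1))
        return target_id == session_user_id or role == "admin"
    return False


def change_password(session_user_id: int, path: str, form: Dict[str, str]) -> str:
    """Hypothetical handler for the slide's POST /employees/<id>. The hidden
    employee_id field is ignored: the target is the URL the user was authorized for."""
    if not authorize(session_user_id, path):
        return "403 Forbidden"
    target_id = int(EMPLOYEE_PATH.fullmatch(path).group(1))
    ACCOUNTS[target_id]["password"] = form["password"]
    return "200 OK"


if __name__ == "__main__":
    # john (1234) edits the action to 1235 and the hidden field to 1235, as slide 25 asks
    print(change_password(1234, "/employees/1235", {"employee_id": "1235", "password": "pwned"}))
    print("anne's password unchanged:", ACCOUNTS[1235]["password"] == "annes-password")
    print("john visits admin page:", authorize(1234, "/admin.php"))
```

The general rule the example applies: every request is checked against the caller's session on the server, for every URL, so hiding a link or relying on a hidden form field gives no protection at all.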
  • 38. 9. Insufficient Transport Layer Protection
  • 39. With HTTPS the server and client negotiate the level of security. Together they figure out the highest level of encryption they can both use for the connection.
    • Viruses sometimes turn the encryption level of a browser down to the lowest possible setting.
    • Badly configured servers agree to the low setting and set up a badly encrypted connection.
    • Eavesdropping on the secure traffic between the server and the client is now possible.
  • 40. If people cannot reach our website, but you can, there is a good chance that our server won’t drop to their suggested encryption level. Browsers give very bad error messages when this happens.
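
The server-side control behind slide 40, as an added example that is not part of the original slides: a TLS context with an explicit protocol floor does not follow a client down to an old version, whatever the client proposes, and a configuration check reports whether a context still would. Function names and the certificate paths are assumptions for this example; the check reads the configured minimum only and says nothing about what the underlying OpenSSL build additionally refuses on its own.

```python
# Added example (not from the slides): a TLS server context that refuses to downgrade.
import ssl
from typing import Optional


def make_server_context(certfile: Optional[str] = None, keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server context with TLS 1.2 as the floor. Python's default server context
    already starts there on current versions; setting it explicitly documents the
    intent and survives a change of defaults."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:  # placeholder paths: the deployment's own certificate and key
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def make_legacy_context() -> ssl.SSLContext:
    """The badly configured server of slide 39: no floor, so it negotiates whatever
    the lowest common version turns out to be."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def allows_downgrade(ctx: ssl.SSLContext) -> bool:
    """Configuration check: True when the context is willing to handshake below TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    print("hardened context allows downgrade:", allows_downgrade(make_server_context()))
    print("legacy context allows downgrade:  ", allows_downgrade(make_legacy_context()))
```

The trade-off slide 40 describes is real: a client whose only common version is below the floor gets a failed handshake and an unhelpful browser error, which is the intended outcome rather than a weakly encrypted session.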
  • 41. 10. Unvalidated Redirects and Forwards (rickroll)
  • 42. When you open a link to a secure section of a website, and you are not logged in, you are often redirected to the login page. After you log in you will be sent back to the original page you were trying to open.
    http://catblog.com/login.php?return_url=/admin.php
  • 43. Sometimes it is possible to abuse this and send people a link which looks legit & contains a website they trust. However, after they log in, they are sent somewhere else.
    http://catblog.com/login.php?return_url=http://www.youtube.com/watch?v=oHg5SJYRHA0
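
Validating the `return_url` parameter from slides 42 and 43, as an added example that is not part of the original slides: only a path on the site itself is accepted and anything that would leave the site falls back to a default page. The function name and the default are assumptions for this example; it also handles the protocol-relative and backslash spellings of an off-site URL, which the slide does not mention.

```python
# Added example (not from the slides): allow-list validation of a post-login redirect.
from urllib.parse import urlparse


def safe_return_url(return_url: str, default: str = "/") -> str:
    """Return a redirect target that always stays on this site.

    Accepted: a site-relative path such as /admin.php.
    Rejected (fall back to `default`): any URL with a scheme or host
    (http://..., javascript:...), a protocol-relative URL (//host/...),
    and paths containing backslashes or control characters, which browsers
    may normalise into a different host.
    """
    if not return_url:
        return default
    if "\\" in return_url or any(ord(ch) < 0x20 or ch == "\x7f" for ch in return_url):
        return default
    parsed = urlparse(return_url)
    if parsed.scheme or parsed.netloc:
        return default
    if not return_url.startswith("/") or return_url.startswith("//"):
        return default
    return return_url


if __name__ == "__main__":
    for candidate in ("/admin.php", "http://www.youtube.com/watch?v=oHg5SJYRHA0", "//other.example/"):
        print(f"{candidate!r:50} -> {safe_return_url(candidate)!r}")
```

An alternative with the same effect is to store the intended page in the session at the moment the login redirect is issued and to ignore the parameter entirely when the user comes back.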
  • 44. Solutions?
  • 45. Solutions:
    • Using a framework like JBoss, Rails or Zend will fix 90% of the problems addressed in the OWASP top 10.
    • To fix the other 10% you need to periodically have your application audited by an external party.
    • Make sure you point out the responsibility of the end-user. Often the weakest link is an employee who is careless with printed files or leaves his computer logged in.