Owasp for dummies handouts


Published in: Technology
1 Comment
  • On slide 31, I'm guessing you meant to say John, rather than Jan, correct? Great article btw


  1. OWASP. Bart ten Brinke.
  2. The Open Web Application Security Project (OWASP)
     • https://www.owasp.org/
     • OWASP gathers statistics on internet attacks and uses them to compile its security Top 10.
  3. The CIA triangle: Confidentiality, Integrity and Availability of data. Each corner pulls against the others:
     • Availability vs. confidentiality: "Putting stuff on Wikipedia makes it very available, but not very confidential."
     • Availability vs. integrity: "Wikipedia always has the latest news, but how can you be sure that all the facts are checked?"
     • Confidentiality vs. availability: "Doctor-specific patient records cannot be viewed by nurses, which means they are not as well informed as they could be."
  4. Every solution is a compromise between Confidentiality, Integrity and Availability.
     • http://en.wikipedia.org/wiki/Information_security
     • The safest door is one you can't walk through at all.
     • The nuances of the CIA triangle are lost in current media reports: something is either safe or unsafe.
  5. Safe / Unsafe
  6. During the design of the Dutch public transport card (OV-chipkaart) the designers decided to use less secure RFID cards, because the savings from these cheap RFID cards were much higher than the expected loss of revenue to hackers. This trade-off was not reflected in the media coverage at all.
  7. OWASP Top 10
  8. 1. SQL injection
  9. We have a website where you can log in using your username and password:
     Username: john
     Password: 1234
  10. The application checks these credentials against a database:
     Username: john
     Password: 1234
     SELECT * FROM users WHERE username = "john" AND password = "1234"
  11. Give me all users with the name "john" and password "1234". If there is one, you are logged in.
  12. Now the attacker fills in:
     Username: administrator
     Password: " OR 1="1
     SELECT * FROM users WHERE username = "administrator" AND password = "" OR 1="1"
  13. Give me all users with the name "administrator" who have an empty password, OR where 1=1. 1=1 is always true, and AND binds tighter than OR, so the condition holds for every row: the query returns all users, the application takes the first row it gets back (here the administrator), and you are logged in as the administrator without knowing the password.
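The login on slides 10 to 13, as an added example that is not part of the original deck: a constructed in-memory SQLite table stands in for the site's user database, one login function pastes the form fields into the SQL text exactly as the slides do (with single quotes, which is what SQLite expects for strings), and the other uses placeholders so the database never sees the password as SQL syntax.

```python
import sqlite3


def make_db():
    # Constructed sample table; the administrator is inserted first on purpose,
    # because an unordered SELECT in SQLite returns rows in insertion order.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("administrator", "s3cret"), ("john", "1234")])
    return db


def vulnerable_login(db, username, password):
    # The query is built by string concatenation, as on the slides.
    # With password = "' OR '1'='1" the WHERE clause becomes
    #   username = 'administrator' AND password = '' OR '1'='1'
    # which is true for every row.
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(db, username, password):
    # Placeholders: the values travel separately from the SQL text, so a
    # quote inside the password is just a character, never syntax.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(vulnerable_login(db, "administrator", payload))  # administrator
    print(safe_login(db, "administrator", payload))        # None
```

Storing passwords in plaintext, as this toy table does, is itself a Top 10 item (slide 35); the placeholder fix only addresses the injection.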
  14. 2. XSS - Cross-site scripting
  15. As an example we will use a cat blog which has a guestbook where you can post messages.
  16. Name: john
     Comment: I have a cat just like that!
     My weblog. Story about my cat. Comments:
     john: I have a cat just like that!
  17. If the guestbook is poorly secured, it is possible to store other things than messages, for example JavaScript. Because other people read the guestbook, the cat blog can be abused to spread your JavaScript to every other reader of the blog:
     • Visitors can be redirected to another site.
     • Visitors can be shown a popup containing a virus download link.
  18. Name: hacker
     Comment: window.location = "badstuff.tv"
     The hacker posts on the blog. John visits the blog. John is redirected to a different website.
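The guestbook from slides 16 to 18 rendered two ways, as an added example that is not part of the original deck. The comments are constructed; the hacker's comment wraps the slide's redirect in a script tag. The escaped version uses Python's html.escape, which is enough for text placed inside an HTML element (attribute and JavaScript contexts need their own encoding).

```python
import html

# Constructed guestbook entries, including the hacker's stored-XSS payload.
COMMENTS = [
    ("john", "I have a cat just like that!"),
    ("hacker", '<script>window.location = "badstuff.tv"</script>'),
]


def render_vulnerable(comments):
    # Pastes the stored text straight into the page: every visitor's
    # browser runs the hacker's script.
    return "\n".join("<p>%s: %s</p>" % (name, text) for name, text in comments)


def render_escaped(comments):
    # html.escape turns < > & " ' into entities, so the browser displays
    # the script as text instead of executing it.
    return "\n".join(
        "<p>%s: %s</p>" % (html.escape(name), html.escape(text))
        for name, text in comments)


def contains_live_script(page):
    # Check used in the demo: a real <script> tag survived into the markup.
    return "<script>" in page


if __name__ == "__main__":
    print(render_vulnerable(COMMENTS))
    print(render_escaped(COMMENTS))
```

Escape at output time, in the template, rather than trying to filter "bad" input on the way in: the guestbook can then store any text, and the page is safe regardless of what it holds.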
  19. 3. Broken session management
  20. Each visitor to a website receives a unique number from the web server: the session_id. Through this number the web server keeps track of who you are. This is why the number:
     • has to be secret;
     • should be very hard to guess;
     • must not be changeable by other people.
  21. Guessing a session_id can be very easy: if mine is N, try N+1.
  22. Sometimes it is possible to hand other people your session_id, forcing a shared session (session fixation). Whoever then logs in on that session logs the attacker in as well, so the privileges of different users end up combined. Email to the administrator of the website:
     "I can't log in! Could you try it for me? https://catblog.com/?PHP_SESSION_ID=123456 Greets, hacker"
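A minimal server-side session store covering slides 20 to 22, as an added example that is not part of the original deck. Ids come from the OS random generator, so "my id + 1" tells an attacker nothing, and login discards whatever id the browser presented and issues a fresh one, which is what defeats the planted ?PHP_SESSION_ID=123456 link. The store is constructed for the example; a real one would live in a database or cache.

```python
import secrets


class SessionStore:
    # Constructed in-memory store: session_id -> username (None = anonymous).

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # 32 random bytes, URL-safe encoded: unguessable, unlike a counter.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def user_for(self, sid):
        # Unknown ids (including ones invented by a client) map to nobody.
        return self._sessions.get(sid)

    def login(self, presented_sid, username):
        # Fixation defence: forget the id the browser arrived with, even if
        # it was one of ours, and bind the user to a brand-new id that only
        # this browser now knows.
        self._sessions.pop(presented_sid, None)
        sid = self.new_session()
        self._sessions[sid] = username
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    planted = "123456"            # id the hacker mailed to the administrator
    fresh = store.login(planted, "administrator")
    print(store.user_for(planted), store.user_for(fresh))  # None administrator
```

The other half of the defence is to read the session id only from the cookie, never from a query parameter like the one in the mail: then a link cannot plant an id at all.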
  23. 4. Insecure direct object reference
  24. As an example we take a website with a "change your password" form.
  25. If you select "view source" in your browser, you will see something like this:
     <form id="form" method="post" action="/employees/1234">
         <input type="text" name="username" />
         <input type="password" name="password" value="" />
         <input type="hidden" name="employee_id" value="1234" />
     </form>
     What happens if you change the action or the employee_id? Can you reset somebody else's password? If the server trusts these values instead of checking them against the logged-in user, you can.
  26. 5. Cross-site request forgery
  27. Often delivered through Cross-site scripting (XSS), so we reuse the cat blog example with the guestbook. The difference from XSS: the victim's browser is made to send a request to a different site, and it works because the browser automatically attaches your cookies (your session) to every request it sends to that site, no matter which page triggered the request.
  28. Name: john
     Comment: I have a cat just like that!
     My weblog. Story about my cat. Comments:
     john: I have a cat just like that!
  29. If the guestbook is poorly secured, it might be possible to store other things, like JavaScript, in the message box. Because other visitors read the guestbook, the cat blog can be abused to spread your JavaScript to other readers. Using Ajax, that JavaScript can abuse active sessions visitors have with other services (like Gmail) to send spam through their account.
  30. Name: hacker
     Comment:
     $.ajax({
         type: "POST",
         url: "www.gmail.com/new",
         data: {
             to: "anne@hotmail.com",
             subject: "NOT SPAM!",
             body: "Need Viagra?"
         },
         success: success,
         dataType: dataType
     });
  31. The hacker posts on the blog. John visits the blog. John sends spam to Anne via Gmail, without noticing it.
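The server side of the "send mail" endpoint targeted on slide 30, as an added example that is not part of the original deck. The endpoint, session ids and form fields are constructed for illustration. The cookie alone cannot prove the user meant to send anything, because the browser attaches it to the hacker's request too; a token bound to the session with an HMAC under a server-only key, and only ever embedded in the real site's own forms, is something a page on catblog.com cannot supply.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; in a real deployment it comes from configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id, key=SERVER_KEY):
    # Deterministic per session, so the same token can be put in every form
    # for that session and recomputed on the server without storing it.
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def handle_send_mail(session_id, form, key=SERVER_KEY):
    # `session_id` came from the cookie the browser attached automatically;
    # `form` is the POST body. Only a form the real site rendered for this
    # session carries a matching csrf_token.
    expected = issue_csrf_token(session_id, key)
    token = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return "rejected: missing or wrong csrf token"
    return "sent to %s" % form["to"]


if __name__ == "__main__":
    sid = "session-of-john"
    forged = {"to": "anne@hotmail.com", "subject": "NOT SPAM!",
              "body": "Need Viagra?"}          # what the $.ajax call sends
    print(handle_send_mail(sid, forged))       # rejected
    legit = dict(forged, csrf_token=issue_csrf_token(sid))
    print(handle_send_mail(sid, legit))        # sent to anne@hotmail.com
```

Modern browsers add a second layer with the SameSite cookie attribute, which stops the cookie being attached to cross-site POSTs in the first place; the token check still belongs on the server, because it does not depend on the client.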
  32. 6. Security misconfiguration
  33. Every system needs periodic updates to ensure the latest versions are installed.
     • Check whether your provider/hoster has a maintenance window for doing updates.
  34. 7. Insecure cryptographic storage
  35. Incorrectly secured data. For example, this should NEVER be in your database in plaintext:
     Username | Email              | Password
     jantje   | jantje@hotmail.com | jantje1
     pietje   | pietje@hotmail.com | welkom123
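What the Password column on slide 35 should hold instead, as an added example that is not part of the original deck: a per-user random salt plus a slow, iterated hash (PBKDF2-HMAC-SHA256 from the standard library, chosen because it needs no extra package; bcrypt or Argon2 are preferable where a library is available). The stored value can be checked against a password attempt but not turned back into the password, and two users with "welkom123" get different stored values.

```python
import base64
import hashlib
import hmac
import os


def hash_password(password, iterations=600_000):
    # Random 16-byte salt per user; the iteration count is stored alongside
    # so it can be raised later without breaking existing records.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode())


def verify_password(password, stored):
    # Recompute with the stored salt and iterations; compare in constant time.
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed users from the slide; only the hash goes into the table.
    table = {"jantje": hash_password("jantje1"),
             "pietje": hash_password("welkom123")}
    print(table["pietje"])
    print(verify_password("welkom123", table["pietje"]))  # True
    print(verify_password("welkom124", table["pietje"]))  # False
```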
  36. 8. Failure to restrict URL access
  37. Modify the URL of a website. This is very popular with journalists, because you can do it with any browser:
     • http://catblog.com/admin.php
     • http://test.com/employee/1234 => 1235?
     • http://ibm.com/annualreport/2011 => 2012?
     If a page is only protected by not being linked to, anyone who guesses its URL gets in.
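One authorisation check serving both the password form on slide 25 and the guessed URLs on slide 37, as an added example that is not part of the original deck. The session table, roles and paths are constructed. The point is that neither the hidden employee_id field nor the fact that /admin.php is unlinked counts for anything: the server compares the id in the URL with the identity bound to the session, and checks the role for the admin area.

```python
# Constructed session table: cookie value -> who is logged in.
SESSIONS = {
    "sid-john": {"user": "john", "role": "employee", "employee_id": 1234},
    "sid-root": {"user": "admin", "role": "admin", "employee_id": 1},
}


def authorize(session_id, path):
    """Return "ok" or a refusal reason for a request to `path`.

    Only the session decides who the caller is; anything in the form body
    (such as the hidden employee_id) is ignored for this decision."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "login required"

    if path.startswith("/admin"):
        # An unlinked URL is not access control: check the role.
        return "ok" if session["role"] == "admin" else "forbidden"

    if path.startswith("/employees/"):
        # /employees/1234 -> 1234; compare with the session, not the form.
        try:
            target = int(path.split("/")[2])
        except (IndexError, ValueError):
            return "bad request"
        if session["role"] == "admin" or session["employee_id"] == target:
            return "ok"
        return "forbidden"

    return "ok"


if __name__ == "__main__":
    print(authorize("sid-john", "/employees/1234"))  # ok
    print(authorize("sid-john", "/employees/1235"))  # forbidden
    print(authorize("sid-john", "/admin.php"))       # forbidden
    print(authorize("nobody", "/admin.php"))         # login required
```

Returning "forbidden" rather than pretending the record does not exist is a design choice; what matters is that every handler for an object URL runs this check, not just the ones the menu links to.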
  38. 9. Insufficient transport layer protection
  39. With HTTPS the server and client negotiate the level of security: together they work out the strongest protocol version and cipher suite that both support.
     • Malware on the client, or an attacker on the path, can push the browser's offer down to the weakest setting it still supports.
     • A badly configured server agrees to the weak setting and sets up a poorly encrypted connection.
     • Eavesdropping on the "secure" traffic between server and client then becomes feasible.
  40. If other people cannot reach your website but you can, a likely cause is that your server refuses the weak encryption level their (downgraded) client proposes. Browsers give very poor error messages when this happens.
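The server-side setting behind slides 39 and 40, as an added example that is not part of the original deck, using Python's standard ssl module: one context accepts whatever the library's floor is, the other refuses anything below TLS 1.2 regardless of what the client offers, so a downgraded client gets a handshake failure instead of a weak connection. No certificate is loaded, so the contexts are only inspected here, not used to serve.

```python
import ssl


def legacy_server_context():
    # Weak setting: the floor is whatever the linked TLS library still
    # supports, so a client that only offers old versions gets them.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_server_context(certfile=None, keyfile=None):
    # Corrected setting: TLS 1.2 is the floor no matter what is proposed.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION   # compression leaks plaintext (CRIME)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def allows_version(ctx, version):
    # Would this context still negotiate `version`? (Checks the floor only.)
    return version >= ctx.minimum_version


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_server_context()),
                      ("hardened", hardened_server_context())):
        print(name, "accepts TLS 1.0:", allows_version(ctx, ssl.TLSVersion.TLSv1))
```

The same knob exists in every web server (nginx ssl_protocols, Apache SSLProtocol); the principle is identical: set the floor on the server, because the client's offer is the part an attacker can influence.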
  41. 10. Unvalidated redirects and forwards (rickroll)
  42. When you open a link to a protected section of a website and you are not logged in, you are often redirected to the login page. After you log in, you are sent back to the page you were originally trying to open:
     http://catblog.com/login.php?return_url=/admin.php
  43. Sometimes this can be abused: you send people a link which looks legitimate and starts with a site they trust, but after they log in they are sent somewhere else entirely:
     http://catblog.com/login.php?return_url=http://www.youtube.com/watch?v=oHg5SJYRHA0
     The fix is to accept only a path on your own site as return_url, never a full URL.
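A validator for the return_url parameter on slides 42 and 43, as an added example that is not part of the original deck. It accepts only a path on the current site and falls back to a default for everything else, including the two forms the slides do not show but an attacker would try next: a protocol-relative //host URL and a backslash variant, which browsers treat like a slash.

```python
from urllib.parse import urlsplit


def safe_return_url(candidate, default="/"):
    """Return `candidate` if it is a local path, otherwise `default`."""
    if not isinstance(candidate, str) or not candidate:
        return default
    # Browsers treat backslashes as slashes in URLs; normalise before checking.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL (http://www.youtube.com/...) or javascript:, data: etc.
        return default
    if not candidate.startswith("/") or candidate.startswith("//"):
        # Relative path, or protocol-relative //evil.example/
        return default
    return candidate


if __name__ == "__main__":
    for url in ("/admin.php",
                "http://www.youtube.com/watch?v=oHg5SJYRHA0",
                "//evil.example/", "/\\evil.example/", "javascript:alert(1)"):
        print("%-45s -> %s" % (url, safe_return_url(url)))
```

Where the site genuinely needs to redirect to other hosts, keep an explicit allow-list of hostnames and compare the parsed netloc against it; never pattern-match on the string.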
  44. Solutions?
  45. • Using a framework like JBoss, Rails or Zend, and actually using its built-in facilities (parameterised queries, output escaping, session handling, CSRF tokens) instead of bypassing them, will fix 90% of the problems addressed in the OWASP Top 10.
     • To fix the other 10% you need to have your application audited periodically by an external party.
     • Make clear what the responsibility of the end user is. Often the weakest link is an employee who is careless with printed files or leaves his computer logged in.