• Save
Athens Owasp workshop Athens Digital Week 2010
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


Athens Owasp workshop Athens Digital Week 2010

Uploaded on

Presented by Konstantinos Papanagiotiou

Presented by Konstantinos Papanagiotiou

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 42

http://zero.gr 42

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. OWASP Projects and Resources you can use today Konstantinos Papapanagiotou Greek Chapter Leader conpap@owasp.gr OWASP Athens Digital Week 9/10/2010 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. Your Code is Part of Your Security Perimeter Your security “perimeter” has huge holes at the application layer Custom Developed Application Code APPLICATION ATTACK App Server Web Server Hardened OS You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks OWASP 3
  • 3. OWASP The Open Web Application Security Project http://www.owasp.org http://www.owasp.gr – http://blog.owasp.gr
  • 4. What is OWASP? Open Web Application Security Project Worldwide, free and open community Non-profit, volunteer driven organization Mission: improve application software security Promotes secure software development An open forum for discussion A free resource for any development team  Publications, Articles, Standards  Testing and Training Software  Local Chapters & Mailing Lists OWASP 5
  • 5. The Greek Chapter Created in 2005 but active since early 2007 Mission: raise security awareness in Greece Activities: Translation of OWASP documentation Mailing list Blog Participation in working groups and conferences Awareness ~120 members http://www.owasp.gr - http://blog.owasp.gr OWASP 6
  • 6. OWASP Body of Knowledge Guidance and Tools for Measuring and Guide to Application Managing Application Security Testing and Security Guide to Application Security Code Review Verifying Managing Application Application Guide to Building Security Security Secure Web Applications and Web Services Acquiring and Application Core Application AppSec Conferences Building Security Security Secure Tools Knowledge Base Chapters Projects Applications Tools for Scanning, Testing, Simulating, and Reporting Web Application Security AppSec Issues Research to Secure New Education and Research Projects to CBT Figure Out How to Technologies Principles Secure the Use of New Threat Agents, OWASP Community Platform Web Based Learning Attacks, (wiki, forums, mailing lists) Technologies (like Ajax) Environment and Vulnerabilities, Guide for Learning Impacts, and Application Security Countermeasures OWASP Foundation 501c3 OWASP
  • 7. OWASP Tools and Technology • Vulnerability • Penetration • ESAPI Scanners Testing Tools • Static Analysis • Code Review Tools Tools • Fuzzing Automated Manual Security Security Security Architecture Verification Verification • AppSec Libraries • Reporting Tools • Flawed Apps • ESAPI Reference • Learning Implementation Environments • Guards and • Live CD Filters • SiteGenerator Secure AppSec AppSec Coding Management Education OWASP 8
  • 8. What’s a WebGoat OWASP project with ~115,000 downloads Deliberately insecure Java EE web application Teaches common application vulnerabilities via a series of individual lessons OWASP 9
  • 9. OWASP WebScarab OWASP
  • 10. Risk OWASP
  • 11. OWASP Top 10 Risk Rating Methodology 1 2 3 Injection Example 1.66 weighted risk rating OWASP 13
  • 12. OWASP Top 10 2010 http://www.owasp.org/index.php/Top_10 OWASP 14
  • 13. A1. Injection "SELECT * FROM Account Summary accounts WHERE Account: HTTP acct=‘’ OR 1=1-- SKU: Acct:5424-6066-2134-4334 DB Table Acct:4128-7574-3921-0192 HTTP SQL response ’" Acct:5424-9383-2039-4029 APPLICATION request ATTACK query Acct:4128-0004-1234-0293 Custom Code 1. Application presents a form to the attacker 2. Attacker sends an attack in the form data App Server 3. Application forwards attack to Web Server the database in a SQL query Hardened OS 4. Database runs query containing attack and sends encrypted results back to application 5. Application decrypts data as normal and sends results to the user OWASP 15
  • 14. A2. Cross-Site Scripting (XSS) 1 Attacker sets the trap – update my profile Application with stored XSS Attacker enters a vulnerability malicious script into a web page that stores the data on the server 2 Victim views page – sees attacker profile Custom Code Script runs inside victim’s browser with full access to the DOM and cookies 3 Script silently sends attacker Victim’s session cookie OWASP 16
  • 15. A3. Broken Authentication and Session Management 1 User sends credentials www.boi.com?JSESSIONID=9FA1DB9EA... Site uses URL rewriting 2 Custom Code (i.e., put session in URL) 3 User clicks on a link to http://www.hacker.com in a forum Hacker checks referer logs on www.hacker.com and finds user’s JSESSIONID 4 5 Hacker uses JSESSIONID and takes over victim’s account OWASP 17
  • 16. A4. Insecure Direct Object References  Attacker notices his acct https://www.onlinebank.com/user?acct=6065 parameter is 6065 ?acct=6065  He modifies it to a nearby number ?acct=6066  Attacker views the victim’s account information OWASP 18
  • 17. A5. Cross-Site Request Forgery (CSRF) Attacker sets the trap on some website on the internet 1 (or simply via an e-mail) Application with CSRF Hidden <img> tag vulnerability contains attack against vulnerable site While logged into vulnerable site, 2 victim views attacker site Custom Code 3 Vulnerable site sees <img> tag loaded by legitimate request from browser – sends GET victim and performs the request (including action requested credentials) to vulnerable site OWASP 19
  • 18. A6 – Security Misconfiguration Web applications rely on a secure foundation • Everywhere from the OS up through the App Server • Don’t forget all the libraries you are using!! Is your source code a secret? • Think of all the places your source code goes • Security should not require secret source code CM must extend to all parts of the application • All credentials should change in production Typical Impact • Install backdoor through missing OS or server patch • XSS flaw exploits due to missing application framework patches • Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration OWASP
  • 19. A7. Insecure Cryptographic Storage Victim enters credit 1 card number in form Malicious insider Log files 4 steals 4 million credit Error handler logs CC 2 card numbers details because merchant gateway is unavailable Logs are accessible to all 3 members of IT staff for debugging purposes OWASP 21
  • 20. A8. Failure to Restrict URL Access  Attacker notices the URL https://www.onlinebank.com/user/getAccounts indicates his role /user/getAccounts  He modifies it to another directory (role) /admin/getAccounts, or /manager/getAccounts  Attacker views more accounts than just their own OWASP 22
  • 21. A9. Insufficient Transport Layer Protection Business Partners External Victim Custom Code Backend Systems Employees 1 2 External attacker Internal attacker steals credentials steals credentials and data off and data from network internal network External Attacker Internal Attacker OWASP
  • 22. A10. Unvalidated Redirects and Forwards 1 Attacker sends attack to victim via email or webpage From: Internal Revenue Service Subject: Your Unclaimed Tax Refund Our records show you have an 3 Application redirects unclaimed federal tax refund. Please victim to attacker’s site click here to initiate your claim. Victim clicks link containing unvalidated 2 parameter Custom Code Request sent to vulnerable site, including attacker’s destination site as parameter. Redirect sends victim to attacker site Evil Site 4 Evil site installs malware on http://www.irs.gov/taxrefund/claim.jsp?year=2006 victim, or phish’s for private & … &dest=www.evilsite.com information OWASP 24
  • 23. Penetration Testing OWASP
  • 24. http://www.opensamm.org/
  • 25. Goals and Purpose  To define building blocks for an assurance program  Delineate all functions within an organisation that could be improved over time  To allow organizations to create customized roadmaps  Each organisation can choose the order and extent they improve each function  To provide sample roadmaps for common types of organisations  Each roadmap is a baseline that can be tweaked based on the specific concerns of a given organisation OWASP 27
  • 26. OWASP SAMM (Software Assurance Maturity Model) OWASP
  • 27. Imagine an Enterprise Security API  All the security controls a developer needs  Standard  Centralized  Organized  Integrated  High Quality  Intuitive  Tested  Solves the problems of missing and broken controls OWASP
  • 28. Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Enterprise Security API Encryptor EncryptedProperties Randomizer Enterprise Security API Exception Handling Custom Enterprise Web Application Logger IntrusionDetector OWASP Existing Enterprise Security Services/Libraries SecurityConfiguration 30
  • 29. Questions? http://blog.owasp.gr http://www.owasp.gr