Oh, WASP! Security Essentials for Web Apps
The past few years have seen a rapid increase in business efficiency through Web-based applications. Unfortunately, a dramatic increase in the number of web application vulnerabilities has followed. Insecure web applications can be disastrous for mission critical businesses and users' sensitive data. More than 70 percent of security vulnerabilities are due to flaws in the application rather than firewall breaches. Benny Paul explains how security testing has become an indispensable part of the SDLC for businesses operating online today. OWASP (Open Web Application Security Project) provides open source tools, code, and materials to develop, test, and maintain application security. Monitoring the “OWASP Top 10” web application security flaws is highly recommended as part of an organization’s testing methodology. Vulnerabilities identified are compared against the organization’s security objectives and regulations, and categorized accordingly for remediation. Benny guides you through the OWASP vulnerabilities, techniques, framework, and preventive measures that you can adopt for building better software.

Document Transcript

  • BW8 Concurrent Session, 11/13/2013 2:15 PM: "Oh, WASP! Security Essentials for Web Apps". Presented by: Benny Paul, Cognizant Technology Solutions. Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073; 888 268 8770; 904 278 0524; sqeinfo@sqe.com; www.sqe.com
  • Benny Paul, Cognizant Technology Solutions. Benny Paul brings more than fifteen years of IT experience to Cognizant Testing Services, where he is responsible for program management, strategic planning, and delivery of QA Services. Benny is experienced in building and managing large scale QA programs in multiple domains, with resolute focus on improving QA maturity practices, enhancing quality engineering and delivery, incorporating optimization techniques, and implementing practical and effective process improvement methods. Benny’s passion for business development, maintaining customer relationships and people management through motivation and inspiration further contributes to his ability to manage large programs and deliver business value to Cognizant’s global clients.
  • Oh, WASP! Security Essentials for Web Apps. Benny Paul, Cognizant Testing Services, Nov 11, 2013. 1 | ©2013, Cognizant
  • Introduction (slide 2)
    Purpose of Session
    - Provide an overview of Web Application Security - OWASP Top 10
    What is Web Application Security?
    - A brief discussion
    - Attacker’s hotspots
    Top Security Problems on the web today
    - Recent nightmares
    - Some statistics
    Understand OWASP 2013 Top 10 Vulnerabilities
    - Define the vulnerabilities
    - How do we protect against them?
  • Credits & References (slide 3)
    - Documents copyrighted Open Web Application Security Project, and freely downloaded from www.owasp.org.
    - OWASP Top Ten, titled "The Ten Most Critical Web Application Security Vulnerabilities", 2013 update: https://www.owasp.org/index.php/Top_10_2013-Top_10
    - The OWASP Tutorial Series by Jerry Hoff: https://www.owasp.org/index.php/Main_Page and https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
    - Several Application Security Testing related sites and content on the web, like iTeach etc.
  • What is Web Application Security? (slide 4)
    - Not Network Security
    - Starts in the initial planning stages
    - Continues through coding, testing, and deployment
    - Doesn’t finish until the lifecycle is completely finished
    Likelihood of a successful web application attack:
    - A web application is attacked 1 in 3 days on average
    - Easy to exploit without special tools or knowledge
    - Little chance of being detected
    Consequences:
    - Unauthorized access to web and application servers
    - Database corruption and disclosure of contents
    - Breach in user authentication and access control
    - Website defacement
  • Who are we up against? (slide 5)
    [Chart: Percentage of Websites Vulnerability by Class]
    Who | What | Why
    Organized Crime | Data & Identity Theft | Cash
    Espionage (Nation State & Corporate) | Data Theft & Intellectual Property | Competitive Advantage
    Hackers / Script Kiddies | Defacement & Denial of Service | Ego & Credibility building
  • Most sites are not secure… An attacker can access unauthorized data, attack users using your website! (slide 6)
  • Look at the Web App through the eyes of an Attacker (slide 7)
  • Hot Spots for Attacker (slide 8)
  • Recent Security Flaws… (slide 9)
    - Real attack on Australian Tax Office: attacker changed the tax id in the URL, got info on 17,000 companies
    - Bank Website Hacked! Aug 15, 2013: http://articles.timesofindia.indiatimes.com/2013-08-15/delhi/41412603_1_bank-accountsarun-kumar-machines
  • So, how can we fix this? (slide 10)
  • OWASP - What is that? (slide 11)
    Open Web Application Security Project, www.owasp.org
    - International not-for-profit charitable Open Source Org
    - Top Ten
    - Guides towards Building Secure Web Apps, Application Testing, Code Reviews
    - OWASP Resources and Community: Documentation & Wiki, Code Projects, Chapters, Conferences
    - Participation in OWASP is free and open to all!
  • Most Critical Web App Security Risks: https://www.owasp.org/index.php/Top_10_2013-Top_10 (slide 12)
  • OWASP Top 10 Risks: 1 Injection (slide 13)
  • 1 - Injection. Easy / Common / Critical. https://www.owasp.org/index.php/Top_10_2013-A1-Injection (slide 14)
  • 1 - Injection (slide 15)
    String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
    With id = 209907 (returns 1 row):
    String query = "SELECT * FROM accounts WHERE custID='" + 209907 + "'";
    With id = 209907' or '1'='1 (the executed SQL becomes SELECT * FROM accounts WHERE custID='209907' or '1'='1'):
    String query = "SELECT * FROM accounts WHERE custID='" + "209907' or '1'='1" + "'";
    [Diagram: Web Server and DB]
  • 1 - Injection: How do I prevent 'Injection'? (slide 16)
    - Use Parameterized Queries
    - Stored Procedures instead of Dynamic SQL
    - OWASP ESAPI
    - Whitelist Input validation
    https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
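A runnable version of the contrast on slides 15 and 16, added here as an illustration rather than code from the talk: the concatenated query beside a parameterized one plus whitelist validation, over a constructed in-memory SQLite table named accounts.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the slide's accounts table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("209907", "alice"), ("209908", "bob"), ("209909", "carol")])
    return conn

def lookup_vulnerable(conn, cust_id):
    # The slide's pattern: the request parameter is pasted into the SQL text, so a
    # quote inside the value ends the literal and the rest becomes SQL syntax.
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, cust_id):
    # Placeholder binding: the value travels separately from the statement, so the
    # database only ever compares custID against the whole string, quotes and all.
    return conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()

def is_valid_cust_id(cust_id):
    # Whitelist input validation: a customer id is digits only; anything else is rejected.
    return cust_id.isdigit()

def lookup_hardened(conn, cust_id):
    # Defense in depth: validate against the whitelist first, then bind.
    if not is_valid_cust_id(cust_id):
        raise ValueError("custID must be numeric")
    return lookup_parameterized(conn, cust_id)
```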
  • OWASP Top 10 Risks: 2 Broken Authentication & Session Management (slide 17)
  • 2 - Broken Authentication & Session Mgmt (slide 18)
    - Authentication credentials aren’t protected when stored, using hashing or encryption
    - Weak account management functions
    - Session IDs are exposed in the URL
    - Session IDs don’t time out, don’t rotate after login
  • 2 - Broken Authentication & Session Mgmt (slide 19)
    Scenario 1 - Session id in URL: http://myairline.com/sale/saleitems;jsessionid=47HDFKWkJDS8723HAUG12HG?dest=Sydney
    - An authenticated user shares the airline offer (link)
    - The link has his session id since the app supports URL rewriting
    - When friends open the link, they have access to his session, credit card, etc.
    Scenario 2 - Improper Application Timeouts
    - User accesses the site on a public computer
    - Closes the browser instead of logging out
    - Attacker uses the same browser shortly after; the browser is still authenticated
    Scenario 3 - No restriction on Login attempts
    - In 2009, an attacker gained admin access to a Twitter server due to no restriction on the number of login attempts.
    - Attacker targets a support staff's password using “brute force”
    - Gains admin access to 33 accounts belonging to celebrities, politicians
  • 2 - Broken Authentication & Session Mgmt: How do I prevent ‘Authentication’ and ‘Session’ related risks? (slide 20)
    A single set of strong authentication and session management controls. Such controls should strive to:
    - Meet all the authentication and session management requirements defined in OWASP’s Application Security Verification Standard (ASVS) areas V2 (Authentication) and V3 (Session Management). https://www.owasp.org/index.php/ASVS
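An added example, not code from the talk, of the controls that slides 18 and 19 call for: session ids from a CSPRNG, rotation at login, an idle timeout, and a cap on failed logins. The timeout and lockout numbers are assumed policy values, and the injectable clock exists only so the behaviour can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60      # assumed policy: seconds of inactivity before a session dies
MAX_FAILED_LOGINS = 5       # assumed policy: failures before an account is locked

class SessionManager:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}      # session id -> {"user": ..., "last_seen": ...}
        self.failed = {}        # username -> consecutive failed login attempts

    def new_session(self, user=None):
        # 128 bits from the OS CSPRNG; sent to the browser in a cookie, never in the URL.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def login(self, old_sid, username, password, check_password):
        if self.failed.get(username, 0) >= MAX_FAILED_LOGINS:
            return None         # locked out: guessing stops paying off (scenario 3)
        if not check_password(username, password):
            self.failed[username] = self.failed.get(username, 0) + 1
            return None
        self.failed.pop(username, None)
        # Rotate on login: the pre-login id is dropped, so an id that leaked or was
        # fixated before authentication is worthless afterwards (scenario 1).
        self.sessions.pop(old_sid, None)
        return self.new_session(username)

    def current_user(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]   # idle timeout: same effect as a logout (scenario 2)
            return None
        s["last_seen"] = self.clock()
        return s["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)
```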
  • OWASP Top 10 Risks: 3 Cross Site Scripting (XSS) (slide 21)
  • 3 - Cross Site Scripting (XSS): XSS is targeted to attack other users’ browsers (slide 22)
  • 3 - Cross Site Scripting (XSS): Using JavaScript, an attacker can steal the Session ID / cookie, rewrite web pages, etc. (slide 23)
  • 3 - Cross Site Scripting (XSS): How do I prevent ‘XSS'? (slide 24)
    - Data Escaping techniques
    - Contextual Encoding
    - Auto Sanitization Libraries
    - Content Security Policy (CSP)
    - Whitelist Input validation
    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
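Contextual encoding in practice, as an added example that is not part of the deck: one untrusted value rendered into three output contexts, each through the encoder that context needs. The render function and its markup are made up for the illustration.

```python
import html
import json

def encode_html_body(value):
    # HTML body context: <, >, &, and quotes become entities, so "<script>" is displayed, not run.
    return html.escape(value, quote=True)

def encode_html_attribute(value):
    # Attribute context: same entities, and the template must always quote the attribute,
    # otherwise a space in the value starts a new attribute.
    return html.escape(value, quote=True)

def encode_js_string(value):
    # JavaScript string context: JSON-encode, then escape "<" and the U+2028/U+2029 line
    # separators so the value can neither close the <script> element nor break the JS parser.
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))

def render_profile(display_name):
    # The same value lands in three contexts; each insertion point uses its own encoder.
    return (
        f"<h1>{encode_html_body(display_name)}</h1>\n"
        f'<input type="text" value="{encode_html_attribute(display_name)}">\n'
        f"<script>var user = {encode_js_string(display_name)};</script>"
    )
```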
  • OWASP Top 10 Risks: 4 Insecure Direct Object References (slide 25)
  • 4 - Insecure Direct Object References: Unauthorized access to objects through Parameter Tampering (slide 26)
  • 4 - Insecure Direct Object References [diagram with numbered steps 1 to 6] (slide 27)
  • 4 - Insecure Direct Object References: How do I prevent? (slide 28)
    - Avoid exposing your private object references to users
    - Validate any private object references
    - Verify authorization to all referenced objects
    - Session indirect object references
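A session indirect object reference map with an authorization check on the way back in, written as an added illustration of the last two bullets (it is not code from the talk). The accounts table and the session user are constructed for the example.

```python
import secrets

# Constructed sample data: direct account ids as they exist in the database.
ACCOUNTS = {
    101: {"owner": "alice", "balance": 1200},
    102: {"owner": "bob", "balance": 50},
}

class IndirectReferenceMap:
    """Per-session map between random tokens and real object ids (one map per user)."""
    def __init__(self):
        self._to_token = {}
        self._to_direct = {}

    def token_for(self, direct_id):
        # Called while rendering a page: the browser only ever sees the token.
        if direct_id not in self._to_token:
            token = secrets.token_urlsafe(12)
            self._to_token[direct_id] = token
            self._to_direct[token] = direct_id
        return self._to_token[direct_id]

    def direct_for(self, token):
        # Called on the request path. Unknown token: this session was never shown that object.
        return self._to_direct.get(token)

def account_view_vulnerable(_session_user, account_param):
    # Slide 26's case: the real id is in the URL and is looked up with no ownership
    # check, so changing 101 to 102 returns somebody else's account.
    return ACCOUNTS.get(int(account_param))

def account_view_hardened(session_user, ref_map, token):
    account_id = ref_map.direct_for(token)
    if account_id is None:
        return None
    # Verify authorization to the referenced object, not merely that the token resolves.
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        return None
    return account
```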
  • OWASP Top 10 Risks: 5 Security Misconfiguration (slide 29)
  • 5 - Security Misconfiguration: Web apps exposing server error messages on screen; default accounts (slide 30)
  • 5 - Security Misconfiguration: Unprotected website directories! (slide 31)
  • 5 - Security Misconfiguration: How do I prevent? (slide 32)
    - Directory listing disabled on your server
    - Disable stack traces being returned to users
    - Identical configuration of Dev, QA & Prod, properly locked down with different passwords
    - Periodic scans & audits to detect misconfigurations
    From OWASP: Development Guide, Chapter on Configuration: https://www.owasp.org/index.php/Configuration; Testing Guide, Configuration Management: https://www.owasp.org/index.php/Testing_for_configuration_management
  • OWASP Top 10 Risks: 6 Sensitive Data Exposure (slide 33)
  • 6 - Sensitive Data Exposure: Sensitive data not protected properly! (slide 34)
  • 6 - Sensitive Data Exposure (slide 35)
    Example 1: HTTPS only during login (https://OfficeEmail.com: HTTP, then HTTPS, then back to HTTP)
    Example 2: Man-in-the-middle attack
  • 6 - Sensitive Data Exposure: How do I prevent? (slide 36)
    - Strict Transport Security in HTTP header (converts HTTP to HTTPS at the browser)
    - Secured sites should switch entirely to HTTPS
    - Encrypt all sensitive data
    - Don’t store sensitive data unnecessarily; discard it
    - Disable autocomplete on forms
    https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
  • OWASP Top 10 Risks: 7 Missing Function Level Access Control (slide 37)
  • 7 - Missing Function Level Access Control (slide 38)
    UI shows navigation to unauthorized functions; no server-side authentication check. Example: access to unauthorized functions, http://example.com/app/getappInfo vs. http://example.com/app/admin_getappInfo
  • 7 - Missing Function Level Access Control: How do I prevent? (slide 39)
    - “Presentation layer access control” vs. validations at controller or business logic
    - Define specific roles for access to every function
    - Establish a solid process for ‘Managing Entitlements’
    OWASP offers: ESAPI Access Control API: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html; OWASP Development Guide, Chapter on Authorization: https://www.owasp.org/index.php/Guide_to_Authorization; Testing Guide, Testing for Path Traversal: https://www.owasp.org/index.php/Testing_for_Path_Traversal
  • OWASP Top 10 Risks: 8 Cross Site Request Forgery (CSRF) (slide 40)
  • 8 - Cross Site Request Forgery (CSRF): Forged HTTP requests. Easy to detect via penetration testing (slide 41)
  • 8 - Cross Site Request Forgery (CSRF): Example (slide 42)
    1. Victim browses a page from Evil.org.
    2. Evil.org crafted an HTML image element that references a script on the victim's bank's website (rather than an image file), for example:
    3. If the victim's bank stores his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by the victim's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without the victim's approval
  • 8 - Cross Site Request Forgery (CSRF): How do I prevent CSRF? (slide 43)
    - Include an unpredictable unique token in each HTTP request
    - Token in a hidden field rather than the URL
    - Re-authentication via CAPTCHA
    OWASP offers: CSRF Guard, to include such tokens in Java EE, .NET, or PHP apps: https://www.owasp.org/index.php/CSRFGuard
    Other References:
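An added example, not code from the talk or from CSRFGuard, of the first two bullets: a per-session token carried in a hidden field and checked on every state-changing request. The token is derived as an HMAC over the session id; the key, the handler and the form dictionary are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)   # constructed here; a real deployment loads it from config

def csrf_token_for(session_id):
    # Bound to the session, so a token captured from one browser is useless in another.
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def hidden_field(session_id):
    # The token rides in a hidden form field, not in the URL, so it does not leak
    # through Referer headers, bookmarks or server logs.
    return f'<input type="hidden" name="csrf_token" value="{csrf_token_for(session_id)}">'

def handle_withdrawal(session_id, form):
    """State-changing POST handler: the session cookie alone is not enough; the token must match."""
    submitted = form.get("csrf_token", "")
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(submitted, expected):   # constant-time comparison
        return "rejected"
    return f"withdrew {form['amount']} to {form['to']}"
```

A forged request from another origin (slide 42) carries the victim's cookie automatically but cannot read or guess the token, so it is rejected before the form is processed.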
  • OWASP Top 10 Risks: 9 Using Known Vulnerable Components (slide 44)
  • 9 - Using Known Vulnerable Components: Weak external components, vulnerable to injection, broken access control, XSS, etc. (slide 45)
  • 9 - Using Known Vulnerable Components (slide 46)
    [Diagram: Dependency / Developer] Components built by other developers: web toolkits, widgets, runtime engines, web servers, framework libraries, etc.
    Example: the following two vulnerable components were downloaded 22m times in 2011! Every application using these is vulnerable to attack, as both components are directly accessible by application users:
    - Apache CXF Authentication Bypass
    - Spring Remote Code Execution
  • 9 - Using Known Vulnerable Components: How do I prevent? (slide 47)
    - Upgrade to newer versions
    - Establish security policies governing component use, like requiring certain software development practices, passing security tests, and acceptable licenses
    OWASP References: https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
  • OWASP Top 10 Risks: 10 Unvalidated Redirects & Forwards (slide 48)
  • 10 - Unvalidated Redirects & Forwards: Easy to detect (slide 49)
  • 10 - Unvalidated Redirects & Forwards: Example (slide 50)
    1. User receives a trusted email containing a legitimate link
    2. Hovering on the link shows the legitimate website www.trustedsite.com
    3. Clicking on the link redirects to www.evilsite.com
  • 10 - Unvalidated Redirects & Forwards: How do I prevent? (slide 51)
    - Simply avoid using redirects and forwards
    - If used, don’t involve user parameters
    - Use OWASP ESAPI to override redirect destinations
    OWASP References: https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
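An added example of the second and third bullets, not code from the talk or from ESAPI: a redirect target is accepted only when it stays on an assumed allow-list of hosts, and the alternative table lookup keeps the user-supplied destination out of the request entirely by mapping a server-chosen index to a destination.

```python
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.trustedsite.com"}   # assumed allow-list for this application

# Alternative: the request carries only an index; the server owns the real destinations.
REDIRECT_TABLE = {"1": "/account", "2": "/offers/sydney"}

def redirect_by_index(index, default="/"):
    return REDIRECT_TABLE.get(index, default)

def safe_redirect_target(next_param, default="/"):
    """Return next_param only if it stays on this site; otherwise the safe default."""
    if not next_param:
        return default
    parsed = urlparse(next_param)
    if parsed.scheme or parsed.netloc:
        # Absolute URL: scheme must be http(s) and the host on the list. Scheme-relative
        # forms ("//host/...") have a netloc but no scheme, so they are rejected here too.
        if parsed.scheme in ("http", "https") and parsed.netloc.lower() in ALLOWED_HOSTS:
            return next_param
        return default
    # Path only. Browsers treat "///host" and "/\\host" as scheme-relative URLs, so both
    # shapes are rejected, as is anything not anchored at the site root.
    if next_param.startswith("//") or "\\" in next_param or not next_param.startswith("/"):
        return default
    return next_param
```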
  • OWASP - A great start for your Web Apps security! (slide 52)
    - Read the OWASP Top Ten paper!
    - Get developers trained in web app security
    - Try OWASP WebGoat to learn how flaws work
    - Define security rules for your application
    - Get expert code review and penetration test periodically
  • Most Critical Web App Security Risks: free download available at OWASP.Org, https://www.owasp.org/index.php/Top_10_2013-Top_10 (slide 53)
  • Thank you for your time. Any Questions? (slide 54)