Top 10 web application security risks – Akash Mahajan



Looking at the Top 10 web application security risks according to OWASP Top 2010



  1. TOP 10 WEB APPLICATION SECURITY RISKS
     Overview of OWASP Top 10 – 2010
     Akash Mahajan – Chapter Lead for null Bangalore
  3. AKASH MAHAJAN | ABOUT ME
     • Independent Web Security Consultant
     • Chapter lead for null Bangalore
     • I test, hack and secure web applications and servers.
     • I consult companies on secure deployments on AWS etc.
     • Been doing application security for 5+ years.
     • Wrote IDS sigs for malware and vulnerabilities for 3 years as well.
  4. AGENDA
     • OWASP
     • OWASP Top 10
     • Application Security Risks
     • OWASP Top 10 Details
     • The Beginning
     • Contact Details
  5. OPEN WEB APPLICATION SECURITY PROJECT
     • OWASP is a worldwide non-profit open community dedicated to web application security.
     • OWASP offers free tools, books, documents etc. to developers, security practitioners and anyone interested in application security.
     • Some of the most popular OWASP projects are:
       • OWASP Top 10
       • OWASP WebGoat Project
       • OWASP Testing Guide
       • OWASP Developer Guide
     • Definitely visit and track updates on
  6. OWASP TOP 10
     • OWASP Top 10 is a document listing the ten most critical risks currently faced by web applications.
     • It is about managing risk, not just avoiding vulnerabilities.
     • It is meant to be consumed by developers, not just security dudes.
     • You should consider using it if you are in charge of keeping web apps safe.
     • Also if your organization doesn’t have an app sec program and would like to start one now.
     • Top 10 implies that these risks should be mitigated first to ensure the safety of the web application.
     • There are other risks, but they are less severe than the top 10.
  7. OWASP TOP 10
     • Who else is using it?
       • The PCI Council, US Department of Defense, US Federal Trade Commission, Data Interchange Standards Association
       • Companies like Microsoft, Citibank, IBM, HP, British Telecom, Oracle
     • How do they use it?
       • Microsoft uses it as part of its Security Development Lifecycle
       • The PCI Council uses it as part of the PCI Data Security Standard
       • Oracle and the NSA use it as part of developer awareness
       • Others use it to ensure a minimal level of security audit of web applications
  8. APPLICATION SECURITY RISKS
     • Applications can have many attack vectors:
       • A form that submits to the database
       • A database login for a partner for direct access
       • An FTP login for a third-party content team
     • These attack vectors can be used to exploit security weaknesses.
     • For example, stolen FTP credentials for an Amazon EC2 server might allow the EC2 credentials to be stolen as well.
     • Once stolen, all services based on your Amazon account are vulnerable to hijack.
     • You could end up paying for someone else misusing your Amazon services!
  9. OWASP TOP 10 – A1 INJECTION
     • Injection flaws, such as SQL and OS injection, occur when untrusted data is sent to an interpreter as part of a command.
     • The attacker’s hostile data can trick the interpreter into executing commands or accessing unauthorized data.
     • SQL injection is one of the most used vectors when malicious people want to create a new botnet.
     • First a vulnerable web-facing application is identified. Automated roBOTs/scripts crawl the world wide web looking for the identified application. Once found, they inject HTML/JS with links pointing to trojan downloaders etc.
     • Users with insecure browsers/OS come to the infected websites and get infected in turn, creating a NETwork.
     • In some cases up to 10,00,000 (one million) sites have been infected in a single day.
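As an added example (not from the slides), the user lookup behind a login form written both ways in Python against a constructed in-memory SQLite table: the string-built query lets the quoted input rewrite the command, while the parameterized one only ever compares the input as data. Table and user names are constructed.

```python
import sqlite3

# Constructed sample data: two users in an in-memory database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "alice", "s3cret"), (2, "bob", "hunter2")])


def find_user_vulnerable(name):
    """Untrusted data spliced into the SQL text: the interpreter cannot tell
    where the command ends and the data begins."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(name):
    """Placeholder binding: the driver passes the value separately from the
    command, so the input is only ever compared as a string."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed hostile input: closes the quoted literal and appends an
# always-true clause, which is exactly what a parameterized query prevents.
HOSTILE = "nobody' OR '1'='1"

if __name__ == "__main__":
    print(find_user_vulnerable(HOSTILE))   # every row comes back
    print(find_user_safe(HOSTILE))         # [] because no user has that name
```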
  10. OWASP TOP 10 – A2 CROSS SITE SCRIPTING (XSS)
     • XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
     • Frequently used to steal your session.
     • One of the most infamous examples is the MySpace Samy worm. In less than a day he got more than a million friends and MySpace had to be shut down.
     • An XSS bug on the website registration page can enable theft of registration details.
     • Would you like your competitor to find out about all your new users?
  11. OWASP TOP 10 – A3 BROKEN AUTHENTICATION AND SESSION MANAGEMENT
     • Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users’ identities.
     • Developers tend to build custom authentication schemes which aren’t tested enough and may contain logical flaws as well.
     • Technical impact ranges from login theft to malicious users getting access to all account details.
     • Generating a new password every time someone enters an email id in the forgot-password form will cause a denial-of-service attack!
     • Not destroying the session after a fixed time.
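An added example (not from the slides) for the forgot-password bullet, in Python: a reset flow that issues a hashed, expiring, single-use token and leaves the stored password untouched until that token is presented, so repeated requests for somebody else's address cannot lock them out. The user store, addresses and clock values are constructed.

```python
import hashlib
import secrets
import time

# Constructed user store; proper credential hashing is out of scope here.
USERS = {"alice@example.com": {"password": "current-pw"}}
RESET_TOKENS = {}          # sha256(token) -> (email, expiry timestamp)
TOKEN_TTL = 15 * 60        # seconds a reset link stays valid


def request_reset(email, now=None):
    """Handle the forgot-password form. Nothing about the account changes."""
    now = time.time() if now is None else now
    if email not in USERS:
        # The HTTP response shown to the requester is identical either way;
        # only whether an email gets sent differs.
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()   # store only the hash
    RESET_TOKENS[key] = (email, now + TOKEN_TTL)
    return token           # delivered to the address on file, never echoed


def complete_reset(token, new_password, now=None):
    """Only a valid, unexpired, unused token may change the password."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)                 # single use
    if entry is None or now > entry[1]:
        return False
    email, _expiry = entry
    USERS[email]["password"] = new_password             # the only mutation
    return True
```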
  12. CONNECT THIS IMAGE TO WEB SECURITY
     (image: Paris Hilton, Tinkerbell)
  13. OWASP TOP 10 – A4 INSECURE DIRECT OBJECT REFERENCE
     • A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
     • Technical impact can be letting unauthorized users download files not meant for them.
     • A real-world website has a page that displays an invoice for the user. It takes an id parameter. If we change the parameter, it shows the invoice of another user.
     • Most people mistakenly think that if a file or folder is not linked from any web page it can’t be found by a malicious user.
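The invoice page from the slide as an added Python example (not from the slides): the lookup keyed only on the id parameter, beside a version that checks ownership at the point of use and a version that hands the browser per-user indirect references instead of database keys. Invoice data and user names are constructed.

```python
# Constructed invoice store: database key -> record with its owner.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
}


class Forbidden(Exception):
    """Raised when the caller does not own the requested object."""


def invoice_direct(invoice_id):
    """The slide's bug: whoever can guess a key can read the record."""
    return INVOICES[invoice_id]


def invoice_for_user(current_user, invoice_id):
    """Access control at the point of use: the reference is honoured only
    when it belongs to the authenticated user. A key that exists but belongs
    to someone else is reported exactly like a missing key, so the response
    does not confirm which keys are valid."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        raise Forbidden("no such invoice for this user")
    return record


def indirect_refs(current_user):
    """Alternative: give the browser per-user references (1, 2, ...) and
    resolve them server-side, so real database keys never leave the app."""
    owned = sorted(k for k, r in INVOICES.items() if r["owner"] == current_user)
    return {n + 1: key for n, key in enumerate(owned)}


def invoice_by_ref(current_user, ref):
    """Resolve a per-user reference; anything outside the user's map fails."""
    try:
        return INVOICES[indirect_refs(current_user)[ref]]
    except KeyError:
        raise Forbidden("no such invoice for this user")
```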
  14. OWASP TOP 10 – A5 CROSS SITE REQUEST FORGERY
     • A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application.
     • This allows the attacker to force the victim’s browser to generate requests that the vulnerable application thinks are legitimate requests from the victim.
     • Examples of what a forged request can do:
       • Log you out of your email account.
       • Add a rogue DNS entry in your ADSL modem!
       • Create a filter in webmail to forward all email to a malicious user.
  15. OWASP TOP 10 – A6 SECURITY MISCONFIGURATION
     • Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform.
     • This includes keeping all software up to date, including all code libraries used by the application.
     • Network Solutions was offering WordPress installations on a shared server. The main configuration file wp-config.php was world-readable, which led to a mass hack of WordPress-based websites.
     • Shipping with default passwords!
  16. OWASP TOP 10 – A7 INSECURE CRYPTOGRAPHIC STORAGE
     • Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing.
     • Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
     • Storing unsalted hashes made with a known weak hash algorithm like MD5. Using rainbow tables, attackers can figure out stolen passwords in no time at all.
     • Storing the encryption key in the same location as the encrypted files.
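An added Python example (not from the slides) contrasting the unsalted MD5 storage the slide warns about with a salted, iterated PBKDF2-HMAC-SHA256 record built from the standard library; the passwords are constructed.

```python
import hashlib
import hmac
import os


def store_md5(password):
    """The slide's bug: unsalted MD5. Every user with the same password gets
    the same digest, and that digest can be looked up in a precomputed
    (rainbow) table instead of being guessed."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password, iterations=600_000):
    """Per-user random salt plus a deliberately slow, iterated hash. The
    salt and iteration count travel with the hash in the stored record;
    only the password itself is absent, so a table of precomputed digests
    is useless and each stolen record must be attacked on its own."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so response timing does not leak matching prefixes."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```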
  17. OWASP TOP 10 – A8 FAILURE TO RESTRICT URL ACCESS
     • Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
     • This can be due to either:
       • Simple misconfiguration
       • Flawed coding or logic
     • Assuming that a hidden page will never be found doesn’t usually end well. Anonymous users accessing pages meant for authenticated users, and authenticated users accessing admin pages, can have a negative impact.
  18. OWASP TOP 10 – A9 INSUFFICIENT TRANSPORT LAYER PROTECTION
     • Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.
     • Login and password passed in clear text over the wire. Anyone monitoring the traffic can get hold of the credentials.
  19. OWASP TOP 10 – A10 UNVALIDATED REDIRECTS AND FORWARDS
     • Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.
     • Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
     • A malicious user crafting a redirect URL that points to another site for phishing.
     • A forward parameter coded to send the user either to the admin section or to the normal section.
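An added Python example (not from the slides) of validating a redirect target before issuing the redirect: relative paths are accepted only when a browser cannot read them as a scheme-relative URL, and absolute URLs only for an allowlist of the site's own hosts. The hostnames are constructed.

```python
from urllib.parse import urlparse

# Constructed allowlist: hosts this application is happy to send users to.
ALLOWED_HOSTS = {"www.example.com", "account.example.com"}


def is_safe_redirect(target):
    """True only for a local path or an absolute http(s) URL on our hosts."""
    if not target or "\\" in target or any(ord(c) < 0x20 for c in target):
        # Browsers treat backslashes as slashes, and URL parsers strip or
        # fold control characters, so reject both before parsing.
        return False
    try:
        parts = urlparse(target)
    except ValueError:            # e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme == "" and parts.netloc == "":
        # A relative reference must be a plain path. "//host/..." is a
        # scheme-relative URL, and browsers read "///host" the same way.
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL: only http(s), and only a hostname we own. `hostname`
    # drops userinfo and port, so "https://www.example.com@evil.test/"
    # is seen as evil.test rather than as our host.
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def redirect_location(target, fallback="/"):
    """Value for the Location header: the target if it is safe, else home."""
    return target if is_safe_redirect(target) else fallback
```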
  20. THE BEGINNING
     • These risks are only the top 10 of them all. There are many others that are very dangerous and should be guarded against, like:
       • Clickjacking, Denial of Service, Information Leakage, Improper Error Handling, Insufficient Anti-automation, Lack of Intrusion Detection, Malicious File Execution
     • To develop secure code: ‘OWASP Developers Guide’
     • To test web applications for security: ‘OWASP Testing Guide’
     • To review web applications: ‘OWASP Code Review Guide’
     • Keep yourself updated: join a local OWASP chapter
     • Get on the mailing lists.
  21. AKASH MAHAJAN | REACH ME
     • Reach me on
       • Website:
       • Email:
       • Twitter: @makash
       • Linkedin: