OWASP Top 10 : Let’s know & solve

1. OWASP Top 10 : Let’s know & solve (Harit Kothari)
2. Top 10
   - Cross Site Scripting (XSS)
   - Injection Flaws
   - Malicious File Execution
   - Insecure Direct Object Reference
   - Cross Site Request Forgery (CSRF)
   - Information Leakage and Improper Error Handling
   - Broken Authentication and Session Management
   - Insecure Cryptographic Storage
   - Insecure Communications
   - Failure to Restrict URL Access
3. Cross Site Scripting (XSS)
4. Remedies
   - Client side validation (using JavaScript etc.) improves usability only; an attacker bypasses it with one request, so it is never the security control
   - Specify the character set (e.g. UTF-8, ISO-8859-1) explicitly in the Content-Type header and the HTML meta charset, so the browser cannot be tricked into reading the page in a different encoding in which filtered characters reappear
   - Server side validation of every input, plus encoding of data at the point where it is written into the page
   - Best practice: error reporting / server logs
5. Examples
   - Replace special character(s) with blanks ‘ ’. This is a deny-list: it catches the obvious tag characters but not quotes, so it supplements output encoding rather than replacing it

        String s = request.getParameter("input");
        final String filterPattern = "[<>{};&]";
        String inputStr = s.replaceAll(filterPattern, " ");

   - Another: check whether the String contains any character other than a digit, using a RegEx (an allow-list, preferred wherever the expected type is known)

        final String inputStr = request.getParameter("input");
        final String numericPattern = "^[0-9]+$";
        if (inputStr == null || !inputStr.matches(numericPattern))
        {
            /* invalid input, do something with the error */
        }

   - Yet another: change each character into its decimal character reference (&#NN;) before writing it into the page, of course paying a performance penalty for the longer output

        public static String encode(String data)
        {
            final StringBuilder buf = new StringBuilder();
            final char[] chars = data.toCharArray();
            for (int i = 0; i < chars.length; i++)
            {
                // "&#<code>;" : the browser renders the character but never parses it as markup
                buf.append("&#").append((int) chars[i]).append(';');
            }
            return buf.toString();
        }
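To show why the deny-list on this slide is only a supplement, here is an added example in Python (the deck's own code is Java; this is not from the deck). SAMPLE_NAME is a constructed payload, TEMPLATE is an assumed page fragment, and the function names are assumptions. The filter blanks out the characters it knows about, but the value is written inside a double-quoted attribute, a context where a plain quote is enough to break out; contextual output encoding closes that hole.

```python
import html

# Added example, not code from the slides. SAMPLE_NAME is a constructed payload:
# the slide's deny-list blanks out < > { } ; & but leaves quotes alone, which is
# all an attacker needs once the value is written inside an HTML attribute.
SAMPLE_NAME = 'Harit" onmouseover="alert(1)'
DENY_LIST = str.maketrans({c: " " for c in "<>{};&"})
TEMPLATE = '<input type="text" name="user" value="{}">'  # assumed page fragment


def deny_list_filter(value: str) -> str:
    """The slide's replaceAll(filterPattern, " ") idea: blank out listed characters only."""
    return value.translate(DENY_LIST)


def numeric_encode(value: str) -> str:
    """The slide's encode(): every character becomes a decimal character reference."""
    return "".join(f"&#{ord(ch)};" for ch in value)


def render_with_deny_list(name: str) -> str:
    """Vulnerable: the filtered value is still interpolated raw into the attribute."""
    return TEMPLATE.format(deny_list_filter(name))


def render_with_encoding(name: str) -> str:
    """Hardened: contextual output encoding; " becomes &quot; so the attribute cannot be closed."""
    return TEMPLATE.format(html.escape(name, quote=True))


def attribute_broken_out(rendered: str) -> bool:
    """Did the payload manage to start a new attribute? (crude check for the demonstration)"""
    return ' onmouseover="' in rendered


if __name__ == "__main__":
    print(render_with_deny_list(SAMPLE_NAME))  # browser sees an onmouseover handler
    print(render_with_encoding(SAMPLE_NAME))   # browser sees one literal value
    print(numeric_encode("<b>"))
```

The encoder has to match the context: html.escape covers text and quoted attributes, but a value dropped into a script block or a URL needs JavaScript or URL encoding instead, which no character deny-list can anticipate.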
6. Examples continued
   - Secure exceptions thrown at server pages: map error codes and exception types to fixed pages in web.xml, so the container never renders a stack trace

        <!-- Maps the 404 Not Found response code to the error page /errPage404 -->
        <error-page>
            <error-code>404</error-code>
            <location>/errPage404</location>
        </error-page>
        <!-- Maps any thrown ServletException to the error page /errPageServ -->
        <error-page>
            <exception-type>javax.servlet.ServletException</exception-type>
            <location>/errPageServ</location>
        </error-page>
        <!-- Maps any other thrown exception to a generic error page /errPageGeneric -->
        <error-page>
            <exception-type>java.lang.Throwable</exception-type>
            <location>/errPageGeneric</location>
        </error-page>
7. Injection Flaws
8. Remedies
   - Input validation
   - Strongly typed query APIs: PreparedStatement in JDBC, named parameters in Hibernate/ORM queries (an HQL string built by concatenation is just as injectable as raw SQL)
   - Avoid dynamic query APIs (Statement in JDBC)
   - Escape LDAP metacharacters in values placed into a distinguished name or a search filter (backslash prefix, see the next slides) to eliminate LDAP injection
9. Examples
   - Using PreparedStatement: the ‘?’ placeholder is bound with setString(), so the value travels as data and is never parsed as SQL

        try
        {
            // Prepare a statement to insert a record
            String sql = "INSERT INTO my_table (columnName) VALUES(?)";
            PreparedStatement pstmt = connection.prepareStatement(sql);
            // Insert 10 rows
            for (int i = 0; i < 10; i++)
            {
                // Set the value
                pstmt.setString(1, "row " + i);
                // Insert the row
                pstmt.executeUpdate();
            }
            pstmt.close();
        }
        catch (SQLException e)
        {
            // never swallow the exception silently: log it server side and rethrow,
            // so the error page mapping on slide 6 shows the user a generic message
            throw new ServletException("database error", e);
        }
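The slide shows the safe API but not what goes wrong without it. The following is an added example in Python with sqlite3 (not the deck's Java): the same lookup written with string concatenation, the JDBC Statement pattern, and with a bound parameter, the PreparedStatement pattern. The table contents and PAYLOAD are constructed; PAYLOAD is the classic tautology an attacker sends as a username.

```python
import sqlite3

# Added example in Python/sqlite3, not the slide's Java. The table and the payload
# are constructed; PAYLOAD is the classic tautology an attacker sends as a username.
PAYLOAD = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """In-memory table standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def lookup_dynamic(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the JDBC Statement pattern, value concatenated into the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the PreparedStatement pattern, value bound as a parameter ('?')."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_db()
    print(lookup_dynamic(db, PAYLOAD))   # every user: the WHERE clause became a tautology
    print(lookup_prepared(db, PAYLOAD))  # nobody: the payload is just an odd username
```

The same split applies to an ORM: a query string assembled from user input is the dynamic case whatever the API is called, and only the bound-parameter form is safe.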
10. Examples continued
   - Escaping values placed into an LDAP distinguished name (DN), per RFC 4514: the special characters get a backslash prefix, and a leading space or ‘#’ and a trailing space are escaped as well

        public static String escapeDN(String name)
        {
            StringBuilder sb = new StringBuilder();
            if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#')))
            {
                sb.append('\\'); // add the leading backslash if needed
            }
            for (int i = 0; i < name.length(); i++)
            {
                char curChar = name.charAt(i);
                switch (curChar)
                {
                    case '\\': sb.append("\\\\"); break;
                    case ',':  sb.append("\\,");  break;
                    case '+':  sb.append("\\+");  break;
                    case '"':  sb.append("\\\""); break;
                    case '<':  sb.append("\\<");  break;
                    case '>':  sb.append("\\>");  break;
                    case ';':  sb.append("\\;");  break;
                    default:   sb.append(curChar);
                }
            }
            if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' '))
            {
                sb.insert(sb.length() - 1, '\\'); // add the trailing backslash if needed
            }
            return sb.toString();
        }
11. Examples continued
   - Escaping values placed into an LDAP search filter, per RFC 4515: each filter metacharacter becomes a backslash plus its two hex digits, so a value such as *)(uid=* cannot change the structure of the filter

        public static final String escapeLDAPSearchFilter(String filter)
        {
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < filter.length(); i++)
            {
                char curChar = filter.charAt(i);
                switch (curChar)
                {
                    case '\\':     sb.append("\\5c"); break;
                    case '*':      sb.append("\\2a"); break;
                    case '(':      sb.append("\\28"); break;
                    case ')':      sb.append("\\29"); break;
                    case '\u0000': sb.append("\\00"); break;
                    default:       sb.append(curChar);
                }
            }
            return sb.toString();
        }
12. Malicious File Execution
13. Remedies
   - Strongly validate user-supplied input before it reaches any include, file open or exec call
   - Add firewall rules that stop the application server from fetching content from arbitrary hosts on its own (no outbound HTTP/FTP except where required), so a remote file include has nothing to load
   - Check any user supplied files or filenames: map user input onto an allow-list of known files, or canonicalise the path and confirm it still lies under the intended directory
   - Consider running the application in a chroot jail / sandbox so that a successful execution has limited reach
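Both ways of checking user supplied filenames from the remedies, as an added example in Python (not from the deck, whose code is Java). BASE_DIR is a constructed temporary directory standing in for the application's template directory, TEMPLATES is an assumed allow-list, and the function names are assumptions. The first function never lets the user name a file at all; the second accepts a path but rejects URLs, NUL bytes and anything that resolves outside the base directory.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Added example, not from the slides. BASE_DIR is a constructed stand-in for the
# application's template directory, populated with two files so the code runs offline.
BASE_DIR = tempfile.mkdtemp()
TEMPLATES = {"home": "home.inc", "help": "help.inc"}  # allow-list: key -> file (assumed)
for _fname in TEMPLATES.values():
    with open(os.path.join(BASE_DIR, _fname), "w") as _f:
        _f.write(f"<!-- {_fname} -->")


def include_by_key(key: str):
    """Preferred: the user picks a key, never a file name. Unknown keys return None."""
    fname = TEMPLATES.get(key)
    if fname is None:
        return None
    with open(os.path.join(BASE_DIR, fname)) as f:
        return f.read()


def resolve_under_base(user_path: str):
    """Fallback when a path must be accepted: reject URLs and NULs, canonicalise, then
    confirm the real path still lies under BASE_DIR. Returns None when rejected."""
    if "\x00" in user_path or urlsplit(user_path).scheme:
        return None  # remote include (http://, ftp://, ...) or NUL-byte truncation
    base = os.path.realpath(BASE_DIR)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None  # ../ or an absolute path escaped the directory
    return target


if __name__ == "__main__":
    print(include_by_key("home"))
    print(include_by_key("../../../etc/passwd"))
    print(resolve_under_base("help.inc"))
    print(resolve_under_base("../../../../etc/passwd"))
    print(resolve_under_base("http://attacker.example/shell.txt"))
```

The containment check compares canonical paths on purpose: a symlink inside the base directory that points outside it is resolved by realpath before the comparison, so it is rejected too.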
14. Insecure Direct Object Reference
15. Remedies
   - Limit direct reference (public access) to secure entities (objects): do not expose database keys, file names or account numbers as request parameters where it can be avoided
   - Always check access permission against an alternate, server-held parameter, e.g. the userID from the session, never against something the client sends
   - Use index values (indirect references mapped per user or per session) so the actual name / key cannot be manipulated
16. Example
   - The account number comes from the request, the user from the session; the query is scoped by both, so a user who tampers with AccountNo gets no row

        int bankAccountNo = Integer.parseInt( request.getParameter( "AccountNo" ) );
        User user = (User)request.getSession().getAttribute( "user" );
        String query = "SELECT * FROM account_master WHERE ac_no=" + bankAccountNo + " AND userID=" + user.getID();

   - Note: this concatenation is free of SQL injection only because bankAccountNo is an int (parseInt rejects anything else) and user.getID() is a server-side value; for string values use a PreparedStatement as on slide 9
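The slide's ownership-scoped query together with the indirect reference from the remedies, as an added example in Python with sqlite3 (not from the deck). The account_master rows are constructed; SessionRefMap, fetch_account and the other names are assumptions. An attacker who changes the account number in a request hits the userID clause; an attacker who replays another user's opaque reference finds that it means nothing in their own session.

```python
import secrets
import sqlite3

# Added example, not from the slide. Constructed data: account_master rows for two
# users. Names (SessionRefMap, fetch_account, ...) are assumptions for illustration.


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account_master (ac_no INTEGER, userID TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO account_master VALUES (?, ?, ?)",
                     [(1001, "alice", 50), (1002, "alice", 70), (2001, "bob", 999)])
    return conn


class SessionRefMap:
    """Per-session indirect references: pages show an opaque key, never the real ac_no.
    reference_for() is called while rendering the user's own account list, i.e. for
    accounts a user-scoped query has already returned."""

    def __init__(self, user: str):
        self.user = user
        self._ref_to_acct = {}

    def reference_for(self, ac_no: int) -> str:
        ref = secrets.token_urlsafe(8)  # unguessable, meaningful only in this session
        self._ref_to_acct[ref] = ac_no
        return ref

    def resolve(self, ref: str):
        return self._ref_to_acct.get(ref)  # None for forged or foreign references


def fetch_account_direct(conn, user: str, ac_no: int):
    """The slide's query with bound parameters: even a direct ac_no is scoped by the session user."""
    return conn.execute(
        "SELECT ac_no, balance FROM account_master WHERE ac_no = ? AND userID = ?",
        (ac_no, user)).fetchone()


def fetch_account(conn, session: SessionRefMap, ref: str):
    """Indirect reference first, then the ownership-scoped query as defence in depth."""
    ac_no = session.resolve(ref)
    if ac_no is None:
        return None
    return fetch_account_direct(conn, session.user, ac_no)


if __name__ == "__main__":
    db = build_db()
    alice = SessionRefMap("alice")
    ref = alice.reference_for(1001)
    print(fetch_account(db, alice, ref))                 # (1001, 50)
    print(fetch_account(db, SessionRefMap("bob"), ref))  # None: ref means nothing in bob's session
    print(fetch_account_direct(db, "bob", 1001))         # None: bob tampered with AccountNo
```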
17. Cross Site Request Forgery (XSRF)
   - Also known as…
      - Session Riding
      - One-Click Attacks
      - Hostile Linking
      - Automation Attack
18. Example
   - Application-level defences, e.g.:
      - Ask for the current password before changing to a new one (the attacker does not know it)
      - Do not rely on hidden form fields with fixed or guessable values; the attacker’s page can reproduce them
      - Use cryptographic tokens: unpredictable, tied to the user’s session, submitted with the form and verified on the server
19. Remedies
   - A per-session secret token carried in every state-changing form or request and checked server side. The session ID (JSESSIONID in JavaEE) is unpredictable, but on its own it does not protect against CSRF: the browser attaches the session cookie to the forged request automatically, so the token must travel in the request body or a header, never only in a cookie
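The token defence from the two preceding slides, as an added example in Python (not from the deck). SERVER_KEY stands in for a per-deployment secret and is generated at import time here; the handler and function names are assumptions. The token is an HMAC over the session ID, so it is bound to one session, cannot be computed by a site that does not hold the server key, and needs no server-side storage; a forged cross-site form arrives with the session cookie but without the token and is rejected.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides. SERVER_KEY stands in for a per-deployment
# secret (constructed here at import time); function names are assumptions.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token = HMAC-SHA256(server key, session id): unforgeable without the key and
    bound to one session. Embed it in each form as a hidden field or send it in a header."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted) -> bool:
    """Constant-time comparison; a missing or malformed token fails like a wrong one."""
    if not isinstance(submitted, str) or not submitted.isascii() or not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def handle_change_email(session_id: str, form: dict) -> str:
    """State-changing handler. The browser attaches the session cookie to a forged
    cross-site request too, so the decision rests on the token in the form body."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 rejected"
    return "200 email changed to " + form.get("email", "")


if __name__ == "__main__":
    sid = secrets.token_urlsafe(32)  # the value that lives in the session cookie
    print(handle_change_email(sid, {"email": "me@example.org",
                                    "csrf_token": issue_csrf_token(sid)}))
    print(handle_change_email(sid, {"email": "attacker@example.org"}))  # forged form: no token
```

Because the token is derived from the session ID, it must be reissued when the session ID is rotated at login, and the session ID itself must stay secret (HttpOnly cookie, never in a URL).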
20. Information Leakage and Improper Error Handling
21. Remedies
   - Exception handling with a simplified message (and only when one is required) on the user end, a key point: stack traces, SQL errors and file paths stay in the server log
   - Define error pages at AppServer level, e.g. for 4xx page-related errors and for 5xx / uncaught exceptions, as in the web.xml on slide 6
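The web.xml on slide 6 keeps the container from rendering a stack trace; what the application itself should do with an exception is shown here as an added example in Python (not from the deck). The handler, logger name and function names are assumptions. The full traceback goes to the server log under a short reference id, and the client receives only a generic message carrying that id, so support can locate the log entry without the user ever seeing the internals.

```python
import logging
import traceback
import uuid

# Added example, not from the slides. The handler and the log destination are
# assumptions; the point is what crosses to the client versus what stays in the log.
log = logging.getLogger("app")


def run_request(handler):
    """Run a request handler. On success return (200, body). On any failure log the full
    stack trace server side under a short reference id and return only a generic message
    carrying that id."""
    try:
        return 200, handler()
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("request failed ref=%s\n%s", ref, traceback.format_exc())
        return 500, f"Something went wrong. Reference: {ref}"


def leaks_internals(body: str) -> bool:
    """Check used by the demonstration: does client-visible text carry stack-trace material?"""
    markers = ("Traceback", "Exception", "Error", ".py", "line ", "/")
    return any(m in body for m in markers)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(run_request(lambda: "ok"))
    print(run_request(lambda: 1 / 0))  # (500, 'Something went wrong. Reference: ...')
```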
22. Broken Authentication and Session Management
23. Example
   - On logout, invalidate the container session so its ID can no longer be replayed:

        HttpSession session = request.getSession(false);
        if (session != null)
        {
            session.invalidate();
        }
24. Remedies
   - Proper session management
      - No home-grown routine; use the application server’s default mechanism
   - Session timeout after a specific idle time
   - Destruction of the session on logout / timeout
   - No session details in logs or URL (URL rewriting leaks the ID through referer headers, proxies and bookmarks)
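The properties the remedies ask of the container's session mechanism, made concrete in an added example in Python (not from the deck; in JavaEE the container already does this for you, so the code is for understanding, not for deployment). IDLE_TIMEOUT is an assumed policy value, the clock is injectable so the timeout can be exercised without waiting, and all names are assumptions.

```python
import secrets
import time

# Added example, not from the slides: a minimal server-side session store showing the
# properties the remedies ask for. IDLE_TIMEOUT is an assumed policy value; the clock is
# injectable so the timeout can be exercised without waiting.
IDLE_TIMEOUT = 15 * 60  # seconds


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}  # session id -> {"user": ..., "last_seen": ...}
        self._clock = clock

    def create(self, user: str) -> str:
        """New session with a 256-bit id from the OS CSPRNG: unpredictable, like JSESSIONID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def user_for(self, sid):
        """Resolve a session id; an idle session is destroyed on first touch after the timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT:
            self.invalidate(sid)
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def rotate(self, sid):
        """Issue a fresh id for an existing session (do this at login) so an id an attacker
        planted or observed before authentication is worthless afterwards."""
        user = self.user_for(sid)
        if user is None:
            return None
        self.invalidate(sid)
        return self.create(user)

    def invalidate(self, sid) -> None:
        """Logout / timeout: the server forgets the id, so replaying the cookie fails."""
        self._sessions.pop(sid, None)


def loggable(sid: str) -> str:
    """Never write the session id itself to logs or URLs; a short prefix is enough to correlate."""
    return sid[:6] + "..."
```

The cookie carrying the id should additionally be marked HttpOnly and, over TLS, Secure; that is container configuration rather than session logic.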
25. Insecure Cryptographic Storage
26. Remedies
   - A really secure, standard encryption algorithm (e.g. AES) in a sound mode; never a home-made cipher
   - Ensure that every sensitive piece of information is encrypted well, or, for passwords, stored only as a salted, slow hash
   - Use publicly approved algorithms instead of user defined ones
   - Store private keys in an extremely secure location (offline), separate from the data they protect
   - Ensure encrypted data is not easily decrypted: without the key the ciphertext must be useless, so key management matters as much as the cipher
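"Publicly approved instead of user defined" for the commonest sensitive stored item, a password, as an added example in Python using only the standard library (not from the deck). ITERATIONS is an assumed policy value and the function names are assumptions. The weak function is the kind of scheme that looks like protection and is not; the stored format records salt and parameters so they can be raised later. Reversible encryption of other data would use AES from a vetted library, which is outside the standard library and not shown.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the slides. It contrasts a "user defined" scheme with a publicly
# approved one for storing a password. ITERATIONS is an assumed policy value.
ITERATIONS = 200_000


def weak_store(password: str) -> str:
    """Anti-pattern: unsalted, fast MD5. Equal passwords give equal hashes and a
    precomputed table cracks them wholesale."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt; the stored string records the
    parameters so they can be raised later without breaking existing entries."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:
        return False  # malformed record, including anything produced by weak_store()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print(weak_store("secret") == weak_store("secret"))  # True: identical for every user
    record = store_password("secret")
    print(record)
    print(verify_password("secret", record), verify_password("wrong", record))
```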
27. Insecure Communications
28. Remedies
   - Use of strong transport encryption while sending important data over the network: TLS (the successor to SSL), with certificate verification on the client side
   - Encryption of sensitive data
   - Ensure communication between infrastructure elements (e.g. DB & Server) uses transport layer security or protocol level encryption, not only the browser-to-server hop
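The client side of "use TLS" is where most deployments quietly fail: the connection is encrypted, but nobody checks who is on the other end. Here is an added example in Python using the standard library (not from the deck) with the weak configuration beside the corrected one; function names are assumptions and no connection is made, the hardened context is what an application would hand to http.client.HTTPSConnection or ssl.SSLContext.wrap_socket for its own outbound connections, database drivers included where they accept one.

```python
import ssl

# Added example, not from the slides: the weak and the corrected client-side TLS
# configuration, using only the standard library. No connection is made here.


def weak_client_context() -> ssl.SSLContext:
    """What 'just make it work' code does: no certificate or hostname check, so anyone
    on the path can present their own certificate and read the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Certificate chain and hostname verified against the system (or a given) CA bundle,
    and nothing older than TLS 1.2 negotiated."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check an application can run on any context it is handed."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    print("weak acceptable:", context_is_acceptable(weak_client_context()))        # False
    print("hardened acceptable:", context_is_acceptable(hardened_client_context()))  # True
```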
29. Failure to Restrict URL Access
30. Remedies
   - Access control matrix: which role may reach which URL, checked on every request, default deny
   - No read access for unauthorized users
   - “Hidden” URLs known only to the users they are meant for is a wrong assumption; the check must be enforced on the server, not hoped for
   - Keep include / header files out of public scope, outside the document root of the application
   - Block access to the types of files the application does not serve (backups, includes, configuration)
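The access control matrix and the file-type block from the remedies, as an added example in Python (not from the deck). The roles, URL patterns and blocked suffixes are assumed values; the point is that the check runs on the canonical, decoded path the server would actually dispatch, and that anything not explicitly allowed is denied, including the "hidden" admin URL a normal user happens to know.

```python
import fnmatch
import posixpath
from urllib.parse import unquote

# Added example, not from the slides: an access control matrix (role -> URL patterns)
# applied to every request with default deny. The roles, patterns and file suffixes are
# assumed values for illustration.
ACL = {
    "anonymous": ["/", "/login", "/public/*"],
    "user":      ["/", "/login", "/public/*", "/account/*"],
    "admin":     ["/", "/login", "/public/*", "/account/*", "/admin/*"],
}
# File types the application never serves directly: includes, backups, configuration.
BLOCKED_SUFFIXES = (".inc", ".bak", ".xml", ".properties")


def canonical_path(raw_url: str) -> str:
    """Decode and collapse the path before checking it, so /public/../admin/report
    or %2e%2e segments are judged as what the server would actually dispatch."""
    path = unquote(raw_url.split("?", 1)[0])
    return posixpath.normpath(path)


def is_allowed(role: str, raw_url: str) -> bool:
    """Default deny: only a pattern in the role's row of the matrix grants access."""
    path = canonical_path(raw_url)
    if not path.startswith("/"):
        return False
    if path.lower().endswith(BLOCKED_SUFFIXES):
        return False
    patterns = ACL.get(role, [])  # unknown role: nothing allowed
    return any(fnmatch.fnmatchcase(path, pat) for pat in patterns)


if __name__ == "__main__":
    print(is_allowed("user", "/admin/report"))              # False: knowing the URL is not authorization
    print(is_allowed("user", "/public/%2e%2e/admin/report"))  # False: decoded and normalised first
    print(is_allowed("admin", "/admin/report"))             # True
```

Run this as a single filter in front of every request rather than inside individual pages, so that a page someone forgets to protect is still covered.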
31. References
   - http://java.sun.com/javaee/security/
   - http://www.owasp.org/index.php/Top_10_2007