Scared Straight: Mitigating OWASP Top 10 with PHP
 

Overview of OWASP and its Top 10 Security Vulnerabilities. Strategies for protecting against common web application security vulnerabilities.

Presented at the January 2011 KU Web Developers meeting.

    Presentation Transcript

    • SCARED STRAIGHT MITIGATING OWASP TOP 10 WITH PHP
    • DISCLAIMER
      • I am NOT a “security expert”
      • But I know a little about web security
      • Taken SANS DEV422: Defending Web Application Security Essentials
      • I don’t know everything
    • ASSUMPTIONS
      • This is an introduction-level talk
      • You know enough PHP to be dangerous
      • You’ve heard of some security vulns
      • Again, I don’t know everything
    • TALK STRUCTURE (for each risk)
      • What is the risk?
      • Typical Impact
      • How is it exploited?
      • How to prevent it when using PHP?
    • OWASP: Open Web Application Security Project (http://www.owasp.org)
      • Non-profit focused on improving security of application software
      • Focused on awareness of risks and education on mitigating those risks
      • Kansas City chapter meets every other month
        • Next meeting: Thursday, February 10, 2011 at Johnson County Community College
        • Free! No registration required, but RSVPs appreciated
    • OWASP Top 10 (2010) Source: Dave Wichers OWASP Top 10 Presentation
    • INJECTION
    • INJECTION: What is it?
      • Tricking an application into unintended commands in the data sent to an interpreter
      • Interpreter / Injection:
        • Database: SQL Injection
        • Shell: Command Injection
        • File System: File Injection/Inclusion
        • PHP: PHP Injection
    • INJECTION: Typical Impact (Technical Impact: SEVERE)
      • Entire database read or modified
      • Access files on the filesystem
      • Uses a program’s elevated privileges to carry out unauthorized execution
    • INJECTION: How is it exploited? (Source: Dave Wichers OWASP Top 10 Presentation)
    • INJECTION: How to prevent it? SYSTEM LEVEL (KU does this for you)
      • Limit access rights of your application accounts
        • OS user and database accounts
      • Limit attack vectors
        • Sandbox execution
        • Firewall web-facing machine
        • Close unused ports and services
    • INJECTION: How to prevent it? APPLICATION LEVEL
      • “Filter Input, Escape Output”
      • Examples: HTML, SQL / DATABASE
    • INJECTION: How to prevent it? HTML Injection
    • INJECTION: How to prevent it? SQL Injection - Prepared Statements
    • INJECTION: How to prevent it? SQL Injection (Source: http://xkcd.com/327/)
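The prepared-statement slide above carries no code in the transcript. The following is an added example, not code from the deck, showing the string-concatenation query the slides warn against beside a parameterised PDO query, an integer parameter validated before binding, and a fixed map for the File Injection/Inclusion row of the interpreter table. The SQLite DSN, table names, column names and page names are assumptions.

```php
<?php
// Added example (not code from the deck): parameterised queries with PDO, plus a
// fixed map for file inclusion. The DSN, table and column names are assumptions.

// ANTI-PATTERN the slides warn about: the input is spliced into the SQL text, so the
// database cannot tell where the data ends and the command begins.
function findUserUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// PREPARED STATEMENT: the SQL text and the values travel separately, so a value is
// never parsed as SQL whatever characters it contains. No manual escaping needed.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Numeric parameters: validate the type first, then bind it as an integer.
function findAccount(PDO $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                                  // not a positive integer: refuse
    }
    $stmt = $db->prepare('SELECT id, balance FROM accounts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// File Injection/Inclusion (the "File System" row of the interpreter table): never
// build an include path from request data; map the request value onto a fixed set.
function resolvePage(string $requested): string
{
    $pages = [                                        // assumed page names
        'home'    => __DIR__ . '/pages/home.php',
        'contact' => __DIR__ . '/pages/contact.php',
    ];
    return $pages[$requested] ?? $pages['home'];      // anything unknown becomes the home page
}

// Usage: an in-memory SQLite database so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares where the driver supports them
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER)');
$db->exec('INSERT INTO accounts (id, balance) VALUES (2055, 100)');

// Constructed data: a legitimate name containing a quote is inserted and found
// without any escaping, because the quote is bound as data.
$ins = $db->prepare('INSERT INTO users (username) VALUES (:u)');
$ins->execute([':u' => "O'Brien"]);

var_dump(findUser($db, "O'Brien"));                   // the row for O'Brien
var_dump(findUser($db, "O'Brien' OR 'a'='a"));        // whole string is compared as a name: no match
var_dump(findAccount($db, '2055'));                   // bound as integer 2055
var_dump(findAccount($db, '2055 OR 1=1'));            // fails FILTER_VALIDATE_INT, never reaches the database
echo resolvePage('does-not-exist'), "\n";             // falls back to the home page path
```

findUserUnsafe() is kept only as the contrast: with it, the same quoted name breaks the query; with findUser() it is just a value. Disabling emulated prepares matters on MySQL, where the default otherwise interpolates values client-side.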
    • CROSS SITE SCRIPTING (XSS)
    • CROSS SITE SCRIPTING (XSS): What is it?
      • Malicious data delivered to an innocent user’s browser
      • Single Request Exploit
        • Specially crafted URL injecting JavaScript or other defacement code
      • Persistent Request Exploit
        • Saved in the file itself or more commonly in a database
        • Delivered to all visitors just by visiting the page
    • CROSS SITE SCRIPTING (XSS): Typical Impact (Technical Impact: MODERATE)
      • Steal stored browser data...
        • Session IDs & cookies
        • Account numbers
        • Usernames
      • Deface website
      • Redirect user to phishing or malware site
    • CROSS SITE SCRIPTING (XSS): How is it exploited? (Source: Dave Wichers OWASP Top 10 Presentation)
    • CROSS SITE SCRIPTING (XSS): How to prevent it?
      • “Filter Input, Escape Output”
      • Validate / Sanitize user input
      • Escape user input sent to a Database or the Browser
    • CROSS SITE SCRIPTING (XSS): How to prevent it? Filter Input
      • Use PHP filter_* methods
      • http://www.php.net/manual/en/ref.filter.php
    • CROSS SITE SCRIPTING (XSS): How to prevent it? Escape Output
      • htmlentities() ??? MEH
      • http://htmlpurifier.org/
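The two "Filter Input" and "Escape Output" slides above name the tools but show no code. The following is an added example, not the deck's own code, that validates request parameters with the filter extension and then escapes them for the context they land in (HTML body, URL, JavaScript). The parameter names `page` and `q`, the length cap, and the use of the mbstring extension are assumptions; HTML Purifier itself is not included.

```php
<?php
// Added example (not from the deck): "Filter Input, Escape Output" for the browser.
// Parameter names, limits and the mbstring dependency are assumptions.

// FILTER INPUT: validate and coerce request data before the application uses it.
// Invalid data is replaced by a safe default rather than "cleaned up".
function readPageNumber(array $query): int
{
    return filter_var($query['page'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['default' => 1, 'min_range' => 1, 'max_range' => 10000]]);
}

function readSearchTerm(array $query): string
{
    // Drop control characters (FILTER_FLAG_STRIP_LOW) and cap the length; the text
    // itself is kept, because escaping happens at output time, per context.
    $q = filter_var($query['q'] ?? '', FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);
    return mb_substr($q, 0, 100);
}

// ESCAPE OUTPUT, HTML context. A bare htmlentities() call is "meh" (the slide's word)
// because without ENT_QUOTES single quotes pass through and without an explicit
// charset the encoding is guessed; both gaps are closed here.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// ESCAPE OUTPUT, JavaScript context. Data placed inside <script> must be encoded as a
// JavaScript literal; HTML escaping is the wrong tool there. The JSON_HEX_* flags keep
// "</script>" and quotes from ever appearing literally in the emitted script.
function jsValue($v): string
{
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Rich HTML submitted by users (a bio allowed to contain <b> or <a>) cannot be escaped
// without destroying it; that is the case for an allow-list sanitiser such as
// HTML Purifier (http://htmlpurifier.org/), which is not reproduced here.

function renderResults(array $query): string
{
    $term = readSearchTerm($query);
    $page = readPageNumber($query);                   // already an int: safe to print as-is
    $html  = '<h2>Results for ' . e($term) . ' (page ' . $page . ')</h2>' . "\n";
    // URL context: percent-encode the value, then HTML-escape the attribute.
    $html .= '<a href="' . e('?q=' . rawurlencode($term) . '&page=' . ($page + 1)) . '">next</a>' . "\n";
    $html .= '<script>var lastSearch = ' . jsValue($term) . ';</script>';
    return $html;
}

// Constructed input carrying markup and a non-numeric page, to show each value
// is rendered inert in its own context.
$query = ['q' => '<script>alert(1)</script>', 'page' => '2abc'];
echo renderResults($query), "\n";
```

The same `e()` helper is what the slide's HTML Injection example needs when building a page from user data; the point is that the escaping function is chosen by where the data is going, not by where it came from.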
    • BROKEN AUTHENTICATION AND SESSION MANAGEMENT
    • BROKEN AUTHENTICATION AND SESSION MANAGEMENT: What is it?
      • Authentication or Sessions are improperly implemented
      • HTTP is “stateless”
      • HTTP sends credentials with every request
      • Credentials are usually a Session ID
      • Attack is possible when attacker gets a valid Session ID
      • Remember Firesheep?
    • BROKEN AUTHENTICATION AND SESSION MANAGEMENT: Typical Impact (Technical Impact: SEVERE)
      • An attacker might be able to...
        • Login without a valid password
        • Change another user’s personal info
        • Assume another user’s identity by just clicking a link
    • BROKEN AUTHENTICATION AND SESSION MANAGEMENT: How is it exploited? (Source: Dave Wichers OWASP Top 10 Presentation)
    • BROKEN AUTHENTICATION AND SESSION MANAGEMENT: How to prevent it?
      • Rely on strong authentication and session management controls
        • Integrate Shibboleth into your application
      • Proper Session Storage
        • Default config stores sessions in a global temp directory
      • Proper Session Regeneration
        • Always run session_regenerate_id() after an escalation in authentication/authorization
      • Proper Session cookie handling
        • Only allow session cookies over secure connections
        • Only allow session cookies over HTTP (not JavaScript)
        • Only allow session IDs in cookies (not in the URL)
      • Use HTTPS
        • NEVER deliver unencrypted network traffic when in HTTPS
        • http://test.ku.edu/page2.php ==> http://webmedia.ku.edu/jquery.js
        • https://test.ku.edu/page2.php ==> https://webmedia.ku.edu/jquery.js
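The four prevention slides above (session storage, regeneration, cookie handling, HTTPS) map directly onto PHP runtime settings and a few calls. The following is an added example, not the deck's own code, collecting them into one include that each page would load before `session_start()`. The session save path, session name, `Strict-Transport-Security` header and the login helper's session keys are assumptions; `session.use_strict_mode` needs PHP 5.5.2 or later.

```php
<?php
// Added example (not from the deck): session hardening for the settings the slides list.
// Paths, the session name and session keys are assumptions.

// Proper Session Storage: keep session files out of the shared global temp directory,
// in a directory readable only by this application's OS user.
function configureSessions(string $savePath): void
{
    ini_set('session.save_path', $savePath);
    ini_set('session.use_only_cookies', '1');   // session IDs in cookies only, never in the URL
    ini_set('session.use_trans_sid', '0');      // never append the session ID to links
    ini_set('session.cookie_httponly', '1');    // cookie not readable from JavaScript
    ini_set('session.cookie_secure', '1');      // cookie only sent over HTTPS
    ini_set('session.use_strict_mode', '1');    // reject IDs the server did not issue (PHP >= 5.5.2)
    session_name('APPSESSID');                  // assumed name instead of the default PHPSESSID
}

// Proper Session Regeneration: after any escalation (login, role change) issue a fresh ID,
// so an ID obtained before authentication does not become an authenticated one.
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);                // true = discard the old session data file
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
}

// Use HTTPS: decide whether the current request arrived encrypted. Returns the HTTPS
// URL to redirect to when it did not, or null when nothing needs to happen.
function requireHttps(array $server): ?string
{
    $isHttps = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
            || (int)($server['SERVER_PORT'] ?? 0) === 443;
    if ($isHttps) {
        return null;
    }
    return 'https://' . ($server['HTTP_HOST'] ?? 'localhost') . ($server['REQUEST_URI'] ?? '/');
}

// NEVER deliver unencrypted traffic inside an HTTPS page: build asset URLs with the
// scheme of the page itself (the jquery.js example on the slide).
function assetUrl(bool $pageIsHttps, string $host, string $path): string
{
    return ($pageIsHttps ? 'https' : 'http') . '://' . $host . $path;
}

// Usage, at the top of every page:
configureSessions('/var/lib/myapp/sessions');  // assumed path, writable only by the web server user
$redirect = requireHttps($_SERVER);
if ($redirect !== null) {
    header('Location: ' . $redirect, true, 301);
    exit;
}
// Tell browsers to keep using HTTPS for this host (one year); an addition beyond the slides.
header('Strict-Transport-Security: max-age=31536000');
session_start();
// ... after the password has been verified:
// onSuccessfulLogin($userId);
echo '<script src="' . assetUrl(true, 'webmedia.ku.edu', '/jquery.js') . '"></script>', "\n";
```

With `session.cookie_secure` set, a session cookie is never sent over plain HTTP at all, which is the control the Firesheep slide is pointing at; the redirect in requireHttps() exists so that a user who types the http:// address still ends up on the encrypted page before any session is created.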
    • INSECURE DIGITAL OBJECT REFERENCES
    • INSECURE DIGITAL OBJECT REFERENCES: What is it?
      • Users without proper credentials can view secure data
      • Do any users have only partial access to certain types of system data?
    • INSECURE DIGITAL OBJECT REFERENCES: Typical Impact (Technical Impact: MODERATE)
      • Depends on the value of the secure data
      • Flaws can compromise all data referenced by an insecure object
    • INSECURE DIGITAL OBJECT REFERENCES: How is it exploited?
      • User clicks link “My Account”
      • User accesses “My Account” page at URL: http://mybank.com/account/2055
      • User increments parameter in the URL: http://mybank.com/account/2056
      • User is granted access
    • INSECURE DIGITAL OBJECT REFERENCES: How to prevent it?
      • Use Array Map to Obfuscate URL Parameters
      • Use switch() to test for valid values
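The two prevention slides above name an array map and a `switch()` but show no code. The following is an added example, not the deck's own code, applying both to the "My Account" case: a per-session map from random keys to the account IDs the user actually owns, a `switch()` allow-list for a parameter with a small fixed set of values, and an ownership check on the query itself. The session layout, the `accounts` table and its columns are assumptions.

```php
<?php
// Added example (not from the deck): indirect references for the "My Account" URL.
// Session keys, table and column names are assumptions.

// Use Array Map to obfuscate URL parameters: links carry ?acct=k..., and the map from
// those keys to real account IDs lives in the session. The real IDs never appear in
// the URL, so there is nothing for a user to increment.
function buildAccountMap(array $ownedAccountIds): array
{
    $map = [];
    foreach ($ownedAccountIds as $id) {
        $map['k' . bin2hex(random_bytes(8))] = $id;   // random, per-session key
    }
    return $map;
}

// Resolve a key back to a real ID. An unknown key means the user is asking for
// something that was never offered to them, so the answer is null, not a guess.
function resolveAccount(array $map, string $key): ?int
{
    return $map[$key] ?? null;
}

// Use switch() to test for valid values: accept only the values the page expects.
function normaliseStatementPeriod(string $raw): string
{
    switch ($raw) {
        case 'monthly':
        case 'quarterly':
        case 'annual':
            return $raw;
        default:
            return 'monthly';
    }
}

// The map hides IDs; it is not the authorization check. The query still has to
// confirm the record belongs to the logged-in user.
function loadAccount(PDO $db, int $accountId, int $userId): ?array
{
    $stmt = $db->prepare('SELECT id, balance FROM accounts WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $accountId, ':owner' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with constructed data (in-memory SQLite so it runs stand-alone):
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner_id INTEGER, balance INTEGER)');
$db->exec('INSERT INTO accounts VALUES (2055, 7, 100), (2056, 8, 500)');   // user 7 owns 2055 only

$_SESSION = [];                                   // stand-in for session_start() in a CLI run
$_SESSION['user_id']     = 7;
$_SESSION['account_map'] = buildAccountMap([2055]);

$key = array_key_first($_SESSION['account_map']);   // the key the "My Account" link would carry
$id  = resolveAccount($_SESSION['account_map'], $key);
var_dump($id !== null ? loadAccount($db, $id, $_SESSION['user_id']) : null);  // the owned account
var_dump(resolveAccount($_SESSION['account_map'], 'k0000'));                   // unknown key: null
var_dump(loadAccount($db, 2056, $_SESSION['user_id']));                        // not owned: null even with the real ID
echo normaliseStatementPeriod('weekly'), "\n";                                 // not allowed: default period
```

The last `loadAccount()` call is the one that matters: even if a real ID leaks, the `owner_id` condition refuses it, so the map is a convenience layer on top of authorization rather than a substitute for it.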
    • CROSS SITE REQUEST FORGERY (CSRF)
    • CROSS SITE REQUEST FORGERY (CSRF): What is it?
      • Victim’s browser is tricked into issuing a command to a vulnerable web application
      • HTTP is “stateless” - Credentials are included with every request
      • If the user visits another website while still authenticated... Any request back to the application is considered authentic
    • CROSS SITE REQUEST FORGERY (CSRF): Typical Impact (Technical Impact: MODERATE)
      • What if a hacker could steer your mouse and get you to click on links in your online banking application?
      • What could they make you do?
        • Make Transactions?
        • Close Accounts?
        • Change Password?
    • CROSS SITE REQUEST FORGERY (CSRF): How is it exploited?
      • A vulnerable web application allows destructive actions (INSERT, UPDATE, DELETE) when using $_GET
        • http://mydomain.com/file.php?action=delete&id=12345
      • Destructive actions are executed with minimal or no verification of the origin of the request
        • HTTP POST => http://mydomain.com/file.php?action=delete
        • Only marginally more difficult to forge a POST
    • CROSS SITE REQUEST FORGERY (CSRF): How to prevent it?
      • A few easy ways...
        • Invalidate user sessions quickly
        • Encourage users to logout (they don’t)
        • Don’t implement “Remember Me” features
      • Implement a CSRF Token
        • Add a secret, not automatically submitted, token to ALL sensitive requests
        • Verify token exists and matches the expected value before executing the request
        • Generate token and store in user’s session
        • Use token in POST form
        • Validate when POST received
        • Source: http://shiflett.org/articles/cross-site-request-forgeries
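The three token slides above (generate and store in session, use in the POST form, validate when the POST is received) follow Shiflett's article but the transcript carries none of the code. The following is an added example, not the deck's or the article's code: it implements the same three steps with `random_bytes()` and `hash_equals()` in place of the `md5(uniqid())` comparison used in the 2011-era article, and it refuses the `$_GET` delete from the exploit slide outright. The field names and the `handleDelete()` action are assumptions.

```php
<?php
// Added example (not from the deck or from Shiflett's article): CSRF token lifecycle.
// Field names and the delete handler are assumptions.

function csrfToken(array &$session): string
{
    // Generate once per session. The token is secret and appears only in our own
    // forms, so a form hosted on another site cannot include it automatically.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Use token in POST form.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Validate when POST received.
function csrfValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time; an absent or empty token fails.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Destructive actions must arrive by POST *and* carry the token. A GET such as
// file.php?action=delete&id=12345 (the exploit slide) never reaches the delete.
function handleDelete(array $server, array $session, array $post): string
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 'refused: deletes are POST only';
    }
    if (!csrfValid($session, $post)) {
        return 'refused: missing or wrong CSRF token';
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 'refused: bad id';
    }
    return 'deleted ' . $id;   // the real DELETE query would run here
}

// Usage with constructed requests ($session stands in for $_SESSION in a CLI run):
$session = [];
echo '<form method="post" action="/file.php">' . csrfField($session)
   . '<input type="hidden" name="action" value="delete"><input type="hidden" name="id" value="12345">'
   . '<button>Delete</button></form>', "\n";

// Same request shape with no token: what a form on another site can produce.
echo handleDelete(['REQUEST_METHOD' => 'POST'], $session, ['action' => 'delete', 'id' => '12345']), "\n";
// Request carrying the token from our own form.
echo handleDelete(['REQUEST_METHOD' => 'POST'], $session,
    ['action' => 'delete', 'id' => '12345', 'csrf_token' => $session['csrf_token']]), "\n";
// The GET variant from the exploit slide, token or not.
echo handleDelete(['REQUEST_METHOD' => 'GET'], $session, ['action' => 'delete', 'id' => '12345']), "\n";
```

Pairing the token with the session (rather than a global secret) is what makes it "not automatically submitted": cookies go along with every request, the hidden field does not.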
    • SECURITY MISCONFIGURATION
    • SECURITY MISCONFIGURATION: What is it?
      • Running web applications on a secure foundation
        • From the Operating System up through Apache
        • All PHP extensions
        • All installed libraries on the server
    • SECURITY MISCONFIGURATION: Typical Impact (Technical Impact: MODERATE)
      • Install backdoor through missing security patch
      • Install malware on the server
      • “Root” the server
      • All your data is stolen
    • SECURITY MISCONFIGURATION: How is it exploited? (Source: Dave Wichers OWASP Top 10 Presentation)
    • SECURITY MISCONFIGURATION: How to prevent it? SYSTEM LEVEL (KU does this for you)
      • Update to latest application versions
      • Install security patches
      • Monitor vulnerabilities list
    • SECURITY MISCONFIGURATION: How to prevent it? APPLICATION LEVEL
      • Use latest available version of PHP
      • Update third-party software when available
      • Monitor mailing lists
    • INSECURE CRYPTOGRAPHIC STORAGE
    • INSECURE CRYPTOGRAPHIC STORAGE: What is it?
      • Incorrectly storing and transmitting confidential data
        • Database data
        • Log files
        • Backup files
        • Password files
    • INSECURE CRYPTOGRAPHIC STORAGE: What is considered secure data at KU?
      • Data protected by FERPA
      • Data protected by GLB
      • Data subject to PCI (credit or payment card industry) standards
      • Data subject to other Federal or state confidentiality laws
      • Donor or prospect information
      • Passwords and PINs
      • Personally Identifiable Information (“PII”)
      • Personnel data
      • Individually identifiable information created and collected by research projects
      • Certain research data with National Security implications
      • Data subject to protection pursuant to non-disclosure agreements
      • Audit working papers
      • Data protected by attorney/client privilege
      • Email covering topics listed above
      • THIS LIST IS NOT ALL INCLUSIVE
      • Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
    • INSECURE CRYPTOGRAPHIC STORAGE: Typical Impact (Technical Impact: SEVERE)
      • Attacker accesses or modifies confidential data
      • Intellectual property stolen
      • You or KU might get sued
      • Makes the company look bad in the press
    • INSECURE CRYPTOGRAPHIC STORAGE: Business Impacts (SEVERE)
      • High risk of... significant financial loss, legal liability, public distrust, harm ...if this data is disclosed
    • INSECURE CRYPTOGRAPHIC STORAGE: How is it exploited? (Source: Dave Wichers OWASP Top 10 Presentation)
    • INSECURE CRYPTOGRAPHIC STORAGE: How to prevent it?
      • Identify all sensitive data and all places it is stored
      • Don’t store private data in public_html
      • Don’t invent your own encryption algorithm
      • Don’t transmit confidential data over unencrypted means
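"Passwords and PINs" are on the secure-data list above, and "Don't invent your own encryption algorithm" is the prevention rule. The following is an added example, not the deck's own code, applying that rule to password storage with PHP's built-in password API (PHP 5.5 and later): a random-salted, slow hash from `password_hash()`, verified with `password_verify()`, and upgraded in place when the default cost changes. The `users` table and its columns are assumptions.

```php
<?php
// Added example (not from the deck): storing passwords with PHP's password API
// instead of plaintext, a bare md5()/sha1(), or a home-grown scheme.
// Table and column names are assumptions.

function storePassword(PDO $db, string $username, string $password): void
{
    // password_hash picks a random salt and a work factor and embeds both in the
    // output, so nothing else has to be stored alongside it.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function checkPassword(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;                                 // unknown user
    }
    if (!password_verify($password, $hash)) {         // constant-time comparison inside
        return false;
    }
    // Transparently re-hash entries made with an older or cheaper work factor.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Usage with constructed credentials (in-memory SQLite so it runs stand-alone):
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

storePassword($db, 'alice', 'correct horse battery staple');
var_dump(checkPassword($db, 'alice', 'correct horse battery staple'));   // matching password
var_dump(checkPassword($db, 'alice', 'wrong password'));                 // same user, wrong password
var_dump(checkPassword($db, 'nobody', 'anything'));                      // unknown user
```

The same "don't invent it" rule applies to the database credentials this code needs: keep them in a configuration file outside public_html, readable only by the web server user, rather than in a script that the web server could be persuaded to serve as text.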
    • FAILURE TO RESTRICT URL ACCESS
    • FAILURE TO RESTRICT URL ACCESS: What is it?
      • Unauthorized users can view private pages
      • Public users could access your admin functionality
    • FAILURE TO RESTRICT URL ACCESS: Typical Impact (Technical Impact: MODERATE)
      • Attackers invoke functions and services they’re not authorized for
      • Access other users’ accounts and data
      • Perform privileged actions
    • FAILURE TO RESTRICT URL ACCESS: How is it exploited?
      • User accesses URL http://mydomain.com/user/profile
      • User changes role of URL
        • http://mydomain.com/manager/profile
        • http://mydomain.com/admin/profile
      • Presentation Layer Access Control: DOESN’T WORK
      • Unlinked URLs (http://mydomain.com/you/will/never/find/this/index.html): DOESN’T WORK
    • FAILURE TO RESTRICT URL ACCESS: How to prevent it?
      • Check credentials on every page
      • Disallow requests to unauthorized page types (http://mydomain.com/uploads)
      • Test it!
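"Check credentials on every page" and "Test it!" are the two rules on the prevention slide above. The following is an added example, not the deck's own code: one include that maps each URL path to the role it requires, denies everything not listed (which covers both the unlinked URL and the `/uploads` directory from the exploit slides), and finishes with the role-change cases from the exploit slide written as checks that can be re-run after every change. Role names, the path table and the session key are assumptions; the URLs are the ones from the slides.

```php
<?php
// Added example (not from the deck): server-side access check for every request.
// Role names, the route table and the session key are assumptions.

const ROLE_RANK = ['public' => 0, 'user' => 1, 'manager' => 2, 'admin' => 3];

// Required role per URL path. Anything not listed is denied (deny by default), which
// also covers directories such as /uploads that should never be browsed directly.
const ROUTE_ROLES = [
    '/'                => 'public',
    '/user/profile'    => 'user',
    '/manager/profile' => 'manager',
    '/admin/profile'   => 'admin',
];

function requiredRole(string $uri): ?string
{
    $path = parse_url($uri, PHP_URL_PATH);            // ignore query string and fragment
    $path = is_string($path) ? (rtrim($path, '/') ?: '/') : '/';
    return ROUTE_ROLES[$path] ?? null;
}

function canAccess(?string $userRole, string $uri): bool
{
    $needed = requiredRole($uri);
    if ($needed === null) {
        return false;                                 // unknown URL: deny
    }
    $have = ROLE_RANK[$userRole ?? 'public'] ?? 0;    // unknown role counts as public
    return $have >= ROLE_RANK[$needed];
}

// Loaded at the top of EVERY script (require_once 'auth_check.php'), not only the ones
// linked from the menu: hiding a link is presentation, not access control.
function enforce(array $session, array $server): void
{
    if (!canAccess($session['role'] ?? null, $server['REQUEST_URI'] ?? '/')) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// "Test it!": the cases from the exploit slides, constructed so they can be re-run.
$cases = [
    ['user',  '/user/profile',                          true],
    ['user',  '/manager/profile',                       false],  // role segment changed in the URL
    ['user',  '/admin/profile?debug=1',                 false],  // query string does not matter
    ['admin', '/manager/profile',                       true],   // higher role includes lower pages
    [null,    '/uploads/report.csv',                    false],  // unlisted directory
    ['admin', '/you/will/never/find/this/index.html',   false],  // unlinked URL: still denied
];
foreach ($cases as [$role, $uri, $expected]) {
    $result = canAccess($role, $uri);
    echo ($result === $expected ? 'PASS ' : 'FAIL '), str_pad((string)$role, 8), $uri, "\n";
}
```

Denying unknown paths is the piece most often skipped: a check that only guards the pages you thought of is exactly the "unlinked URL" hole the slide says does not work.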
    • INSUFFICIENT TRANSPORT LAYER PROTECTION
    • INSUFFICIENT TRANSPORT LAYER PROTECTION: What is it?
      • Sending confidential data over unencrypted protocols
      • Failure to identify all sensitive data
      • Failure to identify all places sensitive data is sent
      • Between:
        • Server and user
        • Backend databases
        • Colleagues
        • Internal Communications
    • INSUFFICIENT TRANSPORT LAYER PROTECTION: Typical Impact (Technical Impact: MODERATE)
      • Expose users’ confidential data
      • Account theft
    • INSUFFICIENT TRANSPORT LAYER PROTECTION: How is it exploited?
      • Does your application...
        • Use confidential data? (same “What is considered secure data at KU?” list as under INSECURE CRYPTOGRAPHIC STORAGE; source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm)
        • Send it over email?
        • Send it to a database?
        • Use HTTPS for ALL authentication requests?
      • Do you...
        • Have encrypted email setup between colleagues?
        • Use encrypted IM chat between colleagues?
        • Store your account passwords in a password safe?
    • INSUFFICIENT TRANSPORT LAYER PROTECTION: How to prevent it?
      • Don’t use KU Email Form to send confidential data
        1. Build a web form that stores it in a secure database
        2. Build a page to download or browse the info
        3. Only allow specific users to access it using Shibboleth
      • Use secure protocols to transmit and store data
        • Ever try to FTP to www2.ku.edu without SFTP?
        • Store confidential data in our secure Oracle database
      • Require HTTPS on all secure pages
      • Setup email encryption between colleagues: http://www.technology.ku.edu/ca/install/
      • Setup Off-The-Record chat encryption: http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html
      • KeePass (Free & Open-Source)
        • Windows: http://keepass.info/
        • Mac: http://www.keepassx.org/
    • UNVALIDATED REDIRECTS AND FORWARDS
    • UNVALIDATED REDIRECTS AND FORWARDS: What is it?
      • URL Redirects built by the web application can be exploited if unvalidated
      • Appears as a valid URL but contains a payload
      • Internal redirects are common
      • External redirects are becoming more common
    • UNVALIDATED REDIRECTS AND FORWARDS: Typical Impact (Technical Impact: MODERATE)
      • Install malware
      • Phishing site
      • Bypass authorization controls
    • UNVALIDATED REDIRECTS AND FORWARDS: How is it exploited? (Source: Dave Wichers OWASP Top 10 Presentation)
    • UNVALIDATED REDIRECTS AND FORWARDS: How to prevent it?
      • Avoid using redirects and forwards as much as possible
      • If used, don’t use user-input parameters
      • If using user-input... Use Array Map to Whitelist URL Parameters
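The "Use Array Map to Whitelist URL Parameters" slide above shows no code. The following is an added example, not the deck's own code: the redirect parameter is a key into a fixed map rather than a URL, so whatever the user supplies is never itself used as a destination. It goes one step past the slide with a second helper for the case where the destination must be a runtime path on the same site (a "return to where you were" link), accepting only site-relative paths. The map keys, destinations and the `next` parameter name are assumptions.

```php
<?php
// Added example (not from the deck): allow-listed redirect targets.
// Keys, destinations and the parameter name are assumptions.

const REDIRECT_TARGETS = [
    'home'    => '/',
    'profile' => '/user/profile',
    'help'    => 'https://www.owasp.org/',   // external targets are listed explicitly, never taken from input
];

// Use Array Map to whitelist URL parameters: return the destination for a known key,
// or the default for anything else. The raw value never becomes part of a URL.
function redirectTarget(?string $key, string $default = '/'): string
{
    if ($key === null) {
        return $default;
    }
    return REDIRECT_TARGETS[$key] ?? $default;
}

// For a destination chosen at runtime, accept only a path on this site: it must start
// with a single "/", carry no scheme or host, and contain no backslash (browsers treat
// "/\host" like "//host", which is a host, not a path).
function sameSitePath(?string $raw, string $default = '/'): string
{
    if ($raw === null || $raw === '' || $raw[0] !== '/') {
        return $default;
    }
    $second = $raw[1] ?? '';
    if ($second === '/' || $second === '\\' || strpos($raw, '\\') !== false) {
        return $default;
    }
    $parts = parse_url($raw);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $raw;
}

// Usage with constructed inputs:
foreach (['profile', 'help', 'https://example.test', null] as $key) {
    echo str_pad(var_export($key, true), 24), ' => ', redirectTarget($key), "\n";
}
foreach (['/user/profile?tab=2', '//example.test/', '/\\example.test', 'https://example.test', 'profile'] as $raw) {
    echo str_pad($raw, 24), ' => ', sameSitePath($raw), "\n";
}

// In a real page: header('Location: ' . redirectTarget($_GET['next'] ?? null)); exit;
```

The map is the slide's recommendation and should be the first choice; sameSitePath() exists only for the cases the slide says to avoid, and even then it never lets input choose a host.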
    • Questions?
    • My Challenge to you
      • Read the OWASP Wiki: http://www.owasp.org
      • Review your code:
        • http://www.owasp.org/index.php/Code_Review_Guide
        • http://www.owasp.org/index.php/OWASP_Testing_Project
    • Sources
      OWASP Sources:
      - OWASP Application Security Verification Standard Project. <http://www.owasp.org/index.php/ASVS>
      - OWASP Authentication Cheat Sheet. <http://www.owasp.org/index.php/Authentication_Cheat_Sheet>
      - OWASP Code Review Project. <http://www.owasp.org/index.php/Code_Review_Guide>
      - OWASP Testing Project. <http://www.owasp.org/index.php/OWASP_Testing_Project>
      - OWASP Top 10 - 2010: The Top 10 Most Critical Web Application Security Risks. Dave Wichers, OWASP Board Member. <http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx>
      - OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet. <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>
      Links:
      - Setting up encrypted email at KU. <http://www.technology.ku.edu/ca/install/>
      - Introduction to Encrypted Internet Chat. <http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html>
      Software:
      - HTMLPurifier <http://htmlpurifier.org/>
      - KeePass <http://keepass.info/>
      - KeePassX <http://www.keepassx.org/>
      - WebScarab <http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project>
      Photos:
      - http://www.flickr.com/photos/mrbenn/2337943659/
      - http://www.flickr.com/photos/12836528@N00/4294660659/
      - http://xkcd.com/327/
    • John Kary | johnkary@ku.edu
      Web Development & Interface Design, University of Kansas, Information Technology
      January 2011 KU Web Developers Meeting