SlideShare a Scribd company logo

OWASP TOP 10 by Team xbios

Vi Vek
Vi Vek

OWASP Top 10 vulnerabilities in 2013 and its avoiding techniques.

Technology
1 of 46
Download to read offline
By team Xbios
INJECTION flaws ‘ or 1 = 1 ’- -
Injection means… Tricking an application into including unintended commands in the data sent to an interpreter Interpreter Take strings and interpret them as commands Eg : SQL, OS Shell, LDAP, XPath, Hibernate, etc…
SQL Injection Example $username = $_POST[‘username’]; $password = $_POST[‘password’]; $query = “SELECT * FROM user WHERE username = ‘$username’ AND password = ‘$password’”; $user = $db->query($query);
Recommendations Avoid the interpreter entirely, or Use an interface that supports bind variables (e.g., prepared statements, or stored procedures), Encode all user input before passing it to the interpreter References For more details, read the new http://www.owasp.org/index.php/SQL_Injection_ Prevention_Cheat_Sheet
HTTP is a “stateless” protocol • SESSION ID used to track state since HTTP doesn’t and it is just as good as credentials to an attacker. • SESSION ID is typically exposed on the network, in browser, in logs, … Beware of side-doors Change my password, remember my password, forgot my password, secret question, logout, email address, etc…
Site uses URL rewriting (i.e., put session in URL) 3 2 Hacker uses JSESSIONID and takes over victim’s account 4 Bus. Functions E-Commerce Knowledge Mgmt Transactions Custom Code User clicks on a link to http://www.hacker.com in a forum Hacker checks referrer logs on www.hacker.com and finds user’s JSESSIONID 5 Communication www.boi.com?JSESSIONID=9FA1DB9EA... Administration User sends credentials Accounts 1 Finance Attack Illustration
Impacts User accounts compromised or user sessions hijacked Recommendations • Verify your architecture • Verify the implementation References Follow the guidance from http://www.owasp.org/index.php/Authentication_Cheat_Sheet
XSS <script> alert(”cross site scripting”); </script> ‘
Occurs any time… Raw data from attacker is sent to an innocent user’s browser Raw Data…. • Stored in database • Reflected from web input (form field, hidden field, URL, etc…) • Sent directly into rich JavaScript client
Impacts • Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites
Recommendations • Don’t include user supplied input in the output page • Defend Against the Flaw Primary Recommendation: Use OWASP’s ESAPI to output encode: • For large chunks of user supplied HTML, use OWASP’s AntiSamy References For how to output encode properly, read the new http://www.owasp.org/index.php/XSS_(Cross Site Scripting) Prevention Cheat Sheet
Insecure Direct Object References
Occurs when… • Developer exposes a reference to an internal implementation object. • Without an access control check or other protection, attackers can manipulate Impacts • Users are able to access unauthorized files or data
Insecure Direct Object References Illustrated https://www.onlinebank.com/user?acct=6065 • Attacker notices his acct parameter is 6065 ?acct=6065 • He modifies it to a nearby number ?acct=6066 • Attacker views the victim’s account information
Recommendations • Eliminate the direct object reference • Validate the direct object reference
Security Misconfiguration
Risks • Default settings can be insecure, and intended for development not production. • Attackers can use misconfigured software to gain knowledge and access. Impacts • XSS flaw exploits due to missing application framework patches. • Unauthorized access to default accounts, application functionality or data.
Recommendations • Know the tools you use, and configure them correctly. • Keep up to date on vulnerabilities in the tools you use. • Remove/disable any services/features you aren’t using.
Sensitive Data Exposure
Storing and transmitting sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data gets stored • Failure to properly protect this data in every location Impacts • Attackers access or modify confidential or private information • Attackers extract secrets to use in additional attacks • Expense of cleaning up the incident • Business gets sued and/or fined
1 Victim enters credit card number in form Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Insecure Cryptographic Storage Illustrated Custom Code 4 Log files Malicious insider steals 4 million credit card numbers Logs are accessible to all members of IT staff for debugging purposes Error handler logs CC details because merchant gateway is unavailable 3 2
Recommendations • • • • Verify your architecture Protect with appropriate mechanisms Use the mechanisms correctly Verify the implementation
Missing Function Level Access Control
Risks • Hidden things can easily be found. • Creative people will eventually find your hidden URLs Impacts • Attackers invoke functions and services they’re not authorized for • Access other user’s accounts and data • Perform privileged actions
Failure to Restrict URL Access Illustrated https://www.onlinebank.com/user/getAccounts • Attacker notices the URL indicates his role /user/getAccounts • He modifies it to another directory (role) /admin/getAccounts, or /manager/getAccounts • Attacker views more accounts than just their own
Recommendations • For each URL, a site needs to do 3 things • Verify your architecture • Verify the implementation
Cross Site Request Forgery
Risks • Evil websites can perform actions for users logged into your site. • Vulnerability is caused by browsers automatically including user authentication data with each request Impacts • Initiate transactions (transfer funds, logout user, close account) • Access sensitive data • Change account details
CSRF Illustrated While logged into vulnerable site, victim views attacker site Communication Knowledge Mgmt E-Commerce Bus. Functions 2 Administration Transactions Hidden <img> tag contains attack against vulnerable site Application with CSRF vulnerability Accounts Finance 1 Attacker sets the trap on some website on the internet (or simply via an e-mail) Custom Code 3 <img> tag loaded by browser – sends GET request (including credentials) to vulnerable site Vulnerable site sees legitimate request from victim and performs the action requested
Prevention • Add opaque expiring tokens to all forms. • Requests missing tokens or containing invalid tokens should be rejected.
Using Known Vulnerable Components
Vulnerable components are common The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise Impacts The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise
Preventing Known Vulnerable Components • One option is not to use components that you didn’t write. But that’s not very realistic. • Most component projects do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version. So upgrading to these new versions is critical.
Unvalidated Redirects and Forwards
Web application redirects are very common • And frequently include user supplied parameters in the destination URL • If they aren’t validated, attacker can send victim to a site of their choice Impacts • Redirect victim to phishing or malware site • Attacker’s request is forwarded past security checks, allowing unauthorized function or data access
Unvalidated Redirect Illustrated Attacker sends attack to victim via email or webpage Bus. Functions E-Commerce Communication Knowledge Mgmt Transactions Victim clicks link containing invalidated parameter Application redirects victim to attacker’s site Administration 2 3 Finance From: Internal Revenue Service Subject: Your Unclaimed Tax Refund Our records show you have an unclaimed federal tax refund. Please click here to initiate your claim. Accounts 1 Custom Code Request sent to vulnerable site, including attacker’s destination site as parameter. Redirect sends victim to attacker site http://www.irs.gov/taxrefund/claim.jsp?year=2006 & … &dest=www.evilsite.com Evil Site 4 Evil site installs malware on victim, or phish’s for private information
Avoiding Unvalidated Redirects and Forwards • Avoid using redirects and forwards as much as you can • If used, don’t involve user parameters in defining the target URL • If you ‘must’ involve user parameters, then either • Validate each parameter • Use server side mapping
How do you address these problems? • Develop Secure Code • Review Your Applications • Have an expert team review your applications • Review your applications yourselves following OWASP Guidelines
How do you address these problems? • Develop Secure Code • Review Your Applications
OWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbios

Recommended

Vulnerabilities in Web Applications
Vulnerabilities in Web ApplicationsVulnerabilities in Web Applications
Vulnerabilities in Web ApplicationsVenkat Ramana Reddy Parine
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013n|u - The Open Security Community
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2robin_bene
 

Recommended

Vulnerabilities in Web Applications
Vulnerabilities in Web ApplicationsVulnerabilities in Web Applications
Vulnerabilities in Web ApplicationsVenkat Ramana Reddy Parine
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013n|u - The Open Security Community
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2robin_bene
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLFn|u - The Open Security Community
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security RisksSperasoft
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Injection attacks
Injection attacksInjection attacks
Injection attacksAdamu Muhammad
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsKaran Nagrecha
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8Pavan M
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne
 
InsecureDirectObjectReferences
InsecureDirectObjectReferencesInsecureDirectObjectReferences
InsecureDirectObjectReferencesmacanazon
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmersrobin_bene
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 
ค่ายอาเซียน
ค่ายอาเซียนค่ายอาเซียน
ค่ายอาเซียนAonaon Krubpom
 
น้ำผึ้ง 4 10 เลขที่ 3
น้ำผึ้ง 4 10 เลขที่ 3น้ำผึ้ง 4 10 เลขที่ 3
น้ำผึ้ง 4 10 เลขที่ 3Yuan Yuan'
 

More Related Content

What's hot

The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security RisksSperasoft
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsKaran Nagrecha
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8Pavan M
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne
 
InsecureDirectObjectReferences
InsecureDirectObjectReferencesInsecureDirectObjectReferences
InsecureDirectObjectReferencesmacanazon
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmersrobin_bene
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 

What's hot (20)

The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing Checklist
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Injection attacks
Injection attacksInjection attacks
Injection attacks
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering Stage
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 
InsecureDirectObjectReferences
InsecureDirectObjectReferencesInsecureDirectObjectReferences
InsecureDirectObjectReferences
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmers
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injection
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and Forwards
 

Viewers also liked

ค่ายอาเซียน
ค่ายอาเซียนค่ายอาเซียน
ค่ายอาเซียนAonaon Krubpom
 
น้ำผึ้ง 4 10 เลขที่ 3
น้ำผึ้ง 4 10 เลขที่ 3น้ำผึ้ง 4 10 เลขที่ 3
น้ำผึ้ง 4 10 เลขที่ 3Yuan Yuan'
 
หน่วยที่ 02
หน่วยที่ 02หน่วยที่ 02
หน่วยที่ 02Nuytoo Naruk
 
คู่มือการใช้งานระบบ Back office ของ seacon square draft1
คู่มือการใช้งานระบบ Back office ของ seacon square draft1คู่มือการใช้งานระบบ Back office ของ seacon square draft1
คู่มือการใช้งานระบบ Back office ของ seacon square draft1Somjet Sareerom
 
Surat lamaran kerja1
Surat lamaran kerja1Surat lamaran kerja1
Surat lamaran kerja1Siti Permana
 

Viewers also liked (6)

ค่ายอาเซียน
ค่ายอาเซียนค่ายอาเซียน
ค่ายอาเซียน
 
น้ำผึ้ง 4 10 เลขที่ 3
น้ำผึ้ง 4 10 เลขที่ 3น้ำผึ้ง 4 10 เลขที่ 3
น้ำผึ้ง 4 10 เลขที่ 3
 
หน่วยที่ 02
หน่วยที่ 02หน่วยที่ 02
หน่วยที่ 02
 
คู่มือการใช้งานระบบ Back office ของ seacon square draft1
คู่มือการใช้งานระบบ Back office ของ seacon square draft1คู่มือการใช้งานระบบ Back office ของ seacon square draft1
คู่มือการใช้งานระบบ Back office ของ seacon square draft1
 
Surat lamaran kerja1
Surat lamaran kerja1Surat lamaran kerja1
Surat lamaran kerja1
 
Three IT Kingdoms
Three IT KingdomsThree IT Kingdoms
Three IT Kingdoms
 

Similar to OWASP TOP 10 by Team xbios

2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01G Prachi
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfnanangAris1
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Vishrut Sharma
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer
 
Detailed Developer Report.pdf
Detailed Developer Report.pdfDetailed Developer Report.pdf
Detailed Developer Report.pdfnalla14
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationowasp-pune
 
Watch How the Giants Fall
Watch How the Giants FallWatch How the Giants Fall
Watch How the Giants Falljtmelton
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 

Similar to OWASP TOP 10 by Team xbios (20)

2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdf
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdf
 
Detailed Developer Report.pdf
Detailed Developer Report.pdfDetailed Developer Report.pdf
Detailed Developer Report.pdf
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Watch How the Giants Fall
Watch How the Giants FallWatch How the Giants Fall
Watch How the Giants Fall
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_report
 
Security testing
Security testingSecurity testing
Security testing
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 

Recently uploaded

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Recently uploaded (20)

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

OWASP TOP 10 by Team xbios

  • 2.
  • 3.
  • 4. INJECTION flaws ‘ or 1 = 1 ’- -
  • 5. Injection means… Tricking an application into including unintended commands in the data sent to an interpreter Interpreter Take strings and interpret them as commands Eg : SQL, OS Shell, LDAP, XPath, Hibernate, etc…
  • 6. SQL Injection Example $username = $_POST[‘username’]; $password = $_POST[‘password’]; $query = “SELECT * FROM user WHERE username = ‘$username’ AND password = ‘$password’”; $user = $db->query($query);
  • 7. Recommendations Avoid the interpreter entirely, or Use an interface that supports bind variables (e.g., prepared statements, or stored procedures), Encode all user input before passing it to the interpreter References For more details, read the new http://www.owasp.org/index.php/SQL_Injection_ Prevention_Cheat_Sheet
  • 8.
  • 9. HTTP is a “stateless” protocol • SESSION ID used to track state since HTTP doesn’t and it is just as good as credentials to an attacker. • SESSION ID is typically exposed on the network, in browser, in logs, … Beware of side-doors Change my password, remember my password, forgot my password, secret question, logout, email address, etc…
  • 10. Site uses URL rewriting (i.e., put session in URL) 3 2 Hacker uses JSESSIONID and takes over victim’s account 4 Bus. Functions E-Commerce Knowledge Mgmt Transactions Custom Code User clicks on a link to http://www.hacker.com in a forum Hacker checks referrer logs on www.hacker.com and finds user’s JSESSIONID 5 Communication www.boi.com?JSESSIONID=9FA1DB9EA... Administration User sends credentials Accounts 1 Finance Attack Illustration
  • 11. Impacts User accounts compromised or user sessions hijacked Recommendations • Verify your architecture • Verify the implementation References Follow the guidance from http://www.owasp.org/index.php/Authentication_Cheat_Sheet
  • 12. XSS <script> alert(”cross site scripting”); </script> ‘
  • 13. Occurs any time… Raw data from attacker is sent to an innocent user’s browser Raw Data…. • Stored in database • Reflected from web input (form field, hidden field, URL, etc…) • Sent directly into rich JavaScript client
  • 14. Impacts • Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites
  • 15. Recommendations • Don’t include user supplied input in the output page • Defend Against the Flaw Primary Recommendation: Use OWASP’s ESAPI to output encode: • For large chunks of user supplied HTML, use OWASP’s AntiSamy References For how to output encode properly, read the new http://www.owasp.org/index.php/XSS_(Cross Site Scripting) Prevention Cheat Sheet
  • 17. Occurs when… • Developer exposes a reference to an internal implementation object. • Without an access control check or other protection, attackers can manipulate Impacts • Users are able to access unauthorized files or data
  • 18. Insecure Direct Object References Illustrated https://www.onlinebank.com/user?acct=6065 • Attacker notices his acct parameter is 6065 ?acct=6065 • He modifies it to a nearby number ?acct=6066 • Attacker views the victim’s account information
  • 19. Recommendations • Eliminate the direct object reference • Validate the direct object reference
  • 21. Risks • Default settings can be insecure, and intended for development not production. • Attackers can use misconfigured software to gain knowledge and access. Impacts • XSS flaw exploits due to missing application framework patches. • Unauthorized access to default accounts, application functionality or data.
  • 22. Recommendations • Know the tools you use, and configure them correctly. • Keep up to date on vulnerabilities in the tools you use. • Remove/disable any services/features you aren’t using.
  • 24. Storing and transmitting sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data gets stored • Failure to properly protect this data in every location Impacts • Attackers access or modify confidential or private information • Attackers extract secrets to use in additional attacks • Expense of cleaning up the incident • Business gets sued and/or fined
  • 25. 1 Victim enters credit card number in form Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Insecure Cryptographic Storage Illustrated Custom Code 4 Log files Malicious insider steals 4 million credit card numbers Logs are accessible to all members of IT staff for debugging purposes Error handler logs CC details because merchant gateway is unavailable 3 2
  • 26. Recommendations • • • • Verify your architecture Protect with appropriate mechanisms Use the mechanisms correctly Verify the implementation
  • 28. Risks • Hidden things can easily be found. • Creative people will eventually find your hidden URLs Impacts • Attackers invoke functions and services they’re not authorized for • Access other user’s accounts and data • Perform privileged actions
  • 29. Failure to Restrict URL Access Illustrated https://www.onlinebank.com/user/getAccounts • Attacker notices the URL indicates his role /user/getAccounts • He modifies it to another directory (role) /admin/getAccounts, or /manager/getAccounts • Attacker views more accounts than just their own
  • 30. Recommendations • For each URL, a site needs to do 3 things • Verify your architecture • Verify the implementation
  • 32. Risks • Evil websites can perform actions for users logged into your site. • Vulnerability is caused by browsers automatically including user authentication data with each request Impacts • Initiate transactions (transfer funds, logout user, close account) • Access sensitive data • Change account details
  • 33. CSRF Illustrated While logged into vulnerable site, victim views attacker site Communication Knowledge Mgmt E-Commerce Bus. Functions 2 Administration Transactions Hidden <img> tag contains attack against vulnerable site Application with CSRF vulnerability Accounts Finance 1 Attacker sets the trap on some website on the internet (or simply via an e-mail) Custom Code 3 <img> tag loaded by browser – sends GET request (including credentials) to vulnerable site Vulnerable site sees legitimate request from victim and performs the action requested
  • 34. Prevention • Add opaque expiring tokens to all forms. • Requests missing tokens or containing invalid tokens should be rejected.
  • 36. Vulnerable components are common The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise Impacts The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise
  • 37. Preventing Known Vulnerable Components • One option is not to use components that you didn’t write. But that’s not very realistic. • Most component projects do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version. So upgrading to these new versions is critical.
  • 39. Web application redirects are very common • And frequently include user supplied parameters in the destination URL • If they aren’t validated, attacker can send victim to a site of their choice Impacts • Redirect victim to phishing or malware site • Attacker’s request is forwarded past security checks, allowing unauthorized function or data access
  • 40. Unvalidated Redirect Illustrated Attacker sends attack to victim via email or webpage Bus. Functions E-Commerce Communication Knowledge Mgmt Transactions Victim clicks link containing invalidated parameter Application redirects victim to attacker’s site Administration 2 3 Finance From: Internal Revenue Service Subject: Your Unclaimed Tax Refund Our records show you have an unclaimed federal tax refund. Please click here to initiate your claim. Accounts 1 Custom Code Request sent to vulnerable site, including attacker’s destination site as parameter. Redirect sends victim to attacker site http://www.irs.gov/taxrefund/claim.jsp?year=2006 & … &dest=www.evilsite.com Evil Site 4 Evil site installs malware on victim, or phish’s for private information
  • 41. Avoiding Unvalidated Redirects and Forwards • Avoid using redirects and forwards as much as you can • If used, don’t involve user parameters in defining the target URL • If you ‘must’ involve user parameters, then either • Validate each parameter • Use server side mapping
  • 42. How do you address these problems? • Develop Secure Code • Review Your Applications • Have an expert team review your applications • Review your applications yourselves following OWASP Guidelines
  • 43. How do you address these problems? • Develop Secure Code • Review Your Applications