OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and Ave

OWASP TOP 10
Polytechnic Institute of Cávado and Ave
October 31st
, 2018

Paulo Silva
Security Researcher
Researcher @ Checkmarx
Researcher/Team Leader/Software Developer @ Jscrambler
Volunteer @ OWASP
+13 years as Software Developer
Master in Innovation and Technological Entrepreneurship @ FEUP
Bachelor degree in Computer Sciences @ UMinho
2Checkmarx | All Rights Reserved
Who am I

Who am I

Agenda
Part I
Web Application architecture
The HTTP protocol
HTTP Request walk-through
Part II
What is OWASP
What is the OWASP TOP 10
OWASP Top 10 walk-through

Web
Application
Architecture
Checkmarx | All Rights Reserved 7

Web Application Architecture
Client Server
HTTP
WAF HTTP
Servers
Backend
Servers
Database
Servers
3rd
party services

The HTTP Protocol

Question 1
What does HTTP stand for?

What does HTTP stand for?
Hypertext Transfer Protocol

Question 2
What’s the HTTP protocol author’s name?

What’s the HTTP protocol author’s name?
Sir Tim Berners-Lee
(Turing Award 2016)

Question 3
When was the HTTP protocol first proposed?

When was the HTTP protocol first proposed?
1990

A little bit of history

HTTP/0.9 (1991)
Connection: Client-server TCP-IP link.
Request: Single ASCII characters line terminated by a CR LF.
Response: Hypertext mark-up language (HTML) document (byte stream of
ASCII characters).
Disconnection: TCP-IP connection is broken by the server when the whole
document has been transferred.

HTTP/0.9 (1991)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-
strict.dtd">
<html dir="ltr" lang="pt-PT">
<head><meta name="GENERATOR" content="Microsoft
SharePoint" /><meta http-equiv="Content-type"
content="text/html; charset=utf-8" /><meta http-
equiv="X-UA-Compatible" content="IE=10" /><meta
http-equiv="Expires" content="0" /><meta
name="msapplication-TileImage"
content="/_layouts/15/images/SharePointMetroAppTi
le.png" /><meta name="msapplication-TileColor"
content="#0072C6" /><title>
Universidade do Minho
</title>
$ telnet www.uminho.pt 80
GET /

HTTP/1.0 (1996)
Purpose
Serve more than just http documents,
Provide richer meta data about the request and the response,
Enable content negotiation and more.
New Features
Additional Request Methods
Additional Header Field Definitions

HTTP/1.0 (1996)
GET / HTTP/1.0
HTTP/1.1 200 OK
Connection: close
Date: Tue, 11 Apr 2017 23:01:57 GMT
Content-Type: text/html; charset=utf-8
Last-Modified: Tue, 11 Apr 2017 23:01:57 GMT
Strict//EN"
strict.dtd">
SharePoint" />

HTTP/1.1 (1997)
New Features
Persistent Connections (Connection: Keep-Alive),
Internet address conservation (Host header became mandatory),
State Management (Netscape cookies standardization).

HTTP/1.1 (1997)
GET / HTTP/1.1
Host: www.uminho.pt
HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Tue, 11 Apr 2017 23:01:57 GMT
Last-Modified: Tue, 11 Apr 2017 23:01:57 GMT
Strict//EN"
strict.dtd">
SharePoint" />

HTTP/2 (2012)
Purpose
Improve transport performance,
Lower latency,
Higher throughput.
New Features
Is binary, instead of textual.
Is fully multiplexed, instead of ordered and blocking.
Can therefore use one connection for parallelism.
Uses header compression to reduce overhead.
Allows servers to “push” responses proactively into client caches.

HTTP Request
walk-through

Type the URL

The HTTP GET Request
GET / HTTP/1.1
Host: www.uminho.pt
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

HTTP method aka verb
GET / HTTP/1.1
Host: www.uminho.pt
DNT: 1

Request URI (Uniform Resource Identifier)
GET / HTTP/1.1
Host: www.uminho.pt
DNT: 1

Protocol Version
GET / HTTP/1.1
Host: www.uminho.pt
DNT: 1

The “Host” header
GET / HTTP/1.1
Host: www.uminho.pt
DNT: 1

The “User-Agent” header
GET / HTTP/1.1
Host: www.uminho.pt
DNT: 1

The “Accept” header
GET / HTTP/1.1
Host: www.uminho.pt
DNT: 1

The “Accept-Language” header
GET / HTTP/1.1
Host: www.uminho.pt
DNT: 1

The “Accept-Encoding” header
GET / HTTP/1.1
Host: www.uminho.pt
DNT: 1

The “Do Not Track” header
GET / HTTP/1.1
Host: www.uminho.pt
DNT: 1
Working Draft

The “Connection” header
GET / HTTP/1.1
Host: www.uminho.pt
DNT: 1

The “Upgrade-Insecure-Requests” header
GET / HTTP/1.1
Host: www.uminho.pt
DNT: 1
Candidate Recommendation

DNS
DNS 1
DNS 2
www.uminho.pt
1
2
3
4
5
What is the address of
www.uminho.pt? I don’t know it, but
I will ask.
Awesome, I will call it.
On my cache it
maps to 193.137.9.114
Thanks, I will cache
it for a while.

Let’s query Google DNS (8.8.8.8)
$ dig @8.8.8.8 www.uminho.pt
; <<>> DiG 9.10.4-P6-RedHat-9.10.4-4.P6.fc25 <<>> @8.8.8.8 www.uminho.pt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27263
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.uminho.pt. IN A
;; ANSWER SECTION:
www.uminho.pt. 12866 IN A 193.137.9.114
;; Query time: 53 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 17 22:38:30 IST 2017
;; MSG SIZE rcvd: 58

Let’s connect and send the HTTP Request
IP Address : 193.137.9.114
Port : 80
GET / HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0)
Gecko/20100101 Firefox/52.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
DNT: 1

HTTP Response
HTTP/1.1 302 Object Moved
Date: Mon, 17 Apr 2017 18:27:06 GMT
Content-Length: 0
Location: https://www.uminho.pt/

HTTP Response - Protocol Version
Date: Mon, 17 Apr 2017 18:27:06 GMT
Content-Length: 0

HTTP Response - Status Code
Date: Mon, 17 Apr 2017 18:27:06 GMT
Content-Length: 0
Location: https://www.uminho.pt/ Code Type
1xx Informational responses
2xx Success
3xx Redirection
4xx Client error
5xx Server error

HTTP Response - Reason Phrase
Date: Mon, 17 Apr 2017 18:27:06 GMT
Content-Length: 0
The standard says: 302 Found
“The requested resource resides temporarily under
a different URI. Since the redirection might be
altered on occasion, the client SHOULD continue to
use the Request-URI for future requests.
(…)
The temporary URI SHOULD be given by the
Location field in the response.”

HTTP Response - Date
Date: Mon, 17 Apr 2017 18:27:06 GMT
Content-Length: 0

HTTP Response - Connection
Date: Mon, 17 Apr 2017 18:27:06 GMT
Content-Length: 0

HTTP Response - Content-Length
Date: Mon, 17 Apr 2017 18:27:06 GMT
Content-Length: 0

HTTP Response - Location
Date: Mon, 17 Apr 2017 18:27:06 GMT
Content-Length: 0

Establish a secure connection - TLS

Send the exact same HTTP Request
GET / HTTP/1.1
Host: www.uminho.pt
DNT: 1

New redirection
HTTP/1.1 302 Found
Date: Mon, 17 Apr 2017 18:27:05 GMT
Last-Modified: Mon, 17 Apr 2017 18:27:05 GMT
Expires: Sun, 02 Apr 2017 18:27:05 GMT
Cache-Control: private, max-age=0
Content-Length: 141
Location: https://www.uminho.pt/PT
MicrosoftSharePointTeamServices: 15.0.0.4653
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-MS-InvokeApp: 1; RequireReadOnly
X-SharePointHealthScore: 0
request-id: 7ef5e89d-7982-e023-72c7-2200d957d925
x-powered-by: ASP.NET

And finally the Hypertext document
HTTP/1.1 200 OK
Date: Mon, 17 Apr 2017 18:27:05 GMT
Expires: Sun, 02 Apr 2017 18:27:06 GMT
Last-Modified: Mon, 17 Apr 2017 18:27:06 GMT
Cache-Control: private, max-age=0
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/
xhtml1-strict.dtd">
<html dir="ltr" lang="pt-PT"><head><meta name="GENERATOR" content="Microsoft SharePoint" /
><meta http-equiv="Content-type" content="text/html; charset=utf-8" /><meta http-equiv="X-
UA-Compatible" content="IE=10" /><meta http-equiv="Expires" content="0" /><meta
name="msapplication-TileImage" content="/_layouts/15/images/SharePointMetroAppTile.png"
/><meta name="msapplication-TileColor" content="#0072C6" /><title>
Universidade do Minho

What's Next?
Parsing HTTP Response header
Security headers (e.g. CSP)
Cookies
Caching headers
Parsing HTTP Response body
Parse response body as text/html (according to Content-Type header)
Identify resources to download
 JavaScript resources have to be downloaded, parsed and evaluated
 CSS files have to be downloaded, parsed and then browser repaint is triggered

Statistics
100 HTTP Requests (including redirects)
20.80MB data transferred
8.33 seconds

How does a POST HTTP Request looks like?
POST / HTTP/1.1
Host: login.uminho.pt
Accept-Encoding: gzip, deflate, br
Referer: https://login.uminho.pt/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3auminho
%3aalunos&wctx=https%3a%2f%2falunos.uminho.pt%2fEN%2f_layouts%2f15%2fAuthenticate.aspx
%3fSource%3d%252Fpt%252Fprivate
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
ctl00%24ContentPlaceHolder1%24UsernameTextBox=A50515&ctl00%24ContentPlaceHolder1%24Passwo
rdTextBox=Checkmarx-Research-Team&ctl00%24ContentPlaceHolder1%24SubmitButton=Iniciar+sess
%C3%A3o+%2F+Sign+in

What the hell is a cookie?
HTTP Response header set by the server
<name>=<value> can be anything but control characters or spaces and tabs. It also
must not contain the following characters: ( ) < > @ , ; : “ / [ ] ? = { }
Expires=<data> cookie lifetime. Session cookies do not specify this.
Domain=<domain-value> Specifies those hosts to which the cookie will be sent.
Path=<path-value> Indicates a URL path that must exist in the requested resource
before sending the Cookie header.
Secure Secure Cookies are only sent to the server when a request is made using SSL.
HttpOnly HTTP-only Cookies are not accessible via JavaScript though.
Document.cookie (and other APIs) to mitigate XSS attacks.

What the hell is a cookie?
HTTP/1.1 200 OK
Date: Sun, 23 Apr 2017 09:39:22 GMT
Content-Encoding: gzip
Set-Cookie: UserName=A50515; expires=Sat, 22-Apr-2017 09:39:22 GMT; path=/
Password=checkmarx-research-team; expires=Sat, 22-Apr-2017 09:39:22 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
...

What is OWASP

What is OWASP
Worldwide not-for-profit charitable organization;
Focuses on improving software security;
Provides impartial and practical information to AppSec individuals;
Issues software tools and knowledge-based documentation.

How does it work?
“as a community of like-minded professionals”

What is the
OWASP TOP 10

OWASP TOP 10
For each risk it provides:
A description
Example vulnerabilities
Example attacks
Guidance on how to avoid
References to OWASP and other related resources
“A list of the 10 Most Critical Web Application Security Risks”

OWASP TOP 10
walk-through

A1 - Injection
Application Specific
Exploitability
EASY
Prevalence
COMMON
Detectability
AVERAGE
Impact
SEVERE
Application / Business
Specific
Anyone who can send
untrusted data to the
system, including:
● external users,
● business partners,
● other systems,
● internal users, and
● administrators.
Attackers send simple
text-based attacks that
exploit the syntax of the
targeted interpreter.
● Injection flaws occur when an application sends
untrusted data to an interpreter.
● Injection flaws are very prevalent, particularly
in legacy code.
● They are often found in SQL, LDAP, XPath, or
NoSQL queries; OS commands; XML parsers,
SMTP Headers, expression languages, etc.
● Injection flaws are easy to discover when
examining code, but frequently hard to discover
via testing. Scanners and fuzzers can help
attackers find injection flaws.
Injection can result in:
● data loss or
corruption,
● lack of
accountability,
● denial of access,
● complete host
takeover.
Depends on:
● business value of
affected data;
● the platform running
the interpreter.
● How your reputation
can get harm
Security
Weakness
Security
Weakness
Attack
Vectors
Attack
Vectors
Technical
Impacts
Technical
ImpactsThreat
Agents
Business
Impacts
Business
Impacts

Am I Vulnerable?
SQL Injection

Am I Vulnerable?
Your database query
SELECT
*
FROM Users
WHERE
Username='$username'
AND
Password='$password'

Am I Vulnerable?
Inputs
SELECT
*
FROM Users
WHERE
Username='john'
AND
Password='h3ll0'
$username=”john”
$password=”h3ll0”

Am I Vulnerable?
Inputs
SELECT
*
FROM Users
WHERE
Username='1' or '1' = '1'
AND
Password='1' or '1' = '1'
$username=”1' or '1' = '1”
$password=”1' or '1' = '1”

Am I Vulnerable?
Inputs
SELECT
*
FROM Users
WHERE
AND
$username=”1' or '1' = '1”
$password=”1' or '1' = '1”
False OR True
AND
False OR True
True

Am I Vulnerable?
Yes you are!

Am I Vulnerable?
Your database query
SELECT
*
FROM Products
WHERE
id=$id
The URL: https://my-app.com/product/?id=10
Sometimes we have to use the back door!

Am I Vulnerable?
SELECT
*
FROM Products
WHERE
id=10; INSERT INTO users (...)
The URL
https://my-app.com/product/?id=10; INSERT INTO users (...)

Am I Vulnerable?
But, I’m using NoSQL ;-)

Am I Vulnerable?
Your database query
db.accounts.find({
“username”: username,
“password”: password
});

Am I Vulnerable?
Inputs
db.accounts.find({
“username”: “john”,
“password”: {$gt: “”}
});
username=”john”
password={$gt: “”}

Am I Vulnerable?
You’re still vulnerable ¯_( ツ )_/¯

How Do I Prevent?
Keep untrusted data separated from commands and queries
“SELECT
*
FROM Users
WHERE
Username='” + $username + ”' AND
Password='” + $password + ”'”

How Do I Prevent?
Use a parameterized interface
Most databases support Prepared Statements
$stmt = db.prepare(“SELECT * FROM Users WHERE
Username=? AND Password=?”);
$stmt.exec($username, $password);

How Do I Prevent?
Escape Special Characters
You should carefully escape special characters using the specific escape syntax for
the target interpreter (e.g. database query engine)

How Do I Prevent?
Escape Special Characters
SELECT
*
FROM Users
WHERE
AND

How Do I Prevent?
Input Validation
If you’re expecting a number do not allow letters;
This is not a complete defense, especially if your input requires special
characters;
Avoid writing your own validators: OWASP ESAPI.

Remember
This is not database specific
LDAP;
XPath;
OS commands;
XML parsers;
SMTP Headers;
Regular Expressions

A2 – Broken Authentication and Session Management
Application Specific Exploitability
AVERAGE
Prevalence
COMMON
Detectability
AVERAGE
Impact
SEVERE
Specific
 External attackers
(steal accounts from
others)
 Authorized users
(steal accounts from
others)
 insiders (wanting to
disguise their
actions)
Attackers use leaks or
flaws in the
authentication or session
management functions
(e.g., exposed accounts,
passwords, session IDs)
to temporarily or
permanently
impersonate users.
● Build custom authentication and session
management schemes is hard and error prone
● Common flaws in areas such as logout, create
account, change password, forgot password,
timeouts, remember me, secret question,
account update, etc.
● Finding such flaws can sometimes be difficult,
as each implementation is unique.
● Impersonate users
● Privileged accounts
are frequently
targeted.
Depends on:
● Business value of
affected data;
● Application
functions
● Business impact
from public
exposure of the
vulnerability.
Security
Weakness
Security
Weakness
Attack
Vectors
Attack
Vectors
Technical
Impacts
Technical
ImpactsThreat
Agents
Business
Impacts
Business
Impacts

Am I Vulnerable?
https://my-app.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii
Session IDs in the URL
Sharing the URL allows:
Session reuse;
Others to access your account;
Impersonate you on further
transactions.

Am I Vulnerable?
Session Timeout
If session lasts forever, accessing the account on a public
computer and closing browser’s window without logging out,
may allow others to access the account next time they open
the browser.

How Do I Prevent?
Meet all Authentication and Session Management requirements defined in
OWASP’s Application Security Verification Standard;
Follow OWASP’s Secure Coding Practices guidelines about Authentication and Password
Management and Session Management.

A3 – Cross-Site Scripting (XSS)
Exploitability
AVERAGE
Prevalence
VERY WIDESPREAD
Detectability
AVERAGE
Impact
MODERATE
Specific
Consider anyone who
can send untrusted data
to the system, including
external users, business
partners, other systems,
internal users, and
administrators.
Attackers send text-
based attack scripts that
exploit the interpreter in
the browser. Almost any
source of data can be an
attack vector, including
internal sources such as
data from the database.
XSS flaws occur when an application updates a web
page with attacker controlled data without properly
escaping that content or using a safe JavaScript API.
There are two primary categories of XSS flaws: (1)
Stored, and (2) Reflected, and each of these can
occur on (a) the Server or (b) on the Client.
Detection of most Server XSS flaws is fairly easy via
testing or code analysis. Client XSS can be very
difficult to identify.
Attackers can execute
scripts in a victim’s
browser to hijack user
sessions, deface web
sites, insert hostile
content, redirect users,
hijack the user’s browser
using malware, etc.
Consider the business
value of the affected
system and all the data it
processes.
Also consider the
business impact of
public exposure of the
vulnerability.
Security
Weakness
Security
Weakness
Attack
Vectors
Attack
Vectors
Technical
Impacts
Technical
ImpactsThreat
Agents
Business
Impacts
Business
Impacts

Am I Vulnerable?
Inputs
INSERT
INTO Users
(Id, Name,
Surname)
VALUES
(1, “Jane”, ”Doe”)
$name=”Jane”
$surname=”Doe”
SELECT
Name, Surname
FROM Users
WHERE
Id = 1
<h2>
<?php
echo $name + “ “ + $surname
?>
</h2>
persist
read
display

Am I Vulnerable?

Am I Vulnerable?
Inputs INSERT
INTO Users
(Id, Name,
Surname)
VALUES
(1, “Jane”,
”<script>alert(1)<
/script>”)
$name=”Jane”
$surname=”<script>alert(1)</script>”
SELECT
Name, Surname
FROM Users
WHERE
Id = 1
<h2>
<?php
?>
</h2>
persist
read
display

Am I Vulnerable?

Am I Vulnerable?
Inputs INSERT
INTO Users
(Id, Name,
Surname)
VALUES
(1,
“Jane<script”,
”>alert(1)</script
>”)
$name=”Jane<script”
$surname=”>alert(1)</script>”
SELECT
Name, Surname
FROM Users
WHERE
Id = 1
<h2>
<?php
?>
</h2>
persist
read
display

Am I Vulnerable?

How Do I Prevent?
Preventing XSS requires separation of untrusted data from
active browser content.
Escape data based on the HTML context (body, attribute, JavaScript, CSS, or URL)
that the data will be placed into (Server XSS);
Avoid passing untrusted data to JavaScript and other browser APIs that can
generate active content (Client XSS);
For rich content, consider auto-sanitization libraries;
Consider Content Security Policy (CSP) to defend against XSS across your entire
site.

A4 – Broken Access Control
Exploitability
EASY
Prevalence
WIDESPREAD
Detectability
EASY
Impact
MODERATE
Specific
Authorized users of your
system:
● Are users restricted
to certain functions
and data?
● Are unauthenticated
users allowed access
to any functionality
or data?
Attackers, who are
authorized users, simply
change a parameter
value to another
resource they aren’t
authorized for. Is access
to this functionality or
data granted?
For data, applications and APIs frequently use the
actual name or key of an object when generating
web pages. For functions, URLs and function names
are frequently easy to guess. Applications and APIs
don’t always verify the user is authorized for the
target resource. This results in an access control
flaw. Testers can easily manipulate parameters to
detect such flaws. Code analysis quickly shows
whether authorization is correct.
Such flaws can
compromise all the
functionality or data that
is accessible. Unless
references are
unpredictable, or access
control is enforced, data
and functionality can be
stolen, or abused.
value of the exposed
data and functionality.
Also consider the
business impact of
public exposure of the
vulnerability.
Security
Weakness
Security
Weakness
Attack
Vectors
Attack
Vectors
Technical
Impacts
Technical
ImpactsThreat
Agents
Business
Impacts
Business
Impacts

Am I Vulnerable?
Relying on unknown URLs
http://my-app.com/product/1
Varying the product ID may allow access to unpublished products
http://my-app.com/product/10001
Adding query string parameters may allow access to reserved features like
product editing
http://my-app.com/product/1?edit

How Do I Prevent?
Access Control check for every resource requiring authorization;
Per user or session indirect object references (do not use your objects’ database
primary key on Users’ Interface);
Automated verification: a single and audited verification control.

A5 – Security Misconfiguration
Exploitability
EASY
Prevalence
COMMON
Detectability
EASY
Impact
MODERATE
Specific
Consider anonymous
external attackers as well
as authorized users that
may . Also consider
insiders wanting to
disguise their actions.
Attackers access default
accounts, unused pages,
unpatched flaws,
unprotected files and
directories, etc. to gain
unauthorized access to
or knowledge of the
system.
Security misconfiguration can happen at any level of
an application stack, including the platform, web
server, application server, database, frameworks,
and custom code. Developers and system
administrators need to work together to ensure
that the entire stack is configured properly.
Automated scanners are useful for detecting
missing patches, misconfigurations, use of default
accounts, unnecessary services, etc.
Such flaws frequently
give attackers
some system data or
functionality.
Occasionally, such flaws
result in a complete
system compromise.
The system could be
completely
compromised without
you knowing it. All of
your data could be
stolen or modified slowly
over time.
Recovery costs could be
expensive.
Security
Weakness
Security
Weakness
Attack
Vectors
Attack
Vectors
Technical
Impacts
Technical
ImpactsThreat
Agents
Business
Impacts
Business
Impacts

Am I Vulnerable?
Out of date software (e.g. OS, Web/App Server, DBMS,…);
Unnecessary features enabled or installed (e.g., ports, services, pages, accounts,
privileges);
Unchanged default accounts and their passwords;
Stack traces on error messages;
Bad security settings configurations (e.g. application servers, application
frameworks, libraries, databases).

How Do I Prevent?
A repeatable hardening process that makes it fast and easy to deploy another
environment that is properly locked down.
All environments should be configured the same way but using different credentials.
Well defined update process to all system and dependencies.
Application components isolation.
Environment configuration validation.

A6 – Sensitive Data Exposure
Exploitability
DIFFICULT
Prevalence
UNCOMMON
Detectability
AVERAGE
Impact
SEVERE
Specific
Consider who can gain
access to your sensitive
data and any backups of
that data. This includes
the data at rest, in
transit, and even in your
customers’ browsers.
Include both external
and internal threats.
Attackers typically don’t
break crypto directly.
They break something
else, such as steal keys,
do man-in-the-middle
attacks, or steal clear
text data off the server,
while in transit, or from
the user’s browser.
The most common flaw is simply not encrypting
sensitive data. When crypto is employed, weak key
generation and management, and weak algorithm
usage is common, particularly weak password
hashing techniques. Browser weaknesses are very
common and easy to detect, but hard to exploit on
a large scale. External attackers have difficulty
detecting server side flaws due to limited access
and they are also usually hard to exploit.
Failure frequently
compromises all data
that should have been
protected. Typically, this
information includes
sensitive data such as
health records,
credentials, personal
data, credit cards, etc.
value of the lost data
and impact to your
reputation. What is your
legal liability if this data
is exposed? Also
consider the damage to
your reputation.
Security
Weakness
Security
Weakness
Attack
Vectors
Attack
Vectors
Technical
Impacts
Technical
ImpactsThreat
Agents
Business
Impacts
Business
Impacts

Am I Vulnerable?
Passwords database using unsalted hashes
INSERT INTO accounts VALUES ($username, MD5($password))
Database
Username Password
root 63a9f0ea7bb98050796b649e85481845
User1 21232f297a57a5a743894a0e4a801fc3
User2 e10adc3949ba59abbe56e057f20f883e
Rainbow Table
MD5 Hash Plain
63a9f0ea7bb98050796b649e85481845 root
21232f297a57a5a743894a0e4a801fc3 admin
e10adc3949ba59abbe56e057f20f883e 123456

How Do I Prevent?
Don’t store unnecessary data, discard it ASAP (e.g. Credit Cards);
Ensure strong standard algorithms, strong keys and proper key management;
Ensure passwords are stored using a proper algorithm like bcrypt, PBKDF2 or scrypt;
Disable auto complete on forms requesting sensitive data and caching for pages that
contain sensitive data.

A7 – Insufficient Attack Protection
Exploitability
EASY
Prevalence
COMMON
Detectability
AVERAGE
Impact
MODERATE
Specific
Consider anyone with
network access can send
your application a
request. Does your
application detect and
respond to both manual
and automated attacks?
Attackers, known users
or anonymous, send in
attacks. Does the
application or API detect
the attack? How does it
respond? Can it thwart
attacks against known
vulnerabilities?
Applications and APIs are attacked all the time.
Most applications and APIs detect invalid input, but
simply reject it, letting the attacker attack again and
again. Such attacks indicate a malicious or
compromised user probing or exploiting
vulnerabilities. Detecting and blocking both manual
and automated attacks, is one of the most effective
ways to increase security. How quickly can you
patch a critical vulnerability you just discovered?
Most successful attacks
start with vulnerability
probing. Allowing such
probes to continue can
raise the likelihood of
successful exploit to
100%. Not quickly
deploying patches aids
attackers.
Consider the impact of
insufficient attack
protection on the
business. Successful
attacks may not be
prevented, go
undiscovered for long
periods of time, and
expand far beyond their
initial footprint.
Security
Weakness
Security
Weakness
Attack
Vectors
Attack
Vectors
Technical
Impacts
Technical
ImpactsThreat
Agents
Business
Impacts
Business
Impacts

Am I Vulnerable?
Detect unexpected behavior
High volume requests to a single URL;
Request pattern detection.
Automated tools such as OWASP ZAP or SQLMap do have a pattern, allowing them to be
distinguished from regular users.

How Do I Prevent?
Is the application being used in a way that an ordinary user would never do?
Decide whether to automatically block request, IP addresses or IP ranges. Disable or
monitor user accounts.
If application patching takes longer, go with a virtual patch.
Detect Attacks
Respond to Attacks
Patch Quickly

A8 – Cross-Site Request Forgery (CSRF)
110
Exploitability
AVERAGE
Prevalence
UNCOMMON
Detectability
EASY
Impact
MODERATE
Specific
Consider anyone who
can load content into
your users’ browsers,
and thus force them to
submit a request to your
website, including any
website or other HTML
feed that your users
visit.
Attackers create forged
HTTP requests and trick
a victim into submitting
them via image tags,
iframes, XSS, or various
other techniques. If the
user is authenticated,
the attack succeeds.
CSRF takes advantage of the fact that most web
apps allow attackers to predict all the details of a
particular action.
Because browsers send credentials like session
cookies automatically, attackers can create
malicious web pages which generate forged
requests that are indistinguishable from legitimate
ones.
Detection of CSRF flaws is fairly easy via penetration
testing or code analysis.
Attackers can trick
victims into performing
any state changing
operation the victim is
authorized to perform
(e.g., updating account
details, making
purchases, modifying
data).
value of the affected
data or application
functions. Imagine not
being sure if users
intended to take these
actions.
Consider the impact to
your reputation.
Security
Weakness
Security
Weakness
Attack
Vectors
Attack
Vectors
Technical
Impacts
Technical
ImpactsThreat
Agents
Business
Impacts
Business
Impacts

Am I Vulnerable?
<form action=”https://yapp.com/signin“ method=”post”>
<input type=”email” name=”email” />
<input type=”password” name=”password” />
<input type=”submit” value=”submit” />
</form>
Not using CSRF tokens

How Do I Prevent?
Using CSRF tokens
Generated server-side;
Unpredictable;
Short TTL;
One time only;
Unique per user session;
Requests without or with invalid CSRF token should be
discarded.

How Do I Prevent?
<form action=”https://yapp.com/signin“ method=”post”>
<input type=”hidden” name=”csrf” value=”MTc1MjUK” />
<input type=”email” name=”email” />
<input type=”password” name=”password” />
<input type=”submit” value=”submit” />
</form>
Using CSRF tokens

A9 – Using Components with Known Vulnerabilities
114
Exploitability
AVERAGE
Prevalence
COMMON
Detectability
AVERAGE
Impact
MODERATE
Specific
Some vulnerable
components (e.g.,
framework libraries) can
be identified and
exploited with
automated tools,
expanding the threat
agent pool beyond
targeted attackers to
include chaotic actors.
Attackers identify a weak
component through
scanning or manual
analysis. They customize
the exploit as needed
and execute the attack.
It gets more difficult if
the used component is
deep in the application.
Many applications and APIs have these issues
because their development teams don’t focus on
ensuring their components and libraries are up to
date. In some cases, the developers don’t even
know all the components they are using, never
mind their versions. Component dependencies
make things even worse. Tools are becoming
commonly available to help detect components
with known vulnerabilities.
The full range of
weaknesses is possible,
including injection,
broken access control,
XSS, etc. The impact
could range from
minimal to complete
host takeover and data
compromise.
Consider what each
vulnerability might mean
for the business
controlled by the
affected application. It
could be trivial or it
could mean complete
compromise.
Security
Weakness
Security
Weakness
Attack
Vectors
Attack
Vectors
Technical
Impacts
Technical
ImpactsThreat
Agents
Business
Impacts
Business
Impacts
Checkmarx | All Rights Reserved

Am I Vulnerable?
Using vulnerable components
Component
# Vulnerabilities
2016 2015 2014
OpenSSL 34 34 24
Microsoft IIS - 1 1
Microsoft Sharepoint 23 21 7
MySQL 1 1 38
MongoDB 1 1 2

How Do I Prevent?
Continuously inventory the version of both client-side and server-side components;
Auditing dependencies to known vulnerabilities (e.g. using static code analysis tools);
Continuously monitor sources like CVE and NVD

A10 – Underprotected APIs
Exploitability
AVERAGE
Prevalence
COMMON
Detectability
DIFFICULT
Impact
MODERATE
Specific
Consider anyone with
the ability to send
requests to your APIs.
Client software is easily
reversed and
communications are
easily intercepted, so
obscurity is no defense
for APIs.
Attackers can reverse
engineer APIs by
examining client code, or
simply monitoring
communications. Some
API vulnerabilities can be
automatically
discovered, others only
by experts.
Modern web applications and APIs are increasingly
composed of rich clients (browser, mobile, desktop)
that connect to backend APIs (XML, JSON, RPC,
GWT, custom). APIs (microservices, services,
endpoints) can be vulnerable to the full range of
attacks. Unfortunately, dynamic and sometimes
even static tools don’t work well on APIs, and they
can be difficult to analyze manually, so these
vulnerabilities are often undiscovered.
The full range of
negative outcomes is
possible, including data
theft, corruption, and
destruction;
the entire application;
and complete host
takeover.
Consider the impact of
an API attack on the
business. Does the API
access critical data or
functions? Many APIs
are mission critical, so
also consider the impact
of denial of service
attacks.
Security
Weakness
Security
Weakness
Attack
Vectors
Attack
Vectors
Technical
Impacts
Technical
ImpactsThreat
Agents
Business
Impacts
Business
Impacts

How Do I Prevent?
Ensure that you have secured communications between the client and your APIs. (e.g. SSL);
Ensure that you have a strong authentication scheme for your APIs, and that all credentials,
keys, and tokens have been secured;
Ensure that whatever data format your requests use, that the parser configuration is
hardened against attack;
Implement an access control scheme that protects APIs from being improperly invoked,
including unauthorized function and data references;
Protect against injection of all forms, as these attacks are just as viable through APIs as
they are for normal apps.

Question 4
Why should I still read the OWASP TOP 10?

Why should I still read the OWASP TOP 10?
Because
I told you just part of the story;
OWASP TOP 10 includes:
– +D What’s Next for Developers
– +T What’s Next for Security Testing
– +O What’s Next for Organizations
OWASP TOP 10 is accepted as an industry standard

Question 5
How can I join OWASP?

How can I join OWASP?
Join your local chapter
https://lists.owasp.org/mailman/listinfo/owasp-portuguese-project

Question 6
How can I contribute?

How can I contribute?
Join your local chapter
https://lists.owasp.org/mailman/listinfo/owasp-portuguese-project
Helping translate OWASP contents to your language,
Helping review OWASP contents;
Using & reporting issues on OWASP software;
Creating security awareness;
...

Question 7
Let’s have a ?

OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and Ave

OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and Ave

OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and Ave

Recommended

More Related Content

What's hot

What's hot(20)

Similar to OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and Ave

Similar to OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and Ave(20)

Recently uploaded

Recently uploaded(20)

OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and Ave