OWASP Top 10 - Checkmarx Presentation at Polytechnic Institute of Cávado and Ave


Presented by Paulo Silva, Security Researcher at Checkmarx on October 31, 2018 at Polytechnic Institute of Cávado and Ave.
Learn all about the OWASP Top 10 from his talk:
Part I
Web Application architecture
The HTTP protocol
HTTP Request walk-through
Part II
What is OWASP
What is the OWASP TOP 10
OWASP Top 10 walk-through


  1. OWASP TOP 10. Polytechnic Institute of Cávado and Ave, October 31st, 2018
  2. Who am I. Paulo Silva, Security Researcher: Researcher @ Checkmarx; Researcher/Team Leader/Software Developer @ Jscrambler; Volunteer @ OWASP; +13 years as Software Developer; Master in Innovation and Technological Entrepreneurship @ FEUP; Bachelor degree in Computer Sciences @ UMinho. (Checkmarx | All Rights Reserved)
  3. Who am I
  4. Who am I
  5. Agenda. Part I: Web Application architecture; The HTTP protocol; HTTP Request walk-through. Part II: What is OWASP; What is the OWASP TOP 10; OWASP Top 10 walk-through
  6. Part I
  7. Web Application Architecture
  8. Web Application Architecture: Client, HTTP, Server side (WAF, HTTP Servers, Backend Servers, Database Servers, 3rd party services)
  9. The HTTP Protocol
  10. Quiz Show
  11. Question 1: What does HTTP stand for?
  12. What does HTTP stand for? Hypertext Transfer Protocol
  13. Question 2: What’s the HTTP protocol author’s name?
  14. What’s the HTTP protocol author’s name? Sir Tim Berners-Lee (Turing Award 2016)
  15. Question 3: When was the HTTP protocol first proposed?
  16. When was the HTTP protocol first proposed? 1990
  17. A little bit of history
  18. HTTP/0.9 (1991)
     Connection: a client-server TCP/IP link.
     Request: a single line of ASCII characters terminated by CR LF.
     Response: a Hypertext Markup Language (HTML) document (a byte stream of ASCII characters).
     Disconnection: the TCP/IP connection is closed by the server once the whole document has been transferred.
  19. HTTP/0.9 (1991)
     $ telnet www.uminho.pt 80
     GET /
     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
     <html dir="ltr" lang="pt-PT">
     <head><meta name="GENERATOR" content="Microsoft SharePoint" /><meta http-equiv="Content-type" content="text/html; charset=utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=10" /><meta http-equiv="Expires" content="0" /><meta name="msapplication-TileImage" content="/_layouts/15/images/SharePointMetroAppTile.png" /><meta name="msapplication-TileColor" content="#0072C6" /><title> Universidade do Minho </title>
  20. HTTP/1.0 (1996)
     Purpose: serve more than just hypertext documents; provide richer metadata about the request and the response; enable content negotiation, and more.
     New features: additional request methods; additional header field definitions.
  21. HTTP/1.0 (1996)
     $ telnet www.uminho.pt 80
     GET / HTTP/1.0
     HTTP/1.1 200 OK
     Connection: close
     Date: Tue, 11 Apr 2017 23:01:57 GMT
     Content-Type: text/html; charset=utf-8
     Last-Modified: Tue, 11 Apr 2017 23:01:57 GMT
     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
     <html dir="ltr" lang="pt-PT">
     <head><meta name="GENERATOR" content="Microsoft SharePoint" />
  22. HTTP/1.1 (1997)
     New features: persistent connections (Connection: Keep-Alive); Internet address conservation (the Host header became mandatory); state management (standardization of Netscape cookies).
  23. HTTP/1.1 (1997)
     $ telnet www.uminho.pt 80
     GET / HTTP/1.1
     Host: www.uminho.pt
     HTTP/1.1 200 OK
     Connection: Keep-Alive
     Date: Tue, 11 Apr 2017 23:01:57 GMT
     Content-Type: text/html; charset=utf-8
     Last-Modified: Tue, 11 Apr 2017 23:01:57 GMT
     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
     <html dir="ltr" lang="pt-PT">
     <head><meta name="GENERATOR" content="Microsoft SharePoint" />
  24. HTTP/2 (2012)
     Purpose: improve transport performance; lower latency; higher throughput.
     New features: is binary, instead of textual; is fully multiplexed, instead of ordered and blocking; can therefore use one connection for parallelism; uses header compression to reduce overhead; allows servers to “push” responses proactively into client caches.
  25. HTTP Request walk-through
  26. Type the URL
  27. The HTTP GET Request
     GET / HTTP/1.1
     Host: www.uminho.pt
     User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     DNT: 1
     Connection: keep-alive
     Upgrade-Insecure-Requests: 1
     (Slides 28 to 38 repeat this request, highlighting one part at a time.)
  28. HTTP method aka verb: GET
  29. Request URI (Uniform Resource Identifier): /
  30. Protocol Version: HTTP/1.1
  31. The “Host” header
  32. The “User-Agent” header
  33. The “Accept” header
  34. The “Accept-Language” header
  35. The “Accept-Encoding” header
  36. The “Do Not Track” header (DNT), a Working Draft
  37. The “Connection” header
  38. The “Upgrade-Insecure-Requests” header, a Candidate Recommendation
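The request anatomy above (method, request URI, protocol version, header lines, and the HTTP/1.1 rule from slide 22 that Host is mandatory) can be checked mechanically. The following parser is an added example written for this page, not code from the talk or from Checkmarx. The sample request is constructed to mirror the one on the slides; the accepted method list and the refusal of duplicate headers are this example's own choices.

```python
"""Parse a raw HTTP/1.x request into its parts.

Added example for these slides; the request below is constructed to mirror
the one shown in the talk, and the method list is this example's assumption.
"""

# Constructed sample request (same lines as the slide, CRLF-terminated).
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.uminho.pt\r\n"
    "User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "DNT: 1\r\n"
    "Connection: keep-alive\r\n"
    "Upgrade-Insecure-Requests: 1\r\n"
    "\r\n"
)

# Methods this parser accepts (an assumption of the example, not a slide fact).
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}


def parse_request(raw):
    """Return (method, uri, version, headers) or raise ValueError.

    headers is a dict keyed by lower-cased header name. HTTP/1.1 requests
    without a Host header are rejected, as slide 22 says Host is mandatory.
    """
    head, sep, _body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("request head is not terminated by an empty line")
    lines = head.split("\r\n")

    # Request line: method, request URI and protocol version (slides 28-30).
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, uri, version = parts
    if method not in METHODS:
        raise ValueError("unknown method: %r" % method)
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("unsupported protocol version: %r" % version)

    # Header lines: "Name: value"; whitespace inside a name is not allowed.
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip() or " " in name or "\t" in name:
            raise ValueError("malformed header line: %r" % line)
        key = name.lower()
        if key in headers:
            # A repeated header is ambiguous; refuse rather than pick one copy.
            raise ValueError("duplicate header: %r" % name)
        headers[key] = value.strip()

    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 requires a Host header")
    return method, uri, version, headers


if __name__ == "__main__":
    m, u, v, h = parse_request(SAMPLE_REQUEST)
    print(m, u, v)
    for k, val in h.items():
        print("  %s: %s" % (k, val))
```

Run it as a script to see the sample request decomposed; feeding it `GET / HTTP/1.0` with no headers succeeds, while the same request as HTTP/1.1 is rejected for the missing Host header.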
  39. DNS. Resolution exchange between the client, DNS 1 and DNS 2 for www.uminho.pt, in five steps: “What is the address of www.uminho.pt?” / “I don’t know it, but I will ask.” / “On my cache it maps to 193.137.9.114” / “Thanks, I will cache it for a while.” / “Awesome, I will call it.”
  40. Let’s query Google DNS (8.8.8.8)
     $ dig @8.8.8.8 www.uminho.pt
     ; <<>> DiG 9.10.4-P6-RedHat-9.10.4-4.P6.fc25 <<>> @8.8.8.8 www.uminho.pt
     ; (1 server found)
     ;; global options: +cmd
     ;; Got answer:
     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27263
     ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
     ;; OPT PSEUDOSECTION:
     ; EDNS: version: 0, flags:; udp: 512
     ;; QUESTION SECTION:
     ;www.uminho.pt.                 IN      A
     ;; ANSWER SECTION:
     www.uminho.pt.          12866   IN      A       193.137.9.114
     ;; Query time: 53 msec
     ;; SERVER: 8.8.8.8#53(8.8.8.8)
     ;; WHEN: Mon Apr 17 22:38:30 IST 2017
     ;; MSG SIZE  rcvd: 58
  41. Let’s connect and send the HTTP Request
     IP Address: 193.137.9.114
     Port: 80
     GET / HTTP/1.1
     Host:
     User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     DNT: 1
     Connection: keep-alive
     Upgrade-Insecure-Requests: 1
  42. HTTP Response
     HTTP/1.1 302 Object Moved
     Date: Mon, 17 Apr 2017 18:27:06 GMT
     Connection: Keep-Alive
     Content-Length: 0
     Location: https://www.uminho.pt/
     (Slides 43 to 49 repeat this response, highlighting one part at a time.)
  43. HTTP Response - Protocol Version: HTTP/1.1
  44. HTTP Response - Status Code: 302
     Code   Type
     1xx    Informational responses
     2xx    Success
     3xx    Redirection
     4xx    Client error
     5xx    Server error
  45. HTTP Response - Reason Phrase: Object Moved. The standard says, for 302 Found: “The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. (…) The temporary URI SHOULD be given by the Location field in the response.”
  46. HTTP Response - Date
  47. HTTP Response - Connection
  48. HTTP Response - Content-Length
  49. HTTP Response - Location
  50. Establish a secure connection - TLS
  51. Send the exact same HTTP Request
     GET / HTTP/1.1
     Host: www.uminho.pt
     User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     DNT: 1
     Connection: keep-alive
     Upgrade-Insecure-Requests: 1
  52. New redirection
     HTTP/1.1 302 Found
     Date: Mon, 17 Apr 2017 18:27:05 GMT
     Content-Type: text/html; charset=utf-8
     Last-Modified: Mon, 17 Apr 2017 18:27:05 GMT
     Expires: Sun, 02 Apr 2017 18:27:05 GMT
     Cache-Control: private, max-age=0
     Connection: Keep-Alive
     Content-Length: 141
     Location: https://www.uminho.pt/PT
     MicrosoftSharePointTeamServices: 15.0.0.4653
     Server: Microsoft-IIS/8.5
     X-AspNet-Version: 4.0.30319
     X-Content-Type-Options: nosniff
     X-Frame-Options: SAMEORIGIN
     X-MS-InvokeApp: 1; RequireReadOnly
     X-SharePointHealthScore: 0
     request-id: 7ef5e89d-7982-e023-72c7-2200d957d925
     x-powered-by: ASP.NET
  53. And finally the Hypertext document
     HTTP/1.1 200 OK
     Date: Mon, 17 Apr 2017 18:27:05 GMT
     Content-Type: text/html; charset=utf-8
     Expires: Sun, 02 Apr 2017 18:27:06 GMT
     Last-Modified: Mon, 17 Apr 2017 18:27:06 GMT
     Cache-Control: private, max-age=0
     Connection: Keep-Alive
     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
     <html dir="ltr" lang="pt-PT"><head><meta name="GENERATOR" content="Microsoft SharePoint" /><meta http-equiv="Content-type" content="text/html; charset=utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=10" /><meta http-equiv="Expires" content="0" /><meta name="msapplication-TileImage" content="/_layouts/15/images/SharePointMetroAppTile.png" /><meta name="msapplication-TileColor" content="#0072C6" /><title> Universidade do Minho
  54. What's Next?
     Parsing the HTTP Response header: security headers (e.g. CSP); cookies; caching headers.
     Parsing the HTTP Response body: parse the response body as text/html (according to the Content-Type header); identify resources to download: JavaScript resources have to be downloaded, parsed and evaluated; CSS files have to be downloaded, parsed and then a browser repaint is triggered.
  55. Statistics: 100 HTTP Requests (including redirects); 20.80MB data transferred; 8.33 seconds
  56. How does a POST HTTP Request look like?
     POST / HTTP/1.1
     Host: login.uminho.pt
     User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     Referer: https://login.uminho.pt/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3auminho%3aalunos&wctx=https%3a%2f%2falunos.uminho.pt%2fEN%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252Fpt%252Fprivate
     Connection: keep-alive
     Upgrade-Insecure-Requests: 1
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 196
     ctl00%24ContentPlaceHolder1%24UsernameTextBox=A50515&ctl00%24ContentPlaceHolder1%24PasswordTextBox=Checkmarx-Research-Team&ctl00%24ContentPlaceHolder1%24SubmitButton=Iniciar+sess%C3%A3o+%2F+Sign+in
  57. How does a POST HTTP Request look like? (Same request as slide 56, with the form-encoded body highlighted.)
  58. What the hell is a cookie? An HTTP Response header set by the server.
     <name>=<value>: can be anything but control characters, spaces and tabs. The name also must not contain the following characters: ( ) < > @ , ; : “ / [ ] ? = { }
     Expires=<date>: cookie lifetime. Session cookies do not specify this.
     Domain=<domain-value>: specifies the hosts to which the cookie will be sent.
     Path=<path-value>: indicates a URL path that must exist in the requested resource before the Cookie header is sent.
     Secure: Secure cookies are only sent to the server when a request is made using SSL.
     HttpOnly: HTTP-only cookies are not accessible via JavaScript through Document.cookie (and other APIs), to mitigate XSS attacks.
  59. What the hell is a cookie?
     HTTP/1.1 200 OK
     Date: Sun, 23 Apr 2017 09:39:22 GMT
     Content-Type: text/html; charset=utf-8
     Content-Encoding: gzip
     Set-Cookie: UserName=A50515; expires=Sat, 22-Apr-2017 09:39:22 GMT; path=/
     Password=checkmarx-research-team; expires=Sat, 22-Apr-2017 09:39:22 GMT; path=/
     Cache-Control: no-cache
     Expires: -1
     Pragma: no-cache
     Server: Microsoft-IIS/8.0
     X-AspNet-Version: 4.0.30319
     X-Powered-By: ASP.NET
     Connection: Keep-Alive
     ...
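The cookie attributes listed on slide 58 are exactly what a reviewer checks in a response. The following parser and audit routine is an added example written for this page, not code from the talk or from Checkmarx. The name-character rule is the one slide 58 gives; the sample Set-Cookie values are constructed from the response on slide 59, the hardened cookie and the "credential in a cookie" heuristic are this example's own additions.

```python
"""Parse Set-Cookie header values and audit their attributes.

Added example for these slides; the sample header values below are
constructed from the ones shown in the talk.
"""

# Characters slide 58 lists as not allowed in a cookie name, plus space and tab.
FORBIDDEN_IN_NAME = set('()<>@,;:"/[]?={} \t')


def parse_set_cookie(header_value):
    """Return (name, value, attributes) for one Set-Cookie header value.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, eq, value = parts[0].partition("=")
    if not eq or not name:
        raise ValueError("cookie pair must be name=value: %r" % parts[0])
    bad = [c for c in name if c in FORBIDDEN_IN_NAME or ord(c) < 0x20 or ord(c) == 0x7F]
    if bad:
        raise ValueError("illegal characters in cookie name: %r" % bad)
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        aname, aeq, avalue = part.partition("=")
        attrs[aname.strip().lower()] = avalue.strip() if aeq else True
    return name, value, attrs


def audit_cookie(header_value, over_tls=True):
    """Return the findings a reviewer would raise for one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("%s: missing HttpOnly, readable through document.cookie" % name)
    if over_tls and "secure" not in attrs:
        findings.append("%s: missing Secure, will also be sent over plain HTTP" % name)
    # Heuristic of this example: a cookie whose name suggests a credential is
    # the kind of clear-text sensitive data A6 warns about.
    if any(w in name.lower() for w in ("password", "passwd", "pwd")):
        findings.append("%s: credential stored in a cookie" % name)
    return findings


# Constructed from the slide 59 response; the hardened cookie is this example's.
SLIDE_COOKIES = [
    "UserName=A50515; expires=Sat, 22-Apr-2017 09:39:22 GMT; path=/",
    "Password=checkmarx-research-team; expires=Sat, 22-Apr-2017 09:39:22 GMT; path=/",
]
HARDENED_COOKIE = "sid=opaque-random-id; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for c in SLIDE_COOKIES + [HARDENED_COOKIE]:
        print(c, "->", audit_cookie(c) or ["ok"])
```

Both cookies from slide 59 come back with findings (no HttpOnly, no Secure, and a credential name on the second one); the hardened session cookie passes clean.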
  60. Part II
  61. What is OWASP
  62. What is OWASP: a worldwide not-for-profit charitable organization; focuses on improving software security; provides impartial and practical information to AppSec individuals; issues software tools and knowledge-based documentation.
  63. How does it work? “as a community of like-minded professionals”
  64. What is the OWASP TOP 10
  65. OWASP TOP 10: “A list of the 10 Most Critical Web Application Security Risks”. For each risk it provides: a description; example vulnerabilities; example attacks; guidance on how to avoid it; references to OWASP and other related resources.
  66. OWASP TOP 10 walk-through
  67. A1 - Injection
     Threat Agents (Application Specific): anyone who can send untrusted data to the system, including external users, business partners, other systems, internal users, and administrators.
     Attack Vectors (Exploitability: EASY): attackers send simple text-based attacks that exploit the syntax of the targeted interpreter.
     Security Weakness (Prevalence: COMMON; Detectability: AVERAGE): injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, XPath, or NoSQL queries; OS commands; XML parsers, SMTP headers, expression languages, etc. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws.
     Technical Impacts (Impact: SEVERE): injection can result in data loss or corruption, lack of accountability, denial of access, or complete host takeover.
     Business Impacts (Application / Business Specific): depends on the business value of the affected data, the platform running the interpreter, and how your reputation could be harmed.
  68. Am I Vulnerable? SQL Injection
  69. Am I Vulnerable? Your database query: SELECT * FROM Users WHERE Username='$username' AND Password='$password'
  70. Am I Vulnerable? Inputs $username=”john”, $password=”h3ll0” give: SELECT * FROM Users WHERE Username='john' AND Password='h3ll0'
  71. Am I Vulnerable? Inputs $username=”1' or '1' = '1”, $password=”1' or '1' = '1” give: SELECT * FROM Users WHERE Username='1' or '1' = '1' AND Password='1' or '1' = '1'
  72. Am I Vulnerable? With those inputs the WHERE clause reads False OR True AND False OR True, which evaluates to True.
  73. Am I Vulnerable? Yes you are!
  74. Am I Vulnerable? Your database query: SELECT * FROM Products WHERE id=$id. The URL: https://my-app.com/product/?id=10. Sometimes we have to use the back door!
  75. Am I Vulnerable? The URL https://my-app.com/product/?id=10; INSERT INTO users (...) gives: SELECT * FROM Products WHERE id=10; INSERT INTO users (...)
  76. Am I Vulnerable? But, I’m using NoSQL ;-)
  77. Am I Vulnerable? Your database query: db.accounts.find({ “username”: username, “password”: password });
  78. Am I Vulnerable? Inputs username=”john”, password={$gt: “”} give: db.accounts.find({ “username”: “john”, “password”: {$gt: “”} });
  79. Am I Vulnerable? You’re still vulnerable ¯\_(ツ)_/¯
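Why the `{$gt: ""}` value on slide 78 logs in without a password is that the query layer treats the decoded JSON object as an operator, not as data. The following added example (written for this page, not code from the talk or from Checkmarx) uses a tiny in-memory stand-in for `db.accounts.find` that supports equality and `$gt`, and puts the slide's login beside a version that refuses anything that is not a plain string. The account records are constructed.

```python
"""NoSQL injection from slides 77-79: operator objects in place of strings.

Added example for these slides. The matcher below is a small stand-in for a
document database query (equality plus $gt only); the accounts are constructed.
"""
import json

# Constructed stand-in for the accounts collection.
ACCOUNTS = [
    {"username": "john", "password": "h3ll0"},
    {"username": "jane", "password": "s3cret"},
]


def _matches(doc, query):
    """Subset of document-query semantics: field equality and the $gt operator."""
    for field, cond in query.items():
        if isinstance(cond, dict) and "$gt" in cond:
            # Every non-empty string is "greater than" "", so {"$gt": ""}
            # matches any account, which is exactly the slide 78 bypass.
            if not (doc.get(field, "") > cond["$gt"]):
                return False
        elif doc.get(field) != cond:
            return False
    return True


def find(query):
    return [d for d in ACCOUNTS if _matches(d, query)]


def login_unsafe(body):
    """Slide 77's pattern: decoded JSON values forwarded straight into the query."""
    data = json.loads(body)
    return find({"username": data["username"], "password": data["password"]})


def login_safe(body):
    """Type check before the query: credentials must be strings, never objects."""
    data = json.loads(body)
    username, password = data.get("username"), data.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("credentials must be strings, not operator objects")
    return find({"username": username, "password": password})


HONEST_BODY = '{"username": "john", "password": "h3ll0"}'
SLIDE_78_BODY = '{"username": "john", "password": {"$gt": ""}}'

if __name__ == "__main__":
    print("unsafe, honest :", login_unsafe(HONEST_BODY))
    print("unsafe, slide78:", login_unsafe(SLIDE_78_BODY))
    try:
        login_safe(SLIDE_78_BODY)
    except ValueError as exc:
        print("safe,   slide78:", exc)
```

The type check is cheap and belongs next to any other input validation; a real driver call keeps the same shape, with the string check sitting between `json.loads` and the query.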
  80. How Do I Prevent? Keep untrusted data separated from commands and queries. Not like this: “SELECT * FROM Users WHERE Username='” + $username + ”' AND Password='” + $password + ”'”
  81. How Do I Prevent? Use a parameterized interface. Most databases support Prepared Statements: $stmt = db.prepare(“SELECT * FROM Users WHERE Username=? AND Password=?”); $stmt.exec($username, $password);
  82. How Do I Prevent? Escape Special Characters. You should carefully escape special characters using the specific escape syntax for the target interpreter (e.g. the database query engine).
  83. How Do I Prevent? Escape Special Characters: SELECT * FROM Users WHERE Username='1' or '1' = '1' AND Password='1' or '1' = '1'
  84. How Do I Prevent? Input Validation. If you’re expecting a number do not allow letters. This is not a complete defense, especially if your input requires special characters. Avoid writing your own validators: OWASP ESAPI.
  85. Remember: this is not database specific. LDAP; XPath; OS commands; XML parsers; SMTP headers; regular expressions.
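Slides 69 to 84 can be reproduced end to end against a real SQL engine. The following added example (written for this page, not code from the talk or from Checkmarx) uses Python's built-in sqlite3 module: the concatenated query from slide 80 beside the prepared statement from slide 81, plus the numeric input validation from slide 84 applied to the product id from slides 74 and 75. The Users and Products tables and their rows are constructed, since the slides only show the queries.

```python
"""SQL injection: string concatenation beside a parameterized query.

Added example for these slides, using Python's sqlite3 module; the Users and
Products tables are constructed here since the talk only shows the queries.
Passwords are stored in clear text only to mirror the slide's query; a real
application compares password hashes.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("john", "h3ll0"), ("alice", "pa55w0rd")])
    conn.execute("CREATE TABLE Products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)",
                     [(10, "widget"), (11, "gadget")])
    return conn


def login_concat(conn, username, password):
    """Slide 80's anti-pattern: untrusted data spliced into the SQL text."""
    sql = ("SELECT * FROM Users WHERE Username='" + username +
           "' AND Password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, username, password):
    """Slide 81's fix: a prepared statement with bound parameters."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchall()


def product_by_id(conn, raw_id):
    """Slide 84's input validation for a numeric id, plus a bound parameter."""
    if not raw_id.isdigit():
        raise ValueError("product id must be a positive integer")
    return conn.execute("SELECT * FROM Products WHERE id=?", (int(raw_id),)).fetchall()


def run_demo():
    """Run the slide's inputs through both versions and return the results."""
    conn = make_db()
    payload = "1' or '1' = '1"   # the input from slide 71
    results = {
        "honest_concat": login_concat(conn, "john", "h3ll0"),
        "payload_concat": login_concat(conn, payload, payload),
        "honest_prepared": login_prepared(conn, "john", "h3ll0"),
        "payload_prepared": login_prepared(conn, payload, payload),
        "product_10": product_by_id(conn, "10"),
    }
    try:
        product_by_id(conn, "10; INSERT INTO users (...)")   # slide 75's id value
        results["product_injected"] = "accepted"
    except ValueError:
        results["product_injected"] = "rejected"
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

With the slide 71 input, the concatenated query returns every row in Users (the condition is true for all of them), while the prepared statement returns nothing because the quotes and `or` are bound as literal text; the slide 75 id is rejected before it ever reaches the database.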
  86. A2 – Broken Authentication and Session Management
     Threat Agents (Application Specific): external attackers (steal accounts from others); authorized users (steal accounts from others); insiders (wanting to disguise their actions).
     Attack Vectors (Exploitability: AVERAGE): attackers use leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to temporarily or permanently impersonate users.
     Security Weakness (Prevalence: COMMON; Detectability: AVERAGE): building custom authentication and session management schemes is hard and error prone. Common flaws are found in areas such as logout, create account, change password, forgot password, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.
     Technical Impacts (Impact: SEVERE): impersonating users. Privileged accounts are frequently targeted.
     Business Impacts (Application / Business Specific): depends on the business value of the affected data, the application functions, and the business impact from public exposure of the vulnerability.
  87. Am I Vulnerable? Session IDs in the URL: https://my-app.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii. Sharing the URL allows session reuse and lets others access your account and impersonate you on further transactions.
  88. Am I Vulnerable? Session Timeout. If a session lasts forever, accessing the account on a public computer and closing the browser window without logging out may allow others to access the account the next time they open the browser.
  89. How Do I Prevent? Meet all Authentication and Session Management requirements defined in OWASP’s Application Security Verification Standard; follow OWASP’s Secure Coding Practices guidelines on Authentication and Password Management and on Session Management.
  90. A3 – Cross-Site Scripting (XSS)
     Threat Agents (Application Specific): consider anyone who can send untrusted data to the system, including external users, business partners, other systems, internal users, and administrators.
     Attack Vectors (Exploitability: AVERAGE): attackers send text-based attack scripts that exploit the interpreter in the browser. Almost any source of data can be an attack vector, including internal sources such as data from the database.
     Security Weakness (Prevalence: VERY WIDESPREAD; Detectability: AVERAGE): XSS flaws occur when an application updates a web page with attacker-controlled data without properly escaping that content or using a safe JavaScript API. There are two primary categories of XSS flaws: (1) Stored and (2) Reflected, and each of these can occur on (a) the Server or (b) the Client. Detection of most Server XSS flaws is fairly easy via testing or code analysis. Client XSS can be very difficult to identify.
     Technical Impacts (Impact: MODERATE): attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.
     Business Impacts (Application / Business Specific): consider the business value of the affected system and all the data it processes. Also consider the business impact of public exposure of the vulnerability.
  91. Am I Vulnerable? Inputs $name=”Jane”, $surname=”Doe”.
     Persist: INSERT INTO Users (Id, Name, Surname) VALUES (1, “Jane”, ”Doe”)
     Read: SELECT Name, Surname FROM Users WHERE Id = 1
     Display: <h2> <?php echo $name . “ “ . $surname ?> </h2>
  92. Am I Vulnerable?
  93. Am I Vulnerable? Inputs $name=”Jane”, $surname=”<script>alert(1)</script>”.
     Persist: INSERT INTO Users (Id, Name, Surname) VALUES (1, “Jane”, ”<script>alert(1)</script>”)
     Read: SELECT Name, Surname FROM Users WHERE Id = 1
     Display: <h2> <?php echo $name . “ “ . $surname ?> </h2>
  94. Am I Vulnerable?
  95. Am I Vulnerable? Inputs $name=”Jane<script”, $surname=”>alert(1)</script>” (the payload split across two fields).
     Persist: INSERT INTO Users (Id, Name, Surname) VALUES (1, “Jane<script”, ”>alert(1)</script>”)
     Read: SELECT Name, Surname FROM Users WHERE Id = 1
     Display: <h2> <?php echo $name . “ “ . $surname ?> </h2>
  96. Am I Vulnerable?
  97. How Do I Prevent? Preventing XSS requires separation of untrusted data from active browser content. Escape data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into (Server XSS); avoid passing untrusted data to JavaScript and other browser APIs that can generate active content (Client XSS); for rich content, consider auto-sanitization libraries; consider Content Security Policy (CSP) to defend against XSS across your entire site.
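The stored XSS from slides 91 to 96 and the context-based escaping from slide 97 side by side, as an added example written for this page (not the talk's PHP, and not Checkmarx code). The input values are the ones on the slides; the attribute-context renderer and its sample value are this example's additions, included because slide 97 lists the attribute context separately from the body context.

```python
"""Stored XSS from slides 91-96: the template beside a context-escaped version.

Added example for these slides, not the talk's PHP; the input values are the
ones shown on the slides.
"""
import html


def render_unsafe(name, surname):
    """Mirrors the slide's <h2> template: values dropped straight into the HTML body."""
    return "<h2>" + name + " " + surname + "</h2>"


def render_safe(name, surname):
    """HTML body context: escape each value as it enters the markup (Server XSS fix)."""
    return "<h2>" + html.escape(name) + " " + html.escape(surname) + "</h2>"


def render_attr_safe(value):
    """Quoted-attribute context: the quote characters must be encoded as well,
    which html.escape does by default (quote=True)."""
    return '<input name="surname" value="' + html.escape(value, quote=True) + '">'


def has_script_element(markup):
    """Crude check for the demo: did a <script start tag survive rendering?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    cases = [
        ("Jane", "Doe"),                          # slide 91
        ("Jane", "<script>alert(1)</script>"),    # slide 93
        ("Jane<script", ">alert(1)</script>"),    # slide 95, payload split over two fields
    ]
    for name, surname in cases:
        print("unsafe:", render_unsafe(name, surname))
        print("safe:  ", render_safe(name, surname))
    print(render_attr_safe('Jane "JD" Doe'))
```

The split payload on slide 95 is the instructive case: no single field looks like a complete script element, so per-field blacklisting would miss it, while escaping every value at the point of output neutralizes both halves.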
  98. A4 – Broken Access Control
     Threat Agents (Application Specific): authorized users of your system. Are users restricted to certain functions and data? Are unauthenticated users allowed access to any functionality or data?
     Attack Vectors (Exploitability: EASY): attackers, who are authorized users, simply change a parameter value to another resource they aren’t authorized for. Is access to this functionality or data granted?
     Security Weakness (Prevalence: WIDESPREAD; Detectability: EASY): for data, applications and APIs frequently use the actual name or key of an object when generating web pages. For functions, URLs and function names are frequently easy to guess. Applications and APIs don’t always verify the user is authorized for the target resource. This results in an access control flaw. Testers can easily manipulate parameters to detect such flaws. Code analysis quickly shows whether authorization is correct.
     Technical Impacts (Impact: MODERATE): such flaws can compromise all the functionality or data that is accessible. Unless references are unpredictable, or access control is enforced, data and functionality can be stolen or abused.
     Business Impacts (Application / Business Specific): consider the business value of the exposed data and functionality. Also consider the business impact of public exposure of the vulnerability.
  99. Am I Vulnerable? Relying on unknown URLs. http://my-app.com/product/1: varying the product ID may allow access to unpublished products, e.g. http://my-app.com/product/10001. Adding query string parameters may allow access to reserved features like product editing, e.g. http://my-app.com/product/1?edit
  100. How Do I Prevent? An access control check for every resource requiring authorization; per-user or per-session indirect object references (do not expose your objects’ database primary keys in the user interface); automated verification: a single, audited verification control.
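The two controls on slide 100 that are easiest to get wrong in code are the per-request access check and the indirect object reference. The following added example (written for this page, not code from the talk or from Checkmarx) models both for the product URLs on slide 99: a session hands out random references only for rows it may see, every request resolves the reference and re-checks authorization, and guessing a primary key such as 10001 resolves to nothing. The product table, the roles and the token format are constructed.

```python
"""Indirect object references plus a per-request access check (slides 99-100).

Added example for these slides; the product table, the roles and the
token format are constructed here.
"""
import secrets

# Constructed catalogue keyed by database primary key; 10001 is unpublished,
# like the id varied on slide 99.
PRODUCTS = {
    1: {"name": "Widget", "published": True},
    10001: {"name": "Unreleased gadget", "published": False},
}


class Session:
    """Maps random, per-session references to real primary keys."""

    def __init__(self, user, role="customer"):
        self.user = user
        self.role = role
        self._refs = {}  # opaque reference -> primary key

    def reference_for(self, pk):
        """Issue (or reuse) an opaque token for a row this session may see."""
        for ref, existing in self._refs.items():
            if existing == pk:
                return ref
        ref = secrets.token_urlsafe(8)
        self._refs[ref] = pk
        return ref

    def resolve(self, ref):
        """Only references issued to this session resolve; guessed keys do not."""
        if ref not in self._refs:
            raise PermissionError("unknown reference")
        return self._refs[ref]


def can_view(session, pk):
    return PRODUCTS[pk]["published"] or session.role == "editor"


def can_edit(session, pk):
    return session.role == "editor"


def list_products(session):
    """The listing page: hands out references only for rows the session may view."""
    return [session.reference_for(pk) for pk in PRODUCTS if can_view(session, pk)]


def view_product(session, ref):
    """Access control is checked on this request too, not only on the listing."""
    pk = session.resolve(ref)
    if not can_view(session, pk):
        raise PermissionError("not authorized to view this product")
    return PRODUCTS[pk]["name"]


def edit_product(session, ref, new_name):
    """The '?edit' feature from slide 99, gated on the editor role."""
    pk = session.resolve(ref)
    if not can_edit(session, pk):
        raise PermissionError("not authorized to edit this product")
    PRODUCTS[pk]["name"] = new_name
    return PRODUCTS[pk]["name"]


if __name__ == "__main__":
    customer = Session("carol")
    refs = list_products(customer)
    print("customer sees", [view_product(customer, r) for r in refs])
    for guess in ("1", "10001"):
        try:
            view_product(customer, guess)
        except PermissionError as exc:
            print("guessing", guess, "->", exc)
```

The indirect reference on its own is not the control; the `can_view` and `can_edit` checks inside each request handler are, which is why both functions re-check even after a reference resolves.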
  101. 101. A5 – Security Misconfiguration
      Threat Agents (Application Specific): Consider anonymous external attackers as well as authorized users that may . Also consider insiders wanting to disguise their actions.
      Attack Vectors (Exploitability EASY): Attackers access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.
      Security Weakness (Prevalence COMMON, Detectability EASY): Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, frameworks, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
      Technical Impacts (Impact MODERATE): Such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.
      Business Impacts (Application / Business Specific): The system could be completely compromised without you knowing it. All of your data could be stolen or modified slowly over time. Recovery costs could be expensive.
  102. 102. Am I Vulnerable? Out-of-date software (e.g. OS, web/app server, DBMS, ...); unnecessary features enabled or installed (e.g. ports, services, pages, accounts, privileges); unchanged default accounts and their passwords; stack traces in error messages; insecure security settings (e.g. in application servers, application frameworks, libraries, databases).
  103. 103. How Do I Prevent? A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down; all environments configured the same way but with different credentials; a well-defined update process for all systems and dependencies; isolation of application components; environment configuration validation.
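The last two slides turn into two automated checks: a hardening check over one environment's configuration, and a drift comparison that confirms environments are configured the same way except for credentials. This is an added Python example, not code from the talk; the configuration keys, the two sample environments and the default-credential list are constructed for illustration.

```python
# Constructed example environment configurations (not from the slides); credential
# values are placeholders.
PRODUCTION = {
    "debug": False,
    "show_stack_traces": False,
    "directory_listing": False,
    "enabled_services": ["https"],
    "accounts": {"admin": "prod-only-placeholder"},
    "db_password": "prod-db-placeholder",
}
STAGING = {
    "debug": True,                        # drift: left on from development
    "show_stack_traces": True,            # leaks internals to anyone who triggers an error
    "directory_listing": False,
    "enabled_services": ["https", "ftp"],  # unnecessary service
    "accounts": {"admin": "admin"},        # unchanged default credential
    "db_password": "staging-db-placeholder",
}

# Constructed list of vendor defaults that must never survive deployment.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
ALLOWED_SERVICES = {"https"}
# Keys that are expected to differ between environments and are excluded from drift checks.
CREDENTIAL_KEYS = {"accounts", "db_password"}


def hardening_findings(config):
    """Return a list of misconfigurations found in one environment (empty = locked down)."""
    findings = []
    if config.get("debug"):
        findings.append("debug mode enabled")
    if config.get("show_stack_traces"):
        findings.append("stack traces exposed in error responses")
    if config.get("directory_listing"):
        findings.append("directory listing enabled")
    for service in config.get("enabled_services", []):
        if service not in ALLOWED_SERVICES:
            findings.append(f"unnecessary service enabled: {service}")
    for user, password in config.get("accounts", {}).items():
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"default credentials still set for account '{user}'")
    return findings


def configuration_drift(reference, candidate):
    """Keys whose values differ between two environments, ignoring credentials,
    which are supposed to differ. Anything listed here breaks the 'same config,
    different credentials' rule."""
    keys = set(reference) | set(candidate)
    return sorted(k for k in keys
                  if k not in CREDENTIAL_KEYS and reference.get(k) != candidate.get(k))


def validate_environment(config, reference=PRODUCTION):
    """Combined gate for a deployment pipeline: both lists must be empty to pass."""
    return {"hardening": hardening_findings(config),
            "drift": configuration_drift(reference, config)}
```

Run `validate_environment` as a pipeline step before an environment goes live; a non-empty result blocks the deployment, which is what makes the hardening process repeatable rather than a one-off checklist.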
  104. 104. A6 – Sensitive Data Exposure
      Threat Agents (Application Specific): Consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit, and even in your customers' browsers. Include both external and internal threats.
      Attack Vectors (Exploitability DIFFICULT): Attackers typically don't break crypto directly. They break something else, such as stealing keys, performing man-in-the-middle attacks, or stealing clear text data off the server, while in transit, or from the user's browser.
      Security Weakness (Prevalence UNCOMMON, Detectability AVERAGE): The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management and weak algorithm usage are common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server-side flaws due to limited access, and they are also usually hard to exploit.
      Technical Impacts (Impact SEVERE): Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc.
      Business Impacts (Application / Business Specific): Consider the business value of the lost data and the impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.
  105. 105. Am I Vulnerable? Passwords database using unsalted hashes: INSERT INTO accounts VALUES ($username, MD5($password))
      Database:
        Username | Password
        root     | 63a9f0ea7bb98050796b649e85481845
        User1    | 21232f297a57a5a743894a0e4a801fc3
        User2    | e10adc3949ba59abbe56e057f20f883e
      Rainbow Table:
        MD5 Hash                         | Plain
        63a9f0ea7bb98050796b649e85481845 | root
        21232f297a57a5a743894a0e4a801fc3 | admin
        e10adc3949ba59abbe56e057f20f883e | 123456
  106. 106. How Do I Prevent? Don't store unnecessary data; discard it as soon as possible (e.g. credit cards); use strong standard algorithms, strong keys and proper key management; store passwords using a proper algorithm like bcrypt, PBKDF2 or scrypt; disable autocomplete on forms requesting sensitive data and caching for pages that contain sensitive data.
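The rainbow-table slide and the PBKDF2 recommendation side by side, as an added Python example (not code from the talk). The three MD5 values are the ones on the slide; the storage record format and the iteration count are assumptions of this example, chosen so the parameters can be raised later without re-hashing everything at once.

```python
import hashlib
import hmac
import os

# The rainbow table from the slide: with unsalted MD5 every user who picks the same
# password gets the same hash, so one precomputed table cracks all of them at once.
RAINBOW_TABLE = {
    "63a9f0ea7bb98050796b649e85481845": "root",
    "21232f297a57a5a743894a0e4a801fc3": "admin",
    "e10adc3949ba59abbe56e057f20f883e": "123456",
}


def legacy_md5(password):
    """The vulnerable scheme from the slide: MD5($password), no salt, no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def rainbow_lookup(md5_hex):
    """Recovering the plaintext from an unsalted hash is a dictionary lookup."""
    return RAINBOW_TABLE.get(md5_hex)


def hash_password(password, iterations=200_000):
    """Hardened scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt and a tunable
    iteration count (raise it as hardware gets faster). bcrypt or scrypt are equally
    valid choices; hashlib.scrypt is in the standard library as well."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record (assumed format): algorithm, work factor, salt, digest.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Because every record carries its own salt, two users with the password 123456 end up with different stored values, and a precomputed table is useless; the iteration count additionally makes each guess expensive for an attacker who obtains the database.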
  107. 107. A7 – Insufficient Attack Protection
      Threat Agents (Application Specific): Consider that anyone with network access can send your application a request. Does your application detect and respond to both manual and automated attacks?
      Attack Vectors (Exploitability EASY): Attackers, known users or anonymous, send in attacks. Does the application or API detect the attack? How does it respond? Can it thwart attacks against known vulnerabilities?
      Security Weakness (Prevalence COMMON, Detectability AVERAGE): Applications and APIs are attacked all the time. Most applications and APIs detect invalid input, but simply reject it, letting the attacker attack again and again. Such attacks indicate a malicious or compromised user probing or exploiting vulnerabilities. Detecting and blocking both manual and automated attacks is one of the most effective ways to increase security. How quickly can you patch a critical vulnerability you just discovered?
      Technical Impacts (Impact MODERATE): Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of successful exploit to 100%. Not quickly deploying patches aids attackers.
      Business Impacts (Application / Business Specific): Consider the impact of insufficient attack protection on the business. Successful attacks may not be prevented, go undiscovered for long periods of time, and expand far beyond their initial footprint.
  108. 108. Am I Vulnerable? Detect unexpected behavior: a high volume of requests to a single URL; request pattern detection. Automated tools such as OWASP ZAP or SQLMap have a recognizable pattern, allowing them to be distinguished from regular users.
  109. 109. How Do I Prevent? Detect attacks: is the application being used in a way that an ordinary user would never do? Respond to attacks: decide whether to automatically block requests, IP addresses or IP ranges; disable or monitor user accounts. Patch quickly: if application patching takes longer, go with a virtual patch.
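The detect/respond steps above, run over a constructed access log, as an added Python example (not code from the talk). The log lines, the IP addresses, the tool User-Agent string and the thresholds are all made up for the example; the rules it implements are the slide's: a burst of requests to one URL, a client that announces itself as a scanning tool, and an authenticated account that keeps hitting errors.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed pattern: tools that identify themselves in their User-Agent header.
SCANNER_UA = re.compile(r"sqlmap|zap", re.IGNORECASE)


def build_sample_log():
    """Constructed sample traffic (documentation IP ranges, not real clients)."""
    base = datetime(2018, 10, 31, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, user, t, path, status, ua):
        return f'{ip} - {user} [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    lines = [line("203.0.113.5", "-", base, "/product/1", 200, "Mozilla/5.0"),
             line("203.0.113.5", "-", base + timedelta(seconds=3), "/product/2", 200, "Mozilla/5.0")]
    for i in range(25):   # burst: 25 requests to one URL from one client inside 5 seconds
        lines.append(line("198.51.100.7", "-", base + timedelta(milliseconds=200 * i), "/signin", 401, "Mozilla/5.0"))
    lines.append(line("192.0.2.9", "-", base + timedelta(seconds=8), "/product/1", 500, "sqlmap/1.2 (constructed sample)"))
    for i in range(6):    # authenticated user repeatedly denied on admin pages
        lines.append(line("203.0.113.44", "user1", base + timedelta(seconds=10 + i), f"/admin/{i}", 403, "Mozilla/5.0"))
    return "\n".join(lines)


def parse(text):
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
            entry["status"] = int(entry["status"])
            yield entry


def analyze(text, window=timedelta(seconds=10), max_hits=20, max_errors=5):
    """Return (action, subject, reason) findings; each rule fires once per subject."""
    findings = []
    hits = defaultdict(list)   # (ip, path) -> timestamps inside the sliding window
    errors = Counter()         # authenticated user -> 4xx/5xx responses
    flagged_ips = set()
    for e in parse(text):
        if SCANNER_UA.search(e["ua"]) and e["ip"] not in flagged_ips:
            flagged_ips.add(e["ip"])
            findings.append(("block-ip", e["ip"], "scanning tool user agent"))
        recent = hits[(e["ip"], e["path"])]
        recent.append(e["ts"])
        while recent and e["ts"] - recent[0] > window:
            recent.pop(0)
        if len(recent) == max_hits:   # ordinary users never hammer one URL like this
            findings.append(("block-ip", e["ip"], f"{max_hits} requests to {e['path']} within {window.seconds}s"))
        if e["user"] != "-" and e["status"] >= 400:
            errors[e["user"]] += 1
            if errors[e["user"]] == max_errors:
                findings.append(("monitor-account", e["user"], f"{max_errors} error responses"))
    return findings
```

The result feeds the response decision from the slide: `block-ip` findings go to a firewall or WAF rule, `monitor-account` findings to the account review queue, and either can be escalated to a virtual patch while the code fix is pending.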
  110. 110. A8 – Cross-Site Request Forgery (CSRF)
      Threat Agents (Application Specific): Consider anyone who can load content into your users' browsers, and thus force them to submit a request to your website, including any website or other HTML feed that your users visit.
      Attack Vectors (Exploitability AVERAGE): Attackers create forged HTTP requests and trick a victim into submitting them via image tags, iframes, XSS, or various other techniques. If the user is authenticated, the attack succeeds.
      Security Weakness (Prevalence UNCOMMON, Detectability EASY): CSRF takes advantage of the fact that most web apps allow attackers to predict all the details of a particular action. Because browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones. Detection of CSRF flaws is fairly easy via penetration testing or code analysis.
      Technical Impacts (Impact MODERATE): Attackers can trick victims into performing any state-changing operation the victim is authorized to perform (e.g., updating account details, making purchases, modifying data).
      Business Impacts (Application / Business Specific): Consider the business value of the affected data or application functions. Imagine not being sure if users intended to take these actions. Consider the impact to your reputation.
  111. 111. Am I Vulnerable? Not using CSRF tokens:
      <form action="https://yapp.com/signin" method="post">
        <input type="email" name="email" />
        <input type="password" name="password" />
        <input type="submit" value="submit" />
      </form>
  112. 112. How Do I Prevent? Using CSRF tokens: generated server-side; unpredictable; short TTL; one time only; unique per user session; requests without or with an invalid CSRF token should be discarded.
  113. 113. How Do I Prevent? Using CSRF tokens:
      <form action="https://yapp.com/signin" method="post">
        <input type="hidden" name="csrf" value="MTc1MjUK" />
        <input type="email" name="email" />
        <input type="password" name="password" />
        <input type="submit" value="submit" />
      </form>
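The server side of the token scheme above, as an added Python example (not code from the talk): each property on the prevention slide (server-generated, unpredictable, short TTL, one time only, bound to the session, invalid requests discarded) maps to one line in `validate`. The `CsrfTokenStore` class, the injectable clock and the 403/200 handler are assumptions of this example; the form is the one shown on the slide.

```python
import hmac
import secrets
import time
from html import escape


class CsrfTokenStore:
    """Hypothetical server-side token store. Tokens never come from the client's own
    input, so a forged page has no way to learn or predict one."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._tokens = {}           # token -> (session_id, expires_at)

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unpredictable
        self._tokens[token] = (session_id, self.clock() + self.ttl)
        return token

    def validate(self, session_id, token):
        if not token:                                   # request without a token: discard
            return False
        entry = self._tokens.pop(token, None)           # one time only: consumed on first use
        if entry is None:                               # unknown or already used: discard
            return False
        bound_session, expires_at = entry
        if self.clock() > expires_at:                   # short TTL
            return False
        return hmac.compare_digest(bound_session, session_id)   # unique per user session


def render_signin_form(store, session_id):
    """The slide's form with a freshly issued token embedded as a hidden field."""
    token = store.issue(session_id)
    return (
        '<form action="https://yapp.com/signin" method="post">\n'
        f'  <input type="hidden" name="csrf" value="{escape(token)}" />\n'
        '  <input type="email" name="email" />\n'
        '  <input type="password" name="password" />\n'
        '  <input type="submit" value="submit" />\n'
        '</form>'
    )


def handle_signin(store, session_id, form):
    """Request handler: reject before any credential is looked at. Returns an HTTP status."""
    if not store.validate(session_id, form.get("csrf")):
        return 403
    return 200
```

The session identifier passed to `validate` must come from the server's own session state (the cookie-backed session), never from the submitted form; otherwise the binding check compares two attacker-controlled values.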
  114. 114. A9 – Using Components with Known Vulnerabilities
      Threat Agents (Application Specific): Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.
      Attack Vectors (Exploitability AVERAGE): Attackers identify a weak component through scanning or manual analysis. They customize the exploit as needed and execute the attack. It gets more difficult if the used component is deep in the application.
      Security Weakness (Prevalence COMMON, Detectability AVERAGE): Many applications and APIs have these issues because their development teams don't focus on ensuring their components and libraries are up to date. In some cases, the developers don't even know all the components they are using, never mind their versions. Component dependencies make things even worse. Tools are becoming commonly available to help detect components with known vulnerabilities.
      Technical Impacts (Impact MODERATE): The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise.
      Business Impacts (Application / Business Specific): Consider what each vulnerability might mean for the business controlled by the affected application. It could be trivial or it could mean complete compromise.
  115. 115. Am I Vulnerable? Using vulnerable components
      Component            | # Vulnerabilities 2016 | 2015 | 2014
      OpenSSL              | 34 | 34 | 24
      Microsoft IIS        | -  | 1  | 1
      Microsoft Sharepoint | 23 | 21 | 7
      MySQL                | 1  | 1  | 38
      MongoDB              | 1  | 1  | 2
  116. 116. How Do I Prevent? Continuously inventory the versions of both client-side and server-side components; audit dependencies against known vulnerabilities (e.g. using static code analysis tools); continuously monitor sources like CVE and NVD.
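The inventory-and-audit loop from the prevention slide, as an added Python example (not code from the talk). The component names, versions and the advisory feed are constructed placeholders, and the inventory uses a simple `name==version` pin format; in practice the advisory list would be populated from the CVE/NVD sources the slide names.

```python
# Constructed component inventory (client-side and server-side pins); not the slide's data.
INVENTORY = """\
# server side
examplelib==1.4.2
anotherlib==2.0.0
# client side
thirdlib==0.9.1
"""

# Constructed advisory feed: versions strictly below `affected_below` are affected.
# Advisory ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"component": "examplelib", "affected_below": "1.5.0", "id": "ADV-PLACEHOLDER-1"},
    {"component": "anotherlib", "affected_below": "1.9.0", "id": "ADV-PLACEHOLDER-2"},
    {"component": "thirdlib",   "affected_below": "1.0.0", "id": "ADV-PLACEHOLDER-3"},
]


def parse_version(text):
    """Numeric dotted versions compare as tuples, so 1.10.0 > 1.9.0 (string compare would not)."""
    return tuple(int(part) for part in text.split("."))


def parse_inventory(text):
    """name==version lines -> {name: version}; comments and blank lines are ignored."""
    components = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        components[name.strip().lower()] = version.strip()
    return components


def audit(inventory_text, advisories):
    """Cross-reference the inventory with the advisory feed.
    Returns (component, installed, advisory id, first fixed version) per hit."""
    components = parse_inventory(inventory_text)
    findings = []
    for adv in advisories:
        installed = components.get(adv["component"].lower())
        if installed is None:
            continue   # not in use: nothing to do
        if parse_version(installed) < parse_version(adv["affected_below"]):
            findings.append((adv["component"], installed, adv["id"], adv["affected_below"]))
    return findings
```

Run this on every build so that a newly published advisory against an already-pinned version shows up the next day rather than at the next manual review; the inventory is the part teams most often lack, and without it the feed cannot be matched against anything.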
  117. 117. A10 – Underprotected APIs
      Threat Agents (Application Specific): Consider anyone with the ability to send requests to your APIs. Client software is easily reversed and communications are easily intercepted, so obscurity is no defense for APIs.
      Attack Vectors (Exploitability AVERAGE): Attackers can reverse engineer APIs by examining client code, or simply by monitoring communications. Some API vulnerabilities can be automatically discovered, others only by experts.
      Security Weakness (Prevalence COMMON, Detectability DIFFICULT): Modern web applications and APIs are increasingly composed of rich clients (browser, mobile, desktop) that connect to backend APIs (XML, JSON, RPC, GWT, custom). APIs (microservices, services, endpoints) can be vulnerable to the full range of attacks. Unfortunately, dynamic and sometimes even static tools don't work well on APIs, and they can be difficult to analyze manually, so these vulnerabilities are often undiscovered.
      Technical Impacts (Impact MODERATE): The full range of negative outcomes is possible, including data theft, corruption, and destruction; unauthorized access to the entire application; and complete host takeover.
      Business Impacts (Application / Business Specific): Consider the impact of an API attack on the business. Does the API access critical data or functions? Many APIs are mission critical, so also consider the impact of denial of service attacks.
  118. 118. How Do I Prevent? Ensure that communications between the client and your APIs are secured (e.g. SSL); ensure that you have a strong authentication scheme for your APIs, and that all credentials, keys and tokens are secured; ensure that, whatever data format your requests use, the parser configuration is hardened against attack; implement an access control scheme that protects APIs from being improperly invoked, including unauthorized function and data references; protect against injection of all forms, as these attacks are just as viable through APIs as they are for normal apps.
  119. 119. Quiz show, again
  120. 120. Question 4 Why should I still read the OWASP TOP 10?
  121. 121. Why should I still read the OWASP TOP 10? Because I told you just part of the story; the OWASP TOP 10 also includes: +D What's Next for Developers; +T What's Next for Security Testing; +O What's Next for Organizations. The OWASP TOP 10 is accepted as an industry standard.
  122. 122. Question 5 How can I join OWASP?
  123. 123. How can I join OWASP? Join your local chapter: https://lists.owasp.org/mailman/listinfo/owasp-portuguese-project
  124. 124. Question 6 How can I contribute?
  125. 125. How can I contribute? Join your local chapter: https://lists.owasp.org/mailman/listinfo/owasp-portuguese-project. Helping translate OWASP contents to your language; helping review OWASP contents; using and reporting issues on OWASP software; creating security awareness; ...
  126. 126. Question 7 Let's have a ?
  127. 127. Proprietary & Confidential | All Rights Reserved | 127 W
  128. 128. Make Your Mark. Challenge yourself! Join us!