„OWASP Top Ten in Latvia“ by Agris Krusts from IT Centrs SIA at Security focused 64th DevClub.lv
Most common web security problems from the OWASP Top 10 in Latvia in recent years, compared with similar statistics from a couple of years ago. The presentation also covers the most common mobile application security problems. For some vulnerabilities there are demos in test and live systems.

Agris is the founder of the security consulting and pen-testing company IT Centrs, SIA and has worked in the field for more than 10 years.
  1. OWASP Top Ten in Latvia: Most common web security problems. Agris Krusts, IT Centrs, SIA, 2018
  2. Who am I
     • Agris Krusts, founder of IT Centrs, security consultant
     • Managing pen-testing engagements, pen-tests, security audits, training
     • E-mail: Agris.Krusts@itcentrs.lv
     • Twitter: @agris_krusts
     • www.itcentrs.lv
     © Agris Krusts, SIA IT Centrs, 2018
  3. www.itcentrs.lv/files/devclub-2018.pdf
  4. © OWASP Top 10 2017
  5. Data source
     • Pen-tests for the last 2 - 3 years
     • ~ 130 systems
     • Usually test environments
     • According to the appropriate OWASP Testing Guide v4 control
     • Detailed statistics show only the most "popular" problems
     • Comparing to similar data from 2011 - 2014
  6. Exceptions from OWASP Top 10 2017
     • No stats for:
       • A8:2017-Insecure Deserialization
       • A10:2017-Insufficient Logging & Monitoring
  7. Injections
     • Down from ~40% to less than 10%
     • Still the majority is SQLi (7)
     • The rest: XML and code injections
  8. Broken Authentication and session management (share of vulnerable systems)
     • Session fixation 11%
     • Logout problems 15%
     • Session timeouts 13%
     • Bypassing authentication 18%
     • Problems in password reset 7%
     • Weak passwords 13%
  9. Broken Authentication and session management
     • Session fixation down from 30% to 11%
     • Missing Secure and HttpOnly down from 44% to 5%
     • Still some do not learn
  10. Sensitive Data Exposure (share of systems)
     • Browser caching 21%
     • SSL problems 31%
     • Sensitive information over HTTP 10%
  11. Sensitive Data Exposure
     • SSL problems up from 27% to 31%
     • Sensitive information over HTTP down from 40% to 10%
  12. XML External Entities
     • Separate category
     • Only a couple in Latvia
     • Something like this ...
       <?xml version="1.0" encoding="ISO-8859-1"?>
       <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/inetpub/secret.xml" >]>
       <login>
         <username>&xxe;</username>
       </login>
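The standard mitigation for the XXE case on slide 12 is to refuse DTDs altogether, so no entity can be declared and therefore none can be resolved. The following is an added example, not code from the presentation or from IT Centrs: a fail-closed guard built on the expat hooks in Python's standard library, applied before the document reaches the application's real parser. The `parse_login` function, its `<login><username>` schema and the "alice" sample are constructed for this example; the rejected sample is the payload shape shown on the slide.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class DtdRejected(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Fail closed on any DTD.

    Expat invokes the handlers the moment it sees the declaration, so the
    guard fires before any entity is defined, let alone resolved. Malformed
    XML surfaces as xml.parsers.expat.ExpatError from Parse().
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE '{name}' declared; DTDs are not accepted")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdRejected(f"entity '{name}' declared (system id {sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Exceptions raised inside expat callbacks propagate out of Parse().
    parser.Parse(xml_bytes, True)


def parse_login(xml_bytes: bytes) -> str:
    """Parse a <login><username>...</username></login> document (schema
    assumed for this example) and return the username, refusing anything
    that declares a DTD."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != "login":
        raise ValueError(f"unexpected root element {root.tag!r}")
    username = root.findtext("username")
    if username is None:
        raise ValueError("missing <username> element")
    return username


# Constructed sample: the payload shape shown on the slide.
XXE_SAMPLE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/inetpub/secret.xml" >]>
<login>
  <username>&xxe;</username>
</login>"""

# Constructed sample: an ordinary login document with no DTD.
BENIGN_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<login><username>alice</username></login>"""


if __name__ == "__main__":
    print("benign document ->", parse_login(BENIGN_SAMPLE))
    try:
        parse_login(XXE_SAMPLE)
    except DtdRejected as exc:
        print("rejected ->", exc)
```

Rejecting the DOCTYPE up front is parser-independent: it holds even if the application later switches to a library whose defaults do resolve external entities, and it also blocks internal-entity expansion attacks that a "no external entities" setting alone would not.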
  13. Broken Access Control (share of systems)
     • Directory traversal 1%
     • Bypassing authorization 9%
     • Direct object reference 11%
  14. Broken Access Control
     • Authorization problems in general down from 40%
     • Direct object reference down from 33% to 11%
  15. Security Misconfiguration (most popular; share of systems)
     • Platform configuration errors 17%
     • Old backups and unreferenced files with sensitive information 13%
     • Accessible admin interfaces 9%
     • No HSTS headers 26%
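Three of the findings in these statistics are visible in a single HTTP response: missing Secure and HttpOnly cookie flags (slide 9), browser caching of sensitive pages (slide 10) and absent HSTS headers (slide 15). Below is an added example, not from the presentation or from IT Centrs, of a small response-header audit that a test suite or CI job can run against an application's own responses. The header names are the standard ones; the `audit_response` function, the finding strings and the two sample header sets are constructed for this example.

```python
def _cookie_findings(set_cookie: str) -> list:
    """Check one Set-Cookie value for the Secure and HttpOnly attributes."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names only; values such as Path=/ or Max-Age=3600 are ignored.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    out = []
    if "secure" not in attrs:
        out.append(f"cookie {name}: missing Secure flag")
    if "httponly" not in attrs:
        out.append(f"cookie {name}: missing HttpOnly flag")
    return out


def _hsts_ok(value: str) -> bool:
    """True if a Strict-Transport-Security value carries a positive max-age."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip()) > 0
            except ValueError:
                return False
    return False


def audit_response(headers, served_over_https=True, sensitive=True):
    """Return a list of findings for one HTTP response.

    headers: list of (name, value) pairs, so repeated Set-Cookie headers survive.
    served_over_https: HSTS is only expected on HTTPS responses.
    sensitive: apply the cache check only to pages with sensitive content.
    """
    findings = []
    lowered = [(k.lower(), v) for k, v in headers]
    for key, value in lowered:
        if key == "set-cookie":
            findings.extend(_cookie_findings(value))
    single = {k: v for k, v in lowered if k != "set-cookie"}
    if served_over_https:
        hsts = single.get("strict-transport-security")
        if hsts is None:
            findings.append("no Strict-Transport-Security header on HTTPS response")
        elif not _hsts_ok(hsts):
            findings.append("Strict-Transport-Security present but max-age is missing or zero")
    if sensitive:
        cache = single.get("cache-control", "")
        directives = {d.strip().lower() for d in cache.split(",")}
        if "no-store" not in directives:
            findings.append("Cache-Control lacks no-store; browser may cache sensitive content")
    return findings


# Constructed sample: a response showing the three misconfigurations.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Cache-Control", "private, max-age=600"),
]

# Constructed sample: the same response with the problems fixed.
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Cache-Control", "no-store"),
]


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "->", audit_response(hdrs) or "no findings")
```

Feeding real responses through this check in a test suite turns the slide's percentages into a regression test: a deployment that drops the HSTS header or reintroduces a cookie without Secure fails before it reaches a pen-test.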
  16. Using Components with Known Vulnerabilities: 239 instances in 130 systems!
  17. Cross-site scripting (share of systems)
     • Reflected XSS 21%
     • DOM XSS 7%
     • Stored XSS 18%
  18. Cross-site scripting
     • Down from 46% for dynamic and 36% for stored
     • Less risk in dynamic because it is blocked by browsers
     • Higher risk because data may travel across many systems
  21. Summary
  22. Number of issues
     • A1: Injection 10
     • A2: Broken Authentication and session management 134
     • A3: Sensitive Data Exposure 89
     • A4: XML External Entities 2
     • A5: Broken Access Control 27
     • A6: Security Misconfiguration 97
     • A7: Cross-Site Scripting 59
     • A9: Using Components with Known Vulnerabilities 239
  23. Conclusions
     • Web applications are becoming more secure, at least some of them
     • Frameworks help
     • Some developers produce more secure code than others
     • Old problems, where they still exist, are more difficult to exploit
     • More problems in "new" technologies
  24. Thank You! Questions and answers! Agris Krusts, @agris_krusts, +371 29151412, www.itcentrs.lv
  25. Agris Krusts, SIA IT Centrs. E-mail: agris.krusts@itcentrs.lv. Phone: +371 29151412. Twitter: @agris_krusts. www.itcentrs.lv