SlideShare a Scribd company logo

Owasp v8 analysis

Download as PPTX, PDF
O
ObaidullahIzam

Describes some points of analysis OF MediaWiki for verification requirement of OWASP standard V8.

Software
1 of 13
ANALYSIS OF MEDIAWIKI V8: ERROR HANDLING AND LOGGING VERIFICATION REQUIREMENT MOHAMAD HASSAN OBAIDULLAH IZAM ELIAS TOSS MAY 30,2018
TOOLS USED FOR ANALYSIS RIPS VCG VEGA ACUNETIX
A GLANCE OWASP Security Knowledge Framework. The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. MediaWiki is a free and open-source server based application, It was originally developed by the Wikimedia Foundation and It is written in the PHP programming language and allows its users to add, modify or remove content through a web browser.
V8 ANALYSIS # Description Satisfied 8. 1 Verify that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session id, software/framework versions and personal information Partial 8. 2 Verify that error handling logic in security controls denies access by default. YES 8. 3 Verify security logging controls provide the ability to log success and particularly failure events that are identified as security-relevant. YES 8. 4 Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. YES 8. 5 Verify that all events that include untrusted data will not execute as code in the intended log viewing software. Partial
V8 ANALYSIS # Description Satisfied 8.6 Verify that security logs are protected from unauthorized access and modification. YES 8.7 Verify that the application does not log sensitive data as defined under local privacy laws or regulations, organizational sensitive data as defined by a risk assessment, or sensitive authentication data that could assist an attacker, including user’s session identifiers, passwords, hashes, or API tokens. Partial 8.8 Verify that all non-printable symbols and field separators are properly encoded in log entries, to prevent log injection YES 8.9 Verify that log fields from trusted and untrusted sources are distinguishable in log entries. YES 8.1 0 Verify that an audit log or similar allows for nonrepudiation of key transactions. YES
V8 ANALYSIS # Description Satisfied 8.1 1 Verify that security logs have some form of integrity checking or controls to prevent unauthorized modification. Don’t know 8.1 2 Verify that the logs are stored on a different partition than the application is running with proper log rotation. YES 8.1 3 Time sources should be synchronized to ensure logs have the correct time YES
V8.1 • Verify that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session id, software/framework versions and personal information. • Analysed with Acunetix • It contains possible sensitive information (e.g. a password parameter) and could be potentially cached. Even in secure SSL channels sensitive data could be stored by intermediary proxies and SSL terminators. To prevent this, a Cache-Control header should be specified • How to fix this vulnerability Prevent caching by adding "Cache Control: No-store" and "Pragma: no-cache" to the HTTP response header.
V8.1 • Analysed with VCG • This debugging function can expose sensitive data to an attacker. • Potentially Unsafe Code – phpinfo • Line: 1385 - C:xampphtdocsmediawikivendorsymfonyprocessProcess.php • if (!function_exists('phpinfo') || defined('HHVM_VERSION')) {
V8.4 • Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. • Manual Review • Manual reviewing was performed for verification of V8.4 and was seen that all the log events include information which could allow for detailed investigation and below is a snapshot of the log file.
V8.7 • Verify that the application does not log sensitive data as defined under local privacy laws or regulations, organizational sensitive data as defined by a risk assessment, or sensitive authentication data that could assist an attacker, including user’s session identifiers, passwords, hashes, or API tokens. • Analysed with Acunetix • This application contains a session token in the query parameters. A session token is sensitive information and should not be stored in the URL. URLs could be logged or leaked via the Referrer header. • The impact of this vulnerability • Possible sensitive information disclosure. • How to fix this vulnerability • The session should be maintained using cookies (or hidden input fields).
V8.8 • Verify that all non-printable symbols and field separators are properly encoded in log entries, to prevent log injection • Manual Review • Conducted a manual reveiw of the log entries and detected that log entries are encoded with non-printable symbols which avoids the log injection.
CONCLUSION • About tools: We used different tools for the analysis such as (RIPS, ZAP, VEGA, VCG and ACCUNETIX) and among them we found RIPS, VCG and ACCUNETIX more efficient and fruitful for performing the source code analysis in terms of ease of use, fast and accurate detection of the vulnerabilities. • Security: We consider that to test the safety of an application is very necessary to a direct discussion about the design choices with the developers.
Thanks for your attention! Questions

Recommended

Serverless Security Checklist
Serverless Security ChecklistServerless Security Checklist
Serverless Security ChecklistSimform
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Richard Sullivan
 
Prevoty Integri Datasheet
Prevoty Integri DatasheetPrevoty Integri Datasheet
Prevoty Integri DatasheetPrevoty
 
IT security : Keep calm and monitor PowerShell
IT security : Keep calm and monitor PowerShellIT security : Keep calm and monitor PowerShell
IT security : Keep calm and monitor PowerShellManageEngine
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017ibrahimumer2
 
8 must dos for a perfect privileged account management strategy
8 must dos for a perfect privileged account management strategy8 must dos for a perfect privileged account management strategy
8 must dos for a perfect privileged account management strategyManageEngine
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10Shivam Porwal
 

Recommended

Serverless Security Checklist
Serverless Security ChecklistServerless Security Checklist
Serverless Security ChecklistSimform
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Richard Sullivan
 
Prevoty Integri Datasheet
Prevoty Integri DatasheetPrevoty Integri Datasheet
Prevoty Integri DatasheetPrevoty
 
IT security : Keep calm and monitor PowerShell
IT security : Keep calm and monitor PowerShellIT security : Keep calm and monitor PowerShell
IT security : Keep calm and monitor PowerShellManageEngine
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017ibrahimumer2
 
8 must dos for a perfect privileged account management strategy
8 must dos for a perfect privileged account management strategy8 must dos for a perfect privileged account management strategy
8 must dos for a perfect privileged account management strategyManageEngine
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10Shivam Porwal
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10YasserElsnbary
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementEldert Grootenboer
 
Multi-Agent System for APT Detection
Multi-Agent System for APT DetectionMulti-Agent System for APT Detection
Multi-Agent System for APT DetectionThibault Debatty
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHostway|HOSTING
 
Mule anypointenterprisesecurity
Mule anypointenterprisesecurityMule anypointenterprisesecurity
Mule anypointenterprisesecurityhimajareddys
 
Mule anypoint enterprise security
Mule anypoint enterprise securityMule anypoint enterprise security
Mule anypoint enterprise securityD.Rajesh Kumar
 
Anypoint enterprise security
Anypoint enterprise securityAnypoint enterprise security
Anypoint enterprise securityD.Rajesh Kumar
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NETDaniel Krasnokucki
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API SecurityApigee | Google Cloud
 
Best Security Focussed CMS: Drupal 8
Best Security Focussed CMS: Drupal 8Best Security Focussed CMS: Drupal 8
Best Security Focussed CMS: Drupal 8OpenSense Labs
 
Logsign Data Policy Manager(DPM)
Logsign Data Policy Manager(DPM)Logsign Data Policy Manager(DPM)
Logsign Data Policy Manager(DPM)Logsign
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksAndre Van Klaveren
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesRIZWAN HASAN
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...apidays
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenSqreen
 
Owasp
Owasp Owasp
Owasp penetration Tester
 
ObserveIT Version 6.7 Release Highlights
ObserveIT Version 6.7 Release HighlightsObserveIT Version 6.7 Release Highlights
ObserveIT Version 6.7 Release HighlightsObserveIT
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesSathyanarayana Panduranga
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 

More Related Content

What's hot

Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementEldert Grootenboer
 
Multi-Agent System for APT Detection
Multi-Agent System for APT DetectionMulti-Agent System for APT Detection
Multi-Agent System for APT DetectionThibault Debatty
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHostway|HOSTING
 
Mule anypointenterprisesecurity
Mule anypointenterprisesecurityMule anypointenterprisesecurity
Mule anypointenterprisesecurityhimajareddys
 
Mule anypoint enterprise security
Mule anypoint enterprise securityMule anypoint enterprise security
Mule anypoint enterprise securityD.Rajesh Kumar
 
Anypoint enterprise security
Anypoint enterprise securityAnypoint enterprise security
Anypoint enterprise securityD.Rajesh Kumar
 
Best Security Focussed CMS: Drupal 8
Best Security Focussed CMS: Drupal 8Best Security Focussed CMS: Drupal 8
Best Security Focussed CMS: Drupal 8OpenSense Labs
 
Logsign Data Policy Manager(DPM)
Logsign Data Policy Manager(DPM)Logsign Data Policy Manager(DPM)
Logsign Data Policy Manager(DPM)Logsign
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksAndre Van Klaveren
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesRIZWAN HASAN
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...apidays
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenSqreen
 
ObserveIT Version 6.7 Release Highlights
ObserveIT Version 6.7 Release HighlightsObserveIT Version 6.7 Release Highlights
ObserveIT Version 6.7 Release HighlightsObserveIT
 

What's hot (20)

Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
 
Multi-Agent System for APT Detection
Multi-Agent System for APT DetectionMulti-Agent System for APT Detection
Multi-Agent System for APT Detection
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best Practices
 
Mule anypointenterprisesecurity
Mule anypointenterprisesecurityMule anypointenterprisesecurity
Mule anypointenterprisesecurity
 
Mule anypoint enterprise security
Mule anypoint enterprise securityMule anypoint enterprise security
Mule anypoint enterprise security
 
Anypoint enterprise security
Anypoint enterprise securityAnypoint enterprise security
Anypoint enterprise security
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NET
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
 
Best Security Focussed CMS: Drupal 8
Best Security Focussed CMS: Drupal 8Best Security Focussed CMS: Drupal 8
Best Security Focussed CMS: Drupal 8
 
Logsign Data Policy Manager(DPM)
Logsign Data Policy Manager(DPM)Logsign Data Policy Manager(DPM)
Logsign Data Policy Manager(DPM)
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilities
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
 
Application Security
Application SecurityApplication Security
Application Security
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by Sqreen
 
Owasp
Owasp Owasp
Owasp
 
ObserveIT Version 6.7 Release Highlights
ObserveIT Version 6.7 Release HighlightsObserveIT Version 6.7 Release Highlights
ObserveIT Version 6.7 Release Highlights
 

Similar to Owasp v8 analysis

Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 
Cm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and loggingCm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and loggingdcervigni
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...apidays
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security LoggingMilton Smith
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security EditionAPIsecure_ Official
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareRogue Wave Software
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEArun Voleti
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideAryan G
 
Choosing the Best Business Intelligence Security Model for Your App
Choosing the Best Business Intelligence Security Model for Your AppChoosing the Best Business Intelligence Security Model for Your App
Choosing the Best Business Intelligence Security Model for Your AppLogi Analytics
 
Self-Protecting Technology for Web Applications
Self-Protecting Technology for Web ApplicationsSelf-Protecting Technology for Web Applications
Self-Protecting Technology for Web ApplicationsIRJET Journal
 

Similar to Owasp v8 analysis (20)

Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
 
Cm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and loggingCm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and logging
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security Logging
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle software
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
 
Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software Engineering
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
 
C01461422
C01461422C01461422
C01461422
 
Choosing the Best Business Intelligence Security Model for Your App
Choosing the Best Business Intelligence Security Model for Your AppChoosing the Best Business Intelligence Security Model for Your App
Choosing the Best Business Intelligence Security Model for Your App
 
Self-Protecting Technology for Web Applications
Self-Protecting Technology for Web ApplicationsSelf-Protecting Technology for Web Applications
Self-Protecting Technology for Web Applications
 
Microservice architecture-api-gateway-considerations
Microservice architecture-api-gateway-considerationsMicroservice architecture-api-gateway-considerations
Microservice architecture-api-gateway-considerations
 

Recently uploaded

Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024MulesoftMunichMeetup
 
Novo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNovo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNeo4j
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Lisi Hocke
 
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
Auto Affiliate AI Earns First Commission in 3 Hours..pdfAuto Affiliate AI Earns First Commission in 3 Hours..pdf
Auto Affiliate AI Earns First Commission in 3 Hours..pdfSelfMade bd
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)Roberto Bettazzoni
 
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Flutter Agency
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfSrushith Repakula
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AIBusinessGPT - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AIAGATSoftware
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConNatan Silnitsky
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Eraconfluent
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfWSO2
 
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...drm1699
 
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Clinic
 
From Knowledge Graphs via Lego Bricks to scientific conversations.pptx
From Knowledge Graphs via Lego Bricks to scientific conversations.pptxFrom Knowledge Graphs via Lego Bricks to scientific conversations.pptx
From Knowledge Graphs via Lego Bricks to scientific conversations.pptxNeo4j
 
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4jGraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4jNeo4j
 
Your Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | EvmuxYour Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | Evmuxevmux96
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Andreas Granig
 
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypseTomasz Kowalczewski
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Chirag Panchal
 

Recently uploaded (20)

Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
 
Novo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNovo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMs
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
Auto Affiliate AI Earns First Commission in 3 Hours..pdfAuto Affiliate AI Earns First Commission in 3 Hours..pdf
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdf
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AIBusinessGPT - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AI
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeCon
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
 
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
 
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
 
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
 
From Knowledge Graphs via Lego Bricks to scientific conversations.pptx
From Knowledge Graphs via Lego Bricks to scientific conversations.pptxFrom Knowledge Graphs via Lego Bricks to scientific conversations.pptx
From Knowledge Graphs via Lego Bricks to scientific conversations.pptx
 
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4jGraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
 
Your Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | EvmuxYour Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | Evmux
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024
 

Owasp v8 analysis

  • 1. ANALYSIS OF MEDIAWIKI V8: ERROR HANDLING AND LOGGING VERIFICATION REQUIREMENT MOHAMAD HASSAN OBAIDULLAH IZAM ELIAS TOSS MAY 30,2018
  • 2. TOOLS USED FOR ANALYSIS RIPS VCG VEGA ACUNETIX
  • 3. A GLANCE OWASP Security Knowledge Framework. The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. MediaWiki is a free and open-source server based application, It was originally developed by the Wikimedia Foundation and It is written in the PHP programming language and allows its users to add, modify or remove content through a web browser.
  • 4. V8 ANALYSIS # Description Satisfied 8. 1 Verify that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session id, software/framework versions and personal information Partial 8. 2 Verify that error handling logic in security controls denies access by default. YES 8. 3 Verify security logging controls provide the ability to log success and particularly failure events that are identified as security-relevant. YES 8. 4 Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. YES 8. 5 Verify that all events that include untrusted data will not execute as code in the intended log viewing software. Partial
  • 5. V8 ANALYSIS # Description Satisfied 8.6 Verify that security logs are protected from unauthorized access and modification. YES 8.7 Verify that the application does not log sensitive data as defined under local privacy laws or regulations, organizational sensitive data as defined by a risk assessment, or sensitive authentication data that could assist an attacker, including user’s session identifiers, passwords, hashes, or API tokens. Partial 8.8 Verify that all non-printable symbols and field separators are properly encoded in log entries, to prevent log injection YES 8.9 Verify that log fields from trusted and untrusted sources are distinguishable in log entries. YES 8.1 0 Verify that an audit log or similar allows for nonrepudiation of key transactions. YES
  • 6. V8 ANALYSIS # Description Satisfied 8.1 1 Verify that security logs have some form of integrity checking or controls to prevent unauthorized modification. Don’t know 8.1 2 Verify that the logs are stored on a different partition than the application is running with proper log rotation. YES 8.1 3 Time sources should be synchronized to ensure logs have the correct time YES
  • 7. V8.1 • Verify that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session id, software/framework versions and personal information. • Analysed with Acunetix • It contains possible sensitive information (e.g. a password parameter) and could be potentially cached. Even in secure SSL channels sensitive data could be stored by intermediary proxies and SSL terminators. To prevent this, a Cache-Control header should be specified • How to fix this vulnerability Prevent caching by adding "Cache Control: No-store" and "Pragma: no-cache" to the HTTP response header.
  • 8. V8.1 • Analysed with VCG • This debugging function can expose sensitive data to an attacker. • Potentially Unsafe Code – phpinfo • Line: 1385 - C:xampphtdocsmediawikivendorsymfonyprocessProcess.php • if (!function_exists('phpinfo') || defined('HHVM_VERSION')) {
  • 9. V8.4 • Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. • Manual Review • Manual reviewing was performed for verification of V8.4 and was seen that all the log events include information which could allow for detailed investigation and below is a snapshot of the log file.
  • 10. V8.7 • Verify that the application does not log sensitive data as defined under local privacy laws or regulations, organizational sensitive data as defined by a risk assessment, or sensitive authentication data that could assist an attacker, including user’s session identifiers, passwords, hashes, or API tokens. • Analysed with Acunetix • This application contains a session token in the query parameters. A session token is sensitive information and should not be stored in the URL. URLs could be logged or leaked via the Referrer header. • The impact of this vulnerability • Possible sensitive information disclosure. • How to fix this vulnerability • The session should be maintained using cookies (or hidden input fields).
  • 11. V8.8 • Verify that all non-printable symbols and field separators are properly encoded in log entries, to prevent log injection • Manual Review • Conducted a manual reveiw of the log entries and detected that log entries are encoded with non-printable symbols which avoids the log injection.
  • 12. CONCLUSION • About tools: We used different tools for the analysis such as (RIPS, ZAP, VEGA, VCG and ACCUNETIX) and among them we found RIPS, VCG and ACCUNETIX more efficient and fruitful for performing the source code analysis in terms of ease of use, fast and accurate detection of the vulnerabilities. • Security: We consider that to test the safety of an application is very necessary to a direct discussion about the design choices with the developers.
  • 13. Thanks for your attention! Questions