Introduction to OWASP 2013 By Jay Vardhan and Parichay Rai | Lucideus Tech Internship
“OWASP TOP 10”
OWASP (Open Web Application Security Project)
The Open Web Application Security Project (OWASP) is a non-profit worldwide charitable
organization. Its main goal is to improve the security of application software. Its motto is to
make application security visible, so that people and organizations can make informed decisions
about application security risks. Everyone is free to participate in OWASP, and all of the materials
are available under a free and open software license.
OWASP is not affiliated with any organization or technology and supports the informed use of
commercial security technology. OWASP produces many types of materials in a collaborative, open
way. OWASP follows these principles:
Free & Open
Governed by rough consensus & running code
Abide by a code of ethics (see ethics)
Not driven by commercial interests
Risk based approach
In 2013 OWASP introduced its Top 10 web application vulnerabilities, an updated
version of the 2007 list. The primary goal of the OWASP Top 10 is to educate developers, designers,
security engineers, managers and organizations about the consequences of the most important web application security weaknesses and to provide guidelines to mitigate these security issues.
Here is the list of the OWASP Top 10 vulnerabilities:
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
A1- Injection
SQL injection is one of the most serious vulnerabilities in web applications. In the 2013 OWASP Top
Ten, SQL injection holds the top position, as it did in the OWASP 2010 list. SQL injection is an
application-layer attack; through it an attacker can steal an organization's entire data set.
In this attack an attacker adds Structured Query Language code to a web application's input to gain access to
resources or to change data.
There are many types of injection, such as LDAP injection, XML injection, XPath injection, OS
command injection and HTML injection. The risk of SQL injection exploitation is now higher due to the
availability of automated tools. In the past, exploitation was carried out manually, where the attacker had
to type the SQL statement into the input box.
An example of SQL injection: here is an HTML form with two inputs, login and password.
<form method="post" action="http://www.example.com/login.asp">
<input name="Name" type="text" id="name">
<input name="Pass" type="password" id="pass">
</form>
At the back end the query looks like:
WHERE username = '$username'
AND password = '$password'
Here $username and $password are taken from the user's input, so this can be easily
compromised. Suppose the user name is "admin" and anything' OR '0'='0 is entered into the password
box. The query then looks like:
WHERE username = 'admin'
AND password = 'anything' OR '0'='0
Because the web application's input is not properly sanitized, the single quotes have
turned the WHERE clause into a two-part condition, and the second part is always true.
This allows the attacker to bypass the login form without actually knowing a valid
username and password.
Prevention From SQL Injection
SQL injection can be prevented if the input from users is validated against a set of rules:
length, type and syntax. Ensure that the application's database user has the least privileges needed. If you
allow the single quote ( ' ) through validation, you should sanitize the input data. Sanitizing the
input data means transforming it into "non-threatening" data. For sanitizing the single quote you can use
HTML encoding or URL encoding: in HTML encoding ( ' ) becomes ( &#39; ) and in URL
encoding it becomes ( %27 ). If you sanitize input this way, make sure that you decode
the string before it is displayed to the user, because it is annoying for anyone if the user name
"Shaun O'Corner" is shown as "Shaun O%27Corner" or "Shaun O&#39;Corner".
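As an added illustration (not code from the original page), the following Python script runs the login query from the text both ways: built by string concatenation, as in the WHERE clause above, and with bound parameters, which is the fix OWASP recommends and which needs no quote encoding at all. The users table and passwords are constructed sample data.

```python
import sqlite3

# Constructed sample users; plaintext passwords only to keep the demo short
# (a real application stores password hashes).
CONSTRUCTED_USERS = [("admin", "s3cret-admin-pw"), ("Shaun O'Corner", "shaun-pw")]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The page's WHERE clause built by string concatenation: input becomes SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return "SQL error"      # a legitimate apostrophe breaks the statement
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: input is data, never SQL, so no encoding is needed."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    payload = "anything' OR '0'='0"   # the password-box input from the text
    return {
        # AND binds tighter than OR, so "... OR '0'='0'" is true for every row
        "vuln_bypass": login_vulnerable(conn, "admin", payload),
        "param_bypass": login_parameterized(conn, "admin", payload),
        "param_legit": login_parameterized(conn, "admin", "s3cret-admin-pw"),
        "vuln_quote": login_vulnerable(conn, "Shaun O'Corner", "shaun-pw"),
        "param_quote": login_parameterized(conn, "Shaun O'Corner", "shaun-pw"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```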
References: http://www.owasp.com, http://bretthard.in, http://www.codeproject.com
A2- Broken Authentication and Session Management
According to OWASP “Application functions related to authentication and session
management are often not implemented correctly, allowing attackers to compromise passwords,
keys, session tokens, or exploit other implementation flaws to assume other users’ identities.”
Authentication is the validation of a user before access to the desired web page is granted. The most common
authentication involves the use of a "userid", "sid", etc. together with a password. Authentication
vulnerabilities occur when the programmer fails to deploy proper authentication methods.
Session management vulnerabilities occur when the programmer fails to secure the user's sensitive
information such as "sessionid", "userid", "authentication_token" or "session_token".
Example of broken authentication: In this example we have used the Mutillidae web application provided by OWASP.
Step 1- Create an account and log in; it will give you a uid.
Here you can see we have logged in as "fred" and the uid = 17, as shown in the red circle.
Step 2- Now create another account and log in.
As you see in the red circle, Sam is logged in with uid = 18.
Step 3- Change uid = 18 to 17 in Sam's account using Cookie Manager, the
Firefox add-on, and refresh the page!
When you refresh the page you will be logged in to Fred's account ...
Example of session management: Step 1- Create an account on any website and log in.
Step 2- Copy the cookie using the "export cookie" extension while logged in, save the
cookie in a Notepad file and then log out.
Step 3- After a few hours import the same cookie using the "import cookie" extension. If you are logged
in again, the cookie was not expired and the victim will lose his account.
Prevention From Broken Authentication and Session Management
Protecting the cookie or session is very important; if the cookie is not secure, the attacker can
hijack the victim's cookie and get access to the victim's account. To prevent these types of
vulnerabilities, first ensure that SSL (Secure Sockets Layer) is implemented and working
properly, and verify that the user's credentials, that is username, password, sessionid and userid, are stored in
References: http://www.owasp.com, http://bretthard.in, https://hackerone.com/reports/284,
http://kb.entersoft.co.in/ and the OWASP Mutillidae web application.
A3- Cross Site Scripting (XSS)
XSS (Cross-Site Scripting) is one of the most common and most easily exploited
vulnerabilities in a website! XSS is like the cockroaches of the web, always lurking in some corner of the
website regardless of the size of the website, its popularity or the sophisticated
security team that has been working hard to secure it.
XSS is generally described as HTML injection! An XSS attack rewrites the source code of
the page, which generally happens where the website asks for user input such as the 'username' a
user wants to have, the user's email address, or payment details. Let's take the example of a search
box on a website. A user can type some input into this search box and get the desired result.
This search can be related to their own interests; for instance a user may search for his favorite
book, CD or movie.
Now if an attacker searches for the movie named Dhoom3, this search term is reflected in various
places in the HTML source code.
Note: The XSS vulnerability comes into the picture when the user is allowed to use HTML
characters as input to the search query. So, what if we try changing our search query to some
nasty one?
This won't show up as Dhoom3<script>alert..... in the output but will instead give you a popup saying "dhoommachale".
Prompts are a very common example of XSS. There are many things an attacker can
do if he finds an XSS bug, using a variety of payloads that can help him in:
1- Stealing cookies, letting him impersonate the victim
2- Capturing keystrokes
3- Defacing a website
4- Redirecting to a malicious site
A mechanism to protect your website from such attacks is simply to sanitize the
HTML special characters:
& -> &amp;
< -> &lt;
> -> &gt;
" -> &quot;
' -> &#x27;
/ -> &#x2F;
For this, you can use the htmlspecialchars() function in PHP. It encodes all HTML tags and
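As an added example (not code from the page or from PHP), here is the same substitution table applied in Python to the reflected search box described above, with the vulnerable page beside the escaped one; the search term is a constructed stand-in for the page's elided Dhoom3<script>alert..... input.

```python
import html

# The page's substitution table, as a dict so each character can be checked.
HTML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}

# Constructed search term standing in for the page's elided "Dhoom3<script>alert....." example.
SAMPLE_QUERY = "Dhoom3<script>alert('dhoommachale')</script>"


def escape_html(text):
    """Escape untrusted text for an HTML element body, one pass so nothing is double-encoded."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in text)


def search_page_vulnerable(query):
    """Reflects the search term into the page unchanged: the XSS sink from the text."""
    return "<p>Results for: " + query + "</p>"


def search_page_safe(query):
    """Same page with the reflected value escaped; the browser shows the text literally."""
    return "<p>Results for: " + escape_html(query) + "</p>"


def has_live_script(page):
    """Crude check a test harness can use: is there a real <script> element in the markup?"""
    return "<script" in page.lower()


def matches_stdlib(text):
    """Our table agrees with html.escape(quote=True) on & < > \" '; only '/' is extra."""
    return escape_html(text) == html.escape(text, quote=True).replace("/", "&#x2F;")
```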
References: http://www.owasp.com, OWASP_Testing_Guide_v3
A4- Insecure Direct Object Reference
According to OWASP “A direct object reference occurs when a developer exposes a
reference to an internal implementation object, such as a file, directory, database record, or key, as a
URL or form parameter.”
Insecure direct object reference is the flaw where a web application exposes an internal
implementation object to the user, such as a database key, file, directory or internal id in the URL, which the
attacker can manipulate to gain access to the victim's account. The most common vulnerability in this
category is directory traversal.
Here is an example on a demo site: http://demo.testfire.net
Now remove the file name "business_deposit.htm" from the URL and try something like:
Above you can see in the red circle "directory D", which becomes available to the attacker.
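The demo above shows a directory becoming browsable once the file name is trimmed from a URL. As an added example (not code from the page or from the demo site), here is a Python resolver for a user-supplied document name that refuses directory listings and "../" traversal outside the document root; the document tree it builds is constructed sample data.

```python
import os
import tempfile


def resolve_document(base_dir, requested):
    """Map a user-supplied name to a file under base_dir; None if it escapes or is a directory."""
    base = os.path.realpath(base_dir)
    # Strip leading slashes: os.path.join(base, "/etc/passwd") would discard base entirely.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        return None                      # "../" walked outside the document root
    if not os.path.isfile(candidate):
        return None                      # directories (listings) and missing files refused
    return candidate


def make_demo_root():
    """Constructed document tree: docs/bank/business_deposit.htm plus a file outside docs/."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    os.makedirs(os.path.join(docs, "bank"))
    with open(os.path.join(docs, "bank", "business_deposit.htm"), "w") as f:
        f.write("<h1>constructed page</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("outside the document root")
    return docs


def demo():
    """Each entry is True when the resolver behaved as the comment says."""
    docs = make_demo_root()
    return {
        "legit_file": resolve_document(docs, "bank/business_deposit.htm") is not None,
        "directory_listing": resolve_document(docs, "bank/") is None,
        "dot_dot": resolve_document(docs, "bank/../../secret.txt") is None,
        "absolute_path": resolve_document(docs, "/../secret.txt") is None,
        "backslash": resolve_document(docs, "..\\secret.txt") is None,
    }
```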
References: http://www.owasp.com, http://www.cyberintruder.com, http://stackoverflow.com
A5- Security Misconfiguration
Security misconfiguration is one of the OWASP Top Ten web application vulnerabilities; it
gives an attacker unauthorized access to system data or functionality. Security misconfiguration
can happen at any level of the application, including the platform, web server, application server,
framework and source code. Automated tools are very useful for detecting this vulnerability.
The image above shows the server banner "Apache Tomcat/6.0.16".
If an attacker finds any security vulnerability associated with Apache Tomcat/6.0.16, he can
easily exploit it using Metasploit.
A6- Sensitive Data Exposure
A simple robots.txt file is used to stop certain web crawlers from indexing content, whether
they are browsers or bots like Googlebot. This file is generally placed in the root folder.
To access the robots.txt just type
If it is accessible to everyone, it can let the attacker gain sensitive information, if such information is stored in robots.txt.
I am sure that many of you must still be wondering what is actually stored in the file robots.txt. In
simple words, robots.txt is a file that consists of paths that should not be crawled by
bots or web browsers. It tells the search engine that this directory is private and should not be
crawled!
A very common error that we frequently see while surfing the internet is HTTP 404
Not Found. This error can at times reveal a lot of juicy information about the underlying web
server, for example:
The requested Url was not found on this server.
Apache/2.2.3 (unix) mod_ssl/2.2.3 openSSL?0.9.7g Server at localport 80
This error message can be generated by requesting a page that is not actually available
on the server, that is, a non-existent URL. As you can clearly see above, besides the normal
error message, a lot of information about the web server version and the OS is revealed!
Let's take another example:
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[DBNETLIB][ConnectionOpen(Connect())] - SQL server does not exist or access
Here 0x80004005 is a generic IIS error code which indicates that the server cannot connect
to the database. In many cases the error message will detail the type of database. Let's
now test the error handling of IIS and ASP.NET.
Fire up your browser and request a random, non-existent page!
If the server returns a "page not found" like this:
HTTP 404 -File not found
Internet Information services
This means that IIS custom errors are not configured properly! Now try
If the server returns:
Server Error in '/' Application
The resource cannot be found
Custom errors for .NET are not configured!
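The checks in A5 and A6 above (version banners, stock 404 pages, database error text) can be automated. As an added example (not from the page), this Python audit runs those checks over constructed sample responses modelled on the error pages quoted in the text; no response here was captured from a real host.

```python
import re

# Constructed sample responses (status, headers, body) modelled on the error pages
# quoted in the text; none were captured from a real host.
SAMPLE_RESPONSES = {
    "apache_404": (404, {"Server": "Apache/2.2.3 (Unix) mod_ssl/2.2.3"},
                   "The requested URL was not found on this server.\n"
                   "Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g Server at localhost Port 80"),
    "tomcat_banner": (200, {"Server": "Apache Tomcat/6.0.16"}, "<html>home</html>"),
    "iis_default_404": (404, {"Server": "Microsoft-IIS/6.0"},
                        "HTTP 404 - File not found\nInternet Information Services"),
    "aspnet_default": (404, {}, "Server Error in '/' Application.\n"
                                "The resource cannot be found."),
    "odbc_error": (500, {}, "Microsoft OLE DB Provider for ODBC Drivers (0x80004005)\n"
                            "[DBNETLIB][ConnectionOpen(Connect())] - SQL server does not exist"),
    "hardened": (404, {"Server": "webserver"}, "<html><body>Page not found.</body></html>"),
}

# Findings: a version number in the Server header, and stock error-page signatures in the body.
VERSION_IN_HEADER = re.compile(r"\d+\.\d+")
BODY_SIGNATURES = [
    ("stock-apache-signature", re.compile(r"Apache/\d[\w./ ()-]*Server at", re.I)),
    ("stock-iis-404",          re.compile(r"Internet Information Services", re.I)),
    ("stock-aspnet-error",     re.compile(r"Server Error in '/' Application", re.I)),
    ("database-error-detail",  re.compile(r"OLE DB Provider|\[DBNETLIB\]|ODBC", re.I)),
]


def audit_response(status, headers, body):
    """Return the information-leak findings for one (status, headers, body) response."""
    findings = []
    if VERSION_IN_HEADER.search(headers.get("Server", "")):
        findings.append("server-version-in-header")
    for label, pattern in BODY_SIGNATURES:
        if pattern.search(body):      # checked regardless of status: a 200 can leak too
            findings.append(label)
    return findings


def audit_all(responses=SAMPLE_RESPONSES):
    """Map each sample name to its findings; an empty list means nothing leaked."""
    return {name: audit_response(*resp) for name, resp in responses.items()}
```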
A7- Missing Function Level Access Control
With missing function level access control, an attacker can directly access resources or data from the server
or web application by bypassing the normal application flow or any security access control.
It is a logical flaw, often the result of improper session management. Failure of function level access
control can result in compromising a wide variety of data and resources.
Every application should verify the access level of each function before it is displayed in
the user interface.
Exploiting this flaw
Step 1- Log in to the website.
Step 2- Now I intercept the request using the tool Tamper Data.
Step 3- With userlevel=user, I get this page.
Step 4- Now I change userlevel=admin.
Now you are logged in as "admin".
Prevention From Missing Function Level Access Control
1- Every function should be classified as either public or private.
2- For authentication, add some kind of check or validation.
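The A2 walkthrough (uid rewritten in the cookie, exported cookie replayed after logout) and the A7 walkthrough (userlevel=admin tampered in the request) fail against the same design: identity and role are looked up in a server-side session keyed by an opaque random token, and any uid or userlevel the client sends is ignored. As an added example (not code from the page or from Mutillidae), the Python below implements that store; the user table, the 30-minute idle timeout and the injectable clock are constructed for the demo.

```python
import secrets
import time

# Constructed user table: uid -> (username, role); the role exists only server-side.
USERS = {17: ("fred", "user"), 18: ("sam", "user")}
SESSION_TTL = 30 * 60   # idle seconds after which a session is dead (assumed policy)

class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be shown without waiting
        self._sessions = {}      # opaque token -> {"uid": ..., "expires": ...}

    def login(self, uid):
        token = secrets.token_urlsafe(32)   # unguessable; the cookie never carries the uid
        self._sessions[token] = {"uid": uid, "expires": self._now() + SESSION_TTL}
        return token

    def logout(self, token):
        self._sessions.pop(token, None)     # an exported cookie is useless after this

    def lookup(self, token):
        s = self._sessions.get(token)
        if s is None or s["expires"] < self._now():
            self._sessions.pop(token, None)
            return None
        s["expires"] = self._now() + SESSION_TTL   # sliding expiry on activity
        return s["uid"]

def handle_request(store, cookies, params):
    """Identity and role come from the session; uid/userlevel in the request are ignored."""
    uid = store.lookup(cookies.get("session", ""))
    if uid is None:
        return (401, "not logged in")
    username, role = USERS[uid]
    if params.get("page") == "admin" and role != "admin":
        return (403, "forbidden for " + username)
    return (200, "hello " + username + " (" + role + ")")

def demo():
    clock = [1000.0]
    store = SessionStore(now=lambda: clock[0])
    sam = store.login(18)
    out = {}
    # A2 step 3: Sam puts uid=17 in his cookie; the server still resolves uid 18.
    out["uid_tamper"] = handle_request(store, {"session": sam, "uid": "17"}, {})
    # A7 step 4: userlevel=admin in the request; the role still comes from the session.
    out["level_tamper"] = handle_request(store, {"session": sam},
                                         {"page": "admin", "userlevel": "admin"})
    store.logout(sam)                        # cookie exported earlier, replayed after logout
    out["replay_after_logout"] = handle_request(store, {"session": sam}, {})
    fred = store.login(17)
    clock[0] += SESSION_TTL + 1              # idle for longer than the TTL
    out["replay_after_expiry"] = handle_request(store, {"session": fred}, {})
    return out
```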
References: http://www.owasp.com, http://www.triadsquare.com
A8- Cross Site Request Forgery (CSRF)
CSRF (Cross-Site Request Forgery), also called session riding or XSRF, is an attack in which
the attacker fools the victim's browser into making a request that the user did not intend. This
reminds me of a famous saying:
"We are what we pretend to be,so we must be careful about what we pretend to be."
-Kurt Vonnegut,Mother Night.
For any website, your browser is who you are. The website recognizes you on the basis of the IP
address of its traffic, the headers, the cookies and the links it requests.
A CSRF attack exploits this mixed identity by manipulating the victim's browser into making
requests against a website on the attacker's behalf. The attacker's relation to the site is immaterial;
in fact the website never sees traffic from the attacker. Some people consider a phishing attack to be
CSRF, although it can only be a part of one. In a phishing attack we manipulate the user into initiating a
request from the browser, whereas CSRF forces the browser itself into initiating the request. It is not that
the attacker has gained access to the victim's browser, but he has made the browser do something
that the user is unaware of.
So to summarize, CSRF is an attack where the attacker crafts a link which, when requested by
the victim, performs an action that is beneficial to the attacker!
The application allows a user to submit a state-changing request that does not include anything
So the attacker constructs the request that will transfer money from the victim's account to the
attacker's account and then embeds this attack in an image request or iframe stored on various sites
under the attacker's control:
If the victim clicks any such link while logged in, the forged request will automatically
transfer funds to account 87654321.
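The forged transfer works only because the browser-attached cookie is the sole proof of intent. As an added example (not code from the page), the Python below adds a per-session synchronizer token that a third-party page can neither read nor compute, and checks it on the state-changing request; the session ids, the server key and the account numbers other than the page's 87654321 are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated at start-up here (constructed), never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id):
    """Token bound to the session, so a token minted for one user is worthless for another."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_funds(session_id, form):
    """State-changing handler: the cookie alone is not enough, the form must carry the token."""
    supplied = form.get("csrf_token", "").encode()
    expected = csrf_token_for(session_id).encode()
    if not hmac.compare_digest(supplied, expected):   # constant-time comparison
        return (403, "CSRF check failed")
    return (200, "transferred %s to %s" % (form["amount"], form["to"]))


def demo():
    victim_session = "victim-session-id"   # constructed; real ids are random
    # Legitimate form: the site rendered the victim's token into a hidden field.
    legit = {"to": "12345678", "amount": "100",
             "csrf_token": csrf_token_for(victim_session)}
    # Forged request from an <img>/<iframe> on the attacker's page: the browser attaches
    # the victim's cookie, but the attacker can neither read nor compute the token.
    forged = {"to": "87654321", "amount": "1500"}
    # A token the attacker minted for their own session does not fit the victim's.
    wrong = dict(forged, csrf_token=csrf_token_for("attacker-session-id"))
    return {
        "legit": transfer_funds(victim_session, legit),
        "forged": transfer_funds(victim_session, forged),
        "wrong_session_token": transfer_funds(victim_session, wrong),
    }
```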
References: http://www.owasp.com, http://www.w3schools.com
A9 - Using Components with Known Vulnerabilities
Using Components with Known Vulnerabilities is considered one of the most successful attack types
because in this type of attack the attacker exploits known vulnerabilities.
Almost every application has this issue because most developers do not focus
on ensuring that their components are up to date. There are times when the developers do not even
know all the components they are using, because a large part of the application is not
actually developed in house.
Component vulnerabilities can lead to any type of risk. Components in an application
always run with the full privilege of the application, so a minor flaw in a component can be
A few vulnerable components were downloaded around 22 million times in
2011 and must have been used in a number of applications! Some of these vulnerable
components are:
Apache CXF Authentication Bypass – By failing to provide an identity token, attackers
could invoke any web service with full permission. (Apache CXF is a services framework, not to be
confused with the Apache Application Server.)
Spring Remote Code Execution – Abuse of the Expression Language implementation in
Spring allowed attackers to execute arbitrary code, effectively taking over the server.
A10- Unvalidated Redirection and Forwards
Unvalidated redirects and forwards are an open redirection vulnerability in which the application
takes a parameter and redirects the victim to another website. Attackers exploit this vulnerability by
modifying the URL and sending it in phishing e-mails, causing the victim to visit malicious sites
inadvertently. Without proper validation an attacker is able to redirect the victim to a malicious
site or a phishing page made by the attacker.
The attacker uses this flaw to send the victim a malicious link in which the URL looks like a trusted
website. When the victim clicks the link, he is redirected to the malicious site inadvertently.
PHP code for redirection (vulnerable: the url parameter is used unchecked):
$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);
Example 2 (.NET code): dangerous URL redirect
String url = Request.QueryString["url"];
Response.Redirect(url);
Here is the example. Attackers make a link to a page with a redirect on it:
http://www.mytrustedsite.com/Redirect.aspx?Url=http://troyhunt.com
http://www.mytrustedsite.com/Redirect.aspx?Url=http://myuntrustedsite.com
On clicking the link provided by the attacker, which carries the trusted site's host name, the victim is redirected to
the attacker's phishing page.
Prevention From Unvalidated Redirects and Forwards
Avoid using redirects and forwards.
If the destination parameter is unavoidable, ensure the parameter supplied is valid and verified by the
Applications can use ESAPI to override the sendRedirect() method to make sure all redirect
destinations are safe.
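As an added example (not code from the page, and not ESAPI), here is a Python version of the two safe options above: a parameter that names a destination in a server-side map, and, where a URL parameter is unavoidable, a validator that accepts only the site's own host and rejects the tricks browsers honour (protocol-relative "//host", backslashes, "user@host", non-http schemes). The allowed host is taken from the page's example; the site base and the destination map are constructed configuration.

```python
from urllib.parse import urlparse, urljoin

# Assumed site identity, taken from the page's example host (constructed configuration).
ALLOWED_HOSTS = {"www.mytrustedsite.com"}
SITE_BASE = "https://www.mytrustedsite.com/"

# Preferred option: the parameter names a destination and never carries a URL at all.
REDIRECT_MAP = {"home": "/", "account": "/account", "logout": "/logout"}


def redirect_by_name(name, fallback="/"):
    """Look the destination up server-side; unknown names go to the fallback."""
    return REDIRECT_MAP.get(name, fallback)


def safe_redirect_target(url_param, fallback="/"):
    """Accept only same-site destinations; anything else becomes the fallback."""
    if not url_param:
        return fallback
    # Browsers treat a backslash in the authority like a slash, so normalise first.
    candidate = url_param.strip().replace("\\", "/")
    if candidate.startswith("//"):
        return fallback                      # protocol-relative: //evil, ///evil, /\evil
    parsed = urlparse(candidate)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return fallback                      # javascript:, data:, ...
    if parsed.netloc:
        # Absolute URL: the host name must be ours. .hostname strips the user@ part,
        # so http://www.mytrustedsite.com@evil.example/ resolves to evil.example.
        if (parsed.hostname or "").lower() not in ALLOWED_HOSTS:
            return fallback
        return candidate
    if not candidate.startswith("/"):
        return fallback                      # "http:evil.example" or a bare host name
    return urljoin(SITE_BASE, candidate)     # site-relative path, pinned to our own origin
```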
References: http://www.owasp.com, http://www.w3schools.com, http://manojkumarponraj.blogspot.in
“Web Security Researcher”
Student (Cyber Law & Information Security), IIIT-Allahabad
Intern – Lucideus Tech Pvt. Ltd.