AKASH MAHAJAN | ABOUT ME
• Independent Web Security Consultant
• Chapter lead for null Bangalore
• I test, hack, secure web applications and servers.
• I consult companies on secure deployments on AWS etc.
• Been doing application security for 5+ years.
• Wrote IDS sigs for malware and vulnerabilities for 3 years
• OWASP Top 10
• Application Security Risks
• OWASP Top 10 Details
• The Beginning
• Contact Details
OPEN WEB APPLICATION SECURITY PROJECT
• OWASP is a worldwide non-profit open community dedicated to web
• OWASP offers free tools, books, documents etc. to developers, security
practitioners and anyone interested in application security.
• Some of the most popular OWASP projects are
• OWASP Top 10
• OWASP Web Goat Project
• OWASP Testing Guide
• OWASP Developer Guide
• Definitely visit and track updates on http://www.owasp.org
OWASP TOP 10
• OWASP TOP 10 is a document listing the top 10 most critical risks faced by
web applications currently.
• It is purely about managing risk and not just avoiding vulnerabilities.
• It is meant to be consumed by the developers and not just security dudes.
• You should consider using it if you are in-charge of keeping web apps safe.
• Also If your organization doesn’t have a app sec program and would like to
• Top 10 implies that these risks should be mitigated first to ensure safety of
the web application.
• There are other risks but the less severe than the top 10.
OWASP TOP 10
• Who else is using it?
• The PCI Council, US Department of Defense, US Federal Trade
Commission, Data Interchange Standards Association
• Companies like Microsoft, Citibank, IBM, HP, British Telecom, Oracle
• How do they use it?
• Microsoft uses it as part of Security Development Lifecycle
• PCI Council uses it as part of the PCI Data Security Standard
• Oracle, NSA use it as part of developer awareness
• Others use it to ensure minimal level of security audit of web applications
APPLICATION SECURITY RISKS
• Applications can have many attack vectors
• A form that submits to the database
• A database login for a partner for direct access.
• FTP login for third party content team
• These attack vectors can be used to exploit security weaknesses.
• For example stolen FTP credentials for an Amazon EC2 server might allow
the EC2 credentials to be stolen as well.
• Once stolen all services based on your Amazon account are vulnerable to
• You could end up paying for someone else misusing your Amazon services!
OWASP TOP 10 – A1 INJECTION
• Injection flaws, such as SQL, OS injection, occur when untrusted data is sent to an
interpreter as part of a command.
• The attacker’s hostile data can trick the interpreter into executing commands or
accessing unauthorized data.
• SQL Injection is one of the most used vectors when malicious people want to create
a new botnet.
• First a vulnerable web facing application is identified. Automated roBOTs/scripts
crawl the world wide web looking for the identified application. Once found they
inject HTML/JS with links pointing to trojan downloaders etc.
• Users with insecure browsers/OS come to the infected websites they get
infected in turn creating a NETwork
• In some cases up to 10,00,000 sites have been infected in a single day.
OWASP TOP 10 – A2 CROSS SITE SCRIPTING
• XSS flaws occur whenever an application takes untrusted data and sends it
to a web browser without proper validation and escaping. XSS allows
attackers to execute scripts in the victim’s browser which can hijack user
sessions, deface web sites, or redirect the user to malicious sites.
• Frequently used to steal your session.
• One of the most in-famous example is the MySpace Samy worm. In less
than a day he got more a million friends and MySpace had to be
• A XSS bug occurring on the website registration page can enable theft of
• Would you like your competitor to find out about all your new users?
OWASP TOP 10 – A3 BROKEN AUTHENTICATION
AND SESSION MANAGEMENT
• Application functions related to authentication and session management are
often not implemented correctly, allowing attackers to compromise
passwords, keys, session tokens, or exploit other implementation flaws to
assume other users’ identities
• Developers tend to build custom authentication schemes which aren’t tested
enough and may contain logical flaws as well.
• Technical impact include login theft to malicious users getting access to all
• Generating a new password every time someone enters an email id in
forgot password will cause a denial of service attack!
• Not destroying the session after a fixed time.
CONNECT THIS IMAGE TO WEB SECURITY
OWASP TOP 10 – A4 INSECURE DIRECT OBJECT
• A direct object reference occurs when a developer exposes a reference to an
internal implementation object, such as a file, directory, or database key.
Without an access control check or other protection, attackers can
manipulate these references to access unauthorized data.
• Technical impact can be letting unauthorized users download files not meant
• Real world website has a page to display invoice for the user. It contains
an id parameter. If we change the parameter, it shows the details for
• Most people mistakenly think that if a file or folder is not linked from any
web page it can’t be found by a malicious user.
OWASP TOP 10 – A5 CROSS SITE REQUEST
• A CSRF attack forces a logged-on victim’s browser to send a forged
HTTP request, including the victim’s session cookie and any other
automatically included authentication information, to a vulnerable web
• This allows the attacker to force the victim’s browser to generate
requests the vulnerable application thinks are legitimate requests from
• Log you out of your email account.
• Add a rouge DNS entry in your ADSL modem!
• Create a filter in webmail to forward all email to a malicious user.
OWASP TOP 10 – A6 SECURITY
• Good security requires having a secure configuration defined
and deployed for the application, frameworks, application
server, web server, database server, and platform.
• This includes keeping all software up to date, including all code
libraries used by the application.
• Network Solutions were offering wordpress installations on a
shared server. The main configuration file wp-config.php was
world readable. Mass hack of wordpress based websites
• Shipping with default passwords!
OWASP TOP 10 – A7 INSECURE
• Many web applications do not properly protect sensitive data,
such as credit cards, SSNs, and authentication credentials, with
appropriate encryption or hashing.
• Attackers may steal or modify such weakly protected data to
conduct identity theft, credit card fraud, or other crimes
• Storing unsalted hashes in a known weak hash algorithm
like md5. Using rainbow tables attackers can figure out
stolen passwords in no time at all.
• Storing the encryption key in the same location as the
OWASP TOP 10 – A8 FAILURE TO RESTRICT URL
• Many web applications check URL access rights before rendering protected
links and buttons. However, applications need to perform similar access
control checks each time these pages are accessed, or attackers will be able
to forge URLs to access these hidden pages anyway
• This can be due either
• Simple misconfiguration
• Flawed coding or logic.
• Assuming that if it is hidden so it will be never found doesn’t usually end
up well. Anonymous users accessing pages meant for authenticated
users and authenticated users accessing admin pages can have a
OWASP TOP 10 – A9 INSUFFICIENT TRANSPORT
• Applications frequently fail to authenticate, encrypt, and
protect the confidentiality and integrity of sensitive
network traffic. When they do, they sometimes support
weak algorithms, use expired or invalid certificates, or
do not use them correctly.
• Login and password passed in clear text over the wire.
Anyone monitoring the traffic can get hold of the
OWASP TOP 10 – A10 UNVALIDATED REDIRECTS
• Web applications frequently redirect and forward users to other
pages and websites, and use untrusted data to determine the
• Without proper validation, attackers can redirect victims to
phishing or malware sites, or use forwards to access
• Malicious user creating a redirect that points to another site
• Forward parameter coded to send user to admin section or
to normal section
• These risks only cover the top 10 of them all. There are many that are very
dangerous and should be guarded against like
• Clickjacking, Denial of service, Information Leakage, Improper Error
Handling, Insufficient Anti-automation, Lack of intrusion detection,
Malicious file execution
• To develop secure code ‘OWASP Developers Guide’
• To test web applications for security ‘OWASP Testing Guide’
• To review web applications ‘OWASP Code Review Guide’
• Keep yourself updated join a local OWASP chapter
• Get on the mailing lists.
AKASH MAHAJAN | REACH ME
• Reach me on
• Website: akashm.com
• Email: firstname.lastname@example.org
• Twitter: @makash
• Linkedin: www.linkedin.com/in/akashm