Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Testing the OWASP Top 10

1,509 views

Published on

OWASP has identified the top 10 security risks for web applications. How do we as testers look for these problems in our application? This presentation discusses some ideas.

Presentation that fellow Magenicon Zach Bergman and I did at the Twin Cities Quality Assurance Association meeting in January.

Published in: Technology
  • Be the first to comment

Testing the OWASP Top 10

  1. 1. Andy Tinkham & Zach Bergman, Magenic TechnologiesContact Us1600 Utica Avenue South, Suite 800St. Louis Park, MN 554161 (877)-277-1044info@magenic.com
  2. 2. » Magenic: Leading consultancy providing custom application development, testing and QA services» Andy » 17 years of testing experience, focusing on automation, performance & other technical testing » Principal Consultant at Magenic, leading all our technical testing activities» Zach » 3 years of testing experience, focusing on security & test automation » Consultant at Magenic, driving internal security growth & initiatives
  3. 3. » Testing focused on 3 aspects of a system » Authentication – determining an entity is who they claim to be » Authorization – determining whether an entity is allowed to use a requested action or resource » Accounting – documenting what occurs in the system Authentication Authorization Accounting
  4. 4. » Talk about the most prevalent security vulnerabilities» Structure that talk using the OWASP Top 10 list » Andy will describe issue » Zach will demonstrate issue and talk about techniques to identify it» Cover some very basic testing techniques to find these» Only begin to scratch the surface of security testing
  5. 5. » Open Web Application Security Project» Non-profit organization focused on improving the security of software» Around since 2001» Not affiliated with any technology company» Provide a variety of free tools, education, and information around application security» Local chapter: https://www.owasp.org/index.php/Minneapolis_St_Paul Next meeting: 1/21/2013, Gunnar Peterson, “Mobile AppSec – How iOS and Android Apps fail and what to do to protect them”
  6. 6. • Most critical web application security flaws• Occur frequently• Easy to find• Easy to exploit 10. Unvalidated Redirects and Forwards 5. Cross-Site Request Forgery 9. Insufficient Transport Layer Protection 4. Insecure Direct Object References 8. Failure to Restrict URL Access 3. Broken Authentication & Session Management 7. Insecure Cryptographic Storage 2. Cross-Site Scripting 6. Security Misconfiguration 1. Injection
  7. 7. » Security is a big deal » 77 million user accounts compromised on Sony PlayStation network » $1 trillion dollars worth of intellectual property stolen in 2008 (McAfee) » Symantec estimates the global price tag of consumer cybercrime to be $110 billion with 18 victims every second » 90% of businesses suffered some sort of hack in last 12 months (Research Ponemon/Juniper Networks, June 2011) » 83% of websites have had a high, critical or urgent issue (WhiteHat Security, 2009)» Poor security can lead to » Unwanted information disclosure » Compromised data » Financial and Reputational Costs » Legal Issues (HIPAA, other industry information security governance)
  8. 8. » Burp Suite (http://www.portswigger.net/burp/)» Awesome Cookie Manager (Chrome App Store)» BodgeIt Store (http://code.google.com/p/bodgeit/)» REST Console (Chrome App Store)
  9. 9. » Use of an app’s built-in redirect to access an unintended location » http://yoursite.com/redirect.php?url=http://yoursite.com/admin.php » http://yoursite.com/redirect.php?url=http://badsite.com» Users can be convinced to give information thinking they’re giving it to you» Example Exploitability: Average Prevalence: Uncommon Detectability: Easy Impact: Moderate Testing Technique: Look for redirect functions throughout application in URL or request parameters
  10. 10. » Unencrypted data traversing networks can be seen, manipulated, and used without user knowledge » The session information from browser » User personally-identifiable information Exploitability: Difficult Prevalence: Common Detectability: Easy Impact: Moderate Testing Technique: See if HTTPS and TLS 1.1+ is being used on appropriate secure pages
  11. 11. Request over HTTP Request over HTTPS (SSL)
  12. 12. » Typically happens when assumptions are made regarding users’ knowledge of the app’s layout/functionality – security by obscurity » http://www.mysite.com/MySecretAdminConsole.php » http://www.mysite.com/ManagerReports» Hidden or Unlisted resources » Only show the user functionality they can use Exploitability: Easy Prevalence: Uncommon Detectability: Average Impact: Moderate Testing Technique: Look for exposed URLs. If unlisted, check if URLs may be accessed with wrong authentication
  13. 13. » Apps may not secure sensitive data with appropriate cryptography or may not store the artifacts around the cryptography securely» Inside or Outside of the physical data storage » Stored plaintext » Weak algorithm used » Unrestricted access to decrypt function » Private keys accessible Exploitability: Difficult Prevalence: Uncommon Detectability: Difficult Impact: Severe Testing Technique: Look for sensitive data in plaintext. Look for encryption in transit. (#9)
  14. 14. » Default settings of platform being used » Configuration » Default usernames/passwords » Default error messages » Debugger sessions open » Lack of updates being applied Exploitability: Easy Prevalence: Common Detectability: Easy Impact: Moderate Testing Technique: Look for custom error messages. Look for debugger session being allowed.
  15. 15. » 200 - OK» 401 - Unauthorized» 403 - Forbidden
  16. 16. » Targets user’s session information in order to act as the user » http://www.store.com/AddToCart.aspx?itemID=1234 » http://www.blog.com/ChangePassword.php?NewPass=password» Attacker takes advantage of user’s currently stored sessions » In other tabs of browser » In browser if cookies haven’t been cleared after closing Exploitability: Average Prevalence: Widespread Detectability: Easy Impact: Moderate Testing Technique: Look for actions, which can be completed by visiting a URL.
  17. 17. » The image is right here:» <img src=“http://10.30.46.15/bodgeit/basket.jsp?productid=17&price=4.1&qu antity=1” >
  18. 18. » Some application resources are accessible without going through access control » http://www.mysite.com/Report00032 » http://www.mysite.com/files/BugsToFix.pdf» Manipulate requests to access resources » hƩp://www.mysite.com/Report00032 → http://www.mysite.com/Report00033 » http://www.mysite.com/MyAccount.php?user=bob → Exploitability: Easy http://www.mysite.com/MyAccount.php?user=joan Prevalence: Common Detectability: Easy Impact: Moderate Testing Technique: Look for references to objects, and attempt to access other similar objects.
  19. 19. » Poorly implemented protections can still be insecure, leading to additional vulnerabilities» Sessions should expire» Logout should revoke the user’s session» Login should revoke any active sessions for same user» User shouldn’t be able to manipulate or guess session» Key actions should revoke certain session permissions Exploitability: Average» Session fixation Prevalence: Common Detectability: Average Impact: Severe Testing Technique: Verify that sessions are actually revoked following key actions.
  20. 20. » Untrusted input is not cleaned prior to being passed back to the browser» Can involve rendered HTML, JavaScript or any other web content Exploitability: Average Prevalence: Very Widespread Detectability: Easy Impact: Moderate Testing Technique: Verify that input is being validated or escaped so that it does not execute.
  21. 21. » Untrusted input is not cleaned prior to being used by the application» Users may inject their own code into » The App » SQL Queries » XPath Queries » Operating System » Browser/DOM » Anywhere data is combined into executable statements Exploitability: Easy Prevalence: Common Detectability: Average Impact: Severe Testing Technique: Verify that input is being validated so that it is not executed server-side.
  22. 22. » SELECT Username FROM Users WHERE Password = ‘our input here’» SELECT Username FROM Users WHERE Password = ‘a’ or ‘b’=‘b’
  23. 23. » Security is a big deal» As testers, we can begin to look for obvious issues in the course of our normal work» OWASP Top 10 lists 10 most prevalent web security issues & is a good starting point» All of these security issues require deeper analysis beyond these techniques
  24. 24. » OWASP Top 10 document (http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf)» Troy Hunt’s OWASP Top 10 for .NET Developers eBook (https://asafaweb.com/OWASP%20Top%2010%20for%20.NET%20developers.pdf)» The Web Application Hacker’s Handbook, 2nd Ed. Dafydd Stuttard and Marcus Pinto
  25. 25. Contact us:AndyT@magenic.comZachB@magenic.com

×