OWASP Top 10 : Let’s know & solve


Published in: Technology

  1. OWASP Top 10 : Let’s know & solve (Harit Kothari)
  2. Top 10 (this is the 2007 edition of the OWASP list)
     - Cross Site Scripting (XSS)
     - Injection Flaws
     - Malicious File Execution
     - Insecure Direct Object Reference
     - Cross Site Request Forgery (CSRF)
     - Information Leakage and Improper Error Handling
     - Broken Authentication and Session Management
     - Insecure Cryptographic Storage
     - Insecure Communications
     - Failure to Restrict URL Access
  3. Cross Site Scripting (XSS)
  4. Remedies
     - Validate input on the server side; client-side validation (JavaScript etc.) improves usability but is trivially bypassed and is not a security control
     - Encode untrusted data for the context it is written into (HTML body, attribute value, JavaScript, URL) at the point of output
     - Specify the character set explicitly (e.g. UTF-8 or ISO-8859-1) in the Content-Type header and the HTML meta charset, so the browser cannot be steered into a different encoding
     - Best practice: error reporting and server logs, so that injection attempts are visible afterwards
  5. Examples
     - Replace special characters with blanks ' ' (a blacklist filter; as shown on the slide it covers only a few characters and is easy to bypass):

           final String filterPattern = "[<>{};&]";
           String inputStr = s.replaceAll(filterPattern, " ");

     - Another: check that the input contains nothing but numeric characters, using a regular expression (a whitelist check):

           final String inputStr = request.getParameter("input");
           final String numericPattern = "^[0-9]+$";
           if (inputStr == null || !inputStr.matches(numericPattern)) {
               /* invalid input, do something with the error */
           }

     - Yet another: turn every character into its decimal numeric character reference (&#NN;), at a performance cost:

           public static String encode(String data) {
               final StringBuilder buf = new StringBuilder(data.length() * 6);
               final char[] chars = data.toCharArray();
               for (int i = 0; i < chars.length; i++) {
                   // "&#" + code unit + ";"; the trailing ';' terminates the reference
                   buf.append("&#").append((int) chars[i]).append(';');
               }
               return buf.toString();
           }

  6. Examples continued
     - Secure handling of exceptions thrown by server pages: map response codes and exception types to fixed error pages in web.xml, so the user never sees a stack trace:

           <!-- Maps the 404 Not Found response code to the error page /errPage404 -->
           <error-page>
               <error-code>404</error-code>
               <location>/errPage404</location>
           </error-page>
           <!-- Maps any thrown ServletException to the error page /errPageServ -->
           <error-page>
               <exception-type>javax.servlet.ServletException</exception-type>
               <location>/errPageServ</location>
           </error-page>
           <!-- Maps any other thrown exception to a generic error page /errPageGeneric -->
           <error-page>
               <exception-type>java.lang.Throwable</exception-type>
               <location>/errPageGeneric</location>
           </error-page>
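The following is an added example, not code from the slides: it shows why the "replace special characters with blanks" filter on slide 5 is not an XSS fix, and what context-aware output encoding looks like. The payload, the form field and the `htmlEncode` helper are constructed for the demonstration; it is plain Java and runs with `java XssEncodingDemo.java` on JDK 11 or later.

```java
import java.util.regex.Pattern;

/**
 * Added example: the slide's blacklist filter versus encoding at the point
 * of output, applied to a value written into an HTML attribute.
 */
public class XssEncodingDemo {

    // The slide's filter: strip a handful of characters on input.
    private static final Pattern FILTER = Pattern.compile("[<>{};&]");

    static String filterByBlanking(String s) {
        return FILTER.matcher(s).replaceAll(" ");
    }

    // Encode the characters that are significant in HTML text and in
    // double-quoted attribute values. Everything else is left alone, so the
    // output stays readable (unlike encoding every character as &#NN;).
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: input that passed the filter is written straight
    // into an attribute value.
    static String renderFiltered(String name) {
        return "<input type=\"text\" name=\"who\" value=\"" + filterByBlanking(name) + "\">";
    }

    // Hardened pattern: encode for the attribute context at the point of output.
    static String renderEncoded(String name) {
        return "<input type=\"text\" name=\"who\" value=\"" + htmlEncode(name) + "\">";
    }

    public static void main(String[] args) {
        // Constructed payload: it needs none of the characters the filter
        // removes. A double quote ends the attribute value, and the rest
        // becomes a new event-handler attribute on the same element.
        String payload = "\" autofocus onfocus=\"alert(document.cookie)";

        System.out.println("filter only  : " + renderFiltered(payload));
        System.out.println("encoded      : " + renderEncoded(payload));
    }
}
```

In the filtered rendering the browser sees an `onfocus` handler that runs as soon as the field receives focus; in the encoded rendering the quotes are `&quot;` and the whole payload is inert text inside the value. Encoding has to be chosen per context: this helper is right for HTML body and attribute values, but a value placed inside a `<script>` block or a URL needs JavaScript or URL encoding instead.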
  7. Injection Flaws
  8. Remedies
     - Input validation (whitelist the expected format; it is a second line of defence, not a substitute for the next point)
     - Parameterised queries: PreparedStatement in JDBC, named or positional parameters in Hibernate HQL and Criteria queries (an ORM does not help if user input is still concatenated into an HQL string)
     - Avoid building queries by string concatenation (java.sql.Statement with user input inside the SQL text)
     - For LDAP, escape the metacharacters in every value that is placed into a DN or a search filter (escapeDN and escapeLDAPSearchFilter below)
  9. Examples
     - Using PreparedStatement: the SQL text is fixed and each value travels as a typed parameter, so it can never change the query structure

           // Prepare a statement to insert a record
           String sql = "INSERT INTO my_table (columnName) VALUES(?)";
           try (PreparedStatement pstmt = connection.prepareStatement(sql)) {
               // Insert 10 rows
               for (int i = 0; i < 10; i++) {
                   // Set the value; a value containing quotes or ';' is still just data
                   pstmt.setString(1, "row " + i);
                   // Insert the row
                   pstmt.executeUpdate();
               }
           } catch (SQLException e) {
               // Never leave this block empty: log the failure and fail the request, or rethrow
               throw new RuntimeException("insert failed", e);
           }

  10. Examples continued
     - Escaping a value used in a Distinguished Name (DN):

           public static String escapeDN(String name) {
               StringBuilder sb = new StringBuilder(); // StringBuffer on the slide; StringBuilder from JDK 1.5 on
               if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#'))) {
                   sb.append('\\'); // add the leading backslash if needed
               }
               for (int i = 0; i < name.length(); i++) {
                   char curChar = name.charAt(i);
                   switch (curChar) {
                       case '\\': sb.append("\\\\"); break;
                       case ',':  sb.append("\\,");  break;
                       case '+':  sb.append("\\+");  break;
                       case '"':  sb.append("\\\""); break;
                       case '<':  sb.append("\\<");  break;
                       case '>':  sb.append("\\>");  break;
                       case ';':  sb.append("\\;");  break;
                       default:   sb.append(curChar);
                   }
               }
               if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' ')) {
                   sb.insert(sb.length() - 1, '\\'); // add the trailing backslash if needed
               }
               return sb.toString();
           }

  11. Examples continued
     - Escaping a value used in an LDAP search filter (the five special characters become backslash plus two hex digits, as RFC 4515 requires):

           public static final String escapeLDAPSearchFilter(String filter) {
               StringBuilder sb = new StringBuilder(); // StringBuffer on the slide; StringBuilder from JDK 1.5 on
               for (int i = 0; i < filter.length(); i++) {
                   char curChar = filter.charAt(i);
                   switch (curChar) {
                       case '\\':
                           sb.append("\\5c");
                           break;
                       case '*':
                           sb.append("\\2a");
                           break;
                       case '(':
                           sb.append("\\28");
                           break;
                       case ')':
                           sb.append("\\29");
                           break;
                       case '\u0000':
                           sb.append("\\00");
                           break;
                       default:
                           sb.append(curChar);
                   }
               }
               return sb.toString();
           }
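An added example (not from the slides) that puts the search-filter escaping to work: it builds the authentication filter an application typically sends to LDAP, once by concatenation and once with every user-controlled value escaped, and shows what the classic injection payload does to each. The filter template, the attribute names and the payload are constructed for the demonstration; `escapeFilterValue` is the slide's escapeLDAPSearchFilter logic written compactly. Plain Java, runs with `java LdapFilterDemo.java`.

```java
/**
 * Added example: LDAP filter injection versus RFC 4515 escaping.
 */
public class LdapFilterDemo {

    // Same rule as the slide's escapeLDAPSearchFilter(): the five filter
    // metacharacters become backslash + two hex digits.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable: raw concatenation of request parameters into the filter.
    static String vulnerableFilter(String user, String pass) {
        return "(&(uid=" + user + ")(userPassword=" + pass + "))";
    }

    // Hardened: every user-controlled value is escaped before it enters the filter.
    static String safeFilter(String user, String pass) {
        return "(&(uid=" + escapeFilterValue(user) + ")(userPassword=" + escapeFilterValue(pass) + "))";
    }

    // Structural check: a filter built from two escaped values must contain
    // exactly the parentheses the template had and no others.
    static int countParens(String filter) {
        int n = 0;
        for (char c : filter.toCharArray()) {
            if (c == '(' || c == ')') n++;
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed payload (the textbook one): it closes the uid clause and
        // opens an always-true clause. Many servers evaluate only the first
        // complete filter they parse, "(&(uid=*)(uid=*))", which matches every
        // entry, so the password is never compared.
        String user = "*)(uid=*))(|(uid=*";
        String pass = "anything";

        System.out.println("vulnerable : " + vulnerableFilter(user, pass));
        System.out.println("escaped    : " + safeFilter(user, pass));
        System.out.println("parentheses, template / escaped: "
                + countParens(vulnerableFilter("u", "p")) + " / " + countParens(safeFilter(user, pass)));
    }
}
```

With escaping, the payload's parentheses and asterisks arrive as `\28`, `\29` and `\2a`, so the server looks for a user literally named `*)(uid=*))(|(uid=*` and the filter keeps its six parentheses. Values that become part of a DN (a bind DN, for example) need escapeDN instead; the two character sets differ.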
  12. Malicious File Execution
  13. Remedies
     - Strongly validate any user input that selects a file or an include path; never pass it unchecked to include/forward, file-system or URL APIs
     - Add firewall rules that stop the application server from fetching files from arbitrary remote hosts
     - Check any user-supplied files or filenames (type, size and name, and that the resolved path stays inside the intended directory)
     - Consider running the application in a chroot jail or sandbox, so that a file which does get executed has little to reach
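An added example, not code from the slides, of the "check any user supplied files or filenames" remedy: a resolver that takes a user-supplied name and returns a real path only if it stays inside a base directory and has an extension the application serves. The base directory, the allowed extensions and the test inputs are constructed for the demonstration. Plain Java (JDK 11 or later), runs with `java SafeFileResolver.java`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

/**
 * Added example: validating a user-supplied filename against a base
 * directory before the application opens, includes or serves it.
 */
public class SafeFileResolver {

    // Assumed policy: the only file types this application hands out.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("txt", "pdf", "png");

    /** Returns the canonical path of userSupplied under baseDir, or throws.
     *  Rejects NUL bytes, remote locations, disallowed extensions, traversal
     *  ("../"), absolute paths, and symlinks that point outside the base. */
    static Path resolveUnderBase(Path baseDir, String userSupplied) throws IOException {
        if (userSupplied == null || userSupplied.isEmpty() || userSupplied.indexOf('\0') >= 0) {
            throw new IOException("empty or NUL-containing name");
        }
        if (userSupplied.contains("://")) {                     // "http://evil/shell.txt" style (remote file inclusion)
            throw new IOException("remote locations are not allowed");
        }
        String ext = userSupplied.substring(userSupplied.lastIndexOf('.') + 1).toLowerCase();
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IOException("extension not allowed: " + ext);
        }

        Path base = baseDir.toRealPath();                       // canonical base, symlinks resolved
        Path candidate = base.resolve(userSupplied).normalize(); // an absolute input replaces base here
        if (!candidate.startsWith(base)) {                      // "../" walked out of the base
            throw new IOException("path escapes base directory");
        }
        if (!Files.exists(candidate)) {
            throw new IOException("no such file");
        }
        Path real = candidate.toRealPath();                     // follow symlinks, then check again
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new IOException("resolved path escapes base directory or is not a regular file");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads");       // constructed sandbox directory
        Files.writeString(base.resolve("report.txt"), "quarterly numbers");

        String[] inputs = {
            "report.txt",                          // legitimate
            "../../../../../../etc/hosts.txt",     // traversal out of the base
            "/etc/passwd",                         // absolute path
            "http://attacker.example/shell.txt",   // remote file inclusion attempt
            "report.txt.jsp",                      // extension the application never serves
        };
        for (String in : inputs) {
            try {
                System.out.println(in + " -> OK: " + resolveUnderBase(base, in));
            } catch (IOException e) {
                System.out.println(in + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The check is done twice on purpose: `normalize()` catches `..` segments in the string, and `toRealPath()` catches a symlink inside the base that points outside it. Checking the extension before touching the file system keeps the resolver from probing paths on behalf of the attacker.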
  14. Insecure Direct Object Reference
  15. Remedies
     - Limit direct references (public access) to protected entities (objects): do not expose primary keys, file names or account numbers in parameters where it can be avoided
     - On every access, check that the caller is authorised for the referenced object, e.g. scope the lookup by the userID taken from the session, never from the request
     - Use indirect references (per-user index values mapped on the server to the real identifiers) so that the actual name or key cannot be manipulated
  16. Example
     - The lookup is scoped to the logged-in user from the session, so tampering with AccountNo cannot reach another user's account. The slide built the SQL by concatenation; the parameterised form costs nothing and is the deck's own injection remedy:

           int bankAccountNo = Integer.parseInt(request.getParameter("AccountNo"));   // NumberFormatException on non-numeric input: catch it and reject the request
           User user = (User) request.getSession().getAttribute("user");             // identity from the session, never from the request
           PreparedStatement pstmt = connection.prepareStatement("SELECT * FROM account_master WHERE ac_no = ? AND userID = ?");
           pstmt.setInt(1, bankAccountNo);
           pstmt.setObject(2, user.getID());                                           // the type of getID() is not shown on the slide
  17. Cross Site Request Forgery (CSRF / XSRF)
     - Also known as:
        - Session Riding
        - One-Click Attacks
        - Hostile Linking
        - Automation Attack
  18. Example
     - Countermeasures applications use, e.g.:
        - Ask for the current password before changing it to a new one (re-authentication for sensitive actions)
        - Do not trust hidden form fields as if the user could not change them; a forged request sets them freely
        - Use unpredictable cryptographic tokens bound to the session, carried in every state-changing form and checked on the server
  19. Remedies
     - Limit what a request may do on the strength of the session cookie alone: the browser attaches the cookie to a forged request automatically
     - Check the caller against a secret the forged request cannot carry, not against parameters the attacker can fill in (a userID or an index value is known or guessable)
     - Index values / indirect references for objects, as on slide 15, are still useful but do not stop CSRF by themselves
     - An unpredictable session ID (JSESSIONID in Java EE) is necessary but is not a CSRF defence on its own; the anti-CSRF token must be a separate per-session secret embedded in forms and verified on every state-changing request
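An added example (not from the slides) of the "use cryptographic tokens" remedy: the synchronizer-token pattern, with the token issued from a CSPRNG, kept in the session, embedded in the password-change form and compared in constant time on submission. A `Map` stands in for `HttpSession` attributes so that it runs offline with `java CsrfTokenDemo.java`; the attribute and parameter names are assumptions. In a servlet application the same two methods belong in a `javax.servlet.Filter` that runs before every POST.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: synchronizer-token CSRF protection.
 */
public class CsrfTokenDemo {

    static final String TOKEN_ATTR = "csrf.token";     // assumed session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    /** Issue (or reuse) the per-session secret. It goes into every
     *  state-changing form; a page on another origin cannot read it, so a
     *  forged cross-site request cannot include it. */
    static String issueToken(Map<String, Object> session) {
        String token = (String) session.get(TOKEN_ATTR);
        if (token == null) {
            byte[] raw = new byte[32];                  // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(TOKEN_ATTR, token);
        }
        return token;
    }

    /** Check the submitted token on every POST/PUT/DELETE. A missing token is
     *  rejected as well: the browser sent the session cookie automatically,
     *  but it could not have sent the token. */
    static boolean validateToken(Map<String, Object> session, String submitted) {
        String expected = (String) session.get(TOKEN_ATTR);
        if (expected == null || submitted == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);             // constant-time comparison
    }

    /** The form carries the token in a hidden field. That is fine: the value
     *  is a secret the attacker cannot learn. What slide 18 warns against is
     *  trusting a hidden field as if the user could not change it. */
    static String passwordChangeForm(Map<String, Object> session) {
        return "<form method=\"POST\" action=\"/changePassword\">"
             + "<input type=\"hidden\" name=\"csrfToken\" value=\"" + issueToken(session) + "\">"
             + "<input type=\"password\" name=\"current\">"
             + "<input type=\"password\" name=\"new\">"
             + "<input type=\"submit\"></form>";
    }

    public static void main(String[] args) {
        Map<String, Object> victimSession = new HashMap<>();   // constructed stand-in for HttpSession
        String legitToken = issueToken(victimSession);

        // Forged request from another origin: the cookie arrives, the token does not.
        System.out.println("forged, no token     -> accepted? " + validateToken(victimSession, null));
        // Forged request with a guessed token.
        System.out.println("forged, guessed      -> accepted? " + validateToken(victimSession, "AAAA"));
        // Legitimate submission carries the token the server issued to this session.
        System.out.println("legit, real token    -> accepted? " + validateToken(victimSession, legitToken));
        System.out.println(passwordChangeForm(victimSession));
    }
}
```

The base64url alphabet has no HTML-significant characters, which is why the token can be written into the `value` attribute as-is; any other session-derived value would still need the output encoding from the XSS section. Note also the ordering dependency between the two topics: a page with an XSS hole lets the attacker read the token, so CSRF protection only holds once XSS is fixed.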
  20. Information Leakage and Improper Error Handling
  21. Remedies
     - Exception handling with a simplified message on the user end (and only where the user needs one) is the key: no stack traces, SQL errors, file paths or version strings in responses; the detail goes to the server log
     - Define error pages at the application server level, e.g. for the 40x client-error codes (the web.xml error-page mapping under slide 6)
  22. Broken Authentication and Session Management
  23. Example
     - On logout, invalidate the server-side session (the slide's Session.invalidate()):

           HttpSession session = request.getSession(false);   // false: do not create a session just to destroy it
           if (session != null) session.invalidate();         // server-side state is gone; the browser's cookie is now meaningless

  24. Remedies
     - Proper session management
        - Use the application server's built-in mechanism (HttpSession / JSESSIONID); do not write your own session IDs or cookies
     - Session timeout after a fixed idle period (session-timeout in web.xml or setMaxInactiveInterval)
     - Destruction of the session on logout and on timeout
     - No session details in logs or in the URL (disable URL rewriting so that ;jsessionid= never appears in links, referers or proxy logs)
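An added example, not from the slides, of the login and logout halves of session handling in a servlet. Logout does what slide 23 shows and additionally expires the cookie in the browser; login goes one step beyond the slide and starts a fresh session after authentication, so that a session ID planted before login (session fixation) is never promoted to an authenticated one. It assumes the Servlet API (javax.servlet, 3.0 or later) on the classpath and a container such as Tomcat; `authenticate()` is a placeholder for the application's own credential check, and the URL paths and timeout are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: session creation on login, destruction on logout.
 * Map it to /login (POST) and /logout (GET) in web.xml or with @WebServlet.
 */
public class SessionLifecycleServlet extends HttpServlet {

    static final int IDLE_TIMEOUT_SECONDS = 15 * 60;   // assumed policy: 15 minutes idle

    // Placeholder: replace with the real credential check.
    private boolean authenticate(String user, String password) {
        return user != null && password != null && !user.isEmpty() && !password.isEmpty();
    }

    /** POST /login: verify credentials, then start a new session so the
     *  pre-login session ID is not carried into the authenticated state. */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("user");
        String password = request.getParameter("password");

        if (!authenticate(user, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);   // same generic answer for bad user and bad password
            return;
        }

        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();                      // drop any pre-login session and its ID
        }
        // On Servlet 3.1+ request.changeSessionId() rotates the ID while keeping attributes.
        HttpSession session = request.getSession(true);   // container issues a fresh JSESSIONID
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        session.setAttribute("user", user);        // only the identity, never the password

        response.sendRedirect(request.getContextPath() + "/home");
    }

    /** GET /logout: destroy the server-side session and expire the cookie in
     *  the browser. The slide's Session.invalidate() is the first step. */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        Cookie cookie = new Cookie("JSESSIONID", "");
        cookie.setMaxAge(0);                       // tells the browser to delete it
        cookie.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
        cookie.setHttpOnly(true);
        cookie.setSecure(request.isSecure());
        response.addCookie(cookie);

        response.sendRedirect(request.getContextPath() + "/login");
    }
}
```

Logout should be a POST in a real application (a GET logout link can itself be triggered cross-site); it is a GET here only to keep the example short. Expiring the cookie is courtesy to the browser, not a security control: the invalidation on the server is what makes a stolen JSESSIONID useless after logout.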
  25. Insecure Cryptographic Storage
  26. Remedies
     - A genuinely secure encryption algorithm, in an appropriate mode and with an adequate key length (e.g. AES-256)
     - Ensure that every sensitive piece of information is encrypted (find all of it first: backups, logs and caches included)
     - Use publicly approved algorithms instead of home-grown ones
     - Store private keys in an extremely secure location (offline, or in a key store / HSM), never in source code or next to the data they protect
     - Ensure encrypted data cannot be decrypted without the key: no hard-coded keys, no reused IVs, and an authenticated mode so that tampering is detected
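An added example, not from the slides, that turns the remedies above into code: a sensitive field stored with a publicly vetted algorithm from the JDK (AES-256 in GCM mode), a fresh random nonce per record, the key supplied from outside the code and the database, and a tamper check that an unauthenticated mode cannot give. The environment variable name, the sample value and the column layout are assumptions. Plain Java, runs with `java SensitiveFieldCrypto.java`.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example: AES-256-GCM for a sensitive database field.
 */
public class SensitiveFieldCrypto {

    private static final int NONCE_BYTES = 12;      // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;        // authentication tag length
    private static final SecureRandom RNG = new SecureRandom();

    /** In production the key comes from a KeyStore, HSM or secrets manager.
     *  Here an assumed environment variable holds it base64-encoded, and a
     *  throwaway key is generated when it is absent so the demo runs offline. */
    static SecretKey loadKey() throws GeneralSecurityException {
        String b64 = System.getenv("ACCOUNT_FIELD_KEY");          // assumed variable name
        if (b64 != null) {
            byte[] raw = Base64.getDecoder().decode(b64);
            if (raw.length != 32) throw new GeneralSecurityException("expected a 256-bit key");
            return new SecretKeySpec(raw, "AES");
        }
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    /** Stored layout: nonce || ciphertext || tag, base64 for a VARCHAR column. */
    static String encrypt(SecretKey key, String plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);                                       // never reuse a nonce under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(
                ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array());
    }

    /** Fails with AEADBadTagException if the stored value was modified. */
    static String decrypt(SecretKey key, String stored) throws GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(stored);
        byte[] nonce = Arrays.copyOfRange(blob, 0, NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, NONCE_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecretKey key = loadKey();
        String stored = encrypt(key, "4111-1111-1111-1111");      // constructed sample value
        System.out.println("stored : " + stored);
        System.out.println("read   : " + decrypt(key, stored));

        // Flip one bit of the stored value: decrypt must throw, not return garbage.
        byte[] blob = Base64.getDecoder().decode(stored);
        blob[blob.length - 1] ^= 0x01;
        try {
            decrypt(key, Base64.getEncoder().encodeToString(blob));
            System.out.println("tamper : NOT detected (bug)");
        } catch (GeneralSecurityException e) {
            System.out.println("tamper : detected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Two things this deliberately does not do: it does not derive the key from a password in the code, and it does not store the key alongside the ciphertext. If the field is a password rather than data the application must read back, it should not be encrypted at all but hashed with a salted, slow password hash.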
  27. Insecure Communications
  28. Remedies
     - Use strong transport encryption (TLS, historically called SSL) whenever important data is sent over the network, and verify the server certificate
     - Encryption of sensitive data at the message level where transport security ends before the data reaches its destination
     - Ensure that communication between infrastructure elements (e.g. application server and DB, LDAP or mail server) also uses transport layer security or protocol-level encryption, not only the browser-facing leg
  29. Failure to Restrict URL Access
  30. Remedies
     - An access control matrix: which role may reach which URL, enforced centrally (a security-constraint in web.xml or a filter), not page by page
     - No read access for unauthorised users, administrative pages included
     - Assuming that a hidden URL stays known only to the users it is meant for is wrong; URLs leak through logs, referers, browser history and guessing
     - Keep include / header files out of the public scope, i.e. outside the web root (under WEB-INF in Java EE)
     - Block access to file types the application does not serve (backups, configuration, source), at the server level