SlideShare a Scribd company logo

OWASP_Top_10_Introduction_and_Remedies_2017.ppt

Download as PPT, PDF
J
jangomanso

OWASP_Top_10_Introduction_and_Remedies_2017

Engineering
1 of 56
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OWASP Top 10 Introduction & Remedies Module (to be combined) Education Project
OWASP 2 Introduction
OWASP 3 OWASP Top 10 The Ten Most Critical Web Application Security Vulnerabilities 2007 Release A great start, but not a standard
OWASP 4 OWASP Top 10 2007 1. Cross Site Scripting (XSS) 2. Injection Flaws 3. Insecure Remote File Include 4. Insecure Direct Object Reference 5. Cross Site Request Forgery (CSRF) 6. Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access http://www.owasp.org/index.php/Top_10
OWASP 5 Top 10 Methodology Take the MITRE Vulnerability Trends for 2006, and distill the Top 10 web application security issues
OWASP 6 OWASP Top 10 2007 OWASP Top 10 2004 MITRE 2006 Raw Ranking 1. Cross Site Scripting (XSS) 4. Cross Site Scripting (XSS) 1 2. Injection Flaws 6. Injection Flaws 2 3. Insecure Remote File Include (NEW) 3 4. Insecure Direct Object Reference 2. Broken Access Control (split in 2007 T10) 5 5. Cross Site Request Forgery (CSRF) (NEW) 36 6. Info Leakage and Improper Error Handling 7. Improper Error Handling 6 7. Broken Auth. and Session Management 3. Broken Authentication and Session Management 14 8. Insecure Cryptographic Storage 8. Insecure Storage 8 9. Insecure Communications (NEW) Discussed under 10 8 10. Failure to Restrict URL Access 2. Broken Access Control (split in 2007 T10) 14 1. Unvalidated Input 7 5. Buffer Overflows 4, 8, and 10 9. Denial of Service 17 10. Insecure Configuration Management 29 Top 10 Mapping
OWASP 7 Cross Site Scripting (XSS)
OWASP 8 1. Cross-Site Scripting (XSS) Description Most prevalent web application security issue Allows attackers to execute script in the victim’s browser Affected Environments All web application frameworks are vulnerable to cross site scripting
OWASP 9 1. Cross-Site Scripting (XSS) Vulnerabilities Three types:  Reflected  Stored  DOM injection Attacks are normally implemented in JavaScript or direct manipulation of request objects
OWASP 10 1. Cross-Site Scripting (XSS) Verifying Security All input parameters are validated and/or encoded Code Reviews are useful to detect Centralized validation and encoding mechanism Protection Combination of whitelist validation of all incoming data and appropriate encoding of all output data
OWASP 11 1. Cross-Site Scripting (XSS)  References  OWASP – Cross site scripting, http://www.owasp.org/index.php/Cross_Site_Scripting  OWASP – Testing for XSS, http://www.owasp.org/index.php/Testing_for_Cross_site_scripting  OWASP Stinger Project (A Java EE validation filter) – http://www.owasp.org/index.php/Category:OWASP_Stinger_Project  OWASP PHP Filter Project - http://www.owasp.org/index.php/OWASP_PHP_Filters  OWASP Encoding Project - http://www.owasp.org/index.php/Category:OWASP_Encoding_Project  RSnake, XSS Cheat Sheet, http://ha.ckers.org/xss.html  Klein, A., DOM Based Cross Site Scripting, http://www.webappsec.org/projects/articles/071105.shtml  .NET Anti-XSS Library - http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff- 4f82-bfaf-e11625130c25&DisplayLang=en  Wikipedia Definition – http://en.wikipedia.org/wiki/Cross-site_scripting
OWASP 12 Injection Flaws
OWASP 13 2. Injection Flaws Description Injection occurs when user-supplied data is sent to an interpreter as part of a command or query SQL injection is the most common Affected Environments All web application frameworks that use interpreters are vulnerable to injection attacks.
OWASP 14 2. Injection Flaws Vulnerabilities If user input is passed into an interpreter without validation or encoding, the application is vulnerable. Check to see if user input is supplied directly to dynamic queries
OWASP 15 2. Injection Flaws Verifying Security Verify that the user can not modify commands or queries sent to any interpreter used by the application Code Reviews are useful to detect Protection Avoid interpreters where possible Enforce least privilege Stored procedures are susceptible too User input validation
OWASP 16 2. Injection Flaws  References  OWASP, http://www.owasp.org/index.php/SQL_Injection  OWASP, http://www.owasp.org/index.php/Guide_to_SQL_Injection  OWASP, http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection  OWASP, http://www.owasp.org/index.php/Testing_for_SQL_Injection  SQL Injection, http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf  Advanced SQL Injection, http://www.ngssoftware.com/papers/advanced_sql_injection.pdf  More Advanced SQL Injection, http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf  Hibernate, an advanced object relational manager (ORM) for J2EE and .NET, http://www.hibernate.org/  J2EE Prepared Statements, http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html  How to: Protect from SQL injection in ASP.Net, http://msdn2.microsoft.com/en-us/library/ms998271.aspx  PHP PDO functions, http://php.net/pdo
OWASP 17 Insecure Remote File Include
OWASP 18 3. Malicious File Injection Description Allows attackers to perform remote code execution etc by compromising input files or streams; commonly caused by improperly trusting input files Affected Environments All web application frameworks that allow uploaded files to be executed are vulnerable Environments are susceptible if they allow file upload into web directories.
OWASP 19 3. Malicious File Injection Vulnerabilities Hostile data being uploaded to session files or log data PHP is most common, other technologies are accessible too  Java and .Net  Hostile DTD in XML Documents
OWASP 20 3. Malicious File Injection Verifying Security Code Reviews are useful to detect Automated tools are useful Protection Do not allow a user defined file name to supply server-based resources Properly configured and implemented security protocols User input validation
OWASP 21 3. Malicious File Injection  References  OWASP Guide, http://www.owasp.org/index.php/File_System#Includes_and_Remote_files  OWASP Testing Guide, http://www.owasp.org/index.php/Testing_for_Directory_Traversal  OWASP PHP Top 5, http://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Execution  Stefan Esser, http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html  [SIF01] Sift Networks, Web Services: Teaching an old dog new tricks, http://www.ruxcon.org.au/files/2006/web_services_security.ppt  http://www.owasp.org/index.php/OWASP_Java_Table_of_Contents#Defining_a_J ava_Security_Policy  Microsoft - Programming for Partial Trust, http://msdn2.microsoft.com/en- us/library/ms364059(VS.80).aspx
OWASP 22 Insecure Direct Object Reference
OWASP 23 4. Insecure Direct Object Reference Description Occurs when a developer exposes an invalidated reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter Affected Environments All web application frameworks are vulnerable to attacks on insecure direct object references
OWASP 24 4. Insecure Direct Object Reference Vulnerabilities Exposed internal object references Attackers use parameter tampering to change references and violate the intended but unenforced access control policy References to database keys are frequently exposed
OWASP 25 4. Insecure Direct Object Reference Verifying Security Remove any direct object references that can be manipulated by an attacker Difficult for both automated and manual approaches Protection Best protection is to avoid exposing direct object references to users Verify authorization to all referenced objects
OWASP 26 4. Insecure Direct Object Reference References  OWASP, http://www.owasp.org/index.php/Testing_for_business_logic  OWASP, http://www.owasp.org/index.php/Testing_for_Directory_Traversal  OWASP, http://www.owasp.org/index.php/Category:Access_Control_Vulnerability
OWASP 27 Cross Site Request Forgery (CSRF)
OWASP 28 5. Cross Site Request Forgery (CSRF) Description An attack that tricks the victim into loading a page that contains a malicious request. Also known as Session Riding, One-Click Attacks, Cross Site Reference Forgery, Hostile Linking, and Automation Attack Affected Environments All web application frameworks are vulnerable to CSRF.
OWASP 29 5. Cross Site Request Forgery (CSRF) Vulnerabilities In a forum, the attack may direct the user to invoke a logout function  Can be combined with XSS
OWASP 30 5. Cross Site Request Forgery (CSRF) Verifying Security Use an authorization token that is not automatically submitted by browser Protection Eliminate any XSS vulnerabilities in your application Add a per-request nonce to URL and all forms in addition to the standard session; if it is not built into your web app framework. Require additional login screens for sensitive data Do not use GET requests for sensitive data
OWASP 31 5. Cross Site Request Forgery (CSRF)  References  OWASP CSRF, http://www.owasp.org/index.php/Cross- Site_Request_Forgery  OWASP, https://www.owasp.org/index.php/Testing_for_CSRF  OWASP CSRF Guard, http://www.owasp.org/index.php/CSRF_Guard  OWASP PHP CSRF Guard, http://www.owasp.org/index.php/PHP_CSRF_Guard  RSnake, "What is CSRF?", http://ha.ckers.org/blog/20061030/what-is- csrf/  Microsoft, ViewStateUserKey details, http://msdn2.microsoft.com/en- us/library/ms972969.aspx#securitybarriers_topic2
OWASP 32 Information Leakage and Improper Error Handling
OWASP 33 6. Information Leakage and Improper Error Handling Description Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems Affected Environments All web application frameworks are vulnerable to information leakage and improper error handling.
OWASP 34 6. Information Leakage and Improper Error Handling Vulnerabilities Error message with too much detail  Stack Traces  SQL Statements Improper logging of detailed messages
OWASP 35 6. Information Leakage and Improper Error Handling Verifying Security The goal is for the application to not leak detailed error messages Automated and Manual approaches are useful, but automated can not properly determine the meaning of the message and manual is time consuming Protection Use testing to generate error messages and perform ongoing evaluations in development Disable or limit detailed error handling
OWASP 36 6. Information Leakage and Improper Error Handling References  OWASP http://www.owasp.org/index.php/Error_Handling  OWASP http://www.owasp.org/index.php/Category:Sensitive_Data_Protection_ Vulnerability
OWASP 37 Broken Authentication and Session Management
OWASP 38 7. Broken Authentication and Session Management Description Flaws in authentication and session management most frequently involve the failure to protect credentials and session tokens through their lifecycle. Affected Environments All web application frameworks are vulnerable to authentication and session management flaws
OWASP 39 7. Broken Authentication and Session Management Vulnerabilities Flaws in main authentication mechanism Password management Session Timeout
OWASP 40 7. Broken Authentication and Session Management  Verifying Security  Application should properly authenticate users and protect their credentials  Automated tool have difficulty  Combination of Code Reviews and Testing are effective  Protection  Maintain secure communication and credential storage  Use single authentication mechanism where applicable  Create a new session upon authentication  Ensure the logout link destroys all pertinent data  Do not expose any credentials in URL or logs
OWASP 41 7. Broken Authentication and Session Management References  OWASP, http://www.owasp.org/index.php/Guide_to_Authentication  OWASP, http://www.owasp.org/index.php/Reviewing_Code_for_Authentication  OWASP, http://www.owasp.org/index.php/Testing_for_authentication
OWASP 42 Insecure Cryptographic Storage
OWASP 43 8. Insecure Cryptographic Storage Description Simply failing to encrypt sensitive data is very widespread. Applications that do encrypt frequently contain poorly designed cryptography, either using inappropriate ciphers or making serious mistakes using strong ciphers. Affected Environments All web application frameworks are vulnerable to insecure cryptographic storage.
OWASP 44 8. Insecure Cryptographic Storage Vulnerabilities Not encrypting sensitive data Using home grown algorithms Insecure use of strong algorithms Continued use of proven weak algorithms (MD5, SHA- 1, RC3, RC4, etc…) Hard coding keys, and storing keys in unprotected stores
OWASP 45 8. Insecure Cryptographic Storage Verifying Security Verify that the application properly encrypts sensitive information in storage Automated vulnerability tools are not effective Code Review is the best way to verify that an application encrypts sensitive data Protection Use only approved public algorithms Check to make sure all sensitive data is being encrypted
OWASP 46 8. Insecure Cryptographic Storage  References  OWASP, http://www.owasp.org/index.php/Cryptography  OWASP, http://www.owasp.org/index.php/Guide_to_Cryptography  OWASP, http://www.owasp.org/index.php/Insecure_Storage  OWASP, http://www.owasp.org/index.php/How_to_protect_sensitive_data_in_U RL’s  PCI Data Security Standard v1.1, https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf  Bruce Schneier, http://www.schneier.com/  CryptoAPI Next Generation, http://msdn2.microsoft.com/en- us/library/aa376210.aspx
OWASP 47 Insecure Communications
OWASP 48 9. Insecure Communications Description Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications SSL must be used for all authenticated connections Affected Environments All web application frameworks are vulnerable to insecure communications.
OWASP 49 9. Insecure Communications Vulnerabilities Network sniffing All authenticated traffic needs to go over SSL because HTTP includes authentication credentials or a session token with every single request; not just the actual login request Always use SSL with sensitive data
OWASP 50 9. Insecure Communications Verifying Security Verify that the application properly encrypts all authenticated and sensitive communications Vulnerability scanning tools can verify that SSL is used on the front end, and can find many SSL related flaws Code review is quite efficient for verifying the proper use of SSL for all backend connections Protection Always use SSL with sensitive data
OWASP 51 9. Insecure Communications  References  OWASP Testing Guide, Testing for SSL / TLS, https://www.owasp.org/index.php/Testing_for_SSL-TLS  OWASP Guide, http://www.owasp.org/index.php/Guide_to_Cryptography  Foundstone - SSL Digger, http://www.foundstone.com/index.htm?subnav=services/navigation.ht m&subcontent=/services/overview_s3i_des.htm  NIST, SP 800-52 Guidelines for the selection and use of transport layer security (TLS) Implementations, http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf  NIST SP 800-95 Guide to secure web services, http://csrc.nist.gov/publications/drafts.html#sp800-95
OWASP 52 Failure to Restrict URL Access
OWASP 53 10. Failure to Restrict URL Access Description Relying on security by obscurity to restrict URL access Not using access control checks for URLs Affected Environments All web application frameworks are vulnerable to failure to restrict URL access
OWASP 54 10. Failure to Restrict URL Access Vulnerabilities Forced browsing “Hidden” URLs and files Outdated security mechanism Evaluating privileges only on the client
OWASP 55 10. Failure to Restrict URL Access Verifying Security Verify that access control is enforced consistently for all URLs in the application Automated tools have difficulty verifying URL access control Combination of Code Reviews and Testing are effective Protection Properly architecting and implementing roles for URL access Ensure all URLs are part of this process Do not use “hidden” URLs
OWASP 56 10. Failure to Restrict URL Access References  OWASP, http://www.owasp.org/index.php/Testing_for_Directory_Traversal  OWASP, http://www.owasp.org/index.php/Forced_browsing  OWASP, http://www.owasp.org/index.php/Guide_to_Authorization

Recommended

OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010Tommy Tracx Xaypanya
 
OWASP -Top 5 Jagjit
OWASP -Top 5 JagjitOWASP -Top 5 Jagjit
OWASP -Top 5 JagjitJagjit Singh Brar
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10Aravindharamanan S
 
Owasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationOwasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationIslam Azeddine Mennouchi
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Vaibhav Gupta
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Cybersecurity Education and Research Centre
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Braindev Kyiv
 

Recommended

OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010Tommy Tracx Xaypanya
 
OWASP -Top 5 Jagjit
OWASP -Top 5 JagjitOWASP -Top 5 Jagjit
OWASP -Top 5 JagjitJagjit Singh Brar
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10Aravindharamanan S
 
Owasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationOwasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationIslam Azeddine Mennouchi
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Vaibhav Gupta
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Cybersecurity Education and Research Centre
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Braindev Kyiv
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.pptOmprakashVerma56
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryNikola Milosevic
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE Magno Logan
 
Cyber ppt
Cyber pptCyber ppt
Cyber pptkarthik menon
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationNikola Milosevic
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security toolsNico Penaredondo
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10Shivam Porwal
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...Neil Matatall
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISNull Bhubaneswar
 
supraja technologies material for secure coding
supraja technologies material for secure codingsupraja technologies material for secure coding
supraja technologies material for secure codingSri Latha
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
 
Owasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciOwasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciMatteo Meucci
 
2022 APIsecure_Secure your APIs with WAF in AWS
2022 APIsecure_Secure your APIs with WAF in AWS2022 APIsecure_Secure your APIs with WAF in AWS
2022 APIsecure_Secure your APIs with WAF in AWSAPIsecure_ Official
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap ItManjyot Singh
 
Security testing zap it
Security testing zap itSecurity testing zap it
Security testing zap itvodqancr
 
Owasp top 10 Vulnerabilities by cyberops infosec
Owasp top 10 Vulnerabilities by cyberops infosecOwasp top 10 Vulnerabilities by cyberops infosec
Owasp top 10 Vulnerabilities by cyberops infosecCyberops Infosec LLP
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 

More Related Content

Similar to OWASP_Top_10_Introduction_and_Remedies_2017.ppt

OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryNikola Milosevic
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE Magno Logan
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationNikola Milosevic
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security toolsNico Penaredondo
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...Neil Matatall
 
supraja technologies material for secure coding
supraja technologies material for secure codingsupraja technologies material for secure coding
supraja technologies material for secure codingSri Latha
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
 
Owasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciOwasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciMatteo Meucci
 
2022 APIsecure_Secure your APIs with WAF in AWS
2022 APIsecure_Secure your APIs with WAF in AWS2022 APIsecure_Secure your APIs with WAF in AWS
2022 APIsecure_Secure your APIs with WAF in AWSAPIsecure_ Official
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap ItManjyot Singh
 
Security testing zap it
Security testing zap itSecurity testing zap it
Security testing zap itvodqancr
 
Owasp top 10 Vulnerabilities by cyberops infosec
Owasp top 10 Vulnerabilities by cyberops infosecOwasp top 10 Vulnerabilities by cyberops infosec
Owasp top 10 Vulnerabilities by cyberops infosecCyberops Infosec LLP
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 

Similar to OWASP_Top_10_Introduction_and_Remedies_2017.ppt (20)

WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security tools
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
 
supraja technologies material for secure coding
supraja technologies material for secure codingsupraja technologies material for secure coding
supraja technologies material for secure coding
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
Owasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciOwasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo Meucci
 
2022 APIsecure_Secure your APIs with WAF in AWS
2022 APIsecure_Secure your APIs with WAF in AWS2022 APIsecure_Secure your APIs with WAF in AWS
2022 APIsecure_Secure your APIs with WAF in AWS
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap It
 
Security testing zap it
Security testing zap itSecurity testing zap it
Security testing zap it
 
Owasp top 10 Vulnerabilities by cyberops infosec
Owasp top 10 Vulnerabilities by cyberops infosecOwasp top 10 Vulnerabilities by cyberops infosec
Owasp top 10 Vulnerabilities by cyberops infosec
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 

Recently uploaded

Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
microprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingmicroprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingjaychoudhary37
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineeringmalavadedarshan25
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerAnamika Sarkar
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxDeepakSakkari2
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxPoojaBan
 

Recently uploaded (20)

Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
microprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingmicroprocessor 8085 and its interfacing
microprocessor 8085 and its interfacing
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineering
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 

OWASP_Top_10_Introduction_and_Remedies_2017.ppt

  • 1. Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OWASP Top 10 Introduction & Remedies Module (to be combined) Education Project
  • 3. OWASP 3 OWASP Top 10 The Ten Most Critical Web Application Security Vulnerabilities 2007 Release A great start, but not a standard
  • 4. OWASP 4 OWASP Top 10 2007 1. Cross Site Scripting (XSS) 2. Injection Flaws 3. Insecure Remote File Include 4. Insecure Direct Object Reference 5. Cross Site Request Forgery (CSRF) 6. Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access http://www.owasp.org/index.php/Top_10
  • 5. OWASP 5 Top 10 Methodology Take the MITRE Vulnerability Trends for 2006, and distill the Top 10 web application security issues
  • 6. OWASP 6 OWASP Top 10 2007 OWASP Top 10 2004 MITRE 2006 Raw Ranking 1. Cross Site Scripting (XSS) 4. Cross Site Scripting (XSS) 1 2. Injection Flaws 6. Injection Flaws 2 3. Insecure Remote File Include (NEW) 3 4. Insecure Direct Object Reference 2. Broken Access Control (split in 2007 T10) 5 5. Cross Site Request Forgery (CSRF) (NEW) 36 6. Info Leakage and Improper Error Handling 7. Improper Error Handling 6 7. Broken Auth. and Session Management 3. Broken Authentication and Session Management 14 8. Insecure Cryptographic Storage 8. Insecure Storage 8 9. Insecure Communications (NEW) Discussed under 10 8 10. Failure to Restrict URL Access 2. Broken Access Control (split in 2007 T10) 14 1. Unvalidated Input 7 5. Buffer Overflows 4, 8, and 10 9. Denial of Service 17 10. Insecure Configuration Management 29 Top 10 Mapping
  • 7. OWASP 7 Cross Site Scripting (XSS)
  • 8. OWASP 8 1. Cross-Site Scripting (XSS) Description Most prevalent web application security issue Allows attackers to execute script in the victim’s browser Affected Environments All web application frameworks are vulnerable to cross site scripting
  • 9. OWASP 9 1. Cross-Site Scripting (XSS) Vulnerabilities Three types:  Reflected  Stored  DOM injection Attacks are normally implemented in JavaScript or direct manipulation of request objects
  • 10. OWASP 10 1. Cross-Site Scripting (XSS) Verifying Security All input parameters are validated and/or encoded Code Reviews are useful to detect Centralized validation and encoding mechanism Protection Combination of whitelist validation of all incoming data and appropriate encoding of all output data
  • 11. OWASP 11 1. Cross-Site Scripting (XSS)  References  OWASP – Cross site scripting, http://www.owasp.org/index.php/Cross_Site_Scripting  OWASP – Testing for XSS, http://www.owasp.org/index.php/Testing_for_Cross_site_scripting  OWASP Stinger Project (A Java EE validation filter) – http://www.owasp.org/index.php/Category:OWASP_Stinger_Project  OWASP PHP Filter Project - http://www.owasp.org/index.php/OWASP_PHP_Filters  OWASP Encoding Project - http://www.owasp.org/index.php/Category:OWASP_Encoding_Project  RSnake, XSS Cheat Sheet, http://ha.ckers.org/xss.html  Klein, A., DOM Based Cross Site Scripting, http://www.webappsec.org/projects/articles/071105.shtml  .NET Anti-XSS Library - http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff- 4f82-bfaf-e11625130c25&DisplayLang=en  Wikipedia Definition – http://en.wikipedia.org/wiki/Cross-site_scripting
  • 13. OWASP 13 2. Injection Flaws Description Injection occurs when user-supplied data is sent to an interpreter as part of a command or query SQL injection is the most common Affected Environments All web application frameworks that use interpreters are vulnerable to injection attacks.
  • 14. OWASP 14 2. Injection Flaws Vulnerabilities If user input is passed into an interpreter without validation or encoding, the application is vulnerable. Check to see if user input is supplied directly to dynamic queries
  • 15. OWASP 15 2. Injection Flaws Verifying Security Verify that the user can not modify commands or queries sent to any interpreter used by the application Code Reviews are useful to detect Protection Avoid interpreters where possible Enforce least privilege Stored procedures are susceptible too User input validation
  • 16. OWASP 16 2. Injection Flaws  References  OWASP, http://www.owasp.org/index.php/SQL_Injection  OWASP, http://www.owasp.org/index.php/Guide_to_SQL_Injection  OWASP, http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection  OWASP, http://www.owasp.org/index.php/Testing_for_SQL_Injection  SQL Injection, http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf  Advanced SQL Injection, http://www.ngssoftware.com/papers/advanced_sql_injection.pdf  More Advanced SQL Injection, http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf  Hibernate, an advanced object relational manager (ORM) for J2EE and .NET, http://www.hibernate.org/  J2EE Prepared Statements, http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html  How to: Protect from SQL injection in ASP.Net, http://msdn2.microsoft.com/en-us/library/ms998271.aspx  PHP PDO functions, http://php.net/pdo
  • 17. OWASP 17 Insecure Remote File Include
  • 18. OWASP 18 3. Malicious File Injection Description Allows attackers to perform remote code execution etc by compromising input files or streams; commonly caused by improperly trusting input files Affected Environments All web application frameworks that allow uploaded files to be executed are vulnerable Environments are susceptible if they allow file upload into web directories.
  • 19. OWASP 19 3. Malicious File Injection Vulnerabilities Hostile data being uploaded to session files or log data PHP is most common, other technologies are accessible too  Java and .Net  Hostile DTD in XML Documents
  • 20. OWASP 20 3. Malicious File Injection Verifying Security Code Reviews are useful to detect Automated tools are useful Protection Do not allow a user defined file name to supply server-based resources Properly configured and implemented security protocols User input validation
  • 21. OWASP 21 3. Malicious File Injection  References  OWASP Guide, http://www.owasp.org/index.php/File_System#Includes_and_Remote_files  OWASP Testing Guide, http://www.owasp.org/index.php/Testing_for_Directory_Traversal  OWASP PHP Top 5, http://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Execution  Stefan Esser, http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html  [SIF01] Sift Networks, Web Services: Teaching an old dog new tricks, http://www.ruxcon.org.au/files/2006/web_services_security.ppt  http://www.owasp.org/index.php/OWASP_Java_Table_of_Contents#Defining_a_J ava_Security_Policy  Microsoft - Programming for Partial Trust, http://msdn2.microsoft.com/en- us/library/ms364059(VS.80).aspx
  • 22. OWASP 22 Insecure Direct Object Reference
  • 23. OWASP 23 4. Insecure Direct Object Reference Description Occurs when a developer exposes an invalidated reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter Affected Environments All web application frameworks are vulnerable to attacks on insecure direct object references
  • 24. OWASP 24 4. Insecure Direct Object Reference Vulnerabilities Exposed internal object references Attackers use parameter tampering to change references and violate the intended but unenforced access control policy References to database keys are frequently exposed
  • 25. OWASP 25 4. Insecure Direct Object Reference Verifying Security Remove any direct object references that can be manipulated by an attacker Difficult for both automated and manual approaches Protection Best protection is to avoid exposing direct object references to users Verify authorization to all referenced objects
  • 26. OWASP 26 4. Insecure Direct Object Reference References  OWASP, http://www.owasp.org/index.php/Testing_for_business_logic  OWASP, http://www.owasp.org/index.php/Testing_for_Directory_Traversal  OWASP, http://www.owasp.org/index.php/Category:Access_Control_Vulnerability
  • 27. OWASP 27 Cross Site Request Forgery (CSRF)
  • 28. OWASP 28 5. Cross Site Request Forgery (CSRF) Description An attack that tricks the victim into loading a page that contains a malicious request. Also known as Session Riding, One-Click Attacks, Cross Site Reference Forgery, Hostile Linking, and Automation Attack Affected Environments All web application frameworks are vulnerable to CSRF.
  • 29. OWASP 29 5. Cross Site Request Forgery (CSRF) Vulnerabilities In a forum, the attack may direct the user to invoke a logout function  Can be combined with XSS
  • 30. OWASP 30 5. Cross Site Request Forgery (CSRF) Verifying Security Use an authorization token that is not automatically submitted by browser Protection Eliminate any XSS vulnerabilities in your application Add a per-request nonce to URL and all forms in addition to the standard session; if it is not built into your web app framework. Require additional login screens for sensitive data Do not use GET requests for sensitive data
  • 31. OWASP 31 5. Cross Site Request Forgery (CSRF)  References  OWASP CSRF, http://www.owasp.org/index.php/Cross- Site_Request_Forgery  OWASP, https://www.owasp.org/index.php/Testing_for_CSRF  OWASP CSRF Guard, http://www.owasp.org/index.php/CSRF_Guard  OWASP PHP CSRF Guard, http://www.owasp.org/index.php/PHP_CSRF_Guard  RSnake, "What is CSRF?", http://ha.ckers.org/blog/20061030/what-is- csrf/  Microsoft, ViewStateUserKey details, http://msdn2.microsoft.com/en- us/library/ms972969.aspx#securitybarriers_topic2
  • 32. OWASP 32 Information Leakage and Improper Error Handling
  • 33. OWASP 33 6. Information Leakage and Improper Error Handling Description Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems Affected Environments All web application frameworks are vulnerable to information leakage and improper error handling.
  • 34. OWASP 34 6. Information Leakage and Improper Error Handling Vulnerabilities Error message with too much detail  Stack Traces  SQL Statements Improper logging of detailed messages
  • 35. OWASP 35 6. Information Leakage and Improper Error Handling Verifying Security The goal is for the application to not leak detailed error messages Automated and Manual approaches are useful, but automated can not properly determine the meaning of the message and manual is time consuming Protection Use testing to generate error messages and perform ongoing evaluations in development Disable or limit detailed error handling
  • 36. OWASP 36 6. Information Leakage and Improper Error Handling References  OWASP http://www.owasp.org/index.php/Error_Handling  OWASP http://www.owasp.org/index.php/Category:Sensitive_Data_Protection_ Vulnerability
  • 37. OWASP 37 Broken Authentication and Session Management
  • 38. OWASP 38 7. Broken Authentication and Session Management Description Flaws in authentication and session management most frequently involve the failure to protect credentials and session tokens through their lifecycle. Affected Environments All web application frameworks are vulnerable to authentication and session management flaws
  • 39. OWASP 39 7. Broken Authentication and Session Management Vulnerabilities Flaws in main authentication mechanism Password management Session Timeout
  • 40. OWASP 40 7. Broken Authentication and Session Management  Verifying Security  Application should properly authenticate users and protect their credentials  Automated tool have difficulty  Combination of Code Reviews and Testing are effective  Protection  Maintain secure communication and credential storage  Use single authentication mechanism where applicable  Create a new session upon authentication  Ensure the logout link destroys all pertinent data  Do not expose any credentials in URL or logs
  • 41. OWASP 41 7. Broken Authentication and Session Management References  OWASP, http://www.owasp.org/index.php/Guide_to_Authentication  OWASP, http://www.owasp.org/index.php/Reviewing_Code_for_Authentication  OWASP, http://www.owasp.org/index.php/Testing_for_authentication
  • 43. OWASP 43 8. Insecure Cryptographic Storage Description Simply failing to encrypt sensitive data is very widespread. Applications that do encrypt frequently contain poorly designed cryptography, either using inappropriate ciphers or making serious mistakes using strong ciphers. Affected Environments All web application frameworks are vulnerable to insecure cryptographic storage.
  • 44. OWASP 44 8. Insecure Cryptographic Storage Vulnerabilities Not encrypting sensitive data Using home grown algorithms Insecure use of strong algorithms Continued use of proven weak algorithms (MD5, SHA- 1, RC3, RC4, etc…) Hard coding keys, and storing keys in unprotected stores
  • 45. OWASP 45 8. Insecure Cryptographic Storage Verifying Security Verify that the application properly encrypts sensitive information in storage Automated vulnerability tools are not effective Code Review is the best way to verify that an application encrypts sensitive data Protection Use only approved public algorithms Check to make sure all sensitive data is being encrypted
  • 46. OWASP 46 8. Insecure Cryptographic Storage  References  OWASP, http://www.owasp.org/index.php/Cryptography  OWASP, http://www.owasp.org/index.php/Guide_to_Cryptography  OWASP, http://www.owasp.org/index.php/Insecure_Storage  OWASP, http://www.owasp.org/index.php/How_to_protect_sensitive_data_in_U RL’s  PCI Data Security Standard v1.1, https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf  Bruce Schneier, http://www.schneier.com/  CryptoAPI Next Generation, http://msdn2.microsoft.com/en- us/library/aa376210.aspx
  • 48. OWASP 48 9. Insecure Communications Description Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications SSL must be used for all authenticated connections Affected Environments All web application frameworks are vulnerable to insecure communications.
  • 49. OWASP 49 9. Insecure Communications Vulnerabilities Network sniffing All authenticated traffic needs to go over SSL because HTTP includes authentication credentials or a session token with every single request; not just the actual login request Always use SSL with sensitive data
  • 50. OWASP 50 9. Insecure Communications Verifying Security Verify that the application properly encrypts all authenticated and sensitive communications Vulnerability scanning tools can verify that SSL is used on the front end, and can find many SSL related flaws Code review is quite efficient for verifying the proper use of SSL for all backend connections Protection Always use SSL with sensitive data
  • 51. OWASP 51 9. Insecure Communications  References  OWASP Testing Guide, Testing for SSL / TLS, https://www.owasp.org/index.php/Testing_for_SSL-TLS  OWASP Guide, http://www.owasp.org/index.php/Guide_to_Cryptography  Foundstone - SSL Digger, http://www.foundstone.com/index.htm?subnav=services/navigation.ht m&subcontent=/services/overview_s3i_des.htm  NIST, SP 800-52 Guidelines for the selection and use of transport layer security (TLS) Implementations, http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf  NIST SP 800-95 Guide to secure web services, http://csrc.nist.gov/publications/drafts.html#sp800-95
  • 52. OWASP 52 Failure to Restrict URL Access
  • 53. OWASP 53 10. Failure to Restrict URL Access Description Relying on security by obscurity to restrict URL access Not using access control checks for URLs Affected Environments All web application frameworks are vulnerable to failure to restrict URL access
  • 54. OWASP 54 10. Failure to Restrict URL Access Vulnerabilities Forced browsing “Hidden” URLs and files Outdated security mechanism Evaluating privileges only on the client
  • 55. OWASP 55 10. Failure to Restrict URL Access Verifying Security Verify that access control is enforced consistently for all URLs in the application Automated tools have difficulty verifying URL access control Combination of Code Reviews and Testing are effective Protection Properly architecting and implementing roles for URL access Ensure all URLs are part of this process Do not use “hidden” URLs
  • 56. OWASP 56 10. Failure to Restrict URL Access References  OWASP, http://www.owasp.org/index.php/Testing_for_Directory_Traversal  OWASP, http://www.owasp.org/index.php/Forced_browsing  OWASP, http://www.owasp.org/index.php/Guide_to_Authorization