Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Owasp Indy Q2 2012 Cheat Sheet Overview


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Owasp Indy Q2 2012 Cheat Sheet Overview

  1. 1. OWASP Cheat Sheet Series Overview
  2. 2. About MeBrian Boswell | Technical Lead/ISM @ Apparatus, CISSP
  3. 3. • OWASP Cheat Sheet Series – Created to provide a collection of great information with regards to web application security in one location
  4. 4. Active Cheat Sheets• Current Active Cheat Sheet Topics – Authentication – Logging – Cross-Site Request Forgery – Application Security Arch – Transport Layer Protection – XSS Prevention – Input Validation – Cryptographic Storage – Forgot Password – DOM based XSS – SQL Injection Prevention – Session Management – HTML5 – Web Service
  5. 5. Draft Cheat Sheets• Draft Cheat Sheet Topics – Access – Secure Coding – REST Security – Threat Modeling – Abridged XSS – Clickjacking – PHP Security – Virtual Patching – Password Storage – Secure SDLC
  6. 6. Transport Layer Protection
  7. 7. Transport Layer Protection• Benefits – Provide protection against eavesdroppers and tampering of data while in transit – Validation of the server or services being communicated with – Additional factor of authentication with client side certificates• Requirements – PKI and CRL or OSCP availability
  8. 8. Transport Layer Protection• Rules – Use TLS for login/authentication Pages – Use TLS regardless of the network – Do not allow for both TLS and non-TLS to be mixed in with the page content – Keep sensitive information out of URLs s=test
  9. 9. Transport Layer Protection• Rules – Provide support for only strong Ciphers – Disable SSLv2 • Apache SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH :+MEDIUM
  10. 10. Transport Layer Protection• Rules – Provide support for only strong Ciphers – Disable SSLv2 • Windows To disable weak ciphers, a new DWORD needs to be created with a value name of Enabled and a value of 00000000 under the following registry keys: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphe rsDES 56/56 HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphe rsRC2 40/128 HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphe rsRC4 40/128 HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphe rsRC4 56/128 HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphe rsNULL To disable the SSLv2, a new DWORD needs to be created with a value name of Enabled and a value of 00000000 under the following registry key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProto colsSSL2.0Server
  11. 11. Transport Layer Protection• Testing SSLv2 or Weak Ciphersopenssl s_client -connect -no_tls1 -no_ssl3openssl s_client -connect -cipher DES-CBC-SHA
  12. 12. Transport Layer Protection• Additional Uses – Client-side certificates – Protect other backend connections
  13. 13. Logging
  14. 14. Logging• Purpose – Help provide guidance on building logging into applications – Normal Firewall, Web Server, Database, etc logs may not be enough or contain enough information
  15. 15. Logging• Event Sources – Client software – Firewalls – NIDS/HIDS – Databases
  16. 16. Logging• Where are events recorded? – File system – Database – Local database used by the application
  17. 17. Logging• What events should we be logging? – Authentication attempts – Authorization failures – Modifications to privileges – System startup and shutdown events – Input validation failures
  18. 18. Logging• What attributes should we be logging? – Data and time – Application identifier – Event severity – User name or identity
  19. 19. Logging• What activities should we not be logging? – Session identification values – Personal Identifiable Information – Passwords – Database connection strings
  20. 20. Logging• Testing – Ensure permissions are set appropriately – Test for log injection possibilities Apr 26 15:09:05 fry sshd[19119]: User root from not allowed because not listed in AllowUsers ssh “root from not allowed because not listed in AllowUsers”@
  21. 21. ReferencesOWASP Cheat Sheet Site To Computer Security Log Management Injection Attack and Defence