OWASP TOP 10

The OWASP Top 10 is a list of the most prolific security issues facing web developers today. In this talk, Robert will take you through all 10 and demonstrate the problems (we will hack for real… in a safe way) and talk about the solutions. This is an introductory talk, so no prior experience is needed in web dev or security. Not doing web dev? Many of these apply to all development! So join in for a lively session of demos, learning and fun.

Video of this talk: https://www.youtube.com/watch?v=p5YCHNnQNyg
OWASP TOP 10

  1. OWASP TOP 10: Setting the bar for security
  2. Hi
     Robert MacLean
     @rmaclean | sadev.co.za
     DevConf | DevUG | Equal Experts
     Cape Town | South Africa
  3. Mandatory hacker photo
  4. Content warning
     Do not try this at home. Hacking is illegal without permission.
     One demo contains F***
  5. What is OWASP?
     Non-profit foundation for the improvement of the security of software
     Join as a member to support them and get conference discounts
     Local meetups available. Cape Town: meetup.com/en-AU/OWASP-Cape-Town-Chapter-Meetup
     Produce tools: Zap, Dependency Scanner
     Guidance
  6. OWASP TOP 10
     Using the 2017 guidance, as the 2020 guidance is still underway
     As it evolves, items are added, merged and removed
     This is the bar for security
     Focused on web security, but a lot is broadly applicable
     10 areas which can be implemented and exploited in a variety of ways
     Based on real-world feedback from OWASP members
     See: owasp.org/www-project-top-ten
     Each scored on four axes (scale is 1 to 3):
     • Attack Vector: Exploitability
     • Security Weakness: Prevalence
     • Security Weakness: Detectability
     • Impact: Technical
  7. OWASP TOP 10
     1. Injection
     2. Broken Authentication
     3. Sensitive Data Exposure
     4. XML External Entities (XXE)
     5. Broken Access Control
     6. Security Misconfiguration
     7. Cross-Site Scripting (XSS)
     8. Insecure Deserialization
     9. Using Components with Known Vulnerabilities
     10. Insufficient Logging & Monitoring
  8. Ten: Insufficient Logging & Monitoring
     Not logging and auditing logins, failures, high-value transactions
     Not enough information
     Logs stored locally
     Logs disabled or configured to ignore pen tests
     Not alerting on logs & metrics
     Exploitability: 2 | Prevalence: 3 | Detectability: 1 | Technical: 2
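As an added example (not from the talk or its demos), the following Python turns the points on this slide into a check that runs over constructed sample log lines: it counts failed logins per user and source address inside a sliding window, flags a successful login that follows a failure burst, and records high-value transactions for audit. The log format, field names and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the talk): "timestamp level event key=value ...".
SAMPLE_LOG = """\
2020-03-01T10:00:01Z INFO login_failed user=alice ip=203.0.113.5
2020-03-01T10:00:02Z INFO login_failed user=alice ip=203.0.113.5
2020-03-01T10:00:03Z INFO login_failed user=alice ip=203.0.113.5
2020-03-01T10:00:04Z INFO login_failed user=alice ip=203.0.113.5
2020-03-01T10:00:05Z INFO login_failed user=alice ip=203.0.113.5
2020-03-01T10:00:06Z INFO login_ok user=alice ip=203.0.113.5
2020-03-01T10:05:00Z INFO login_failed user=bob ip=198.51.100.7
2020-03-01T10:30:00Z INFO login_failed user=bob ip=198.51.100.7
2020-03-01T11:00:00Z INFO transfer user=alice amount=25000 currency=ZAR
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\w+) (?P<event>\w+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line):
    """Turn one log line into a dict, or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = m.group("event")
    return fields


def detect(log_text, fail_threshold=5, window=timedelta(minutes=1), high_value=10000):
    """Return (alert_type, user, detail) tuples in the order the alerts were raised."""
    alerts = []
    failures = defaultdict(list)   # (user, ip) -> timestamps of recent failed logins
    burst_seen = set()             # (user, ip) pairs that already tripped the brute-force rule
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["event"] == "login_failed":
            key = (ev["user"], ev["ip"])
            # Sliding window: drop failures older than `window` before counting this one.
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(failures[key]) >= fail_threshold:
                alerts.append(("brute_force", ev["user"], ev["ip"]))
                burst_seen.add(key)
                failures[key].clear()
        elif ev["event"] == "login_ok":
            key = (ev["user"], ev["ip"])
            # A success right after a failure burst is the event most worth a human's attention.
            if key in burst_seen:
                alerts.append(("success_after_burst", ev["user"], ev["ip"]))
        elif ev["event"] == "transfer" and int(ev["amount"]) >= high_value:
            # High-value transactions are recorded for audit regardless of outcome.
            alerts.append(("high_value_transaction", ev["user"], ev["amount"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Bob's two failures are 25 minutes apart, so they never reach the threshold inside the one-minute window; Alice's five failures and the success that follows them both raise alerts.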
  9. Nine: Using Components with Known Vulnerabilities
     3rd-party code runs with the same permissions as the system
     OS, database etc. all need to be checked too
     Scan on a continuous basis
     • Library tools like Dependency Check and npm audit
     • Container scanning
     • OS patching
     Only obtain code from official sources
     Exploitability: 2 | Prevalence: 3 | Detectability: 2 | Technical: 2
  10. Eight: Insecure Deserialization
     A specially crafted data structure causes the execution of code
     Relevant any time you use serialisation
     Exploitability: 1 | Prevalence: 2 | Detectability: 2 | Technical: 3
  11. Demo
  12. Eight: Insecure Deserialization
     User input should not be trusted
     Don’t accept serialised data
     • If you must, encrypt and/or sign the payloads
     Use safe deserialization options
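The "if you must, sign the payloads" point, as an added example that is not part of the talk: the payload is JSON (a data-only format, so no object types can be smuggled in), an HMAC-SHA256 tag is appended, and on the way back in the tag is checked with a constant-time compare before the bytes are handed to the parser. The key and the payload contents are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed key for the example; a real key comes from a secret store, never from source code.
EXAMPLE_KEY = b"example-key-do-not-use-in-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def sign_payload(obj, key: bytes) -> str:
    """Serialise `obj` as canonical JSON and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def load_payload(token: str, key: bytes):
    """Verify the tag first; only a payload we issued ourselves ever reaches json.loads."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        raise ValueError("malformed token")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch: payload was altered or not issued by us")
    return json.loads(body)


def rejects_tampering(key: bytes) -> bool:
    """Change one character of the encoded body and confirm the load is refused."""
    token = sign_payload({"user": "alice", "role": "user"}, key)
    body_b64, tag_b64 = token.split(".", 1)
    swapped = ("B" if body_b64[0] != "B" else "C") + body_b64[1:]
    try:
        load_payload(swapped + "." + tag_b64, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    token = sign_payload({"user": "alice", "role": "user"}, EXAMPLE_KEY)
    print(token)
    print(load_payload(token, EXAMPLE_KEY))
    print("tampering rejected:", rejects_tampering(EXAMPLE_KEY))
```

Signing only proves the payload came from the issuer; it does not hide the contents, so anything confidential inside it still needs encryption, as the slide says.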
  13. Seven: Cross-Site Scripting (XSS)
     Reflected XSS: not validating input & returning it back to the user
     Stored XSS: not validating input, putting it in the DB and then returning it later
     DOM XSS: APIs sending attackable content to the UI
     Can lead to account takeovers, spam, multi-factor bypasses, key logging
     Exploitability: 3 | Prevalence: 3 | Detectability: 3 | Technical: 2
  14. Demo
  15. Demos
     <script>alert(`xss`)</script>
     <iframe src="javascript:alert(`xss`)">
     <<a|ascript>alert(`xss`)</script>
     <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
     /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
     &lt;SCRIPT&gt;alert("XSS");&lt;/SCRIPT&gt;
     _=`${`${{}}`[!![]<<!![]<<!![]|!![]]}${`${{}}`[!!{}<<![]]}${`${[][~[]]}`[!!{}<<![]]}${`${!![][~[]]}`[(!![]< <!![])|!![]]}${`${![][~[]]}`[!{}<<![]]}${`${![][~[]]}`[!!{}<<![]]}${`${![][~[]]}`[!!{}<<!![]]}${`${{}}`[!! []<<!![]<<!![]|!![]]}${`${![][~[]]}`[!{}<<![]]}${`${{}}`[!!{}<<![]]}${`${![][~[]]}`[!!{}<<![]]}`,__=`${`${ {}}`[!!{}<<![]]}${`${{}}`[!!{}<<!![]]}${`${!![][~[]]}`[[]<<[]]}${`${![][~[]]}`[!!{}<<!![]]}${`${!![][~[]]} `[(!![]<<!![])|!![]]}${`${{}}`[!![]<<!![]<<!![]|!![]]}${`${!![][~[]]}`[!!{}<<![]]}${`${![][~[]]}`[!{}<<![] ]}${`${[][~[]]}`[!![]<<!![]<<!![]|!![]]}${`${{}}`[!!{}<<![]]}${`${[][~[]]}`[!!{}<<![]]}!`,[][_][_](`${`${{ }}`[!![]<<!![]<<!![]|!![]]}${`${{}}`[!!{}<<![]]}${`${[][~[]]}`[!!{}<<![]]}${`${!![][~[]]}`[(!![]<<!![])|!! []]}${`${{}}`[!!{}<<![]]}${`${!![][~[]]}`[!!{}<<!![]]}${`${![][~[]]}`[(!![]<<!![])|!![]]}${`${{}}`[[]<<[]] }'${`${!![][~[]]}`[!!{}<<!![]]}${`${{}}`[!!{}<<![]]}${`${``[_]}`[!![]<<!![]<<!![]<<!![]^!![]<<!![]<<!![]|! !{}<<!![]]}'${`${{}}`[!![]<<!![]<<!![]<<!![]^!![]<<!![]<<!![]|!!{}<<!![]]}(__)`)()
  16. Seven: Cross-Site Scripting (XSS)
     User input should not be trusted
     HTML-escape any dynamic content (tags, attributes, CSS etc.)
     Use a safer format for input, say Markdown
     Make use of HttpOnly cookies
     Make use of CORS
     Make use of CSP
     Make use of audit tools
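"HTML-escape any dynamic content" depends on where the content lands, so this added Python example (not from the talk) escapes a comment for three contexts separately: element text, a quoted attribute, and a link target, where escaping alone is not enough and a scheme allowlist drops `javascript:` URLs. The comment template and the `render_comment` function are assumptions for the example; the payloads it is fed are the ones on the demo slide.

```python
import html
from urllib.parse import urlparse

# Payloads from the talk's demo slide, reused here only as test input.
DEMO_PAYLOADS = [
    "<script>alert(`xss`)</script>",
    '<iframe src="javascript:alert(`xss`)">',
    '<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
]


def esc_text(value: str) -> str:
    """For element content: < > & become entities, so no new tag can start."""
    return html.escape(value, quote=False)


def esc_attr(value: str) -> str:
    """For quoted attribute values: quotes are escaped too, so the value cannot close the attribute."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> str:
    """Allow only http(s) links with a host; javascript:, data: and friends fall back to an inert '#'."""
    url = url.strip()
    parsed = urlparse(url)
    if parsed.scheme.lower() in ("http", "https") and parsed.netloc:
        return esc_attr(url)
    return "#"


def render_comment(author: str, website: str, body: str) -> str:
    """Fixed template; every dynamic value is escaped for the context it is placed in."""
    template = (
        '<div class="comment" data-author="{author_attr}">'
        '<a href="{href}" rel="nofollow">{author_text}</a>'
        "<p>{body_text}</p></div>"
    )
    return template.format(
        author_attr=esc_attr(author),
        href=safe_href(website),
        author_text=esc_text(author),
        body_text=esc_text(body),
    )


def contains_live_markup(rendered: str) -> bool:
    """Check used below: did a tag or an active URL survive into the output?"""
    lowered = rendered.lower()
    return "<script" in lowered or "<iframe" in lowered or 'href="javascript:' in lowered


def all_payloads_neutralised() -> bool:
    """Feed each demo payload into every dynamic slot and confirm none survives as markup."""
    for payload in DEMO_PAYLOADS:
        out = render_comment(author=payload, website="javascript:alert(`xss`)", body=payload)
        if contains_live_markup(out):
            return False
    return True


if __name__ == "__main__":
    print(render_comment("alice", "https://owasp.org/", DEMO_PAYLOADS[0]))
    print("all demo payloads neutralised:", all_payloads_neutralised())
```

Escaping is the output-side half of the slide's advice; the same template with a CSP and HttpOnly cookies limits what a payload that does slip through can reach.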
  17. Six: Security Misconfiguration
     Unused ports and services running on machines
     Default credentials
     Error handling returning too much info
     Using code with known issues
     Exploitability: 3 | Prevalence: 3 | Detectability: 3 | Technical: 2
  18. Demo
  19. Six: Security Misconfiguration
     User input should not be trusted
     Get security audits done
     Go on security training
     Automate checking of settings and code
     Remove (or block) anything not needed
  20. Five: Broken Access Control
     Authentication vs. Authorization
     Bypassing access controls by editing the URL or anything on the client side
     IDORs
     Exploitability: 2 | Prevalence: 2 | Detectability: 2 | Technical: 3
  21. Demo
  22. Five: Broken Access Control
     User input should not be trusted
     Deny by default
     Rate limits
     Disable web server directory listing
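"Deny by default" and "rate limits" against an IDOR, as an added Python example that is not from the talk: the authorisation function can only return True by matching a rule written in it, the object lookup checks ownership server-side on every request and gives the same answer for "missing" and "not yours", and a small sliding-window limiter caps how fast one caller can try ids. Users, orders and the limiter's numbers are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Order:
    id: int
    owner: str


# Constructed sample data: two customers, one order each.
ORDERS = {41: Order(41, "alice"), 42: Order(42, "bob")}


def authorize(user: User, action: str, order: Order) -> bool:
    """Deny by default: the only way to get True is to match a rule listed here."""
    if "admin" in user.roles:
        return True
    if action in ("read", "cancel") and order.owner == user.name:
        return True
    return False


def get_order(user: User, order_id: int) -> Order:
    """Check every object reference server-side; the client choosing the id proves nothing."""
    order = ORDERS.get(order_id)
    if order is None or not authorize(user, "read", order):
        # Same response for 'does not exist' and 'not yours', so ids cannot be enumerated by error text.
        raise PermissionError("order not found")
    return order


class RateLimiter:
    """At most `limit` calls per `window_seconds` per key; the clock is passed in so tests are deterministic."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self.calls = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.calls[key]
        while q and now - q[0] >= self.window:   # forget calls that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    alice = User("alice")
    print(get_order(alice, 41))
    try:
        get_order(alice, 42)          # alice asks for bob's order by changing the id
    except PermissionError as e:
        print("denied:", e)
    limiter = RateLimiter(limit=5, window_seconds=60)
    print([limiter.allow("203.0.113.5", t) for t in range(6)])   # five True, then False
```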
  23. Four: XML External Entities (XXE)
     Untrusted XML is provided
     • SAML auth
     The XML parser has lots of features, and those features are exploited
     Exploitability: 2 | Prevalence: 2 | Detectability: 3 | Technical: 3
  24. Demos
     <?xml version="1.0" encoding="ISO-8859-1"?>
     <!DOCTYPE foo [
       <!ELEMENT foo ANY >
       <!ENTITY xxe SYSTEM "file:///etc/passwd" >
     ]>
     <foo>&xxe;</foo>

     <?xml version="1.0"?>
     <!DOCTYPE lolz [
       <!ENTITY lol "lol">
       <!ELEMENT lolz (#PCDATA)>
       <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
       <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
       <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
       <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
       <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
       <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
       <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
       <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
       <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
     ]>
     <lolz>&lol9;</lolz>
  25. Demos
     a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
     b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]   # 100
     c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]   # 1000
     d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]   # 10 000
     e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]   # 100 000
     f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]   # 1 000 000
     g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]   # 10 000 000
     h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]   # 100 000 000
     i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]   # 1 BILLION
  26. Four: XML External Entities (XXE)
     User input should not be trusted
     Run static code analysis tools
     Run dependency analysis tools
     • npm & Yarn audit
     • Dependency Check for the JVM
     Disable SOAP prior to 1.2
     Disable features you do not need
     • XML external entities & DTD in XML
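"Disable XML external entities & DTD", as an added example that is not part of the talk: the Python standard library's `xml.etree` has no switch for this, so the code below first walks the document with a bare `xml.parsers.expat` parser whose doctype and entity callbacks raise, and only a DTD-free document is handed to the real parser. The doctype callback fires at `<!DOCTYPE`, before any entity is declared, so both slide-24 documents are refused before any file is read or any expansion starts. The `parse_untrusted_xml` and `parse_result` functions are assumptions for the example; the two rejected inputs are the slide's own (the "lolz" one shortened to two levels).

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# The XXE document from the talk's demo slide, used here only as input that must be refused.
XXE_DOC = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>"""

# The entity-expansion document from the same slide, shortened to two levels.
LOLZ_DOC = """<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""


class DTDForbidden(ValueError):
    """Raised when untrusted XML tries to declare a DTD or an entity."""


def _forbid(*_args):
    # Any exception raised inside an expat callback aborts Parse() and propagates to the caller.
    raise DTDForbidden("DTDs and entity declarations are not accepted from untrusted input")


def parse_untrusted_xml(data: str) -> ET.Element:
    # Pass 1: probe with a parser that refuses DTDs. Nothing is resolved or expanded here.
    probe = xml.parsers.expat.ParserCreate()
    probe.StartDoctypeDeclHandler = _forbid
    probe.EntityDeclHandler = _forbid
    probe.ExternalEntityRefHandler = _forbid
    probe.Parse(data, True)
    # Pass 2: only a DTD-free, well-formed document reaches the parser that builds the tree.
    return ET.fromstring(data)


def parse_result(data: str) -> str:
    """Classify an input as accepted, rejected for using a DTD, or simply malformed."""
    try:
        return "ok:" + parse_untrusted_xml(data).tag
    except DTDForbidden:
        return "rejected"
    except (ET.ParseError, xml.parsers.expat.ExpatError):
        return "malformed"


if __name__ == "__main__":
    for label, doc in [("xxe", XXE_DOC), ("lolz", LOLZ_DOC), ("plain", "<foo>hi</foo>")]:
        print(label, "->", parse_result(doc))
```

The YAML bomb on slide 25 is the same idea in a different format: anchors and aliases are the "feature" there, and a loader fed untrusted input should refuse or bound them just as this one refuses DTDs.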
  27. Three: Sensitive Data Exposure
     Man-in-the-middle attacks
     Stealing records off the server or the servers it was sent through
     Weak crypto
     No hashing of the passwords
     Sharing data which should be private
     Exploitability: 2 | Prevalence: 3 | Detectability: 2 | Technical: 3
  28. Demo
  29. Three: Sensitive Data Exposure
     Classify data processed, stored and transmitted
     Identify risk for business, law (GDPR)
     Only store information you must
     Encrypt sensitive data at rest
     Encrypt all data in transit
     Disable caching of sensitive data
     HSTS preload
  30. Two: Broken Auth
     Default admin accounts
     Credential stuffing, brute force and dictionary attacks
     Unexpired session tokens
     Weak or ineffective forgot-password and recovery processes
     Plaintext passwords, not hashed passwords
     Not invalidating session IDs
     Exploitability: 3 | Prevalence: 2 | Detectability: 2 | Technical: 3
  31. Demo
  32. Demos
     $ hydra -l admin@juice-sh.op -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-post-form '/#/login:email=^USER^&password=^PASS^:Invalid email or password.' -fV -s 3000 -t 1
  33. Two: Broken Auth
     Do not build auth unless needed – make use of the existing team
     Credential stuffing, brute force and dictionary attacks
     • haveibeenpwned.com/Passwords
     • Rate limits
     Unexpired session tokens
     Weak or ineffective forgot-password and recovery processes
     • Avoid knowledge questions
     • Do users need passwords?
     • Two-factor auth
     Plaintext passwords
     • Just don’t
     Hash & salt passwords
     • Pick hashing algorithms which are slow and don’t have collisions
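Two of the slide's points in code, as an added Python example that is not from the talk. "Hash & salt passwords" with a slow algorithm is done with PBKDF2-HMAC-SHA256 from the standard library, a random 16-byte salt per password and a constant-time verify. The haveibeenpwned.com/Passwords check is shown as the k-anonymity computation the service uses: only the first five hex characters of SHA-1(password) leave the machine, and the remaining 35 are compared locally against the returned `SUFFIX:COUNT` lines. No network call is made; the response text is constructed and its counts are made up. The iteration count, storage format and function names are assumptions for the example.

```python
import hashlib
import hmac
import os

# Deliberately slow: tune so that one hash costs a noticeable fraction of a second on your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'; a fresh random salt unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        recomputed = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False   # malformed record: wrong field count, bad hex or bad integer
    return hmac.compare_digest(recomputed, expected)


# Constructed stand-in for the body the Pwned Passwords range API returns for prefix 5BAA6.
# Real responses have the same "SUFFIX:COUNT" shape; these counts are invented for the example.
CONSTRUCTED_RANGE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:4
1E2AAA439972480CEC7F16C795BBB76A3F4:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2
"""


def range_query(password: str):
    """Split SHA-1(password) into the 5-char prefix that is sent and the 35-char suffix kept locally."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]


def pwned_count(password: str, range_response: str) -> int:
    """Breach count for `password` given the response for its prefix; 0 when the suffix is absent."""
    _prefix, suffix = range_query(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("prefix sent for 'password':", range_query("password")[0])
    print("times seen in breaches:", pwned_count("password", CONSTRUCTED_RANGE_RESPONSE))
```

PBKDF2 is the portable choice here because it ships with every Python build; where available, a memory-hard function such as scrypt or Argon2 raises the attacker's cost further for the same user-facing delay.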
  34. One: Injection
     Attacker sends data to the interpreter to get it to return the incorrect answer, change settings they shouldn’t be able to, or increase privileges
     SQL injection is one vector, but this could be any database, environment variables, JSON, SOAP, XML, headers, cookies, etc.
     Exploitability: 3 | Prevalence: 2 | Detectability: 3 | Technical: 3
  35. Demo
  36. One: Injection
     User input should not be trusted
     Use SQL parameters for SQL
     Avoid building strings in code based on user input
     Use approval lists to check content
     “I use an ORM, so I am safe”: by default, most likely, but you should check
     Use tools like ZAP to look for these
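"Use SQL parameters" and "use approval lists", side by side in an added Python example that is not part of the talk. The string-built query is the "before": the input becomes part of the SQL grammar and a quote-and-OR probe returns every row. The bound-parameter version treats the same input purely as a value. The third function covers the case parameters cannot handle, an identifier in `ORDER BY`, which is where an approval list is the only safe option. The table and rows are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.test", "user"), ("bob@example.test", "user"), ("admin@example.test", "admin")],
    )
    return conn


def find_user_unsafe(conn, email: str):
    """The 'before': user input is pasted into the SQL text and can rewrite the WHERE clause."""
    sql = "SELECT email FROM users WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, email: str):
    """The fix: a bound parameter is always a value, never SQL, whatever characters it contains."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE email = ?", (email,))]


# Approval list for the one place a parameter cannot go: a column name.
ALLOWED_SORT_COLUMNS = {"id", "email", "role"}


def list_users_sorted(conn, column: str):
    """Identifiers cannot be bound, so anything not on the approval list is refused outright."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return [row[0] for row in conn.execute("SELECT email FROM users ORDER BY " + column)]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", find_user_safe(db, probe))     # no row has that literal email
    print("sorted:", list_users_sorted(db, "email"))
```

The ORM caveat on the slide is the same distinction: an ORM binds values for you, but raw-SQL escape hatches and dynamically chosen column or table names still need the approval-list treatment.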
  37. Done?
     No, this is the minimum bar
     Join your local OWASP group
     Run your checks all the time
     Get a red team
     Practice incidents
     Secure by default is a great first principle
  38. Thank You
     Robert MacLean
     robert@sadev.co.za