OWASP TOP10 2017 - A New Hit List of Vulnerabilities (klagrz)
The OWASP community maintains a list of the 10 most common and most prevalent vulnerabilities in the world of web applications. Vulnerabilities from this list that are found in products often block the release of a new software version.
What is OWASP? What does the OWASP TOP10 list contain, and what has changed compared to the previous edition (OWASP TOP10 2013)? I answer these questions, describing each vulnerability along the way and showing the practical exploitation of selected vulnerabilities from the list.
Best Practices Guide: Introducing Web Application Firewalls (alexmeisel)
Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers use methods which are specifically aimed at exploiting potential weak spots in the web application software itself, and this is why they are not detected, or not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems. OWASP develops tools and best practices to support developers, project managers and security testers in the development and operation of secure web applications. Additional protection against attacks, in particular for web applications already in production, is offered by what is still an emerging category of IT security systems, known as Web Application Firewalls (hereinafter referred to simply as WAF), often also called Web Application Shields or Web Application Security Filters.
OWASP CSRF Protector has been implemented as a PHP library and an Apache 2.2.x module that helps web developers and system administrators mitigate CSRF vulnerabilities in their web applications with ease.
Presentation of my talk at FOSSASIA 2015
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech Talk - Dec 22 - 2015 (gmaran23)
Screen Recording: https://vimeo.com/gmaran23/AutomatingWebApplicationSecurityWithOWASPZAPDOTNETAPI
OWASP DefectDojo - Open Source Security Sanity (Matt Tesauro)
Originally given at the project showcase at Global AppSec DC 2019, this talk covered what DefectDojo is, what's new and why you should be using it in your security program.
Cross Site Scripting (XSS) Defense with Java (Jim Manico)
Cross Site Scripting defense is difficult. The Java programming language does not provide the native key defenses necessary to thoroughly prevent XSS. As technologies such as Content Security Policy emerge, we still need pragmatic advice to stop XSS in legacy applications as well as in new applications using traditional Java frameworks. First-generation encoding libraries had both performance and completeness problems that prevented developers from achieving thorough, production-safe XSS defense. This talk will deeply review the OWASP Java Encoder Project and the OWASP HTML Sanitizer Project and give detailed code samples highlighting their use. Additional advice on next-generation JavaScript and JSON workflows using the OWASP JSON Sanitizer will also be reviewed.
4. Accessibility
Accessibility is mandatory by law
Except for “justifiable hardship”
Corporations and governments: no choice - do it!
Personal web sites: no one will come after you... but...
OWASP AppSec Europe 2006
6. Back Button
The most used button
Ajax toolkits often destroy or hide it
Support the Back Button!
7. Privacy
“You have no privacy. Get over it.” - Scott McNealy
8. Privacy
“Nothing that we have authorized conflicts with any law regarding privacy or any provision of the constitution.” - John Ashcroft
9. Privacy
“Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.” - John Perry Barlow
11. Privacy ... not
JavaScript is clear text
Often cached regardless of browser settings
Not private in any way
12. Privacy ... not
DOM can be manipulated by hostile code
Not private in any way
13. Privacy ... not
Dojo.Storage uses Flash
“Solution” for client-side persistent storage
Not private in any way
Often used for cross-domain postings... ARGH
14. Mash ups
Who owns the data?
Who gets the data?
How are they going to handle it?
22. Authentication
Don’t let any old caller in
What’s okay without authentication?
Authenticate new XMLHttpRequest sessions
23. Ask...
(Slide image: “Look ma! No cookies!”)
24. and ye shall receive
(Slide image: “Yeah baby! Come to papa!”)
25. Authorization
Would you let Bart call your admin function?
26. Authorization
Use same authorization methods
Default deny; all actions should be denied unless explicitly allowed
Return error responses when authorization fails
28. Session Fixation
Use toolkits which send session tokens
Use proper session management to maintain the session
OWASP Guide - Session Management chapter
29. Cross-domain XML Http Requests
By security design, no browser supports this
Many designs want to do this
or already do this (Google Maps, etc.)
How to do it safely?
Only with federated security
30. State management
In the good olde days, state was on the server
With Ajax, a lot more state is on the client
Think “hidden fields” but so much worse
31. Sending state
Validate all state before use
Sending state to the client for display
DOM injections
HTML injections
Only send changed state back
32. Exposing internal state
Just because it’s faster doesn’t mean it’s wiser
Keep sensitive state on the server, always
Don’t obfuscate JavaScript - it’s hard enough now
34. Injection Attacks
PHP toolkits: look for code injection attacks
JSON injection: be careful how you decode!
DOM injection - client side attacks now much easier
XML injection - both client and server side
Code injection - both client and server side
35. Data validation
Data from XMLHttpRequest must be validated
Perform validation after authorization checks
Validate using same paths as existing code
If you (de-)serialize, be aware of XML injection
37. Reconstructing Ajax API
Many Ajax apps have been “decoded”
e.g. libgmail, GMail Agent API, gmail.py, etc.
Spawned GMailFS, Win32 Gmail clients, etc.
Do not assume your app is special - it will be decoded!
(Slide image: GMail Agent API in action)
39. Pseudo API Injection
Almost all Ajax toolkits use GET by default
Force them to use POST
Most PHP AJAX toolkits allow remote code injection by allowing client-side invocation of server code
e.g. AJason, JPSpan and CPAINT (1.x)
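As an added example (not from the slides or any toolkit they mention), a server-side dispatcher for XMLHttpRequest endpoints that applies slides 22, 26, 35 and 39 in order: authenticate the session, authorize with default deny and an explicit error response, refuse GET for state-changing actions, and validate the payload only after authorization. The policy table, session store and request shape are constructed for illustration and assume no particular framework.

```javascript
// Added example: Ajax endpoint dispatcher following the slides' rules.
// POLICY, SESSIONS and the request shape are hypothetical; a real app
// would back them with its own session store and access-control model.

// Default-deny policy: an action not listed here is refused for everyone.
const POLICY = {
  "profile.view":   { roles: ["user", "admin"], mutates: false },
  "profile.update": { roles: ["user", "admin"], mutates: true },
  "user.delete":    { roles: ["admin"],         mutates: true },
};

// Constructed session store keyed by the token the client sends.
const SESSIONS = {
  "tok-alice": { user: "alice", role: "user" },
  "tok-root":  { user: "root",  role: "admin" },
};

// Input validation per action; runs only after authorization (slide 35).
function validateBody(action, body) {
  if (action === "profile.update") {
    return typeof body.displayName === "string" &&
      /^[\w .-]{1,64}$/.test(body.displayName);
  }
  if (action === "user.delete") {
    return typeof body.userId === "string" && /^\d{1,10}$/.test(body.userId);
  }
  return true; // read-only actions carry no payload to validate
}

// req = { method, sessionToken, action, body }
function handleAjax(req) {
  // 1. Authenticate: no valid session token, no service (slide 22).
  const session = SESSIONS[req.sessionToken];
  if (!session) return { status: 401, error: "authentication required" };
  // 2. Authorize with default deny and an explicit error (slide 26).
  const rule = POLICY[req.action];
  if (!rule || !rule.roles.includes(session.role)) {
    return { status: 403, error: "not authorized" };
  }
  // 3. State-changing calls must arrive by POST, never GET (slide 39).
  if (rule.mutates && req.method !== "POST") {
    return { status: 405, error: "use POST" };
  }
  // 4. Only now inspect the payload (slide 35).
  if (!validateBody(req.action, req.body || {})) {
    return { status: 400, error: "invalid input" };
  }
  return { status: 200, result: `${req.action} by ${session.user}` };
}
```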