Owasp Top 10

G A U R A V N A R W A N I
Learning the OWASP’s Ten Most
Critical Web Application Security
Vulnerabilities

2
About Gaurav Narwani
• Final Year Computer Science Engineering Student
• Bug Bounty Hunter
• Penetration Tester Intern at Olcademy
• Top 700 Security Researchers on Bugcrowd

3
AGENDA
• Purpose of this Session
- Provide an overview of Web Application Security
threats and Defenses.
• Using the Open Web Application Security Project
( OWASP ) Top 10 List we will:
- Define the vulnerabilities
- Illustrate the Web Application Vulnerabilities
- Explain how to protect against the
vulnerabilities.

EQUIFAX Encountered with
a massive data breach for a
bug that was about to be
patched.
Around 143 Million
customer details were
leaked.

Open Web Application
Security Project ( OWASP )

9
A1 - Injection
Code = Data = Command

10
A1 - Injection
Command(Code)
Interpreter
Run the Program

11
A1 - Injection
Command(Command)
Interpreter
Run the Program
Instead of code,
command is passed as
data.

12
A1 - Injection
Access Control
The most important property violated here is:
Data is leaked to people without any access.
Access should only be given to system
administrators.

14
A1 - Injection
Application to search for movies

15
A1 - Injection
Query running backend:

16
A1 - Injection
After inserting a ‘

17
A1 - Injection
What if we insert ‘ ‘

18
A1 - Injection
What's Happening in the background
SELECT * FROM movies WHERE title LIKE %” . sqli($title) . “% ”
ORIGINAL QUERY
MODIFIED QUERY BY ADDING ‘ IN THE TEXT BOX
SELECT * FROM movies WHERE title LIKE ‘%” . ’
The Query Now is completed by the quote and
there is a missing double quote(”) in the query.
Hence the Error.
Query
Incomplete

19
A1 - Injection
What's Happening in the background
MODIFIED QUERY BY ADDING ‘ ‘ IN THE TEXT BOX
The Query is now well formed with complete
parentheses
SELECT * FROM movies WHERE title LIKE %” . . “% ”
Query
Complete
and no
input as
such

20
A1 - Injection
Lets Insert a query to check the data is entered into which
column
Query: iron' union select 1,2,3,4,5,6,7 #
Escape the
query to add
our own
command Union gives
us the ability
to merge
two queries
Select gives
us the ability
to show
results in the
query
These are
the values
which will be
inserted in
the columns

21
A1 - Injection
Lets Insert a query to check the data is entered into which
column

22
A1 - Injection
Let’s get the Login Credentials
Query: iron' union select 1,login,password,email,5,6,7
from users #
Escape the
query to add
our own
command
Union gives
us the ability
to merge
two queries
Select gives
us the ability
to show
results in the
query
These are
the values
which will be
retrieved
from Table
users

23
A1 - Injection
User’s Login Credentials

24
A1 - Injection
How to prevent?
• For server products and
libraries, keep up with the
latest bug reports for the
products you are using.
• Periodically scan your web site
with one or more of the
commonly available scanners
that look for buffer overflow
flaws in your server products
and your custom web
applications.
• Size checking on all input.
• Ensure the web application
runs with only the privileges
it absolutely needs to
perform its function.

26
A2 - Broken Authentication
Authentication
• Who are you?
• What is yours?

27
Session
• Active account?
• In use by account owner?

28
What could go wrong?

29
Social Engineering
• How to trick someone to give you their username and
password

30
Automated Attacks
• Credential Stuffing
• Brute-force attacks

31
Broken Application Logic
1. User clicks on Sign out
2. Session ID destroyed
3. User Logs in again with
username and
password

32
How to prevent?
• Careful and proper use of authentication and session
management mechanisms should significantly reduce the
likelihood of a problem.
• Security rules:
- Password strength
- Password storage (hashed or encrypted)
- Session ID protection

A3 – Sensitive Data Exposure

34
A3 - Sensitive Data Exposure
Credit Card Numbers
Encrypted
Decrypted
Users
SQL Injection
• An application encrypts credit
card numbers in a database
using automatic database
encryption.
• However, this data is
automatically decrypted when
retrieved, allowing an SQL
injection flaw to retrieve
credit card numbers in clear
text.

35
• Imagine you’re at a coffee
shop an using the public Wi-Fi
and you’re browsing Facebook.
• An attacker monitors network
traffic ,downgrades
connections from HTTPS to
HTTP, intercepts requests, and
steals the user's session cookie
or even the credentials. The
attacker basically has control
over your account.

36
How to prevent?
• Make sure to encrypt all sensitive data at rest.
• Encrypt all data in transit with secure protocols such as TLS
with perfect forward secrecy (PFS) ciphers, cipher prioritization
by the server, and secure parameters. Enforce encryption using
directives like HTTP Strict Transport Security (HSTS).
• Don’t store sensitive data unnecessarily. Discard it as soon as
possible.

A4 – XML External Entities
( XXE )

38
A4 - XML External Entities (XXE)
GET/POST Request Response
Normal Request and response
The Request is now modified and a malicious XML is
added to the request. This Malicious XML if accepted can
attempt to extract data from the server like credentials
Modified GET/POST
Request with
Malicious XML
Normal Response combined
with Server data

39
Let’s say we click the button “Any bugs?”
The server makes the post request and response with entity bee

40
Now what if we add a Malicious XML in the POST request
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY popped SYSTEM "file:///etc/passwd">
]>
XML version and the character encoding
Doctype declares all of the
document's element types
Private external entities are identified by the keyword
SYSTEM
And add our malicious entity to the POST request
POST data in original request:
<reset><login>bee</login><secret>Any bugs?</secret></reset>
POST data in modified request:
<reset><login>&popped;</login><secret>Any bugs?</secret></reset>

41
The New Request and Response

42
Billion Laughs Attack / Dos attack
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol9;</lolz>

43
How to prevent?
Developer training is essential to identify and mitigate XXE
besides that, preventing XXE requires:
• Whenever possible, use less complex data formats such as
JSON, and avoiding serialization of sensitive data.
• Disable XML external entity and DTD processing in all XML
parsers in the application.

45
Authentication
• Who are you?
• What is yours?
A5 - Broken Access Control

46
Authorization

47
Gaurav
Pavan
Admin
Gaurav’s Account
Pavan’s Account
Admin’s Account

48
Insecure Direct Object References
https://LinkedIn.com/app/accountInfo?acct=Gaurav
Direct Reference to a
restricted resource
What if I change the acct parameter to Pavan?
https://LinkedIn.com/app/accountInfo?acct=Pavan
I have full access to Pavan’s account

49
How to prevent?
• Only admin should be able to view or modify the user’s
profile. Access shouldn’t be given to users to view or
modify another users profile. It should show a same
response for all ID’s that is 404 Error Code for all inputs.
• Implement access control mechanisms once and re-use
them throughout the application, including minimizing
CORS usage.

A6 – Security Misconfiguration

51
A6 - Security Misconfiguration
Directory Listing Enabled
• Directory listing is not
disabled on the server. An
attacker discovers they can
simply list directories.
• The attacker finds and
downloads the compiled Java
classes, which they decompile
and reverse engineer to view
the code.
• The attacker then finds a
serious access control flaw in
the application
Source Code available to hackers

52
No valid SPF Record
• The attackers check if
there is a valid SPF record
for the domain.
• If there is no SPF Records
or the records ore
misconfigured, the
attacker can spoof mails
on behalf of the domain
leading to loss of user
data.
Attackers can spoof mails using
an email address of domain,
which comes in Inbox not spam.
Domain.com Sender Policy
Framework Record Check

53
How to prevent?
• A minimal platform without any unnecessary features,
components, documentation, and samples. Remove or do
not install unused features and frameworks
• Check if you application is using components with known
vulnerabilities
• Disable web server directory listing and ensure file
metadata (e.g. .git) and backup files are not present within
web roots.

A7 – Cross-Site Scripting
(XSS)

55
A7 - Cross-Site Scripting (XSS)
HTML
• Hypertext Markup Language is the standard markup language for
creating web pages and web applications.
• HTML elements are the building blocks of HTML pages
• HTML elements are represented by tags
• HTML tags label pieces of content such as "heading", "paragraph",
"table", and so on
• Browsers do not display the HTML tags, but use them to render the
content of the page

56
<b>Hello</b>
Hello Hello
<i>Hello</i>
Hello
<u>Hello</u>
Tags are used to specify contents and styles in website. There are
different types tags used to specify contents such as <h1> to <h6>
for headings, <p> for paragraphs. Different types of tags used to
specify styles are <b> to make the text bold, <i> to make the text
italics and <u> to make the text underlined.

57
The HTML <script> Tag
• The <script> tag is used to define a client-side script (JavaScript).
• The <script> element either contains scripting statements, or it points to an external script file
through the src attribute.
• Common uses for JavaScript are image manipulation, form validation, and dynamic changes of
content.
Do Cool Things in HTML
JavaScript can change HTML content for
Example:
<script>document.getElementById("de
mo").style.fontSize = "25px";</script>
Do Malicious Things such as steal users
cookies, session id or redirect them to a
phishing page
For example:
<script>alert(document.cookie)</script>

58
Name
Email
Password
Submit
Address
A sample registration form. Each of the fields represent a parameter

59
Suppose we put a malicious JavaScript inside address
parameter

60
How to prevent?
• Escaping untrusted HTTP request data based on the
context in the HTML output (body, attribute, JavaScript,
CSS, or URL) will resolve Reflected and Stored XSS
vulnerabilities.
• Using frameworks that automatically escape XSS by design,
such as the latest Ruby on Rails, React JS.

A8 – Insecure Deserialization

62
A8 - Insecure Deserialization
Newly Added to top10 list!
Serialization and Deserialization

63
House A
House B
Note: We cant move the furniture
directly. We have to break them into
parts and send them together.
Suppose you have to move your furniture from
House A to House B

64
Serialization

65
Deserialization

66
What happens in transit? Does it get tampered

67
How to prevent?
The only safe architectural pattern is not to accept serialized
objects from untrusted sources or to use serialization mediums
that only permit primitive data types.
If that is not possible, consider one of more of the following:
• Implementing integrity checks such as digital signatures.
• Monitoring deserialization, alerting if a user deserializes
constantly.

A9 – Using Components with
known vulnerabilities

69
A9 - Using Components with known vulnerabilities
Software has Bugs
UnpatchedPatched
Vendors Issue a release
with the patched bug
such that it doesn’t
affect it users
The Bug may be in the
stage of fixation or the
developer ignores the
bug leading to data
leaks

70

71

72
Software depends on
other software

73
2. Fixed the problem by getting the
car replaced
1. I was notified by the company that there
is a problem in my Airbags. What would I
do?

74
What if I don’t fix the airbag
problem?
Serious Injuries

75
Fix the problem before it becomes harmful

76
How to prevent?
• Remove unused dependencies, unnecessary features,
components, files, and documentation.
• Only obtain components from official sources over secure
links. Prefer signed packages to reduce the chance of
including a modified, malicious component.
• Continuously monitor sources like CVE and NVD for
vulnerabilities in the components. Use software
composition analysis tools to automate the process

A10 – Insufficient Logging
and Monitoring

78
A10 - Insufficient Logging and Monitoring
Logging
Recording Events as they happen

79
Captures all failures and transactions detecting malicious activity

80
Monitoring
Checking Logs to detect Malicious Activity

81
Monitoring Log to look for suspicious activity

82
Attacker
Hacked
Deleted Files
EMPTY
• An open source project forum
software run by a small team
was hacked using a flaw in its
software. The attackers
managed to wipe out the
internal source code
repository containing the next
version
• Although source could be
recovered, the lack of
monitoring, logging or alerting
led to a far worse breach
Recovered Files

83
SUMMARY
• By using the OWASP Top 10 List we saw how to:
- Define the vulnerabilities
- Illustrate the Web Application Vulnerabilities
- Explain how to protect against the
vulnerabilities.
Any questions?

84
The Videos Shown in this session
can be found at:
https://drive.google.com/open?id=1P1cyMDpa7aOSUESs9y41A1Fw32KGRl2F

85
THANK YOU!
CONTACT ME AT:
Gaurav Narwani
me@Gauravnarwani.com
8879499881

Owasp Top 10

More Related Content

What's hot

Similar to Owasp Top 10

Recently uploaded

Owasp Top 10