The OWASP top 10 is a list of the most prolific security issues facing web developers today. In this talk, Robert will take you through all 10 and demonstrate the problems (we will hack for real… in a safe way) and talk about the solutions. This is an introductory talk, so no prior experience is needed in web dev or security. Not doing web dev? Many of these apply to all development! So join in for a lively session of demos, learning and fun.
Video of this talk: https://www.youtube.com/watch?v=p5YCHNnQNyg
5. What is OWASP?
Non-profit foundation for the improvement of security of software
Join as a member to support them and get conference discounts
Local meetups available
Cape Town: meetup.com/en-AU/OWASP-Cape-Town-Chapter-Meetup
Produce tools: Zap, Dependency Scanner
Guidance
6. OWASP TOP 10
Using the 2017 guidance as 2020 guidance is still underway
As it evolves, items are added, merged and removed
This is the bar for security
Focused on web security but a lot is broadly applicable
10 areas which can be implemented and exploited in a variety of ways
Based on real world feedback from OWASP members
See: owasp.org/www-project-top-ten
Each scored on 4 axes (scale is 1 to 3):
Attack Vector: Exploitability
Security Weakness: Prevalence
Security Weakness: Detectability
Impact: Technical
7. OWASP TOP 10
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring
8. Ten: Insufficient Logging & Monitoring
Not logging and auditing logins, fails, high-value transactions
Not enough information
Locally stored
Logs disabled or configured to ignore pen tests
Not alerting on logs & metrics
Exploitability: 2
Prevalence: 3
Detectability: 1
Technical: 2
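As an added example (not the talk's material), the alerting this slide asks for, run over a few constructed login log lines: a sliding window raises an alert when an IP racks up five failures within a minute, and again if a login from that IP then succeeds. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the talk); the format is an assumption.
SAMPLE_LOG = """\
2020-03-01T10:00:01Z login result=fail user=bjoern ip=203.0.113.7
2020-03-01T10:00:02Z login result=fail user=bjoern ip=203.0.113.7
2020-03-01T10:00:03Z login result=fail user=bjoern ip=203.0.113.7
2020-03-01T10:00:04Z login result=fail user=bjoern ip=203.0.113.7
2020-03-01T10:00:05Z login result=fail user=bjoern ip=203.0.113.7
2020-03-01T10:00:06Z login result=ok user=bjoern ip=203.0.113.7
2020-03-01T10:00:30Z login result=fail user=alice ip=198.51.100.9
2020-03-01T10:09:30Z login result=fail user=alice ip=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse_line(line):
    """Return (timestamp, result, user, ip), or None for a line in an unexpected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Emit ('burst', ip, user, failures) once an IP reaches `threshold` failures inside
    `window`, and ('success_after_burst', ip, user, 0) for any later success from that IP."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue   # in production, count these: a parse gap is itself a monitoring hole
        ts, result, user, ip = parsed
        q = recent[ip]
        while q and ts - q[0] > window:   # drop failures that have aged out of the window
            q.popleft()
        if result == "fail":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, user, len(q)))
        elif ip in flagged:
            alerts.append(("success_after_burst", ip, user, 0))
    return alerts
```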
9. Nine: Using Components with Known Vulnerabilities
3rd party code runs with the same permissions as the system
OS, database etc… all need to be checked too
Scan on a continuous basis
• Library tools like dependency check and npm audit
• Container scanning
• OS patching
Only obtain code from official sources
Exploitability: 2
Prevalence: 3
Detectability: 2
Technical: 2
10. Eight: Insecure Deserialization
A specially crafted data structure causes the execution of code
Focused on any time you use serialisation
Exploitability: 1
Prevalence: 2
Detectability: 2
Technical: 3
12. Eight: Insecure Deserialization
User input should not be trusted
Don’t accept serialised data
• If you must, encrypt and/or sign the payloads
Use safe deserialization options
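An added example, not code from the talk: the "sign the payloads" option applied to the serialized super-cookie from the talk's speaker notes. The key and the cookie layout are assumptions; the point is that the signature is checked before anything is deserialized.

```python
import base64
import binascii
import hashlib
import hmac

# Server-side key, constructed for this example; load it from a secret store in practice.
SECRET_KEY = b"constructed-example-key-do-not-reuse"

# The two PHP-serialized "super cookie" values from the talk's speaker notes: the
# legitimate one issued to Mallory, and the hand-edited one claiming to be Alice/admin.
ORIGINAL = b'a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}'
TAMPERED = b'a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}'

def sign_cookie(payload: bytes, key: bytes = SECRET_KEY) -> str:
    """Cookie value 'base64(payload).hex(HMAC-SHA256)'; the MAC covers the exact stored bytes."""
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac

def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the payload bytes only if the MAC checks out, else None. This runs BEFORE
    any unserialize() call, so bytes the attacker edited never reach the deserializer."""
    try:
        b64, mac = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time compare
        return None
    return payload

def swap_payload(cookie: str, new_payload: bytes) -> str:
    """What the speaker-notes attacker does: edit the serialized data, keep the old MAC."""
    _, mac = cookie.rsplit(".", 1)
    return base64.urlsafe_b64encode(new_payload).decode() + "." + mac
```

Signing gives integrity, not secrecy: the password hash inside the payload is still readable by whoever holds the cookie, which is why the slide says encrypt and/or sign.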
13. Seven: Cross-Site Scripting (XSS)
Reflected XSS: Not validating input & returning it back to the user
Stored XSS: Not validating input, putting it in the DB and then rendering it later
DOM XSS: APIs sending attackable content to the UI
Can lead to account takeovers, spam, multi-factor bypasses, key logging
Exploitability: 3
Prevalence: 3
Detectability: 3
Technical: 2
16. Seven: Cross-Site Scripting (XSS)
User input should not be trusted
HTML escape any dynamic content (tags, attributes, CSS, etc.)
Use a safer format for input, say markdown
Make use of HttpOnly cookies
Make use of CORS
Make use of CSP
Make use of audit tools
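Added example (not the talk's code) for the escaping bullet: the same untrusted value needs a different encoder in element content, in a quoted attribute and in a URL attribute, and the demo's javascript: iframe payload shows why the last one needs a scheme approval list rather than escaping. The approved-scheme set is an assumption.

```python
import html
from urllib.parse import urlsplit

# The two payloads typed during the talk's XSS demo.
SCRIPT_PAYLOAD = '<script>alert("1")</script>'
IFRAME_PAYLOAD = '<iframe src="javascript:alert(`xss`)">'

# Approval list for URL-valued attributes (assumed policy for this example).
SAFE_URL_SCHEMES = {"http", "https", "mailto"}

def escape_text(value: str) -> str:
    """Element content, e.g. between <p> and </p>: < > & become entities."""
    return html.escape(value, quote=False)

def escape_attr(value: str) -> str:
    """Quoted attribute value: also turns " and ' into entities so the value cannot
    close the quote and start a new attribute such as onmouseover."""
    return html.escape(value, quote=True)

def safe_url(value: str) -> str:
    """href/src: entity-escaping does nothing to a javascript: URL, so check the
    scheme against the approval list first and render an inert '#' otherwise."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return "#"
    return escape_attr(value)

def render_search_page(query: str, profile_link: str) -> str:
    """The same untrusted value lands in three contexts; each gets its own encoder."""
    return (
        f"<p>Results for: {escape_text(query)}</p>\n"
        f'<input name="q" value="{escape_attr(query)}">\n'
        f'<a href="{safe_url(profile_link)}">profile</a>'
    )
```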
17. Six: Security Misconfiguration
Unused ports and services running on machines
Default credentials
Error handling returning too much info
Using code with known issues
Exploitability: 3
Prevalence: 3
Detectability: 3
Technical: 2
19. Six: Security Misconfiguration
User input should not be trusted
Get security audits done
Go on security training
Automate checking of settings and code
Remove (or block) anything not needed
20. Five: Broken Access Control
Authentication vs. Authorization
Bypassing access by editing the URL or anything else on the client side
IDORs
Exploitability: 2
Prevalence: 2
Detectability: 2
Technical: 3
22. Five: Broken Access Control
User input should not be trusted
Deny by default
Rate limits
Disable web server directory listing
23. Four: XML External Entities (XXE)
Untrusted XML is provided
• SAML auth
The XML parser has lots of features and those features are exploited
Exploitability: 2
Prevalence: 2
Detectability: 3
Technical: 3
26. Four: XML External Entities (XXE)
User input should not be trusted
Run static code analysis tools
Run dependency analysis tools
• NPM & Yarn Audit
• Dependency Check for JVM
Disable SOAP prior to 1.2
Disable features you do not need
• XML external entities & DTD in XML
27. Three: Sensitive Data Exposure
Man-in-the-middle attacks
Stealing records off the server or servers it was sent through
Weak crypto
No hashing on the passwords
Sharing data which should be private
Exploitability: 2
Prevalence: 3
Detectability: 2
Technical: 3
29. Three: Sensitive Data Exposure
Classify data processed, stored and transmitted.
Identify risk for business, law (GDPR)
Only store information you must
Encrypt sensitive data at rest
Encrypt all data in transit
Disable caching of sensitive data
HSTS Preload
30. Two: Broken Auth
Default admin accounts
Credential Stuffing, brute force and dictionary attacks
Unexpired session tokens
Weak or ineffective forgot password and recovery processes
Plaintext passwords, not hashed passwords
Not invalidating session IDs
Exploitability: 3
Prevalence: 2
Detectability: 2
Technical: 3
33. Two: Broken Auth
Do not build auth unless needed – make use of the existing team
Credential Stuffing, brute force and dictionary attacks
• haveibeenpwned.com/Passwords
• Rate limits
Unexpired session tokens
Weak or ineffective forgot password and recovery processes
• Avoid knowledge questions
• Do users need passwords?
• Two factor auth
Plaintext passwords
• Just don’t
Hash & salt passwords
• Pick hashing algorithms which are slow and don’t have collisions
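Added example, not from the talk: a fast unsalted hash beside a slow salted one (PBKDF2-HMAC-SHA256 from the standard library), with constant-time verification and a check for records that need a stronger work factor. The iteration count and the storage format are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Tune it so one hash costs on the order of 100 ms
# on the login server; 200_000 is a constructed starting value, not a recommendation.
ITERATIONS = 200_000

def fast_unsalted_hash(password: str) -> str:
    """What the slide warns against: fast and unsalted, so every user with the same
    password stores the same digest and one cracked digest unlocks all of them."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Slow, salted hash stored as 'pbkdf2_sha256$iterations$salt$digest' (self-describing)."""
    salt = os.urandom(16)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:   # malformed record (binascii.Error is a ValueError too)
        return False
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record uses a weaker work factor; rehash it on the next successful login."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations
    except ValueError:
        return True
```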
34. One: Injection
Attacker sends data to the interpreter to get it to return the incorrect answer, change settings they shouldn’t be able to or increase privileges
SQL Injection is a vector, but this could be any database, environment variables, JSON, SOAP, XML, headers, cookies, etc…
Exploitability: 3
Prevalence: 2
Detectability: 3
Technical: 3
36. One: Injection
User input should not be trusted
Use SQL parameters for SQL
Avoid building strings in code based on user input
Use approval lists to check content
“I use an ORM, so I am safe” – By default, most likely but you should check
Use tools like ZAP to look for these
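Added example (not the talk's or Juice Shop's code): the login query from the speaker notes built by string concatenation beside the parameterised form, run against an in-memory SQLite table with constructed rows. The demo payload returns every account, the soft-deleted one included, through the first and nothing through the second.

```python
import sqlite3

# Constructed stand-ins for stored password hashes; real records would hold a slow,
# salted hash, but the injection point here is the email column, not the hash.
ADMIN_HASH, BJOERN_HASH, OLD_HASH = "hash-admin", "hash-bjoern", "hash-old"

def make_db() -> sqlite3.Connection:
    """In-memory copy of the Users table shape used by the query in the speaker notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
                 "password TEXT, deletedAt TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", [
        (1, "admin@juice-sh.op", ADMIN_HASH, None),
        (2, "bjoern@juice-sh.op", BJOERN_HASH, None),
        (3, "old@juice-sh.op", OLD_HASH, "2019-01-01"),   # soft-deleted account
    ])
    return conn

def login_vulnerable(conn, email: str, pw_hash: str) -> list:
    """String-built query, the shape shown in the speaker notes. With the demo's
    1' OR '1=1' -- as the email, the rest of the WHERE clause becomes a comment."""
    sql = (f"SELECT * FROM Users WHERE email = '{email}' "
           f"AND password = '{pw_hash}' AND deletedAt IS NULL")
    return conn.execute(sql).fetchall()

def login_safe(conn, email: str, pw_hash: str) -> list:
    """Parameterised query: the driver passes the values out of band, so quotes and
    comment markers in the email stay data and cannot change the statement."""
    sql = "SELECT * FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL"
    return conn.execute(sql, (email, pw_hash)).fetchall()
```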
37. Done?
No, this is the minimum bar
Join your local OWASP group
Run your checks all the time
Get a red team
Practice incidents
Secure by default is a great first principle
Leonard H. Courtney \ Lies — damned lies — and statistics \ The price of peace is eternal vigilance
A PHP forum uses PHP object serialization to save a “super” cookie, containing the user’s user ID, role, password hash, and other state:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
An attacker changes the serialized object to give themselves admin privileges:
a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
Photo by Denny Ryanto on Unsplash
https://juice-shop.herokuapp.com/api-docs/
{
"cid": "JS0815DE",
"orderLines": [{
"product": "(function dos() { while(true); })()"
}]
}
var x = 'var y = {"name":(function hi() { console.log(1) })()}'
JSON.parse(x)
eval(x)
Photo by kevin laminto on Unsplash
Talk about alert
Try search for <script>alert("1")</script>
Show network tab is filtering it out… smart
<iframe src="javascript:alert(`xss`)">
Directory listing is not disabled on the server. An attacker discovers they can simply list directories. The attacker finds and downloads the compiled Java classes, which they decompile and reverse engineer to view the code. The attacker then finds a serious access control flaw in the application.
Photo by JJ Ying on Unsplash
https://obscure-chamber-62037.herokuapp.com/#/deluxe-membership
Photo by Victor Li on Unsplash
Just go to https://juice-shop.herokuapp.com/ftp
Tell story about query param for user ID
Photo by Oleksandr Zhabin on Unsplash
https://juice-shop.herokuapp.com/admin#/saved-payment-methods
Show how credit card number is in network tab
Photo by Alexander Popov on Unsplash
bjoern@juice-sh.op & West-2082
https://juice-shop.herokuapp.com/admin#/forgot-password
https://tools.kali.org/password-attacks/hydra
rockyou.txt contains 14,341,564 unique passwords, used in 32,603,388 accounts.
https://www.kaggle.com/wjburns/common-password-list-rockyoutxt
Photo by Levon Vardanyan on Unsplash
https://juice-shop.herokuapp.com/#/
Make sure to open network diagnostic
Try quote for email and show error
Talk about limiting errors back to users
Then use a single quote for the email
1' OR '1=1' --
SELECT * FROM Users WHERE email = '1' OR '1=1' -- AND password = 'a8f5f167f44f4964e6c998dee827110c' AND deletedAt IS NULL