The document discusses root causes of common web application security flaws and vulnerabilities known as the OWASP Top 10. It provides an overview of tactical and strategic approaches to address these issues, including threat modeling, mapping vulnerabilities to application architecture, and implementing security by design principles. Specific guidelines are given for securely handling authentication, authorization, cryptography, sessions, input validation, errors and logging.

1. Web Application Vulnerabilities and Security Flaws Root Causes: The OWASP Top 10 Cincinnati Chapter Meeting May 26 th , 2009 Marco Morana Cincinnati Chapter Lead

5. Mapping OWASP T10 to Security Flaws

7. Mapping OWASP T10 To Web Architecture Phishing Privacy Violations S y s t e m- Data Distruction Financial Loss Reputation Loss I d e n t i t y Theft XSS, Weak authN-AuthZ (A4,A7,A10) Poor validation, business rule and weak authZ(A2,A4,A6,A7,A10) Weak Crypto (A8,A9) malicious file exec(A3) and AuthN-AuthZ (A4,A7,A10) Inject. Flaws (A2), remote file incl (A3) Obj Ref (A4), CSRF (A5),AuthN & SessM (A7), No URL Access Rest (A10) All T10

9. Mapping Threats, Vulnerability Conditions and Countermeasures Using Threat Trees Source: OWASP Application Threat Modeling, https://www.owasp.org/index.php/Application_Threat_Modeling

11. A1: Cross Site Scripting – Security Flaws Phishing, Identity Theft XSS XSS http://server/cgibin/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT> NSAPI/ISAPI filter ESAPI Filtering

13. A2: Injection Flaws-SQL Injection Identity Theft System Compromise, Data Alteration, Destruction SQLI SQLI NSAPI/ ISAPI filter, Custom Errors Filtering, DB API use Prepared Statements/Store Procedures DB Least Principle Privileges, Store Procedure errors SQLI OR ‘1’=’1—‘ aaa’; DROP TABLE Docs;--

15. A3: Insecure Remote File Include Privacy Violations, System Compromise, Alteration, Destruction A3 A3 Cmd=%3B+mkdir+hackerDirectory No File uploads on the web server! File upload Filtering, File Type/Format Validations. AV, Segregation, Permissions A3 DB Privileges A3 No file uploads

17. A4: Insecure Direct Object Reference Phishing, Privacy Violations, Financial Loss A4 A4 &quot;../../../../etc/passwd%00&quot; Hardened Web Root/Server Rely on server side-R B A C not URL params, Secure Shopping cart logic A4 No PK exposed as URL parameter http://www.shopcart?CartID http://www.abc.com?RoleID

19. A5: Cross Site Request Forgery (CSRF) Privacy Violations, Financial Loss CSRF <img src=&quot;http://www.example.com/logout.php&quot;> Re-issue session and cookies at POST CSRF Form Authentication Via Tokens (OTPs), Secondary Authentication, Default POST for sensitive transactions <form action=&quot;/transfer.do&quot; method=&quot;post&quot;> <input type=&quot;hidden&quot; ACC#=&quot;8438927730&quot; … </form>

21. A6: Information Leakage and Improper Error Handling Privacy Violations A6 “ The password you entered was not recognized. Please enter it again A6 No stack traces to user errors Generic error validations [ SqlException (0x80131904): An error has occurred while establishing a connection to the server. A6 A6 Web.config custom errors=ON Set custom error Web pages, Clean Webroot No SQL exception errors in user’s error messages No transaction message error codes in user’s error messages

23. A7: Broken Authentication Phishing, Privacy Violations, Financial Loss A7-BA A7-BA Autocomplete OFF, Strong AuthN/ Trusted AuthN SSO/tokens Cache Headers Set No Cache A7-BA A7-BA SSL Trusted User AuthN Mutual AuthN A7-BA SSL A7-BA User Trusted AuthN-SSO /Server to Server Mutual Authentication A7-BA SSL/JDBC-S Trusted User AuthN A7-BA Hash Pwds AUTHN Attacks: Guess PWD/secrets Credential Harvesting Brute Force PWD, MiTM, MITB, Caching, POST reply

29. A9: Insecure Communication Identity Theft, Financial Loss A9 SSL/VPN A9 A9 JDBC/S Crypto Attacks Against Weak Cypto/Keys Unsecure Certs, Spoofing/Sniffing clear sensitive data in transit SSL Strong Ciphers/Min Standard Key Lengths SSL A9

43. Q & Q U E S T I O N S A N S W E R S

44. APPENDIX: Application Threat Modeling From Insecure Magazine, http://www.net-security.org/dl/insecure/INSECURE-Mag-17.pdf

45. OWASP Threat Risk Modeling Cycle OWASP Threat Risk Modeling http://www.owasp.org/index.php/Threat_Risk_Modeling

47. Step 2: Application Overview

49. Use and Abuse Cases From OWASP Security Testing Guide https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation

50. Understanding the Application: Data Flow Diagrams OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling

52. STRIDE Threat Categorization OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling

53. Threat Categorization: ASF Threat List https:// www.owasp.org/index.php/Application_Threat_Modeling

55. Threats, Vulnerability Conditions and Mitigations: Threat Trees OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling

56. STRIDE Threat And Countermeasures OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling

57. Countermeasure Identification https://www.owasp.org/index.php/Application_Threat_Modeling