SlideShare a Scribd company logo
1 of 60
Web Application Vulnerabilities and Security Flaws Root Causes: The OWASP Top 10 Cincinnati Chapter Meeting May 26 th ,  2009 Marco Morana  Cincinnati Chapter Lead
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The OWASP Top 10 ,[object Object],[object Object],[object Object],[object Object],[object Object]
Tactical Approach to the OWASP T10 ,[object Object],[object Object],[object Object],[object Object]
Mapping OWASP T10 to Security Flaws
OWASP T10  Mitigated Risks ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Mapping OWASP T10 To Web Architecture  Phishing Privacy  Violations S y s t e m- Data  Distruction Financial  Loss Reputation Loss I d e n t i t y  Theft XSS, Weak authN-AuthZ (A4,A7,A10) Poor validation, business rule and weak authZ(A2,A4,A6,A7,A10) Weak Crypto (A8,A9) malicious file exec(A3) and AuthN-AuthZ (A4,A7,A10) Inject. Flaws  (A2),  remote file incl (A3) Obj Ref (A4), CSRF (A5),AuthN & SessM (A7), No URL Access Rest (A10) All T10
What is more actionable than a checklist? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Mapping Threats, Vulnerability Conditions and Countermeasures Using Threat Trees Source: OWASP Application Threat Modeling,  https://www.owasp.org/index.php/Application_Threat_Modeling
A1: Cross Site Scripting ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A1: Cross Site Scripting – Security Flaws Phishing, Identity Theft XSS XSS http://server/cgibin/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT> NSAPI/ISAPI filter ESAPI Filtering
A2: Injection Flaws –SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A2: Injection Flaws-SQL Injection Identity Theft System Compromise, Data Alteration, Destruction SQLI  SQLI NSAPI/ ISAPI filter, Custom Errors Filtering, DB API use Prepared Statements/Store Procedures DB Least Principle Privileges, Store Procedure errors SQLI OR ‘1’=’1—‘ aaa’; DROP TABLE Docs;--
A3: Insecure Remote File Include ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A3: Insecure Remote File Include Privacy Violations, System Compromise, Alteration, Destruction A3 A3 Cmd=%3B+mkdir+hackerDirectory No File uploads on the web server! File upload Filtering, File Type/Format Validations. AV, Segregation, Permissions A3 DB Privileges  A3 No file uploads
A4:  Insecure Direct Object Reference ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A4: Insecure Direct Object Reference Phishing, Privacy Violations, Financial Loss A4  A4 &quot;../../../../etc/passwd%00&quot; Hardened Web Root/Server Rely on server side-R B A C not URL params, Secure Shopping cart logic  A4 No PK exposed as URL parameter http://www.shopcart?CartID http://www.abc.com?RoleID
A5: Cross Site Request Forgery ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A5: Cross Site Request Forgery (CSRF) Privacy Violations, Financial Loss CSRF <img src=&quot;http://www.example.com/logout.php&quot;> Re-issue session and cookies at POST CSRF Form Authentication Via Tokens (OTPs),  Secondary Authentication, Default POST for sensitive transactions <form action=&quot;/transfer.do&quot; method=&quot;post&quot;> <input type=&quot;hidden&quot; ACC#=&quot;8438927730&quot; … </form>
A6: Information Leakage and Improper Error Handling ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A6: Information Leakage and Improper Error Handling Privacy Violations A6 “ The password you entered was not recognized.  Please enter it again A6 No stack traces to user errors Generic error validations [ SqlException (0x80131904): An error has occurred while establishing a connection to the server. A6 A6 Web.config custom errors=ON Set custom error Web pages, Clean Webroot No SQL exception errors in user’s error messages No transaction message error codes in user’s error messages
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A7: Broken Authentication (BA) and Session Management (SM)
A7: Broken Authentication Phishing, Privacy Violations, Financial Loss A7-BA A7-BA Autocomplete OFF, Strong AuthN/ Trusted AuthN SSO/tokens Cache Headers Set No Cache A7-BA A7-BA SSL Trusted User AuthN Mutual AuthN A7-BA SSL A7-BA User Trusted AuthN-SSO /Server to Server Mutual Authentication A7-BA SSL/JDBC-S Trusted User AuthN A7-BA Hash Pwds AUTHN Attacks: Guess PWD/secrets Credential Harvesting Brute Force PWD,  MiTM, MITB, Caching, POST reply
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A7:Broken Authentication and Session  Management
A7: Broken Session Mgmt Phishing, Privacy Violations, Financial Loss A7-SM A7-SM SSL Coordinate  Session  Mgmt A7-SM A7-SM ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],HTTP Redirection Session Hijacking
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A8: Insecure Cryptographic Storage
A8: Insecure Cryptographic Storage Identity Theft A8 A8 No Secrets Stored in the DMZ A8 A8 ,[object Object],[object Object],[object Object],Crypto Attacks, Reverse engineering Un-authorized access to keys, secrets Break Homegrown Crypto ,[object Object],[object Object],[object Object],Encrypt  PINs, PWDs A8 Encrypt  Secrets, PII, DOBs, ACC#,Card#
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A9: Insecure Communication
A9: Insecure Communication Identity Theft, Financial Loss A9 SSL/VPN A9 A9 JDBC/S Crypto Attacks Against Weak Cypto/Keys Unsecure Certs, Spoofing/Sniffing clear sensitive data in transit SSL Strong Ciphers/Min Standard Key Lengths SSL A9
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A10: Failure to restrict URL access
A10:  Failure to restrict URL access Phishing Privacy Violations Financial Loss A10 ,[object Object],[object Object],[object Object],A10 Forceful Browsing URL parameter tampering Web-root sanity
Strategic Approach to the OWASP T10 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Security By Design  ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The Scope Of Security By Design  ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Secure Architecture Requirements ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Secure Design Guidelines: Authentication and Authorization ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Secure Design Guidelines : Cryptography ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Secure Design Guidelines: Session Management ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Secure Design Guidelines: Data Management  And Validation ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Security Controls Design Guidelines: Secure Auditing And Logging, Error and Exception Handling ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Secure Architecture an Design Patterns ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Conclusions ,[object Object],[object Object],[object Object],[object Object],[object Object]
Q & Q U E S T I O N S A N S W E R S
APPENDIX: Application Threat Modeling From Insecure Magazine,  http://www.net-security.org/dl/insecure/INSECURE-Mag-17.pdf
OWASP Threat Risk Modeling Cycle OWASP Threat Risk Modeling  http://www.owasp.org/index.php/Threat_Risk_Modeling
Step 1: Identify Security Objectives  ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Step 2: Application Overview
Step 3: Decompose the Application ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Use and Abuse Cases  From OWASP Security Testing Guide https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation
Understanding the Application: Data Flow Diagrams OWASP Application Threat Modeling  https://www.owasp.org/index.php/Application_Threat_Modeling
Step 4: Threat Identification ,[object Object],[object Object],[object Object],[object Object],[object Object]
STRIDE Threat Categorization OWASP Application Threat Modeling  https://www.owasp.org/index.php/Application_Threat_Modeling
Threat Categorization: ASF Threat List https:// www.owasp.org/index.php/Application_Threat_Modeling
Step 5: Vulnerability Identification ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Threats, Vulnerability Conditions and Mitigations: Threat Trees OWASP Application Threat Modeling  https://www.owasp.org/index.php/Application_Threat_Modeling
STRIDE Threat And Countermeasures OWASP Application Threat Modeling  https://www.owasp.org/index.php/Application_Threat_Modeling
Countermeasure Identification https://www.owasp.org/index.php/Application_Threat_Modeling
Risk Factors ,[object Object],OWASP Application Threat Modeling  https://www.owasp.org/index.php/Application_Threat_Modeling
Threats and Risk Models ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Risk Mitigation Strategies ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

More Related Content

What's hot

Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & Testing
Deepu S Nath
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
Abdul Rahman Sherzad
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 

What's hot (20)

OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Security testing
Security testingSecurity testing
Security testing
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & Testing
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
 

Viewers also liked

Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
Aung Thu Rha Hein
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 
Cehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hackingCehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hacking
polichen
 
Digital Astroturfing: Definition, typology, and countermeasures.
Digital Astroturfing: Definition, typology, and countermeasures.Digital Astroturfing: Definition, typology, and countermeasures.
Digital Astroturfing: Definition, typology, and countermeasures.
Marko Kovic
 
Iis Security Programming Countermeasures
Iis Security Programming CountermeasuresIis Security Programming Countermeasures
Iis Security Programming Countermeasures
guestc27cd9
 
Designing Countermeasures For Tomorrows Threats
Designing Countermeasures For Tomorrows ThreatsDesigning Countermeasures For Tomorrows Threats
Designing Countermeasures For Tomorrows Threats
Darwish Ahmad
 
Google Hacking for Cryptographic Secrets
Google Hacking for Cryptographic SecretsGoogle Hacking for Cryptographic Secrets
Google Hacking for Cryptographic Secrets
Dr. Emin İslam Tatlı
 

Viewers also liked (20)

Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
 
Oracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesOracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best Practices
 
Patent Risk and Countermeasures Related to Open Management in Interaction Design
Patent Risk and Countermeasures Related to Open Management in Interaction DesignPatent Risk and Countermeasures Related to Open Management in Interaction Design
Patent Risk and Countermeasures Related to Open Management in Interaction Design
 
Antivirus Evasion Techniques and Countermeasures
Antivirus  Evasion Techniques and CountermeasuresAntivirus  Evasion Techniques and Countermeasures
Antivirus Evasion Techniques and Countermeasures
 
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresSkyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
 
Email phishing and countermeasures
Email phishing and countermeasuresEmail phishing and countermeasures
Email phishing and countermeasures
 
Dstl Medical Countermeasures for Dangerous Pathogens
Dstl   Medical Countermeasures for Dangerous PathogensDstl   Medical Countermeasures for Dangerous Pathogens
Dstl Medical Countermeasures for Dangerous Pathogens
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
VoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate WorldVoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate World
 
Seminar Presentation
Seminar PresentationSeminar Presentation
Seminar Presentation
 
Bone Loss in Long-Duration Spaceflight: Measurements and Countermeasures
Bone Loss in Long-Duration Spaceflight: Measurements and CountermeasuresBone Loss in Long-Duration Spaceflight: Measurements and Countermeasures
Bone Loss in Long-Duration Spaceflight: Measurements and Countermeasures
 
Table 4: Unit 4 Reactor: Fukushima Daiichi Nuclear Power Plant - 18 May 2011
Table 4: Unit 4 Reactor: Fukushima Daiichi Nuclear Power Plant - 18 May 2011Table 4: Unit 4 Reactor: Fukushima Daiichi Nuclear Power Plant - 18 May 2011
Table 4: Unit 4 Reactor: Fukushima Daiichi Nuclear Power Plant - 18 May 2011
 
Cehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hackingCehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hacking
 
Digital Astroturfing: Definition, typology, and countermeasures.
Digital Astroturfing: Definition, typology, and countermeasures.Digital Astroturfing: Definition, typology, and countermeasures.
Digital Astroturfing: Definition, typology, and countermeasures.
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programming
 
Iis Security Programming Countermeasures
Iis Security Programming CountermeasuresIis Security Programming Countermeasures
Iis Security Programming Countermeasures
 
Designing Countermeasures For Tomorrows Threats
Designing Countermeasures For Tomorrows ThreatsDesigning Countermeasures For Tomorrows Threats
Designing Countermeasures For Tomorrows Threats
 
Webinar Gratuito: "Herramientas Graficas en Kali Linux 2.0"
Webinar Gratuito: "Herramientas Graficas en Kali Linux 2.0"Webinar Gratuito: "Herramientas Graficas en Kali Linux 2.0"
Webinar Gratuito: "Herramientas Graficas en Kali Linux 2.0"
 
Google Hacking for Cryptographic Secrets
Google Hacking for Cryptographic SecretsGoogle Hacking for Cryptographic Secrets
Google Hacking for Cryptographic Secrets
 
Irregularity Countermeasures in Massively Parallel BigData Processors
Irregularity Countermeasures in Massively Parallel BigData ProcessorsIrregularity Countermeasures in Massively Parallel BigData Processors
Irregularity Countermeasures in Massively Parallel BigData Processors
 

Similar to Owasp Top 10 And Security Flaw Root Causes

OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
Shreeraj Shah
 
Hack applications
Hack applicationsHack applications
Hack applications
enrizmoore
 

Similar to Owasp Top 10 And Security Flaw Root Causes (20)

OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Web application security I
Web application security IWeb application security I
Web application security I
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)
 
Web application sec_3
Web application sec_3Web application sec_3
Web application sec_3
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common Attacks
 
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
Owasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationOwasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentation
 
Hack applications
Hack applicationsHack applications
Hack applications
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web Developers
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
 
gpt.AI.docx
gpt.AI.docxgpt.AI.docx
gpt.AI.docx
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application Firewall
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security Ninja
 
C01461422
C01461422C01461422
C01461422
 
4.Xss
4.Xss4.Xss
4.Xss
 

More from Marco Morana

Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1
Marco Morana
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-final
Marco Morana
 
Owasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalOwasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_final
Marco Morana
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
Marco Morana
 
Owasp Forum Web Services Security
Owasp Forum Web Services SecurityOwasp Forum Web Services Security
Owasp Forum Web Services Security
Marco Morana
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
Marco Morana
 
Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'
Marco Morana
 
Progetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web ApplicationsProgetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web Applications
Marco Morana
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
Marco Morana
 

More from Marco Morana (20)

Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco morana
 
Isaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfIsaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdf
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-final
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
Owasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalOwasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_final
 
Security Summit Rome 2011
Security Summit Rome 2011Security Summit Rome 2011
Security Summit Rome 2011
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware Attacks
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic Attacks
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software security
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk Management
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Owasp Forum Web Services Security
Owasp Forum Web Services SecurityOwasp Forum Web Services Security
Owasp Forum Web Services Security
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
 
Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'
 
Progetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web ApplicationsProgetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web Applications
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
 

Recently uploaded

“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
Muhammad Subhan
 
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligenceRevolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
Precisely
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 

Recently uploaded (20)

WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligenceRevolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 

Owasp Top 10 And Security Flaw Root Causes

  • 1. Web Application Vulnerabilities and Security Flaws Root Causes: The OWASP Top 10 Cincinnati Chapter Meeting May 26 th , 2009 Marco Morana Cincinnati Chapter Lead
  • 2.
  • 3.
  • 4.
  • 5. Mapping OWASP T10 to Security Flaws
  • 6.
  • 7. Mapping OWASP T10 To Web Architecture Phishing Privacy Violations S y s t e m- Data Distruction Financial Loss Reputation Loss I d e n t i t y Theft XSS, Weak authN-AuthZ (A4,A7,A10) Poor validation, business rule and weak authZ(A2,A4,A6,A7,A10) Weak Crypto (A8,A9) malicious file exec(A3) and AuthN-AuthZ (A4,A7,A10) Inject. Flaws (A2), remote file incl (A3) Obj Ref (A4), CSRF (A5),AuthN & SessM (A7), No URL Access Rest (A10) All T10
  • 8.
  • 9. Mapping Threats, Vulnerability Conditions and Countermeasures Using Threat Trees Source: OWASP Application Threat Modeling, https://www.owasp.org/index.php/Application_Threat_Modeling
  • 10.
  • 11. A1: Cross Site Scripting – Security Flaws Phishing, Identity Theft XSS XSS http://server/cgibin/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT> NSAPI/ISAPI filter ESAPI Filtering
  • 12.
  • 13. A2: Injection Flaws-SQL Injection Identity Theft System Compromise, Data Alteration, Destruction SQLI SQLI NSAPI/ ISAPI filter, Custom Errors Filtering, DB API use Prepared Statements/Store Procedures DB Least Principle Privileges, Store Procedure errors SQLI OR ‘1’=’1—‘ aaa’; DROP TABLE Docs;--
  • 14.
  • 15. A3: Insecure Remote File Include Privacy Violations, System Compromise, Alteration, Destruction A3 A3 Cmd=%3B+mkdir+hackerDirectory No File uploads on the web server! File upload Filtering, File Type/Format Validations. AV, Segregation, Permissions A3 DB Privileges A3 No file uploads
  • 16.
  • 17. A4: Insecure Direct Object Reference Phishing, Privacy Violations, Financial Loss A4 A4 &quot;../../../../etc/passwd%00&quot; Hardened Web Root/Server Rely on server side-R B A C not URL params, Secure Shopping cart logic A4 No PK exposed as URL parameter http://www.shopcart?CartID http://www.abc.com?RoleID
  • 18.
  • 19. A5: Cross Site Request Forgery (CSRF) Privacy Violations, Financial Loss CSRF <img src=&quot;http://www.example.com/logout.php&quot;> Re-issue session and cookies at POST CSRF Form Authentication Via Tokens (OTPs), Secondary Authentication, Default POST for sensitive transactions <form action=&quot;/transfer.do&quot; method=&quot;post&quot;> <input type=&quot;hidden&quot; ACC#=&quot;8438927730&quot; … </form>
  • 20.
  • 21. A6: Information Leakage and Improper Error Handling Privacy Violations A6 “ The password you entered was not recognized. Please enter it again A6 No stack traces to user errors Generic error validations [ SqlException (0x80131904): An error has occurred while establishing a connection to the server. A6 A6 Web.config custom errors=ON Set custom error Web pages, Clean Webroot No SQL exception errors in user’s error messages No transaction message error codes in user’s error messages
  • 22.
  • 23. A7: Broken Authentication Phishing, Privacy Violations, Financial Loss A7-BA A7-BA Autocomplete OFF, Strong AuthN/ Trusted AuthN SSO/tokens Cache Headers Set No Cache A7-BA A7-BA SSL Trusted User AuthN Mutual AuthN A7-BA SSL A7-BA User Trusted AuthN-SSO /Server to Server Mutual Authentication A7-BA SSL/JDBC-S Trusted User AuthN A7-BA Hash Pwds AUTHN Attacks: Guess PWD/secrets Credential Harvesting Brute Force PWD, MiTM, MITB, Caching, POST reply
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29. A9: Insecure Communication Identity Theft, Financial Loss A9 SSL/VPN A9 A9 JDBC/S Crypto Attacks Against Weak Cypto/Keys Unsecure Certs, Spoofing/Sniffing clear sensitive data in transit SSL Strong Ciphers/Min Standard Key Lengths SSL A9
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41.
  • 42.
  • 43. Q & Q U E S T I O N S A N S W E R S
  • 44. APPENDIX: Application Threat Modeling From Insecure Magazine, http://www.net-security.org/dl/insecure/INSECURE-Mag-17.pdf
  • 45. OWASP Threat Risk Modeling Cycle OWASP Threat Risk Modeling http://www.owasp.org/index.php/Threat_Risk_Modeling
  • 46.
  • 48.
  • 49. Use and Abuse Cases From OWASP Security Testing Guide https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation
  • 50. Understanding the Application: Data Flow Diagrams OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling
  • 51.
  • 52. STRIDE Threat Categorization OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling
  • 53. Threat Categorization: ASF Threat List https:// www.owasp.org/index.php/Application_Threat_Modeling
  • 54.
  • 55. Threats, Vulnerability Conditions and Mitigations: Threat Trees OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling
  • 56. STRIDE Threat And Countermeasures OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling
  • 58.
  • 59.
  • 60.