OWASP - The Open Web Application Security Project
OWASP Top 5
By Jagjit Singh Brar
LinkedIn: https://au.linkedin.com/in/jagjit-singh-brar-3634ba5

Agenda
- What is OWASP?
- What does OWASP do?
- Why Web Application Security?
- Discussion of the OWASP Top 5

What is OWASP?
- Founded in 2001 by Mark Curphey
- Not-for-profit organization focused on improving the security of web applications and web services
- Issues software tools and knowledge-based documentation on application security
- http://www.owasp.org
- Hundreds of volunteer experts from around the world
- Cutting-edge application security research

How does OWASP help?
Publications and Resources
- OWASP Top Ten: awareness list that identifies some of the most critical application security risks
- OWASP Software Assurance Maturity Model (SAMM): framework to help organizations formulate and implement an application security strategy
- OWASP Development Guide: provides sample code and covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgery, compliance, and privacy issues
- OWASP Testing Guide: "best practice" penetration testing framework and a "low level" penetration testing guide
- OWASP ZAP Project: Zed Attack Proxy is an easy-to-use integrated penetration testing tool for finding vulnerabilities
- OWASP Code Review Guide: guidance on reviewing application source code for security flaws
- OWASP Application Security Verification Standard (ASVS): a standard set of security requirements against which an application can be verified

Why Web Application Security?
Application is core
- Network security mostly ignores the contents of HTTP traffic
- Securing the “custom code” that drives a web application
- Securing libraries
- Securing backend systems
- Securing web and application servers, operating system hardening, database hardening
[Figure: Web Application Architecture]

Web application vulnerabilities cause
- Data loss or corruption
- Data theft
- Unauthorized access
- Denial of access
- Legal action if the system is used to attack others

OWASP Top Ten (last updated in 2013)
A variety of security experts from around the world shared their expertise to produce this list.
The list is ordered from highest to lowest risk:
- A1: Injection
- A2: Broken Authentication and Session Management
- A3: Cross-Site Scripting (XSS)
- A4: Insecure Direct Object References
- A5: Security Misconfiguration
- A6: Sensitive Data Exposure
- A7: Missing Function Level Access Control
- A8: Cross-Site Request Forgery (CSRF)
- A9: Using Components with Known Vulnerabilities
- A10: Unvalidated Redirects and Forwards

A1: Injection: e.g. (?id=' or '1'=1)
Hackers “inject” their own code so that it runs on the server side to read, modify or delete data
- SQL injection: permits query manipulation
  - Data entered by users is sent to the SQL interpreter as part of an SQL query
  - An SQL injection attack exploits a flaw at the database layer: user input is concatenated into the query text, so the interpreter treats it as SQL
  - Attackers can create, read, modify or delete sensitive data
- Command injection: permits arbitrary shell commands
- File injection: upload of executable files
- XML injection
- SSL injection
- Buffer overflow

A1: Injection: Protection
Hackers “inject” their code to run on the server side; to prevent this:
- Use a trusted framework
- Use a safe API instead of calling the interpreter directly
- Escape special characters and validate input
- Use prepared statements (parameterized queries)
- Use a Web Application Firewall, especially against header manipulation
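The two A1 slides above describe the flaw (user data becomes part of the SQL text) and the fix (prepared statements plus input validation). The following Python example is added here to show both side by side; it is not code from the presentation. It uses an in-memory SQLite table with constructed rows and an input in the same style as the slide's `' or '1'=1` example, completed with a closing quote so that it parses inside a quoted `id='...'` context.

```python
import re
import sqlite3

# Constructed sample rows for this example (not data from the presentation).
PRODUCTS = [
    (1, "widget", "public"),
    (2, "gadget", "internal price list"),
    (3, "gizmo", "supplier terms"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, note TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """Vulnerable: the user-supplied value becomes part of the SQL text.

    With product_id = "' or '1'='1" the statement becomes
        SELECT name FROM products WHERE id='' or '1'='1'
    and the interpreter returns every row, not just one."""
    query = "SELECT name FROM products WHERE id='" + product_id + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, product_id: str) -> list:
    """Prepared statement: the value is bound to a placeholder and is never
    parsed as SQL, so quotes and keywords inside it carry no meaning."""
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [row[0] for row in rows]


# Allowlist for the id parameter: digits only.
_ID_ALLOWLIST = re.compile(r"[0-9]{1,10}")


def validate_id(product_id: str) -> str:
    """Input validation as a second, independent layer.

    It complements the prepared statement; it does not replace it."""
    if not _ID_ALLOWLIST.fullmatch(product_id):
        raise ValueError("product id must be 1-10 digits")
    return product_id


def lookup_hardened(conn: sqlite3.Connection, product_id: str) -> list:
    """Validate first, then query with a bound parameter."""
    return lookup_safe(conn, validate_id(product_id))


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"          # constructed injection input
    print("concatenated query:", lookup_vulnerable(db, payload))   # every name
    print("prepared statement:", lookup_safe(db, payload))         # []
    try:
        lookup_hardened(db, payload)
    except ValueError as exc:
        print("validated input:   rejected:", exc)
```

The vulnerable function returns all three names for the injected value; the parameterized one returns nothing, because the bound string is compared as a value and matches no id; the hardened one refuses the input before it reaches the database at all.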

A2: Broken authentication and session management
A vulnerability that allows authentication to be captured or bypassed, or a session to be captured
Weak authentication
- Single-factor authentication
- Easily guessable usernames (admin, administrator, etc.)
- Password reset options
- Unencrypted secrets
Backend password store
- Passwords not stored hashed
- Trust relationships between hosts
Weak sessions
- Session ID in the URL
- No session timeout
- Session ID sent over an insecure connection (HTTP)

A2: Broken authentication and session management: Protection
- Password strength requirements
- Password expiry
- Password change control
- Encryption in transit
- Session ID never placed in the URL
- Session timeout
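The A2 slides list the weaknesses (passwords not stored hashed, session id in the URL or over HTTP, no timeout) and the countermeasures. The Python below is an added example, not the presenter's code, showing how a small application would apply them: a salted, slow password hash (PBKDF2-HMAC-SHA256 from the standard library, a choice made here, not stated on the slides), a constant-time verify, and a server-side session store whose random id travels only in a Secure/HttpOnly cookie and expires after idle time. The iteration count, timeout and minimum length are assumed values.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000      # assumed work factor; raise as hardware gets faster
SESSION_IDLE_TIMEOUT = 15 * 60   # assumed: seconds of inactivity before a session dies
MIN_PASSWORD_LENGTH = 12         # assumed minimum for the strength policy


def password_strong_enough(password: str) -> bool:
    """Minimal strength policy: length is the property that matters most."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a salted, slow hash instead of the password itself.

    The returned string carries algorithm, work factor and salt so the verifier
    needs no other state and old hashes can be upgraded later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                      # malformed record: never a match
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class SessionStore:
    """Server-side sessions keyed by an unguessable random id."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, username: str, now: Optional[float] = None) -> str:
        session_id = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._sessions[session_id] = {
            "user": username,
            "last_seen": time.time() if now is None else now,
        }
        return session_id

    @staticmethod
    def cookie_header(session_id: str) -> str:
        """The id travels in a cookie (never the URL), only over TLS (Secure)
        and out of reach of page scripts (HttpOnly)."""
        return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"

    def resolve(self, session_id: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user of a live session, or None if unknown or timed out."""
        now = time.time() if now is None else now
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if now - entry["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self._sessions[session_id]              # expired: discard it
            return None
        entry["last_seen"] = now                        # sliding idle window
        return entry["user"]
```

The `now` parameter exists so that timeout behaviour can be exercised deterministically; in production it is left at its default and the clock is used.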

A3: Cross-Site Scripting (XSS)
The attacker abuses a trusted application/company to inject malicious script, typically through the URL
- Social engineering: emailing an innocent-looking URL or image
- Cookie stealing: exploiting cookies
- Database infecting: self-replicating worms
Protection:
- Keep untrusted data separate from active browser content
- Whitelist (allowlist) output validation
- User/customer education
Example:
1. Attacker injects malicious code into a vulnerable web server
2. Victim visits the vulnerable web server
3. Malicious code is served to the victim by the web server
4. Malicious code executes in the victim's browser with the web server's privileges
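The A3 slide's two technical countermeasures are keeping untrusted data out of active content and validating against an allowlist. The Python below is an added example (not from the presentation) of what that looks like in a template: the same untrusted value rendered by string concatenation and by escaping it for the HTML text and attribute contexts, plus an allowlist check for a field that never legitimately contains markup. The field names and the probe string are constructed.

```python
import html
import re

# Allowlist for a username field: no characters that have meaning in HTML.
_USERNAME_ALLOWLIST = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value: str) -> str:
    """Reject anything outside the allowlist before it reaches storage or output."""
    if not _USERNAME_ALLOWLIST.fullmatch(value):
        raise ValueError("username contains characters outside the allowlist")
    return value


def render_greeting_vulnerable(name: str) -> str:
    """Untrusted data concatenated straight into active browser content."""
    return "<p>Welcome back, " + name + "!</p>"


def render_greeting_safe(name: str) -> str:
    """Untrusted data is escaped for the HTML text context before it is mixed
    with markup, so the browser displays it instead of executing it."""
    return "<p>Welcome back, " + html.escape(name, quote=True) + "!</p>"


def render_search_box_safe(previous_query: str) -> str:
    """Attribute context: quote=True also encodes ' and \" so the value cannot
    close the attribute and start a new one."""
    return '<input type="text" name="q" value="' + html.escape(previous_query, quote=True) + '">'


def contains_script_tag(markup: str) -> bool:
    """Cheap check used only to show the difference between the two renderers."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"        # constructed reflected-XSS probe
    print(render_greeting_vulnerable(probe))    # script tag reaches the browser
    print(render_greeting_safe(probe))          # &lt;script&gt; is shown as text
    print(render_search_box_safe('" onfocus="alert(1)'))
```

Escaping is context-specific: `html.escape` is right for element text and quoted attributes, but data placed inside a `<script>` block, a URL or a CSS value needs the encoder for that context. A template engine that escapes by default removes the chance of forgetting a call.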

A4: Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object (a file, directory or database key) without any validation mechanism
Protection:
- Send an indirect reference: a random value from a per-user access reference map instead of the real key
- Add access control checks so that unauthorized access is refused
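The A4 slide names two protections: an indirect reference map of random values and an explicit access control check. The Python below is an added example, not the presenter's code, that implements both over a constructed invoice table: the client only ever receives per-user random tokens, and the lookup still verifies ownership in case a map is ever shared. The record shape, user names and amounts are constructed.

```python
import secrets

# Constructed backend records; the integer keys are the direct object references.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 89.50},
    1003: {"owner": "alice", "total": 42.10},
}


class IndirectReferenceMap:
    """Per-user map between random opaque tokens and internal keys.

    The client sees only tokens; editing one yields nothing, and the map is
    populated solely with objects this user was allowed to list."""

    def __init__(self) -> None:
        self._token_to_key: dict = {}
        self._key_to_token: dict = {}

    def token_for(self, key: int) -> str:
        token = self._key_to_token.get(key)
        if token is None:
            token = secrets.token_urlsafe(16)        # unguessable, per map
            self._key_to_token[key] = token
            self._token_to_key[token] = key
        return token

    def key_for(self, token: str):
        return self._token_to_key.get(token)


def list_invoices(ref_map: IndirectReferenceMap, user: str) -> list:
    """What the user is shown: opaque references, for their own invoices only."""
    return [
        {"ref": ref_map.token_for(key), "total": inv["total"]}
        for key, inv in INVOICES.items()
        if inv["owner"] == user
    ]


def get_invoice(ref_map: IndirectReferenceMap, user: str, ref: str) -> dict:
    """Two independent layers: the indirect map and an explicit ownership check."""
    key = ref_map.key_for(ref)
    if key is None:
        raise PermissionError("unknown reference")
    invoice = INVOICES[key]
    if invoice["owner"] != user:                     # second layer, never skipped
        raise PermissionError("not the owner of this invoice")
    return invoice


def get_invoice_vulnerable(user: str, invoice_id: int) -> dict:
    """The insecure pattern: the raw key comes from the request and nothing
    checks that it belongs to the caller."""
    return INVOICES[invoice_id]


if __name__ == "__main__":
    alice_map = IndirectReferenceMap()
    print(list_invoices(alice_map, "alice"))       # two tokens, no real keys
    print(get_invoice_vulnerable("alice", 1002))   # bob's invoice, no check at all
```

The map lives with the session (one per logged-in user), so a token captured from one user's page is meaningless in another user's session; the ownership check catches the remaining case where the same map is reused or the mapping is ever made global.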

A5: Security misconfiguration
Improper server or web application configuration leading to various flaws
- Debugging enabled
- Incorrect folder permissions
- Use of default accounts or passwords
- Setup/configuration pages left enabled
Protection:
- Regular hardening of the framework
- Disabling unnecessary services/features
- Periodic scans
- Applying security patches
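The A5 slide lists the typical misconfigurations and recommends periodic scanning. The Python below is an added example, not from the presentation, of a small self-check that a deployment pipeline could run against an application's settings: it flags debug mode, a reachable setup page, default credentials, features enabled without a stated need, and a world-writable directory, and it is run over a constructed weak configuration and its hardened counterpart. The setting names, the credential list and the directory layout are assumptions for this example.

```python
import os
import stat
import tempfile

# A few well-known factory credentials; constructed, deliberately short list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"), ("tomcat", "tomcat"),
}


def audit_config(cfg: dict, data_dir: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if cfg.get("debug", False):
        findings.append("debug mode enabled: stack traces and internals reach clients")
    if cfg.get("setup_page_enabled", False):
        findings.append("setup/configuration page still reachable")
    for account, password in cfg.get("accounts", {}).items():
        if (account, password) in DEFAULT_CREDENTIALS:
            findings.append(f"account '{account}' still uses a default password")
    required = set(cfg.get("required_features", []))
    for feature in cfg.get("enabled_features", []):
        if feature not in required:
            findings.append(f"feature '{feature}' enabled but not required")
    mode = stat.S_IMODE(os.stat(data_dir).st_mode)
    if mode & stat.S_IWOTH:
        findings.append(f"{data_dir} is world-writable (mode {oct(mode)})")
    return findings


# Constructed "as installed" settings with the classic mistakes.
WEAK_CONFIG = {
    "debug": True,
    "setup_page_enabled": True,
    "accounts": {"admin": "admin", "deploy": "example-not-a-real-secret"},
    "enabled_features": ["directory_listing", "webdav", "upload"],
    "required_features": ["upload"],
}

# The same deployment after hardening: only what is needed stays on.
HARDENED_CONFIG = {
    "debug": False,
    "setup_page_enabled": False,
    "accounts": {"deploy": "example-not-a-real-secret"},
    "enabled_features": ["upload"],
    "required_features": ["upload"],
}


def make_demo_dir(mode: int) -> str:
    """Create a scratch directory with the given permission bits."""
    path = tempfile.mkdtemp(prefix="a5-demo-")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sloppy = make_demo_dir(0o777)
    for finding in audit_config(WEAK_CONFIG, sloppy):
        print("FAIL:", finding)
    tidy = make_demo_dir(0o750)
    print("hardened findings:", audit_config(HARDENED_CONFIG, tidy))   # []
```

Such a check is only one scan among the periodic ones the slide calls for; it catches regressions in the application's own settings, while patch level and server hardening need their own scanners.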

Conclusion:
- Multilayered security
- Best practice during web application design
- Regular review of security policy and procedures
Thanks for your valuable time.
Regards,
Jagjit Singh Brar
