Christian Wenz presented on the OWASP Top 10 web application security risks. The presentation covered the top risks including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, use of vulnerable components, and insufficient logging. For each risk, Wenz provided examples of attacks and recommendations for mitigation strategies.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
OWASP Top Ten 2017
1. Christian Wenz
OWASP TOP TEN 2017
WEB APPLICATION SECURITY UP-TO-DATE
Confoo 2019
Christian Wenz
info@christianwenz.de
@chwenz
2. Christian Wenz
Agenda
1. INJECTION
2. BROKEN AUTHENTICATION
3. CROSS-SITE SCRIPTING (XSS)
4. BROKEN ACCESS CONTROL
5. SECURITY
MISCONFIGURATION
6. SENSITIVE DATA EXPOSURE
7. INSUFFICIENT ATTACK PROTECTION
8. CROSS-SITE REQUEST FORGERY
(CSRF)
9. USING COMPONENTS WITH KNOWN
VULNERABILITIES
10.UNDERPROTECTED APIS
3. Christian Wenz
Agenda
1. INJECTION
2. BROKEN AUTHENTICATION
3. SENSITIVE DATA EXPOSURE
4. XML EXTERNAL ENTITIES
(XEE)
5. BROKEN ACCESS CONTROL
6. SECURITY MISCONFIGURATION
7. CROSS-SITE SCRIPTING
8. INSECURE DESERIALIZATION
9. USING COMPONENTS WITH KNOWN
VULNERABILITIES
10.INSUFFICIENT LOGGING AND
MONITORING
4. Christian Wenz
#1: Injection
Different kinds of injections
SQL Injection
LDAP Injection
XPath Injection
Regex Injection
We are actually talking about SQL Injection
OR Mappers help. Parametrized queries/prepared statements, too. If you must,
database-specific escaping APIs.
5. Christian Wenz
#2: Broken Authentication
HTTP is a stateless protocol
Session management is, essentially, a hack
Different attack vectors
Session hijacking
Session fixation
Other issues: insufficient session timeout, unencrypted passwords, …
6. Christian Wenz
#3: Sensitive Data Exposure
Use encryption throughout
HTTPS only (if possible, enforce it)
HTTP Strict Transport Security
„secure“ cookie flag
7. Christian Wenz
#4: XML External Entities (XXE)
XML processors evaluating an external entity
Is XML still a thing? ;-)
Fantastic writeup of XXE vs. Facebook: https://sensepost.com/blog/2014/revisting-
xxe-and-abusing-protocols/
8. Christian Wenz
XXE Technology Overview
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_Exter
nal_Entity_Prevention_Cheat_Sheet.md
PHP
libxml_disable_entity_loader(true);
.NET
Secure by default since .NET 4.5.2+
8
9. Christian Wenz
#5: Broken Access Control
2013 list: Insecure Direct Object References & Missing Function Level Access
Control
Access control to data
Access control to functions
10. Christian Wenz
Abusing CORS
Cross-Origin Resource Sharing
Cirvumvents SOP
There is some protection in place: Origin header, server needs to set Access-
Control-Allow-Origin
12. Christian Wenz
#6: Security Misconfiguration
I´m not an admin!
In the days of DevOps, maybe I am
Harden server/OS
Do not send detailled error messages to the client
Use browser security headers
13. Christian Wenz
#7: Cross-Site Scripting (XSS)
One of the oldest attacks around
Injecting content (usually JavaScript) into server output
Might bring friends: if there is XSS, it‘s very hard to defend against CSRF
14. Christian Wenz
Types of XSS
DOM-based (type 0): Everything happens in the client
Persistent (type 1): Server stores malicious input
Non-persistent (type 2): Server echoes back malicious input
16. Christian Wenz
Protecting Against XSS
Escape output (< > " ' &)
Use browser protection (X-XSS-Protection)
Use Content Security Policy
17. Christian Wenz
#8: Insecure Deserialization
Rule #1: Validate input
Paper based on .NET: https://speakerdeck.com/pwntester/attacking-net-
serialization
Payload generator: https://github.com/pwntester/ysoserial.net
18. Christian Wenz
#9: Using Components with Known Vulnerabilities
https://twitter.com/jacobhusted69/status/863151760118083584/photo/1