Top 10 Web Security Vulnerabilities
•Download as ODP, PDF•
12 likes•7,731 views
Top 10 Web Security Vulnerabilities as defined by the OWASP, and what you can do to protect your application
![About the Speaker ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Top 10 Web Security Vulnerabilities
Similar to Top 10 Web Security Vulnerabilities (20)
More from Carol McDonald
More from Carol McDonald (20)
Top 10 Web Security Vulnerabilities
- 1. OWASP Top 10 Web Security Vulnerabilities Carol McDonald Sun Microsystems
- 4. WebGoat and WebScarab from OWASP
- 5. Enterprise Security API http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
- 15. Validation, Encoding, and Injection http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt Any Encoding Any Interpreter Set Character Set Encode For HTML Global Validate Canonicalize Specific Validate Sanitize Canonicalize Validate
- 16. Handling Validation, and Encoding http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt encodeForURL encodeForJavaScript encodeForVBScript encodeForDN encodeForHTML encodeForHTMLAttribute encodeForLDAP encodeForSQL encodeForXML encodeForXMLAttribute encodeForXPath isValidDirectoryPath isValidCreditCard isValidDataFromBrowser isValidListItem isValidFileContent isValidFileName isValidHTTPRequest isValidRedirectLocation isValidSafeHTML isValidPrintable safeReadLine Canonicalization Double Encoding Protection Normalization Sanitization
- 30. Handling Validation, and Encoding http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt encodeForURL encodeForJavaScript encodeForVBScript encodeForDN encodeForHTML encodeForHTMLAttribute encodeForLDAP encodeForSQL encodeForXML encodeForXMLAttribute encodeForXPath isValidDirectoryPath isValidCreditCard isValidDataFromBrowser isValidListItem isValidFileContent isValidFileName isValidHTTPRequest isValidRedirectLocation isValidSafeHTML isValidPrintable safeReadLine Canonicalization Double Encoding Protection Normalization Sanitization
- 33. Real Attack on Australian Tax office attacker changed the tax id in the url , got info on 17,000 companies
- 37. Handling Direct Object References http://app?file=7d3J93 Report123.xls Web Service Database Mainframe File System User Etc… Access Reference Map Indirect Reference Direct Reference Indirect Reference Direct Reference
- 47. Handling Authentication and Identity http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt Strong Passwords Random Tokens CSRF Tokens Lockout Remember Me Screen Name Roles Timeout Users
- 55. ESAPI Handling Authentication and Identity http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt Strong Passwords Random Tokens CSRF Tokens Lockout Remember Me Screen Name Roles Timeout Users
- 60. Handling Sensitive Information http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt Encryption Digital Signatures Integrity Seals Strong GUID Random Tokens Timestamp Salted Hash Safe Config Details
- 70. ESAPI Handling Access Control isAuthorizedForURL isAuthorizedForFunction isAuthorizedForFunction isAuthorizedForService isAuthorizedForData isAuthorizedForFile
Editor's Notes
- The attacker can send data in any encoding. And the interpreters downstream from your application may decide to handle any encoding. Canonicalize Input could be in any character set Double-encoding Multiple encoding schemes Double-encoding with multiple encoding schemes Validation Simple to configure for positive rules Impossible to do perfectly, since you need special characters GetSafeValue Rich content – strip out bad stuff and continue Difficult – need to fully parse HTML Canonicalize and Validate from database Watch out mass SQL injection? EncodeForHTML Not perfect since browsers allow encoded characters to execute (particularly in attributes) Have to avoid double-encoding SetCharacterSet Browser will try to guess the encoding
- The attacker can send data in any encoding. And the interpreters downstream from your application may decide to handle any encoding. Canonicalize Input could be in any character set Double-encoding Multiple encoding schemes Double-encoding with multiple encoding schemes Validation Simple to configure for positive rules Impossible to do perfectly, since you need special characters GetSafeValue Rich content – strip out bad stuff and continue Difficult – need to fully parse HTML Canonicalize and Validate from database Watch out mass SQL injection? EncodeForHTML Not perfect since browsers allow encoded characters to execute (particularly in attributes) SetCharacterSet Browser will try to guess the encoding
- The attacker can send data in any encoding. And the interpreters downstream from your application may decide to handle any encoding. Canonicalize Input could be in any character set Double-encoding Multiple encoding schemes Double-encoding with multiple encoding schemes Validation Simple to configure for positive rules Impossible to do perfectly, since you need special characters GetSafeValue Rich content – strip out bad stuff and continue Difficult – need to fully parse HTML Canonicalize and Validate from database Watch out mass SQL injection? EncodeForHTML Not perfect since browsers allow encoded characters to execute (particularly in attributes) SetCharacterSet Browser will try to guess the encoding
- If an online bank allowed its application to process requests, such as transfer funds, a similar attack might allow high risk transactions such as money transfers The form itself contains the fields name and lastname and the button submit to prevent this to be forgged we add another field which contains the name of the current session identifier cookie name and the current session identifier cookie value <form> <input type=&quot;test&quot; name=&quot;name&quot; value=&quot;John&quot;/> <input type=&quot;test&quot; name=&quot;lastname&quot; value=&quot;Dawson&quot;/> <input type=&quot;test&quot; name=&quot;JSPSESSIONID&quot; value=&quot;7af7a55caff365ca594510586&quot;/> <input type=&quot;submit&quot;/> </form>
- If an online bank allowed its application to process requests, such as transfer funds, a similar attack might allow high risk transactions such as money transfers The form itself contains the fields name and lastname and the button submit to prevent this to be forgged we add another field which contains the name of the current session identifier cookie name and the current session identifier cookie value <form> <input type=&quot;test&quot; name=&quot;name&quot; value=&quot;John&quot;/> <input type=&quot;test&quot; name=&quot;lastname&quot; value=&quot;Dawson&quot;/> <input type=&quot;test&quot; name=&quot;JSPSESSIONID&quot; value=&quot;7af7a55caff365ca594510586&quot;/> <input type=&quot;submit&quot;/> </form>
- If an online bank allowed its application to process requests, such as transfer funds, a similar attack might allow high risk transactions such as money transfers The form itself contains the fields name and lastname and the button submit to prevent this to be forgged we add another field which contains the name of the current session identifier cookie name and the current session identifier cookie value <form> <input type=&quot;test&quot; name=&quot;name&quot; value=&quot;John&quot;/> <input type=&quot;test&quot; name=&quot;lastname&quot; value=&quot;Dawson&quot;/> <input type=&quot;test&quot; name=&quot;JSPSESSIONID&quot; value=&quot;7af7a55caff365ca594510586&quot;/> <input type=&quot;submit&quot;/> </form>
- The attacker can send data in any encoding. And the interpreters downstream from your application may decide to handle any encoding. Canonicalize Input could be in any character set Double-encoding Multiple encoding schemes Double-encoding with multiple encoding schemes Validation Simple to configure for positive rules Impossible to do perfectly, since you need special characters GetSafeValue Rich content – strip out bad stuff and continue Difficult – need to fully parse HTML Canonicalize and Validate from database Watch out mass SQL injection? EncodeForHTML Not perfect since browsers allow encoded characters to execute (particularly in attributes) SetCharacterSet Browser will try to guess the encoding
- If an online bank allowed its application to process requests, such as transfer funds, a similar attack might allow high risk transactions such as money transfers The form itself contains the fields name and lastname and the button submit to prevent this to be forgged we add another field which contains the name of the current session identifier cookie name and the current session identifier cookie value <form> <input type=&quot;test&quot; name=&quot;name&quot; value=&quot;John&quot;/> <input type=&quot;test&quot; name=&quot;lastname&quot; value=&quot;Dawson&quot;/> <input type=&quot;test&quot; name=&quot;JSPSESSIONID&quot; value=&quot;7af7a55caff365ca594510586&quot;/> <input type=&quot;submit&quot;/> </form>
- If an online bank allowed its application to process requests, such as transfer funds, a similar attack might allow high risk transactions such as money transfers The form itself contains the fields name and lastname and the button submit to prevent this to be forgged we add another field which contains the name of the current session identifier cookie name and the current session identifier cookie value <form> <input type=&quot;test&quot; name=&quot;name&quot; value=&quot;John&quot;/> <input type=&quot;test&quot; name=&quot;lastname&quot; value=&quot;Dawson&quot;/> <input type=&quot;test&quot; name=&quot;JSPSESSIONID&quot; value=&quot;7af7a55caff365ca594510586&quot;/> <input type=&quot;submit&quot;/> </form>