This document summarizes a presentation on web application security given on January 29th, 2014. The presentation covered common web application vulnerabilities like injection flaws, broken authentication, insecure direct object references, cross-site scripting, and more. It also discussed the OWASP Top 10 risks and how to address them through practices like following the OWASP Application Security Verification Standard (ASVS) and implementing a secure software development lifecycle with security testing throughout. Attendees were given an assignment to participate in an "ASVS Bingo" verification exercise of the OWASP requirements.
WebAppSec @ Ibuildings in 2014
1. Web Application Security 2014
@ Ibuildings
Boy Baukema
29th January 2014, Vlissingen
Wednesday, February 5, 14
2. Fear Uncertainty and Doubt (FUD)
Adobe / Apple / Drupal.org / Evernote / LinkedIn
Facebook / NYT / PHP.net
Java 0-days
SSL BREACH
High-profile customer targets:
‣ AbuseHub
‣ MijnDomein
‣ RTLNieuws
Windows XP EOL in April ’14
3. What to do?
‣ OWASP Top 10 2013
‣ Status (Secure) Software Development Lifecycle
‣ OWASP ASVS 2013
‣ OWASP ASVS Bingo!
4. Security is a cross-cutting concern
'Director's home router also of interest to hackers'
5. OWASP Top 10 (2013) time!
6. A1-Injection
‣ SQL Injection
‣ HTML Injection
‣ XML Injection
• XML External Entities (XXE)
‣ JavaScript Injection
‣ CSS Injection
7. A2-Broken Authentication and Session Management
‣ Session Fixation
‣ Missing Session Timeout
‣ Login over HTTP
‣ Unprotected Password Reset
8. HTTP Strict Transport Security
Strict-Transport-Security: max-age=60000; includeSubDomains
12. A5-Security Misconfiguration
‣ Out of date PHP version (PHP<5.3, <5.4 after July)
‣ admin/admin
‣ Stack traces
‣ php.ini
• max_execution_time = 0
• session.cookie_httponly = Off
• session.cookie_secure = Off
• allow_url_fopen = On
• See: PhpSecInfo
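As an added example (not from the presentation), a small Python audit that reads a php.ini fragment and flags the four directives named on this slide, falling back to PHP's built-in defaults when a directive is absent. The hardened values are the usual recommendation and an assumption of this example, not something the slide states.

```python
"""Audit a php.ini for the A5 misconfigurations named on the slide.

Constructed example; the 'hardened' column is the common recommendation,
not a value given by the presentation.
"""
from typing import Dict, List, Tuple

# directive -> (PHP built-in default when the directive is absent, hardened value)
CHECKS: Dict[str, Tuple[str, str]] = {
    "max_execution_time": ("30", "30"),     # 0 = no limit; any finite value passes
    "session.cookie_httponly": ("0", "1"),  # Off lets script (XSS) read the session cookie
    "session.cookie_secure": ("0", "1"),    # Off sends the session cookie over plain HTTP
    "allow_url_fopen": ("1", "0"),          # On lets file functions open remote URLs
}

def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: ';' starts a comment, [sections] are skipped,
    directives are 'key = value' (surrounding quotes on the value are dropped)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def php_bool(value: str) -> bool:
    """PHP reads 1/On/True/Yes as true and 0/Off/False/No/'' as false."""
    return value.strip().lower() in ("1", "on", "true", "yes")

def audit_php_ini(text: str) -> List[Tuple[str, str]]:
    """Return (directive, value in effect) for each weak setting. Absent
    directives are judged by PHP's default, so an ini that never mentions
    allow_url_fopen is still reported, because it defaults to On."""
    ini = parse_php_ini(text)
    findings: List[Tuple[str, str]] = []
    for directive, (default, hardened) in CHECKS.items():
        value = ini.get(directive, default)
        if directive == "max_execution_time":
            weak = value == "0"  # the CLI SAPI always uses 0; this check targets the web SAPI
        else:
            weak = php_bool(value) != php_bool(hardened)
        if weak:
            findings.append((directive, value))
    return findings

# Constructed php.ini fragment mirroring the slide's weak settings.
SAMPLE_INI = """\
[PHP]
max_execution_time = 0   ; "never time out"
allow_url_fopen = On
[Session]
session.cookie_httponly = Off
session.cookie_secure = Off
"""
```

Running `audit_php_ini(SAMPLE_INI)` reports all four directives; a hardened file with `session.cookie_httponly = 1`, `session.cookie_secure = 1` and `allow_url_fopen = Off` yields no findings.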
13. A6-Sensitive Data Exposure
‣ Unsalted passwords
‣ Unencrypted Credit Cards
‣ Passwords / Session tokens over HTTP
19. X-Frame-Options
DENY
The page cannot be displayed in a frame, regardless
of the site attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the
same origin as the page itself.
ALLOW-FROM uri
The page can only be displayed in a frame on the
specified origin.
IE8+, Chrome 4+, FF 3.6+, Safari 4+
21. Secure Software Development Life Cycle
Source: http://pentestmag.com/security-and-the-software-development-life-cycle/
25. Development: Secure Coding Guidelines
‣ Use only POST for credentials
‣ Notify users when a password reset occurs
‣ Re-authenticate users prior to performing critical operations
‣ Logout functionality should be available from all pages protected by authorization
‣ Generate a new session identifier on any reauthentication
‣ Logging controls should support both success and failure of specified security events
Source: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
38. An ASVS Requirement has...
‣ Short Title
‣ Long Title
‣ Verification PASS
‣ Verification FAIL
‣ Verification Help
‣ [Verification Help for PHP]
‣ [Verification Help for Drupal]
‣ [Verification Help for Symfony 2]
‣ Related Resources
48. Your Script for today
100 Fork the Template to your personal space.
220 Pop the ‘TODO’ stack of Requirements
221 If no Requirement, GOTO 350
230 Assign the Requirement (mark with your name).
231 Verify Requirement.
232 Report the results.
240 Push Requirement in the ‘DONE’ stack
241 GOTO 220
350 Review the DONE stack.