Web Application Security 2014
@ Ibuildings
Boy Baukema
29th January 2014, Vlissingen

Wednesday, February 5, 14
Fear, Uncertainty and Doubt (FUD)
Adobe / Apple / Drupal.org / Evernote / LinkedIn
Facebook / NYT / PHP.net
Java 0-days
SSL BREACH
High-profile customer targets:

‣ AbuseHub
‣ MijnDomein
‣ RTLNieuws
Windows XP EOL in April ’14

What to do?

‣ OWASP Top 10 2013
‣ Status (Secure) Software Development Lifecycle
‣ OWASP ASVS 2013
‣ OWASP ASVS Bingo!

Security is a cross-cutting concern
'Home router of company director also of interest to hackers' (Dutch news headline)

OWASP Top 10 (2013) time!

A1-Injection

‣ SQL Injection
‣ HTML Injection
‣ XML Injection
• XML External Entities (XXE)

‣ JavaScript Injection
‣ CSS Injection

A2-Broken Authentication and Session Management

‣ Session Fixation
‣ Missing Session Timeout
‣ Login over HTTP
‣ Unprotected Password Reset

HTTP Strict Transport Security
Strict-Transport-Security:

‣ max-age=60000; (the value is in seconds, so this is under 17 hours; raise it to months or a year once everything is known to work over HTTPS)
‣ includeSubDomains

A3-Cross-Site Scripting (XSS)

‣ Stored
‣ Reflected
‣ DOM based
See Injection.

Content-Security-Policy
Content-Security-Policy(-Report-Only):

‣ default-src 'none';
‣ script-src https://cdn.mybank.net;
‣ style-src https://cdn.mybank.net;
‣ img-src https://cdn.mybank.net;
‣ connect-src https://api.mybank.com;
‣ frame-src 'self';
‣ report-uri /my_amazing_csp_report_parser;
IE10+, FF4+, Chrome 14+, (iOS)Safari 5.1+, Android 4.4+
http://caniuse.com/contentsecuritypolicy
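
How a browser applies the policy above, as an added example that is not code from the talk or from any CSP implementation. It serialises the slide's policy into a header value and implements a simplified source-expression matcher: 'none', 'self', scheme sources such as `https:`, host sources with an optional leading `*.` wildcard, and the fallback to default-src for fetch directives that are not listed. Nonces, hashes and 'unsafe-inline' are not handled, and a host source without a scheme is treated as matching any scheme, which is a simplification of the real algorithm. The page origin `https://www.mybank.com` and the resource URLs are assumptions.

```python
from urllib.parse import urlsplit

# The policy from the slide, as directive -> list of source expressions.
POLICY = {
    "default-src": ["'none'"],
    "script-src": ["https://cdn.mybank.net"],
    "style-src": ["https://cdn.mybank.net"],
    "img-src": ["https://cdn.mybank.net"],
    "connect-src": ["https://api.mybank.com"],
    "frame-src": ["'self'"],
    "report-uri": ["/my_amazing_csp_report_parser"],
}


def serialize(policy):
    """Render the policy as the value of a Content-Security-Policy header."""
    return "; ".join("%s %s" % (directive, " ".join(sources))
                     for directive, sources in policy.items())


def _origin(url):
    """(scheme, host, port) of a URL, the tuple that 'self' compares."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port


def source_matches(source, url, page_origin):
    """Simplified CSP source-expression matching for one source and one resource URL."""
    scheme, host, port = _origin(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (scheme, host, port) == _origin(page_origin)
    if source.endswith(":"):                           # scheme-source such as "https:"
        return scheme == source[:-1]
    # host-source: [scheme://]host[:port]; urlsplit needs "//" to recognise a netloc
    parts = urlsplit(source if "://" in source else "//" + source)
    if parts.scheme and parts.scheme != scheme:
        return False
    pattern = parts.hostname or ""
    if pattern.startswith("*."):
        if not (host or "").endswith(pattern[1:]):     # "*.mybank.net" -> ".mybank.net"
            return False
    elif pattern != (host or ""):
        return False
    return parts.port is None or parts.port == port


def is_allowed(policy, directive, url, page_origin):
    """Decide whether a fetch governed by `directive` may load `url`.

    A fetch directive that is absent falls back to default-src; if that is absent
    as well, the policy places no restriction on that resource type.
    """
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(src, url, page_origin) for src in sources)


if __name__ == "__main__":
    page = "https://www.mybank.com/account"
    print(serialize(POLICY))
    print(is_allowed(POLICY, "script-src", "https://cdn.mybank.net/app.js", page))   # True
    print(is_allowed(POLICY, "script-src", "https://evil.example/x.js", page))       # False
    print(is_allowed(POLICY, "script-src", "http://cdn.mybank.net/app.js", page))    # False: scheme differs
    print(is_allowed(POLICY, "font-src", "https://cdn.mybank.net/f.woff", page))     # False: default-src 'none'
    print(is_allowed(POLICY, "frame-src", "https://www.mybank.com/widget", page))    # True: 'self'
```

The `font-src` case is the one that bites in practice: with `default-src 'none'` every resource type you forgot to list is blocked, which is exactly why the slide pairs the policy with `Content-Security-Policy-Report-Only` and a `report-uri` before enforcing it.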

A4-Insecure Direct Object References

A5-Security Misconfiguration

‣ Out-of-date PHP version (anything below 5.3 today; below 5.4 once 5.3 reaches end of life after July 2014)
‣ admin/admin
‣ Stack traces
‣ php.ini
• max_execution_time = 0
• session.cookie_httponly = Off
• session.cookie_secure = Off
• allow_url_fopen = On
• See: PhpSecInfo
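
A PhpSecInfo-style check over the php.ini settings listed above, as an added example (not PhpSecInfo's own code, and not a complete reimplementation of it). The two php.ini excerpts are constructed, one with the weak values from the slide and one hardened; `display_errors` is included because it is the directive that puts the slide's stack traces in front of visitors. Directives that are missing from the file are judged by PHP's built-in defaults, which is how a half-empty php.ini ends up weak.

```python
import re

# Constructed php.ini excerpt with the weak values from the slide (not from a real server).
WEAK_INI = """\
[PHP]
; Maximum execution time of each script, in seconds; 0 means no limit
max_execution_time = 0
allow_url_fopen = On
display_errors = On

[Session]
session.cookie_httponly = Off
session.cookie_secure = Off
"""

# The same directives with the values a production server should carry.
HARDENED_INI = """\
[PHP]
max_execution_time = 30
allow_url_fopen = Off
display_errors = Off
log_errors = On

[Session]
session.cookie_httponly = On
session.cookie_secure = On
"""

DIRECTIVE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*$")


def _truthy(value):
    """php.ini treats On/Yes/True/1 as enabled and Off/No/False/None/"" as disabled."""
    return value.strip().strip('"').lower() in ("1", "on", "yes", "true")


# directive -> (is_weak(value), why it matters, PHP's built-in default when the directive is absent)
CHECKS = {
    "max_execution_time": (lambda v: v.strip() == "0",
                           "0 removes the time limit: one slow request can hold a worker forever", "30"),
    "session.cookie_httponly": (lambda v: not _truthy(v),
                                "session cookie is readable from JavaScript, so XSS can steal it", "Off"),
    "session.cookie_secure": (lambda v: not _truthy(v),
                              "session cookie is also sent over plain HTTP", "Off"),
    "allow_url_fopen": (lambda v: _truthy(v),
                        "include/fopen accept remote URLs (remote file inclusion)", "On"),
    "display_errors": (lambda v: _truthy(v),
                       "stack traces, paths and queries are shown to the visitor", "On"),
}


def parse_ini(text):
    """Minimal php.ini reader: ignores comments and [sections], returns directive -> raw value."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0]           # ';' starts a comment
        if not line.strip() or line.strip().startswith("["):
            continue
        match = DIRECTIVE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit(text):
    """Return [(directive, effective value, reason)] for every weak setting."""
    settings = parse_ini(text)
    findings = []
    for directive, (is_weak, reason, default) in CHECKS.items():
        value = settings.get(directive, default)
        if is_weak(value):
            findings.append((directive, value, reason))
    return findings


if __name__ == "__main__":
    for directive, value, reason in audit(WEAK_INI):
        print("%-25s = %-4s %s" % (directive, value, reason))
    print("hardened:", audit(HARDENED_INI))   # []
```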

A6-Sensitive Data Exposure

‣ Unsalted passwords
‣ Unencrypted Credit Cards
‣ Passwords / Session tokens over HTTP
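
What "unsalted passwords" means in practice and how to store them instead, as an added example (not code from the talk; PHP 5.5's `password_hash()` is the native equivalent). It shows that two accounts sharing a password produce the same unsalted SHA-256 digest, so one crack unlocks both, and then stores passwords with PBKDF2-HMAC-SHA256, a random per-user salt and a constant-time comparison. The iteration count and the sample accounts are assumptions.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "sha256"
ITERATIONS = 100_000     # tune so one verification costs tens of milliseconds on your hardware


def unsalted_hash(password):
    """The slide's anti-pattern: equal passwords give equal digests, so a single cracked
    hash or a precomputed table unlocks every account that shares that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt; returns a self-describing string
    so the algorithm and iteration count can be raised later without breaking old records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_%s$%d$%s$%s" % (
        ALGORITHM,
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        algorithm = scheme.split("_", 1)[1]
        rounds = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, IndexError):
        return False                                   # malformed record: never a match
    candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample accounts; the two users happen to share a password.
    users = {"alice": "correct horse", "bob": "correct horse"}
    print({u: unsalted_hash(p) for u, p in users.items()})   # identical digests
    print({u: hash_password(p) for u, p in users.items()})   # different salts, different digests
    record = hash_password("correct horse")
    print(verify_password("correct horse", record), verify_password("wrong", record))  # True False
```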

A7-Missing Function Level Access Control

A8-Cross-Site Request Forgery (CSRF)

A9-Using Components with Known Vulnerabilities

A10-Unvalidated Redirects and Forwards

BONUS: Clickjacking

X-Frame-Options
DENY
The page cannot be displayed in a frame, regardless
of the site attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the
same origin as the page itself.
ALLOW-FROM uri
The page can only be displayed in a frame on the
specified origin. Only IE and Firefox honour this value;
Chrome and Safari treat a header carrying ALLOW-FROM as
invalid and ignore it, so the page stays frameable there.
IE8+,Chrome 4+, FF 3.6+ Safari 4+
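
The two response headers from the HSTS and X-Frame-Options slides, as an added example that is not code from the talk: a helper that emits them (HSTS only on HTTPS responses, since RFC 6797 tells browsers to ignore Strict-Transport-Security received over plain HTTP), an HSTS value parser, and an audit that reports the common mistakes. The thresholds and finding texts are the editor's; `HSTS_MAX_AGE` reuses the slide's 60000 seconds.

```python
import re

HSTS_MAX_AGE = 60000          # seconds, the slide's value (about 16.7 hours); raise it once HTTPS is stable

_DIRECTIVE = re.compile(r"^\s*([A-Za-z-]+)\s*(?:=\s*\"?([^\";]*?)\"?\s*)?$")


def security_headers(is_https, frame_option="DENY", max_age=HSTS_MAX_AGE, include_subdomains=True):
    """Headers to add to every response: X-Frame-Options always, HSTS only over HTTPS."""
    headers = {"X-Frame-Options": frame_option}
    if is_https:
        value = "max-age=%d" % max_age
        if include_subdomains:
            value += "; includeSubDomains"
        headers["Strict-Transport-Security"] = value
    return headers


def parse_hsts(value):
    """Parse an HSTS value into {"max-age": int, "includeSubDomains": bool}; None if malformed.
    Directive names are case-insensitive and max-age is mandatory (RFC 6797)."""
    result = {"max-age": None, "includeSubDomains": False}
    for part in value.split(";"):
        if not part.strip():
            continue
        match = _DIRECTIVE.match(part)
        if not match:
            return None
        name, arg = match.group(1).lower(), match.group(2)
        if name == "max-age":
            if arg is None or not arg.isdigit():
                return None
            result["max-age"] = int(arg)
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        # unknown directives are ignored, as the RFC requires
    return result if result["max-age"] is not None else None


def audit(headers, is_https):
    """Findings for one response's framing and transport-security headers."""
    findings = []
    xfo = headers.get("X-Frame-Options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        pass
    elif xfo.startswith("ALLOW-FROM "):
        findings.append("ALLOW-FROM is ignored by Chrome and Safari; they will frame the page freely")
    else:
        findings.append("X-Frame-Options missing or invalid: page can be framed (clickjacking)")

    hsts = headers.get("Strict-Transport-Security")
    if not is_https:
        if hsts:
            findings.append("HSTS sent over plain HTTP is ignored by browsers; emit it on HTTPS responses")
        return findings
    parsed = parse_hsts(hsts) if hsts else None
    if parsed is None:
        findings.append("HSTS missing or malformed on an HTTPS response")
        return findings
    if parsed["max-age"] < HSTS_MAX_AGE:
        findings.append("HSTS max-age=%d is shorter than the %d seconds used on the slide"
                        % (parsed["max-age"], HSTS_MAX_AGE))
    if not parsed["includeSubDomains"]:
        findings.append("includeSubDomains absent: subdomains can still be reached over HTTP")
    return findings


if __name__ == "__main__":
    print(security_headers(True))
    print(audit({"X-Frame-Options": "ALLOW-FROM https://partner.example",
                 "Strict-Transport-Security": "max-age=300"}, True))
```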

SSDLC

Secure Software Development LifeCycle

Secure Software Development Life Cycle

Source: http://pentestmag.com/security-and-the-software-development-life-cycle/

Requirements / Functional Design
‣ Threat modeling
‣ Security requirements

Architecture & Design / Technical Design

‣ Web App Review

Development / Implementation

‣ Secure Coding Practices
‣ Whitebox Testing

Development: Secure Coding Guidelines

‣ Use only POST for credentials
‣ Notify users when a password reset occurs
‣ Re-authenticate users prior to performing critical
operations

‣ Logout functionality should be available from all pages
protected by authorization

‣ Generate a new session identifier on any reauthentication

‣ Logging controls should support both success and failure
of specified security events

Source: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf

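
The session-handling guidelines above (POST-only credentials, a new session identifier on every authentication, logging of both success and failure) together with the A2 slide's session fixation and missing-timeout items, as one added example in working code. This is the editor's illustration, not code from the talk or the OWASP guide: a small server-side session store with an injectable clock. The idle timeout, the constructed `USERS` table and the plain-text credential check are assumptions to keep the block short; a real application verifies a salted password hash there.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without a request before a session is dropped

# Constructed sample account (plain text only for brevity; store salted hashes in reality).
USERS = {"alice": "s3cret"}


def check_credentials(username, password):
    """Constructed lookup with a constant-time comparison of the secret."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


class SessionStore:
    """Server-side sessions: fresh ID on every (re)authentication, idle timeout,
    POST-only credentials, and an audit trail of successes and failures alike."""

    def __init__(self, clock=time.time):
        self._clock = clock                   # injectable so tests can move time forward
        self._sessions = {}                   # session id -> {"user": str | None, "last_seen": float}
        self.audit = []                       # (event, details) for both success and failure

    def _log(self, event, **details):
        self.audit.append((event, details))

    def _new_id(self):
        return secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG, never guessable

    def start(self):
        """Anonymous pre-login session (a shopping basket, a CSRF token holder)."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Look a session up, expiring it if it has been idle longer than IDLE_TIMEOUT."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            self._log("session_expired", user=session["user"])
            return None
        session["last_seen"] = self._clock()
        return session

    def login(self, sid, username, password, method="POST"):
        """Authenticate and return a NEW session id. The old id, which an attacker may have
        planted in the victim's browser (session fixation), is discarded either way."""
        if method != "POST":                  # credentials in a URL end up in logs and history
            self._log("login_rejected", user=username, reason="credentials not sent via POST")
            return None
        if not check_credentials(username, password):
            self._log("login_failure", user=username)
            return None
        self._sessions.pop(sid, None)         # invalidate the pre-login identifier
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": username, "last_seen": self._clock()}
        self._log("login_success", user=username)
        return new_sid

    def logout(self, sid):
        """Server-side invalidation; clearing the cookie alone leaves the session usable."""
        session = self._sessions.pop(sid, None)
        if session is not None:
            self._log("logout", user=session["user"])
        return session is not None


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.start()
    print(store.login(anonymous, "alice", "wrong"))            # None, failure logged
    authenticated = store.login(anonymous, "alice", "s3cret")  # new id, old one gone
    print(authenticated != anonymous, store.get(anonymous))    # True None
    print(store.audit)
```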
Development: (360) Code Reviews

Testing

‣ Greybox testing

Deployment

‣ Greybox security testing by third party

Maintenance / SLA

‣ Black box quarterly
‣ Grey box annually
‣ Monitoring
‣ Security Patches

Training

‣ Basic WebAppSec training
‣ Secure Coding training
‣ QA & Testing training

OWASP ASVS 2013

Security Checklist

Leveling up
Requirements: 164 / 136 / 47

Scope

Requirements
V1. Authentication
V2. Session Management
V3. Access Control
V4. Input Validation
V5. Cryptography (at Rest)
V6. Error Handling and Logging
V7. Data Protection
V8. Communication Security
V9. HTTP Security
V10. Malicious Controls
V11. Business Logic
V12. Files and Resources
V13. Mobile

An example

Annotated ASVS 2013

An Annotated ASVS (AASVS) requirement has...

‣ Short Title
‣ Long Title
‣ Verification PASS
‣ Verification FAIL
‣ Verification Help
‣ [Verification Help for PHP]
‣ [Verification Help for Drupal]
‣ [Verification Help for Symfony 2]
‣ Related Resources

Security Audit Template

‣ Introduction
• Target Of Verification
• Scope
• Confidentiality

‣ Document History, TOC
‣ Conclusions
‣ V1 - V13
‣ Appendix A: Source Code analysis
‣ Appendix B: Third-party libraries

Risk Rating

Source: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
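
The OWASP Risk Rating Methodology referenced above, carried through in code as an added example (the editor's, not code from the talk or from OWASP). It averages the eight likelihood factors and the four technical and four business impact factors, maps each average to LOW, MEDIUM or HIGH, and reads the overall severity from the methodology's combined matrix. As the methodology prescribes, the business impact is used when it has been scored and the technical impact stands in otherwise. The scores for the SQL injection finding are constructed for illustration, not taken from a real audit.

```python
# The sixteen factors of the OWASP Risk Rating Methodology, each scored 0-9.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# Combined-severity matrix: (likelihood level, impact level) -> overall risk.
SEVERITY = {
    ("LOW", "LOW"): "Note",     ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",  ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score):
    """0 to <3 is LOW, 3 to <6 is MEDIUM, 6 to 9 is HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(scores, factors):
    """Mean of the named factors; refuses incomplete or out-of-range scorings."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError("missing factors: %s" % ", ".join(missing))
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError("%s must be scored 0-9" % f)
    return sum(scores[f] for f in factors) / len(factors)


def rate(likelihood, technical, business=None):
    """Likelihood and impact averages plus the overall severity for one finding."""
    l_score = average(likelihood, THREAT_AGENT + VULNERABILITY)
    t_score = average(technical, TECHNICAL_IMPACT)
    b_score = average(business, BUSINESS_IMPACT) if business is not None else None
    impact = b_score if b_score is not None else t_score
    return {
        "likelihood": l_score,
        "technical_impact": t_score,
        "business_impact": b_score,
        "impact_used": impact,
        "severity": SEVERITY[(level(l_score), level(impact))],
    }


# Constructed scoring for an SQL injection finding (illustrative numbers only).
SQLI_LIKELIHOOD = {"skill_level": 3, "motive": 4, "opportunity": 7, "size": 9,
                   "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6,
                   "intrusion_detection": 8}
SQLI_TECHNICAL = {"loss_of_confidentiality": 7, "loss_of_integrity": 7,
                  "loss_of_availability": 5, "loss_of_accountability": 7}
SQLI_BUSINESS = {"financial_damage": 7, "reputation_damage": 5,
                 "non_compliance": 5, "privacy_violation": 5}

if __name__ == "__main__":
    print(rate(SQLI_LIKELIHOOD, SQLI_TECHNICAL))                 # technical impact only: Critical
    print(rate(SQLI_LIKELIHOOD, SQLI_TECHNICAL, SQLI_BUSINESS))  # business impact known: High
```

The two runs differ only in whether the business owner has scored the impact, which is the point of the methodology: the same technical finding lands in a different bucket once what actually matters to the organisation is known, and the audit report should say which impact was used.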

OWASP ASVS 2013 and the SSDLC

FAQ

‣ So we must be fully ASVS compliant?

‣ ...?

ASVS BINGO!

BINGO!

Prizes

Bootcamp

Verify it

Your Script for today
100 Fork the Template to your personal space.
220 Pop the ‘TODO’ stack of Requirements
221 If no Requirement, GOTO 350
230 Assign the Requirement (mark with your name).
231 Verify Requirement.
232 Report the results.
240 Push Requirement in the ‘DONE’ stack
241 GOTO 220
350 Review the DONE stack.

WebAppSec @ Ibuildings in 2014