SlideShare a Scribd company logo
1 of 97
OWASP Top 10 - 2010 rc1The Top 10 Most Critical Web Application Security RisksAntonio FontesOWASP Geneva Chapter Leaderantonio.fontes@owasp.org
Agenda 10 ways to attack web applications The OWASP Top 10 rc1 Project Integrating the Top 10 in an existing SDLC/SALC Q&A 2 Antonio Fontes / Confoo Conference, Montreal / 2010
About the OWASP Open Web Application Security Project “Helping organizations secure their web applications.” Documentation and tools projects 130 local chapters worldwide http://www.owasp.org Antonio Fontes / Confoo Conference, Montreal / 2010 3
About me… Antonio Fontes, from Geneva (Switzerland) >1999: Web developer >2005: Ethical hacker / Security analyst >2008: Security & Privacy manager (banking software ISV) >2008: OWASP Geneva Chapter Leader  >2010: Information Security Consultant  SANS/CWE Top 25 Most Dangerous Programming Errors contributor 4 Antonio Fontes / Confoo Conference, Montreal / 2010
And about you? Coders?  Testers? Managers? Hardcore OWASP Top 10 users? 5 Antonio Fontes / Confoo Conference, Montreal / 2010
Just taking the temperature… 6 © Randal Munroe (xkcd.com) Antonio Fontes / Confoo Conference, Montreal / 2010
Part 1:  Top 10 major web application attack techniques 7 Antonio Fontes / Confoo Conference, Montreal / 2010
Attacking the infrastructure Attacking the application Attacking the users Other attacks 8 Antonio Fontes / Confoo Conference, Montreal / 2010
Attacking the infrastructure hitting the weakest layer 9 Antonio Fontes / Confoo Conference, Montreal / 2010
10  ; )  Are all demo apps removed? Is the web server up to date? Is the admin area protected from external access? Is directory indexing been disabled? Were all default passwords changed? Are all unnecessary scripts removed? Are there any backup/test/unused resources? Is the web server up to date? Have all default passwords been changed? Are all unnecessary services disabled? Are all unnecessary accounts disabled? Have all default passwords been changed? Is the system up to date? © Darwin Bell@flickr Are all unnecessary paths closed? Are all unnecessary ports closed? Is the admin interface reachable from the web? Can an administrative account be broken? Is the device up to date? Antonio Fontes / Confoo Conference, Montreal / 2010
Risk A6:  Security misconfiguration 11 Antonio Fontes / Confoo Conference, Montreal / 2010
What is the risk? If there is a weaker link than the web application itself, the attacker will switch to the flawed layer.  What are the countermeasures? Harden all layers Reduce services and accounts to the minimum No default passwords Keep everything up to date Apply security guidelines (OS security, Web server security, Application server security, etc.) Keep default web application configuration safe “Deploy securely on a secure architecture” 12 Antonio Fontes / Confoo Conference, Montreal / 2010
Attacking the infrastructure Attacking the application Attacking the users Other attacks 13 Antonio Fontes / Confoo Conference, Montreal / 2010
Attacking the application injecting hostile code… 14 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 15 Antonio Fontes / Confoo Conference, Montreal / 2010
16 what if? SELECT * FROM users usrWHERE usr.username = 'admin ';--‘AND usr.password = ‘bb21158c733229347bd4e681891e213d94c685be’ Antonio Fontes / Confoo Conference, Montreal / 2010
17 what if? Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 18 Antonio Fontes / Confoo Conference, Montreal / 2010
19 	Any user input is a potential attack vector. Antonio Fontes / Confoo Conference, Montreal / 2010
Risk A1:  Injections 20 Antonio Fontes / Confoo Conference, Montreal / 2010
RISK? Any application entry point can be used as a vector to inject hostile content that will modify expected behaviors. GOOD TO KNOW All non-binding query languages are exposed! (LDAP and Xpath….) 21 Antonio Fontes / Confoo Conference, Montreal / 2010
COUNTERMEASURES? All input can be modified client-side. Be sure to validate: Querystring parameters Form fields (hidden fields also count) File submissions : if you’re expecting a picture, then make sure it is a picture! Cookies HTTP headers: all fields, including referrer are “user input” 22 Antonio Fontes / Confoo Conference, Montreal / 2010
COUNTERMEASURES? (cont’d) Neverpaste user input into query commands (SQL, Xpath, LDAP, OS commands, etc.): Use binding variables such as SQL parameters: If no binding model, encode input before pasting: Doubled quotes (‘’) for SQL server Escaped quotes ()  for MySQL (PHP addslashes is helpful!) Etc. 23 Antonio Fontes / Confoo Conference, Montreal / 2010
COUNTERMEASURES ?(cont’d) Choose best validation strategy! Best: Whitelist When all possible values are known (enums, if/else if statements, regular expressions, …) Graylist: Enforce business rules: Type: string, numeric, byte, … Range: >0,  <MaxInt,  [a-z]{3,20} Weakest: Blacklist if(input.IndexOf(“<script>”)>=0) //reject 24 Antonio Fontes / Confoo Conference, Montreal / 2010
Attacking the application playing with obvious identifiers… 25 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 26 99999999 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 27 1234567 Antonio Fontes / Confoo Conference, Montreal / 2010
Risk A4:  Insecure direct object references 28 Antonio Fontes / Confoo Conference, Montreal / 2010
What is the risk? All references can modified client-side. An attacker might be able to access and/or modify confidential information. What are the countermeasures? Never send internal references to the browser: Use temporary or random number mapping (#0, #1, #2, #3, etc.) OR combine referenced access with access control: SELECT * FROM item WHERE id = $id AND owner = $uID UPDATE item … WHERE id = $id AND owner = $id 29 Antonio Fontes / Confoo Conference, Montreal / 2010
Attacking the application breaking session and authentication mechanisms… 30 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 31 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 32 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 33 Antonio Fontes / Confoo Conference, Montreal / 2010
Risk A3:  Broken authentication or session management 34 Antonio Fontes / Confoo Conference, Montreal / 2010
What is the risk? HTTP is a stateless protocol. Each request must transmit ‘session’ information over the network. Authentication mechanisms are highly targeted by attackers , at all levels: forms, traffic, stored data. What are the countermeasures? Use simple, centralized and standardized session mechanism Enable cookie security attributes (secure flag, httponly flag, encryption and integrity control) Validate session identifiers  Is the sessionID coming from the right place? 35 Antonio Fontes / Confoo Conference, Montreal / 2010
countermeasures? (cont’d) Make sure ‘logoff’ actually invalidates the session. Prevent bruteforcing attacks, but also prevent denial of service on legitimate accounts Enforce secure password recovery Authenticate before resetting Review, review, review authentication (and logoff) code manually! 36 Antonio Fontes / Confoo Conference, Montreal / 2010
Attacking the application finding hidden “secret” URLs… 37 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 38 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 39 Antonio Fontes / Confoo Conference, Montreal / 2010
Risk A7:  Failure to restrict URL access 40 Antonio Fontes / Confoo Conference, Montreal / 2010
What is the risk? URLs that lead to confidential resources can be easily sent, stored (bookmarks), monitored (proxies, security devices) and sometimes, guessed.  What are the countermeasures? Completely disallow access to sensitive file types Validate ALL incoming requests Authorize explicitly (web.xml, ASP.Net page lifecycle, etc.) Don’t expose physical documents with permanent or guessable URLs 41 Antonio Fontes / Confoo Conference, Montreal / 2010
Attacking the infrastructure Attacking the application Attacking the users Other attacks 42 Antonio Fontes / Confoo Conference, Montreal / 2010
Attacking the users redirecting users elsewhere… 43 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 44 Antonio Fontes / Confoo Conference, Montreal / 2010
Risk A8:  Non-validated redirects and forwards 45 Antonio Fontes / Confoo Conference, Montreal / 2010
What is the risk? An attacker may use your website reputation as a vector to redirect victims to a hostile website. What are the countermeasures? Never allow absolute URL redirection. If not possible:  Use a whitelist of valid hosts Show a warning before redirecting the user If using a “web portal”, make sure redirect pages do not include sensitive information in URLs (aka single-signon-on information) 46 Antonio Fontes / Confoo Conference, Montreal / 2010
Attacking the users running client hostile code in the website… 47 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 48 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 49 Antonio Fontes / Confoo Conference, Montreal / 2010
Risk A2:  Cross-site scripting 50 Antonio Fontes / Confoo Conference, Montreal / 2010
What is the risk? An attacker might inject client-side hostile code in the web application, which will be returned to a victim. 51 Antonio Fontes / Confoo Conference, Montreal / 2010
What are the countermeasures? Sanitize output. Encode to destination format. For HTML output, use HtmlEntities: <div id=“comment”>Here is my <script>attack</script></div>  <div id=“comment”>Here is my &lt;script&gt;attack&lt;/script&gt;</div> 52 Antonio Fontes / Confoo Conference, Montreal / 2010
What are the countermeasures? Sanitize output, encode to destination format: For XML output, use predefined entities: <says>“here is my <script>”</says>  <says><![CDATA[here is my <script>]]></says> <says>my input is <script></says> <says>my input is &lt;script&gt;</says> 53 Antonio Fontes / Confoo Conference, Montreal / 2010
Attacking the users replaying predictable requests… 54 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 55 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? 56 Antonio Fontes / Confoo Conference, Montreal / 2010
Risk A5:  Cross-site Request Forgery 57 Antonio Fontes / Confoo Conference, Montreal / 2010
What is the risk? An attacker might build her own website and trigger requests on the visitor’s browser. (yes, that’s exactly what it seems to be...) 58 Antonio Fontes / Confoo Conference, Montreal / 2010
What are the countermeasures? Implement unpredictable requests for all sensitive actions Use temporary random hidden control fields: <input type=hidden name=check value=ab23b4a/> Link forms to the user session: if(!(Request.Form[“checker”]).Equals(SessionID))	// return error Use CAPTCHA Use out-of-band verification: SMS / Voice call / Cryptographic tokens, etc. 59 Antonio Fontes / Confoo Conference, Montreal / 2010
Attacking the infrastructure Attacking the application Attacking the users Other attacks 60 Antonio Fontes / Confoo Conference, Montreal / 2010
Other attacks breaking weak cryptography… 61 Antonio Fontes / Confoo Conference, Montreal / 2010
what if? Encrypting with Base64 $cookie = base64($sessionId); 62 It’s not encryption, it’s encoding! Antonio Fontes / Confoo Conference, Montreal / 2010
what if? Encrypting user passwords with AES256 $password = encrypt($get_[“password”],AES256,key); 63 reversible encryption! Antonio Fontes / Confoo Conference, Montreal / 2010
what if? Hashing user passwords with md5 $password = md5($get_[“password”]); 64 weak algorithm! Antonio Fontes / Confoo Conference, Montreal / 2010
what if? Hashing user passwords with SHA-256 $password = sha($get_[“password”]); 65 Missing seed! Antonio Fontes / Confoo Conference, Montreal / 2010
what if? Building keys with Math.Random Byte[] key = Math.RandBytes(128); 66 Weak random number generator! Antonio Fontes / Confoo Conference, Montreal / 2010
what if? Deriving a key from human entered secret $key = md5($GET_[“secret”]); 67 Weak key entropy! Antonio Fontes / Confoo Conference, Montreal / 2010
what if? Using ECB mode of operation $bytes = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} $bytes2 = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} 68 Weak mode of operation! Antonio Fontes / Confoo Conference, Montreal / 2010
what if? Using CBC mode of operation $bytes = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} $bytes2 = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} 69 Non-random initialization vectors! Antonio Fontes / Confoo Conference, Montreal / 2010
what if? Decrypting with internal secret String clearText = CryptUtils.Decrypt($bytes, Parameters.SecretKey); 70 Hard-coded secret! Antonio Fontes / Confoo Conference, Montreal / 2010
what if? blablabla 71 Another problem. Antonio Fontes / Confoo Conference, Montreal / 2010
Risk A9:  Insecure cryptographic storage 72 Antonio Fontes / Confoo Conference, Montreal / 2010
What is the risk? An attacker might not need as much time as you expected to decrypt your data. If one of these words sounds foggy to you, there is a risk: Asymmetric/symmetric encryption, offline encryption, online encryption, CBC, key entropy, initialization vector,  ECB, message authentication code,  PBKDF2 (RFC2898), constant time operation, Rijndael, AES, 3DES, DSA, RSA, ECC, SHA, keyring, DPAPI, …  73 Antonio Fontes / Confoo Conference, Montreal / 2010
What are the countermeasures? Don’t do cryptography by yourself Use business level APIs: Use open-source reference implementations (OpenSSL, Truecrypt, etc.) Use expert-community-driven libraries (OWASP ESAPI, …) Take classes… 74 Antonio Fontes / Confoo Conference, Montreal / 2010
Other attacks observing the environment… 75 Antonio Fontes / Confoo Conference, Montreal / 2010
76 ? © daquellamanera @flickr Antonio Fontes / Confoo Conference, Montreal / 2010
Risk A10:  Insufficient transport layer protection 77 Antonio Fontes / Confoo Conference, Montreal / 2010
What is the risk? Traffic eavesdropping, due to insufficient transport layer protection. What are the countermeasures? Require an SSL encrypted link. Use appropriate certificates (signed and valid). Prevent cookies from leaving the encrypted link (“secure” flag enabled). 78 Antonio Fontes / Confoo Conference, Montreal / 2010
79 Antonio Fontes / Confoo Conference, Montreal / 2010 WHAT IS THE RISK LEVEL ? LOW HIGH
Part 2:  Assessing the risks induced by  these 10 attacks 80 Antonio Fontes / Confoo Conference, Montreal / 2010
Hopefully, someone did it… 81 Antonio Fontes / Confoo Conference, Montreal / 2010
rating the risks Antonio Fontes / Confoo Conference, Montreal / 2010 82 XSS (example) = 2,6x?
83 Antonio Fontes / Confoo Conference, Montreal / 2010 OWASP Top 10 – 2010 RC1The top ten web application security risks
84 Risk Managers ,[object Object]
 prevalence
detectability
 impact (CIA, AAA)Testers ,[object Object]
 typical cases
 mythsDevelopers ,[object Object]
 best practicesAdvanced material ,[object Object]
 mitigation techniques (per technology)
 further referencesTeachers / Students ,[object Object],Antonio Fontes / Confoo Conference, Montreal / 2010
85 Migration info ,[object Object]
 new entries
 gap analysisAntonio Fontes / Confoo Conference, Montreal / 2010
Part 3:  Integrating the Top 10 into an existing software development / acquisition lifecycle 86 Antonio Fontes / Confoo Conference, Montreal / 2010
Antonio Fontes / ConfooConference, Montreal / 2010 The Top 10 in your SDLC/SALC 87 Secure coding Metrics analysis Security testing Secure design Software vendor PERSONEL TRAINING QUALITY ASSURANCE Software buyer Penetration test Design review reports Security test results Contract conditions SLA support

More Related Content

Similar to Owasp Top10 2010 rc1

Higgins active clients and personal data stores v2
Higgins active clients and personal data stores v2Higgins active clients and personal data stores v2
Higgins active clients and personal data stores v2
Paul Trevithick
 
CompTIA Security+ Objectives
CompTIA Security+ ObjectivesCompTIA Security+ Objectives
CompTIA Security+ Objectives
sombat nirund
 
Analyzing The Audit Statement Provided By The Information...
Analyzing The Audit Statement Provided By The Information...Analyzing The Audit Statement Provided By The Information...
Analyzing The Audit Statement Provided By The Information...
April Charlton
 

Similar to Owasp Top10 2010 rc1 (20)

VoIp Security Services Technical Description Cyber51
VoIp Security Services Technical Description Cyber51VoIp Security Services Technical Description Cyber51
VoIp Security Services Technical Description Cyber51
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35
 
Professional Open Source
Professional Open SourceProfessional Open Source
Professional Open Source
 
Higgins active clients and personal data stores v2
Higgins active clients and personal data stores v2Higgins active clients and personal data stores v2
Higgins active clients and personal data stores v2
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020
 
Data Protection & Privacy During the Coronavirus Pandemic
Data Protection & Privacy During the Coronavirus PandemicData Protection & Privacy During the Coronavirus Pandemic
Data Protection & Privacy During the Coronavirus Pandemic
 
Lime broker
Lime brokerLime broker
Lime broker
 
Module 6.Security in Evolving Technology
Module 6.Security in Evolving TechnologyModule 6.Security in Evolving Technology
Module 6.Security in Evolving Technology
 
Module 6.pdf
Module 6.pdfModule 6.pdf
Module 6.pdf
 
CompTIA Security+ Objectives
CompTIA Security+ ObjectivesCompTIA Security+ Objectives
CompTIA Security+ Objectives
 
Analyzing The Audit Statement Provided By The Information...
Analyzing The Audit Statement Provided By The Information...Analyzing The Audit Statement Provided By The Information...
Analyzing The Audit Statement Provided By The Information...
 
ICT Security 2010: Le minacce delle nuove tecnologie
ICT Security 2010: Le minacce delle nuove tecnologieICT Security 2010: Le minacce delle nuove tecnologie
ICT Security 2010: Le minacce delle nuove tecnologie
 
Nt1320 Unit 6
Nt1320 Unit 6Nt1320 Unit 6
Nt1320 Unit 6
 
Secureview 3
Secureview 3Secureview 3
Secureview 3
 
Can Containers be Secured in a PaaS?
Can Containers be Secured in a PaaS?Can Containers be Secured in a PaaS?
Can Containers be Secured in a PaaS?
 
Can Containers be secured in a PaaS?
Can Containers be secured in a PaaS?Can Containers be secured in a PaaS?
Can Containers be secured in a PaaS?
 
Secure client
Secure clientSecure client
Secure client
 
Patch Tuesday August 2020
Patch Tuesday August 2020 Patch Tuesday August 2020
Patch Tuesday August 2020
 
Open source softwares and its applications
Open source softwares and its applicationsOpen source softwares and its applications
Open source softwares and its applications
 

More from Antonio Fontes

Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
Antonio Fontes
 

More from Antonio Fontes (13)

Sécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défenseSécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défense
 
Owasp ottawa training-day_2012-secure_design-final
Owasp ottawa training-day_2012-secure_design-finalOwasp ottawa training-day_2012-secure_design-final
Owasp ottawa training-day_2012-secure_design-final
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organization
 
Modéliser les menaces d'une application web
Modéliser les menaces d'une application webModéliser les menaces d'une application web
Modéliser les menaces d'une application web
 
Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
 
Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)
 
Rapid Threat Modeling : case study
Rapid Threat Modeling : case studyRapid Threat Modeling : case study
Rapid Threat Modeling : case study
 
Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...
 
Meet the OWASP
Meet the OWASPMeet the OWASP
Meet the OWASP
 
IT Security Days - Threat Modeling
IT Security Days - Threat ModelingIT Security Days - Threat Modeling
IT Security Days - Threat Modeling
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Cyber-attaques: mise au point
Cyber-attaques: mise au pointCyber-attaques: mise au point
Cyber-attaques: mise au point
 

Recently uploaded

Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 

Recently uploaded (20)

Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 

Owasp Top10 2010 rc1

  • 1. OWASP Top 10 - 2010 rc1The Top 10 Most Critical Web Application Security RisksAntonio FontesOWASP Geneva Chapter Leaderantonio.fontes@owasp.org
  • 2. Agenda 10 ways to attack web applications The OWASP Top 10 rc1 Project Integrating the Top 10 in an existing SDLC/SALC Q&A 2 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 3. About the OWASP Open Web Application Security Project “Helping organizations secure their web applications.” Documentation and tools projects 130 local chapters worldwide http://www.owasp.org Antonio Fontes / Confoo Conference, Montreal / 2010 3
  • 4. About me… Antonio Fontes, from Geneva (Switzerland) >1999: Web developer >2005: Ethical hacker / Security analyst >2008: Security & Privacy manager (banking software ISV) >2008: OWASP Geneva Chapter Leader >2010: Information Security Consultant SANS/CWE Top 25 Most Dangerous Programming Errors contributor 4 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 5. And about you? Coders? Testers? Managers? Hardcore OWASP Top 10 users? 5 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 6. Just taking the temperature… 6 © Randal Munroe (xkcd.com) Antonio Fontes / Confoo Conference, Montreal / 2010
  • 7. Part 1: Top 10 major web application attack techniques 7 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 8. Attacking the infrastructure Attacking the application Attacking the users Other attacks 8 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 9. Attacking the infrastructure hitting the weakest layer 9 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 10. 10 ; ) Are all demo apps removed? Is the web server up to date? Is the admin area protected from external access? Is directory indexing been disabled? Were all default passwords changed? Are all unnecessary scripts removed? Are there any backup/test/unused resources? Is the web server up to date? Have all default passwords been changed? Are all unnecessary services disabled? Are all unnecessary accounts disabled? Have all default passwords been changed? Is the system up to date? © Darwin Bell@flickr Are all unnecessary paths closed? Are all unnecessary ports closed? Is the admin interface reachable from the web? Can an administrative account be broken? Is the device up to date? Antonio Fontes / Confoo Conference, Montreal / 2010
  • 11. Risk A6: Security misconfiguration 11 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 12. What is the risk? If there is a weaker link than the web application itself, the attacker will switch to the flawed layer. What are the countermeasures? Harden all layers Reduce services and accounts to the minimum No default passwords Keep everything up to date Apply security guidelines (OS security, Web server security, Application server security, etc.) Keep default web application configuration safe “Deploy securely on a secure architecture” 12 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 13. Attacking the infrastructure Attacking the application Attacking the users Other attacks 13 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 14. Attacking the application injecting hostile code… 14 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 15. what if? 15 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 16. 16 what if? SELECT * FROM users usrWHERE usr.username = 'admin ';--‘AND usr.password = ‘bb21158c733229347bd4e681891e213d94c685be’ Antonio Fontes / Confoo Conference, Montreal / 2010
  • 17. 17 what if? Antonio Fontes / Confoo Conference, Montreal / 2010
  • 18. what if? 18 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 19. 19 Any user input is a potential attack vector. Antonio Fontes / Confoo Conference, Montreal / 2010
  • 20. Risk A1: Injections 20 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 21. RISK? Any application entry point can be used as a vector to inject hostile content that will modify expected behaviors. GOOD TO KNOW All non-binding query languages are exposed! (LDAP and Xpath….) 21 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 22. COUNTERMEASURES? All input can be modified client-side. Be sure to validate: Querystring parameters Form fields (hidden fields also count) File submissions : if you’re expecting a picture, then make sure it is a picture! Cookies HTTP headers: all fields, including referrer are “user input” 22 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 23. COUNTERMEASURES? (cont’d) Neverpaste user input into query commands (SQL, Xpath, LDAP, OS commands, etc.): Use binding variables such as SQL parameters: If no binding model, encode input before pasting: Doubled quotes (‘’) for SQL server Escaped quotes () for MySQL (PHP addslashes is helpful!) Etc. 23 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 24. COUNTERMEASURES ?(cont’d) Choose best validation strategy! Best: Whitelist When all possible values are known (enums, if/else if statements, regular expressions, …) Graylist: Enforce business rules: Type: string, numeric, byte, … Range: >0, <MaxInt, [a-z]{3,20} Weakest: Blacklist if(input.IndexOf(“<script>”)>=0) //reject 24 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 25. Attacking the application playing with obvious identifiers… 25 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 26. what if? 26 99999999 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 27. what if? 27 1234567 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 28. Risk A4: Insecure direct object references 28 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 29. What is the risk? All references can modified client-side. An attacker might be able to access and/or modify confidential information. What are the countermeasures? Never send internal references to the browser: Use temporary or random number mapping (#0, #1, #2, #3, etc.) OR combine referenced access with access control: SELECT * FROM item WHERE id = $id AND owner = $uID UPDATE item … WHERE id = $id AND owner = $id 29 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 30. Attacking the application breaking session and authentication mechanisms… 30 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 31. what if? 31 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 32. what if? 32 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 33. what if? 33 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 34. Risk A3: Broken authentication or session management 34 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 35. What is the risk? HTTP is a stateless protocol. Each request must transmit ‘session’ information over the network. Authentication mechanisms are highly targeted by attackers , at all levels: forms, traffic, stored data. What are the countermeasures? Use simple, centralized and standardized session mechanism Enable cookie security attributes (secure flag, httponly flag, encryption and integrity control) Validate session identifiers Is the sessionID coming from the right place? 35 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 36. countermeasures? (cont’d) Make sure ‘logoff’ actually invalidates the session. Prevent bruteforcing attacks, but also prevent denial of service on legitimate accounts Enforce secure password recovery Authenticate before resetting Review, review, review authentication (and logoff) code manually! 36 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 37. Attacking the application finding hidden “secret” URLs… 37 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 38. what if? 38 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 39. what if? 39 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 40. Risk A7: Failure to restrict URL access 40 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 41. What is the risk? URLs that lead to confidential resources can be easily sent, stored (bookmarks), monitored (proxies, security devices) and sometimes, guessed. What are the countermeasures? Completely disallow access to sensitive file types Validate ALL incoming requests Authorize explicitly (web.xml, ASP.Net page lifecycle, etc.) Don’t expose physical documents with permanent or guessable URLs 41 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 42. Attacking the infrastructure Attacking the application Attacking the users Other attacks 42 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 43. Attacking the users redirecting users elsewhere… 43 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 44. what if? 44 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 45. Risk A8: Non-validated redirects and forwards 45 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 46. What is the risk? An attacker may use your website reputation as a vector to redirect victims to a hostile website. What are the countermeasures? Never allow absolute URL redirection. If not possible: Use a whitelist of valid hosts Show a warning before redirecting the user If using a “web portal”, make sure redirect pages do not include sensitive information in URLs (aka single-signon-on information) 46 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 47. Attacking the users running client hostile code in the website… 47 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 48. what if? 48 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 49. what if? 49 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 50. Risk A2: Cross-site scripting 50 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 51. What is the risk? An attacker might inject client-side hostile code in the web application, which will be returned to a victim. 51 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 52. What are the countermeasures? Sanitize output. Encode to destination format. For HTML output, use HtmlEntities: <div id=“comment”>Here is my <script>attack</script></div> <div id=“comment”>Here is my &lt;script&gt;attack&lt;/script&gt;</div> 52 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 53. What are the countermeasures? Sanitize output, encode to destination format: For XML output, use predefined entities: <says>“here is my <script>”</says>  <says><![CDATA[here is my <script>]]></says> <says>my input is <script></says> <says>my input is &lt;script&gt;</says> 53 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 54. Attacking the users replaying predictable requests… 54 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 55. what if? 55 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 56. what if? 56 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 57. Risk A5: Cross-site Request Forgery 57 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 58. What is the risk? An attacker might build her own website and trigger requests on the visitor’s browser. (yes, that’s exactly what it seems to be...) 58 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 59. What are the countermeasures? Implement unpredictable requests for all sensitive actions Use temporary random hidden control fields: <input type=hidden name=check value=ab23b4a/> Link forms to the user session: if(!(Request.Form[“checker”]).Equals(SessionID)) // return error Use CAPTCHA Use out-of-band verification: SMS / Voice call / Cryptographic tokens, etc. 59 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 60. Attacking the infrastructure Attacking the application Attacking the users Other attacks 60 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 61. Other attacks breaking weak cryptography… 61 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 62. what if? Encrypting with Base64 $cookie = base64($sessionId); 62 It’s not encryption, it’s encoding! Antonio Fontes / Confoo Conference, Montreal / 2010
  • 63. what if? Encrypting user passwords with AES256 $password = encrypt($get_[“password”],AES256,key); 63 reversible encryption! Antonio Fontes / Confoo Conference, Montreal / 2010
  • 64. what if? Hashing user passwords with md5 $password = md5($get_[“password”]); 64 weak algorithm! Antonio Fontes / Confoo Conference, Montreal / 2010
  • 65. what if? Hashing user passwords with SHA-256 $password = sha($get_[“password”]); 65 Missing seed! Antonio Fontes / Confoo Conference, Montreal / 2010
  • 66. what if? Building keys with Math.Random Byte[] key = Math.RandBytes(128); 66 Weak random number generator! Antonio Fontes / Confoo Conference, Montreal / 2010
  • 67. what if? Deriving a key from human entered secret $key = md5($GET_[“secret”]); 67 Weak key entropy! Antonio Fontes / Confoo Conference, Montreal / 2010
  • 68. what if? Using ECB mode of operation $bytes = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} $bytes2 = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} 68 Weak mode of operation! Antonio Fontes / Confoo Conference, Montreal / 2010
  • 69. what if? Using CBC mode of operation $bytes = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} $bytes2 = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} 69 Non-random initialization vectors! Antonio Fontes / Confoo Conference, Montreal / 2010
  • 70. what if? Decrypting with internal secret String clearText = CryptUtils.Decrypt($bytes, Parameters.SecretKey); 70 Hard-coded secret! Antonio Fontes / Confoo Conference, Montreal / 2010
  • 71. what if? blablabla 71 Another problem. Antonio Fontes / Confoo Conference, Montreal / 2010
  • 72. Risk A9: Insecure cryptographic storage 72 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 73. What is the risk? An attacker might not need as much time as you expected to decrypt your data. If one of these words sounds foggy to you, there is a risk: Asymmetric/symmetric encryption, offline encryption, online encryption, CBC, key entropy, initialization vector, ECB, message authentication code, PBKDF2 (RFC2898), constant time operation, Rijndael, AES, 3DES, DSA, RSA, ECC, SHA, keyring, DPAPI, … 73 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 74. What are the countermeasures? Don’t do cryptography by yourself Use business level APIs: Use open-source reference implementations (OpenSSL, Truecrypt, etc.) Use expert-community-driven libraries (OWASP ESAPI, …) Take classes… 74 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 75. Other attacks observing the environment… 75 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 76. 76 ? © daquellamanera @flickr Antonio Fontes / Confoo Conference, Montreal / 2010
  • 77. Risk A10: Insufficient transport layer protection 77 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 78. What is the risk? Traffic eavesdropping, due to insufficient transport layer protection. What are the countermeasures? Require an SSL encrypted link. Use appropriate certificates (signed and valid). Prevent cookies from leaving the encrypted link (“secure” flag enabled). 78 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 79. 79 Antonio Fontes / Confoo Conference, Montreal / 2010 WHAT IS THE RISK LEVEL ? LOW HIGH
  • 80. Part 2: Assessing the risks induced by these 10 attacks 80 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 81. Hopefully, someone did it… 81 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 82. rating the risks Antonio Fontes / Confoo Conference, Montreal / 2010 82 XSS (example) = 2,6x?
  • 83. 83 Antonio Fontes / Confoo Conference, Montreal / 2010 OWASP Top 10 – 2010 RC1The top ten web application security risks
  • 84.
  • 87.
  • 89.
  • 90.
  • 91. mitigation techniques (per technology)
  • 92.
  • 93.
  • 95. gap analysisAntonio Fontes / Confoo Conference, Montreal / 2010
  • 96. Part 3: Integrating the Top 10 into an existing software development / acquisition lifecycle 86 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 97. Antonio Fontes / ConfooConference, Montreal / 2010 The Top 10 in your SDLC/SALC 87 Secure coding Metrics analysis Security testing Secure design Software vendor PERSONEL TRAINING QUALITY ASSURANCE Software buyer Penetration test Design review reports Security test results Contract conditions SLA support
  • 98. Conclusion Your web application will be hacked. ; ) 88 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 99. Conclusion But if you use the Top 10… 89 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 100. Conclusion It won’t be the cheap way… 90 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 101. Conclusion And it won’t be the embarrassing way… 91 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 102. Conclusion You now know the 10 riskiest flaws in web applications. 92 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 103. Conclusion But there’s still a lot to see… 93 CWE/SANS Top 25 Programming errors WASC Threat Classification Threat modeling OWASP Application Security Verification Standard (ASVS) Open Software Assurance Maturity Model Antonio Fontes / Confoo Conference, Montreal / 2010
  • 104. Conclusion before becoming “secure”. 94 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 105. http://owasp.org/index.php/Top10 (final version: end of March 2010) 95 Antonio Fontes / Confoo Conference, Montreal / 2010 thank you :)
  • 106. 96 Antonio Fontes / Confoo Conference, Montreal / 2010
  • 107. Copyright You are free: To share (copy, distribute, transmit) To remix But only if: You attribute this work You use it for non-commercial purposes And you keep sharing your result the same way I did 97 Antonio Fontes / Confoo Conference, Montreal / 2010