OWASP Top 10 - 2010 rc1 The OWASP Top 10 is dead, long live the OWASP Top 10 ! Sebastien Deleersnyder OWASP Foundation Board Member [email protected]


OWASP AppSec 2009 Presentation

OWASP Top 10 - 2010 rc1

The OWASP Top 10 is dead, long live the OWASP Top 10 !

Sebastien Deleersnyder, OWASP Foundation Board Member

[email protected]

Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation, OWASP Belgium 2010, http://www.owasp.org/

Who Am I?

- 5 years developer experience
- 10 years information security experience
- Managing Technical Consultant ICT Security, Zenitel
- Belgian OWASP chapter founder
- OWASP board member

OWASP Belgium 2010, 25 March 2010

OWASP World

OWASP is a worldwide free and open community focused on improving the security of application software.

Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.

REMEMBER OWASP IS JUST PEOPLE

You are all probably familiar with OWASP, so I'd like to take this opportunity to share a few metrics and give you an idea of where OWASP is headed.

I've been the volunteer chair of OWASP since 2004, and I've spent quite a lot of time, effort, and my own money developing the organization. Why do I do all this? Why do I care?

AppSec is not about tools or technology, it's about people. OWASP is about community.


OWASP 2009 in Numbers

- Wiki: 6,381 articles (76,865 edits), 200 updates / day, over 100,000 views / week, nearly 32M views so far
- 21,000 people actively involved
- 326 OWASP mailing lists
- 7 Global Committees
- 39 Committee Volunteers
- 159 chapters
- 117 projects
- 17 OWASP Books
- 18 full day or multi-day events and conferences around the world
- 3 employees (Kate, Paulo & Alison)

OWASP in numbers:

Our worldwide community is growing rapidly: 21,000 people who are actively involved with OWASP. These are the people who attend chapter meetings, participate in mailing lists, and have accounts on our wiki. There are 326 OWASP mailing lists (projects, committees, events and chapters).

- 7 Global Committees
- 39 Committee Volunteers
- 159 chapters
- 117 projects
- 17 OWASP Books
- 18 full day or multi-day events and conferences around the world
- 3 employees (Kate, Paulo & Alison)

Wiki: page edits since the wiki was set up: 76,865. With almost 6,381 articles, OWASP is the largest knowledgebase of application security information anywhere. OWASP gets about 200 updates to the wiki every day. We have over 100,000 pageviews per week. Views total 31,903,633.

OWASP Top 10

- Previously: The Ten Most Critical Web Application Security Vulnerabilities
- 2010 RC1 Release
- A great start, but not a standard

The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities, a great start to your secure coding security program. Security is not a one-time event. It is insufficient to secure your code just once. By 2008, this Top 10 will have changed, and without changing a line of your application's code, you may be vulnerable. Please review the advice in "Where to go from here" for more information.

A secure coding initiative must deal with all stages of a program's lifecycle. Secure web applications are only possible when a secure SDLC is used. Secure programs are secure by design, during development, and by default. There are at least 300 issues that affect the overall security of a web application. These 300+ issues are detailed in the OWASP Guide, which is essential reading for anyone developing web applications today.

This document is first and foremost an education piece, not a standard. Please do not adopt this document as a policy or standard without talking to us first! If you need a secure coding policy or standard, OWASP has secure coding policies and standards projects in progress.

What's Changed?

Mapping from 2007 to 2010 Top 10 (= kept or renamed, + new in 2010, - dropped in 2010):

  OWASP Top 10 2007 (Previous)                        OWASP Top 10 2010 (New)
= A2 Injection Flaws                                  A1 Injection
= A1 Cross Site Scripting (XSS)                       A2 Cross Site Scripting (XSS)
= A7 Broken Authentication and Session Management     A3 Broken Authentication and Session Management
= A4 Insecure Direct Object Reference                 A4 Insecure Direct Object References
= A5 Cross Site Request Forgery (CSRF)                A5 Cross Site Request Forgery (CSRF)
+                                                     A6 Security Misconfiguration (NEW)
= A10 Failure to Restrict URL Access                  A7 Failure to Restrict URL Access
+                                                     A8 Unvalidated Redirects and Forwards (NEW)
= A8 Insecure Cryptographic Storage                   A9 Insecure Cryptographic Storage
= A9 Insecure Communications                          A10 Insufficient Transport Layer Protection
- A3 Malicious File Execution
- A6 Information Leakage and Improper Error Handling

OWASP Top 10 Risk Rating Methodology

Score   Threat Agent   Attack Vector   Weakness Prevalence   Weakness Detectability   Technical Impact   Business Impact
1       ?              Easy            Widespread            Easy                     Severe             ?
2       ?              Average         Common                Average                  Moderate           ?
3       ?              Difficult       Uncommon              Difficult                Minor              ?

XSS example:           2               1                     1                        2
                       (2 + 1 + 1) / 3 = 1.3, * 2 = 2.6 weighted risk rating

The new OWASP Top Ten (2010 rc1)

http://www.owasp.org/index.php/Top_10

This is the new proposed Top 10 list. The items in red are new. Some of the existing items moved around.

A1 Injection

SQL Injection Illustrated

[Figure: the HTTP request crosses the network layer (firewall, hardened OS, web server, app server, firewall) into the application layer (custom code; business functions: accounts, finance, administration, transactions, communication, knowledge mgmt, e-commerce) and on to the databases, legacy systems, web services and directories (human resources, billing).]

1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user: the HTTP response shows an Account Summary listing every account (Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293)

Main Point

The flow of a SQL injection attack goes from attacker to application to database, then back.

Teaching Points

SQL injection is a simple attack that exploits the trust relationship between the database and the application. In essence, the attacker tricks the application into sending the wrong query to the database. The database trusts the application, and so complies with the request. Even if the data is encrypted in the database, this type of attack can access the data. In the example depicted above, the attacker sends an attack in the data that tricks the database into returning all the credit cards from the database instead of only one. Normally, the application would decrypt the account owner's credit card number (or other sensitive data) and display it. When attacked, the application decrypts all the card numbers and displays them all to the attacker.

Examples, Demonstrations, Stories, Notes

A1 Avoid Injection Flaws

Recommendations
- Avoid the interpreter entirely, or
- Use an interface that supports bind variables (e.g., prepared statements, or stored procedures). Bind variables allow the interpreter to distinguish between code and data
- Encode all user input before passing it to the interpreter
- Always perform white list input validation on all user supplied input
- Always minimize database privileges to reduce the impact of a flaw

References
For more details, read the new http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
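The bind-variable recommendation, as an added Python example (not code from the presentation): the same input shown on the illustrated slide returns every row when the query is built by concatenation, and matches nothing once the value is passed as a parameter. The accounts table and its rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the "accounts" table on the slide.
SAMPLE_ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """Builds the statement by string concatenation: the interpreter cannot
    tell where the data ends and the SQL begins, so user input becomes code."""
    sql = "SELECT acct, owner FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, acct):
    """Uses a bind variable: the value travels separately from the SQL text,
    so the interpreter always treats it as data, never as part of the query."""
    sql = "SELECT acct, owner FROM accounts WHERE acct=?"
    return conn.execute(sql, (acct,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    attack = "' OR 1=1--"   # the input from the illustrated slide
    print(len(lookup_vulnerable(conn, attack)), "rows leaked by concatenation")
    print(len(lookup_bound(conn, attack)), "rows returned with a bind variable")
```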

A2 Cross-Site Scripting (XSS)

Cross-Site Scripting Illustrated

[Figure: application with stored XSS vulnerability (custom code; business functions: accounts, finance, administration, transactions, communication, knowledge mgmt, e-commerce).]

1. Attacker sets the trap ("update my profile"): attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page, sees attacker profile. Script runs inside victim's browser with full access to the DOM and cookies
3. Script silently sends attacker the victim's session cookie

A2 Avoiding XSS Flaws

Recommendations
- Eliminate the flaw: don't include user supplied input in the output page
- Defend against the flaw:
  - Primary recommendation: output encode all user supplied input (use OWASP's ESAPI to output encode: http://www.owasp.org/index.php/ESAPI)
  - Perform white list input validation on all user input to be included in page
  - For large chunks of user supplied HTML, use OWASP's AntiSamy to sanitize this HTML to make it safe. See: http://www.owasp.org/index.php/AntiSamy

References
For how to output encode properly, read the new http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Safe Escaping Schemes in Various HTML Execution Contexts

- HTML Style Property Values (e.g., .pdiv a:hover {color: red; text-decoration: underline})
- JavaScript Data (e.g., some javascript)
- HTML Attribute Values (e.g., )
- HTML Element Content (e.g., some text to display)
- URI Attribute Values (e.g.,
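Output encoding per execution context, as an added Python example (not code from the presentation or from ESAPI): one encoder each for HTML element content, HTML attribute values, JavaScript data and URI parameters, applied to a constructed profile template. The sample input and template are constructed; the JavaScript encoder assumes characters in the Basic Multilingual Plane.

```python
import html
import urllib.parse

# Constructed attacker-style input; it would break out of a poorly encoded context.
SAMPLE_INPUT = '"><script>alert(1)</script>'


def _escape_non_alnum(value, fmt):
    """Apply fmt to every character that is not an ASCII letter or digit."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) else fmt % ord(ch)
                   for ch in value)


def encode_element_content(value):
    """HTML element content: entity-encode & < > " ' so the browser renders text."""
    return html.escape(value, quote=True)


def encode_attribute_value(value):
    """HTML attribute value: entity-encode every non-alphanumeric character and
    wrap the result in double quotes, so nothing can close the attribute early."""
    return '"' + _escape_non_alnum(value, "&#x%x;") + '"'


def encode_javascript_data(value):
    """JavaScript data inside a quoted string literal: \\uXXXX-escape every
    non-alphanumeric character so quotes and </script> cannot survive.
    Assumes Basic Multilingual Plane characters (no surrogate pairs)."""
    return "'" + _escape_non_alnum(value, "\\u%04x") + "'"


def encode_uri_parameter(value):
    """URI attribute value used as a query parameter: percent-encode everything."""
    return urllib.parse.quote(value, safe="")


def render_profile(display_name):
    """Assembles a profile page (constructed template, not from the slides)
    using the encoder that matches each context the value lands in."""
    return (
        "<p>" + encode_element_content(display_name) + "</p>\n"
        "<input value=" + encode_attribute_value(display_name) + ">\n"
        "<script>var name = " + encode_javascript_data(display_name) + ";</script>\n"
        '<a href="/search?q=' + encode_uri_parameter(display_name) + '">search</a>'
    )


if __name__ == "__main__":
    print(render_profile(SAMPLE_INPUT))
```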