Looking at the Top 10 web application security risks according to the OWASP Top 10 2010
Overview of OWASP Top 10 – 2010
Akash Mahajan – Chapter Lead for null Bangalore
TOP 10 WEB APPLICATION SECURITY RISKS
CONNECT THIS IMAGE TO WEB SECURITY
AKASH MAHAJAN | ABOUT ME
• Independent Web Security Consultant
• Chapter lead for null Bangalore
• I test, hack, secure web applications and servers.
• I consult companies on secure deployments on AWS etc.
• Been doing application security for 5+ years.
• Wrote IDS sigs for malware and vulnerabilities for 3 years as well.
AGENDA
• OWASP
• OWASP Top 10
• Application Security Risks
• OWASP Top 10 Details
• The Beginning
• Contact Details
OPEN WEB APPLICATION SECURITY PROJECT
• OWASP is a worldwide non-profit open community dedicated to web
application security.
• OWASP offers free tools, books, documents etc. to developers, security
practitioners and anyone interested in application security.
• Some of the most popular OWASP projects are
• OWASP Top 10
• OWASP Web Goat Project
• OWASP Testing Guide
• OWASP Developer Guide
• Definitely visit and track updates on http://www.owasp.org
OWASP TOP 10
• OWASP TOP 10 is a document listing the 10 most critical risks faced by web applications today.
• It is purely about managing risk and not just avoiding vulnerabilities.
• It is meant to be consumed by developers and not just security dudes.
• You should consider using it if you are in charge of keeping web apps safe.
• Also if your organization doesn’t have an app sec program and would like to start one now.
• Top 10 implies that these risks should be mitigated first to ensure the safety of the web application.
• There are other risks, but they are less severe than the top 10.
OWASP TOP 10
• Who else is using it?
• The PCI Council, US Department of Defense, US Federal Trade
Commission, Data Interchange Standards Association
• Companies like Microsoft, Citibank, IBM, HP, British Telecom, Oracle
• How do they use it?
• Microsoft uses it as part of Security Development Lifecycle
• PCI Council uses it as part of the PCI Data Security Standard
• Oracle, NSA use it as part of developer awareness
• Others use it to ensure minimal level of security audit of web applications
APPLICATION SECURITY RISKS
• Applications can have many attack vectors
• A form that submits to the database
• A database login for a partner for direct access.
• FTP login for a third party content team
• These attack vectors can be used to exploit security weaknesses.
• For example, stolen FTP credentials for an Amazon EC2 server might allow the EC2 credentials to be stolen as well.
• Once stolen, all services based on your Amazon account are vulnerable to hijack.
• You could end up paying for someone else’s misuse of your Amazon services!
OWASP TOP 10 – A1 INJECTION
• Injection flaws, such as SQL and OS command injection, occur when untrusted data is sent to an interpreter as part of a command.
• The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
• SQL Injection is one of the most used vectors when malicious people want to create a new botnet.
• First a vulnerable web facing application is identified. Automated roBOTs/scripts crawl the world wide web looking for installations of that application. Once found, they inject HTML/JS with links pointing to trojan downloaders etc.
• Users with insecure browsers/OS who visit the infected websites get infected in turn, creating a NETwork.
• In some cases up to 10,00,000 (one million) sites have been infected in a single day.
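The A1 pattern from the first bullet, as an added example that is not from the slides: the same login query written once by splicing the input into the SQL text and once with bound parameters, run against a constructed in-memory SQLite table (plaintext passwords only to keep the A1 point short; see A7 for storage).

```python
import sqlite3

def make_db():
    """Constructed sample data (not from the slides): two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn

def login_vulnerable(conn, name, password):
    """Untrusted input is spliced into the SQL text, so the interpreter reads
    attacker-controlled characters as part of the command (the A1 flaw)."""
    sql = ("SELECT id, name FROM users WHERE name = '%s' AND password = '%s' "
           "ORDER BY id" % (name, password))
    return conn.execute(sql).fetchall()

def login_parameterized(conn, name, password):
    """Same query with bound parameters: the SQL text is fixed and the values
    travel separately, so quotes in the input are only data."""
    sql = "SELECT id, name FROM users WHERE name = ? AND password = ? ORDER BY id"
    return conn.execute(sql, (name, password)).fetchall()

# The textbook tautology payload, used here only to contrast the two functions:
# in the vulnerable query it turns the WHERE clause into "... OR '1'='1'".
PAYLOAD = "' OR '1'='1"

def demo():
    conn = make_db()
    return {"vulnerable": login_vulnerable(conn, "alice", PAYLOAD),
            "parameterized": login_parameterized(conn, "alice", PAYLOAD)}
```

The vulnerable variant returns every row without knowing any password; the parameterized one returns nothing, because the payload is compared as a literal password string.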
OWASP TOP 10 – A2 CROSS SITE SCRIPTING (XSS)
• XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
• Frequently used to steal your session.
• One of the most infamous examples is the MySpace Samy worm. In less than a day its author had more than a million friends and MySpace had to be shut down.
• An XSS bug on the website registration page can enable theft of registration details.
• Would you like your competitor to find out about all your new users?
OWASP TOP 10 – A3 BROKEN AUTHENTICATION
AND SESSION MANAGEMENT
• Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users’ identities.
• Developers tend to build custom authentication schemes which aren’t tested enough and may contain logical flaws as well.
• Technical impacts range from login theft to malicious users getting access to all account details.
• Generating a new password every time someone enters an email id in “forgot password” means anyone who knows an email id can lock that user out: a denial of service attack!
• Not destroying the session after a fixed time.
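The two failure modes in the last bullets, as an added example that is not from the slides: a forgot-password form that overwrites the password on every submission beside one that only issues a single-use, expiring reset token, plus a session lookup that destroys sessions after an idle and an absolute timeout. Stores, account names and timeouts are constructed for the example; `now` is passed in as a Unix timestamp so the behaviour is deterministic.

```python
import secrets
# Constructed in-memory stores (not from the slides). All names are hypothetical.
ACCOUNTS = {"alice@example.invalid": {"password": "old-password"}}
RESET_TOKENS = {}    # token -> (email, expires_at)
SESSIONS = {}        # sid -> {user, created, last_seen}
RESET_TTL = 15 * 60          # reset links live 15 minutes
IDLE_TIMEOUT = 30 * 60       # no activity for 30 minutes ends the session
ABSOLUTE_TIMEOUT = 8 * 3600  # and every session ends after 8 hours regardless

def forgot_password_vulnerable(email):
    """The slide's DoS: anyone who knows an email can overwrite that account's
    password just by submitting the form, locking the real owner out."""
    if email in ACCOUNTS:
        ACCOUNTS[email]["password"] = secrets.token_urlsafe(12)
        return "new password emailed"
    return "unknown email"

def forgot_password(email, now):
    """Nothing about the account changes. A random, expiring token is issued (and
    mailed); the reply is the same either way, so the form cannot enumerate accounts."""
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[token] = (email, now + RESET_TTL)
        return "if that address is registered, a reset link has been sent", token
    return "if that address is registered, a reset link has been sent", None

def redeem_reset(token, new_password, now):
    """Single use: the token is removed whether it is valid, expired or unknown."""
    email, expires_at = RESET_TOKENS.pop(token, (None, 0))
    if email is None or now > expires_at:
        return False
    ACCOUNTS[email]["password"] = new_password
    return True

def create_session(user, now):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "created": now, "last_seen": now}
    return sid

def session_user(sid, now):
    """Resolve a session id, destroying the session once either timeout has passed."""
    s = SESSIONS.get(sid)
    if s is None:
        return None
    if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
        del SESSIONS[sid]
        return None
    s["last_seen"] = now
    return s["user"]
```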
CONNECT THIS IMAGE TO WEB SECURITY
Paris Hilton
Tinkerbell
OWASP TOP 10 – A4 INSECURE DIRECT OBJECT
REFERENCE
• A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
• Technical impact can be letting unauthorized users download files not meant for them.
• A real world website has a page that displays an invoice for the user. It takes an id parameter. If we change the parameter, it shows the invoice of another user.
• Most people mistakenly think that if a file or folder is not linked from any web page it can’t be found by a malicious user.
OWASP TOP 10 – A5 CROSS SITE REQUEST
FORGERY
• A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application.
• This allows the attacker to force the victim’s browser to generate requests that the vulnerable application thinks are legitimate requests from the victim.
• Log you out of your email account.
• Add a rogue DNS entry in your ADSL modem!
• Create a filter in webmail to forward all email to a malicious user.
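The webmail filter case from the last bullet, as an added example that is not from the slides: a handler that trusts the session cookie alone beside one that also requires a per-session synchronizer token, which a page on another site cannot read. The session store, form fields and addresses are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory webmail session store (not from the slides):
# session id -> {user, csrf token, mail-forwarding filters}.
SESSIONS = {}

def create_session(user):
    """On login, mint a random per-session CSRF token next to the session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "filters": []}
    return sid

def csrf_token_for_form(sid):
    """The application puts this token into its own forms as a hidden field."""
    return SESSIONS[sid]["csrf"]

def add_filter_vulnerable(cookie_sid, form):
    """Trusts the session cookie alone. The browser attaches that cookie to a
    request forged by another site too, so the forwarding filter gets created."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401"
    session["filters"].append(form["forward_to"])
    return "200"

def add_filter_protected(cookie_sid, form):
    """Synchronizer token: the form must echo the per-session token, which a
    cross-site page cannot read. Compared in constant time."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return "403"
    session["filters"].append(form["forward_to"])
    return "200"

def demo():
    sid = create_session("victim")
    # Form posted from an attacker-controlled page: cookie rides along, no token.
    forged = {"forward_to": "mallory@example.invalid"}
    # Same form submitted from the application's own page, token included.
    legit = dict(forged, csrf_token=csrf_token_for_form(sid))
    return (add_filter_vulnerable(sid, forged),
            add_filter_protected(sid, forged),
            add_filter_protected(sid, legit),
            len(SESSIONS[sid]["filters"]))
```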
OWASP TOP 10 – A6 SECURITY
MISCONFIGURATION
• Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform.
• This includes keeping all software up to date, including all code libraries used by the application.
• Network Solutions were offering WordPress installations on a shared server. The main configuration file wp-config.php was world readable. The result was a mass hack of WordPress based websites.
• Shipping with default passwords!
OWASP TOP 10 – A7 INSECURE
CRYPTOGRAPHIC STORAGE
• Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing.
• Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
• Storing unsalted hashes computed with a known weak hash algorithm like MD5. Using rainbow tables, attackers can recover the stolen passwords in no time at all.
• Storing the encryption key in the same location as the encrypted files.
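The unsalted-MD5 bullet worked through, as an added example that is not from the slides: a five-entry list of common passwords stands in for a rainbow table and recovers every unsalted digest that matches, while the same passwords stored with a random per-user salt and PBKDF2 give different digests and cannot be looked up. The password list and "stolen" table are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table (not from the slides): a handful of
# common passwords whose unsalted MD5 digests an attacker has precomputed.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "hunter2"]

def store_md5_unsalted(password):
    """Weak storage as described on the slide: deterministic, fast, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def crack_with_table(stolen):
    """Build the table once, then look up every stolen digest. Because there
    is no salt, equal passwords give equal digests for every user and site."""
    table = {store_md5_unsalted(p): p for p in COMMON_PASSWORDS}
    return {user: table.get(digest) for user, digest in stolen.items()}

def store_pbkdf2_salted(password, iterations=200_000):
    """Random per-user salt plus a deliberately slow derivation. The salt is
    stored with the hash; no precomputed table can cover 2^128 salts."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def demo():
    # Constructed "stolen" table; carol's password is not in the attacker's list.
    stolen = {"alice": store_md5_unsalted("hunter2"),
              "bob": store_md5_unsalted("letmein"),
              "carol": store_md5_unsalted("correct horse battery staple")}
    a, b = store_pbkdf2_salted("hunter2"), store_pbkdf2_salted("hunter2")
    return {"cracked": crack_with_table(stolen),
            "same_password_same_digest": a == b,   # False: the salts differ
            "verifies": verify_pbkdf2("hunter2", a),
            "wrong_rejected": verify_pbkdf2("letmein", a)}
```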
OWASP TOP 10 – A8 FAILURE TO RESTRICT URL
ACCESS
• Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
• This can be due to either
• Simple misconfiguration
• Flawed coding or logic.
• Assuming that because a page is hidden it will never be found doesn’t usually end well. Anonymous users accessing pages meant for authenticated users, and authenticated users accessing admin pages, can have a negative impact.
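The invoice example from A4 and the hidden-URL point from A8 share one fix, a server-side check on every request, so both are covered by this added example (not from the slides): an invoice lookup that uses the id parameter directly beside one that verifies ownership, and a dispatcher that enforces the required role on each protected path. Invoices, users, routes and roles are constructed for the example.

```python
# Constructed sample data (not from the slides): invoices with an owner, users
# with a role, and a few routes. All names here are hypothetical.
INVOICES = {101: {"owner": "alice", "total": 120.0},
            102: {"owner": "bob", "total": 89.5}}
USERS = {"alice": "user", "bob": "user", "root": "admin"}   # None = anonymous
ROUTES = {"/account": "user", "/admin/users": "admin"}
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}

class Forbidden(Exception):
    pass

def role_of(user):
    return USERS.get(user, "anonymous")

def invoice_vulnerable(current_user, invoice_id):
    """A4 as on the slide: the id from the URL is used directly, so changing
    ?id=101 to ?id=102 returns another user's invoice."""
    return INVOICES[invoice_id]

def invoice_checked(current_user, invoice_id):
    """Fetch the object, then check that the requester owns it (or is admin)
    before returning it. Missing and forbidden get the same answer so the
    response does not reveal which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner"] != current_user
                           and role_of(current_user) != "admin"):
        raise Forbidden("invoice %r not available to %r" % (invoice_id, current_user))
    return invoice

def dispatch(current_user, path):
    """A8: the role check runs on every request to a protected URL, not only
    when deciding whether to render a link to it."""
    required = ROUTES.get(path)
    if required is None:
        return "404"
    if ROLE_RANK[role_of(current_user)] < ROLE_RANK[required]:
        return "403"
    return "200 " + path

def demo():
    results = {"vuln_a4": invoice_vulnerable("alice", 102)["owner"],
               "anon_admin": dispatch(None, "/admin/users"),
               "user_admin": dispatch("bob", "/admin/users"),
               "admin_admin": dispatch("root", "/admin/users"),
               "user_account": dispatch("alice", "/account")}
    try:
        invoice_checked("alice", 102)
        results["fixed_a4"] = "allowed"
    except Forbidden:
        results["fixed_a4"] = "denied"
    return results
```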
OWASP TOP 10 – A9 INSUFFICIENT TRANSPORT
LAYER PROTECTION
• Applications frequently fail to authenticate, encrypt, and
protect the confidentiality and integrity of sensitive
network traffic. When they do, they sometimes support
weak algorithms, use expired or invalid certificates, or
do not use them correctly.
• Login and password passed in clear text over the wire.
Anyone monitoring the traffic can get hold of the
credentials.
OWASP TOP 10 – A10 UNVALIDATED REDIRECTS
AND FORWARDS
• Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.
• Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
• A malicious user crafting a redirect that points to another site for phishing.
• A forward parameter coded to send the user either to the admin section or to the normal section.
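Both bullets above, as an added example that is not from the slides: a redirect that uses the `next` parameter as-is beside a validator that only accepts same-site targets, and a forward that resolves a key from a fixed map instead of taking a path from the request. The host names, default page and forward map are constructed settings.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical application settings (not from the slides).
OUR_HOSTS = {"example.com", "www.example.com"}
DEFAULT_AFTER_LOGIN = "/home"
FORWARDS = {"dashboard": "/account/dashboard", "orders": "/account/orders"}

def redirect_vulnerable(next_param):
    """Uses the untrusted 'next' parameter as-is: a link carrying
    ?next=http://evil.example sends the user wherever the link author chose."""
    return next_param

def safe_redirect_target(next_param, default=DEFAULT_AFTER_LOGIN):
    """Accept only same-site targets; anything else falls back to a fixed page.
    Rejects other schemes, protocol-relative '//host', backslashes and
    whitespace or control characters that some browsers tolerate."""
    if not next_param:
        return default
    candidate = next_param.strip()
    if not candidate.isprintable() or " " in candidate or "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: allowed only for our own hosts, and rebuilt from the
        # parsed pieces so userinfo and port in the original are dropped.
        if parts.scheme not in ("http", "https") or parts.hostname not in OUR_HOSTS:
            return default
        return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))

def forward_target(key):
    """Forwards are resolved from a fixed map of keys to pages, so a parameter
    naming '/admin' is simply not a key and lands on the default instead."""
    return FORWARDS.get(key, DEFAULT_AFTER_LOGIN)
```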
THE BEGINNING
• These are only the top 10 risks. There are many others that are very dangerous and should be guarded against, like
• Clickjacking, Denial of service, Information Leakage, Improper Error Handling, Insufficient Anti-automation, Lack of intrusion detection, Malicious file execution
• To develop secure code: ‘OWASP Developers Guide’
• To test web applications for security: ‘OWASP Testing Guide’
• To review web applications: ‘OWASP Code Review Guide’
• Keep yourself updated: join a local OWASP chapter
• Get on the mailing lists.
AKASH MAHAJAN | REACH ME
• Reach me on
• Website: akashm.com
• Email: [email protected]
• Twitter: @makash
• Linkedin: www.linkedin.com/in/akashm