
Web App Security - OWASP Top 10 2013

Driss Amri
December 05, 2013


A quick overview of the OWASP Top 10 (2013 edition). For some of the attacks, references are made to the Java solutions, but most of these are not shown on the slides and were given verbally. For more information contact me at @drams88 on Twitter. This presentation was given during an Optis (www.optis.be) team meeting on 05/12/2013.

www.drissamri.be


Transcript

  1. Web Application Security

  2. Hi, I’m Driss
    @drams88
    https://speakerdeck.com/drissamri

  5. Applications by Supplier Type
    Internally developed
    Commercial
    Open Source

  6. Open Web Application Security Project (OWASP)
    Top 10
    Cheat Sheets
    Development guides
    ESAPI - Security API
    WebGoat - JEE web application
    Zed Attack Proxy - Penetration testing

  7. OWASP Top 10 - 2013
    The Ten Most Critical Web Application Security Risks
    A1 - Injection
    A2 - Broken Auth. & Session Management
    A3 - Cross-Site Scripting (XSS)
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery (CSRF)
    A9 - Using Components with Known Vulnerabilities
    A10 - Unvalidated Redirects and Forwards

  8. A1 - Injection
    “Financial injection” - @Doug88888, http://www.flickr.com/photos/doug88888/4561376850/

  9. SQL Injection
    QUERY:  "SELECT * FROM Users WHERE username = '" + userName + "';"

    INPUT:  tobbawi
    RESULT: SELECT * FROM Users WHERE username = 'tobbawi';

    INPUT:  tobbawi' OR 'a' = 'a
    RESULT: SELECT * FROM Users WHERE username = 'tobbawi' OR 'a' = 'a';

  10. SQL Injection
    // JDBC: bind the value through a PreparedStatement instead of concatenating it
    String query = "SELECT * FROM Users WHERE name = ?";
    PreparedStatement statement = connection.prepareStatement(query);
    statement.setString(1, userName);

    // JPA: the same with a named parameter in a JPQL query
    String jpql = "SELECT u FROM User u WHERE u.name = :userName";
    TypedQuery<User> typedQuery = em.createQuery(jpql, User.class);
    typedQuery.setParameter("userName", userName);

  11. XML External Entity (XXE) Processing
    ]>

    &include;
    ...

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/

  12. XML External Entity (XXE) Processing
    // dbf is the javax.xml.parsers.DocumentBuilderFactory used to create the parser
    Do not resolve external general entities: set this feature to false
    String FEATURE = "http://xml.org/sax/features/external-general-entities";
    dbf.setFeature(FEATURE, false);
    Disallow an inline DTD (any DOCTYPE declaration): set this feature to true
    String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    dbf.setFeature(FEATURE, true);
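As an added example (not code from the deck), the two features above applied to a DocumentBuilderFactory together with the parameter-entity and secure-processing settings that belong with them, followed by a check that a document carrying a DOCTYPE is refused while a plain one parses. The class and method names are my own.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Hypothetical helper: a DocumentBuilder that rejects DTDs and never fetches external entities.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE is the strongest single setting: no DTD, no entity declarations.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a parser implementation ignores the DOCTYPE feature.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Returns true when the document was accepted, false when the hardened parser refused it.
    static boolean parses(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder = newHardenedBuilder();
        // Constructed input: an ordinary document without a DTD is accepted.
        String plain = "<user><name>tobbawi</name></user>";
        // Constructed input: a document with an inline DTD is refused before its entity is ever expanded.
        String withDtd = "<!DOCTYPE user [<!ENTITY include \"placeholder\">]><user>&include;</user>";
        System.out.println("plain document parsed: " + parses(builder, plain));
        System.out.println("document with DOCTYPE parsed: " + parses(builder, withDtd));
    }
}
```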

  13. A2 - Broken Auth. & Session Management
    “Lion secured” - ericmcgregor, http://www.flickr.com/photos/ericmcgregor/103895441/

  14. Password management
    Credentials in Transit
    Session Protection
    Browser Caching
    Trust Relationships

  15. Servlet 3.0

  17. Level 0: No Plaintext Anywhere

  18. Level 1: Don’t Just Hash It

  19. Level 2: Salt it!

  20. Level 3: Computational Cost

  21. Level 4: Encryption

  22. Level 5: Distributed Data Storage

  23. A3 - XSS

  24. The victim is the application user
    Malicious content is delivered to users through JavaScript

  25. Stored XSS Attacks (Persistent, Type-I XSS)

  27. Reflected XSS Attacks (Non-Persistent, Type-II XSS)

  29. “HTML5 broke my XSS filter!”
    Validate user input: use a whitelist; business validation checks
    Output encoding: encode user data so it isn’t treated as markup
    Input filtering: strip dangerous characters and tags from user data

  30. (XSS filter-bypass payload; garbled in transcription)

  31. (JavaScript written entirely in []()!+ characters, equivalent to:)
    alert(1)

  32. p { color: {{USER_COLOR}}; }            (CSS context)
    Hello {{USER_NAME}}, view your Account.   (HTML context)
    var id = {{USER_ID}};                      (JavaScript context)

  33. https://github.com/chrisisbeef/jquery-encoder

  34. Content-Security-Policy
    New browser feature for mitigating XSS and data-injection attacks
    1.0 W3C Candidate Recommendation (1.1 underway)
    Whitelists "safe" script hosts
    Content-Security-Policy HTTP header

  35. Content-Security-Policy
    default-src 'none';
    style-src https://www.opt.is;
    frame-src https://www.youtube.com https://www.speakerdeck.com;
    script-src https://www.opt.is https://ssl.google-analytics.com;
    img-src 'self' https://www.opt.is;
    font-src https://www.opt.is;
    report-uri https://www.opt.is/csp-violation

  36. Content-Security-Policy: Chrome 25+, Firefox 23.0+, Opera 15+
    X-WebKit-CSP: Chrome 25, Safari 5.1+
    X-Content-Security-Policy: Firefox 22.0, Internet Explorer 10+*
    http://www.html5rocks.com/en/tutorials/security/content-security-policy/

  37. HTTP Headers
    X-Frame-Options: DENY
    Content-Security-Policy: …
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    https://securityheaders.com/

  38. A4 - Insecure Direct Object References
    “Parallel lines” - theilr, http://www.flickr.com/photos/90863480@N00/10268837315/

  39. Avoid exposing your private object references
    Validate any private object references
    Verify authorization for all referenced objects

  40. A5 - Security Misconfiguration
    “Unlocked” - BlakJakDavy, http://www.flickr.com/photos/74221558@N00/3653039689/

  41. Apply software updates
    Disable unnecessary features
    Disable default accounts
    Don’t reveal stack traces

  42. A6 - Sensitive Data Exposure
    “Watching YouTube” - Hero ♪, http://www.flickr.com/photos/60507644@N06/9677923769/

  43. No data stored in clear text
    Don’t transmit in clear text
    Avoid weak crypto algorithms & keys
    Don’t store sensitive data unnecessarily
    Disable auto-complete and caching

  44. A7 - Missing Function Level Access Control
    “Escape artist” - Amanda Tipton, http://www.flickr.com/photos/34039290@N06/7454420422/

  45. Deny all by default
    Authorization not (only) on the front-end

  46. A8 - Cross-Site Request Forgery
    “Rustic 'Throne'” - RightBrainPhotography, http://www.flickr.com/photos/21757951@N00/2291533525/

  47. POST /transfer HTTP/1.1
    Host: bank.example.com
    Cookie: JSESSIONID=randomid; Domain=bank.example; HttpOnly
    Content-Type: application/x-www-form-urlencoded

    amount=100.00&routingNumber=1234&account=9876

  48. CSRF tokens
    ■ Spring Security 3.2
    Use proper HTTP verbs
    Synchronizer Token Pattern
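The Synchronizer Token Pattern from the slide above in plain Java, as an added example and not the deck's or Spring Security's code: one unpredictable token per session, rendered into the application's own forms and required on every state-changing verb, so a request forged from another origin cannot carry it. The session is modelled as a Map and the class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class CsrfToken {
    static final String SESSION_KEY = "csrf.token";   // assumed session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    // Issue one unpredictable token per session and keep it server-side; reuse it on later calls.
    static String issue(Map<String, Object> session) {
        String existing = (String) session.get(SESSION_KEY);
        if (existing != null) return existing;
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_KEY, token);
        return token;
    }

    // Accept a request only if it is a safe verb or carries the token stored in this session.
    static boolean isValid(String method, Map<String, Object> session, String submitted) {
        if (method.equals("GET") || method.equals("HEAD") || method.equals("OPTIONS")) {
            return true;  // safe verbs must not change state, which is why the verb choice matters
        }
        String expected = (String) session.get(SESSION_KEY);
        if (expected == null || submitted == null) return false;
        // Constant-time comparison so timing does not reveal how much of the token matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String token = issue(session);  // would be rendered into the bank's transfer form as a hidden field
        // Constructed requests: the legitimate form submission carries the token, a forged one cannot.
        System.out.println("legitimate POST /transfer accepted: " + isValid("POST", session, token));
        System.out.println("forged POST /transfer accepted: " + isValid("POST", session, null));
        System.out.println("GET /balance accepted: " + isValid("GET", session, null));
    }
}
```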

  49. A9 - Using Components with Known Vuln.
    “Sharp edged view” - lucymagoo_images, http://www.flickr.com/photos/lucymagoo/9286276021/

  50. Apache CXF Authentication Bypass
    Spring Remote Code Execution
    Struts2 Remote Code Execution

  51. Common Vulnerabilities and Exposures
    http://cve.mitre.org/
    https://github.com/jeremylong/DependencyCheck
    National Vulnerability Database
    http://nvd.nist.gov/home.cfm
    mvn versions:display-dependency-updates

  52. A10 - Unvalidated Redirects and Forwards
    “One Almond Tree Under the Storm” - DavidFrutos, http://www.flickr.com/photos/davidfe2/5546540291/lightbox/

  53. Review all redirects and forwards
    Spider the site for redirects

  55. Developer awareness
    Software Development Lifecycle (SDLC)
    Security automation