Web App Security - OWASP Top 10 2013

Driss Amri
December 05, 2013


A quick overview of the OWASP Top 10 (2013 edition). For some of the attacks references are made to the Java solutions, but most of them are not shown on the slides but given verbally. For more information contact me at @drams88 on Twitter. This presentation was given during an Optis (www.optis.be) team meeting on 05/12/2013.

www.drissamri.be


Transcript

  1. Web Application Security

  2. Hi, I’m Driss @drams88 https://speakerdeck.com/drissamri

  3. None
  4. None
  5. Applications by Supplier Type: Internally developed / Commercial / Open Source

  6. Open Web Application Security Project (OWASP)

     • Top 10
     • Cheat Sheets
     • Development guides
     • ESAPI - Security API
     • WebGoat - JEE web application
     • Zed Attack Proxy - Penetration testing
  7. OWASP Top 10 - 2013: The Ten Most Critical Web Application Security Risks

     A1 - Injection
     A2 - Broken Auth. & Session Management
     A3 - Cross-Site Scripting (XSS)
     A4 - Insecure Direct Object References
     A5 - Security Misconfiguration
     A6 - Sensitive Data Exposure
     A7 - Missing Function Level Access Control
     A8 - Cross-Site Request Forgery (CSRF)
     A9 - Using Components with Known Vulnerabilities
     A10 - Unvalidated Redirects and Forwards
  8. A1 - Injection “Financial injection” - @Doug88888, http://www.flickr.com/photos/doug88888/4561376850/

  9. SQL Injection

     QUERY:  "SELECT * FROM Users WHERE username = '" + userName + "';"
     INPUT:  tobbawi
     RESULT: SELECT * FROM Users WHERE username = 'tobbawi';
     INPUT:  tobbawi' OR 'a' = 'a
     RESULT: SELECT * FROM Users WHERE username = 'tobbawi' OR 'a' = 'a';
  10. SQL Injection

     // JDBC: bind the user value as a parameter instead of concatenating it into the SQL
     String query = "SELECT * FROM Users WHERE name = ?";
     PreparedStatement statement = connection.prepareStatement(query);
     statement.setString(1, userName);

     // JPA: the same idea with a named parameter in JPQL
     String jpql = "SELECT u FROM User u WHERE u.name = :userName";
     TypedQuery<User> typedQuery = em.createQuery(jpql, User.class);
     typedQuery.setParameter("userName", userName);
  11. XML External Entity (XXE) Processing

     <?xml version="1.0" encoding="ISO-8859-1"?>
     <!DOCTYPE request [ <!ENTITY include SYSTEM "file:///etc/passwd" > ]>
     <request>
       <description> &include; </description>
       ...
     </request>

     RESULT:
     root:x:0:0:root:/root:/bin/bash
     daemon:x:1:1:daemon:/usr/sbin:/bin/sh
     bin:x:2:2:bin:/bin:/bin/sh
     sys:x:3:3:sys:/dev:/bin/sh
     sync:x:4:65534:sync:/bin:/bin/sync
     games:x:5:60:games:/usr/games:/bin/sh
     man:x:6:12:man:/var/cache/man:/bin/sh
     lp:x:7:7:lp:/var/spool/lpd:/bin/sh
     mail:x:8:8:mail:/var/mail:/bin/sh
     news:x:9:9:news:/var/spool/news:/bin/
  12. XML External Entity (XXE) Processing

     DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

     // Do not include external entities by setting this feature to false
     String FEATURE = "http://xml.org/sax/features/external-general-entities";
     dbf.setFeature(FEATURE, false);

     // Disallow an inline DTD by setting this feature to true
     FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
     dbf.setFeature(FEATURE, true);
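Added example (not from the deck): a complete hardened parser built from the two features on the slide plus the related entity switches, run against a constructed request of the same shape as slide 11. The request document and class name are assumptions for the demo.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SafeXmlParser {

    // Constructed sample with the same shape as the request on the slide (entity declared, then referenced).
    static final String XXE_REQUEST =
        "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>"
      + "<!DOCTYPE request [ <!ENTITY include SYSTEM \"file:///etc/passwd\"> ]>"
      + "<request><description>&include;</description></request>";

    static final String PLAIN_REQUEST = "<request><description>hello</description></request>";

    /** Factory configured with the two features from the slide plus the related entity switches. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Strongest option: refuse any DOCTYPE, so no entity can be declared at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DTD ever be allowed: never resolve external entities or DTDs.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Returns the <description> text, or null when the hardened parser rejected the document. */
    static String parseDescription(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getElementsByTagName("description").item(0).getTextContent();
        } catch (SAXParseException e) {
            // disallow-doctype-decl makes the parser fail on the DOCTYPE line before any entity is touched
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain    -> " + parseDescription(PLAIN_REQUEST));
        System.out.println("with DTD -> " + parseDescription(XXE_REQUEST));
    }
}
```

The plain request parses normally; the one carrying a DOCTYPE is rejected before the entity is ever resolved, which is the behaviour to expect in the logs of a hardened endpoint.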
  13. A2 - Broken Auth. & Session Management “Lion secured” - ericmcgregor, http://www.flickr.com/photos/ericmcgregor/103895441/
  14. • Password management
      • Credentials in Transit
      • Session Protection
      • Browser Caching
      • Trust Relationships
  15. Servlet 3.0

  16. None
  17. Level 0: No Plaintext Anywhere

  18. Level 1: Don’t Just Hash It

  19. Level 2: Salt it!

  20. Level 3: Computational Cost

  21. Level 4: Encryption

  22. Level 5: Distributed Data Storage

  23. A3 - XSS

  24. • Victim is the application user
      • Malicious content delivered to users using JavaScript
  25. Stored XSS Attacks (Persistent, Type-I XSS)

  26. Stored XSS Attacks (Persistent, Type-I XSS)

  27. Reflected XSS Attacks (Non-Persistent, Type-II XSS)

  28. Reflected XSS Attacks (Non-Persistent, Type-II XSS)

  29. “HTML5 broke my XSS filter!”

     Validate user input
     • Use a whitelist
     • Business validation checks
     Output encoding
     • Encode user data so it isn’t treated as markup
     Input filtering
     • Strip dangerous characters and tags from user data
  30. (Obfuscated HTML/CSS filter-evasion payload; mangled in extraction)

  31. (Obfuscated JavaScript written only with the characters []()!+ that evaluates to alert(1))
  32. <style> p { color: {{USER_COLOR}}; } </style>
      <p> Hello {{USER_NAME}}, view your <a href="{{USER_URL}}">Account</a>. </p>
      <script> var id = {{USER_ID}}; </script>
      <!-- DEBUG {{INFO}} -->
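Added example (not from the deck, and not the jquery-encoder library): the template on slide 32 rendered with the right defence per slot, since one encoder does not fit every context. HTML text and attribute slots are entity-encoded, the CSS value, URL scheme and numeric JavaScript slot are whitelist-validated, the DEBUG comment slot is simply not rendered, and a JavaScript string slot (not on the slide) is added to show the \xHH encoder. Class and method names are assumptions.

```java
import java.util.regex.Pattern;

public class ContextEncoder {

    /** HTML body and quoted-attribute context: the five characters that can start markup become entities. */
    static String encodeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** JavaScript string-literal context: hex-escape everything except ASCII letters and digits. */
    static String encodeJsString(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) out.append(c);
            else if (c < 256) out.append(String.format("\\x%02X", (int) c));
            else out.append(String.format("\\u%04X", (int) c));
        }
        return out.toString();
    }

    // Slots that encoding cannot make safe (CSS value, URL scheme, bare JS number) get whitelist validation.
    static final Pattern COLOR = Pattern.compile("#[0-9a-fA-F]{6}|[a-zA-Z]{1,20}");
    static final Pattern URL = Pattern.compile("https?://[^\\s\"'<>]+");
    static String safeColor(String s) { if (!COLOR.matcher(s).matches()) throw new IllegalArgumentException("color"); return s; }
    static String safeUrl(String s)   { if (!URL.matcher(s).matches())   throw new IllegalArgumentException("url");   return s; }
    static long   safeId(String s)    { return Long.parseLong(s); } // NumberFormatException on anything non-numeric

    /** The slide's template with one defence per slot; the DEBUG comment slot is dropped rather than encoded. */
    static String render(String color, String name, String url, String id, String greeting) {
        return "<style> p { color: " + safeColor(color) + "; } </style>\n"
             + "<p> Hello " + encodeHtml(name) + ", view your <a href=\"" + encodeHtml(safeUrl(url)) + "\">Account</a>. </p>\n"
             + "<script> var id = " + safeId(id) + "; var greeting = '" + encodeJsString(greeting) + "'; </script>";
    }

    public static void main(String[] args) {
        System.out.println(render("#336699", "<b>tobbawi</b>", "https://bank.example.com/account", "42", "Hi'; alert(1) //"));
    }
}
```

The constructed inputs in main carry markup and a quote-break in two different contexts; each ends up inert in the output because the slot it lands in chose its own defence.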
  33. https://github.com/chrisisbeef/jquery-encoder

  34. Content-Security-Policy

     • New browser feature for mitigating XSS and data-injection attacks
     • 1.0 W3C Candidate Recommendation (1.1 underway)
     • Whitelists "safe" script hosts
     • Content-Security-Policy HTTP header
  35. Content-Security-Policy:
      default-src 'none';
      style-src https://www.opt.is;
      frame-src https://www.youtube.com https://www.speakerdeck.com;
      script-src https://www.opt.is https://ssl.google-analytics.com;
      img-src 'self' https://www.opt.is;
      font-src https://www.opt.is;
      report-uri https://www.opt.is/csp-violation
  36. Content-Security-Policy: Chrome 25+, Firefox 23.0+, Opera 15+
      X-WebKit-CSP: Chrome 25, Safari 5.1+
      X-Content-Security-Policy: Firefox 22.0, Internet Explorer 10+*
      http://www.html5rocks.com/en/tutorials/security/content-security-policy/
  37. HTTP Headers

     • X-Frame-Options: DENY
     • Content-Security-Policy: …
     • X-XSS-Protection: 1; mode=block
     • X-Content-Type-Options: nosniff
     https://securityheaders.com/
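Added example (not from the deck): a Servlet 3.0 filter, registered by annotation, that sets the policy from slide 35 and the headers from slide 37 on every response. The class name is an assumption; the hosts are the slide's and would be replaced with your own.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/** Applies the response headers from the slides to every request path. */
@WebFilter("/*")
public class SecurityHeadersFilter implements Filter {

    // Policy from slide 35. No 'unsafe-inline' is listed, so inline <script> and style attributes stop working.
    static final String CSP =
          "default-src 'none'; "
        + "style-src https://www.opt.is; "
        + "frame-src https://www.youtube.com https://www.speakerdeck.com; "
        + "script-src https://www.opt.is https://ssl.google-analytics.com; "
        + "img-src 'self' https://www.opt.is; "
        + "font-src https://www.opt.is; "
        + "report-uri https://www.opt.is/csp-violation";

    @Override public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) response;
        http.setHeader("Content-Security-Policy", CSP);
        http.setHeader("X-Frame-Options", "DENY");          // no framing at all, blocks clickjacking
        http.setHeader("X-XSS-Protection", "1; mode=block"); // legacy browser filter, as listed on slide 37
        http.setHeader("X-Content-Type-Options", "nosniff"); // stop MIME sniffing of responses
        chain.doFilter(request, response);
    }

    @Override public void destroy() { }
}
```

Deploy with report-uri first and watch the violation reports before tightening further, since any inline script still present in the application will be blocked by this policy.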
  38. A4 - Insecure Direct Object References “Parallel lines” - theilr, http://www.flickr.com/photos/90863480@N00/10268837315/
  39. • Avoid exposing your private object references
      • Validate any private object references
      • Verify authorization to all referenced objects
  40. A5 - Security Misconfiguration “Unlocked” - BlakJakDavy, http://www.flickr.com/photos/74221558@N00/3653039689/

  41. • Apply software updates
      • Disable unnecessary features
      • Disable default accounts
      • Don’t reveal stack traces
  42. A6 - Sensitive Data Exposure “Watching YouTube” - Hero ♪, http://www.flickr.com/photos/60507644@N06/9677923769/
  43. • No data stored in clear text
      • Don’t transmit in clear text
      • Weak crypto algorithms & keys
      • Don’t store sensitive data unnecessarily
      • Disable auto-complete and caching
  44. A7 - Missing Function Level Access Control “Escape artist” - Amanda Tipton, http://www.flickr.com/photos/34039290@N06/7454420422/
  45. • Deny all by default
      • Authorization not (only) on front-end

  46. A8 - Cross-Site Request Forgery “Rustic 'Throne'” - RightBrainPhotography, http://www.flickr.com/photos/21757951@N00/2291533525/

  47. POST /transfer HTTP/1.1
      Host: bank.example.com
      Cookie: JSESSIONID=randomid; Domain=bank.example; HttpOnly
      Content-Type: application/x-www-form-urlencoded

      amount=100.00&routingNumber=1234&account=9876

      <form action="https://bank.example.com/transfer" method="post">
        <input type="hidden" name="amount" value="100.00"/>
        <input type="hidden" name="routingNumber" value="evilsRoutingNumber"/>
        <input type="hidden" name="account" value="evilsAccountNumber"/>
        <input type="submit" value="Win Money!"/>
      </form>
  48. CSRF tokens

     ▪ Spring Security 3.2
       <http …>
         <csrf />
       </http>
     ▪ Use proper HTTP Verbs
     ▪ Synchronizer Token Pattern
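Added example (not from the deck, and not Spring Security's implementation): the Synchronizer Token Pattern and the "proper HTTP verbs" rule from slide 48, checked against the scenario on slide 47. A Map stands in for HttpSession attributes; the field name _csrf and the class name are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class CsrfGuard {

    static final String SESSION_KEY = "csrfToken";
    static final SecureRandom RNG = new SecureRandom();

    /** One unguessable token per session, created lazily; the Map stands in for HttpSession attributes. */
    static String tokenFor(Map<String, Object> session) {
        String token = (String) session.get(SESSION_KEY);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(SESSION_KEY, token);
        }
        return token;
    }

    /** The hidden field every state-changing form on the site must carry. */
    static String hiddenField(Map<String, Object> session) {
        return "<input type=\"hidden\" name=\"_csrf\" value=\"" + tokenFor(session) + "\"/>";
    }

    /** Proper HTTP verbs: safe methods change nothing and need no token; everything else must match the session's. */
    static boolean isAllowed(String method, Map<String, Object> session, String submitted) {
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) return true;
        String expected = (String) session.get(SESSION_KEY);
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        System.out.println(hiddenField(session));
        // The bank's own transfer form echoes the token back: allowed.
        System.out.println("own form:   " + isAllowed("POST", session, tokenFor(session)));
        // The cross-site form from slide 47 only has the cookie riding along, no token: rejected.
        System.out.println("cross-site: " + isAllowed("POST", session, null));
        System.out.println("read-only:  " + isAllowed("GET", session, null));
    }
}
```

The pattern only holds if the site never changes state on GET, which is why "use proper HTTP verbs" sits beside the token on the slide.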
  49. A9 - Using Components with Known Vuln. “Sharp edged view” - lucymagoo_images, http://www.flickr.com/photos/lucymagoo/9286276021/
  50. • Apache CXF Authentication Bypass
      • Spring Remote Code Execution
      • Struts2 Remote Code Execution
  51. Common Vulnerabilities and Exposures: http://cve.mitre.org/
      National Vulnerability Database: http://nvd.nist.gov/home.cfm
      https://github.com/jeremylong/DependencyCheck
      mvn versions:display-dependency-updates
  52. A10 - Unvalidated Redirects and Forwards “One Almond Tree Under the Storm” - DavidFrutos, http://www.flickr.com/photos/davidfe2/5546540291/lightbox/
  53. • Review all redirects and forwards
      • Spider site for redirects

  54. None
  55. • Developer awareness
      • Software Development Lifecycle (SDLC)
      • Security automation

  56. None