Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web App Security - OWASP Top 10 2013

Driss Amri
December 05, 2013
Technology
3
900

Web App Security - OWASP Top 10 2013

A quick overview about the OWASP top 10 (2013 Edition). For some of the attacks references are made to the Java solutions but most of them are not shown on slide but brought verbally. For more information contact me at @drams88 on Twitter. This presentation was presented during a Optis (www.optis.be) team meeting on 05/12/2013.

www.drissamri.be

Driss Amri

December 05, 2013
Tweet

More Decks by Driss Amri

See All by Driss Amri
Getting started w/ Serverless @ AWS UG
drissamri
0
5
Serverless - Lessons Learned - Nike Brown Bag
drissamri
0
210
Serverless on AWS - Lessons learned
drissamri
4
170
Introduction to JHipster
drissamri
0
300
Social Business with IBM Connections
drissamri
0
120
Smarter Commerce with WebSphere Commerce
drissamri
0
180

Other Decks in Technology

See All in Technology
私と Nature Remo E / Nature Remo E
orgachem
0
390
ZOZOTOWNの裏側に迫る! Javaで作られたBFFの開発事例を紹介
yutaro527
0
420
ZOZOTOWNの検索APIにキャッシュを導入、実装時の工夫や効果について
sattosan
0
400
Cloudflare WorkersとKVで キャッシュを非同期に更新する | Cloudflare Meetup Nagoya
aiji42
0
130
ITエンジニアとして大切にしている3つのこと
korodroid
1
600
計測できるレガシーさを捉え、コード改善に対処する / phperkaigi2023
blue_goheimochi
0
230
Privacy Techによる新しいデータ活用の形
line_developers
PRO
1
230
AWS Lambda PHPのProduction利用を続ける僕がAWS App Runnerの可能性を探る
seike460
PRO
3
440
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
260
チームで定期的にブログを書けるようにした / Tips for writing regular technical blog posts with your team
nttcom
0
130
サクッとAWS入門+モダン開発の基本
minorun365
6
2.8k
ビギナー向け エッジランタイムのすすめ | エッジランタイムを意識した開発をはじめよう
aiji42
1
710

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.7k
Facilitating Awesome Meetings
lara
34
4.7k
Side Projects
sachag
451
38k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
224
50k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
38
3.7k
Optimizing for Happiness
mojombo
366
65k
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k
Teambox: Starting and Learning
jrom
124
8k
Building Applications with DynamoDB
mza
86
5k
The Web Native Designer (August 2011)
paulrobertlloyd
77
2.3k
A designer walks into a library…
pauljervisheath
199
16k
Pencils Down: Stop Designing & Start Developing
hursman
114
10k

Transcript

  1. Web Application Security

    View Slide

  2. Hi, I’m Driss
    @drams88
    https://speakerdeck.com/drissamri

    View Slide

  3. View Slide

  4. View Slide

  5. Internally developed
    Commercial
    Open Source
    Applications by Supplier Type

    View Slide

  6. Open Web Application Security Project
    (OWASP)
    Top 10
    Cheat Sheets
    Development guides
    ESAPI - Security API
    WebGoat - JEE web application
    Zed Attack Proxy - Penetration testing

    View Slide

  7. A1 - Injection
    A2 - Broken Auth. & Session Management
    A3 - Cross-Site Scripting (XSS)
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery (CSRF)
    A9 - Using Components with Known Vulnerabilities
    A10 - Unvalidated Redirects and Forwards
    OWASP Top 10 - 2013
    The Ten Most Critical Web Application Security Risks

    View Slide

  8. A1 - Injection
    “Financial injection” - @Doug88888, http://www.flickr.com/photos/doug88888/4561376850/

    View Slide

  9. SELECT * FROM Users WHERE username = ‘“ + userName + “‘;
    SQL Injection
    tobbawi
    SELECT * FROM Users WHERE username = ‘tobbawi’;
    QUERY
    INPUT
    RESULT
    SELECT * FROM Users WHERE username = ‘tobbawi' OR 'a' = 'a’;
    tobbawi’ OR 'a' = 'a
    INPUT
    RESULT

    View Slide

  10. String query = “SELECT * FROM Users WHERE name = ?”;
    PreparedStatement statement = connection.prepareStatement(query);
    statement.setString(1, userName);
    String query = “SELECT * FROM USERS WHERE name = :userName”;
    TypedQuery query = em.createQuery(query , User.class);
    query.setParameter(“userName”, userName)
    SQL Injection

    View Slide

  11. XML External Entity (XXE) Processing



    ]>

    &include;
    ...

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/

    View Slide

  12. XML External Entity (XXE) Processing
    Do not include external entities by setting this feature to
    false
    String FEATURE = "http://xml.org/sax/features/external-general-entities";
    dbf.setFeature(FEATURE, false);
    Disallow an inline DTD by setting this feature to true
    String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    dbf.setFeature(FEATURE, true);

    View Slide

  13. A2 - Broken Auth. & Session Management
    “Lion secured” - ericmcgregor, http://www.flickr.com/photos/ericmcgregor/103895441/

    View Slide

  14. Password management
    Credentials in Transit
    Session Protection
    Browser Caching
    Trust Relationships

    View Slide

  15. Servlet 3.0

    View Slide

  16. View Slide

  17. Level 0: No Plaintext Anywhere

    View Slide

  18. Level 1: Don’t Just Hash It

    View Slide

  19. Level 2: Salt it!

    View Slide

  20. Level 3: Computational Cost

    View Slide

  21. Level 4: Encryption

    View Slide

  22. Level 5: Distributed Data Storage

    View Slide

  23. A3 - XSS

    View Slide

  24. victim is the application user
    malicious content delivered to users using
    JavaScript

    View Slide

  25. Stored XSS Attacks (Persistent, Type-I XSS)

    View Slide

  26. Stored XSS Attacks (Persistent, Type-I XSS)

    View Slide

  27. Reflected XSS Attacks (Non-Persistent, Type-II XSS)

    View Slide

  28. Reflected XSS Attacks (Non-Persistent, Type-II XSS)

    View Slide

  29. “HTML5 broke my XSS filter!”
    Validate user input

    Use a whitelist

    Business validation checks
    Output encoding

    Encode user data so it isn’t treated as markup
    Input filtering

    Strip dangerous characters and tags from user data

    View Slide

  30. 1;--(#default#time2)';'`/onbegin=[�=\u00
    54;1lert(1)]//y,z\>

    View Slide

  31. [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+
    []]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+
    (!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])
    [+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+
    [+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([]
    [(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]
    +(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+
    []]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!!
    []+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+
    [])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!
    +[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+
    []+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+
    [+[]]])()
    alert(1)

    View Slide

  32. <br/>p { color: {{USER_COLOR}} ; }<br/>

    Hello {{USER_NAME}}, view your
    Account.

    <br/>var id = {{USER_ID}};<br/>

    View Slide

  33. https://github.com/chrisisbeef/jquery-encoder

    View Slide

  34. Content-Security-Policy
    New browser feature for mitigating XSS and data-injection attacks
    1.0 W3C Candidate Recommendation (1.1 underway)
    Whitelists "safe" script hosts
    Content-Security-Policy HTTP header

    View Slide

  35. Content-Security-Policy
    default-src ‘none’;
    style-src: https://www.opt.is;
    frame-src https://www.youtube.com
    https://www.speakerdeck.com;
    script-src https://www.opt.is
    https://ssl.google-analytics.com;
    img-src ‘self’
    https://www.opt.is;
    font-src https://www.opt.is;
    report-uri https://www.opt.is/csp-violation

    View Slide

  36. Content-Security-Policy: Chrome 25+, Firefox 23.0+, Opera 15+
    X-WebKit-CSP: Chrome 25, Safari 5.1+
    X-Content-Security-Policy: Firefox 22.0, Internet Explorer 10+*
    http://www.html5rocks.com/en/tutorials/security/content-security-policy/

    View Slide


  37. X-Frame-Options: DENY

    Content-Security-Policy: …

    X-XSS-Protection: 1; mode=block

    X-Content-Type-Options: nosniff
    HTTP Headers
    https://securityheaders.com/

    View Slide

  38. A4 - Insecure Direct Object References
    “Parallel lines” - theilr, http://www.flickr.com/photos/[email protected]/10268837315/

    View Slide

  39. Avoid exposing your private object references
    Validate any private object references
    Verify authorization to all references objects

    View Slide

  40. A5 - Security Misconfiguration
    “Unlocked” - BlakJakDavy, http://www.flickr.com/photos/[email protected]/3653039689/

    View Slide

  41. Apply software updates
    Disable unnecessary features
    Disable default accounts
    Don’t reveal stack traces

    View Slide

  42. A6 - Sensitive Data Exposure
    “Watching YouTube” - Hero ♪, http://www.flickr.com/photos/[email protected]/9677923769/

    View Slide

  43. No data stored in clear text
    Don’t transmit in clear text
    Weak crypto algorithms & keys
    Don’t store sensitive data unnecessarily
    Disable auto-complete and caching

    View Slide

  44. A7 - Missing Function Level Access Control
    “Escape artist” - Amanda Tipton, http://www.flickr.com/photos/[email protected]/7454420422/

    View Slide

  45. Deny all by default
    Authorization not (only) on front-end

    View Slide

  46. A8 - Cross-Site Request Forgery
    “Rustic 'Throne'” - RightBrainPhotography, http://www.flickr.com/photos/[email protected]/2291533525/

    View Slide

  47. POST /transfer HTTP/1.1 Host: bank.example.com Cookie: JSESSIONID=randomid;
    Domain=bank.example; HttpOnly Content-Type: application/x-www-form-urlencoded
    amount=100.00&routingNumber=1234&account=9876


    />

    View Slide

  48. CSRF tokens
    ■ Spring Security 3.2



    Use proper HTTP Verbs
    Synchronizer Token Pattern

    View Slide

  49. A9 - Using Components with Known Vuln.
    “Sharp edged view” - lucymagoo_images, http://www.flickr.com/photos/lucymagoo/9286276021/

    View Slide

  50. Apache CXF Authentication Bypass
    Spring Remote Code Execution
    Struts2 Remote Code Execution

    View Slide

  51. Common Vulnerabilities and Exposures
    http://cve.mitre.org/
    https://github.com/jeremylong/DependencyCheck
    National Vulnerability Database
    http://nvd.nist.gov/home.cfm
    mvn versions:display-dependency-updates

    View Slide

  52. A10 - Unvalidated Redirects and Forwards
    “One Almond Tree Under the Storm” - DavidFrutos, http://www.flickr.com/photos/davidfe2/5546540291/lightbox/

    View Slide

  53. Review all redirects and forwards
    Spider site for redirects

    View Slide

  54. View Slide

  55. Developer awareness
    Software Development Lifecycle (SDLC)
    Security automation

    View Slide

  56. View Slide