
Web App Security - OWASP Top 10 2013

Driss Amri
December 05, 2013


A quick overview of the OWASP Top 10 (2013 edition). For some of the attacks, references are made to Java solutions, but most of them are not shown on the slides and were given verbally. For more information contact me at @drams88 on Twitter. This presentation was given during an Optis (www.optis.be) team meeting on 05/12/2013.


  1. Open Web Application Security Project (OWASP)
     • Top 10
     • Cheat Sheets
     • Development guides
     • ESAPI - Security API
     • WebGoat - JEE web application
     • Zed Attack Proxy - Penetration testing
  2. OWASP Top 10 - 2013: The Ten Most Critical Web Application Security Risks
     A1 - Injection
     A2 - Broken Auth. & Session Management
     A3 - Cross-Site Scripting (XSS)
     A4 - Insecure Direct Object References
     A5 - Security Misconfiguration
     A6 - Sensitive Data Exposure
     A7 - Missing Function Level Access Control
     A8 - Cross-Site Request Forgery (CSRF)
     A9 - Using Components with Known Vulnerabilities
     A10 - Unvalidated Redirects and Forwards
  3. SQL Injection

     QUERY:  "SELECT * FROM Users WHERE username = '" + userName + "';"
     INPUT:  tobbawi
     RESULT: SELECT * FROM Users WHERE username = 'tobbawi';
     INPUT:  tobbawi' OR 'a' = 'a
     RESULT: SELECT * FROM Users WHERE username = 'tobbawi' OR 'a' = 'a';
  4. SQL Injection - bind parameters instead of concatenating

     JDBC:
       String query = "SELECT * FROM Users WHERE name = ?";
       PreparedStatement statement = connection.prepareStatement(query);
       statement.setString(1, userName);

     JPA (JPQL):
       String jpql = "SELECT u FROM User u WHERE u.name = :userName";
       TypedQuery<User> query = em.createQuery(jpql, User.class);
       query.setParameter("userName", userName);
  5. XML External Entity (XXE) Processing

     <?xml version="1.0" encoding="ISO-8859-1"?>
     <!DOCTYPE request [ <!ENTITY include SYSTEM "file=/etc/passwd" > ]>
     <request>
       <description> &include; </description>
       ...
     </request>

     Result:
     root:x:0:0:root:/root:/bin/bash
     daemon:x:1:1:daemon:/usr/sbin:/bin/sh
     bin:x:2:2:bin:/bin:/bin/sh
     sys:x:3:3:sys:/dev:/bin/sh
     sync:x:4:65534:sync:/bin:/bin/sync
     games:x:5:60:games:/usr/games:/bin/sh
     man:x:6:12:man:/var/cache/man:/bin/sh
     lp:x:7:7:lp:/var/spool/lpd:/bin/sh
     mail:x:8:8:mail:/var/mail:/bin/sh
     news:x:9:9:news:/var/spool/news:/bin/
  6. XML External Entity (XXE) Processing - hardening the parser

     Do not include external entities, by setting this feature to false:
       String FEATURE = "http://xml.org/sax/features/external-general-entities";
       dbf.setFeature(FEATURE, false);

     Disallow an inline DTD, by setting this feature to true:
       String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
       dbf.setFeature(FEATURE, true);
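As an added example (not from the deck), a DocumentBuilderFactory configured with the two features from this slide plus the related Xerces features, run against a constructed document carrying an external-entity DTD; the class name, the placeholder URL and the benign sample are mine:

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class XxeSafeParser {

    // Constructed sample: same shape as slide 5, but pointing at an obvious placeholder.
    static final String HOSTILE_XML =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE request [ <!ENTITY include SYSTEM \"file:///example-placeholder\"> ]>"
      + "<request><description>&include;</description></request>";

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Slide 6: refuse any inline DTD; this alone stops entity-based XXE before resolution
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Slide 6: never resolve external general entities
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // Defence in depth: no parameter entities, no external DTD fetch, no XInclude, no expansion
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Returns true if the parser accepted the document, false if it rejected it. */
    static boolean accepts(DocumentBuilderFactory dbf, String xml) {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {   // SAXParseException on the DOCTYPE, or an IOException
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String benign = "<request><description>hello</description></request>";
        System.out.println("benign accepted:  " + accepts(hardenedFactory(), benign));
        System.out.println("hostile accepted: " + accepts(hardenedFactory(), HOSTILE_XML));
    }
}
```

With the hardened factory the benign document parses and the hostile one is rejected with a SAXParseException on the DOCTYPE, so the entity is never resolved.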
  7. A2 - Broken Auth. & Session Management
     ("Lion secured" - ericmcgregor, http://www.flickr.com/photos/ericmcgregor/103895441/)
  8. "HTML5 broke my XSS filter!"
     Validate user input
       • Use a whitelist
       • Business validation checks
     Output encoding
       • Encode user data so it isn't treated as markup
     Input filtering
       • Strip dangerous characters and tags from user data
  9. One template, five output contexts:

     <style> p { color: {{USER_COLOR}}; } </style>
     <p> Hello {{USER_NAME}}, view your <a href="{{USER_URL}}">Account</a>. </p>
     <script> var id = {{USER_ID}}; </script>
     <!-- DEBUG {{INFO}} -->
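The template above needs a different encoder or validator for each placeholder; as an added example (not from the deck), one routine per context, rendered against constructed hostile inputs. The class, the fallback values ("inherit", "#", "0") and the inputs are mine:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

public class ContextEncoders {
    // CSS value context ({{USER_COLOR}}): encoding cannot neutralise arbitrary CSS, so whitelist.
    static final Pattern COLOR = Pattern.compile("^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$");

    static String cssColor(String s) {
        return COLOR.matcher(s).matches() ? s : "inherit";
    }
    // HTML text and quoted-attribute context ({{USER_NAME}}): entity-encode the five metacharacters.
    static String html(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // URL attribute context ({{USER_URL}}): whitelist the scheme first, then HTML-encode for the attribute.
    static String hrefUrl(String s) {
        try {
            String scheme = new URI(s).getScheme();
            if ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme)) return html(s);
        } catch (URISyntaxException ignored) { }
        return "#";
    }

    // JavaScript numeric context ({{USER_ID}}): accept only an integer; anything else becomes 0.
    static String jsNumber(String s) {
        try { return Long.toString(Long.parseLong(s)); } catch (NumberFormatException e) { return "0"; }
    }

    // HTML comment context ({{INFO}}): no "--" and no ">" may survive, so the comment cannot be closed.
    static String htmlComment(String s) {
        return s.replaceAll("-{2,}|>", " ");
    }

    static String render(String color, String name, String url, String id, String info) {
        return "<style> p { color: " + cssColor(color) + "; } </style>\n"
             + "<p> Hello " + html(name) + ", view your <a href=\"" + hrefUrl(url) + "\">Account</a>. </p>\n"
             + "<script> var id = " + jsNumber(id) + "; </script>\n"
             + "<!-- DEBUG " + htmlComment(info) + " -->";
    }

    public static void main(String[] args) {
        // Constructed hostile inputs, one aimed at each context
        System.out.println(render("red; } </style><script>x()</script>", "<b>Bob</b>",
                                  "javascript:alert(1)", "1; steal()", "x --> <script>"));
    }
}
```

Each hostile value either falls back to a harmless default (colour, URL, id) or comes out as inert text (name, comment), which is the point of slide 8's "encode so it isn't treated as markup".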
  10. Content-Security-Policy
      • New browser feature for mitigating XSS and data-injection attacks
      • 1.0 W3C Candidate Recommendation (1.1 underway)
      • Whitelists "safe" script hosts
      • Content-Security-Policy HTTP header
  11. Example policy (one header value; directives separated by semicolons):

      Content-Security-Policy:
        default-src 'none';
        style-src https://www.opt.is;
        frame-src https://www.youtube.com https://www.speakerdeck.com;
        script-src https://www.opt.is https://ssl.google-analytics.com;
        img-src 'self' https://www.opt.is;
        font-src https://www.opt.is;
        report-uri https://www.opt.is/csp-violation
  12. Header name by browser
      • Content-Security-Policy: Chrome 25+, Firefox 23.0+, Opera 15+
      • X-WebKit-CSP: Chrome 25, Safari 5.1+
      • X-Content-Security-Policy: Firefox 22.0, Internet Explorer 10+*
      http://www.html5rocks.com/en/tutorials/security/content-security-policy/
  13. HTTP Headers
      • X-Frame-Options: DENY
      • Content-Security-Policy: …
      • X-XSS-Protection: 1; mode=block
      • X-Content-Type-Options: nosniff
      https://securityheaders.com/
  14. A4 - Insecure Direct Object References ("Parallel lines" - theilr)

  15. Insecure Direct Object References - mitigations
      • Avoid exposing your private object references
      • Validate any private object references
      • Verify authorization to all referenced objects
  16. A6 - Sensitive Data Exposure ("Watching YouTube" - Hero ♪)

  17. Sensitive Data Exposure
      • No data stored in clear text
      • Don't transmit in clear text
      • Weak crypto algorithms & keys
      • Don't store sensitive data unnecessarily
      • Disable auto-complete and caching
  18. A7 - Missing Function Level Access Control
      ("Escape artist" - Amanda Tipton, http://www.flickr.com/photos/34039290@N06/7454420422/)
  19. Cross-Site Request Forgery (CSRF)

      The legitimate request:
        POST /transfer HTTP/1.1
        Host: bank.example.com
        Cookie: JSESSIONID=randomid; Domain=bank.example; HttpOnly
        Content-Type: application/x-www-form-urlencoded

        amount=100.00&routingNumber=1234&account=9876

      The same request, forged by a form on another site (the browser attaches the cookie):
        <form action="https://bank.example.com/transfer" method="post">
          <input type="hidden" name="amount" value="100.00"/>
          <input type="hidden" name="routingNumber" value="evilsRoutingNumber" />
          <input type="hidden" name="account" value="evilsAccountNumber"/>
          <input type="submit" value="Win Money!"/>
        </form>
  20. CSRF tokens
      • Synchronizer Token Pattern
      • Use proper HTTP verbs
      • Spring Security 3.2:
          <http …>
            <csrf />
          </http>
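As an added example (not from the deck, and not Spring Security's implementation), the Synchronizer Token Pattern from this slide in plain Java: a per-session random token, demanded on non-safe verbs and compared in constant time. The class, the "_csrf" key and the Map standing in for HttpSession are mine:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class CsrfTokenGuard {
    static final String SESSION_KEY = "_csrf";        // key and form-field name chosen for this example
    static final SecureRandom RNG = new SecureRandom();

    /** Issue (or reuse) the session's token; the server embeds it in every state-changing form. */
    static String tokenFor(Map<String, Object> session) {
        String token = (String) session.get(SESSION_KEY);
        if (token == null) {
            byte[] raw = new byte[32];                   // 256 bits: unguessable by the attacker's page
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(SESSION_KEY, token);
        }
        return token;
    }

    /** Validate a request: the token must arrive in the body or a header, never from a cookie. */
    static boolean isValid(Map<String, Object> session, String method, String submittedToken) {
        // "Use proper HTTP verbs": safe methods must not change state, so they carry no token.
        if (method.equals("GET") || method.equals("HEAD") || method.equals("OPTIONS")) return true;
        String expected = (String) session.get(SESSION_KEY);
        if (expected == null || submittedToken == null) return false;
        // Constant-time comparison, so a timing side channel cannot leak the token byte by byte.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();  // stands in for the user's HttpSession
        String token = tokenFor(session);                // rendered as <input type="hidden" name="_csrf">
        System.out.println("legit POST:  " + isValid(session, "POST", token));
        System.out.println("forged POST: " + isValid(session, "POST", null));   // slide-19 form has no token
        System.out.println("wrong token: " + isValid(session, "POST", "guess"));
    }
}
```

The forged form from slide 19 fails because the attacker's page cannot read the victim's session token, while the cookie alone is still sent by the browser.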
  21. A9 - Using Components with Known Vulnerabilities
      ("Sharp edged view" - lucymagoo_images, http://www.flickr.com/photos/lucymagoo/9286276021/)
  22. A10 - Unvalidated Redirects and Forwards
      ("One Almond Tree Under the Storm" - DavidFrutos, http://www.flickr.com/photos/davidfe2/5546540291/lightbox/)