Web App Security - OWASP Top 10 2013

Driss Amri
December 05, 2013

A quick overview of the OWASP Top 10 (2013 edition). For some of the attacks, references are made to the Java solutions, but most of them are not shown on the slides and were given verbally. For more information contact me at @drams88 on Twitter. This presentation was given during an Optis (www.optis.be) team meeting on 05/12/2013.

www.drissamri.be


Transcript

  1. Web Application Security

  2. Hi, I’m Driss
    @drams88
    https://speakerdeck.com/drissamri

  3. Internally developed
    Commercial
    Open Source
    Applications by Supplier Type

  4. Open Web Application Security Project
    (OWASP)
    Top 10 - the ten most critical web application security risks
    Cheat Sheets
    Development guides
    ESAPI - Enterprise Security API (encoders, validators, ...)
    WebGoat - deliberately insecure JEE web application for training
    Zed Attack Proxy (ZAP) - penetration testing proxy

  5. A1 - Injection
    A2 - Broken Auth. & Session Management
    A3 - Cross-Site Scripting (XSS)
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery (CSRF)
    A9 - Using Components with Known Vulnerabilities
    A10 - Unvalidated Redirects and Forwards
    OWASP Top 10 - 2013
    The Ten Most Critical Web Application Security Risks

  6. A1 - Injection
    “Financial injection” - @Doug88888, http://www.flickr.com/photos/doug88888/4561376850/

  7. SQL Injection
    QUERY:  "SELECT * FROM Users WHERE username = '" + userName + "';"
    INPUT:  tobbawi
    RESULT: SELECT * FROM Users WHERE username = 'tobbawi';
    INPUT:  tobbawi' OR 'a' = 'a
    RESULT: SELECT * FROM Users WHERE username = 'tobbawi' OR 'a' = 'a';
    The single quote in the second input closes the string literal, so the rest
    of the input is parsed as SQL and the WHERE clause is true for every row.

  8. SQL Injection - parameterised queries
    // JDBC: the value is bound to the placeholder, never concatenated into the SQL text
    String query = "SELECT * FROM Users WHERE name = ?";
    PreparedStatement statement = connection.prepareStatement(query);
    statement.setString(1, userName);
    ResultSet rs = statement.executeQuery();

    // JPA: named parameter in JPQL (JPQL queries entities, not tables)
    String jpql = "SELECT u FROM User u WHERE u.name = :userName";
    TypedQuery<User> typedQuery = em.createQuery(jpql, User.class);
    typedQuery.setParameter("userName", userName);
    List<User> users = typedQuery.getResultList();
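An added, runnable illustration of slides 7 and 8 (editor-supplied Python, not code from the deck): the same lookup built by string concatenation and with a bound parameter, run against an in-memory SQLite table holding constructed sample rows. sqlite3 uses `?` placeholders exactly as JDBC's PreparedStatement does, so the safe version maps one-to-one onto the Java on slide 8.

```python
import sqlite3

# Constructed sample data: three accounts in an in-memory SQLite database.
SAMPLE_USERS = [
    (1, "tobbawi", "tobbawi@example.com"),
    (2, "driss", "driss@example.com"),
    (3, "admin", "admin@example.com"),
]


def make_db():
    """Fresh in-memory database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(user_name, conn=None):
    """The concatenation from slide 7: the input becomes part of the SQL text,
    so a quote in it ends the string literal and the remainder is parsed as SQL."""
    conn = conn or make_db()
    query = "SELECT * FROM Users WHERE username = '" + user_name + "';"
    return conn.execute(query).fetchall()


def find_user_safe(user_name, conn=None):
    """The PreparedStatement equivalent of slide 8: the value travels to the engine
    as a bound parameter and can never change the structure of the query."""
    conn = conn or make_db()
    query = "SELECT * FROM Users WHERE username = ?"
    return conn.execute(query, (user_name,)).fetchall()


def compare(user_name):
    """(rows returned by the vulnerable version, rows returned by the safe version)."""
    return len(find_user_vulnerable(user_name)), len(find_user_safe(user_name))


if __name__ == "__main__":
    # "tobbawi' OR 'a' = 'a" returns every row; "admin'--" comments out the closing quote.
    for value in ("tobbawi", "tobbawi' OR 'a' = 'a", "admin'--"):
        print(repr(value), "->", compare(value))
```

The `admin'--` input is the other classic shape: the `--` turns the rest of the statement into a comment, so the attacker logs in as a chosen user without knowing anything about the query. With the bound parameter both payloads are simply usernames that do not exist.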

  9. XML External Entity (XXE) Processing
    An attacker-supplied document declares an entity whose value is a local file
    (the transcript kept only the entity reference and the result; DOCTYPE and
    element names below are reconstructed):
    <?xml version="1.0"?>
    <!DOCTYPE data [
      <!ENTITY include SYSTEM "file:///etc/passwd">
    ]>
    <data>&include;</data>
    ...
    A parser that resolves external entities substitutes the file contents, and
    the application echoes them back to the attacker:

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/

  10. XML External Entity (XXE) Processing
    Do not resolve external entities: set this feature to false
    String FEATURE = "http://xml.org/sax/features/external-general-entities";
    dbf.setFeature(FEATURE, false);
    Better still, disallow a DOCTYPE altogether by setting this feature to true;
    it blocks external general and parameter entities and entity-expansion
    ("billion laughs") attacks in one go
    String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    dbf.setFeature(FEATURE, true);
    (dbf is a javax.xml.parsers.DocumentBuilderFactory; setFeature throws
    ParserConfigurationException if the underlying parser does not support the feature)
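An added example, not from the deck, showing the same control in Python's standard-library SAX parser: the feature it toggles is the identical SAX URI the slide passes to DocumentBuilderFactory. The payload points at a constructed stand-in for /etc/passwd written to a temporary directory, so nothing real is read; element names in the payload are illustrative.

```python
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler

# Same feature URI as on the slide: "http://xml.org/sax/features/external-general-entities"
EXTERNAL_GENERAL_ENTITIES = handler.feature_external_ges

# Constructed stand-in for /etc/passwd so the example never touches the real file.
FAKE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"


class TextCollector(handler.ContentHandler):
    """Collects the character data the parser hands back, i.e. what an
    application that echoes parsed content would send to the client."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def xxe_payload(target_uri):
    """The document from slide 9, with the entity pointing at target_uri."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY include SYSTEM "{target_uri}">\n'
        "]>\n"
        "<data>&include;</data>\n"
    )


def parse_untrusted(xml_text, resolve_external_entities):
    """Parse with external general entities resolved (vulnerable) or not (hardened)."""
    parser = xml.sax.make_parser()
    parser.setFeature(EXTERNAL_GENERAL_ENTITIES, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode()))
    return collector.text()


def demo():
    """Returns (output with entities resolved, output with them disabled) for one payload."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "passwd"
        secret.write_text(FAKE_PASSWD)
        payload = xxe_payload(secret.as_uri())  # file:///.../passwd
        leaked = parse_untrusted(payload, resolve_external_entities=True)
        blocked = parse_untrusted(payload, resolve_external_entities=False)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("entities resolved ->", repr(leaked))
    print("entities disabled ->", repr(blocked))
```

With the feature on, the parser follows the `file:` URI and the collector receives the file's lines; with it off, `&include;` is skipped and nothing leaks. The slide's second option (forbidding the DOCTYPE) has no single-feature equivalent in xml.sax, which is why Python's own documentation recommends a hardened parser such as defusedxml for untrusted input.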

  11. A2 - Broken Auth. & Session Management
    “Lion secured” - ericmcgregor, http://www.flickr.com/photos/ericmcgregor/103895441/

  12. Password management
    Credentials in Transit
    Session Protection
    Browser Caching
    Trust Relationships

  13. Level 0: No Plaintext Anywhere

  14. Level 1: Don’t Just Hash It

  15. Level 2: Salt it!

  16. Level 3: Computational Cost

  17. Level 4: Encryption

  18. Level 5: Distributed Data Storage
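Levels 0 to 4 from the preceding slides combined in one routine, as an added Python example (editor-supplied, not from the deck, whose slides for these levels are headings only). Assumptions: PBKDF2-HMAC-SHA256 from hashlib supplies the computational cost of Level 3, and Level 4 is read as keying the stored value with a secret kept outside the database, done here with HMAC and a constructed key. Level 5 is an operational measure and is not shown.

```python
import hashlib
import hmac
import os

# Level 3: a work factor that makes each guess expensive; raise it as hardware improves.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

# Level 4 as read here: a secret that lives outside the database (config store, HSM),
# so a dumped Users table alone is not enough to start cracking.  Constructed value.
SERVER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def naive_hash(password):
    """Level 1 pitfall, 'just hash it': unsalted and fast, so identical passwords
    give identical digests and precomputed tables or a GPU crack them offline."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, *, iterations=PBKDF2_ITERATIONS, key=SERVER_KEY):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex fields).
    Level 0: the password itself is never stored."""
    salt = os.urandom(SALT_BYTES)                                   # Level 2: random per-user salt
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)  # Levels 1 and 3
    keyed = hmac.new(key, stretched, "sha256").digest()             # Level 4: keyed with SERVER_KEY
    return f"pbkdf2-sha256${iterations}${salt.hex()}${keyed.hex()}"


def verify_password(password, record, *, key=SERVER_KEY):
    """Recompute from the parameters stored in the record and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2-sha256":
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    keyed = hmac.new(key, stretched, "sha256").digest()
    return hmac.compare_digest(keyed.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong", record))
```

Storing the iteration count and salt next to the digest is what lets the work factor be raised later without invalidating existing records: old ones keep verifying with their own parameters and are rehashed on the next successful login.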

  19. A3 - Cross-Site Scripting (XSS)
    The victim is the application user: malicious content is delivered to
    users' browsers, usually as JavaScript that runs with the site's privileges.

  20. Stored XSS Attacks (Persistent, Type-I XSS)

  21. Stored XSS Attacks (Persistent, Type-I XSS)

  22. Reflected XSS Attacks (Non-Persistent, Type-II XSS)

  23. Reflected XSS Attacks (Non-Persistent, Type-II XSS)

  24. “HTML5 broke my XSS filter!”
    Validate user input
      use a whitelist
      business validation checks
    Output encoding
      encode user data so it isn't treated as markup, using the encoder for
      the context it lands in (HTML body, attribute, JavaScript, CSS, URL)
    Input filtering
      strip dangerous characters and tags from user data
    Filtering alone is a blacklist and is bypassed as fast as browsers add
    features (next two slides); rely on validation plus output encoding.

  25. An HTML5-era vector that slips past a tag/character blacklist:
    1;--(#default#time2)';'`/onbegin=[�=\u0054;1lert(1)]//y,z\>

  26. alert(1) written with only the six characters []()!+ (JSFuck style), so a
    filter looking for letters or "script" sees nothing:
    [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()

  27. Same data, three contexts, three different encoders
    CSS context (inside a style block):
    p { color: {{USER_COLOR}}; }
    HTML body context:
    Hello {{USER_NAME}}, view your Account.
    JavaScript context (inside a script block):
    var id = {{USER_ID}};
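Context-specific encoders for the three placeholders above, as an added Python example (not from the deck, which points at jquery-encoder for the browser side; on the server the same job is done by libraries such as the OWASP Java Encoder). The hostile inputs are constructed. The CSS encoder is deliberately an allow-list because there is no safe way to escape arbitrary text into a CSS value, and a bare JavaScript number is likewise validated rather than escaped.

```python
import html
import json
import re

# Constructed hostile values, one per context.
HOSTILE_NAME = "<img src=x onerror=alert(1)>"
HOSTILE_COLOR = "red; background: url(javascript:alert(1))"
HOSTILE_ID = "1; alert(1)"


def encode_html(value):
    """HTML body context: every character that could start markup becomes an entity."""
    return html.escape(str(value), quote=True)


def encode_js_string(value):
    """JavaScript string-literal context: JSON-encode, then also escape '<' and '>'
    so the literal can never contain '</script>' and end the surrounding element."""
    return json.dumps(str(value)).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_js_number(value):
    """Bare JavaScript numeric literal (the USER_ID slot): it cannot be quoted, so
    the only safe 'encoding' is to validate that it is an integer and emit that."""
    return str(int(value))  # raises ValueError for "1; alert(1)"


_CSS_COLOR = re.compile(r"^(#[0-9a-fA-F]{3,6}|[a-zA-Z]{1,20})$")


def encode_css_color(value):
    """CSS value context: only a hex or named colour is accepted; anything else is refused."""
    value = str(value).strip()
    if not _CSS_COLOR.match(value):
        raise ValueError("not a colour")
    return value


def render(user_name, user_color, user_id):
    """Fill the three slots from slide 27, each through the encoder for its context."""
    style = f"<style>p {{ color: {encode_css_color(user_color)}; }}</style>"
    greeting = f"Hello {encode_html(user_name)}, view your Account."
    script = f"<script>var id = {encode_js_number(user_id)};</script>"
    return "\n".join([style, greeting, script])


def rejects(encoder, *args):
    """True if the encoder refuses the input instead of emitting it."""
    try:
        encoder(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(render("Driss", "#336699", 42))
    print(render(HOSTILE_NAME, "red", 7))              # name is neutralised
    print(rejects(render, "Driss", HOSTILE_COLOR, 7))  # colour refused -> True
    print(rejects(render, "Driss", "red", HOSTILE_ID))  # id refused -> True
```

The point the slide makes is visible in `render`: one `encode_html` for everything would leave the CSS and JavaScript slots exploitable, because `<` and `&` are harmless there while `;` and `)` are not.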

  28. https://github.com/chrisisbeef/jquery-encoder

  29. Content-Security-Policy
    New browser feature for mitigating XSS and data-injection attacks
    1.0 W3C Candidate Recommendation (1.1 underway)
    Whitelists "safe" script hosts
    Content-Security-Policy HTTP header

  30. Content-Security-Policy
    default-src 'none';
    style-src https://www.opt.is;
    frame-src https://www.youtube.com https://www.speakerdeck.com;
    script-src https://www.opt.is https://ssl.google-analytics.com;
    img-src 'self' https://www.opt.is;
    font-src https://www.opt.is;
    report-uri https://www.opt.is/csp-violation
    (directive names are followed by a space, not a colon; default-src 'none'
    means anything without its own directive, e.g. connect-src, is blocked)
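Added example (not from the deck): a parser for the header above and a simplified decision function that reproduces the rule people most often get wrong, that a fetch directive which is absent falls back to default-src. Assumptions: exact-origin matching only (no wildcards, paths, nonces or hashes) and a page origin of https://www.opt.is.

```python
from urllib.parse import urlsplit

# The policy from slide 30, written as one header value.
POLICY = (
    "default-src 'none'; "
    "style-src https://www.opt.is; "
    "frame-src https://www.youtube.com https://www.speakerdeck.com; "
    "script-src https://www.opt.is https://ssl.google-analytics.com; "
    "img-src 'self' https://www.opt.is; "
    "font-src https://www.opt.is; "
    "report-uri https://www.opt.is/csp-violation"
)

# CSP 1.0 fetch directives: when one is missing, default-src applies to it.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "frame-src",
                    "connect-src", "media-src", "object-src"}


def parse_csp(header):
    """'name src src; name src' -> {name: [src, ...]}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def csp_allows(header, directive, resource_url, page_origin):
    """Would a browser enforcing `header` load resource_url under `directive`?
    Pass resource_url="inline" for an inline <script> or <style>.
    Simplified matcher: exact origins only."""
    policy = parse_csp(header)
    if directive in policy:
        sources = policy[directive]
    elif directive in FETCH_DIRECTIVES and "default-src" in policy:
        sources = policy["default-src"]          # the fallback rule
    else:
        return True                              # nothing restricts this directive
    if resource_url == "inline":
        return "'unsafe-inline'" in sources
    target = origin_of(resource_url)
    for source in sources:
        if source == "'none'":
            return False
        if source == "'self'" and target == page_origin.lower():
            return True
        if source.lower() == target:
            return True
    return False


if __name__ == "__main__":
    page = "https://www.opt.is"
    for directive, url in [("script-src", "https://www.opt.is/app.js"),
                           ("script-src", "https://evil.example/x.js"),
                           ("script-src", "inline"),
                           ("connect-src", "https://www.opt.is/api")]:
        print(directive, url, "->", csp_allows(POLICY, directive, url, page))
```

Note what the policy on the slide implies once the fallback is applied: an inline `<script>` on the page is blocked (no `'unsafe-inline'`), and an XMLHttpRequest to the site's own API is blocked too, because there is no `connect-src` and `default-src` is `'none'`. The `report-uri` endpoint is how you find such surprises before users do.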

  31. Content-Security-Policy: Chrome 25+, Firefox 23.0+, Opera 15+
    X-WebKit-CSP: Chrome 25, Safari 5.1+
    X-Content-Security-Policy: Firefox 22.0, Internet Explorer 10+*
    http://www.html5rocks.com/en/tutorials/security/content-security-policy/

  32. HTTP Headers
    X-Frame-Options: DENY
    Content-Security-Policy: …
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    https://securityheaders.com/

  33. A4 - Insecure Direct Object References
    “Parallel lines” - theilr, http://www.flickr.com/photos/90863480@N00/10268837315/

  34. Avoid exposing your private object references (database keys, file names)
    Validate any private object reference that comes back from the client
    Verify that the caller is authorised for every referenced object

  35. A5 - Security Misconfiguration
    “Unlocked” - BlakJakDavy, http://www.flickr.com/photos/74221558@N00/3653039689/

  36. Apply software updates
    Disable unnecessary features
    Disable default accounts
    Don’t reveal stack traces

  37. A6 - Sensitive Data Exposure
    “Watching YouTube” - Hero ♪, http://www.flickr.com/photos/60507644@N06/9677923769/

  38. No sensitive data stored in clear text
    Don't transmit it in clear text
    Don't use weak crypto algorithms or short keys
    Don't store sensitive data you don't need
    Disable auto-complete and caching for pages that show it

  39. A7 - Missing Function Level Access Control
    “Escape artist” - Amanda Tipton, http://www.flickr.com/photos/34039290@N06/7454420422/

  40. Deny all by default
    Enforce authorization on the server, not (only) in the front-end:
    hiding a button or a menu entry is not access control
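One authorization layer covering both slide 34 (object-level) and slide 40 (function-level), as an added Python example with constructed invoice data and roles; it is not from the deck. The function allow-list is the deny-by-default: anything not listed is refused for every role, and every object reference that arrives from the client is checked against the object's owner before use.

```python
from dataclasses import dataclass, field

# Constructed data: two customers' invoices, keyed by the id the client sends back.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.0},
    1002: {"owner": "bob", "amount": 75.5},
}

# Function-level policy: explicit allow-list per function.  A function that is not
# listed is denied for everyone, so forgetting one fails closed, not open.
FUNCTION_POLICY = {
    "view_invoice": {"customer", "admin"},
    "delete_invoice": {"admin"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


class Forbidden(Exception):
    pass


def require_function(user, function_name):
    """Slide 40: server-side check, deny unless the function is explicitly allowed."""
    allowed_roles = FUNCTION_POLICY.get(function_name, set())
    if not (user.roles & allowed_roles):
        raise Forbidden(f"{user.name} may not call {function_name}")


def require_object(user, invoice_id):
    """Slide 34: the id came from the client, so verify the caller may use it."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not (invoice["owner"] == user.name or "admin" in user.roles):
        raise Forbidden(f"{user.name} may not access invoice {invoice_id}")
    return invoice


def view_invoice(user, invoice_id):
    require_function(user, "view_invoice")
    return require_object(user, invoice_id)


def delete_invoice(user, invoice_id):
    require_function(user, "delete_invoice")
    require_object(user, invoice_id)
    del INVOICES[invoice_id]


def export_report(user):
    """Not in FUNCTION_POLICY: denied for everyone until somebody adds it deliberately."""
    require_function(user, "export_report")
    return "report"


def allowed(action, *args):
    """True if the action runs, False if the authorization layer refuses it."""
    try:
        action(*args)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    alice = User("alice", {"customer"})
    print(allowed(view_invoice, alice, 1001))   # her own invoice -> True
    print(allowed(view_invoice, alice, 1002))   # bob's invoice, id guessed -> False
    print(allowed(export_report, User("root", {"admin"})))  # unlisted -> False
```

The two checks are independent on purpose: a customer who is allowed to call `view_invoice` (function level) still cannot read invoice 1002 by changing the number in the URL (object level), which is exactly the A4 case.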

  41. A8 - Cross-Site Request Forgery
    “Rustic 'Throne'” - RightBrainPhotography, http://www.flickr.com/photos/21757951@N00/2291533525/

  42. POST /transfer HTTP/1.1
    Host: bank.example.com
    Cookie: JSESSIONID=randomid
    Content-Type: application/x-www-form-urlencoded

    amount=100.00&routingNumber=1234&account=9876

    The browser attaches the session cookie to every request for bank.example.com,
    including one submitted by a hidden form on a page the attacker controls, so
    the bank cannot tell this request from one the user meant to send.

  43. CSRF tokens
    Synchronizer Token Pattern: a random per-session token that the server
    embeds in every form it renders and checks on every state-changing request;
    an attacker's page cannot read it, so a forged request lacks it
    Spring Security 3.2 ships this (enabled by default with Java configuration)
    Use proper HTTP verbs: GET must never change state, or an <img src=...> is enough
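The Synchronizer Token Pattern applied to the /transfer request from slide 42, as an added Python example (not from the deck; Spring Security 3.2 does this for you, and its default parameter name `_csrf` is the only detail borrowed from it). Session, form and request handling are minimal stand-ins for a web framework.

```python
import hmac
import secrets

STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE", "PATCH"}
TOKEN_FIELD = "_csrf"  # Spring Security's default parameter name


class Session:
    """Minimal server-side session: the token is generated once per session and
    only ever leaves the server embedded in the application's own pages."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def hidden_field(session):
    """What the server embeds in every form it renders."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{session.csrf_token}"/>'


def csrf_check(session, method, form):
    """State-changing requests must carry the session's token; GET is never
    accepted for a state change, so a forged <img src=/transfer?...> does nothing."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return False
    submitted = form.get(TOKEN_FIELD, "")
    # Constant-time comparison: a byte-by-byte early exit would leak the token.
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def transfer(session, method, form):
    """The /transfer endpoint from slide 42, guarded by the token check."""
    if not csrf_check(session, method, form):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to account {form['account']}"


def demo():
    """Four requests against /transfer; returns their HTTP status codes."""
    session = Session()
    fields = {"amount": "100.00", "routingNumber": "1234", "account": "9876"}
    legit = transfer(session, "POST", {**fields, TOKEN_FIELD: session.csrf_token})
    forged_no_token = transfer(session, "POST", fields)            # attacker's hidden form
    forged_guess = transfer(session, "POST", {**fields, TOKEN_FIELD: "guess"})
    wrong_verb = transfer(session, "GET", {**fields, TOKEN_FIELD: session.csrf_token})
    return legit[0], forged_no_token[0], forged_guess[0], wrong_verb[0]


if __name__ == "__main__":
    print(demo())  # (200, 403, 403, 403)
```

The attacker's page can make the victim's browser send the cookie (slide 42) but cannot read the bank's pages to learn the token, which is why the pattern only holds as long as the site has no XSS: a script running on bank.example.com can read the token just fine.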

  44. A9 - Using Components with Known Vuln.
    “Sharp edged view” - lucymagoo_images, http://www.flickr.com/photos/lucymagoo/9286276021/

  45. Apache CXF Authentication Bypass
    Spring Remote Code Execution
    Struts2 Remote Code Execution

  46. Common Vulnerabilities and Exposures
    http://cve.mitre.org/
    https://github.com/jeremylong/DependencyCheck
    National Vulnerability Database
    http://nvd.nist.gov/home.cfm
    mvn versions:display-dependency-updates

  47. A10 - Unvalidated Redirects and Forwards
    “One Almond Tree Under the Storm” - DavidFrutos, http://www.flickr.com/photos/davidfe2/5546540291/lightbox/

  48. Review all redirects and forwards
    Spider site for redirects
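An added Python example for the two points above (editor-supplied, not from the deck): a redirect-target validator with an allow-list of hosts, exercised against the bypasses a reviewer should try when spidering for redirects. The allowed hosts and the base URL are assumptions.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed allow-list of hosts the application may send users to.
ALLOWED_HOSTS = {"www.opt.is", "bank.example.com"}
DEFAULT_TARGET = "/"
BASE_URL = "https://www.opt.is/"  # the application's own origin (assumed)


def safe_redirect_target(target, base=BASE_URL):
    """Return an absolute redirect location on an allowed host, or DEFAULT_TARGET.

    Defeats the usual bypasses of a naive 'starts with /' check:
    '//evil.example'            protocol-relative URL
    '/\\evil.example'           browsers turn the backslash into a slash
    'https:/evil.example'       browsers repair the missing slash, urljoin does not
    'https://bank.example.com@evil.example'   userinfo that looks like a host
    'https://www.opt.is.evil.example'         allowed host as a prefix
    'javascript:alert(1)'       non-http scheme
    """
    if target is None:
        return DEFAULT_TARGET
    candidate = target.strip()
    if not candidate or any(ord(ch) < 0x20 for ch in candidate):
        return DEFAULT_TARGET                 # empty, or embedded control characters
    candidate = candidate.replace("\\", "/")
    head = candidate.split("/", 1)[0]
    if ":" in head and not candidate.lower().startswith(("http://", "https://")):
        return DEFAULT_TARGET                 # 'javascript:', 'data:', 'https:/host', ...
    resolved = urlsplit(urljoin(base, candidate))
    if resolved.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    if (resolved.hostname or "").lower() not in ALLOWED_HOSTS:
        return DEFAULT_TARGET                 # hostname excludes userinfo and port
    return urlunsplit(resolved)


if __name__ == "__main__":
    for value in ("/account", "https://bank.example.com/transfer", "//evil.example/",
                  "/\\evil.example", "https:/evil.example", "javascript:alert(1)",
                  "https://bank.example.com@evil.example/", "https://www.opt.is.evil.example/"):
        print(repr(value), "->", safe_redirect_target(value))
```

Resolving the candidate against the site's own base URL first, and only then inspecting the host, is what makes the check robust: every relative form collapses to an absolute URL, so there is one place to compare the host instead of a growing list of string patterns.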

  49. Developer awareness
    Software Development Lifecycle (SDLC)
    Security automation
