• ASR 6 – Security Misconfiguration • ASR 7 – Cross-site Scripting Exercise • ASR 8 – Insecure Deserialization • ASR 9 – Using Components with Known Vulnerabilities • ASR 10 – Insufficient Logging & Monitoring • Responsible Disclosure
est ~2001 • Coordinates training, guidelines, development checklists • Polls and publishes "top ten" application security risks • Updated every ~3 years • Last published in late 2018 • Results based on feedback and in-the-wild experiences surveyed from > 500 developers • Data spans info about > 100,000 real world applications • The OWASP Top Ten is not exhaustive!
occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. • Injected SQL • Injected CLI
asr1-injection • Visit the query interface in a browser http://localhost:8888/query • Inject yourself as a speaker into the database • Now … fix the injection attack by parameterizing your statement
-t asr1-injection • Visit the files interface in a browser and download my PDF http://localhost:8888/get/?file=evolution.pdf • Use the vulnerability to "liberate" your private SSH key curl http://localhost:8888/?file=;cat ~/.ssh/id_rsa • Now … fix the injection attack by sanitizing the filename
are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities. • Authentication bypass • Unauthorized impersonation
-t asr2-broken-authentication • Visit the query interface in a browser http://localhost:8888/ • Log in as "reader" with the password "1234567" • Modify your cookies to impersonate "admin" • Now … fix the impersonation attack by leveraging server storage
sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. • Example: Equifax
type of attack against an application that parses XML input. This attack occurs when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser. • Data exposure • Simple DOS attacks
to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc. • Authentication != Authorization
-t asr5-broken-access • Visit the query interface in a browser http://localhost:8888/ • Log in as "bob" with the password "bobisevil" • Modify your form to target Alice's user ID (4) – change her favorite ice cream • Verify it changed – Alice's password is "aliceisnice" • Now … fix the attack by verifying user IDs match authentication
and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. • Stored • Reflected
-t asr1-injection • Visit the query interface in a browser http://localhost:8888/query • Inject malicious JavaScript by searching for: <img src=x onerror=alert("hi") /> • Now … fix the injection attack by parameterizing your statement
or XML, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data. • Denial of service • Access control • Remote code execution
is the bedrock of nearly every major incident. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected. • Attackers' attempts go unnoticed • Insider threats exploit access
ericmann
kesompochy
nagix
kanamasa
fujiwara3
caddi_eng
terara
htan
mixi_engineers
grimoh
opelab
cyberagentdevelopers
quramy
paulrobertlloyd
bkeepers
ddemaree
swwweet
rasmusluckow
lynnandtonic
aleyda
destraynor
chrisshort
garrettdimon
jlugia
![Little Bobby Tables Isn't Welcome Here php[tek] 2018 ∙ Eric](https://files.speakerdeck.com/presentations/8b98d0e0652a467298f63e19127f154f/slide_2.jpg){kind=link}
![XML External Entities <?xml version="1.0"?> <!DOCTYPE info [<!ENTITY name "php[architect]">]>](https://files.speakerdeck.com/presentations/8b98d0e0652a467298f63e19127f154f/slide_25.jpg){kind=link}
