Today's Agenda • ASR 5 - Broken Access Control Exercise • ASR 6 – Security Misconfiguration • ASR 7 – Cross-site Scripting Exercise • ASR 8 – Insecure Deserialization • ASR 9 – Using Components with Known Vulnerabilities • ASR 10 – Insufficient Logging & Monitoring • Responsible Disclosure
Introduction • Who am I? • Who are you? • What are you hoping to learn this week? • Project overview • Project requirements • PHP, SQLite, (Docker, maybe)
Setup • Clone the project repository git clone https://github.com/ericmann/bobby-tables.git php-owasp • Run the "smoke test" script in the repo to test your system cd php-owasp && php smoke.php cd php-owasp && ./dockphp smoke.php
OWASP • Open Web Application Security Project • International non-profit est ~2001 • Coordinates training, guidelines, development checklists • Polls and publishes "top ten" application security risks • Updated every ~3 years • Last published in late 2018 • Results based on feedback and in-the-wild experiences surveyed from > 500 developers • Data spans info about > 100,000 real world applications • The OWASP Top Ten is not exhaustive!
Injection Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. • Injected SQL • Injected CLI
Injection • Run the demo application php -S localhost:8888 -t asr1-injection • Visit the query interface in a browser http://localhost:8888/query • Inject yourself as a speaker into the database • Now … fix the injection attack by parameterizing your statement
Injection • Run the same demo application php -S localhost:8888 -t asr1-injection • Visit the files interface in a browser and download my PDF http://localhost:8888/get/?file=evolution.pdf • Use the vulnerability to "liberate" your private SSH key curl http://localhost:8888/?file=;cat ~/.ssh/id_rsa • Now … fix the injection attack by sanitizing the filename
Broken Authentication Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities. • Authentication bypass • Unauthorized impersonation
Broken Authentication • Run the demo application php -S localhost:8888 -t asr2-broken-authentication • Visit the query interface in a browser http://localhost:8888/ • Log in as "reader" with the password "1234567" • Modify your cookies to impersonate "admin" • Now … fix the impersonation attack by leveraging server storage
Sensitive Data Exposure Many web applications do not adequately protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. • Example: Equifax
Sensitive Data Exposure • Open /asr3-data-exposure in your editor • View the "encrypted" secret message text file • Modify the secret text to say something else • Now … use Libsodium to actually encrypt the text
XML External Entities XML eXternal Entity injection (XXE) is a type of attack against an application that parses XML input. This attack occurs when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser. • Data exposure • Simple DOS attacks
Broken Access Control Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc. • Authentication != Authorization
Broken Authentication • Run the demo application php -S localhost:8888 -t asr5-broken-access • Visit the query interface in a browser http://localhost:8888/ • Log in as "bob" with the password "bobisevil" • Modify your form to target Alice's user ID (4) – change her favorite ice cream • Verify it changed – Alice's password is "aliceisnice" • Now … fix the attack by verifying user IDs match authentication
Security Misconfiguration Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
Cross-site Scripting XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. • Stored • Reflected
Cross-site Scripting • Run the demo application php -S localhost:8888 -t asr1-injection • Visit the query interface in a browser http://localhost:8888/query • Inject malicious JavaScript by searching for:
• Now … fix the injection attack by parameterizing your statement
Insecure Deserialization Native formats usually offer more features than JSON or XML, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data. • Denial of service • Access control • Remote code execution
Insufficient Logging & Monitoring Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected. • Attackers' attempts go unnoticed • Insider threats exploit access
ericmann
dskst
t88
jacopen
masashi_sutou
miyakemito
yoshinagaiwnl
iotengineer22
sakaik
6onoda
toshiaizawa
kako351
regonn
smashingmag
lynnandtonic
jennybc
ddemaree
roundedbygravity
brettharned
erikaheidi
deanohume
jcasabona
marktimemedia
chrislema