OWASP 201: Request-based Security

Half of the application security risks (ASRs) covered by the OWASP Top Ten list address requests made by visitors or third parties against your web application. Learn what each ASR is, how to identify it in your application, and how to protect against potential abuse.

Eric Mann

May 22, 2019
Transcript

  1. OWASP 201:
    Request-Based Security
    Eric Mann

  2. ASR 1 - Injection

  3. The attacker's hostile data can
    trick the interpreter into
    executing unintended
    commands or accessing data
    without proper authorization.

  4. xkcd: Exploits of a Mom - https://xkcd.com/327/

  5. $db = new \PDO(...);
    $name = $_POST['name'];
    // Untrusted input is interpolated straight into the SQL text
    $sql = "SELECT * FROM users WHERE email='$name'";
    foreach ($db->query($sql) as $user) {
        // ...
    }

    curl -X POST -d "[email protected]' OR 1=1;--" http://yoursite.com

    SELECT * FROM users WHERE email='[email protected]' OR 1=1;--'

  6. $db = new \PDO(...);
    $name = $_POST['name'];
    // The value is bound to a placeholder and never becomes part of the SQL text
    $sql = "SELECT * FROM users WHERE email=:email";
    $statement = $db->prepare($sql);
    $params = [':email' => $name];
    $statement->execute($params);
    foreach ($statement as $user) {
        // ...
    }

    curl -X POST -d "[email protected]' OR 1=1;--" http://yoursite.com

    SELECT * FROM users WHERE email='[email protected]\' OR 1=1;--'
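
The slide's lookup done with prepared statements, extended to the many-values case where code often falls back to concatenation. This is an added example, not code from the deck; the table and column names and the in-memory SQLite demo database are assumed for illustration.

```php
<?php
// Added example, not from the deck: the slide's lookup done with prepared statements,
// plus the many-values case (an IN list) where code often falls back to concatenation.
// Table name, column names and the SQLite demo database are assumed for illustration.
declare(strict_types=1);

function connect(string $dsn, string $user = '', string $pass = ''): PDO
{
    // On MySQL also pass PDO::ATTR_EMULATE_PREPARES => false so the server binds parameters.
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/** Fetch one user by email; whatever $email contains is bound as data, never parsed as SQL. */
function findUserByEmail(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

/** Fetch several users: one "?" per value, generated from count(), never from the values. */
function findUsersByEmails(PDO $db, array $emails): array
{
    if ($emails === []) {
        return [];
    }
    $marks = implode(', ', array_fill(0, count($emails), '?'));
    $stmt  = $db->prepare("SELECT id, email FROM users WHERE email IN ({$marks})");
    $stmt->execute(array_values($emails));
    return $stmt->fetchAll();
}

// Constructed demo against an in-memory SQLite database (needs the pdo_sqlite extension).
$db = connect('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.test'), ('bob@example.test')");

// The slide's payload is compared literally against the email column and matches nothing,
// while the real address in the same list is still found.
var_dump(findUserByEmail($db, "alice@example.test' OR 1=1;--"));
var_dump(count(findUsersByEmails($db, ['bob@example.test', "x' OR 1=1;--"])));
```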

  7. function serve_file($filename) {
        header("Content-Type: application/octet-stream");
        header("Content-Disposition: attachment; filename=\"{$filename}\"");
        header("Content-Length: 11111");
        // The filename is handed to a shell unchanged
        passthru("cat /home/uploads/" . $filename);
        exit();
    }

    curl -X GET -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com

    cat /home/uploads/;cat /etc/letsencrypt/site.com/privkey.pem

  8. function serve_file($filename) {
        // Sanitize the filename before it's used
        $sanitized = basename($filename);
        header("Content-Type: application/octet-stream");
        header("Content-Disposition: attachment; filename=\"{$sanitized}\"");
        header("Content-Length: 11111");
        $path = "/home/uploads/{$sanitized}";
        // The shell now receives a single quoted argument
        passthru('cat ' . escapeshellarg($path));
        exit();
    }

    curl -X GET -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com

    cat /home/uploads/privkey.pem
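
The same download handler with no shell involved at all, and with the resolved path checked to lie inside the upload directory, since basename() alone accepts any name. This is an added example, not code from the deck; the upload directory constant and the temporary demo files are assumed/constructed.

```php
<?php
// Added example, not from the deck: serving an upload with no shell involved at all.
// basename() alone accepts any name, so the resolved path is also checked to lie directly
// inside the upload directory. The directory path and the demo files are assumed/constructed.
declare(strict_types=1);

const UPLOAD_DIR = '/home/uploads';   // assumed location from the slide

/** Absolute path of a regular file directly inside $dir, or null (traversal, symlink out, missing). */
function resolve_upload(string $filename, string $dir = UPLOAD_DIR): ?string
{
    $base = basename($filename);               // strip any directory part, as the slide does
    if ($base === '' || $base[0] === '.') {    // no empty names, no dot-files, no "." / ".."
        return null;
    }
    $root = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $base);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks, so a link pointing outside the directory fails this test.
    return dirname($path) === $root ? $path : null;
}

function serve_file(string $filename): void
{
    $path = resolve_upload($filename);
    if ($path === null) {
        http_response_code(404);
        exit();
    }
    // Only the resolved name reaches the header, with quote and newline characters removed.
    $name = str_replace(['"', "\r", "\n"], '', basename($path));
    header('Content-Type: application/octet-stream');
    header("Content-Disposition: attachment; filename=\"{$name}\"");
    header('Content-Length: ' . filesize($path));   // the real size, not a placeholder
    readfile($path);                                // stream the bytes; nothing is run in a shell
    exit();
}

// Constructed demo in a temporary directory: a plain name resolves, traversal and the
// slide's payload do not (there is no privkey.pem in the directory).
$dir = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/report.pdf', 'demo');
var_dump(resolve_upload('report.pdf', $dir) !== null);
var_dump(resolve_upload('../../../etc/passwd', $dir));
var_dump(resolve_upload(';cat /etc/letsencrypt/site.com/privkey.pem', $dir));
```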

  9. ASR 2 - Broken
    Authentication

  10. Application functions related
    to authentication and session
    management are often not
    implemented correctly...

  11. Client-side Sessions
    Don’t trust the user to store sensitive information
    Don’t trust information provided by the user
    Don’t store sensitive information with an untrusted party
    Don’t use cookies to store sensitive data
    (If you are using cookies, use secure cookies - but only store identifiers)

  12. Password Management
    Passwords should NEVER be stored in plaintext.
    Passwords should NEVER be stored with encryption.
    Passwords should ONLY be stored using one-way hashes.
    Try to avoid passwords in the first place...

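One-way password storage with PHP's password_* API, including the transparent upgrade of old hashes when the cost or algorithm policy changes. This is an added example, not code from the deck; the in-memory user store and the sample credentials are constructed for the demo.

```php
<?php
// Added example, not from the deck: one-way password storage with PHP's password_* API,
// including a transparent upgrade of old hashes when the cost or algorithm policy changes.
// The user store is an in-memory array constructed for the demo.
declare(strict_types=1);

const HASH_ALGO = PASSWORD_DEFAULT;   // bcrypt at present; the default may change in later PHP versions
const HASH_OPTS = ['cost' => 12];

function store_password(array &$users, string $login, string $password): void
{
    // password_hash() adds a random salt and stretches the input; the plaintext is never stored.
    $users[$login] = password_hash($password, HASH_ALGO, HASH_OPTS);
}

/** True when the password matches the stored hash; rehashes it if it no longer meets policy. */
function check_password(array &$users, string $login, string $password): bool
{
    if (!isset($users[$login]) || !password_verify($password, $users[$login])) {
        return false;
    }
    if (password_needs_rehash($users[$login], HASH_ALGO, HASH_OPTS)) {
        // The plaintext is available only now, at a successful login, so upgrade here.
        $users[$login] = password_hash($password, HASH_ALGO, HASH_OPTS);
    }
    return true;
}

// Constructed demo: a hash made at cost 10 is replaced by a cost-12 hash on the first good login.
$users = [];
store_password($users, 'bob', 'another demo passphrase');
$users['alice'] = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(check_password($users, 'alice', 'wrong password'));
var_dump(check_password($users, 'alice', 'correct horse battery staple'));
var_dump(str_starts_with($users['alice'], '$2y$12$'));
var_dump(check_password($users, 'bob', 'another demo passphrase'));
```
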
  13. (Full image slide. No text)

  14. (Full image slide. No text)

  15. Problems with JWT
    Leaking sensitive information
    The `none` algorithm is required by the spec
    Algorithm confusion - RSA vs HMAC
    Weak algorithms are allowed

  16. What you should do
    Only store session data on the server
    Ensure strong authentication protects user identities
    Lock down insecure algorithms and primitives
    Only use trusted third-party library implementations

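Locking down the algorithm in practice: an HS256 verifier that pins the algorithm itself, so a header claiming `none` or naming RS256 (the RSA-vs-HMAC confusion from slide 15) is rejected before any signature is examined. This is an added example, not code from the deck; the secret key and both tokens are constructed for the demo.

```php
<?php
// Added example, not from the deck: verifying an HS256 token with the algorithm pinned
// in the verifier, so a header saying "alg":"none" or naming RS256 (key confusion) is
// rejected before any signature is checked. The key and tokens are constructed.
declare(strict_types=1);

function b64url_decode(string $s): string|false
{
    $pad = strlen($s) % 4;
    return base64_decode(strtr($s, '-_', '+/') . ($pad ? str_repeat('=', 4 - $pad) : ''), true);
}

function b64url_encode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

/** Claims of a valid, unexpired HS256 token signed with $key, or null for anything else. */
function verify_hs256(string $jwt, string $key): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    // The header is attacker-controlled: it must never choose which check runs.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "{$h}.{$p}", $key, true);
    $sig = b64url_decode($s);
    if ($sig === false || !hash_equals($expected, $sig)) {   // constant-time comparison
        return null;
    }
    $claims = json_decode((string) b64url_decode($p), true);
    return (is_array($claims) && ($claims['exp'] ?? 0) > time()) ? $claims : null;
}

// Constructed demo: one properly signed token, one "none" token with an empty signature.
$key  = 'demo-secret-not-for-production';
$enc  = fn (array $a): string => b64url_encode(json_encode($a));
$body = $enc(['alg' => 'HS256', 'typ' => 'JWT']) . '.' . $enc(['sub' => 'alice', 'exp' => time() + 60]);
$good = $body . '.' . b64url_encode(hash_hmac('sha256', $body, $key, true));
$none = $enc(['alg' => 'none']) . '.' . $enc(['sub' => 'admin', 'exp' => time() + 60]) . '.';
var_dump(verify_hs256($good, $key)['sub'] ?? null);
var_dump(verify_hs256($none, $key));
```
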
  17. ASR 4 - XML External
    Entities

  18. Untrusted XML input
    containing a reference to an
    external entity is processed by
    a weakly configured XML
    parser ...

  19. ]>

    Friend of &name;
    &name;
    &name; - 2019

    "php://filter/read=convert.base64-encode/resource=/var/www/config.ini">]>

    &info;

  20. ]>

    &bomb;

  21. What you should do
    // Disable loading of external entities while untrusted XML is parsed
    // (deprecated as of PHP 8.0, where external entity loading is already off by default)
    $default = libxml_disable_entity_loader(true);
    $dom = new DOMDocument();
    $dom->loadXML($xml);
    // Do things with XML
    // Restore the previous value
    libxml_disable_entity_loader($default);
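
A parser for untrusted XML that refuses any DOCTYPE outright, which removes both the external-entity read from slide 19 and the entity-expansion bomb from slide 20 with one check, whatever the libxml version. This is an added example, not code from the deck; the three sample documents are constructed for the demo.

```php
<?php
// Added example, not from the deck: a parser for untrusted XML that refuses any DOCTYPE.
// One check removes both external entities (the &info; case) and entity expansion bombs
// (the &bomb; case), independent of the libxml version. The sample documents are constructed.
declare(strict_types=1);

/** Parse $xml into a DOMDocument; null if it is empty, malformed or carries a DOCTYPE. */
function parse_untrusted_xml(string $xml): ?DOMDocument
{
    // Entity declarations need a DOCTYPE, and XML keywords are case-sensitive, so this is exact.
    if ($xml === '' || str_contains($xml, '<!DOCTYPE') || str_contains($xml, '<!ENTITY')) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);    // the slide's call; off by default from PHP 8.0
    }
    $prev = libxml_use_internal_errors(true);  // collect parse errors instead of emitting warnings
    $dom  = new DOMDocument();
    // LIBXML_NONET blocks network fetches; LIBXML_NOENT is deliberately absent, so no substitution.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    // Belt and braces: a DOCTYPE that somehow reached the parser is still refused.
    return ($ok && $dom->doctype === null) ? $dom : null;
}

// Constructed samples: a plain document, the slide's external-entity read, a small expansion bomb.
$clean = '<order><item>widget</item></order>';
$xxe   = '<!DOCTYPE d [<!ENTITY info SYSTEM '
       . '"php://filter/read=convert.base64-encode/resource=/var/www/config.ini">]><d>&info;</d>';
$bomb  = '<!DOCTYPE d [<!ENTITY a "ha"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]><d>&b;</d>';

$doc = parse_untrusted_xml($clean);
var_dump($doc !== null ? $doc->documentElement->textContent : null);
var_dump(parse_untrusted_xml($xxe));
var_dump(parse_untrusted_xml($bomb));
```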

  22. ASR 7 - Cross-Site
    Scripting (XSS)

  23. An application takes
    untrusted data and sends it to
    a web browser without
    proper validation or escaping.

  24. Search results for: ""

    title; ?>

    No results for ''

    Search results for:
    No results for ''

  25. Search results for: ""

    title; ?>

    No results for ''

    Search results for: ""
    No results for ''
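
Output escaping for the search page shown on slides 24 and 25, with a separate encoder for the one context where htmlspecialchars() is not enough: a value embedded in a script block. This is an added example, not code from the deck; the template markup and the sample query are constructed.

```php
<?php
// Added example, not from the deck: output escaping for the search page, with a separate
// encoder for the one context where htmlspecialchars() is not enough, a value embedded in a
// <script> block. The template and the sample query are constructed.
declare(strict_types=1);

/** Escape a value for HTML text content or a quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES covers single quotes too; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Encode a value as a JavaScript literal that is safe inside <script>, "</script>" included. */
function js(mixed $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

/** Render the results page; every dynamic value is escaped at the point it is written out. */
function render_search(string $query, array $results): string
{
    $out  = '<h1>Search results for: "' . e($query) . '"</h1>' . "\n";
    $out .= '<input type="search" name="q" value="' . e($query) . '">' . "\n";   // quoted attribute
    $out .= '<script>var lastQuery = ' . js($query) . ';</script>' . "\n";        // JS context
    if ($results === []) {
        return $out . "<p>No results for '" . e($query) . "'</p>\n";
    }
    $out .= "<ul>\n";
    foreach ($results as $result) {
        $out .= '<li>' . e($result['title']) . "</li>\n";
    }
    return $out . "</ul>\n";
}

// Constructed input that would close the attribute, the heading and the script block if left raw.
$query = '"><script>alert(1)</script>';
echo render_search($query, []);
echo render_search('widget', [['title' => 'Widget <b>Pro</b>']]);
```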

  26. ASR 8 - Insecure
    Deserialization

  27. Languages’ native
    deserialization mechanisms
    can be repurposed for
    malicious effect when
    operating on untrusted data.

  28. class CartCache {
        public $cache_file;
        public $data = [];
        public $cleanup = true;
        // ...

        /**
         * Automatically purge the cache file from disk to clean up
         */
        public function __destruct() {
            $file = "/var/www/cache/tmp/carts/{$this->cache_file}";
            if ($this->cleanup && file_exists($file)) {
                @unlink($file);
            }
        }
    }

    // Every property of the object built here is chosen by whoever sent the request
    $data = unserialize($_GET['data']);

    https://yoursite.com/endpoint.php?data=O:9:"CartCache":2:{s:10:"cache_file";s:18:"../../../index.php";s:4:"data";a:0:{}}

  29. Do not pass untrusted user
    input to unserialize()
    regardless of the options
    value of allowed_classes.

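Carrying the cart across requests without unserialize() at all: the state travels as base64 JSON plus an HMAC, the tag is checked before the payload is decoded, and json_decode() into arrays can never instantiate a class such as CartCache. This is an added example, not code from the deck; the key and the cart contents are constructed for the demo.

```php
<?php
// Added example, not from the deck: carrying cart state across requests without unserialize().
// State leaves as base64 JSON plus an HMAC; on return the tag is checked before the payload is
// decoded, and json_decode() into arrays can never instantiate a class such as CartCache.
// The key and the cart contents are constructed for the demo.
declare(strict_types=1);

final class CartState
{
    public function __construct(private string $key) {}

    /** Encode the cart as "payload.tag" for a cookie or query parameter. */
    public function seal(array $cart): string
    {
        $payload = base64_encode(json_encode($cart, JSON_THROW_ON_ERROR));
        return $payload . '.' . hash_hmac('sha256', $payload, $this->key);
    }

    /** Decode a token made by seal(); null for any tampered, forged or malformed value. */
    public function open(string $token): ?array
    {
        if (substr_count($token, '.') !== 1) {
            return null;
        }
        [$payload, $tag] = explode('.', $token, 2);
        if (!hash_equals(hash_hmac('sha256', $payload, $this->key), $tag)) {
            return null;                                   // rejected before the payload is parsed
        }
        $json = base64_decode($payload, true);
        $cart = $json === false ? null : json_decode($json, true, 8);   // arrays only, bounded depth
        return is_array($cart) ? $cart : null;
    }
}

// Constructed demo
$state = new CartState('demo-key-not-for-production');
$token = $state->seal(['cache_file' => 'cart-42.json', 'items' => [['sku' => 'A1', 'qty' => 2]]]);
var_dump($state->open($token)['items'][0]['sku'] ?? null);
// The slide's serialized object is just an unsigned string here: no CartCache is ever built.
var_dump($state->open('O:9:"CartCache":2:{s:10:"cache_file";s:18:"../../../index.php";s:4:"data";a:0:{}}'));
// Changing one character of a valid token fails the HMAC check.
$tampered = substr_replace($token, $token[0] === 'A' ? 'B' : 'A', 0, 1);
var_dump($state->open($tampered));
```
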
  30. Questions?

  31. Thank you
    [email protected] | 503.925.6266
