OWASP 201: Request-based Security

Half of the application security risks (ASRs) covered by the OWASP Top Ten list address requests made by visitors or third parties against your web application. Learn what each ASR is, how to identify it in your application, and how to protect against potential abuse.


Eric Mann

May 22, 2019


  1. OWASP 201: Request-Based Security Eric Mann

  2. ASR 1 - Injection

  3. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
  4. xkcd: Exploits of a Mom - https://xkcd.com/327/

  5. $db = new \PDO(...);
     $name = $_POST['name'];
     $sql = "SELECT * FROM users WHERE email='$name'";
     foreach($db->query($sql) as $user) {
         // ...
     }

     curl -X POST -d "name=a@b.com' OR 1=1;--" http://yoursite.com

     SELECT * FROM users WHERE email='a@b.com' OR 1=1;--'
  6. $db = new \PDO(...);
     $name = $_POST['name'];
     $sql = "SELECT * FROM users WHERE email=:email";
     $statement = $db->prepare($sql);
     $params = [':email' => $name];
     $statement->execute($params);   // the value is bound by the driver, never interpolated into SQL
     foreach($statement as $user) {
         // ...
     }

     curl -X POST -d "name=a@b.com' OR 1=1;--" http://yoursite.com

     SELECT * FROM users WHERE email='a@b.com\' OR 1=1;--'
  7. function serve_file($filename) {
         header("Content-Type: application/octet-stream");
         header("Content-Disposition: attachment; filename=\"{$filename}\"");
         header("Content-Length: 11111");
         passthru("cat /home/uploads/" . $filename);
         exit();
     }

     curl -X GET -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com

     cat /home/uploads/;cat /etc/letsencrypt/site.com/privkey.pem
  8. function serve_file($filename) {
         // Sanitize the filename before it's used: basename() strips every directory component
         $sanitized = basename($filename);
         header("Content-Type: application/octet-stream");
         header("Content-Disposition: attachment; filename=\"{$sanitized}\"");
         header("Content-Length: 11111");
         $path = "/home/uploads/{$sanitized}";
         // escapeshellarg() single-quotes the argument so the shell treats it as one word
         passthru('cat ' . escapeshellarg($path));
         exit();
     }

     curl -X GET -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com

     cat '/home/uploads/privkey.pem'
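Slide 8 still hands the path to a shell. The variant below, added here as an example and not the slide's code, serves the upload with no shell at all and confines the resolved path to the uploads directory, so ".." segments, absolute paths and symlinks that point outside it all fail closed. UPLOAD_DIR is assumed to be the slide's /home/uploads.

```php
<?php
// Added example (not from the slides): serve an upload without spawning a
// shell, and confine the resolved path to UPLOAD_DIR.
declare(strict_types=1);

const UPLOAD_DIR = '/home/uploads'; // assumed location, as on the slide

/**
 * Resolve a user-supplied filename to a real path inside UPLOAD_DIR,
 * or return null if it does not exist or does not stay inside it.
 */
function resolve_upload(string $filename): ?string
{
    // basename() strips directory components, as on slide 8
    $candidate = UPLOAD_DIR . '/' . basename($filename);
    $real = realpath($candidate);      // follows symlinks, collapses ".."
    $base = realpath(UPLOAD_DIR);
    if ($real === false || $base === false) {
        return null;                   // file or directory does not exist
    }
    // Require the resolved path to be strictly below the base directory
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                   // a symlink escaped UPLOAD_DIR
    }
    return $real;
}

function serve_file(string $filename): void
{
    $path = resolve_upload($filename);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit();
    }
    header('Content-Type: application/octet-stream');
    // Escape quotes and backslashes so the name cannot break the header syntax
    header('Content-Disposition: attachment; filename="'
        . addcslashes(basename($path), '"\\') . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);                   // no shell, no argument parsing
    exit();
}

// The slide's payload resolves to "privkey.pem", which is not an upload: 404
serve_file($_GET['filename'] ?? '');
```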
  9. ASR 2 - Broken Authentication

  10. Application functions related to authentication and session management are often not implemented correctly...
  11. Client-side Sessions
      - Don’t trust the user to store sensitive information
      - Don’t trust information provided by the user
      - Don’t store sensitive information with an untrusted party
      - Don’t use cookies to store sensitive data (If you are using cookies, use secure cookies - but only store identifiers)
  12. Password Management
      - Passwords should NEVER be stored in plaintext.
      - Passwords should NEVER be stored with encryption.
      - Passwords should ONLY be stored using one-way hashes.
      - Try to avoid passwords in the first place...

  15. Problems with JWT
      - Leaking sensitive information
      - The `none` algorithm is required by the spec
      - Algorithm confusion - RSA vs HMAC
      - Weak algorithms are allowed
  16. What you should do
      - Only store session data on the server
      - Ensure strong authentication protects user identities
      - Lock down insecure algorithms and primitives
      - Only use trusted third-party library implementations
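What "lock down insecure algorithms" looks like for the JWT problems on slide 15, as an added example (not the slides' code): the verifier pins the algorithm to HS256 before it touches the signature, so a header claiming `none` or a public-key algorithm is refused outright, and the comparison is constant-time. The secret and the constructed token at the end are placeholders.

```php
<?php
// Added example (not from the slides): verify an HMAC-signed JWT while
// pinning the algorithm, so "none" and alg-confusion tokens fail closed.
declare(strict_types=1);

function b64url_decode(string $s): ?string
{
    $pad = strlen($s) % 4;
    $s = strtr($s, '-_', '+/') . ($pad ? str_repeat('=', 4 - $pad) : '');
    $out = base64_decode($s, true);      // strict: reject stray characters
    return $out === false ? null : $out;
}

/** Returns the claims, or null on any failure. $secret is a server-side key. */
function verify_hs256_jwt(string $jwt, string $secret): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    // Pin the algorithm: "none", "NONE", "RS256", ... all fail this test.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $sig = b64url_decode($s);
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    // Constant-time comparison of the full signature
    if ($sig === null || !hash_equals($expected, $sig)) {
        return null;
    }
    $claims = json_decode((string) b64url_decode($p), true);
    // Require a numeric "exp" and reject expired tokens
    if (!is_array($claims) || !isset($claims['exp'])
        || !is_numeric($claims['exp']) || (int) $claims['exp'] < time()) {
        return null;
    }
    return $claims;
}

// Constructed check: a token whose header says alg "none" must not verify,
// even though its (empty) signature part is well formed.
$enc = fn(string $j): string => rtrim(strtr(base64_encode($j), '+/', '-_'), '=');
$none = $enc('{"alg":"none"}') . '.' . $enc('{"sub":"1","exp":9999999999}') . '.';
assert(verify_hs256_jwt($none, 'server-secret-placeholder') === null);
```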
  17. ASR 4 - XML External Entities

  18. Untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser ...
  19. <?xml version="1.0"?>
      <!DOCTYPE info [<!ENTITY name "php[tek]">]>
      <info>
        <author>Friend of &name;</author>
        <conference>&name;</conference>
        <event>&name; - 2019</event>
      </info>

      <!DOCTYPE vulnerable [<!ENTITY info SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/config.ini">]>
      <vulnerable>
        <config>&info;</config>
      </vulnerable>
  20. <!DOCTYPE bomb [
        <!ENTITY x0 "BOOM!">
        <!ENTITY x1 "&x0;&x0;">
        <!ENTITY x2 "&x1;&x1;">
        <!ENTITY x3 "&x2;&x2;">
        <!ENTITY x4 "&x3;&x3;">
        <!-- ... Repeat for entities from x5 through x98 -->
        <!ENTITY x99 "&x98;&x98;">
        <!ENTITY bomb "&x99;&x99;">
      ]>
      <vulnerable>
        <explosive>&bomb;</explosive>
      </vulnerable>
  21. What you should do

      $default = libxml_disable_entity_loader(true);
      $dom = new DOMDocument();
      $dom->loadXML($xml);
      // Do things with XML
      // Restore the previous value
      libxml_disable_entity_loader($default);
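A loader that covers both slide 19 (external entities) and slide 20 (entity expansion), added here as an example rather than the slide's code: it rejects any DTD up front, forbids network access while parsing, never asks libxml to substitute entities, and only calls libxml_disable_entity_loader() on PHP versions before 8.0, where external entity loading is still on by default (PHP 8.0 turned it off and deprecated the function). The two inputs at the end are constructed.

```php
<?php
// Added example (not from the slides): parse untrusted XML with no DTD,
// no network access and no entity substitution.
declare(strict_types=1);

function load_xml_safely(string $xml): ?DOMDocument
{
    // No document we accept needs a DOCTYPE; rejecting it removes the whole
    // attack surface of entity declarations, internal (bomb) or external.
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml)) {
        return null;
    }
    // Older PHP: switch external entity loading off explicitly.
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    $saved = libxml_use_internal_errors(true);   // collect errors, don't echo
    $dom = new DOMDocument();
    // LIBXML_NONET: no network fetches. LIBXML_NOENT is deliberately absent.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($saved);
    if (isset($previous)) {
        libxml_disable_entity_loader($previous);  // restore, as on slide 21
    }
    // Belt and braces: a DOCTYPE must never have reached the parser
    if (!$ok || $errors !== [] || $dom->doctype !== null) {
        return null;
    }
    return $dom;
}

// Constructed inputs: a cut-down version of the slide's bomb is rejected,
// a plain document loads.
$bomb  = '<!DOCTYPE bomb [<!ENTITY x0 "BOOM!">]><v><e>&x0;</e></v>';
$plain = '<?xml version="1.0"?><info><conference>php[tek]</conference></info>';
assert(load_xml_safely($bomb) === null);
$doc = load_xml_safely($plain);
assert($doc !== null && $doc->documentElement->tagName === 'info');
```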
  22. ASR 7 - Cross-Site Scripting (XSS)

  23. An application takes untrusted data and sends it to a web browser without proper validation or escaping.
  24. <div id="results">
        <span>Search results for: "<?php echo $data['s']; ?>"</span>
        <?php if ($results) : ?>
        <ul>
          <?php foreach( $results as $result ) : ?>
          <li><a href="<?php echo $result->href; ?>"><?php echo $result->title; ?></a></li>
          <?php endforeach; ?>
        </ul>
        <?php else : ?>
        <span>No results for '<?php echo $data['s']; ?>'</span>
        <?php endif; ?>
      </div>

      <div id="results">
        <span>Search results for: <script src="..."></script></span>
        <span>No results for '<script src="..."></script>'</span>
      </div>
  25. <?php $query = filter_var( $data['s'], FILTER_SANITIZE_STRING ); ?>
      <div id="results">
        <span>Search results for: "<?php echo $query; ?>"</span>
        <?php if ($results) : ?>
        <ul>
          <?php foreach( $results as $result ) : ?>
          <li><a href="<?php echo $result->href; ?>"><?php echo $result->title; ?></a></li>
          <?php endforeach; ?>
        </ul>
        <?php else : ?>
        <span>No results for '<?php echo $query ?>'</span>
        <?php endif; ?>
      </div>

      <div id="results">
        <span>Search results for: ""</span>
        <span>No results for ''</span>
      </div>
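The same template with contextual output encoding, added here as an example and not the slide's code. Slide 25 strips the tags with FILTER_SANITIZE_STRING (deprecated since PHP 8.1) and leaves `$result->href` and `$result->title` unescaped; this version escapes every dynamic value for its HTML context and additionally checks the link target against an allow-list of URL schemes, because escaping alone does not stop a `javascript:` URL in an href. It assumes UTF-8 output and constructs its own `$data` and `$results`.

```php
<?php
// Added example (not from the slides): contextual escaping for the
// search-results template, plus a scheme allow-list for href values.
declare(strict_types=1);

/** Escape for HTML text and quoted attribute contexts. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Allow http(s), mailto and relative URLs in href; anything else becomes "#". */
function safe_href(string $url): string
{
    // Drop ASCII control characters and whitespace, which browsers ignore
    // when reading a scheme (so "java\tscript:" would otherwise slip by).
    $clean = preg_replace('/[\x00-\x20\x7f]/', '', $url);
    $parts = parse_url($clean);
    if ($parts === false) {
        return '#';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $allowed = $scheme === '' || in_array($scheme, ['http', 'https', 'mailto'], true);
    return $allowed ? $clean : '#';
}

// Constructed stand-ins for the request and the search results
$data = ['s' => '<script src="..."></script>'];
$results = [(object) ['href' => 'javascript:alert(1)', 'title' => 'Bad <b>link</b>']];
?>
<div id="results">
  <span>Search results for: "<?= e($data['s']) ?>"</span>
  <?php if ($results) : ?>
  <ul>
    <?php foreach ($results as $result) : ?>
    <li><a href="<?= e(safe_href($result->href)) ?>"><?= e($result->title) ?></a></li>
    <?php endforeach; ?>
  </ul>
  <?php else : ?>
  <span>No results for '<?= e($data['s']) ?>'</span>
  <?php endif; ?>
</div>
```

The search term renders as `&lt;script src=&quot;...&quot;&gt;&lt;/script&gt;`, visible to the user but inert, and the link becomes `href="#"`.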
  26. ASR 8 - Insecure Deserialization

  27. Languages’ native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data.
  28. class CartCache {
          public $cache_file;
          public $data = [];
          public $cleanup = true;
          // ...

          /**
           * Automatically purge the cache file from disk to clean up
           */
          public function __destruct() {
              $file = "/var/www/cache/tmp/carts/{$this->cache_file}";
              if ($this->cleanup && file_exists($file)) {
                  @unlink($file);
              }
          }
      }

      $data = unserialize($_GET['data']);

      https://yoursite.com/endpoint.php?data=O:9:"CartCache":2:{s:10:"cache_file";s:18:"../../../index.php";s:4:"data";a:0:{}}
  29. Do not pass untrusted user input to unserialize() regardless of the options value of allowed_classes.
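One way to honour that rule while still round-tripping cart data through the client, added here as an example (not the slides' code): the blob never reaches unserialize() unless it carries a valid server-side HMAC, and even then object instantiation is disabled, so the CartCache gadget from slide 28 is refused twice over. CART_KEY is a placeholder; storing the cart server-side and sending only an identifier (slide 16) remains the simpler option.

```php
<?php
// Added example (not from the slides): only server-authenticated, object-free
// serialized data is ever passed to unserialize().
declare(strict_types=1);

const CART_KEY = 'replace-with-32-random-bytes'; // placeholder secret

/** Wrap a cart array into a tamper-evident token for the client. */
function seal_cart(array $cart): string
{
    $payload = serialize($cart);
    $mac = hash_hmac('sha256', $payload, CART_KEY, true);
    return base64_encode($mac . $payload);
}

/** Verify the token; return the cart array, or null on any problem. */
function open_cart(string $token): ?array
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) <= 32) {
        return null;
    }
    $mac = substr($raw, 0, 32);
    $payload = substr($raw, 32);
    // Constant-time check: only data we produced ourselves passes.
    if (!hash_equals(hash_hmac('sha256', $payload, CART_KEY, true), $mac)) {
        return null;
    }
    // Defense in depth: any O:... object becomes __PHP_Incomplete_Class,
    // so no __wakeup()/__destruct() gadget can run.
    $cart = unserialize($payload, ['allowed_classes' => false]);
    return is_array($cart) ? $cart : null;
}

// Constructed check: the slide's gadget, wrapped with a bogus MAC, is refused
// before unserialize() runs; a genuine token round-trips.
$gadget = 'O:9:"CartCache":2:{s:10:"cache_file";s:18:"../../../index.php";s:4:"data";a:0:{}}';
assert(open_cart(base64_encode(str_repeat("\0", 32) . $gadget)) === null);
assert(open_cart(seal_cart(['sku-1' => 2])) === ['sku-1' => 2]);
```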
  30. Questions?

  31. Thank you eric.mann@vacasa.com | 503.925.6266