OWASP Top Ten in Review

1

View Slide

2
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities
Broken Access Control
Security Misconﬁguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known
Vulnerabilities
Insufﬁcient Logging & Monitoring
1
2
3
4
5
6
7
8
9
10

View Slide

3

View Slide

The attacker's hostile data can
trick the interpreter into
executing unintended
commands or accessing data
without proper authorization.

View Slide

xkcd: Exploits of a Mom - https://xkcd.com/327/

View Slide

6
$db = new \PDO(...);
$name = $_POST['name'];
$sql = "SELECT * FROM users WHERE email='$name'";
foreach($db->query($sql) as $user) {
// ...
}
curl -X POST -d "[email protected]' OR 1=1;--" http://yoursite.com
SELECT * FROM users WHERE email='[email protected]' OR 1=1;--'

View Slide

7
$db = new \PDO(...);
$name = $_POST['name'];
$sql = "SELECT * FROM users WHERE email=:email";
$statement = $db->prepare($sql);
$params = [':email' => $name];
foreach($db->execute($statement, $params) as $user) {
// ...
}
curl -X POST -d "[email protected]' OR 1=1;--" http://yoursite.com
SELECT * FROM users WHERE email='[email protected]\' OR 1=1;--'

View Slide

8
function serve_file($filename) {
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"{$filename}\"");
header("Content-Length: 11111");
passthru("cat /home/uploads/" . $filename);
exit();
}
curl -X GET -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com
cat /home/uploads/;cat /etc/letsencrypt/site.com/privkey.pem

View Slide

9
function serve_file($filename) {
// Sanitize the filename before it's used
$sanitized = basename($filename);
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"{$sanitized}\"");
header("Content-Length: 11111");
$path = "/home/uploads/{$sanitized}";
passthru('cat ' . escapeshellarg($path));
exit();
}
curl -X GET -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com
cat /home/uploads/privkey.pem

View Slide

10

View Slide

Application functions related
to authentication and session
management are often not
implemented correctly...

View Slide

12
Client-side Sessions
Don’t trust the user to store sensitive information
Don’t trust information provided by the user
Don’t store sensitive information with an untrusted party
Don’t use cookies to store sensitive data
(If you are using cookies, use secure cookies - but only store identiﬁers)

View Slide

13
Password Management
Passwords should NEVER be stored in plaintext.
Passwords should NEVER be stored with encryption.
Passwords should ONLY be stored using one-way hashes.
Try to avoid passwords in the ﬁrst place...

View Slide

View Slide

(Full image slide. No text)

View Slide

16
Problems with JWT
Leaking sensitive information
The `none` algorithm is required by the spec
Algorithm confusion - RSA vs HMAC
Weak algorithms are allowed

View Slide

17
What you should do
Only store session data on the server
Ensure strong authentication protects user identities
Lock down insecure algorithms and primitives
Only use trusted third-party library implementations

View Slide

18

View Slide

Many web applications do not
adequately protect sensitive
data, such as credit cards, tax
IDs, and authentication
credentials.

View Slide

Photo borrowed from Schneier on Security:
https://www.schneier.com/blog/archives/2005/02/the_weakest_lin.html

View Slide

21
Sensitive Data Retention
What data do you retain?
Why do you need this data in the ﬁrst place?
Who has access to the data?
Where are backups stored?
Who has access to the data via the backup system?

View Slide

Encoding is not
encryption!

View Slide

23
function encodeString($str) {
for ($i = 0; $i < 5; $i++) {
$str = strrev(base64_encode($str));
}
return $str;
}
function decodeString($str) {
for ($i = 0; $i < 5; $i++) {
$str = base64_decode(strrev($str));
}
return $str;
}
encodeString('this is a secret');
QVlRHZlbopUYxQWShRkTUR1aaVUWuB3UNdlR2NmRWplUuJkVUxGcPFGbGVkVqp0VUJjUZdVVaNVTtVUP

View Slide

24

View Slide

Untrusted XML input
containing a reference to an
external entity is processed by
a weakly conﬁgured XML
parser ...

View Slide

26

]>

Friend of &name;
&name;
&name; - 2019

"php://filter/read=convert.base64-encode/resource=/var/www/config.ini">]>

&info;

View Slide

27

]>

&bomb;

View Slide

28
$default = libxml_disable_entity_loader(true);
$dom = new DOMDocument();
$dom->loadXML($xml);
// Do things with XML
// Restore the previous value
libxml_disable_entity_loader($default);
What you should do

View Slide

29

View Slide

Restrictions on what
authenticated users are
allowed to do are not properly
enforced.

View Slide

31
$app->post( '/profile',
function ($request, $response, $args) {
if (!isset($_SESSION['user_id']) ||
!$this->users->get($_SESSION['user_id'])) {
return $response->withRedirect('/?error=notloggedin');
}
$userID = $request->getParam('user_id');
$fname = $request->getParam('fname');
$lname = $request->getParam('lname');
$email = $request->getParam('email');
// Retrieve the user's account from the database (via the app container)
$user = $this->users->get(intval($userID));
$user->profile->fname = filter_var($fname, FILTER_SANITIZE_STRING);
$user->profile->lname = filter_var($lname, FILTER_SANITIZE_STRING);
$user->profile->email = filter_var($email, FILTER_SANITIZE_EMAIL);
$this->users->update($user);
}
);

View Slide

United Airlines experienced this vulnerability in their mobile app in 2015 -
https://randywestergren.com/united-airlines-bug-bounty-an-experience-in-reporting-a-serious-vulnerability//

View Slide

33

View Slide

Secure settings should be
deﬁned, implemented, and
maintained, as defaults are
often insecure.

View Slide

35
PHP Settings
Disable error display (display_errors)
Disable remote includes (allow_url_fopen and allow_url_include)
Set reasonable resource maximums (upload_max_filesize and memory_limit)
Leverage the disable_functions directive to block dangerous functions:
exec, passthru, shell_exec, system, proc_open, popen,
parse_ini_file, show_source, eval, create_function

View Slide

36
Webserver Settings (Nginx / Apache / etc)
Disable server tokens and signature disclosure
Configure a static server name (don’t trust potentially malicious HOST headers)
Disable directory traversal
ALWAYS configure strong SSL certificates for secure access
Return proper error codes

View Slide

37
Database (MySQL) Settings
Set an appropriate bind-address
Ensure users are conﬁgured from the correct host, not a % wildcard
Limit user permissions on the database to just what the application needs

View Slide

38

View Slide

An application takes
untrusted data and sends it to
a web browser without
proper validation or escaping.

View Slide

40

Search results for: ""

title; ?>

No results for ''

Search results for:
No results for ''

View Slide

41


title; ?>

No results for ''

No results for ''

View Slide

42

View Slide

Languages’ native
deserialization mechanisms
can be repurposed for
malicious effect when
operating on untrusted data.

View Slide

44
class CartCache {
$cache_file;
$data = [];
// ...
/**
* Automatically purge the cache file from disk to clean up
*/
public function __destruct() {
$file = "/var/www/cache/tmp/carts/{$this->cache_file}";
if ($this->cleanup && file_exists($file)) {
@unlink($file);
}
}
}
$data = unserialize($_GET['data']);
https://yoursite.com/endpoint.php?data=O:9:"CartCache":2:{s:10:"cache_file";s:18:"../../../i
ndex.php";s:4:"data";a:0:{}}

View Slide

Do not pass untrusted user
input to unserialize()
regardless of the options
value of allowed_classes.

View Slide

46

View Slide

Applications using
components with known
vulnerabilities may undermine
application defenses and
enable a range of possible
attacks and impacts.

View Slide

48
Audit Application Dependencies
Monitor Composer-installed dependencies for outdated or vulnerable libraries
Leverage unattended-upgrades to keep system packages up-to-date
Audit the packages installed on your server - don’t install things you don’t need

View Slide

Custom error messages can help demonstrate when a security hole has been plugged. Or
annoy those who were exploiting it in the ﬁrst place...

View Slide

50
Audit Application Dependencies
Monitor Composer-installed dependencies for outdated or vulnerable libraries
Leverage unattended-upgrades to keep system packages up-to-date
Audit the packages installed on your server - don’t install things you don’t need
Only run current, supported versions of PHP!!!

View Slide

51

View Slide

Attackers rely on the lack of
monitoring and timely
response to achieve their
goals without being detected.

View Slide

53
It’s Important to Track:
What happened
When it happened
Where it happened (in terms of code and the IP of the server)
To whom it happened
What input triggered the event

View Slide

54
Event Classes
Input Validation Errors
Output Validation Errors
Authentication Events
Authorization (Access Control) Failures
Application Errors
Application Startup/Shutdown
High-risk Operations

View Slide

(Full image slide. No text)

View Slide

56

View Slide

57

View Slide

OWASP Top Ten in Review

OWASP Top Ten in Review

Eric Mann

More Decks by Eric Mann

Other Decks in Technology

Featured

Transcript