OWASP Top Ten in Review

Eric Mann

August 28, 2020

Transcript

  1. 1

  2. 2
    1. Injection
    2. Broken Authentication
    3. Sensitive Data Exposure
    4. XML External Entities
    5. Broken Access Control
    6. Security Misconfiguration
    7. Cross-Site Scripting (XSS)
    8. Insecure Deserialization
    9. Using Components with Known Vulnerabilities
    10. Insufficient Logging & Monitoring

  3. 3

  4. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

  5. xkcd: Exploits of a Mom - https://xkcd.com/327/

  6. 6
    // Vulnerable: the POSTed value is interpolated straight into the SQL string.
    $db = new \PDO(...);
    $name = $_POST['name'];
    $sql = "SELECT * FROM users WHERE email='$name'";
    foreach ($db->query($sql) as $user) {
        // ...
    }

    curl -X POST -d "[email protected]' OR 1=1;--" http://yoursite.com

    SELECT * FROM users WHERE email='[email protected]' OR 1=1;--'

  7. 7
    // Fixed: the value is bound as a parameter, so it can only ever be data.
    $db = new \PDO(...);
    $name = $_POST['name'];
    $sql = "SELECT * FROM users WHERE email=:email";
    $statement = $db->prepare($sql);
    $statement->execute([':email' => $name]);
    foreach ($statement as $user) {
        // ...
    }

    curl -X POST -d "[email protected]' OR 1=1;--" http://yoursite.com

    SELECT * FROM users WHERE email='[email protected]\' OR 1=1;--'

  8. 8
    // Vulnerable: the filename is concatenated into a shell command.
    function serve_file($filename) {
        header("Content-Type: application/octet-stream");
        header("Content-Disposition: attachment; filename=\"{$filename}\"");
        header("Content-Length: 11111");
        passthru("cat /home/uploads/" . $filename);
        exit();
    }

    curl -X GET -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com

    cat /home/uploads/;cat /etc/letsencrypt/site.com/privkey.pem

  9. 9
    function serve_file($filename) {
        // Sanitize the filename before it's used: basename() strips any path
        // components, and escapeshellarg() quotes the argument for the shell.
        $sanitized = basename($filename);
        header("Content-Type: application/octet-stream");
        header("Content-Disposition: attachment; filename=\"{$sanitized}\"");
        header("Content-Length: 11111");
        $path = "/home/uploads/{$sanitized}";
        passthru('cat ' . escapeshellarg($path));
        exit();
    }

    curl -X GET -d "filename=;cat+/etc/letsencrypt/site.com/privkey.pem" http://site.com

    cat '/home/uploads/privkey.pem'

  10. 10

  11. Application functions related to authentication and session management are often not implemented correctly...

  12. 12
    Client-side Sessions
    Don’t trust the user to store sensitive information
    Don’t trust information provided by the user
    Don’t store sensitive information with an untrusted party
    Don’t use cookies to store sensitive data
    (If you are using cookies, use secure cookies - but only store identifiers)

  13. 13
    Password Management
    Passwords should NEVER be stored in plaintext.
    Passwords should NEVER be stored with encryption.
    Passwords should ONLY be stored using one-way hashes.
    Try to avoid passwords in the first place...
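
A worked version of the rules on this slide, added here as an example (not code from the deck): store only a salted one-way hash via password_hash(), check it with password_verify(), and rehash when the default cost or algorithm changes. The in-memory $users array and the usernames are constructed stand-ins for a database table.

```php
<?php
// Added example, not from the deck: one-way password storage with PHP's
// password_* API. The $users array is a constructed stand-in for a table.
declare(strict_types=1);

function registerUser(array &$users, string $username, string $password): void
{
    // password_hash() generates a random salt and embeds algorithm, cost and
    // salt in the result, so only this one string needs to be stored.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function loginUser(array &$users, string $username, string $password): bool
{
    // For an unknown username, still run a full verification against a dummy
    // hash so response time does not reveal which accounts exist.
    $known = isset($users[$username]);
    $hash = $known ? $users[$username] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$known) {
        return false;
    }
    // Transparently upgrade hashes made with an older cost or algorithm.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'nobody', 'correct horse battery staple'));
// What is stored is a salted one-way hash; the password itself is not recoverable.
echo $users['alice'], PHP_EOL;
```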

  15. (Full image slide. No text)

  16. 16
    Problems with JWT
    Leaking sensitive information
    The `none` algorithm is required by the spec
    Algorithm confusion - RSA vs HMAC
    Weak algorithms are allowed

  17. 17
    What you should do
    Only store session data on the server
    Ensure strong authentication protects user identities
    Lock down insecure algorithms and primitives
    Only use trusted third-party library implementations
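
Added example (not code from the deck) of what "lock down insecure algorithms" means for the JWT problems on the previous slide: the verifier pins the algorithm on the server side, so a token claiming `none` or RS256 fails before any signature check, and the signature is compared in constant time. The token contents, the secret and the function names are constructed for the demo; it shows what a trusted library must do, not a replacement for one.

```php
<?php
// Added example, not from the deck: verify a JWT with the algorithm pinned on
// the server side, so "alg":"none" and RSA-vs-HMAC confusion are both refused.
declare(strict_types=1);

function base64UrlDecode(string $data)
{
    $padded = str_pad(strtr($data, '-_', '+/'), (int) (ceil(strlen($data) / 4) * 4), '=');
    return base64_decode($padded, true); // strict: false on any bad character
}

/** Returns the claims of a valid HS256 token, or null if it must be rejected. */
function verifyJwtHs256(string $token, string $key): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) base64UrlDecode($h), true);
    // The token does not get to choose the algorithm: anything but HS256 fails.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $key, true);
    $given = base64UrlDecode($s);
    // Constant-time compare; an empty or malformed signature fails here too.
    if ($given === false || !hash_equals($expected, $given)) {
        return null;
    }
    $claims = json_decode((string) base64UrlDecode($p), true);
    if (!is_array($claims) || (isset($claims['exp']) && $claims['exp'] < time())) {
        return null;
    }
    return $claims;
}

// Constructed tokens; $key is a demo value, not a real secret.
$key = 'demo-secret-change-me';
$b64 = fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$hdr = $b64('{"alg":"HS256","typ":"JWT"}');
$pay = $b64('{"sub":"42","exp":' . (time() + 600) . '}');
$signed = "$hdr.$pay." . $b64(hash_hmac('sha256', "$hdr.$pay", $key, true));
$unsigned = $b64('{"alg":"none","typ":"JWT"}') . ".$pay.";
var_dump(verifyJwtHs256($signed, $key));   // the properly signed token
var_dump(verifyJwtHs256($unsigned, $key)); // same payload, "alg":"none", empty signature
```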

  18. 18

  19. Many web applications do not adequately protect sensitive data, such as credit cards, tax IDs, and authentication credentials.

  20. Photo borrowed from Schneier on Security:
    https://www.schneier.com/blog/archives/2005/02/the_weakest_lin.html

  21. 21
    Sensitive Data Retention
    What data do you retain?
    Why do you need this data in the first place?
    Who has access to the data?
    Where are backups stored?
    Who has access to the data via the backup system?

  22. Encoding is not encryption!

  23. 23
    // "Encoding": five rounds of base64 plus string reversal. No key is
    // involved, so anyone who can read the code (or guess the scheme) can
    // reverse it; this protects nothing.
    function encodeString($str) {
        for ($i = 0; $i < 5; $i++) {
            $str = strrev(base64_encode($str));
        }
        return $str;
    }

    function decodeString($str) {
        for ($i = 0; $i < 5; $i++) {
            $str = base64_decode(strrev($str));
        }
        return $str;
    }

    encodeString('this is a secret');
    QVlRHZlbopUYxQWShRkTUR1aaVUWuB3UNdlR2NmRWplUuJkVUxGcPFGbGVkVqp0VUJjUZdVVaNVTtVUP

  24. 24

  25. Untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser ...

  26. 26
    (XML markup lost in transcript; only these fragments survive.)
    ]>
    Friend of &name;
    &name;
    &name; - 2019

    "php://filter/read=convert.base64-encode/resource=/var/www/config.ini">]>
    &info;

  27. 27
    (XML markup lost in transcript; only these fragments survive.)
    ]>
    &bomb;

  28. 28
    What you should do
    // Refuse to load external entities while parsing untrusted XML.
    // (Deprecated as of PHP 8.0: libxml 2.9+ disables external entity
    // loading by default, so this call is only needed on older stacks.)
    $default = libxml_disable_entity_loader(true);
    $dom = new DOMDocument();
    $dom->loadXML($xml);
    // Do things with XML
    // Restore the previous value
    libxml_disable_entity_loader($default);
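
Added example (not code from the deck): a loader for untrusted XML that refuses any document carrying a DOCTYPE, which covers both the external-entity read of slide 26 and the nested entities of slide 27, and parses with LIBXML_NONET. libxml_disable_entity_loader() governs only external entities; the entities of slide 27 are declared inside the document itself, which is why the DOCTYPE check matters. The function name and the sample documents are constructed.

```php
<?php
// Added example, not from the deck: a loader for untrusted XML that refuses
// both the external-entity fetch of slide 26 and the nested-entity bomb of
// slide 27 before any entity is expanded.
declare(strict_types=1);

/** Returns the parsed document, or null if the input must be rejected. */
function loadUntrustedXml(string $xml): ?DOMDocument
{
    // Cheap structural check first: a DOCTYPE (and with it any entity
    // declaration) is something the application's own documents never need,
    // and every entity-based attack needs one.
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $xml) === 1) {
        return null;
    }
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // collect parse errors, do not emit
    // LIBXML_NONET forbids network access during parsing. Never pass
    // LIBXML_NOENT or LIBXML_DTDLOAD, which substitute entities and load DTDs.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    // Belt and braces: also refuse anything the parser still saw as a DOCTYPE.
    if ($ok === false || $dom->doctype !== null) {
        return null;
    }
    return $dom;
}

// Constructed inputs: one benign document and two shaped like the slides'
// hostile examples (the bomb is cut to two levels; depth is not the point here).
$benign = '<card><name>Example User</name></card>';
$external = '<!DOCTYPE card [<!ENTITY info SYSTEM '
    . '"php://filter/read=convert.base64-encode/resource=/var/www/config.ini">]>'
    . '<card>&info;</card>';
$bomb = '<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>'
    . '<lolz>&lol2;</lolz>';

var_dump(loadUntrustedXml($benign) instanceof DOMDocument); // the benign document
var_dump(loadUntrustedXml($external));                      // the external-entity document
var_dump(loadUntrustedXml($bomb));                          // the entity bomb
```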

  29. 29

  30. Restrictions on what authenticated users are allowed to do are not properly enforced.

  31. 31
    $app->post('/profile',
        function ($request, $response, $args) {
            if (!isset($_SESSION['user_id']) ||
                !$this->users->get($_SESSION['user_id'])) {
                return $response->withRedirect('/?error=notloggedin');
            }
            // The account to edit is chosen by the client-supplied user_id, not by
            // the session: any logged-in user can update any other user's profile.
            $userID = $request->getParam('user_id');
            $fname = $request->getParam('fname');
            $lname = $request->getParam('lname');
            $email = $request->getParam('email');
            // Retrieve the user's account from the database (via the app container)
            $user = $this->users->get(intval($userID));
            $user->profile->fname = filter_var($fname, FILTER_SANITIZE_STRING);
            $user->profile->lname = filter_var($lname, FILTER_SANITIZE_STRING);
            $user->profile->email = filter_var($email, FILTER_SANITIZE_EMAIL);
            $this->users->update($user);
        }
    );
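
Added example (not code from the deck): the same handler with the authorization check it lacks, written as a stand-alone function so it runs without the framework. The account to update comes from the session, and a user_id in the form that names a different account is refused. UserRepository and the session and request arrays are constructed stand-ins for the slide's $this->users container and request object.

```php
<?php
// Added example, not from the deck: slide 31's handler with the authorization
// check it lacks. Session and request are plain arrays; UserRepository is a
// constructed in-memory stand-in for the slide's $this->users container.
declare(strict_types=1);

final class UserRepository
{
    public array $rows = [
        1 => ['fname' => 'Alice', 'lname' => 'Ash', 'email' => 'alice@example.com'],
        2 => ['fname' => 'Bob',   'lname' => 'Bay', 'email' => 'bob@example.com'],
    ];
    public function get(int $id): ?array { return $this->rows[$id] ?? null; }
    public function update(int $id, array $row): void { $this->rows[$id] = $row; }
}

/** Returns an HTTP status: 401 not logged in, 403 wrong account, 422 bad input, 204 updated. */
function updateProfile(UserRepository $users, array $session, array $params): int
{
    // Authentication: the session, never the request, says who the caller is.
    $me = $session['user_id'] ?? null;
    if ($me === null || $users->get((int) $me) === null) {
        return 401;
    }
    // Authorization: a user_id in the form is accepted only if it is the caller's own.
    if (isset($params['user_id']) && (int) $params['user_id'] !== (int) $me) {
        return 403;
    }
    // Validate rather than "sanitize": reject bad input instead of mangling it.
    $email = filter_var($params['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return 422;
    }
    $users->update((int) $me, [
        'fname' => trim((string) ($params['fname'] ?? '')),
        'lname' => trim((string) ($params['lname'] ?? '')),
        'email' => $email,
    ]);
    return 204;
}

$users = new UserRepository();
$session = ['user_id' => 1]; // Alice is logged in
// Alice updates her own profile.
echo updateProfile($users, $session, ['fname' => 'Alice', 'lname' => 'Ash', 'email' => 'a@example.com']), PHP_EOL;
// Alice's browser submits user_id=2 (slide 31's handler would have edited Bob's row).
echo updateProfile($users, $session, ['user_id' => 2, 'fname' => 'X', 'lname' => 'Y', 'email' => 'x@example.com']), PHP_EOL;
echo $users->get(2)['fname'], PHP_EOL; // Bob's row is untouched
```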

  32. United Airlines experienced this vulnerability in their mobile app in 2015 -
    https://randywestergren.com/united-airlines-bug-bounty-an-experience-in-reporting-a-serious-vulnerability//

  33. 33

  34. Secure settings should be defined, implemented, and maintained, as defaults are often insecure.

  35. 35
    PHP Settings
    Disable error display (display_errors)
    Disable remote includes (allow_url_fopen and allow_url_include)
    Set reasonable resource maximums (upload_max_filesize and memory_limit)
    Leverage the disable_functions directive to block dangerous functions:
    exec, passthru, shell_exec, system, proc_open, popen,
    parse_ini_file, show_source, eval, create_function

  36. 36
    Webserver Settings (Nginx / Apache / etc)
    Disable server tokens and signature disclosure
    Configure a static server name (don’t trust potentially malicious HOST headers)
    Disable directory traversal
    ALWAYS configure strong SSL certificates for secure access
    Return proper error codes

  37. 37
    Database (MySQL) Settings
    Set an appropriate bind-address
    Ensure users are configured from the correct host, not a % wildcard
    Limit user permissions on the database to just what the application needs

  38. 38

  39. An application takes untrusted data and sends it to a web browser without proper validation or escaping.

  40. 40
    (Template markup lost in transcript; only these fragments survive.)
    Search results for: ""
    title; ?>
    No results for ''

    Search results for:
    No results for ''

  41. 41
    (Template markup lost in transcript; only these fragments survive.)
    Search results for: ""
    title; ?>
    No results for ''

    Search results for: ""
    No results for ''

  42. 42

  43. Languages’ native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data.

  44. 44
    class CartCache {
        public $cache_file;
        public $data = [];
        public $cleanup = true; // declared here so the example runs; the slide omits it
        // ...

        /**
         * Automatically purge the cache file from disk to clean up
         */
        public function __destruct() {
            $file = "/var/www/cache/tmp/carts/{$this->cache_file}";
            if ($this->cleanup && file_exists($file)) {
                @unlink($file);
            }
        }
    }

    // Untrusted input decides which class is instantiated and what its
    // properties hold; the destructor then runs with attacker-chosen values.
    $data = unserialize($_GET['data']);

    https://yoursite.com/endpoint.php?data=O:9:"CartCache":2:{s:10:"cache_file";s:18:"../../../index.php";s:4:"data";a:0:{}}

  45. Do not pass untrusted user input to unserialize() regardless of the options value of allowed_classes.

  46. 46

  47. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

  48. 48
    Audit Application Dependencies
    Monitor Composer-installed dependencies for outdated or vulnerable libraries
    Leverage unattended-upgrades to keep system packages up-to-date
    Audit the packages installed on your server - don’t install things you don’t need

  49. Custom error messages can help demonstrate when a security hole has been plugged. Or annoy those who were exploiting it in the first place...

  50. 50
    Audit Application Dependencies
    Monitor Composer-installed dependencies for outdated or vulnerable libraries
    Leverage unattended-upgrades to keep system packages up-to-date
    Audit the packages installed on your server - don’t install things you don’t need
    Only run current, supported versions of PHP!!!

  51. 51

  52. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected.

  53. 53
    It’s Important to Track:
    What happened
    When it happened
    Where it happened (in terms of code and the IP of the server)
    To whom it happened
    What input triggered the event

  54. 54
    Event Classes
    Input Validation Errors
    Output Validation Errors
    Authentication Events
    Authorization (Access Control) Failures
    Application Errors
    Application Startup/Shutdown
    High-risk Operations
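
Added example (not code from the deck) tying the two logging slides together: a small logger that records the five fields of slide 53 (what, when, where, to whom, triggering input) for each of slide 54's event classes, redacting credentials from the captured input and writing one JSON object per line. The class, field names and the sample events are constructed.

```php
<?php
// Added example, not from the deck: a structured security event record carrying
// the five fields of slide 53, tagged with one of slide 54's event classes and
// written as one JSON object per line for a log shipper to index.
declare(strict_types=1);

final class SecurityLog
{
    public const CLASSES = ['input_validation', 'output_validation', 'authn',
        'authz', 'app_error', 'lifecycle', 'high_risk'];
    private $stream;

    public function __construct($stream) { $this->stream = $stream; }

    /** @param int|string|null $who the affected user, if any */
    public function event(string $class, string $what, $who, array $input): void
    {
        if (!in_array($class, self::CLASSES, true)) {
            throw new InvalidArgumentException("unknown event class: $class");
        }
        $caller = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 1)[0]; // where event() was called
        $record = [
            'when'   => gmdate(DATE_ATOM),
            'class'  => $class,
            'what'   => $what,
            'where'  => ['file' => basename($caller['file']), 'line' => $caller['line'],
                         'server' => $_SERVER['SERVER_ADDR'] ?? gethostname()],
            'who'    => $who,
            'client' => $_SERVER['REMOTE_ADDR'] ?? null,
            'input'  => self::redact($input),
        ];
        fwrite($this->stream, json_encode($record, JSON_UNESCAPED_SLASHES) . PHP_EOL);
    }

    /** Never write credentials to the log, even when recording a failed attempt. */
    private static function redact(array $input): array
    {
        foreach ($input as $k => $v) {
            if (preg_match('/pass|token|secret|authorization/i', (string) $k) === 1) {
                $input[$k] = '[REDACTED]';
            }
        }
        return $input;
    }
}

$log = new SecurityLog(fopen('php://stdout', 'w'));
// Constructed events: a failed login (password redacted) and an authorization failure.
$log->event('authn', 'login failed: bad password', 'alice', ['username' => 'alice', 'password' => 'hunter2']);
$log->event('authz', 'profile update for another user', 1, ['user_id' => '2']);
```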

  55. (Full image slide. No text)

  56. 56

  57. 57
