Web Application Security 101
Dive into OWASP Top 10

Hasan Tayyar BEŞİK

May 07, 2020
Transcript

  1. Web Application Security 101 Hasan Tayyar Besik @htayyar

  2. Learning Objectives ▪ OWASP Top 10: a quick introduction to the OWASP Top 10 report ▪ Examples: real-world examples for each OWASP Top 10 vulnerability ▪ Adoption: strategies to adopt the OWASP Top 10 in your team
  3. OWASP The Open Web Application Security Project is an international non-profit organization focused on web application security.
  4. OWASP Top 10 “The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.” https://owasp.org/www-project-top-ten/ Other reports: https://owasp.org/www-pdf-archive/
  5. 5

  6. OWASP Top 10 https://owasp.org/www-project-top-ten/ ▪ Injection ▪ Broken Authentication ▪ Sensitive Data Exposure ▪ Broken Access Control ▪ Security Misconfiguration ▪ XSS ▪ XML External Entities (XXE) ▪ Insecure Deserialization ▪ Using Components with Known Vulnerabilities ▪ Insufficient Logging & Monitoring
  7. Top 10 with examples

  8. Injection (#1): the most common and critical vulnerability

  9. SQL Injection The problem: query = "SELECT email FROM user WHERE email= '" + email + "'"
  10. SQL Injection The problem: query = "SELECT email FROM user WHERE email= '" + email + "'" mysqlDriver.executeRaw(query)
  11. SQL Injection The problem: hostile user inputs such as info@fbi.gov' UNION ALL SELECT concat_ws(0x3a, version(), user(), database())-- or angela@merkel.com' UNION ALL SELECT TABLE_NAME FROM information_schema.TABLES WHERE table_schema=database()--
  12. SQL Injection The problem: query = "SELECT email FROM user WHERE email= '" + email + "'" mysqlDriver.execRaw(query) becomes mysqlDriver.execRaw("SELECT email FROM user WHERE email='info@fbi.gov' UNION ALL SELECT concat_ws(0x3a, version(), user(), database())--'") (the trailing -- comments out the closing quote the template appends)
  13. SQL Injection Some SQL injection payloads: ▪ 1 AND (SELECT * FROM Users) = 1 ▪ OR 1=1 ▪ ' or sleep(5)=' ▪ '-' https://github.com/payloadbox/sql-injection-payload-list
  14. SQL Injection The solution: do not trust user input.

  15. SQL Injection Possible Mitigations

  16. SQL Injection Possible Mitigations: do not trust user input.

  17. SQL Injection Possible Mitigations ▪ Escape all inputs ▪ Parameterized queries (if you still don’t use an ORM) ▪ Whitelist input validation
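The concatenated query from slides 9-12 next to the two mitigations slide 17 names, parameterized queries and whitelist validation, as an added example that is not part of the deck. `mysqlDriver`/`executeRaw` are placeholders in the slides, so each builder here only returns the query object a driver would receive; the email pattern is an assumed, deliberately narrow whitelist.

```javascript
// Added example (not from the slides): the deck's string-concatenated query
// beside a parameterized version, plus the whitelist check slide 17 recommends.
// Nothing here touches a database; each builder returns the query object a
// driver such as mysql2 would be handed (sql text plus separate parameters).

// The problem, as on the slides: user input is pasted into the SQL text.
function unsafeQuery(email) {
  return { sql: "SELECT email FROM user WHERE email= '" + email + "'", params: [] };
}

// Mitigation 1: a parameterized query. The SQL text is fixed; the driver sends
// the value separately, so quotes and keywords in it are never parsed as SQL.
function safeQuery(email) {
  return { sql: "SELECT email FROM user WHERE email = ?", params: [email] };
}

// Mitigation 2: whitelist validation. Accept only what an email address may
// look like (constructed, deliberately narrow pattern) and reject the rest early.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
function isValidEmail(email) {
  return typeof email === "string" && email.length <= 254 && EMAIL_RE.test(email);
}

// Lookup that applies both mitigations before anything reaches a driver.
function lookupQuery(email) {
  if (!isValidEmail(email)) {
    return { rejected: true, reason: "email failed whitelist validation" };
  }
  return safeQuery(email);
}

// Demonstration with the hostile input from slide 11.
const hostile = "info@fbi.gov' UNION ALL SELECT concat_ws(0x3a, version(), user(), database())--";
console.log(unsafeQuery(hostile).sql);     // the UNION has become part of the SQL text
console.log(safeQuery(hostile));           // SQL text unchanged; the payload is only a value
console.log(lookupQuery(hostile));         // rejected before any query is built
console.log(lookupQuery("alice@example.com"));
```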
  18. Broken Authentication (#2): another very common vulnerability

  19. Broken Auth. How to Avoid ▪ Attackers often use password dumps from the net (or darknet). Try to rotate passwords and encourage your users to rotate their passwords.
  20. Broken Auth. How to Avoid ▪ A good password policy
  21. 21

  22. Broken Auth. How to Avoid ▪ Limiting the request rate to the sensitive endpoints
  23. Broken Auth. How to Avoid ▪ Limiting the request rate to the sensitive endpoints ▪ Limit or increasingly delay failed logins ▪ Not to mention using a server-side, securely generated session id, etc.
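The "limit or increasingly delay failed logins" point from slide 23 as an added example, not code from the deck: a per-account failure counter whose lockout doubles after each further failure. The policy numbers (3 free attempts, 1 s base delay, 15 min cap) and the injectable clock are assumptions made for the demonstration.

```javascript
// Added example (not from the slides): exponential delay on failed logins,
// kept in memory per account. `now` is injectable so it can be checked without
// waiting. Assumed policy: 3 free attempts, then 1s doubling, capped at 15 min.
const FREE_ATTEMPTS = 3;
const BASE_DELAY_MS = 1000;
const MAX_DELAY_MS = 15 * 60 * 1000;

class LoginThrottle {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.state = new Map(); // account -> { failures, blockedUntil }
  }
  // Delay to impose after `failures` consecutive failed attempts.
  delayFor(failures) {
    if (failures <= FREE_ATTEMPTS) return 0;
    const delay = BASE_DELAY_MS * 2 ** (failures - FREE_ATTEMPTS - 1);
    return Math.min(delay, MAX_DELAY_MS);
  }
  // Call before verifying the password: may this attempt proceed at all?
  check(account) {
    const s = this.state.get(account);
    if (!s || s.blockedUntil <= this.now()) return { allowed: true, retryAfterMs: 0 };
    return { allowed: false, retryAfterMs: s.blockedUntil - this.now() };
  }
  // Call after a wrong password: bump the counter and extend the block.
  recordFailure(account) {
    const prev = this.state.get(account);
    const failures = (prev ? prev.failures : 0) + 1;
    const delay = this.delayFor(failures);
    this.state.set(account, { failures, blockedUntil: this.now() + delay });
    return delay;
  }
  // Call after a successful login: the counter starts over.
  recordSuccess(account) {
    this.state.delete(account);
  }
}

// Demonstration with a constructed fake clock (milliseconds).
let clock = 0;
const throttle = new LoginThrottle(() => clock);
for (let i = 1; i <= 6; i++) {
  console.log(`failure ${i}: next delay ${throttle.recordFailure("alice")} ms`);
}
console.log(throttle.check("alice")); // blocked, 4000 ms remaining
clock += 4000;
console.log(throttle.check("alice")); // allowed again
```

Rate limiting by IP (slide 22) is a separate layer; this one is keyed by account so a distributed attempt against one user still slows down.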
  24. Sensitive Data Exposure (#3): protect your data in transit and at rest
  25. Protect Data https://www.sealpath.com/protecting-the-three-states-of-data/

  26. Protect Data: HTTPS Everywhere Do I need to use HTTPS? YES. All the answers: https://doesmysiteneedhttps.com/
  27. Protect Data: Weak crypto Can I just use MD5? NO. Weak cryptographic algorithms can be broken quickly; see hashcat https://hashcat.net/hashcat/
  28. Protect Data: Weak Crypto Keys A common example: using the same JWT signing key for development and production.
  29. Broken Access Control (#4)

  30. Public Buckets The most common version of the “Broken Access Control” vulnerability. To avoid similar situations, “Deny” by default.
  31. Others Long-lived JWT tokens, directory listing, public logs, bad/weak permission models, missing CORS
  32. Security Misconfiguration (#5)

  33. Scan and Patch Often ▪ Insecure default configurations (see shodan.io) ▪ Public buckets ▪ Verbose error messages
  34. Update Often Setting automatic updates may cause problems such as compatibility issues or loss of availability for critical businesses, but there are usually stable update channels for OSs, libraries and apps. Stable channels always contain critical patches.
  35. XSS (#6): the darling of the bug bounty hunters.

  36. What exactly? “XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.” That’s all there is to it.
  37. Important to understand Practice here: https://xss-game.appspot.com/ Payload: <script>alert(1)</script>

  38. What’s the big deal? “XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two thirds of all applications.” - https://owasp.org/
  39. What’s the big deal? Attackers can trick the user: https://google.com?q=<script>document.location.href=https://attacker.com</script> Attackers can steal sensitive information by posting localStorage contents somewhere else.
  40. How to avoid

  41. How to avoid Guess what?

  42. Do not trust user!

  43. How to avoid Seriously ▪ Escape all possible user inputs. It can be data that is already stored in your DB: escape it before rendering it as HTML ▪ Escape ▪ Escape
  44. How to avoid Seriously ▪ Enabling Content Security Policy (CSP)* and configuring a strict one will solve most of the critical effects of XSS. ▪ Escape ▪ Escape * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
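Both points from slides 43 and 44, escaping stored data at render time and sending a strict CSP, as one added example that is not from the deck. The comment store, the page template and the nonce parameter are constructed for the demonstration; the payload rendered is the one from slide 37.

```javascript
// Added example (not from the slides): escape stored data before rendering it
// as HTML (slide 43) and emit a strict Content-Security-Policy (slide 44).
// The comment store and page template are constructed for the demonstration.

// Escape the five characters that let text break out of an HTML text node or
// a quoted attribute. Apply this at render time, not when the data is stored.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render a comment list the "stored XSS" way: the text came from the DB, and an
// earlier request may already have stored a payload in it, so escape it anyway.
function renderComments(comments) {
  const items = comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join("");
  return `<ul>${items}</ul>`;
}

// A strict CSP for a page that serves its own scripts: no inline script and no
// third-party script origins, so an injected <script> tag is refused as well.
// `nonce` is a hypothetical per-response value for scripts the page inlines itself.
function strictCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Constructed stored data, including the payload from slide 37.
const stored = [
  { author: "alice", text: "Nice talk!" },
  { author: "mallory", text: "<script>alert(1)</script>" },
];
const html = renderComments(stored);
console.log(html); // the payload is now literal text, not a script element
console.log(strictCsp("r4nd0m")); // value for the Content-Security-Policy header
```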
  45. How to avoid Seriously Thanks to OWASP there is a very well prepared guide that shows how to avoid XSS: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
  46. XXE (#7) Meh. I will skip this. Important but ancient vulnerability.
  47. Insecure Deserialization (#8): remote code execution

  48. How to avoid ?

  49. How to avoid yes...

  50. How to avoid Do not trust user!

  51. Seriously... ▪ Integrity checks ▪ Enforce strict type constraints ▪ Isolate the code that deserializes and run it separately ▪ Execute in low-privilege environments when possible.
  52. Components with Known Vulnerabilities (#9) The most recent topic added to the OWASP Top 10
  53. How to avoid ▪ Scan dependencies: npm audit, 3rd party tools like snyk.io (my favourite), OWASP has some open source tools ▪ Scan containers: GitLab uses an open source project, Klar; Google Cloud has it as a free service ▪ React to vulnerability reports ▪ Recommended: add these scans to CI/CD pipelines before going live
  54. Insufficient Logging & Monitoring (#10): better to be safe than sorry
  55. Better to be ready “Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.”
  56. What to do ▪ Anomaly detection ▪ Audit logs: not only logging but also monitoring of audit logs ▪ Alerting: update alert policies as the app and its technologies change
  57. Adoption How to adopt security practices in your team? The OWASP checklist is a good start.
  58. Red Team in Your Team Red teaming is a very proactive way of protecting your product. Try to exploit your product before someone else does.
  59. Educate yourself Here is an amazing start focused on the OWASP Top 10, a free interactive Application Security Training: https://application.security/free-application-security-training
  60. Better to be safe than sorry

  61. Ask me https://twitter.com/AlanSla90124663/status/1256468607984336896 @htayyar

  62. Photo Credits https://unsplash.com/@freakingdash https://unsplash.com/@atharva_tulsi https://unsplash.com/@suicide_chewbacca https://unsplash.com/@giorgiotrovato https://unsplash.com/@dimhou https://unsplash.com/@bithinrajxlr8 https://unsplash.com/@sarabakhshi