Web Application Security 101

Transcript

1. Web Application Security 101 Hasan Tayyar Besik @htayyar

2. Learning Objectives OWASP Top 10 A quick introduction of OWASP

   Top 10 report Examples Real world examples for each OWASP Top 10 vulnerabilities Adoption Strategies to adopt the OWASP Top 10 in your team 2

3. OWASP The Open Web Application Security Project is an international

   non-profit organization focused web application security. 3

4. OWASP TOP 10 “The OWASP Top 10 is a standard

   awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.” https://owasp.org/www-project-top-ten/ Other reports https://owasp.org/www-pdf-archive/ 4

5. 5

6. OWASP Top 10 https://owasp.org/www-project-top-ten/ 6 ▪ Injection ▪ Broken Authentication

   ▪ Sensitive Data Exposure ▪ Broken Access Control ▪ Security Misconfiguration ▪ XSS ▪ XML External Entities (XXE) ▪ Insecure deserialization ▪ Using Components with Known Vulnerabilities ▪ Insufficient Logging & Monitoring

7. Top 10 with examples 7

8. Injection The most common and critical vulnerability 1.

9. SQL Injection The problem query = "SELECT email FROM user

   WHERE email= '" + email + "'" 9

10. SQL Injection The problem query = "SELECT email FROM user

    WHERE email= '" + email + "'" mysqlDriver.executeRaw(query) 10

11. SQL Injection Hostile User Inputs are The problem [email protected]' UNION

    ALL SELECT concat_ws(0x3a, version(), user(), database())-- [email protected]' UNION ALL SELECT TABLE_NAME FROM information_schema.TABLES WHERE table_schema=database()-- 11

12. SQL Injection The problem query = "SELECT email FROM user

    WHERE email= '" + email + "'" mysqlDriver.execRaw(query) mysqlDriver.execRaw("SELECT email FROM user WHERE email='[email protected]' UNION ALL SELECT concat_ws(0x3a, version(), user(), database())") 12

13. SQL Injection Some Sql injection payloads 1 AND (SELECT *

    FROM Users) = 1 OR 1=1 ' or sleep(5)=' '-' https://github.com/payloadbox/sql-injection-payload-list 13

14. SQL Injection The solution Do not trust user input. 14

15. SQL Injection Possible Mitigations 15

16. SQL Injection Possible Mitigations Do not trust user input. 16

17. SQL Injection Possible Mitigations ▪ Escape all inputs ▪ Parameterized

    Queries - (you still don’t use an ORM) ▪ Whitelist Input Validation 17

18. Broken Authentication Another most common vulnerability 2.

19. Broken Auth. How to Avoid ▪ Attackers often use password

    dumps on the net (or darknet). Try to rotate passwords and encourage your users to rotate their passwords 19

20. Broken Auth. How to Avoid ▪ A good password policy

    20

21. 21

22. Broken Auth. How to Avoid ▪ Limiting the request rate

    to the sensitive endpoints 22

23. Broken Auth. How to Avoid ▪ Limiting the request rate

    to the sensitive endpoints ▪ Limit or increasingly delay the failed logins ▪ I don’t even mention to use a server side and securely generated session id etc 23

24. Sensitive Data Exposure Protect your data in transit and at

    rest 3.

25. Protect Data 25 https://www.sealpath.com/protecting-the-three-states-of-data/

26. Protect Data: HTTPS Everywhere Do I need to use HTTPS

    : YES All the answers https://doesmysiteneedhttps.com/ 26

27. Protect Data: Weak crypto Can I just use MD5 :

    NO Weak cryptographic algorithms can be broken quickly See HASHCAT https://hashcat.net/hashcat/ 27

28. Protect Data: Weak Crypto Keys A common example: using JWT

    private token for development and production purposes. 28

29. Broken Access Control 4.

30. Public Buckets ‍♂ The most common version of “Broken Access

    Control” vulnerability To avoid similar situations, “Deny” by default 30

31. Others Long living JWT tokens, directory listing, public logs, bad/weak

    permission models, missing CORS 31

32. Security Misconfiguration 5.

33. Scan and Patch Often ▪ Insecure default configurations - shodan.io

    ▪ Public buckets ▪ Verbose error messages 33

34. Update Often Setting automatic update may cause problems like compatibility,

    loss of availability on critical businesses but there are usually stable update channels for OSs, libraries or apps. Stable channels always contain critical patches. 34

35. XSS The darling of the bug bounty hunters. 6.

36. What exactly? “XSS allows attackers to execute scripts in the

    victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.” That’s all about it. 36

37. Important to understand Practice here https://xss-game.appspot.com/ Payload: <script>alert(1)</script> 37

38. What’s the big deal “XSS is the second most prevalent

    issue in the OWASP Top 10, and is found in around two thirds of all applications.” - https://owasp.org/ 38

39. What’s the big deal Attacker can trick user - https://google.com?q=<script>document.location.href=https://att

    acker.com</script> Attacker can steal sensitive information by posting localstorage to somewhere else. 39

40. How to avoid 40

41. How to avoid Guess what? 41

42. Do not trust user! 42

43. How to avoid Seriously ▪ Escape all possible user inputs.

    It can be a data which is already stored on your db. Escape it before rendering as HTML ▪ Escape ▪ Escape 43

44. How to avoid Seriously ▪ Enabling Content Security Policy (CSP)

    * and configuring a radical one will solve most of the critical effects of XSS. ▪ Escape ▪ Escape * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP 44

45. How to avoid Seriously Thanks to OWASP there is a

    very well prepared guide shows how to avoid the XSS https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_ Scripting_Prevention_Cheat_Sheet.html 45

46. XEE Meh. I will skip this. Important but ancient vulnerability.

    7.

47. Insecure deserialization Remote code execution 8.

48. How to avoid ? 48

49. How to avoid yes... 49

50. How to avoid Do not trust user! 50

51. Seriously... ▪ Integrity checks ▪ Enforce strict type constraints ▪

    Isolating and running code ▪ Execute at low privilege environments when possible. 51

52. Components with Known Vulnerabilities The most recent topic that is

    added to OWASP top 10 9.

53. How to avoid ▪ Scan dependencies: npm audit, 3rd party

    tools like snyk.io (my favourite), OWASP has some open source tools ▪ Scan containers - Gitlab uses an open source project Klar □ Google Cloud has it as a free service ▪ React to vulnerability reports ▪ Recommended to add to Ci/Cd pipelines before going live 53

54. Insufficient Logging & Monitoring Better to be safe than sorry

    10.

55. Better to be ready “Most breach studies show time to

    detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.” 55

56. What to do ▪ Anomaly detection ▪ Audit logs -

    not only logging but also monitoring of audit logs. ▪ Alerting - update alert policies with the changing nature of the app and technologies 56

57. Adoption How to adopt security practices in your team? OWASP

    checklist is a good start. 57

58. Red Team in Your Team Read teaming is a very

    proactive way of protecting your product. Try to exploit your product before someone else does. 58

59. Educate yourself Here is an amazing start focused on OWASP

    Top 10 A free interactive Application Security Training https://application.security/free-application-security-training 59

60. Better to be safe than sorry 60

61. Ask me 61 https://twitter.com/AlanSla90124663/status/1256468607984336896 @htayyar

62. Photo Credits https://unsplash.com/@freakingdash https://unsplash.com/@atharva_tulsi https://unsplash.com/@suicide_chewbacca https://unsplash.com/@giorgiotrovato https://unsplash.com/@dimhou https://unsplash.com/@bithinrajxlr8 https://unsplash.com/@sarabakhshi 62