OWASP - A7, A8, A9

Transcript

1. OWASP Vulnerabilities A9:2017-Using Components with Known Vulnerabilities A8:2017-Insecure Deserialization A7:2017-Cross-Site

   Scripting (XSS) Shreeram Vaidhyanathan

2. About Organization š Cart-Delivery is a U.S. based company that

   operates by serving the pick-up and delivery of groceries to customers. š Users can order their groceries through websites or mobile apps in all U.S states. š Cart-Delivery promises 2-hour delivery for certain locations and limited items and rest are just 2-day shipping. š As part of daily transaction, Cart-Delivery stores PII information for 2 months and purges it across the system

3. Using Components with Known Vulnerabilities

4. Component and Dependency Component is an independent entity that does

   some atomic task which is clubbed together with multiple entity to do a large task. Component Dependency is a relationship among activities and specifies some order in which they need to be performed which arise in every decision making, planning and developing process. In programming world, this is mostly achieved with importing libraries. Dependency

5. When can a component be Vulnerable? IF SOME ENTITY OF

   THE COMPONENT IS OUT-OF-DATE OR NOT UPGRADED. COMPONENT INCLUDES SERVERS, OS, DB OR JUST THE LIBRARY ITSELF. IF THE COMPONENT IS NOT COMPATIBLE WITH ANY OF THE LIBRARIES IN THE ECO- SYSTEM (INCLUDING NESTED DEPENDENCIES). IF THE CONFIGURATION IS INSECURE OR IF THERE IS ANY MIS-CONFIGURATION RELATED TO SPECIFIC LIBRARY.

6. So, How do we prevent? ANY UNUSED DEPENDENCIES, UNNECESSARY FEATURES,

   COMPONENTS, FILES SHOULD BE REMOVED IMPORTING THE COMPONENTS ONLY FROM OFFICIAL SOURCES OVER SECURE LINKS. MAKE SURE IF THE PACKAGE IS SIGNED WITH SOME ENCRYPTION. PGP IS MOSTLY USED. WHEN A PATCH IS FOUND FOR A VULNERABLE PACKAGE, PLAN TO FIX IT IMMEDIATELY, OR STOP USING THE PACKAGE. PERIODICALLY PULL THE INVENTORY OF THE VERSIONS OF ALL PACKAGES AND FRAMEWORKS TO UNDERSTAND IF ANY PATCHES FOR VULNERABILITY.

7. Insecure Deserialization

8. Understanding Serialization Serialization: A process to convert an object into

   byte-stream. Deserialization: A process to recreate the object from the byte stream. This will persist the object in memory.

9. Issues with In- secure deserialization Data tampering is the most

   prominent issue if deserialization is insecure. Attacker tampers the data sent through the wire. If it is not sanitized, this can cause harm to the client where the byte code is deserialized Logic Modification is the other one. Attacker can modify the logic of application when sending malicious code to the client that extracts the object from byte-code which ultimately runs the malicious code.

10. Prevention Always check the integrity of the serialized objects to

    make sure the data is from right source. Have a strong constraints to deserialize any bytes that are sent Decentralizing the deserialization can give huge security benefit to prevent from security issues. But this is little expensive Log any failures or exceptions in deserialization and monitor it in real-time as priority

11. Cross-Site Scripting (XSS)

12. Understanding XSS Cross-site scripting (XSS) is a web security vulnerability

    that allows an attacker to compromise the interactions that users have with a vulnerable application. XSS allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other.

13. Types of XSS Reflected XSS Malicious script comes from the

    current HTTP request. This arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. Stored XSS Malicious script comes from the website's database. This arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. DOM-based XSS Vulnerability exists in client-side code rather than server-side code. This arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back to the DOM.

14. Issues with XSS If the application holding sensitive data, such

    as banking transactions, emails, or healthcare records, which is XSS attacked, those sensitive data will be compromised. If the privileges of compromised users are elevated in the application, the attacker can take all the control of the application and the data.

15. Prevention Using frameworks that automatically escape XSS by design. Ruby

    on Rails, React JS Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS. Enabling a Content Security Policy (CSP) as a defense-in-depth mitigating control against XSS.

16. Actions from stakeholders

17. Stakeholder Responsibilities Non-technical managers Ensure to prioritize all top 10

    OWASP related validations before pushing application to production Technical managers Choosing the right libraries that are secure, that don’t allow XSS attack Guide development to write secure code Developers Implementing the framework in secure way and making sure deserialization is secure always. DevOps Create dashboards and set up alerts for any of the issues from centralized logs to detect the issue immediately Testers Creating test cases and check for any security flaws that include XSS, and ensuring right libraries are used. Incident Response Team (IRT) Create the playbooks ready for each of incidents and how to react to each of them quickly.

18. Thank you