
OWASP TOP 10

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

Zubair Ansari

January 12, 2020

Transcript

  1. Who am I?
     • DSC Lead @ Google Developers
     • Open Contributor @ Cybrary.it
     • Founder of Arcotic Solution – arcotics.com
  2. About OWASP
     • Open Web Application Security Project (OWASP)
     • Produces articles, methodologies, documentation, tools and technologies in the field of web application security.
     • Presentations & videos
     • Open community
     • Volunteerism
     • TOP 10 – Project | OWASP ZAP
  3. About OWASP
     • Cheat sheets on many common topics
     • Standard security controls and libraries
     • Local chapters worldwide
     • Extensive conferences worldwide
     • Mailing list
     Learn more at: https://www.owasp.org
  4. TOP 10 2013
     A1 – Injection
     A2 – Broken Authentication and Session Management
     A3 – Cross-Site Scripting (XSS)
     A4 – Insecure Direct Object References
     A5 – Security Misconfiguration
     A6 – Sensitive Data Exposure
     A7 – Missing Function Level Access Control
     A8 – Cross-Site Request Forgery (CSRF)
     A9 – Using Components with Known Vulnerabilities
     A10 – Unvalidated Redirects and Forwards
  5. Comparison
     OWASP Top 10 2013                                       | OWASP Top 10 2017
     --------------------------------------------------------|------------------------------------------------------------
     A1 – Injection                                          | A1:2017 – Injection
     A2 – Broken Authentication and Session Management       | A2:2017 – Broken Authentication and Session Management
     A3 – Cross-Site Scripting (XSS)                         | A3:2017 – Sensitive Data Exposure
     A4 – Insecure Direct Object References [Merged+A7]      | A4:2017 – XML External Entity (XXE) [NEW]
     A5 – Security Misconfiguration                          | A5:2017 – Broken Access Control [Merged]
     A6 – Sensitive Data Exposure                            | A6:2017 – Security Misconfiguration
     A7 – Missing Function Level Access Control [Merged+A4]  | A7:2017 – Cross-Site Scripting (XSS)
     A8 – Cross-Site Request Forgery (CSRF)                  | A8:2017 – Insecure Deserialization [NEW, Community]
     A9 – Using Components with Known Vulnerabilities        | A9:2017 – Using Components with Known Vulnerabilities
     A10 – Unvalidated Redirects and Forwards                | A10:2017 – Insufficient Logging & Monitoring [NEW, Comm.]
  6. A1 – Injection
     Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
  7. Prevention of A1 – Injection
     • Don’t trust anyone
     • Avoid running with administrative privileges
     • Input validation
     • Parameterized queries
     • Update and patch
     • Web application firewall (WAF)
  8. A2 – Broken authentication and session management
     Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
  9. Prevention of A2 – Broken authentication and session management
     • Protection of users’ credentials (encryption)
     • Proper session management (session timeouts; no exposure of the session ID in the URL)
     • Strong passwords
     • Two-factor authentication (2FA)
     • Password change controls
  10. A3 – Cross-site scripting
     XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
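The deck has no prevention slide for A3, so here is an added example (Python, written for this page, not from the deck) of the "escaping" half of the fix: every untrusted value is escaped for the HTML context it lands in, with quote=True so a value placed inside an attribute cannot break out of it. The `render_comment_unescaped` function is the flawed counterpart kept only for comparison.

```python
import html


def render_comment(author: str, text: str) -> str:
    # Escape each untrusted value before it is placed into markup. quote=True
    # also converts " and ', which matters for the data-author attribute.
    safe_author = html.escape(author, quote=True)
    safe_text = html.escape(text, quote=True)
    return (
        f'<div class="comment" data-author="{safe_author}">'
        f"<b>{safe_author}</b>: {safe_text}</div>"
    )


def render_comment_unescaped(author: str, text: str) -> str:
    # The A3 flaw: user data is pasted into the page as if it were markup.
    return (
        f'<div class="comment" data-author="{author}">'
        f"<b>{author}</b>: {text}</div>"
    )


def tag_count(rendered: str) -> int:
    # The template itself contributes exactly four '<' characters
    # (<div, <b>, </b>, </div>); anything above that came from user data.
    return rendered.count("<")


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed test input
    print(tag_count(render_comment_unescaped("x", sample)))  # 6: markup leaked through
    print(tag_count(render_comment("x", sample)))            # 4: rendered as text
```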
  11. A4 – Insecure Direct Object References (IDOR)
     A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
  12. Prevention of A4 – IDOR
     • Use indirect references
     • Avoid exposing object references
     • Avoid directory traversal
     • Access control check
  13. A5 – Security Misconfiguration
     Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
  14. Prevention of A5 – Security Misconfiguration
     • Develop a repeatable patching schedule
     • Keep software up to date
     • Disable default accounts
     • Enforce strong access controls
  15. A6 – Sensitive Data Exposure
     Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
  16. Prevention of A6 – Sensitive Data Exposure
     • Encrypt data in transit and at rest
     • Use up-to-date encryption algorithms
     • Disable autocomplete and caching on forms that collect data
  17. A7 – Missing Function Level Access Control
     Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
  18. Prevention of A7 – Missing Function Level Access Control
     • Deny access to functionality by default
     • Use access control lists and role-based authentication mechanisms
     • Do not just hide functions
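Slides 12 and 18 describe two server-side checks that belong together: an indirect, per-session reference in place of the raw database key (A4) and a deny-by-default, role-based gate on every function (A7). The added example below (Python, written for this page; the invoice records, roles and permission table are constructed, not from the deck) implements both, so a reference issued to one session is meaningless in another, an unlisted function or role fails closed, and a resolved reference is still checked against the record's owner.

```python
import secrets
from typing import Dict, Optional

# Constructed sample records keyed by their internal database id.
INVOICES = {101: {"owner": "alice", "total": 40}, 102: {"owner": "bob", "total": 75}}
# Deny by default: a function is reachable only if listed here, and only by these roles.
PERMISSIONS = {"view_invoice": {"user", "admin"}, "delete_invoice": {"admin"}}


class Session:
    def __init__(self, user: str, role: str):
        self.user, self.role = user, role
        self._refs: Dict[str, int] = {}  # indirect references, valid for this session only

    def reference_for(self, object_id: int) -> str:
        # The browser receives an opaque, unguessable token instead of the database key.
        ref = secrets.token_urlsafe(16)
        self._refs[ref] = object_id
        return ref

    def resolve(self, ref: str) -> Optional[int]:
        return self._refs.get(ref)


def authorized(session: Session, function: str) -> bool:
    # Unknown functions and unlisted roles fail closed; nothing is merely hidden in the UI.
    return session.role in PERMISSIONS.get(function, set())


def view_invoice(session: Session, ref: str) -> Optional[dict]:
    if not authorized(session, "view_invoice"):
        return None
    invoice = INVOICES.get(session.resolve(ref))
    if invoice is None:
        return None
    # Object-level check: resolving the reference is not enough; the record must belong
    # to the caller (admins may view any invoice under this constructed policy).
    if invoice["owner"] != session.user and session.role != "admin":
        return None
    return invoice


def delete_invoice(session: Session, ref: str) -> bool:
    if not authorized(session, "delete_invoice"):
        return False
    object_id = session.resolve(ref)
    if object_id not in INVOICES:
        return False
    del INVOICES[object_id]
    return True
```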
  19. A8 – Cross-site Request Forgery (CSRF)
     A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
  20. Prevention of A8 – CSRF
     • Implement anti-CSRF tokens
     • HTTP Bearer authentication
     • Use the SameSite attribute on cookies
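Two of the three bullets above can be shown in a few lines. The added example below (Python standard library only, written for this page and not taken from the deck; the server key, session ids and request dict are constructed stand-ins) issues a token bound to the session with an HMAC, verifies it in constant time on a state-changing request, and emits the session cookie with the SameSite attribute so the browser will not attach it to cross-site requests in the first place.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; a real deployment keeps this persistent and protected.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    # token = nonce + HMAC(secret, session_id:nonce). Binding to the session id means a
    # token obtained in the attacker's own session is useless against the victim's.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: no timing hint about how many characters matched.
    return hmac.compare_digest(mac, expected)


def session_cookie_header(session_id: str) -> str:
    # SameSite keeps the cookie off requests initiated by another site; Secure and
    # HttpOnly limit exposure in transit and to page scripts.
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def handle_transfer(request: dict) -> int:
    # `request` is a constructed stand-in: {"cookies": {...}, "form": {...}}.
    # A cross-site form post may carry the cookie but cannot know the token,
    # so the state change is refused with 403.
    session_id = request.get("cookies", {}).get("session")
    token = request.get("form", {}).get("csrf_token", "")
    if not session_id or not verify_csrf_token(session_id, token):
        return 403
    return 200
```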
  21. A9 – Using Components With Known Vulnerabilities
  22. Prevention of A9 – Using Components with Known Vulnerabilities
     • Manual updates
     • Update and patch
     • Avoid untrusted components
  23. A10 – Unvalidated Redirects and Forwards
     Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
  24. Prevention of A10 – Unvalidated Redirects and Forwards
     • Avoid redirects and forwards where possible
     • Validate all URLs
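"Validate all URLs" hides a few traps: a protocol-relative "//host" target, a backslash the browser normalises to a slash, a host that merely starts with the trusted name, and non-HTTP schemes. The added example below (Python, written for this page, not from the deck; the allowlist is a constructed placeholder) accepts only same-site paths or absolute URLs whose host is on the allowlist and falls back to "/" for everything else, which also covers the "avoid redirects where possible" bullet by never passing an unvalidated target through.

```python
from urllib.parse import urlparse

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # constructed allowlist placeholder
DEFAULT_TARGET = "/"


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    if not target:
        return DEFAULT_TARGET
    # Browsers treat "\" like "/" in URLs, so "/\host" would become "//host"
    # after the redirect; normalise before parsing so the check sees what the browser sees.
    candidate = target.replace("\\", "/")
    parts = urlparse(candidate)

    if not parts.scheme and not parts.netloc:
        # Local path: require exactly one leading slash so "//host" cannot pass as a path.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET  # bare "host/path" is ambiguous, refuse it

    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET  # rejects javascript:, data:, and scheme-less "//host"

    # urlparse().hostname strips userinfo and port and lowercases, so
    # "https://trusted@evil/" and "https://trusted.evil/" compare as their real host.
    if parts.hostname not in allowed_hosts:
        return DEFAULT_TARGET
    return candidate


if __name__ == "__main__":
    for t in ["/account", "https://www.example.com/home", "//evil.example/", "/\\evil.example/"]:
        print(f"{t!r:32} -> {safe_redirect_target(t)}")
```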
  25. What is BUG bounty & BUG hunting?
     • A process of earning ❌
     • A process of doing experiments ✅
  26. What are BUG bounty platforms, and why do they exist?
     • Researchers do their experiments
     • Companies make their business secure and safe
  27. How to start BUG hunting?
     • How the application works: API, some programming languages (JavaScript, PHP, Python), logic, databases, data encryption, data transmission, BRAIN