Secure Code Review OWASP Top 10 by Sherif Koussa

Secure Code Review OWASP Top 10 by Sherif Koussa

Secure Code Review is the best approach to uncover the largest number of security flaws in addition to the most stealth and hard to uncover security vulnerabilities. During this session, you will learn how to perform security code review and uncover vulnerabilities such as OWASP Top 10: Cross-site Scripting, SQL Injection, Access Control and much more in early stages of development. You will use a real life application "SecureTickers" pulled from SourceForge. You will get an introduction to Static Code Analysis tools and how you can extend PMD (http://pmd.sourceforge.net/), the open source static code analysis tool, to catch security flaws like OWASP Top 10. Expect lots of code, tools, hacking and fun! *(Please note that the exercises will be mainly in Java.)

OWASP Montreal - November 2012

https://www.owasp.org/index.php/Montr%C3%A9al

09905cce02942fb076f958f4b69fd8f6?s=128

OWASP Montréal

November 22, 2012
Tweet

Transcript

  1. Softwar S cur OWASP SECURE CODE REVIEW OWASP TOP 10

    OWASP Montreal - November 2012 Sherif Koussa sherif.koussa@owasp.org - sherif@softwaresecured.com Wednesday, 21 November, 12
  2. Softwar S cur OWASP 2006 2008 2009 2011 2 Today

    ABOUT ME Wednesday, 21 November, 12
  3. Softwar S cur OWASP 2006 2008 2009 2011 2 Today

    ABOUT ME Wednesday, 21 November, 12
  4. Softwar S cur OWASP 2006 2008 2009 2011 2 Today

    ABOUT ME Wednesday, 21 November, 12
  5. Softwar S cur OWASP 2006 2008 2009 2011 2 Today

    ABOUT ME Wednesday, 21 November, 12
  6. Softwar S cur OWASP 2006 2008 2009 2011 2 Today

    ABOUT ME Wednesday, 21 November, 12
  7. Softwar S cur OWASP TAKE AWAYS • Components of an

    effective secure code review process • How to kickoff your internal security code review process 3 Wednesday, 21 November, 12
  8. Softwar S cur OWASP WHAT DOES CODE REVIEW DO BEST?

    4 Wednesday, 21 November, 12
  9. Softwar S cur OWASP • Systematic approach to uncover security

    flaws WHAT DOES CODE REVIEW DO BEST? 4 Wednesday, 21 November, 12
  10. Softwar S cur OWASP • Systematic approach to uncover security

    flaws • Close to 100% code coverage WHAT DOES CODE REVIEW DO BEST? 4 Wednesday, 21 November, 12
  11. Softwar S cur OWASP • Systematic approach to uncover security

    flaws • Close to 100% code coverage • Better at finding design flaws WHAT DOES CODE REVIEW DO BEST? 4 Wednesday, 21 November, 12
  12. Softwar S cur OWASP • Systematic approach to uncover security

    flaws • Close to 100% code coverage • Better at finding design flaws • Find all instances of a certain vulnerability WHAT DOES CODE REVIEW DO BEST? 4 Wednesday, 21 November, 12
  13. Softwar S cur OWASP • Systematic approach to uncover security

    flaws • Close to 100% code coverage • Better at finding design flaws • Find all instances of a certain vulnerability • The only way to find certain types of vulnerabilities WHAT DOES CODE REVIEW DO BEST? 4 Wednesday, 21 November, 12
  14. Softwar S cur OWASP WHAT ARE WE LOOKING FOR? 5

    Wednesday, 21 November, 12
  15. Softwar S cur OWASP WHAT ARE WE LOOKING FOR? •

    Software Weaknesses 5 Wednesday, 21 November, 12
  16. Softwar S cur OWASP WHAT ARE WE LOOKING FOR? •

    Software Weaknesses • Application Logic Issues 5 Wednesday, 21 November, 12
  17. Softwar S cur OWASP WHAT ARE WE LOOKING FOR? •

    Software Weaknesses • Application Logic Issues • Dead\Debug Code 5 Wednesday, 21 November, 12
  18. Softwar S cur OWASP WHAT ARE WE LOOKING FOR? •

    Software Weaknesses • Application Logic Issues • Dead\Debug Code • Misconfiguration Issues 5 Wednesday, 21 November, 12
  19. Softwar S cur OWASP 6 Wednesday, 21 November, 12

  20. Softwar S cur OWASP Security Code Review Mindset 6 Wednesday,

    21 November, 12
  21. Softwar S cur OWASP Security Code Review Mindset + 6

    Wednesday, 21 November, 12
  22. Softwar S cur OWASP Security Code Review Mindset Effective Security

    Code Review Process + 6 Wednesday, 21 November, 12
  23. Softwar S cur OWASP 7 Wednesday, 21 November, 12

  24. Softwar S cur OWASP 7 Wednesday, 21 November, 12

  25. Softwar S cur OWASP SECURITY CODE REVIEW MINDSET 7 Wednesday,

    21 November, 12
  26. Softwar S cur OWASP SECURITY CODE REVIEW MINDSET • Where

    is the data coming from? 7 Wednesday, 21 November, 12
  27. Softwar S cur OWASP SECURITY CODE REVIEW MINDSET • Where

    is the data coming from? • Original Intent -> Malicious Intent? 7 Wednesday, 21 November, 12
  28. Softwar S cur OWASP SECURITY CODE REVIEW MINDSET • Where

    is the data coming from? • Original Intent -> Malicious Intent? • Any mitigating controls? 7 Wednesday, 21 November, 12
  29. Softwar S cur OWASP IMPORTANT ASPECTS IN ANY PROCESS 8

    Wednesday, 21 November, 12
  30. Softwar S cur OWASP IMPORTANT ASPECTS IN ANY PROCESS •

    Reconnaissance: Understand the app 8 Wednesday, 21 November, 12
  31. Softwar S cur OWASP IMPORTANT ASPECTS IN ANY PROCESS •

    Reconnaissance: Understand the app • Threat Modeling: Enumerate inputs, threats and attack surface 8 Wednesday, 21 November, 12
  32. Softwar S cur OWASP IMPORTANT ASPECTS IN ANY PROCESS •

    Reconnaissance: Understand the app • Threat Modeling: Enumerate inputs, threats and attack surface • Automation: Low hanging fruits 8 Wednesday, 21 November, 12
  33. Softwar S cur OWASP IMPORTANT ASPECTS IN ANY PROCESS •

    Reconnaissance: Understand the app • Threat Modeling: Enumerate inputs, threats and attack surface • Automation: Low hanging fruits • Manual Review: High-risk modules 8 Wednesday, 21 November, 12
  34. Softwar S cur OWASP IMPORTANT ASPECTS IN ANY PROCESS •

    Reconnaissance: Understand the app • Threat Modeling: Enumerate inputs, threats and attack surface • Automation: Low hanging fruits • Manual Review: High-risk modules • Confirmation and PoC: Weed out false positive and confirm high-risk vulns 8 Wednesday, 21 November, 12
  35. Softwar S cur OWASP IMPORTANT ASPECTS IN ANY PROCESS •

    Reconnaissance: Understand the app • Threat Modeling: Enumerate inputs, threats and attack surface • Automation: Low hanging fruits • Manual Review: High-risk modules • Confirmation and PoC: Weed out false positive and confirm high-risk vulns • Reporting: Communicate back to the development team 8 Wednesday, 21 November, 12
  36. Softwar S cur OWASP 9 Wednesday, 21 November, 12

  37. Softwar S cur OWASP FULL APPLICATION SECURITY CODE REVIEW PROCESS

    10 Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Wednesday, 21 November, 12
  38. Softwar S cur OWASP MEET SECURE TICKETS • J2EE Application

    • MDB backend database • Eclipse as IDE • Maven as Build System 11 Wednesday, 21 November, 12
  39. RECONNAISSANCE Softwar S cur 12 Reconnaissance! Threat Modeling! Automation! Manual

    Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Wednesday, 21 November, 12
  40. Softwar S cur OWASP RECONNAISSANCE • Primary Business Goal of

    the Application • Use Cases\Abuse Cases • Different User Roles • Technology Stack of the Application • Environment Discovery • Use the Application 13 Wednesday, 21 November, 12
  41. Softwar S cur OWASP APPLICATION ARCHITECTURE 14 Use Case Diagram

    Wednesday, 21 November, 12
  42. Softwar S cur OWASP APPLICATION ARCHITECTURE 14 Use Case Diagram

    Wednesday, 21 November, 12
  43. Softwar S cur OWASP APPLICATION ARCHITECTURE 14 Use Case Diagram

    Wednesday, 21 November, 12
  44. Softwar S cur OWASP DEMO Reconnaissance 15 Wednesday, 21 November,

    12
  45. THREAT ASSESSMENT 16 Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation

    & PoC! Reporting! Checklists! Tools! OWASP Top 10! Wednesday, 21 November, 12
  46. Softwar S cur ENUMERATE THREAT AGENTS 17 View Schedule Admin

    Anonymous Registered Register\Login View Movie Info Buy Tickets Account Management Add User Add Theatres Add Movie Add Credit Disk SecureTickets Use Cases Script Kiddie Blackhat\CyberCriminal State Sponsored Hackers Hacktivists Wednesday, 21 November, 12
  47. Softwar S cur ENUMERATE THREAT AGENTS 17 View Schedule Admin

    Anonymous Registered Register\Login View Movie Info Buy Tickets Account Management Add User Add Theatres Add Movie Add Credit Disk SecureTickets Use Cases Script Kiddie Blackhat\CyberCriminal State Sponsored Hackers Hacktivists ✔ Wednesday, 21 November, 12
  48. Softwar S cur ENUMERATE THREAT AGENTS 17 View Schedule Admin

    Anonymous Registered Register\Login View Movie Info Buy Tickets Account Management Add User Add Theatres Add Movie Add Credit Disk SecureTickets Use Cases Script Kiddie Blackhat\CyberCriminal State Sponsored Hackers Hacktivists ✔ ✔ Wednesday, 21 November, 12
  49. Softwar S cur ENUMERATE THREAT AGENTS 17 View Schedule Admin

    Anonymous Registered Register\Login View Movie Info Buy Tickets Account Management Add User Add Theatres Add Movie Add Credit Disk SecureTickets Use Cases Script Kiddie Blackhat\CyberCriminal State Sponsored Hackers Hacktivists ✔ ✔ ✘ Wednesday, 21 November, 12
  50. Softwar S cur ENUMERATE THREAT AGENTS 17 View Schedule Admin

    Anonymous Registered Register\Login View Movie Info Buy Tickets Account Management Add User Add Theatres Add Movie Add Credit Disk SecureTickets Use Cases Script Kiddie Blackhat\CyberCriminal State Sponsored Hackers Hacktivists ✔ ✔ ✘ ✘ Wednesday, 21 November, 12
  51. Softwar S cur ENUMERATE ATTACKS 18 Script Kiddie Blackhat\CyberCriminal Wednesday,

    21 November, 12
  52. Softwar S cur ENUMERATE ATTACKS 18 Script Kiddie Blackhat\CyberCriminal Wednesday,

    21 November, 12
  53. Softwar S cur ENUMERATE ATTACKS 18 • Payment Information •

    Free\Premium Seats • Personal Data • Application’s Infrastructure • Application’s Users Script Kiddie Blackhat\CyberCriminal Wednesday, 21 November, 12
  54. Softwar S cur ENUMERATE ATTACKS 18 • Payment Information •

    Free\Premium Seats • Personal Data • Application’s Infrastructure • Application’s Users Script Kiddie Blackhat\CyberCriminal Wednesday, 21 November, 12
  55. Softwar S cur ENUMERATE ATTACKS 18 • Payment Information •

    Free\Premium Seats • Personal Data • Application’s Infrastructure • Application’s Users Script Kiddie Blackhat\CyberCriminal • SQL Injection • Cross-Site Scripting • Cross-Site Request Forgery • Command Injection • Insecure Redirects Forwards • Insecure Authentication • Insecure Authorization • Insecure Direct Object Reference Wednesday, 21 November, 12
  56. Softwar S cur View Schedule Admin Anonymous Registered Register\Login View

    Movie Info Buy Tickets Account Management Add User Add Theatres Add Movie Add Credit Disk SecureTickets Use Cases ENUMERATING ASSETS 19 Wednesday, 21 November, 12
  57. Softwar S cur View Schedule Admin Anonymous Registered Register\Login View

    Movie Info Buy Tickets Account Management Add User Add Theatres Add Movie Add Credit Disk SecureTickets Use Cases ENUMERATING ASSETS • Payment Information 19 Wednesday, 21 November, 12
  58. Softwar S cur View Schedule Admin Anonymous Registered Register\Login View

    Movie Info Buy Tickets Account Management Add User Add Theatres Add Movie Add Credit Disk SecureTickets Use Cases ENUMERATING ASSETS • Payment Information • Free\Premium Seats 19 Wednesday, 21 November, 12
  59. Softwar S cur View Schedule Admin Anonymous Registered Register\Login View

    Movie Info Buy Tickets Account Management Add User Add Theatres Add Movie Add Credit Disk SecureTickets Use Cases ENUMERATING ASSETS • Payment Information • Free\Premium Seats • Personal Data 19 Wednesday, 21 November, 12
  60. Softwar S cur View Schedule Admin Anonymous Registered Register\Login View

    Movie Info Buy Tickets Account Management Add User Add Theatres Add Movie Add Credit Disk SecureTickets Use Cases ENUMERATING ASSETS • Payment Information • Free\Premium Seats • Personal Data • Application’s Infrastructure 19 Wednesday, 21 November, 12
  61. Softwar S cur View Schedule Admin Anonymous Registered Register\Login View

    Movie Info Buy Tickets Account Management Add User Add Theatres Add Movie Add Credit Disk SecureTickets Use Cases ENUMERATING ASSETS • Payment Information • Free\Premium Seats • Personal Data • Application’s Infrastructure • Application’s Users 19 Wednesday, 21 November, 12
  62. AUTOMATION 20 Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation &

    PoC! Reporting! Checklists! Tools! OWASP Top 10! Wednesday, 21 November, 12
  63. Softwar S cur OWASP • Super Greps (keyword Search) •

    Automated Unit-Tests • Static Code Analysis Tools AUTOMATION 21 Wednesday, 21 November, 12
  64. Softwar S cur OWASP AUTOMATION STATIC CODE ANALYSIS TOOLS •

    Security Code Review <> Running a Tool Pros Cons Scales Well False Positives Low Hanging Fruit Application Logic Issues Can be Taught New Tricks Collections Frameworks 22 Wednesday, 21 November, 12
  65. Softwar S cur OWASP OPEN-SOURCE STATIC CODE ANALYSIS TOOLS Java

    .NET C++ 23 Wednesday, 21 November, 12
  66. Softwar S cur OWASP OPEN-SOURCE STATIC CODE ANALYSIS TOOLS Java

    .NET C++ 23 Wednesday, 21 November, 12
  67. Softwar S cur OWASP TOP 10 • A1. Injection •

    A2. Cross-site Scripting • A3. Broken Authentication and Session Management • A4. Insecure Direct Object Reference • A5. Cross-Site Request • A6. Security Misconfiguration • A7. Insecure Cryptography Storage • A8. Failure to Restrict URL • A9. Insufficient Transport Layer Protection • A10. Unvalidated Redirects and Forwards 24 Wednesday, 21 November, 12
  68. Softwar S cur A1. INJECTION 25 Manual Automatic Wednesday, 21

    November, 12
  69. Softwar S cur A1. INJECTION 25 Manual Automatic • Start

    With Automation Wednesday, 21 November, 12
  70. Softwar S cur A1. INJECTION 25 Manual Automatic • Start

    With Automation • Database Script (*.sql, *.txt, etc) Wednesday, 21 November, 12
  71. Softwar S cur A1. INJECTION 25 Manual Automatic • Start

    With Automation • Database Script (*.sql, *.txt, etc) • Pay Attention to Patterns & Coding Styles Wednesday, 21 November, 12
  72. Softwar S cur QUIZ-O-CODE 26 Wednesday, 21 November, 12

  73. Softwar S cur QUIZ-O-CODE 26 Will  it  catch   “UNI/**/ON”,

      “SEL/**?ECT”? Wednesday, 21 November, 12
  74. Softwar S cur OWASP A2. CROSS-SITE SCRIPTING 27 Manual Automatic

    Wednesday, 21 November, 12
  75. Softwar S cur OWASP A2. CROSS-SITE SCRIPTING 27 Manual Automatic

    • Start With Automation Wednesday, 21 November, 12
  76. Softwar S cur OWASP A2. CROSS-SITE SCRIPTING 27 Manual Automatic

    • Start With Automation • JS Files, AJAX Scripts. Wednesday, 21 November, 12
  77. Softwar S cur OWASP A2. CROSS-SITE SCRIPTING 27 Manual Automatic

    Wednesday, 21 November, 12
  78. Softwar S cur OWASP A2. CROSS-SITE SCRIPTING 27 Manual Automatic

    Wednesday, 21 November, 12
  79. Softwar S cur OWASP A2. CROSS-SITE SCRIPTING 27 Manual Automatic

    https://www.paypal.com/us/webapps/mpp/security/seller- problem-resolution#><img src=x onerror=prompt(‘PWNED’)> Wednesday, 21 November, 12
  80. Softwar S cur OWASP DEMO Automation Using PMD 28 Wednesday,

    21 November, 12
  81. MANUAL REVIEW Softwar S cur 29 Reconnaissance! Threat Modeling! Automation!

    Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Wednesday, 21 November, 12
  82. Softwar S cur OWASP WHY MANUAL REVIEW? 30 Wednesday, 21

    November, 12
  83. Softwar S cur OWASP WHY MANUAL REVIEW? • Authentication &

    Authorization Controls • Encryption Modules • File Upload and Download Operations • Validation Controls\Input Filters • Security-Sensitive Application Logic 30 Wednesday, 21 November, 12
  84. Softwar S cur OWASP A3. BROKEN AUTHENTICATION AND SESSION MANAGEMENT

    31 Manual Automatic Wednesday, 21 November, 12
  85. Softwar S cur OWASP A3. BROKEN AUTHENTICATION AND SESSION MANAGEMENT

    31 Manual Automatic • Main Authentication Point(s) Wednesday, 21 November, 12
  86. Softwar S cur OWASP A3. BROKEN AUTHENTICATION AND SESSION MANAGEMENT

    31 Manual Automatic • Main Authentication Point(s) • Fail Paths Wednesday, 21 November, 12
  87. Softwar S cur OWASP A3. BROKEN AUTHENTICATION AND SESSION MANAGEMENT

    31 Manual Automatic • Main Authentication Point(s) • Fail Paths • Change\Reset Password Wednesday, 21 November, 12
  88. Softwar S cur OWASP A3. BROKEN AUTHENTICATION AND SESSION MANAGEMENT

    31 Manual Automatic • Main Authentication Point(s) • Fail Paths • Change\Reset Password • Registration Pages Wednesday, 21 November, 12
  89. Softwar S cur OWASP A3. BROKEN AUTHENTICATION AND SESSION MANAGEMENT

    31 Manual Automatic • Main Authentication Point(s) • Fail Paths • Change\Reset Password • Registration Pages • Session Handling Practices Wednesday, 21 November, 12
  90. Softwar S cur OWASP A3. BROKEN AUTHENTICATION AND SESSION MANAGEMENT

    31 Manual Automatic Wednesday, 21 November, 12
  91. Softwar S cur AUTHENTICATION & AUTHORIZATION FLAWS 32 Wednesday, 21

    November, 12
  92. Softwar S cur AUTHENTICATION & AUTHORIZATION FLAWS 32 Wednesday, 21

    November, 12
  93. Softwar S cur AUTHENTICATION & AUTHORIZATION FLAWS Web Methods Do

    Not Follow Regular ASP.NET Page Life Cycle 32 Wednesday, 21 November, 12
  94. Softwar S cur OWASP A4. INSECURE DIRECT OBJECT REFERENCE •

    Start with automation to find leads for IDOR • Find the relation with the database keys • Find modules that uploads\downloads files • Easier to confirm with the live application 33 Manual Automatic Wednesday, 21 November, 12
  95. Softwar S cur OWASP A4. INSECURE DIRECT OBJECT REFERENCE 33

    Manual Automatic Wednesday, 21 November, 12
  96. Softwar S cur FILE UPLOAD\DOWNLOAD FLAWS 34 Wednesday, 21 November,

    12
  97. Softwar S cur FILE UPLOAD\DOWNLOAD FLAWS 34 Wednesday, 21 November,

    12
  98. Softwar S cur FILE UPLOAD\DOWNLOAD FLAWS 34 Wednesday, 21 November,

    12
  99. Softwar S cur FILE UPLOAD\DOWNLOAD FLAWS 34 An attacker can

    bypass validation control Wednesday, 21 November, 12
  100. Softwar S cur OWASP A5. CROSS-SITE REQUEST FORGERY 35 Manual

    Automatic Wednesday, 21 November, 12
  101. Softwar S cur A6. SECURITY MISCONFIGURATION • Start with Automation

    • Continue with Checklists 36 Manual Automatic • Error Pages • Secure & HTTPOnly Flags • Proper Authentication • Session Timeout • Cookies for Session Tracking Wednesday, 21 November, 12
  102. Softwar S cur OWASP A7. INSECURE CRYPTOGRAPHIC STORAGE • Use

    Automation to Find Crypto Modules • Examine Each Module. • Encrypting\Hashing the correct data • Using the proper algorithms • Proper key storage and management 37 Manual Automatic Wednesday, 21 November, 12
  103. Softwar S cur ENCRYPTION FLAWS 38 Wednesday, 21 November, 12

  104. Softwar S cur ENCRYPTION FLAWS 38 Wednesday, 21 November, 12

  105. Softwar S cur ENCRYPTION FLAWS 38 There is a possibility

    of returning empty hashes on error Wednesday, 21 November, 12
  106. Softwar S cur OWASP • Unprotected Modules • Unprotected Pages

    • Unprotected Static Files A8. FAILURE TO RESTRICT URL ACCESS 39 Manual Automatic Wednesday, 21 November, 12
  107. Softwar S cur OWASP • Unprotected Modules • Unprotected Pages

    • Unprotected Static Files A8. FAILURE TO RESTRICT URL ACCESS 39 Manual Automatic https://vulnerable.com/admin Wednesday, 21 November, 12
  108. Softwar S cur OWASP • Unprotected Modules • Unprotected Pages

    • Unprotected Static Files A8. FAILURE TO RESTRICT URL ACCESS 39 Manual Automatic https://vulnerable.com/admin https://vulnerable.com/addUser.jsp Wednesday, 21 November, 12
  109. Softwar S cur OWASP • Unprotected Modules • Unprotected Pages

    • Unprotected Static Files A8. FAILURE TO RESTRICT URL ACCESS 39 Manual Automatic https://vulnerable.com/admin https://vulnerable.com/addUser.jsp https://vulnerable.com/files/bill001.pdf Wednesday, 21 November, 12
  110. Softwar S cur OWASP A9. INSUFFICIENT TRANSPORT LAYER PROTECTION •

    SSL Enforcement Controls • Algorithm Used • Validate Certificates 40 Manual Automatic Wednesday, 21 November, 12
  111. Softwar S cur OWASP A10. UNVALIDATED REDIRECTS AND FORWARDS 41

    Manual Automatic • Scripts that redirects users to a file or a server • Internal site search result pages • Tracking clicks for affiliate programs • Proxy sites • Login\Logout Pages Wednesday, 21 November, 12
  112. Softwar S cur OWASP A10. UNVALIDATED REDIRECTS AND FORWARDS 41

    Manual Automatic • Scripts that redirects users to a file or a server • Internal site search result pages • Tracking clicks for affiliate programs • Proxy sites • Login\Logout Pages victim.com/redirect.jsp?url= Wednesday, 21 November, 12
  113. Softwar S cur OWASP A10. UNVALIDATED REDIRECTS AND FORWARDS 41

    Manual Automatic • Scripts that redirects users to a file or a server • Internal site search result pages • Tracking clicks for affiliate programs • Proxy sites • Login\Logout Pages victim.com/redirect.jsp?url= victim.com/search?q=search&url= Wednesday, 21 November, 12
  114. Softwar S cur OWASP A10. UNVALIDATED REDIRECTS AND FORWARDS 41

    Manual Automatic • Scripts that redirects users to a file or a server • Internal site search result pages • Tracking clicks for affiliate programs • Proxy sites • Login\Logout Pages victim.com/redirect.jsp?url= victim.com/search?q=search&url= victim.com/track?code=12345&url= Wednesday, 21 November, 12
  115. Softwar S cur OWASP A10. UNVALIDATED REDIRECTS AND FORWARDS 41

    Manual Automatic • Scripts that redirects users to a file or a server • Internal site search result pages • Tracking clicks for affiliate programs • Proxy sites • Login\Logout Pages victim.com/redirect.jsp?url= victim.com/search?q=search&url= victim.com/track?code=12345&url= proxy.victim.com/?url= Wednesday, 21 November, 12
  116. Softwar S cur OWASP A10. UNVALIDATED REDIRECTS AND FORWARDS 41

    Manual Automatic • Scripts that redirects users to a file or a server • Internal site search result pages • Tracking clicks for affiliate programs • Proxy sites • Login\Logout Pages victim.com/redirect.jsp?url= victim.com/search?q=search&url= victim.com/track?code=12345&url= proxy.victim.com/?url= victim.com/login?url= Wednesday, 21 November, 12
  117. Softwar S cur OWASP FULL APPLICATION SECURITY CODE REVIEW PROCESS

    42 Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Wednesday, 21 November, 12
  118. Softwar S cur OWASP TAILOR YOUR TOOLS! 43 Wednesday, 21

    November, 12
  119. Softwar S cur OWASP DEMO Manual Review Confirmation Proof-of-Concept 44

    Wednesday, 21 November, 12
  120. CHECKLISTS Softwar S cur 45 Reconnaissance! Threat Assessment! Automation! Manual

    Review! Confirmation & PoC! Reporting! Checklist! Tools! Security Skills! Wednesday, 21 November, 12
  121. Softwar S cur OWASP USAGE OF CHECKLISTS • Aviation: led

    the modern airplanes evolution after Major Hill’s famous 1934 incident • ICU: usage of checklists brought down infection rates in Michigan by 66% 46 Wednesday, 21 November, 12
  122. Softwar S cur OWASP SECURITY CODE REVIEW CHECKLIST • Data

    Validation and Encoding Controls • Encryption Controls • Authentication and Authorization Controls • Session Management • Exception Handling • Auditing and Logging • Security Configurations 47 Wednesday, 21 November, 12
  123. Softwar S cur OWASP RESOURCES TO CONDUCT YOUR CHECKLIST •

    NIST Checklist Project - http://checklists.nist.gov/ • Mozilla’s Secure Coding QA Checklist - https://wiki.mozilla.org/ WebAppSec/Secure_Coding_QA_Checklist • Oracle’s Secure Coding Checklist - http://www.oracle.com/ technetwork/java/seccodeguide-139067.html 48 Wednesday, 21 November, 12
  124. REPORTING Softwar S cur 49 Reconnaissance! Threat Modeling! Automation! Manual

    Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Wednesday, 21 November, 12
  125. Softwar S cur REPORTING • Weakness Metadata • Thorough Description

    • Recommendation • Assign Appropriate Priority SQL Injection: Location: \source\ACMEPortal\updateinfo.aspx.cs: Description: The code below is build dynamic sql statement using unvalidated data (i.e. name) which can lead to SQL Injection 51 SqlDataAdapter myCommand = new SqlDataAdapter( 52 "SELECT au_lname, au_fname FROM author WHERE au_id = '" + 53 SSN.Text + "'", myConnection); Priority: High Recommendation: Use paramaterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en-us/library/ ff648339.aspx for details. Owner: John Smith 50 Wednesday, 21 November, 12
  126. Softwar S cur OWASP APPLICATION SECURITY CODE REVIEW PROCESS 51

    Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Wednesday, 21 November, 12
  127. QUESTIONS? SHERIF.KOUSSA@OWASP.COM SHERIF@SOFTWARESECURED.COM Softwar S cur 52 Wednesday, 21 November,

    12
  128. Softwar S cur OWASP REFERENCES • http://googlewebmastercentral.blogspot.ca/2009/01/open- redirect-urls-is-your-site-being.html • http://www.veracode.com/security/insecure-crypto

    53 Wednesday, 21 November, 12