SlideShare una empresa de Scribd logo

OWASP TOP 10 by Team xbios

Vi Vek
Vi Vek

OWASP Top 10 vulnerabilities in 2013 and its avoiding techniques.

Tecnología
1 de 46
Descargar para leer sin conexión
By team Xbios
INJECTION flaws ‘ or 1 = 1 ’- -
Injection means… Tricking an application into including unintended commands in the data sent to an interpreter Interpreter Take strings and interpret them as commands Eg : SQL, OS Shell, LDAP, XPath, Hibernate, etc…
SQL Injection Example $username = $_POST[‘username’]; $password = $_POST[‘password’]; $query = “SELECT * FROM user WHERE username = ‘$username’ AND password = ‘$password’”; $user = $db->query($query);
Recommendations Avoid the interpreter entirely, or Use an interface that supports bind variables (e.g., prepared statements, or stored procedures), Encode all user input before passing it to the interpreter References For more details, read the new http://www.owasp.org/index.php/SQL_Injection_ Prevention_Cheat_Sheet
HTTP is a “stateless” protocol • SESSION ID used to track state since HTTP doesn’t and it is just as good as credentials to an attacker. • SESSION ID is typically exposed on the network, in browser, in logs, … Beware of side-doors Change my password, remember my password, forgot my password, secret question, logout, email address, etc…
Site uses URL rewriting (i.e., put session in URL) 3 2 Hacker uses JSESSIONID and takes over victim’s account 4 Bus. Functions E-Commerce Knowledge Mgmt Transactions Custom Code User clicks on a link to http://www.hacker.com in a forum Hacker checks referrer logs on www.hacker.com and finds user’s JSESSIONID 5 Communication www.boi.com?JSESSIONID=9FA1DB9EA... Administration User sends credentials Accounts 1 Finance Attack Illustration
Impacts User accounts compromised or user sessions hijacked Recommendations • Verify your architecture • Verify the implementation References Follow the guidance from http://www.owasp.org/index.php/Authentication_Cheat_Sheet
XSS <script> alert(”cross site scripting”); </script> ‘
Occurs any time… Raw data from attacker is sent to an innocent user’s browser Raw Data…. • Stored in database • Reflected from web input (form field, hidden field, URL, etc…) • Sent directly into rich JavaScript client
Impacts • Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites
Recommendations • Don’t include user supplied input in the output page • Defend Against the Flaw Primary Recommendation: Use OWASP’s ESAPI to output encode: • For large chunks of user supplied HTML, use OWASP’s AntiSamy References For how to output encode properly, read the new http://www.owasp.org/index.php/XSS_(Cross Site Scripting) Prevention Cheat Sheet
Insecure Direct Object References
Occurs when… • Developer exposes a reference to an internal implementation object. • Without an access control check or other protection, attackers can manipulate Impacts • Users are able to access unauthorized files or data
Insecure Direct Object References Illustrated https://www.onlinebank.com/user?acct=6065 • Attacker notices his acct parameter is 6065 ?acct=6065 • He modifies it to a nearby number ?acct=6066 • Attacker views the victim’s account information
Recommendations • Eliminate the direct object reference • Validate the direct object reference
Security Misconfiguration
Risks • Default settings can be insecure, and intended for development not production. • Attackers can use misconfigured software to gain knowledge and access. Impacts • XSS flaw exploits due to missing application framework patches. • Unauthorized access to default accounts, application functionality or data.
Recommendations • Know the tools you use, and configure them correctly. • Keep up to date on vulnerabilities in the tools you use. • Remove/disable any services/features you aren’t using.
Sensitive Data Exposure
Storing and transmitting sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data gets stored • Failure to properly protect this data in every location Impacts • Attackers access or modify confidential or private information • Attackers extract secrets to use in additional attacks • Expense of cleaning up the incident • Business gets sued and/or fined
1 Victim enters credit card number in form Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Insecure Cryptographic Storage Illustrated Custom Code 4 Log files Malicious insider steals 4 million credit card numbers Logs are accessible to all members of IT staff for debugging purposes Error handler logs CC details because merchant gateway is unavailable 3 2
Recommendations • • • • Verify your architecture Protect with appropriate mechanisms Use the mechanisms correctly Verify the implementation
Missing Function Level Access Control
Risks • Hidden things can easily be found. • Creative people will eventually find your hidden URLs Impacts • Attackers invoke functions and services they’re not authorized for • Access other user’s accounts and data • Perform privileged actions
Failure to Restrict URL Access Illustrated https://www.onlinebank.com/user/getAccounts • Attacker notices the URL indicates his role /user/getAccounts • He modifies it to another directory (role) /admin/getAccounts, or /manager/getAccounts • Attacker views more accounts than just their own
Recommendations • For each URL, a site needs to do 3 things • Verify your architecture • Verify the implementation
Cross Site Request Forgery
Risks • Evil websites can perform actions for users logged into your site. • Vulnerability is caused by browsers automatically including user authentication data with each request Impacts • Initiate transactions (transfer funds, logout user, close account) • Access sensitive data • Change account details
CSRF Illustrated While logged into vulnerable site, victim views attacker site Communication Knowledge Mgmt E-Commerce Bus. Functions 2 Administration Transactions Hidden <img> tag contains attack against vulnerable site Application with CSRF vulnerability Accounts Finance 1 Attacker sets the trap on some website on the internet (or simply via an e-mail) Custom Code 3 <img> tag loaded by browser – sends GET request (including credentials) to vulnerable site Vulnerable site sees legitimate request from victim and performs the action requested
Prevention • Add opaque expiring tokens to all forms. • Requests missing tokens or containing invalid tokens should be rejected.
Using Known Vulnerable Components
Vulnerable components are common The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise Impacts The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise
Preventing Known Vulnerable Components • One option is not to use components that you didn’t write. But that’s not very realistic. • Most component projects do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version. So upgrading to these new versions is critical.
Unvalidated Redirects and Forwards
Web application redirects are very common • And frequently include user supplied parameters in the destination URL • If they aren’t validated, attacker can send victim to a site of their choice Impacts • Redirect victim to phishing or malware site • Attacker’s request is forwarded past security checks, allowing unauthorized function or data access
Unvalidated Redirect Illustrated Attacker sends attack to victim via email or webpage Bus. Functions E-Commerce Communication Knowledge Mgmt Transactions Victim clicks link containing invalidated parameter Application redirects victim to attacker’s site Administration 2 3 Finance From: Internal Revenue Service Subject: Your Unclaimed Tax Refund Our records show you have an unclaimed federal tax refund. Please click here to initiate your claim. Accounts 1 Custom Code Request sent to vulnerable site, including attacker’s destination site as parameter. Redirect sends victim to attacker site http://www.irs.gov/taxrefund/claim.jsp?year=2006 & … &dest=www.evilsite.com Evil Site 4 Evil site installs malware on victim, or phish’s for private information
Avoiding Unvalidated Redirects and Forwards • Avoid using redirects and forwards as much as you can • If used, don’t involve user parameters in defining the target URL • If you ‘must’ involve user parameters, then either • Validate each parameter • Use server side mapping
How do you address these problems? • Develop Secure Code • Review Your Applications • Have an expert team review your applications • Review your applications yourselves following OWASP Guidelines
How do you address these problems? • Develop Secure Code • Review Your Applications
OWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbios

Recomendados

Vulnerabilities in Web Applications
Vulnerabilities in Web ApplicationsVulnerabilities in Web Applications
Vulnerabilities in Web ApplicationsVenkat Ramana Reddy Parine
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013n|u - The Open Security Community
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2robin_bene
 

Recomendados

Vulnerabilities in Web Applications
Vulnerabilities in Web ApplicationsVulnerabilities in Web Applications
Vulnerabilities in Web ApplicationsVenkat Ramana Reddy Parine
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013n|u - The Open Security Community
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2robin_bene
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLFn|u - The Open Security Community
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security RisksSperasoft
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Injection attacks
Injection attacksInjection attacks
Injection attacksAdamu Muhammad
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsKaran Nagrecha
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8Pavan M
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne
 
InsecureDirectObjectReferences
InsecureDirectObjectReferencesInsecureDirectObjectReferences
InsecureDirectObjectReferencesmacanazon
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmersrobin_bene
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 
ค่ายอาเซียน
ค่ายอาเซียนค่ายอาเซียน
ค่ายอาเซียนAonaon Krubpom
 
น้ำผึ้ง 4 10 เลขที่ 3
น้ำผึ้ง 4 10 เลขที่ 3น้ำผึ้ง 4 10 เลขที่ 3
น้ำผึ้ง 4 10 เลขที่ 3Yuan Yuan'
 

Más contenido relacionado

La actualidad más candente

The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security RisksSperasoft
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsKaran Nagrecha
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8Pavan M
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne
 
InsecureDirectObjectReferences
InsecureDirectObjectReferencesInsecureDirectObjectReferences
InsecureDirectObjectReferencesmacanazon
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmersrobin_bene
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 

La actualidad más candente (20)

The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing Checklist
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Injection attacks
Injection attacksInjection attacks
Injection attacks
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering Stage
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 
InsecureDirectObjectReferences
InsecureDirectObjectReferencesInsecureDirectObjectReferences
InsecureDirectObjectReferences
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmers
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injection
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and Forwards
 

Destacado

ค่ายอาเซียน
ค่ายอาเซียนค่ายอาเซียน
ค่ายอาเซียนAonaon Krubpom
 
น้ำผึ้ง 4 10 เลขที่ 3
น้ำผึ้ง 4 10 เลขที่ 3น้ำผึ้ง 4 10 เลขที่ 3
น้ำผึ้ง 4 10 เลขที่ 3Yuan Yuan'
 
หน่วยที่ 02
หน่วยที่ 02หน่วยที่ 02
หน่วยที่ 02Nuytoo Naruk
 
คู่มือการใช้งานระบบ Back office ของ seacon square draft1
คู่มือการใช้งานระบบ Back office ของ seacon square draft1คู่มือการใช้งานระบบ Back office ของ seacon square draft1
คู่มือการใช้งานระบบ Back office ของ seacon square draft1Somjet Sareerom
 
Surat lamaran kerja1
Surat lamaran kerja1Surat lamaran kerja1
Surat lamaran kerja1Siti Permana
 

Destacado (6)

ค่ายอาเซียน
ค่ายอาเซียนค่ายอาเซียน
ค่ายอาเซียน
 
น้ำผึ้ง 4 10 เลขที่ 3
น้ำผึ้ง 4 10 เลขที่ 3น้ำผึ้ง 4 10 เลขที่ 3
น้ำผึ้ง 4 10 เลขที่ 3
 
หน่วยที่ 02
หน่วยที่ 02หน่วยที่ 02
หน่วยที่ 02
 
คู่มือการใช้งานระบบ Back office ของ seacon square draft1
คู่มือการใช้งานระบบ Back office ของ seacon square draft1คู่มือการใช้งานระบบ Back office ของ seacon square draft1
คู่มือการใช้งานระบบ Back office ของ seacon square draft1
 
Surat lamaran kerja1
Surat lamaran kerja1Surat lamaran kerja1
Surat lamaran kerja1
 
Three IT Kingdoms
Three IT KingdomsThree IT Kingdoms
Three IT Kingdoms
 

Similar a OWASP TOP 10 by Team xbios

2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01G Prachi
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfnanangAris1
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Vishrut Sharma
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer
 
Detailed Developer Report.pdf
Detailed Developer Report.pdfDetailed Developer Report.pdf
Detailed Developer Report.pdfnalla14
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationowasp-pune
 
Watch How the Giants Fall
Watch How the Giants FallWatch How the Giants Fall
Watch How the Giants Falljtmelton
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 

Similar a OWASP TOP 10 by Team xbios (20)

2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdf
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdf
 
Detailed Developer Report.pdf
Detailed Developer Report.pdfDetailed Developer Report.pdf
Detailed Developer Report.pdf
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Watch How the Giants Fall
Watch How the Giants FallWatch How the Giants Fall
Watch How the Giants Fall
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_report
 
Security testing
Security testingSecurity testing
Security testing
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 

Último

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Último (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

OWASP TOP 10 by Team xbios

  • 2.
  • 3.
  • 4. INJECTION flaws ‘ or 1 = 1 ’- -
  • 5. Injection means… Tricking an application into including unintended commands in the data sent to an interpreter Interpreter Take strings and interpret them as commands Eg : SQL, OS Shell, LDAP, XPath, Hibernate, etc…
  • 6. SQL Injection Example $username = $_POST[‘username’]; $password = $_POST[‘password’]; $query = “SELECT * FROM user WHERE username = ‘$username’ AND password = ‘$password’”; $user = $db->query($query);
  • 7. Recommendations Avoid the interpreter entirely, or Use an interface that supports bind variables (e.g., prepared statements, or stored procedures), Encode all user input before passing it to the interpreter References For more details, read the new http://www.owasp.org/index.php/SQL_Injection_ Prevention_Cheat_Sheet
  • 8.
  • 9. HTTP is a “stateless” protocol • SESSION ID used to track state since HTTP doesn’t and it is just as good as credentials to an attacker. • SESSION ID is typically exposed on the network, in browser, in logs, … Beware of side-doors Change my password, remember my password, forgot my password, secret question, logout, email address, etc…
  • 10. Site uses URL rewriting (i.e., put session in URL) 3 2 Hacker uses JSESSIONID and takes over victim’s account 4 Bus. Functions E-Commerce Knowledge Mgmt Transactions Custom Code User clicks on a link to http://www.hacker.com in a forum Hacker checks referrer logs on www.hacker.com and finds user’s JSESSIONID 5 Communication www.boi.com?JSESSIONID=9FA1DB9EA... Administration User sends credentials Accounts 1 Finance Attack Illustration
  • 11. Impacts User accounts compromised or user sessions hijacked Recommendations • Verify your architecture • Verify the implementation References Follow the guidance from http://www.owasp.org/index.php/Authentication_Cheat_Sheet
  • 12. XSS <script> alert(”cross site scripting”); </script> ‘
  • 13. Occurs any time… Raw data from attacker is sent to an innocent user’s browser Raw Data…. • Stored in database • Reflected from web input (form field, hidden field, URL, etc…) • Sent directly into rich JavaScript client
  • 14. Impacts • Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites
  • 15. Recommendations • Don’t include user supplied input in the output page • Defend Against the Flaw Primary Recommendation: Use OWASP’s ESAPI to output encode: • For large chunks of user supplied HTML, use OWASP’s AntiSamy References For how to output encode properly, read the new http://www.owasp.org/index.php/XSS_(Cross Site Scripting) Prevention Cheat Sheet
  • 17. Occurs when… • Developer exposes a reference to an internal implementation object. • Without an access control check or other protection, attackers can manipulate Impacts • Users are able to access unauthorized files or data
  • 18. Insecure Direct Object References Illustrated https://www.onlinebank.com/user?acct=6065 • Attacker notices his acct parameter is 6065 ?acct=6065 • He modifies it to a nearby number ?acct=6066 • Attacker views the victim’s account information
  • 19. Recommendations • Eliminate the direct object reference • Validate the direct object reference
  • 21. Risks • Default settings can be insecure, and intended for development not production. • Attackers can use misconfigured software to gain knowledge and access. Impacts • XSS flaw exploits due to missing application framework patches. • Unauthorized access to default accounts, application functionality or data.
  • 22. Recommendations • Know the tools you use, and configure them correctly. • Keep up to date on vulnerabilities in the tools you use. • Remove/disable any services/features you aren’t using.
  • 24. Storing and transmitting sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data gets stored • Failure to properly protect this data in every location Impacts • Attackers access or modify confidential or private information • Attackers extract secrets to use in additional attacks • Expense of cleaning up the incident • Business gets sued and/or fined
  • 25. 1 Victim enters credit card number in form Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Insecure Cryptographic Storage Illustrated Custom Code 4 Log files Malicious insider steals 4 million credit card numbers Logs are accessible to all members of IT staff for debugging purposes Error handler logs CC details because merchant gateway is unavailable 3 2
  • 26. Recommendations • • • • Verify your architecture Protect with appropriate mechanisms Use the mechanisms correctly Verify the implementation
  • 28. Risks • Hidden things can easily be found. • Creative people will eventually find your hidden URLs Impacts • Attackers invoke functions and services they’re not authorized for • Access other user’s accounts and data • Perform privileged actions
  • 29. Failure to Restrict URL Access Illustrated https://www.onlinebank.com/user/getAccounts • Attacker notices the URL indicates his role /user/getAccounts • He modifies it to another directory (role) /admin/getAccounts, or /manager/getAccounts • Attacker views more accounts than just their own
  • 30. Recommendations • For each URL, a site needs to do 3 things • Verify your architecture • Verify the implementation
  • 32. Risks • Evil websites can perform actions for users logged into your site. • Vulnerability is caused by browsers automatically including user authentication data with each request Impacts • Initiate transactions (transfer funds, logout user, close account) • Access sensitive data • Change account details
  • 33. CSRF Illustrated While logged into vulnerable site, victim views attacker site Communication Knowledge Mgmt E-Commerce Bus. Functions 2 Administration Transactions Hidden <img> tag contains attack against vulnerable site Application with CSRF vulnerability Accounts Finance 1 Attacker sets the trap on some website on the internet (or simply via an e-mail) Custom Code 3 <img> tag loaded by browser – sends GET request (including credentials) to vulnerable site Vulnerable site sees legitimate request from victim and performs the action requested
  • 34. Prevention • Add opaque expiring tokens to all forms. • Requests missing tokens or containing invalid tokens should be rejected.
  • 36. Vulnerable components are common The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise Impacts The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise
  • 37. Preventing Known Vulnerable Components • One option is not to use components that you didn’t write. But that’s not very realistic. • Most component projects do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version. So upgrading to these new versions is critical.
  • 39. Web application redirects are very common • And frequently include user supplied parameters in the destination URL • If they aren’t validated, attacker can send victim to a site of their choice Impacts • Redirect victim to phishing or malware site • Attacker’s request is forwarded past security checks, allowing unauthorized function or data access
  • 40. Unvalidated Redirect Illustrated Attacker sends attack to victim via email or webpage Bus. Functions E-Commerce Communication Knowledge Mgmt Transactions Victim clicks link containing invalidated parameter Application redirects victim to attacker’s site Administration 2 3 Finance From: Internal Revenue Service Subject: Your Unclaimed Tax Refund Our records show you have an unclaimed federal tax refund. Please click here to initiate your claim. Accounts 1 Custom Code Request sent to vulnerable site, including attacker’s destination site as parameter. Redirect sends victim to attacker site http://www.irs.gov/taxrefund/claim.jsp?year=2006 & … &dest=www.evilsite.com Evil Site 4 Evil site installs malware on victim, or phish’s for private information
  • 41. Avoiding Unvalidated Redirects and Forwards • Avoid using redirects and forwards as much as you can • If used, don’t involve user parameters in defining the target URL • If you ‘must’ involve user parameters, then either • Validate each parameter • Use server side mapping
  • 42. How do you address these problems? • Develop Secure Code • Review Your Applications • Have an expert team review your applications • Review your applications yourselves following OWASP Guidelines
  • 43. How do you address these problems? • Develop Secure Code • Review Your Applications