Axa Assurance Maroc - Insurer Innovation Award 2024
Owasp Top 10 And Security Flaw Root Causes
1. Web Application Vulnerabilities and Security Flaws Root Causes: The OWASP Top 10 Cincinnati Chapter Meeting May 26 th , 2009 Marco Morana Cincinnati Chapter Lead
7. Mapping OWASP T10 To Web Architecture Phishing Privacy Violations S y s t e m- Data Distruction Financial Loss Reputation Loss I d e n t i t y Theft XSS, Weak authN-AuthZ (A4,A7,A10) Poor validation, business rule and weak authZ(A2,A4,A6,A7,A10) Weak Crypto (A8,A9) malicious file exec(A3) and AuthN-AuthZ (A4,A7,A10) Inject. Flaws (A2), remote file incl (A3) Obj Ref (A4), CSRF (A5),AuthN & SessM (A7), No URL Access Rest (A10) All T10
8.
9. Mapping Threats, Vulnerability Conditions and Countermeasures Using Threat Trees Source: OWASP Application Threat Modeling, https://www.owasp.org/index.php/Application_Threat_Modeling
13. A2: Injection Flaws-SQL Injection Identity Theft System Compromise, Data Alteration, Destruction SQLI SQLI NSAPI/ ISAPI filter, Custom Errors Filtering, DB API use Prepared Statements/Store Procedures DB Least Principle Privileges, Store Procedure errors SQLI OR ‘1’=’1—‘ aaa’; DROP TABLE Docs;--
14.
15. A3: Insecure Remote File Include Privacy Violations, System Compromise, Alteration, Destruction A3 A3 Cmd=%3B+mkdir+hackerDirectory No File uploads on the web server! File upload Filtering, File Type/Format Validations. AV, Segregation, Permissions A3 DB Privileges A3 No file uploads
16.
17. A4: Insecure Direct Object Reference Phishing, Privacy Violations, Financial Loss A4 A4 "../../../../etc/passwd%00" Hardened Web Root/Server Rely on server side-R B A C not URL params, Secure Shopping cart logic A4 No PK exposed as URL parameter http://www.shopcart?CartID http://www.abc.com?RoleID
18.
19. A5: Cross Site Request Forgery (CSRF) Privacy Violations, Financial Loss CSRF <img src="http://www.example.com/logout.php"> Re-issue session and cookies at POST CSRF Form Authentication Via Tokens (OTPs), Secondary Authentication, Default POST for sensitive transactions <form action="/transfer.do" method="post"> <input type="hidden" ACC#="8438927730" … </form>
20.
21. A6: Information Leakage and Improper Error Handling Privacy Violations A6 “ The password you entered was not recognized. Please enter it again A6 No stack traces to user errors Generic error validations [ SqlException (0x80131904): An error has occurred while establishing a connection to the server. A6 A6 Web.config custom errors=ON Set custom error Web pages, Clean Webroot No SQL exception errors in user’s error messages No transaction message error codes in user’s error messages
22.
23. A7: Broken Authentication Phishing, Privacy Violations, Financial Loss A7-BA A7-BA Autocomplete OFF, Strong AuthN/ Trusted AuthN SSO/tokens Cache Headers Set No Cache A7-BA A7-BA SSL Trusted User AuthN Mutual AuthN A7-BA SSL A7-BA User Trusted AuthN-SSO /Server to Server Mutual Authentication A7-BA SSL/JDBC-S Trusted User AuthN A7-BA Hash Pwds AUTHN Attacks: Guess PWD/secrets Credential Harvesting Brute Force PWD, MiTM, MITB, Caching, POST reply
24.
25.
26.
27.
28.
29. A9: Insecure Communication Identity Theft, Financial Loss A9 SSL/VPN A9 A9 JDBC/S Crypto Attacks Against Weak Cypto/Keys Unsecure Certs, Spoofing/Sniffing clear sensitive data in transit SSL Strong Ciphers/Min Standard Key Lengths SSL A9
49. Use and Abuse Cases From OWASP Security Testing Guide https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation
50. Understanding the Application: Data Flow Diagrams OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling