
Application Security 1   Spring, 2009   © 2009 Stephen Wolff

OWASP Top Ten

Ten most critical WebApp security flaws. The top 2 are:
1. XSS – Cross Site Scripting: unvalidated data sent to a browser
2. Injection Flaws: user supplied data (unvalidated) sent to SQL

This is the consensus of security experts globally. Some of the best are right here in Central Texas!

http://www.youtube.com/watch?v=GsRbpshqqII


SQL Basic Terminology

SQL is a Relational Database Management System (RDBMS).
Table - rows that have the same attributes
Row - a collection of related information
Column - an attribute of an object, e.g., an Employee
Primary Key - unique for each row

Employee Table

Name  Emp#  Title  Mgr   Pay
Dick  101   Sales  Spot  $50
Jane  102   IT     Spot  $60
Spot  103   Exec   BoD   $100


SQL Basic Query Format

Select – From – Where

SELECT * FROM employee WHERE (emp# = 102)
(employee is the tablename; emp# = 102 is the condition)

This will return
  Jane 102 IT Spot $60
which can be used or printed.

SELECT * FROM employee WHERE (TRUE) will return all rows.


Other SQL Syntax

-- is the comment sequence used for documenting code. It causes the SQL interpreter to ignore all else that follows.

; ends one SQL statement and starts another.

' in matched sets is used to enclose a character string.


SQL Injection Tutorial (YouTube)

www.youtube.com/watch?v=z7eXjBvB2B4&feature=channel_page

Note: there are plenty of SQL Injection automated tools available, and of course, some are better than others.
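To connect the query-format and the comment/quote syntax slides above with the injection the tutorial demonstrates, here is an added example that is not part of the deck: it loads the deck's Employee Table into an in-memory SQLite database and shows the injectable string-built query beside the parameterized one. The table name employee and column emp# are the deck's; the function names are my own, and SQLite stands in for whatever RDBMS the deck assumes.

```python
import sqlite3

# The deck's Employee Table, loaded into an in-memory SQLite database.
# SQLite stands in for the unnamed RDBMS; its column name emp# must be
# double-quoted to be a legal identifier here.
EMPLOYEES = [
    ("Dick", 101, "Sales", "Spot", 50),
    ("Jane", 102, "IT", "Spot", 60),
    ("Spot", 103, "Exec", "BoD", 100),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE employee '
                 '(name TEXT, "emp#" INTEGER, title TEXT, mgr TEXT, pay INTEGER)')
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    return conn


def lookup_unsafe(conn, emp_input):
    """Injectable: the (unvalidated) user string is pasted into the SQL text,
    so quote, -- and ; characters in it are parsed as SQL, not as data."""
    sql = 'SELECT * FROM employee WHERE ("emp#" = ' + emp_input + ")"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, emp_input):
    """Hardened: validate the type, then bind the value as a parameter.
    A bound parameter is only ever compared as a value; it is never parsed,
    so it cannot add a condition or comment out the rest of the query."""
    try:
        emp_no = int(emp_input)
    except ValueError:
        return []  # reject anything that is not an employee number
    sql = 'SELECT * FROM employee WHERE ("emp#" = ?)'
    return conn.execute(sql, (emp_no,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Honest input: both versions return Jane's row.
    print(lookup_unsafe(db, "102"))
    print(lookup_safe(db, "102"))
    # Hostile input built from the deck's own pieces: a closing parenthesis,
    # an always-true condition (the deck's WHERE (TRUE)) and -- to discard
    # the rest. The unsafe query now returns every row; the safe one none.
    hostile = "102) OR (1=1) --"
    print(lookup_unsafe(db, hostile))
    print(lookup_safe(db, hostile))
```

Binding alone already stops the hostile string (it would be compared as a literal value and match nothing); the int() check is the input validation the deck's "unvalidated data" wording asks for.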


Simple XSS Tutorial (YouTube)

Stored and Reflected XSS are similar, but reflected doesn't require login credentials! Failure in both cases is due to no input or output sanitization.

Stored: www.youtube.com/watch?v=7M-R6U2i5iI&feature=related
Reflected: www.youtube.com/watch?v=V79Dp7i4LRM&feature=channel


Final Thoughts…

Why consider Application Security? It's the most current category of vulnerabilities and attacks, it is widespread, and it is devastating.
• Barriers to entry (code skilz) are high but coming down, i.e., more tools like MetaSploit
• On the Whitehat side: more teaching of secure coding practices, groups like OWASP
• More tools like MetaSploit, WebGoat
• Significant local expertise! Rsnake, Matt Tesauro, The Denim Group, others in OWASP