Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP – an Introduction
Simon Bennetts, OWASP chapter and project lead, [email protected]
Manchester Linux Users Group, February 2011
What is OWASP?
Open Web Application Security Project
Promotes secure software development
Oriented to the delivery of web oriented services
Focused primarily on "back-end" rather than web-design issues
An open forum for discussion
A free resource for any development team
What is OWASP?
Open Web Application Security Project
Non-profit, volunteer driven organization
All members are volunteers
All work is donated by sponsors
Provide free resources to the community
Software, Publications, Articles, Standards
Testing and Training Software
Local Chapters & Mailing Lists
Supported through sponsorships
Corporate support through financial or project sponsorship
Personal sponsorships from members
OWASP Top Ten
Category: Detection
Type: Documentation
Status: Release quality
An awareness document that describes the top ten most common web application security risks
OWASP Developers Guide
Category: Protection
Type: Documentation
Status: Release quality
Guidance on building security in to web applications and web services
OWASP Code Review Guide
Category: Detection
Type: Documentation
Status: Release quality
Best practices for reviewing source code for application defects
OWASP Testing Guide
Category: Detection
Type: Documentation
Status: Release quality
Application security tests and testing methodology
OWASP AntiSamy
Category: Protection
Type: Tool
Status: Release quality
API (available in Java and .NET) for validating rich HTML/CSS input from users to prevent exposure to cross-site scripting and phishing attacks
OWASP Enterprise Security API
Category: Protection
Type: Tool
Status: Release quality
A collection of security methods needed to build secure web applications (Java EE, .NET, classic ASP, PHP, ColdFusion, Python, JavaScript, Objective C, Force.com, Ruby, Swingset)
OWASP ModSecurity Core Rule Set
Category: Protection
Type: Tool
Status: Release quality
A set of critical protections against attacks, applicable to almost every web architecture, for the ModSecurity web application firewall module for the Apache web server
OWASP WebScarab
Category: Detection
Type: Tool
Status: Release quality
HTTP intercepting proxy and tool for performing security testing on web applications
OWASP JBroFuzz
Category: Detection
Type: Tool
Status: Release quality
A web application protocol fuzzer for requests being made over HTTP and/or HTTPS
OWASP WebGoat
Category: Life cycle
Type: Tool
Status: Release quality
A deliberately insecure J2EE web application designed to provide web application security lessons
OWASP AppSensor project
Category: Protection
Type: Documentation (& Tool)
Status: Beta
A framework for detecting and responding to attacks from within the application – application layer intrusion detection and prevention
OWASP Zed Attack Proxy
Category: Detection
Type: Tool
Status: Beta
HTTP intercepting proxy / penetration testing tool for developers and functional testers
OWASP AppSec Tutorial Series
What else is there?
Scores of other projects
Common numbering scheme
Wiki
Cheat sheet series
Codes of Conduct
Committees
Collaborative activities
Podcast and newsletter
Mailing lists
Local chapters
The OWASP top 10
A1: Injection. Especially SQL: ' OR 1=1 --
A2: Cross-Site Scripting (XSS). Injecting HTML / JavaScript: <script>alert('XSS!');</script>
A3: Broken Authentication and Session Management. A multitude of sins, including session hijacking
A4: Insecure Direct Object References. Not checking that the user is allowed to access the specified object, e.g. https://www.mybank.com/AccDetails?acc=12345678
A5: Cross-Site Request Forgery (CSRF). Performing an action on a GET request, like https://www.mybank.com/Transfer?dest=bad.hacker&amount=100000, which any page can trigger with <img src="https://www.mybank.com/Transfer?..." height="0" width="0"/>
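A1 and A2 side by side, as an added example that is not part of the original slides: the slide's ' OR 1=1 -- and <script> inputs are run first against a query built by string concatenation and raw HTML output, then against a parameterised query and HTML-encoded output. The in-memory SQLite table, the user name and the password are constructed for the example.

```python
import html
import sqlite3


# Constructed in-memory user table so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


# A1, vulnerable: the query is assembled by string concatenation, so the
# slide's ' OR 1=1 -- input rewrites the WHERE clause and comments out the
# password check.
def login_vulnerable(conn, name, password):
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


# A1, fixed: a parameterised query keeps data and SQL separate; the same
# input is compared as a literal user name and matches nothing.
def login_safe(conn, name, password):
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] > 0


# A2, vulnerable: untrusted input is copied straight into the page, so a
# <script> element in the name runs in the viewer's browser.
def greet_vulnerable(name):
    return "<p>Hello " + name + "</p>"


# A2, fixed: HTML-encode untrusted data for the context it is written into
# (here, element content), so the browser renders the tags as text.
def greet_safe(name):
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    payload = "' OR 1=1 --"
    print("concatenated query, wrong password:", login_vulnerable(make_db(), payload, "x"))
    print("parameterised query, wrong password:", login_safe(make_db(), payload, "x"))
    print(greet_safe("<script>alert('XSS!');</script>"))
```

Encoding is context-dependent: element content, attribute values, URLs and JavaScript strings each need their own encoder, which is what a templating engine with auto-escaping (or ESAPI's encoder API) provides. Where users must be allowed to submit rich HTML, encoding is not enough and a sanitiser such as AntiSamy is the right tool.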
The OWASP top 10
A6: Security Misconfiguration. Out of date software, default passwords, detailed error messages, …
A7: Insecure Cryptographic Storage. E.g. storing passwords hashed with DES (hello Gawker!)
A8: Failure to Restrict URL Access. E.g. hoping https://example.com/admin won't be found
A9: Insufficient Transport Layer Protection. http:// instead of https://
A10: Unvalidated Redirects and Forwards. http://www.example.com/redirect.jsp?url=evil.com, http://www.example.com/boring.jsp?fwd=admin.jsp
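The server-side checks behind A4, A5, A7 and A10 from both top-10 slides, as an added example that is not part of the original slides: an ownership check for the AccDetails?acc= object reference, a POST-plus-token rule for the Transfer request, salted iterated password hashing in place of a fast unsalted digest, and an allow-list for the redirect.jsp?url= and boring.jsp?fwd= destinations. The account store, the Session class, the allow-lists and all user and URL values are constructed for the example and belong to no real application.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse


# Constructed account store: account number -> owner and balance.
def make_accounts():
    return {
        "12345678": {"owner": "alice", "balance": 500},
        "87654321": {"owner": "bob", "balance": 20},
    }


class Session:
    """Hypothetical server-side session: the logged-in user plus a CSRF token."""

    def __init__(self, user):
        self.user = user
        # Per-session random secret; a page on another site cannot read it.
        self.csrf_token = secrets.token_hex(16)


# A4, vulnerable: /AccDetails?acc=12345678 returns whichever account the
# parameter names, regardless of who is logged in.
def account_balance_vulnerable(session, accounts, acc):
    return accounts[acc]["balance"]


# A4, fixed: resolve the object, then check that the current user owns it.
def account_balance_safe(session, accounts, acc):
    account = accounts.get(acc)
    if account is None or account["owner"] != session.user:
        return None  # deny; same answer as "not found" so nothing extra leaks
    return account["balance"]


# A5, vulnerable: a GET such as /Transfer?dest=...&amount=... moves money,
# so a zero-sized <img> on any page the victim views can trigger it.
def transfer_vulnerable(session, accounts, method, params):
    accounts[params["src"]]["balance"] -= int(params["amount"])
    return True


# A5, fixed: state changes only on POST, and only with the session's token
# (compared in constant time), so a forged cross-site request is refused.
def transfer_safe(session, accounts, method, params):
    if method != "POST":
        return False
    if not hmac.compare_digest(params.get("csrf_token", ""), session.csrf_token):
        return False
    src = accounts.get(params.get("src"))
    if src is None or src["owner"] != session.user:
        return False  # the A4 ownership check applies here as well
    amount = int(params.get("amount", 0))
    if amount <= 0 or amount > src["balance"]:
        return False
    src["balance"] -= amount
    return True


# A7: store passwords with a salted, iterated hash rather than a fast
# unsalted digest, so a leaked table cannot be cracked in bulk.
def hash_password(password, iterations=200_000):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# A10: redirect.jsp?url=... and boring.jsp?fwd=... may only send the browser
# to destinations the application itself approves of.
ALLOWED_REDIRECT_HOSTS = {"www.example.com"}  # constructed allow-list
ALLOWED_FORWARDS = {"home.jsp", "help.jsp"}    # constructed allow-list


def redirect_vulnerable(url):
    return url  # the Location header becomes whatever the user supplied


def redirect_safe(url):
    p = urlparse(url)
    # Site-relative path, excluding the protocol-relative //host and /\host forms.
    if (p.scheme == "" and p.netloc == "" and url.startswith("/")
            and url[1:2] not in ("/", "\\")):
        return url
    # Absolute URL: only over https and only to an approved host.
    if p.scheme == "https" and p.hostname in ALLOWED_REDIRECT_HOSTS:
        return url
    return "/"  # anything else lands on a safe default page


def forward_safe(page):
    return page if page in ALLOWED_FORWARDS else "home.jsp"
```

In a real application the token handling comes from the web framework rather than hand-written code, and SameSite cookies add a second layer against CSRF; for password storage a dedicated library (bcrypt, scrypt or Argon2) is preferable to PBKDF2 where one is available.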
Questions