The OWASP 2010 Top 10
Jason Montgomery, CISSP
OWASP Cincinnati, Aug 30, 2011
Slide 2
Cyber Security Engineering Team, AEP
Author / Technical Editor: Professional K2 blackpearl (Wiley Press, 2009), Professional C#, Beginning C#, etc.
SANS Institute (sans.org): DEV 532: Essential Secure Coding in ASP.NET; DEV 544: Secure Coding in .NET: Developing Defensible Applications
GIAC GSSP.NET Steering Committee
Developer / Sys Admin
2011 Jason Montgomery
Slide 3
"Code is Law" - Lawrence Lessig
Slide 4
Slide 5: Who's Vulnerable?
"When first tested, more than half of all applications fail to meet acceptable security quality, and more than 8 out of 10 web applications fail OWASP Top 10." Veracode State of Software Security Report, 2011, http://info.veracode.com/rs/veracode/images/soss-v3.pdf
Window of Exposure
Source: WhiteHat Website Security Statistics Report, Winter 2011, http://www.whitehatsec.com/home/resource/stats.html
Figure 1. 2010 at a Glance, Sorted by Industry: the average number of serious* vulnerabilities per website, the percentage of reported vulnerabilities that have been resolved (Remediation Rate), and the average length of time that a website is exposed to at least one serious vulnerability (Window of Exposure).
Slide 8
What are some challenges to Secure Applications?
Slide 9: Challenges to App Sec
Business (features) drives development, not security (non-functional requirements).
Slide 10: Market Forces
"Don't Worry, Be Crappy" - Guy Kawasaki
Slide 11: Knowledge Gap
"Our developers are pretty smart. I'm sure they've got it covered."
"Our developers do amazing things. I'm sure they already understand these issues."
"We haven't been hacked yet."
Slide 12: Constraints
"We don't have the time."
"It's too expensive."
"We don't have anyone here with the expertise."
Slide 13: No Process to Incorporate Security
No security in the Software Development Lifecycle
Rely on black box or white box scanning
Only fix what's found
Little or no assurance
Slide 14
"6 Billion Crash Test Dummies" - David Rice, Geekonomics: The Real Cost of Insecure Software
Slide 15: Software and Security
Common Weakness Enumeration (CWE)
"Top x" lists:
OWASP Top 10 2010: The 10 Most Critical Web Application Security Risks, http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE/SANS Top 25 Most Dangerous Software Errors, http://cwe.mitre.org/top25/ and http://www.sans.org/top25-software-errors/
Slide 16: Software and Security
Why are these important?
Raise awareness / education
Industry-accepted mitigation techniques
Collaboration: define common terms and a common language for describing issues
Makes security measurable
Helps prioritize
Slide 17: Secure vs. Defensible
Software bugs vs. flaws: CWE defines ~658 software weaknesses; 356 can be introduced during design and 578 can be introduced during implementation (the two groups overlap).
100% security? Goal: secure or defensible?
Slide 18: Add Security to the Development Lifecycle
The Building Security In Maturity Model (BSIMM2)
Software Assurance Maturity Model (SAMM), OWASP
Microsoft SDLC
Slide 19: OWASP Top 10 - 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Slide 20: A2: Cross-Site Scripting (XSS)
"The software does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users." CWE-79
Slide 21: CWE Taxonomy of XSS
CWE-20: Improper Input Validation (Category)
CWE-74: Injection (Class)
CWE-79: Cross-Site Scripting (Base)
CWE-80: Basic XSS (Variant)
CWE-81: Improper Sanitization of Script in an Error Message Web Page (Variant)
CWE-83: Improper Neutralization of Script in Attributes in a Web Page (Variant)
CWE-84: Failure to Resolve Encoded URI Schemes in a Web Page (Variant)
CWE-85: Doubled Character XSS Manipulations (Variant)
CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages (Variant)
CWE-87: Failure to Sanitize Alternate XSS Syntax (Variant)
Slide 22: Cross-Site Scripting Types
Stored XSS: persisted to a data store, embedded into the DOM server-side
Reflected XSS: reflected from the client into the DOM by the server
DOM-based XSS: reflected through the URL back to the client, embedded into the DOM by JavaScript
Slides 23-24: Reflected XSS Example
URL:
http://site.com/Error.aspx?msg=%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E
Error.aspx code: echoes the msg parameter into the page without encoding it.
Output HTML:
The following error occurred: <script>alert('xss');</script>
Slide 25: Context Matters
Web output contexts: HTML entities, HTML attributes, JavaScript, URL, CSS / style
Slide 26: XSS Injection Points
HTML element content
HTML attribute (breaking out of a quoted value with "> or " src=... />)
HTML comments (breaking out with -->)
Slide 27: XSS Injection Points Cont.
JavaScript variables / data, e.g.:
function Redirect() { document.location = '[user input]'; }
Styles: attributes / CSS files
URL, e.g. <a href="[user input]">link</a>
Slide 28: Real XSS Examples
Source: http://sla.ckers.org/forum/read.php?3,44,632
http://www.ninjaproxy.com/cgiproxy/nph-proxy.pl/010110A/" alert('boo')
http://h20000.www2.hp.com/bizsupport/TechSupport/ProdSearch.jsp?lang=en&cc=us&taskId=135&prod=%22%3E%3CSCRIPT%3Ealert(%22kefka%20was%20here%22)%3C/SCRIPT%3E
http://www.jlist.com/SEARCH/%3Cbody_onload=alert('XSS')%3E/1/
http://photobucket.com/feedback.php?action=contact&email=asdf&subject=&feedback=%3C/textarea%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&send=Send
http://accessories.us.dell.com/sna/category.aspx?k=%22%3e%3Cscript%3Ealert('XSS')%3C/script%3E&_nks=true&c=us&cs=19&l=en&s=dhs&x=0&y=0
http://www.pcworld.com/search/results?qt=%22onmouseover=%22alert('XSS')%22
Slide 29: XSS in the News
Facebook (Oct. 5th, 2010) - wormable
Twitter (Sept. 21st, 2010) - wormable
Slide 30: A1 / A2: Injection Defense in Depth
Constrain input through input validation.
Slide 31: A1 / A2: Injection Solution
Must encode special characters.
Slide 32: Injection: Ask Two Questions
At each boundary the web application crosses (inbound data from the client, outbound data to the client, outbound data to the info store, inbound data from the info store):
Should I consume? (inbound data)
Should I emit? (outbound data)
Slide 33: Injection Mitigation
Defense in depth:
Assume all input is malicious
(Re)use a vetted library
Enforce length checks
Enforce type checks
Validate input (whitelists / blacklists)
Escape / encode output: properly encode/escape data*
* Take care with regular expressions
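The inbound "should I consume?" decision from Slides 32 and 33 (type check, length check, anchored whitelist, and the regular-expression caveat), as an added JavaScript example that is not code from the slides; the parameter names, limits and rule shapes are my own assumptions.

```javascript
// Added example (not from the slides): validation rules for two query parameters.
// Names, limits and patterns are assumed for illustration.
const RULES = {
  // Anchored whitelist: the whole value must consist of allowed characters.
  msg:  { type: "string", maxLength: 200, pattern: /^[A-Za-z0-9 .,:_-]*$/ },
  page: { type: "int", min: 1, max: 10000 },
};

function validateParam(name, raw) {
  const rule = RULES[name];
  if (!rule) return { ok: false, reason: "unexpected parameter" };
  // Type check first: a repeated parameter may have been parsed into an array.
  if (typeof raw !== "string") return { ok: false, reason: "not a scalar" };
  if (rule.type === "int") {
    if (!/^-?[0-9]{1,9}$/.test(raw)) return { ok: false, reason: "not an integer" };
    const n = Number(raw);
    if (n < rule.min || n > rule.max) return { ok: false, reason: "out of range" };
    return { ok: true, value: n };
  }
  // Length check before the pattern so the regex never runs on oversized input.
  if (raw.length > rule.maxLength) return { ok: false, reason: "too long" };
  if (!rule.pattern.test(raw)) return { ok: false, reason: "disallowed characters" };
  return { ok: true, value: raw };
}

// "Take care with regular expressions": the same character class without ^ and $
// is only a substring test and accepts anything containing one allowed character.
const UNANCHORED = /[A-Za-z0-9 .,:_-]+/;
function looksSafeUnanchored(value) {
  return UNANCHORED.test(value);
}
```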
Slide 34: Cross-Site Scripting (XSS) Mitigation
Defense in depth:
Set a consistent encoding (+ADw-script+AD4- is <script> in UTF-7)
Encode using whitelists
Constrain input
Sanitize dangerous tags / attributes
Avoid allowing HTML input (if possible)
Prefer a lightweight markup language (e.g. BBCode) and convert it to presentation markup
Not always an option with WYSIWYG controls on sites
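The "prefer a lightweight markup language and convert it" bullet above, as an added JavaScript example that is not code from the slides: the whole input is HTML-encoded first, then only a whitelisted BBCode subset is turned back into fixed HTML. The supported tags, the URL rule and rel="nofollow" are my own choices.

```javascript
// Added example (not from the slides): accept a small BBCode subset instead of HTML.
// Step 1 encodes everything; step 2 converts only whitelisted markup back to HTML.
const NAMED = { "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;" };
function htmlEncode(value) {
  return String(value).replace(/[<>&"']/g, (ch) => NAMED[ch]);
}

// Only absolute http(s) URLs; javascript:, data: and relative URLs are rejected.
// The href is tested after encoding, so a raw quote or < cannot appear in it.
const SAFE_URL = /^https?:\/\/[A-Za-z0-9._~:/?#@!$*+,;=%&-]+$/;

function bbcodeToHtml(input) {
  let out = htmlEncode(input);
  out = out.replace(/\[b\]([\s\S]*?)\[\/b\]/g, "<strong>$1</strong>");
  out = out.replace(/\[i\]([\s\S]*?)\[\/i\]/g, "<em>$1</em>");
  // A [url=...] whose target fails SAFE_URL is left as the literal (encoded) text.
  out = out.replace(/\[url=([^\]\s]+)\]([\s\S]*?)\[\/url\]/g, (match, href, text) =>
    SAFE_URL.test(href) ? `<a href="${href}" rel="nofollow">${text}</a>` : match);
  return out;
}
```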
Slide 35: Microsoft Web Protection Library (WPL)
AKA AntiXSS 4.0
Whitelists: narrowly defines the allowable character sets and encodes everything else
Slide 36: WPL Cross-Site Scripting (XSS) Sanitation
"Sanitizer Class transforms and filters HTML of executable scripts. A safe list of tags and attributes are used to strip dangerous scripts from the HTML. HTML is also normalized where tags are properly closed and attributes are properly formatted." [1]
Sanitizer.GetSafeHtml(): sanitizes an entire HTML document.
Sanitizer.GetSafeHtmlFragment(): sanitizes a fragment of an HTML document.
Slide 37
UnicodeCharacterEncoder.MarkAsSafe(): configures the Encoder class with the valid ranges of Unicode. Choose the expected Lower, Lower Middle, Middle, Upper Middle, and Upper code chart codes.
Slide 38: WPL Encoder Class
Encoding static methods for the web:
Encoder.CssEncode()
Encoder.HtmlEncode()
Encoder.HtmlAttributeEncode()
Encoder.UrlEncode()
Encoder.HtmlFormEncode()
Encoder.JavaScriptEncode()
Encoder.VisualBasicScriptEncode()
Slide 39: XSS Injection Fixed
HTML element
HTML attribute
Slide 40: XSS Injection Fixed Cont.
JavaScript variables / data, e.g.:
function Redirect() { document.location = '[encoded user input]'; }
Styles: attributes / CSS files
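Context-specific output encoding of the kind the Encoder class (Slide 38) provides, applied to the reflected Error.aspx example (Slides 23-24) across the contexts of Slide 25, as an added JavaScript example that is neither code from the slides nor from WPL. Each encoder is a whitelist in the Slide 35 sense (everything outside a small safe set is encoded); the safe sets, function names and the page layout in renderErrorPage are my own assumptions.

```javascript
// Added example (not from the slides or WPL): whitelist encoders per output context.
// Everything outside the safe set is encoded in the form the target context parses.
function makeEncoder(safe, encodeChar) {
  return (value) =>
    Array.from(String(value), (ch) => (safe.test(ch) ? ch : encodeChar(ch))).join("");
}

const NAMED = { "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;" };
const entity = (ch) => NAMED[ch] || `&#${ch.codePointAt(0)};`;

// HTML element text: space and a little punctuation are harmless here (assumed safe set).
const htmlEncode = makeEncoder(/[A-Za-z0-9 .,_-]/, entity);
// Quoted HTML attribute value: space is not safe (it ends an unquoted attribute).
const htmlAttributeEncode = makeEncoder(/[A-Za-z0-9._-]/, entity);

// Inside a quoted JavaScript string literal: \xHH / \uHHHH escapes make quotes,
// backslashes and "</script>" inert whatever the surrounding quoting is.
const javaScriptEncode = makeEncoder(/[A-Za-z0-9 ,._-]/, (ch) => {
  const cp = ch.codePointAt(0);
  if (cp < 0x100) return "\\x" + cp.toString(16).padStart(2, "0");
  if (cp < 0x10000) return "\\u" + cp.toString(16).padStart(4, "0");
  return `\\u{${cp.toString(16)}}`;
});

// URL query value: percent-encode every UTF-8 byte outside the unreserved set.
function urlEncode(value) {
  return Array.from(new TextEncoder().encode(String(value)), (b) =>
    b < 0x80 && /[A-Za-z0-9._~-]/.test(String.fromCharCode(b))
      ? String.fromCharCode(b)
      : "%" + b.toString(16).toUpperCase().padStart(2, "0")).join("");
}

// CSS value: \HH escape; the trailing space ends the escape so a following digit is safe.
const cssEncode = makeEncoder(/[A-Za-z0-9]/, (ch) => `\\${ch.codePointAt(0).toString(16).toUpperCase()} `);

// The slides' Error.aspx case: the same msg parameter rendered into four contexts,
// each through the encoder for that context rather than one encoder for all.
function renderErrorPage(msg) {
  return [
    `<p>The following error occurred: ${htmlEncode(msg)}</p>`,
    `<input type="text" value="${htmlAttributeEncode(msg)}">`,
    `<script>var lastError = "${javaScriptEncode(msg)}";</script>`,
    `<a href="/Error.aspx?msg=${urlEncode(msg)}">retry</a>`,
  ].join("\n");
}

// Decoded form of the slides' msg= payload, used as constructed test input.
const PAYLOAD = "<script>alert('xss');</script>";
```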
Slide 41: ASP.NET 4.0 Encoding
Change default encoding
New abbreviated syntax
Slide 42: ASP.NET 4.0 Encoding
New abbreviated syntax: <%: expression %>*
* Does NOT completely encode for HTML attributes, JavaScript, VBScript, URL, or CSS.
MVC 3 Razor view engine: @variableToEncode
Default encoder blacklist: & ' " and the range 0x0a-0xFF
XSS Exploit Demo: BeEF (Browser Exploitation Framework)
Slide 45: Contact
Email: [email protected] (put OWASP in the subject)
LinkedIn: http://www.linkedin.com/in/jmonty
Twitter: http://www.twitter.com/j_monty, http://www.twitter.com/SANSecDotNet
Blog: http://www.securitythroughabsurdity.com