Roy Wattanasin @Boston Security Meetup July 21, 2011

Web Application Security Made Easy_06212012


Page 1: Web Application Security Made Easy_06212012

8/6/2019 Web Application Security Made Easy_06212012

http://slidepdf.com/reader/full/web-application-security-made-easy06212012 1/29

Roy Wattanasin

@Boston Security Meetup

July 21, 2011

Page 2: Web Application Security Made Easy_06212012


Disclaimer

You do not hold the presenter liable and accept full responsibility for your actions.

You will use these tools in an ethical, professional and legal manner and RTFM.

You will always get permission before running any of these tools on the network.

The presentation does not endorse or approve and assumes no responsibility for the content, accuracy or completeness of the information presented.

This presentation does not represent the opinions of any of the organizations that I have worked for.

Page 3: Web Application Security Made Easy_06212012


Overview

How Do Breaches Occur?

Attack Patterns are growing

What are the underlying problems?

What is web application security?

OWASP Top 10

Toolz & Recommendations

Resources

Final Words

Page 4: Web Application Security Made Easy_06212012


How Do Breaches Occur?

Source: Verizon 2011 DBIR

Page 5: Web Application Security Made Easy_06212012


Attack Patterns are growing

Source: Verizon 2011 DBIR

Page 6: Web Application Security Made Easy_06212012


What are the underlying problems?

The majority of web applications are insecure

The web (HTTP) was not designed to be secure

Security was “bolted-on” rather than “built-in”

Page 7: Web Application Security Made Easy_06212012


Web Applications are still a problem

Source: Verizon 2011 DBIR

“79% of breached records are web application attacks” as stated in the 2009 Data Breach Investigations Report conducted by the Verizon Business Risk Team.

“30% of the 57 attacks were carried out by SQL injection” from the 2008 Web Hacking Incidents Database Annual Report conducted by Breach Security.

Page 8: Web Application Security Made Easy_06212012


Web Applications are still a problem

Source: Lulz Security

Page 9: Web Application Security Made Easy_06212012


What is web application security?

Securing “anything” that drives the web application

Writing defensive code

Look at our applications from an attacker’s mindset and perspective

What flaws would they be aware of?

Page 10: Web Application Security Made Easy_06212012


Source: OWASP

Page 11: Web Application Security Made Easy_06212012


Page 12: Web Application Security Made Easy_06212012


Source: OWASP

Page 13: Web Application Security Made Easy_06212012


Source: OWASP

What is the risk?

Page 14: Web Application Security Made Easy_06212012


OWASP Top 10

Page 15: Web Application Security Made Easy_06212012


Injection: protect with whitelisting, escaping special characters and a safe API

= SQL Injection

Source: OWASP
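The slide's three defences side by side, as an added example that is not from the deck: a lookup that splices untrusted input into SQL text, the same lookup with the value bound through the driver's safe API, and a whitelist check applied before the query. The in-memory SQLite table is constructed here for the demonstration.

```python
import re
import sqlite3

# Constructed sample user store standing in for the application's database.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?)",
                  [("alice", "alice@example.org"), ("bob", "bob@example.org")])


def unsafe_lookup(name):
    """Vulnerable form: the untrusted value becomes part of the SQL statement,
    so a quote in the input changes the query's logic instead of being data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in _conn.execute(sql)]


def safe_lookup(name):
    """Hardened form (safe API): the driver binds the value as a parameter, so
    whatever it contains is compared as a string and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in _conn.execute(sql, (name,))]


# Whitelist: the only shape a user name is allowed to have (an assumption for
# this example; real rules come from the application's own data model).
NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def is_whitelisted(name):
    """True only if the input matches the allowed alphabet and length."""
    return NAME_RE.match(name) is not None


def validated_lookup(name):
    """Whitelist first, then the parameterised query: two independent layers."""
    if not is_whitelisted(name):
        raise ValueError("name rejected by whitelist")
    return safe_lookup(name)
```

Running `unsafe_lookup` and `safe_lookup` on the same quote-bearing input shows the difference: the first returns every row, the second returns none.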

Page 16: Web Application Security Made Easy_06212012


Cross Site Scripting (XSS): protect by escaping all untrusted data and whitelist input validation

= Session Hijacking

Source: OWASP
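An added example (not from the slides) of the two XSS defences the slide names: escaping untrusted data for the HTML context it lands in (attribute versus element body), plus a whitelist on input. It also parses the rendered markup back to confirm the untrusted strings stayed data rather than becoming tags; the comment markup and the author-name rule are assumptions for the demonstration.

```python
import html
import re
from html.parser import HTMLParser


def escape_for_html_body(value):
    """Untrusted text placed between tags: &, < and > become entities."""
    return html.escape(value, quote=False)


def escape_for_attribute(value):
    """Untrusted text inside a quoted attribute: quotes must be escaped too,
    otherwise the value could close the attribute and start a new one."""
    return html.escape(value, quote=True)


def render_comment(author, body):
    """Builds the markup with each untrusted value escaped for its own context."""
    return '<div class="comment" data-author="%s"><p>%s</p></div>' % (
        escape_for_attribute(author), escape_for_html_body(body))


# Whitelist for the author field (assumed rule): validation on input, while
# output escaping above is still applied regardless.
AUTHOR_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def author_is_valid(author):
    return AUTHOR_RE.match(author) is not None


class _Reader(HTMLParser):
    """Collects tags, attributes and text from rendered markup for checking."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs, self.text = [], {}, []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.update(attrs)

    def handle_data(self, data):
        self.text.append(data)


def untrusted_stayed_data(author, body):
    """True if a browser-style parse of the rendered comment sees only our own
    two tags and gets the untrusted strings back unchanged as attribute and text."""
    reader = _Reader()
    reader.feed(render_comment(author, body))
    reader.close()
    return (reader.tags == ["div", "p"]
            and reader.attrs.get("data-author") == author
            and "".join(reader.text) == body)
```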

Page 17: Web Application Security Made Easy_06212012


Broken Authentication & Session Mgmt.: protect with a single set of strong authentication and session management controls

= You’re 0wned

Source: OWASP

Page 18: Web Application Security Made Easy_06212012


Insecure Direct Object References: protect by using per user or session indirect object references; review access from each untrusted source to include access control

Source: OWASP

= Access any account
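An added example, not from the deck, of the per-session indirect reference map the slide recommends: the browser only ever receives a random handle, the real record id stays on the server, and the handler still re-checks access control when the handle comes back. The account table and the user-to-account mapping are constructed for the demonstration.

```python
import secrets


class IndirectReferenceMap:
    """Per-session map between random opaque handles and real object ids.

    A handle is meaningless outside the session that issued it, so a handle
    copied from one user's page resolves to nothing in another user's session.
    """

    def __init__(self):
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}

    def get_indirect(self, direct_id):
        """Returns the handle for a real id, minting one on first use."""
        if direct_id not in self._direct_to_indirect:
            handle = secrets.token_urlsafe(16)
            self._direct_to_indirect[direct_id] = handle
            self._indirect_to_direct[handle] = direct_id
        return self._direct_to_indirect[direct_id]

    def get_direct(self, indirect_id):
        """Resolves a handle; unknown (forged or foreign) handles give None."""
        return self._indirect_to_direct.get(indirect_id)


# Constructed sample: the accounts each user is entitled to see, as the
# access-control layer would report them.
ACCOUNTS_BY_USER = {"alice": [1001, 1002], "bob": [2001]}


def build_session_map(user):
    """Creates the session's map, issuing a handle for each permitted account."""
    session_map = IndirectReferenceMap()
    for account in ACCOUNTS_BY_USER[user]:
        session_map.get_indirect(account)
    return session_map


def load_account(session_map, handle, user):
    """Resolves the handle from the request and then re-checks access control,
    as the slide says: trust neither the handle nor the map alone."""
    account = session_map.get_direct(handle)
    if account is None or account not in ACCOUNTS_BY_USER[user]:
        return None
    return account
```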

Page 19: Web Application Security Made Easy_06212012


Cross-Site Request Forgery (CSRF): protect with a token that is, at minimum, unique per user session, but can also be unique per request

= Change requests and redirect

Source: OWASP
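The slide's anti-CSRF token as an added example (not the deck's code): a random token stored server-side per session, optionally single-use per request, verified in constant time before a state-changing handler runs. The session ids, form dictionary and the `handle_change_email` handler are constructed for the demonstration.

```python
import hmac
import secrets


class CsrfTokens:
    """Server-side anti-CSRF tokens: one per session by default, or one per
    request when per_request=True (each token is then accepted only once)."""

    def __init__(self, per_request=False):
        self.per_request = per_request
        self._tokens = {}  # session_id -> set of currently valid tokens

    def issue(self, session_id):
        """Returns the token to embed in the form (e.g. as a hidden field)."""
        if not self.per_request and self._tokens.get(session_id):
            return next(iter(self._tokens[session_id]))
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, set()).add(token)
        return token

    def verify(self, session_id, submitted):
        """True only if the submitted token belongs to this session. Comparison
        is constant-time; in per-request mode the token is consumed."""
        submitted_bytes = (submitted or "").encode("utf-8")
        for token in list(self._tokens.get(session_id, ())):
            if hmac.compare_digest(token.encode("utf-8"), submitted_bytes):
                if self.per_request:
                    self._tokens[session_id].discard(token)
                return True
        return False


def handle_change_email(tokens, session_id, form):
    """Constructed state-changing handler: returns an HTTP status, refusing the
    change unless the form carries a valid token for the caller's session."""
    if not tokens.verify(session_id, form.get("csrf_token")):
        return 403
    return 200
```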

Page 20: Web Application Security Made Easy_06212012


Insecure Cryptographic Storage: protect using encryption, hashed passwords, strong algorithms, physical security of keys, etc.

Source: OWASP

= Clear data to be shared
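The "hashed passwords, strong algorithms" point as an added example that is not from the slides: salted PBKDF2-HMAC-SHA256 storage with a tunable work factor and constant-time verification, plus a small review helper that flags the shape of a bare, unsalted MD5 digest. The storage format string and iteration count are assumptions for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt per user means two users with the same password get
    different stored values and precomputed tables are useless."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recomputes the hash with the stored salt and iteration count and compares
    in constant time. Malformed or foreign-format values simply fail."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def is_unsalted_md5(stored):
    """Review helper: a 32-hex-digit value has the shape of a bare MD5 digest,
    i.e. no salt and no work factor, which is what a storage audit should flag."""
    value = stored.lower()
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)
```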

Page 21: Web Application Security Made Easy_06212012


Security Misconfiguration: protect with a hardening process

= Open / unknown access

Source: OWASP

Page 22: Web Application Security Made Easy_06212012


Restrict URL Access: protect with enforced role-based policies

= Access private pages

Source: OWASP

Page 23: Web Application Security Made Easy_06212012


Insufficient Transport Layer Protection: protect with SSL and secure flags

= Insecure browsing and sniffing 

Source: OWASP
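An added example (not from the deck) of the "secure flags" side of this slide: a session cookie emitted with the Secure and HttpOnly flags, and a reviewer's check over captured response headers that lists missing cookie flags. It goes one step beyond the slide by also checking for an HSTS header, which keeps the browser on TLS; the sample headers are constructed.

```python
def session_cookie_header(name, value, max_age=3600):
    """Set-Cookie value with the flags the slide calls for: Secure (sent only
    over SSL/TLS) and HttpOnly (not readable from script). SameSite and a short
    Max-Age are added here as further hardening."""
    return "%s=%s; Max-Age=%d; Path=/; Secure; HttpOnly; SameSite=Lax" % (
        name, value, max_age)


def missing_cookie_flags(set_cookie_value):
    """Returns the protective flags absent from a Set-Cookie value. Attribute
    names are case-insensitive, so they are lower-cased before comparison."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


def hsts_max_age(headers):
    """max-age from a Strict-Transport-Security header, or 0 if absent."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            for directive in value.split(";"):
                key, _, val = directive.strip().partition("=")
                if key.lower() == "max-age" and val.isdigit():
                    return int(val)
    return 0


def review_response(headers):
    """Findings a reviewer would raise for a response's headers (empty = clean)."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            for flag in missing_cookie_flags(value):
                findings.append("cookie %s lacks %s" % (cookie_name, flag))
    if hsts_max_age(headers) == 0:
        findings.append("no HSTS")
    return findings


# Constructed sample responses: one hardened, one as often found in the wild.
HARDENED = [("Set-Cookie", session_cookie_header("SESSIONID", "c0nstructed")),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
WEAK = [("Set-Cookie", "SESSIONID=c0nstructed; Path=/")]
```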

Page 24: Web Application Security Made Easy_06212012


Unvalidated redirects & forwards: protect by avoiding the use of redirects and forwards

= Phishing, bogus and MITM

Source: OWASP

Page 25: Web Application Security Made Easy_06212012


Toolz

Burp suite

Nikto

Paros Proxy

WebScarab

Whisker/libwhisker

Wikto

Firesheep

Blacksheep

Page 26: Web Application Security Made Easy_06212012


Recommendations

Establish common security controls and schedules

Code Reviews

Testing: white box, black box, automated and penetration testing

Education: educate and train again

Software Development Lifecycle (SDLC)

Page 27: Web Application Security Made Easy_06212012


Resources

About OWASP

https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project

https://www.owasp.org/index.php/Main_Page

OWASP WebGoat Project

https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Recommended books

Chase, Scott. Thompson, Herbert. The Software Vulnerability Guide. Charles River Media, Inc., 2005.

Dhanjani, Rios & Hardin. Hacking: The Next Generation. O’Reilly, 2009.

McGraw, Gary. Software Security: Building Security In. Addison-Wesley, 2006.

Thompson, Herbert. Whittaker, James. How to Break Software Security. Addison-Wesley, 2003.

Nagappan, Ramesh. Lai, Ray. Steel, Christopher. Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management. Prentice Hall, 2006.

Page 28: Web Application Security Made Easy_06212012


References

Brandeis University Graduate Professional Studies (GPS) http://www.brandeis.edu/gps/

Brandeis University Graduate Health Medical Informatics Program http://www.brandeis.edu/gps/programscourses/programs/hmi.html

Brandeis University Graduate Information Assurance Program http://www.brandeis.edu/gps/programscourses/programs/ias.html

OWASP Top 10 Application Security Risks https://www.owasp.org/index.php/Top_10_2010-Main

Threat Risk Modeling https://www.owasp.org/index.php/Threat_Risk_Modeling

Verizon 2011 DBIR http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

Page 29: Web Application Security Made Easy_06212012


Final Words

websecr at gmail dot com

twitter: wr0

Thank you!