Page 1: Web application sec_3

Web Application Attacks & Countermeasures

Page 2

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. Its guides, testing tools and awareness documents are free and open source.

The OWASP Top 10 lists the most critical web application security risks, ranked by how common and how damaging they are. The list used in this deck is the 2013 edition; later editions rename, merge and reorder several entries, so check the current edition before using the list as a checklist.

Page 3

OWASP Top 10 Web Application Security Risks (2013 edition)

A1 Injection

A2 Broken Authentication and Session Management

A3 Cross-Site Scripting (XSS)

A4 Insecure Direct Object References

A5 Security Misconfiguration

A6 Sensitive Data Exposure

A7 Missing Function Level Access Control

A8 Cross-Site Request Forgery (CSRF)

A9 Using Components with Known Vulnerabilities

A10 Unvalidated Redirects and Forwards

Page 4

Injection Flaws

Injection flaws, such as SQL and command injection, occur when untrusted data taken from user input is sent to an interpreter as part of a command or query. The attacker's data changes the structure of the command, so the interpreter executes something the developer never intended. Types of injection flaws:

• Command injection targets the underlying operating system of the web server. Example: a password field whose value is passed to a shell contains "somepassword; rm -rf /", and the shell runs "rm -rf /" as a second command.

• Code injection targets the application or the user's web browser. Example: <script>alert("you are hacked");</script> submitted in a field that is later rendered as HTML (the browser case is cross-site scripting, covered later in this deck).

• SQL injection targets the backend database of the web application. Example: the input ' OR '1'='1' -- in a name field turns the lookup into SELECT * FROM users WHERE name = '' OR '1'='1' -- ', whose WHERE clause is always true, so every row is returned.

Page 5

Do rigorous input data validation

Do the validation on the server side; client-side checks are a usability aid only, since the attacker controls the client and can bypass them

Each parameter should be checked against a whitelist that specifies exactly what input will be allowed; reject everything else rather than trying to enumerate bad input, because blacklists are routinely bypassed with alternate encodings

Validation limits the attack surface but is not a substitute for the interpreter's safe API: parameterized queries for SQL, and argument lists instead of a shell command string for OS commands

Validation Criteria

Data type (string, integer, real, etc…)

Allowed character set or numeric range

Minimum and maximum length

Whether null is allowed

Whether duplicates are allowed
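An added example (not from the slides) putting Page 4's SQL injection and Page 5's whitelist criteria together in Python: the slide's payload against a string-concatenated query, the same payload against a parameterized query, and a validator implementing the type, character set, length and null checks. The table, the sample rows and the username policy are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample database (not from the slides): an in-memory SQLite table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # The slide's flaw: the input is glued into the SQL text, so it can change
    # the query's structure. The payload  ' OR '1'='1' --  turns a lookup of one
    # user into a query whose WHERE clause is always true; the -- comments out
    # the closing quote the code appends.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Parameter binding: the driver sends the value separately from the SQL text,
    # so the same payload is just a (non-matching) string, never SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Whitelist validation along the slide's criteria: data type, character set,
# minimum/maximum length, and whether null is allowed. The policy itself
# (lowercase letters, digits, underscore, 3 to 16 characters) is an assumption.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")

def validate_username(value):
    if value is None:
        raise ValueError("username is required")                 # null not allowed
    if not isinstance(value, str):
        raise ValueError("username must be a string")            # data type
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username: 3-16 chars of a-z, 0-9, _")  # charset + length
    return value

def lookup_hardened(conn, name):
    # Defence in depth: validate first, then still use a parameterized query.
    return lookup_safe(conn, validate_username(name))

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1' -- "
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row comes back
    print("safe:      ", lookup_safe(db, payload))         # no such user
    try:
        lookup_hardened(db, payload)
    except ValueError as e:
        print("rejected:  ", e)
```

The validator alone would also have stopped this payload, but only because the policy happens to forbid quotes; a free-text field such as a comment cannot be whitelisted that tightly, which is why the parameterized query is the control that must always be present.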

Page 6

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities.

Commonly flawed credential management functions include password change, forgot-my-password, account update and related functions. Other typical findings are session tokens exposed in URLs, tokens that are not rotated at login or invalidated at logout, and passwords stored in plaintext or as unsalted hashes.

Typical Impact

User accounts compromised or user sessions hijacked

Page 7

Password strength: enforce a minimum length and reject passwords that appear on common-password lists

Password use: limit and log failed login attempts, and return the same error whether the username or the password was wrong

Password change controls: require the current password before accepting a new one, and notify the user of the change out of band

Password storage: store only salted, deliberately slow hashes (PBKDF2, bcrypt, scrypt or Argon2), never plaintext, reversible encryption or unsalted fast hashes such as MD5 or SHA-1

Browser caching: send Cache-Control: no-store on authenticated pages and disable autocomplete on credential fields

Re-authentication for critical functions: ask for the password again before changing the email address, password or payment details
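An added example (not from the slides) covering the storage and session items above in Python: salted PBKDF2-HMAC-SHA256 password hashing with constant-time verification, an unsalted MD5 function kept only to show the anti-pattern, and a server-side session store that issues a fresh random token at login and drops it at logout. The iteration count and the stored record format are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor: tune so one hash costs roughly 100 ms on the login servers.
ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)                    # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak matching bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def hash_password_weak(password):
    # Anti-pattern for contrast only: unsalted fast hash. Identical passwords
    # produce identical hashes (rainbow tables work) and MD5 is cheap to brute force.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def new_session_token():
    # 32 bytes from the OS CSPRNG, URL-safe base64: 43 characters, unguessable.
    return secrets.token_urlsafe(32)

class SessionStore:
    """Minimal server-side session table: new token at every login, gone at logout."""
    def __init__(self):
        self._sessions = {}

    def login(self, username, password, stored_hash):
        if not verify_password(password, stored_hash):
            return None
        token = new_session_token()           # never reuse a pre-login token
        self._sessions[token] = username
        return token

    def user_for(self, token):
        return self._sessions.get(token)

    def logout(self, token):
        self._sessions.pop(token, None)       # invalidate server side, not just the cookie
```

The token should travel only in a cookie flagged Secure and HttpOnly, never in a URL, which is how it would end up in proxy logs and Referer headers.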

Page 8

Cross-Site Scripting attacks are a type of injection problem in which malicious scripts are injected into otherwise benign and trusted web sites.

The attack tricks the browser into executing code: because the script arrives as part of the site's page, the browser runs it with that site's origin. As a result the malicious script can access any cookies, session tokens or other sensitive information the browser holds for that site, and can alter anything on the page. Stored XSS keeps the payload on the server (for example in a comment); reflected XSS echoes it back from a request parameter.

Typical Impact

Steal sensitive data, rewrite web page, redirect user to phishing or malware site

Page 9

Use HTML encoding for data written into an HTML body or attribute

<script>XSS example</script> gets encoded as &lt;script&gt;XSS example&lt;/script&gt; (inside attributes, also encode the quote characters, otherwise the data can close the attribute and add an event handler)

Use URL encoding for data written into a URL or query string

<script>XSS example</script> gets encoded as %3Cscript%3EXSS%20example%3C%2Fscript%3E

Match the encoding to the output context: HTML encoding does not protect data placed inside a <script> block or a CSS property, and URL encoding does not protect an HTML body

Filter input for special characters as a secondary measure; output encoding is the primary defence, because the same stored value may later be rendered in several contexts

Use tools such as XSS Me for Firefox or XSS Rays for Chrome to test your website for XSS vulnerabilities
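An added example (not from the slides) in Python showing the two encodings above applied by output context, using the slide's sample payload: html.escape for the HTML body and for attributes (quotes included), urllib.parse.quote for a URL query component, and a small assumed template that renders the same untrusted value in all three places, next to an unencoded version for contrast.

```python
import html
from urllib.parse import quote

PAYLOAD = "<script>XSS example</script>"   # the slide's sample input

def encode_for_html_body(value):
    # Escapes & < > so the browser treats the data as text, not markup.
    return html.escape(value, quote=False)

def encode_for_html_attribute(value):
    # Inside a quoted attribute the quotes must be encoded too, otherwise
    #   " onmouseover="alert(1)
    # closes the value and adds an event handler.
    return html.escape(value, quote=True)

def encode_for_url_component(value):
    # Percent-encode everything except unreserved characters. safe="" also
    # encodes "/", which quote() would otherwise leave alone.
    return quote(value, safe="")

def render_profile(display_name, website):
    """Assumed template: one untrusted value lands in three contexts, each encoded for its place."""
    return (
        f"<p>Hello, {encode_for_html_body(display_name)}</p>\n"
        f'<input name="display_name" value="{encode_for_html_attribute(display_name)}">\n'
        f'<a href="/go?u={encode_for_url_component(website)}">site</a>'
    )

def render_profile_vulnerable(display_name, website):
    # For contrast: no encoding, so the payload executes in every viewer's browser.
    return (
        f"<p>Hello, {display_name}</p>\n"
        f'<input name="display_name" value="{display_name}">\n'
        f'<a href="/go?u={website}">site</a>'
    )
```

URL encoding makes data safe as a query parameter value; it does not make an attacker-supplied URL safe to use as the whole href, which is the separate problem covered under unvalidated redirects later in this deck.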

Page 10

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record or key, as a URL or form parameter.

An attacker can manipulate direct object references to access other users' records without authorization, for example by changing acct=1001 to acct=1002 in a URL when the application never checks that the account belongs to the logged-in user.

Typical Impact

Sensitive information disclosure

Page 11

Avoid exposing private object references (database keys, file names, internal IDs) to users whenever possible

Minimize users' ability to predict object IDs/names, but treat unpredictability as defence in depth, not as authorization

Verify the user's authorization every time a sensitive object, file or content item is accessed, not only when the list of items is first displayed

Use an indirect reference map to create an alternative ID/name for each server-side object so that the real ID/name is never exposed; resolve the alternative ID on the server, per user or per session, and reject anything not in the map

Page 12

Some common server configuration problems that can undermine the security of a site include:

Unpatched security flaws in the server software

Improper file and directory permissions

Unnecessary services enabled, including content management and remote administration

Default accounts with default passwords

Overly informative error messages

Typical Impact

Server or application compromise

Page 13

Configuring all security mechanisms explicitly instead of relying on the defaults

Turning off all unused services, sample applications and administrative interfaces

Setting up roles, permissions, and accounts, including disabling all default accounts or changing their passwords

Enabling logging and alerts, and turning detailed error messages off in production

Applying the latest security patches (OS, DBMS, web server and code libraries)

Running the same repeatable hardening process for development, test and production so the environments are configured identically

Regular vulnerability scanning from both internal and external perspectives

Page 14

Sensitive data like passwords and credit card information deserves extra protection: encryption at rest, TLS in transit, and salted slow hashing for passwords.

Common problems leading to sensitive data exposure:

Not encrypting sensitive data

Insecure use of strong algorithms (for example AES in ECB mode, a reused IV or nonce, or a key hard-coded in the source)

Continued use of proven weak algorithms (MD5, SHA-1, DES, RC4)

Improper key management (keys stored beside the data they protect, never rotated, or shared across environments)

Typical Impact

Sensitive information disclosure

Page 15

Ensure that critical data is encrypted everywhere it is stored long term, including backups of this data, and protected by TLS whenever it crosses the network

Use strong, standard encryption algorithms in an authenticated mode, and hash passwords with a salted, slow password hash rather than encrypting them

Generate strong random keys and put proper key management in place: keys stored separately from the data, access-controlled, and rotated

Do not store sensitive data you do not need; data that is not retained cannot be exposed

Page 16

Access control is the mechanism that authorizes each request to a system resource or function, deciding whether it should be granted or denied. Missing function level access control means the server hides a function in the UI but does not re-check the caller's rights when the function is actually requested.

Attacks on access control can be

Vertical: a user reaches functions reserved for a higher privilege level, such as a normal user calling an administration URL directly

Horizontal: a user reaches other users' data at the same privilege level, such as another customer's invoice

Typical Impact

Elevation of privileges and disclosure of confidential data

Page 17

Implement role-based access control to assign permissions to application users for vertical access control, and enforce it on the server for every request, not only in the navigation menu

Implement data-contextual access control to assign permissions to application users in the context of specific data items for horizontal access control

Where possible restrict administrator access to machines located on the local area network (i.e. it's best to avoid remote administrator access from public-facing access points)
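An added example (not from the slides) in Python combining Page 11's indirect reference map with Page 17's two kinds of access control: a role table for the vertical check, an ownership check on the record for the horizontal check, and per-user opaque tokens that stand in for database keys. The invoice records, role names and permission strings are constructed for the demonstration.

```python
import secrets

class AccessDenied(Exception):
    pass

# Constructed sample data (not from the slides): invoices keyed by real database id.
INVOICES = {
    101: {"owner": "alice", "amount": 40},
    102: {"owner": "bob",   "amount": 75},
}

# Vertical control: what each role may do (assumed role model).
ROLE_PERMISSIONS = {
    "user":  {"invoice:read"},
    "admin": {"invoice:read", "invoice:delete"},
}

class User:
    def __init__(self, name, role):
        self.name = name
        self.role = role
        self.ref_map = {}   # per-user indirect reference map: opaque token -> real id

def require_permission(user, permission):
    """Vertical (role-based) check: may this role use this function at all?"""
    if permission not in ROLE_PERMISSIONS.get(user.role, set()):
        raise AccessDenied(f"{user.name} ({user.role}) may not {permission}")

def require_owner(user, record):
    """Horizontal (data-contextual) check: may this user touch this particular record?"""
    if user.role != "admin" and record["owner"] != user.name:
        raise AccessDenied(f"{user.name} does not own this record")

def issue_reference(user, real_id):
    """Hand the client an unguessable token instead of the database key."""
    token = secrets.token_urlsafe(16)
    user.ref_map[token] = real_id
    return token

def resolve_reference(user, token):
    # Tokens not in this user's map (including another user's) resolve to nothing.
    real_id = user.ref_map.get(token)
    if real_id is None:
        raise AccessDenied("unknown object reference")
    return real_id

def read_invoice(user, token):
    require_permission(user, "invoice:read")
    record = INVOICES[resolve_reference(user, token)]
    require_owner(user, record)        # checked on every access, not only when listing
    return record

def read_invoice_by_id(user, real_id):
    # The slide's direct object reference: the client supplied the real id.
    # Safe only because the owner check runs here, every time. Not-found and
    # forbidden give the same error so ids cannot be enumerated.
    require_permission(user, "invoice:read")
    record = INVOICES.get(real_id)
    if record is None:
        raise AccessDenied("no such record")
    require_owner(user, record)
    return record

def delete_invoice(user, token):
    require_permission(user, "invoice:delete")
    real_id = resolve_reference(user, token)
    require_owner(user, INVOICES[real_id])
    return INVOICES.pop(real_id)
```

The two checks are deliberately separate functions: the role check answers "may this kind of user call this endpoint", the owner check answers "may this user touch this row", and an endpoint that performs only the first is exactly the horizontal flaw the slides describe.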

Page 18

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim's browser into sending a request the victim did not intend, for example by loading a page that contains an image tag or an auto-submitting form aimed at the vulnerable site. Because the browser attaches the victim's cookies automatically, the site treats the forged request as the victim's own.

For example, using CSRF, an attacker makes the victim perform actions that they didn't intend to, such as logging out, purchasing an item, changing account information, or any other function provided by the vulnerable website.

Typical Impact

Attackers can make the victim's browser perform any state-changing function of the web application to which the user is currently authenticated

Page 19

• Secret (non-predictable) validation token: tied to the user's session, included in every state-changing request as a hidden field or custom header, and compared on the server; a page on another site cannot read it

• Referer header validation (the HTTP header is spelled Referer): accept only your own origin, and decide explicitly how to treat requests where the browser omitted the header

• User re-authentication for account-related tasks (password change)

• Use of two-factor authentication for sensitive tasks (online payment)

• Modern browsers also honour the SameSite cookie attribute, which stops the session cookie being sent on cross-site requests; it is a useful additional layer alongside the token
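An added example (not from the slides) in Python of the first two countermeasures as a server would implement them: a per-session secret token embedded in the form and compared in constant time when the POST arrives, plus a Referer origin check. The origin, the form field names and the request shape are assumptions; the requests and headers used to exercise it are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://mytrustedsite.com"   # assumed origin of the protected application

class CsrfError(Exception):
    pass

def issue_csrf_token(session):
    """Create a per-session secret once and return it for embedding in forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def render_form(session):
    # The token rides in a hidden field. A page on another site cannot read it,
    # because the same-origin policy stops that page from reading our responses.
    return ('<form method="post" action="/change-email">'
            f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session)}">'
            '<input name="email"><button>Save</button></form>')

def check_referer(headers):
    referer = headers.get("Referer")
    if referer is None:
        # Browsers sometimes omit the header; for account changes we choose to reject.
        raise CsrfError("missing Referer header")
    parts = urlsplit(referer)
    if f"{parts.scheme}://{parts.netloc}".lower() != SITE_ORIGIN:
        raise CsrfError(f"cross-site Referer: {referer}")

def handle_change_email(session, form, headers):
    """Server side of the state-changing POST: both checks pass before anything changes."""
    expected = session.get("csrf_token", "").encode("utf-8")
    supplied = form.get("csrf_token", "").encode("utf-8")
    # Constant-time comparison; a session without a token never matches anything.
    if not expected or not hmac.compare_digest(expected, supplied):
        raise CsrfError("missing or invalid CSRF token")
    check_referer(headers)
    return f"email changed to {form['email']}"
```

The attacker's page can make the victim's browser send the POST with the victim's cookies, but it cannot supply the hidden field's value, so the token check fails before the Referer is even looked at; the Referer check catches the case where a token has leaked.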

Page 20

Components such as libraries, frameworks and other software modules almost always run with the full privileges of the application. A version with a known vulnerability can be identified and exploited by attackers via automated tools and public vulnerability databases, and working exploits for popular components are often published.

Typical Impact

The full range of weaknesses is possible, including injection, broken access control, XSS, etc.

Page 21

Identify the components and their versions you are using, including all transitive dependencies (e.g., with a dependency-listing tool such as the Maven versions plugin)

Monitor the security of these components in public databases, project mailing lists and security mailing lists, keep them up to date, and pin exact versions so that what you audited is what you deploy
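An added example (not from the slides) of the inventory step in Python: parse pip-style exact version pins, flag lines whose version cannot be determined, and match the pinned versions against a list of affected version ranges. The package names, versions and advisory identifiers are fictional placeholders constructed for the demonstration, not real vulnerabilities.

```python
import re

# Constructed advisory list (fictional packages, not real CVEs):
# package -> [(first_vulnerable, first_fixed, advisory_id), ...]
ADVISORIES = {
    "examplelib":    [((1, 0, 0), (1, 4, 2), "EXAMPLE-2013-001")],
    "demoframework": [((2, 0, 0), (2, 1, 0), "EXAMPLE-2013-002"),
                      ((3, 0, 0), (3, 0, 5), "EXAMPLE-2013-003")],
}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def parse_requirements(text):
    """Read 'name==version' pins; report comments/blanks skipped and unpinned lines separately."""
    pinned, unpinned = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = parse_version(m.group(2))
        else:
            unpinned.append(line)   # cannot be audited: no exact version known
    return pinned, unpinned

def find_vulnerable(pinned, advisories=ADVISORIES):
    """Return (name, version, advisory, first_fixed) for every pin inside an affected range."""
    findings = []
    for name, version in pinned.items():
        for first_bad, first_fixed, advisory in advisories.get(name, []):
            if first_bad <= version < first_fixed:
                findings.append((name, ".".join(map(str, version)), advisory,
                                 ".".join(map(str, first_fixed))))
    return findings

# Constructed requirements file for the demonstration.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
examplelib==1.3.0
demoframework==3.0.5
otherlib==0.9.1
somehttp>=2.0      # unpinned: version unknown at audit time
"""
```

Unpinned entries are reported rather than silently skipped, because a range specifier means the deployed version is decided at install time and the audit result cannot be trusted for it.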

Page 22

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that causes it to redirect the request to a URL contained within that untrusted input, or to forward it to an internal page chosen by the attacker.

Typical Impact

Redirect victim to phishing or malware site or bypass security checks to perform unauthorized function or data access

Malicious redirection example: http://mytrustedsite.com/Redirect.aspx?Url=http://myuntrustedsite.com sends a user who trusts mytrustedsite.com to the attacker's site.

Page 23

Simply avoid using redirects and forwards where you can; if a destination parameter is unavoidable, do not let it carry a URL but a key that the server maps to the real target

Spider the site to see if it generates any redirects (check for 3xx HTTP response codes) and, for each one, whether the target is derived from a request parameter

All input must be validated against a whitelist of acceptable values; for redirect targets, accept only relative paths on your own site or hosts on an explicit allow list, and remember that protocol-relative URLs such as //myuntrustedsite.com also begin with a slash
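An added example (not from the slides) in Python of both approaches above: a key-to-URL map, and a validator for a Url parameter that resolves the value against the site's own origin, allows only http(s) targets on an allow-listed host, and returns a rebuilt canonical URL instead of echoing the raw parameter. The allowed hosts and the key map are assumptions; the slide's example URL is among the inputs exercised.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumptions: the application is served from mytrustedsite.com (the host in
# the slide's example) and may also redirect to its www alias.
SITE_ORIGIN = "https://mytrustedsite.com/"
ALLOWED_HOSTS = {"mytrustedsite.com", "www.mytrustedsite.com"}
DEFAULT_TARGET = "/"

# Preferred design: the parameter carries a key, never a URL (assumed key map).
REDIRECT_MAP = {"home": "/", "billing": "/account/billing", "orders": "/orders"}

def redirect_by_key(key):
    return REDIRECT_MAP.get(key, DEFAULT_TARGET)

def safe_redirect_target(url_param):
    """Validate a Url= parameter; return a canonical target on an allowed host, else the default."""
    if not url_param or not url_param.strip():
        return DEFAULT_TARGET
    candidate = url_param.strip()
    if "\\" in candidate:
        # Some browsers treat a backslash like a slash ("/\evil.example" acts as
        # "//evil.example"); urlsplit does not, so refuse rather than guess.
        return DEFAULT_TARGET
    # Resolve relative paths against our own origin. This also defuses
    # "///evil.example", which urlsplit reads as a path but a browser would read
    # as a host: after joining, it is a path on our own site.
    parts = urlsplit(urljoin(SITE_ORIGIN, candidate))
    if parts.scheme not in ("http", "https"):     # rejects javascript:, data:, ...
        return DEFAULT_TARGET
    try:
        host, port = (parts.hostname or "").lower(), parts.port
    except ValueError:                            # malformed port
        return DEFAULT_TARGET
    if host not in ALLOWED_HOSTS:                 # also catches user@host and host.evil.example
        return DEFAULT_TARGET
    # Rebuild from parsed parts: drops userinfo and fragments and never echoes
    # the raw parameter back to the client.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))
```

Returning the rebuilt URL rather than the original string is the point of the last step: several of the bypasses below are strings that Python and a browser parse differently, and the rebuilt form removes that ambiguity.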
