OWASP Bart ten Brinke

Owasp for dummies handouts


Page 1: Owasp for dummies handouts

OWASP

Bart ten Brinke

Page 2: Owasp for dummies handouts

The Open Web Application Security Project (OWASP)

• https://www.owasp.org/

• OWASP gathers statistics on internet attacks and uses these to compile its security Top 10.

Page 3: Owasp for dummies handouts

The CIA triangle: Confidentiality, Integrity and Availability, with Data in the middle.

“Doctor-specific patient records cannot be viewed by nurses, which means they are not as well informed as they could be.”

“Putting stuff on Wikipedia makes it very available, but not very confidential.”

“Wikipedia always has the latest news available, but how can you be sure that all the facts are checked?”

Page 4: Owasp for dummies handouts

• http://en.wikipedia.org/wiki/Information_security

• The safest door is one you can’t walk through at all.

• The nuances of the CIA triangle are lost in current media reports: something is either safe or unsafe.

Every solution is a compromise between Confidentiality, Integrity & Availability.

Page 5: Owasp for dummies handouts

[Figure: a scale running from Unsafe to Safe]

Page 6: Owasp for dummies handouts

During the design of the Dutch public transportation card (OV-chipkaart) the designers made the decision to use less secure RFID cards, because the savings on these cheap RFID cards were much higher than the loss of revenue to hackers.

This was not reflected by the media at all.

Page 7: Owasp for dummies handouts

OWASP Top 10

Page 8: Owasp for dummies handouts

1. SQL injection

Page 9: Owasp for dummies handouts

We have a website where you can log in using your username and password:

Username john

Password 1234

Page 10: Owasp for dummies handouts

The application checks these credentials with a database:

Username john

Password 1234

SELECT * FROM users WHERE username = "john" AND password = "1234"

Page 11: Owasp for dummies handouts

Give me all users with the name "john" and password "1234". If there is one, you will be logged in.

Username john

Password 1234

SELECT * FROM users WHERE username = "john" AND password = "1234"

Page 12: Owasp for dummies handouts

Username administrator

Password " OR 1="1

SELECT * FROM users WHERE username = "administrator" AND password = "" OR 1="1"

Page 13: Owasp for dummies handouts

SELECT * FROM users WHERE username = "administrator" AND password = "" OR 1="1"

Give me all users with the name "administrator" who have an empty password, OR where 1=1.

1=1 is always true, so you will be logged in as the administrator.
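The login check from pages 9 to 13, built both the vulnerable way and with bound parameters, as an added example that is not part of the original handout. It assumes an in-memory SQLite table constructed here; because SQLite compares the integer 1 and the text '1' as unequal, the payload uses the string form '1'='1' rather than the slide's 1="1", which works on MySQL.

```python
import sqlite3

# Constructed in-memory login table standing in for the slide's users database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("john", "1234"), ("administrator", "long-admin-password")])

# The slide's payload in single-quote form. SQLite treats 1='1' as false (integer
# versus text), so '1'='1' is used here; the structure of the attack is the same.
PAYLOAD = "' OR '1'='1"


def login_vulnerable(username, password):
    """Builds the query by pasting the input into the SQL text, like the slide's
    SELECT * FROM users WHERE username = "..." AND password = "...".
    A quote in the input ends the string literal, so the rest of the input is
    parsed as SQL and changes what the query asks for."""
    query = ("SELECT * FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(username, password):
    """Same check with bound parameters: the SQL text is fixed and the values
    travel separately, so the payload is only ever compared as a password."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    print(login_vulnerable("john", "1234"))               # True: real credentials
    print(login_vulnerable("administrator", PAYLOAD))     # True: no password needed
    print(login_parameterized("administrator", PAYLOAD))  # False: payload is just text
    print(login_parameterized("john", "1234"))            # True: real credentials still work
```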

Page 14: Owasp for dummies handouts

2. XSS - Cross site Scripting

Page 15: Owasp for dummies handouts

As an example we will be using a cat blog which has a guestbook where you can post messages.

Page 16: Owasp for dummies handouts

My weblog

Story about my cat

Comments: john: I have a cat just like that!

Name john

Comment I have a cat just like that!

Page 17: Owasp for dummies handouts

If the guestbook is poorly secured, it is possible to store other things than messages.

For example, you might be able to store JavaScript.

Because other people can read the guestbook, it is possible to abuse the cat blog to help you spread your JavaScript to other readers of the blog.

• Visitors can be redirected to another site.

• Visitors can be presented with a popup containing a virus download link.

Page 18: Owasp for dummies handouts

Name hacker

Comment window.location = "badstuff.tv"

Hacker posts on blog. John visits blog.

John gets redirected to a different website.
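The guestbook from pages 15 to 18 rendered twice, once pasting comments straight into the page and once escaping them on output, as an added example that is not part of the original handout. The entries are constructed; the hacker's comment is wrapped in a script tag, which is what a stored payload needs to run in a reader's browser.

```python
import html

# Constructed guestbook entries: John's comment and the hacker's comment from the
# slide, wrapped in a script tag so a browser would execute it when rendered raw.
GUESTBOOK = [
    ("john", "I have a cat just like that!"),
    ("hacker", '<script>window.location = "badstuff.tv"</script>'),
]


def render_unsafe(entries):
    """Pastes name and comment straight into the HTML, like the poorly secured
    guestbook: every reader's browser runs the hacker's script."""
    return "\n".join("<p><b>%s</b>: %s</p>" % (name, comment)
                     for name, comment in entries)


def render_escaped(entries):
    """Escapes each user-supplied string on output, so < > & and quotes become
    entities and the payload is shown as text instead of being executed."""
    return "\n".join("<p><b>%s</b>: %s</p>" % (html.escape(name), html.escape(comment))
                     for name, comment in entries)


def contains_script_tag(page):
    """Simple check used to show the difference: is there a live <script> element?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_unsafe(GUESTBOOK))   # contains a live <script> element
    print(render_escaped(GUESTBOOK))  # payload appears as harmless text
```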

Page 19: Owasp for dummies handouts

3. Broken session management

Page 20: Owasp for dummies handouts

Each visitor to a website receives a unique number from the web server: your session_id.

Through this number the web server is able to keep track of who you are. This is why the number:

• Has to be secret.

• Should be very hard to guess.

• May not be changed by other people.

Page 21: Owasp for dummies handouts

_session_id: My session_id + 1

Guessing a session_id can be very easy.

Page 22: Owasp for dummies handouts

Email to administrator of website:

I can’t log in! Could you try it for me? https://catblog.com/?PHP_SESSION_ID=123456

Greets, hacker

Sometimes it is possible to send other people your session_id, forcing a shared session.

This can mix the credentials of two users into one session (session fixation).

Page 23: Owasp for dummies handouts

4. Insecure direct object reference

Page 24: Owasp for dummies handouts

As an example we will take a website with a “change your password” form:

Page 25: Owasp for dummies handouts

If you select “view source” in your browser, you will see something like this:

<form id="form" method="post" action="/employees/1234">
    <input type="text" name="username" />
    <input type="password" name="password" value="" />
    <input type="hidden" name="employee_id" value="1234" />
</form>

What happens if you change the action or the employee_id?

Could you reset somebody else’s password?

Page 26: Owasp for dummies handouts

5. Cross site request forgery

Page 27: Owasp for dummies handouts

Complex variant of Cross Site Scripting (XSS), so we will be reusing the cat blog example with a guestbook.

Page 28: Owasp for dummies handouts

My weblog

Story about my cat

Comments: john: I have a cat just like that!

Name john

Comment I have a cat just like that!

Page 29: Owasp for dummies handouts

If the guestbook is poorly secured, it might be possible to store other things like JavaScript in the message box.

Because other visitors can read the guestbook, it is possible to abuse the cat blog to help you spread your JavaScript to other readers of the blog.

By using Ajax we can abuse active sessions visitors might have with other services (like Gmail) to send spam through their account.

Page 30: Owasp for dummies handouts

Name hacker

Comment

$.ajax({
    type: 'POST',
    url: "www.gmail.com/new",
    data: {
        to: "[email protected]",
        subject: "NOT SPAM!",
        body: "Need Viagra?"
    },
    success: success,
    dataType: dataType
});

Page 31: Owasp for dummies handouts

Hacker posts on blog. John visits blog.

John sends spam to Anne via Gmail, without noticing it.

Page 32: Owasp for dummies handouts

6. Security misconfiguration

Page 33: Owasp for dummies handouts

Every system needs periodic updates to ensure the latest versions are installed.

• Check whether your provider/hoster has a maintenance window to do updates.

Page 34: Owasp for dummies handouts

7. Insecure Cryptographic Storage

Page 35: Owasp for dummies handouts

Incorrectly secured data. For example: this should NEVER be in your database in plaintext:

Username   Email                Password
jantje     [email protected]    jantje1
pietje     [email protected]    welkom123
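How the two accounts from page 35 should be stored instead, as an added example that is not part of the original handout: a salted PBKDF2 hash per user and a constant-time verify, so the plaintext password never reaches the database. The iteration count and the storage format are assumptions of this example; the e-mail column is left out.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumed here); raise as hardware allows


def hash_password(password, salt=None):
    """Returns a self-describing string "pbkdf2_sha256$iterations$salt$digest".
    A fresh random salt per user means equal passwords get different hashes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recomputes the hash with the stored salt and iteration count and compares
    in constant time; a leaked table reveals hashes, not reusable passwords."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


# The slide's table stored the right way (constructed sample data).
USERS = {
    "jantje": hash_password("jantje1"),
    "pietje": hash_password("welkom123"),
}


if __name__ == "__main__":
    for name, stored in USERS.items():
        print(name, stored)
    print(verify_password("jantje1", USERS["jantje"]))    # True
    print(verify_password("welkom123", USERS["jantje"]))  # False
```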

Page 36: Owasp for dummies handouts

8. Failure to restrict URL access

Page 37: Owasp for dummies handouts

Modify the URL of a website. This is very popular with journalists, because you can do it with any browser.

• http://catblog.com/admin.php

• http://test.com/employee/1234 => 1235?

• http://ibm.com/annualreport/2011 => 2012?

Page 38: Owasp for dummies handouts

9. Insufficient Transport Layer Protection

Page 39: Owasp for dummies handouts

With HTTPS the server and client negotiate the level of security. Together they figure out the highest level of encryption they can use for the connection.

• Viruses sometimes turn the encryption level of a browser down to the lowest possible setting.

• Badly configured servers agree to the low setting and set up a badly encrypted connection.

• Eavesdropping on the secure traffic between the server and the client is now possible.

Page 40: Owasp for dummies handouts

If other people cannot reach our website, but you can, there is a good chance that our server won’t drop to their suggested encryption level. Browsers give very bad error messages when this happens.

Page 41: Owasp for dummies handouts

10. Unvalidated Redirects and Forwards (rickroll)

Page 42: Owasp for dummies handouts

When you open a link to a secure section of a website and you are not logged in, you are often redirected to the login page. After you log in you will be sent back to the original page you were trying to open.

http://catblog.com/login.php?return_url=/admin.php

Page 43: Owasp for dummies handouts

Sometimes it is possible to abuse this and send people a link which looks legit & contains a website they trust.

However, after they log in, they are sent somewhere else.

http://catblog.com/login.php?return_url=http://www.youtube.com/watch?v=oHg5SJYRHA0
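A return_url check that keeps the redirect on the login page's own site, as an added example that is not part of the original handout. It assumes catblog.com is the host of the login page and accepts only local paths (or absolute http(s) URLs to that host, reduced to their path), so the YouTube link from the slide falls back to the default.

```python
from urllib.parse import urlsplit, urlunsplit

OWN_HOST = "catblog.com"  # assumed host of the login page on the slide


def safe_return_url(return_url, default="/"):
    """Returns a return_url that stays on our own site, or the default.
    Accepts only a local path (optionally with a query) or an absolute http(s)
    URL to OWN_HOST reduced to that path. Everything else, including other
    hosts, scheme-relative //host URLs, javascript: URLs, control characters
    and backslashes (which browsers may read as slashes), gets the default."""
    if not return_url or "\\" in return_url or any(ord(c) < 32 for c in return_url):
        return default
    parts = urlsplit(return_url)
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https") or parts.hostname != OWN_HOST:
            return default
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return default
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    for candidate in ["/admin.php",
                      "http://www.youtube.com/watch?v=oHg5SJYRHA0",
                      "//www.youtube.com/watch?v=oHg5SJYRHA0",
                      "http://catblog.com/admin.php"]:
        print(candidate, "->", safe_return_url(candidate))
```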

Page 44: Owasp for dummies handouts

Solutions?

Page 45: Owasp for dummies handouts

• Using a framework like JBoss, Rails or Zend will fix 90% of the problems addressed in the OWASP Top 10.

• To fix the other 10% you need to have your application audited periodically by an external party.

• Make sure you point out the responsibility of the end user. Often the weakest link is an employee who is careless with printed files or leaves his computer logged in.