2. Where We Are
Recent attacks on e-commerce sites show the vulnerability: an intruder was able to make unauthorized calls to see and manipulate the data.
- Transaction system calls are open publicly.
- Some Web API calls are still on HTTP.
- The same username/password is used across multiple clients/channels.
- Most internal applications are open publicly.
3. Top 10 OWASP Security Guidelines
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
4. A1 - Injection
How? SQL injection, LDAP query injection.
Impact: Unintended commands are executed. Data can be accessed without proper authentication.
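As an added illustration (not code from the original slides), the Python snippet below puts the injectable lookup next to its parameterised replacement, using an in-memory SQLite table with constructed rows. The table, the rows, the probe value and the function names are assumptions made for the demo.

```python
import sqlite3


def build_db():
    """Constructed sample table for the demo (not data from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Untrusted input is spliced into the SQL text, so a quote character in
    it closes the string literal and the remainder runs as SQL."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterised query: the value travels separately from the statement
    and is compared as a literal string no matter what it contains."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with the same input and count the rows each returns."""
    conn = build_db()
    # The textbook review probe: a quote that ends the literal followed by an
    # always-true condition. Against the vulnerable query it matches every row.
    probe = "' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_user_vulnerable(conn, probe)),
        "safe_rows": len(lookup_user_safe(conn, probe)),
        "legit_rows": len(lookup_user_safe(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The same rule applies to LDAP filters and any other query language the slide has in mind: build the statement from constants and pass user input only through the driver's parameter mechanism, never through string formatting.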
5. A2 - Broken Authentication & Session Management
How? Authentication and session management are not implemented properly.
Impact: Attackers assume user identities and gain access; they get hold of passwords, tokens and session keys.
6. A3 - Cross-Site Scripting
How? The application takes untrusted data and sends it to a web browser without proper validation or escaping.
Impact: Hijack user sessions. Redirect users to malicious sites.
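An added example (not from the original slides) of the "without proper escaping" failure and its fix: a comment template rendered once with raw interpolation and once with context-appropriate escaping, plus a small parser-based check a reviewer can use to confirm that the template is the only source of tags and attributes in the output. The template, the constructed inputs and the helper names are assumptions for the demo.

```python
import html
from html.parser import HTMLParser


def render_comment_vulnerable(author, text):
    """Raw interpolation: whatever the user typed becomes part of the page."""
    return '<p class="comment" data-author="%s">%s</p>' % (author, text)


def render_comment_safe(author, text):
    """Escape for the context the data lands in. html.escape(quote=True)
    rewrites & < > " and ', so the input can only be text or an attribute
    value, never a new tag or a new attribute."""
    return '<p class="comment" data-author="%s">%s</p>' % (
        html.escape(author, quote=True),
        html.escape(text, quote=True),
    )


class _TagCollector(HTMLParser):
    """Records every start tag and attribute name a browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def markup_seen(fragment):
    """Return (tags, attribute names) parsed from a rendered fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags, collector.attr_names


# Constructed untrusted inputs: one tries to open a new element in the text
# context, the other tries to close the attribute value and add a handler.
SAMPLE_TEXT = "<script>alert(1)</script>"
SAMPLE_AUTHOR = 'mallory" onmouseover="alert(1)'

if __name__ == "__main__":
    print(markup_seen(render_comment_vulnerable(SAMPLE_AUTHOR, SAMPLE_TEXT)))
    print(markup_seen(render_comment_safe(SAMPLE_AUTHOR, SAMPLE_TEXT)))
```

Escaping has to match the output context: the HTML-body and quoted-attribute cases shown here are covered by `html.escape`, but data placed inside a `<script>` block, a URL or a CSS value needs the encoder for that context, and a templating engine with auto-escaping on is the simpler default for a web application.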
7. A4 - Insecure Direct Object References
How? The developer exposes references to files, XML objects or DB keys.
Impact: Attackers can manipulate these references to access unauthorized data.
8. A5 - Security Misconfiguration
How? Web servers and DB servers do not implement adequate security policies.
Impact: Unable to trace the origin of a command. Cannot have good control to
9. A6 - Sensitive Data Exposure
How? Hashing and encryption techniques are not adequate when storing payment info such as passwords, credit card data etc. Payment info is transmitted in plain text.
Impact: An intruder can get access to payment info and thereby cause brand damage.
10. A7 - Missing Function Level Access Control
How? Function-level access control is absent on the server at the time of the request. Attackers forge requests.
Impact: Unauthorized access.
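Slides 7 (A4) and 10 (A7) describe the two halves of server-side authorization, so one added Python example (not from the original slides) covers both: an object-level ownership check on an order lookup keyed by a DB id, and a function-level role check enforced by a decorator on an admin-only operation. The order table, the user roles, the `Forbidden` exception and all function names are assumptions constructed for the demo.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not perform the action or see the object."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # constructed roles for the demo: "customer" or "admin"


# Constructed order table (not from the slides): order id -> record.
ORDERS = {
    1001: {"owner_id": 1, "total": 49.90, "status": "paid"},
    1002: {"owner_id": 2, "total": 120.00, "status": "paid"},
}


def get_order_vulnerable(order_id):
    """A4 as the slide describes it: the DB key from the request is used
    as-is, so any logged-in user who changes the number reads another
    customer's order."""
    return ORDERS[order_id]


def get_order(user, order_id):
    """Object-level check: the record must belong to the caller, or the
    caller must be an admin. Unknown and foreign ids get the same answer so
    the endpoint does not reveal which order numbers exist."""
    order = ORDERS.get(order_id)
    if order is None or (order["owner_id"] != user.id and user.role != "admin"):
        raise Forbidden("order %s" % order_id)
    return order


def require_role(role):
    """A7: the function-level check runs on the server for every request,
    independent of whether the UI showed the button."""
    def decorator(fn):
        def wrapper(user, *args, **kwargs):
            if user.role != role:
                raise Forbidden("%s requires role %s" % (fn.__name__, role))
            return fn(user, *args, **kwargs)
        wrapper.__name__ = fn.__name__
        return wrapper
    return decorator


@require_role("admin")
def refund_order(user, order_id):
    """Admin-only operation; the role check runs before this body does."""
    order = get_order(user, order_id)
    order["status"] = "refunded"
    return order["status"]


def attempt(fn, *args):
    """Demo helper: report whether a call was allowed or refused."""
    try:
        fn(*args)
        return "allowed"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    alice, admin = User(1, "customer"), User(99, "admin")
    print(attempt(get_order, alice, 1002), attempt(refund_order, admin, 1002))
```

The decorator pattern matters because the check is attached to the function rather than to the route table or the template: a new URL that reaches `refund_order` through a different path still hits the role check.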
11. A8 - Cross-Site Request Forgery
How? Authentication tokens or cookies are used to forge HTTP requests from the victim's browser.
Impact: The forged requests appear legitimate, thereby compromising the application.
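An added Python example (not from the original slides) of why the cookie alone must not authorise a state-changing request: a per-session synchronizer token embedded in the checkout form and checked on the server, with an Origin-header check and a `SameSite` cookie attribute as additional layers. The `Session` class, the form markup, the origin value and the handler's return codes are assumptions constructed for the demo.

```python
import hmac
import secrets


class Session:
    """Server-side session; a fresh unguessable CSRF token is minted per session."""

    def __init__(self):
        self.id = secrets.token_urlsafe(16)
        self.csrf_token = secrets.token_urlsafe(32)


def session_cookie_header(session):
    """Cookie attributes that limit what a cross-site page can do with the
    session: Secure (TLS only), HttpOnly (no script access) and SameSite=Lax
    (not attached to cross-site POSTs by current browsers)."""
    return "Set-Cookie: sid=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % session.id


def render_checkout_form(session):
    """Embed the token in the form. A page on another origin can make the
    browser submit this form, but cannot read the token to include it."""
    return (
        '<form method="post" action="/checkout">'
        '<input type="hidden" name="csrf_token" value="%s">'
        '<button>Place order</button></form>' % session.csrf_token
    )


def handle_checkout(session, form, origin=None, expected_origin="https://shop.example"):
    """Server-side check for every state-changing request: the submitted token
    must equal this session's token (constant-time compare), and when the
    browser sent an Origin header it must name our own site."""
    submitted = form.get("csrf_token", "").encode("utf-8")
    if not hmac.compare_digest(submitted, session.csrf_token.encode("utf-8")):
        return 403, "missing or wrong CSRF token"
    if origin is not None and origin != expected_origin:
        return 403, "cross-site origin rejected"
    return 200, "order placed"


if __name__ == "__main__":
    victim = Session()
    print(handle_checkout(victim, {"qty": "99"}, origin="https://evil.example"))
    print(handle_checkout(victim, {"csrf_token": victim.csrf_token, "qty": "1"}))
```

The token check is the primary control; `SameSite=Lax` and the Origin check are defence in depth, since the first depends on browser support and the second on the header being present.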
12. A9 - Components with Known Vulnerabilities
How? Frameworks and components run with full privileges.
Impact: Any issue in these will in turn cause issues in the main application.
13. A10 - Unvalidated Redirects and Forwards
How? No validation is in place when redirecting to other pages and applications.
Impact: Phishing attacks redirect users to applications through which sensitive information can be captured.
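An added Python example (not from the original slides) of the validation this slide says is missing: a `next`-style redirect parameter is resolved against the site's own origin and only used if it stays on an allowed host over HTTPS, with a fallback otherwise. It goes slightly beyond the slide by handling the usual bypass shapes a reviewer checks for (scheme-relative `//host`, backslash variants, look-alike subdomains, userinfo tricks and non-HTTP schemes). The origin, the host allowlist and the function name are assumptions constructed for the demo.

```python
from urllib.parse import urljoin, urlsplit

# Constructed values: the site's own origin and the hosts users may be sent to.
SITE_ORIGIN = "https://shop.example"
ALLOWED_HOSTS = {"shop.example", "pay.shop.example"}


def safe_redirect_target(next_param, fallback="/"):
    """Resolve a user-supplied redirect value against our own origin and
    return it only if it lands on an allowed host over https; otherwise
    return the fallback path."""
    if not next_param:
        return fallback
    # Browsers treat a backslash like a slash in URLs, so "/\evil.example"
    # would otherwise slip past a check that only looks for "//".
    candidate = next_param.replace("\\", "/")
    # Relative paths become absolute URLs on our origin; absolute and
    # scheme-relative inputs keep whatever host they name.
    resolved = urljoin(SITE_ORIGIN, candidate)
    parts = urlsplit(resolved)
    if parts.scheme != "https":
        # Rejects http downgrade and javascript:/data: style schemes.
        return fallback
    if parts.hostname not in ALLOWED_HOSTS:
        # Exact match: evil.example, shop.example.evil.example and
        # shop.example@evil.example (userinfo) all fail here.
        return fallback
    return resolved


if __name__ == "__main__":
    for value in ("/account/orders", "//evil.example/login", "javascript:alert(1)"):
        print(repr(value), "->", safe_redirect_target(value))
```

An allowlist of destinations is the robust form of this check; where a redirect must reach arbitrary third-party sites, the usual alternative is to redirect by an opaque id that maps server-side to a vetted URL rather than by the URL itself.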
14. Next Steps...
Take a proactive approach: it is better to beef up security now than to repent later. Security should be constantly reviewed, and it needs emphasis during code reviews.