
Top 10 web application security risks akash mahajan


Looking at the Top 10 web application security risks according to the OWASP Top 10 2010


Page 1: Top 10 web application security risks   akash mahajan

Overview of OWASP Top 10 – 2010

Akash Mahajan – Chapter Lead for null Bangalore

TOP 10 WEB APPLICATION SECURITY RISKS


CONNECT THIS IMAGE TO WEB SECURITY


AKASH MAHAJAN | ABOUT ME

• Independent Web Security Consultant
• Chapter lead for null Bangalore
• I test, hack, secure web applications and servers.
• I consult companies on secure deployments on AWS etc.
• Been doing application security for 5+ years.
• Wrote IDS sigs for malware and vulnerabilities for 3 years as well.


AGENDA

• OWASP

• OWASP Top 10

• Application Security Risks

• OWASP Top 10 Details

• The Beginning

• Contact Details


OPEN WEB APPLICATION SECURITY PROJECT

• OWASP is a worldwide non-profit open community dedicated to web application security.
• OWASP offers free tools, books, documents etc. to developers, security practitioners and anyone interested in application security.
• Some of the most popular OWASP projects are
  • OWASP Top 10
  • OWASP WebGoat Project
  • OWASP Testing Guide
  • OWASP Developer Guide
• Definitely visit and track updates on http://www.owasp.org


OWASP TOP 10

• OWASP Top 10 is a document listing the 10 most critical risks currently faced by web applications.
• It is purely about managing risk and not just avoiding vulnerabilities.
• It is meant to be consumed by developers and not just security dudes.
• You should consider using it if you are in charge of keeping web apps safe.
• Also if your organization doesn't have an app sec program and would like to start one now.
• Top 10 implies that these risks should be mitigated first to ensure the safety of the web application.
• There are other risks, but they are less severe than the top 10.


OWASP TOP 10

• Who else is using it?
  • The PCI Council, US Department of Defense, US Federal Trade Commission, Data Interchange Standards Association
  • Companies like Microsoft, Citibank, IBM, HP, British Telecom, Oracle
• How do they use it?
  • Microsoft uses it as part of its Security Development Lifecycle
  • The PCI Council uses it as part of the PCI Data Security Standard
  • Oracle and the NSA use it as part of developer awareness
  • Others use it to ensure a minimal level of security audit of web applications


APPLICATION SECURITY RISKS

• Applications can have many attack vectors
  • A form that submits to the database
  • A database login for a partner for direct access
  • An FTP login for a third-party content team
• These attack vectors can be used to exploit security weaknesses.
• For example, stolen FTP credentials for an Amazon EC2 server might allow the EC2 credentials to be stolen as well.
• Once stolen, all services based on your Amazon account are vulnerable to hijack.
• You could end up paying for someone else misusing your Amazon services!


OWASP TOP 10 – A1 INJECTION

• Injection flaws, such as SQL and OS injection, occur when untrusted data is sent to an interpreter as part of a command.
• The attacker's hostile data can trick the interpreter into executing commands or accessing unauthorized data.
• SQL injection is one of the most used vectors when malicious people want to create a new botnet.
  • First a vulnerable web-facing application is identified. Automated roBOTs/scripts crawl the world wide web looking for the identified application. Once found, they inject HTML/JS with links pointing to trojan downloaders etc.
  • Users with insecure browsers/OS come to the infected websites and get infected in turn, creating a NETwork.
  • In some cases up to 10,00,000 sites have been infected in a single day.
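The A1 point that the interpreter cannot tell data from command, shown as an added example (not code from the slides): a login query built by string concatenation next to the same query with bound parameters, against a constructed in-memory SQLite table.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the slides).
    Passwords are stored in clear only to keep the injection demo short;
    slide A7 covers why a real application must hash them."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    """Untrusted input is pasted into the SQL text, so the database cannot
    tell where the data ends and the command begins: a quote character in
    the input rewrites the WHERE clause and the password check is bypassed."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in con.execute(sql)]


def login_parameterised(con, username, password):
    """Bound parameters: the command text is fixed and the values travel
    separately, so the same input is only ever compared as a string."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"   # classic textbook input used in every OWASP write-up
    print("concatenated :", login_vulnerable(db, tainted, tainted))     # every user
    print("parameterised:", login_parameterised(db, tainted, tainted))  # no match
```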


OWASP TOP 10 – A2 CROSS SITE SCRIPTING (XSS)

• XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
• Frequently used to steal your session.
• One of the most infamous examples is the MySpace Samy worm. In less than a day he got more than a million friends and MySpace had to be shut down.
• An XSS bug occurring on the website registration page can enable theft of registration details.
• Would you like your competitor to find out about all your new users?


OWASP TOP 10 – A3 BROKEN AUTHENTICATION AND SESSION MANAGEMENT

• Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities.
• Developers tend to build custom authentication schemes which aren't tested enough and may contain logical flaws as well.
• Technical impacts range from login theft to malicious users getting access to all account details.
• Generating a new password every time someone enters an email id in forgot password will cause a denial of service attack!
• Not destroying the session after a fixed time.


CONNECT THIS IMAGE TO WEB SECURITY

Paris Hilton

Tinkerbell


OWASP TOP 10 – A4 INSECURE DIRECT OBJECT REFERENCE

• A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
• Technical impact can be letting unauthorized users download files not meant for them.
• A real-world website has a page to display an invoice for the user. It contains an id parameter. If we change the parameter, it shows the details for another user.
• Most people mistakenly think that if a file or folder is not linked from any web page it can't be found by a malicious user.
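The invoice example above, as an added illustration (not the slides' code): the lookup that trusts the id parameter alone, the same lookup with an ownership check, and a per-user indirect reference map so the browser never sees the database key. The invoice table and user names are constructed.

```python
import secrets

# Constructed invoice table: invoice id -> (owner, amount). Not real data.
INVOICES = {
    1001: ("alice", 120.00),
    1002: ("bob", 75.50),
}


def get_invoice_insecure(invoice_id):
    """The flaw on the slide: the id from the URL is the only thing consulted,
    so changing ?id=1001 to ?id=1002 returns another user's invoice."""
    return INVOICES.get(invoice_id)


def get_invoice_checked(current_user, invoice_id):
    """Look the record up, then verify the authenticated user owns it.
    Missing and not-owned both return None so the response does not reveal
    which invoice ids exist."""
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != current_user:
        return None
    return record


def build_reference_map(current_user):
    """Indirect references: hand the browser random per-session handles instead
    of database keys. Only the user's own invoices ever get a handle, so there
    is no foreign id to tamper with. Store the map in the server-side session."""
    return {secrets.token_urlsafe(8): iid
            for iid, rec in INVOICES.items() if rec[0] == current_user}


def resolve_reference(ref_map, handle):
    """Translate a handle back to the record; unknown handles resolve to None."""
    iid = ref_map.get(handle)
    return INVOICES.get(iid) if iid is not None else None
```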


OWASP TOP 10 – A5 CROSS SITE REQUEST FORGERY

• A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application.
• This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
  • Log you out of your email account.
  • Add a rogue DNS entry in your ADSL modem!
  • Create a filter in webmail to forward all email to a malicious user.
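Because the browser attaches the session cookie automatically, the cookie alone cannot prove the user intended the request. Here is an added example (not from the slides) of the synchronizer-token defence: a token derived from the session that a page on another origin cannot read, plus an Origin header check. The server secret and the site origin are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment server secret, generated once at startup.
SECRET_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://example.com"   # assumption: the application's own origin


def issue_csrf_token(session_id):
    """Derive a token bound to this session. Embed it in every state-changing
    form as a hidden field; a page on another origin cannot read it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_request(session_id, submitted_token, origin):
    """Accept a state-changing request only if (a) the Origin header, when the
    browser sends one, is our own site and (b) the submitted token matches the
    one derived from the session. The forged requests on the slide (log-out,
    router DNS change, webmail filter) carry the cookie but neither of these."""
    if origin is not None and origin != SITE_ORIGIN:
        return False
    if not submitted_token:
        return False
    return hmac.compare_digest(submitted_token, issue_csrf_token(session_id))
```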


OWASP TOP 10 – A6 SECURITY MISCONFIGURATION

• Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform.
• This includes keeping all software up to date, including all code libraries used by the application.
• Network Solutions were offering WordPress installations on a shared server. The main configuration file wp-config.php was world readable. Mass hack of WordPress-based websites.
• Shipping with default passwords!
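The wp-config.php incident turned into a check, as an added example (not from the slides): detect a configuration file that other tenants on the host can read, and tighten it to owner-only. The file is a constructed temporary stand-in.

```python
import os
import stat
import tempfile


def world_readable(path):
    """True if the 'other' read bit is set: on a shared server that means every
    other tenant can read the database credentials inside the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def harden(path):
    """Restrict the file to its owner (mode 0600) and return the resulting mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Create a constructed stand-in for wp-config.php with the loose mode the
    slide describes, check it, fix it, and report (before, new mode, after)."""
    fd, path = tempfile.mkstemp(suffix="-wp-config.php")
    os.close(fd)
    os.chmod(path, 0o644)          # the misconfiguration: readable by everyone
    try:
        before = world_readable(path)
        mode = harden(path)
        after = world_readable(path)
    finally:
        os.remove(path)
    return before, mode, after
```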


OWASP TOP 10 – A7 INSECURE CRYPTOGRAPHIC STORAGE

• Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing.
• Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
• Storing unsalted hashes in a known weak hash algorithm like MD5. Using rainbow tables attackers can figure out stolen passwords in no time at all.
• Storing the encryption key in the same location as the encrypted files.
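The unsalted-MD5 point next to its fix, as an added example (not the slides' code): identical passwords give identical MD5 digests, which is what makes a precomputed table work, whereas a random per-user salt and a slow KDF give every user a different, expensive-to-precompute hash. The iteration count is an assumption (the OWASP 2023 recommendation for PBKDF2-HMAC-SHA256), and the `pbkdf2_sha256$iterations$salt$digest` storage format is constructed for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumption: OWASP (2023) figure for PBKDF2-HMAC-SHA256


def md5_store(password):
    """What the slide warns against: unsalted MD5. Two users with the same
    password get the same digest, so one rainbow table cracks all of them."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None):
    """Salted, iterated hash. The salt is random per user and stored alongside
    the digest; it need not be secret, it only has to be unique."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check itself does not leak via timing."""
    _alg, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```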


OWASP TOP 10 – A8 FAILURE TO RESTRICT URL ACCESS

• Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
• This can be due to either
  • Simple misconfiguration
  • Flawed coding or logic.
• Assuming that if it is hidden it will never be found doesn't usually end up well. Anonymous users accessing pages meant for authenticated users and authenticated users accessing admin pages can have a negative impact.


OWASP TOP 10 – A9 INSUFFICIENT TRANSPORT LAYER PROTECTION

• Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.
• Login and password passed in clear text over the wire. Anyone monitoring the traffic can get hold of the credentials.


OWASP TOP 10 – A10 UNVALIDATED REDIRECTS AND FORWARDS

• Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.
• Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
  • A malicious user creating a redirect that points to another site for phishing
  • A forward parameter coded to send the user to the admin section or to the normal section
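Validation for both cases on the slide, as an added example (not the slides' code): the redirect target is resolved against the site's own origin and accepted only for an allow-listed host, and forwards take a short name looked up in a fixed table instead of a raw path. The site origin, allow-list and forward table are assumptions.

```python
from urllib.parse import urljoin, urlparse

SITE_ORIGIN = "https://example.com"                        # assumption: our origin
ALLOWED_HOSTS = {"example.com", "partner.example.org"}     # constructed allow-list
FORWARDS = {"profile": "/user/profile", "orders": "/user/orders"}  # constructed


def safe_redirect_target(next_param, default="/"):
    """Resolve the untrusted 'next' value against our own origin and accept it
    only if it is http(s) on an allow-listed host; anything else falls back to
    the default. Resolving first catches scheme-relative '//host' values and
    'user@host' tricks that a naive startswith('/') check would let through."""
    if not next_param:
        return default
    target = urlparse(urljoin(SITE_ORIGIN, next_param))
    if target.scheme not in ("http", "https"):
        return default
    if target.hostname is None or target.hostname.lower() not in ALLOWED_HOSTS:
        return default
    return target.geturl()


def resolve_forward(name, default="/"):
    """Forwards are named, not addressed: the parameter selects an entry in a
    fixed table, so it can never name the admin section directly."""
    return FORWARDS.get(name, default)
```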


THE BEGINNING

• These risks only cover the top 10 of them all. There are many others that are very dangerous and should be guarded against, like
  • Clickjacking, Denial of service, Information Leakage, Improper Error Handling, Insufficient Anti-automation, Lack of intrusion detection, Malicious file execution
• To develop secure code: 'OWASP Developers Guide'
• To test web applications for security: 'OWASP Testing Guide'
• To review web applications: 'OWASP Code Review Guide'
• Keep yourself updated: join a local OWASP chapter
• Get on the mailing lists.


AKASH MAHAJAN | REACH ME

• Reach me on
  • Website: akashm.com
  • Email: [email protected]
  • Twitter: @makash
  • LinkedIn: www.linkedin.com/in/akashm