SEC835

OWASP Top Ten Project

Top Ten Web App VulnerabilitiesOWASP top ten web application vulnerabilities – 2007 reportVulnerabilities

A1 - Cross Site Scripting (XSS) A2 - Injection Flaws A3 - Malicious File Execution A4 - Insecure Direct Object Reference A5 - Cross Site Request Forgery (CSRF) A6 - Information Leakage and Improper Error Handling A7 - Broken Authentication and Session Management A8 - Insecure Cryptographic Storage A9 - Insecure Communications A10 - Failure to Restrict URL Access

Top Ten Web App VulnerabilitiesOWASP top ten web application vulnerabilities – 2010 reportVulnerabilities

A1 - Injection Flaws A2 - Cross Site Scripting (XSS) A3 – Broken Authentication and Session Management A4 - Insecure Direct Object Reference A5 - Cross Site Request Forgery (CSRF) A6 – Security misconfigurationA7 - Insecure Cryptographic Storage A8 - Failure to Restrict URL Access A9 – Insufficient transport layer protection A10 – Unvalidated redirect and forwards

Cross-Site Scripting and Injection Flows

See Week 10 materials

Insecure Direct Object Reference

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

IDOR ProtectionAvoid exposing direct object references to users by using either of

an index, indirect reference map, or other indirect method that is easy to validate.

If a direct object reference must be used, ensure that the user is authorized before using it. Validate any private object references extensively with a white list approach

Cross-Site Request ForgeryCSRF forces a victim browser to send a request to a vulnerable application, after a user is logged-on. A user can be tricked by an image link for example. A vulnerable application (or html page) starts acting on behalf of a user, using the opened session. It can perform actions designed by the attacker, e.g. transfer money from the victim accountAffected page performs the action that appears to come from a legitimate user The malicious code often resides on other site, not on the victim site, that’s why named as cross-site

Cross-Site Request Forgery

XSS exploits the trust a user has for a particular site, when CSRF exploits the trust a site has for a particular user

CSRF occurs when the application rely solely on automatically submitted credentials such as session cookies, basic authentication credentials, source IP addresses, SSL certificates, or Windows domain credentials.

CSRF ProtectionA user must be re-authenticated by generating and then requiring some type of authorization token that is not automatically submitted by the browser. Insert custom random tokens into every form and URL that will not be automatically submitted by the browser For sensitive data or value transactions, re-authenticate or use transaction signing Do not use GET requests (URLs) for sensitive data or to perform value transactions. Use only POST methods when processing sensitive data from the user POST alone is not sufficient. It must be combined with random tokens and re-authenticationLimit the lifetime of authentication cookiesEnsure that there are no XSS vulnerabilities in your application. XSS vulnerabilities are not required for CSRF success but may aggravate the CSRF result

Security misconfiguration

Security holes that occur due to wrong, weak, or contradicted configuration parameters

Mostly relate to network and servers configuration

Security misconfiguration protection

Standard hardening procedures must apply to all infrastructure sw/hw

Updates and patching

Application code version control

Insecure cryptographic store

The most common problems are: Not encrypting sensitive data

Using home grown algorithms

Insecure use of strong algorithms

Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, etc…)

Hard coding keys, and storing keys in unprotected stores

Strong crypto mechanismDo not create cryptographic algorithms. Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing. Do not use weak algorithms, such as MD5 / SHA1. Favor safer alternatives, such as SHA-256 or better. Generate keys offline and store private keys with extreme care. Never transmit private keys over insecure channels Ensure that infrastructure credentials such as database credentials or MQ queue access details are properly secured (via tight file system permissions and controls), or securely encrypted and not easily decrypted by local or remote users Ensure that encrypted data stored on disk is not easy to decrypt. For example, database encryption is worthless if the database connection pool provides unencrypted access.

Strong crypto mechanism (cont)Data in rest must be encrypted with the highest possible granularity, relevant to the data’s sensitivity classification.

Field encryption will be implemented for highly sensitive data.

Data files, folders, or whole-disk encryption can be used to protect data as a batch function. However, if the data contains sensitive items, then field encryption must be implemented prior to using bulk encryption

Encryption keys must be protected at the same level or higher as the data.

Strong crypto mechanism (cont)All keying materials must be destroyed immediately after use.

Encryption keys must not be hardcoded

Encryption keys must not be stored in audit logs.

An encryption key can be used for one purpose only.

Memory protectionAllocate two different buffers used for:

• Plaintext data

• Encrypted data

Erase data traces from the buffers immediately after use.

Failure to restrict URL accessAccess to web pages thru “hidden" or "special" URLs, rendered only to administrators or privileged users in the presentation layer, but accessible to all users if they know it exists Access to “hidden” files, such as static xml files without authorizationCode that enforces an access control policy but is out of date or insufficient Code that evaluates privileges on the client but not on the server

URL access protection

Role-based access control to the application functionsAlways ensure that administrative and high privilege actions are protected Locate application libraries outside of the web rootBlock access to all file types that your application should never serve

Insufficient transport layer protection

Failure to encrypt network traffic for all authenticated connections

Common flaws:Only login activity is protected with SSL

Backend communication is not protected

Insufficient transport layer protection

Communication to end user always occurs over SSL

All sensitive actions are protected, not only login

Backend communication is protected with TLS

Unvalidated redirects and forwards

Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Unvalidated redirects and forwards - protection

Avoid using redirects and forwards

If used, don’t involve user parameters in calculating the destination.

If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorized for the user.

For 2007 items

See below

Malicious File Execution

Occurs when a developer accepts file names or files from a user without validationTypical examples include: .NET assemblies which allow URL file name arguments, or code which accepts the user’s choice of filename to include local files.A common vulnerable construct:

include $_REQUEST['filename’];

Malicious File Execution (cont)

Other methods of attacks:Hostile data being uploaded to session files, log data, and via image uploads (typical of forum software)

XML documents submitted by an attacker may have a hostile DTD that forces the XML parser to load a remote DTD, and parse and process the results

ProtectionThis vulnerability is difficult to determine

Automatic testing is not capable to validate the use of parameters

Security remedy must start from the architecture and design

Ensure that the application will not use user-supplied input in any filename for any server-based resource (such as images, XML and XSL transform documents, or script inclusions), and will have firewall rules in place preventing new outbound connections to the Internet or internally back to any other server.

Protection (cont.)

RecommendationsUse indirect object reference map

Strong user data input validation (white list strategy)

Check any user supplied filenames or files

In Java, consider implementing a chroot jail or other sandbox mechanisms in order to isolate applications

In J2EE, ensure that security manager is enabled and permissions are controlled

Information leakage

See week 9 materials

Lab task

Read OWASP Top Ten Project Articles

Work on your spreadsheetCrypto: cells E3, A19

IDOR: cells D3, A26

XSRF: cells F3, A21, A23

URL access: cells C3, A5

Transport Layer: cells G3, A24

Redirects and forwards: cells H3, A25

Useful linkshttps://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

https://www.owasp.org/index.php/Authentication_Cheat_Sheet