Owasp for dummies handouts
Transcript of Owasp for dummies handouts
![Page 1: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/1.jpg)
OWASP
Bart ten Brinke
![Page 2: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/2.jpg)
The Open Web Application Security Project (OWASP)
• https://www.owasp.org/
• OWASP gathers statistics of internet hacks and uses these to generate its security top 10.
![Page 3: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/3.jpg)
Availability
Integrity
Confidentiality
Data
“Doctor-specific patient records cannot be viewed by nurses, which means they are not as well informed as they could be.”
“Putting stuff on Wikipedia makes it very available, but not very confidential.”
“Wikipedia always has the latest news available, but how can you be sure that all the facts are checked?”
![Page 4: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/4.jpg)
Every solution is a compromise between Confidentiality, Integrity & Availability.
• http://en.wikipedia.org/wiki/Information_security
• The safest door is one you can’t walk through at all.
• The nuances of the CIA triangle are lost in the current media reports: something is either safe or unsafe.
![Page 5: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/5.jpg)
Unsafe
Safe
![Page 6: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/6.jpg)
During the design of the Dutch public transportation card (OV-chipkaart) the designers made the decision to use less secure RFID cards, because the savings on these cheap RFID cards were much higher than the loss of revenue to hackers.
This was not reflected by the media at all.
![Page 7: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/7.jpg)
OWASP Top 10
![Page 8: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/8.jpg)
1. SQL injection
![Page 9: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/9.jpg)
We have a website where you can log in using your username and password:
Username john
Password 1234
![Page 10: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/10.jpg)
The application checks these credentials with a database:
Username john
Password 1234
SELECT * FROM users WHERE username = "john" AND password = "1234"
![Page 11: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/11.jpg)
Give me all users with the name "john" and password "1234". If there is one, you will be logged in.
Username john
Password 1234
SELECT * FROM users WHERE username = "john" AND password = "1234"
![Page 12: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/12.jpg)
Username administrator
Password " OR 1="1
SELECT * FROM users WHERE username = "administrator" AND password = "" OR 1="1"
![Page 13: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/13.jpg)
SELECT * FROM users WHERE username = "administrator" AND password = "" OR 1="1"
Give me all users with the name "administrator" who have an empty password, OR where 1=1.
1=1 is always true, so you will be logged in as the administrator.
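The login check from slides 10 to 13, as an added example that is not part of the handouts: the query built by string formatting behaves exactly as the slide describes, while the parameterised version treats the same input as plain data. The user table and passwords are constructed sample data; SQLite delimits strings with single quotes, so the slide's `" OR 1="1` payload appears here as `' OR '1'='1`.

```python
import sqlite3

# Constructed sample data (not from the slides). The administrator row comes first so a
# query that matches every row returns it first, as on slide 13. Passwords are kept in
# plaintext only to mirror the slide's query; a real system stores password hashes.
SAMPLE_USERS = [("administrator", "s3cret"), ("john", "1234")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db

def login_vulnerable(db, username, password):
    """The slide's query built by string formatting: user input becomes SQL text."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username, password):
    """Same check with a parameterised query: the driver binds the values after the
    statement is parsed, so a quote character in the input is just a character."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"      # slide 12's password, written with SQLite's quote character
    print(login_vulnerable(db, "john", "1234"))            # john
    print(login_vulnerable(db, "administrator", payload))  # administrator
    print(login_safe(db, "administrator", payload))        # None
```

The vulnerable function turns the payload into `... AND password = '' OR '1'='1'`, which is true for every row; `login_safe` sends the same characters as a bound parameter and finds no user with that literal password.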
![Page 14: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/14.jpg)
2. XSS - Cross site Scripting
![Page 15: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/15.jpg)
As an example we will be using a catblog which has a guestbook where you can post messages.
![Page 16: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/16.jpg)
My weblog
Story about my cat
Comments: john: I have a cat just like that!
Name john
Comment I have a cat just like that!
![Page 17: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/17.jpg)
If the guestbook is poorly secured, it is possible to store other things than messages. For example you might be able to store javascript.
Because other people can read the guestbook, it is possible to abuse the catblog to help you spread your javascript to other readers of the blog.
• Visitors can be redirected to another site.
• Visitors can be presented with a popup containing a virus download link.
![Page 18: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/18.jpg)
Name hacker
Comment window.location = "badstuff.tv"
Hacker posts on blog. John visits blog.
John gets redirected to a different website.
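The guestbook from slides 16 to 18, as an added example that is not part of the handouts: the same stored comment is rendered once by plain string interpolation and once with HTML output encoding. The guestbook entries are constructed; the second one wraps the slide's redirect in a script tag so that it would execute when a page interpolates it raw.

```python
import html

# Constructed guestbook entries: john's comment from the slide and a stored-script
# payload in the shape of the redirect shown on slide 18.
GUESTBOOK = [
    ("john", "I have a cat just like that!"),
    ("hacker", '<script>window.location = "badstuff.tv"</script>'),
]

def render_unsafe(name, comment):
    """Interpolates the stored text straight into HTML: a script tag survives and runs
    in every reader's browser, which is what makes the guestbook a spreading point."""
    return "<p><b>%s:</b> %s</p>" % (name, comment)

def render_safe(name, comment):
    """HTML-encodes both fields for an HTML body context, so '<' becomes '&lt;' and
    the browser shows the comment as text instead of parsing it as markup."""
    return "<p><b>%s:</b> %s</p>" % (html.escape(name, quote=True),
                                     html.escape(comment, quote=True))

def render_page(entries, renderer):
    """Builds the comments section the way the blog would, with the chosen renderer."""
    return "<h2>Comments:</h2>\n" + "\n".join(renderer(n, c) for n, c in entries)

if __name__ == "__main__":
    print(render_page(GUESTBOOK, render_unsafe))
    print(render_page(GUESTBOOK, render_safe))
```

Encoding is context-specific: `html.escape` is the right tool for text placed between tags or inside a quoted attribute; text that ends up inside a script block or a URL needs the encoding for that context instead.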
![Page 19: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/19.jpg)
3. Broken session management
![Page 20: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/20.jpg)
Each visitor to a website receives a unique number from the webserver: your session_id.
Through this number the webserver is able to keep track of who you are. This is why the number:
• Has to be secret.
• Should be very hard to guess.
• May not be changed by other people.
![Page 21: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/21.jpg)
_session_id: my session_id + 1
Guessing a session_id can be very easy.
![Page 22: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/22.jpg)
Email to administrator of website:
I can’t log in! Could you try it for me? https://catblog.com/?PHP_SESSION_ID=123456
Greets, hacker
Sometimes it is possible to send other people your session_id, forcing a shared session.
This might cause the credentials of users to be combined.
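The three requirements from slide 20 and the two attacks from slides 21 and 22, as an added example that is not part of the handouts. The session store is constructed: one instance issues counter ids (so "my session_id + 1" is somebody else's session), the other issues random tokens, refuses ids it never handed out, and replaces the id at login so an id planted in a URL beforehand never becomes the logged-in session.

```python
import itertools
import secrets

def sequential_ids():
    """Slide 21's situation: ids are a counter, so a neighbour's id is one guess away.
    The starting value is the one shown in the slide 22 URL."""
    return (str(n) for n in itertools.count(123456))

def random_ids():
    """256-bit tokens from the OS CSPRNG: secret, unguessable, unrelated to each other."""
    while True:
        yield secrets.token_urlsafe(32)

class SessionStore:
    """Server-side session table; the client only ever holds the opaque id."""

    def __init__(self, id_source):
        self._ids = id_source
        self._sessions = {}          # session_id -> session data

    def new_session(self):
        sid = next(self._ids)
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        # Only ids this server issued are valid. An id pasted into a link by a stranger
        # (slide 22) is not silently adopted as a new session, so it cannot be planted.
        return self._sessions.get(sid)

    def login(self, sid, user):
        """Issue a fresh id when the user authenticates, so an id the victim was handed
        before login (session fixation) stops working the moment it would be valuable."""
        if self._sessions.pop(sid, None) is None:
            raise ValueError("unknown session id")
        new_sid = next(self._ids)
        self._sessions[new_sid] = {"user": user}
        return new_sid

if __name__ == "__main__":
    weak = SessionStore(sequential_ids())
    mine, theirs = weak.new_session(), weak.new_session()
    print(mine, theirs, weak.lookup(str(int(mine) + 1)))    # 123456 123457 {'user': None}
    strong = SessionStore(random_ids())
    sid = strong.new_session()
    print(strong.lookup("123456"), strong.login(sid, "john") != sid)   # None True
```

In a real deployment the id is also sent only in a cookie marked `Secure` and `HttpOnly`, never in the URL as in the slide 22 link, so it is not exposed in logs, referrers or copied links.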
![Page 23: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/23.jpg)
4. Insecure direct object reference
![Page 24: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/24.jpg)
As an example we will take a website with a “change your password” form:
![Page 25: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/25.jpg)
If you select “view source” in your browser, you will see something like this:
<form id="form" method="post" action="/employees/1234">
  <input type="text" name="username" />
  <input type="password" name="password" value="" />
  <input type="hidden" name="employee_id" value="1234" />
</form>
What happens if you change the action or the employee_id?
Could you reset somebody else’s password?
![Page 26: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/26.jpg)
5. Cross site request forgery
![Page 27: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/27.jpg)
Complex variant of Cross Site Scripting (XSS), so we will be reusing the catblog example with a guestbook.
![Page 28: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/28.jpg)
My weblog
Story about my cat
Comments: john: I have a cat just like that!
Name john
Comment I have a cat just like that!
![Page 29: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/29.jpg)
If the guestbook is poorly secured, it might be possible to store other things like javascript in the message box.
Because other visitors can read the guestbook, it is possible to abuse the catblog to help you spread your javascript to other readers of the blog.
By using ajax we can abuse active sessions visitors might have with other services (like Gmail) to send spam through their account.
![Page 30: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/30.jpg)
Name hacker
Comment
$.ajax({
  type: 'POST',
  url: "www.gmail.com/new",
  data: { to: "[email protected]", subject: "NOT SPAM!", body: "Need Viagra?" },
  success: success,
  dataType: dataType
});
![Page 31: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/31.jpg)
Hacker posts on blog. John visits blog.
Jan sends spam to Anne via Gmail, without noticing it.
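The server side of the mail service from slides 29 to 31, as an added example that is not part of the handouts. It shows the usual defence, an anti-forgery token: the browser attaches the victim's session cookie to the guestbook's `$.ajax` request just as the slide says, but that request cannot carry the token, because a page on the catblog's origin cannot read the mail service's pages. The session table, form and handler are constructed.

```python
import hmac
import secrets

SESSIONS = {}     # session_id -> {"user": ..., "csrf": per-session token}

def start_session(user):
    """Constructed login: every session gets its own random anti-forgery token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def compose_form(sid):
    """The service's own 'new mail' form carries the token in a hidden field. A script
    on another site (the guestbook) cannot read this page, so it cannot copy the token."""
    token = SESSIONS[sid]["csrf"]
    hidden = '<input type="hidden" name="csrf_token" value="%s">' % token
    return ('<form method="post" action="/new">' + hidden +
            '<input type="text" name="to"><input type="submit"></form>')

def handle_send(sid, form):
    """Handler for POST /new. The session cookie arrives with every request, forged or
    not; only a request that also presents the session's token came from our own page."""
    session = SESSIONS.get(sid)
    if session is None:
        return "401 not logged in"
    supplied = form.get("csrf_token", "")
    # compare_digest keeps the comparison time independent of where the strings differ
    if not hmac.compare_digest(supplied.encode("utf-8"), session["csrf"].encode("utf-8")):
        return "403 forged request rejected"
    return "200 sent mail to %s" % form["to"]

if __name__ == "__main__":
    sid = start_session("jan")
    # What the guestbook's ajax call delivers: cookie present, no token (slide 30's data)
    print(handle_send(sid, {"to": "anne", "subject": "NOT SPAM!", "body": "Need Viagra?"}))
    # What the service's own form delivers
    print(handle_send(sid, {"to": "anne", "csrf_token": SESSIONS[sid]["csrf"]}))
```

Modern browsers add a second layer with the `SameSite` cookie attribute, which stops the cookie from being attached to most cross-site requests in the first place; the token check remains the server-side control that does not depend on the client.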
![Page 32: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/32.jpg)
6. Security misconfiguration
![Page 33: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/33.jpg)
Every system needs periodic updates, to ensure the latest versions are installed.
• Check if your provider/hoster has a maintenance window to do updates.
![Page 34: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/34.jpg)
7. Insecure Cryptographic Storage
![Page 35: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/35.jpg)
Incorrectly secured data. For example: this should NEVER be in your database in plaintext:
Username   Email              Password
jantje     [email protected]    jantje1
pietje     [email protected]    welkom123
![Page 36: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/36.jpg)
8. Failure to restrict URL access
![Page 37: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/37.jpg)
Modify the URL of a website. This is very popular with journalists, because you can do it with any browser.
• http://catblog.com/admin.php
• http://test.com/employee/1234 => 1235?
• http://ibm.com/annualreport/2011 => 2012?
![Page 38: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/38.jpg)
9. Insufficient Transport Layer Protection
![Page 39: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/39.jpg)
With HTTPS the server and client negotiate about the level of security. Together they figure out what the highest level of encryption is that they can use for the connection.
• Viruses sometimes turn the encryption level of a browser down to the lowest possible setting.
• Badly configured servers agree with the low setting and set up a badly encrypted connection.
• Eavesdropping on the secure traffic between the server and the client is now possible.
![Page 40: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/40.jpg)
If other people cannot reach our website, but you can, there is a good possibility that our server won’t drop to their suggested encryption level. Browsers give very bad error messages when this happens.
![Page 41: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/41.jpg)
10. Unvalidated Redirects and Forwards (rickroll)
![Page 42: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/42.jpg)
When you open a link to a secure section of a website, and you are not logged in, you are often redirected to the login page. After you log in you will be sent back to the original page you were trying to open.
http://catblog.com/login.php?return_url=/admin.php
![Page 43: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/43.jpg)
Sometimes it is possible to abuse this and send people a link which looks legit & contains a website they trust. However, after they log in, they are sent somewhere else.
http://catblog.com/login.php?return_url=http://www.youtube.com/watch?v=oHg5SJYRHA0
![Page 44: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/44.jpg)
Solutions?
![Page 45: Owasp for dummies handouts](https://reader034.fdocuments.in/reader034/viewer/2022042521/558bf575d8b42a63578b464e/html5/thumbnails/45.jpg)
• Using a framework like JBoss, Rails or Zend will fix 90% of the problems addressed in the OWASP top 10.
• To fix the other 10% you need to periodically have your application audited by an external party.
• Make sure you point out the responsibility of the end-user. Often the weakest link is an employee who is careless with printed files or leaves his computer logged in.