Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Transcript of Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013

The “Top 10” Web Application Security Risks
Murat Lostar

Why Web Application Security?
• Mid – late 90s
• Early 2000s
• Today
• Tomorrow – Cloud, M2M
• Always – People

OWASP Top 10
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Functional Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Known Vulnerable Components
10. Unvalidated Redirects and Forwards

1. Injection
• Application sends untrusted data to an interpreter
• Types: SQL, LDAP, XPath, NoSQL queries; OS commands; XML parsers; SMTP headers; program arguments, etc.

Injection Example
• If exists (Select * from users where id= '@Name' and pw= '@Pass';) then logon successful

Injection Example
• Username: admin
• Password: ' or 1=1 --
• If exists (Select * from users where id= 'admin' and pw= '' or 1=1 --';)
• Logon successful
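The bypass on these two slides carried through in Python against an in-memory SQLite table, as an added example that is not from the talk: the logon that concatenates the inputs into the SQL text accepts the payload, the one that binds them as parameters does not. The table contents and function names are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed sample table; real systems store password hashes, not
    # plaintext (see slide 6), but the injection point is the same either way.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    db.commit()
    return db

def logon_vulnerable(db, name, pw):
    # String concatenation, as the slide's pseudo-SQL implies: the input is
    # spliced into the SQL text, so quotes and '--' change the query's logic.
    sql = f"SELECT * FROM users WHERE id='{name}' AND pw='{pw}'"
    return db.execute(sql).fetchone() is not None

def logon_parameterized(db, name, pw):
    # Bound parameters keep the query structure fixed; the driver passes the
    # input purely as data, so "' or 1=1 --" is just a wrong password.
    sql = "SELECT * FROM users WHERE id=? AND pw=?"
    return db.execute(sql, (name, pw)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("vulnerable:", logon_vulnerable(db, "admin", payload))        # True
    print("parameterized:", logon_parameterized(db, "admin", payload))  # False
```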

Free Injection Scanner (example)
• http://www.mavitunasecurity.com/communityedition/

2. Broken Authentication and Session Management
Reinventing the wheel… not quite.

Example: Session Fixation

3. Cross-Site Scripting (XSS)
• Using the vulnerable web site to attack another user (victim)

Different XSS Types
• Persistent: Stored, Distributed
• Non-Persistent: Reflected, DOM-Based
• Combined

4. Insecure Direct Object References
• User logs into the application
• Can see own account information: http://example.com/app/accountInfo?acct=MyAcctNumber
• Is it possible to get other accounts' info? http://example.com/app/accountInfo?acct=NotMyAcctNumber
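The accountInfo?acct= endpoint from this slide modelled in Python, as an added example that is not from the talk: the first handler trusts the acct parameter, the second checks ownership against the session identity, and the third replaces real account numbers with per-user indirect references. The ACCOUNTS table and all function names are constructed for the example; handlers return (status, body) pairs in place of HTTP responses.

```python
# Constructed sample data: real account numbers and their owners.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250},
    "1002": {"owner": "bob", "balance": 9000},
}

def account_info_insecure(session_user, acct):
    # The slide's accountInfo?acct=... as written: the acct parameter from the
    # URL is used directly, so any logged-in user can read any account.
    record = ACCOUNTS.get(acct)
    return (200, record) if record else (404, None)

def account_info_checked(session_user, acct):
    # Authorization is decided server-side against the session identity.
    # Unknown and not-owned accounts get the same answer, so the endpoint does
    # not reveal which account numbers exist.
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        return (404, None)
    return (200, record)

def indirect_refs(session_user):
    # Indirect references: the client only ever sees per-user indexes
    # "1", "2", ...; the map back to real numbers stays on the server.
    mine = sorted(a for a, r in ACCOUNTS.items() if r["owner"] == session_user)
    return {str(i + 1): a for i, a in enumerate(mine)}

def account_info_indirect(session_user, ref):
    acct = indirect_refs(session_user).get(ref)
    return (200, ACCOUNTS[acct]) if acct else (404, None)
```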

5. Security Misconfiguration

Questions to ask
• Software out of date? (OS, web/app server, DBMS, applications, and all code libraries)
• Unnecessary features enabled or installed? (ports, services, pages, accounts, privileges, …)
• Default accounts and their passwords still the same?
• Default error messages?
• Insecure development framework settings?

6. Sensitive Data Exposure
• Data stored in clear text long term, including backups
• Data transmitted in clear text, internally or externally
• Old / weak cryptographic algorithms
• Weak crypto keys generated / no proper key management

Test yourself
• HTTPS/SSL: http://www.ssllabs.com/ssltest/
• EMAIL/TLS: http://www.checktls.com

7. Missing Functional Level Access Control
• Using the URL independent of the logon process, without authorization

8. Cross-Site Request Forgery (CSRF)
• Money transfer app for the bank:
  – GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
• Preparing a false URL:
  – http://bank.com/transfer.do?acct=MARIA&amount=100000
• Trick the user into sending this URL:
  – <a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>
  – <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
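A transfer.do handler that defeats the forged link and image on this slide, as an added example that is not from the talk: state changes are accepted only on POST, and only with a per-session synchronizer token that a page on another origin cannot read. The Session class, the form/handler functions and the balances dictionary are constructed for the example.

```python
import hmac
import secrets

class Session:
    # Server-side session for a logged-in user; the CSRF token is random per
    # session and never travels in a cookie or a URL.
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)

def render_transfer_form(session):
    # The bank's own page embeds the token in a hidden field. A page on another
    # origin cannot read it, so it cannot produce a request that carries it.
    return {"method": "POST", "action": "/transfer.do",
            "hidden": {"csrf_token": session.csrf_token}}

def transfer(session, method, params, balances):
    """Handle /transfer.do; returns an HTTP status code."""
    # 1. State changes only on POST: the slide's <a> and <img> tricks can only
    #    make the victim's browser send a GET.
    if method != "POST":
        return 405
    # 2. The submitted token must match the session's (constant-time compare).
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403
    # 3. Only now act on the request, debiting the session's user, never a
    #    user named in the parameters.
    acct, amount = params.get("acct", ""), int(params.get("amount", "0"))
    if amount <= 0 or balances.get(session.user, 0) < amount:
        return 400
    balances[session.user] -= amount
    balances[acct] = balances.get(acct, 0) + amount
    return 200
```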

CSRF Testing
www.owasp.org/index.php/CSRFTester

9. Using Known Vulnerable Components
• Using old, unpatched components within applications
• Most difficult to discover
• Requires a detailed inventory of components to mitigate

10. Unvalidated Redirects and Forwards
• http://www.example.com/redirect.jsp?url=evil.com
• http://www.example.com/boring.jsp?fwd=admin.jsp
• Check the spider (crawler) results for 300–307 (typically 302) responses
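Allow-list handling of the two URLs on this slide plus a check over crawler results for the last bullet, as an added example that is not from the talk: redirect targets are accepted only as site-relative paths or https URLs on listed hosts, forwards go through a fixed name-to-page map, and the audit helper flags 3xx responses whose Location leaves the site. ALLOWED_HOSTS, ALLOWED_FORWARDS and the function names are assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumed for this example: the hosts the site may send users to, and the
# named internal forwards the application is willing to perform.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
ALLOWED_FORWARDS = {"home": "/home.jsp", "help": "/help.jsp"}

def safe_redirect_target(url, fallback="/"):
    """Return url if it stays on an allowed host, otherwise fallback."""
    url = (url or "").strip()
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Site-relative path. "//evil.com" is scheme-relative and "/\evil.com"
        # is normalised by browsers to the same thing, so both are refused.
        if url.startswith("/") and not url.startswith(("//", "/\\")):
            return url
        return fallback
    # Absolute URL: require https and an allow-listed host. urlsplit's
    # hostname already handles "https://www.example.com@evil.com/" correctly.
    if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
        return url
    return fallback

def safe_forward(fwd_param, fallback="/"):
    # Forwards go through a fixed name-to-page map; "fwd=admin.jsp" names no
    # entry, so the user can never select an internal page directly.
    return ALLOWED_FORWARDS.get(fwd_param, fallback)

def offsite_redirects(crawl_log):
    # Audit helper for the last bullet: from (request_url, status, location)
    # tuples gathered by a spider, list 3xx responses that leave the site.
    return [(url, location) for url, status, location in crawl_log
            if 300 <= status <= 307 and safe_redirect_target(location, None) is None]
```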

How to prevent/solve these?
• 80% / 20% rule

Input validation
• White-listing (BEST)
• Black-listing
• Sanitizing
• Data type
• Data format
• Data length

Use strong authentication
• Something you know – passwords, PINs, etc.
• Something you have – mobile phones (SMS), bank cards, OTP, etc.
• Something you are – fingerprint, retina, voice, etc.

Last words
• Web application security requires
  – Secure software lifecycle
    • Risk management
    • Security KPIs
    • Code security review (automated & automatic)
  – Continuous monitoring and pen testing
  – Management commitment

Thank you.
• Murat Lostar
  – Linkedin.com/in/lostar
  – www.lostar.com
  – Refs: OWASP, CERT, WIKIPEDIA, ISACA