Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
Confoo Conference, March 10th, Montreal
http://www.owasp.org/
OWASP Top 10 - 2010 rc1
The Top 10 Most Critical Web Application Security Risks
Antonio Fontes, OWASP Geneva Chapter Leader
Agenda
• 10 ways to attack web applications
• The OWASP Top 10 rc1 Project
• Integrating the Top 10 in an existing SDLC/SALC
• Q&A
Antonio Fontes / Confoo Conference, Montreal / 2010
About the OWASP
• Open Web Application Security Project
• “Helping organizations secure their web applications.”
• Documentation and tools projects
• 130 local chapters worldwide
• http://www.owasp.org
About me…
• Antonio Fontes, from Geneva (Switzerland)
• >1999: Web developer
• >2005: Ethical hacker / Security analyst
• >2008: Security & Privacy manager (banking software ISV)
• >2008: OWASP Geneva Chapter Leader
• >2010: Information Security Consultant
• SANS/CWE Top 25 Most Dangerous Programming Errors contributor
And about you?
• Coders?
• Testers?
• Managers?
• Hardcore OWASP Top 10 users?
Just taking the temperature… (image © Randall Munroe, xkcd.com)
Part 1: Top 10 major web application attack techniques
Attacking the infrastructure / Attacking the application / Attacking the users / Other attacks
Attacking the infrastructure: hitting the weakest layer
Web application
Application Server
Web Server
Operating System
Network devices

Network devices: Are all unnecessary paths closed? Are all unnecessary ports closed? Is the admin interface reachable from the web? Can an administrative account be broken? Is the device up to date?
Operating System: Are all unnecessary services disabled? Are all unnecessary accounts disabled? Have all default passwords been changed? Is the system up to date?
Web Server: Are all unnecessary scripts removed? Are there any backup/test/unused resources? Is the web server up to date? Have all default passwords been changed?
Application Server: Are all demo apps removed? Is the web server up to date? Is the admin area protected from external access? Has directory indexing been disabled? Were all default passwords changed?
; ) (image © Darwin Bell @ flickr)
Risk A6: Security misconfiguration
• What is the risk?
  – If there is a weaker link than the web application itself, the attacker will switch to the flawed layer.
• What are the countermeasures?
  – Harden all layers
    • Reduce services and accounts to the minimum
    • No default passwords
    • Keep everything up to date
    • Apply security guidelines (OS security, Web server security, Application server security, etc.)
    • Keep default web application configuration safe
    • “Deploy securely on a secure architecture”
Attacking the application: injecting hostile code…
what if?
SELECT * FROM users usr WHERE usr.username = 'admin ';-- ' AND usr.password = 'bb21158c733229347bd4e681891e213d94c685be'
Any user input is a potential attack vector.
Risk A1: Injections
• RISK?
  – Any application entry point can be used as a vector to inject hostile content that will modify expected behaviors.
• GOOD TO KNOW
  – All non-binding query languages are exposed! (LDAP and XPath…)
• COUNTERMEASURES?
  – All input can be modified client-side. Be sure to validate:
    • Querystring parameters
    • Form fields (hidden fields also count)
    • File submissions: if you’re expecting a picture, then make sure it is a picture!
    • Cookies
    • HTTP headers: all fields, including referrer, are “user input”
COUNTERMEASURES? (cont’d)
• Never paste user input into query commands (SQL, XPath, LDAP, OS commands, etc.):
  • Use binding variables such as SQL parameters:
  • If no binding model, encode input before pasting:
    • Doubled quotes ('') for SQL Server
    • Escaped quotes (\') for MySQL (PHP addslashes is helpful!)
    • Etc.
COUNTERMEASURES? (cont’d)
• Choose the best validation strategy!
• Best: Whitelist
  – When all possible values are known (enums, if/else if statements, regular expressions, …)
• Graylist:
  – Enforce business rules:
    • Type: string, numeric, byte, …
    • Range: >0, <MaxInt, [a-z]{3,20}
• Weakest: Blacklist
  if(input.IndexOf("<script>")>=0)
    //reject
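Added example (not from the slides) showing the three countermeasures above side by side on a constructed in-memory SQLite "users" table: pasting input into the statement, binding variables, and whitelist validation with the slide's [a-z]{3,20} rule. The table contents and the stored password value are placeholders.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the deck's "users" table; the stored value is a placeholder.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (username TEXT, password TEXT)")
CONN.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-password')")

# Whitelist from the slide: 3 to 20 lowercase letters and nothing else.
# fullmatch (rather than match with $) also refuses a trailing newline.
USERNAME_RE = re.compile(r"[a-z]{3,20}")

def login_pasted(username, password_hash):
    """The vulnerable form: user input is pasted straight into the SQL text, so a
    username such as  admin'--  turns the password check into a comment."""
    sql = ("SELECT * FROM users usr WHERE usr.username = '" + username
           + "' AND usr.password = '" + password_hash + "'")
    return CONN.execute(sql).fetchone()

def login_bound(username, password_hash):
    """Binding variables: the values travel separately from the statement and can
    never change its structure, whatever characters they contain."""
    sql = "SELECT * FROM users usr WHERE usr.username = ? AND usr.password = ?"
    return CONN.execute(sql, (username, password_hash)).fetchone()

def login_validated(username, password_hash):
    """Whitelist validation in front of the bound query: reject unexpected input early."""
    if not USERNAME_RE.fullmatch(username):
        return None
    return login_bound(username, password_hash)
```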
Attacking the application: playing with obvious identifiers…
what if? 99999999
what if? 1234567
Risk A4: Insecure direct object references
• What is the risk?
  – All references can be modified client-side. An attacker might be able to access and/or modify confidential information.
• What are the countermeasures?
  – Never send internal references to the browser:
    • Use temporary or random number mapping (#0, #1, #2, #3, etc.)
  – OR combine referenced access with access control:
    • SELECT * FROM item WHERE id = $id AND owner = $uID
    • UPDATE item … WHERE id = $id AND owner = $uID
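Added example (not from the slides) of both countermeasures: the owner-scoped SELECT/UPDATE from the slide, and a per-session indirect reference map that hands the browser random tokens instead of internal ids. The "item" table, its rows and the ids 1234567 / 99999999 from the what-if slides are constructed sample data.

```python
import secrets
import sqlite3

# Constructed sample data: two items belonging to two different users.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, owner INTEGER, title TEXT)")
CONN.executemany("INSERT INTO item VALUES (?, ?, ?)",
                 [(1234567, 1, "alice's invoice"), (99999999, 2, "bob's invoice")])

def get_item_unchecked(item_id):
    """Direct reference, no ownership check: whoever supplies the id gets the row."""
    return CONN.execute("SELECT id, owner, title FROM item WHERE id = ?",
                        (item_id,)).fetchone()

def get_item_checked(item_id, user_id):
    """Reference combined with access control: the row must also belong to the caller."""
    return CONN.execute("SELECT id, owner, title FROM item WHERE id = ? AND owner = ?",
                        (item_id, user_id)).fetchone()

def update_item_checked(item_id, user_id, title):
    """Same rule for writes; rowcount 0 means nothing of this user's was touched."""
    cur = CONN.execute("UPDATE item SET title = ? WHERE id = ? AND owner = ?",
                       (title, item_id, user_id))
    return cur.rowcount

class ReferenceMap:
    """Per-session indirect references: the browser only ever sees random tokens
    (the slide's #0, #1, #2 mapping, with random tokens instead of counters)."""
    def __init__(self):
        self._to_internal = {}

    def expose(self, internal_id):
        token = secrets.token_urlsafe(8)
        self._to_internal[token] = internal_id
        return token

    def resolve(self, token):
        # An unknown token resolves to None; there is no id to increment or guess.
        return self._to_internal.get(token)
```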
Attacking the application: breaking session and authentication mechanisms…
Risk A3: Broken authentication or session management
• What is the risk?
  – HTTP is a stateless protocol. Each request must transmit ‘session’ information over the network.
  – Authentication mechanisms are highly targeted by attackers, at all levels: forms, traffic, stored data.
• What are the countermeasures?
  – Use a simple, centralized and standardized session mechanism
  – Enable cookie security attributes (secure flag, httponly flag, encryption and integrity control)
  – Validate session identifiers
    • Is the sessionID coming from the right place?
• Countermeasures? (cont’d)
  – Make sure ‘logoff’ actually invalidates the session.
  – Prevent bruteforcing attacks, but also prevent denial of service on legitimate accounts
  – Enforce secure password recovery
    • Authenticate before resetting
  – Review, review, review authentication (and logoff) code manually!
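Added example (not from the slides) of a small centralized session mechanism covering the points above: unpredictable identifiers, the Secure and HttpOnly cookie attributes, accepting the id only from the cookie jar, validating its shape before any lookup, and a logoff that invalidates server-side. The class and cookie name "sid" are constructed for illustration.

```python
import re
import secrets

class SessionStore:
    """Constructed centralized session store (illustration, not a library API)."""
    # secrets.token_urlsafe(32) always yields 43 URL-safe characters.
    ID_RE = re.compile(r"[A-Za-z0-9_-]{43}")

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)       # CSPRNG: not guessable, not sequential
        self._sessions[sid] = {"user": user}
        return sid

    @staticmethod
    def cookie_header(sid):
        # Secure: never sent over plain HTTP. HttpOnly: not readable from script.
        return "Set-Cookie: sid=%s; Secure; HttpOnly; Path=/" % sid

    @staticmethod
    def sid_from_request(cookies, query):
        # "Is the sessionID coming from the right place?" Only the cookie jar is
        # trusted; an id offered in the query string is deliberately ignored.
        del query
        return cookies.get("sid")

    def lookup(self, sid):
        # Malformed ids are rejected before touching the store; unknown ids give None.
        if not isinstance(sid, str) or not self.ID_RE.fullmatch(sid):
            return None
        return self._sessions.get(sid)

    def logoff(self, sid):
        # Logoff invalidates server-side, not merely by clearing the browser cookie.
        return self._sessions.pop(sid, None) is not None
```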
Attacking the application: finding hidden “secret” URLs…
Risk A7: Failure to restrict URL access
• What is the risk?
  – URLs that lead to confidential resources can be easily sent, stored (bookmarks), monitored (proxies, security devices) and sometimes guessed.
• What are the countermeasures?
  – Completely disallow access to sensitive file types
  – Validate ALL incoming requests
    • Authorize explicitly (web.xml, ASP.Net page lifecycle, etc.)
  – Don’t expose physical documents with permanent or guessable URLs
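Added example (not from the slides) of explicit, deny-by-default authorization: a route table that lists every servable URL with its allowed roles, a blanket refusal of sensitive file types, and path normalization so encoded or dot-dot variants cannot slip past the table. The routes, roles and suffix list are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed route table: every URL that may be served is declared here with the
# roles allowed to reach it. Anything not listed is denied, whatever the role.
ROUTES = {
    "/": {"anonymous", "user", "admin"},
    "/account": {"user", "admin"},
    "/admin/users": {"admin"},
}
# File types the slide says to disallow completely, regardless of path.
FORBIDDEN_SUFFIXES = (".bak", ".old", ".sql", ".config", ".log")

def normalize(path):
    """Decode and collapse the path so '/admin/../admin/users' or '%61dmin' cannot
    be mistaken for an unlisted (and therefore unprotected) URL."""
    collapsed = posixpath.normpath(unquote(path))
    if not collapsed.startswith("/"):
        collapsed = "/" + collapsed
    return collapsed

def authorize(path, role):
    """True only when the normalized path is listed and the role is allowed."""
    clean = normalize(path)
    if clean.lower().endswith(FORBIDDEN_SUFFIXES):
        return False
    allowed = ROUTES.get(clean)
    return allowed is not None and role in allowed
```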
Attacking the users: redirecting users elsewhere…
Risk A8: Non-validated redirects and forwards
• What is the risk?
  – An attacker may use your website’s reputation as a vector to redirect victims to a hostile website.
• What are the countermeasures?
  – Never allow absolute URL redirection.
  – If not possible:
    • Use a whitelist of valid hosts
    • Show a warning before redirecting the user
  – If using a “web portal”, make sure redirect pages do not include sensitive information in URLs (e.g. single-sign-on information)
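Added example (not from the slides) of the whitelist approach: relative paths are accepted, absolute URLs only for whitelisted hosts, and any whitelisted host other than our own is flagged so the caller can show the warning page first. It also refuses the host-qualified spellings (//host, /\host) and non-http schemes that a naive "starts with /" check lets through. The host names are constructed.

```python
from urllib.parse import urlsplit

# Constructed whitelist of hosts we are willing to redirect to, and our own host.
ALLOWED_HOSTS = {"www.example.com", "portal.example.com"}
OUR_HOST = "www.example.com"

def redirect_target(next_url, default="/"):
    """Return (location, external). external=True means: show a warning first.
    Anything unacceptable falls back to the default location."""
    if not next_url:
        return default, False
    # Browsers treat '//host', '/\host' and '\host' as host-qualified, so refuse
    # them before urlsplit gets a chance to call them a plain path.
    if next_url.startswith(("//", "/\\", "\\")):
        return default, False
    parts = urlsplit(next_url)
    if not parts.scheme and not parts.netloc:
        return next_url, False            # relative path: stays on our site
    if parts.scheme not in ("http", "https"):
        return default, False             # javascript:, data:, ...
    host = parts.hostname                 # lower-cased, userinfo and port stripped
    if host not in ALLOWED_HOSTS:
        return default, False             # also catches www.example.com.evil.test
    return next_url, host != OUR_HOST
```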
Attacking the users: running hostile client code in the website…
Risk A2: Cross-site scripting
• What is the risk?
  – An attacker might inject client-side hostile code in the web application, which will be returned to a victim.
What are the countermeasures?
• Sanitize output. Encode to destination format.
  – For HTML output, use HtmlEntities:
    • <div id="comment">Here is my <script>attack</script></div>
      → <div id="comment">Here is my &lt;script&gt;attack&lt;/script&gt;</div>
What are the countermeasures?
• Sanitize output, encode to destination format:
  – For XML output, use predefined entities:
    • <says>"here is my <script>"</says> → <says><![CDATA[here is my <script>]]></says>
    • <says>my input is <script></says> → <says>my input is &lt;script&gt;</says>
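Added example (not from the slides) of output encoding for the two destinations above, HTML entities and XML predefined entities, plus the CDATA variant with the one edge case it needs: user data containing "]]>" would otherwise close the section early, so it is split across two CDATA sections. The round-trip helper shows what an XML consumer actually receives.

```python
import html
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

def render_comment_html(user_text):
    """HTML body context: entity-encode so the browser displays the text, never runs it."""
    return '<div id="comment">Here is my %s</div>' % html.escape(user_text, quote=True)

def render_says_xml(user_text):
    """XML text context: the predefined entities &lt; &gt; &amp; keep the data as data."""
    return "<says>%s</says>" % xml_escape(user_text)

def render_says_cdata(user_text):
    """CDATA variant: safe only if the data cannot end the section itself, so an
    embedded ']]>' is split into ']]' + '>' across two CDATA sections."""
    body = user_text.replace("]]>", "]]]]><![CDATA[>")
    return "<says><![CDATA[%s]]></says>" % body

def parsed_text(xml_doc):
    """Round-trip: the element text an XML parser hands to the consuming code."""
    return ET.fromstring(xml_doc).text
```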
Attacking the users: replaying predictable requests…
Risk A5: Cross-site Request Forgery
• What is the risk?
  – An attacker might build her own website and trigger requests on the visitor’s browser. (yes, that’s exactly what it seems to be...)
What are the countermeasures?
• Implement unpredictable requests for all sensitive actions
  – Use temporary random hidden control fields:
    <input type=hidden name=check value=ab23b4a/>
  – Link forms to the user session:
    if(!(Request.Form["checker"]).Equals(SessionID))
      // return error
  – Use CAPTCHA
  – Use out-of-band verification:
    • SMS / Voice call / Cryptographic tokens, etc.
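Added example (not from the slides) that combines the first two countermeasures: the hidden "check" field carries an unpredictable value that is bound to the user's session. Instead of comparing the field to the session id itself, the token is an HMAC of the session id under a server key, so the session id never has to be written into the page. The server key is constructed here for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment key: in real code load it from configuration, never
# from source, and rotate it like any other secret.
SERVER_SECRET = secrets.token_bytes(32)

def csrf_token(session_id):
    """Session-bound, unpredictable control value: HMAC-SHA256(key, session id)."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()

def hidden_field(session_id):
    """The slide's hidden control field, filled with the session-bound token."""
    return '<input type="hidden" name="check" value="%s"/>' % csrf_token(session_id)

def verify_form(form, session_id):
    """Accept the sensitive action only if the submitted token is the one for *this*
    session. compare_digest keeps the comparison time independent of the input."""
    submitted = form.get("check", "")
    return hmac.compare_digest(submitted, csrf_token(session_id))
```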
Other attacks: breaking weak cryptography…
what if?
Encrypting with Base64
$cookie = base64($sessionId);
It’s not encryption, it’s encoding!
what if?
Encrypting user passwords with AES256
$password = encrypt($get_["password"], AES256, key);
reversible encryption!
what if?
Hashing user passwords with md5
$password = md5($get_[“password”]);
weak algorithm!
what if?
Hashing user passwords with SHA-256
$password = sha($get_["password"]);
Missing seed!
what if?
Building keys with Math.Random
Byte[] key = Math.RandBytes(128);
Weak random number generator!
what if?
Deriving a key from a human-entered secret
$key = md5($GET_["secret"]);
Weak key entropy!
what if?
Using ECB mode of operation
$bytes = encrypt($text, key);   // returns: {0xAF00CADACCE34A4D}
$bytes2 = encrypt($text, key);  // returns: {0xAF00CADACCE34A4D}
Weak mode of operation!
what if?
Using CBC mode of operation
$bytes = encrypt($text, key);   // returns: {0xAF00CADACCE34A4D}
$bytes2 = encrypt($text, key);  // returns: {0xAF00CADACCE34A4D}
Non-random initialization vectors!
what if?
Decrypting with an internal secret
String clearText = CryptUtils.Decrypt($bytes, Parameters.SecretKey);
Hard-coded secret!
what if?
blablabla
Another problem.
Risk A9: Insecure cryptographic storage
• What is the risk?
  – An attacker might not need as much time as you expected to decrypt your data.
  – If one of these words sounds foggy to you, there is a risk:
    • Asymmetric/symmetric encryption, offline encryption, online encryption, CBC, key entropy, initialization vector, ECB, message authentication code, PBKDF2 (RFC2898), constant time operation, Rijndael, AES, 3DES, DSA, RSA, ECC, SHA, keyring, DPAPI, …
What are the countermeasures?
• Don’t do cryptography by yourself
  – Use business-level APIs:
    • Use open-source reference implementations (OpenSSL, Truecrypt, etc.)
    • Use expert-community-driven libraries (OWASP ESAPI, …)
• Take classes…
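Added example (not from the slides) applying the "don't do it yourself" advice to the password and key-derivation what-ifs above with the standard library's PBKDF2 (RFC 2898): a random salt (the missing seed), a CSPRNG instead of Math.Random, stretching instead of md5() for keys from human secrets, and a constant-time comparison. The iteration count is a constructed value to tune for your own latency budget.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # constructed value; raise it as far as your login latency budget allows

def hash_password(password):
    """PBKDF2-HMAC-SHA256 with a fresh random salt per password: two users with the
    same password get different records, and precomputed tables do not apply."""
    salt = secrets.token_bytes(16)                    # CSPRNG, not a Math.Random-style PRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                                  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def derive_key(secret, salt, length=32):
    """Key from a human-entered secret: stretch it with PBKDF2 instead of md5()."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS,
                               dklen=length)
```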
Other attacks: observing the environment…
(image © daquellamanera @ flickr)
Risk A10: Insufficient transport layer protection
• What is the risk?
  – Traffic eavesdropping, due to insufficient transport layer protection.
• What are the countermeasures?
  – Require an SSL encrypted link.
  – Use appropriate certificates (signed and valid).
  – Prevent cookies from leaving the encrypted link (“secure” flag enabled).
WHAT IS THE RISK LEVEL? (LOW … HIGH)
Security Misconfiguration
Injection
Insecure Direct Object References
Broken Authentication and Session Management
Failure to Restrict URL Access
Unvalidated Redirects and Forwards
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Insecure Cryptographic Storage
Insufficient Transport Layer Protection
Part 2: Assessing the risks induced by these 10 attacks
Hopefully, someone did it…
rating the risks
Threat agent | Attack vector | Prevalence | Detectability | Technical impact | Business impact
?            | Easy          | Widespread | Easy          | Severe           | ?
             | Average       | Common     | Average       | Moderate         |
             | Difficult     | Uncommon   | Difficult     | Minor            |

XSS (example): Attack vector 2, Prevalence 1, Detectability 1, Technical impact 2
3 * 1.3 * 2 ? = 2,6x?
OWASP Top 10 – 2010 RC1: The top ten web application security risks
A1: Injection
A2: Cross Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Unvalidated Redirects and Forwards
A9: Insecure Cryptographic Storage
A10: Insufficient Transport Layer Protection
Risk Managers: exploitability, prevalence, detectability, impact (CIA, AAA)
Testers: search patterns, typical cases, myths
Developers: mitigation steps (agnostic), best practices
Teachers / Students: example scenarios
Advanced material: detailed attack scenarios, mitigation techniques (per technology), further references
Migration info: removed entries, new entries, gap analysis
Part 3: Integrating the Top 10 into an existing software development / acquisition lifecycle
The Top 10 in your SDLC/SALC
Phases: Analyze, Design, Implement, Verify, Deploy, Support
Software vendor: Secure design, Secure coding, Security testing
Software buyer: Contract conditions, Design review reports, Security test results, Penetration test, SLA support
Across all phases: PERSONNEL TRAINING, QUALITY ASSURANCE, Metrics analysis
Conclusion
Your web application will be hacked. ; )
But if you use the Top 10…
It won’t be the cheap way…
And it won’t be the embarrassing way…
You now know the 10 riskiest flaws in web applications.
But there’s still a lot to see…
WASC Threat Classification
CWE/SANS Top 25 Programming errors
Threat modeling
Open Software Assurance Maturity Model
OWASP Application Security Verification Standard (ASVS)
before becoming “secure”.
http://owasp.org/index.php/Top10 (final version: end of March 2010)
thank you :)
Copyright
• You are free:
  – To share (copy, distribute, transmit)
  – To remix
• But only if:
  – You attribute this work
  – You use it for non-commercial purposes
  – And you keep sharing your result the same way I did