Learning Center
Plans & pricing Sign in
Sign Out

OWASP Plan - Strawman.ppt


									                      Detecting Web Application
                      Vulnerabilities Using Open
                      Source Means

                                  Konstantinos Papapanagiotou
                                  Committee Member
                                  OWASP Greek Chapter
3rd Free / Libre / Open Source
Software (FLOSS) Conference
27/5/2008                  Copyright © The OWASP Foundation
                                Permission is granted to copy, distribute and/or modify this document
                                under the terms of the OWASP License.

                                The OWASP Foundation
What is OWASP?

The Open Web Application Security Project
Worldwide, free and open community
Mission: improve application software security
  Information and awareness
      Documentation
      Guidelines
      Forums, mailing lists, conferences, local chapters
  Practical aspects
      Open Source Tools
Non-profit, charitable organization
  Members: VISA, Deloitte, Unisys, Foundstone, …
                                                            OWASP   2
The Greek Chapter

Created in 2005 but active since early 2007
Mission: raise security awareness in Greece
  Translation of OWASP documentation
  Mailing list
  Monthly newsletter
  Participation in working groups and conferences
  Software tools: Web Vulnerability Scanner
~60 members
Soon:                   OWASP   3

Motivation: The need for web security
OWASP Top10: 10 most important vulnerabilities
Detection Tools
  OWASP Web Scarab
  WVS (Web Vulnerability Scanner)

                                         OWASP    4
Web Security

Rapid growth of the Internet in the last 2-3
  Increase of population and bandwidth
  Dynamic web sites
Hacker trends have changed
  Used to be: viruses, worms, defacements
  Now: phishing, zombie networks, web application
Weakest links
                                             OWASP   5
Web Application Vulnerabilities

Some vocabulary
Web Applications: new category of applications
  Widely available
  Can access local resources
New code – old code
                                        OWASP     6
Tackling the problem

Security is not a one-off project
Secure Development Lifecycle:
  1.   Getting informed, raise awareness
  2.   Secure design and implementation
  3.   Product Launch
  4.   Vulnerability detection
  5.   Patching
  6.   Monitoring
  7.   Keep the track
Not a end-user or developer only matter
                                           OWASP   7
Step 1: Awareness - The OWASP Top 10

Document that lists the 10 most important web
Aim: educate developers, designers, architects
 and organizations about the consequences of
 the most common web application security
  Brief description
  basic methods for protection
2007: second version
                                        OWASP     8
The Vulnerabilities

A1 - Cross Site Scripting (XSS)
  User supplied data are sent to web browser without
   validating or encoding that content.
  Result: can allow script execution that can lead to
   user sessions hijacking, web site defacement, etc.
A2 - Injection Flaws (e.g. SQL injection)
  User supplied data are sent to an interpreter as part
   of a command or query.
  Result: the interpreter is tricked into executing
   unintended commands or changing data.

                                                OWASP      9
The Vulnerabilities (2)

A3 - Malicious File Execution (e.g. remote file
 inclusion (RFI)
  Can allow attackers to include hostile code and data
  Result: up to total server compromise.
  Target: PHP, XML and any framework which accepts
   filenames or files from users.
A4 - Insecure Direct Object Reference
  Reference to an internal implementation object (file,
   directory, database record, key, etc) as a URL or form
   parameter is accidentally exposed by the developer.
  Result: Attackers can manipulate those references to
   access other objects without authorization.
                                               OWASP        10
The Vulnerabilities (3)

A5 - Cross Site Request Forgery (CSRF)
  Forces a logged-on victim's browser to send a pre-
   authenticated request to a vulnerable web
   application, which then forces the victim's browser to
   perform a hostile action to the benefit of the attacker.
A6 - Information Leakage and Improper Error
  Unintentional leak of information regarding
   configuration, internal workings, or privacy violation
  Result: Attackers use this weakness to steal sensitive
   data, or conduct more serious attacks.

                                                 OWASP        11
The Vulnerabilities (4)

A7 - Broken Authentication and Session
  Account credentials and session tokens are often not
   properly protected.
  Result: Attackers compromise passwords, keys, or
   authentication tokens to assume other users'
A8 - Insecure Cryptographic Storage
  Web applications rarely use cryptographic functions
   properly to protect data and credentials.
  Result: can lead to identity theft, credit card fraud,
                                                 OWASP      12
The Vulnerabilities (5)

A9 - Insecure Communications
  Applications frequently fail to encrypt network traffic
   when it is necessary to protect sensitive
A10 - Failure to Restrict URL Access
  Frequently, an application only protects sensitive
   functionality by preventing the display of links or
   URLs to unauthorized users.
  Result: Attackers can use this weakness to access
   and perform unauthorized operations by accessing
   those URLs directly.

                                                 OWASP       13
Step 2: Detection – OWASP WebScarab

Framework for analysing applications that
 communicate using HTTP and HTTPS.
Written in Java for portability
Operates as an intercepting proxy
  The operator can review and modify requests created
   by the browser before they are sent to the server
  He can also review and modify responses returned
   from the server before they are received by the
Several modes of operation and plugins

                                             OWASP       14
Step 2: Detection – OWASP WebScarab (2)

Target Groups:
  Developers can debug otherwise difficult problems
  Security specialists can identify vulnerabilities in the
   way that the application has been designed or
Under Development: OWASP Web Scarab Next
  Complete rewrite
  New user interface
                                                   OWASP      15
Step 2: Detection – WVS

Web Vulnerability Scanner
Started off as a university student project
Goal: test a web site or application (not the
 server in the back end)
Target group: security specialists, penetration
 testers, developers
Functional but still under development
Beta version at:

                                             OWASP      16
WVS – Design and Implementation

Three tier architecture:
  Vulnerability database
      SQLite
      Data retrieval API
      Update API
  Communication API
      Communication with server (GET, POST, etc)
  Presentation Level
      Plaintext output, graphical interface, html, etc

                                                          OWASP   17
WVS – Advantages

Less false negatives
  “Paranoid scanning”
      User-enabled
      Retrieves the site’s structure
      Makes all possible checks in the entire site
Less false positives
  Static sites: MD5 hash checking
  Future work: dynamic sites
  Use of open and portable technologies (SQLite,
   libcurl, etc)
  Future work: POSIX threads                 OWASP   18
WVS – Future Work

Eliminate false positives in dynamic sites
Enhance Portability
  POSIX threads
  Java implementation (?)
Sophisticated checks for XSS and SQL injection
Fuzzing algorithms
Other suggestions…

                                              OWASP   19

Web Application Security is a continuous process
  have the skills
  Are not always well informed
  Follow deadlines
  Worry about security after release
End users
  Low awareness
  Continuous effort to raise awareness   OWASP     20
                       OWASP   21

To top