BW8
Concurrent Session
11/13/2013 2:15 PM

"Oh, WASP!
Security Essentials for Web
Apps"
Presented by:
Benny Paul
Cognizant Technology Solutions

Brought to you by:

340 Corporate Way, Suite 300, Orange Park, FL 32073
888 268 8770 904 278 0524 sqeinfo@sqe.com www.sqe.com
Benny Paul
Cognizant Technology Solutions
Benny Paul brings more than fifteen years of IT experience to Cognizant
Testing Services where he is responsible for program management,
strategic planning, and delivery of QA Services. Benny is experienced in
building and managing large scale QA programs in multiple domains, with
resolute focus on improving QA maturity practices, enhancing quality
engineering and delivery, incorporating optimization techniques, and
implementing practical and effective process improvement methods.
Benny’s passion for business development, maintaining customer
relationships and people management through motivation and inspiration,
further contributes to his ability to manage large programs and deliver
business value to Cognizant’s global clients.
Oh, WASP! Security Essentials for Web Apps
Benny Paul
Cognizant Testing Services
Nov 11, 2013

1

| ©2013, Cognizant
Introduction
Purpose of Session
- Provide Overview of Web Application Security
- OWASP Top 10
What is Web Application Security?
- A brief discussion
- Attacker’s hotspots
Top Security Problems on the web today
- Recent Nightmares
- Some statistics
Understand OWASP 2013 Top 10 Vulnerabilities
- Define the vulnerabilities
- How do we protect against them?
www.owasp.org
Credits & References
- Documents copyrighted Open Web Application Security Project, and freely downloaded from www.owasp.org.
- OWASP Top Ten titled "The Ten Most Critical Web Application Security Vulnerabilities", 2013 update.
  https://www.owasp.org/index.php/Top_10_2013-Top_10
- The OWASP Tutorial Series by Jerry Hoff
  https://www.owasp.org/index.php/Main_Page
  https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
- Several Application Security Testing related sites and content on the web, like iTeach, etc.
What is Web Application Security?
- Not Network Security
- Starts in the initial planning stages
- Continues through coding, testing, and deployment
- Doesn't finish until the lifecycle is completely finished
Likelihood of a successful web application attack
- A web application is attacked at 1-in-3 days on average
- Easy to exploit without special tools or knowledge
- Little chance of being detected
Consequences:
- Unauthorized access to web and application servers
- Database corruption and disclosure of contents
- Breach in user authentication and access control
- Website defacement
[Chart: Percentage of Websites Vulnerability by Class]

Who are we up against?

Who                                  | What                                | Why
Organized Crime                      | Data & Identity Theft               | Cash
Espionage (Nation State & Corporate) | Data Theft & Intellectual Property  | Competitive Advantage
Hackers / Script Kiddies             | Defacement & Denial of Service      | Ego & Credibility building
Most sites are not secure…

An attacker can access unauthorized data and attack your users through your website!

Look at Web App through eyes of Attacker

Hot Spots for Attacker

Recent Security Flaws…
Real attack on the Australian Tax Office: the attacker changed the tax id in the URL and got info on 17,000 companies.
Bank Website Hacked! Aug 15, 2013
http://articles.timesofindia.indiatimes.com/2013-08-15/delhi/41412603_1_bank-accountsarun-kumar-machines
So, how can we fix this?

OWASP - What is that?
Open Web Application Security Project
www.owasp.org
- International not-for-profit charitable Open Source Org
- Top Ten
- Guides towards
  - Building Secure Web Apps
  - Application Testing
  - Code Reviews
- OWASP Resources and Community
  - Documentation & Wiki
  - Code Projects
  - Chapters
  - Conferences
- Participation in OWASP is free and open to all!
Most Critical Web App Security Risks

https://www.owasp.org/index.php/Top_10_2013-Top_10
OWASP Top 10 Risks: 1 - Injection

1 - Injection
Easy | Common | Critical
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
1 - Injection
[Diagram: browser → Web Server → DB]
Vulnerable code, the parameter is concatenated straight into the SQL text:

    String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

Normal request, id=209907, builds:

    SELECT * FROM accounts WHERE custID='209907'

→ Returns 1 row

Injected request, id=209907' or '1'='1, builds:

    SELECT * FROM accounts WHERE custID='209907' or '1'='1'

→ The quote closes the literal and the rest is parsed as SQL; the WHERE clause is now true for every row.
1 - Injection
How do I prevent 'Injection'?
- Use parameterized queries
- Stored procedures instead of dynamic SQL
- OWASP ESAPI
- Whitelist input validation
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
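The slide's concatenated query beside the two fixes it recommends (parameterized query, whitelist input validation), as an added example that is not part of the original deck. It uses Python's built-in sqlite3 with a constructed three-row accounts table; the customer ids and the digits-only rule are assumptions for the demo.

```python
import re
import sqlite3

# Constructed sample data for the demo; not the slide's real accounts table.
SAMPLE_ROWS = [
    (209907, "alice", 1500.00),
    (209908, "bob", 42.00),
    (209909, "carol", 9800.50),
]

# Whitelist: a customer id is 1 to 10 ASCII digits, nothing else (assumed rule).
CUST_ID_RE = re.compile(r"[0-9]{1,10}")


def make_db():
    """In-memory SQLite database standing in for the slide's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID INTEGER, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, cust_id):
    """Same construction as the slide's Java line: the parameter is glued
    into the SQL text, so quotes inside it change the query's structure."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, cust_id):
    """Parameterized query: the driver binds the value separately from the
    SQL text, so it is only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM accounts WHERE custID = ?", (cust_id,)
    ).fetchall()


def lookup_validated(conn, cust_id):
    """Whitelist input validation in front of the parameterized query:
    anything that is not a short run of digits is rejected before any SQL
    runs, which also gives the application a clean event to log."""
    if not CUST_ID_RE.fullmatch(cust_id):
        raise ValueError("custID must be 1-10 digits")
    return lookup_parameterized(conn, int(cust_id))


if __name__ == "__main__":
    db = make_db()
    normal = "209907"
    injected = "209907' or '1'='1"   # the value from the slide
    print("vulnerable, normal  :", len(lookup_vulnerable(db, normal)), "row(s)")
    print("vulnerable, injected:", len(lookup_vulnerable(db, injected)), "row(s)")
    print("bound, injected     :", len(lookup_parameterized(db, injected)), "row(s)")
    try:
        lookup_validated(db, injected)
    except ValueError as err:
        print("validated, injected : rejected ->", err)
```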
OWASP Top 10 Risks: 2 - Broken Authentication & Session Management
2 - Broken Authentication & Session Mgmt
- Authentication credentials aren't protected when stored using hashing or encryption
- Weak account management functions
- Session IDs are exposed in the URL
- Session IDs don't time out and don't rotate after login
2 - Broken Authentication & Session Mgmt
Scenario 1 – Session id in URL
http://myairline.com/sale/saleitems;jsessionid=47HDFKWkJDS8723HAUG12HG?dest=Sydney
- An authenticated user shares the airline offer (link)
- The link has his session id since the app supports URL rewriting
- When friends open the link, they have access to his session, credit card, etc.

Scenario 2 – Improper Application Timeouts
- User accesses the site on a public computer
- Closes the browser instead of logging out
- Attacker uses the same browser shortly afterwards; the browser is still authenticated

Scenario 3 – No restriction on Login attempts
- In 2009, an attacker gained admin access to a Twitter server due to no restriction on the number of login attempts
- Attacker targeted a support staff member's password using "brute force"
- Gained admin access to 33 accounts belonging to celebrities and politicians
2 - Broken Authentication & Session Mgmt
How do I prevent 'Authentication' and 'Session' related risks?
A single set of strong authentication and session management controls. Such controls should strive to:
- Meet all the authentication and session management requirements defined in OWASP's Application Security Verification Standard (ASVS) areas V2 (Authentication) and V3 (Session Management).
https://www.owasp.org/index.php/ASVS
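A minimal session store that closes the three scenarios above (id only in a cookie and rotated at login, idle timeout, lockout after repeated failures) with hashed credential storage, as an added example that is not from the deck or from ASVS. The timeout, lockout and PBKDF2 values are assumptions; the clock is injectable so the behaviour can be tested.

```python
import hashlib
import hmac
import secrets
import time

# Policy values are assumptions for this example, not figures from the slides.
IDLE_TIMEOUT = 15 * 60      # seconds of inactivity before a session dies (scenario 2)
MAX_FAILED_LOGINS = 5       # failures before an account is locked (scenario 3)
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000

# Dummy salt so an unknown username costs the same time as a real one.
_DUMMY_SALT = bytes(16)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: the stored form is never the plaintext."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class SessionStore:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so timeouts can be tested
        self.users = {}           # username -> (salt, digest)
        self.failures = {}        # username -> (count, locked_until)
        self.sessions = {}        # session id -> {"user": ..., "last_seen": ...}

    def add_user(self, username, password):
        self.users[username] = hash_password(password)

    def new_session(self, user=None):
        """Fresh, unguessable id; user is None for a pre-login session."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "last_seen": self.now()}
        return sid

    @staticmethod
    def cookie_header(sid):
        """The id travels only in a cookie, never rewritten into the URL
        (scenario 1), and is hidden from script and from plain HTTP."""
        return f"Set-Cookie: SESSIONID={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

    def login(self, pre_login_sid, username, password):
        count, locked_until = self.failures.get(username, (0, 0))
        if self.now() < locked_until:
            return None, "locked"
        salt, digest = self.users.get(username, (_DUMMY_SALT, None))
        candidate = hash_password(password, salt)[1]
        ok = digest is not None and hmac.compare_digest(digest, candidate)
        if not ok:
            count += 1
            if count >= MAX_FAILED_LOGINS:
                locked_until = self.now() + LOCKOUT_SECONDS
            self.failures[username] = (count, locked_until)
            return None, "bad credentials"
        self.failures.pop(username, None)
        # Rotate: retire the pre-login id so an id that leaked or was shared
        # before authentication is worthless afterwards.
        self.sessions.pop(pre_login_sid, None)
        return self.new_session(username), "ok"

    def current_user(self, sid):
        """Resolve a session id; idle sessions are destroyed on first touch."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.now() - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]
            return None
        s["last_seen"] = self.now()
        return s["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)
```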
OWASP Top 10 Risks: 3 - Cross Site Scripting (XSS)
3 - Cross Site Scripting (XSS)
XSS is targeted to attack other users' browsers.

3 - Cross Site Scripting (XSS)
Using JavaScript, an attacker can steal the session ID / cookie, rewrite web pages, etc.
3 - Cross Site Scripting (XSS)
How do I prevent 'XSS'?
- Data escaping techniques
- Contextual encoding
- Auto-sanitization libraries
- Content Security Policy (CSP)
- Whitelist input validation
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
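Contextual encoding and a CSP header in working form, as an added example that is not from the deck: one encoder per output context (HTML body, quoted attribute, JavaScript string literal), following the rules in the cheat sheet linked above. The page layout and the CSP policy are assumptions for the demo.

```python
import html


def _is_safe_ascii(ch):
    return ch.isascii() and ch.isalnum()


def encode_html_body(value):
    """Text between tags: entity-encode the HTML metacharacters."""
    return html.escape(value, quote=True)


def encode_html_attr(value):
    """Quoted attribute value: everything but [A-Za-z0-9] becomes &#xHH;,
    so a stray quote can never close the attribute and start a new one."""
    return "".join(ch if _is_safe_ascii(ch) else f"&#x{ord(ch):X};" for ch in value)


def encode_js_string(value):
    """Inside a quoted JavaScript string literal: \\xHH / \\uHHHH escapes,
    so '</script>' or a quote in the data cannot break out of the literal."""
    out = []
    for ch in value:
        if _is_safe_ascii(ch):
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)


# Assumed policy: only same-origin scripts, no inline script, no plugins.
# Even if an encoder is missed somewhere, injected inline script won't run.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")


def render_profile(display_name, tagline):
    """Build a page from untrusted values, choosing the encoder by where the
    value lands. Returns (headers, body)."""
    body = (
        "<h1>Hello, " + encode_html_body(display_name) + "</h1>\n"
        '<input name="tagline" value="' + encode_html_attr(tagline) + '">\n'
    )
    return [CSP_HEADER], body


def profile_script(display_name):
    """Content of a script the app serves itself (permitted by the CSP),
    with the untrusted value placed inside a quoted JS string literal."""
    return "var who = '" + encode_js_string(display_name) + "';"
```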
OWASP Top 10 Risks: 4 - Insecure Direct Object References
4 - Insecure Direct Object References
Unauthorized access to objects through parameter tampering.
[Diagram: six numbered steps of the request flow]
4 - Insecure Direct Object References
How do I prevent?
- Avoid exposing your private object references to users
- Validate any private object references
- Verify authorization to all referenced objects
- Use per-session indirect object references
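Per-session indirect references plus an authorization check on the resolved object, as an added example that is not from the deck. It follows the idea of ESAPI's access reference map but is a stand-alone sketch; the account store and ids are constructed sample data.

```python
import secrets

# Constructed sample store keyed by the real (direct) object reference.
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "balance": 120.00},
    "acct-1002": {"owner": "bob", "balance": 9500.00},
}


class AccessReferenceMap:
    """Per-session table of random indirect references, in the spirit of
    ESAPI's RandomAccessReferenceMap: the client only ever sees tokens that
    this session minted, so there is no sequential id to tamper with."""

    def __init__(self):
        self._direct_by_token = {}
        self._token_by_direct = {}

    def add(self, direct):
        token = self._token_by_direct.get(direct)
        if token is None:
            token = secrets.token_urlsafe(9)
            self._direct_by_token[token] = direct
            self._token_by_direct[direct] = token
        return token

    def resolve(self, token):
        try:
            return self._direct_by_token[token]
        except KeyError:
            # Not minted for this session: tampered with, or borrowed from
            # another user's session. Refuse; this is an event worth logging.
            raise PermissionError("invalid object reference") from None


class Session:
    def __init__(self, user):
        self.user = user
        self.refs = AccessReferenceMap()


def list_my_accounts(session):
    """Only the caller's own objects get tokens in this session."""
    return [session.refs.add(aid) for aid, acct in ACCOUNTS.items()
            if acct["owner"] == session.user]


def view_account(session, token):
    direct = session.refs.resolve(token)
    acct = ACCOUNTS[direct]
    # Defence in depth: verify authorization on the resolved object anyway.
    if acct["owner"] != session.user:
        raise PermissionError("not the owner")
    return acct
```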
OWASP Top 10 Risks: 5 - Security Misconfiguration
5 - Security Misconfiguration
- Web apps exposing server error messages on screen
- Default accounts
- Unprotected website directories!
5 - Security Misconfiguration
How do I prevent?
- Directory listing disabled on your server
- Disable stack traces being returned to users
- Identical configuration of Dev, QA & Prod, properly locked down with different passwords
- Periodic scans & audits to detect misconfigurations

From OWASP:
Development Guide: Chapter on Configuration
https://www.owasp.org/index.php/Configuration
Testing Guide: Configuration Management
https://www.owasp.org/index.php/Testing_for_configuration_management
OWASP Top 10 Risks: 6 - Sensitive Data Exposure
6 - Sensitive Data Exposure
Sensitive data not protected properly!

6 - Sensitive Data Exposure
Example 1: HTTPS only during login
https://OfficeEmail.com
[Diagram: HTTP → HTTPS (login only) → HTTP]

Example 2: Man-in-the-middle attack
6 - Sensitive Data Exposure
How do I prevent?
- Strict Transport Security in the HTTP header (the browser upgrades HTTP to HTTPS)
- Secured sites should switch entirely to HTTPS
- Encrypt all sensitive data
- Don't store sensitive data unnecessarily – discard it
- Disable autocomplete on forms
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
OWASP Top 10 Risks: 7 - Missing Function Level Access Control
7 - Missing Function Level Access Control
- UI shows navigation to unauthorized functions
- No server-side authentication check
Example:
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
Access to unauthorized functions
7 - Missing Function Level Access Control
How do I prevent?
- Don't rely on "presentation layer access control"; validate at the controller or business logic
- Define specific roles for access to every function
- Establish a solid process for 'Managing Entitlements'
OWASP offers:
ESAPI Access Control API
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html
OWASP Development Guide: Chapter on Authorization
https://www.owasp.org/index.php/Guide_to_Authorization
Testing Guide: Testing for Path Traversal
https://www.owasp.org/index.php/Testing_for_Path_Traversal
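A controller-level role check for the two URLs from the example slide, as an added example that is not from the deck or from ESAPI: the role required by each function is declared once, the server enforces it on every request, and the navigation menu is derived from the same declaration rather than being the control. The role names and response shapes are assumptions.

```python
import functools


class Forbidden(Exception):
    pass


def requires_role(*roles):
    """Declares the roles a function needs and enforces them server-side,
    at the controller, independent of what the UI chose to show."""
    allowed = set(roles)

    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(request):
            if not allowed & set(request.get("roles", ())):
                raise Forbidden(request["path"])
            return fn(request)
        wrapper.required_roles = allowed
        return wrapper
    return decorator


@requires_role("user", "admin")
def get_app_info(request):
    return {"app": "demo", "version": "1.0"}


@requires_role("admin")
def admin_get_app_info(request):
    return {"app": "demo", "version": "1.0", "db_dsn": "[redacted]"}


# Paths from the slide, mapped to handlers; anything not listed is a 404.
HANDLERS = {
    "/app/getappInfo": get_app_info,
    "/app/admin_getappInfo": admin_get_app_info,
}


def dispatch(request):
    """Returns (status, body). Guessing the admin URL changes nothing: the
    role check runs on every request that reaches the server."""
    handler = HANDLERS.get(request["path"])
    if handler is None:
        return 404, {}
    try:
        return 200, handler(request)
    except Forbidden:
        return 403, {"error": "forbidden"}


def navigation(roles):
    """Menu entries come from the same declarations the server enforces,
    so 'presentation layer access control' is a view of the rule, not the rule."""
    return [path for path, fn in HANDLERS.items() if fn.required_roles & set(roles)]
```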
OWASP Top 10 Risks: 8 - Cross Site Request Forgery (CSRF)
8 - Cross Site Request Forgery (CSRF)
Forged HTTP requests
Easy to detect via penetration testing
8 - Cross Site Request Forgery (CSRF)
Example:

1. Victim browses a page from Evil.org.
2. Evil.org crafted an HTML image element that references a script on the victim's bank's website (rather than an image file), for example:
3. If the victim's bank stores his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by the victim's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without the victim's approval.
8 - Cross Site Request Forgery (CSRF)
How do I prevent CSRF?
- Include an unpredictable unique token in each HTTP request
- Token in a hidden field rather than the URL
- Re-authentication via CAPTCHA

OWASP offers:
CSRF Guard to include such tokens in Java EE, .NET, or PHP apps
https://www.owasp.org/index.php/CSRFGuard
Other References:
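The per-session token in a hidden field, and the server check that makes the bank example above fail, as an added example that is not from the deck or from CSRFGuard. The session and balance stores are constructed; `extract_token` stands in for the browser echoing the hidden field back.

```python
import hmac
import secrets

# Constructed server-side state: session id -> {"user": ..., "csrf": token}
SESSIONS = {}
BALANCES = {"alice": 1000.0}


def start_session(user):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def withdrawal_form(sid):
    """The legitimate page embeds the per-session token in a hidden field;
    the form POSTs, so a plain <img> GET from another site cannot mimic it."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="post" action="/withdraw">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Withdraw</button></form>')


def extract_token(form_html):
    """Stand-in for the browser: what it sends back from the hidden field."""
    marker = 'name="csrf_token" value="'
    start = form_html.index(marker) + len(marker)
    return form_html[start:form_html.index('"', start)]


def handle_withdraw(cookies, form):
    """POST /withdraw. The cookie alone proves nothing about intent: a request
    forged from another site carries the cookie automatically but cannot carry
    the token, because that site never saw this user's page."""
    session = SESSIONS.get(cookies.get("SESSIONID", ""))
    if session is None:
        return 401, "not logged in"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(session["csrf"].encode(), supplied.encode()):
        return 403, "CSRF token missing or invalid"   # log this: likely forgery
    amount = float(form.get("amount", "0"))
    BALANCES[session["user"]] -= amount
    return 200, f"withdrew {amount:.2f}"
```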
OWASP Top 10 Risks: 9 - Using Unknown Vulnerable Components
9 - Using Unknown Vulnerable Components
Weak external components – vulnerable to injection, broken access control, XSS, etc.
9 - Using Unknown Vulnerable Components
Components built by other developers (Developer → Dependency):
- Web toolkits
- Widgets
- Runtime engines
- Web servers
- Framework libraries
- Etc.

Example:
The following two vulnerable components were downloaded 22m times in 2011! Every application using these is vulnerable to attack, as both components are directly accessible by application users:
- Apache CXF Authentication Bypass
- Spring Remote Code Execution
9 - Using Unknown Vulnerable Components
How do I prevent?
- Upgrade to newer versions
- Establish security policies governing component use, like requiring certain software development practices, passing security tests, and acceptable licenses

OWASP References:
https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
OWASP Top 10 Risks: 10 - Unvalidated Redirects & Forwards
10 - Unvalidated Redirects & Forwards
Easy to detect
10 - Unvalidated Redirects & Forwards
Example:
1. User receives a trusted email containing a legitimate link
2. Hovering on the link shows the legitimate website www.trustedsite.com
3. Clicking on the link redirects to www.evilsite.com
10 - Unvalidated Redirects & Forwards
How do I prevent?
- Simply avoid using redirects and forwards
- If used, don't involve user parameters
- Use OWASP ESAPI to override redirect destinations

OWASP References:
https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
OWASP - A great start for your web apps' security!
- Read the OWASP Top Ten paper!
- Get developers trained in web app security
- Try OWASP WebGoat to learn how flaws work
- Define security rules for your application
- Get expert code review and penetration test periodically
Most Critical Web App Security Risks
Free download available at OWASP.org
https://www.owasp.org/index.php/Top_10_2013-Top_10
Thank you for your time

Any Questions?

54

| ©2012, Cognizant

www.owasp.org

More Related Content

PPTX
Owasp
penetration Tester
 
PPTX
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
PDF
Owasp Top 10
Shivam Porwal
 
PPTX
Owasp top 10 security threats
Vishal Kumar
 
PDF
OWASP Top 10 - 2017
HackerOne
 
PDF
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
All Things Open
 
PDF
Penetration testing web application web application (in) security
Nahidul Kibria
 
PPTX
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
Owasp Top 10
Shivam Porwal
 
Owasp top 10 security threats
Vishal Kumar
 
OWASP Top 10 - 2017
HackerOne
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
All Things Open
 
Penetration testing web application web application (in) security
Nahidul Kibria
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 

What's hot (20)

PDF
Web Application Security 101
Cybersecurity Education and Research Centre
 
PPTX
Web Application Penetration Testing Introduction
gbud7
 
PDF
Owasp top 10
YasserElsnbary
 
PPTX
Web application penetration testing
Imaginea
 
PDF
Web Application Security and Awareness
Abdul Rahman Sherzad
 
PDF
OWASP TOP TEN 2017 RC1
Chema Alonso
 
PDF
Secure coding presentation Oct 3 2020
Moataz Kamel
 
PDF
OWASP TOP 10 & .NET
Daniel Krasnokucki
 
PPTX
OWASP Top 10 2017 - New Vulnerabilities
Dilum Bandara
 
PPTX
Owasp 2017 oveview
Shreyas N
 
PPTX
Secure Coding 2013
The eCore Group
 
PDF
Top 10 Web Application vulnerabilities
Terrance Medina
 
PPTX
The bare minimum that you should know about web application security testing ...
Ken DeSouza
 
PDF
The New OWASP Top Ten: Let's Cut to the Chase
Security Innovation
 
PPTX
Web application security
Kapil Sharma
 
PPTX
Owasp top 10 vulnerabilities
OWASP Delhi
 
PPT
Owasp Top 10
Shivam Porwal
 
PPT
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
PDF
Axoss Web Application Penetration Testing Services
Bulent Buyukkahraman
 
PDF
OWASP Top Ten in Practice
Security Innovation
 
Web Application Security 101
Cybersecurity Education and Research Centre
 
Web Application Penetration Testing Introduction
gbud7
 
Owasp top 10
YasserElsnbary
 
Web application penetration testing
Imaginea
 
Web Application Security and Awareness
Abdul Rahman Sherzad
 
OWASP TOP TEN 2017 RC1
Chema Alonso
 
Secure coding presentation Oct 3 2020
Moataz Kamel
 
OWASP TOP 10 & .NET
Daniel Krasnokucki
 
OWASP Top 10 2017 - New Vulnerabilities
Dilum Bandara
 
Owasp 2017 oveview
Shreyas N
 
Secure Coding 2013
The eCore Group
 
Top 10 Web Application vulnerabilities
Terrance Medina
 
The bare minimum that you should know about web application security testing ...
Ken DeSouza
 
The New OWASP Top Ten: Let's Cut to the Chase
Security Innovation
 
Web application security
Kapil Sharma
 
Owasp top 10 vulnerabilities
OWASP Delhi
 
Owasp Top 10
Shivam Porwal
 
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
Axoss Web Application Penetration Testing Services
Bulent Buyukkahraman
 
OWASP Top Ten in Practice
Security Innovation
 
Ad

Viewers also liked (18)

PDF
Web Application Remediation - OWASP San Antonio March 2007
Denim Group
 
PDF
Defending Against Application DoS attacks
Roberto Suggi Liverani
 
PPTX
Application Hackers Have A Handbook. Why Shouldn't You?
London School of Cyber Security
 
PDF
Hacking your Droid (Aditya Gupta)
ClubHack
 
PPTX
Hacking for Fun and Profit
Apkudo
 
PDF
Ajax Security
Joe Walker
 
PDF
XSS Remediation
Denim Group
 
PDF
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
PPTX
Basic reverse engineering steps about .apk file
Carl Lu
 
PDF
Decompiling Android Workshop
Godfrey Nolan
 
PDF
Rolling Out An Enterprise Source Code Review Program
Denim Group
 
PDF
Mobile Application Security Code Reviews
Denim Group
 
PDF
Software development with qt
NokiaAppForumBulgaria
 
PDF
Scripting Your Qt Application
account inactive
 
PPTX
Reverse Engineering 101
ysurer
 
PDF
Developing Secure Mobile Applications
Denim Group
 
PDF
Threat Modeling to Reduce Software Security Risk
Security Innovation
 
PDF
Application Assessment Techniques
Denim Group
 
Web Application Remediation - OWASP San Antonio March 2007
Denim Group
 
Defending Against Application DoS attacks
Roberto Suggi Liverani
 
Application Hackers Have A Handbook. Why Shouldn't You?
London School of Cyber Security
 
Hacking your Droid (Aditya Gupta)
ClubHack
 
Hacking for Fun and Profit
Apkudo
 
Ajax Security
Joe Walker
 
XSS Remediation
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
Basic reverse engineering steps about .apk file
Carl Lu
 
Decompiling Android Workshop
Godfrey Nolan
 
Rolling Out An Enterprise Source Code Review Program
Denim Group
 
Mobile Application Security Code Reviews
Denim Group
 
Software development with qt
NokiaAppForumBulgaria
 
Scripting Your Qt Application
account inactive
 
Reverse Engineering 101
ysurer
 
Developing Secure Mobile Applications
Denim Group
 
Threat Modeling to Reduce Software Security Risk
Security Innovation
 
Application Assessment Techniques
Denim Group
 
Ad

Similar to Oh, WASP! Security Essentials for Web Apps (20)

PDF
Top 10 web application security risks akash mahajan
Akash Mahajan
 
PPTX
Owasp top 10_-_2010 presentation
Islam Azeddine Mennouchi
 
PPTX
Security risks awareness
Janagi Kannan
 
PPT
OWASP Top10 2010
Tommy Tracx Xaypanya
 
PDF
2013 OWASP Top 10
bilcorry
 
PPT
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
PPTX
Web_Appication_Security_Training_For_Developers.pptx
xobewe1102
 
PDF
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
 
PPTX
Owasp top-ten-mapping-2015-05-lwc
Katy Anton
 
PDF
Threat Modeling for Web Applications (and other duties as assigned)
Mike Tetreault
 
PPT
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
jangomanso
 
ODP
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
Tabăra de Testare
 
PPTX
OWASP -Top 5 Jagjit
Jagjit Singh Brar
 
PPTX
Web Application Security
sudip pudasaini
 
PDF
How to Harden the Security of Your .NET Website
DNN
 
PDF
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
PPTX
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
PPTX
RSA Europe 2013 OWASP Training
Jim Manico
 
PDF
Threat Modeling and OWASP Top 10 (2017 rc1)
Mike Tetreault
 
PPTX
Web Security Overview
Noah Jaehnert
 
Top 10 web application security risks akash mahajan
Akash Mahajan
 
Owasp top 10_-_2010 presentation
Islam Azeddine Mennouchi
 
Security risks awareness
Janagi Kannan
 
OWASP Top10 2010
Tommy Tracx Xaypanya
 
2013 OWASP Top 10
bilcorry
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
Web_Appication_Security_Training_For_Developers.pptx
xobewe1102
 
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
 
Owasp top-ten-mapping-2015-05-lwc
Katy Anton
 
Threat Modeling for Web Applications (and other duties as assigned)
Mike Tetreault
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
jangomanso
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
Tabăra de Testare
 
OWASP -Top 5 Jagjit
Jagjit Singh Brar
 
Web Application Security
sudip pudasaini
 
How to Harden the Security of Your .NET Website
DNN
 
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
RSA Europe 2013 OWASP Training
Jim Manico
 
Threat Modeling and OWASP Top 10 (2017 rc1)
Mike Tetreault
 
Web Security Overview
Noah Jaehnert
 

More from TechWell (20)

PDF
Failing and Recovering
TechWell
 
PDF
Instill a DevOps Testing Culture in Your Team and Organization
TechWell
 
PDF
Test Design for Fully Automated Build Architecture
TechWell
 
PDF
System-Level Test Automation: Ensuring a Good Start
TechWell
 
PDF
Build Your Mobile App Quality and Test Strategy
TechWell
 
PDF
Testing Transformation: The Art and Science for Success
TechWell
 
PDF
Implement BDD with Cucumber and SpecFlow
TechWell
 
PDF
Develop WebDriver Automated Tests—and Keep Your Sanity
TechWell
 
PDF
Ma 15
TechWell
 
PDF
Eliminate Cloud Waste with a Holistic DevOps Strategy
TechWell
 
PDF
Transform Test Organizations for the New World of DevOps
TechWell
 
PDF
The Fourth Constraint in Project Delivery—Leadership
TechWell
 
PDF
Resolve the Contradiction of Specialists within Agile Teams
TechWell
 
PDF
Pin the Tail on the Metric: A Field-Tested Agile Game
TechWell
 
PDF
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
TechWell
 
PDF
A Business-First Approach to DevOps Implementation
TechWell
 
PDF
Databases in a Continuous Integration/Delivery Process
TechWell
 
PDF
Mobile Testing: What—and What Not—to Automate
TechWell
 
PDF
Cultural Intelligence: A Key Skill for Success
TechWell
 
PDF
Turn the Lights On: A Power Utility Company's Agile Transformation
TechWell
 
Failing and Recovering
TechWell
 
Instill a DevOps Testing Culture in Your Team and Organization
TechWell
 
Test Design for Fully Automated Build Architecture
TechWell
 
System-Level Test Automation: Ensuring a Good Start
TechWell
 
Build Your Mobile App Quality and Test Strategy
TechWell
 
Testing Transformation: The Art and Science for Success
TechWell
 
Implement BDD with Cucumber and SpecFlow
TechWell
 
Develop WebDriver Automated Tests—and Keep Your Sanity
TechWell
 
Ma 15
TechWell
 
Eliminate Cloud Waste with a Holistic DevOps Strategy
TechWell
 
Transform Test Organizations for the New World of DevOps
TechWell
 
The Fourth Constraint in Project Delivery—Leadership
TechWell
 
Resolve the Contradiction of Specialists within Agile Teams
TechWell
 
Pin the Tail on the Metric: A Field-Tested Agile Game
TechWell
 
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
TechWell
 
A Business-First Approach to DevOps Implementation
TechWell
 
Databases in a Continuous Integration/Delivery Process
TechWell
 
Mobile Testing: What—and What Not—to Automate
TechWell
 
Cultural Intelligence: A Key Skill for Success
TechWell
 
Turn the Lights On: A Power Utility Company's Agile Transformation
TechWell
 

Recently uploaded (20)

PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
PPTX
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
PDF
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PDF
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
PDF
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 
PPTX
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
PPTX
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
PDF
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
PDF
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
PDF
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PDF
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
PDF
Software Development Methodologies in 2025
KodekX
 
PDF
REPORT: Heating appliances market in Poland 2024
SPIUG
 
PPTX
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
PDF
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
PPTX
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
PDF
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
Software Development Methodologies in 2025
KodekX
 
REPORT: Heating appliances market in Poland 2024
SPIUG
 
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
Brief History of Internet - Early Days of Internet
sutharharshit158
 
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 

Oh, WASP! Security Essentials for Web Apps

  • 1. BW8 Concurrent Session 11/13/2013 2:15 PM "Oh, WASP! Security Essentials for Web Apps" Presented by: Benny Paul Cognizant Technology Solutions Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073 888 268 8770 904 278 0524 [email protected] www.sqe.com
  • 2. Benny Paul Cognizant Technology Solutions Benny Paul brings more than fifteen years of IT experience to Cognizant Testing Services where he is responsible for program management, strategic planning, and delivery of QA Services. Benny is experienced in building and managing large scale QA programs in multiple domains, with resolute focus on improving QA maturity practices, enhancing quality engineering and delivery, incorporating optimization techniques, and implementing practical and effective process improvement methods. Benny’s passion for business development, maintaining customer relationships and people management through motivation and inspiration, further contributes to his ability to manage large programs and deliver business value to Cognizant’s global clients.
  • 3. Oh, WASP! Security Essentials for Web Apps Benny Paul Cognizant Testing Services Nov 11, 2013 1 | ©2013, Cognizant
  • 4. Introduction Purpose of Session - Provide Overview of Web Application Security - OWASP Top 10 What is Web Application Security? - A brief discussion - Attacker’s hotspots Top Security Problems on the web today - Recent Nightmares - Some statistics Understand OWASP 2013 Top 10 Vulnerabilities - Define the vulnerabilities - How do we protect against them? 2 | ©2013, Cognizant www.owasp.org
  • 5. Credits & References !  Documents copyrighted Open Web Application Security Project, and freely downloaded from www.owasp.org. !  OWASP Top Ten titled "The Ten Most Critical Web Application Security Vulnerabilities" 2013 update. https://www.owasp.org/index.php/Top_10_2013-Top_10 !  The OWASP Tutorial Series by Jerry Hoff https://www.owasp.org/index.php/Main_Page https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series !  Several Application Security Testing related sites and content on the web like iTeach etc.. 3 | ©2013, Cognizant www.owasp.org
  • 6. What is Web Application Security? ! Not Network Security ! Starts in the initial planning stages ! Continues through coding, testing, and deployment ! Doesn’t finish until the lifecycle is completely finished Likelihood of a successful web application attack -A web application is attacked at 1-in-3 days on average - Easy to exploit without special tools or knowledge - Little chance of being detected Consequences: -Unauthorized Access to web and application servers -Database Corruption and Disclosure of contents -Breach in user authentication and access control - Website defacement 4 | ©2013, Cognizant www.owasp.org
  • 7. Percentage of Websites Vulnerability by Class Who are we up against? Who What Why Organized Crime Cash Espionage (Nation State & Corporate) Data Theft & Intellectual Property Competitive Advantage Hackers / Script Kiddies 5 Data & Identity Theft Defacement & Denial of Service Ego & Credibility building | ©2013, Cognizant www.owasp.org
  • 8. Most sites are not secure… An attacker can access unauthorized data and attack users through your website!
  • 9. Look at the Web App through the eyes of an Attacker
  • 10. Hot Spots for an Attacker
  • 11. Recent Security Flaws…
    - Real attack on the Australian Tax Office: the attacker changed the tax id in the URL and got info on 17,000 companies
    - Bank website hacked! (Aug 15, 2013) http://articles.timesofindia.indiatimes.com/2013-08-15/delhi/41412603_1_bank-accountsarun-kumar-machines
  • 12. So, how can we fix this?
  • 13. OWASP - What is that? Open Web Application Security Project, www.owasp.org
    - International not-for-profit charitable open source organization
    - Top Ten
    - Guides towards building secure web apps: application testing, code reviews
    - OWASP resources and community: documentation & wiki, code projects, chapters, conferences
    - Participation in OWASP is free and open to all!
  • 14. Most Critical Web App Security Risks https://www.owasp.org/index.php/Top_10_2013-Top_10
  • 15. OWASP Top 10 Risks: 1 - Injection
  • 17. 1 - Injection
    The query is built by concatenating a request parameter into the SQL text:
      String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
    With id=209907 the web server sends the DB a query that returns 1 row:
      String query = "SELECT * FROM accounts WHERE custID='" + 209907 + "'";
    With id=209907' or '1'='1 the same code sends a query whose WHERE clause is always true:
      SELECT * FROM accounts WHERE custID='209907' or '1'='1'
  • 18. 1 - Injection: How do I prevent 'Injection'?
    - Use parameterized queries
    - Stored procedures instead of dynamic SQL
    - OWASP ESAPI
    - Whitelist input validation
    https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
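As an added example (not from the slides, and in Python with sqlite3 rather than the slide's Java): the concatenated lookup next to its parameterized form, plus the whitelist check recommended above. The accounts table and its rows are constructed here.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the slide's 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("209907", 100), ("209908", 250), ("209909", 75)])
    return conn

def lookup_concat(conn, cust_id):
    """The slide's vulnerable pattern: the parameter is pasted into the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def lookup_param(conn, cust_id):
    """Parameterized query: the driver binds cust_id as a value, never as SQL,
    so the same hostile input simply matches no row."""
    return conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()

def lookup_validated(conn, cust_id):
    """Whitelist input validation on top: a customer id is digits only.
    Anything else is refused before the database is touched."""
    if not cust_id.isdigit():
        return None
    return lookup_param(conn, cust_id)

if __name__ == "__main__":
    db = make_db()
    hostile = "209907' or '1'='1"             # the injected value from the slide
    print(len(lookup_concat(db, "209907")))   # 1
    print(len(lookup_concat(db, hostile)))    # 3: every account, not just the caller's
    print(len(lookup_param(db, hostile)))     # 0
    print(lookup_validated(db, hostile))      # None
```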
  • 19. OWASP Top 10 Risks: 2 - Broken Authentication & Session Management
  • 20. 2 - Broken Authentication & Session Mgmt
    - Authentication credentials aren't protected when stored, using hashing or encryption
    - Weak account management functions
    - Session IDs are exposed in the URL
    - Session IDs don't time out, and don't rotate after login
  • 21. 2 - Broken Authentication & Session Mgmt
    Scenario 1 – Session id in URL
    http://myairline.com/sale/saleitems;jsessionid=47HDFKWkJDS8723HAUG12HG?dest=Sydney
    - An authenticated user shares the airline offer (link)
    - The link carries his session id, since the app supports URL rewriting
    - When friends open the link, they have access to his session, credit card, etc.
    Scenario 2 – Improper application timeouts
    - User accesses the site on a public computer
    - Closes the browser instead of logging out
    - Attacker uses the same browser shortly after; the browser is still authenticated
    Scenario 3 – No restriction on login attempts
    - In 2009, an attacker gained admin access to a Twitter server due to no restriction on the number of login attempts
    - Attacker targets a support staff member's password using "brute force"
    - Gains admin access to 33 accounts belonging to celebrities and politicians
  • 22. 2 - Broken Authentication & Session Mgmt: How do I prevent 'Authentication' and 'Session' related risks?
    A single set of strong authentication and session management controls. Such controls should strive to:
    - Meet all the authentication and session management requirements defined in OWASP's Application Security Verification Standard (ASVS), areas V2 (Authentication) and V3 (Session Management).
    https://www.owasp.org/index.php/ASVS
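An added example (not from the slides) of server-side session handling that addresses the three scenarios above: ids rotate at login, idle sessions expire, and repeated failed logins lock the account. The timeout, attempt threshold, and credential store are assumed values constructed for the demo.

```python
import secrets

IDLE_TIMEOUT = 15 * 60   # seconds; assumed policy value
MAX_ATTEMPTS = 5         # assumed lockout threshold

class SessionStore:
    """Server-side sessions: random opaque ids (sent only in a cookie, never the URL),
    idle expiry, a fresh id at login, and a per-account failed-login counter."""
    def __init__(self, clock):
        self.clock = clock       # callable returning the current time in seconds
        self.sessions = {}       # sid -> {"user": name or None, "last_seen": timestamp}
        self.failures = {}       # username -> consecutive failed logins
    def create(self, user=None):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid
    def get(self, sid):
        """Scenario 2: a session idle longer than IDLE_TIMEOUT is dropped, not revived."""
        s = self.sessions.get(sid)
        if s is None or self.clock() - s["last_seen"] > IDLE_TIMEOUT:
            self.sessions.pop(sid, None)
            return None
        s["last_seen"] = self.clock()
        return s
    def login(self, sid, user, password, check_password):
        """Scenario 3: refuse after MAX_ATTEMPTS failures. Scenario 1: on success retire
        the pre-login id and mint a new one, so a leaked id never becomes an authenticated one."""
        if self.failures.get(user, 0) >= MAX_ATTEMPTS:
            return None, "locked"
        if not check_password(user, password):
            self.failures[user] = self.failures.get(user, 0) + 1
            return None, "bad credentials"
        self.failures.pop(user, None)
        self.sessions.pop(sid, None)
        return self.create(user), "ok"

def demo():
    """Walk the three slide scenarios with a fake clock and a constructed credential store."""
    now = [1000.0]
    store = SessionStore(clock=lambda: now[0])
    check = lambda u, p: {"alice": "correct horse"}.get(u) == p
    pre = store.create()
    post, _ = store.login(pre, "alice", "correct horse", check)
    rotated = post != pre and store.get(pre) is None and store.get(post)["user"] == "alice"
    now[0] += IDLE_TIMEOUT + 1
    expired = store.get(post) is None
    for _ in range(MAX_ATTEMPTS):
        store.login(store.create(), "alice", "wrong", check)
    locked = store.login(store.create(), "alice", "correct horse", check)[1] == "locked"
    return {"rotated": rotated, "expired": expired, "locked": locked}
```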
  • 23. OWASP Top 10 Risks: 3 - Cross Site Scripting (XSS)
  • 24. 3 - Cross Site Scripting (XSS): XSS is targeted at other users' browsers
  • 25. 3 - Cross Site Scripting (XSS): Using JavaScript, an attacker can steal the session ID / cookie, rewrite web pages, etc.
  • 26. 3 - Cross Site Scripting (XSS): How do I prevent 'XSS'?
    - Data escaping techniques
    - Contextual encoding
    - Auto-sanitization libraries
    - Content Security Policy (CSP)
    - Whitelist input validation
    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
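An added example (not from the slides) of contextual output encoding in Python: the raw concatenation beside encoders for the HTML and JavaScript-string contexts, with a CSP header as the defence-in-depth layer. The hostile input and the policy values are constructed for the demo.

```python
import html
import json

# Constructed hostile input, as it might arrive in a request parameter.
HOSTILE = '<img src=x onerror="alert(document.cookie)">'

def render_unsafe(name):
    """The flaw: untrusted data concatenated straight into markup."""
    return "<p>Welcome, " + name + "</p>"

def for_html(value):
    """HTML body and quoted-attribute contexts: escape & < > and both quote characters."""
    return html.escape(value, quote=True)

def for_js_string(value):
    """JavaScript string-literal context: JSON-encode (json.dumps already escapes quotes,
    backslashes and non-ASCII), then also escape < and > so the data cannot close the <script> block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def render_safe(name):
    """Encode for each context the value lands in: attribute, element body, JS literal."""
    return ('<p title="' + for_html(name) + '">Welcome, ' + for_html(name) + "</p>\n"
            "<script>var user = " + for_js_string(name) + ";</script>")

# Defence in depth: a Content Security Policy that forbids inline script, so a missed
# encoding is not exploitable. The policy is an assumed value; tune it per application.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")
```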
  • 27. OWASP Top 10 Risks: 4 - Insecure Direct Object References
  • 28. 4 - Insecure Direct Object References: Unauthorized access to objects through parameter tampering
  • 29. 4 - Insecure Direct Object References (diagram; numbered steps not recoverable from the transcript)
  • 30. 4 - Insecure Direct Object References: How do I prevent?
    - Avoid exposing your private object references to users
    - Validate any private object references
    - Verify authorization to all referenced objects
    - Use session-based indirect object references
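An added example (not from the slides) of the last two points in Python: a per-session indirect reference map replaces real ids with random handles, and the handler still verifies ownership after resolving a handle. The account table is constructed for the demo.

```python
import secrets

# Constructed data: account id -> owning user.
ACCOUNTS = {1001: "alice", 1002: "bob"}

class IndirectRefMap:
    """Per-session map between real ids and random handles (the slide's
    'session indirect object references'); a handle from another session resolves to nothing."""
    def __init__(self):
        self._to_direct = {}
        self._to_indirect = {}

    def indirect(self, direct_id):
        """Handle to embed in links and forms instead of the real id."""
        if direct_id not in self._to_indirect:
            handle = secrets.token_urlsafe(12)
            self._to_indirect[direct_id] = handle
            self._to_direct[handle] = direct_id
        return self._to_indirect[direct_id]

    def direct(self, handle):
        return self._to_direct.get(handle)

def get_account(user, refmap, handle):
    """Resolve the handle, then still verify the caller owns the object:
    indirection hides ids, authorization is what actually protects them."""
    account_id = refmap.direct(handle)
    if account_id is None or account_id not in ACCOUNTS:
        return 404
    if ACCOUNTS[account_id] != user:
        return 403
    return 200

def demo():
    """Alice's session: her own handle works, a guessed raw id does not, a handle
    minted for Bob's account fails ownership, and another session's handle is unknown."""
    refmap = IndirectRefMap()
    return (get_account("alice", refmap, refmap.indirect(1001)),
            get_account("alice", refmap, "1002"),
            get_account("alice", refmap, refmap.indirect(1002)),
            get_account("alice", refmap, IndirectRefMap().indirect(1001)))
```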
  • 31. OWASP Top 10 Risks: 5 - Security Misconfiguration
  • 32. 5 - Security Misconfiguration
    - Web apps exposing server error messages on screen
    - Default accounts
  • 33. 5 - Security Misconfiguration: Unprotected website directories!
  • 34. 5 - Security Misconfiguration: How do I prevent?
    - Directory listing disabled on your server
    - Disable stack traces from being returned to users
    - Identical configuration of Dev, QA & Prod, properly locked down, with different passwords
    - Periodic scans & audits to detect misconfigurations
    From OWASP:
    - Development Guide, chapter on Configuration: https://www.owasp.org/index.php/Configuration
    - Testing Guide, Configuration Management: https://www.owasp.org/index.php/Testing_for_configuration_management
  • 35. OWASP Top 10 Risks: 6 - Sensitive Data Exposure
  • 36. 6 - Sensitive Data Exposure: Sensitive data not protected properly!
  • 37. 6 - Sensitive Data Exposure
    Example 1: HTTPS only during login (https://OfficeEmail.com): the session goes HTTP -> HTTPS (login) -> HTTP, so everything before and after the login step travels unencrypted
    Example 2: Man-in-the-middle attack
  • 38. 6 - Sensitive Data Exposure: How do I prevent?
    - Strict Transport Security in the HTTP header (makes the browser use HTTPS instead of HTTP)
    - Secured sites should switch entirely to HTTPS
    - Encrypt all sensitive data
    - Don't store sensitive data unnecessarily: discard it
    - Disable autocomplete on forms
    https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
  • 39. OWASP Top 10 Risks: 7 - Missing Function Level Access Control
  • 40. 7 - Missing Function Level Access Control
    - UI shows navigation to unauthorized functions
    - No server-side authentication
    Example: access to unauthorized functions
    http://example.com/app/getappInfo
    http://example.com/app/admin_getappInfo
  • 41. 7 - Missing Function Level Access Control: How do I prevent?
    - Don't rely on "presentation layer access control" alone; validate at the controller or business logic
    - Define specific roles for access to every function
    - Establish a solid process for 'Managing Entitlements'
    OWASP offers:
    - ESAPI Access Control API: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html
    - OWASP Development Guide, chapter on Authorization: https://www.owasp.org/index.php/Guide_to_Authorization
    - Testing Guide, Testing for Path Traversal: https://www.owasp.org/index.php/Testing_for_Path_Traversal
  • 42. OWASP Top 10 Risks: 8 - Cross Site Request Forgery (CSRF)
  • 43. 8 - Cross Site Request Forgery (CSRF): Forged HTTP requests. Easy to detect via penetration testing.
  • 44. 8 - Cross Site Request Forgery (CSRF) Example:
    1. Victim browses a page from Evil.org.
    2. Evil.org crafted an HTML image element that references a script on the victim's bank's website (rather than an image file), for example:
    3. If the victim's bank stores his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by the victim's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without the victim's approval.
  • 45. 8 - Cross Site Request Forgery (CSRF): How do I prevent CSRF?
    - Include an unpredictable, unique token in each HTTP request
    - Token in a hidden field rather than the URL
    - Re-authentication via CAPTCHA
    OWASP offers: CSRF Guard, to include such tokens in Java EE, .NET, or PHP apps: https://www.owasp.org/index.php/CSRFGuard
    Other References:
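An added example (not from the slides, and not OWASP CSRF Guard) of the token defence in Python: a per-session token is placed in a hidden field, and the server rejects the forged image-style request from the example above both because it is a GET and because it carries no valid token. Session and form contents are constructed for the demo.

```python
import hmac
import secrets

class Session:
    """Authenticated session; the anti-CSRF token is minted once per session."""
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)

def withdraw_form(session):
    """The legitimate form carries the token in a hidden field, not in the URL."""
    return ('<form method="POST" action="/withdraw">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="amount"><input type="submit"></form>' % session.csrf_token)

def handle_withdraw(session, method, form):
    """Server-side check. A request triggered from another origin (the slide's image
    element) arrives as a GET without the token, so it fails on both counts."""
    if method != "POST":
        return 405, "state-changing action must be a POST"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):   # constant-time compare
        return 403, "missing or invalid CSRF token"
    return 200, "withdrew %s for %s" % (form["amount"], session.user)

def demo():
    """Status codes for: the real form, the image-style GET, a POST without a token,
    and a POST carrying a token that belongs to a different session."""
    s = Session("victim")
    legit = {"csrf_token": s.csrf_token, "amount": "100"}
    no_token = {"amount": "100"}
    other_token = {"csrf_token": Session("someone-else").csrf_token, "amount": "100"}
    return (handle_withdraw(s, "POST", legit)[0],
            handle_withdraw(s, "GET", no_token)[0],
            handle_withdraw(s, "POST", no_token)[0],
            handle_withdraw(s, "POST", other_token)[0])
```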
  • 46. OWASP Top 10 Risks: 9 - Using Unknown Vulnerable Components
  • 47. 9 - Using Unknown Vulnerable Components: Weak external components, vulnerable to injection, broken access control, XSS, etc.
  • 48. 9 - Using Unknown Vulnerable Components
    Components built by other developers (dependency developer):
    - Web toolkits
    - Widgets
    - Runtime engines
    - Web servers
    - Framework libraries
    - Etc.
    Example: the following two vulnerable components were downloaded 22m times in 2011! Every application using them is vulnerable to attack, as both components are directly accessible by application users:
    - Apache CXF Authentication Bypass
    - Spring Remote Code Execution
  • 49. 9 - Using Unknown Vulnerable Components: How do I prevent?
    - Upgrade to newer versions
    - Establish security policies governing component use, like requiring certain software development practices, passing security tests, and acceptable licenses
    OWASP References: https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
  • 50. OWASP Top 10 Risks: 10 - Unvalidated Redirects & Forwards
  • 51. 10 - Unvalidated Redirects & Forwards: Easy to detect
  • 52. 10 - Unvalidated Redirects & Forwards Example:
    1. User receives a trusted email containing a legitimate link
    2. Hovering over the link shows a legitimate website, www.trustedsite.com
    3. Clicking on the link redirects to www.evilsite.com
  • 53. 10 - Unvalidated Redirects & Forwards: How do I prevent?
    - Simply avoid using redirects and forwards
    - If used, don't involve user parameters
    - Use OWASP ESAPI to override redirect destinations
    OWASP References: https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
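An added example (not from the slides, and not ESAPI itself) of validating a redirect target in Python: only site-relative paths and allowlisted hosts pass, and a named-destination lookup shows the ESAPI-style approach of never taking a URL from the user at all. The site origin, allowlist and destination table are assumed values.

```python
from urllib.parse import urlsplit, urljoin

SITE = "https://www.trustedsite.com"                    # assumed: the application's own origin
ALLOWED_HOSTS = {"www.trustedsite.com"}                # assumed allowlist of redirect hosts
DESTINATIONS = {"home": "/", "account": "/account"}    # assumed named targets (ESAPI-style indirection)

def safe_redirect_target(raw):
    """Return an absolute URL the app may redirect to, or None to refuse.
    Accepts site-relative paths and absolute URLs to allowlisted hosts only."""
    if not raw or any(c in raw for c in "\\\r\n"):      # backslash and header-injection characters
        return None
    parts = urlsplit(raw)
    if parts.scheme == "" and parts.netloc == "":
        # A plain path. "//other.example" parses with a netloc, so it never reaches this branch.
        return urljoin(SITE, raw) if raw.startswith("/") else None
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return raw                                     # hostname is parsed, so "user@host" tricks fail
    return None

def redirect_by_name(key):
    """Safer still: the request names a destination and the server maps it to a URL."""
    path = DESTINATIONS.get(key)
    return urljoin(SITE, path) if path else None
```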
  • 54. OWASP - A great start for your web app security!
    - Read the OWASP Top Ten paper!
    - Get developers trained in web app security
    - Try OWASP WebGoat to learn how flaws work
    - Define security rules for your application
    - Get expert code review and penetration tests periodically
  • 55. Most Critical Web App Security Risks: free download available at OWASP.org, https://www.owasp.org/index.php/Top_10_2013-Top_10
  • 56. Thank you for your time. Any questions?