Owasp Top 10-2013

OWASP TOP 10 - 2013
Nitin Sharma

1. Injection
2. Broken authentication/session management
3. Cross-site scripting
4. Insecure Direct object refrences
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing function level access control
8. Cross site request forgery
9. Using components with more vulnerabilities
10. Unvalidated Redirects and Forwards
OWASP Top 10 Web Application
Security Vulnerabilities

 SQL injection is a software vulnerability that occurs
when data entered by users is sent to the SQL
interpreter as a part of an SQL query
 Attackers provide specially crafted input data to the
SQL interpreter and trick the interpreter to execute
unintended commands
 a SQL Injection attack exploits security vulnerabilities
at the database layer. By exploiting the SQL injection
flaw, attackers can create, read, modify, or delete
sensitive data
A1 Injection

Am I Vulnerable To Injection?
 The best way to find out if an application is vulnerable
to injection is to verify that all use of interpreters
clearly separates untrusted data from the command
or query. For SQL calls, this means using bind
variables in all prepared statements and stored
procedures, and avoiding dynamic queries.

 Preventing injection requires keeping untrusted data separate
from commands and queries.
 1.The preferred option is to use a safe API which avoids the use
of the interpreter entirely or provides a parameterized
interface. Be careful of APIs, such as stored procedures, that
are parameterized, but can still introduce injection under the
hood.
 2.If a parameterized API is not available, you should carefully
escape special characters using the specific escape syntax for
that interpreter. OWASP’s ESAPI provides many of these
escaping routines.
 3.Positive or “white list” input validation with appropriate
canonicalization is also recommended, but is not a complete
defense as many applications require special characters in
their input. OWASP’s ESAPI has an extensible library of white
list input validation routines.
How Do I Prevent Injection?

Example
String custname = request.getParameter("customerName"); // This should
REALLY be validated too
// perform input validation to detect attacks
String query = "SELECT account_balance FROM user_data WHERE
user_name = ? ";
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, custname);
ResultSet results = pstmt.executeQuery( );
Prepared Statement Example

 Weak authentication
 Password-only
 Easily guessable usernames (admin, etc.)
 Unencrypted secrets are sniffable
 How to break in
 Guess/reset password
 Have app email you new password
 Sniff or crack password
 Backend authentication
 How are database passwords stored?
 Trust relationships between hosts (IP address can be spoofed, etc.)
 Countermeasures
 Strong passwords
 Remove default user names
 Protect sensitive files
A2 Broken Authentication and
Session Management

 Attacker uses trusted
application/company to reflect
malicious code to end-user
 Attacker can “hide” the malicious
code
 Unicode encoding
 2 types of attacks
 Stored
 Reflected
 Countermeasures
 input validation
 Positive
 Negative: “< > ( ) # &”
 Don’t forget these: “&lt &gt &#40
&#41 &#35 &#38”
 User/customer education
A3 Cross-Site Scripting (XSS)

Types of XSS
Refleced/Non persistant XSS

 Preventing XSS requires keeping untrusted data separate
from active browser content.
 1.The preferred option is to properly escape all untrusted
data based on the HTML context (body, attribute,
JavaScript, CSS, or URL) that the data will be placed into
 2.Positive or “whitelist” input validation is also
recommended as it helps protect against XSS, but is not a
complete defense as many applications require special
characters in their input.
How Do I Prevent XSS?

 A direct object reference occurs when a developer
exposes a reference to an internal implementation
object, such as a file, directory, or database key.
Without an access control check or other protection,
attackers can manipulate these references to access
unauthorized data.
A4 Insecure Direct Object References

Am I Vulnerable
 The best way to find out if an application is vulnerable to
insecure direct object references is to verify that all object
references have appropriate defenses. To achieve this,
consider:
 Code review of the application can quickly verify whether
either approach is implemented safely. Testing is also
effective for identifying direct object references and
whether they are safe. Automated tools typically do not
look for such flaws because they cannot recognize what
requires protection or what is safe or unsafe.

 Preventing insecure direct object references requires
selecting an approach for protecting each user accessible
object (e.g., object number, filename):
 Check access. Each use of a direct object reference from an
untrusted source must include an access control check to
ensure the user is authorized for the requested object
How Do I Prevent This?

 Good security requires having a secure configuration
defined and deployed for the application,
frameworks, application server, web server, database
server, and platform. All these settings should be
defined, implemented, and maintained as many are
not shipped with secure defaults. This includes
keeping all software up to date.
A5 Security Misconfiguration

Am I Vulnerable to Attack
 1.Is everything unnecessary disabled, removed, or not
installed (e.g. ports, services, pages, accounts, privileges)?
 2.Are default account passwords changed or disabled?
 3.Is your error handling set up to prevent stack traces and
other overly informative error messages from leaking?
 4.Are the security settings in your development
frameworks (e.g., Struts, Spring, ASP.NET) and libraries
understood and configured properly? A concerted,
repeatable process is required to develop and maintain a
proper application security configuration.

 The primary recommendations are to establish all of the
following:
 1.A repeatable hardening process that makes it fast and easy
to deploy another environment that is properly locked down.
Development, QA, and production environments should all be
configured identically.
 2.A process for keeping abreast of and deploying all new
software updates and patches in a timely manner to each
deployed environment.

 Many web applications do not
properly protect sensitive data, such
as credit cards, tax ids, and
authentication credentials. Attackers
may steal or modify such weakly
protected data to conduct identity
theft, credit card fraud, or other
crimes. Sensitive data deserves extra
protection such as encryption at rest
or in transit, as well as special
precautions when exchanged with
the browser.
A6 Sensitive Data Exposure

Am I Vulnerable to Data Exposure
 The first thing you have to determine is which data is
sensitive enough to require extra protection. For example,
passwords, credit card numbers, health records, and
personal information should be protected. For all such data,
ensure:
 1.It is encrypted everywhere it is stored long term, including
backups of this data.
 2.It is encrypted in transit, ideally internally as well as
externally. All internet traffic should be encrypted.

 The full perils of unsafe cryptography, SSL usage, and data
protection are well beyond the scope of the Top 10. That
said, for all sensitive data, do all of the following, at a
minimum:
 1.Considering the threats you plan to protect this data
from (e.g., insider attack, external user), make sure you
encrypt all sensitive data at rest and in transit in a manner
that defends against these threats.
 2.Don’t store sensitive data unnecessarily. Discard it as
soon as possible. Data you don’t have can’t be stolen.
 3.Ensure strong standard algorithms and strong keys are
used, and proper key management is in place.

 Virtually all web applications verify function level access rights
before making that functionality visible in the UI. However,
applications need to perform the same access control checks
on the server when each function is accessed. If requests are
not verified, attackers will be able to forge requests in order to
access unauthorized functionality.
A7 Missing function level access
control

Am I Vulnerable to Function level Access
 The best way to find out if an application has failed to
properly restrict function level access is to verify every
application function:
 1.Does the UI show navigation to unauthorized functions?
 2.Are proper authentication and authorization checked?

 1.The enforcement mechanism(s) should deny all access by
default, requiring explicit grants to specific roles for access
to every function.
 2.If the function is involved in a workflow, check to make
sure the conditions are in the proper state to allow access.
How Do I Prevent Function level
Access?

 A CSRF attack forces a logged-on victim’s browser to send a
forged HTTP request, including the victim’s session cookie
and any other automatically included authentication
information, to a vulnerable web application. This allows the
attacker to force the victim’s browser to generate requests
the vulnerable application thinks are legitimate requests
from the victim.
A8 Cross site request forgery

Am I Vulnerable to CSRF
 See if each link and form includes an unpredictable token.
Without such a token, attackers can forge malicious
requests.
 Focus on the links and forms that invoke state-changing
functions, since those are the most important CSRF targets.
You should check multistep transactions, as they are not
inherently immune.

 Preventing CSRF usually requires the inclusion of an
unpredictable token in each HTTP request. Such tokens
should, at a minimum, be unique per user session.
 1.The preferred option is to include the unique token in a
hidden field. This causes the value to be sent in the body of
the HTTP request, avoiding its inclusion in the URL, which is
subject to exposure.
 2. OWASP’s ESAPI includes CSRF methods developers can
use to prevent such vulnerabilities.
 3.Requiring the user to reauthenticate, or prove they are a
user (e.g., via a CAPTCHA) can also protect against CSRF
How Do I Prevent CSRF?

 Vulnerable components, such as libraries,
frameworks, and other software modules almost
always run with full privilege. So, if exploited, they
can cause serious data loss or server takeover.
Applications using these vulnerable components may
undermine their defenses and enable a range of
possible attacks and impacts.
A9 Using Components with Known
Vulnerabilities

Am I Vulnerable ?
 Determining if you are vulnerable requires searching the
databases of your applications as well as keeping abreast of
project mailing lists and announcements for anything that
might be a vulnerability.

 Use components that you didn’t write. But realistically, the
best way to deal with this risk is to ensure that you keep
your components up-to-date.

 Web applications frequently redirect and forward
users to other pages and websites, and use untrusted
data to determine the destination pages. Without
proper validation, attackers can redirect victims to
phishing or malware sites, or use forwards to access
unauthorized pages.
A10 Unvalidated Redirects and
Forwards

Am I Vulnerable to Redirection
 The best way to find out if an application has any unvalidated
redirects or forwards is to:
 1.Review the code for all uses of redirect or forward (called a
transfer in .NET). For each use, identify if the target URL is
included in any parameter values. If so, verify the
parameter(s) are validated to contain only an allowed
destination, or element of a destination.
 2.Also, spider the site to see if it generates any redirects.

 Safe use of redirects and forwards can be done in a number
of ways:
 1.Simply avoid using redirects and forwards.
 2.If used, don’t involve user parameters in calculating the
destination. This can usually be done.
 3.If destination parameters can’t be avoided, ensure that the
supplied value is valid, and authorized for the user. It is
recommended that any such destination parameters be a
mapping value, rather than the actual URL or portion of the
URL, and that server side code translate this mapping to the
target URL.

Owasp Top 10-2013

More Related Content

What's hot

Similar to Owasp Top 10-2013

More from n|u - The Open Security Community

Recently uploaded

Owasp Top 10-2013