OWASP Top 10 Project - PowerPoint PPT Presentation
1
OWASP Top 10 Project
Presented by ISAM Staff Tyler Hargis [GSEC, GWAS, GCIH]
and Michael Morrison [GSEC, GWAS, CPTS, NSA IAM]
2
Overview
  • Disclaimer
  • Common Misconceptions
  • Open Web Application Security Project
  • OWASP Top Vulnerabilities
  • Conclusion
  • Q&A

3
Disclaimer
  • The information contained in this presentation is
    intended to be used to educate developers about
    security vulnerabilities commonly found in Web
    Applications.
  • This presentation is not intended as training
    material for those with malicious intent against
    information systems.
  • Exploitation of the vulnerabilities listed in
    this presentation on systems or applications not
    owned or developed by the viewer is illegal in
    jurisdictions worldwide.
  • It is a violation of the University of Missouri
    Acceptable Use policy to transmit these exploits
    across the MU network without explicit permission
    of the system or application owner they are
    directed at.
  • The presenters are trained professionals, don't
    try this at home

4
Common Misconceptions
  • Aren't I protected by firewalls or something?
  • I thought you just needed to keep things patched?
  • I'm not using Microsoft, so I must be secure.
  • Isn't keeping me secure your job?

5
Open Web Application Security Project
  • The Open Web Application Security Project (OWASP)
    is an open community dedicated to enabling
    organizations to develop, purchase, and maintain
    applications that can be trusted.
  • All of the OWASP tools, documents, forums, and
    chapters are free and open to anyone interested
    in improving application security.
  • http://www.owasp.org

6
OWASP TOP 10
  • 1 Cross Site Scripting (XSS) Flaws
  • XSS flaws occur whenever an application takes
    user supplied data and sends it to a web browser
    without first validating or encoding that
    content.
  • XSS allows attackers to execute script in the
    victim's browser which can hijack user sessions,
    deface web sites, possibly introduce worms, etc.

7
OWASP TOP 10
  • Cross Site Scripting (XSS) Recommendations
  • Input validation
  • Strong output encoding
  • Specify the output encoding
  • Do not use "blacklist" validation
  • Watch out for canonicalization errors

8
OWASP TOP 10
  • Cross Site Scripting (XSS) Recommendations
  • Java: Use Struts output mechanisms such as
    <bean:write>, or use the default JSTL
    escapeXML="true" attribute in <c:out>.
  • .NET: Use the Microsoft Anti-XSS Library 1.5,
    freely available from MSDN. Understand which .NET
    controls automatically encode output data.
  • PHP: Ensure output is passed through
    htmlentities() or htmlspecialchars(), or use the
    soon to be released OWASP PHP Anti-XSS library.
    Disable register_globals if it is not already
    disabled.
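The output-encoding recommendation above, as an added example in Python (not code from the slides or from OWASP): untrusted comment fields are encoded for the HTML body context before they reach the browser, beside the unencoded pattern the slide warns about; all function names and the sample comment are constructed for this demo.

```python
import html

# Added example (not from the slides): encode user-supplied data on output
# instead of trying to blacklist "bad" input. Every name here is hypothetical.

def render_comment(author: str, body: str) -> str:
    """Build an HTML fragment from user-supplied fields with output encoding.

    html.escape() with quote=True turns < > & " ' into entities, so whatever
    the user typed is displayed as text rather than parsed as markup or script.
    """
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return f'<div class="comment"><b>{safe_author}</b>: {safe_body}</div>'

def render_comment_unencoded(author: str, body: str) -> str:
    """The flaw the slide describes: user data copied straight into markup."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'

def content_type_header() -> str:
    """'Specify the output encoding': declare the charset explicitly so the
    browser does not guess a different one and reinterpret the bytes."""
    return "Content-Type: text/html; charset=utf-8"

# Constructed test input: markup a user might submit in a comment field.
CONSTRUCTED_BODY = 'Nice post <script>document.title="x"</script>'

if __name__ == "__main__":
    print(content_type_header())
    print(render_comment("alice", CONSTRUCTED_BODY))
```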

9
OWASP TOP 10
  • 2 Injection Flaws
  • Injection flaws, particularly SQL injection, are
    common in web applications. Injection occurs when
    user-supplied data is sent to an interpreter as
    part of a command or query. The attacker's
    hostile data tricks the interpreter into
    executing unintended commands or changing data.

10
OWASP TOP 10
  • Injection Flaw Recommendations
  • Input validation.
  • Use strongly typed parameterized query APIs
  • Enforce least privilege when connecting to
    databases
  • Avoid detailed error messages
  • Show care when using stored procedures
  • Do not use dynamic query interfaces
  • Do not use simple escaping functions - simple
    escaping functions cannot escape table names!
  • Watch out for canonicalization errors

11
OWASP TOP 10
  • Injection Flaw Recommendations
  • Java EE - use strongly typed PreparedStatement,
    or ORMs such as Hibernate or Spring
  • .NET - use strongly typed parameterized queries,
    such as SqlCommand with SqlParameter or an ORM
    like Hibernate.
  • PHP - use PDO with strongly typed parameterized
    queries (using bindParam())
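The injection recommendations above, as an added example in Python with sqlite3 (not code from the slides or from OWASP): the dynamic query beside its parameterized replacement, plus an allowlist for a table name, which, as the slide notes, escaping functions cannot protect; the table, rows and function names are constructed for this demo.

```python
import sqlite3

# Added example (not from the slides): dynamic query vs. bound parameters,
# and an allowlist for identifiers that cannot be bound. Names are hypothetical.

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn

def find_user_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """Flawed: user data is spliced into the SQL text, so the interpreter
    treats it as part of the command rather than as a value."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    """Fixed: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

ALLOWED_TABLES = {"users", "orders"}  # constructed allowlist of identifiers

def count_rows(conn: sqlite3.Connection, table: str) -> int:
    """Table names cannot be bound or escaped, so only an allowlist is safe."""
    if table not in ALLOWED_TABLES:
        raise ValueError("table not permitted")
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed test input
    print(find_user_dynamic(db, hostile))   # every row comes back
    print(find_user_param(db, hostile))     # no row has that literal name
```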

12
OWASP TOP 10
  • 3 Malicious File Execution
  • Code vulnerable to remote file inclusion (RFI)
    allows attackers to include hostile code and
    data, resulting in devastating attacks, such as
    total server compromise. Malicious file execution
    attacks affect PHP, XML and any framework which
    accepts filenames or files from users.

13
OWASP TOP 10
  • Malicious File Execution Recommendations
  • Use an indirect object reference map (hash the
    reference)
  • Use explicit taint checking mechanisms, if
    supported (see OWASP)
  • Strongly validate user input
  • Add firewall rules
  • Check any user supplied files or filenames
  • Consider implementing a chroot jail or
    virtualization (sandbox mechanisms)

14
OWASP TOP 10
  • Malicious File Execution Recommendations
  • PHP: Disable allow_url_fopen and
    allow_url_include in php.ini
  • PHP: Disable register_globals and use E_STRICT to
    find uninitialized variables
  • PHP: Ensure that all file and stream functions
    (stream_*) are carefully vetted.
  • PHP: Be extremely cautious if data is passed to
    system(), eval(), passthru() or ` (the backtick
    operator)
  • J2EE: ensure that the security manager is enabled
    and properly configured and that the application
    is demanding permissions appropriately
  • ASP.NET: please refer to the documentation on
    partial trust, and design your applications to be
    segmented in trust, so that most of the
    application exists in the lowest possible trust
    state

15
OWASP TOP 10
  • 4 Insecure Direct Object Reference
  • A direct object reference occurs when a developer
    exposes a reference to an internal implementation
    object, such as a file, directory, database
    record, or key, as a URL or form parameter.
    Attackers can manipulate those references to
    access other objects without authorization.

16
OWASP TOP 10
  • Insecure Direct Object Reference Recommendations
  • Avoid exposing your private object references to
    users whenever possible, such as primary keys or
    filenames
  • Validate any private object references
  • Verify authorization to all referenced objects
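The indirect object reference map recommended for malicious file execution (slide 13) and the validate-and-authorize advice for insecure direct object references above, as one added example in Python (not code from the slides or from OWASP): the client only ever sees a random per-session token, the real filename stays server-side, and every lookup re-checks ownership and confines the path to the storage root; the directory, file list and owner table are constructed for this demo.

```python
import os
import secrets

# Added example (not from the slides): indirect object reference map.
# BASE_DIR, OWNER_OF and the class name are hypothetical.

BASE_DIR = os.path.realpath("/srv/app/reports")  # constructed storage root

# Constructed ownership records: internal reference -> owning user.
OWNER_OF = {
    "/srv/app/reports/1001.pdf": "alice",
    "/srv/app/reports/1002.pdf": "bob",
}

class ReferenceMap:
    """Per-session map from opaque token to internal object reference."""

    def __init__(self, user: str):
        self.user = user
        self._tokens: dict[str, str] = {}

    def expose(self, real_ref: str) -> str:
        """Hand out a random token for a reference the user is allowed to see.
        The primary key / filename itself never appears in a URL or form."""
        if OWNER_OF.get(real_ref) != self.user:
            raise PermissionError("not the owner")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = real_ref
        return token

    def resolve(self, token: str) -> str:
        """Map a token back to the real reference, re-checking authorization
        and confining the resolved path to BASE_DIR so a manipulated or
        stale reference cannot reach another user's object or escape the root."""
        real_ref = self._tokens.get(token)
        if real_ref is None:
            raise PermissionError("unknown reference")
        if OWNER_OF.get(real_ref) != self.user:
            raise PermissionError("not the owner")
        resolved = os.path.realpath(real_ref)
        if os.path.commonpath([BASE_DIR, resolved]) != BASE_DIR:
            raise PermissionError("reference outside storage root")
        return resolved
```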

17
OWASP TOP 10
  • 5 Cross Site Request Forgery (CSRF)
  • A CSRF attack forces a logged-on victim's browser
    to send a pre-authenticated request to a
    vulnerable web application, which then forces the
    victim's browser to perform a hostile action to
    the benefit of the attacker. CSRF can be as
    powerful as the web application that it attacks.

18
OWASP TOP 10
  • Cross Site Request Forgery (CSRF) Recommendations
  • Ensure that there are no XSS vulnerabilities in
    your application
  • Insert custom random tokens into every form and
    URL (For ASP.NET, set a ViewStateUserKey.)
  • For sensitive data or value transactions,
    re-authenticate or use transaction signing
  • Do not use GET requests (URLs) for sensitive data
    or to perform value transactions.
  • POST alone is not sufficient protection.
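The random-token recommendation above, as an added example in Python (not code from the slides or from OWASP): a per-session token is embedded in every state-changing form and checked on submission, and value transactions are refused over GET; the session store, request shape and function names are constructed for this demo.

```python
import hmac
import secrets

# Added example (not from the slides): custom random CSRF token per session.
# new_session, form_html and handle_transfer are hypothetical names.

def new_session() -> dict:
    """Create a server-side session carrying an unguessable CSRF token."""
    return {"user": "alice", "csrf_token": secrets.token_hex(32)}

def form_html(session: dict, action: str) -> str:
    """Embed the session's token in the form as a hidden field, so only a
    page the browser actually loaded from this site can submit it."""
    return (f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="csrf_token" '
            f'value="{session["csrf_token"]}">'
            f'<button>Transfer</button></form>')

def handle_transfer(session: dict, method: str, params: dict) -> str:
    """Process a value transaction only on POST with a matching token.

    A forged cross-site request rides on the victim's cookies, but the
    attacker's page cannot read the token out of the victim's form, so it
    cannot supply a valid one. (An XSS flaw would let script read it, which
    is why the slide lists fixing XSS first.)
    """
    if method != "POST":
        return "405 method not allowed"   # never act on GET for value transactions
    submitted = params.get("csrf_token", "")
    expected = session["csrf_token"]
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "403 invalid csrf token"   # constant-time comparison
    return f"200 transferred {params.get('amount')} for {session['user']}"

if __name__ == "__main__":
    s = new_session()
    print(form_html(s, "/transfer"))
    print(handle_transfer(s, "POST", {"amount": "10"}))  # forged request, no token
```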

19
OWASP TOP 10
  • 6 Information Leakage and Improper Error
    Handling
  • Applications can unintentionally leak information
    about their configuration, internal workings, or
    violate privacy through a variety of application
    problems. Attackers use this weakness to steal
    sensitive data, or conduct more serious attacks.

20
OWASP TOP 10
  • 7 Broken Authentication and Session Management
  • Account credentials and session tokens are often
    not properly protected. Attackers compromise
    passwords, keys, or authentication tokens to
    assume other users' identities.

21
OWASP TOP 10
  • 8 Insecure Cryptographic Storage
  • Web applications rarely use cryptographic
    functions properly to protect data and
    credentials. Attackers use weakly protected data
    to conduct identity theft and other crimes, such
    as credit card fraud.

22
OWASP TOP 10
  • 9 Insecure Communications
  • Applications frequently fail to encrypt network
    traffic when it is necessary to protect sensitive
    communications.

23
OWASP TOP 10
  • 10 Failure to Restrict URL Access
  • Frequently, an application only protects
    sensitive functionality by preventing the display
    of links or URLs to unauthorized users. Attackers
    can use this weakness to access and perform
    unauthorized operations by accessing those URLs
    directly.

24
How Do I Protect My Applications?
  • Take advantage of free sites like OWASP for
    details on remediating the vulnerabilities
    demonstrated today.
    (http://www.owasp.org/index.php/Top_10_2007-Where_to_Go_From_Here)
  • Fortify Source Code Analyzer is available at a
    reduced cost from DoIT.
  • Security Training of any type (DoIT, SANS, etc.)

25
How Can DoIT Help?
  • Inspections by ISAM will reveal many common
    vulnerabilities in applications as well as
    systems.
  • Our Tipping Point IPS blocks many attacks, but is
    not a good substitute for solid programming.
  • MU Root SSL Certificates and Verisign
    Certificates are Available

26
Practice Sites
  • WebGoat
  • http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
  • Requires a Java Virtual Machine be available on
    the local machine, and runs from the local
    machine.
  • HACME Bank / HACME Books
  • http://www.foundstone.com
  • Note: you will have to install these on a system
    you can run an appropriate web server on.
  • Hack This Site!
  • http://www.hackthissite.org/
  • Bright Shadows Challenges
  • http://www.bright-shadows.net/

27
Practice Sites
  • The Web Hacking Incidents Database
    http://packetstormsecurity.org/papers/attack/Web-Hacking-Incidents-Database-Annual-Report-2007.pdf
  • UM System Database Hacked
    http://www.techshout.com/internet/2007/09/university-of-missouri-system-database-hacked-over-22000-social-security-numbers-stolen/
  • YGN Ethical Hacker Group (WebGoat Videos)
    http://yehg.net/lab/pr0js/training/webgoat.php