Transcript
Page 1: Owasp Top10 2010 rc1

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

Confoo Conference, March 10th, Montreal

http://www.owasp.org/

OWASP Top 10 - 2010 rc1

The Top 10 Most Critical Web Application Security Risks

Antonio Fontes
OWASP Geneva Chapter Leader

[email protected]

Page 2: Owasp Top10 2010 rc1

Agenda

• 10 ways to attack web applications
• The OWASP Top 10 rc1 Project
• Integrating the Top 10 in an existing SDLC/SALC
• Q&A

Antonio Fontes / Confoo Conference, Montreal / 2010

Page 3: Owasp Top10 2010 rc1

About the OWASP

• Open Web Application Security Project
• “Helping organizations secure their web applications.”
• Documentation and tools projects
• 130 local chapters worldwide
• http://www.owasp.org

Page 4: Owasp Top10 2010 rc1

About me…

• Antonio Fontes, from Geneva (Switzerland)
• >1999: Web developer
• >2005: Ethical hacker / Security analyst
• >2008: Security & Privacy manager (banking software ISV)
• >2008: OWASP Geneva Chapter Leader
• >2010: Information Security Consultant
• SANS/CWE Top 25 Most Dangerous Programming Errors contributor

Page 5: Owasp Top10 2010 rc1

And about you?

• Coders?
• Testers?
• Managers?
• Hardcore OWASP Top 10 users?

Page 6: Owasp Top10 2010 rc1

Just taking the temperature…

(cartoon: © Randall Munroe, xkcd.com)

Page 7: Owasp Top10 2010 rc1

Part 1: Top 10 major web application attack techniques

Page 8: Owasp Top10 2010 rc1

Attacking the infrastructure
Attacking the application
Attacking the users
Other attacks

Page 9: Owasp Top10 2010 rc1

Attacking the infrastructure: hitting the weakest layer

Page 10: Owasp Top10 2010 rc1

Web application
– ; )

Application Server
– Are all demo apps removed?
– Is the web server up to date?
– Is the admin area protected from external access?
– Has directory indexing been disabled?
– Were all default passwords changed?

Web Server
– Are all unnecessary scripts removed?
– Are there any backup/test/unused resources?
– Is the web server up to date?
– Have all default passwords been changed?

Operating System
– Are all unnecessary services disabled?
– Are all unnecessary accounts disabled?
– Have all default passwords been changed?
– Is the system up to date?

Network devices
– Are all unnecessary paths closed?
– Are all unnecessary ports closed?
– Is the admin interface reachable from the web?
– Can an administrative account be broken?
– Is the device up to date?

(photo: © Darwin Bell @ flickr)

Page 11: Owasp Top10 2010 rc1

Risk A6: Security misconfiguration

Page 12: Owasp Top10 2010 rc1

• What is the risk?
– If there is a weaker link than the web application itself, the attacker will switch to the flawed layer.

• What are the countermeasures?
– Harden all layers
  • Reduce services and accounts to the minimum
  • No default passwords
  • Keep everything up to date
  • Apply security guidelines (OS security, web server security, application server security, etc.)
  • Keep the default web application configuration safe
  • “Deploy securely on a secure architecture”

Page 13: Owasp Top10 2010 rc1

Attacking the infrastructure
Attacking the application
Attacking the users
Other attacks

Page 14: Owasp Top10 2010 rc1

Attacking the application: injecting hostile code…

Page 15: Owasp Top10 2010 rc1

what if?

Page 16: Owasp Top10 2010 rc1

SELECT * FROM users usr WHERE usr.username = 'admin';-- ' AND usr.password = 'bb21158c733229347bd4e681891e213d94c685be'

what if?

Page 17: Owasp Top10 2010 rc1

what if?

Page 18: Owasp Top10 2010 rc1

what if?

Page 19: Owasp Top10 2010 rc1

Any user input is a potential attack vector.

Page 20: Owasp Top10 2010 rc1

Risk A1: Injections

Page 21: Owasp Top10 2010 rc1

• RISK?
– Any application entry point can be used as a vector to inject hostile content that will modify expected behaviors.

• GOOD TO KNOW
– All non-binding query languages are exposed! (LDAP and XPath…)

Page 22: Owasp Top10 2010 rc1

• COUNTERMEASURES?
– All input can be modified client-side. Be sure to validate:
  • Querystring parameters
  • Form fields (hidden fields also count)
  • File submissions: if you’re expecting a picture, then make sure it is a picture!
  • Cookies
  • HTTP headers: all fields, including referrer, are “user input”

Page 23: Owasp Top10 2010 rc1

COUNTERMEASURES? (cont’d)
• Never paste user input into query commands (SQL, XPath, LDAP, OS commands, etc.):
  • Use binding variables such as SQL parameters:
  • If no binding model, encode input before pasting:
    • Doubled quotes ('') for SQL Server
    • Escaped quotes (\') for MySQL (PHP addslashes is helpful!)
    • Etc.

Page 24: Owasp Top10 2010 rc1

COUNTERMEASURES? (cont’d)
• Choose the best validation strategy!
• Best: Whitelist
  – When all possible values are known (enums, if/else if statements, regular expressions, …)
• Graylist:
  – Enforce business rules:
    • Type: string, numeric, byte, …
    • Range: >0, <MaxInt, [a-z]{3,20}
• Weakest: Blacklist

if (input.IndexOf("<script>") >= 0)
    // reject
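The two countermeasures from slides 23 and 24 (binding variables, whitelist validation), as an added example that is not part of the original slides: a constructed SQLite table with one admin row, the slide 16 query built by string pasting beside its bound form, and the slide's [a-z]{3,20} whitelist applied before anything reaches a query. Table, row and the `wrong-hash` input are constructed for the demo.

```python
import re
import sqlite3


def make_db():
    # Constructed sample table (not from the slides); the password column
    # holds the hash shown in the slide 16 query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', "
               "'bb21158c733229347bd4e681891e213d94c685be')")
    return db


def login_pasted(db, username, password_hash):
    # The slide's "what if?": input pasted into the command. A username of
    # admin';--  closes the literal and comments out the password check, so
    # the shape of the query itself changes and the admin row comes back.
    sql = ("SELECT * FROM users usr WHERE usr.username = '" + username
           + "' AND usr.password = '" + password_hash + "'")
    return db.execute(sql).fetchone()


def login_bound(db, username, password_hash):
    # Countermeasure: binding variables. The query shape is fixed by the
    # code; the driver passes the values separately, so the quote and the
    # -- stay plain data and no row matches.
    sql = ("SELECT * FROM users usr WHERE usr.username = ? "
           "AND usr.password = ?")
    return db.execute(sql, (username, password_hash)).fetchone()


# Whitelist (slide 24): the only accepted username shape is [a-z]{3,20}.
# Anything else is rejected before it reaches a query or an error message.
USERNAME_RE = re.compile(r"[a-z]{3,20}")


def username_is_valid(username):
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    hostile = "admin';--"
    print("pasted :", login_pasted(db, hostile, "wrong-hash"))  # admin row
    print("bound  :", login_bound(db, hostile, "wrong-hash"))   # None
    print("valid? :", username_is_valid(hostile), username_is_valid("admin"))
```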

Page 25: Owasp Top10 2010 rc1

Attacking the application: playing with obvious identifiers…

Page 26: Owasp Top10 2010 rc1

what if?

99999999

Page 27: Owasp Top10 2010 rc1

what if?

1234567

Page 28: Owasp Top10 2010 rc1

Risk A4: Insecure direct object references

Page 29: Owasp Top10 2010 rc1

• What is the risk?
– All references can be modified client-side. An attacker might be able to access and/or modify confidential information.

• What are the countermeasures?
– Never send internal references to the browser:
  • Use temporary or random number mapping (#0, #1, #2, #3, etc.)
– OR combine referenced access with access control:
  • SELECT * FROM item WHERE id = $id AND owner = $uID
  • UPDATE item … WHERE id = $id AND owner = $uID
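Both countermeasures from the slide, as an added example that is not part of the original slides: a per-session indirect reference map (the browser only sees opaque tokens) and owner-scoped SELECT/UPDATE queries in the slide's form. The item table, the two users and the item bodies are constructed; the item ids are the two values typed on slides 26 and 27.

```python
import secrets
import sqlite3


def make_item_db():
    # Constructed sample data (not from the slides); the ids are the values
    # typed into the browser on slides 26 and 27.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, owner INTEGER, body TEXT)")
    db.executemany("INSERT INTO item VALUES (?, ?, ?)",
                   [(1234567, 42, "invoice of user 42"),
                    (99999999, 7, "invoice of user 7")])
    return db


class ReferenceMap:
    """Option 1 from the slide: per-session indirect references. The browser
    only ever sees opaque tokens; the internal id never leaves the server."""

    def __init__(self):
        self._by_token = {}

    def expose(self, internal_id):
        token = secrets.token_urlsafe(8)      # unguessable, issued per session
        self._by_token[token] = internal_id
        return token

    def resolve(self, token):
        # None for anything this session did not issue, so a guessed or
        # borrowed token cannot reach someone else's object.
        return self._by_token.get(token)


def fetch_item_scoped(db, item_id, user_id):
    # Option 2 from the slide: the reference is combined with access control,
    # so a guessed id that belongs to another user simply returns no row.
    return db.execute("SELECT id, owner, body FROM item WHERE id = ? AND owner = ?",
                      (item_id, user_id)).fetchone()


def update_item_scoped(db, item_id, user_id, body):
    # rowcount 0 means: either the id does not exist or it is not yours.
    cur = db.execute("UPDATE item SET body = ? WHERE id = ? AND owner = ?",
                     (body, item_id, user_id))
    return cur.rowcount


if __name__ == "__main__":
    db = make_item_db()
    refs = ReferenceMap()
    token = refs.expose(1234567)
    print(refs.resolve(token), refs.resolve("99999999"))      # 1234567 None
    print(fetch_item_scoped(db, 99999999, 42))                # None: not user 42's
    print(update_item_scoped(db, 99999999, 42, "tampered"))   # 0 rows changed
```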

Page 30: Owasp Top10 2010 rc1

Attacking the application: breaking session and authentication mechanisms…

Page 31: Owasp Top10 2010 rc1

what if?

Page 32: Owasp Top10 2010 rc1

what if?

Page 33: Owasp Top10 2010 rc1

what if?

Page 34: Owasp Top10 2010 rc1

Risk A3: Broken authentication or session management

Page 35: Owasp Top10 2010 rc1

• What is the risk?
– HTTP is a stateless protocol. Each request must transmit ‘session’ information over the network.
– Authentication mechanisms are highly targeted by attackers, at all levels: forms, traffic, stored data.

• What are the countermeasures?
– Use a simple, centralized and standardized session mechanism
– Enable cookie security attributes (secure flag, httponly flag, encryption and integrity control)
– Validate session identifiers
  • Is the sessionID coming from the right place?

Page 36: Owasp Top10 2010 rc1

• Countermeasures? (cont’d)
– Make sure ‘logoff’ actually invalidates the session.
– Prevent bruteforcing attacks, but also prevent denial of service on legitimate accounts
– Enforce secure password recovery
  • Authenticate before resetting
– Review, review, review authentication (and logoff) code manually!
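The session countermeasures from slides 35 and 36, as an added example that is not part of the original slides: a centralized server-side session store, a Set-Cookie header with the secure and httponly attributes, a check that the session id comes from the cookie and not from the query string, an idle timeout, and a logoff that actually invalidates the entry. The cookie name SID and the 900-second timeout are assumed values.

```python
import http.cookies
import secrets
import time

SESSION_COOKIE = "SID"
IDLE_TIMEOUT = 900          # seconds; assumed policy, not from the slides


class SessionStore:
    """Centralized server-side sessions: the cookie carries only a random
    identifier, all state stays on the server, and logoff removes the entry."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now=None):
        sid = secrets.token_urlsafe(32)          # CSPRNG, 256 bits
        now = time.time() if now is None else now
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    @staticmethod
    def set_cookie_header(sid):
        # Cookie security attributes from the slide: Secure keeps the cookie
        # off plaintext links, HttpOnly keeps it away from page scripts.
        c = http.cookies.SimpleCookie()
        c[SESSION_COOKIE] = sid
        c[SESSION_COOKIE]["secure"] = True
        c[SESSION_COOKIE]["httponly"] = True
        c[SESSION_COOKIE]["path"] = "/"
        return c.output(header="").strip()

    def user_for(self, cookie_header, query_params, now=None):
        # "Is the sessionID coming from the right place?": only the cookie
        # counts; a session id offered in the query string is refused.
        now = time.time() if now is None else now
        if SESSION_COOKIE in query_params:
            return None
        c = http.cookies.SimpleCookie()
        c.load(cookie_header or "")
        morsel = c.get(SESSION_COOKIE)
        if morsel is None:
            return None
        sess = self._sessions.get(morsel.value)
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(morsel.value, None)   # expired: drop it
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logoff(self, sid):
        # The slide's check: logoff must actually invalidate the session.
        return self._sessions.pop(sid, None) is not None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")                    # constructed user
    print(SessionStore.set_cookie_header(sid))
    print(store.user_for("SID=" + sid, {}))        # alice
    print(store.user_for("", {"SID": sid}))        # None: wrong place
    print(store.logoff(sid), store.user_for("SID=" + sid, {}))   # True None
```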

Page 37: Owasp Top10 2010 rc1

Attacking the application: finding hidden “secret” URLs…

Page 38: Owasp Top10 2010 rc1

what if?

Page 39: Owasp Top10 2010 rc1

what if?

Page 40: Owasp Top10 2010 rc1

Risk A7: Failure to restrict URL access

Page 41: Owasp Top10 2010 rc1

• What is the risk?
– URLs that lead to confidential resources can be easily sent, stored (bookmarks), monitored (proxies, security devices) and sometimes guessed.

• What are the countermeasures?
– Completely disallow access to sensitive file types
– Validate ALL incoming requests
  • Authorize explicitly (web.xml, ASP.NET page lifecycle, etc.)
– Don’t expose physical documents with permanent or guessable URLs

Page 42: Owasp Top10 2010 rc1

Attacking the infrastructure
Attacking the application
Attacking the users
Other attacks

Page 43: Owasp Top10 2010 rc1

Attacking the users: redirecting users elsewhere…

Page 44: Owasp Top10 2010 rc1

what if?

Page 45: Owasp Top10 2010 rc1

Risk A8: Non-validated redirects and forwards

Page 46: Owasp Top10 2010 rc1

• What is the risk?
– An attacker may use your website’s reputation as a vector to redirect victims to a hostile website.

• What are the countermeasures?
– Never allow absolute URL redirection.
– If not possible:
  • Use a whitelist of valid hosts
  • Show a warning before redirecting the user
– If using a “web portal”, make sure redirect pages do not include sensitive information in URLs (aka single-sign-on information)
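The redirect countermeasures above, as an added example that is not part of the original slides: a validator that by default accepts only site-relative paths (the slide's first rule) and, when absolute redirects cannot be avoided, accepts them only for a whitelisted host, plus the check that decides whether a warning page is due. The whitelist hosts and the sample targets are constructed; the edge cases handled are protocol-relative, backslash and userinfo forms that a naive prefix check misses.

```python
from urllib.parse import urlsplit

# Assumed whitelist of hosts this site is willing to send users to.
ALLOWED_HOSTS = {"www.example.com", "portal.example.com"}


def safe_redirect_target(target, default="/", allow_absolute=False):
    """Return the location the application is willing to redirect to.

    Slide 46, first rule: with allow_absolute=False only site-relative paths
    are accepted and every absolute URL falls back to `default`.
    Second rule: with allow_absolute=True an absolute URL is accepted only
    when its host is on ALLOWED_HOSTS; the caller should still show a warning.
    """
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Path-only target. '//evil' is parsed as a netloc and never gets
        # here; '/\\evil' does, and some browsers treat it like '//evil'.
        if target.startswith("/") and "\\" not in target:
            return target
        return default
    if not allow_absolute:
        return default
    # hostname strips userinfo and port, so
    # 'https://www.example.com@evil.example/' resolves to evil.example.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return default


def needs_warning(target):
    # The slide's fallback: warn the user before leaving the site.
    return urlsplit(target).netloc != ""


if __name__ == "__main__":
    samples = ["/account", "//evil.example/", "/\\evil.example",
               "https://www.example.com/x",
               "https://www.example.com@evil.example/", "ftp://www.example.com/"]
    for t in samples:
        print(t, "->", safe_redirect_target(t, allow_absolute=True),
              "| warn:", needs_warning(t))
```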

Page 47: Owasp Top10 2010 rc1

Attacking the users: running hostile client-side code in the website…

Page 48: Owasp Top10 2010 rc1

what if?

Page 49: Owasp Top10 2010 rc1

what if?

Page 50: Owasp Top10 2010 rc1

Risk A2: Cross-site scripting

Page 51: Owasp Top10 2010 rc1

• What is the risk?
– An attacker might inject client-side hostile code in the web application, which will be returned to a victim.

Page 52: Owasp Top10 2010 rc1

What are the countermeasures?
• Sanitize output. Encode to destination format.
– For HTML output, use HtmlEntities:
  • <div id="comment">Here is my <script>attack</script></div>
    → <div id="comment">Here is my &lt;script&gt;attack&lt;/script&gt;</div>

Page 53: Owasp Top10 2010 rc1

What are the countermeasures?
• Sanitize output, encode to destination format:
– For XML output, use predefined entities:
  • <says>“here is my <script>”</says>
    → <says><![CDATA[here is my <script>]]></says>
  • <says>my input is <script></says>
    → <says>my input is &lt;script&gt;</says>
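The output-encoding rules of slides 52 and 53, as an added example that is not part of the original slides: HTML entity encoding for the comment div, the two XML options (predefined entities and a CDATA section), and the CDATA edge case the slide does not mention: input containing the terminator `]]>` would end the section early, so it is split into two sections, and an XML parser is used to confirm what it actually sees. All inputs are the slide's own strings plus one constructed tricky one.

```python
import html
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def html_comment_div(user_text):
    # Slide 52: encode to the destination format at output time. For an HTML
    # text node the characters & < > " ' become entities.
    return '<div id="comment">' + html.escape(user_text, quote=True) + "</div>"


def xml_says_entities(user_text):
    # Slide 53, second option: the predefined XML entities for & < >.
    return "<says>" + escape(user_text) + "</says>"


def xml_says_cdata(user_text):
    # Slide 53, first option: a CDATA section. Its only special token is the
    # terminator ']]>'; if the input contains it, the section would end early
    # and the remainder would be parsed as markup, so the text is split into
    # two sections at that point ("]]" stays in the first, ">" opens the next).
    body = user_text.replace("]]>", "]]]]><![CDATA[>")
    return "<says><![CDATA[" + body + "]]></says>"


def parsed(xml_document):
    # What an XML parser actually sees: the text of <says> and how many
    # child elements were created (0 means nothing became markup).
    elem = ET.fromstring(xml_document)
    return elem.text, len(elem)


if __name__ == "__main__":
    print(html_comment_div("Here is my <script>attack</script>"))
    print(xml_says_entities("my input is <script>"))
    print(xml_says_cdata("here is my <script>"))
    tricky = "ends early? ]]><b>no</b>"          # constructed edge case
    print(xml_says_cdata(tricky))
    print(parsed(xml_says_cdata(tricky)))        # text intact, 0 children
```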

Page 54: Owasp Top10 2010 rc1

Attacking the users: replaying predictable requests…

Page 55: Owasp Top10 2010 rc1

what if?

Page 56: Owasp Top10 2010 rc1

what if?

Page 57: Owasp Top10 2010 rc1

Risk A5: Cross-site Request Forgery

Page 58: Owasp Top10 2010 rc1

• What is the risk?
– An attacker might build her own website and trigger requests on the visitor’s browser. (yes, that’s exactly what it seems to be...)

Page 59: Owasp Top10 2010 rc1

What are the countermeasures?
• Implement unpredictable requests for all sensitive actions
– Use temporary random hidden control fields:

<input type="hidden" name="check" value="ab23b4a"/>

– Link forms to the user session:

if (!(Request.Form["check"]).Equals(SessionID))
    // return error

– Use CAPTCHA
– Use out-of-band verification:
  • SMS / Voice call / Cryptographic tokens, etc.
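The first two countermeasures above (random hidden control field, linked to the user session), as an added example that is not part of the original slides. One change from the slide's pseudo-code is made deliberately and labelled: the hidden field carries a separate random token stored in the session rather than the session id itself, so the session id never appears in HTML, and the comparison is constant-time. The Session class, the form dictionaries and the transfer action are constructed for the demo.

```python
import hmac
import html
import secrets


class Session:
    # Minimal server-side session (constructed for this example).
    def __init__(self):
        self.csrf_token = None


def issue_token(session):
    # One unpredictable value per session, stored server-side. Unlike the
    # slide's pseudo-code the session id itself is never put into the page:
    # the hidden field carries this separate random token instead.
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def hidden_field(session):
    # The slide's "temporary random hidden control field".
    return '<input type="hidden" name="check" value="%s"/>' % html.escape(
        issue_token(session), quote=True)


def request_is_genuine(session, form):
    # Link the form to the user session: the submitted value must equal the
    # token stored for this session. A site built by someone else cannot read
    # it, so a request it triggers arrives without it (or with a wrong one).
    submitted = form.get("check", "")
    expected = session.csrf_token
    if expected is None:
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())


def handle_transfer(session, form):
    # A sensitive action: refused, with no state change, unless the check
    # passes. Constructed action and messages.
    if not request_is_genuine(session, form):
        return "error: request could not be linked to this session"
    return "ok: transfer of %s accepted" % form.get("amount")


if __name__ == "__main__":
    s = Session()
    print(hidden_field(s))
    print(handle_transfer(s, {"check": issue_token(s), "amount": "10"}))
    print(handle_transfer(s, {"check": "ab23b4a", "amount": "10"}))  # forged
    print(handle_transfer(s, {"amount": "10"}))                      # no field
```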

Page 60: Owasp Top10 2010 rc1

Attacking the infrastructure
Attacking the application
Attacking the users
Other attacks

Page 61: Owasp Top10 2010 rc1

Other attacks: breaking weak cryptography…

Page 62: Owasp Top10 2010 rc1

what if?

Encrypting with Base64

$cookie = base64($sessionId);

It’s not encryption, it’s encoding!

Page 63: Owasp Top10 2010 rc1

what if?

Encrypting user passwords with AES256

$password = encrypt($_GET["password"], AES256, key);

reversible encryption!

Page 64: Owasp Top10 2010 rc1

what if?

Hashing user passwords with md5

$password = md5($_GET["password"]);

weak algorithm!

Page 65: Owasp Top10 2010 rc1

what if?

Hashing user passwords with SHA-256

$password = sha($_GET["password"]);

Missing seed!

Page 66: Owasp Top10 2010 rc1

what if?

Building keys with Math.Random

Byte[] key = Math.RandBytes(128);

Weak random number generator!

Page 67: Owasp Top10 2010 rc1

what if?

Deriving a key from a human-entered secret

$key = md5($_GET["secret"]);

Weak key entropy!

Page 68: Owasp Top10 2010 rc1

what if?

Using ECB mode of operation

$bytes = encrypt($text, key);    // returns: {0xAF00CADACCE34A4D}
$bytes2 = encrypt($text, key);   // returns: {0xAF00CADACCE34A4D}

Weak mode of operation!

Page 69: Owasp Top10 2010 rc1

what if?

Using CBC mode of operation

$bytes = encrypt($text, key);    // returns: {0xAF00CADACCE34A4D}
$bytes2 = encrypt($text, key);   // returns: {0xAF00CADACCE34A4D}

Non-random initialization vectors!

Page 70: Owasp Top10 2010 rc1

what if?

Decrypting with an internal secret

String clearText = CryptUtils.Decrypt($bytes, Parameters.SecretKey);

Hard-coded secret!

Page 71: Owasp Top10 2010 rc1

what if?

blablabla

Another problem.

Page 72: Owasp Top10 2010 rc1

Risk A9: Insecure cryptographic storage

Page 73: Owasp Top10 2010 rc1

• What is the risk?
– An attacker might not need as much time as you expected to decrypt your data.
– If one of these words sounds foggy to you, there is a risk:
  • Asymmetric/symmetric encryption, offline encryption, online encryption, CBC, key entropy, initialization vector, ECB, message authentication code, PBKDF2 (RFC 2898), constant-time operation, Rijndael, AES, 3DES, DSA, RSA, ECC, SHA, keyring, DPAPI, …

Page 74: Owasp Top10 2010 rc1

What are the countermeasures?
• Don’t do cryptography by yourself
– Use business-level APIs:
  • Use open-source reference implementations (OpenSSL, TrueCrypt, etc.)
  • Use expert-community-driven libraries (OWASP ESAPI, …)
• Take classes…
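The "what if?" snippets of slides 62, 64, 65 and 66 redone with library calls, as an added example that is not part of the original slides: base64 shown to be reversible without a key, the unsalted fast hash that gives two users the same record, then the corrected storage with a per-user random salt, PBKDF2 (RFC 2898, named on slide 73) and a constant-time comparison, and a key taken from the OS CSPRNG. The record format, the iteration count and the sample password and session id are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 200_000     # assumed work factor; raise it as hardware allows


def cookie_base64(session_id):
    # Slide 62: base64 is an encoding, so "encrypting" a cookie with it hides
    # nothing; reveal_base64 gets the session id back without any key.
    return base64.b64encode(session_id.encode()).decode()


def reveal_base64(cookie):
    return base64.b64decode(cookie).decode()


def md5_store(password):
    # Slide 64: fast, unsalted hash. Equal passwords give equal records and
    # one precomputed table applies to every user at once.
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None):
    # Slides 65 and 73: a random per-user salt (the missing "seed") plus
    # PBKDF2 (RFC 2898) with a work factor. The record carries its own
    # parameters so they can be raised later. Record format is this
    # example's own, not a library standard.
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def pbkdf2_verify(password, record):
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Slide 73's "constant time operation": compare without an early exit.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def new_key(length=32):
    # Slide 66: keys come from the OS CSPRNG, not a general-purpose PRNG.
    return secrets.token_bytes(length)


if __name__ == "__main__":
    print(reveal_base64(cookie_base64("session-4711")))     # constructed id
    print(md5_store("hunter2") == md5_store("hunter2"))      # True: same record
    rec_a, rec_b = pbkdf2_store("hunter2"), pbkdf2_store("hunter2")
    print(rec_a != rec_b, pbkdf2_verify("hunter2", rec_a))   # True True
    print(len(new_key()))
```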

Page 75: Owasp Top10 2010 rc1

Other attacks: observing the environment…

Page 76: Owasp Top10 2010 rc1

?

(photo: © daquellamanera @ flickr)

Page 77: Owasp Top10 2010 rc1

Risk A10: Insufficient transport layer protection

Page 78: Owasp Top10 2010 rc1

• What is the risk?
– Traffic eavesdropping, due to insufficient transport layer protection.

• What are the countermeasures?
– Require an SSL encrypted link.
– Use appropriate certificates (signed and valid).
– Prevent cookies from leaving the encrypted link (“secure” flag enabled).

Page 79: Owasp Top10 2010 rc1

WHAT IS THE RISK LEVEL? (chart: each risk placed on a LOW … HIGH scale)

Security Misconfiguration
Injection
Insecure Direct Object References
Broken Authentication and Session Management
Failure to Restrict URL Access
Unvalidated Redirects and Forwards
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Insecure Cryptographic Storage
Insufficient Transport Layer Protection

Page 80: Owasp Top10 2010 rc1

Part 2: Assessing the risks induced by these 10 attacks

Page 81: Owasp Top10 2010 rc1

Hopefully, someone did it…

Page 82: Owasp Top10 2010 rc1

rating the risks

Threat agent | Attack vector | Prevalence | Detectability | Technical impact | Business impact
?            | Easy          | Widespread | Easy          | Severe           | ?
?            | Average       | Common     | Average       | Moderate         | ?
?            | Difficult     | Uncommon   | Difficult     | Minor            | ?

XSS (example): 2 | 1 | 1 | 2

3 * 1.3 * 2 ? = 2,6x?

Page 83: Owasp Top10 2010 rc1

OWASP Top 10 – 2010 RC1: The top ten web application security risks

A1: Injection
A2: Cross Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Unvalidated Redirects and Forwards
A9: Insecure Cryptographic Storage
A10: Insufficient Transport Layer Protection

Page 84: Owasp Top10 2010 rc1

Risk Managers
- exploitability
- prevalence
- detectability
- impact (CIA, AAA)

Testers
- search patterns
- typical cases
- myths

Developers
- mitigation steps (agnostic)
- best practices

Teachers / Students
- example scenarios

Advanced material
- detailed attack scenarios
- mitigation techniques (per technology)
- further references

Page 85: Owasp Top10 2010 rc1

Migration info
- removed entries
- new entries
- gap analysis

Page 86: Owasp Top10 2010 rc1

Part 3: Integrating the Top 10 into an existing software development / acquisition lifecycle

Page 87: Owasp Top10 2010 rc1

The Top 10 in your SDLC/SALC

(diagram; the recoverable labels follow)
Phases: Analyze, Design, Implement, Verify, Deploy, Support
Rows: Software vendor, Software buyer
Activities and artifacts: Secure design, Secure coding, Security testing, Contract conditions, Design review reports, Security test results, Penetration test, SLA support
Cross-cutting: PERSONNEL TRAINING, QUALITY ASSURANCE, Metrics analysis

Page 88: Owasp Top10 2010 rc1

Conclusion

Your web application will be hacked. ; )

Page 89: Owasp Top10 2010 rc1

Conclusion

But if you use the Top 10…

Page 90: Owasp Top10 2010 rc1

Conclusion

It won’t be the cheap way…

Page 91: Owasp Top10 2010 rc1

Conclusion

And it won’t be the embarrassing way…

Page 92: Owasp Top10 2010 rc1

Conclusion

You now know the 10 riskiest flaws in web applications.

Page 93: Owasp Top10 2010 rc1

Conclusion

But there’s still a lot to see…

WASC Threat Classification
CWE/SANS Top 25 Programming Errors
Threat modeling
Open Software Assurance Maturity Model
OWASP Application Security Verification Standard (ASVS)

Page 94: Owasp Top10 2010 rc1

Conclusion

… before becoming “secure”.

Page 95: Owasp Top10 2010 rc1

http://owasp.org/index.php/Top10 (final version: end of March 2010)

thank you :)

Page 96: Owasp Top10 2010 rc1


Page 97: Owasp Top10 2010 rc1

Copyright

• You are free:
– To share (copy, distribute, transmit)
– To remix
• But only if:
– You attribute this work
– You use it for non-commercial purposes
– And you keep sharing your result the same way I did