OWASP Top 10 2010 rc1

Published on 27-Jan-2015


DESCRIPTION

By the end of March, the OWASP Foundation will release the 2010 version of its major documentation project, the "Top 10 security risks in web applications". Agenda: the 10 most common web application attacks; discovering the OWASP Top 10 document; integrating the Top 10 within an existing SDLC, as a software vendor or as a software buyer.

Transcript

1. OWASP Top 10 - 2010 rc1
The Top 10 Most Critical Web Application Security Risks
Antonio Fontes
OWASP Geneva Chapter Leader
antonio.fontes@owasp.org

2. Agenda
10 ways to attack web applications
The OWASP Top 10 rc1 Project
Integrating the Top 10 in an existing SDLC/SALC
Q&A
Antonio Fontes / Confoo Conference, Montreal / 2010
3. About the OWASP
Open Web Application Security Project
Helping organizations secure their web applications.
Documentation and tools projects
130 local chapters worldwide
http://www.owasp.org
4. About me
Antonio Fontes, from Geneva (Switzerland)
>1999: Web developer
>2005: Ethical hacker / Security analyst
>2008: Security & Privacy manager (banking software ISV)
>2008: OWASP Geneva Chapter Leader
>2010: Information Security Consultant
SANS/CWE Top 25 Most Dangerous Programming Errors contributor
5. And about you?
Coders?
Testers?
Managers?
Hardcore OWASP Top 10 users?
6. Just taking the temperature
Randall Munroe (xkcd.com)
7. Part 1:
Top 10 major web application attack techniques
8. Attacking the infrastructure
Attacking the application
Attacking the users
Other attacks
9. Attacking the infrastructure
hitting the weakest layer
10. ; )
Are all demo apps removed?
Is the web server up to date?
Is the admin area protected from external access?
Has directory indexing been disabled?
Were all default passwords changed?
Are all unnecessary scripts removed?
Are there any backup/test/unused resources?
Is the web server up to date?
Have all default passwords been changed?
Are all unnecessary services disabled?
Are all unnecessary accounts disabled?
Have all default passwords been changed?
Is the system up to date?
Are all unnecessary paths closed?
Are all unnecessary ports closed?
Is the admin interface reachable from the web?
Can an administrative account be broken?
Is the device up to date?
Darwin Bell @flickr
11. Risk A6:
Security misconfiguration
12. What is the risk?
If there is a weaker link than the web application itself, the attacker will switch to the flawed layer.
What are the countermeasures?
Harden all layers
Reduce services and accounts to the minimum
No default passwords
Keep everything up to date
Apply security guidelines (OS security, Web server security, Application server security, etc.)
Keep default web application configuration safe
Deploy securely on a secure architecture
13. Attacking the infrastructure
Attacking the application
Attacking the users
Other attacks
14. Attacking the application
injecting hostile code
15. what if?
16. what if?
SELECT * FROM users usr WHERE usr.username = 'admin';--' AND usr.password = 'bb21158c733229347bd4e681891e213d94c685be'
17. what if?
18. what if?
19. Any user input is a potential attack vector.
20. Risk A1:
Injections
21. RISK?
Any application entry point can be used as a vector to inject hostile content that will modify expected behaviors.
GOOD TO KNOW
All non-binding query languages are exposed! (LDAP and XPath included.)
22. COUNTERMEASURES?
All input can be modified client-side. Be sure to validate:
Query string parameters
Form fields (hidden fields also count)
File submissions: if you're expecting a picture, then make sure it is a picture!
Cookies
HTTP headers: all fields, including Referer, are user input
23. COUNTERMEASURES? (cont'd)
Never paste user input into query commands (SQL, XPath, LDAP, OS commands, etc.):
Use binding variables such as SQL parameters.
If no binding model is available, encode input before pasting:
Doubled quotes ('') for SQL Server
Escaped quotes (\') for MySQL (PHP addslashes is helpful!)
Etc.
24. COUNTERMEASURES? (cont'd)
Choose the best validation strategy!
Best: whitelist
When all possible values are known (enums, if/else if statements, regular expressions, ...)
Graylist:
Enforce business rules:
Type: string, numeric, byte, ...
Range: > 0, ...
Weakest: blacklist
if(input.IndexOf(
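Slides 16, 22, 23 and 24 together describe one procedure: validate every entry point, then bind values instead of pasting them into the command. The following Python/sqlite3 snippet is an added example (not code from the talk): it puts the pasted query of slide 16 next to its bound form and adds a whitelist and a graylist validator. The in-memory table, the account and the digest reused from slide 16 as an opaque string are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data: an in-memory user table with one account. The stored
# value is treated as an opaque string here; it reuses the digest shown on slide 16.
ADMIN_DIGEST = "bb21158c733229347bd4e681891e213d94c685be"


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", ADMIN_DIGEST))
    return db


def login_pasted(db, username, password):
    # Input pasted into the command text (what slide 23 says never to do):
    # a quote followed by a comment marker ends the WHERE clause early, so the
    # password comparison never runs.
    query = ("SELECT * FROM users usr WHERE usr.username = '" + username
             + "' AND usr.password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_bound(db, username, password):
    # Binding variables: the values travel separately from the SQL text, so the
    # same input is compared literally against the username column.
    query = "SELECT * FROM users usr WHERE usr.username = ? AND usr.password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


# Whitelist: every acceptable username shape is known; reject everything else.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def validate_username(value):
    return isinstance(value, str) and USERNAME_RE.match(value) is not None


def validate_quantity(value):
    # Graylist: enforce type and business range instead of listing bad values.
    try:
        n = int(value)
    except (TypeError, ValueError):
        return False
    return 0 < n <= 1000


if __name__ == "__main__":
    db = build_db()
    # The input of slide 16 (admin'--) against both query styles.
    print("pasted query returns the admin row:", login_pasted(db, "admin'--", "anything"))
    print("bound query returns the admin row :", login_bound(db, "admin'--", "anything"))
    print("whitelist rejects the input       :", not validate_username("admin'--"))
```

The bound query is the real fix; the validators are defence in depth, since a valid-looking username can still carry characters that matter to another destination (XPath, LDAP, the HTML page that echoes it).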

52.
Here is my attack
53. What are the countermeasures?
Sanitize output, encode to destination format:
For XML output, use predefined entities:
here is my here is my
my input is my input is
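Slide 53 says to encode output for its destination format. As an added example (not from the talk), this Python snippet encodes the same user input three ways, using the standard library: the five predefined XML entities for element content and attribute values, and percent-encoding for a query-string parameter. The `render_comment` page fragment is a constructed stand-in for the application's template.

```python
from urllib.parse import quote
from xml.sax.saxutils import escape

# The five characters with predefined XML entities: & < > " '
# saxutils.escape handles & < > itself; the two quote entities are passed in.
XML_QUOTES = {'"': "&quot;", "'": "&apos;"}


def encode_for_xml(text):
    # Destination: XML/HTML element content or a quoted attribute value.
    return escape(text, XML_QUOTES)


def encode_for_url_param(text):
    # Destination: a query-string parameter, where percent-encoding applies
    # and XML entities would be meaningless.
    return quote(text, safe="")


def render_comment(comment):
    # Each place the same input lands gets the encoder for that place:
    # attribute value, element content, URL parameter.
    return ('<p title="%s">%s</p>'
            '<a href="/search?q=%s">find similar</a>'
            % (encode_for_xml(comment), encode_for_xml(comment),
               encode_for_url_param(comment)))


if __name__ == "__main__":
    print(encode_for_xml("<b>here is my</b>"))
    print(render_comment('"><script>x</script>'))
```

Encoding at output time, per destination, is what keeps the input harmless regardless of what the validation layer let through.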
54. Attacking the users
replaying predictable requests
55. what if?
56. what if?
57. Risk A5:
Cross-site Request Forgery
58. What is the risk?
An attacker might build her own website and trigger requests from the visitor's browser. (Yes, that's exactly what it seems to be...)
59. What are the countermeasures?
Implement unpredictable requests for all sensitive actions
Use temporary random hidden control fields:

Link forms to the user session:
if (!Request.Form["checker"].Equals(SessionID)) // return error
Use CAPTCHA
Use out-of-band verification:
SMS / Voice call / Cryptographic tokens, etc.
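Slide 59 combines a random hidden control field with a check that links the form to the session. The Python below is an added example, not the talk's code: it issues a per-session random token, emits it as the hidden field, and verifies the submitted value in constant time. The session is a constructed dict standing in for a server-side session store; the field name `checker` is reused from the slide. One deliberate difference from the slide's comparison against `SessionID`: the token is a separate random value, so the session identifier itself never has to appear in the page.

```python
import hmac
import secrets


def issue_csrf_token(session):
    # Unpredictable per-session value; stored only server-side and in the form.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def hidden_field(token):
    # The temporary hidden control field embedded in every sensitive form.
    return '<input type="hidden" name="checker" value="%s">' % token


def verify_form(session, form):
    # A request forged from another site cannot know the token, so a missing
    # or mismatched value rejects the action. compare_digest avoids leaking the
    # position of the first differing character through timing.
    expected = session.get("csrf_token")
    submitted = form.get("checker")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(hidden_field(token))
    print("genuine submission :", verify_form(session, {"checker": token}))
    print("forged submission  :", verify_form(session, {"amount": "100"}))
```

Rotate the token on login and logout so a value captured before authentication is useless afterwards; the check belongs on every state-changing request, not only on forms rendered with the field.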
60. Attacking the infrastructure
Attacking the application
Attacking the users
Other attacks
61. Other attacks
breaking weak cryptography
62. what if?
Encrypting with Base64
$cookie = base64($sessionId);
It's not encryption, it's encoding!
63. what if?
Encrypting user passwords with AES256
$password = encrypt($_GET['password'], AES256, $key);
Reversible encryption!
64. what if?
Hashing user passwords with md5
$password = md5($_GET['password']);
Weak algorithm!
65. what if?
Hashing user passwords with SHA-256
$password = hash('sha256', $_GET['password']);
Missing seed (salt)!
66. what if?
Building keys with Math.Random
Byte[] key = Math.RandBytes(128);
Weak random number generator!
67. what if?
Deriving a key from a human-entered secret
$key = md5($_GET['secret']);
Weak key entropy!
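Slides 64 to 67 show four storage mistakes in a row: a weak digest, an unsalted digest, a key built from a weak random source, and a key derived from a human secret with a plain hash. The Python below is an added example (not the talk's code) that puts the unsalted form beside a salted, iterated one using PBKDF2 (RFC 2898, named on slide 73), with the standard library only. The iteration count is an assumption for this example; the OS random source replaces `Math.Random` for keys and salts.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256; an assumption for this example, raise it
# as far as the login path can afford.
ITERATIONS = 200_000


def weak_hash_password(password):
    # What slides 64/65 show: no salt, one fast pass. Two users with the same
    # password get the same stored value, and a precomputed table breaks both.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    # Per-user random salt from the OS CSPRNG plus an iterated derivation.
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    # Recompute with the stored salt and iteration count; compare in constant time.
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def derive_key(secret, salt, length=32):
    # Slide 67 ran md5 over the passphrase. A salted, iterated KDF slows down
    # guessing; it cannot add entropy the passphrase never had.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS,
                               dklen=length)


def new_key(length=32):
    # Slide 66 used Math.Random; keys and IVs come from the OS CSPRNG.
    return secrets.token_bytes(length)


if __name__ == "__main__":
    # Constructed sample input: two accounts with the same password.
    print("weak, unsalted, identical:",
          weak_hash_password("correct horse") == weak_hash_password("correct horse"))
    stored = hash_password("correct horse")
    print(stored)
    print("salted, differs per user :", stored != hash_password("correct horse"))
    print("verifies                 :", verify_password("correct horse", stored))
```

Storing the algorithm name and iteration count with the digest lets the work factor be raised later: old records still verify, and can be re-hashed at the user's next successful login.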
68. what if?
Using ECB mode of operation
$bytes = encrypt($text, $key);
// returns: {0xAF00CADACCE34A4D}
$bytes2 = encrypt($text, $key);
// returns: {0xAF00CADACCE34A4D}
Weak mode of operation!
69. what if?
Using CBC mode of operation
$bytes = encrypt($text, $key);
// returns: {0xAF00CADACCE34A4D}
$bytes2 = encrypt($text, $key);
// returns: {0xAF00CADACCE34A4D}
Non-random initialization vectors!
70. what if?
Decrypting with internal secret
String clearText = CryptUtils.Decrypt($bytes, Parameters.SecretKey);
Hard-coded secret!
71. what if?
blablabla
Another problem.
72. Risk A9:
Insecure cryptographic storage
73. What is the risk?
An attacker might not need as much time as you expected to decrypt your data.
If one of these words sounds foggy to you, there is a risk:
Asymmetric/symmetric encryption, offline encryption, online encryption, CBC, key entropy, initialization vector, ECB, message authentication code, PBKDF2 (RFC 2898), constant-time operation, Rijndael, AES, 3DES, DSA, RSA, ECC, SHA, keyring, DPAPI, ...
74. What are the countermeasures?
Don't do cryptography by yourself
Use business-level APIs:
Use open-source reference implementations (OpenSSL, TrueCrypt, etc.)
Use expert-community-driven libraries (OWASP ESAPI, ...)
Take classes
75. Other attacks
observing the environment
76. ?
daquellamanera @flickr
77. Risk A10:
Insufficient transport layer protection
78. What is the risk?
Traffic eavesdropping, due to insufficient transport layer protection.
What are the countermeasures?
Require an SSL-encrypted link.
Use appropriate certificates (signed and valid).
Prevent cookies from leaving the encrypted link (Secure flag enabled).
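The last countermeasure on slide 78 is a one-attribute change that is easy to forget. As an added example (not the talk's code), this Python snippet builds the session cookie header with the Secure flag (and HttpOnly, which keeps the value away from page scripts) using the standard library, and includes a small audit function that reports which of those attributes a given `Set-Cookie` header lacks. The cookie name `SESSIONID` and the header strings are constructed for the example.

```python
from http.cookies import SimpleCookie


def session_cookie_header(session_id, secure=True):
    # Emit the Set-Cookie header for the session cookie. With secure=True the
    # browser only sends the cookie back over an encrypted connection.
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["path"] = "/"
    cookie["SESSIONID"]["httponly"] = True
    if secure:
        cookie["SESSIONID"]["secure"] = True
    return cookie.output(header="Set-Cookie:").strip()


REQUIRED_ATTRS = ("secure", "httponly")


def audit_set_cookie(header):
    # Return the attributes a session cookie should carry but this header lacks.
    # Usable over a captured response or a test client's headers.
    value = header.split(":", 1)[1] if ":" in header else header
    parts = value.split(";")[1:]
    present = {part.strip().split("=", 1)[0].lower() for part in parts}
    return [attr for attr in REQUIRED_ATTRS if attr not in present]


if __name__ == "__main__":
    # Constructed sample value; a real session id comes from the framework.
    weak = session_cookie_header("c0ffee", secure=False)
    good = session_cookie_header("c0ffee")
    print(weak, "-> missing:", audit_set_cookie(weak))
    print(good, "-> missing:", audit_set_cookie(good))
```

The audit is the kind of check that belongs in an integration test: assert that every response setting the session cookie passes it, so a framework upgrade or a copied configuration cannot silently drop the flag.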
79. WHAT IS THE RISK LEVEL? (scale: LOW to HIGH)
80. Part 2:
Assessing the risks induced by these 10 attacks
81. Hopefully, someone did it
82. rating the risks
XSS (example) = 2,6x?
83. OWASP Top 10 2010 RC1: The top ten web application security risks
84.
Risk managers: exploitability, prevalence, detectability, impact (CIA, AAA)
Testers: search patterns, typical cases, myths
Developers: mitigation steps (agnostic), best practices
Advanced material: detailed attack scenarios, mitigation techniques (per technology), further references
Teachers / students: example scenarios
85. Migration info: removed entries, new entries, gap analysis
86. Part 3:
Integrating the Top 10 into an existing software development / acquisition lifecycle
87. The Top 10 in your SDLC/SALC
Software vendor: secure design, secure coding, security testing, metrics analysis
Personnel training
Quality assurance
Software buyer: penetration test, design review reports, security test results, contract conditions, SLA support
88. Conclusion
Your web application will be hacked. ; )
89. Conclusion
But if you use the Top 10...
90. Conclusion
It won't be the cheap way...
91. Conclusion
And it won't be the embarrassing way...
92. Conclusion
You now know the 10 riskiest flaws in web applications.
93. Conclusion
But there's still a lot to see...
CWE/SANS Top 25 Most Dangerous Programming Errors
WASC Threat Classification
Threat modeling
OWASP Application Security Verification Standard (ASVS)
Open Software Assurance Maturity Model
94. Conclusion
...before becoming secure.
95. http://owasp.org/index.php/Top10
(final version: end of March 2010)
thank you :)
97. Copyright
You are free:
To share (copy, distribute, transmit)
To remix
But only if:
You attribute this work
You use it for non-commercial purposes
And you keep sharing your result the same way I did