The Top 10 Security Vulnerabilities in Web Applications: Brian "Bex" Huff Chief Software Architect
Agenda
• Intro
• Countermeasures
Intro
What is OWASP?
• http://owasp.org
• Worldwide non-profit focused on improving software security
• Reaches out to ALL developers: not just security professionals
Who am I?
• Oracle ACE Director
• Author of 2 books on Oracle Technology
• Twitter: @bex -- used to be @OWASP
• Here to help all developers
The OWASP Top 10 (2010 list)
1) Injection
2) Cross Site Scripting
3) Broken Authentication and Session Management
4) Insecure Direct Object References
5) Cross Site Request Forgery (CSRF)
6) Security Misconfiguration
7) Insecure Cryptographic Storage
8) Failure to Restrict URL Access
9) Insufficient Transport Layer Protection
10) Unvalidated Redirects and Forwards
1) Injection
Example
Countermeasures
2) Cross Site Scripting
3) Broken Authentication and Session Management
4) Insecure Direct Object References
5) Cross Site Request Forgery (CSRF)
A malicious site can make your browser send an authenticated request to another site on your behalf:
• User logs into a secure application behind the firewall
http://example.com/myApp
• User then visits an "evil" website, or opens an "evil" HTML email
• The HTML contains this image tag:
<img src="http://example.com/myApp/deleteEverything">
• The browser fetches the "image" and attaches the user's session cookie, so the application carries out the request as the logged-in user
With JavaScript and an XSS hole, an evil site can go further and drive your
browser outright:
• Browse around your intranet, log into bank accounts
• Anything you are currently logged into
• Complete control, for as long as you stay on the evil site
Countermeasures
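The attack above and the standard server-side defences against it, as an added example that is not part of the deck: a framework-free model in which the vulnerable handler acts on the session cookie alone, and the hardened handler refuses state changes on GET (an img tag can only GET) and requires a per-session synchronizer token that the evil page cannot read. A small browser model shows what the SameSite cookie attribute adds. The cookie name JSESSIONID, the session ID, the user and the evil site are made-up values for the demo.

```python
"""
Added example (not the deck's code): a toy server and browser that show why
<img src="http://example.com/myApp/deleteEverything"> works, and the fixes.
Requests are plain dicts, so everything runs offline.
"""
import hmac
import secrets

# Server-side state (constructed sample data).
SESSIONS = {"sess-42": {"user": "alice", "csrf_token": secrets.token_hex(16)}}
DOCUMENTS = {"alice": ["report.doc", "budget.xls"]}


def reset():
    """Restore alice's documents between scenarios."""
    DOCUMENTS["alice"] = ["report.doc", "budget.xls"]


def vulnerable_handler(request):
    """Acts on the session cookie alone, for any HTTP method: whoever can make
    the browser send the cookie can delete alice's documents."""
    session = SESSIONS.get(request["cookies"].get("JSESSIONID"))
    if session is None:
        return 401, "login required"
    if request["path"] == "/myApp/deleteEverything":
        DOCUMENTS[session["user"]].clear()
        return 200, "deleted"
    return 404, "not found"


def hardened_handler(request):
    """Same endpoint with two checks:
    1. state changes only on POST, so an <img> tag (always GET) cannot trigger it;
    2. a per-session synchronizer token, embedded in the site's own forms; the
       evil page cannot read it because the same-origin policy stops it from
       reading example.com's HTML."""
    session = SESSIONS.get(request["cookies"].get("JSESSIONID"))
    if session is None:
        return 401, "login required"
    if request["path"] == "/myApp/deleteEverything":
        if request["method"] != "POST":
            return 405, "state change requires POST"
        sent = request.get("form", {}).get("csrf_token", "")
        # Constant-time compare so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(sent, session["csrf_token"]):
            return 403, "missing or wrong CSRF token"
        DOCUMENTS[session["user"]].clear()
        return 200, "deleted"
    return 404, "not found"


def browser_request(page_site, method, path, form=None,
                    cookie_samesite="None", top_level_navigation=False):
    """What alice's browser sends when a page on page_site requests example.com.
    The JSESSIONID cookie is attached unless its SameSite attribute forbids it:
    Strict never sends it cross-site, Lax sends it cross-site only on top-level
    GET navigations (not for <img> fetches or cross-site POSTs), None always."""
    cross_site = page_site != "example.com"
    attach = True
    if cross_site and cookie_samesite == "Strict":
        attach = False
    if cross_site and cookie_samesite == "Lax":
        attach = method == "GET" and top_level_navigation
    cookies = {"JSESSIONID": "sess-42"} if attach else {}
    return {"method": method, "path": path, "cookies": cookies, "form": form or {}}


def evil_img_attack(handler, samesite="None"):
    """The deck's attack: evil.example serves <img src=".../deleteEverything">.
    Returns (status, documents alice still has)."""
    reset()
    req = browser_request("evil.example", "GET", "/myApp/deleteEverything",
                          cookie_samesite=samesite)
    status, _ = handler(req)
    return status, len(DOCUMENTS["alice"])


def evil_post_attack(handler, samesite="None"):
    """Evil page auto-submits a cross-site form; it has to guess the token."""
    reset()
    req = browser_request("evil.example", "POST", "/myApp/deleteEverything",
                          form={"csrf_token": "guess"}, cookie_samesite=samesite)
    status, _ = handler(req)
    return status, len(DOCUMENTS["alice"])


def legitimate_delete():
    """alice's own page on example.com carries the token in its form."""
    reset()
    token = SESSIONS["sess-42"]["csrf_token"]
    req = browser_request("example.com", "POST", "/myApp/deleteEverything",
                          form={"csrf_token": token})
    status, _ = hardened_handler(req)
    return status, len(DOCUMENTS["alice"])


if __name__ == "__main__":
    print("img vs vulnerable:", evil_img_attack(vulnerable_handler))
    print("img vs hardened:  ", evil_img_attack(hardened_handler))
    print("post vs hardened: ", evil_post_attack(hardened_handler))
    print("img, SameSite=Lax:", evil_img_attack(vulnerable_handler, "Lax"))
    print("legitimate delete:", legitimate_delete())
```

The token check is the part that matters: the POST-only rule alone is defeated by an auto-submitted cross-site form, and SameSite is a browser-side defence-in-depth that does not help a user on a browser that ignores it, so the server must still verify the token.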
7) Insecure Cryptographic Storage
Countermeasures
8) Failure to Restrict URL Access
Countermeasures
10) Unvalidated Redirects and Forwards
Most sites allow redirects to other sites, or forwards to pages within the site:
• http://example.com/redirect?url=google.com
If the url parameter is not validated, an attacker can send victims anywhere from a link that begins with your trusted domain, or trick a logged-in user into harming their own site:
• http://example.com/redirect?url=/admin.jsp?deleteEverything=true
Countermeasures
Keep a list of all allowed redirect URLs on the server, and pass the list ID in the request
instead of the URL:
• http://example.com/redirect?urlId=123
Or, hash the URL with a secret (a keyed hash, i.e. an HMAC) when the site generates the link, pass the hash along with the URL, and reject any request whose hash does not match:
• http://example.com/redirect?url=google.com&hash=a1b2c3
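Both countermeasures on the slide above, as an added example that is not the deck's code: an allow-list keyed by urlId, and an HMAC-SHA256 signature over the URL that a /redirect handler verifies before redirecting. The URL table, the secret and the query strings are constructed for the demo; the handler returns a (status, Location) pair instead of writing an HTTP response.

```python
"""
Added example (not the deck's code): validating redirect targets either by
server-side ID lookup or by a keyed hash (HMAC) over the URL.
"""
import hashlib
import hmac
from urllib.parse import parse_qs

# Approach 1: the request carries urlId=123; the URL itself lives server-side.
REDIRECT_TABLE = {                      # constructed sample allow-list
    "123": "https://www.google.com/",
    "124": "https://owasp.org/",
}

# Approach 2: server-side secret used to sign URLs; never sent to the client.
REDIRECT_SECRET = b"constructed-demo-secret-rotate-in-production"


def resolve_by_id(url_id):
    """Return the allow-listed target for a known ID, else None."""
    return REDIRECT_TABLE.get(url_id)


def sign_url(url):
    """'Hash the URL with a secret': HMAC-SHA256 over the exact URL string,
    computed when the site itself generates the redirect link."""
    return hmac.new(REDIRECT_SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_signed_url(url, provided_hash):
    """Accept only a hash that sign_url produced for exactly this URL.
    compare_digest avoids leaking how many leading bytes matched."""
    return hmac.compare_digest(sign_url(url), provided_hash)


def handle_redirect(query_string):
    """Dispatch for http://example.com/redirect?<query_string>.
    Returns (302, target) on success, (400, None) for anything unverified."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    if "urlId" in params:
        target = resolve_by_id(params["urlId"])
        return (302, target) if target else (400, None)
    if "url" in params and "hash" in params:
        if verify_signed_url(params["url"], params["hash"]):
            return 302, params["url"]
        return 400, None
    # A bare url= with no ID and no hash is the open redirect; refuse it.
    return 400, None


if __name__ == "__main__":
    good = sign_url("https://www.google.com/")
    print(handle_redirect("urlId=123"))
    print(handle_redirect("url=/admin.jsp?deleteEverything=true&hash=a1b2c3"))
    print(handle_redirect(f"url=https://www.google.com/&hash={good}"))
    print(handle_redirect(f"url=https://evil.example/&hash={good}"))
```

Sign the complete target string, not a host name alone, so a valid hash for one URL cannot be reused on a different path or query; and keep the signing step inside the page that renders the link, never behind an endpoint that will sign whatever URL it is given.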
Questions?
My Company: http://bezzotech.com
My Blog: http://bexhuff.com
My Tweets: @bex
My Self: bex@bezzotech.com