Professional Documents
Culture Documents
OWASP Top 10 Web Security Vulnerabilities
OWASP Top 10 Web Security Vulnerabilities
OWASP Top 10 Web Security Vulnerabilities
Security
Vulnerabilities
Carol McDonald
Sun Microsystems
1
OWASP
• Carol cDonald:
> Java Architect at Sun Microsystems
> Before Sun, worked on software development of:
> Application to manage car Loans for Toyota (>10 million
loans)
> Pharmaceutical Intranet apps (Roche Switzerland)
> Telecom Network Mgmt (Digital France)
> X.400 Email Server (IBM Germany)
OWASP
OWASP
OWASP Top 10
• Open Web Application Security Project
> promotes the development of secure web applications
> developers guide, test guide, top 10, ESAPI...
> http://www.OWASP.org
• OWASP TOP 10
> The Ten Most Critical Issues
> Aimed to educate about the most common web application security
vulnerabilities
> Living document: 2007 Top 10 different from 2004 Top 10
OWASP
OWASP
OWASP
OWASP
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
Sanitize
Any Encoding
isValidCreditCard encodeForJavaScript
isValidDataFromBrowser encodeForVBScript
isValidDirectoryPath encodeForURL
isValidFileContent encodeForHTML
isValidFileName encodeForHTMLAttribute
isValidHTTPRequest encodeForLDAP
isValidListItem Canonicalization encodeForDN
isValidRedirectLocation Double Encoding Protection encodeForSQL
isValidSafeHTML Sanitization encodeForXML
isValidPrintable Normalization encodeForXMLAttribute
safeReadLine encodeForXPath
OWASP
http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
101’ or ‘1’=‘1
Hacker sends SQL
commands into a form
field.
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
isValidCreditCard encodeForJavaScript
isValidDataFromBrowser encodeForVBScript
isValidDirectoryPath encodeForURL
isValidFileContent encodeForHTML
isValidFileName encodeForHTMLAttribute
isValidHTTPRequest encodeForLDAP
isValidListItem Canonicalization encodeForDN
isValidRedirectLocation Double Encoding Protection encodeForSQL
isValidSafeHTML Sanitization encodeForXML
isValidPrintable Normalization encodeForXMLAttribute
safeReadLine encodeForXPath
OWASP
http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
<select name="language">
<option value="fr">Français</option>
</select>
int accountID =
Integer.parseInt( request.getParameter( "accou
ntID" ) );
String query = "SELECT * FROM account WHERE
accountID=" + accountID;
OWASP
OWASP
OWASP
OWASP
Database
Mainframe
Access
User Reference
Map File System Report123.xls
Indirect Direct
Reference Reference
Etc…
http://app?file=7d3J93
OWASP
OWASP
• Example
> http://www.ibank.com?file=report123.xls
> http://www.ibank.com?file=a3nr38
OWASP
OWASP
OWASP
OWASP
try {
ESAPI.accessController().
assertAuthorizedForFile(filepath);
} catch (AccessControlException ace) {
.. attack in progress
}
try {
ESAPI.accessController().
assertAuthorizedForData(key);
} catch (AccessControlException ace) {
.. attack in progress
OWASP
}
OWASP
logon
navigate to
javascript get users gmail contacts
users cookie, session
OWASP
OWASP
remember me
navigate to
OWASP
http://news.cnet.com/Netflix-fixes-Web-2.0-bugs/2100-1002_3-6126438.html?part=rss&tag=6126438&subj=news
OWASP
hostile email
Bank App
with image
logon
IMG SRC
<img src="http://host/?command">
SCRIPT SRC
<script src="http://host/?command">
IFRAME SRC
<iframe src="http://host/?command">
OWASP
OWASP
OWASP
OWASP
OWASP
http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt
OWASP
ESAPI Encryptor
• encrypt(plaintext)
• hash(plaintext, salt)
• loadCertificateFromFile(file)
• Simple master key in configuration
• Minimal certificate support
OWASP
OWASP
OWASP
OWASP
OWASP
OWASP
http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass_11.html
OWASP
OWASP
OWASP
OWASP
A10: Protection
security constraints and auth-contstraints in web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name> protected Admin pages</web-resource-name>
<description>Require users to authenticate</description>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description> Manager role can access Admin pages</description>
<role-name>Manager</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>Managers</description>
<role-name>Manager</role-name>
</security-role>
OWASP
OWASP
OWASP
OWASP
isAuthorizedForFunction
isAuthorizedForService
isAuthorizedForFile
isAuthorizedForFunction
OWASP
OWASP
ESAPI AccessController
OWASP
OWASP
ESAPI IntrusionDetector
• Key Methods
• addException(exception)
• addEvent(event)
• Model
• EnterpriseSecurityExceptions automatically added
• Specify a threshold for each event type
• org.owasp.esapi.ValidationException.count=3
• org.owasp.esapi.ValidationException.interval=3 (seconds)
• org.owasp.esapi.ValidationException.action=logout
• Actions are log message, disable account
OWASP
OWASP
Secure Principles
• INput Validation
> white list validation
• OUTput Validation
> HTML encoding before rendering
• Error Handling
> put details in log, don't send to user
• Authentication, Authorization, Access controls
> Enforce Least Privilege
• Secure
> communications, storage, Session Management,
Encryption
• Trace and Log User Actions And Security OWASP
Events
OWASP
• Aspect Security
> http://www.aspectsecurity.com/
OWASP