Professional Documents
Culture Documents
Top 10 Web Security Vulnerabilities v2 110529171455 Phpapp01
Top 10 Web Security Vulnerabilities v2 110529171455 Phpapp01
Agenda
Intro Open Web Application Security Project (OWASP) Top 10 Security Vulnerabilities Countermeasures
Intro
What is OWASP?
http://owasp.org Worldwide non-profit focused on improving software security Reaches out to ALL developers: not just security professionals
Who am I?
Oracle ACE Director Author of 2 books on Oracle Technology Twitter: @bex -- used to be @OWASP Here to help all developers
1) Injection
http://example.com/products?id=123
Hacker could instead supply this:http://example.com/products?id=';+DROP+TABLE+'products';
';+DROP+TABLE+'products';
';+DROP+TABLE+'products';
5
Example
Dont: name your child Robert); DROP TABLE Students;-Do: expect SQL Injection
6
Countermeasures
"Connections" between systems are highly vulnerable Always assume data coming in could be "evil"
be sure to include "evil" use cases and user stories in your design
Sites must "cleanse" user input before displaying it Hackers can create URLs to inject their own HTML onto the page
can be used to do almost any kind of attack!!!
Countermeasures
Countermeasures
Assume my project id is 123 I see a link on My Projects page that goes here:
http://example.com/projects/123
Do you only restrict access in the web form? What if I could "guess" the URL? Could I see the page?
Don't trick yourself into thinking complex URLs are any more secure Security != Obscurity
1 2
Countermeasures
Front-end restriction is nice for usability, but not security Back-end application must double-check access rights
1 3
Evil sites can hijack your browser, and run secure request:
1) User logs into secure application behind the firewall http://example.com/myApp 2) User goes to "evil" website, or loads up "evil" HTML email 3) HTML contains this image: <img src="http://example.com/myApp/deleteEverything"></img>
With JavaScript and XSS, evil sites can completely take over your
browser
1)Can browse around your intranet, log into bank accounts Anything you are currently logged into 1)Complete control, as long as you stay on the evil site
Countermeasures
All state change should require a unique token in the request But if its in the URL, it's vulnerable!
URLs are frequently logged, and can be "sniffed" avoid reusable tokens
General solution:
All state change requires HTTP POST, not a GET Put one-time token in a hidden field on the web form After POST, do a GET redirect to a confirmation page
6) Security Misconfiguration
Countermeasures
Do periodic scans to detect misconfiguration / missing patches Disable features that are "nice" for developers, but "nasty" for security Use automation to ensure patches are up-to-date
If you can't verify it, it's not secure Can you prove glass is bulletproof without firing bullets at it?
1 7
How are you preventing unauthorized access to these resources? If somebody stole your backup tapes, how bad would it be?
1 8
Countermeasures
Restrict access to decrypted data to only authorized users Hash all passwords with a standard algorithm, and a "salt" Use strong keys to access the information Create a password management policy, and stick with it!
1 9
2 0
Countermeasures
Don't draw URLs to the page if the user cannot access them
Bad usability Hackers might be tempted to fish around for vulnerabilities
What if the user has access, but their behavior is unusual should you prompt for password again, or perhaps for additional authorization?
2 1
2 2
Countermeasures
Use strong, standards compliant network security protocols Use TLS (SSL) on all connections with sensitive data Encrypt messages before transmission
XML-Encryption
Disable old, flawed encryption algorithms (ie, SSL 2.0) If HTTPS is impractical, at the very least secure the login process
2 3
Most sites allow redirects to other sites, or pages within the site:
http://example.com/redirect?url=google.com
Link looks like it goes to "example.com", but it goes to "evil.com" Or, can trick a site user into harming their own site:
http://example.com/redirect?url=/admin.jsp?deleteEverything=true
Countermeasures
Restrict redirects to a limited number of "trusted" sites Keep a list of all redirect URLs, and pass the ID in the request,
instead of the URL
http://example.com/redirect?urlId=123
Hash the URL with a secret, and pass the hash in the URL
http://example.com/redirect?url=google.com&hash=a1b2c3
Further Recommendations
Quiz your developers about what security is needed and why Audit to find threats with biggest business impact Reminder: security is everybody's responsibility!
2 6
Questions?
2 7