SlideShare une entreprise Scribd logo

Sicurezza delle applicazioni web

Télécharger en tant que KEY, PDF
Advenias
Advenias

OWASP Top 5 explained

Technologie
1  sur  33
Liofilizzato de “Fondamenti di sicurezza delle applicazioni”
OWASP Top 10 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards
OWASP Top 10 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards
Injection Injection SQL Injection OS Injection Path traversal
SQL Injection What
SQL Injection What What ?
SQL Injection What un attaccante è in grado di inserire dichiarazioni SQL in una query esistente manipolando i dati passati in input ad una applicazione.
SQL Injection Why assenza / errata validazione degli input creazione dinamica di SQL in modo naif public boolean auth(String user) { String sql = “select * from FW01_USER where username = ” + param; ... // query execution... }
OS Injection What un attaccante è in grado di eseguire direttamente comandi del sistema operativo ospitante il server web o l’application server manipolando i dati passati in input ad una applicazione.
OS Injection Why assenza / errata validazione degli input esecuzione diretta di eseguibili nella shell sottostante mediante stringhe di comando contenenti i parametri in input
Path traversal What un attaccante è in grado accedere alle risorse al di fuori del web tree.
Path traversal Why assenza / errata validazione degli input utilizzo dell’input per la costruzione di referenze a file e directory
Path traversal Why assenza / errata validazione degli input utilizzo dell’input per la costruzione di referenze a file e directory http://xxx.yyy.zzz/getFile.jsp?file=report.pdf
Path traversal Why assenza / errata validazione degli input utilizzo dell’input per la costruzione di referenze a file e directory http://xxx.yyy.zzz/getFile.jsp?file=report.pdf http://xxx.yyy.zzz/getFile.jsp?file=../../../../src/code/src.zip
OWASP Top 10 ✓ Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards
XSS What un attaccante è in grado di modificare l’output di una pagina prodotta da una web application per eseguire codice javascript / ActiveX / mobile code senza modificare i dati o le configurazioni del server.
XSS Why assenza / errata validazione degli input assenza di escaping dell’output
XSS How Validazione degli input e degli output Cookies HttpOnly
OWASP Top 10 ✓ Injection ✓ Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards
Autenticazione Errori di design Errori di implementazione • password deboli • logiche fail-open • vulnerabilità a forza bruta • registrazione / comunicazione insicura di credenziali • messaggi differenziati di errore • uso di canali non cifrati • recupero password debole
Autenticazione Errori di design Errori di implementazione • password deboli • logiche fail-open • vulnerabilità a forza bruta • registrazione / comunicazione insicura di credenziali • messaggi differenziati di errore • uso di canali non cifrati • recupero password debole
Autenticazione Errori di design Errori di implementazione • password deboli • logiche fail-open • vulnerabilità a forza bruta Limite al • registrazione / comunicazione # tentativi / time slice insicura di credenziali • messaggi differenziati di errore • uso di canali non cifrati • recupero password debole
Autorizzazione Errori logici • controlli client side • parametri HTTP usati come ACL Errori di implementazione • URL diretti, privilegiati, segreti
Sessioni e cookie STATO SICUREZZA Semplicità Server side Client side Fat session Thin session Session token
OWASP Top 10 ✓ Injection ✓ Cross-Site Scripting (XSS) ✓ Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards
Insecure Direct Object Refs String query = "SELECT * FROM accts WHERE account = ?"; PreparedStatement pstmt = connection.prepareStatement(query, ... ); pstmt.setString( 1, request.getParameter("acct")); ResultSet results = pstmt.executeQuery(); http://example.com/app/accountInfo?acct=notmyacct
OWASP Top 10 ✓ Injection ✓ Cross-Site Scripting (XSS) ✓ Broken Authentication and Session Management ✓ Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards
CSRF [see surf]
CSRF [see surf] https://mytrustedbank.com 1 Bank login username utonto password *****
CSRF [see surf] https://mytrustedbank.com 1 Bank login username utonto password ***** 2
CSRF [see surf] https://mytrustedbank.com 1 Bank login username utonto password ***** 2 http://malicious.org 3 Really bad site Ode to the pig
CSRF [see surf] https://mytrustedbank.com 1 Bank login username utonto password ***** 2 http://malicious.org 3 ... Really bad site <img src=”https://mytrustedbank.com/app/ transferFunds? amount=1500&destAccount=attackersAcct#”/> Ode to the pig
CSRF How ➡Usare GET e POST in modo appropriato ➡Usare un security token per richieste non GET

Recommandé

Web Application Insecurity L D2007
Web Application Insecurity L D2007Web Application Insecurity L D2007
Web Application Insecurity L D2007jekil
 
SMi MasterClass: Social Media in Pharmaceuticals 14 April 2010
SMi MasterClass: Social Media in Pharmaceuticals 14 April 2010SMi MasterClass: Social Media in Pharmaceuticals 14 April 2010
SMi MasterClass: Social Media in Pharmaceuticals 14 April 2010CREATION
 
How to Avoid a Social Media Crisis - e-Patient Connections 2011 Workshop
How to Avoid a Social Media Crisis - e-Patient Connections 2011 WorkshopHow to Avoid a Social Media Crisis - e-Patient Connections 2011 Workshop
How to Avoid a Social Media Crisis - e-Patient Connections 2011 WorkshopCREATION
 
DigiPharm Europe 2010: Reportable Adverse Events on the World Wide Web
DigiPharm Europe 2010: Reportable Adverse Events on the World Wide WebDigiPharm Europe 2010: Reportable Adverse Events on the World Wide Web
DigiPharm Europe 2010: Reportable Adverse Events on the World Wide WebCREATION
 
Doctors in Public Social Media: Cardiovascular Study - Doctors2.0 & You, Pari...
Doctors in Public Social Media: Cardiovascular Study - Doctors2.0 & You, Pari...Doctors in Public Social Media: Cardiovascular Study - Doctors2.0 & You, Pari...
Doctors in Public Social Media: Cardiovascular Study - Doctors2.0 & You, Pari...CREATION
 
Healthcare Engagement Strategy 2010: Insights from winning strategies
Healthcare Engagement Strategy 2010: Insights from winning strategiesHealthcare Engagement Strategy 2010: Insights from winning strategies
Healthcare Engagement Strategy 2010: Insights from winning strategiesCREATION
 
1rida kalho
1rida kalho1rida kalho
1rida kalhoguest784069
 
Estrategia comunicacional para la adopción de proyectos estratégicos de gobie...
Estrategia comunicacional para la adopción de proyectos estratégicos de gobie...Estrategia comunicacional para la adopción de proyectos estratégicos de gobie...
Estrategia comunicacional para la adopción de proyectos estratégicos de gobie...Ramón Ramón Sánchez
 

Recommandé

Web Application Insecurity L D2007
Web Application Insecurity L D2007Web Application Insecurity L D2007
Web Application Insecurity L D2007jekil
 
SMi MasterClass: Social Media in Pharmaceuticals 14 April 2010
SMi MasterClass: Social Media in Pharmaceuticals 14 April 2010SMi MasterClass: Social Media in Pharmaceuticals 14 April 2010
SMi MasterClass: Social Media in Pharmaceuticals 14 April 2010CREATION
 
How to Avoid a Social Media Crisis - e-Patient Connections 2011 Workshop
How to Avoid a Social Media Crisis - e-Patient Connections 2011 WorkshopHow to Avoid a Social Media Crisis - e-Patient Connections 2011 Workshop
How to Avoid a Social Media Crisis - e-Patient Connections 2011 WorkshopCREATION
 
DigiPharm Europe 2010: Reportable Adverse Events on the World Wide Web
DigiPharm Europe 2010: Reportable Adverse Events on the World Wide WebDigiPharm Europe 2010: Reportable Adverse Events on the World Wide Web
DigiPharm Europe 2010: Reportable Adverse Events on the World Wide WebCREATION
 
Doctors in Public Social Media: Cardiovascular Study - Doctors2.0 & You, Pari...
Doctors in Public Social Media: Cardiovascular Study - Doctors2.0 & You, Pari...Doctors in Public Social Media: Cardiovascular Study - Doctors2.0 & You, Pari...
Doctors in Public Social Media: Cardiovascular Study - Doctors2.0 & You, Pari...CREATION
 
Healthcare Engagement Strategy 2010: Insights from winning strategies
Healthcare Engagement Strategy 2010: Insights from winning strategiesHealthcare Engagement Strategy 2010: Insights from winning strategies
Healthcare Engagement Strategy 2010: Insights from winning strategiesCREATION
 
1rida kalho
1rida kalho1rida kalho
1rida kalhoguest784069
 
Estrategia comunicacional para la adopción de proyectos estratégicos de gobie...
Estrategia comunicacional para la adopción de proyectos estratégicos de gobie...Estrategia comunicacional para la adopción de proyectos estratégicos de gobie...
Estrategia comunicacional para la adopción de proyectos estratégicos de gobie...Ramón Ramón Sánchez
 
Creation Healthcare and Creation Pinpoint - An introduction
Creation Healthcare and Creation Pinpoint - An introductionCreation Healthcare and Creation Pinpoint - An introduction
Creation Healthcare and Creation Pinpoint - An introductionCREATION
 
Warhol: Sopa Campbell's
Warhol: Sopa Campbell'sWarhol: Sopa Campbell's
Warhol: Sopa Campbell'sguest784069
 
Doctors in social media: the story so far, with Creation Pinpoint (slides)
Doctors in social media: the story so far, with Creation Pinpoint (slides)Doctors in social media: the story so far, with Creation Pinpoint (slides)
Doctors in social media: the story so far, with Creation Pinpoint (slides)CREATION
 
Healthcare Professionals (HCPs) in Spain who have online influence in Diabetes.
Healthcare Professionals (HCPs) in Spain who have online influence in Diabetes.Healthcare Professionals (HCPs) in Spain who have online influence in Diabetes.
Healthcare Professionals (HCPs) in Spain who have online influence in Diabetes.CREATION
 
Doctors 2.0 & You Special - Diabetes Digital Opinion Leaders with Pharma Inis...
Doctors 2.0 & You Special - Diabetes Digital Opinion Leaders with Pharma Inis...Doctors 2.0 & You Special - Diabetes Digital Opinion Leaders with Pharma Inis...
Doctors 2.0 & You Special - Diabetes Digital Opinion Leaders with Pharma Inis...CREATION
 
Social Media & Pharma - DIA Clinical Forum, Lisbon 13 October 2010
Social Media & Pharma - DIA Clinical Forum, Lisbon 13 October 2010Social Media & Pharma - DIA Clinical Forum, Lisbon 13 October 2010
Social Media & Pharma - DIA Clinical Forum, Lisbon 13 October 2010CREATION
 
Healthcare professionals in social media - Kings Fund Digital Health & Care C...
Healthcare professionals in social media - Kings Fund Digital Health & Care C...Healthcare professionals in social media - Kings Fund Digital Health & Care C...
Healthcare professionals in social media - Kings Fund Digital Health & Care C...CREATION
 
Eclipse emf
Eclipse emfEclipse emf
Eclipse emfAdvenias
 
17 - Web Application Threats
17 - Web Application Threats17 - Web Application Threats
17 - Web Application ThreatsFederico Russo
 
HTML5 Security
HTML5 SecurityHTML5 Security
HTML5 SecuritySimone Onofri
 
Hackers vs. Developers: HTML5 Security by Simone Onofri
Hackers vs. Developers: HTML5 Security by Simone OnofriHackers vs. Developers: HTML5 Security by Simone Onofri
Hackers vs. Developers: HTML5 Security by Simone OnofriCodemotion
 
Hackers vs Developers - Cross Site Scripting (XSS) Attacco e difesa
Hackers vs Developers - Cross Site Scripting (XSS) Attacco e difesaHackers vs Developers - Cross Site Scripting (XSS) Attacco e difesa
Hackers vs Developers - Cross Site Scripting (XSS) Attacco e difesaSimone Onofri
 
Tesi Triennale: Navigazione automatica e rilevazione di errori in applicazion...
Tesi Triennale: Navigazione automatica e rilevazione di errori in applicazion...Tesi Triennale: Navigazione automatica e rilevazione di errori in applicazion...
Tesi Triennale: Navigazione automatica e rilevazione di errori in applicazion...Federico Villa
 
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015Pawel Zorzan Urban
 
Web Application Insecurity Uncensored
Web Application Insecurity UncensoredWeb Application Insecurity Uncensored
Web Application Insecurity Uncensoredjekil
 
Owasp parte3
Owasp parte3Owasp parte3
Owasp parte3claudiodigiovanni
 
TechDay: Hackers vs. Developers - Le SQL Injection - Simone Onofri
TechDay: Hackers vs. Developers - Le SQL Injection - Simone OnofriTechDay: Hackers vs. Developers - Le SQL Injection - Simone Onofri
TechDay: Hackers vs. Developers - Le SQL Injection - Simone OnofriCodemotion
 
Android (Un)Security Guidelines - VoidSec
Android (Un)Security Guidelines - VoidSecAndroid (Un)Security Guidelines - VoidSec
Android (Un)Security Guidelines - VoidSecPaolo Stagno
 
Hackers vs Developers - SQL Injection - Attacco e Difesa
Hackers vs Developers - SQL Injection - Attacco e DifesaHackers vs Developers - SQL Injection - Attacco e Difesa
Hackers vs Developers - SQL Injection - Attacco e DifesaSimone Onofri
 
ASP.NET MVC3 - Tutti i compiti del Controller
ASP.NET MVC3 - Tutti i compiti del ControllerASP.NET MVC3 - Tutti i compiti del Controller
ASP.NET MVC3 - Tutti i compiti del ControllerManuel Scapolan
 
20230208-webinar_IDP_resiliente.pdf
20230208-webinar_IDP_resiliente.pdf20230208-webinar_IDP_resiliente.pdf
20230208-webinar_IDP_resiliente.pdfRandom794412
 
CQRS ed Event Sourcing su Windows Azure: Applicazioni Distribuite, Scalabilit...
CQRS ed Event Sourcing su Windows Azure: Applicazioni Distribuite, Scalabilit...CQRS ed Event Sourcing su Windows Azure: Applicazioni Distribuite, Scalabilit...
CQRS ed Event Sourcing su Windows Azure: Applicazioni Distribuite, Scalabilit...DotNetMarche
 

Contenu connexe

En vedette

Creation Healthcare and Creation Pinpoint - An introduction
Creation Healthcare and Creation Pinpoint - An introductionCreation Healthcare and Creation Pinpoint - An introduction
Creation Healthcare and Creation Pinpoint - An introductionCREATION
 
Warhol: Sopa Campbell's
Warhol: Sopa Campbell'sWarhol: Sopa Campbell's
Warhol: Sopa Campbell'sguest784069
 
Doctors in social media: the story so far, with Creation Pinpoint (slides)
Doctors in social media: the story so far, with Creation Pinpoint (slides)Doctors in social media: the story so far, with Creation Pinpoint (slides)
Doctors in social media: the story so far, with Creation Pinpoint (slides)CREATION
 
Healthcare Professionals (HCPs) in Spain who have online influence in Diabetes.
Healthcare Professionals (HCPs) in Spain who have online influence in Diabetes.Healthcare Professionals (HCPs) in Spain who have online influence in Diabetes.
Healthcare Professionals (HCPs) in Spain who have online influence in Diabetes.CREATION
 
Doctors 2.0 & You Special - Diabetes Digital Opinion Leaders with Pharma Inis...
Doctors 2.0 & You Special - Diabetes Digital Opinion Leaders with Pharma Inis...Doctors 2.0 & You Special - Diabetes Digital Opinion Leaders with Pharma Inis...
Doctors 2.0 & You Special - Diabetes Digital Opinion Leaders with Pharma Inis...CREATION
 
Social Media & Pharma - DIA Clinical Forum, Lisbon 13 October 2010
Social Media & Pharma - DIA Clinical Forum, Lisbon 13 October 2010Social Media & Pharma - DIA Clinical Forum, Lisbon 13 October 2010
Social Media & Pharma - DIA Clinical Forum, Lisbon 13 October 2010CREATION
 
Healthcare professionals in social media - Kings Fund Digital Health & Care C...
Healthcare professionals in social media - Kings Fund Digital Health & Care C...Healthcare professionals in social media - Kings Fund Digital Health & Care C...
Healthcare professionals in social media - Kings Fund Digital Health & Care C...CREATION
 
Eclipse emf
Eclipse emfEclipse emf
Eclipse emfAdvenias
 

En vedette (8)

Creation Healthcare and Creation Pinpoint - An introduction
Creation Healthcare and Creation Pinpoint - An introductionCreation Healthcare and Creation Pinpoint - An introduction
Creation Healthcare and Creation Pinpoint - An introduction
 
Warhol: Sopa Campbell's
Warhol: Sopa Campbell'sWarhol: Sopa Campbell's
Warhol: Sopa Campbell's
 
Doctors in social media: the story so far, with Creation Pinpoint (slides)
Doctors in social media: the story so far, with Creation Pinpoint (slides)Doctors in social media: the story so far, with Creation Pinpoint (slides)
Doctors in social media: the story so far, with Creation Pinpoint (slides)
 
Healthcare Professionals (HCPs) in Spain who have online influence in Diabetes.
Healthcare Professionals (HCPs) in Spain who have online influence in Diabetes.Healthcare Professionals (HCPs) in Spain who have online influence in Diabetes.
Healthcare Professionals (HCPs) in Spain who have online influence in Diabetes.
 
Doctors 2.0 & You Special - Diabetes Digital Opinion Leaders with Pharma Inis...
Doctors 2.0 & You Special - Diabetes Digital Opinion Leaders with Pharma Inis...Doctors 2.0 & You Special - Diabetes Digital Opinion Leaders with Pharma Inis...
Doctors 2.0 & You Special - Diabetes Digital Opinion Leaders with Pharma Inis...
 
Social Media & Pharma - DIA Clinical Forum, Lisbon 13 October 2010
Social Media & Pharma - DIA Clinical Forum, Lisbon 13 October 2010Social Media & Pharma - DIA Clinical Forum, Lisbon 13 October 2010
Social Media & Pharma - DIA Clinical Forum, Lisbon 13 October 2010
 
Healthcare professionals in social media - Kings Fund Digital Health & Care C...
Healthcare professionals in social media - Kings Fund Digital Health & Care C...Healthcare professionals in social media - Kings Fund Digital Health & Care C...
Healthcare professionals in social media - Kings Fund Digital Health & Care C...
 
Eclipse emf
Eclipse emfEclipse emf
Eclipse emf
 

Similaire à Sicurezza delle applicazioni web

17 - Web Application Threats
17 - Web Application Threats17 - Web Application Threats
17 - Web Application ThreatsFederico Russo
 
Hackers vs. Developers: HTML5 Security by Simone Onofri
Hackers vs. Developers: HTML5 Security by Simone OnofriHackers vs. Developers: HTML5 Security by Simone Onofri
Hackers vs. Developers: HTML5 Security by Simone OnofriCodemotion
 
Hackers vs Developers - Cross Site Scripting (XSS) Attacco e difesa
Hackers vs Developers - Cross Site Scripting (XSS) Attacco e difesaHackers vs Developers - Cross Site Scripting (XSS) Attacco e difesa
Hackers vs Developers - Cross Site Scripting (XSS) Attacco e difesaSimone Onofri
 
Tesi Triennale: Navigazione automatica e rilevazione di errori in applicazion...
Tesi Triennale: Navigazione automatica e rilevazione di errori in applicazion...Tesi Triennale: Navigazione automatica e rilevazione di errori in applicazion...
Tesi Triennale: Navigazione automatica e rilevazione di errori in applicazion...Federico Villa
 
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015Pawel Zorzan Urban
 
Web Application Insecurity Uncensored
Web Application Insecurity UncensoredWeb Application Insecurity Uncensored
Web Application Insecurity Uncensoredjekil
 
TechDay: Hackers vs. Developers - Le SQL Injection - Simone Onofri
TechDay: Hackers vs. Developers - Le SQL Injection - Simone OnofriTechDay: Hackers vs. Developers - Le SQL Injection - Simone Onofri
TechDay: Hackers vs. Developers - Le SQL Injection - Simone OnofriCodemotion
 
Android (Un)Security Guidelines - VoidSec
Android (Un)Security Guidelines - VoidSecAndroid (Un)Security Guidelines - VoidSec
Android (Un)Security Guidelines - VoidSecPaolo Stagno
 
Hackers vs Developers - SQL Injection - Attacco e Difesa
Hackers vs Developers - SQL Injection - Attacco e DifesaHackers vs Developers - SQL Injection - Attacco e Difesa
Hackers vs Developers - SQL Injection - Attacco e DifesaSimone Onofri
 
ASP.NET MVC3 - Tutti i compiti del Controller
ASP.NET MVC3 - Tutti i compiti del ControllerASP.NET MVC3 - Tutti i compiti del Controller
ASP.NET MVC3 - Tutti i compiti del ControllerManuel Scapolan
 
20230208-webinar_IDP_resiliente.pdf
20230208-webinar_IDP_resiliente.pdf20230208-webinar_IDP_resiliente.pdf
20230208-webinar_IDP_resiliente.pdfRandom794412
 
CQRS ed Event Sourcing su Windows Azure: Applicazioni Distribuite, Scalabilit...
CQRS ed Event Sourcing su Windows Azure: Applicazioni Distribuite, Scalabilit...CQRS ed Event Sourcing su Windows Azure: Applicazioni Distribuite, Scalabilit...
CQRS ed Event Sourcing su Windows Azure: Applicazioni Distribuite, Scalabilit...DotNetMarche
 
Hackers vs developers: progettere le applicazioni mobile tra OWASP e OSSTMM
Hackers vs developers: progettere le applicazioni mobile tra OWASP e OSSTMMHackers vs developers: progettere le applicazioni mobile tra OWASP e OSSTMM
Hackers vs developers: progettere le applicazioni mobile tra OWASP e OSSTMMSimone Onofri
 
CCI2018 - Implementazione di una PKI in Windows Server e automazione del cicl...
CCI2018 - Implementazione di una PKI in Windows Server e automazione del cicl...CCI2018 - Implementazione di una PKI in Windows Server e automazione del cicl...
CCI2018 - Implementazione di una PKI in Windows Server e automazione del cicl...walk2talk srl
 
La sicurezza delle Web Application - SMAU Business Bari 2013
La sicurezza delle Web Application - SMAU Business Bari 2013La sicurezza delle Web Application - SMAU Business Bari 2013
La sicurezza delle Web Application - SMAU Business Bari 2013Massimo Chirivì
 
Smau Bari 2013 Massimo Chirivì
Smau Bari 2013 Massimo ChirivìSmau Bari 2013 Massimo Chirivì
Smau Bari 2013 Massimo ChirivìSMAU
 
Hackers vs Developers - Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013
Hackers vs Developers - Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013Hackers vs Developers - Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013
Hackers vs Developers - Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013Simone Onofri
 
Hackers vs. Developers: Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013
Hackers vs. Developers: Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013Hackers vs. Developers: Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013
Hackers vs. Developers: Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013Codemotion
 

Similaire à Sicurezza delle applicazioni web (20)

17 - Web Application Threats
17 - Web Application Threats17 - Web Application Threats
17 - Web Application Threats
 
HTML5 Security
HTML5 SecurityHTML5 Security
HTML5 Security
 
Hackers vs. Developers: HTML5 Security by Simone Onofri
Hackers vs. Developers: HTML5 Security by Simone OnofriHackers vs. Developers: HTML5 Security by Simone Onofri
Hackers vs. Developers: HTML5 Security by Simone Onofri
 
Hackers vs Developers - Cross Site Scripting (XSS) Attacco e difesa
Hackers vs Developers - Cross Site Scripting (XSS) Attacco e difesaHackers vs Developers - Cross Site Scripting (XSS) Attacco e difesa
Hackers vs Developers - Cross Site Scripting (XSS) Attacco e difesa
 
Tesi Triennale: Navigazione automatica e rilevazione di errori in applicazion...
Tesi Triennale: Navigazione automatica e rilevazione di errori in applicazion...Tesi Triennale: Navigazione automatica e rilevazione di errori in applicazion...
Tesi Triennale: Navigazione automatica e rilevazione di errori in applicazion...
 
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
 
Web Application Insecurity Uncensored
Web Application Insecurity UncensoredWeb Application Insecurity Uncensored
Web Application Insecurity Uncensored
 
Owasp parte3
Owasp parte3Owasp parte3
Owasp parte3
 
TechDay: Hackers vs. Developers - Le SQL Injection - Simone Onofri
TechDay: Hackers vs. Developers - Le SQL Injection - Simone OnofriTechDay: Hackers vs. Developers - Le SQL Injection - Simone Onofri
TechDay: Hackers vs. Developers - Le SQL Injection - Simone Onofri
 
Android (Un)Security Guidelines - VoidSec
Android (Un)Security Guidelines - VoidSecAndroid (Un)Security Guidelines - VoidSec
Android (Un)Security Guidelines - VoidSec
 
Hackers vs Developers - SQL Injection - Attacco e Difesa
Hackers vs Developers - SQL Injection - Attacco e DifesaHackers vs Developers - SQL Injection - Attacco e Difesa
Hackers vs Developers - SQL Injection - Attacco e Difesa
 
ASP.NET MVC3 - Tutti i compiti del Controller
ASP.NET MVC3 - Tutti i compiti del ControllerASP.NET MVC3 - Tutti i compiti del Controller
ASP.NET MVC3 - Tutti i compiti del Controller
 
20230208-webinar_IDP_resiliente.pdf
20230208-webinar_IDP_resiliente.pdf20230208-webinar_IDP_resiliente.pdf
20230208-webinar_IDP_resiliente.pdf
 
CQRS ed Event Sourcing su Windows Azure: Applicazioni Distribuite, Scalabilit...
CQRS ed Event Sourcing su Windows Azure: Applicazioni Distribuite, Scalabilit...CQRS ed Event Sourcing su Windows Azure: Applicazioni Distribuite, Scalabilit...
CQRS ed Event Sourcing su Windows Azure: Applicazioni Distribuite, Scalabilit...
 
Hackers vs developers: progettere le applicazioni mobile tra OWASP e OSSTMM
Hackers vs developers: progettere le applicazioni mobile tra OWASP e OSSTMMHackers vs developers: progettere le applicazioni mobile tra OWASP e OSSTMM
Hackers vs developers: progettere le applicazioni mobile tra OWASP e OSSTMM
 
CCI2018 - Implementazione di una PKI in Windows Server e automazione del cicl...
CCI2018 - Implementazione di una PKI in Windows Server e automazione del cicl...CCI2018 - Implementazione di una PKI in Windows Server e automazione del cicl...
CCI2018 - Implementazione di una PKI in Windows Server e automazione del cicl...
 
La sicurezza delle Web Application - SMAU Business Bari 2013
La sicurezza delle Web Application - SMAU Business Bari 2013La sicurezza delle Web Application - SMAU Business Bari 2013
La sicurezza delle Web Application - SMAU Business Bari 2013
 
Smau Bari 2013 Massimo Chirivì
Smau Bari 2013 Massimo ChirivìSmau Bari 2013 Massimo Chirivì
Smau Bari 2013 Massimo Chirivì
 
Hackers vs Developers - Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013
Hackers vs Developers - Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013Hackers vs Developers - Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013
Hackers vs Developers - Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013
 
Hackers vs. Developers: Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013
Hackers vs. Developers: Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013Hackers vs. Developers: Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013
Hackers vs. Developers: Nuove e vecchie vulnerabilità con la OWASP TOP 10 2013
 

Sicurezza delle applicazioni web

  • 1. Liofilizzato de “Fondamenti di sicurezza delle applicazioni”
  • 2. OWASP Top 10 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards
  • 3. OWASP Top 10 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards
  • 4. Injection Injection SQL Injection OS Injection Path traversal
  • 6. SQL Injection What What ?
  • 7. SQL Injection What un attaccante è in grado di inserire dichiarazioni SQL in una query esistente manipolando i dati passati in input ad una applicazione.
  • 8. SQL Injection Why assenza / errata validazione degli input creazione dinamica di SQL in modo naif public boolean auth(String user) { String sql = “select * from FW01_USER where username = ” + param; ... // query execution... }
  • 9. OS Injection What un attaccante è in grado di eseguire direttamente comandi del sistema operativo ospitante il server web o l’application server manipolando i dati passati in input ad una applicazione.
  • 10. OS Injection Why assenza / errata validazione degli input esecuzione diretta di eseguibili nella shell sottostante mediante stringhe di comando contenenti i parametri in input
  • 11. Path traversal What un attaccante è in grado accedere alle risorse al di fuori del web tree.
  • 12. Path traversal Why assenza / errata validazione degli input utilizzo dell’input per la costruzione di referenze a file e directory
  • 13. Path traversal Why assenza / errata validazione degli input utilizzo dell’input per la costruzione di referenze a file e directory http://xxx.yyy.zzz/getFile.jsp?file=report.pdf
  • 14. Path traversal Why assenza / errata validazione degli input utilizzo dell’input per la costruzione di referenze a file e directory http://xxx.yyy.zzz/getFile.jsp?file=report.pdf http://xxx.yyy.zzz/getFile.jsp?file=../../../../src/code/src.zip
  • 15. OWASP Top 10 ✓ Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards
  • 16. XSS What un attaccante è in grado di modificare l’output di una pagina prodotta da una web application per eseguire codice javascript / ActiveX / mobile code senza modificare i dati o le configurazioni del server.
  • 17. XSS Why assenza / errata validazione degli input assenza di escaping dell’output
  • 18. XSS How Validazione degli input e degli output Cookies HttpOnly
  • 19. OWASP Top 10 ✓ Injection ✓ Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards
  • 20. Autenticazione Errori di design Errori di implementazione • password deboli • logiche fail-open • vulnerabilità a forza bruta • registrazione / comunicazione insicura di credenziali • messaggi differenziati di errore • uso di canali non cifrati • recupero password debole
  • 21. Autenticazione Errori di design Errori di implementazione • password deboli • logiche fail-open • vulnerabilità a forza bruta • registrazione / comunicazione insicura di credenziali • messaggi differenziati di errore • uso di canali non cifrati • recupero password debole
  • 22. Autenticazione Errori di design Errori di implementazione • password deboli • logiche fail-open • vulnerabilità a forza bruta Limite al • registrazione / comunicazione # tentativi / time slice insicura di credenziali • messaggi differenziati di errore • uso di canali non cifrati • recupero password debole
  • 23. Autorizzazione Errori logici • controlli client side • parametri HTTP usati come ACL Errori di implementazione • URL diretti, privilegiati, segreti
  • 24. Sessioni e cookie STATO SICUREZZA Semplicità Server side Client side Fat session Thin session Session token
  • 25. OWASP Top 10 ✓ Injection ✓ Cross-Site Scripting (XSS) ✓ Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards
  • 26. Insecure Direct Object Refs String query = "SELECT * FROM accts WHERE account = ?"; PreparedStatement pstmt = connection.prepareStatement(query, ... ); pstmt.setString( 1, request.getParameter("acct")); ResultSet results = pstmt.executeQuery(); http://example.com/app/accountInfo?acct=notmyacct
  • 27. OWASP Top 10 ✓ Injection ✓ Cross-Site Scripting (XSS) ✓ Broken Authentication and Session Management ✓ Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards
  • 29. CSRF [see surf] https://mytrustedbank.com 1 Bank login username utonto password *****
  • 30. CSRF [see surf] https://mytrustedbank.com 1 Bank login username utonto password ***** 2
  • 31. CSRF [see surf] https://mytrustedbank.com 1 Bank login username utonto password ***** 2 http://malicious.org 3 Really bad site Ode to the pig
  • 32. CSRF [see surf] https://mytrustedbank.com 1 Bank login username utonto password ***** 2 http://malicious.org 3 ... Really bad site <img src=”https://mytrustedbank.com/app/ transferFunds? amount=1500&destAccount=attackersAcct#”/> Ode to the pig
  • 33. CSRF How ➡Usare GET e POST in modo appropriato ➡Usare un security token per richieste non GET

Notes de l'éditeur

  1. \n
  2. \n
  3. \n
  4. \n
  5. \n
  6. \n
  7. \n
  8. \n
  9. \n
  10. \n
  11. \n
  12. \n
  13. \n
  14. \n
  15. \n
  16. \n
  17. \n
  18. \n
  19. \n
  20. \n
  21. \n
  22. \n
  23. \n
  24. \n
  25. \n
  26. \n
  27. \n
  28. \n
  29. \n
  30. \n
  31. \n
  32. \n
  33. \n
  34. \n
  35. \n
  36. \n
  37. \n
  38. \n
  39. \n
  40. \n
  41. \n
  42. \n
  43. \n
  44. \n
  45. \n
  46. \n
  47. \n
  48. \n
  49. \n
  50. \n
  51. \n
  52. \n
  53. \n
  54. \n
  55. \n
  56. \n
  57. \n
  58. \n
  59. \n
  60. \n