1. Web Application Vulnerabilities and Security Flaws Root Causes: The OWASP Top 10 Cincinnati Chapter Meeting May 26 th , 2009 Marco Morana Cincinnati Chapter Lead

5. Mapping OWASP T10 to Security Flaws

7. Mapping OWASP T10 To Web Architecture Phishing Privacy Violations S y s t e m- Data Distruction Financial Loss Reputation Loss I d e n t i t y Theft XSS, Weak authN-AuthZ (A4,A7,A10) Poor validation, business rule and weak authZ(A2,A4,A6,A7,A10) Weak Crypto (A8,A9) malicious file exec(A3) and AuthN-AuthZ (A4,A7,A10) Inject. Flaws (A2), remote file incl (A3) Obj Ref (A4), CSRF (A5),AuthN & SessM (A7), No URL Access Rest (A10) All T10

9. Mapping Threats, Vulnerability Conditions and Countermeasures Using Threat Trees Source: OWASP Application Threat Modeling, https://www.owasp.org/index.php/Application_Threat_Modeling

11. A1: Cross Site Scripting – Security Flaws Phishing, Identity Theft XSS XSS http://server/cgibin/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT> NSAPI/ISAPI filter ESAPI Filtering

13. A2: Injection Flaws-SQL Injection Identity Theft System Compromise, Data Alteration, Destruction SQLI SQLI NSAPI/ ISAPI filter, Custom Errors Filtering, DB API use Prepared Statements/Store Procedures DB Least Principle Privileges, Store Procedure errors SQLI OR ‘1’=’1—‘ aaa’; DROP TABLE Docs;--

15. A3: Insecure Remote File Include Privacy Violations, System Compromise, Alteration, Destruction A3 A3 Cmd=%3B+mkdir+hackerDirectory No File uploads on the web server! File upload Filtering, File Type/Format Validations. AV, Segregation, Permissions A3 DB Privileges A3 No file uploads

17. A4: Insecure Direct Object Reference Phishing, Privacy Violations, Financial Loss A4 A4 &quot;../../../../etc/passwd%00&quot; Hardened Web Root/Server Rely on server side-R B A C not URL params, Secure Shopping cart logic A4 No PK exposed as URL parameter http://www.shopcart?CartID http://www.abc.com?RoleID

19. A5: Cross Site Request Forgery (CSRF) Privacy Violations, Financial Loss CSRF <img src=&quot;http://www.example.com/logout.php&quot;> Re-issue session and cookies at POST CSRF Form Authentication Via Tokens (OTPs), Secondary Authentication, Default POST for sensitive transactions <form action=&quot;/transfer.do&quot; method=&quot;post&quot;> <input type=&quot;hidden&quot; ACC#=&quot;8438927730&quot; … </form>

21. A6: Information Leakage and Improper Error Handling Privacy Violations A6 “ The password you entered was not recognized. Please enter it again A6 No stack traces to user errors Generic error validations [ SqlException (0x80131904): An error has occurred while establishing a connection to the server. A6 A6 Web.config custom errors=ON Set custom error Web pages, Clean Webroot No SQL exception errors in user’s error messages No transaction message error codes in user’s error messages

23. A7: Broken Authentication Phishing, Privacy Violations, Financial Loss A7-BA A7-BA Autocomplete OFF, Strong AuthN/ Trusted AuthN SSO/tokens Cache Headers Set No Cache A7-BA A7-BA SSL Trusted User AuthN Mutual AuthN A7-BA SSL A7-BA User Trusted AuthN-SSO /Server to Server Mutual Authentication A7-BA SSL/JDBC-S Trusted User AuthN A7-BA Hash Pwds AUTHN Attacks: Guess PWD/secrets Credential Harvesting Brute Force PWD, MiTM, MITB, Caching, POST reply

29. A9: Insecure Communication Identity Theft, Financial Loss A9 SSL/VPN A9 A9 JDBC/S Crypto Attacks Against Weak Cypto/Keys Unsecure Certs, Spoofing/Sniffing clear sensitive data in transit SSL Strong Ciphers/Min Standard Key Lengths SSL A9

43. Q & Q U E S T I O N S A N S W E R S

44. APPENDIX: Application Threat Modeling From Insecure Magazine, http://www.net-security.org/dl/insecure/INSECURE-Mag-17.pdf

45. OWASP Threat Risk Modeling Cycle OWASP Threat Risk Modeling http://www.owasp.org/index.php/Threat_Risk_Modeling

47. Step 2: Application Overview

49. Use and Abuse Cases From OWASP Security Testing Guide https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation

50. Understanding the Application: Data Flow Diagrams OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling

52. STRIDE Threat Categorization OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling

53. Threat Categorization: ASF Threat List https:// www.owasp.org/index.php/Application_Threat_Modeling

55. Threats, Vulnerability Conditions and Mitigations: Threat Trees OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling

56. STRIDE Threat And Countermeasures OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling

57. Countermeasure Identification https://www.owasp.org/index.php/Application_Threat_Modeling