Within end of March, the OWASP foundation will release the 2010 version of its major documentation project, the "Top 10 security risks in web applications."
Agenda:
- The 10 most common web application attacks
- Discovering the OWASP Top 10 document
- Integrating the Top 10 within an existing SDLC, as a software vendor, or a software buyer.
1. OWASP Top 10 - 2010 rc1The Top 10 Most Critical Web Application Security RisksAntonio FontesOWASP Geneva Chapter Leaderantonio.fontes@owasp.org
2. Agenda 10 ways to attack web applications The OWASP Top 10 rc1 Project Integrating the Top 10 in an existing SDLC/SALC Q&A 2 Antonio Fontes / Confoo Conference, Montreal / 2010
3. About the OWASP Open Web Application Security Project “Helping organizations secure their web applications.” Documentation and tools projects 130 local chapters worldwide http://www.owasp.org Antonio Fontes / Confoo Conference, Montreal / 2010 3
4. About me… Antonio Fontes, from Geneva (Switzerland) >1999: Web developer >2005: Ethical hacker / Security analyst >2008: Security & Privacy manager (banking software ISV) >2008: OWASP Geneva Chapter Leader >2010: Information Security Consultant SANS/CWE Top 25 Most Dangerous Programming Errors contributor 4 Antonio Fontes / Confoo Conference, Montreal / 2010
5. And about you? Coders? Testers? Managers? Hardcore OWASP Top 10 users? 5 Antonio Fontes / Confoo Conference, Montreal / 2010
11. Risk A6: Security misconfiguration 11 Antonio Fontes / Confoo Conference, Montreal / 2010
12. What is the risk? If there is a weaker link than the web application itself, the attacker will switch to the flawed layer. What are the countermeasures? Harden all layers Reduce services and accounts to the minimum No default passwords Keep everything up to date Apply security guidelines (OS security, Web server security, Application server security, etc.) Keep default web application configuration safe “Deploy securely on a secure architecture” 12 Antonio Fontes / Confoo Conference, Montreal / 2010
13. Attacking the infrastructure Attacking the application Attacking the users Other attacks 13 Antonio Fontes / Confoo Conference, Montreal / 2010
14. Attacking the application injecting hostile code… 14 Antonio Fontes / Confoo Conference, Montreal / 2010
15. what if? 15 Antonio Fontes / Confoo Conference, Montreal / 2010
16. 16 what if? SELECT * FROM users usrWHERE usr.username = 'admin ';--‘AND usr.password = ‘bb21158c733229347bd4e681891e213d94c685be’ Antonio Fontes / Confoo Conference, Montreal / 2010
17. 17 what if? Antonio Fontes / Confoo Conference, Montreal / 2010
18. what if? 18 Antonio Fontes / Confoo Conference, Montreal / 2010
19. 19 Any user input is a potential attack vector. Antonio Fontes / Confoo Conference, Montreal / 2010
20. Risk A1: Injections 20 Antonio Fontes / Confoo Conference, Montreal / 2010
21. RISK? Any application entry point can be used as a vector to inject hostile content that will modify expected behaviors. GOOD TO KNOW All non-binding query languages are exposed! (LDAP and Xpath….) 21 Antonio Fontes / Confoo Conference, Montreal / 2010
22. COUNTERMEASURES? All input can be modified client-side. Be sure to validate: Querystring parameters Form fields (hidden fields also count) File submissions : if you’re expecting a picture, then make sure it is a picture! Cookies HTTP headers: all fields, including referrer are “user input” 22 Antonio Fontes / Confoo Conference, Montreal / 2010
23. COUNTERMEASURES? (cont’d) Neverpaste user input into query commands (SQL, Xpath, LDAP, OS commands, etc.): Use binding variables such as SQL parameters: If no binding model, encode input before pasting: Doubled quotes (‘’) for SQL server Escaped quotes () for MySQL (PHP addslashes is helpful!) Etc. 23 Antonio Fontes / Confoo Conference, Montreal / 2010
24. COUNTERMEASURES ?(cont’d) Choose best validation strategy! Best: Whitelist When all possible values are known (enums, if/else if statements, regular expressions, …) Graylist: Enforce business rules: Type: string, numeric, byte, … Range: >0, <MaxInt, [a-z]{3,20} Weakest: Blacklist if(input.IndexOf(“<script>”)>=0) //reject 24 Antonio Fontes / Confoo Conference, Montreal / 2010
25. Attacking the application playing with obvious identifiers… 25 Antonio Fontes / Confoo Conference, Montreal / 2010
26. what if? 26 99999999 Antonio Fontes / Confoo Conference, Montreal / 2010
27. what if? 27 1234567 Antonio Fontes / Confoo Conference, Montreal / 2010
28. Risk A4: Insecure direct object references 28 Antonio Fontes / Confoo Conference, Montreal / 2010
29. What is the risk? All references can modified client-side. An attacker might be able to access and/or modify confidential information. What are the countermeasures? Never send internal references to the browser: Use temporary or random number mapping (#0, #1, #2, #3, etc.) OR combine referenced access with access control: SELECT * FROM item WHERE id = $id AND owner = $uID UPDATE item … WHERE id = $id AND owner = $id 29 Antonio Fontes / Confoo Conference, Montreal / 2010
30. Attacking the application breaking session and authentication mechanisms… 30 Antonio Fontes / Confoo Conference, Montreal / 2010
31. what if? 31 Antonio Fontes / Confoo Conference, Montreal / 2010
32. what if? 32 Antonio Fontes / Confoo Conference, Montreal / 2010
33. what if? 33 Antonio Fontes / Confoo Conference, Montreal / 2010
34. Risk A3: Broken authentication or session management 34 Antonio Fontes / Confoo Conference, Montreal / 2010
35. What is the risk? HTTP is a stateless protocol. Each request must transmit ‘session’ information over the network. Authentication mechanisms are highly targeted by attackers , at all levels: forms, traffic, stored data. What are the countermeasures? Use simple, centralized and standardized session mechanism Enable cookie security attributes (secure flag, httponly flag, encryption and integrity control) Validate session identifiers Is the sessionID coming from the right place? 35 Antonio Fontes / Confoo Conference, Montreal / 2010
36. countermeasures? (cont’d) Make sure ‘logoff’ actually invalidates the session. Prevent bruteforcing attacks, but also prevent denial of service on legitimate accounts Enforce secure password recovery Authenticate before resetting Review, review, review authentication (and logoff) code manually! 36 Antonio Fontes / Confoo Conference, Montreal / 2010
37. Attacking the application finding hidden “secret” URLs… 37 Antonio Fontes / Confoo Conference, Montreal / 2010
38. what if? 38 Antonio Fontes / Confoo Conference, Montreal / 2010
39. what if? 39 Antonio Fontes / Confoo Conference, Montreal / 2010
40. Risk A7: Failure to restrict URL access 40 Antonio Fontes / Confoo Conference, Montreal / 2010
41. What is the risk? URLs that lead to confidential resources can be easily sent, stored (bookmarks), monitored (proxies, security devices) and sometimes, guessed. What are the countermeasures? Completely disallow access to sensitive file types Validate ALL incoming requests Authorize explicitly (web.xml, ASP.Net page lifecycle, etc.) Don’t expose physical documents with permanent or guessable URLs 41 Antonio Fontes / Confoo Conference, Montreal / 2010
42. Attacking the infrastructure Attacking the application Attacking the users Other attacks 42 Antonio Fontes / Confoo Conference, Montreal / 2010
43. Attacking the users redirecting users elsewhere… 43 Antonio Fontes / Confoo Conference, Montreal / 2010
44. what if? 44 Antonio Fontes / Confoo Conference, Montreal / 2010
45. Risk A8: Non-validated redirects and forwards 45 Antonio Fontes / Confoo Conference, Montreal / 2010
46. What is the risk? An attacker may use your website reputation as a vector to redirect victims to a hostile website. What are the countermeasures? Never allow absolute URL redirection. If not possible: Use a whitelist of valid hosts Show a warning before redirecting the user If using a “web portal”, make sure redirect pages do not include sensitive information in URLs (aka single-signon-on information) 46 Antonio Fontes / Confoo Conference, Montreal / 2010
47. Attacking the users running client hostile code in the website… 47 Antonio Fontes / Confoo Conference, Montreal / 2010
48. what if? 48 Antonio Fontes / Confoo Conference, Montreal / 2010
49. what if? 49 Antonio Fontes / Confoo Conference, Montreal / 2010
50. Risk A2: Cross-site scripting 50 Antonio Fontes / Confoo Conference, Montreal / 2010
51. What is the risk? An attacker might inject client-side hostile code in the web application, which will be returned to a victim. 51 Antonio Fontes / Confoo Conference, Montreal / 2010
52. What are the countermeasures? Sanitize output. Encode to destination format. For HTML output, use HtmlEntities: <div id=“comment”>Here is my <script>attack</script></div> <div id=“comment”>Here is my <script>attack</script></div> 52 Antonio Fontes / Confoo Conference, Montreal / 2010
53. What are the countermeasures? Sanitize output, encode to destination format: For XML output, use predefined entities: <says>“here is my <script>”</says> <says><![CDATA[here is my <script>]]></says> <says>my input is <script></says> <says>my input is <script></says> 53 Antonio Fontes / Confoo Conference, Montreal / 2010
54. Attacking the users replaying predictable requests… 54 Antonio Fontes / Confoo Conference, Montreal / 2010
55. what if? 55 Antonio Fontes / Confoo Conference, Montreal / 2010
56. what if? 56 Antonio Fontes / Confoo Conference, Montreal / 2010
57. Risk A5: Cross-site Request Forgery 57 Antonio Fontes / Confoo Conference, Montreal / 2010
58. What is the risk? An attacker might build her own website and trigger requests on the visitor’s browser. (yes, that’s exactly what it seems to be...) 58 Antonio Fontes / Confoo Conference, Montreal / 2010
59. What are the countermeasures? Implement unpredictable requests for all sensitive actions Use temporary random hidden control fields: <input type=hidden name=check value=ab23b4a/> Link forms to the user session: if(!(Request.Form[“checker”]).Equals(SessionID)) // return error Use CAPTCHA Use out-of-band verification: SMS / Voice call / Cryptographic tokens, etc. 59 Antonio Fontes / Confoo Conference, Montreal / 2010
60. Attacking the infrastructure Attacking the application Attacking the users Other attacks 60 Antonio Fontes / Confoo Conference, Montreal / 2010
61. Other attacks breaking weak cryptography… 61 Antonio Fontes / Confoo Conference, Montreal / 2010
62. what if? Encrypting with Base64 $cookie = base64($sessionId); 62 It’s not encryption, it’s encoding! Antonio Fontes / Confoo Conference, Montreal / 2010
63. what if? Encrypting user passwords with AES256 $password = encrypt($get_[“password”],AES256,key); 63 reversible encryption! Antonio Fontes / Confoo Conference, Montreal / 2010
64. what if? Hashing user passwords with md5 $password = md5($get_[“password”]); 64 weak algorithm! Antonio Fontes / Confoo Conference, Montreal / 2010
65. what if? Hashing user passwords with SHA-256 $password = sha($get_[“password”]); 65 Missing seed! Antonio Fontes / Confoo Conference, Montreal / 2010
66. what if? Building keys with Math.Random Byte[] key = Math.RandBytes(128); 66 Weak random number generator! Antonio Fontes / Confoo Conference, Montreal / 2010
67. what if? Deriving a key from human entered secret $key = md5($GET_[“secret”]); 67 Weak key entropy! Antonio Fontes / Confoo Conference, Montreal / 2010
68. what if? Using ECB mode of operation $bytes = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} $bytes2 = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} 68 Weak mode of operation! Antonio Fontes / Confoo Conference, Montreal / 2010
69. what if? Using CBC mode of operation $bytes = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} $bytes2 = encrypt($text, key); // returns: {0xAF00CADACCE34A4D} 69 Non-random initialization vectors! Antonio Fontes / Confoo Conference, Montreal / 2010
70. what if? Decrypting with internal secret String clearText = CryptUtils.Decrypt($bytes, Parameters.SecretKey); 70 Hard-coded secret! Antonio Fontes / Confoo Conference, Montreal / 2010
71. what if? blablabla 71 Another problem. Antonio Fontes / Confoo Conference, Montreal / 2010
72. Risk A9: Insecure cryptographic storage 72 Antonio Fontes / Confoo Conference, Montreal / 2010
73. What is the risk? An attacker might not need as much time as you expected to decrypt your data. If one of these words sounds foggy to you, there is a risk: Asymmetric/symmetric encryption, offline encryption, online encryption, CBC, key entropy, initialization vector, ECB, message authentication code, PBKDF2 (RFC2898), constant time operation, Rijndael, AES, 3DES, DSA, RSA, ECC, SHA, keyring, DPAPI, … 73 Antonio Fontes / Confoo Conference, Montreal / 2010
74. What are the countermeasures? Don’t do cryptography by yourself Use business level APIs: Use open-source reference implementations (OpenSSL, Truecrypt, etc.) Use expert-community-driven libraries (OWASP ESAPI, …) Take classes… 74 Antonio Fontes / Confoo Conference, Montreal / 2010
75. Other attacks observing the environment… 75 Antonio Fontes / Confoo Conference, Montreal / 2010
77. Risk A10: Insufficient transport layer protection 77 Antonio Fontes / Confoo Conference, Montreal / 2010
78. What is the risk? Traffic eavesdropping, due to insufficient transport layer protection. What are the countermeasures? Require an SSL encrypted link. Use appropriate certificates (signed and valid). Prevent cookies from leaving the encrypted link (“secure” flag enabled). 78 Antonio Fontes / Confoo Conference, Montreal / 2010
79. 79 Antonio Fontes / Confoo Conference, Montreal / 2010 WHAT IS THE RISK LEVEL ? LOW HIGH
80. Part 2: Assessing the risks induced by these 10 attacks 80 Antonio Fontes / Confoo Conference, Montreal / 2010
96. Part 3: Integrating the Top 10 into an existing software development / acquisition lifecycle 86 Antonio Fontes / Confoo Conference, Montreal / 2010
97. Antonio Fontes / ConfooConference, Montreal / 2010 The Top 10 in your SDLC/SALC 87 Secure coding Metrics analysis Security testing Secure design Software vendor PERSONEL TRAINING QUALITY ASSURANCE Software buyer Penetration test Design review reports Security test results Contract conditions SLA support
98. Conclusion Your web application will be hacked. ; ) 88 Antonio Fontes / Confoo Conference, Montreal / 2010
99. Conclusion But if you use the Top 10… 89 Antonio Fontes / Confoo Conference, Montreal / 2010
100. Conclusion It won’t be the cheap way… 90 Antonio Fontes / Confoo Conference, Montreal / 2010
101. Conclusion And it won’t be the embarrassing way… 91 Antonio Fontes / Confoo Conference, Montreal / 2010
102. Conclusion You now know the 10 riskiest flaws in web applications. 92 Antonio Fontes / Confoo Conference, Montreal / 2010
103. Conclusion But there’s still a lot to see… 93 CWE/SANS Top 25 Programming errors WASC Threat Classification Threat modeling OWASP Application Security Verification Standard (ASVS) Open Software Assurance Maturity Model Antonio Fontes / Confoo Conference, Montreal / 2010
107. Copyright You are free: To share (copy, distribute, transmit) To remix But only if: You attribute this work You use it for non-commercial purposes And you keep sharing your result the same way I did 97 Antonio Fontes / Confoo Conference, Montreal / 2010