1. OWASP Top Ten in Latvia
Most common web security problems
Agris Krusts, IT Centrs, SIA
2018
2. Who am I
• Agris Krusts, founder of IT Centrs, security consultant
• Managing pen-testing engagements, pen-tests, security audits, training
• E-mail: Agris.Krusts@itcentrs.lv
• Twitter: @agris_krusts
• www.itcentrs.lv
© Agris Krusts, SIA IT Centrs, 2018
5. Data source
• Pen-tests from the last 2 - 3 years
• ~ 130 systems
• Usually test environments
• Each finding mapped to the appropriate OWASP Testing Guide v4 control
• Detailed statistics show only the most "popular" problems
• Compared to similar data from 2011 - 2014
6. Exceptions from OWASP Top 10 2017
• No stats for:
• A8:2017-Insecure Deserialization
• A10:2017-Insufficient Logging & Monitoring
7. Injections
• Down from ~40% to less than 10%
• The majority is still SQLi (7)
• The rest: XML and code injections
8. Broken Authentication and session management
Share of vulnerable systems:
Session fixation: 11%
Logout problems: 15%
Session timeouts: 13%
Bypassing authentication: 18%
Problems in password reset: 7%
Weak passwords: 13%
9. Broken Authentication and session management
• Session fixation down from 30% to 11%
• Missing Secure and HttpOnly cookie flags down from 44% to 5%
• Still, some do not learn
11. Sensitive Data Exposure
• SSL problems up from 27% to 31%
• Sensitive information over HTTP down from 40% to 10%
12. XML External Entities
• Separate category
• Only a couple in Latvia
• Something like this ...
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/inetpub/secret.xml" >]>
<login>
<username>&xxe;</username>
</login>
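The payload on the slide, run against a parser that actually resolves external entities and against a hardened one. This is an added example and not code from the talk: it assumes a login endpoint that parses the `<login>` document and reads `<username>`, uses Python's `xml.sax` because its `feature_external_ges` switch reproduces the misconfiguration exactly, and stands in a constructed temporary file for `c:/inetpub/secret.xml`.

```python
"""XXE against a <login> endpoint: vulnerable parser beside a hardened one.

Added example, not from the original talk. Assumptions: the endpoint reads
<username> from the posted document; the secret file is a constructed
temporary file standing in for c:/inetpub/secret.xml from the slide.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class UsernameHandler(handler.ContentHandler):
    """Collects the character data inside <username>."""

    def __init__(self):
        super().__init__()
        self.in_username = False
        self.username = ""

    def startElement(self, name, attrs):
        if name == "username":
            self.in_username = True

    def endElement(self, name):
        if name == "username":
            self.in_username = False

    def characters(self, content):
        # Called for the document's own text and, when external entities are
        # resolved, for the text expat pulls in from the entity's SYSTEM file.
        if self.in_username:
            self.username += content


def xxe_payload(secret_path: str) -> bytes:
    """The slide's payload with the SYSTEM id pointed at our constructed file."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [<!ELEMENT foo ANY >"
        f'<!ENTITY xxe SYSTEM "{secret_path}" >]>\n'
        "<login>\n"
        "  <username>&xxe;</username>\n"
        "</login>\n"
    ).encode("latin-1")


def parse_login_vulnerable(xml_bytes: bytes) -> str:
    """Resolves external general entities: the XXE misconfiguration."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)   # the bug
    h = UsernameHandler()
    parser.setContentHandler(h)
    parser.parse(io.BytesIO(xml_bytes))
    return h.username


def parse_login_safe(xml_bytes: bytes) -> str:
    """Rejects any DTD up front and keeps entity resolution switched off."""
    # XML keywords are case-sensitive, so these two markers cover every DTD.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD and entity declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)  # stdlib default, made explicit
    h = UsernameHandler()
    parser.setContentHandler(h)
    parser.parse(io.BytesIO(xml_bytes))
    return h.username


def demo() -> dict:
    """Runs both parsers over the payload and reports what each one did."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.xml")
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write("db-password=hunter2")           # constructed secret
        payload = xxe_payload(secret_path)
        leaked = parse_login_vulnerable(payload)     # file content lands in <username>
        try:
            parse_login_safe(payload)
            rejected = False
        except ValueError:
            rejected = True
    benign = parse_login_safe(b"<login><username>agris</username></login>")
    return {"leaked": leaked, "rejected": rejected, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

The vulnerable variant returns the file's contents as the username, which is exactly what the tester sees echoed back in the response or in an error page. Rejecting the DTD before parsing is the cheapest fix; it also closes the billion-laughs variant, which the "entities off" switch alone does not.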
14. Broken Access Control
• Authorization problems in general down from 40%
• Direct object reference down from 33% to 11%
15. Security Misconfiguration (most popular)
Share of systems:
Platform configuration errors: 17%
Old backups and unreferenced files with sensitive information: 13%
Accessible admin interfaces: 9%
No HSTS headers: 26%
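The three findings that recur across the session-management slide (missing Secure/HttpOnly, session fixation) and this one (no HSTS) can all be checked from raw HTTP responses. The following is an added example and not code from the talk: the responses are constructed, the session cookie name `SESSIONID` and the one-year HSTS minimum are assumptions.

```python
"""Response-header audit for cookie flags, HSTS and session fixation.

Added example, not from the original talk. The HTTP responses below are
constructed; the cookie name SESSIONID and HSTS_MIN_MAX_AGE are assumptions.
"""
import re

HSTS_MIN_MAX_AGE = 31536000   # assumed threshold: one year


def parse_headers(raw: str) -> list:
    """Splits a raw HTTP response head into (lower-cased name, value) pairs."""
    pairs = []
    for line in raw.splitlines()[1:]:            # skip the status line
        if ":" in line:
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value: str) -> tuple:
    """Returns (name, value, attributes); attribute names are lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), val, attrs


def audit_response(raw: str) -> list:
    """Findings for a single response: cookie flags and HSTS policy."""
    findings = []
    hsts = None
    for name, value in parse_headers(raw):
        if name == "set-cookie":
            cname, _, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cname}: missing Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {cname}: missing HttpOnly")
        elif name == "strict-transport-security":
            hsts = value
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age below {HSTS_MIN_MAX_AGE}s: {hsts}")
    return findings


def session_fixation(pre_login: str, post_login: str, cookie: str = "SESSIONID") -> bool:
    """True when the session id issued before authentication survives login."""
    def session_value(raw):
        for name, value in parse_headers(raw):
            if name == "set-cookie":
                cname, val, _ = parse_set_cookie(value)
                if cname == cookie:
                    return val
        return None
    pre, post = session_value(pre_login), session_value(post_login)
    # No fresh Set-Cookie after login, or the same id re-issued, means an
    # attacker-planted id stays valid for the authenticated session.
    return pre is not None and (post is None or post == pre)


# Constructed responses: a weak pair and a corrected pair.
WEAK = ("HTTP/1.1 200 OK\r\n"
        "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
        "Strict-Transport-Security: max-age=300\r\n\r\n")
LOGIN_WEAK = "HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"     # id not rotated
FIXED = ("HTTP/1.1 200 OK\r\n"
         "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
         "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
LOGIN_FIXED = ("HTTP/1.1 302 Found\r\nLocation: /home\r\n"
               "Set-Cookie: SESSIONID=zzz999; Path=/; Secure; HttpOnly; SameSite=Lax\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_response(raw))
    print("fixation (weak):", session_fixation(WEAK, LOGIN_WEAK))
    print("fixation (fixed):", session_fixation(FIXED, LOGIN_FIXED))
```

The fixation check is the same test an OWASP Testing Guide v4 session-management case describes: capture the cookie before authenticating, authenticate, and confirm the server issued a different id. A short `max-age` is counted as a finding because a policy that expires in minutes protects only the current visit.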
16. Using Components with Known Vulnerabilities
239 instances in 130 systems!
18. Cross-site scripting
• Down from 46% for dynamic (reflected) and 36% for stored
• Less risk in dynamic XSS because browsers block it
• Higher risk because data may travel across many systems
22. Number of issues
A1: Injection: 10
A2: Broken Authentication and session management: 134
A3: Sensitive Data Exposure: 89
A4: XML External Entities: 2
A5: Broken Access Control: 27
A6: Security Misconfiguration: 97
A7: Cross-Site Scripting: 59
A9: Using Components with Known Vulnerabilities: 239
23. Conclusions
• Web applications are becoming more secure, at least some of them
• Frameworks help
• Some developers produce more secure code than others
• Old problems, where they still exist, are more difficult to exploit
• More problems in "new" technologies
25. Agris Krusts
SIA IT Centrs
E-mail: agris.krusts@itcentrs.lv
Phone: +371 29151412
Twitter: @agris_krusts
www.itcentrs.lv