SlideShare a Scribd company logo

Owasp Top 10-2013

n|u - The Open Security Community
n|u - The Open Security Community

null Mumbai Chapter - May 2013 Meet

Education
1 of 33
OWASP TOP 10 - 2013 Nitin Sharma
1. Injection 2. Broken authentication/session management 3. Cross-site scripting 4. Insecure Direct object refrences 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing function level access control 8. Cross site request forgery 9. Using components with more vulnerabilities 10. Unvalidated Redirects and Forwards OWASP Top 10 Web Application Security Vulnerabilities
 SQL injection is a software vulnerability that occurs when data entered by users is sent to the SQL interpreter as a part of an SQL query  Attackers provide specially crafted input data to the SQL interpreter and trick the interpreter to execute unintended commands  a SQL Injection attack exploits security vulnerabilities at the database layer. By exploiting the SQL injection flaw, attackers can create, read, modify, or delete sensitive data A1 Injection
Am I Vulnerable To Injection?  The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query. For SQL calls, this means using bind variables in all prepared statements and stored procedures, and avoiding dynamic queries.
 Preventing injection requires keeping untrusted data separate from commands and queries.  1.The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful of APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood.  2.If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. OWASP’s ESAPI provides many of these escaping routines.  3.Positive or “white list” input validation with appropriate canonicalization is also recommended, but is not a complete defense as many applications require special characters in their input. OWASP’s ESAPI has an extensible library of white list input validation routines. How Do I Prevent Injection?
Example String custname = request.getParameter("customerName"); // This should REALLY be validated too // perform input validation to detect attacks String query = "SELECT account_balance FROM user_data WHERE user_name = ? "; PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, custname); ResultSet results = pstmt.executeQuery( ); Prepared Statement Example
 Weak authentication  Password-only  Easily guessable usernames (admin, etc.)  Unencrypted secrets are sniffable  How to break in  Guess/reset password  Have app email you new password  Sniff or crack password  Backend authentication  How are database passwords stored?  Trust relationships between hosts (IP address can be spoofed, etc.)  Countermeasures  Strong passwords  Remove default user names  Protect sensitive files A2 Broken Authentication and Session Management
 Attacker uses trusted application/company to reflect malicious code to end-user  Attacker can “hide” the malicious code  Unicode encoding  2 types of attacks  Stored  Reflected  Countermeasures  input validation  Positive  Negative: “< > ( ) # &”  Don’t forget these: “&lt &gt &#40 &#41 &#35 &#38”  User/customer education A3 Cross-Site Scripting (XSS)
Types of XSS Refleced/Non persistant XSS
Stored / Persistent Xss
 Preventing XSS requires keeping untrusted data separate from active browser content.  1.The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into  2.Positive or “whitelist” input validation is also recommended as it helps protect against XSS, but is not a complete defense as many applications require special characters in their input. How Do I Prevent XSS?
 A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. A4 Insecure Direct Object References
Am I Vulnerable  The best way to find out if an application is vulnerable to insecure direct object references is to verify that all object references have appropriate defenses. To achieve this, consider:  Code review of the application can quickly verify whether either approach is implemented safely. Testing is also effective for identifying direct object references and whether they are safe. Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe.
 Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename):  Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object How Do I Prevent This?
 Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date. A5 Security Misconfiguration
Am I Vulnerable to Attack  1.Is everything unnecessary disabled, removed, or not installed (e.g. ports, services, pages, accounts, privileges)?  2.Are default account passwords changed or disabled?  3.Is your error handling set up to prevent stack traces and other overly informative error messages from leaking?  4.Are the security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries understood and configured properly? A concerted, repeatable process is required to develop and maintain a proper application security configuration.
 The primary recommendations are to establish all of the following:  1.A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically.  2.A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment. How Do I Prevent This?
 Many web applications do not properly protect sensitive data, such as credit cards, tax ids, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. A6 Sensitive Data Exposure
Am I Vulnerable to Data Exposure  The first thing you have to determine is which data is sensitive enough to require extra protection. For example, passwords, credit card numbers, health records, and personal information should be protected. For all such data, ensure:  1.It is encrypted everywhere it is stored long term, including backups of this data.  2.It is encrypted in transit, ideally internally as well as externally. All internet traffic should be encrypted.
 The full perils of unsafe cryptography, SSL usage, and data protection are well beyond the scope of the Top 10. That said, for all sensitive data, do all of the following, at a minimum:  1.Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.  2.Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.  3.Ensure strong standard algorithms and strong keys are used, and proper key management is in place. How Do I Prevent This?
 Virtually all web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access unauthorized functionality. A7 Missing function level access control
Am I Vulnerable to Function level Access  The best way to find out if an application has failed to properly restrict function level access is to verify every application function:  1.Does the UI show navigation to unauthorized functions?  2.Are proper authentication and authorization checked?
 1.The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific roles for access to every function.  2.If the function is involved in a workflow, check to make sure the conditions are in the proper state to allow access. How Do I Prevent Function level Access?
 A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. A8 Cross site request forgery
Am I Vulnerable to CSRF  See if each link and form includes an unpredictable token. Without such a token, attackers can forge malicious requests.  Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets. You should check multistep transactions, as they are not inherently immune.
 Preventing CSRF usually requires the inclusion of an unpredictable token in each HTTP request. Such tokens should, at a minimum, be unique per user session.  1.The preferred option is to include the unique token in a hidden field. This causes the value to be sent in the body of the HTTP request, avoiding its inclusion in the URL, which is subject to exposure.  2. OWASP’s ESAPI includes CSRF methods developers can use to prevent such vulnerabilities.  3.Requiring the user to reauthenticate, or prove they are a user (e.g., via a CAPTCHA) can also protect against CSRF How Do I Prevent CSRF?
 Vulnerable components, such as libraries, frameworks, and other software modules almost always run with full privilege. So, if exploited, they can cause serious data loss or server takeover. Applications using these vulnerable components may undermine their defenses and enable a range of possible attacks and impacts. A9 Using Components with Known Vulnerabilities
Am I Vulnerable ?  Determining if you are vulnerable requires searching the databases of your applications as well as keeping abreast of project mailing lists and announcements for anything that might be a vulnerability.
 Use components that you didn’t write. But realistically, the best way to deal with this risk is to ensure that you keep your components up-to-date. How Do I Prevent This?
 Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. A10 Unvalidated Redirects and Forwards
Am I Vulnerable to Redirection  The best way to find out if an application has any unvalidated redirects or forwards is to:  1.Review the code for all uses of redirect or forward (called a transfer in .NET). For each use, identify if the target URL is included in any parameter values. If so, verify the parameter(s) are validated to contain only an allowed destination, or element of a destination.  2.Also, spider the site to see if it generates any redirects.
 Safe use of redirects and forwards can be done in a number of ways:  1.Simply avoid using redirects and forwards.  2.If used, don’t involve user parameters in calculating the destination. This can usually be done.  3.If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorized for the user. It is recommended that any such destination parameters be a mapping value, rather than the actual URL or portion of the URL, and that server side code translate this mapping to the target URL. How Do I Prevent This?

Recommended

A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8Pavan M
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
InsecureDirectObjectReferences
InsecureDirectObjectReferencesInsecureDirectObjectReferences
InsecureDirectObjectReferencesmacanazon
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 

Recommended

A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8Pavan M
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
InsecureDirectObjectReferences
InsecureDirectObjectReferencesInsecureDirectObjectReferences
InsecureDirectObjectReferencesmacanazon
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityColin English
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Manjyot Singh
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web ApplicationPrecise Testing Solution
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaIshan Mathur
 
Security-testing presentation
Security-testing presentationSecurity-testing presentation
Security-testing presentationEzhilan Elangovan (Eril)
 
Introduction to security testing
Introduction to security testingIntroduction to security testing
Introduction to security testingNagasahas DS
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Vulnerability manager v1.0
Vulnerability manager v1.0Vulnerability manager v1.0
Vulnerability manager v1.0Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2robin_bene
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationVishal Kumar
 
The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...Ken DeSouza
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017ibrahimumer2
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsTechWell
 
Security testing
Security testingSecurity testing
Security testingRihab Chebbah
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017SamsonMuoki
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing rajRajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 

More Related Content

What's hot

Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityColin English
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Manjyot Singh
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaIshan Mathur
 
Introduction to security testing
Introduction to security testingIntroduction to security testing
Introduction to security testingNagasahas DS
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2robin_bene
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationVishal Kumar
 
The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...Ken DeSouza
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsTechWell
 

What's hot (20)

Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web Application
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTrana
 
Security-testing presentation
Security-testing presentationSecurity-testing presentation
Security-testing presentation
 
Introduction to security testing
Introduction to security testingIntroduction to security testing
Introduction to security testing
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
Vulnerability manager v1.0
Vulnerability manager v1.0Vulnerability manager v1.0
Vulnerability manager v1.0
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web application
 
The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web Apps
 
Security testing
Security testingSecurity testing
Security testing
 

Similar to Owasp Top 10-2013

Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017SamsonMuoki
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Richard Sullivan
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsKaran Nagrecha
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerShivamSharma909
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Application security testing an integrated approach
Application security testing an integrated approachApplication security testing an integrated approach
Application security testing an integrated approachIdexcel Technologies
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersBenjamin Floyd
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security RisksSperasoft
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 

Similar to Owasp Top 10-2013 (20)

Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing raj
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01
 
C01461422
C01461422C01461422
C01461422
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 Project
 
Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software Engineering
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
gpt.AI.docx
gpt.AI.docxgpt.AI.docx
gpt.AI.docx
 
Application security testing an integrated approach
Application security testing an integrated approachApplication security testing an integrated approach
Application security testing an integrated approach
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web Developers
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
News bytes null 200314121904
News bytes null 200314121904News bytes null 200314121904
News bytes null 200314121904
 

Recently uploaded

Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 

Recently uploaded (20)

Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 

Owasp Top 10-2013

  • 1. OWASP TOP 10 - 2013 Nitin Sharma
  • 2. 1. Injection 2. Broken authentication/session management 3. Cross-site scripting 4. Insecure Direct object refrences 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing function level access control 8. Cross site request forgery 9. Using components with more vulnerabilities 10. Unvalidated Redirects and Forwards OWASP Top 10 Web Application Security Vulnerabilities
  • 3.  SQL injection is a software vulnerability that occurs when data entered by users is sent to the SQL interpreter as a part of an SQL query  Attackers provide specially crafted input data to the SQL interpreter and trick the interpreter to execute unintended commands  a SQL Injection attack exploits security vulnerabilities at the database layer. By exploiting the SQL injection flaw, attackers can create, read, modify, or delete sensitive data A1 Injection
  • 4. Am I Vulnerable To Injection?  The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query. For SQL calls, this means using bind variables in all prepared statements and stored procedures, and avoiding dynamic queries.
  • 5.  Preventing injection requires keeping untrusted data separate from commands and queries.  1.The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful of APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood.  2.If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. OWASP’s ESAPI provides many of these escaping routines.  3.Positive or “white list” input validation with appropriate canonicalization is also recommended, but is not a complete defense as many applications require special characters in their input. OWASP’s ESAPI has an extensible library of white list input validation routines. How Do I Prevent Injection?
  • 6. Example String custname = request.getParameter("customerName"); // This should REALLY be validated too // perform input validation to detect attacks String query = "SELECT account_balance FROM user_data WHERE user_name = ? "; PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, custname); ResultSet results = pstmt.executeQuery( ); Prepared Statement Example
  • 7.  Weak authentication  Password-only  Easily guessable usernames (admin, etc.)  Unencrypted secrets are sniffable  How to break in  Guess/reset password  Have app email you new password  Sniff or crack password  Backend authentication  How are database passwords stored?  Trust relationships between hosts (IP address can be spoofed, etc.)  Countermeasures  Strong passwords  Remove default user names  Protect sensitive files A2 Broken Authentication and Session Management
  • 8.  Attacker uses trusted application/company to reflect malicious code to end-user  Attacker can “hide” the malicious code  Unicode encoding  2 types of attacks  Stored  Reflected  Countermeasures  input validation  Positive  Negative: “< > ( ) # &”  Don’t forget these: “&lt &gt &#40 &#41 &#35 &#38”  User/customer education A3 Cross-Site Scripting (XSS)
  • 9. Types of XSS Refleced/Non persistant XSS
  • 11.  Preventing XSS requires keeping untrusted data separate from active browser content.  1.The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into  2.Positive or “whitelist” input validation is also recommended as it helps protect against XSS, but is not a complete defense as many applications require special characters in their input. How Do I Prevent XSS?
  • 12.  A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. A4 Insecure Direct Object References
  • 13. Am I Vulnerable  The best way to find out if an application is vulnerable to insecure direct object references is to verify that all object references have appropriate defenses. To achieve this, consider:  Code review of the application can quickly verify whether either approach is implemented safely. Testing is also effective for identifying direct object references and whether they are safe. Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe.
  • 14.  Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename):  Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object How Do I Prevent This?
  • 15.  Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date. A5 Security Misconfiguration
  • 16. Am I Vulnerable to Attack  1.Is everything unnecessary disabled, removed, or not installed (e.g. ports, services, pages, accounts, privileges)?  2.Are default account passwords changed or disabled?  3.Is your error handling set up to prevent stack traces and other overly informative error messages from leaking?  4.Are the security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries understood and configured properly? A concerted, repeatable process is required to develop and maintain a proper application security configuration.
  • 17.  The primary recommendations are to establish all of the following:  1.A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically.  2.A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment. How Do I Prevent This?
  • 18.  Many web applications do not properly protect sensitive data, such as credit cards, tax ids, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. A6 Sensitive Data Exposure
  • 19. Am I Vulnerable to Data Exposure  The first thing you have to determine is which data is sensitive enough to require extra protection. For example, passwords, credit card numbers, health records, and personal information should be protected. For all such data, ensure:  1.It is encrypted everywhere it is stored long term, including backups of this data.  2.It is encrypted in transit, ideally internally as well as externally. All internet traffic should be encrypted.
  • 20.  The full perils of unsafe cryptography, SSL usage, and data protection are well beyond the scope of the Top 10. That said, for all sensitive data, do all of the following, at a minimum:  1.Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.  2.Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.  3.Ensure strong standard algorithms and strong keys are used, and proper key management is in place. How Do I Prevent This?
  • 21.  Virtually all web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access unauthorized functionality. A7 Missing function level access control
  • 22. Am I Vulnerable to Function level Access  The best way to find out if an application has failed to properly restrict function level access is to verify every application function:  1.Does the UI show navigation to unauthorized functions?  2.Are proper authentication and authorization checked?
  • 23.  1.The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific roles for access to every function.  2.If the function is involved in a workflow, check to make sure the conditions are in the proper state to allow access. How Do I Prevent Function level Access?
  • 24.  A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. A8 Cross site request forgery
  • 25.
  • 26. Am I Vulnerable to CSRF  See if each link and form includes an unpredictable token. Without such a token, attackers can forge malicious requests.  Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets. You should check multistep transactions, as they are not inherently immune.
  • 27.  Preventing CSRF usually requires the inclusion of an unpredictable token in each HTTP request. Such tokens should, at a minimum, be unique per user session.  1.The preferred option is to include the unique token in a hidden field. This causes the value to be sent in the body of the HTTP request, avoiding its inclusion in the URL, which is subject to exposure.  2. OWASP’s ESAPI includes CSRF methods developers can use to prevent such vulnerabilities.  3.Requiring the user to reauthenticate, or prove they are a user (e.g., via a CAPTCHA) can also protect against CSRF How Do I Prevent CSRF?
  • 28.  Vulnerable components, such as libraries, frameworks, and other software modules almost always run with full privilege. So, if exploited, they can cause serious data loss or server takeover. Applications using these vulnerable components may undermine their defenses and enable a range of possible attacks and impacts. A9 Using Components with Known Vulnerabilities
  • 29. Am I Vulnerable ?  Determining if you are vulnerable requires searching the databases of your applications as well as keeping abreast of project mailing lists and announcements for anything that might be a vulnerability.
  • 30.  Use components that you didn’t write. But realistically, the best way to deal with this risk is to ensure that you keep your components up-to-date. How Do I Prevent This?
  • 31.  Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. A10 Unvalidated Redirects and Forwards
  • 32. Am I Vulnerable to Redirection  The best way to find out if an application has any unvalidated redirects or forwards is to:  1.Review the code for all uses of redirect or forward (called a transfer in .NET). For each use, identify if the target URL is included in any parameter values. If so, verify the parameter(s) are validated to contain only an allowed destination, or element of a destination.  2.Also, spider the site to see if it generates any redirects.
  • 33.  Safe use of redirects and forwards can be done in a number of ways:  1.Simply avoid using redirects and forwards.  2.If used, don’t involve user parameters in calculating the destination. This can usually be done.  3.If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorized for the user. It is recommended that any such destination parameters be a mapping value, rather than the actual URL or portion of the URL, and that server side code translate this mapping to the target URL. How Do I Prevent This?