Presentation on theme: "OWASP’s Ten Most Critical Web Application Security Vulnerabilities"— Presentation transcript:
1OWASP’s Ten Most Critical Web Application Security Vulnerabilities Jeff Williams, CEO Aspect Security, Inc.
2Open Web Application Security Project What is an OWASP?Open Web Application Security ProjectOpen group focused on understanding and improving the security of web applications and web services!Hundreds of volunteer experts from around the worldTop Ten ProjectRaise awareness with a simple messageLead by Aspect SecurityGo download “The Guide” right now!aspect
3What is Web Application Security? Not Network SecuritySecuring the “custom code” that drives a web applicationSecuring librariesSecuring backend systemsSecuring web and application serversNetwork Security Mostly Ignores the Contents of HTTP TrafficFirewalls, SSL, Intrusion Detection Systems, Operating System Hardening, Database Hardening
4Your Code is Part of Your Security Perimeter Your security “perimeter” has huge holes at the application layerCustom Developed Application CodeApplication LayerDatabasesLegacy SystemsWeb ServicesDirectoriesHuman ResrcsBillingAPPLICATION ATTACKApp ServerWeb ServerHardened OSMAIN THEME: applications are different than networks – software is full of holesHTTP Request is like an ENVELOPE that passes thru all those components. Envelope is finally opened by YOUR CODE.Introduce SSL, only prevents eavesdropping. Actually helps hacker by protecting their attacks with a tunnel.LMCO apps may be internal users, but that doesn’t deplete the threat environment. So, the picture above still applies to internal apps.Network LayerFirewallFirewallYou can’t use network layer protection (firewall, SSL, IDS, hardening)to stop or detect application layer attacks
5Let’s just think this through… Why Should I Care?Let’s just think this through…How likely is a successful web application attack?Stunningly prevalentEasy to exploit without special tools or knowledgeLittle chance of being detectedHundreds of thousands of developers, tiny fraction with securityConsequences?Corruption or disclosure of database contentsRoot access to web and application serversLoss of authentication and access control for usersDefacementSecondary attacks from your siteWeb Application Security is just as important as Network SecurityWhy does the vast majority of security money go to secure networks?
61. Unvalidated Parameters HTTP requests from browsers to web appsURL, Querystring, Form Fields, Hidden Fields, Cookies, HeadersWeb apps use this information to generate web pagesAttackers can modify anything in requestWebScarabKey Points:Check before you use anything in HTTP requestCanonicalize before you checkClient-side validation is irrelevantReject anything not specifically allowedType, min/max length, character set, regex, min/max value…
72. Broken Access ControlAccess control is how you keep one user away from other users’ informationThe problem is that many environments provide authentication, but don’t handle access control wellMany sites have a complex access control policyInsidiously difficult to implement correctlyKey PointsWrite down your access control policyDon’t use any “id’s” that an attacker can manipulateImplement access control in a centralized module
83. Broken Account and Session Management Account ManagementHandling credentials across client-server gapBackend authentication credentials tooSession ManagementHTTP is a “stateless” protocol. Web apps need to keep track of which request came from which user“Brand” sessions with an id using cookie, hidden field, URL tag, etc…Key PointsKeep credentials secret at all timesUse only the random sessionid provided by your environment
10Web applications read all types of input from users 5. Buffer OverflowsWeb applications read all types of input from usersLibraries, DLL’s, Server code, Custom code, ExecC and C++ code is vulnerable to buffer overflowsInput overflows end of buffer and overwrites the stackCan be used to execute arbitrary codeKey PointsDon’t use C or C++Be careful about reading into buffersUse safe string libraries correctly
116. Command Injection Flaws Web applications involve many interpretersOS calls, SQL databases, templating systemsMalicious codeSent in HTTP requestExtracted by web applicationPassed to interpreter, executed on behalf of web appKey PointsUse extreme care when invoking an interpreterUse limited interfaces where possible (PreparedStatement)Check return values
127. Error Handling Problems Errors occur in web applications all the timeOut of memory, too many users, timeout, db failureAuthentication failure, access control failure, bad inputHow do you respond?Need to tell user what happened (no hacking clues)Need to log an appropriate (different) messageLogout, , pager, clear credit card, etc…Key Points:Make sure error screens don’t print stack tracesDesign your error handling schemeConfigure your server
138. Insecure Use of Cryptography Use cryptography to store sensitive informationAlgorithms are simple to use, integrating them is hardKey PointsDo not even think about inventing a new algorithmBe extremely careful storing keys, certs, and passwordsRethink whether you need to store the informationDon’t store user passwords – use a hash like SHA-256The “master secret” can be split into two locations and assembledConfiguration files, external servers, within the code
149. Remote Administration Flaws Many sites allow remote administrationVery powerful, often hidden interfacesDifficult to protectKey PointsEliminate all administration over the InternetSeparate the admin application from the main appLimit the scope of remote administrationConsider strong authenticationSmart card or token
1510. Web and Application Server Misconfiguration All web and application servers have many security-relevant configuration optionsDefault accounts and passwordsUnnecessary default, backup, sample apps, librariesOverly informative error messagesMisconfigured SSL, default certificates, self-signed certsUnused administrative servicesKey Points:Keep up with patches (Code Red, Slammer)Use Scanning Tools (Nikto, Nessus)Harden your servers!
16A Simple Program for Getting Healthy TrainingRead the Top Ten paper!Get developers trained in web application securityTry OWASP WebGoat to learn how flaws workPolicyWrite down the security rules for your applicationReviewsGet expert code review and penetration test periodically
17Software Development Organizations Educators Project Managers A Call To Arms!CustomersDemand web applications that don’t have these ten simple problemsDevelopersTake responsibility for securing your codeSoftware Development OrganizationsGuarantee that your web applications don’t have the top ten flawsEducatorsStop teaching insecure codingProject ManagersSplit your security budget between network and applicationMake security part of developer performance reviews