2Top Ten Web App Vulnerabilities OWASP top ten web application vulnerabilities – 2007 reportVulnerabilitiesA1 - Cross Site Scripting (XSS)A2 - Injection FlawsA3 - Malicious File ExecutionA4 - Insecure Direct Object ReferenceA5 - Cross Site Request Forgery (CSRF)A6 - Information Leakage and Improper Error HandlingA7 - Broken Authentication and Session ManagementA8 - Insecure Cryptographic StorageA9 - Insecure CommunicationsA10 - Failure to Restrict URL Access
3Top Ten Web App Vulnerabilities OWASP top ten web application vulnerabilities – 2010 reportVulnerabilitiesA1 - Injection FlawsA2 - Cross Site Scripting (XSS)A3 – Broken Authentication and Session ManagementA4 - Insecure Direct Object ReferenceA5 - Cross Site Request Forgery (CSRF)A6 – Security misconfigurationA7 - Insecure Cryptographic StorageA8 - Failure to Restrict URL AccessA9 – Insufficient transport layer protectionA10 – Unvalidated redirect and forwards
4Cross-Site Scripting and Injection Flows See Week 10 materials
5Insecure Direct Object Reference A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
6IDOR ProtectionAvoid exposing direct object references to users by using either ofan index,indirect reference map,or other indirect method that is easy to validate.If a direct object reference must be used, ensure that the user is authorized before using it.Validate any private object references extensively with a white list approach
7Cross-Site Request Forgery CSRF forces a victim browser to send a request to a vulnerable application, after a user is logged-on. A user can be tricked by an image link for example.A vulnerable application (or html page) starts acting on behalf of a user, using the opened session. It can perform actions designed by the attacker, e.g. transfer money from the victim accountAffected page performs the action that appears to come from a legitimate userThe malicious code often resides on other site, not on the victim site, that’s why named as cross-site
8Cross-Site Request Forgery XSS exploits the trust a user has for a particular site, when CSRF exploits the trust a site has for a particular userCSRF occurs when the application rely solely on automatically submitted credentials such as session cookies, basic authentication credentials, source IP addresses, SSL certificates, or Windows domain credentials.
9CSRF ProtectionA user must be re-authenticated by generating and then requiring some type of authorization token that is not automatically submitted by the browser.Insert custom random tokens into every form and URL that will not be automatically submitted by the browserFor sensitive data or value transactions, re-authenticate or use transaction signingDo not use GET requests (URLs) for sensitive data or to perform value transactions. Use only POST methods when processing sensitive data from the userPOST alone is not sufficient. It must be combined with random tokens and re-authenticationLimit the lifetime of authentication cookiesEnsure that there are no XSS vulnerabilities in your application. XSS vulnerabilities are not required for CSRF success but may aggravate the CSRF result
10Security misconfiguration Security holes that occur due to wrong, weak, or contradicted configuration parametersMostly relate to network and servers configuration
11Security misconfiguration protection Standard hardening procedures must apply to all infrastructure sw/hwUpdates and patchingApplication code version control
12Insecure cryptographic store The most common problems are:Not encrypting sensitive dataUsing home grown algorithmsInsecure use of strong algorithmsContinued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, etc…)Hard coding keys, and storing keys in unprotected stores
13Strong crypto mechanism Do not create cryptographic algorithms. Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing.Do not use weak algorithms, such as MD5 / SHA1. Favor safer alternatives, such as SHA-256 or better.Generate keys offline and store private keys with extreme care. Never transmit private keys over insecure channelsEnsure that infrastructure credentials such as database credentials or MQ queue access details are properly secured (via tight file system permissions and controls), or securely encrypted and not easily decrypted by local or remote usersEnsure that encrypted data stored on disk is not easy to decrypt. For example, database encryption is worthless if the database connection pool provides unencrypted access.
14Strong crypto mechanism (cont) Data in rest must be encrypted with the highest possible granularity, relevant to the data’s sensitivity classification.Field encryption will be implemented for highly sensitive data.Data files, folders, or whole-disk encryption can be used to protect data as a batch function. However, if the data contains sensitive items, then field encryption must be implemented prior to using bulk encryptionEncryption keys must be protected at the same level or higher as the data.
15Strong crypto mechanism (cont) All keying materials must be destroyed immediately after use.Encryption keys must not be hardcodedEncryption keys must not be stored in audit logs.An encryption key can be used for one purpose only.Memory protectionAllocate two different buffers used for:Plaintext dataEncrypted dataErase data traces from the buffers immediately after use.
16Failure to restrict URL access Access to web pages thru “hidden" or "special" URLs, rendered only to administrators or privileged users in the presentation layer, but accessible to all users if they know it existsAccess to “hidden” files, such as static xml files without authorizationCode that enforces an access control policy but is out of date or insufficientCode that evaluates privileges on the client but not on the server
17URL access protectionRole-based access control to the application functionsAlways ensure that administrative and high privilege actions are protectedLocate application libraries outside of the web rootBlock access to all file types that your application should never serve
18Insufficient transport layer protection Failure to encrypt network traffic for all authenticated connectionsCommon flaws:Only login activity is protected with SSLBackend communication is not protected
19Insufficient transport layer protection Communication to end user always occurs over SSLAll sensitive actions are protected, not only loginBackend communication is protected with TLS
20Unvalidated redirects and forwards Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
21Unvalidated redirects and forwards - protection Avoid using redirects and forwardsIf used, don’t involve user parameters in calculating the destination.If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorized for the user.
23Malicious File Execution Occurs when a developer accepts file names or files from a user without validationTypical examples include: .NET assemblies which allow URL file name arguments, or code which accepts the user’s choice of filename to include local files.A common vulnerable construct:include $_REQUEST['filename’];
24Malicious File Execution (cont) Other methods of attacks:Hostile data being uploaded to session files, log data, and via image uploads (typical of forum software)XML documents submitted by an attacker may have a hostile DTD that forces the XML parser to load a remote DTD, and parse and process the results
25Protection This vulnerability is difficult to determine Automatic testing is not capable to validate the use of parametersSecurity remedy must start from the architecture and designEnsure that the application will not use user-supplied input in any filename for any server-based resource (such as images, XML and XSL transform documents, or script inclusions), and will have firewall rules in place preventing new outbound connections to the Internet or internally back to any other server.
26Protection (cont.) Recommendations Use indirect object reference map Strong user data input validation (white list strategy)Check any user supplied filenames or filesIn Java, consider implementing a chroot jail or other sandbox mechanisms in order to isolate applicationsIn J2EE, ensure that security manager is enabled and permissions are controlled