The OWASP 2010 Top 10 Jason Montgomery, CISSP OWASP Cincinnati – Aug 30, 2011.


1 The OWASP 2010 Top 10 Jason Montgomery, CISSP OWASP Cincinnati – Aug 30, 2011

2 Cyber Security Engineering Team, AEP
Author / Technical Editor: Professional K2 blackpearl (Wiley Press, 2009); Professional C#, Beginning C#, etc.
SANS Institute: DEV 532: Essential Secure Coding in ASP.NET; DEV 544: Secure Coding in .NET: Developing Defensible Applications
GIAC GSSP.NET Steering Committee
Developer, Sys Admin
© 2011 Jason Montgomery

3 “Code is Law” - Lawrence Lessig


5 Who's Vulnerable? “When first tested, more than half of all applications fail to meet acceptable security quality, and more than 8 out of 10 web applications fail OWASP Top 10.” VERACODE State of Software Security Report, 2011

6 Who's Vulnerable? Whitehat Website Security Statistics Report, Winter 2011

7 Window of Exposure. Source: Whitehat Website Security Statistics Report, Winter 2011, Figure 1, “2010 at a Glance – Sorted by Industry”: the average number of serious vulnerabilities per website, the percentage of reported vulnerabilities that have been resolved (Remediation Rate), and the average time that a website is exposed to at least one serious vulnerability (Window of Exposure).

8 What are some challenges to Secure Applications?

9 Challenges to App Sec: business (features) drives development, not security (non-functional requirements).

10 Market Forces: “Don’t Worry, Be Crappy” - Guy Kawasaki

11 Knowledge Gap: “Our developers are pretty smart. I’m sure they’ve got it covered.” “Our developers do amazing things. I’m sure they already understand these issues.” “We haven’t been hacked yet.”

12 Constraints: “We don’t have the time.” “It’s too expensive.” “We don’t have anyone here with the expertise.”

13 No Process to Incorporate Security: no security in the Software Development Lifecycle; reliance on black-box or white-box scanning; only fix what’s found; little or no assurance.

14 “6 Billion Crash Test Dummies” - David Rice, Geekonomics: The Real Cost of Insecure Software

15 Software and Security: Common Weakness Enumeration (CWE); Top-x lists: OWASP Top 10 – 2010: The 10 Most Critical Web Application Security Risks; 2010 CWE/SANS Top 25 Most Dangerous Software Errors

16 Software and Security: Why are these important? They raise awareness and educate; document industry-accepted mitigation techniques; enable collaboration; define common terms and a language for describing issues; make security measurable; help prioritize.

17 Secure vs. Defensible: software bugs (implementation errors) vs. flaws (design errors). CWE defines ~658 software weaknesses: 356 can be introduced during design, 578 can be introduced during implementation (many can enter at either stage). 100% security…? Goal: secure… or defensible?

18 Add Security to the Development Lifecycle: The Building Security In Maturity Model (BSIMM2); Software Assurance Maturity Model (SAMM) – OWASP; Microsoft SDL (Security Development Lifecycle).

19 OWASP Top 10 - 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

20 A2: Cross-Site Scripting (XSS). CWE-79: “The software does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users.”

21 CWE Taxonomy of XSS
CWE-20: Improper Input Validation (Category)
CWE-74: Injection (Class)
CWE-79: Cross-Site Scripting (Base)
CWE-80: Basic XSS (Variant)
CWE-81: Improper Sanitization of Script in an Error Message Web Page (Variant)
CWE-83: Improper Neutralization of Script in Attributes in a Web Page (Variant)
CWE-84: Failure to Resolve Encoded URI Schemes in a Web Page (Variant)
CWE-85: Doubled Character XSS Manipulations (Variant)
CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages (Variant)
CWE-87: Failure to Sanitize Alternate XSS Syntax (Variant)

22 Cross-site Scripting Types
Stored XSS: the payload is persisted to a data store and later embedded into the page server-side, so every visitor who views that data receives it.
Reflected XSS: the payload arrives in the request (URL or form field) and the server echoes it straight back into the response for that same client.
DOM-based XSS: the payload travels in the URL (often the fragment) and is written into the DOM by client-side JavaScript; the server may never see it.

23 Reflected XSS Example (Error.aspx)
URL:
    Error.aspx?...=%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E
The page code echoes the URL-decoded parameter into the message, so the output HTML is:
    The following error occurred: <script>alert('xss');</script>
The browser has no way to tell the injected script from the page's own.
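The reflected flow above, as an added example that is not the presentation's Error.aspx code: a plain Python stand-in for the page is fed the slide's URL payload, once echoing the parameter raw and once HTML-encoded, and a small parser stands in for the browser to show which response carries an executable script. The parameter name msg and the host are assumptions.

```python
"""Reflected XSS in a minimal error page: vulnerable vs. encoded rendering.

Added example, not the presentation's Error.aspx: the page is simulated with a
plain Python function; the URL payload is the one on the slide.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request URL carrying the slide's payload. The real parameter
# name in Error.aspx is not shown on the slide; "msg" is assumed here.
ATTACK_URL = "http://example.test/Error.aspx?msg=%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E"


def error_message_from(url: str) -> str:
    """Extract and URL-decode the msg parameter, as the web server would."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_error_vulnerable(msg: str) -> str:
    """Echoes untrusted input straight into the HTML element context (CWE-79)."""
    return f"<p>The following error occurred: {msg}</p>"


def render_error_fixed(msg: str) -> str:
    """HTML-encodes before output: & < > \" ' become entities, so the browser shows text."""
    return f"<p>The following error occurred: {escape(msg, quote=True)}</p>"


class ScriptFinder(HTMLParser):
    """Parses the response the way a browser would and records <script> bodies."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def executed_scripts(html_doc: str) -> list:
    """Returns the body of every <script> element the browser would execute."""
    finder = ScriptFinder()
    finder.feed(html_doc)
    finder.close()
    return finder.scripts


if __name__ == "__main__":
    msg = error_message_from(ATTACK_URL)
    print("decoded parameter:", msg)
    print("vulnerable page executes:", executed_scripts(render_error_vulnerable(msg)))
    print("fixed page executes:     ", executed_scripts(render_error_fixed(msg)))
```

The encoded response still contains the attacker's text, but as `&lt;script&gt;...`, which the parser treats as character data rather than markup.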

25 Context Matters. Web output contexts: HTML entities (element text); HTML attributes; JavaScript; URL; CSS / style.

26 XSS Injection Points
HTML element: untrusted text placed between tags.
HTML attribute: e.g. <img alt="..." src=... />; a " in the data closes the attribute and lets the attacker add a handler attribute or a new src.
HTML comments: a --> in the data closes the comment, and everything after it is live markup.

27 XSS Injection Points Cont.
JavaScript variables / data:
    function Redirect() { document.location = '<%= Request.QueryString["location"] %>'; }
A ' in the data ends the string literal; </script> in the data ends the script block regardless of quoting.
Style attributes / CSS files:
    <DIV STYLE="width: <%= untrustedInput %>" ... />
URL: <a href="...">link</a>; a "> in the data closes the attribute and the tag, and a javascript: URL needs no break-out at all.

28 Real XSS Examples (payloads seen in live query strings)
    " alert('boo')  (attribute break-out)
    %22%3E%3CSCRIPT%3Ealert(%22kefka%20was%20here%22)%3C/SCRIPT%3E  ("><SCRIPT>alert("kefka was here")</SCRIPT>)
    %3C/textarea%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E  (</textarea><script>alert("XSS")</script>, breaking out of a textarea)
    %22onmouseover=%22alert('XSS')%22  ("onmouseover="alert('XSS')", an event handler added to an existing tag)

29 XSS In the News: Facebook (Oct. 5th, 2010) - “wormable”; Twitter (Sept. 21st, 2010) - “wormable”

30 A1 / A2: Injection – Defense in Depth: constrain input through input validation.

31 A1 / A2: Injection – Solution: must encode special characters for the output context.

32 Injection: Ask Two Questions. For every boundary the web application crosses (inbound data from the client, outbound data to the info store, inbound data from the store, outbound data to the client): Should I consume this? Should I emit this?

33 Injection Mitigation (Defense in Depth)
Assume all input is malicious
(Re)use a vetted library
Enforce length checks
Enforce type checks
Validate input with whitelists (blacklists as a last resort)
Escape/encode output: properly encode/escape data for its context
* Take care with regular expressions
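Length, type and whitelist validation from the list above, with the regular expression pitfall the last bullet warns about, as an added Python example (not from the presentation). The username and quantity rules are assumed field definitions for a hypothetical order form.

```python
"""Whitelist input validation with length and type checks, plus the regular
expression anchoring pitfall behind the slide's "take care" warning.

Added example, not from the presentation: the username and quantity rules are
assumed field definitions for a hypothetical order form.
"""
import re
from typing import Optional

# Loose: in Python (and in .NET), $ also matches just before a trailing
# newline, so "bob\n" is accepted and the newline travels onward.
USERNAME_LOOSE = re.compile(r"^[A-Za-z0-9_]{3,16}$")
# Strict: \A and \Z anchor to the real start and end of the string.
USERNAME_STRICT = re.compile(r"\A[A-Za-z0-9_]{3,16}\Z")

MAX_FIELD_LENGTH = 64  # checked before any pattern work, bounding regex cost


def loose_username_accepts(value: str) -> bool:
    """The pattern most people write first; shown only to expose the pitfall."""
    return USERNAME_LOOSE.match(value) is not None


def validate_username(value: object) -> Optional[str]:
    """Whitelist of letters, digits and underscore, 3 to 16 chars, whole string."""
    if not isinstance(value, str) or len(value) > MAX_FIELD_LENGTH:
        return None
    return value if USERNAME_STRICT.match(value) else None


def validate_quantity(value: object) -> Optional[int]:
    """Type check for an integer 1..999 written as plain ASCII digits.
    int() alone accepts surrounding whitespace, a sign and non-ASCII digits
    such as Arabic-Indic numerals, so the characters are whitelisted first."""
    if not isinstance(value, str) or not 1 <= len(value) <= 3:
        return None
    if not (value.isascii() and value.isdigit()):
        return None
    n = int(value)
    return n if 1 <= n <= 999 else None


def validate_form(fields: dict) -> dict:
    """Runs every field rule; reports the cleaned values or the rejected names."""
    cleaned, rejected = {}, []
    for name, rule in (("username", validate_username), ("quantity", validate_quantity)):
        result = rule(fields.get(name))
        if result is None:
            rejected.append(name)
        else:
            cleaned[name] = result
    return {"ok": not rejected, "values": cleaned, "rejected": rejected}


if __name__ == "__main__":
    # Constructed submissions: one clean, one with a trailing newline and
    # non-ASCII digits that int() would happily convert.
    print(validate_form({"username": "alice", "quantity": "3"}))
    print(loose_username_accepts("bob\n"), validate_username("bob\n"))
    print(validate_form({"username": "bob\n", "quantity": "١٢"}))
```

The length check runs before the regular expression on purpose: a bounded input keeps even a poorly written pattern from backtracking for long, and the strict anchors keep line terminators from riding through into SQL, headers or log lines.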

34 Cross-Site Scripting (XSS) Mitigation (Defense in Depth)
Set a consistent character encoding on every response; otherwise a browser that sniffs the charset can be tricked into decoding +ADw-script+AD4- (UTF-7 for <script>) as markup.
Encode output using whitelists
Constrain input
Sanitize dangerous tags/attributes
Avoid allowing HTML input, if possible
Prefer a lightweight markup language (e.g. BBCode) and convert it to styled output
Not always an option with WYSIWYG controls on sites

35 Microsoft Web Protection Library (WPL), AKA AntiXSS 4.0: whitelists. Narrowly defines the allowable character sets and encodes everything else.

36 WPL Cross-Site Scripting (XSS) Sanitization. Web Protection Library Sanitizer class: “…transforms and filters HTML of executable scripts. A safe list of tags and attributes are used to strip dangerous scripts from the HTML. HTML is also normalized where tags are properly closed and attributes are properly formatted.” [1]
Sanitizer.GetSafeHtml() sanitizes an entire HTML document.
Sanitizer.GetSafeHtmlFragment() sanitizes a fragment of an HTML document.
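An allowlist sanitizer in the spirit of Sanitizer.GetSafeHtmlFragment(), as an added Python example that is not the Web Protection Library's code: it keeps a small safe list of tags and attributes, drops everything else including the contents of script and style elements, rejects non-http(s) URLs in href, and re-emits the fragment with every tag properly closed. The allowlists are this example's own choice.

```python
"""Allowlist HTML sanitizer: keep safe tags/attributes, drop script/style
content, block javascript:/data: URLs, and re-emit well-formed markup.

Added example, not the Web Protection Library's implementation; the allowlists
below are this example's own (deliberately small) choice.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # no style, no on* handlers anywhere
URL_ATTRS = {"href"}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}    # element and its text both removed


def safe_url(value: str) -> bool:
    """Allow only http/https or scheme-less (relative) URLs. Browsers ignore
    tab/CR/LF inside the scheme, so strip them before looking at it."""
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip().lower()
    return urlsplit(cleaned).scheme in ("", "http", "https")


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # attribute/text entities decoded for us
        self.out = []
        self.open = []          # allowed tags currently open, for closing them in order
        self.skip_depth = 0     # > 0 while inside <script> / <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return              # unknown tag dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag in VOID_TAGS:
            self.out.append(f"<{tag}{''.join(kept)} />")
        else:
            self.out.append(f"<{tag}{''.join(kept)}>")
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open:
            return
        while self.open:        # close inner tags first so nesting stays well-formed
            inner = self.open.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                    # comments dropped: they can hide conditional markup

    def result(self) -> str:
        while self.open:        # close whatever the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def get_safe_html_fragment(fragment: str) -> str:
    """Sanitize an HTML fragment; returns markup built only from the allowlists."""
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return s.result()


if __name__ == "__main__":
    # Constructed user-supplied fragment mixing allowed markup with attacks.
    sample = ('<p>Hi <b>there<script>alert(1)</script></b> '
              '<a href="javascript:alert(1)" onclick="x()">click</a> '
              '<img src=x onerror=alert(1)><i>unclosed</p>')
    print(get_safe_html_fragment(sample))
```

The sanitizer never copies input markup through; it rebuilds every tag and attribute from parsed values, which is what makes the output normalized as well as filtered. A real deployment would also need to bound input size and decide whether protocol-relative URLs (`//host/...`) should pass the href check.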

37 UnicodeCharacterEncoder.MarkAsSafe() configures the Encoder class with the valid ranges of Unicode to leave unencoded. Choose the expected Lower, Lower Middle, Middle, Upper Middle, and Upper ranges from the Unicode code chart codes.

38 WPL Encoder Class: static encoding methods for the web, one per output context.
Encoder.CssEncode()
Encoder.HtmlEncode()
Encoder.HtmlAttributeEncode()
Encoder.UrlEncode()
Encoder.HtmlFormUrlEncode()
Encoder.JavaScriptEncode()
Encoder.VisualBasicScriptEncode()

39 XSS Injection Fixed
HTML element:
    <%= Encoder.HtmlEncode(Request.QueryString["message"]) %>
HTML attribute:
    <img alt="<%= Encoder.HtmlAttributeEncode(Request.QueryString["altTxt"]) %>" src=... />
(QueryString keys are strings, so they take double quotes in C#; the attribute value must also stay inside quotes in the markup for the attribute encoder's guarantee to hold.)

40 XSS Injection Fixed Cont.
JavaScript variables / data:
    function Redirect() { document.location = '<%= Encoder.JavaScriptEncode(Request.QueryString["location"], false) %>'; }
Two caveats: the single-argument Encoder.JavaScriptEncode(input) overload in AntiXSS 4.x wraps its result in quotes itself, so pass false for emitQuotes when you supply the quotes in the script; and encoding only keeps the string literal intact. A javascript: URL is still a valid string and still runs when assigned to document.location, so the value also needs URL validation (A10: Unvalidated Redirects and Forwards).
Style attributes / CSS files:
    <DIV STYLE="width: <%= Encoder.CssEncode(untrustedInput) %>" ... />
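The context-specific encoders behind the "Context Matters", "XSS Injection Points" and "XSS Injection Fixed" slides, as an added Python example that is not the Web Protection Library's code. Each encoder keeps only ASCII letters and digits (plus space in element text) and encodes every other character in the form its context understands, which is the AntiXSS whitelist approach rather than a blacklist of five characters; the last two functions show why HTML encoding is the wrong encoder for data inside an event-handler attribute's JavaScript.

```python
"""Whitelist output encoders for the HTML element, HTML attribute, JavaScript
string, CSS value and URL component contexts.

Added example, not the Web Protection Library: the whitelist is ASCII letters
and digits; everything else is encoded for the target context.
"""
import html
import string

SAFE = frozenset(string.ascii_letters + string.digits)


def html_encode(s: str) -> str:
    """HTML element text: decimal entities for everything outside the whitelist."""
    return "".join(c if c in SAFE or c == " " else f"&#{ord(c)};" for c in s)


def html_attribute_encode(s: str) -> str:
    """Quoted HTML attribute value: space is encoded too, so even an unquoted
    attribute cannot be terminated to smuggle in an onmouseover handler."""
    return "".join(c if c in SAFE else f"&#{ord(c)};" for c in s)


def javascript_encode(s: str) -> str:
    """JS string literal body: \\xHH / \\uHHHH escapes. Unlike the AntiXSS
    default overload this never adds surrounding quotes; the template does."""
    return "".join(
        c if c in SAFE else (f"\\x{ord(c):02x}" if ord(c) < 256 else f"\\u{ord(c):04x}")
        for c in s
    )


def css_encode(s: str) -> str:
    """CSS property value: \\HHHHHH escapes (six hex digits need no delimiter)."""
    return "".join(c if c in SAFE else f"\\{ord(c):06x}" for c in s)


def url_encode(s: str) -> str:
    """URL query component: percent-encode the UTF-8 bytes of each unsafe char."""
    return "".join(
        c if c in SAFE else "".join(f"%{b:02X}" for b in c.encode("utf-8")) for c in s
    )


# The slide's injection points, each paired with the encoder for its context.
def render_message(untrusted: str) -> str:
    return f"<p>{html_encode(untrusted)}</p>"


def render_alt_text(untrusted: str) -> str:
    return f'<img alt="{html_attribute_encode(untrusted)}" src="/logo.png" />'


def render_redirect_script(untrusted: str) -> str:
    # Keeps the literal intact; does not make a javascript: URL safe to assign.
    return f"document.location = '{javascript_encode(untrusted)}';"


def render_width_style(untrusted: str) -> str:
    return f'<div style="width: {css_encode(untrusted)}"></div>'


def render_search_link(untrusted: str) -> str:
    return f'<a href="/search?q={url_encode(untrusted)}">link</a>'


def after_attribute_decoding(encoded: str) -> str:
    """What the JS engine sees for code in an onclick="..." attribute: the HTML
    parser decodes entities first, then the JS parser runs on the result."""
    return html.unescape(encoded)


def closes_js_string(text: str) -> bool:
    """True if the text contains a quote that ends a single-quoted JS literal."""
    return "'" in text


if __name__ == "__main__":
    payload = "' onmouseover=\"alert('XSS')"       # constructed, from the slide's real examples
    print(render_alt_text(payload))
    print(render_redirect_script(payload))
    # Wrong encoder for the context: HTML-encoded data inside onclick="f('...')"
    # is entity-decoded back to a raw quote before JavaScript ever parses it.
    print(closes_js_string(after_attribute_decoding(html_encode(payload))))
    print(closes_js_string(after_attribute_decoding(javascript_encode(payload))))
```

For data that lands in an event-handler attribute the two encoders have to be layered: JavaScript-encode first, then HTML-attribute-encode the result, because the browser decodes them in the reverse order.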

41 ASP.NET 4.0 – Encoding: the default encoder (HttpEncoder) can be replaced, and there is a new abbreviated syntax, <%: expression %>, that HTML-encodes its output (shorthand for <%= HttpUtility.HtmlEncode(expression) %>).

42 ASP.NET 4.0 – Encoding
New abbreviated syntax: <%: variableToEncode %> in Web Forms; @variableToEncode in the MVC 3 Razor view engine (HTML-encoded by default).
* Does NOT completely encode for HTML attributes, JavaScript, VBScript, URL, or CSS: it is HTML element encoding only, so use the context-specific Encoder methods there.
Default encoder blacklist: & ' " < > and the range 0xA0–0xFF (160–255); every other character passes through unchanged.

43 Replacing the Default HttpEncoder
web.config: register the class below as the encoderType on <httpRuntime>, so that <%: %>, Razor's @ and HttpUtility.HtmlEncode all route through the AntiXSS whitelist encoders.
AntiXssEncoder.cs:

    using System.IO;
    using System.Web.Util;
    using Microsoft.Security.Application;

    // Overrides the two framework encodings that ASP.NET calls for page output
    // and delegates them to the Web Protection Library's whitelist encoders.
    public class AntiXssEncoder : HttpEncoder
    {
        public AntiXssEncoder() { }

        protected override void HtmlEncode(string value, TextWriter output)
        {
            output.Write(Encoder.HtmlEncode(value));
        }

        protected override void HtmlAttributeEncode(string value, TextWriter output)
        {
            output.Write(Encoder.HtmlAttributeEncode(value));
        }
    }

44 XSS Exploit Demo: BeEF, the Browser Exploitation Framework

45 Contact: Email (put OWASP in the subject); LinkedIn; Blog
