OWASP

Bart ten Brinke

The Open Web Application Security Project (OWASP)

• https://www.owasp.org/
• OWASP gathers statistics of internet hacks and uses these to generate their security top 10.
Availability

[Diagram: the CIA triangle, with Data in the centre and Availability, Confidentiality and Integrity at the corners, illustrated by three quotes:]

• “Putting stuff on Wikipedia makes it very available, but not very confidential.”
• “Wikipedia always has the latest news available, but how can you be sure that all the facts are checked?”
• “Doctor-specific patient records cannot be viewed by nurses, which means they are not as well informed as they could be.”

Every solution is a compromise between Confidentiality, Integrity & Availability.


• http://en.wikipedia.org/wiki/Information_security
• The safest door is one you can’t walk through at all.
• The nuances of the CIA triangle are lost in current media reports: something is either safe or unsafe.

[Slide: a scale running from Safe to Unsafe]

During the design of the Dutch public transportation card (OV-chipkaart), the designers made the decision to use less secure RFID cards, because the savings from these cheap RFID cards were much higher than the loss of revenue to hackers. This was not reflected by the media at all.
OWASP Top 10

1. SQL injection

We have a website where you can log in using your username and password:

    Username    john
    Password    1234

The application checks these credentials with a database:

    SELECT * FROM users
    WHERE username = "john"
    AND password = "1234"

Give me all users with the name "john" and password "1234". If there is one, you will be logged in.

    Username    administrator
    Password    " OR 1="1

    SELECT * FROM users
    WHERE username = "administrator"
    AND password = "" OR 1="1"

Give me all users with the name "administrator" who have an empty password, OR where 1=1.

1=1 is always true, so you will be logged in as the administrator.

2. XSS - Cross Site Scripting

As an example we will be using a catblog which has a guestbook where you can post messages.

    Name       john
    Comment    I have a cat just like that!

    My weblog

    Story about my cat

    Comments:
    john: I have a cat just like that!

If the guestbook is poorly secured, it is possible to store other things than messages. For example, you might be able to store JavaScript.

Because other people can read the guestbook, it is possible to abuse the catblog to help you spread your JavaScript to other readers of the blog.

• Visitors can be redirected to another site.
• Visitors can be presented with a popup containing a virus download link.

    Name       hacker
    Comment    window.location = "badstuff.tv"

Hacker posts on blog. John visits blog. John gets redirected to a different website.
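Added example, not from the slides: rendering the guestbook in Python with and without output escaping. The comments are constructed; the hacker's entry is the slides' redirect wrapped in a `<script>` element so that a browser would actually run it when the page is rendered unescaped.

```python
import html

# Constructed guestbook entries. The second carries the slides' redirect,
# wrapped in a <script> element so the browser would execute it.
COMMENTS = [
    ("john", "I have a cat just like that!"),
    ("hacker", '<script>window.location = "badstuff.tv"</script>'),
]


def render_vulnerable(comments):
    """Interpolates stored text straight into the HTML. The browser parses the
    hacker's <script> element and runs it for every reader of the page."""
    return "\n".join(f"<p>{name}: {text}</p>" for name, text in comments)


def render_escaped(comments):
    """Escapes every untrusted value at output time: angle brackets, ampersand
    and quotes become entities, so the comment is displayed literally and is
    never parsed as markup. This is the right escaping for element content;
    attribute values, URLs and inline JavaScript each need their own
    context-specific encoding."""
    return "\n".join(
        f"<p>{html.escape(name)}: {html.escape(text)}</p>"
        for name, text in comments
    )


def has_live_script(page):
    """Rough check for the demo: does the page contain an unescaped <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(COMMENTS))
    print(render_escaped(COMMENTS))
```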
3. Broken session management

Each visitor to a website receives a unique number from the webserver: your session_id. Through this number the webserver is able to keep track of who you are. This is why the number:

• Has to be secret.
• Should be very hard to guess.
• May not be changed by other people.

Guessing a session_id can be very easy:

    _session_id    <my session_id> + 1

Sometimes it is possible to send other people your session_id, forcing a shared session. This might cause credentials of users to be combined.

Email to administrator of website:

    I can’t log in! Could you try it for me?
    https://catblog.com/?PHP_SESSION_ID=123456

    Greets, hacker
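Added example, not from the slides: a minimal server-side session store in Python that addresses both slides, unguessable ids from the OS random source instead of a counter, and rejection of any id the server did not issue, with rotation at login, which is what defeats the e-mail above. The store and the replayed scenario are constructed for this example.

```python
import secrets


class SessionStore:
    """Minimal server-side session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}  # session_id -> session data

    def new_session(self):
        # 32 bytes from the OS CSPRNG: secret by entropy, not by obscurity.
        # "My session_id + 1" tells an attacker nothing about anyone else's.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        # Only ids this server minted are valid. An id a third party pasted
        # into a URL (PHP_SESSION_ID=123456 in the e-mail) is simply unknown.
        return self._sessions.get(sid)

    def login(self, sid, user):
        """Rotate the id at login so a session that existed before
        authentication can never be the authenticated one."""
        if self._sessions.pop(sid, None) is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def replay_fixation_email(store):
    """Replays the slides' e-mail: the administrator follows the link carrying
    the attacker's chosen id and logs in. Returns the id the administrator
    actually ends up with and whether the attacker's id reaches that session."""
    attacker_chosen = "123456"
    # The server never issued "123456", so the admin gets a fresh id instead.
    sid = attacker_chosen if store.lookup(attacker_chosen) else store.new_session()
    authenticated_sid = store.login(sid, "administrator")
    attacker_has_access = store.lookup(attacker_chosen) is not None
    return authenticated_sid, attacker_has_access


if __name__ == "__main__":
    print(replay_fixation_email(SessionStore()))
```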
4. Insecure direct object reference

As an example we will take a website with a “change your password” form. If you select “view source” in your browser, you will see something like this:

    <form id="form" method="post" action="/employees/1234">
        <input type="text" name="username" />
        <input type="password" name="password" value="" />
        <input type="hidden" name="employee_id" value="1234" />
    </form>

What happens if you change the action or the employee_id? Could you reset somebody else’s password?
5. Cross site request forgery

A more complex variant of Cross Site Scripting (XSS), so we will be reusing the catblog example with a guestbook.

    Name       john
    Comment    I have a cat just like that!

    My weblog

    Story about my cat

    Comments:
    john: I have a cat just like that!

If the guestbook is poorly secured, it might be possible to store other things like JavaScript in the message box.

Because other visitors can read the guestbook, it is possible to abuse the catblog to help you spread your JavaScript to other readers of the blog.

By using Ajax we can abuse active sessions visitors might have with other services (like Gmail) to send spam through their account.

    Name       hacker
    Comment    $.ajax({
                   type: 'POST',
                   url: "www.gmail.com/new",
                   data: {
                       to: "anne@hotmail.com",
                       subject: "NOT SPAM!",
                       body: "Need Viagra?"
                   },
                   success: success,
                   dataType: dataType
               });

Hacker posts on blog. John visits blog. John sends spam to Anne via Gmail, without noticing it.
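Added example, not from the slides: the receiving side of the forged POST above, in Python, protected with a per-session anti-forgery token. The mail service, its `/new` handler, the session id and the form fields are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Server-side key, generated at start-up (constructed for this example).
SECRET_KEY = secrets.token_bytes(32)


def csrf_token(session_id):
    """Anti-forgery token bound to the session: HMAC(key, session_id). The
    mail service embeds it in its own forms; a page on catblog.com cannot
    read it, because the browser keeps the two origins apart."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_new_mail(session_id, form):
    """Server side of POST /new. The browser attaches John's session cookie to
    the $.ajax call from the guestbook exactly as it would to a real request,
    so the cookie alone says nothing about who composed the request; only a
    form that carries this session's token is accepted."""
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, f"mail to {form['to']} sent"


def demo():
    john = "john-session-id"  # John's authenticated session at the mail service
    legit = {"to": "anne@hotmail.com", "subject": "hello",
             "csrf_token": csrf_token(john)}
    # What the injected $.ajax call sends: the cookie comes along, the token does not.
    forged = {"to": "anne@hotmail.com", "subject": "NOT SPAM!"}
    return handle_new_mail(john, legit)[0], handle_new_mail(john, forged)[0]


if __name__ == "__main__":
    print(demo())
```

Marking the session cookie `SameSite=Lax` or `Strict` is the complementary browser-side control: the cookie is then not attached to cross-site POSTs at all.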
6. Security misconfiguration

Every system needs periodic updates, to ensure the latest versions are installed.

• Check if your provider/hoster has a maintenance window to do updates.
7. Insecure Cryptographic Storage

Incorrectly secured data. For example: this should NEVER be in your database in plaintext:

    Username    Email                 Password
    jantje      jantje@hotmail.com    jantje1
    pietje      pietje@hotmail.com    welkom123
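Added example, not from the slides: how the table above should be stored instead, in Python with PBKDF2-HMAC-SHA256 from the standard library, a random salt per user and a constant-time check at login. The rows are the slides' sample rows, constructed here for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Returns 'pbkdf2_sha256$<iterations>$<salt>$<hash>'. A fresh random salt
    per user means two users who both chose 'welkom123' get different stored
    values, and a precomputed table of common passwords is useless."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password, stored):
    """Recomputes the hash with the stored salt and iteration count and
    compares in constant time. The plaintext is never stored or needed."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def build_user_table():
    """The slides' table, stored the right way (constructed rows)."""
    rows = [("jantje", "jantje@hotmail.com", "jantje1"),
            ("pietje", "pietje@hotmail.com", "welkom123")]
    return {user: {"email": email, "password_hash": hash_password(pw)}
            for user, email, pw in rows}


if __name__ == "__main__":
    for user, record in build_user_table().items():
        print(user, record["email"], record["password_hash"])
```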
8. Failure to restrict URL access

Modify the URL of a website. This is very popular with journalists, because you can do it with any browser.

• http://catblog.com/admin.php
• http://test.com/employee/1234 => 1235?
• http://ibm.com/annualreport/2011 => 2012?
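Added example, not from the slides, serving both item 4 (the hidden employee_id and the /employees/1234 action) and item 8 (guessing /admin.php): in Python, the server decides from its own session data whose record may be changed and who may enter the admin area, instead of trusting anything in the URL or the form. The employee table, session dicts and handler names are constructed for this example.

```python
# Constructed sample data; not the page's application.
EMPLOYEES = {
    1234: {"username": "john", "password": "1234"},
    1235: {"username": "anne", "password": "welkom123"},
}
ADMIN_USERS = {"administrator"}


def change_password(session, url_employee_id, form):
    """Handler for POST /employees/<url_employee_id> with the slides' form.
    The id in the action URL and the hidden employee_id field are both
    client-controlled, so neither decides whose record is changed: the
    record is the one bound to the server-side session, and the submitted
    ids must agree with it."""
    owner_id = session.get("employee_id")
    if owner_id is None:
        return 401, "not logged in"
    try:
        form_id = int(form.get("employee_id", ""))
    except ValueError:
        return 400, "bad employee_id"
    if url_employee_id != owner_id or form_id != owner_id:
        return 403, "you may only change your own password"
    EMPLOYEES[owner_id]["password"] = form["password"]  # hash it in real code
    return 200, "password changed"


def authorize_url(session, path):
    """Route-level check for item 8: the admin area is gated by role, not by
    whether a visitor knows or guesses the URL."""
    if path == "/admin.php" or path.startswith("/admin/"):
        return session.get("username") in ADMIN_USERS
    return True


if __name__ == "__main__":
    john = {"username": "john", "employee_id": 1234}
    print(change_password(john, 1235, {"employee_id": "1235", "password": "x"}))
    print(authorize_url(john, "/admin.php"))
```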
9. Insufficient Transport Layer Protection

With HTTPS the server and client negotiate about the level of security. Together they figure out what the highest level of encryption is that they can use for the connection.

• Viruses sometimes turn the encryption level of a browser down to the lowest possible setting.
• Badly configured servers agree with the low setting and set up a badly encrypted connection.
• Eavesdropping on the secure traffic between the server and the client is now possible.

If people cannot reach our website, but you can, there is a good possibility that our server won't drop to their suggested encryption level. Browsers give very bad error messages when this happens.
10. Unvalidated Redirects and Forwards (rickroll)

When you open a link to a secure section of a website, and you are not logged in, you are often redirected to the login page. After you log in you will be sent back to the original page you were trying to open.

    http://catblog.com/login.php?return_url=/admin.php

Sometimes it is possible to abuse this and send people a link which looks legit & contains a website they trust. However, after they log in, they are sent somewhere else.

    http://catblog.com/login.php?return_url=http://www.youtube.com/watch?v=oHg5SJYRHA0
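Added example, not from the slides: validating `return_url` in Python before redirecting, so the first link above still works and the second falls back to the site's own start page. It assumes the login page lives on `catblog.com` (the host in the slides) and goes beyond the two cases shown by also handling protocol-relative `//host`, `javascript:` and the backslash form browsers tolerate.

```python
from urllib.parse import urlsplit, urlunsplit

OWN_HOST = "catblog.com"  # assumed hostname of the site doing the redirect


def safe_return_url(return_url, default="/"):
    """Returns a redirect target that stays on this site.
    Accepted: a path such as /admin.php, or an absolute URL on OWN_HOST
    (reduced to its path and query). Everything else, a foreign host, a
    protocol-relative //host prefix, a javascript: URL or the /\\host form
    that browsers read as //host, falls back to the default."""
    if not return_url:
        return default
    parts = urlsplit(return_url)
    if parts.scheme or parts.netloc:
        # Absolute (or protocol-relative) URL: only our own host, http(s) only.
        if parts.scheme not in ("http", "https") or parts.netloc.lower() != OWN_HOST:
            return default
        return urlunsplit(("", "", parts.path or "/", parts.query, ""))
    if not return_url.startswith("/") or return_url.startswith(("//", "/\\")):
        return default
    # Plain site-relative path: keep path and query, drop any fragment.
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for candidate in ("/admin.php",
                      "http://www.youtube.com/watch?v=oHg5SJYRHA0",
                      "//www.youtube.com/watch?v=oHg5SJYRHA0"):
        print(f"{candidate!r:45s} -> {safe_return_url(candidate)!r}")
```

Storing the intended destination server-side under a short random key, and putting only that key in the login URL, avoids parsing attacker-supplied URLs altogether.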
Solutions?

• Using a framework like JBoss, Rails or Zend will fix 90% of the problems addressed in the OWASP top 10.

• To fix the other 10% you need to periodically have your application audited by an external party.

• Make sure you point out the responsibility of the end-user. Often the weakest link is an employee who is careless with printed files or leaves his computer logged in.
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 

Owasp for dummies handouts

  • 1. OWASP Bart ten Brinke
  • 2. The Open Web Application Security Project (OWASP) • https://www.owasp.org/ • OWASP gathers statistics of internet hacks and uses this to generate their security top 10.
  • 3. The triangle of Availability, Confidentiality and Integrity around Data. “Wikipedia always has the latest news available, but how can you be sure that all the facts are checked?” “Putting stuff on wikipedia makes it very available, but not very confidential.” “Doctor specific patient records cannot be viewed by Nurses, which means they are not as well informed as they could be.”
  • 4. Every solution is a compromise between Confidentiality, Integrity & Availability. • http://en.wikipedia.org/wiki/Information_security • The safest door is one you can’t walk through at all. • The nuances of the CIA triangle are lost in the current media reports: something is either safe or unsafe.
  • 6. During the design of the Dutch public transportation card (OV-chipkaart) the designers made the decision to use less secure RFID cards, because the savings of these cheap RFID cards were much higher than the loss of revenue to hackers. This was not reflected by the media at all.
  • 9. We have a website where you can log in using your username and password: Username john Password 1234
  • 10. The application checks these credentials with a database: Username john Password 1234 SELECT * FROM users WHERE username = "john" AND password = "1234"
  • 11. Give me all users with the name "john" and password "1234". If there is one, you will be logged in. Username john Password 1234 SELECT * FROM users WHERE username = "john" AND password = "1234"
  • 12. Username administrator Password " OR 1="1 SELECT * FROM users WHERE username = "administrator" AND password = "" OR 1="1"
  • 13. Give me all users with the name "administrator" who have an empty password OR where 1=1. 1=1 is always true, so you will be logged in as the administrator. SELECT * FROM users WHERE username = "administrator" AND password = "" OR 1="1"
  • 14. 2. XSS - Cross site Scripting
  • 15. As an example we will be using a catblog which has a guestbook where you can post messages.
  • 16. Name john Comment I have a cat just like that! My weblog Story about my cat Comments: john: I have a cat just like that!
  • 17. If the guestbook is poorly secured, it is possible to store other things than messages. For example you might be able to store javascript. Because other people can read the guestbook, it is possible to abuse the catblog to help you spread your javascript to other readers of the blog. • Visitors can be redirected to another site. • Visitors can be presented with a popup containing a virus download link.
  • 18. Name hacker Comment window.location = "badstuff.tv" Hacker posts on blog. John visits blog. John gets redirected to a different website.
  • 19. 3. Broken session management
  • 20. Each visitor to a website receives a unique number from the webserver: your session_id. Through this number the webserver is able to keep track of who you are. This is why the number: • Has to be secret. • Should be very hard to guess. • May not be changed by other people.
  • 21. Guessing a session_id can be very easy: take my own _session_id and add 1.
  • 22. Sometimes it is possible to send other people your session_id, forcing a shared session. This might cause credentials of users to be combined. Email to administrator of website: I can’t log in! Could you try it for me? https://catblog.com/?PHP_SESSION_ID=123456 Greets, hacker
  • 24. As an example we will take a website with a “change your password” form:
  • 25. If you select “view source” in your browser, you will see something like this: <form id="form" method="post" action="/employees/1234"> <input type="text" name="username" /> <input type="password" name="password" value="" /> <input type="hidden" name="employee_id" value="1234" /> </form> What happens if you change the action or the employee_id? Could you reset somebody else’s password?
  • 27. Complex variant of Cross Site Scripting (XSS), so we will be reusing the catblog example with a guestbook.
  • 28. Name john Comment I  have  a  cat  just  like  that! My weblog Story about my cat Comments: john: I have a cat just like that!
  • 29. If the guestbook is poorly secured, it might be possible to store other things like javascript in the message box. Because other visitors can read the guestbook, it is possible to abuse the catblog to help you spread your javascript to other readers of the blog. By using ajax we can abuse active sessions visitors might have with other services (like Gmail), to send spam through their account.
  • 30. Name hacker Comment $.ajax({ type: 'POST', url: "www.gmail.com/new", data: { to: "anne@hotmail.com", subject: "NOT SPAM!", body: "Need Viagra?" }, success: success, dataType: dataType });
  • 31. Hacker posts on blog. John visits blog. John sends spam to Anne via Gmail, without noticing it.
  • 33. Every system needs periodic updates, to ensure the latest versions are installed. • Check if your provider/hoster has a maintenance window to do updates.
  • 35. Incorrectly secured data. For example: this should NEVER be in your database in plaintext: Username, Email, Password: jantje, jantje@hotmail.com, jantje1; pietje, pietje@hotmail.com, welkom123
  • 37. Modify the URL of a website. This is very popular with journalists, because you can do it with any browser. • http://catblog.com/admin.php • http://test.com/employee/1234 => 1235? • http://ibm.com/annualreport/2011 => 2012?
  • 39. With HTTPS the server and client negotiate about the level of security. Together they figure out what the highest level of encryption is that they can both use for the connection. • Viruses sometimes turn the encryption level of a browser down to the lowest possible setting. • Badly configured servers agree with the low setting and set up a badly encrypted connection. • Eavesdropping on the secure traffic between the server and the client is now possible.
  • 40. If people cannot reach our website, but you can, there is a good possibility that our server won't drop to their suggested encryption level. Browsers give very bad error messages when this happens.
  • 41. 10. Unvalidated Redirects and Forwards (rickroll)
  • 42. When you open a link to a secure section of a website, and you are not logged in, you are often redirected to the login page. After you log in you will be sent back to the original page you were trying to open. http://catblog.com/login.php?return_url=/admin.php
  • 43. Sometimes it is possible to abuse this and send people a link which looks legit & contains a website they trust. However, after they log in, they are sent somewhere else. http://catblog.com/login.php?return_url=http://www.youtube.com/watch?v=oHg5SJYRHA0
  • 45. • Using a framework like JBoss, Rails or Zend will fix 90% of the problems addressed in the OWASP top 10. • To fix the other 10% you need to periodically have your application audited by an external party. • Make sure you point out the responsibility of the end-user. Often the weakest link is an employee who is careless with printed files or leaves his computer logged in.
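The login check from slides 10 to 13, as an added Python example that is not part of the handouts: the string-glued query beside a parameterised one, run against a constructed in-memory SQLite table. It uses the standard single-quote string delimiter and `'1'='1'` instead of the slide's double-quoted `1="1"`, because SQLite compares the literals 1 and "1" as different types.

```python
import sqlite3


def make_db():
    # Constructed sample table for this example; plaintext passwords as on
    # the slides (which is itself the problem slide 35 warns about).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("john", "1234"), ("administrator", "s3cret")])
    return conn


def login_vulnerable(conn, username, password):
    # Builds the statement by gluing strings together, like slide 10.
    # Quotes typed by the user become part of the SQL itself, so
    # password = '' OR '1'='1' matches every row.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterised query: the values travel separately from the statement,
    # so nothing a user types can change the logic of the WHERE clause.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # slide 12's trick in single-quote form
    print(login_vulnerable(db, "administrator", payload))  # a user, no password needed
    print(login_safe(db, "administrator", payload))        # None: login refused
```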
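The guestbook from slides 16 to 18, as an added Python example that is not part of the handouts: rendering stored comments raw beside rendering them escaped. The guestbook entries are constructed, and `html.escape` from the standard library does the escaping.

```python
import html

# Constructed guestbook entries: slide 16's legitimate comment and slide 18's
# script-injection attempt. Nothing here comes from a real blog.
GUESTBOOK = [
    ("john", "I have a cat just like that!"),
    ("hacker", '<script>window.location = "badstuff.tv"</script>'),
]


def render_unsafe(entries):
    # Pastes the stored text straight into the page. The browser cannot tell
    # a comment from markup, so the hacker's <script> runs for every visitor.
    return "\n".join(f"<p><b>{name}</b>: {comment}</p>"
                     for name, comment in entries)


def render_safe(entries):
    # Escape at output time: < > & " ' become entities, so the comment is
    # displayed as text. Escaping when rendering also covers entries that
    # were stored before the fix was made.
    return "\n".join(
        f"<p><b>{html.escape(name)}</b>: {html.escape(comment)}</p>"
        for name, comment in entries
    )


def has_script_tag(page):
    # Helper for the check below: does a live <script> element survive?
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_safe(GUESTBOOK))
```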
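The three session_id requirements from slide 20 and the shared-session trick from slide 22, as an added Python example that is not part of the handouts: ids come from the OS random source, and a login never keeps an id the client brought along. The `SessionStore` class is a constructed in-memory stand-in for a web framework's session handling.

```python
import secrets


class SessionStore:
    # Constructed in-memory store for this example (not from the slides).
    def __init__(self):
        self._sessions = {}  # session_id -> username (None while anonymous)

    def new_session(self):
        # 32 bytes from the OS random source: ids are not sequential, so
        # "my session_id + 1" (slide 21) tells a guesser nothing.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def login(self, presented_sid, username):
        # Never attach the login to an id the client presented (for example
        # one pasted into a URL as on slide 22). Retire that id and issue a
        # fresh one, so a planted id can never become a shared session.
        self._sessions.pop(presented_sid, None)
        sid = self.new_session()
        self._sessions[sid] = username
        return sid

    def user_for(self, sid):
        # Unknown or retired ids map to nobody.
        return self._sessions.get(sid)


if __name__ == "__main__":
    store = SessionStore()
    planted = store.new_session()            # id the hacker mails around
    victim = store.login(planted, "administrator")
    print(store.user_for(planted))           # None: the planted id is dead
    print(store.user_for(victim))            # administrator, on a fresh id
```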
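What the plaintext table on slide 35 should hold instead, as an added Python example that is not part of the handouts: each password stored as a salted, slow PBKDF2-HMAC-SHA256 hash and verified in constant time. The storage format string and the iteration count are choices made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # raise as hardware gets faster


def hash_password(password, salt=None):
    # Per-user random salt plus a slow key derivation. Two users with the
    # password "welkom123" get different stored values, and a stolen table
    # cannot simply be read back as on slide 35.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    # Re-derive with the stored salt and iteration count; compare in
    # constant time so timing does not reveal how many bytes matched.
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed rows mirroring slide 35, stored hashed instead of plaintext.
    users = {name: hash_password(pw)
             for name, pw in [("jantje", "jantje1"), ("pietje", "welkom123")]}
    print(users["jantje"])
    print(verify_password(users["pietje"], "welkom123"))  # True
```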
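A check for the `return_url` parameter from slides 42 and 43, as an added Python example that is not part of the handouts: only a path on the site itself is accepted, anything carrying a scheme or a host falls back to a default page. The function name and default are assumptions for this example.

```python
from urllib.parse import urlsplit


def safe_return_url(value, default="/"):
    # Accept only a path on this site. A full URL (slide 43), a
    # protocol-relative "//host" and "/\host" (which browsers read as a
    # host) all fall back to the default landing page.
    if not value or not value.startswith("/") or value.startswith("//"):
        return default
    if "\\" in value or "\r" in value or "\n" in value:
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    return value


if __name__ == "__main__":
    print(safe_return_url("/admin.php"))                               # kept
    print(safe_return_url("http://www.youtube.com/watch?v=oHg5SJYRHA0"))  # "/"
```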