OWASP Top 10 Web Security Vulnerabilities Carol McDonald Sun Microsystems
About the Speaker
OWASP Top 10
WebGoat and WebScarab from OWASP
Enterprise Security API http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Frameworks and ESAPI
Enterprise Security API
A1: Cross Site Scripting (XSS)
A1 Cross Site Scripting Example: the hacker tricks the user into sending a request whose search parameter contains a script such as <script>alert(document.cookie)</script>. The site reflects the script back to the user, where it executes and sends the session cookie to the hacker.
Never Trust Input
A1 Cross Site Scripting Protection
Validation, Encoding, and Injection (diagram from http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt): input may arrive in any encoding and output may go to any interpreter; the steps shown are Set Character Set, Encode For HTML, Global Validate, Canonicalize, Specific Validate, Sanitize, Canonicalize, Validate.
Handling Validation, and Encoding (from http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt). Encoding methods: encodeForURL, encodeForJavaScript, encodeForVBScript, encodeForDN, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath. Validation methods: isValidDirectoryPath, isValidCreditCard, isValidDataFromBrowser, isValidListItem, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine. Also covered: Canonicalization, Double Encoding Protection, Normalization, Sanitization.
A2: Injection Flaws. The hacker sends SQL commands into a form field, e.g. 101' or '1'='1. The site executes the modified SQL query and returns the results to the hacker.
A2: SQL Injection
Never Trust Input
A2: SQL Injection Protection: dangerous characters are escaped by the JDBC driver; the compiler checks for correctness.
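The same contrast in Python with the standard sqlite3 module, as an added example that is not from the deck (which shows Java/JDBC): lookup_unsafe pastes the caller's text into the SQL, so the slide's input 101' or '1'='1 rewrites the WHERE clause, while lookup_safe binds the value as a parameter and the driver treats it purely as data. The table, rows and function names are constructed for this demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the slides).
SAMPLE_ACCOUNTS = [
    ("101", "alice", 500),
    ("102", "bob", 1250),
    ("103", "carol", 80),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, account_id: str) -> list:
    """Vulnerable: the caller's text is concatenated into the SQL, so a quote in
    the input closes the string literal and the remainder is parsed as SQL."""
    sql = "SELECT id, owner, balance FROM accounts WHERE id = '" + account_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, account_id: str) -> list:
    """Fixed: the SQL text is fixed at development time and the value is bound
    as a parameter, so it can never change the structure of the query."""
    sql = "SELECT id, owner, balance FROM accounts WHERE id = ?"
    return conn.execute(sql, (account_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "101' or '1'='1"  # the slide's example input
    print("unsafe:", lookup_unsafe(db, payload))  # every row comes back
    print("safe:  ", lookup_safe(db, payload))    # no row has that literal id
```

The bound-parameter version is the Python analogue of a JDBC PreparedStatement with ? placeholders: the escaping the slide attributes to the JDBC driver happens inside the database interface rather than in application code.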
A3: Malicious File Execution
A3: Malicious File Execution Protection
A4: Insecure Direct Object Reference
Real attack on the Australian Tax Office: the attacker changed the tax id in the URL and got information on 17,000 companies.
A4: Insecure Direct Object Reference - Example: the code can be attacked using a string like "/../../../etc/passwd%00" (null byte injection).
A4: Insecure Direct Object Reference - Example: a reference to a database key; the attacker can search on another key.
A4: Insecure Direct Object Reference Protection
Handling Direct Object References (diagram): the user sees an indirect reference such as http://app?file=7d3J93; the Access Reference Map translates it to the direct reference (Report123.xls) used against the web service, database, mainframe, file system, etc.
ESAPI Access Reference Map
ESAPI: Handling Direct Object References
ESAPI: Controlling Access to Files, Data
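The access reference map idea in Python, as an added example written for this page (the deck points at ESAPI's Java AccessReferenceMap; this is an independent, simplified version with assumed names): each session gets its own map from random indirect references to the direct references that user is allowed to reach, so a file parameter naming anything else, whether another user's report or a path like ../../../etc/passwd, never resolves. The report list per user is constructed sample data.

```python
import secrets


class AccessReferenceMap:
    """Per-session map between random indirect references (what appears in URLs)
    and direct references (file names, database keys) the user may access."""

    def __init__(self, direct_references=()):
        self._to_direct = {}
        self._to_indirect = {}
        for direct in direct_references:
            self.add_direct_reference(direct)

    def add_direct_reference(self, direct):
        """Register an object this user may reach; returns its indirect reference."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        indirect = secrets.token_urlsafe(6)  # unguessable, unrelated to the direct value
        while indirect in self._to_direct:
            indirect = secrets.token_urlsafe(6)
        self._to_direct[indirect] = direct
        self._to_indirect[direct] = indirect
        return indirect

    def direct_references(self):
        return list(self._to_indirect)

    def get_indirect_reference(self, direct):
        return self._to_indirect[direct]

    def get_direct_reference(self, indirect):
        """Resolve a reference taken from the request; anything absent from this
        user's map, including path strings, is refused rather than looked up."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise PermissionError("reference %r is not available to this user" % indirect) from None


# Constructed example data: the reports each user owns (stands in for a database lookup).
REPORTS_BY_USER = {"alice": ["Report123.xls", "Report124.xls"], "bob": ["Report200.xls"]}


def start_session(user):
    """Build the map once per session from the objects the user is allowed to see."""
    return AccessReferenceMap(REPORTS_BY_USER.get(user, []))


def report_links(arm):
    """Links to embed in the page: they carry only indirect references."""
    return ["http://app?file=" + arm.get_indirect_reference(d) for d in arm.direct_references()]


def open_report(arm, file_param):
    """Handler for http://app?file=...: resolves through the map, never from the raw parameter."""
    direct = arm.get_direct_reference(file_param)
    return "contents of " + direct  # stands in for reading the file


if __name__ == "__main__":
    alice = start_session("alice")
    for link in report_links(alice):
        print(link)
    try:
        open_report(alice, "../../../etc/passwd")
    except PermissionError as err:
        print("refused:", err)
```

Because the map is built from an authorization decision (which objects this user owns) and the indirect values are random, tampering with the parameter yields only a refusal; there is no key space for an attacker to enumerate.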
A5: Cross Site Request Forgery (diagram): the user logs on, then navigates to a page whose JavaScript uses the user's cookie/session to get the user's Gmail contacts.
A5: Cross Site Request Forgery (diagram, Netflix): with "remember me" set, the user navigates to a page that adds movies to the user's queue using the user's cookie/session: <img src="http://www.netflix.com/AddToQueue?movieid=70011204" /> (see http://news.cnet.com/Netflix-fixes-Web-2.0-bugs/2100-1002_3-6126438.html?part=rss&tag=6126438&subj=news)
A5: Cross Site Request Forgery (diagram, bank): the user logs on, reads email and clicks an image, which transfers funds using the user's cookie/session.
A5: Cross Site Request Forgery
Handling Authentication and Identity (diagram from http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt): Users, Strong Passwords, Random Tokens, CSRF Tokens, Lockout, Remember Me, Screen Name, Roles, Timeout.
A5: Cross Site Request Forgery Java Protection
A6: Information Leakage and Improper Error Handling
A6: Information Leakage and Improper Error Handling Protection
A7: Broken Authentication/Session Management
A7: Broken Authentication/Session Management Protection
ESAPI Handling Authentication and Identity (diagram from http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt): Users, Strong Passwords, Random Tokens, CSRF Tokens, Lockout, Remember Me, Screen Name, Roles, Timeout.
ESAPI Authenticator Interface
ESAPI User Interface
A8: Insecure Cryptographic Storage
A8: Insecure Cryptographic Storage Protection
Handling Sensitive Information (diagram from http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt): Encryption, Digital Signatures, Integrity Seals, Strong GUID, Random Tokens, Timestamp, Salted Hash, Safe Config Details.
ESAPI Encryptor
A9: Insecure Communication
A9: Insecure Communication Protection
A10: Failure to Restrict URL Access (see http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass_11.html)
A10: Failure to Restrict URL Access Protection
ACEGI Spring Security
ESAPI Handling Access Control: isAuthorizedForURL, isAuthorizedForFunction, isAuthorizedForService, isAuthorizedForData, isAuthorizedForFile
ESAPI AccessController
ESAPI IntrusionDetector
Secure Principles
References and More Information:


Editor's notes

The attacker can send data in any encoding, and the interpreters downstream from your application may decide to handle any encoding. Canonicalize: input could be in any character set; watch for double-encoding, multiple encoding schemes, and double-encoding with multiple encoding schemes. Validation: simple to configure for positive rules, but impossible to do perfectly, since you need special characters. GetSafeValue: for rich content, strip out the bad stuff and continue; this is difficult, since you need to fully parse the HTML. Canonicalize and validate data coming from the database as well: watch out for mass SQL injection. EncodeForHTML: not perfect, since browsers allow encoded characters to execute (particularly in attributes), and you have to avoid double-encoding. SetCharacterSet: otherwise the browser will try to guess the encoding.
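The canonicalize, validate, encode sequence from this note and the A1 protection slides, in Python, as an added example written for this page rather than taken from ESAPI (whose Java API the deck lists): canonicalize undoes URL and HTML-entity encoding repeatedly and refuses input that is still changing after a few rounds (the multiple-encoding case the note warns about); the search term is checked against a positive rule; and the echoed value is encoded separately for the HTML body and for an attribute, since the note points out that attribute context is where encoded characters most often still execute. Function names, the pattern and the sample inputs are assumptions.

```python
import html
import re
import urllib.parse


def canonicalize(value: str, max_rounds: int = 4) -> str:
    """Undo URL (%xx) and HTML-entity encoding until the text stops changing.
    Input still changing after max_rounds is multiply encoded and is refused."""
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote(current))
        if decoded == current:
            return current
        current = decoded
    raise ValueError("input still changing after %d decoding rounds" % max_rounds)


# Positive rule for a search term (assumed): letters, digits and spaces, 1 to 50 characters.
SEARCH_TERM = re.compile(r"[A-Za-z0-9 ]{1,50}")


def is_valid_search_term(canonical: str) -> bool:
    """Validate only after canonicalization, so an encoded '<' cannot slip past the rule."""
    return SEARCH_TERM.fullmatch(canonical) is not None


def encode_for_html(text: str) -> str:
    """Escape for element content: & < > " ' become named entities."""
    return html.escape(text, quote=True)


def encode_for_html_attribute(text: str) -> str:
    """Escape for an attribute value: every non-alphanumeric character becomes a
    numeric entity, so quotes, spaces and '=' cannot terminate the attribute."""
    return "".join(c if c.isalnum() else "&#x%x;" % ord(c) for c in text)


def render_search_page(raw_query: str) -> str:
    """Simulated search page: canonicalize, validate, then encode what is echoed."""
    term = canonicalize(raw_query)
    if not is_valid_search_term(term):
        # Rejected input is still echoed encoded, so a rejected payload cannot run.
        return "<p>Invalid search term: %s</p>" % encode_for_html(term)
    return ('<input name="q" value="%s">' % encode_for_html_attribute(term)
            + "<p>Results for %s</p>" % encode_for_html(term))


if __name__ == "__main__":
    print(render_search_page("<script>alert(document.cookie)</script>"))
    print(render_search_page("java%2520security"))  # double URL-encoded space
```

Note that validation and encoding are independent layers here: the rule rejects the slide's script payload, but even the rejection message passes through encode_for_html, so a gap in the rule does not become a reflected XSS.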
  4. If an online bank allowed its application to process requests such as fund transfers this way, a similar attack might allow high-risk transactions such as money transfers. The form itself contains the fields name and lastname and the submit button. To prevent it from being forged we add another field whose name is the session identifier cookie's name and whose value is the current session identifier cookie's value:
     <form>
       <input type="text" name="name" value="John"/>
       <input type="text" name="lastname" value="Dawson"/>
       <!-- anti-forgery field: the user never edits it, so it is hidden -->
       <input type="hidden" name="JSPSESSIONID" value="7af7a55caff365ca594510586"/>
       <input type="submit"/>
     </form>
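The server side of the check described in the note, as an added Python example written for this page (not code from the deck, from ESAPI, or from any real banking application). It goes one step beyond the note: instead of copying the session cookie value into the form, it binds a separate random token to the session, so the session id itself never has to be rendered into HTML where a script or a leaked page could read it. The Session class, the csrf_token field name and the function names are this example's own assumptions.

```python
import hmac
import html
import secrets

# Hypothetical form field name; the deck reuses the session cookie's name instead.
TOKEN_FIELD = "csrf_token"


class Session:
    """Stand-in for a server-side session record (constructed for this example,
    not a real framework). The anti-forgery token is a second random value bound
    to the session, kept server-side and rendered only into this user's forms."""

    def __init__(self):
        self.id = secrets.token_hex(16)
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session):
    """Return the transfer form with the anti-forgery token in a hidden field.
    The token is attribute-encoded even though token_urlsafe output is already
    safe, so the habit survives a later change of token format."""
    token = html.escape(session.csrf_token, quote=True)
    return (
        '<form method="post" action="/transfer">'
        '<input type="text" name="name" value=""/>'
        '<input type="text" name="lastname" value=""/>'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}"/>'
        '<input type="submit"/>'
        "</form>"
    )


def verify_transfer_request(session, form_fields):
    """Run before the transfer is processed.

    A cross-site page can make the victim's browser attach the session cookie,
    but it cannot read the token rendered into the victim's own form, so a forged
    request arrives with the field missing or wrong. compare_digest keeps the
    comparison constant-time; encoding to bytes makes it accept any str input."""
    submitted = form_fields.get(TOKEN_FIELD, "")
    return hmac.compare_digest(submitted.encode("utf-8"),
                               session.csrf_token.encode("utf-8"))


if __name__ == "__main__":
    s = Session()
    print(render_transfer_form(s))
    legitimate = {"name": "John", "lastname": "Dawson", TOKEN_FIELD: s.csrf_token}
    print(verify_transfer_request(s, legitimate))
    print(verify_transfer_request(s, {"name": "John", "lastname": "Dawson"}))
```

The check must be applied to every state-changing request, not only to the transfer form; a token that is generated but never verified on some other endpoint protects nothing there.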