Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (11)
Ähnlich wie DC612 Day - Web Application Security: OWASP Top 10
Ähnlich wie DC612 Day - Web Application Security: OWASP Top 10 (20)
DC612 Day - Web Application Security: OWASP Top 10
- 1. OWASP Top 10 Finding and Exploiting AppSec Flaws 1
- 2. Goals Understand common AppSec issues Be able to identify the OWASP Top 10 issues Understand what causes the issues 2 2
- 3. Why OWASP •Free information and projects •Defacto source for information on web security •Vendor and technology neutral •This is their mission 3 3
- 4. Terms HTTP Requests GET vs POST URI/URL Cookies Parameters SSL/TLS 4 4
- 5. Tools Scanners AppScan WebInspect N-Stalker Skipfish W3AF More at: http://projects.webappsec.org/w/page/13246988/W eb%20Application%20Security%20Scanner%20List 5 5
- 6. Tools Intercepting proxies Burp Suite Web Scarab Paros Proxy Zed Attack Proxy 6 6
- 7. Tools Browser Plugins TamperData Web Developer Firebug Proxy Switcher 7 7
- 8. The Top 10 Injection Broken Authentication and Session Management Cross-Site Scripting (XSS) Insecure Direct Object References Security Misconfiguration 8 8
- 9. The Top 10 (continued) Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery Using Known Vulnerable Components Unvalidated Redirects and Forwards 9 9
- 10. Scope of Attacks Client Side Attack the end user and end user network Server Side Attack the infrastructure 10 10
- 11. Causes of Vulnerabilities Improper input sanitization Programming errors Logic errors Configuration errors Missing security updates 11 11
- 12. Injection Result from improper input sanitization Multiple types SQL LDAP XPATH OS ... 12 12
- 13. SQL Injection Two types Vanilla (or “normal” or “first order”) Blind Results from directly inserting user supplied data into a SQL Query 13 13
- 14. SQL Queries SELECT * FROM events WHERE id='$id' Developer expects $id to be an integer like 3 What if $id is 3' or '1'='1 Or 3' union select name, password, role from users; -- 14 14
- 15. How to find Check all inputs to see if you can create an error message Single quote ' Double quote “ SQL comments SQL verbs 15 15
- 16. How to find If errors are trapped you have to look for differences between query results Unbalanced vs balanced quotes SQL errors ... 16 16
- 19. Broken Authentication and Session Management Logic, programming or configuration errors Exposes password or tokens Allows users to act as another user Horizontal Vertical 19 19
- 20. Cause Logic errors Security through obscurity Enforcing permissions on the wrong portion of the application 20 20
- 21. How to find Try to access functionality that your user shouldn't have access to Modify user identifying information 21 21
- 23. Cross-Site Scripting (XSS) Results from improper input sanitization Client side attack Two types Reflected Stored 23 23
- 24. Cause Direct use of user supplied input: echo(“Hello $_POST['name']”); 24 24
- 25. How to find Check all inputs to see if dangerous characters are properly escaped or deleted Text fields Hidden variables Cookies etc Proper escaping varies depending on your context 25 25
- 28. Insecure Direct Object References Results from improper input validation Directly refer to variables used in business logic Account numbers Prices File names etc 28 28
- 29. How to find Check for parameter names that reference business logic Modify parameters to see how they affect what data is presented to you or calculated values 29 29
- 31. Security Misconfiguration Improper configurations 31 31
- 32. How to find •Vulnerability scanners •System audit 32 32
- 33. Sensitive Data Exposure Improper storage of sensitive data Authentication data Credit card data SSNs Fail to encrypt sensitive data in transit No SSL/TLS More than just web traffic Unnecessary data returned to the client 33 33
- 34. How to find Improper storage of sensitive data Look at data you retrieved from other attacks Audits of the systems are more effective Fail to encrypt sensitive data in transit Look at the URL Capture traffic Man in the middle if necessary 34 34
- 35. Missing Function Level Access Control Logic error on protecting links/functions Often vertical access control 35 35
- 36. How to find If you have multiple accounts at different privilege levels try to access content for a higher privilege level as a lower privilege user Guess common page names Admin.[php|asp|html|...] Console.[php|asp|html|...] 36 36
- 39. Cross-Site Request Forgery (CSRF) Confused deputy attack Make a user make a request for you 39 39
- 40. How to find Look for actions that only depend on cookie values and well-known or public data Even if you have to guess a value, make sure the value is actually non-predictable 40 40
- 43. Using Known Vulnerable Components Framework or third party components contain vulnerabilities Missing patches 0-days 43 43
- 44. How to find •Vulnerability Scanners •Server headers/banners 44 44
- 45. Unvalidated Redirects and Forwards Improper validation of forwarding or redirect links Useful in phishing or drive by attacks Betrays a user's trust in a site 45 45
- 46. How to find Look for URLs or URL fragments in parameters and modify these 46 46
- 49. In the news SQL Injection Anonymous and Lulzsec Sony et al Insecure Direct Object Access Citibank 49 49
- 50. What next Vulnerable web applications • Damn Vulnerable Web Application • Bad Store • Hacme Bank|Casino|Books|Travel|... • Webmaven • Buggy Bank • ... 50 50