Presented by Paulo Silva, Security Researcher at Checkmarx on October 31, 2018 at Polytechnic Institute of Cávado and Ave.
Learn all about the OWASP Top 10 from his talk:
Part I
Web Application architecture
The HTTP protocol
HTTP Request walk-through
Part II
What is OWASP
What is the OWASP TOP 10
OWASP Top 10 walk-through
2. Who am I
Paulo Silva
Security Researcher
Researcher @ Checkmarx
Researcher/Team Leader/Software Developer @ Jscrambler
Volunteer @ OWASP
+13 years as Software Developer
Master in Innovation and Technological Entrepreneurship @ FEUP
Bachelor degree in Computer Sciences @ UMinho
Checkmarx | All Rights Reserved
5. Agenda
Part I
Web Application architecture
The HTTP protocol
HTTP Request walk-through
Part II
What is OWASP
What is the OWASP TOP 10
OWASP Top 10 walk-through
11. Question 1
What does HTTP stand for?
12. What does HTTP stand for?
Hypertext Transfer Protocol
13. Question 2
What’s the HTTP protocol author’s name?
14. What’s the HTTP protocol author’s name?
Sir Tim Berners-Lee
(Turing Award 2016)
15. Question 3
When was the HTTP protocol first proposed?
16. When was the HTTP protocol first proposed?
1990
17. A little bit of history
18. HTTP/0.9 (1991)
Connection: a client-server TCP/IP link.
Request: a single line of ASCII characters terminated by CR LF.
Response: a Hypertext Markup Language (HTML) document (a byte stream of ASCII characters).
Disconnection: the TCP/IP connection is closed by the server once the whole document has been transferred.
19. HTTP/0.9 (1991)
$ telnet www.uminho.pt 80
GET /
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir="ltr" lang="pt-PT">
<head><meta name="GENERATOR" content="Microsoft SharePoint" /><meta http-equiv="Content-type" content="text/html; charset=utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=10" /><meta http-equiv="Expires" content="0" /><meta name="msapplication-TileImage" content="/_layouts/15/images/SharePointMetroAppTile.png" /><meta name="msapplication-TileColor" content="#0072C6" /><title>
Universidade do Minho
</title>
20. HTTP/1.0 (1996)
Purpose
Serve more than just hypertext documents,
Provide richer metadata about the request and the response,
Enable content negotiation and more.
New Features
Additional Request Methods
Additional Header Field Definitions
21. HTTP/1.0 (1996)
$ telnet www.uminho.pt 80
GET / HTTP/1.0
HTTP/1.1 200 OK
Connection: close
Date: Tue, 11 Apr 2017 23:01:57 GMT
Content-Type: text/html; charset=utf-8
Last-Modified: Tue, 11 Apr 2017 23:01:57 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir="ltr" lang="pt-PT">
<head><meta name="GENERATOR" content="Microsoft SharePoint" />
22. HTTP/1.1 (1997)
New Features
Persistent Connections (Connection: Keep-Alive),
Internet address conservation (the Host header became mandatory),
State Management (Netscape cookies standardization).
23. HTTP/1.1 (1997)
$ telnet www.uminho.pt 80
GET / HTTP/1.1
Host: www.uminho.pt
HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Tue, 11 Apr 2017 23:01:57 GMT
Content-Type: text/html; charset=utf-8
Last-Modified: Tue, 11 Apr 2017 23:01:57 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir="ltr" lang="pt-PT">
<head><meta name="GENERATOR" content="Microsoft SharePoint" />
24. HTTP/2 (2012)
Purpose
Improve transport performance,
Lower latency,
Higher throughput.
New Features
Is binary, instead of textual.
Is fully multiplexed, instead of ordered and blocking.
Can therefore use one connection for parallelism.
Uses header compression to reduce overhead.
Allows servers to “push” responses proactively into client caches.
27. The HTTP GET Request
GET / HTTP/1.1
Host: www.uminho.pt
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
28. HTTP method aka verb
GET / HTTP/1.1
(the method is GET)
29. Request URI (Uniform Resource Identifier)
GET / HTTP/1.1
(the request URI is /)
30. Protocol Version
GET / HTTP/1.1
(the protocol version is HTTP/1.1)
31. The “Host” header
Host: www.uminho.pt
32. The “User-Agent” header
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
33. The “Accept” header
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
34. The “Accept-Language” header
Accept-Language: en-US,en;q=0.5
35. The “Accept-Encoding” header
Accept-Encoding: gzip, deflate
36. The “Do Not Track” header
DNT: 1
(specification status: Working Draft)
37. The “Connection” header
Connection: keep-alive
38. The “Upgrade-Insecure-Requests” header
Upgrade-Insecure-Requests: 1
(specification status: Candidate Recommendation)
39. DNS
Resolving www.uminho.pt through two DNS servers (the five numbered steps of the diagram):
1. Client to DNS 1: What is the address of www.uminho.pt?
2. DNS 1 to DNS 2: I don’t know it, but I will ask.
3. DNS 2 to DNS 1: On my cache it maps to 193.137.9.114.
4. DNS 1 to client: Thanks, I will cache it for a while.
5. Client: Awesome, I will call it.
40. Let’s query Google DNS (8.8.8.8)
$ dig @8.8.8.8 www.uminho.pt
; <<>> DiG 9.10.4-P6-RedHat-9.10.4-4.P6.fc25 <<>> @8.8.8.8 www.uminho.pt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27263
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.uminho.pt. IN A
;; ANSWER SECTION:
www.uminho.pt. 12866 IN A 193.137.9.114
;; Query time: 53 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 17 22:38:30 IST 2017
;; MSG SIZE rcvd: 58
41. Let’s connect and send the HTTP Request
IP Address : 193.137.9.114
Port : 80
GET / HTTP/1.1
Host: www.uminho.pt
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
42. HTTP Response
HTTP/1.1 302 Object Moved
Date: Mon, 17 Apr 2017 18:27:06 GMT
Connection: Keep-Alive
Content-Length: 0
Location: https://www.uminho.pt/
43. HTTP Response - Protocol Version
HTTP/1.1 302 Object Moved
(the protocol version is HTTP/1.1)
44. HTTP Response - Status Code
HTTP/1.1 302 Object Moved
(the status code is 302)
Code  Type
1xx   Informational responses
2xx   Success
3xx   Redirection
4xx   Client error
5xx   Server error
45. HTTP Response - Reason Phrase
HTTP/1.1 302 Object Moved
(the reason phrase is Object Moved)
The standard says: 302 Found
“The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. (…) The temporary URI SHOULD be given by the Location field in the response.”
46. HTTP Response - Date
Date: Mon, 17 Apr 2017 18:27:06 GMT
47. HTTP Response - Connection
Connection: Keep-Alive
48. HTTP Response - Content-Length
Content-Length: 0
49. HTTP Response - Location
Location: https://www.uminho.pt/
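The request and response walked through above, parsed by a small parser added here as an example (it is not code from the talk). It enforces the HTTP/1.1 rule that Host is mandatory, accepts an HTTP/0.9 request line without a version, and classifies the status code by the table on slide 44; the raw messages are reconstructed from the slides.

```python
# Raw request sent to 193.137.9.114:80, reconstructed from slide 41.
RAW_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.uminho.pt\r\n"
    "User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "DNT: 1\r\n"
    "Connection: keep-alive\r\n"
    "Upgrade-Insecure-Requests: 1\r\n"
    "\r\n"
)

# Raw response the server answered with, reconstructed from slide 42.
RAW_RESPONSE = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Date: Mon, 17 Apr 2017 18:27:06 GMT\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Length: 0\r\n"
    "Location: https://www.uminho.pt/\r\n"
    "\r\n"
)

# Status code classes from slide 44, keyed by the first digit.
STATUS_CLASSES = {
    "1": "Informational responses",
    "2": "Success",
    "3": "Redirection",
    "4": "Client error",
    "5": "Server error",
}


def _parse_headers(lines):
    """Turn 'Name: value' lines into a dict with lower-cased names."""
    headers = {}
    for line in lines:
        if line == "":
            break  # the empty line ends the header section
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_request(raw):
    """Split a request into method, request-URI, version and headers."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) == 2:
        # HTTP/0.9 simple request (slide 19): "GET /" with no version at all.
        method, uri, version = parts[0], parts[1], "HTTP/0.9"
    elif len(parts) == 3:
        method, uri, version = parts
    else:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = _parse_headers(lines[1:])
    # HTTP/1.1 made the Host header mandatory (slide 22).
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without a Host header")
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def parse_response(raw):
    """Split a response into version, status code, reason phrase and headers."""
    lines = raw.split("\r\n")
    version, code, reason = lines[0].split(" ", 2)
    headers = _parse_headers(lines[1:])
    # For a 3xx the temporary URI SHOULD be in the Location field (slide 45).
    location = headers.get("location") if code[0] == "3" else None
    return {"version": version, "status": int(code), "reason": reason,
            "class": STATUS_CLASSES[code[0]], "location": location,
            "headers": headers}


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(req["method"], req["uri"], req["version"], "->", req["headers"]["host"])
    resp = parse_response(RAW_RESPONSE)
    print(resp["status"], resp["reason"], "(%s)" % resp["class"], "->", resp["location"])
```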
53. And finally the Hypertext document
HTTP/1.1 200 OK
Date: Mon, 17 Apr 2017 18:27:05 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 02 Apr 2017 18:27:06 GMT
Last-Modified: Mon, 17 Apr 2017 18:27:06 GMT
Cache-Control: private, max-age=0
Connection: Keep-Alive
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir="ltr" lang="pt-PT"><head><meta name="GENERATOR" content="Microsoft SharePoint" /><meta http-equiv="Content-type" content="text/html; charset=utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=10" /><meta http-equiv="Expires" content="0" /><meta name="msapplication-TileImage" content="/_layouts/15/images/SharePointMetroAppTile.png" /><meta name="msapplication-TileColor" content="#0072C6" /><title>
Universidade do Minho
54. What's Next?
Parsing HTTP Response header
Security headers (e.g. CSP)
Cookies
Caching headers
Parsing HTTP Response body
Parse response body as text/html (according to Content-Type header)
Identify resources to download
JavaScript resources have to be downloaded, parsed and evaluated
CSS files have to be downloaded, parsed and then browser repaint is triggered
55. Statistics
100 HTTP Requests (including redirects)
20.80MB data transferred
8.33 seconds
56. What does a POST HTTP request look like?
POST / HTTP/1.1
Host: login.uminho.pt
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://login.uminho.pt/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3auminho%3aalunos&wctx=https%3a%2f%2falunos.uminho.pt%2fEN%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252Fpt%252Fprivate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
ctl00%24ContentPlaceHolder1%24UsernameTextBox=A50515&ctl00%24ContentPlaceHolder1%24PasswordTextBox=Checkmarx-Research-Team&ctl00%24ContentPlaceHolder1%24SubmitButton=Iniciar+sess%C3%A3o+%2F+Sign+in
58. What the hell is a cookie?
An HTTP response header (Set-Cookie) set by the server, with these attributes:
<name>=<value>: can be anything but control characters, spaces and tabs. It also must not contain the following characters: ( ) < > @ , ; : “ / [ ] ? = { }
Expires=<date>: cookie lifetime. Session cookies do not specify this.
Domain=<domain-value>: specifies those hosts to which the cookie will be sent.
Path=<path-value>: indicates a URL path that must exist in the requested resource before sending the Cookie header.
Secure: Secure cookies are only sent to the server when a request is made using SSL.
HttpOnly: HTTP-only cookies are not accessible via JavaScript (through Document.cookie and other APIs), to mitigate XSS attacks.
59. What the hell is a cookie?
HTTP/1.1 200 OK
Date: Sun, 23 Apr 2017 09:39:22 GMT
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Set-Cookie: UserName=A50515; expires=Sat, 22-Apr-2017 09:39:22 GMT; path=/
Password=checkmarx-research-team; expires=Sat, 22-Apr-2017 09:39:22 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Connection: Keep-Alive
...
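An audit of the Set-Cookie headers in the response above, added here as an example (not code from the talk): it flags cookies missing the Secure and HttpOnly attributes from slide 58 and a cookie that carries a credential in clear text. The header list is reconstructed from slide 59, assuming the Password cookie is its own Set-Cookie header; the list of sensitive cookie names is an assumption.

```python
# Response headers reconstructed from slide 59 (constructed sample input).
SAMPLE_RESPONSE_HEADERS = [
    ("Date", "Sun, 23 Apr 2017 09:39:22 GMT"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "UserName=A50515; expires=Sat, 22-Apr-2017 09:39:22 GMT; path=/"),
    ("Set-Cookie", "Password=checkmarx-research-team; expires=Sat, 22-Apr-2017 09:39:22 GMT; path=/"),
    ("Server", "Microsoft-IIS/8.0"),
    ("Connection", "Keep-Alive"),
]

# Cookie names that should never carry a credential in clear text
# (assumed list; extend it for your own application).
SENSITIVE_NAMES = {"password", "passwd", "pwd", "secret", "token"}


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Flag attributes such as Secure and HttpOnly map to an empty string.
    Attribute names are lower-cased because they are case-insensitive.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def audit_cookie(value):
    """Return a list of findings for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("%s: missing Secure, also sent over plain HTTP" % name)
    if "httponly" not in attrs:
        findings.append("%s: missing HttpOnly, readable via Document.cookie" % name)
    if name.lower() in SENSITIVE_NAMES:
        findings.append("%s: credential stored in a cookie in clear text" % name)
    return findings


def audit_response(headers):
    """Run audit_cookie over every Set-Cookie header of a response."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            findings.extend(audit_cookie(hvalue))
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE_HEADERS):
        print(finding)
```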
62. What is OWASP
Worldwide not-for-profit charitable organization;
Focuses on improving software security;
Provides impartial and practical information to AppSec individuals;
Issues software tools and knowledge-based documentation.
63. How does it work?
“as a community of like-minded professionals”
65. OWASP TOP 10
“A list of the 10 Most Critical Web Application Security Risks”
For each risk it provides:
A description
Example vulnerabilities
Example attacks
Guidance on how to avoid
References to OWASP and other related resources
67. A1 - Injection
Risk rating: Exploitability EASY; Prevalence COMMON; Detectability AVERAGE; Impact SEVERE. Threat agents are application specific; business impacts are application / business specific.
Threat Agents: anyone who can send untrusted data to the system, including:
● external users,
● business partners,
● other systems,
● internal users, and
● administrators.
Attack Vectors: attackers send simple text-based attacks that exploit the syntax of the targeted interpreter.
Security Weakness:
● Injection flaws occur when an application sends untrusted data to an interpreter.
● Injection flaws are very prevalent, particularly in legacy code.
● They are often found in SQL, LDAP, XPath, or NoSQL queries; OS commands; XML parsers, SMTP headers, expression languages, etc.
● Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws.
Technical Impacts: injection can result in:
● data loss or corruption,
● lack of accountability,
● denial of access,
● complete host takeover.
Business Impacts: depends on:
● the business value of the affected data;
● the platform running the interpreter;
● how your reputation can be harmed.
69. Am I Vulnerable?
Your database query
SELECT * FROM Users WHERE Username='$username' AND Password='$password'
70. Am I Vulnerable?
Inputs
$username="john"
$password="h3ll0"
SELECT * FROM Users WHERE Username='john' AND Password='h3ll0'
71. Am I Vulnerable?
Inputs
$username="1' or '1' = '1"
$password="1' or '1' = '1"
SELECT * FROM Users WHERE Username='1' or '1' = '1' AND Password='1' or '1' = '1'
72. Am I Vulnerable?
Inputs
$username="1' or '1' = '1"
$password="1' or '1' = '1"
SELECT * FROM Users WHERE Username='1' or '1' = '1' AND Password='1' or '1' = '1'
The WHERE clause evaluates as: False OR True AND False OR True, which is True.
74. Am I Vulnerable?
Your database query
SELECT * FROM Products WHERE id=$id
The URL: https://my-app.com/product/?id=10
Sometimes we have to use the back door!
75. Am I Vulnerable?
The URL: https://my-app.com/product/?id=10; INSERT INTO users (...)
SELECT * FROM Products WHERE id=10; INSERT INTO users (...)
77. Am I Vulnerable?
Your database query
db.accounts.find({
  "username": username,
  "password": password
});
78. Am I Vulnerable?
Inputs
username="john"
password={"$gt": ""}
db.accounts.find({
  "username": "john",
  "password": {"$gt": ""}
});
80. How Do I Prevent?
Keep untrusted data separated from commands and queries
Do not build the query by concatenating input into the SQL text:
"SELECT * FROM Users WHERE Username='" . $username . "' AND Password='" . $password . "'"
81. How Do I Prevent?
Use a parameterized interface
Most databases support Prepared Statements (shown here with PHP PDO):
$stmt = $db->prepare("SELECT * FROM Users WHERE Username=? AND Password=?");
$stmt->execute([$username, $password]);
82. How Do I Prevent?
Escape Special Characters
You should carefully escape special characters using the specific escape syntax for
the target interpreter (e.g. database query engine)
83. How Do I Prevent?
Escape Special Characters
SELECT * FROM Users WHERE Username='1' or '1' = '1' AND Password='1' or '1' = '1'
84. How Do I Prevent?
Input Validation
If you’re expecting a number do not allow letters;
This is not a complete defense, especially if your input requires special
characters;
Avoid writing your own validators: OWASP ESAPI.
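The login query from slides 69-72 built by string concatenation, beside the prepared-statement version from slide 81 and the numeric input validation from slide 84, run against an in-memory SQLite database so the difference is observable. This is an example added here, not code from the talk; the table contents are constructed.

```python
import sqlite3


def make_db():
    """Constructed sample schema: the Users and Products tables from the slides."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Users VALUES ('john', 'h3ll0');
        CREATE TABLE Products (id INTEGER, name TEXT);
        INSERT INTO Products VALUES (10, 'Public item');
        """
    )
    return db


def login_vulnerable(db, username, password):
    """Slide 69: untrusted data is mixed into the command text, so the
    database interpreter treats the input as SQL syntax."""
    query = ("SELECT * FROM Users WHERE Username='" + username +
             "' AND Password='" + password + "'")
    return db.execute(query).fetchall()


def login_safe(db, username, password):
    """Slide 81: a prepared statement sends the values separately from the
    SQL text, so a quote in the input is just a character in a value."""
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return db.execute(query, (username, password)).fetchall()


def get_product(db, id_param):
    """Slide 84: if you expect a number, reject anything that is not one,
    and still use a parameter rather than splicing it into the query."""
    if not id_param.isdigit():
        raise ValueError("product id must be numeric, got %r" % id_param)
    return db.execute("SELECT name FROM Products WHERE id=?", (int(id_param),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    bypass = "1' or '1' = '1"          # the input from slide 71
    print("vulnerable:", login_vulnerable(db, bypass, bypass))
    print("safe:      ", login_safe(db, bypass, bypass))
    print("product:   ", get_product(db, "10"))
```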
85. Remember
This is not database specific
LDAP;
XPath;
OS commands;
XML parsers;
SMTP Headers;
Regular Expressions
86. A2 – Broken Authentication and Session Management
Risk rating: Exploitability AVERAGE; Prevalence COMMON; Detectability AVERAGE; Impact SEVERE. Threat agents are application specific; business impacts are application / business specific.
Threat Agents: external attackers (steal accounts from others); authorized users (steal accounts from others); insiders (wanting to disguise their actions).
Attack Vectors: attackers use leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to temporarily or permanently impersonate users.
Security Weakness:
● Building custom authentication and session management schemes is hard and error-prone.
● Common flaws in areas such as logout, create account, change password, forgot password, timeouts, remember me, secret question, account update, etc.
● Finding such flaws can sometimes be difficult, as each implementation is unique.
Technical Impacts:
● Impersonate users.
● Privileged accounts are frequently targeted.
Business Impacts: depends on:
● the business value of the affected data;
● application functions;
● the business impact from public exposure of the vulnerability.
87. Am I Vulnerable?
Session IDs in the URL
https://my-app.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii
Sharing the URL allows:
Session reuse;
Others to access your account;
Impersonate you on further transactions.
88. Am I Vulnerable?
Session Timeout
If a session lasts forever, accessing the account on a public computer and closing the browser’s window without logging out may allow others to access the account the next time they open the browser.
89. How Do I Prevent?
Meet all Authentication and Session Management requirements defined in
OWASP’s Application Security Verification Standard;
Follow OWASP’s Secure Coding Practices guidelines about Authentication and Password
Management and Session Management.
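A session store that applies the two controls slides 87 and 88 call for, added here as an example (not code from the talk): the session ID is read only from the Cookie header, never from the URL, and idle or old sessions expire on the server side. The class, the timeout values and the cookie name are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session dies (assumed value)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on a session's age regardless of activity (assumed)


def url_carries_session_id(url):
    """True when the session id travels in the URL, as on slide 87: it then
    ends up in browser history, logs, bookmarks and the Referer header."""
    return "jsessionid=" in url.lower()


def session_id_from_cookie(cookie_header, name="JSESSIONID"):
    """Read the session id from the Cookie header only; an id in the URL is ignored."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


class SessionStore:
    """In-memory session store with idle and absolute expiry (hypothetical class)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without sleeping
        self._sessions = {}      # sid -> {"user", "created", "last_seen"}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 random bits: not guessable, not sequential
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid):
        """Return the user of a live session, or None (and drop the session) once it
        has been idle too long or is too old; the slide-88 scenario of a browser
        reopened on a public computer then finds no usable session."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Logout invalidates the server-side state, not just the browser's cookie."""
        self._sessions.pop(sid, None)
```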
90. A3 – Cross-Site Scripting (XSS)
Risk rating: Exploitability AVERAGE; Prevalence VERY WIDESPREAD; Detectability AVERAGE; Impact MODERATE. Threat agents are application specific; business impacts are application / business specific.
Threat Agents: consider anyone who can send untrusted data to the system, including external users, business partners, other systems, internal users, and administrators.
Attack Vectors: attackers send text-based attack scripts that exploit the interpreter in the browser. Almost any source of data can be an attack vector, including internal sources such as data from the database.
Security Weakness: XSS flaws occur when an application updates a web page with attacker controlled data without properly escaping that content or using a safe JavaScript API. There are two primary categories of XSS flaws: (1) Stored, and (2) Reflected, and each of these can occur on (a) the Server or (b) on the Client. Detection of most Server XSS flaws is fairly easy via testing or code analysis. Client XSS can be very difficult to identify.
Technical Impacts: attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.
Business Impacts: consider the business value of the affected system and all the data it processes. Also consider the business impact of public exposure of the vulnerability.
91. Am I Vulnerable?
Inputs
$name="Jane"
$surname="Doe"
persist
INSERT INTO Users (Id, Name, Surname) VALUES (1, "Jane", "Doe")
read
SELECT Name, Surname FROM Users WHERE Id = 1
display (the stored values are echoed into the page without escaping)
<h2>
<?php
echo $name . " " . $surname;
?>
</h2>
97. How Do I Prevent?
Preventing XSS requires separation of untrusted data from
active browser content.
Escape data based on the HTML context (body, attribute, JavaScript, CSS, or URL)
that the data will be placed into (Server XSS);
Avoid passing untrusted data to JavaScript and other browser APIs that can
generate active content (Client XSS);
For rich content, consider auto-sanitization libraries;
Consider Content Security Policy (CSP) to defend against XSS across your entire
site.
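The display step from slide 91 done with output encoding chosen by the HTML context the value lands in, as slide 97 describes. This is an example added here (not code from the talk): the function names and the rendered template are constructed, and the encoders use only the Python standard library.

```python
import html
import json
from urllib.parse import quote


def escape_html_body(value):
    """Text node context: < > & are what lets data become markup."""
    return html.escape(value, quote=False)


def escape_html_attr(value):
    """Quoted attribute context: also encode " and ' so the attribute cannot be closed."""
    return html.escape(value, quote=True)


def escape_js_string(value):
    """JavaScript string context: emit a JSON string literal and additionally
    encode < and > so that data containing </script> cannot end the script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def escape_url_param(value):
    """URL query parameter context: percent-encode everything but unreserved characters."""
    return quote(value, safe="")


def render_greeting(name, surname):
    """The <h2> from slide 91, plus the same data placed in an attribute, a
    JavaScript string and a URL, each with the encoder for its context."""
    full = name + " " + surname
    return (
        "<h2>%s</h2>\n" % escape_html_body(full)
        + '<input value="%s">\n' % escape_html_attr(full)
        + "<script>var who = %s;</script>\n" % escape_js_string(full)
        + '<a href="/profile?name=%s">profile</a>' % escape_url_param(full)
    )


if __name__ == "__main__":
    print(render_greeting("Jane", "Doe"))
    # Constructed hostile input: the output contains no executable script.
    print(render_greeting("<script>alert(1)</script>", "Doe"))
```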
98. A4 – Broken Access Control
Risk rating: Exploitability EASY; Prevalence WIDESPREAD; Detectability EASY; Impact MODERATE. Threat agents are application specific; business impacts are application / business specific.
Threat Agents: authorized users of your system:
● Are users restricted to certain functions and data?
● Are unauthenticated users allowed access to any functionality or data?
Attack Vectors: attackers, who are authorized users, simply change a parameter value to another resource they aren’t authorized for. Is access to this functionality or data granted?
Security Weakness: For data, applications and APIs frequently use the actual name or key of an object when generating web pages. For functions, URLs and function names are frequently easy to guess. Applications and APIs don’t always verify the user is authorized for the target resource. This results in an access control flaw. Testers can easily manipulate parameters to detect such flaws. Code analysis quickly shows whether authorization is correct.
Technical Impacts: such flaws can compromise all the functionality or data that is accessible. Unless references are unpredictable, or access control is enforced, data and functionality can be stolen, or abused.
Business Impacts: consider the business value of the exposed data and functionality. Also consider the business impact of public exposure of the vulnerability.
99. Am I Vulnerable?
Relying on unknown URLs
http://my-app.com/product/1
Varying the product ID may allow access to unpublished products
http://my-app.com/product/10001
Adding query string parameters may allow access to reserved features like
product editing
http://my-app.com/product/1?edit
100. How Do I Prevent?
Access Control check for every resource requiring authorization;
Per user or session indirect object references (do not use your objects’ database
primary key on Users’ Interface);
Automated verification: a single and audited verification control.
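Per-session indirect object references and a single access-control check that every handler goes through, as slide 100 recommends, applied to the product URLs of slide 99. This is an example added here (not code from the talk); the classes, the product records and the owner/published rules are constructed.

```python
import secrets

# Constructed sample data: one published product and one unpublished draft.
PRODUCTS = {
    1: {"name": "Public item", "published": True, "owner": "alice"},
    10001: {"name": "Draft item", "published": False, "owner": "bob"},
}


class ReferenceMap:
    """Maps random, session-scoped handles to real primary keys and back.

    The database key never reaches the user interface, and a handle issued
    to one session means nothing in another (hypothetical class)."""

    def __init__(self):
        self._to_key = {}
        self._to_ref = {}

    def ref_for(self, key):
        if key not in self._to_ref:
            ref = secrets.token_urlsafe(12)   # unpredictable, unlike a counter
            self._to_ref[key] = ref
            self._to_key[ref] = key
        return self._to_ref[key]

    def key_for(self, ref):
        return self._to_key.get(ref)          # None for any handle this session never issued


def can_access(user, product, action):
    """The one authorization decision every handler must call (slide 100)."""
    if action == "view":
        return product["published"] or product["owner"] == user
    if action == "edit":
        return product["owner"] == user
    return False


def product_handler(session, user, ref, action="view"):
    """Resolve the indirect reference, then check authorization before
    returning anything; returns the product name or an HTTP status code."""
    key = session.key_for(ref)
    if key is None or key not in PRODUCTS:
        return 404        # guessed or foreign handles look like missing resources
    product = PRODUCTS[key]
    if not can_access(user, product, action):
        return 403        # the ?edit-style escalation from slide 99 is refused here
    return product["name"]
```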
101. A5 – Security Misconfiguration
Risk rating: Exploitability EASY; Prevalence COMMON; Detectability EASY; Impact MODERATE. Threat agents are application specific; business impacts are application / business specific.
Threat Agents: consider anonymous external attackers as well as authorized users that may attempt to compromise the system. Also consider insiders wanting to disguise their actions.
Attack Vectors: attackers access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.
Security Weakness: Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, frameworks, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
Technical Impacts: such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.
Business Impacts: the system could be completely compromised without you knowing it. All of your data could be stolen or modified slowly over time. Recovery costs could be expensive.
102. Am I Vulnerable?
Out of date software (e.g. OS, Web/App Server, DBMS,…);
Unnecessary features enabled or installed (e.g., ports, services, pages, accounts,
privileges);
Unchanged default accounts and their passwords;
Stack traces on error messages;
Bad security settings configurations (e.g. application servers, application
frameworks, libraries, databases).
103. How Do I Prevent?
A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down.
All environments should be configured the same way but using different credentials.
A well-defined update process for all systems and dependencies.
Application component isolation.
Environment configuration validation.
104. A6 – Sensitive Data Exposure
Risk rating: Exploitability DIFFICULT; Prevalence UNCOMMON; Detectability AVERAGE; Impact SEVERE. Threat agents are application specific; business impacts are application / business specific.
Threat Agents: consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit, and even in your customers’ browsers. Include both external and internal threats.
Attack Vectors: attackers typically don’t break crypto directly. They break something else, such as steal keys, do man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s browser.
Security Weakness: The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server side flaws due to limited access and they are also usually hard to exploit.
Technical Impacts: failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc.
Business Impacts: consider the business value of the lost data and the impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.
105. Am I Vulnerable?
Passwords database using unsalted hashes
INSERT INTO accounts VALUES ($username, MD5($password))
Database
Username  Password
root      63a9f0ea7bb98050796b649e85481845
User1     21232f297a57a5a743894a0e4a801fc3
User2     e10adc3949ba59abbe56e057f20f883e
Rainbow Table
MD5 Hash                          Plain
63a9f0ea7bb98050796b649e85481845  root
21232f297a57a5a743894a0e4a801fc3  admin
e10adc3949ba59abbe56e057f20f883e  123456
106. How Do I Prevent?
Don’t store unnecessary data, discard it ASAP (e.g. Credit Cards);
Ensure strong standard algorithms, strong keys and proper key management;
Ensure passwords are stored using a proper algorithm like bcrypt, PBKDF2 or scrypt;
Disable autocomplete on forms that request sensitive data, and disable caching for pages that
contain sensitive data.
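The rainbow-table lookup from the "Am I Vulnerable?" slide and the bcrypt/PBKDF2 advice above, worked through in Python as an added example (not code from the talk): the unsalted MD5 records fall to a precomputed table, while a per-user random salt with PBKDF2-HMAC-SHA256 gives two users with the same password different records. The iteration count is an assumed value.

```python
# Added example, not from the talk: unsalted MD5 versus salted PBKDF2 storage.
import hashlib
import hmac
import os

# Constructed "accounts" table mirroring the slide: MD5(password), no salt.
ACCOUNTS_MD5 = {
    "root": "63a9f0ea7bb98050796b649e85481845",
    "User1": "21232f297a57a5a743894a0e4a801fc3",
    "User2": "e10adc3949ba59abbe56e057f20f883e",
}

# A tiny precomputed table: common passwords hashed once, reusable against every
# record because no salt separates them.
RAINBOW = {hashlib.md5(p.encode()).hexdigest(): p for p in ("root", "admin", "123456")}


def crack_unsalted(accounts):
    """Return {username: plaintext} for every stored hash present in the table."""
    return {user: RAINBOW[h] for user, h in accounts.items() if h in RAINBOW}


PBKDF2_ITERATIONS = 600_000  # assumed value; tune to your hardware budget


def hash_password(password, salt=None):
    """Store 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a fresh 16-byte salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(crack_unsalted(ACCOUNTS_MD5))            # every account recovered
    first, second = hash_password("123456"), hash_password("123456")
    print(first != second, verify_password("123456", first))   # True True
```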
107. A7 – Insufficient Attack Protection
Threat Agents (Application Specific): Consider that anyone with network access can send your application a request. Does your application detect and respond to both manual and automated attacks?
Attack Vectors (Exploitability: EASY): Attackers, known users or anonymous, send in attacks. Does the application or API detect the attack? How does it respond? Can it thwart attacks against known vulnerabilities?
Security Weakness (Prevalence: COMMON; Detectability: AVERAGE): Applications and APIs are attacked all the time. Most applications and APIs detect invalid input, but simply reject it, letting the attacker attack again and again. Such attacks indicate a malicious or compromised user probing or exploiting vulnerabilities. Detecting and blocking both manual and automated attacks is one of the most effective ways to increase security. How quickly can you patch a critical vulnerability you just discovered?
Technical Impacts (Impact: MODERATE): Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of successful exploit to 100%. Not quickly deploying patches aids attackers.
Business Impacts (Application / Business Specific): Consider the impact of insufficient attack protection on the business. Successful attacks may not be prevented, go undiscovered for long periods of time, and expand far beyond their initial footprint.
108. Am I Vulnerable?
Detect unexpected behavior
High volume requests to a single URL;
Request pattern detection.
Automated tools such as OWASP ZAP or SQLMap leave a recognisable request pattern, which allows
them to be distinguished from regular users.
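The two detection signals above, run over constructed access-log lines in Python as an added example (not the talk's code): a burst of requests to one URL from one client within a short window, and request patterns a scanner leaves behind (a tool User-Agent, SQL-style probes in a parameter). The log format, thresholds and pattern lists are assumptions to be tuned for a real application.

```python
# Added example, not from the talk: flag the two signals the slide names on
# constructed access-log lines. Log format, thresholds and pattern lists are assumptions.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed lines: client IP, timestamp, request line, status, User-Agent.
LOG_LINES = """\
10.0.0.7 [31/Oct/2018:10:00:01] "GET /products?id=1 HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.7 [31/Oct/2018:10:00:01] "GET /products?id=1' HTTP/1.1" 500 "Mozilla/5.0"
10.0.0.7 [31/Oct/2018:10:00:02] "GET /products?id=1%20OR%201=1 HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.7 [31/Oct/2018:10:00:02] "GET /products?id=2 HTTP/1.1" 200 "sqlmap/1.2"
10.0.0.7 [31/Oct/2018:10:00:03] "GET /products?id=3 HTTP/1.1" 200 "sqlmap/1.2"
10.0.0.7 [31/Oct/2018:10:00:04] "GET /products?id=4 HTTP/1.1" 200 "sqlmap/1.2"
10.0.0.9 [31/Oct/2018:10:00:05] "GET /products?id=3 HTTP/1.1" 200 "Mozilla/5.0"
""".splitlines()

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')
TOOL_UA = re.compile(r"sqlmap|zap|nikto", re.I)               # scanner User-Agents (illustrative)
PROBE = re.compile(r"'|--|\bor\b\s+\d+=\d+|<script", re.I)   # crude injection/XSS probe markers


def parse(line):
    """Split one log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, ua = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"), "path": path,
            "query": unquote(query), "status": int(status), "ua": ua}


def detect(lines, burst_threshold=5, window_seconds=10):
    """Return {'burst': {(ip, path)}, 'pattern': {ip}}: clients to block or put under monitoring."""
    recent = defaultdict(list)                      # (ip, path) -> timestamps inside the window
    alerts = {"burst": set(), "pattern": set()}
    for rec in filter(None, map(parse, lines)):
        if TOOL_UA.search(rec["ua"]) or PROBE.search(rec["query"]):
            alerts["pattern"].add(rec["ip"])        # request pattern detection
        times = recent[(rec["ip"], rec["path"])]
        times.append(rec["time"])
        while (times[-1] - times[0]).total_seconds() > window_seconds:   # slide the window
            times.pop(0)
        if len(times) >= burst_threshold:           # high volume of requests to a single URL
            alerts["burst"].add((rec["ip"], rec["path"]))
    return alerts


if __name__ == "__main__":
    print(detect(LOG_LINES))
```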
109. How Do I Prevent?
Detect Attacks: Is the application being used in a way that an ordinary user would never do?
Respond to Attacks: Decide whether to automatically block requests, IP addresses or IP ranges. Disable or
monitor user accounts.
Patch Quickly: If application patching takes longer, go with a virtual patch.
110. A8 – Cross-Site Request Forgery (CSRF)
Threat Agents (Application Specific): Consider anyone who can load content into your users’ browsers, and thus force them to submit a request to your website, including any website or other HTML feed that your users visit.
Attack Vectors (Exploitability: AVERAGE): Attackers create forged HTTP requests and trick a victim into submitting them via image tags, iframes, XSS, or various other techniques. If the user is authenticated, the attack succeeds.
Security Weakness (Prevalence: UNCOMMON; Detectability: EASY): CSRF takes advantage of the fact that most web apps allow attackers to predict all the details of a particular action. Because browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones. Detection of CSRF flaws is fairly easy via penetration testing or code analysis.
Technical Impacts (Impact: MODERATE): Attackers can trick victims into performing any state changing operation the victim is authorized to perform (e.g., updating account details, making purchases, modifying data).
Business Impacts (Application / Business Specific): Consider the business value of the affected data or application functions. Imagine not being sure if users intended to take these actions. Consider the impact to your reputation.
111. Am I Vulnerable?
<form action="https://yapp.com/signin" method="post">
  <input type="email" name="email" />
  <input type="password" name="password" />
  <input type="submit" value="submit" />
</form>
Not using CSRF tokens
112. How Do I Prevent?
Using CSRF tokens
Generated server-side;
Unpredictable;
Short TTL;
One time only;
Unique per user session;
Requests without or with invalid CSRF token should be
discarded.
113. How Do I Prevent?
<form action="https://yapp.com/signin" method="post">
  <input type="hidden" name="csrf" value="MTc1MjUK" />
  <input type="email" name="email" />
  <input type="password" name="password" />
  <input type="submit" value="submit" />
</form>
Using CSRF tokens
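The token properties listed on the previous slide and the hidden csrf field in the form above, implemented as an added Python example (not the talk's code): a server-side store that issues tokens from a CSPRNG, binds each to a session, expires it after a TTL, accepts it once, and a constructed signin handler that rejects any request whose token is missing or invalid. The class, handler names and TTL are assumptions.

```python
# Added example, not from the talk: a minimal server-side CSRF token store with the
# properties the slide lists. Names, TTL and the handler are constructed for illustration.
import hmac
import secrets
import time


class CsrfTokenStore:
    def __init__(self, ttl_seconds=600, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so the expiry path can be exercised in tests
        self._issued = {}             # token -> (session_id, expires_at)

    def issue(self, session_id):
        """Mint a token for this session; embed it in the form as the hidden 'csrf' field."""
        token = secrets.token_urlsafe(32)                    # CSPRNG, 256 bits: unpredictable
        self._issued[token] = (session_id, self.clock() + self.ttl)   # short TTL
        return token

    def consume(self, session_id, token):
        """True exactly once for a valid, unexpired token bound to this session; else False."""
        if not isinstance(token, str) or not token or not token.isascii():
            return False                                     # missing or malformed: discard
        # Constant-time comparison against each issued token so timing leaks nothing.
        match = next((t for t in self._issued if hmac.compare_digest(t, token)), None)
        if match is None:
            return False                                     # never issued (or already used)
        bound_session, expires_at = self._issued.pop(match)  # one time only: burned on use
        if self.clock() > expires_at:
            return False                                     # expired
        return hmac.compare_digest(bound_session, session_id)  # unique per user session


def handle_signin(store, session_id, form):
    """Constructed handler for the slide's signin form: reject before touching credentials."""
    if not store.consume(session_id, form.get("csrf")):
        return 403, "invalid or missing CSRF token"
    return 200, f"signed in {form['email']}"


if __name__ == "__main__":
    store = CsrfTokenStore()
    token = store.issue("session-1")
    print(handle_signin(store, "session-1", {"csrf": token, "email": "a@example.com"}))
    print(handle_signin(store, "session-1", {"csrf": token, "email": "a@example.com"}))  # replay
```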
114. A9 – Using Components with Known Vulnerabilities
Threat Agents (Application Specific): Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.
Attack Vectors (Exploitability: AVERAGE): Attackers identify a weak component through scanning or manual analysis. They customize the exploit as needed and execute the attack. It gets more difficult if the used component is deep in the application.
Security Weakness (Prevalence: COMMON; Detectability: AVERAGE): Many applications and APIs have these issues because their development teams don’t focus on ensuring their components and libraries are up to date. In some cases, the developers don’t even know all the components they are using, never mind their versions. Component dependencies make things even worse. Tools are becoming commonly available to help detect components with known vulnerabilities.
Technical Impacts (Impact: MODERATE): The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise.
Business Impacts (Application / Business Specific): Consider what each vulnerability might mean for the business controlled by the affected application. It could be trivial or it could mean complete compromise.
115. Am I Vulnerable?
Using vulnerable components
Component             # Vulnerabilities
                      2016  2015  2014
OpenSSL                 34    34    24
Microsoft IIS            -     1     1
Microsoft Sharepoint    23    21     7
MySQL                    1     1    38
MongoDB                  1     1     2
116. How Do I Prevent?
Continuously inventory the version of both client-side and server-side components;
Audit dependencies against known vulnerabilities (e.g. using static code analysis tools);
Continuously monitor sources like CVE and NVD.
117. A10 – Underprotected APIs
Threat Agents (Application Specific): Consider anyone with the ability to send requests to your APIs. Client software is easily reversed and communications are easily intercepted, so obscurity is no defense for APIs.
Attack Vectors (Exploitability: AVERAGE): Attackers can reverse engineer APIs by examining client code, or simply monitoring communications. Some API vulnerabilities can be automatically discovered, others only by experts.
Security Weakness (Prevalence: COMMON; Detectability: DIFFICULT): Modern web applications and APIs are increasingly composed of rich clients (browser, mobile, desktop) that connect to backend APIs (XML, JSON, RPC, GWT, custom). APIs (microservices, services, endpoints) can be vulnerable to the full range of attacks. Unfortunately, dynamic and sometimes even static tools don’t work well on APIs, and they can be difficult to analyze manually, so these vulnerabilities are often undiscovered.
Technical Impacts (Impact: MODERATE): The full range of negative outcomes is possible, including data theft, corruption, and destruction; unauthorized access to the entire application; and complete host takeover.
Business Impacts (Application / Business Specific): Consider the impact of an API attack on the business. Does the API access critical data or functions? Many APIs are mission critical, so also consider the impact of denial of service attacks.
118. How Do I Prevent?
Ensure that you have secured communications between the client and your APIs (e.g. SSL);
Ensure that you have a strong authentication scheme for your APIs, and that all credentials,
keys, and tokens have been secured;
Ensure that, whatever data format your requests use, the parser configuration is
hardened against attack;
Implement an access control scheme that protects APIs from being improperly invoked,
including unauthorized function and data references;
Protect against injection of all forms, as these attacks are just as viable through APIs as
they are for normal apps.
120. Question 4
Why should I still read the OWASP TOP 10?
121. Why should I still read the OWASP TOP 10?
Because
I told you just part of the story;
OWASP TOP 10 includes:
– +D What’s Next for Developers
– +T What’s Next for Security Testing
– +O What’s Next for Organizations
OWASP TOP 10 is accepted as an industry standard
123. How can I join OWASP?
Join your local chapter
https://lists.owasp.org/mailman/listinfo/owasp-portuguese-project
125. How can I contribute?
Join your local chapter
https://lists.owasp.org/mailman/listinfo/owasp-portuguese-project
Helping translate OWASP contents to your language;
Helping review OWASP contents;
Using & reporting issues on OWASP software;
Creating security awareness;
...