SlideShare a Scribd company logo

Top 10 Web Security Vulnerabilities

Download as ODP, PDF
Carol McDonald
Carol McDonald

Top 10 Web Security Vulnerabilities as defined by the OWASP, and what you can do to protect your application

1 of 74
OWASP Top 10 Web Security Vulnerabilities Carol McDonald Sun Microsystems
About the Speaker ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
OWASP Top 10 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
WebGoat and WebScarab from OWASP
Enterprise Security API http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Frameworks and ESAPI ,[object Object],[object Object],[object Object],[object Object],[object Object]
Enterprise Security API
Enterprise Security API
A1: Cross Site Scripting XSS ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A1 Cross Site Scripting Example ,[object Object],[object Object],Site reflects the script back to user where it executes and sends the session cookie to the hacker. Hacker tricks user into sending request containing script in search parameter. <script>alert(document.cookie)</script>
Never Trust Input ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A1 Cross Site Scripting Protection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A1 Cross Site Scripting Protection
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A1 Cross Site Scripting Protection
Validation, Encoding, and Injection http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt Any Encoding Any Interpreter Set Character Set Encode For HTML Global Validate Canonicalize Specific Validate Sanitize Canonicalize Validate
Handling Validation, and Encoding http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt encodeForURL encodeForJavaScript encodeForVBScript encodeForDN encodeForHTML encodeForHTMLAttribute encodeForLDAP encodeForSQL encodeForXML encodeForXMLAttribute encodeForXPath isValidDirectoryPath isValidCreditCard isValidDataFromBrowser isValidListItem isValidFileContent isValidFileName isValidHTTPRequest isValidRedirectLocation isValidSafeHTML isValidPrintable safeReadLine Canonicalization Double Encoding Protection Normalization Sanitization
[object Object],[object Object],[object Object],A1 Cross Site Scripting Protection
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A1 Cross Site Scripting Protection
[object Object],[object Object],A1 Cross Site Scripting Protection
[object Object],A2: Injection Flaws Hacker sends SQL commands into a form field. Site executes modified SQL query and returns results to hacker. 101’ or ‘1’=‘1
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A2: SQL Injection
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A2: SQL Injection
Never Trust Input ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A2: SQL Injection Protection dangerous characters - escaped by the JDBC driver.
[object Object],[object Object],[object Object],[object Object],[object Object],A2: SQL Injection Protection dangerous characters - escaped by the JDBC driver.
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A2: SQL Injection Protection compiler checks for correctness dangerous characters - escaped by the JDBC driver.
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A3: Malicious File Execution
A3: Malicious File Execution ,[object Object],[object Object],[object Object]
A3: Malicious File Execution Protection ,[object Object],[object Object],[object Object],[object Object]
Handling Validation, and Encoding http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt encodeForURL encodeForJavaScript encodeForVBScript encodeForDN encodeForHTML encodeForHTMLAttribute encodeForLDAP encodeForSQL encodeForXML encodeForXMLAttribute encodeForXPath isValidDirectoryPath isValidCreditCard isValidDataFromBrowser isValidListItem isValidFileContent isValidFileName isValidHTTPRequest isValidRedirectLocation isValidSafeHTML isValidPrintable safeReadLine Canonicalization Double Encoding Protection Normalization Sanitization
[object Object],[object Object],[object Object],[object Object],[object Object],A3: Malicious File Execution Protection
A4: Insecure Direct Object Reference ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Real Attack on Australian Tax office attacker changed the tax id in the url , got info on 17,000 companies
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A4: Insecure Direct Object Reference - Example code can be attacked using a string like &quot;/../../../etc/passwd%00&quot; (null byte injection)
[object Object],[object Object],A4: Insecure Direct Object Reference - Example reference to database key attacker can search on another key.
A4: Insecure Direct Object Reference Protection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Handling Direct Object References http://app?file=7d3J93 Report123.xls Web Service Database Mainframe File System User Etc… Access Reference Map Indirect Reference Direct Reference Indirect Reference Direct Reference
ESAPI Access Reference Map ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],ESAPI: Handling Direct Object References
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],ESAPI: Controlling Access to Files, Data
A5: Cross Site Request Forgery ,[object Object],[object Object],[object Object],logon navigate to javascript get users gmail contacts users cookie, session
A5: Cross Site Request Forgery ,[object Object],remember me navigate to add movies to users queue users cookie, session http://news.cnet.com/Netflix-fixes-Web-2.0-bugs/2100-1002_3-6126438.html?part=rss&tag=6126438&subj=news <img src=&quot; http://www.netflix.com/AddToQueue?movieid=70011204 &quot; />
A5: Cross Site Request Forgery ,[object Object],logon read email, click image transfer funds users cookie, session
A5:Cross Site Request Forgery ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A5:Cross Site Request Forgery ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A5:Cross Site Request Forgery ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Handling Authentication and Identity http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt Strong Passwords Random Tokens CSRF Tokens Lockout Remember Me Screen Name Roles Timeout Users
A5:Cross Site Request Forgery Java Protection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A6: Information Leakage and Improper Error Handling ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A6: Information Leakage and Improper Error Handling Protection ,[object Object],[object Object],[object Object],[object Object],[object Object]
A7:Broken Authentication/Session Management ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A7:Broken Authentication/Session Management Protection: ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A7:Broken Authentication/Session Management Protection: ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A7:Broken Authentication/Session Management Protection:
ESAPI Handling Authentication and Identity http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt Strong Passwords Random Tokens CSRF Tokens Lockout Remember Me Screen Name Roles Timeout Users
ESAPI Authenticator Interface ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
ESAPI User Interface ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A8: Insecure Cryptographic Storage ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A8: Insecure Cryptographic Storage Protection
Handling Sensitive Information http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt Encryption Digital Signatures Integrity Seals Strong GUID Random Tokens Timestamp Salted Hash Safe Config Details
ESAPI Encryptor ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A9: Insecure Communication ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A9: Insecure Communication Protection
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A9: Insecure Communication Protection
A10: Failure to Restrict URL Access ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
A10: Failure to Restrict URL Access ,[object Object],[object Object],[object Object],[object Object],http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass_11.html
A10: Failure to Restrict URL Access Protection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A10: Protection
ACEGI Spring Security
ESAPI Handling Access Control isAuthorizedForURL isAuthorizedForFunction isAuthorizedForFunction isAuthorizedForService isAuthorizedForData isAuthorizedForFile
ESAPI AccessController ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
ESAPI IntrusionDetector ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Secure Principles ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
References and More Information: ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Recommended

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Lenur Dzhemiliev
 
Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applications
Daniel Garcia (a.k.a cr0hn)
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
Ammar WK
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 

Recommended

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Lenur Dzhemiliev
 
Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applications
Daniel Garcia (a.k.a cr0hn)
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
Ammar WK
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
NishaYadav177
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101
Paul Ionescu
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
IndusfacePvtLtd
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
Teymur Kheirkhabarov
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
RomSoft SRL
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
Ankita Ganguly
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Web Security
Web SecurityWeb Security
Web Security
Tripad M
 
Introduction to Web security
Introduction to Web securityIntroduction to Web security
Introduction to Web security
jeyaselvir
 

More Related Content

What's hot

Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 

What's hot (20)

Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
Web application security
Web application securityWeb application security
Web application security
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 

Viewers also liked

Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
情報検索における質問者の プライバシー保護 :Private Information Retrieval
情報検索における質問者の プライバシー保護 :Private Information Retrieval情報検索における質問者の プライバシー保護 :Private Information Retrieval
情報検索における質問者の プライバシー保護 :Private Information Retrieval
Hiroshi Nakagawa
 
WordPress for Beginners Create Professional Websites
WordPress for Beginners Create Professional WebsitesWordPress for Beginners Create Professional Websites
WordPress for Beginners Create Professional Websites
ayman diab
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 

Viewers also liked (20)

Web Security
Web SecurityWeb Security
Web Security
 
Introduction to Web security
Introduction to Web securityIntroduction to Web security
Introduction to Web security
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object Reference
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Web Security
Web SecurityWeb Security
Web Security
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
Web security 2012
Web security 2012Web security 2012
Web security 2012
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Web Security
Web SecurityWeb Security
Web Security
 
Web Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartWeb Security Workshop : A Jumpstart
Web Security Workshop : A Jumpstart
 
情報検索における質問者の プライバシー保護 :Private Information Retrieval
情報検索における質問者の プライバシー保護 :Private Information Retrieval情報検索における質問者の プライバシー保護 :Private Information Retrieval
情報検索における質問者の プライバシー保護 :Private Information Retrieval
 
WordPress for Beginners Create Professional Websites
WordPress for Beginners Create Professional WebsitesWordPress for Beginners Create Professional Websites
WordPress for Beginners Create Professional Websites
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksMobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 Risks
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
 

Similar to Top 10 Web Security Vulnerabilities

Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
Frank Kim
 
Joomla security nuggets
Joomla security nuggetsJoomla security nuggets
Joomla security nuggets
guestbd1cdca
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
Haitham Raik
 
CiklumJavaSat_15112011:Alex Kruk VMForce
CiklumJavaSat_15112011:Alex Kruk VMForceCiklumJavaSat_15112011:Alex Kruk VMForce
CiklumJavaSat_15112011:Alex Kruk VMForce
Ciklum Ukraine
 
Application Security
Application SecurityApplication Security
Application Security
nirola
 
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Xlator
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
Igor Bronovskyy
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
mirahman
 

Similar to Top 10 Web Security Vulnerabilities (20)

PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
Joomla security nuggets
Joomla security nuggetsJoomla security nuggets
Joomla security nuggets
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
Web Security
Web SecurityWeb Security
Web Security
 
Pascarello_Investigating JavaScript and Ajax Security
Pascarello_Investigating JavaScript and Ajax SecurityPascarello_Investigating JavaScript and Ajax Security
Pascarello_Investigating JavaScript and Ajax Security
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
CiklumJavaSat_15112011:Alex Kruk VMForce
CiklumJavaSat_15112011:Alex Kruk VMForceCiklumJavaSat_15112011:Alex Kruk VMForce
CiklumJavaSat_15112011:Alex Kruk VMForce
 
Application Security
Application SecurityApplication Security
Application Security
 
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
 
my accadanic project ppt
my accadanic project pptmy accadanic project ppt
my accadanic project ppt
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
Client-side JavaScript Vulnerabilities
Client-side JavaScript VulnerabilitiesClient-side JavaScript Vulnerabilities
Client-side JavaScript Vulnerabilities
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
php
phpphp
php
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
 

More from Carol McDonald

Demystifying AI, Machine Learning and Deep Learning
Demystifying AI, Machine Learning and Deep LearningDemystifying AI, Machine Learning and Deep Learning
Demystifying AI, Machine Learning and Deep Learning
Carol McDonald
 
Streaming Patterns Revolutionary Architectures with the Kafka API
Streaming Patterns Revolutionary Architectures with the Kafka APIStreaming Patterns Revolutionary Architectures with the Kafka API
Streaming Patterns Revolutionary Architectures with the Kafka API
Carol McDonald
 

More from Carol McDonald (20)

Introduction to machine learning with GPUs
Introduction to machine learning with GPUsIntroduction to machine learning with GPUs
Introduction to machine learning with GPUs
 
Streaming healthcare Data pipeline using Apache APIs: Kafka and Spark with Ma...
Streaming healthcare Data pipeline using Apache APIs: Kafka and Spark with Ma...Streaming healthcare Data pipeline using Apache APIs: Kafka and Spark with Ma...
Streaming healthcare Data pipeline using Apache APIs: Kafka and Spark with Ma...
 
Analyzing Flight Delays with Apache Spark, DataFrames, GraphFrames, and MapR-DB
Analyzing Flight Delays with Apache Spark, DataFrames, GraphFrames, and MapR-DBAnalyzing Flight Delays with Apache Spark, DataFrames, GraphFrames, and MapR-DB
Analyzing Flight Delays with Apache Spark, DataFrames, GraphFrames, and MapR-DB
 
Analysis of Popular Uber Locations using Apache APIs: Spark Machine Learning...
Analysis of Popular Uber Locations using Apache APIs: Spark Machine Learning...Analysis of Popular Uber Locations using Apache APIs: Spark Machine Learning...
Analysis of Popular Uber Locations using Apache APIs: Spark Machine Learning...
 
Predicting Flight Delays with Spark Machine Learning
Predicting Flight Delays with Spark Machine LearningPredicting Flight Delays with Spark Machine Learning
Predicting Flight Delays with Spark Machine Learning
 
Structured Streaming Data Pipeline Using Kafka, Spark, and MapR-DB
Structured Streaming Data Pipeline Using Kafka, Spark, and MapR-DBStructured Streaming Data Pipeline Using Kafka, Spark, and MapR-DB
Structured Streaming Data Pipeline Using Kafka, Spark, and MapR-DB
 
Streaming Machine learning Distributed Pipeline for Real-Time Uber Data Using...
Streaming Machine learning Distributed Pipeline for Real-Time Uber Data Using...Streaming Machine learning Distributed Pipeline for Real-Time Uber Data Using...
Streaming Machine learning Distributed Pipeline for Real-Time Uber Data Using...
 
Applying Machine Learning to IOT: End to End Distributed Pipeline for Real-Ti...
Applying Machine Learning to IOT: End to End Distributed Pipeline for Real-Ti...Applying Machine Learning to IOT: End to End Distributed Pipeline for Real-Ti...
Applying Machine Learning to IOT: End to End Distributed Pipeline for Real-Ti...
 
Applying Machine Learning to IOT: End to End Distributed Pipeline for Real- T...
Applying Machine Learning to IOT: End to End Distributed Pipeline for Real- T...Applying Machine Learning to IOT: End to End Distributed Pipeline for Real- T...
Applying Machine Learning to IOT: End to End Distributed Pipeline for Real- T...
 
How Big Data is Reducing Costs and Improving Outcomes in Health Care
How Big Data is Reducing Costs and Improving Outcomes in Health CareHow Big Data is Reducing Costs and Improving Outcomes in Health Care
How Big Data is Reducing Costs and Improving Outcomes in Health Care
 
Demystifying AI, Machine Learning and Deep Learning
Demystifying AI, Machine Learning and Deep LearningDemystifying AI, Machine Learning and Deep Learning
Demystifying AI, Machine Learning and Deep Learning
 
Spark graphx
Spark graphxSpark graphx
Spark graphx
 
Applying Machine learning to IOT: End to End Distributed Distributed Pipeline...
Applying Machine learning to IOT: End to End Distributed Distributed Pipeline...Applying Machine learning to IOT: End to End Distributed Distributed Pipeline...
Applying Machine learning to IOT: End to End Distributed Distributed Pipeline...
 
Streaming patterns revolutionary architectures
Streaming patterns revolutionary architectures Streaming patterns revolutionary architectures
Streaming patterns revolutionary architectures
 
Spark machine learning predicting customer churn
Spark machine learning predicting customer churnSpark machine learning predicting customer churn
Spark machine learning predicting customer churn
 
Fast Cars, Big Data How Streaming can help Formula 1
Fast Cars, Big Data How Streaming can help Formula 1Fast Cars, Big Data How Streaming can help Formula 1
Fast Cars, Big Data How Streaming can help Formula 1
 
Applying Machine Learning to Live Patient Data
Applying Machine Learning to Live Patient DataApplying Machine Learning to Live Patient Data
Applying Machine Learning to Live Patient Data
 
Streaming Patterns Revolutionary Architectures with the Kafka API
Streaming Patterns Revolutionary Architectures with the Kafka APIStreaming Patterns Revolutionary Architectures with the Kafka API
Streaming Patterns Revolutionary Architectures with the Kafka API
 
Apache Spark Machine Learning Decision Trees
Apache Spark Machine Learning Decision TreesApache Spark Machine Learning Decision Trees
Apache Spark Machine Learning Decision Trees
 
Advanced Threat Detection on Streaming Data
Advanced Threat Detection on Streaming DataAdvanced Threat Detection on Streaming Data
Advanced Threat Detection on Streaming Data
 

Top 10 Web Security Vulnerabilities

  • 1. OWASP Top 10 Web Security Vulnerabilities Carol McDonald Sun Microsystems
  • 2.
  • 3.
  • 5. Enterprise Security API http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
  • 6.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15. Validation, Encoding, and Injection http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt Any Encoding Any Interpreter Set Character Set Encode For HTML Global Validate Canonicalize Specific Validate Sanitize Canonicalize Validate
  • 16. Handling Validation, and Encoding http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt encodeForURL encodeForJavaScript encodeForVBScript encodeForDN encodeForHTML encodeForHTMLAttribute encodeForLDAP encodeForSQL encodeForXML encodeForXMLAttribute encodeForXPath isValidDirectoryPath isValidCreditCard isValidDataFromBrowser isValidListItem isValidFileContent isValidFileName isValidHTTPRequest isValidRedirectLocation isValidSafeHTML isValidPrintable safeReadLine Canonicalization Double Encoding Protection Normalization Sanitization
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30. Handling Validation, and Encoding http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt encodeForURL encodeForJavaScript encodeForVBScript encodeForDN encodeForHTML encodeForHTMLAttribute encodeForLDAP encodeForSQL encodeForXML encodeForXMLAttribute encodeForXPath isValidDirectoryPath isValidCreditCard isValidDataFromBrowser isValidListItem isValidFileContent isValidFileName isValidHTTPRequest isValidRedirectLocation isValidSafeHTML isValidPrintable safeReadLine Canonicalization Double Encoding Protection Normalization Sanitization
  • 31.
  • 32.
  • 33. Real Attack on Australian Tax office attacker changed the tax id in the url , got info on 17,000 companies
  • 34.
  • 35.
  • 36.
  • 37. Handling Direct Object References http://app?file=7d3J93 Report123.xls Web Service Database Mainframe File System User Etc… Access Reference Map Indirect Reference Direct Reference Indirect Reference Direct Reference
  • 38.
  • 39.
  • 40.
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 47. Handling Authentication and Identity http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt Strong Passwords Random Tokens CSRF Tokens Lockout Remember Me Screen Name Roles Timeout Users
  • 48.
  • 49.
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55. ESAPI Handling Authentication and Identity http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt Strong Passwords Random Tokens CSRF Tokens Lockout Remember Me Screen Name Roles Timeout Users
  • 56.
  • 57.
  • 58.
  • 59.
  • 60. Handling Sensitive Information http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt Encryption Digital Signatures Integrity Seals Strong GUID Random Tokens Timestamp Salted Hash Safe Config Details
  • 61.
  • 62.
  • 63.
  • 64.
  • 65.
  • 66.
  • 67.
  • 68.
  • 70. ESAPI Handling Access Control isAuthorizedForURL isAuthorizedForFunction isAuthorizedForFunction isAuthorizedForService isAuthorizedForData isAuthorizedForFile
  • 71.
  • 72.
  • 73.
  • 74.

Editor's Notes

  1. The attacker can send data in any encoding. And the interpreters downstream from your application may decide to handle any encoding. Canonicalize Input could be in any character set Double-encoding Multiple encoding schemes Double-encoding with multiple encoding schemes Validation Simple to configure for positive rules Impossible to do perfectly, since you need special characters GetSafeValue Rich content – strip out bad stuff and continue Difficult – need to fully parse HTML Canonicalize and Validate from database Watch out mass SQL injection? EncodeForHTML Not perfect since browsers allow encoded characters to execute (particularly in attributes) Have to avoid double-encoding SetCharacterSet Browser will try to guess the encoding
  2. The attacker can send data in any encoding. And the interpreters downstream from your application may decide to handle any encoding. Canonicalize Input could be in any character set Double-encoding Multiple encoding schemes Double-encoding with multiple encoding schemes Validation Simple to configure for positive rules Impossible to do perfectly, since you need special characters GetSafeValue Rich content – strip out bad stuff and continue Difficult – need to fully parse HTML Canonicalize and Validate from database Watch out mass SQL injection? EncodeForHTML Not perfect since browsers allow encoded characters to execute (particularly in attributes) SetCharacterSet Browser will try to guess the encoding
  3. The attacker can send data in any encoding. And the interpreters downstream from your application may decide to handle any encoding. Canonicalize Input could be in any character set Double-encoding Multiple encoding schemes Double-encoding with multiple encoding schemes Validation Simple to configure for positive rules Impossible to do perfectly, since you need special characters GetSafeValue Rich content – strip out bad stuff and continue Difficult – need to fully parse HTML Canonicalize and Validate from database Watch out mass SQL injection? EncodeForHTML Not perfect since browsers allow encoded characters to execute (particularly in attributes) SetCharacterSet Browser will try to guess the encoding
  4. If an online bank allowed its application to process requests, such as transfer funds, a similar attack might allow high risk transactions such as money transfers The form itself contains the fields name and lastname and the button submit to prevent this to be forgged we add another field which contains the name of the current session identifier cookie name and the current session identifier cookie value &lt;form&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;name&amp;quot; value=&amp;quot;John&amp;quot;/&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;lastname&amp;quot; value=&amp;quot;Dawson&amp;quot;/&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;JSPSESSIONID&amp;quot; value=&amp;quot;7af7a55caff365ca594510586&amp;quot;/&gt; &lt;input type=&amp;quot;submit&amp;quot;/&gt; &lt;/form&gt;
  5. If an online bank allowed its application to process requests, such as transfer funds, a similar attack might allow high risk transactions such as money transfers The form itself contains the fields name and lastname and the button submit to prevent this to be forgged we add another field which contains the name of the current session identifier cookie name and the current session identifier cookie value &lt;form&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;name&amp;quot; value=&amp;quot;John&amp;quot;/&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;lastname&amp;quot; value=&amp;quot;Dawson&amp;quot;/&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;JSPSESSIONID&amp;quot; value=&amp;quot;7af7a55caff365ca594510586&amp;quot;/&gt; &lt;input type=&amp;quot;submit&amp;quot;/&gt; &lt;/form&gt;
  6. If an online bank allowed its application to process requests, such as transfer funds, a similar attack might allow high risk transactions such as money transfers The form itself contains the fields name and lastname and the button submit to prevent this to be forgged we add another field which contains the name of the current session identifier cookie name and the current session identifier cookie value &lt;form&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;name&amp;quot; value=&amp;quot;John&amp;quot;/&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;lastname&amp;quot; value=&amp;quot;Dawson&amp;quot;/&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;JSPSESSIONID&amp;quot; value=&amp;quot;7af7a55caff365ca594510586&amp;quot;/&gt; &lt;input type=&amp;quot;submit&amp;quot;/&gt; &lt;/form&gt;
  7. The attacker can send data in any encoding. And the interpreters downstream from your application may decide to handle any encoding. Canonicalize Input could be in any character set Double-encoding Multiple encoding schemes Double-encoding with multiple encoding schemes Validation Simple to configure for positive rules Impossible to do perfectly, since you need special characters GetSafeValue Rich content – strip out bad stuff and continue Difficult – need to fully parse HTML Canonicalize and Validate from database Watch out mass SQL injection? EncodeForHTML Not perfect since browsers allow encoded characters to execute (particularly in attributes) SetCharacterSet Browser will try to guess the encoding
  8. If an online bank allowed its application to process requests, such as transfer funds, a similar attack might allow high risk transactions such as money transfers The form itself contains the fields name and lastname and the button submit to prevent this to be forgged we add another field which contains the name of the current session identifier cookie name and the current session identifier cookie value &lt;form&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;name&amp;quot; value=&amp;quot;John&amp;quot;/&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;lastname&amp;quot; value=&amp;quot;Dawson&amp;quot;/&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;JSPSESSIONID&amp;quot; value=&amp;quot;7af7a55caff365ca594510586&amp;quot;/&gt; &lt;input type=&amp;quot;submit&amp;quot;/&gt; &lt;/form&gt;
  9. If an online bank allowed its application to process requests, such as transfer funds, a similar attack might allow high risk transactions such as money transfers The form itself contains the fields name and lastname and the button submit to prevent this to be forgged we add another field which contains the name of the current session identifier cookie name and the current session identifier cookie value &lt;form&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;name&amp;quot; value=&amp;quot;John&amp;quot;/&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;lastname&amp;quot; value=&amp;quot;Dawson&amp;quot;/&gt; &lt;input type=&amp;quot;test&amp;quot; name=&amp;quot;JSPSESSIONID&amp;quot; value=&amp;quot;7af7a55caff365ca594510586&amp;quot;/&gt; &lt;input type=&amp;quot;submit&amp;quot;/&gt; &lt;/form&gt;