Recommended
Recommended
More Related Content
Similar to RIA security based on OWASP Top 10
Similar to RIA security based on OWASP Top 10 (20)
Recently uploaded
Recently uploaded (20)
RIA security based on OWASP Top 10
- 1. RIA security based on OWASP Top 10 Kim Leppänen Leif Åstrand torsdag 19 december 13
- 2. OWASP Top 10 Open Web Application Security Project torsdag 19 december 13
- 4. A1: Injection torsdag 19 december 13
- 5. “SELECT * FROM Users WHERE username=’” + userNameField.getValue() + “‘“ Not just SQL - could also be JPQL, HQL, shell, XPath, XML, LDAP, regex, eval, ... torsdag 19 december 13
- 6. Web frameworks can help GWT Vaadin • N/A • N/A torsdag 19 december 13
- 7. A2: Broken Authentication and Session Management torsdag 19 december 13
- 8. Session ID fixation Exposure of session ID Exposing user credentials torsdag 19 december 13
- 9. Web frameworks can help GWT Vaadin • N/A • Helper for changing session id torsdag 19 december 13
- 10. A3: Cross-Site Scripting (XSS) torsdag 19 december 13
- 11. Demo: auction application torsdag 19 december 13
- 12. Web frameworks can help GWT Vaadin • setText • SafeHtml • setHtmlContentAllo wed(false) • Beware of tooltips (setDescription) torsdag 19 december 13
- 13. Other things to keep in mind Consider e.g. Markdown instead of HTML for formatting Different handling needed in different contexts Feel the power of the XSS filter evasion cheat sheet torsdag 19 december 13
- 14. A4: Insecure Direct Object References torsdag 19 december 13
- 15. Web frameworks can help GWT Vaadin • Not so much, since this is mostly a server-side thing • Can be hard to realize the problem since requests are “invisible” • All ids are generated values that the server uses to find the right object when needed torsdag 19 december 13
- 16. A5: Security Misconfiguration torsdag 19 december 13
- 17. Web frameworks can help GWT Vaadin • N/A • productionMode = true torsdag 19 december 13
- 18. A6: Sensitive Data Exposure torsdag 19 december 13
- 19. Keep in mind Use SSL, no excuses! Salt and hash passwords Avoid handling sensitive data, e.g. credit card numbers torsdag 19 december 13
- 20. A7: Missing Function Level Access Control torsdag 19 december 13
- 21. A8: Cross-Site Request Forgery (CSRF) torsdag 19 december 13
- 23. <img src=” http://example.com/addRole? user=eve&role=power_user “ /> torsdag 19 december 13
- 25. Web frameworks can help GWT Vaadin • GWT-RPC: XsrfTokenService and/or HasRpcToken • RequestFactory: Make your own RequestTransport • Secured out of the box torsdag 19 december 13
- 26. A9: Using Components with Known Vulnerabilities torsdag 19 december 13
- 27. How do you know whether they are vulnerable? torsdag 19 december 13
- 28. A10: Unvalidated Redirects and Forwards torsdag 19 december 13
- 29. <a href=”http://myapp.com? redirect=example.com/evil"> Open app </a> torsdag 19 december 13
- 30. Very quick conclusion torsdag 19 december 13
- 31. You need to know what the framework does for you and what you need to handle yourself torsdag 19 december 13
- 32. ? torsdag 19 december 13 Did we get some detail wrong? Questions? Please rate the talk at gwtcreate.com/agenda leif@vaadin.com kim@vaadin.com