2. Objectives
- Introduction to Web Application Security
- History of Security Flaws
- Vulnerabilities in Web Applications
- Introduction to OWASP
- OWASP Top Ten 2010 & 2013
- Security Testing Taxonomy
- Benefits of Security Testing
- Q & A
3. Web Application Security: Overview
- What is Web Application Security?
- Network Security vs. Web Security
- Why web application firewalls are not a complete web application security solution
- How to secure websites and web applications
6. Web Application Security
Network Security:
- Build perimeter defenses
- Block unwanted traffic and activities
- Allow legitimate traffic in
Web Security:
- Allow port 80 and port 443 traffic in
- Hope everyone plays by the rules
7. Web Application Security
Why web application firewalls are not a complete web application security solution:
- A WAF matches traffic against known attack patterns; it does not understand what each request parameter means to the application.
- A WAF does not find the vulnerabilities in the web application.
- A WAF does not fix the security holes in the web application; it only filters traffic in front of them.
- A WAF is itself software and is not immune to attack or bypass.
But what does it do?
- Analyzes incoming web traffic.
- Allows only the traffic it classifies as legitimate.
- Delays an attack rather than removing the flaw.
- WAF bypasses were demonstrated at OWASP in 2009.
8. How to secure web applications?
- Train developers to write secure code.
- Developers should be able to check their own applications for security issues.
- Test the application thoroughly.
- Once online, a web application still needs to be checked constantly for vulnerabilities.
- But constant checking can be a lengthy and expensive process.
- Manual testing tends to miss inputs and parameters.
9. Vulnerabilities on Web App
- Title: a short but explicit description of the feature.
- Narrative: a short narrative describing the who, what and why of the feature. User story syntax is common: "In order to add entries, as a user, I can add an entry."
- Scenario: descriptions of specific cases for the narrative, each with:
  - an initial condition that is true,
  - the expected outcomes,
  - the Given, When and Then identifiers.
10. History of Security Threats
- 1943: French computer expert Rene Carmille hacked punched-card machines.
- 1979: The first computer worm is created at Xerox's Palo Alto Research Center.
- 2001: The Code Red worm causes $2 billion in damage by infecting Microsoft Windows NT and 2000 server software.
- 2007: The Storm worm (actually a Trojan) is sent to unsuspecting individuals via email.
- 2009: The Conficker (Downadup/Kido) worm, best known for stealing technical data and passwords from web servers.
- 2011: The Ramnit virus is used to steal over 45,000 passwords on Facebook.
11. OWASP
Open Web Application Security Project
Founded: December 2, 2001
Founders: Mark Curphey, Dennis Groves
Not-for-profit charitable organization in the US
Open community
Core Values:
- OPEN: Everything at OWASP is radically transparent, from our finances to our code.
- INNOVATION: OWASP encourages and supports innovation and experiments for solutions to software security challenges.
- GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.
- INTEGRITY: OWASP is an honest and truthful, vendor-neutral, global community.
13. A1 - Injection
Injection flaws, such as SQL, OS and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
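The following is an added example, not code from the original deck; it serves both slide 7 (why a WAF is not a complete solution) and A1. A toy pattern-matching WAF blocks the textbook `' OR '1'='1` payload but lets a semantically identical variant through, and the string-built query falls to both; the parameterized query is unaffected by either, with or without the WAF. The `users` table rows, `naive_waf`, `login_vulnerable` and `login_safe` are constructed for the demo and stand in for a real login handler.

```python
"""Added example: a pattern-matching WAF versus a parameterized query.

Assumptions: an in-memory SQLite table `users` with constructed sample rows,
a toy `naive_waf` that blocks two well-known payload signatures, and the
`login_vulnerable` / `login_safe` pair standing in for a real login handler.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts (plaintext passwords, demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


# Toy WAF rule set. Real WAFs have far larger lists, but the limitation is
# the same: they match byte patterns, they do not know how the application
# will use the parameter.
BLOCKLIST = [
    re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE),  # ' OR '1'='1
    re.compile(r"union\s+select", re.IGNORECASE),
]


def naive_waf(value: str) -> bool:
    """True if the WAF lets the value through, False if it blocks it."""
    return not any(p.search(value) for p in BLOCKLIST)


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """A1 Injection: user input concatenated into the query text."""
    sql = (
        "SELECT name, role FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, name: str, password: str):
    """Parameterized query: values travel separately from the SQL text, so
    the interpreter never sees attacker data as syntax."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo() -> dict:
    """Run two equivalent payloads through the WAF and both handlers."""
    conn = make_db()
    payloads = {
        "classic": "' OR '1'='1",        # on the WAF's blocklist
        "variant": "' OR 2>1 OR 'x'='",  # same effect, not on the list
    }
    results = {}
    for label, payload in payloads.items():
        results[label] = {
            "waf_allows": naive_waf(payload),
            "vulnerable_rows": len(login_vulnerable(conn, "anything", payload)),
            "safe_rows": len(login_safe(conn, "anything", payload)),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

Both payloads return every row from the string-built query (the WHERE clause becomes unconditionally true) and no rows from the parameterized one; the WAF only ever changes which of the two reaches the vulnerable code. That is the sense in which a WAF delays an attack without fixing the hole.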
15. A2 – Broken Authentication & Session Management
- User authentication credentials are stored without hashing or encryption.
- Credentials can be guessed or overwritten.
- Session IDs are exposed in the URL (e.g., URL rewriting).
- Session IDs aren't rotated after successful login.
- Passwords, session IDs and other credentials are sent over unencrypted connections.
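As an added example (not from the deck), the A2 controls above in a toy in-memory form: salted, iterated password hashing with constant-time verification, random session IDs that are rotated on login so a pre-login ID can never become an authenticated one, and a cookie string that keeps the ID out of the URL and off plaintext connections. `SessionStore`, `session_cookie` and the account data are constructed for the demo; no web framework is involved.

```python
"""Added example: password storage and session handling for A2.

Assumptions: `SessionStore` and `session_cookie` are hypothetical helpers;
users and passwords below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Demo value; production tunes this to the hardware (or uses a memory-hard
# function such as scrypt/Argon2).
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats
    precomputed (rainbow) tables and hides which users share a password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak matching prefixes."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class SessionStore:
    """Server-side session table: session id -> {"user": name or None}."""

    def __init__(self):
        self.sessions = {}
        self.users = {}  # name -> (salt, digest); never the password itself

    def new_session(self) -> str:
        # 256 bits of randomness: unguessable, and carries no user information.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def register(self, name: str, password: str) -> None:
        self.users[name] = hash_password(password)

    def login(self, sid: str, name: str, password: str) -> Optional[str]:
        """On success issue a NEW session ID and discard the old one.

        Rotation means an ID the attacker planted or observed before login
        (session fixation) is worthless afterwards.
        """
        rec = self.users.get(name)
        if rec is None or not verify_password(password, *rec):
            return None
        self.sessions.pop(sid, None)  # pre-login ID is now invalid
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": name}
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


def session_cookie(sid: str) -> str:
    """Set-Cookie value: Secure (TLS only), HttpOnly (no script access),
    SameSite (limits cross-site sending). The ID never goes into a URL."""
    return f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

The rotation is the part most often skipped: a framework that keeps the same ID across the login boundary turns every place that ID could leak before login (a logged URL, a shared link, a fixated cookie) into a leak of the authenticated session.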
16. A3 – Cross Site Scripting
XSS is the most prevalent web application security flaw.
The attacker sends text-based attack scripts that exploit the interpreter in the browser.
Impact:
Attackers can execute scripts in a victim's browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user's browser using malware, etc.
e.g. <script>alert(document.cookie);</script>
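As an added example (not from the deck), the slide's payload dropped into a comment page with and without output encoding. The fix is to encode for the context the data lands in: HTML text for the comment body, URL encoding for a query-string value. `render_unsafe`, `render_safe`, the template and the comment text are constructed for the demo.

```python
"""Added example: reflecting attacker text with and without output encoding.

Assumptions: `render_unsafe` / `render_safe` are hypothetical templating
functions; the page skeleton and inputs are constructed here.
"""
import html
from urllib.parse import quote

PAYLOAD = "<script>alert(document.cookie);</script>"  # the slide's example

# Two output contexts: an HTML text node and a URL query parameter.
TEMPLATE = '<p class="comment">{body}</p><a href="/profile?user={user}">profile</a>'


def render_unsafe(body: str, user: str) -> str:
    """Reflects attacker-controlled text straight into the markup."""
    return TEMPLATE.format(body=body, user=user)


def render_safe(body: str, user: str) -> str:
    """Encodes each value for the context it is inserted into:
    html.escape for the text node (also escapes quotes), percent-encoding
    for the query-string value so it cannot break out of the attribute."""
    return TEMPLATE.format(
        body=html.escape(body, quote=True),
        user=quote(user, safe=""),
    )


def contains_script_element(markup: str) -> bool:
    """Crude check standing in for the browser: is there a real <script tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD, "bob"))
    print(render_safe(PAYLOAD, "bob"))
```

The encoded page still shows the literal text `<script>alert(document.cookie);</script>` to the reader, but as `&lt;script&gt;...`, which the HTML parser treats as data rather than an element. Encoding is per context; the same `html.escape` would not be the right tool for a value landing inside a JavaScript string or a URL.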
17. A4 – Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
18. A5 – Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server and platform.
- Is any of your software out of date? This includes the OS, web/app server, DBMS, applications and all code libraries.
- Are any unnecessary features enabled or installed (e.g., ports, services, pages, accounts, privileges)?
- Are default accounts and their passwords still enabled and unchanged?
19. A6 – Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes.
- The most common flaw is simply not encrypting sensitive data.
- Are any old or weak cryptographic algorithms used?
20. A7 – Missing Function Level Access Control
- Are server-side authentication or authorization checks missing?
- Anyone with network access can send your application a request.
- The attacker simply force-browses to target URLs:
  http://example.com/app/getappInfo
  http://example.com/app/admin_getappInfo
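As an added example (not from the deck) serving both A4 and A7: a tiny request dispatcher that checks, on the server, (1) that the caller's role allows the function at all, using the slide's `/app/getappInfo` and `/app/admin_getappInfo` paths, and (2) that the object a parameter points to belongs to the caller. The invoice data, `User`, `ROUTES` and `handle` are constructed for the demo; no framework is used.

```python
"""Added example: function-level (A7) and object-level (A4) access checks.

Assumptions: paths from the slide; `INVOICES`, `User`, `ROUTES`, `handle`
and the role names are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Response = Tuple[int, object]


@dataclass
class User:
    name: str
    role: str  # "user" or "admin"


# Constructed sample data. Sequential IDs are exactly the kind of direct
# object reference an attacker will simply increment.
INVOICES = {
    1001: {"owner": "alice", "total": 120.0},
    1002: {"owner": "bob", "total": 75.5},
}


def get_app_info(user: User, params: Dict[str, str]) -> Response:
    return 200, {"app": "demo", "user": user.name}


def admin_get_app_info(user: User, params: Dict[str, str]) -> Response:
    return 200, {"app": "demo", "all_users": ["alice", "bob"]}


def get_invoice(user: User, params: Dict[str, str]) -> Response:
    """A4: the reference itself is not the problem; the missing ownership
    check is. Returning 404 (not 403) for someone else's invoice avoids
    confirming which IDs exist."""
    try:
        inv_id = int(params.get("id", ""))
    except ValueError:
        return 400, {"error": "bad id"}
    inv = INVOICES.get(inv_id)
    if inv is None or inv["owner"] != user.name:
        return 404, {"error": "not found"}
    return 200, inv


# A7: every route declares the role it requires. Leaving the admin URL out
# of the menu is not a control; anyone with network access can request it.
ROUTES = {
    "/app/getappInfo": ("user", get_app_info),
    "/app/admin_getappInfo": ("admin", admin_get_app_info),
    "/app/invoice": ("user", get_invoice),
}

ROLE_RANK = {"user": 1, "admin": 2}


def handle(user: Optional[User], path: str, params: Optional[Dict[str, str]] = None) -> Response:
    """Server-side check on every request, independent of what the UI shows."""
    params = params or {}
    route = ROUTES.get(path)
    if route is None:
        return 404, {"error": "not found"}
    required_role, fn = route
    if user is None:
        return 401, {"error": "login required"}
    if ROLE_RANK.get(user.role, 0) < ROLE_RANK[required_role]:
        return 403, {"error": "forbidden"}
    return fn(user, params)


if __name__ == "__main__":
    alice = User("alice", "user")
    print(handle(alice, "/app/admin_getappInfo"))
    print(handle(alice, "/app/invoice", {"id": "1002"}))
```

The two checks are different controls and both are needed: the role check stops `alice` from force-browsing to the admin function, and the ownership check inside `get_invoice` stops her from reading `bob`'s invoice through a function she is entitled to call.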
21. A8 - CSRF
Cross Site Request Forgery
The attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS or numerous other techniques.
Attackers can trick victims into performing undesired operations, e.g., updating account details, making purchases, etc.
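As an added example (not from the deck), the synchronizer-token defence for A8: a forged request from another site carries the victim's cookie automatically but cannot carry a token it never saw, and a GET triggered by an image tag is refused outright because state changes require POST. `CsrfGuard`, `update_email`, the request dict shape and the account data are constructed for the demo; the token is bound to the session with an HMAC so the server does not need to store it.

```python
"""Added example: per-session CSRF token check on a state-changing endpoint.

Assumptions: `CsrfGuard`, `update_email`, the request dict layout and the
`ACCOUNTS` table are constructed for the demo.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple


class CsrfGuard:
    def __init__(self, server_key: bytes):
        self.key = server_key

    def token_for(self, session_id: str) -> str:
        """Per-session token: HMAC(server key, session id). The page that
        renders the form embeds this in a hidden field; a page on another
        origin cannot read it."""
        return hmac.new(self.key, session_id.encode(), hashlib.sha256).hexdigest()

    def check(self, session_id: str, submitted: Optional[str]) -> bool:
        if not submitted:
            return False
        return hmac.compare_digest(self.token_for(session_id), submitted)


# Constructed: session cookie value -> account record.
ACCOUNTS = {"sess-victim": {"email": "victim@example.com"}}


def update_email(guard: CsrfGuard, request: Dict) -> Tuple[int, str]:
    """State-changing endpoint. The browser attaches the session cookie to
    cross-site requests too, so the cookie alone proves nothing about who
    built the request; the token does."""
    sid = request.get("cookie_sid")
    if sid not in ACCOUNTS:
        return 401, "login required"
    if request.get("method") != "POST":
        # <img src="https://site/update?email=..."> arrives as GET: refuse.
        return 405, "state changes require POST"
    form = request.get("form", {})
    if not guard.check(sid, form.get("csrf_token")):
        return 403, "bad or missing CSRF token"
    ACCOUNTS[sid]["email"] = form["email"]
    return 200, "email updated"


if __name__ == "__main__":
    guard = CsrfGuard(b"constructed-demo-key")
    forged = {"cookie_sid": "sess-victim", "method": "POST",
              "form": {"email": "attacker@evil.example"}}
    print(update_email(guard, forged))
```

A `SameSite` attribute on the session cookie (as in the A2 example) is a second, independent layer: it stops the browser from attaching the cookie to most cross-site requests in the first place, but the token is what the server can actually verify.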