OWASP
Open Web Application Security Project
OWASP is an online community devoted to web application security. They create freely available articles, methodologies, tools, documentation and technology in this field.
www.owasp.org
This is the website devoted to OWASP, which you can use to access its resources.
OWASP is not for profit and does not make recommendations for commercial products and services.
They are a treasure trove of resources; a lot of the material in this course uses their documentation and examples.
They have a getting started guide which points you to a whole bunch of reading.
Some interesting pages are the ones which list all possible attacks.
Not all attacks may have detailed write-ups, but it's a handy lookup.
What is really useful, though, are the cheat sheets. Most attacks have a cheat sheet which gives a basic description of the attack and the defense mechanisms to use.
SQL injection cheat sheet
The most widespread vulnerabilities have specific details which a developer would find useful.
Cross Site Scripting cheat sheet
OWASP also publishes the top 10 security vulnerabilities. Here is the last published list, for 2013:
1. Injection (SQLi)
2. Broken authentication and session management
3. Cross Site Scripting (XSS)
4. Direct object reference
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross site request forgery (XSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards
Overall, a web developer looking to make her code secure will have lots to learn here.
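The two cheat sheets shown above, SQL injection and Cross Site Scripting, cover entries 1 and 3 of the list. As an added example (not code from OWASP or from this course, though it follows the cheat sheets' primary advice), here is each defect beside its defence: a parameterised query instead of string-built SQL, and output encoding instead of raw interpolation into HTML. The in-memory user table, the user names and the probe inputs are constructed for the demo.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The 'before' form: user input is pasted into the SQL text, so any SQL syntax
    # in the input is interpreted by the database (Top 10 2013 #1, Injection).
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the value travels separately from the statement, so it
    # can only ever be compared as data, never parsed as SQL.
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def greeting_vulnerable(username: str) -> str:
    # Raw interpolation into HTML: markup in the name becomes part of the page (#3, XSS).
    return "<p>Hello, " + username + "</p>"


def greeting_safe(username: str) -> str:
    # Output encoding for the HTML body context: &, <, >, " and ' become entities,
    # so the browser renders the name as text instead of interpreting it as markup.
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that contains SQL syntax
    print(find_user_vulnerable(db, probe))  # every row: the WHERE clause became always-true
    print(find_user_safe(db, probe))        # []: no user literally has that name
    print(greeting_vulnerable("<b>x</b>"))
    print(greeting_safe("<b>x</b>"))
```

The point of running both forms side by side is that the safe versions need no blacklist of "dangerous" characters: the input is left untouched and simply kept in the data channel.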
2 FACTOR AUTHENTICATION
This is also known as 2FA or 2-Step Verification. It was patented way back in 1984 but found widespread use on web applications recently.
This enables confirmation of a user's identity by a combination of components:
Something a user knows: password, username, PIN, TAN
Something a user possesses: secret token, USB, bank card, key
Something inseparable from the user: biometrics such as fingerprint, eye iris, voice, typing speed
A very common example of 2 factor authentication is the use of ATMs. Withdrawing money from a bank account requires 2 pieces of information, the combination of:
1. A bank card, i.e. a debit card or ATM card
2. A valid PIN number
Only if the match is valid will the transaction be successful!
2 factor authentication is a type of multi-factor authentication. Multi-factor authentication is a strong defense against online identity theft and fraud: a password alone is no longer enough to get into a system which has sensitive data and perform actions.
Implementation considerations:
2 factor authentication may require additional client software to be installed to get things to work, e.g. software to use the token or smart card.
Or a hardware based approach using hardware token products could be used. These present a logistical challenge when they have to be issued in large numbers.
They require additional investment for implementation and maintenance.
They also possibly require support, when users get locked out of their systems or lose their tokens.
All in all, 2 factor requires commitment and is not cheap by any means.
Mobile phone based 2 factor authentication seems attractive: no additional hardware tokens are necessary, and the user is always in possession of her mobile phone.
Mobile based 2 factor authentication: the user enters a password or a PIN at a website. An additional dynamic passcode consisting of digits is sent to the user's mobile phone via SMS or an installed application.
This passcode is called an OTP or One Time Password. It is generated by a time-based one time password algorithm.
OTP: the generation of the OTP uses a shared secret key and the current time. It's for one time use: if entered once, it's no longer valid. If the token expires, it's no longer valid.
Advantages of mobile based 2FA:
No additional hardware needed
Safer than static login information
Fixed expiry and one time use
Easy to configure and easy to use
Disadvantages of mobile based 2FA:
Cellphone needs to be charged and needs to be in range
User needs to share the phone number with the OTP provider
Text messages are insecure and can be intercepted
Smartphones have both email and SMS, so loss of the phone means all accounts for which email is the key can be hacked: 2 factors become 1 factor
Malware on the phone can steal credentials
SOCIAL ENGINEERING
Social engineering is the art of manipulating people so they give up confidential information. Users can be made to give up passwords, banking information, install malicious software, anything.
Attackers like social engineering because it is much easier to exploit a user's trust than to find ways to hack into software. It's easier to trick you into handing over your password than trying to figure out what it is.
Security is all about:
Knowing who and what to trust
When to trust that the person you're communicating with is indeed the person he claims to be
When to trust whether the website is legitimate or not
Knowing when providing your information is a good idea
The weakest link in the chain is always the human being; this is why social engineering works!
Common social engineering attacks:
Phishing
Baiting
Clickjacking
Phishing
Phishing is an attempt to get sensitive information from users by masquerading as a trustworthy entity: a bank, a school, a friend.
You might receive an email from your mail provider asking you to mail your password to them, or from your bank asking you to reset your password using a malicious link.
Or from another country asking you to give your bank account number so they can transfer funds.
When phishing uses your personal information it's infinitely more successful. This is termed spear phishing.
Phishing mails might ask for your help, declare you a winner, or ask you to verify information.
Clone phishing is when the mail mimics a legitimate mail which was sent earlier. The look and feel and the email address from which the phishing mail is sent are very similar to the original.
Phishing attacks often target CEOs of companies or other highly placed officials; this is called whaling.
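Two of the patterns described above can be checked mechanically on the receiving side: a "reset your password" link whose visible text shows one domain while the href points elsewhere, and a clone-phishing sender address that is almost, but not exactly, the real one. The following is an added example of such a mail-filter style check, not from the slides: it collects the anchors in an HTML body, compares the displayed domain with the real target, and flags sender or link domains within edit distance two of a trusted domain. The trusted domain, sender address and message body are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the domain the organisation really sends mail and hosts links from.
TRUSTED_DOMAINS = {"examplebank.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> bool:
    """True when a domain is close to, but not exactly, a trusted one (clone-style spoofing)."""
    domain = domain.lower()
    if not domain or domain in trusted:
        return False
    return any(edit_distance(domain, t) <= max_distance for t in trusted)


def phishing_indicators(sender: str, html_body: str) -> list:
    """Return human-readable findings for a message; an empty list means nothing was flagged."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1]
    if is_lookalike(sender_domain):
        findings.append(f"sender domain {sender_domain} resembles a trusted domain")
    collector = _LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        actual = host_of(href)
        # if the visible text looks like a URL, the domain it shows must match the real target
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
        if is_lookalike(actual):
            findings.append(f"link target {actual} resembles a trusted domain")
    return findings


# Constructed sample: a password-reset mail from a lookalike sender (the l became a 1)
SAMPLE_SENDER = "security@examp1ebank.com"
SAMPLE_BODY = """<p>Your account has been locked. Reset your password here:
<a href="https://examp1ebank.com/reset">https://examplebank.com/reset</a></p>"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_SENDER, SAMPLE_BODY):
        print("-", finding)
```

The edit-distance threshold of two is a tuning choice: tighter means fewer false positives on unrelated short domains, looser catches more elaborate lookalikes. Both checks are cheap enough to run on every inbound message before a human ever sees the link.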
Baiting
This involves offering something the user would like to have, to bait them into clicking on stuff: a new movie for download, free coupons etc.
Baiting could also pretend to be responding to your request for help, e.g. for a software that you use.
Clickjacking
This is a technique to get the user to click on something which is different from what the user perceives he is clicking on.
This is a version of the confused deputy problem, where a user is fooled into misusing his authority.
Harmless features of HTML can be heavily misused.
A user clicks on a concealed link (matching the page background). Another page is loaded in a transparent layer over the existing page. All actions on the page that you see are actually malicious actions on the transparent layer.
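The transparent-layer trick only works if the target page lets itself be loaded inside another site's frame. The server-side defence is to tell the browser the page must not be framed, with a Content-Security-Policy frame-ancestors directive or the older X-Frame-Options header; neither is mentioned on the slides, so the following is an added example rather than material from the course. It classifies a response by those headers, with the weak header set beside the hardened one, and the sample responses are constructed for the demo.

```python
def framing_policy(headers: dict) -> str:
    """Classify how a response restricts being embedded in another page.

    Returns one of:
      'denied'      no site may frame the page (the safe default for pages with actions)
      'same-origin' only pages from the same origin may frame it
      'allow-list'  CSP names specific permitted framing origins
      'none'        no restriction: any site can load the page in a transparent layer
    CSP frame-ancestors is checked first because browsers that support it ignore
    X-Frame-Options when both are present.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "denied"
            if sources == ["self"]:
                return "same-origin"
            return "allow-list"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "none"


def add_framing_protection(headers: dict) -> dict:
    """Return a copy of the headers with anti-framing settings applied.
    An existing frame-ancestors directive is left as the operator wrote it."""
    hardened = dict(headers)
    xfo_key = next((k for k in hardened if k.lower() == "x-frame-options"), "X-Frame-Options")
    hardened[xfo_key] = "DENY"
    csp_key = next((k for k in hardened if k.lower() == "content-security-policy"),
                   "Content-Security-Policy")
    csp = hardened.get(csp_key, "")
    if "frame-ancestors" not in csp.lower():
        hardened[csp_key] = (csp + "; " if csp else "") + "frame-ancestors 'none'"
    return hardened


# Constructed sample responses: a page that can be framed by anyone, and its hardened form
WEAK_RESPONSE = {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"}
HARDENED_RESPONSE = add_framing_protection(WEAK_RESPONSE)

if __name__ == "__main__":
    print(framing_policy(WEAK_RESPONSE))      # none
    print(framing_policy(HARDENED_RESPONSE))  # denied
    print(HARDENED_RESPONSE)
```

Pages that carry sensitive buttons (transfer, delete, change password) should classify as 'denied' or at worst 'same-origin'; a check like this fits naturally into a deployment test that fetches each such page and inspects the headers.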