owasp top ten
play

OWASP Top Ten Kirk Jackson OWASP NZ RedShield - PowerPoint PPT Presentation

Mar 10, 2023 •416 likes •880 views

Introduction to the OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com OWASP-Wellington/ http://hack-ed.com www.owasp.org.nz Recordings: @kirkj @owaspnz https://goo.gl/a2VSG2 What is OWASP? Open

  1. Introduction to the OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com OWASP-Wellington/ http://hack-ed.com www.owasp.org.nz Recordings: @kirkj @owaspnz https://goo.gl/a2VSG2

  2. What is OWASP? Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. ● A website: owasp.org ● A bunch of cool tools: Zed Attack Proxy, Juice Shop, Proactive Controls, Software Assurance Maturity Model (SAMM), Application Security Verification Standard (ASVS) ● A global community of like-minded people, meetups and conferences

  5. OWASP Top Ten Globally recognized by developers as the first step towards more secure coding. The most critical security risks to web applications. Updated every 2-3 years from 2003 to 2017 (2020 is in progress)

  6. Securing the user Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  7. OWASP Top Ten 2017 A1 Injection A2 Broken Authentication A3 Sensitive Data Exposure A4 XML External Entities (XXE) A5 Broken Access Control A6 Security Misconfiguration A7 Cross-Site Scripting (XSS) A8 Insecure Deserialization A9 Using Components with Known Vulnerabilities A10 Insufficient Logging & Monitoring

  8. A1 Injection Sending hostile data to an interpreter (e.g. SQL, LDAP, command line) Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  9. A1 Injection Sending hostile data to an interpreter (e.g. SQL, LDAP, command line) String query = "SELECT * FROM accounts WHERE Web Server X custID='" + request.getParameter("id") + "'"; query Site A id = " '; drop table accounts -- " Y SQL statements combine code and data

  10. SQLi Demo

  11. A1 Injection Prevention: SQL statements combine code and data => Separate code and data Web Server X query Site A ● Parameterise your queries Y ● Validate which data can be entered ● Escape special characters

  12. A2 Broken Authentication Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  13. A2 Broken Authentication ● Weak session management ● Credential stuffing ● Brute force ● Forgotten password Web Server X ● No multi-factor authentication query Site A Y ● Sessions don’t expire

  14. A2 Broken Authentication Prevention: ● Use good authentication libraries ● Use MFA ● Enforce strong passwords ● Detect and prevent brute force or stuffing attacks

  15. A3 Sensitive Data Exposure Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  16. A3 Sensitive Data Exposure ● Clear-text data transfer ● Unencrypted storage ● Weak crypto or keys ● Certificates not validated Web Server X ● Exposing PII or Credit Cards GET / Site A Y

  17. Data Exposure Demo

  18. A3 Sensitive Data Exposure Prevention: ● Don’t store data unless you need to! ● Encrypt at rest and in transit ● Use strong crypto

  19. A4 XML External Entities (XXE) Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  20. A4 XML External Entities (XXE) The application accepts XML, and assumes it is safe <?xml version="1.0" encoding="ISO-8859-1"?> Web Server X <!DOCTYPE foo [ <!ELEMENT foo ANY > query Site A <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> Y <foo>&xxe;</foo> Can allow accessing sensitive resources, command execution, recon, or cause denial of service.

  21. XXE Demo

  22. A4 XML External Entities (XXE) Prevention: ● Avoid XML ● Use modern libraries, and configure them well! ● Validate XML

  23. A5 Broken Access Control Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  24. A5 Broken Access Control ● Access hidden pages http://site.com/admin/user-management ● Elevate to an administrative account ● View other people’s data Web Server X http://site.com/user?id=7 query Site A ● Modifying cookies or JWT tokens Y

  25. A5 Broken Access Control Prevention: ● Use proven code or libraries ● Deny access by default ● Log failures and alert ● Rate limit access to resources

  26. A6 Security Misconfiguration Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  27. A6 Security Misconfiguration ● Security features not configured properly ● Unnecessary features enabled ● Default accounts not removed Web Server X ● Error messages expose sensitive query Site A Y information

  28. A6 Security Misconfiguration Prevention: ● Have a repeatable build process or “gold master” ● Disable all unused services ● Use tools to review settings

  29. A7 Cross-Site Scripting (XSS) Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  30. A7 Cross-Site Scripting (XSS) HTML mixes content, presentation and code into one string (HTML+CSS+JS) Web Browser If an attacker can alter the DOM, they Site A can do anything that the user can do. DOM + JS XSS can be found using automated Site B tools.

  31. XSS Demo

  32. A7 Cross-Site Scripting (XSS) Prevention: ● Encode all user-supplied data to render it safe Kirk <script> => Kirk &lt;script&gt; ● Use appropriate encoding for the context ● Use templating frameworks that assemble HTML safely ● Use Content Security Policy

  33. A8 Insecure Deserialization Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  34. A8 Insecure Deserialization Programming languages allow you to turn a tree of objects into a string that can be sent to the browser. Web Server X If you deserialise untrusted data, you query Site A may allow objects to be created, or code Y to be executed.

  35. Deserialisation Demo

  36. A8 Insecure Deserialization Prevention: ● Avoid serialising and deserialising objects ● Use signatures to detect tampering ● Configure your library safely ● Check out the OWASP Deserialisation Cheat Sheet

  37. A9 Using Components with Known Vulnerabilities Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  38. A9 Using Components with Known Vulnerabilities Modern applications contain a lot of third-party code. It’s hard to keep it all up to date. Attackers can enumerate the libraries you use, and develop exploits.

  39. A9 Using Components with Known Vulnerabilities Prevention: ● Reduce dependencies ● Patch management ● Scan for out-of-date components ● Budget for ongoing maintenance for all software projects

  40. A10 Insuffjcient Logging & Monitoring Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B SIEM

  41. A10 Insuffjcient Logging & Monitoring You can’t react to attacks that you don’t know about. Logs are important for: Web Server X ● Detecting incidents Site A Y ● Understanding what happened ● Proving who did something SIEM

  42. OWASP Top Ten 2017 A1 Injection A2 Broken Authentication A3 Sensitive Data Exposure A4 XML External Entities (XXE) A5 Broken Access Control A6 Security Misconfiguration A7 Cross-Site Scripting (XSS) A8 Insecure Deserialization A9 Using Components with Known Vulnerabilities A10 Insufficient Logging & Monitoring

  43. Next Steps

  44. Next Steps ● Attend OWASP events ● Search for OWASP Top Ten category names and your framework E.g. “C# XSS protection” ● Watch youtube or Pluralsight videos ● Use the terms when discussing bugs with colleagues ● Keep track of which issues affect you the most ● Go beyond the Top Ten

  45. Introduction to the OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com OWASP-Wellington/ http://hack-ed.com www.owasp.org.nz Recordings: @kirkj @owaspnz https://goo.gl/a2VSG2

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200 OWASP Flagship Projects Tool Projects OWASP Amass OWASP CSRFGuard OWASP Defectdojo OWASP Dependency-Check OWASP Dependency-Track

751 views • 55 slides
OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources 3. Setting up workstations 4. OWASP WebScarab/OWASP WebScarab-NG 5. O2 Platform About me In London since October 2010 Before that MCPD, MCTS,

747 views • 58 slides
OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation

OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation

The OWASP Foundation Libre Software Meeting Brussels 10-July-2013 http://www.owasp.org OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation Board Member OWASP Belgium Chapter Leader SAMM project

682 views • 43 slides
OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. OWASP Foundation, NYC Chapter

382 views • 23 slides
Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017 Changes between 2013 and 2017 Hi, I am X. How do I get into AppSec/Security? OWASP Toronto Chapter January 17, 2018 Topics Overviews, Career Paths,

372 views • 36 slides
Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access

207 views • 6 slides
Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter

Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter

Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter Leader OWASP DevSlop Project Leader @SheHacksPurple About Me The Im Qualifed Slide Tanya Janca: Applicaton security evangelist, web

1k views • 82 slides
Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web

Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web

Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web Security Risks https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf Today

998 views • 78 slides
Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva 12/12/2016 Jrmy MATOS whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products

867 views • 22 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web Security Risks https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf Today

916 views • 87 slides
Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German Day 20.11.2018 Carlos Holguera $ whoami Carlos Holguera [olera] Security Engineer working at ESCRYPT GmbH since 2012 Area of expertise:

790 views • 56 slides
UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is OWASP? Open Web Application Security Project Non-profit organization focused on improving security of software. They have some GREAT info on

372 views • 9 slides
OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place

OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place

OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place where (some of ) the best Application Security and OWASP minds come together to collaborate and work a meeting of minds focused on solving

770 views • 37 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is published @KatyAnton Katy Anton Software development background Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)

1.21k views • 45 slides
TRANSFERABLE CLEAN-LABEL POISONING ATTACKS ON DEEP NEURAL NETS Chen Zhu*, W. Ronny Huang*^, Ali

TRANSFERABLE CLEAN-LABEL POISONING ATTACKS ON DEEP NEURAL NETS Chen Zhu*, W. Ronny Huang*^, Ali

TRANSFERABLE CLEAN-LABEL POISONING ATTACKS ON DEEP NEURAL NETS Chen Zhu*, W. Ronny Huang*^, Ali Shafahi, Hengduo Li, Gavin Taylor, Christoph Studer, Tom Goldstein * equal contribution ^ presenter WHAT IS POISONING? Training data Testing

218 views • 19 slides
cc cc . Earthquake attack ccc ccc . Sticker injection attack The day disaster struck the

cc cc . Earthquake attack ccc ccc . Sticker injection attack The day disaster struck the

The day disaster struck the northeastern part of Japan ' or 1=1 -- Protect Y ourself c . SQL injection attack cc cc . Earthquake attack ccc ccc . Sticker injection attack The day disaster struck the northeastern part of Japan ' or 1=1 --

546 views • 22 slides
CS 134 134 Elem ements of of Cr Cryptography a and nd Com Computer er &amp; &amp; Networ

CS 134 134 Elem ements of of Cr Cryptography a and nd Com Computer er &amp; &amp; Networ

CS 134 134 Elem ements of of Cr Cryptography a and nd Com Computer er &amp; &amp; Networ ork Sec Secur urity Fal all 2019 2019 Instructor or: Qi Alfred ed Chen Chen https://www.ics.uci.edu/~alfchen/teaching/cs134-2019-Fall

458 views • 33 slides
WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp; Defenses 2 Server-side woes Browser mechanisms: Same origin SQL injection Cross-domain request XSS overview Content

738 views • 50 slides
Finding Protocol Manipulation Attacks Nupur Kothari Ratul Mahajan, Todd Millstein, Ramesh

Finding Protocol Manipulation Attacks Nupur Kothari Ratul Mahajan, Todd Millstein, Ramesh

Finding Protocol Manipulation Attacks Nupur Kothari Ratul Mahajan, Todd Millstein, Ramesh Govindan, Madanlal Musuvathi Manipulation Attacks Adversaries induce victim into undesirable behavior by lying in their messages Exploit partial

216 views • 19 slides
CSCI 4250/6250 Fall 2013 Computer and Networks Security Web Security Goodrich, Chapter 7

CSCI 4250/6250 Fall 2013 Computer and Networks Security Web Security Goodrich, Chapter 7

CSCI 4250/6250 Fall 2013 Computer and Networks Security Web Security Goodrich, Chapter 7 The Web Application Hackers Handbook, 2/e WWW Evolution Past vs. Future In the past web was made of static pages Today, highly

1.09k views • 63 slides
A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras

A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras

A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras (UTwente) Alberto Dainotti (CAIDA / UC San Diego) Anna Sperotto (UTwente) Denial-of-Service attacks A conceptually simple, yet effective class of

750 views • 33 slides
SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and

SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and

SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and Ying Zhang 3 1 University of Southern California/Information Sciences Institute 2 Harvard University 3 Facebook 1 DDoS attacks Volumetric DDoS

604 views • 56 slides

More recommend