security and owasp top 10 with service oriented
play

Security and OWASP Top 10 with Service Oriented Architectures - PowerPoint PPT Presentation

Nov 06, 2023 •225 likes •839 views

Practical Web Application Security and OWASP Top 10 with Service Oriented Architectures Adnan Masood Sr. System Architect Green Dot Corporation What this talk is about? 2 This session is an introduction to web application security

  1. Practical Web Application Security and OWASP Top 10 with Service Oriented Architectures Adnan Masood Sr. System Architect Green Dot Corporation

  2. What this talk is about? 2 This session is an introduction to web application security  threats using the OWASP Top 10 list of potential security flaws. Focusing on the Microsoft platform with examples in ASP.NET and ASP.NET Model-View-Controller (MVC), we will go over some of the common techniques for writing secure code in the light of the OWASP Top 10 list. In this talk, we will discuss the security features built into ASP.NET and MVC (e.g., cross-site request forgery tokens, secure cookies) and how to leverage them to write secure code. The web application security risks that will be covered in this presentation include injection flaws, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards.

  3. 3 about the speaker Adnan Masood works as a Sr. system architect / technical lead for Green dot Corporation where he develops SOA based middle-tier architectures, distributed systems, and web-applications using Microsoft technologies. He is a Microsoft Certified Trainer holding several technical certifications, including MCSD2, MCPD (Enterprise Developer), and SCJP-II. Adnan is attributed and published in print media and on the Web; he also teaches Windows Communication Foundation (WCF) courses at the University of California at San Diego and regularly presents at local code camps and user groups. He is actively involved in the .NET community as cofounder and president of the of Pasadena .NET Developers group. Adnan holds a Master’s degree in Computer Science; he is currently a doctoral student working towards PhD in Machine Learning; specifically discovering interestingness measures in outliers using Bayesian Belief Networks. He also holds systems architecture certification from MIT and SOA Smarts certification from Carnegie Melon University.

  4. OWASP / Top 10 4  What is OWASP?  What are OWASP Top 10?  Why should I care about OWASP top 10?  What other lists are out there?  When will I see the code?  Become a Member.  Get a Cool Email address (adnan.Masood@owasp.org)  Get the warm and cozy feeling  Pretty Please 

  5. OWASP Top 10 5

  6. A1-Injection

  7. Hint: Congestion Zone – 7 Central London

  8. Exploits of a Mom 8

  9. Am I Vulnerable To 'Injection'? The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query. For SQL calls, this means using bind variables in all prepared statements and stored procedures, and avoiding dynamic queries. Checking the code is a fast and accurate way to see if the application uses interpreters safely. Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application. Penetration testers can validate these issues by crafting exploits that confirm the vulnerability. Automated dynamic scanning which exercises the application may provide insight into whether some exploitable injection flaws exist. Scanners cannot always reach interpreters and have difficulty detecting whether an attack was successful. Poor error handling makes injection flaws easier to discover.

  10. How Do I Prevent 'Injection'? Preventing injection requires keeping untrusted data separate from commands and queries. The preferred option is to use a safe API which avoids the use of the interpreter 1. entirely or provides a parameterized interface. Be careful with APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood. If a parameterized API is not available, you should carefully escape special 2. characters using the specific escape syntax for that interpreter. OWASP’s ESAPI provides many of these escaping routines. Positive or “white list” input validation is also recommended, but is not a 3. complete defense as many applications require special characters in their input. If special characters are required, only approaches 1. and 2. above will make their use safe. OWASP’s ESAPI has an extensible library of white list input validation routines.

  11. Example Attack Scenarios Scenario #1: The application uses untrusted data in the construction of the following vulnerable SQL call: String query = "SELECT * FROM accounts WHERE custID= '" + request.getParameter("id") + "'"; Scenario #2: Similarly, an application’s blind trust in frameworks may result in queries that are still vulnerable, (e.g., Hibernate Query Language (HQL)): Query HQLQuery = session.createQuery (“FROM accounts WHERE custID ='“ + request.getParameter("id") + "'");

  12. In both cases, the attacker modifies the ‘id’ parameter value in her browser to send: ' or '1'='1. For example: http://example.com/app/accountView?id=' or '1'='1 This changes the meaning of both queries to return all the records from the accounts table. More dangerous attacks could modify data or even invoke stored procedures.

  13. References OWASP  OWASP SQL Injection Prevention Cheat Sheet  OWASP Query Parameterization Cheat Sheet  OWASP Command Injection Article  OWASP XML eXternal Entity (XXE) Reference Article  ASVS: Output Encoding/Escaping Requirements (V6)  OWASP Testing Guide: Chapter on SQL Injection Testing External  CWE Entry 77 on Command Injection  CWE Entry 89 on SQL Injection  CWE Entry 564 on Hibernate Injection

  14. A2-Broken Authentication and Session Management

  15. Am I Vulnerable To 'Broken Authentication and Session Management'? Are session management assets like user credentials and session IDs properly protected? You may be vulnerable if: User authentication credentials aren’t protected when stored 1. using hashing or encryption. See A6. Credentials can be guessed or overwritten through weak 2. account management functions (e.g., account creation, change password, recover password, weak session IDs). Session IDs are exposed in the URL (e.g., URL rewriting). 3. Session IDs are vulnerable to session fixation attacks. 4. Session IDs don’t timeout, or user sessions or authentication 5. tokens, particularly single sign- on (SSO) tokens, aren’t properly invalidated during logout. Session IDs aren’t rotated after successful login. 6. Passwords, session IDs, and other credentials are sent over 7. unencrypted connections. See A6.

  16. How Do I Prevent 'Broken Authentication and Session Management'? The primary recommendation for an organization is to make available to developers : A single set of strong authentication and 1. session management controls. Such controls should strive to: meet all the authentication and session management requirements 1. defined in OWASP’s Application Security Verification Standard (ASVS) areas V2 (Authentication) and V3 (Session Management). have a simple interface for developers. Consider theESAPI 2. Authenticator and User APIs as good examples to emulate, use, or build upon. Strong efforts should also be made to avoid 2. XSS flaws which can be used to steal session IDs. See A3 .

  17. Example Attack Scenarios Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in the URL: http://example.com/sale/saleitemsj sessionid=2P0OC2JSNDLPSKHCJUN2JV?d est=Hawaii An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card. Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated. Scenario #3: Insider or external attacker gains access to the system’s password database. User passwords are not properly hashed, exposing every users’ password to the attacker.

  18. References OWASP For a more complete set of requirements and problems to avoid in this area, see the ASVS requirements areas for Authentication (V2) and Session Management (V3).  OWASP Authentication Cheat Sheet  OWASP Forgot Password Cheat Sheet  OWASP Session Management Cheat Sheet  OWASP Development Guide: Chapter on Authentication  OWASP Testing Guide: Chapter on Authentication External  CWE Entry 287 on Improper Authentication  CWE Entry 384 on Session Fixation

  19. A3-Cross-Site Scripting (XSS)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200 OWASP Flagship Projects Tool Projects OWASP Amass OWASP CSRFGuard OWASP Defectdojo OWASP Dependency-Check OWASP Dependency-Track

751 views • 55 slides
Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva 12/12/2016 Jrmy MATOS whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products

867 views • 22 slides
Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German Day 20.11.2018 Carlos Holguera $ whoami Carlos Holguera [olera] Security Engineer working at ESCRYPT GmbH since 2012 Area of expertise:

790 views • 56 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security -

Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security -

Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security - Based in London - Completjng MSc Cyber Security @ University of York - Security Architect for Kainos Mateusz Kalinowski - Java research OWASP

789 views • 23 slides
SECTET SECTET Model driven Security of Service Oriented Systems y y based on Security as

SECTET SECTET Model driven Security of Service Oriented Systems y y based on Security as

Japan-Austria Joint Workshop on ICT October 18-19 2010, Tokyo, Japan SECTET SECTET Model driven Security of Service Oriented Systems y y based on Security as a Service Basel Katt , Ruth Breu, Mukhtiar Memon and Michael

646 views • 26 slides
OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. OWASP Foundation, NYC Chapter

382 views • 23 slides
Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017 Changes between 2013 and 2017 Hi, I am X. How do I get into AppSec/Security? OWASP Toronto Chapter January 17, 2018 Topics Overviews, Career Paths,

372 views • 36 slides
OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

Agenda Application Security OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente Application Security Startup 04.04.2013 04.04.2013 2 OWASP Top 10 Agenda Application Security Was ist Application Security

234 views • 8 slides
OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources 3. Setting up workstations 4. OWASP WebScarab/OWASP WebScarab-NG 5. O2 Platform About me In London since October 2010 Before that MCPD, MCTS,

747 views • 58 slides
UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is OWASP? Open Web Application Security Project Non-profit organization focused on improving security of software. They have some GREAT info on

372 views • 9 slides
Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org

Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org

Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org OWASP Ottawa Chapter Leader OWASP DevSlop Project Leader @sheHacksPurple About Me Who am I? Im Tanya Janca; Application security evangelist, web

434 views • 30 slides
OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

Introduction to the OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com OWASP-Wellington/ http://hack-ed.com www.owasp.org.nz Recordings: @kirkj @owaspnz https://goo.gl/a2VSG2 What is OWASP? Open

880 views • 45 slides
Towards a Reference Architecture for Service- Oriented Cross Domain Security Infrastructures Wen

Towards a Reference Architecture for Service- Oriented Cross Domain Security Infrastructures Wen

Towards a Reference Architecture for Service- Oriented Cross Domain Security Infrastructures Wen Zhu Dr. Lowell Vizenor Dr. Avinash Srinivasan 7 th International Conference on Internet and Distributed Computing Systems Agenda Background

128 views • 12 slides
Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is published @KatyAnton Katy Anton Software development background Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)

1.21k views • 45 slides
eb Security Software Studio yslin@DataLAB 1 OWASP Top 10 Security Risks in 2017 Rank Name

eb Security Software Studio yslin@DataLAB 1 OWASP Top 10 Security Risks in 2017 Rank Name

eb Security Software Studio yslin@DataLAB 1 OWASP Top 10 Security Risks in 2017 Rank Name 1 Injection 2 Broken Authentication and Session Management 3 Cross-Site Scripting (XSS) 4 Broken Access Control 5 Security Misconfiguration

944 views • 77 slides
Chester BO 1442(39) Alternatives Presentation Meeting Town Highway 18 (Thompson Road) Bridge

Chester BO 1442(39) Alternatives Presentation Meeting Town Highway 18 (Thompson Road) Bridge

Chester BO 1442(39) Alternatives Presentation Meeting Town Highway 18 (Thompson Road) Bridge #62 over Williams River August 29, 2019 Introductions Laura Stone, P.E. VTrans Scoping Engineer Jon Griffin, P.E. VTrans Project Manager

621 views • 58 slides
2010 Santa Barbara County Storm Water Public Opinion Survey Commissioned by Project Clean Water,

2010 Santa Barbara County Storm Water Public Opinion Survey Commissioned by Project Clean Water,

2010 Santa Barbara County Storm Water Public Opinion Survey Commissioned by Project Clean Water, Santa Barbara County 320-449 Funded by Coastal Assistance Impact Program, Bureau of Ocean Energy, Management, Regulation, and Enforcement, U.S.

363 views • 32 slides
Follow-up Analysis of Letters of Intent (LOIs) on Rare Diseases: Spring 2015 Cycle Lauren Fayish,

Follow-up Analysis of Letters of Intent (LOIs) on Rare Diseases: Spring 2015 Cycle Lauren Fayish,

Follow-up Analysis of Letters of Intent (LOIs) on Rare Diseases: Spring 2015 Cycle Lauren Fayish, MPH Program Associate, Evaluation & Analysis Laura Forsythe, PhD, MPH Associate Director, Evaluation & Analysis Vadim Y. Gershteyn, MPH

333 views • 15 slides
Collaborations Can Help Support Community Population Health Enrique Martinez-Vidal Vice

Collaborations Can Help Support Community Population Health Enrique Martinez-Vidal Vice

1 How Multi-Sector Collaborations Can Help Support Community Population Health Enrique Martinez-Vidal Vice President, AcademyHealth Susan Kennedy Senior Manager, AcademyHealth Robert Wood Johnson Foundations Payment Reform for

302 views • 26 slides
Segment routing in container networks Ben de Graaff Supervisor: Marijke Kaat (SURFnet/UvA) Best

Segment routing in container networks Ben de Graaff Supervisor: Marijke Kaat (SURFnet/UvA) Best

RP95 Segment routing in container networks Ben de Graaff Supervisor: Marijke Kaat (SURFnet/UvA) Best path Background A B Arbitrary paths Background 1 1 2 A 3 B 4 4 5 A > 1 > 4 > B Pure IPv6 (SRv6) Background 2000:1::

470 views • 34 slides
I L ROUT E 60/ 83 Co mmunity Adviso ry Gro up Me e ting No . 2 July 28, 2009 Outline Ag e

I L ROUT E 60/ 83 Co mmunity Adviso ry Gro up Me e ting No . 2 July 28, 2009 Outline Ag e

I L ROUT E 60/ 83 Co mmunity Adviso ry Gro up Me e ting No . 2 July 28, 2009 Outline Ag e nda Introduction to Participants Recap of Community Advisory Group Meeting No. 1 July 13, 2009 Drainage Traffic Safety

490 views • 26 slides
EMA Workshop on measuring the impact of pharmacovigilance activities December 5-6, 2016 Session

EMA Workshop on measuring the impact of pharmacovigilance activities December 5-6, 2016 Session

EMA Workshop on measuring the impact of pharmacovigilance activities December 5-6, 2016 Session 2 Health Canadas Approach to Measuring Impact of Pharmacovigilance and Regulatory Decisions Dr. John Patrick Stewart, MD, CCFP(EM) Marketed

175 views • 15 slides
The Next Station: University To fulfill the desire of Self- Actualization

The Next Station: University To fulfill the desire of Self- Actualization

The Next Station: University To fulfill the desire of Self- Actualization and to become everything that one is capable of becoming, extract from CTI Group Core Value The Next Station: University The Next

672 views • 32 slides

More recommend