Overview of OWASP and its Top 10 Security Vulnerabilities. Strategies for protecting against common web application security vulnerabilities.
Presented at the January 2011 KU Web Developers meeting.
6. DISCLAIMER
• I am NOT a “security expert”
• But I know a little about web security
• Taken SANS DEV422: Defending Web Application Security Essentials
• I don’t know everything
11. ASSUMPTIONS
• This is an introduction-level talk
• You know enough PHP to be dangerous
• You’ve heard of some security vulns
• Again, I don’t know everything
20. OWASP
• Non-profit focused on improving security of application software
• Focused on awareness of risks and education on mitigating those risks
• Kansas City chapter meets every other month
• Next meeting: Thursday, February 10, 2011 at Johnson County Community College
• Free! No registration required, but RSVPs appreciated
24. INJECTION
What is it?
• Tricking an application into unintended commands in the data sent to an interpreter

Interpreter      Injection
Database         SQL Injection
Shell            Command Injection
File System      File Injection/Inclusion
PHP              PHP Injection
25. INJECTION
Typical Impact
Technical Impact: SEVERE
• Entire database read or modified
• Access files on the filesystem
• Uses a program's elevated privileges to carry out unauthorized execution
26. INJECTION
How is it exploited?
Source: Dave Wichers OWASP Top 10 Presentation
34. INJECTION
How to prevent it? System level
• Limit access rights of your application accounts
  • OS user and database accounts
• Limit attack vectors
  • Sandbox execution
  • Firewall web-facing machine
  • Close unused ports and services
35. INJECTION
How does this fit KU? System level
• Limit access rights of your application accounts
  • OS user and database accounts
• Limit attack vectors
  • Sandbox execution
  • Firewall web-facing machine
  • Close unused ports and services
36. INJECTION
How to prevent it? Application level
• “Filter Input, Escape Output”
• Examples:
  • HTML
  • SQL / DATABASE
37. INJECTION
How to prevent it? HTML Injection
38. INJECTION
How to prevent it? SQL Injection - Prepared Statements
39. INJECTION
How to prevent it? SQL Injection
Source: http://xkcd.com/327/
46. CROSS SITE SCRIPTING (XSS)
What is it?
• Malicious data delivered to an innocent user's browser
• Single Request Exploit
  • Specially crafted URL injecting JavaScript or other defacement code
• Persistent Request Exploit
  • Saved in the file itself or more commonly in a database
  • Delivered to all visitors just by visiting the page
48. CROSS SITE SCRIPTING (XSS)
Typical Impact
Technical Impact: MODERATE
• Steal stored browser data...
  • Session IDs & cookies
  • Account numbers
  • Usernames
• Deface website
• Redirect user to phishing or malware site
49. CROSS SITE SCRIPTING (XSS)
How is it exploited?
Source: Dave Wichers OWASP Top 10 Presentation
50. CROSS SITE SCRIPTING (XSS)
How to prevent it?
• “Filter Input, Escape Output”
• Validate / Sanitize user input
• Escape user input sent to a Database or the Browser
69. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
What is it?
• Authentication or Sessions are improperly implemented
• HTTP is “stateless”
• HTTP sends credentials with every request
• Credentials are usually a Session ID
• Attack is possible when attacker gets a valid Session ID
• Remember Firesheep?
74. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
Typical Impact
Technical Impact: SEVERE
• An attacker might be able to...
  • Login without a valid password
  • Change another user’s personal info
  • Assume another user’s identity by just clicking a link
75. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
How is it exploited?
Source: Dave Wichers OWASP Top 10 Presentation
76. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
How to prevent it?
• Rely on strong authentication and session management controls
• Integrate Shibboleth into your application
77. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
How to prevent it? Proper Session Storage
• Default config stores sessions in a global temp directory
78. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
How to prevent it? Proper Session Regeneration
• Always run session_regenerate_id() after an escalation in authentication/authorization
79. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
How to prevent it? Proper Session cookie handling
• Only allow session cookies over secure connections
• Only allow session cookies over HTTP (not JavaScript)
• Only allow session IDs in cookies (not in the URL)
80. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
How to prevent it? Use HTTPS
• NEVER deliver unencrypted network traffic when in HTTPS
  • http://test.ku.edu/page2.php ==> http://webmedia.ku.edu/jquery.js
  • https://test.ku.edu/page2.php ==> https://webmedia.ku.edu/jquery.js
82. INSECURE DIGITAL OBJECT REFERENCES
What is it?
• Users without proper credentials can view secure data
• Do any users have only partial access to certain types of system data?
84. INSECURE DIGITAL OBJECT REFERENCES
Typical Impact
Technical Impact: MODERATE
• Depends on the value of the secure data
• Flaws can compromise all data referenced by an insecure object
85. INSECURE DIGITAL OBJECT REFERENCES
How is it exploited?
• User clicks link “My Account”
• User accesses “My Account” page at URL: http://mybank.com/account/2055
• User increments parameter in the URL: http://mybank.com/account/2056
• User is granted access
86. INSECURE DIGITAL OBJECT REFERENCES
How to prevent it? Use Array Map to Obfuscate URL Parameters
87. INSECURE DIGITAL OBJECT REFERENCES
How to prevent it? Use switch() to test for valid values
90. CROSS SITE REQUEST FORGERY (CSRF)
What is it?
• Victim's browser is tricked into issuing a command to a vulnerable web application
• HTTP is “stateless” - Credentials are included with every request
• If the user visits another website while still authenticated...
• Any request back to the application is considered authentic
96. CROSS SITE REQUEST FORGERY (CSRF)
Typical Impact
Technical Impact: MODERATE
• What if a hacker could steer your mouse and get you to click on links in your online banking application?
• What could they make you do?
  • Make Transactions?
  • Close Accounts?
  • Change Password?
98. CROSS SITE REQUEST FORGERY (CSRF)
How is it exploited?
• A vulnerable web application allows destructive actions (INSERT, UPDATE, DELETE) when using $_GET
  • http://mydomain.com/file.php?action=delete&id=12345
100. CROSS SITE REQUEST FORGERY (CSRF)
How is it exploited?
• Destructive actions are executed with minimal or no verification of the origin of the request
  • HTTP POST => http://mydomain.com/file.php?action=delete
• Only marginally more difficult to forge a POST
104. CROSS SITE REQUEST FORGERY (CSRF)
How to prevent it? A few easy ways...
• Invalidate user sessions quickly
• Encourage users to logout (they don’t)
• Don’t implement “Remember Me” features
105. CROSS SITE REQUEST FORGERY (CSRF)
How to prevent it? Implement a CSRF Token
• Add a secret, not automatically submitted, token to ALL sensitive requests
• Verify token exists and matches the expected value before executing the request
106. CROSS SITE REQUEST FORGERY (CSRF)
How to prevent it? Implement a CSRF Token
• Generate token and store in user's session
Source: http://shiflett.org/articles/cross-site-request-forgeries
107. CROSS SITE REQUEST FORGERY (CSRF)
How to prevent it? Implement a CSRF Token
• Use token in POST form
Source: http://shiflett.org/articles/cross-site-request-forgeries
108. CROSS SITE REQUEST FORGERY (CSRF)
How to prevent it? Implement a CSRF Token
• Validate when POST received
Source: http://shiflett.org/articles/cross-site-request-forgeries
111. SECURITY MISCONFIGURATION
What is it?
• Running web applications on a secure foundation
  • From the Operating System up through Apache
  • All PHP extensions
  • All installed libraries on the server
116. SECURITY MISCONFIGURATION
Typical Impact
Technical Impact: MODERATE
• Install backdoor through missing security patch
• Install malware on the server
• “Root” the server
• All your data is stolen
117. SECURITY MISCONFIGURATION
How is it exploited?
Source: Dave Wichers OWASP Top 10 Presentation
119. SECURITY MISCONFIGURATION
How to prevent it? System level
• Update to latest application versions
• Install security patches
• Monitor vulnerabilities list
120. SECURITY MISCONFIGURATION
How does this fit KU? System level
• Update to latest application versions
• Install security patches
• Monitor vulnerabilities list
122. SECURITY MISCONFIGURATION
How to prevent it? Application level
• Use latest available version of PHP
• Update third-party software when available
• Monitor mailing lists
125. INSECURE CRYPTOGRAPHIC STORAGE
What is it?
• Incorrectly storing and transmitting confidential data
  • Database data
  • Log files
  • Backup files
  • Password files
127. INSECURE CRYPTOGRAPHIC STORAGE
What is it? What is considered secure data at KU?
• Data protected by FERPA
• Data protected by GLB
• Data subject to PCI (credit or payment card industry) standards
• Data subject to other Federal or state confidentiality laws
• Donor or prospect information
• Passwords and PINs
• Personally Identifiable Information (“PII”)
• Personnel data
• Individually identifiable information created and collected by research projects
• Certain research data with National Security implications
• Data subject to protection pursuant to non-disclosure agreements
• Audit working papers
• Data protected by attorney/client privilege
• Email covering topics listed above
THIS LIST IS NOT ALL INCLUSIVE
Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
129. INSECURE CRYPTOGRAPHIC STORAGE
Typical Impact
Technical Impact: SEVERE
• Attacker accesses or modifies confidential data
• Intellectual property stolen
• You or KU might get sued
• Makes the company look bad in the press
130. INSECURE CRYPTOGRAPHIC STORAGE
Typical Impact
Business Impacts: SEVERE
• High risk of...
  • significant financial loss
  • legal liability
  • public distrust
  • harm
• ...if this data is disclosed
136. INSECURE CRYPTOGRAPHIC STORAGE
How to prevent it?
• Identify all sensitive data and all places it is stored
• Don’t store private data in public_html
• Don’t invent your own encryption algorithm
• Don’t transmit confidential data over unencrypted means
138. FAILURE TO RESTRICT URL ACCESS
What is it?
• Unauthorized users can view private pages
• Public users could access your admin functionality
140. FAILURE TO RESTRICT URL ACCESS
Typical Impact
Technical Impact: MODERATE
• Attackers invoke functions and services they’re not authorized for
• Access other user’s accounts and data
• Perform privileged actions
141. FAILURE TO RESTRICT URL ACCESS
How is it exploited?
• User accesses URL: http://mydomain.com/user/profile
• User changes role of URL:
  • http://mydomain.com/manager/profile
  • http://mydomain.com/admin/profile
143. FAILURE TO RESTRICT URL ACCESS
How is it exploited?
• Presentation Layer Access Control
• DOESN’T WORK
145. FAILURE TO RESTRICT URL ACCESS
How is it exploited?
• Unlinked URLs: http://mydomain.com/you/will/never/find/this/index.html
• DOESN’T WORK
148. FAILURE TO RESTRICT URL ACCESS
How to prevent it?
• Check credentials on every page
• Disallow requests to unauthorized page types
  • http://mydomain.com/uploads
• Test it!
159. INSUFFICIENT TRANSPORT LAYER PROTECTION
What is it?
• Sending confidential data over unencrypted protocols
• Failure to identify all sensitive data
• Failure to identify all places sensitive data is sent
• Between:
  • Server and user
  • Backend databases
  • Colleagues
  • Internal Communications
163. INSUFFICIENT TRANSPORT LAYER PROTECTION
How is it exploited?
• What is considered secure data at KU? (the same list as slide 127)
Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
169. INSUFFICIENT TRANSPORT LAYER PROTECTION
How is it exploited?
• Does your application...
  • Use confidential data?
  • Send it over email?
  • Send it to a database?
  • Use HTTPS for ALL authentication requests?
174. INSUFFICIENT TRANSPORT LAYER PROTECTION
How is it exploited?
• Do you...
  • Have encrypted email setup between colleagues?
  • Use encrypted IM chat between colleagues?
  • Store your account passwords in a password safe?
179. INSUFFICIENT TRANSPORT LAYER PROTECTION
How to prevent it?
• Don’t use KU Email Form to send confidential data
  1. Build a web form that stores it in a secure database
  2. Build a page to download or browse the info
  3. Only allow specific users to access it using Shibboleth
182. INSUFFICIENT TRANSPORT LAYER PROTECTION
How to prevent it?
• Use secure protocols to transmit and store data
  • Ever try to FTP to www2.ku.edu without SFTP?
  • Store confidential data in our secure Oracle database
185. INSUFFICIENT TRANSPORT LAYER PROTECTION
How to prevent it?
• Setup email encryption between colleagues
  • http://www.technology.ku.edu/ca/install/
186. INSUFFICIENT TRANSPORT LAYER PROTECTION
How to prevent it?
• Setup Off-The-Record chat encryption
  • http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html
187. INSUFFICIENT TRANSPORT LAYER PROTECTION
How to prevent it?
• KeePass
  • Windows: http://keepass.info/
  • Mac: http://www.keepassx.org/
  • Free & Open-Source
189. UNVALIDATED REDIRECTS AND FORWARDS
What is it?
• URL Redirects built by the web application can be exploited if unvalidated
• Appears as a valid URL but contains a payload
• Internal redirects are common
• External redirects are becoming more common
190. UNVALIDATED REDIRECTS AND FORWARDS
Typical Impact
Technical Impact: MODERATE
• Install malware
• Phishing site
• Bypass authorization controls
191. UNVALIDATED REDIRECTS AND FORWARDS
How is it exploited?
Source: Dave Wichers OWASP Top 10 Presentation
192. UNVALIDATED REDIRECTS AND FORWARDS
How to prevent it?
• Avoid using redirects and forwards as much as possible
• If used, don’t use user-input parameters
• If using user-input...
  • Use Array Map to Whitelist URL Parameters
193. UNVALIDATED REDIRECTS AND FORWARDS
How to prevent it? Use Array Map to Whitelist URL Parameters
195. My Challenge to you
Read the OWASP Wiki
http://www.owasp.org
Review your code
http://www.owasp.org/index.php/Code_Review_Guide
http://www.owasp.org/index.php/OWASP_Testing_Project
196. Sources
OWASP Sources:
- OWASP Application Security Verification Standard Project. <http://www.owasp.org/index.php/ASVS>
- OWASP Authentication Cheat Sheet. <http://www.owasp.org/index.php/Authentication_Cheat_Sheet>
- OWASP Code Review Project. <http://www.owasp.org/index.php/Code_Review_Guide>
- OWASP Testing Project. <http://www.owasp.org/index.php/OWASP_Testing_Project>
- OWASP Top 10 - 2010: The Top 10 Most Critical Web Application Security Risks. Dave Wichers, OWASP Board Member. <http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx>
- OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet. <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>
Links:
- Setting up encrypted email at KU. <http://www.technology.ku.edu/ca/install/>
- Introduction to Encrypted Internet Chat. <http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html>
Software:
- HTMLPurifier <http://htmlpurifier.org/>
- KeePass <http://keepass.info/>
- KeePassX <http://www.keepassx.org/>
- WebScarab <http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project>
Photos:
- http://www.flickr.com/photos/mrbenn/2337943659/
- http://www.flickr.com/photos/12836528@N00/4294660659/
- http://xkcd.com/327/

John Kary | johnkary@ku.edu
Web Development & Interface Design
University of Kansas, Information Technology
January 2011 KU Web Developers Meeting