OWASP Top Ten 1 Unvalidated Input Agenda What

OWASP Top Ten #1 Unvalidated Input

Agenda • • What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How to determine if you are vulnerable How to protect yourself Demonstration

What is the OWASP Top 10? • Provides minimum standard for web app security. • Broad consensus about what the most critical web application security flaws are. • Compiled by a variety of security experts from around the world. • Available in multiple languages.

Where is the Top Ten List • Provided on the OWASP web site • OWASP Sanctioned Project • http: //www. owasp. org/index. php/Category: OWASP_Top_Ten_Project • Available either online (for browsing), in word format, or in PDF format.

What is Unvalidated Input? • In order for a web application to be useful it must pass information from the client to the server and then back again. • The input passed from the client to the server helps the server determine how to respond to the client. • Although the client side has been programmed with a certain understanding of process flow in mind, malicious users can modify information before it is passed back to the server. In a vulnerable application this could cause problems if the malicious input is not handled properly.

What is Unvalidated Input? • A surprisingly large number of applications rely on client side validation of data. • The client side data transmission is susceptible to manipulation. • There is the possibility that this manipulation could cause problems on the server. § Cross Site Scripting Flaws § Buffer Overflows § Injection Flaws

Effected Environments • All: § Web Servers § Application Servers § And Web Applications

Are you vulnerable? • Any parameter passed through HTTP that is not carefully validated is thought to be “tainted. ” • Therefore all HTTP parameters (both GET and POST) must be processed before anything is done with the variable. • There are libraries built into certain web packages and OWASP packages available for other packages. • Check to see if you are vulnerable. § Use a package like Web. Scarab to input a multitude of unexpected input to your web application. See what happens.

Are you vulnerable? • Bad code: • Better code: <? php $myvar = $_POST[‘field. Name’]; validate($_POST[‘fiel d. Name’]); ? >

How to Protect Yourself • Ensure that all parameters are validated before use. § An effective way of doing this is to write a centralized library to do the validate. § This library should use “positive” filtering specifications. In other words filter for data that should be there and ignore everything else.

How to Protect Yourself • Definitions for positive filtering: § § § § Data type (string, integer, real, etc. ) Allowed character set Min and max field length Null check (are nulls allowed? ) Required parameter check Numeric range check Is this a member of an enumeration Regex patterns

How to Protect Yourself • Third party Unvalidated Input Protection: § Web application firewalls • Configurable security “device” used to do input validation. • Is not called from the application nor is it part of the application. • Black-box style security.

How to Protect Yourself • Third party Unvalidated Input Protection continued: § The OWASP Filters Project • Project is designed to be a group of re-usable filters for input validation • The Stinger HTTP request validation engine is an example of this implementation developed by OWASP for J 2 EE validation. • http: //www. owasp. org/index. php/OWASP_Stinger_ Project • Other projects are in the works (PHP for example).

How to Protect Yourself • Be very careful about what you put into web forms § Use hidden inputs sparingly and smartly § Don’t always trust cookie data § Try to store persistent data other ways • Session • Database

Unvalidated Input Demo • Demo will show two simple vulnerabilities: § SQL Injection Flaws § Cross Site Scripting Flaws