Secure Software Development What is OWASP OWASP TOP

  • Slides: 20
Download presentation
Secure Software Development What is OWASP?

Secure Software Development What is OWASP?

OWASP TOP 10 A 1: 2017 -Injection A 2: 2017 -Broken Authentication A 3:

OWASP TOP 10 A 1: 2017 -Injection A 2: 2017 -Broken Authentication A 3: 2017 -Sensitive Data Exposure A 4: 2017 -XML External Entities (XXE) A 5: 2017 -Broken Access Control A 6: 2017 -Security Misconfiguration A 7: 2017 -Cross-Site Scripting (XSS) A 8: 2017 -Insecure Deserialization A 9: 2017 -Using Components with Known Vulnerabilities A 10: 2017 -Insufficient Logging&Monitoring

Injection

Injection

Injection SELECT * FROM table WHERE field = '$EMAIL'; $EMAIL=aaa@bbb. net' SELECT * FROM

Injection SELECT * FROM table WHERE field = '$EMAIL'; $EMAIL=aaa@bbb. net' SELECT * FROM table WHERE field = 'aaa@bbb. net''; EMAIL anything' OR 'x'='x SELECT * FROM table WHERE field = 'anything' OR 'x'='x';

Injection How to remediate? Prepared statements with parameterized queries txt. User. Id = get.

Injection How to remediate? Prepared statements with parameterized queries txt. User. Id = get. Request. String("User. Id"); sql = "SELECT * FROM Users WHERE User. Id = @0"; command = new Sql. Command(sql); command. Parameters. Add. With. Value("@0", txt. User. ID); command. Execute. Reader();

Injection How to remediate? Stored procedures CREATE PROCEDURE Select. All. Customers @City nvarchar(30) AS

Injection How to remediate? Stored procedures CREATE PROCEDURE Select. All. Customers @City nvarchar(30) AS SELECT * FROM Customers WHERE City = @City GO; Execute the stored procedure EXEC Select. All. Customers @City = "London";

Injection How to remediate? Validation Control / Sanitizing An email address can contain only

Injection How to remediate? Validation Control / Sanitizing An email address can contain only these characters, you can use whitelisting approach: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789 @. -_+

Broken Authentication and Session Management BROKEN AUTHENTICATION Password length Password complexity Username/Password Enumeration Protection

Broken Authentication and Session Management BROKEN AUTHENTICATION Password length Password complexity Username/Password Enumeration Protection against brute force login

Broken Authentication and Session Management SESSION MANAGEMENT Hashing/encrypting credentials Don’t expose session IDs in

Broken Authentication and Session Management SESSION MANAGEMENT Hashing/encrypting credentials Don’t expose session IDs in URL http: //example. com/saleitems; jsessionid=2 P 0 OC 2 JSNDLPSKH CJUN 2 JV? dest=Hawaii Session IDs timeout / recreate Don’t send credentials cleartext

Sensitive Data Exposure Protect sensitive data, such as financial, healthcare, and PII. How?

Sensitive Data Exposure Protect sensitive data, such as financial, healthcare, and PII. How?

XML External Entities (XXE) <? xml version="1. 0" encoding="UTF-8"? > <stock. Check><product. Id>381</product. Id></stock.

XML External Entities (XXE) <? xml version="1. 0" encoding="UTF-8"? > <stock. Check><product. Id>381</product. Id></stock. Check> <? xml version="1. 0" encoding="UTF-8"? > <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file: ///etc/passwd"> ]> <stock. Check><product. Id>&xxe; </product. Id></stock. Check> Output: Invalid product ID: root: x: 0: 0: root: /bin/bash daemon: x: 1: 1: daemon: /usr/sbin/nologin bin: x: 2: 2: bin: /usr/sbin/nologin

Broken Access Control SQL call: pstmt. set. String(1, request. get. Parameter("acct")); Result. Set results

Broken Access Control SQL call: pstmt. set. String(1, request. get. Parameter("acct")); Result. Set results = pstmt. execute. Query( ); Attacker modifies ‘acct’ parameter: http: //example. com/app/account. Info? acct=notmyacct http: //example. com/app/getapp. Info http: //example. com/app/admin_getapp. Info

Security Misconfiguration The application server comes with sample applications. One of these applications is

Security Misconfiguration The application server comes with sample applications. One of these applications is the admin console, and default accounts weren’t changed. A minimal platform without any unnecessary features. Development, QA, and production environments should all be configured identically.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)

Insecure Deserialization

Insecure Deserialization

Insecure Deserialization

Insecure Deserialization

Using Components with Known Vulnerabilities Components typically run with the same privileges as the

Using Components with Known Vulnerabilities Components typically run with the same privileges as the application itself. Flaws in any component can result in serious impact.

Insufficient Logging & Monitoring The sandbox software had detected potentially unwanted software. No one

Insufficient Logging & Monitoring The sandbox software had detected potentially unwanted software. No one responded to this detection. The sandbox had been producing warnings for some time before the breach was detected.