OWASP Top 10 Project

1
OWASP Top 10 Project
Presented by ISAM Staff Tyler Hargis GSEC,
GWAS,GCIH - and - Michael Morrison GSEC, GWAS,
CPTS, NSA IAM
2
Overview

• Disclaimer
• Common Misconceptions
• Open Web Application Security Project
• OWASP Top Vulnerabilities
• Conclusion
• QA

3
Disclaimer

• The information contained in this presentation is
  intended to be used to educate developers about
  security vulnerabilities commonly found in Web
  Applications.
• This presentation is not intended as training
  material for those with malicious intent against
  information systems.
• Exploitation of the vulnerabilities listed in
  this presentation on systems or applications not
  owned or developed by the viewer is illegal in
  jurisdictions worldwide.
• It is a violation of the University of Missouri
  Acceptable Use policy to transmit these exploits
  across the MU network without explicit permission
  of the system or application owner they are
  directed at.
• The presenters are trained professionals, dont
  try this at home

4
Common Misconceptions

• Arent I protected by firewalls or something?
• I thought you just needed to keep things patched?
• Im not using Microsoft, so I must be secure.
• Isnt keeping me secure your job?

5
Open Web Application Security Project

• The Open Web Application Security Project (OWASP)
  is an open community dedicated to enabling
  organizations to develop, purchase, and maintain
  applications that can be trusted.
• All of the OWASP tools, documents, forums, and
  chapters are free and open to anyone interested
  in improving application security.
• http//www.owasp.org

6
OWASP TOP 10

• 1 Cross Site Scripting (XSS) Flaws
• XSS flaws occur whenever an application takes
  user supplied data and sends it to a web browser
  without first validating or encoding that
  content.
• XSS allows attackers to execute script in the
  victim's browser which can hijack user sessions,
  deface web sites, possibly introduce worms, etc.

7
OWASP TOP 10

• Cross Site Scripting (XSS) Recommendations
• Input validation
• Strong output encoding
• Specify the output encoding
• Do not use "blacklist" validation
• Watch out for canonicalization errors

8
OWASP TOP 10

• Cross Site Scripting (XSS) Recommendations
• Java Use Struts output mechanisms such as
  ltbeanwrite gt, or use the default JSTL
  escapeXML"true" attribute in ltcout gt.
• .NET Use the Microsoft Anti-XSS Library 1.5
  freely available from MSDN. Understand which .NET
  controls automatically encode output data.
• PHP Ensure output is passed through
  htmlentities() or htmlspecialchars() or use the
  soon to be released OWASP PHP Anti-XSS library.
  Disable register_globals if it is not already
  disabled

9
OWASP TOP 10

• 2 Injection Flaws
• Injection flaws, particularly SQL injection, are
  common in web applications. Injection occurs when
  user-supplied data is sent to an interpreter as
  part of a command or query. The attacker's
  hostile data tricks the interpreter into
  executing unintended commands or changing data.

10
OWASP TOP 10

• Injection Flaw Recommendations
• Input validation.
• Use strongly typed parameterized query APIs
• Enforce least privilege when connecting to
  databases
• Avoid detailed error messages
• Show care when using stored procedures
• Do not use dynamic query interfaces
• Do not use simple escaping functions - simple
  escaping functions cannot escape table names!
• Watch out for canonicalization errors

11
OWASP TOP 10

• Injection Flaw Recommendations
• Java EE - use strongly typed PreparedStatement,
  or ORMs such as Hibernate or Spring
• .NET - use strongly typed parameterized queries,
  such as SqlCommand with SqlParameter or an ORM
  like Hibernate.
• PHP - use PDO with strongly typed parameterized
  queries (using bindParam())

12
OWASP TOP 10

• 3 Malicious File Execution
• Code vulnerable to remote file inclusion (RFI)
  allows attackers to include hostile code and
  data, resulting in devastating attacks, such as
  total server compromise. Malicious file execution
  attacks affect PHP, XML and any framework which
  accepts filenames or files from users.

13
OWASP TOP 10

• Malicious File Execution Recommendations
• Use an indirect object reference map (hash the
  reference)
• Use explicit taint checking mechanisms, if
  supported (see OWASP)
• Strongly validate user input
• Add firewall rules
• Check any user supplied files or filenames
• Consider implementing a chroot jail or
  virtualization (sand box mechanisms)

14
OWASP TOP 10

• Malicious File Execution Recommendations
• PHP Disable allow_url_fopen and
  allow_url_include in php.ini
• PHP Disable register_globals and use E_STRICT to
  find uninitialized variables
• PHP Ensure that all file and streams functions
  (stream_) are carefully vetted.
• PHP Be extremely cautious if data is passed to
  system() eval() passthru() or (the backtick
  operator)
• J2EE, ensure that the security manager is enabled
  and properly configured and that the application
  is demanding permissions appropriately
• ASP.NET, please refer to the documentation on
  partial trust, and design your applications to be
  segmented in trust, so that most of the
  application exists in the lowest possible trust
  state possible

15
OWASP TOP 10

• 4 Insecure Direct Object Reference
• A direct object reference occurs when a developer
  exposes a reference to an internal implementation
  object, such as a file, directory, database
  record, or key, as a URL or form parameter.
  Attackers can manipulate those references to
  access other objects without authorization.

16
OWASP TOP 10

• Insecure Direct Object Reference Recommendations
• Avoid exposing your private object references to
  users whenever possible, such as primary keys or
  filenames
• Validate any private object references
• Verify authorization to all referenced objects

17
OWASP TOP 10

• 5 Cross Site Request Forgery (CSRF)
• A CSRF attack forces a logged-on victim's browser
  to send a pre-authenticated request to a
  vulnerable web application, which then forces the
  victim's browser to perform a hostile action to
  the benefit of the attacker. CSRF can be as
  powerful as the web application that it attacks.

18
OWASP TOP 10

• Cross Site Request Forgery (CSRF) Recommendations
• Ensure that there are no XSS vulnerabilities in
  your application
• Insert custom random tokens into every form and
  URL (For ASP.NET, set a ViewStateUserKey.)
• For sensitive data or value transactions,
  re-authenticate or use transaction signing
• Do not use GET requests (URLs) for sensitive data
  or to perform value transactions.
• POST alone is insufficient a protection.

19
OWASP TOP 10

• 6 Information Leakage and Improper Error
  Handling
• Applications can unintentionally leak information
  about their configuration, internal workings, or
  violate privacy through a variety of application
  problems. Attackers use this weakness to steal
  sensitive data, or conduct more serious attacks.

20
OWASP TOP 10

• 7 Broken Authentication and Session Management
• Account credentials and session tokens are often
  not properly protected. Attackers compromise
  passwords, keys, or authentication tokens to
  assume other users' identities.

21
OWASP TOP 10

• 8 Insecure Cryptographic Storage
• Web applications rarely use cryptographic
  functions properly to protect data and
  credentials. Attackers use weakly protected data
  to conduct identity theft and other crimes, such
  as credit card fraud.

22
OWASP TOP 10

• 9 Insecure Communications
• Applications frequently fail to encrypt network
  traffic when it is necessary to protect sensitive
  communications.

23
OWASP TOP 10

• 10 Failure to Restrict URL Access
• Frequently, an application only protects
  sensitive functionality by preventing the display
  of links or URLs to unauthorized users. Attackers
  can use this weakness to access and perform
  unauthorized operations by accessing those URLs
  directly.

24
How Do I Protect My Applications?

• Take advantage of free sites like OWASP for
  details on remediating the vulnerabilities
  demonstrated today. (http//www.owasp.org/index.ph
  p/Top_10_2007-Where_to_Go_From_Here)
• Fortify Source Code Analyzer is available at a
  reduced cost from DoIT.
• Security Training of any type (DoIT, SANS, etc.)

25
How Can DoIT Help?

• Inspections by ISAM will reveal many common
  vulnerabilities in applications as well as
  systems.
• Our Tipping Point IPS blocks many attacks, but is
  not a good substitute for solid programming.
• MU Root SSL Certificates and Verisign
  Certificates are Available

26
Practice Sites

• WebGoat
• http//www.owasp.org/index.php/CategoryOWASP_WebG
  oat_Project
• Requires a Java Virtual Machine be available on
  the local machine, and runs from the local
  machine.
• HACME Bank / HACME Books
• http//www.foundstone.com
• Note you will have to install these on a system
  you can run an appropriate web server on.
• Hack This Site!
• http//www.hackthissite.org/
• Bright Shadows Challenges
• http//www.bright-shadows.net/

27
Practice Sites

• The Web Hacking Incidents Databasehttp//packetst
  ormsecurity.org/papers/attack/Web-Hacking-Incident
  s-Database-Annual-Report-2007.pdf
• UM System Database Hackedhttp//www.techshout.com
  /internet/2007/09/university-of-missouri-system-da
  tabase-hacked-over-22000-social-security-numbers-s
  tolen/
• YGN Ethical Hacker Group (WebGoat
  Videos)http//yehg.net/lab/pr0js/training/webgoat
  .php