DevConf.US 2020 - OWASP Top-10 - Allon Mureinik
1. OWASP Top Ten
Quickstart Your Security Awareness
Allon Mureinik
Senior Manager, Seeker Node.js and .NET Agents
Synopsys, Inc.
allon.mureinik@synopsys.com
@mureinik
https://www.linkedin.com/in/mureinik/
2. Setting Expectations
© 2020 Synopsys, Inc. OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
http://montypython.com/
3. Security is everyone's responsibility
https://thenounproject.com/term/security/957678
4. But it starts with the developer
https://thenounproject.com/term/developer/94089
5. OWASP
https://owasp.org/
6. OWASP Top Ten
https://owasp.org/www-project-top-ten/
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring
8. A1:2017 Injection
https://thenounproject.com/term/injection/1827356
9. SQL Injection
https://xkcd.com/327/
10. Log Injection
app.post('/logi', function(req, res) {
  // We trust our users, every login will be successful!
  const username = req.body.username;
  // Enterprise-grade logging FTW!
  // The untrusted username is concatenated into the log line without any
  // escaping, so a value containing a newline forges additional log entries.
  console.log(username + ' logged in.');
  res.end('Logged in with the honor system');
});
11. Log Injection - demo
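The following is an added example, not code from the talk or from the mureinik/owasp-top10-demo repository. It shows two ways to close the hole in the /logi handler above: escaping control characters before the value reaches a plain-text log, and emitting structured (JSON) records whose encoding cannot be broken out of. The crafted username is a constructed sample; the handler is reduced to plain functions so it runs offline without Express.

```javascript
// Added example (not from the talk's demo repository): neutralising log
// injection in the /logi handler. Two complementary defences are shown:
//   1. escape control characters so one event can never span two log lines;
//   2. emit structured (JSON) records, where the encoding itself guarantees
//      that an untrusted value cannot break out of its field.

// Escape CR, LF, TAB and every other C0/C1 control character (ESC included,
// which drives terminal escape sequences) so that a crafted username cannot
// forge a second, fake log line or repaint the terminal of whoever tails the log.
function sanitizeForLog(value) {
  return String(value).replace(/[\u0000-\u001f\u007f-\u009f]/g, (ch) => {
    if (ch === '\n') return '\\n';
    if (ch === '\r') return '\\r';
    if (ch === '\t') return '\\t';
    return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// Plain-text log line with the untrusted value escaped.
function loginLogLine(username) {
  return sanitizeForLog(username) + ' logged in.';
}

// Structured record: JSON.stringify escapes newlines and quotes, so the
// record is always exactly one physical line and the field boundary is
// unambiguous for whatever parses the log later.
function loginLogRecord(username) {
  return JSON.stringify({ event: 'login', user: String(username) });
}

// The slide's behaviour, reproduced for comparison: the value is
// concatenated verbatim, so a newline inside it yields two "lines".
function unsafeLoginLogLine(username) {
  return username + ' logged in.';
}

// How many physical lines an entry occupies; a safe entry is always 1.
function physicalLines(entry) {
  return entry.split(/\r\n|\r|\n/).length;
}

// Constructed sample: a username carrying an embedded newline, the kind of
// input the log-injection demo depends on.
const craftedUsername = 'mallory\nadmin logged in.';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', JSON.stringify(unsafeLoginLogLine(craftedUsername)));
  console.log('escaped:', loginLogLine(craftedUsername));
  console.log('json   :', loginLogRecord(craftedUsername));
}
```

Escaping is the right fix when the log format is a free-text line; the JSON form is preferable when a SIEM or log pipeline consumes the output, because the consumer parses the field instead of guessing where the username ends.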
12. A4:2017 XML External Entities (XXE)
https://thenounproject.com/term/xml/3123782
13. XXE Injection
app.use(bodyParser.text({type: '*/*'}));
app.post('/xxe', function(req, res) {
  // noent: true asks libxml2 to substitute entities, including external ones
  // declared in a DTD; that option is what makes this endpoint XXE-prone.
  const parsed = libxmljs.parseXml(req.body, {noent: true});
  const name = parsed.get('//name').text();
  res.end('Name is: ' + name);
});
14. XXE Injection - demo
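An added example, not code from the talk or its demo repository. The first fix for the /xxe handler is simply to drop the noent option, since libxmljs leaves entity substitution off unless asked. This block adds the defence in depth the OWASP XXE Prevention Cheat Sheet recommends: refuse any document that declares a DTD at all, before the parser ever sees it. The parser is injected as a function so the example runs without libxmljs; the sample documents and the toy name extractor are constructed for this illustration.

```javascript
// Added example (not from the talk's demo repository): a pre-parse gate that
// rejects any XML document carrying a DTD, applied in front of the /xxe
// handler. Framework-independent; no XML library is required to run it.

// Remove XML comments first so that a '<!DOCTYPE' inside a comment neither
// trips the check nor hides a real declaration placed after it.
function stripComments(xml) {
  return xml.replace(/<!--[\s\S]*?-->/g, '');
}

// True when the document declares a DTD (internal subset, external subset or
// any <!ENTITY ...> declaration). XML keywords are case-sensitive and must be
// upper-case, so no case folding is applied.
function declaresDtd(xml) {
  const body = stripComments(xml);
  return /<!DOCTYPE[\s>\[]/.test(body) || /<!ENTITY\s/.test(body);
}

// Classify a request body before parsing. Returns a verdict object so the
// caller can log the reason; the handler below maps it to an HTTP status.
function checkXmlForXxe(xml) {
  if (typeof xml !== 'string' || xml.length === 0) {
    return { ok: false, reason: 'empty body' };
  }
  if (declaresDtd(xml)) {
    return { ok: false, reason: 'DTD not allowed' };
  }
  return { ok: true, reason: null };
}

// Hardened shape of the /xxe handler. `parseXml` is injected (assumption for
// this example); with libxmljs it would be
//   (body) => libxmljs.parseXml(body).get('//name').text()   // no noent option
function handleXxeRequest(body, parseXml) {
  const verdict = checkXmlForXxe(body);
  if (!verdict.ok) {
    return { status: 400, text: 'Rejected: ' + verdict.reason };
  }
  return { status: 200, text: 'Name is: ' + parseXml(body) };
}

// Constructed sample documents.
const benignDoc = '<?xml version="1.0"?><root><name>DevConf</name></root>';
const dtdDoc = '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY x "y">]><root><name>&x;</name></root>';
const commentedDoc = '<?xml version="1.0"?><!-- <!DOCTYPE root> --><root><name>ok</name></root>';

// Minimal stand-in for the demo's parser: pulls out the <name> text the way
// the slide's parsed.get('//name').text() does. Not a real XML parser.
function toyParseName(xml) {
  const m = /<name>([^<]*)<\/name>/.exec(xml);
  return m ? m[1] : '';
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const doc of [benignDoc, dtdDoc, commentedDoc]) {
    console.log(JSON.stringify(handleXxeRequest(doc, toyParseName)));
  }
}
```

The gate is deliberately coarse: legitimate clients of this endpoint have no reason to send a DTD, so rejecting all of them costs nothing and removes the whole class rather than one entity syntax. It complements, and does not replace, configuring the parser itself with entity substitution off.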
15. A7:2017 Cross-Site Scripting (XSS)
https://thenounproject.com/term/html/101165
16. Stored XSS
app.get('/xss', function (req, res) {
  db.all('SELECT comment FROM comments ORDER BY ts DESC', [], function(err, rows) {
    // Stored comments are joined and interpolated into the page as raw HTML,
    // with no output encoding: this is the line that makes the XSS stored.
    const comments = rows.map(r => r.comment).join('<br/>');
    const body =
`<html lang="en">
<body>
How is DevConf.US so far?<br/>
<form action="/xss" method="post">
<input name="comment" type="text"> <input type="submit">
</form>
<br/>
Here's what others are saying:<br/>
${comments}
</body>
</html>`;
    res.send(body);
  });
});
17. Stored XSS (cont.)
app.post('/xss', function (req, res) {
  // The comment is stored verbatim through a parameterised query, so there is
  // no SQL injection here; the problem is on the output side, where it is
  // rendered back unescaped.
  db.run('INSERT INTO comments(comment) VALUES (?)',
    [req.body.comment],
    function (err) {
      if (err) {
        return console.log(err.message);
      }
    });
  res.writeHead(302, {
    'Location': 'xss'
  });
  res.end();
});
18. Stored XSS - demo
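An added example, not code from the talk or its demo repository. It fixes the /xss page from the previous slides by encoding each stored comment for the HTML text context at the moment it is interpolated, while leaving the stored data raw (the same comment may later be rendered into JSON or a log line, each needing its own encoding). The SQLite table is replaced by an in-memory array and the sample comments are constructed, so the block runs offline.

```javascript
// Added example (not from the talk's demo repository): output encoding for
// the stored-XSS comments page. Every comment passes through escapeHtml()
// before it is interpolated into the HTML body.

// Encode the five characters that carry meaning in an HTML text node or in
// a double- or single-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render the comments page. Mirrors the template on the slide, except that
// every stored comment is escaped before interpolation.
function renderCommentsPage(comments) {
  const list = comments.map(escapeHtml).join('<br/>');
  return `<html lang="en">
<body>
How is DevConf.US so far?<br/>
<form action="/xss" method="post">
<input name="comment" type="text"> <input type="submit">
</form>
<br/>
Here's what others are saying:<br/>
${list}
</body>
</html>`;
}

// Store side: keep the raw comment (encoding belongs at output time), but
// validate the type and bound the size so the table cannot be flooded.
const MAX_COMMENT_LENGTH = 500;
function storeComment(store, comment) {
  if (typeof comment !== 'string' || comment.length === 0) {
    return false;
  }
  store.push(comment.slice(0, MAX_COMMENT_LENGTH));
  return true;
}

// Coarse self-check: true when the rendered page contains no tag other than
// the ones the template itself emits, i.e. no stored comment became markup.
const TEMPLATE_TAGS = new Set(['html', 'body', 'br', 'form', 'input', '/form', '/body', '/html']);
function onlyTemplateTags(html) {
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z]+)/g)].map((m) => m[1].toLowerCase());
  return tags.every((t) => TEMPLATE_TAGS.has(t));
}

// Constructed sample comments, one of which carries markup.
const sampleComments = [
  'Great talks so far!',
  '<script>alert(1)</script>',
  'Tom & Jerry say "hi"',
];

if (typeof require !== 'undefined' && require.main === module) {
  const store = [];
  sampleComments.forEach((c) => storeComment(store, c));
  console.log(renderCommentsPage(store));
}
```

escapeHtml() is correct only for the HTML text and quoted-attribute contexts used here; a value placed inside a script block, a URL or a CSS property needs the encoder for that context. A Content-Security-Policy header that disallows inline script is a worthwhile second layer, but it does not remove the need for output encoding.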
19. Summary
https://thenounproject.com/term/brief/935656
20. Some useful links
• OWASP Top-10 Project:
  https://owasp.org/www-project-top-ten/
• Source code for the demos:
  https://github.com/mureinik/owasp-top10-demo
• curl, used throughout the demos:
  https://curl.haxx.se/
21. Questions?
https://thenounproject.com/term/questions/1195076/