Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
1. The “Top 10” Web Application Security Risks
Murat Lostar
2. Why Web Application Security?
• Mid – late 90s.
• Early – 2000s.
• Today
• Tomorrow - Cloud, M2M
• Always - People
3. OWASP – Top10
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Functional Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Known Vulnerable Components
10. Unvalidated Redirects and Forwards
4. 1. Injection
• Application sends untrusted data to an interpreter
• Types: SQL, LDAP, XPath, NoSQL queries; OS commands; XML parsers, SMTP headers, program arguments, etc.
5. Injection Example
• If exist (Select * from users where id= '@Name' and pw= '@Pass';) then logon successful
6. Injection Example
• Username: admin
• Password: ‘ or 1=1 --
• If exist (Select * from users where id= 'admin' and pw= '' or 1=1 --';)
• Logon successful
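The logon check from slides 5 and 6, as an added example that is not part of the presentation: the slide's string-substituted query next to the same check with bound parameters, run against a constructed in-memory SQLite "users" table (the table, its rows and the function names are assumptions made for this example).

```python
import sqlite3

# Constructed in-memory stand-in for the slide's "users" table (example code,
# not the presenter's own). Passwords are stored in clear only to keep the
# demo short; a real table would hold salted hashes (see slide 15).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, pw TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('alice', 'hunter2')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """The slide's query built by substituting @Name and @Pass into the SQL
    text: whatever the user typed reaches the interpreter as SQL syntax."""
    sql = f"SELECT * FROM users WHERE id = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone() is not None

def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Same check with bound parameters: quotes and comment markers in the
    input stay data, so the WHERE clause is never rewritten."""
    sql = "SELECT * FROM users WHERE id = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone() is not None

def demo() -> dict:
    """Runs both checks with the real password and with the slide's
    password input, and returns the four logon results."""
    conn = make_db()
    bypass = "' or 1=1 --"  # the password from slide 6
    return {
        "vuln_real": login_vulnerable(conn, "admin", "s3cret"),
        "vuln_bypass": login_vulnerable(conn, "admin", bypass),
        "safe_real": login_safe(conn, "admin", "s3cret"),
        "safe_bypass": login_safe(conn, "admin", bypass),
    }

if __name__ == "__main__":
    print(demo())
```

In the vulnerable variant the submitted text turns the condition into `pw = '' or 1=1 --'`, so the row lookup succeeds without the password; the parameterized variant compares the literal string and fails.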
12. 4. Insecure Direct Object References
• User logs into the application
• Can see own account information
http://example.com/app/accountInfo?acct=MyAcctNumber
• Is it possible to get other accounts' information?
http://example.com/app/accountInfo?acct=NotMyAcctNumber
14. Questions to ask
• Software out of date? (OS, Web/App Server, DBMS, applications, and all code libraries)
• Unnecessary features enabled or installed? (ports, services, pages, accounts, privileges, …)
• Default accounts and their passwords still the same?
• Default error messages?
• Insecure development frameworks settings?
15. 6. Sensitive Data Exposure
• Data stored in clear text long term, including backups
• Data transmitted in clear text, internally or externally
• Old / weak cryptographic algorithms
• Weak crypto keys generated / no proper key management
17. 7. Missing Functional Level Access Control
• Reaching a function directly by its URL, outside the logon process, without an authorization check
18. 8. Cross-Site Request Forgery (CSRF)
• Money transfer app for the bank:
– GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
• Preparing false URL:
– http://bank.com/transfer.do?acct=MARIA&amount=100000
• Trick the user to send this URL:
– <a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>
– <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
20. 9. Using Known Vulnerable Components
• Using old, unpatched components within applications
• Most difficult to discover
• Requires detailed inventory of components to mitigate
21. 10. Unvalidated Redirects and Forwards
• http://www.example.com/redirect.jsp?url=evil.com
• http://www.example.com/boring.jsp?fwd=admin.jsp
• Spider (crawl) the site and check for 300-307 (typically 302) redirect responses
24. Use strong authentication
• Something you know
– Passwords, PINs, etc.
• Something you have
– Mobile phones (SMS), bank cards, OTP, etc.
• Something you are
– Fingerprint, retina, voice, etc.
25. Last words
• Web application security requires
– Secure software lifecycle
• Risk management
• Security KPIs
• Code security review (automated & automatic)
– Continuous monitoring and pen testing
– Management commitment
The “Top 10” Web Application Security Risks
Speaker: Murat Lostar, CEO, Lostar Information Security
After completing this session, you will be able to:
• Recognize the Top 10 Web Application Security Risks along with the vulnerabilities that cause them
• Use open source tools to identify if these risks are present in your enterprise
• Participate in detailed risk mitigation examples drawn from banking, telecommunications, online retail and transportation
• Evaluate and effectively utilize web development tools for security testing
• Utilize proven methodologies and approaches to mitigate these risks in your organisation