The OWASP Top 10 is a powerful awareness document for web application security, the latest version was released in 2017. It represents industry standards weaknesses that are the most critical ones in terms of their security risk. In this talk we go into details of all its items, matching them with vulnerability types from the CWE (Common Weakness Enumeration) category system. To understand the most common security issues and their consequences, one of the best ways is to learn about prevention. Most of them can be remediated at a low cost if they are discovered during the development phase - in this session we're going to check Java, C, PHP, Perl and other programming languages in order to raise awareness for secure software development.

1. Software Development
Weaknesses
Tatár Balázs János
SecOSdays Sofia – 25-26 October, 2019

2. WHO AM I?
Tatár Balázs János - @tatarbj
 CTO @ Petend
 Open Source Security Correspondent @ EU Commission
 SecOSdreamer @ SecOSdays
 Globetrotter @ Open Source software communities

3. OWASP TOP10
 Open Web Application Security Project
 TOP10 releases: 2010, 2013, 2017 (latest)
 General concept: the most critical web application security risks
 Well-known source for technical security awareness programs

4. Common Weakness Enumeration (CWE)
 A Community-Developed List of Software Weakness Types
 Library for all software weaknesses
 2019 CWE Top 25 Most Dangerous Software Errors
 Data-driven approach based on CVEs data and related CWE
mappings calculated by CVSS scores

5. The concept of this session
 OWASP TOP 10 – great for overview
 CWE TOP 25 – great for details and research
 Let’s map them and see some code (spoiler alert!)
 Following the OWASP list from 2017 and matching CWE entries

6. WARNINGS!
 Weaknesses are not vulnerabilities!
 They can cause certain malfunctioning.
 Many of the CWEs are conceptional/architectural issues
and raising awareness is the main purpose of this session.

7. CWE-223 - Omission of Security-relevant
Information
 Language independent, architectural/conceptual issue.
 Not recording or displaying relevant information that would
be important for identifying the source of an attack.
 Loss of information might cause futher issues.
OWASP 2017
A10
INSUFFICIENT
LOGGING AND
MONITORING

8. CWE-223 - Omission of Security-relevant
Information
OWASP 2017
A10
INSUFFICIENT
LOGGING AND
MONITORING

9. CWE-778 - Insufficient Logging
 Security-critical event occurs and the software either does not
record it or omits important details of it (similar to CWE-223).
OWASP 2017
A10
INSUFFICIENT
LOGGING AND
MONITORING

10. No CWEs
„This is an unusual category. CWE does not cover the
limitations of human processes and procedures that cannot
be described in terms of a specific technical weakness as
resident in the code, architecture, or configuration of the
software. Since "known vulnerabilities" can arise from
any kind of weakness, it is not possible to map this OWASP
category to other CWE entries, since it would effectively
require mapping this category to ALL weaknesses.”
OWASP 2017
A9
USING
COMPONENTS
WITH KNOWN
VULNERABILITIES

11. Managing 3rd parties
OWASP 2017
A9
USING
COMPONENTS
WITH KNOWN
VULNERABILITIES
 OWASP Dependency checker
 Composer-based tools
 Codario (Silver Sponsor of SecOSdays Sofia)
 Violinist (Special partner of SecOSdays Sofia)
 You can do it by your hand (not neccessarily a good strategy)

12. CWE-502 - Deserialization of Untrusted
Data
OWASP 2017
A8
INSECURE
DESERIALIZATION
 Untrusted data cannot be considered data because of
being well-formated.
 It can lead to unauthorized actions (missing
restrictions, methods that self-execute, shell
generations)

13. CWE-502 - Deserialization of Untrusted
Data
OWASP 2017
A8
INSECURE
DESERIALIZATION

14. CWE-79 - Improper Neutralization of
Input During Web Page Generation
OWASP 2017
A7
CROSS-SITE
SCRIPTING
 The application does not or incorrectly neutralize user-
controlled input before it’s being placed in output.
 Types: Reflected, Stored and DOM-based XSS

15. CWE-79 - Improper Neutralization of
Input During Web Page Generation
OWASP 2017
A7
CROSS-SITE
SCRIPTING

16. CWE-209 - Information Exposure
Through an Error Message
OWASP 2017
A6
SECURITY
MISCONFIGURATION
 Generated error messages that include sensitive information
about its environment, users or associated data.
 Can be mitigated on infrastructure level, but ultimately
should be avoided in the application.

17. CWE-209 - Information Exposure
Through an Error Message
OWASP 2017
A6
SECURITY
MISCONFIGURATION

18. CWE-676 - Use of Potentially
Dangerous Function
OWASP 2017
A6
SECURITY
MISCONFIGURATION
 The function can be used safely, but not recommended.
 Usually by evolving the language it gets deprecated (and
replaced by safer solutions).

19. CWE-732 - Incorrect Permission
Assignment for Critical Resource
OWASP 2017
A6
SECURITY
MISCONFIGURATION
 The application specified permissions do their job in a way that
allows that resource to be read/modified by unintended actions.

20. CWE-22 - Improper Limitation of a
Pathname to a Restricted Directory
OWASP 2017
A5
BROKEN ACCESS
CONTROL
 The application uses external input to construct a pathname, it
identifies a file/directory that is located underneath a restricted
parent directory.
 This weakness is present when the input is not properly
neutralized.

21. CWE-22 - Improper Limitation of a
Pathname to a Restricted Directory
OWASP 2017
A5
BROKEN ACCESS
CONTROL

22. CWE-285 - Improper Authorization
OWASP 2017
A5
BROKEN ACCESS
CONTROL
 The application does not or incorrectly performs an
authorization check when an actor attempts to access a resource
or performs an action.

23. CWE-611 - Improper Restriction of XML
External Entity Reference
OWASP 2017
A4
XML EXTERNAL
ENTITIES
 The software processes an XML document that can contain XML
entities with URIs that resolve to documents outside of the
intended sphere of control.
 It can cause the product to embed incorrect documents into its
output.
 In given circumstances it can lead to Remote Code Execution.

24. CWE-776 - Improper Restriction of
Recursive Entity References in DTDs (XML
Entity Expansion)
OWASP 2017
A4
XML EXTERNAL
ENTITIES
 The software uses XML documents and allows their structure to
be defined with a Document Type Definition (DTD), but it does
not properly control the number of recursive definitions of
entities.
 If the DTD contains a large number of nested or recursive
entities, this can lead to explosive growth of data when parsed,
causing a denial of service.

25. CWE-776 - Improper Restriction of
Recursive Entity References in DTDs (XML
Entity Expansion)
OWASP 2017
A4
XML EXTERNAL
ENTITIES

26. CWE-120 - Buffer Copy without Checking
Size of Input (Classic Buffer Overflow)
OWASP 2017
TOP10
Not present
 The program copies an input buffer to an output buffer without
verifying that the size of the input buffer is less than the size of
the output buffer, leading to a buffer overflow.

27. CWE-352 - Cross-Site Request Forgery
OWASP 2017
TOP10
Not present
 The web application does not, or can not, sufficiently verify whether a
well-formed, valid, consistent request was intentionally provided by
the user who submitted the request.
 It might be possible for an attacker to trick a client into making an
unintentional request to the web server which will be treated as an
authentic request. (No webserver protection)
 It can be done via a URL, image load, XMLHttpRequest, etc. and can
result in exposure of data or unintended code execution.

28. CWE-352 - Cross-Site Request Forgery
OWASP 2017
TOP10
Not present

29. CWE-601 - URL Redirection of
Untrusted Site (Open Redirect)
OWASP 2017
TOP10
Not present
 A web application accepts a user-controlled input that specifies
a link to an external site, and uses that link in a Redirect.
 It simplifies phishing attacks.

30. CWE-601 - URL Redirection of
Untrusted Site (Open Redirect)
OWASP 2017
TOP10
Not present

31. CWE-312 - Cleartext Storage of
Sensitive Information
OWASP 2017
A3
SENSITIVE DATA
EXPOSURE
 The application stores sensitive information in cleartext within a
resource that might be accessible to another control sphere.
 Even if the information is encoded in a way that is not human-
readable, certain techniques could determine which encoding is
being used, then decode the information.

32. CWE-312 - Cleartext Storage of
Sensitive Information
OWASP 2017
A3
SENSITIVE DATA
EXPOSURE

33. CWE-359 - Exposure of Private
Information (Privacy Violation)
OWASP 2017
A3
SENSITIVE DATA
EXPOSURE
 The software does not properly prevent private data from being
accessed by actors who either are not explicitly authorized to
access the data or do not have the implicit consent of the people to
which the data is related.
 Examples:
 Private user information enters the program.
 The data is written to an external location, such as the console, file
system, or network.

34. CWE-359 - Exposure of Private
Information (Privacy Violation)
OWASP 2017
A3
SENSITIVE DATA
EXPOSURE
AOL employee sold private data
In 2004 someone at AOL sold approx.
92 million private customer e-mail
addresses to a spammer marketing of
an offshore gambling web site.
In response to such high-profile
exploits, the collection and
management of private data is
becoming increasingly regulated.

35. CWE-327 - Use of a Broken or Risky
Cryptographic Algorithm
OWASP 2017
A3
SENSITIVE DATA
EXPOSURE
 The use of a non-standard algorithm is dangerous because an
attacker may be able to break the algorithm and compromise
whatever data has been protected.
 Well-known techniques may exist to break the algorithm.

36. CWE-256 - Unprotected Storage of
Credentials
OWASP 2017
A2
BROKEN
AUTHENTICATION
 Password management issues occur when a password is stored in
plaintext in an application's properties or configuration file.
 Storing a plaintext password in a configuration file allows anyone
who can read the file access to the password-protected resource.

37. CWE-256 - Unprotected Storage of
Credentials
OWASP 2017
A2
BROKEN
AUTHENTICATION

38. CWE-308 - Use of Single-factor
Authentication
OWASP 2017
A2
BROKEN
AUTHENTICATION
 The use of weak, reused, and common passwords is rampant on the
internet.
 Without the added protection of multiple authentication schemes, a
single mistake can result in the compromise of an account.
 If multiple schemes are possible and also easy to use, they should be
implemented and required.

39. CWE-308 - Use of Single-factor
Authentication
OWASP 2017
A2
BROKEN
AUTHENTICATION

40. CWE-640 - Weak Password Recovery
Mechanism for Forgotten Password
OWASP 2017
A2
BROKEN
AUTHENTICATION
 The software contains a mechanism for users to recover or
change their passwords without knowing the original password,
but the mechanism is weak. The eBay attack
eBay always displays the user id of the highest bidder. In the
final minutes of the auction, one of the bidders could try to
log in as the highest bidder three times. After three incorrect
log in attempts, eBay password throttling would kick in and
lock out the highest bidder's account for some time.
An attacker could then make their own bid and their victim
would not have a chance to place the counter bid because
they would be locked out. Thus an attacker could win the
auction.

41. CWE-90 - Improper Neutralization of Special
Elements used in an LDAP Query
OWASP 2017
A1
INJECTION
 The software constructs all or part of an LDAP query using externally-
influenced input from an upstream component, but it does not neutralize or
incorrectly neutralizes special elements that could modify the intended LDAP
query when it is sent to a downstream component.

42. CWE-89 - Improper Neutralization of Special
Elements used in an SQL Command
OWASP 2017
A1
INJECTION
 Without sufficient removal or quoting of SQL syntax in user-
controllable inputs, the generated SQL query can cause those
inputs to be interpreted as SQL instead of ordinary user data.
 It can be used to alter query logic to bypass security checks, or
to insert additional statements that modify the back-end
database, possibly including execution of system commands.

43. CWE-89 - Improper Neutralization of Special
Elements used in an SQL Command
OWASP 2017
A1
INJECTION

44. CWE-78 - Improper Neutralization of Special
Elements used in an OS Command
OWASP 2017
A1
INJECTION
 The software constructs all or part of an OS command using
externally-influenced input from an upstream component.
 It does not neutralize or incorrectly neutralizes special elements
that could modify the intended OS command when it is sent to a
downstream component.

45. CWE-78 - Improper Neutralization of Special
Elements used in an OS Command
OWASP 2017
A1
INJECTION

46. Sum up
 Weaknesses can harm data, users or systems directly.
 Protection does not always exist.
 Concepts are language-neutral.
 #securityawareness

47. QUESTIONS?

48. THANK YOU!
Tatár Balázs János
@tatarbj