The OWASP Top 10 is a powerful awareness document for web application security; the latest version was released in 2017. It represents the industry-standard list of the weaknesses that are most critical in terms of security risk.
In this talk we go into the details of all its items, matching them with weakness types from the CWE (Common Weakness Enumeration) category system.
One of the best ways to understand the most common security issues and their consequences is to learn about prevention.
Most of them can be remediated at low cost if they are discovered during the development phase. In this session we're going to look at Java, C, PHP, Perl and other programming languages in order to raise awareness of secure software development.
2. WHO AM I?
Tatár Balázs János - @tatarbj
CTO @ Petend
Open Source Security Correspondent @ EU Commission
SecOSdreamer @ SecOSdays
Globetrotter @ Open Source software communities
3. OWASP TOP10
Open Web Application Security Project
TOP10 releases: 2010, 2013, 2017 (latest)
General concept: the most critical web application security risks
Well-known source for technical security awareness programs
4. Common Weakness Enumeration (CWE)
A community-developed list of software weakness types
A catalogue of all software weaknesses
2019 CWE Top 25 Most Dangerous Software Errors
Data-driven approach based on CVE data and their CWE mappings, scored using CVSS
5. The concept of this session
OWASP TOP 10 – great for overview
CWE TOP 25 – great for details and research
Let’s map them and see some code (spoiler alert!)
Following the OWASP list from 2017 and matching CWE entries
6. WARNINGS!
Weaknesses are not vulnerabilities!
They can cause certain malfunctions.
Many of the CWEs are conceptual/architectural issues, and raising awareness is the main purpose of this session.
7. CWE-223 - Omission of Security-relevant Information
OWASP 2017 A10: Insufficient Logging and Monitoring
Language-independent, architectural/conceptual issue.
Not recording or displaying relevant information that would be important for identifying the source of an attack.
Loss of information might cause further issues.
8. CWE-223 - Omission of Security-relevant Information
OWASP 2017 A10: Insufficient Logging and Monitoring
9. CWE-778 - Insufficient Logging
OWASP 2017 A10: Insufficient Logging and Monitoring
A security-critical event occurs and the software either does not record it or omits important details of it (similar to CWE-223).
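An added example (not the talk's own code, and in Python rather than one of the languages the talk shows) contrasting the "log only after a limit" pattern from the speaker notes with a full audit record per authentication attempt; the credential store, source address and in-memory log sink are constructed for the demo:

```python
import hmac
import logging
from datetime import datetime, timezone

# Constructed credential store and in-memory audit sink; a real service would
# ship these records to a central log that the application itself cannot erase.
_USERS = {"alice": "correct horse battery staple"}
AUDIT_RECORDS = []

class _ListHandler(logging.Handler):
    def emit(self, record):
        AUDIT_RECORDS.append(self.format(record))

audit = logging.getLogger("audit")
audit.setLevel(logging.INFO)
audit.addHandler(_ListHandler())
audit.propagate = False

def _password_ok(user, password):
    return hmac.compare_digest(_USERS.get(user, ""), password)

def login_logging_after_limit(user, password, source_ip, failures, limit=5):
    """Weak pattern (CWE-778): only the lockout is written, so attempts that
    stay below the limit leave no trace at all."""
    if _password_ok(user, password):
        return True
    failures[user] = failures.get(user, 0) + 1
    if failures[user] >= limit:
        audit.warning("user=%s locked after %d failures", user, failures[user])
    return False

def login_with_audit(user, password, source_ip):
    """Each outcome is recorded with actor, origin, time and result, which is
    what identifying the source of an attack later (CWE-223) requires. The
    password itself is never logged."""
    ok = _password_ok(user, password)
    audit.info("auth result=%s user=%s src=%s at=%s",
               "success" if ok else "failure", user, source_ip,
               datetime.now(timezone.utc).isoformat())
    return ok
```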
10. No CWEs
OWASP 2017 A9: Using Components with Known Vulnerabilities
„This is an unusual category. CWE does not cover the limitations of human processes and procedures that cannot be described in terms of a specific technical weakness as resident in the code, architecture, or configuration of the software. Since "known vulnerabilities" can arise from any kind of weakness, it is not possible to map this OWASP category to other CWE entries, since it would effectively require mapping this category to ALL weaknesses.”
11. Managing 3rd parties
OWASP 2017 A9: Using Components with Known Vulnerabilities
OWASP Dependency-Check
Composer-based tools
Codario (Silver Sponsor of SecOSdays Sofia)
Violinist (Special partner of SecOSdays Sofia)
You can do it by hand (not necessarily a good strategy)
12. CWE-502 - Deserialization of Untrusted Data
OWASP 2017 A8: Insecure Deserialization
Untrusted data cannot be considered trustworthy merely because it is well-formatted.
It can lead to unauthorized actions (missing restrictions, methods that execute on their own during deserialization, shell spawning).
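An added example (not from the talk; Python's pickle stands in for the native serialization formats of the languages discussed) showing the two defences that address this weakness: an allow-list of what an untrusted stream may reference, and preferring a data-only format with explicit validation. The payloads are constructed for the demo:

```python
import datetime
import io
import json
import pickle

# Allow-list of the only globals an untrusted pickle may resolve. Plain containers
# and scalars need no global lookup at all; anything else (classes with __reduce__,
# callables with side effects) is refused before it can run.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_loads(data: bytes):
    """Deserialize an untrusted pickle under the allow-list above."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def load_json_message(data: bytes) -> dict:
    """Preferred: a data-only format plus explicit validation of shape and types,
    so 'well-formed' is never mistaken for 'trusted'."""
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) != {"user", "amount"}:
        raise ValueError("unexpected message shape")
    if not isinstance(obj["user"], str) or not isinstance(obj["amount"], int):
        raise ValueError("unexpected field types")
    return obj

# Constructed samples: a harmless payload and one that references a class.
PLAIN_PAYLOAD = pickle.dumps({"user": "alice", "amount": 10})
CLASS_PAYLOAD = pickle.dumps(datetime.date(2017, 1, 1))
```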
14. CWE-79 - Improper Neutralization of Input During Web Page Generation
OWASP 2017 A7: Cross-Site Scripting
The application does not neutralize, or incorrectly neutralizes, user-controlled input before it is placed in output.
Types: Reflected, Stored and DOM-based XSS
15. CWE-79 - Improper Neutralization of Input During Web Page Generation
OWASP 2017 A7: Cross-Site Scripting
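An added example (not the talk's code; Python in place of the PHP/Java templates the talk shows) of a raw-interpolating renderer next to one that neutralizes each value for its output context, including the URL attribute case where escaping alone is not enough. The comment text and link are constructed inputs:

```python
import html
from urllib.parse import urlsplit

def esc(value) -> str:
    """For HTML text and double-quoted attribute values: & < > " ' become entities."""
    return html.escape(str(value), quote=True)

def safe_href(url: str, fallback: str = "#") -> str:
    """href/src take URLs, where escaping does not help: a 'javascript:' scheme
    would still run. Accept only http(s) or path-relative targets."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() in ("http", "https") or (not parts.scheme and not parts.netloc):
        return esc(url)
    return fallback

def render_comment_unsafe(author: str, text: str, site: str) -> str:
    # CWE-79 as it appears in many templates: raw interpolation into markup.
    return f'<p class="by"><a href="{site}">{author}</a></p><p>{text}</p>'

def render_comment(author: str, text: str, site: str) -> str:
    # Every interpolation point uses the escaper for its context; attributes stay quoted.
    return (f'<p class="by"><a href="{safe_href(site)}">{esc(author)}</a></p>'
            f'<p>{esc(text)}</p>')

# Constructed untrusted inputs.
EVIL_TEXT = "<script>alert(1)</script>"
EVIL_SITE = "javascript:alert(1)"
```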
16. CWE-209 - Information Exposure Through an Error Message
OWASP 2017 A6: Security Misconfiguration
The application generates error messages that include sensitive information about its environment, users or associated data.
It can be mitigated at the infrastructure level, but ultimately should be avoided in the application.
17. CWE-209 - Information Exposure Through an Error Message
OWASP 2017 A6: Security Misconfiguration
18. CWE-676 - Use of Potentially Dangerous Function
OWASP 2017 A6: Security Misconfiguration
The function can be used safely, but its use is not recommended.
Usually, as the language evolves, it gets deprecated (and replaced by safer alternatives).
19. CWE-732 - Incorrect Permission Assignment for Critical Resource
OWASP 2017 A6: Security Misconfiguration
The permissions the application assigns to a critical resource allow it to be read or modified by unintended actors.
20. CWE-22 - Improper Limitation of a Pathname to a Restricted Directory
OWASP 2017 A5: Broken Access Control
The application uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory.
This weakness is present when the input is not properly neutralized.
21. CWE-22 - Improper Limitation of a Pathname to a Restricted Directory
OWASP 2017 A5: Broken Access Control
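An added example (not the talk's code, written in Python) of the neutralization step the slide asks for: the untrusted path is joined onto the restricted directory, fully resolved, and only accepted if the result still lies under that directory. The sample tree is constructed in a temporary directory:

```python
import os
import tempfile
from pathlib import Path

class PathTraversal(ValueError):
    """Raised when a user-supplied path would leave the allowed directory."""

def resolve_under(base_dir: str, user_path: str) -> Path:
    """Map an untrusted relative path onto base_dir and prove the result stays
    inside it. Both sides are resolved first, so '..' segments, absolute inputs
    and symlinks pointing outside are all caught by a single comparison."""
    if "\x00" in user_path:
        raise PathTraversal("NUL byte in path")
    base = Path(base_dir).resolve()
    # A leading slash would otherwise discard base_dir entirely.
    candidate = (base / user_path.lstrip("/\\")).resolve()
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise PathTraversal(f"{user_path!r} escapes {base}")
    return candidate

def read_document(base_dir: str, user_path: str) -> str:
    return resolve_under(base_dir, user_path).read_text()

def make_sample_tree() -> str:
    """Constructed sample: <root>/public/docs/a.txt is servable,
    <root>/secret.txt sits one level above the restricted directory."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "public")
    os.makedirs(os.path.join(base, "docs"))
    Path(base, "docs", "a.txt").write_text("hello")
    Path(root, "secret.txt").write_text("top secret")
    return base
```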
22. CWE-285 - Improper Authorization
OWASP 2017 A5: Broken Access Control
The application does not perform, or incorrectly performs, an authorization check when an actor attempts to access a resource or perform an action.
23. CWE-611 - Improper Restriction of XML External Entity Reference
OWASP 2017 A4: XML External Entities
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control.
It can cause the product to embed incorrect documents into its output.
Under certain circumstances it can lead to Remote Code Execution.
24. CWE-776 - Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion)
OWASP 2017 A4: XML External Entities
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
25. CWE-776 - Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion)
OWASP 2017 A4: XML External Entities
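An added example (not the talk's code, Python) serving both CWE-611 and CWE-776: since external entities and recursive entity chains both have to be declared in a DTD, rejecting any DOCTYPE or ENTITY declaration before the real parse removes both problems at once. The expat handlers and the two sample documents are constructed for the demo:

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""

def _reject(*_args):
    raise DtdNotAllowed("DOCTYPE / ENTITY declarations are not accepted from untrusted input")

def assert_no_dtd(data: bytes) -> None:
    """Stream the document through expat with handlers that abort on the first
    DTD construct. With no DTD there is nowhere for an external entity (CWE-611)
    or a recursive entity chain (CWE-776) to be declared."""
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = _reject   # fires on <!DOCTYPE ...>
    p.EntityDeclHandler = _reject         # fires on <!ENTITY ...>, internal or external
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.Parse(data, True)

def parse_untrusted(data: bytes) -> ET.Element:
    assert_no_dtd(data)
    return ET.fromstring(data)

# Constructed samples.
BENIGN = b"<order><id>42</id><qty>3</qty></order>"
WITH_DTD = b'<!DOCTYPE order [<!ENTITY greeting "hello">]><order><id>&greeting;</id></order>'
```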
26. CWE-120 - Buffer Copy without Checking Size of Input (Classic Buffer Overflow)
OWASP 2017 Top 10: not present
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
27. CWE-352 - Cross-Site Request Forgery
OWASP 2017 Top 10: not present
The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted it.
It might be possible for an attacker to trick a client into making an unintentional request to the web server, which will be treated as an authentic request (the web server offers no protection on its own).
It can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.
29. CWE-601 - URL Redirection to Untrusted Site (Open Redirect)
OWASP 2017 Top 10: not present
A web application accepts user-controlled input that specifies a link to an external site, and uses that link in a redirect.
It simplifies phishing attacks.
30. CWE-601 - URL Redirection to Untrusted Site (Open Redirect)
OWASP 2017 Top 10: not present
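An added example (not the talk's code, Python) of validating a "next" parameter before redirecting, covering the usual ways a foreign destination is smuggled past a naive check. The application host name is a constructed assumption:

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical host(s) this application is served from.
OWN_HOSTS = {"app.example"}

def safe_redirect_target(next_url, default: str = "/") -> str:
    """Return next_url only if it points back to this site, else default.
    Handles foreign schemes, protocol-relative '//host', the backslash
    variant '/\\host' and credentials in the authority part."""
    if not next_url:
        return default
    u = urlsplit(next_url.strip())
    if u.scheme and u.scheme.lower() not in ("http", "https"):
        return default
    if u.netloc:
        # Absolute URL: only our own host, and no user:pass@ prefix that could
        # make 'app.example@evil.example' look legitimate.
        if u.username is not None or u.password is not None:
            return default
        if (u.hostname or "").lower() not in OWN_HOSTS:
            return default
        return urlunsplit((u.scheme or "https", u.netloc, u.path or "/", u.query, ""))
    # Relative URL: exactly one leading slash, so it cannot become scheme-relative.
    if not u.path.startswith("/") or u.path.startswith(("//", "/\\")):
        return default
    return urlunsplit(("", "", u.path, u.query, ""))
```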
31. CWE-312 - Cleartext Storage of Sensitive Information
OWASP 2017 A3: Sensitive Data Exposure
The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used and then decode the information.
32. CWE-312 - Cleartext Storage of Sensitive Information
OWASP 2017 A3: Sensitive Data Exposure
33. CWE-359 - Exposure of Private Information (Privacy Violation)
OWASP 2017 A3: Sensitive Data Exposure
The software does not properly prevent private data from being accessed by actors who either are not explicitly authorized to access the data or do not have the implicit consent of the people to whom the data relates.
Examples:
Private user information enters the program.
The data is written to an external location, such as the console, file system, or network.
34. CWE-359 - Exposure of Private Information (Privacy Violation)
OWASP 2017 A3: Sensitive Data Exposure
AOL employee sold private data
In 2004 someone at AOL sold approx. 92 million private customer e-mail addresses to a spammer marketing an offshore gambling web site.
In response to such high-profile exploits, the collection and management of private data is becoming increasingly regulated.
35. CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
OWASP 2017 A3: Sensitive Data Exposure
The use of a non-standard algorithm is dangerous because an attacker may be able to break the algorithm and compromise whatever data has been protected.
Well-known techniques may exist to break the algorithm.
36. CWE-256 - Unprotected Storage of Credentials
OWASP 2017 A2: Broken Authentication
Password management issues occur when a password is stored in plaintext in an application's properties or configuration file.
Storing a plaintext password in a configuration file gives anyone who can read the file access to the password-protected resource.
38. CWE-308 - Use of Single-factor Authentication
OWASP 2017 A2: Broken Authentication
The use of weak, reused, and common passwords is rampant on the internet.
Without the added protection of multiple authentication schemes, a single mistake can result in the compromise of an account.
If multiple schemes are possible and also easy to use, they should be implemented and required.
39. CWE-308 - Use of Single-factor Authentication
OWASP 2017 A2: Broken Authentication
40. CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
OWASP 2017 A2: Broken Authentication
The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
The eBay attack: eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect login attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time.
An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction.
41. CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query
OWASP 2017 A1: Injection
The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended LDAP query when it is sent to a downstream component.
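An added example (not the talk's code, Python) of the neutralization the slide describes: the special characters of a search filter (RFC 4515) and of a distinguished name (RFC 4514) are different sets, so each construction point gets its own escaper. The directory base DN is a constructed assumption:

```python
def escape_ldap_filter(value: str) -> str:
    """RFC 4515 escaping for a value inside a search filter: the five characters
    that carry meaning in filter syntax become \\XX hex escapes."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def escape_ldap_dn(value: str) -> str:
    """RFC 4514 escaping for a value used as part of a DN, where a different set
    of characters is special (comma, plus, quotes, angle brackets, semicolon,
    plus a leading '#' or space and a trailing space)."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def user_filter_unsafe(username: str) -> str:
    # CWE-90: the input can close the uid assertion and append its own conditions.
    return f"(&(objectClass=person)(uid={username}))"

def user_filter(username: str) -> str:
    return f"(&(objectClass=person)(uid={escape_ldap_filter(username)}))"

def user_dn(username: str, base_dn: str = "ou=people,dc=example,dc=org") -> str:
    return f"uid={escape_ldap_dn(username)},{base_dn}"
```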
42. CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
OWASP 2017 A1: Injection
Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
It can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands.
43. CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
OWASP 2017 A1: Injection
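An added example (not the talk's code; Python with an in-memory SQLite table, constructed for the demo) putting the string-formatted query beside its parameterised form, so the "inputs interpreted as SQL instead of data" case from the slide can be observed directly:

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample table. Passwords are stored in clear here only to keep
    the injection visible; a real system stores a salted hash (see CWE-256)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return db

def find_user_unsafe(db, name: str, pw: str) -> list:
    # CWE-89: quoting by string formatting. A quote in the input ends the literal
    # and whatever follows is parsed as SQL, here turning the check into a tautology.
    query = f"SELECT name, role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return db.execute(query).fetchall()

def find_user(db, name: str, pw: str) -> list:
    # Parameterised query: the driver sends the values separately from the
    # statement text, so input is only ever data, whatever characters it holds.
    return db.execute("SELECT name, role FROM users WHERE name = ? AND pw = ?",
                      (name, pw)).fetchall()

# Constructed input: SQL to the unsafe version, just a string to the safe one.
TAUTOLOGY = "' OR '1'='1"
```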
44. CWE-78 - Improper Neutralization of Special Elements used in an OS Command
OWASP 2017 A1: Injection
The software constructs all or part of an OS command using externally-influenced input from an upstream component.
It does not neutralize, or incorrectly neutralizes, special elements that could modify the intended OS command when it is sent to a downstream component.
45. CWE-78 - Improper Neutralization of Special Elements used in an OS Command
OWASP 2017 A1: Injection
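An added example (not the talk's code, Python) showing the shell-string construction the slide warns about next to the defensive form: validate the value against a tight allow-list and pass it as its own argv element with no shell in between. The converter tool name `img2png`, its acceptance of `--` and the file-name policy are constructed assumptions:

```python
import re
import subprocess

# Hypothetical file-name policy: an allow-list is simpler to get right than
# trying to strip every shell metacharacter. No leading '-' is possible either.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def build_convert_command_unsafe(filename: str) -> str:
    # CWE-78: this string is meant for a shell, so ; | & $( ) and quotes inside
    # the file name become part of the command line.
    return f"img2png {filename} out.png"

def build_convert_argv(filename: str) -> list:
    """Validated argument passed as a separate argv element; '--' (assumed to be
    understood by img2png) stops an option-like name being read as a flag."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected file name {filename!r}")
    return ["img2png", "--", filename, "out.png"]

def run_convert(filename: str) -> int:
    # shell=False (the default): no word splitting, no metacharacter handling,
    # the process receives exactly the argv list built above.
    return subprocess.run(build_convert_argv(filename), shell=False, check=False).returncode
```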
46. Sum up
Weaknesses can harm data, users or systems directly.
Protection does not always exist.
Concepts are language-neutral.
#securityawareness
This code only logs failed login attempts once a certain limit is reached. If an attacker knows this limit, they can avoid being discovered by staying below it.
The example shows a configuration for the service security audit feature in Windows Communication Foundation (WCF).
The previous configuration file has effectively disabled the recording of security-critical events, which would force the administrator to look to other sources during debug or recovery efforts.
Logging failed authentication attempts can warn administrators of potential brute-force attacks. Similarly, logging successful authentication events can provide a useful audit trail when a legitimate account is compromised.
PATH TRAVERSAL
No1: The excerpt calls the gets() function in C, which is inherently unsafe because it blindly copies all input from STDIN to the buffer without restricting how much is copied. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.
No2: The problem with the code is that it does not restrict or limit the size of the name entered by the user. If the user enters "Very_very_long_last_name", which is 24 characters long, a buffer overflow will occur, since the array can only hold 20 characters in total.
No1: The following example shows a portion of a configuration file for an ASP.NET application. This configuration file includes username and password information for a connection to a database, but the pair is stored in plaintext.
No2: Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.