OWASP Top 10 2021 What's New

Michael Furman
Security Architect
OWASP Top 10 - 2021
What's New

What will we cover today?
• Who is OWASP?
• What is OWASP Top 10?
• OWASP Top 10 – Overview and What's New

About Me
• >15 yr. in application security
• >10 yr. with Tufin – Director of AppSec
• www.linkedin.com/in/furmanmichael/
• Blog https://ultimatesecurity.pro/
• Twitter @ultimatesecpro
• I like to travel, read books and listen to music

About
●Market Leader in Security Policy Automation
●Tufin is used by >2000 enterprises
 To segment networks and connect applications
 On-prem networks, firewalls and cloud
●We are the Security Policy Company!

Who is OWASP?
• Worldwide not-for-profit organization
• Founded in 2001
• OWASP - Open Web Application Security Project
• Mission is to make the software security visible.

OWASP Top 10
• Most successful OWASP Project
https://owasp.org/Top10/
• Ten most critical web application security flaws
• De facto application security standard
• Released every 3 - 4 years
• First released in 2004
• Current - 2021

OWASP Top 10 - 2021
• A01 Broken Access Control
• A02 Cryptographic Failures
• A03 Injection
• A04 Insecure Design
• A05 Security Misconfiguration
• A06 Vulnerable and Outdated Components
• A07 Identification and Authentication Failures
• A08 Software and Data Integrity Failures
• A09 Security Logging and Monitoring Failures
• A10 Server Side Request Forgery (SSRF)

OWASP Top 10 - 2017
• A1 Injection
• A2 Broken Authentication
• A3 Sensitive Data Exposure
• A4 XML External Entities
• A5 Broken Access Control
• A7 Cross-Site Scripting (XSS)
• A8 Insecure Deserialization
• A9 Using Components with Known Vulnerabilities
• A10 Insufficient Logging & Monitoring

What happened to …?
• Cross-Site Scripting (XSS)
• XML External Entities (XXE)
• Insecure Deserialization

They are still here
• A03 Injection
• XML External Entities

And even more …
• A03 Injection
• A04 Insecure Design
• XML External Entities
• A10 Server Side Request Forgery (SSRF)

A01: Broken Access Control
• Moved up from fifth position
• Elevation of privilege or Privilege Escalation
• Acting as an admin when logged in as a user
• Acting as a user without being logged in
• Viewing or editing someone else's account
• IDOR - Insecure Direct Object References
• Cross-Origin Resource Sharing (CORS)
misconfiguration
• Allows API access from unauthorized/untrusted origins

A01: Example 1
• Application provides the service:
• Attacker browses to target URLs:
https://example.com/app/getappInfo
https://example.com/app/admin_getappInfo
https://example.com/app/getadminappInfo

A01: Example 2
• Unverified parameters to access:
• Attacker modifies the parameter:
pstmt.setString(1, request.getParameter(“account"));
ResultSet results = pstmt.executeQuery( );
https://example.com/app/accountInfo?account=notmyaccount

A01: How to Prevent
• Default behavior: deny access to resources
– Except for public resources
• Implement access control mechanisms
– On the server side
– All requests
• Minimize CORS usage

A01: Example 1
• Validate access on each request and prevent access
for unauthorized users.
• Annotation example:
// implementation of getadminappInfo
if (“a user has admin permissions”) {
// return admin app Info
} else {
// authorization error
}
@PreAuthorize("hasPermision(‘admin’)")
// implementation of getadminappInfo
{
// return admin app Info
}

A01: Example 2
• Verify ownership / access:
pstmt.setString(1, request.getParameter("account"));
if (“a user has access to account”) {
} else {
// authorization error
}

A02: Cryptographic Failures
• Previously known as “A3 Sensitive Data Exposure”
– a broad symptom rather than a root cause
• Sensitive data is transmitted or stored in clear text
• Deprecated or weak cryptographic algorithms in use
• Default crypto keys in use
– proper key management or rotation missing

A02: How to Prevent
• Encrypt all sensitive data at rest
• Encrypt all data in transit
• Use TLS 1.2 or above
• Use HTTP Strict Transport Security (HSTS) security header
• Use up-to-date and strong standard algorithms and
protocols
• Use proper key management

A03: Injection
• Slid down from first position
• Was the first one since OWASP Top Ten - 2010
• User input is not validated, filtered, or sanitized by
the application
• User input is directly used or concatenated
• SQL injection
• OS Command Injection

A03: Example
• User input is directly used in the SQL call:
String query = "SELECT * FROM accounts
WHERE custID=‘” + request.getParameter("id") + "'";

A03: How to Prevent
• Do not pass user input directly to executable
statements
• Prepared Statements
• Parameterized Queries
• Hibernate

A03: Example
• Use PreparedStatement:
String id = request.getParameter("id");
String query = "SELECT * FROM accounts WHERE custID = ? ";
PreparedStatement pstmt = connection.prepareStatement( id );
pstmt.setInt( 1, id);

A03: Don’t Forget About XSS
• Attackers can execute scripts in a victim’s browser

A03: How to Prevent XSS
• Input validation for user input
• Whitelist patterns
• Encode output

A04: Insecure Design
• A new category
• Pushing "shift-left“ approach
• A secure design can still have insecure implementation
• An insecure design cannot be fixed by an implementation
Implementation
Requirements Design Verification Release

A04: How to Implement
• Threat modeling
• Threat Modeling Manifesto
https://www.threatmodelingmanifesto.org/
• Secure Development Lifecycle (SDL)
https://ultimatesecurity.pro/post/sdl-meetup/

A05: Security Misconfiguration
• Missing security hardening
• Unnecessary features are enabled or installed
• Unnecessary ports
• Services
• Accounts
• Default accounts
• Default passwords

A05: How to Prevent
• Apply security hardening
• CIS Benchmarks https://www.cisecurity.org/cis-benchmarks/
• Close unnecessary ports
• Disable unnecessary services
• Remove default accounts
• Change default passwords

A05: What About XXE?
• Attackers can exploit vulnerable XML processors if they can
upload XML or include hostile content in an XML document
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

A05: How to Prevent XXE
• Disable XML external entity and DTD processing in all XML
parsers in the application, as per the OWASP Cheat Sheet 'XXE
Prevention’.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat
_Sheet
• For additional details see the presentation:
https://ultimatesecurity.pro/post/xxe-meetup/

A06: Vulnerable and Outdated Components
• Software is vulnerable, unsupported, or out of date
• Apache Log4j (Log4Shell) Vulnerabilities

A06: How to Prevent
• Update software periodically
• Use Software Composition Analysis (SCA) tools
• Free or commercial tools
• OWASP Dependency-Check free tool
https://owasp.org/www-project-dependency-check/

A07: Identification and Authentication Failures
• Slid down from the second position
• Previously known as Broken Authentication
• Missing brute force protection
• Missing multi-factor authentication
• Using default, weak, or well-known passwords
• Password1 or "admin/admin"
• Reusing session identifier after successful login
• Exposing session identifier in the URL

A07: How to Prevent
• Implement brute force protection
• Implement multi-factor authentication
• Change default credentials
• Implement password complexity
• Rotate Session IDs after successful login

A08: Software and Data Integrity Failures
• New category
• Software and data integrity failures that does not protect
against integrity violations
• SolarWinds 2020 Attack

A08: How to Prevent
• Use digital signatures to verify software
• Ensure you consume trusted repositories

A08: Remember Insecure Deserialization?
• Serialization is the process of translating data structures or
object state into a format that can be stored or transmitted
and reconstructed later (deserialization)
• Insecure Deserialization - an attacker changes the object
between serialization and deserialization

A08: How to Prevent Insecure Deserialization
• Don't accept serialized objects from untrusted sources

A09: Security Logging and Monitoring Failures
• Insufficient logging
• Logins
• Failed logins
• High-value transactions
• Logs are only stored locally

A09: How to Prevent
• Log important events with sufficient user context
• Username
• Client IP
• Time

A10: Server Side Request Forgery (SSRF)
• New category
• A web application is fetching a remote resource without
validating the user-supplied URL
http://host/getImage?url=http://10.0.0.1 http://10.0.0.1
Response
Response from http://10.0.0.1

A10: Example 1
• Application provides the getImage service:
// getImage implementation
String imageUrl = request.getParameter(“url"));
URL url = new URL(imageUrl);
InputStream is = url.openStream();
OutputStream os = response.getOutputStream();
// copy is to os and return a response

A10: SSRF CVEs
• CVE-2021-44224
• High Severity Apache HTTP Server CVE
• CVE-2021-26715
• Critical Severity MITREid OpenID Connect Server CVE

A10: How to Prevent
• Sanitize and validate all client-supplied input data
• Validate URL Components
• URL schema, port, and destination
• Do not send raw responses to clients

A10: Example 1
• Validate URL Components:
// getImage implementation
String imageUrl = request.getParameter(“url"));
URL url = new URL(imageUrl);
// validate URL schema, port, and destination

Take aways
• Understand OWASP Top Ten
• Implement the recommendations

Thank you!
• Contact me
– www.linkedin.com/in/furmanmichael/
– https://ultimatesecurity.pro/
– @ultimatesecpro

OWASP Top 10 2021 What's New

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a OWASP Top 10 2021 What's New

Semelhante a OWASP Top 10 2021 What's New (20)

Mais de Michael Furman

Mais de Michael Furman (6)

Último

Último (20)

OWASP Top 10 2021 What's New

Notas do Editor