OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project.
It lists the ten most critical web application security flaws.
Read the presentation and you will learn about each OWASP Top 10 category and the recommendations on how to prevent it.
2. What will we cover today?
• Who is OWASP?
• What is OWASP Top 10?
• OWASP Top 10 – Overview and What's New
3. About Me
• >15 yr. in application security
• >10 yr. with Tufin – Director of AppSec
• www.linkedin.com/in/furmanmichael/
• Blog https://ultimatesecurity.pro/
• Twitter @ultimatesecpro
• I like to travel, read books and listen to music
4. About
• Market Leader in Security Policy Automation
• Tufin is used by >2000 enterprises
– To segment networks and connect applications
– On-prem networks, firewalls and cloud
• We are the Security Policy Company!
5. Who is OWASP?
• Worldwide not-for-profit organization
• Founded in 2001
• OWASP - Open Web Application Security Project
• Mission is to make software security visible.
6. OWASP Top 10
• Most successful OWASP Project
https://owasp.org/Top10/
• Ten most critical web application security flaws
• De facto application security standard
• Released every 3 - 4 years
• First released in 2004
• Current - 2021
7. OWASP Top 10 - 2021
• A01 Broken Access Control
• A02 Cryptographic Failures
• A03 Injection
• A04 Insecure Design
• A05 Security Misconfiguration
• A06 Vulnerable and Outdated Components
• A07 Identification and Authentication Failures
• A08 Software and Data Integrity Failures
• A09 Security Logging and Monitoring Failures
• A10 Server Side Request Forgery (SSRF)
8. OWASP Top 10 - 2017
• A1 Injection
• A2 Broken Authentication
• A3 Sensitive Data Exposure
• A4 XML External Entities
• A5 Broken Access Control
• A6 Security Misconfiguration
• A7 Cross-Site Scripting (XSS)
• A8 Insecure Deserialization
• A9 Using Components with Known Vulnerabilities
• A10 Insufficient Logging & Monitoring
9. What happened to …?
• Cross-Site Scripting (XSS)
• XML External Entities (XXE)
• Insecure Deserialization
10. They are still here
• A03 Injection
– Cross-Site Scripting (XSS)
• A05 Security Misconfiguration
– XML External Entities (XXE)
• A08 Software and Data Integrity Failures
– Insecure Deserialization
11. And even more …
• A03 Injection
– Cross-Site Scripting (XSS)
• A04 Insecure Design
• A05 Security Misconfiguration
– XML External Entities (XXE)
• A08 Software and Data Integrity Failures
– Insecure Deserialization
• A10 Server Side Request Forgery (SSRF)
14. A01: Broken Access Control
• Moved up from fifth position
• Elevation of privilege or Privilege Escalation
– Acting as an admin when logged in as a user
– Acting as a user without being logged in
• Viewing or editing someone else's account
– IDOR - Insecure Direct Object References
• Cross-Origin Resource Sharing (CORS) misconfiguration
– Allows API access from unauthorized/untrusted origins
15. A01: Example 1
• Application provides the service:
https://example.com/app/getappInfo
• Attacker browses to target URLs:
https://example.com/app/admin_getappInfo
https://example.com/app/getadminappInfo
16. A01: Example 2
• Unverified parameters to access:
pstmt.setString(1, request.getParameter("account"));
ResultSet results = pstmt.executeQuery();
• Attacker modifies the parameter:
https://example.com/app/accountInfo?account=notmyaccount
17. A01: How to Prevent
• Default behavior: deny access to resources
– Except for public resources
• Implement access control mechanisms
– On the server side
– All requests
• Minimize CORS usage
18. A01: Example 1
• Validate access on each request and prevent access for unauthorized users:
// implementation of getadminappInfo
if ("a user has admin permissions") {
// return admin app Info
} else {
// authorization error
}
• Annotation example:
@PreAuthorize("hasPermission('admin')")
// implementation of getadminappInfo
{
// return admin app Info
}
19. A01: Example 2
• Verify ownership / access:
pstmt.setString(1, request.getParameter("account"));
if ("a user has access to account") {
ResultSet results = pstmt.executeQuery();
} else {
// authorization error
}
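The two fixes above in working form, as an added example that is not part of the slides: the server derives the caller's identity from its own session (never from a request parameter), and the ownership condition is part of the SQL itself, so a tampered account id matches no row and access is denied by default. The class name and the accounts(id, owner_id, balance) table are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;

// Added example (not from the slides): deny-by-default, server-side ownership
// check for an accountInfo-style endpoint. Table and column names are assumed.
public class AccountInfoService {

    private final Connection connection;

    public AccountInfoService(Connection connection) {
        this.connection = connection;
    }

    /**
     * Returns the balance of the requested account only if the authenticated
     * user owns it. Because the ownership check is a WHERE condition, a user
     * who tampers with the "account" parameter gets "not found" instead of
     * someone else's data (IDOR prevention), and a missing row is a denial.
     *
     * @param authenticatedUserId id taken from the server-side session
     * @param requestedAccount    the raw "account" request parameter
     */
    public Optional<Long> getBalance(long authenticatedUserId, String requestedAccount)
            throws SQLException {
        long accountId;
        try {
            accountId = Long.parseLong(requestedAccount);
        } catch (NumberFormatException e) {
            return Optional.empty(); // malformed input is treated like "no such account"
        }
        String sql = "SELECT balance FROM accounts WHERE id = ? AND owner_id = ?";
        try (PreparedStatement pstmt = connection.prepareStatement(sql)) {
            pstmt.setLong(1, accountId);
            pstmt.setLong(2, authenticatedUserId); // ownership enforced on the server
            try (ResultSet rs = pstmt.executeQuery()) {
                if (rs.next()) {
                    return Optional.of(rs.getLong("balance"));
                }
                return Optional.empty(); // default: deny
            }
        }
    }
}
```

The caller maps an empty Optional to an authorization error (or a 404, which avoids confirming that the account exists). The same pattern applies to update and delete statements: add the owner_id condition to the WHERE clause and check the affected-row count.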
20. A02: Cryptographic Failures
• Previously known as “A3 Sensitive Data Exposure”
– a broad symptom rather than a root cause
• Sensitive data is transmitted or stored in clear text
• Deprecated or weak cryptographic algorithms in use
• Default crypto keys in use
– proper key management or rotation missing
21. A02: How to Prevent
• Encrypt all sensitive data at rest
• Encrypt all data in transit
• Use TLS 1.2 or above
• Use HTTP Strict Transport Security (HSTS) security header
• Use up-to-date and strong standard algorithms and protocols
• Use proper key management
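An added example, not from the slides, of what "strong standard algorithm" and "proper key management" look like for data at rest: AES-256 in GCM mode with a fresh random nonce per message and an authentication tag, so tampering with the stored blob is detected at decryption time. The key is passed in by the caller; the main method generates a throwaway key purely for the demo, and the assumption is that a real deployment loads it from a KMS or keystore and never hard-codes it.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the slides): authenticated encryption for sensitive
// fields at rest. Stored format is nonce || ciphertext || GCM tag.
public class SensitiveDataCrypto {
    private static final int NONCE_BYTES = 12;   // recommended GCM nonce size
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    public static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);                    // never reuse a nonce with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array();
    }

    public static byte[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        ByteBuffer buf = ByteBuffer.wrap(blob);
        byte[] nonce = new byte[NONCE_BYTES];
        buf.get(nonce);
        byte[] ct = new byte[buf.remaining()];
        buf.get(ct);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        return cipher.doFinal(ct);               // throws AEADBadTagException if modified
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Demo key only. In production the key comes from a KMS/keystore (assumption).
        byte[] keyBytes = new byte[32];
        RNG.nextBytes(keyBytes);
        SecretKey key = new SecretKeySpec(keyBytes, "AES");

        byte[] secret = "4111 1111 1111 1111".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] blob = encrypt(key, secret);
        String back = new String(decrypt(key, blob), StandardCharsets.UTF_8);
        System.out.println("round trip: " + back);

        blob[blob.length - 1] ^= 1;              // simulate a modified record on disk
        try {
            decrypt(key, blob);
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected, record rejected");
        }
    }
}
```

Two things the slide's bullets imply but code makes explicit: the nonce is stored next to the ciphertext (it is not secret, only unique), and key rotation is a matter of prefixing the blob with a key id so old records can still be decrypted while new ones use the current key.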
22. A03: Injection
• Slid down from first position
• Had held first position since OWASP Top 10 - 2010
• User input is not validated, filtered, or sanitized by the application
• User input is directly used or concatenated into a query or command
• SQL injection
• OS Command Injection
23. A03: Example
• User input is directly used in the SQL call:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
24. A03: How to Prevent
• Do not pass user input directly to executable statements
• Prepared Statements
• Parameterized Queries
• Hibernate
25. A03: Example
• Use PreparedStatement:
String id = request.getParameter("id");
String query = "SELECT * FROM accounts WHERE custID = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setInt(1, Integer.parseInt(id));
ResultSet results = pstmt.executeQuery();
26. A03: Don’t Forget About XSS
• Attackers can execute scripts in a victim’s browser
27. A03: How to Prevent XSS
• Input validation for user input
• Whitelist patterns
• Encode output
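The three XSS bullets above as working code, added here as an example that is not part of the slides: a whitelist pattern rejects input that does not look like a username at all, and output encoding makes anything that does reach the page render as text rather than markup. The username rule and the greeting fragment are assumptions made for the example.

```java
import java.util.regex.Pattern;

// Added example (not from the slides): whitelist input validation plus
// HTML output encoding, the two defenses listed on the "How to Prevent XSS" slide.
public class XssDefense {

    // Whitelist: letters, digits, dot, underscore, hyphen; 3 to 32 characters (assumed rule).
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{3,32}$");

    public static boolean isValidUsername(String input) {
        return input != null && USERNAME.matcher(input).matches();
    }

    /**
     * Encodes a value for an HTML text context (between tags). Attribute,
     * JavaScript and URL contexts need their own encoders; this one is not
     * sufficient there.
     */
    public static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Output encoding happens at the point of insertion into the page, not at input time. */
    public static String greeting(String displayName) {
        return "<p>Hello, " + encodeForHtml(displayName) + "!</p>";
    }

    public static void main(String[] args) {
        String hostile = "<script>alert(1)</script>"; // constructed sample input
        System.out.println("valid username? " + isValidUsername(hostile)); // false
        System.out.println(greeting(hostile)); // tags are rendered as literal text
        System.out.println("valid username? " + isValidUsername("j.doe_42")); // true
    }
}
```

Validation and encoding are complementary: a display name legitimately containing an apostrophe (O'Brien) will pass a looser whitelist, so the encoder at output time is what actually prevents script execution.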
28. A04: Insecure Design
• A new category
• Pushing the "shift-left" approach
• A secure design can still have an insecure implementation
• An insecure design cannot be fixed at the implementation stage
[Figure: development lifecycle phases - Requirements, Design, Implementation, Verification, Release]
29. A04: How to Implement
• Threat modeling
• Threat Modeling Manifesto
https://www.threatmodelingmanifesto.org/
• Secure Development Lifecycle (SDL)
https://ultimatesecurity.pro/post/sdl-meetup/
30. A05: Security Misconfiguration
• Missing security hardening
• Unnecessary features are enabled or installed
– Unnecessary ports
– Services
– Accounts
• Default accounts
• Default passwords
31. A05: How to Prevent
• Apply security hardening
– CIS Benchmarks https://www.cisecurity.org/cis-benchmarks/
• Close unnecessary ports
• Disable unnecessary services
• Remove default accounts
• Change default passwords
32. A05: What About XXE?
• Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
33. A05: How to Prevent XXE
• Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet 'XXE Prevention'
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
• For additional details see the presentation:
https://ultimatesecurity.pro/post/xxe-meetup/
34. A06: Vulnerable and Outdated Components
• Software is vulnerable, unsupported, or out of date
• Apache Log4j (Log4Shell) Vulnerabilities
35. A06: How to Prevent
• Update software periodically
• Use Software Composition Analysis (SCA) tools
– Free or commercial tools
– OWASP Dependency-Check free tool
https://owasp.org/www-project-dependency-check/
36. A07: Identification and Authentication Failures
• Slid down from the second position
• Previously known as Broken Authentication
• Missing brute force protection
• Missing multi-factor authentication
• Using default, weak, or well-known passwords
– Password1 or "admin/admin"
• Reusing session identifier after successful login
• Exposing session identifier in the URL
37. A07: How to Prevent
• Implement brute force protection
• Implement multi-factor authentication
• Change default credentials
• Implement password complexity
• Rotate Session IDs after successful login
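Two of the bullets above in code, as an added example that is not part of the slides: a per-account lockout counter as brute force protection, and rotation of the session id on successful login so that a session id handed to the victim before authentication (session fixation) is worthless afterwards. The example assumes the Servlet 3.1+ API (javax.servlet namespace) and the thresholds shown; for a clustered application the counter would live in a shared store rather than a local map.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example (not from the slides): brute force lockout + session id rotation.
public class LoginGuard {
    private static final int MAX_FAILURES = 5;                 // assumed policy
    private static final Duration LOCKOUT = Duration.ofMinutes(15);

    private static final class Attempts {
        int failures;
        Instant lockedUntil = Instant.EPOCH;
    }

    private final Map<String, Attempts> attempts = new ConcurrentHashMap<>();

    /** Check before verifying the password, so locked accounts cost no credential lookup. */
    public boolean isLocked(String username) {
        Attempts a = attempts.get(username);
        return a != null && Instant.now().isBefore(a.lockedUntil);
    }

    public void recordFailure(String username) {
        Attempts a = attempts.computeIfAbsent(username, k -> new Attempts());
        synchronized (a) {
            a.failures++;
            if (a.failures >= MAX_FAILURES) {
                a.lockedUntil = Instant.now().plus(LOCKOUT);
                a.failures = 0;
            }
        }
    }

    /** Call only after the credentials (and any second factor) have been verified. */
    public void recordSuccess(String username, HttpServletRequest request) {
        attempts.remove(username);
        // Rotate the id: the pre-login session id must not survive authentication.
        request.changeSessionId();
        HttpSession session = request.getSession();
        session.setAttribute("user", username);
    }

    /** Example login flow. The password check itself is outside this example. */
    public boolean login(String username, boolean passwordOk, HttpServletRequest request) {
        if (isLocked(username)) {
            return false;            // same response as a wrong password; do not reveal lockout state
        }
        if (!passwordOk) {
            recordFailure(username);
            return false;
        }
        recordSuccess(username, request);
        return true;
    }
}
```

Lockout by username alone lets an attacker lock out legitimate users; production systems usually combine it with per-source-IP rate limiting and a progressive delay, and log every failure with the context the A09 slides call for.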
38. A08: Software and Data Integrity Failures
• New category
• Code and infrastructure that do not protect against integrity violations
• SolarWinds 2020 Attack
39. A08: How to Prevent
• Use digital signatures to verify software
• Ensure you consume trusted repositories
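An added example, not from the slides, of the first bullet: verifying a downloaded artifact against a detached signature with the publisher's public key before using it. The verify method is the part that belongs in an update or deployment pipeline; the main method generates a key pair and signs a sample payload only to demonstrate the check, whereas a real publisher key is obtained and pinned out of band (assumption for the demo).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

// Added example (not from the slides): verify software integrity with a digital signature.
public class ArtifactVerifier {

    /** Returns true only if the signature was produced over exactly these bytes by the publisher's key. */
    public static boolean verify(PublicKey publisherKey, byte[] artifact, byte[] signature)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(publisherKey);
        sig.update(artifact);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Demo only: the publisher's key pair is generated here. In practice the
        // public key is pinned in the consumer and the private key never leaves the publisher.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();

        byte[] artifact = "contents of update-1.2.3.jar".getBytes(StandardCharsets.UTF_8); // constructed
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(artifact);
        byte[] signature = signer.sign();

        System.out.println("genuine artifact verifies: " + verify(kp.getPublic(), artifact, signature));

        byte[] tampered = artifact.clone();
        tampered[0] ^= 1;                                  // one bit changed in transit
        System.out.println("tampered artifact verifies: " + verify(kp.getPublic(), tampered, signature));
    }
}
```

A hash published next to the download on the same server does not give this guarantee, since whoever can replace the file can replace the hash; the signature binds the artifact to a key the consumer obtained independently.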
40. A08: Remember Insecure Deserialization?
• Serialization is the process of translating data structures or object state into a format that can be stored or transmitted and reconstructed later (deserialization)
• Insecure Deserialization - an attacker changes the object between serialization and deserialization
41. A08: How to Prevent Insecure Deserialization
• Don't accept serialized objects from untrusted sources
42. A09: Security Logging and Monitoring Failures
• Insufficient logging
– Logins
– Failed logins
– High-value transactions
• Logs are only stored locally
43. A09: How to Prevent
• Log important events with sufficient user context
– Username
– Client IP
– Time
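An added example, not from the slides, of an audit event that carries the context listed above (who, from where, when, and the outcome) in a fixed key=value shape that a SIEM can parse. It also neutralises line breaks in user-controlled fields so that a crafted username cannot forge an extra log entry. The logger name and field layout are assumptions; the sample events are constructed.

```java
import java.time.Instant;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example (not from the slides): security audit events with user context.
public class SecurityAuditLog {
    private static final Logger LOG = Logger.getLogger("security.audit");

    /** One event line: action, user, client IP, UTC time and outcome. */
    public static String event(String action, String username, String clientIp, boolean success) {
        // Log injection defense: user-controlled text must not contain record separators.
        String safeUser = sanitize(username);
        String line = String.format("action=%s user=%s ip=%s time=%s outcome=%s",
                action, safeUser, clientIp, Instant.now(), success ? "success" : "failure");
        // In production attach a SocketHandler or a syslog/agent so the record leaves the host;
        // "logs are only stored locally" is itself one of the failures on the A09 slide.
        LOG.log(Level.INFO, line);
        return line;
    }

    static String sanitize(String field) {
        if (field == null) {
            return "-";
        }
        return field.replaceAll("[\\r\\n\\t]", "_");
    }

    public static void main(String[] args) {
        event("login", "alice", "203.0.113.5", true);                  // constructed sample events
        event("login", "mallory\nuser=admin ip=127.0.0.1", "203.0.113.9", false);
        event("transfer", "alice", "203.0.113.5", true);
    }
}
```

Passwords, session ids and full card numbers never belong in these lines; the point of "sufficient context" is enough to reconstruct who did what, not to copy the sensitive data the A02 slides say to protect.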
44. A10: Server Side Request Forgery (SSRF)
• New category
• A web application is fetching a remote resource without validating the user-supplied URL
[Figure: the attacker requests http://host/getImage?url=http://10.0.0.1; the server fetches http://10.0.0.1 and relays the response from http://10.0.0.1 back to the client]
45. A10: Example 1
• Application provides the getImage service:
// getImage implementation
String imageUrl = request.getParameter("url");
URL url = new URL(imageUrl);
InputStream is = url.openStream();
OutputStream os = response.getOutputStream();
// copy is to os and return a response
46. A10: SSRF CVEs
• CVE-2021-44224
– High Severity Apache HTTP Server CVE
• CVE-2021-26715
– Critical Severity MITREid OpenID Connect Server CVE
47. A10: How to Prevent
• Sanitize and validate all client-supplied input data
• Validate URL Components
– URL schema, port, and destination
• Do not send raw responses to clients
48. A10: Example 1
• Validate URL Components:
// getImage implementation
String imageUrl = request.getParameter("url");
URL url = new URL(imageUrl);
// validate URL schema, port, and destination
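The comment "validate URL schema, port, and destination" filled in, as an added example that is not part of the slides: the scheme must be https, the port must be the expected one, the host must be on an allowlist, and the name must not resolve to a loopback, link-local or private address. The allowed host names are assumptions for the example; the sample URLs in main are constructed, and the one allowed-looking URL needs DNS to be checked, so offline it is reported as rejected.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

// Added example (not from the slides): validation of a user-supplied image URL before fetching it.
public class ImageUrlValidator {
    private static final Set<String> ALLOWED_HOSTS = Set.of("images.example.com", "cdn.example.com"); // assumed
    private static final Set<Integer> ALLOWED_PORTS = Set.of(443);

    /** Returns the validated URI or throws; nothing is fetched until this has passed. */
    public static URI validate(String userSuppliedUrl) throws URISyntaxException, UnknownHostException {
        URI uri = new URI(userSuppliedUrl).normalize();
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("scheme not allowed: " + uri.getScheme());
        }
        if (uri.getUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not allowed"); // user@host confusion
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("destination not allowed: " + host);
        }
        int port = uri.getPort() == -1 ? 443 : uri.getPort();
        if (!ALLOWED_PORTS.contains(port)) {
            throw new IllegalArgumentException("port not allowed: " + port);
        }
        // Second layer: even an allowed name must not resolve to an internal address.
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                    || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()) {
                throw new IllegalArgumentException("destination resolves to an internal address");
            }
        }
        return uri;
    }

    public static void main(String[] args) {
        String[] samples = {                                        // constructed inputs
            "http://10.0.0.1",                                      // wrong scheme
            "https://10.0.0.1/x.png",                               // host not on allowlist
            "https://cdn.example.com@attacker.example/x.png",       // userinfo trick
            "https://images.example.com:8443/x.png",                // port not allowed
            "https://images.example.com/x.png"                      // allowed, subject to DNS check
        };
        for (String s : samples) {
            try {
                System.out.println("allowed:  " + validate(s));
            } catch (IllegalArgumentException | URISyntaxException | UnknownHostException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two caveats a practitioner would add: the fetch itself should use the address that was validated, with redirects disabled (HttpURLConnection follows them by default; setInstanceFollowRedirects(false) turns that off), otherwise an allowed host can redirect the server elsewhere; and isSiteLocalAddress() does not cover every non-public range (for example 100.64.0.0/10), so a deny list of CIDR blocks is the more complete check when the allowlist cannot be strict.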
Hi everyone, thank you for joining the last lecture for today.
What will we see today? I will start by giving you an overview of OpenID Connect.
I will describe the OpenID Connect protocol, and will show you how it compares to other protocols.
Then, we will review some of OpenID Connect Implementations.
Finally, I will show you one of the best OpenID Connect implementations: Keycloak.
Before we begin, a couple of words about me and the company I work for - Tufin.
I have many years of experience in software development.
Like most of you here today, I particularly like application security.
I started to work in this area more than 10 years ago, and enjoy each day I work on it.
For the last few years, I have been responsible for the application security of all Tufin products.
Recently I have started to write a blog – you are more than welcome to read it.
Something personal: I like traveling, reading books and listening to music. I particularly enjoy listening to jazz.
Moving up from the fifth position to the first position.
https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool.
Shifting up one position to #2, previously known as Sensitive Data Exposure, which is more of a broad symptom rather than a root cause, the focus is on failures related to cryptography (or lack thereof).
Not first category
https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/
Who uses Java?
How many times a year do you update Java in production?
Thank you for participating in my lecture!
Please contact me if you need any additional information, or if you want to send me your resume.