OWASP - Top 5 Jagjit


Upload: jagjit-singh-brar

Post on 14-Apr-2017


Page 1: OWASP -Top 5 Jagjit

1

OWASP - The Open Web Application Security Project

OWASP Top 5. By Jagjit Singh Brar. LinkedIn: https://au.linkedin.com/in/jagjit-singh-brar-3634ba5

Agenda
- What is OWASP?
- What does OWASP do?
- Why Web Application Security?
- Discussion of the OWASP Top 5

Page 2: OWASP -Top 5 Jagjit


What is OWASP?
- Founded in 2001 by Mark Curphey
- Not-for-profit organization focused on improving the security of web applications and web services
- Issues software tools and knowledge-based documentation on application security: http://www.owasp.org
- Hundreds of volunteer experts from around the world
- Cutting-edge application security research

Page 3: OWASP -Top 5 Jagjit


How does OWASP help? Publications and Resources

OWASP Top Ten: List for awareness about application security by identifying some of the most critical risks

OWASP Software Assurance Maturity Model: Framework to help organizations formulate and implement a strategy for application security

OWASP Development Guide: Provides sample code; the development guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgery, compliance, and privacy issues

OWASP Testing Guide: "best practice" penetration testing framework and a "low level" penetration testing guide

OWASP ZAP Project: Zed Attack Proxy is an easy to use integrated penetration testing tool for finding vulnerabilities

OWASP Code Review Guide:

OWASP Application Security Verification Standard (ASVS):

Page 4: OWASP -Top 5 Jagjit


Why Web Application Security? The application is the core

- Network security mostly ignores the contents of HTTP traffic
- Securing the "custom code" that drives a web application
- Securing libraries
- Securing backend systems
- Securing web and application servers; operating system hardening; database hardening

Web Application Architecture

Page 5: OWASP -Top 5 Jagjit


Web application vulnerabilities cause:
- Data loss or corruption
- Data could be stolen
- Unauthorized access
- Denial of access
- Legal action if the system is used for other attacks

Page 6: OWASP -Top 5 Jagjit


OWASP Top Ten (last updated in 2013). A variety of security experts from around the world shared their expertise to produce this list. The list is ordered from highest to lowest risk:

A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards

Page 7: OWASP -Top 5 Jagjit


A1: Injection, e.g. (?id=' or '1'=1). Hackers "inject" their code to run on the server side in order to read, modify or delete data.

SQL injection: Permits query manipulation
- Data entered by users is sent to the SQL interpreter as part of an SQL query
- An SQL injection attack exploits security vulnerabilities at the database layer by exploiting the SQL injection flaw
- Attackers can create, read, modify or delete sensitive data

Command injection: Permits arbitrary shell commands
File injection: Upload of executable files
XML injection
SSL injection
Buffer overflow

Page 8: OWASP -Top 5 Jagjit


A1: Injection: Protection. Hackers "inject" their code to run on the server side.

- Must use a trusted framework
- Use a safe API instead of the interpreter
- Escape special characters and validate input
- Use prepared statements
- Use a "Web Application Firewall", especially against header manipulation
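The string-built query from the A1 slide beside the prepared-statement and input-validation protections listed here, as an added example that is not from the slides (the products table, the column names and the validated_id helper are constructed for illustration):

```python
import sqlite3

# Constructed sample data, not from the slides: one public and one restricted product.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, restricted INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "public widget", 0), (2, "internal prototype", 1)])
    return conn

# The slide's ?id=' or '1'=1 pattern, constructed here as a test input.
INJECTED = "' OR '1'='1"

# Vulnerable: the user-supplied value is pasted into the SQL text, so the
# interpreter cannot tell where the data ends and the query begins.
def lookup_vulnerable(conn, product_id):
    sql = "SELECT name FROM products WHERE id = '%s'" % product_id
    return conn.execute(sql).fetchall()

# Protected: a prepared statement with a bound parameter. The value travels
# separately from the query text, so quotes inside it are only data.
def lookup_safe(conn, product_id):
    sql = "SELECT name FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()

# Input validation as a second layer: a product id must be a positive integer.
def validated_id(raw):
    if not raw.isdigit():
        raise ValueError("product id must be a positive integer")
    return int(raw)
```

With the injected value the vulnerable lookup returns every row, restricted product included, while the prepared statement returns nothing because no id equals that string.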

Page 9: OWASP -Top 5 Jagjit


A2: Broken authentication and session management. A vulnerability that allows the capture or bypass of authentication, or the capture of a session.

Weak Authentication
- Single-factor authentication
- Easily guessable usernames (admin, administrator etc.)
- Reset password options
- Unencrypted secrets

Backend Password Store
- Not being stored hashed
- Trust relationship between hosts

Weak Session
- Session id in URL
- Session timeout
- Session id sent over an insecure connection (HTTP)

Page 10: OWASP -Top 5 Jagjit


A2: Broken authentication and session management: Protection
- Password strength
- Password expiry
- Password change control
- Encryption in transit
- Session ID not in URL
- Session timeout
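A hashed backend password store and a server-side session store with an idle timeout, as an added example that is not from the slides (the PBKDF2 parameters, the SessionStore class and the injectable clock are constructed for illustration):

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed parameters, not from the slides.
PBKDF2_ITERATIONS = 600_000
SESSION_TIMEOUT_SECONDS = 15 * 60

def hash_password(password: str):
    """Return (salt, digest); only these are stored, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, digest)

class SessionStore:
    """Sessions keyed by an unguessable id that is sent in a cookie, never in the URL."""
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so the timeout is testable
        self._sessions = {}        # session_id -> (username, last_seen)

    def create(self, username: str) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        self._sessions[session_id] = (username, self._now())
        return session_id

    def user_for(self, session_id: str):
        """Return the username, or None if the id is unknown or idle past the timeout."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        username, last_seen = entry
        if self._now() - last_seen > SESSION_TIMEOUT_SECONDS:
            del self._sessions[session_id]  # expired: the user must authenticate again
            return None
        self._sessions[session_id] = (username, self._now())
        return username
```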

Page 11: OWASP -Top 5 Jagjit


A3: Cross-Site Scripting (XSS). The attacker uses a trusted application/company to inject malicious code through the URL.

Social engineering: Email an innocent-looking URL or image
Cookie stealing: Exploiting cookies
Database infecting: Self-replicating worms

Protection
- Keep untrusted data separate from active browser content
- White-list output validation
- User/customer education

Example:
1. Attacker injects malicious code into a vulnerable web server
2. Victim visits the vulnerable web server
3. Malicious code is served to the victim by the web server
4. Malicious code executes in the victim's browser with the web server's privileges
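The two protections above, white-list validation for a field whose format is known and output encoding so untrusted text never becomes active browser content, as an added example that is not from the slides (the username format, the profile page and the cookie attributes are constructed for illustration):

```python
import html
import re

# Constructed allow-list, not from the slides: a username may only be 1-32
# word characters, so markup can never pass through this field.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate_username(value: str) -> str:
    """White-list validation: reject anything outside the expected format."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value

def render_profile(username: str, bio: str) -> str:
    """Render untrusted input as text; escaping keeps it out of the active content."""
    safe_name = validate_username(username)
    safe_bio = html.escape(bio, quote=True)   # < > & " ' become entities
    return f"<h1>{safe_name}</h1><p>{safe_bio}</p>"

def session_cookie(session_id: str) -> str:
    """HttpOnly keeps the cookie away from script; Secure keeps it off plain HTTP."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax"
```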

Page 12: OWASP -Top 5 Jagjit


A4: Insecure Direct Object References. A direct object reference occurs when a developer exposes a reference to an internal implementation object (a file, directory or database key) without any validation mechanism.

Protection
- Send an indirect, random access-reference map value
- Add access control against unauthorized access
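Both protections above in one place: a per-session indirect reference map so the client only ever sees random tokens, and an ownership check on the resolved object. This is an added example that is not from the slides (the IndirectReferenceMap class and the invoice data are constructed for illustration):

```python
import secrets

class IndirectReferenceMap:
    """Constructed per session: maps random tokens to internal keys and back."""
    def __init__(self):
        self._to_direct = {}     # token -> internal key
        self._to_indirect = {}   # internal key -> token

    def indirect(self, direct_key):
        """Return the token the client may use in place of this internal key."""
        token = self._to_indirect.get(direct_key)
        if token is None:
            token = secrets.token_urlsafe(16)  # unguessable, unique per session
            self._to_direct[token] = direct_key
            self._to_indirect[direct_key] = token
        return token

    def direct(self, token):
        """Translate a client token back; unknown tokens resolve to None."""
        return self._to_direct.get(token)

# Constructed sample data, not from the slides: invoice id -> owner and amount.
INVOICES = {
    101: {"owner": "alice", "amount": 40},
    102: {"owner": "bob", "amount": 99},
}

def list_invoices(session_map, user):
    """Expose only the caller's own invoices, and only as indirect tokens."""
    return [session_map.indirect(i) for i, inv in INVOICES.items() if inv["owner"] == user]

def get_invoice(session_map, user, token):
    """Resolve the token, then enforce access control on the resolved object."""
    invoice_id = session_map.direct(token)
    if invoice_id is None:
        return None          # raw database key or foreign token: not a valid reference
    invoice = INVOICES[invoice_id]
    if invoice["owner"] != user:
        return None          # reference exists but belongs to someone else: deny
    return invoice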

Page 13: OWASP -Top 5 Jagjit


A5: Security misconfiguration. Improper server or web application configuration leading to various flaws:
- Debugging enabled
- Incorrect folder permissions
- Using default accounts or passwords
- Setup/configuration pages enabled

Protection
- Regular hardening of the framework
- Disabling unnecessary services/features
- Periodic scans
- Updating security patches

Page 14: OWASP -Top 5 Jagjit


Conclusion
- Multilayered security
- Best practice during web application design
- Regular review of security policy and procedures

Thanks for your valuable time.

Regards,
Jagjit Singh Brar