OWASP

Top 10 - 2013




Colin Harrington
4/16/2014

A1: Injection

SQL


 String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") +"'";



 http://example.com/app/accountView?id=' or '1'='1


  • HQL
  • LDAP
  • OS Commands



"cp $filename /tmp/something;".execute()

A2: Broken Authentication 

and Session Management


Session ID


Session Fixation
Timeout
Rotated on Login


 http://example.com/sale/saleitems;
jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV
?dest=Hawaii

Account Management


Weak Account Management
Password recovery
SSO (Single Sign-On)
Unencrypted transports

A3: Cross-Site Scripting (XSS)


unvalid inputs
unescaped data

Javascript, DOM injection, etc.

A4: Insecure Direct Object References




Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn’t authorized for. Is access granted?




Multi-tenancy
HIPPA

http://example.com/app/accountInfo?acct=notmyacct

Updating bad references.

A5: Security MISCONFIGURATION


  • Software
  • Firewall holes
  • Default accounts
  • Revealing Stacktraces
  • Insecure Configuration

A6: Sensitive Data Exposure


Clear text storage/transport
Unencrypted Payment Card Information
Transport MITM

A7: Missing Function Level Access Control


Lack of server-side Access Control

http://example.com/app/getappInfohttp://example.com/app/admin_getappInfo 
http://example.com/app/addRole/Admin

A8: Cross-Site Request Forgery (CSRF)



Attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS, or numerous other techniques. If the user is authenticated, the attack succeeds.


<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

A9: Using Components with Known Vulnerabilities




Need I say more?




A10: Unvalidated Redirects and Forwards


Attacker links to unvalidated redirect and tricks victims into clicking it. Victims are more likely to click on it, since the link is to a valid site. Attacker targets unsafe forward to bypass security checks.

 http://www.example.com/redirect.jsp?url=evil.com



https://www.owasp.org


Shamelessly paraphrased from:
https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013

Made with Slides.com