OWASP Top Ten Tools and Tactics



Similar documents
Where every interaction matters.

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Magento Security and Vulnerabilities. Roman Stepanov

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Web Application Penetration Testing

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

OWASP AND APPLICATION SECURITY

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Overview of the Penetration Test Implementation and Service. Peter Kanters

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Integrating Security Testing into Quality Control

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Essential IT Security Testing

Quality Assurance version 1

Testing the OWASP Top 10 Security Issues

Using Free Tools To Test Web Application Security

The Top Web Application Attacks: Are you vulnerable?

Adobe Systems Incorporated

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Rational AppScan & Ounce Products

Sitefinity Security and Best Practices

Sichere Software- Entwicklung für Java Entwickler

(WAPT) Web Application Penetration Testing

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Columbia University Web Security Standards and Practices. Objective and Scope

Criteria for web application security check. Version

elearning for Secure Application Development

05.0 Application Development

Web Application Security and the OWASP Top 10. Web Application Security and the OWASP Top 10

Web Application Security Assessment and Vulnerability Mitigation Tests

FortiWeb Web Application Firewall. Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE

What is Web Security? Motivation

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

SQuAD: Application Security Testing

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Barracuda Web Site Firewall Ensures PCI DSS Compliance

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Hack Proof Your Webapps

Web Application Security

Implementation of Web Application Security Solution using Open Source Gaurav Gupta 1, B. K. Murthy 2, P. N. Barwal 3

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Web Application Vulnerability Testing with Nessus

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Application Security Vulnerabilities, Mitigation, and Consequences

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Web application security

Auditing Web Applications

Cloud Security:Threats & Mitgations

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

WEB APPLICATION SECURITY

Columbia University Web Application Security Standards and Practices. Objective and Scope

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Passing PCI Compliance How to Address the Application Security Mandates

Web Application Security

Web Application Firewall on SonicWALL SSL VPN

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

OWASP Application Security Building and Breaking Applications

Web Engineering Web Application Security Issues

Web Application Security

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

Web Applica+on Security: Be Offensive! About Me

Web Application Report

Protecting Your Organisation from Targeted Cyber Intrusion

How To Fix A Web Application Security Vulnerability

Drupal Security. A High-Level Perspective on Web Vulnerabilities, Solutions and Tips for Securing Your Drupal Website

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

OWASP TOP 10 ILIA

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Enterprise Application Security Workshop Series

Vulnerability Scanner

How To Ensure That Your Computer System Is Safe

Pentests more than just using the proper tools

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Web Application Guidelines

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Secure development and the SDLC. Presented By Jerry

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Data Breaches and Web Servers: The Giant Sucking Sound

Guidelines for Web applications protection with dedicated Web Application Firewall

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Transcription:

OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY

Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith), researcher (holisticinfosec), presenter (Defcon, Black Hat, RSA) We see MANY web application security flaws 50,000 unique MS-related domains These tools and tactics help us assess and defend too Copyright 2012 HolisticInfoSec.org 2

OWASP Top Ten Tools and Tactics The Open Web Application Security Project All attack and defense content is drawn directly from the OWASP Top 10 Wiki* A tool for each of the Top Ten to aid in discovering and remediating each of the OWASP Top 10 We ll try to demo as many of these tools as time allows *2002-2010 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Copyright 2012 HolisticInfoSec.org 3

Lessons from WhiteHat Security report Lesson 1: Software will always have bugs and by extension, security vulnerabilities. Therefore, a practical goal for a secure software development lifecycle (SDLC) should be to reduce, not necessarily eliminate, the number of vulnerabilities introduced and the severity of those that remain.* Copyright 2012 HolisticInfoSec.org 4 * from the 11 th edition of the WhiteHat Security Website Security Statistic Report

Lessons from WhiteHat Security report Lesson 2: Exploitation of just one website vulnerability is enough to significantly disrupt online business, cause data loss, shake customer confidence, and more. Therefore, the earlier vulnerabilities are identified and the faster they are remediated the shorter the window of opportunity for an attacker to maliciously exploit them.* Copyright 2012 HolisticInfoSec.org 5 * from the 11 th edition of the WhiteHat Security Website Security Statistic Report

OWASP Top Ten Web Application Security Risks A1: Injection: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. A2: Cross-Site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. A3: Broken Authentication and Session Management Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users identities. A4: Insecure Direct Object References A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. A5: Cross-Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim s browser to send a forged HTTP request, including the victim s session cookie and any other automatically included authentication information, to a vulnerable web application. Copyright 2012 HolisticInfoSec.org 6

OWASP Top Ten Web Application Security Risks A6: Security Misconfiguration Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. A7: Insecure Cryptographic Storage Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. A8: Failure to Restrict URL Access Many web applications check URL access rights before rendering protected links and buttons. A9: Insufficient Transport Layer Protection Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. A10: Unvalidated Redirects and Forwards Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Copyright 2012 HolisticInfoSec.org 7

OWASP Top Ten Tools A1: Injection ZAP A2: Cross-Site Scripting (XSS) - BeEF A3: Broken Authentication and Session Management - HackBar A4: Insecure Direct Object References - Burp Suite A5: Cross-Site Request Forgery (CSRF) Tamper Data A6: Security Misconfiguration Watobo A7: Insecure Cryptographic Storage N/A A8: Failure to Restrict URL Access - Nikto/Wikto A9: Insufficient Transport Layer Protection - Calomel A10: Unvalidated Redirects and Forwards Watcher Copyright 2012 HolisticInfoSec.org 8

A1: Injection ZAP (Zed Attack Proxy) Attack: The attacker s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data Defense: Prepared Statements (Parameterized Queries) Use of Stored Procedures Escaping all User Supplied Input 2011 Toolsmith Tool of the Year Copyright 2012 HolisticInfoSec.org 9

Attack: A2: Cross-Site Scripting (XSS) - BeEF Allows attackers to execute scripts in victim s browser, can hijack user sessions, deface web sites, or redirect user to malicious sites Defense: Escape all untrusted data based on the HTML context Positive or whitelist input validation Current browser, NoScript Copyright 2012 HolisticInfoSec.org 10

A3: Broken Authentication & Session Management - Hackbar Attack: Allows attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users identities Defense: A single set of strong authentication and session management controls ESAPI "I implore everybody to migrate to a stronger password scrambler without undue delay. MD5 developer Poul-Henning Kamp Copyright 2012 HolisticInfoSec.org 11

A4: Insecure Direct Object References - Burp Attack: Without an access control check or other protection, attackers can manipulate references to access unauthorized data Defense: Use per user or session indirect object references Check access Copyright 2012 HolisticInfoSec.org 12

A5: Cross-Site Request Forgery (CSRF) Tamper Data Attack: Allows attacker to force victim s browser to generate requests the vulnerable application thinks are legitimate requests from the victim Defense: Unique token in hidden field Copyright 2011 HolisticInfoSec.org 13

A6: Security Misconfiguration Watobo Attack: Settings that are not defined, well implemented and maintained, or shipped with weak defaults are subject to exploit Defense: Repeatable hardening process Awareness and deployment of new updates and patches Strong application architecture Scan and audit Copyright 2012 HolisticInfoSec.org 14

A8: Failure to Restrict URL Access - Nikto/Wikto Attack: Applications must perform access control checks to protected pages each time accessed to prevent attackers from gaining unauthorized access Defense: RBAC Deny all by default Check workflow Copyright 2012 HolisticInfoSec.org 15

A9: Insufficient Transport Layer Protection - Calomel Attack: Compromise confidentiality & integrity of sensitive network traffic due to lack of auth or encrypt, weak algorithms, expired or invalid certificates, or misuse Defense: Require SSL (strong) Secure flag on cookies Valid certs Copyright 2012 HolisticInfoSec.org 16

A10: Unvalidated Redirects and Forwards Watcher Attack: Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages Defense: Avoid using redirects and forwards Don t user parameters in calculating the destination If using parameters, ensure valid values and user authorization Copyright 2012 HolisticInfoSec.org 17

Summary Employ SDL/SDLC practices Test regularly Conform to uniform standards Work with development teams to create delivery schedules that allow security-oriented checkpoints: Static code analysis Development/integration deployments for testing Review all available resources Training: GWAPT, GSSP Java &.NET, GWEB Copyright 2012 HolisticInfoSec.org 18

OWASP Resources ZAP Web Application Vulnerability Example http://code.google.com/p/zaproxy/downloads/detail?name=zap-wave- 0.2.zip&can=2&q= WebGoat https://www.owasp.org/index.php/webgoat ESAPI https://www.owasp.org/index.php/esapi SQL Injection Prevention Cheat Sheet https://www.owasp.org/index.php/sql_injection_prevention_cheat_sheet XSS Prevention Cheat Sheet https://www.owasp.org/index.php/xss_(cross_site_scripting)_prevention_cheat_sheet Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet https://www.owasp.org/index.php/cross-site_request_forgery_(csrf)_prevention_cheat_sheet Transport Layer Protection Cheat Sheet https://www.owasp.org/index.php/transport_layer_protection_cheat_sheet Damn Vulnerable Web Application http://www.dvwa.co.uk/ Copyright 2012 HolisticInfoSec.org 19

Q & A russ at holisticinfosec dot org rmcree at microsoft dot com russell dot mcree at us dot army dot mil Copyright 2012 HolisticInfoSec.org 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information