Testing the OWASP Top 10 Security Issues




Testing the OWASP Top 10 Security Issues
Andy Tinkham & Zach Bergman, Magenic Technologies

Contact Us: 1600 Utica Avenue South, Suite 800, St. Louis Park, MN 55416, 1 (877)-277-1044, info@magenic.com

Who Are We?
» Magenic: Leading consultancy providing custom application development, testing and QA services
» Andy
  » 17 years of testing experience, focusing on automation, performance & other technical testing
  » Principal Consultant at Magenic, leading all our technical testing activities
» Zach
  » 3 years of testing experience, focusing on security & test automation
  » Consultant at Magenic, driving internal security growth & initiatives

Security Testing
» Testing focused on 3 aspects of a system
  » Authentication: determining that an entity is who they claim to be
  » Authorization: determining whether an entity is allowed to use a requested action or resource
  » Accounting: documenting what occurs in the system

Today
» Talk about the most prevalent security vulnerabilities
» Structure that talk using the OWASP Top 10 list
  » Andy will describe each issue
  » Zach will demonstrate the issue and talk about techniques to identify it
» Cover some very basic testing techniques to find these
» Only begin to scratch the surface of security testing

What is OWASP?
» Open Web Application Security Project
» Non-profit organization focused on improving the security of software
» Around since 2001
» Not affiliated with any technology company
» Provides a variety of free tools, education, and information around application security
» Local chapter: https://www.owasp.org/index.php/minneapolis_st_paul
  Next meeting: 1/21/2013, Gunnar Peterson, "Mobile AppSec: How iOS and Android Apps fail and what to do to protect them"

What is the OWASP Top 10?
» The most critical web application security flaws
  » Occur frequently
  » Easy to find
  » Easy to exploit

10. Unvalidated Redirects and Forwards
9. Insufficient Transport Layer Protection
8. Failure to Restrict URL Access
7. Insecure Cryptographic Storage
6. Security Misconfiguration
5. Cross-Site Request Forgery
4. Insecure Direct Object References
3. Broken Authentication & Session Management
2. Cross-Site Scripting
1. Injection

Why should you care about these issues?
» Security is a big deal
  » 77 million user accounts compromised on the Sony PlayStation Network
  » $1 trillion worth of intellectual property stolen in 2008 (McAfee)
  » Symantec estimates the global price tag of consumer cybercrime to be $110 billion, with 18 victims every second
  » 90% of businesses suffered some sort of hack in the last 12 months (Research: Ponemon/Juniper Networks, June 2011)
  » 83% of websites have had a high, critical or urgent issue (WhiteHat Security, 2009)
» Poor security can lead to
  » Unwanted information disclosure
  » Compromised data
  » Financial and reputational costs
  » Legal issues (HIPAA, other industry information security governance)

What Tools Will We Use?
» Burp Suite (http://www.portswigger.net/burp/)
» Awesome Cookie Manager (Chrome App Store)
» BodgeIt Store (http://code.google.com/p/bodgeit/)
» REST Console (Chrome App Store)

10. Unvalidated Redirects & Forwards
» Use of an app's built-in redirect to send the user to an unintended location
  » http://yoursite.com/redirect.php?url=http://yoursite.com/admin.php
  » http://yoursite.com/redirect.php?url=http://badsite.com
» Users can be convinced to give up information thinking they're giving it to you
» Example
Exploitability: Average | Prevalence: Uncommon | Detectability: Easy | Impact: Moderate
Testing Technique: Look for redirect functions throughout the application, in URL or request parameters
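A redirect-target check for the redirect.php pattern on this slide, as an added example written for this page (not code from the talk or from BodgeIt). It assumes an allowlist of the site's own hosts (yoursite.com) and treats scheme-relative, backslash, credential-bearing and non-HTTP targets as off-site, which is what a tester exercising the `url` parameter should confirm.

```python
from urllib.parse import parse_qs, urlparse, urlsplit

# Hosts this application may redirect to (assumed allowlist for the
# yoursite.com example on the slide).
ALLOWED_HOSTS = {"yoursite.com", "www.yoursite.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` keeps the user on an allow-listed host.

    A bare path such as "/account" is accepted.  A scheme-relative
    "//badsite.com", a backslash variant, embedded credentials, or a
    non-http scheme are rejected because a browser would leave the site.
    """
    if not target or any(c in target for c in "\r\n\t\x00\\"):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Path-only redirect: exactly one leading slash.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def audit_redirect_url(request_url, param="url"):
    """Classify the redirect parameter carried by a request URL, the way a
    tester scanning for redirect functions would (assumed parameter name: url)."""
    query = parse_qs(urlparse(request_url).query)
    target = query.get(param, [""])[0]
    return {"target": target, "safe": is_safe_redirect(target)}


if __name__ == "__main__":
    for url in ("http://yoursite.com/redirect.php?url=http://yoursite.com/admin.php",
                "http://yoursite.com/redirect.php?url=http://badsite.com",
                "http://yoursite.com/redirect.php?url=//badsite.com"):
        print(audit_redirect_url(url))
```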

9. Insufficient Transport Layer Protection
» Unencrypted data traversing networks can be seen, manipulated, and used without the user's knowledge
  » The session information from the browser
  » User personally-identifiable information
Exploitability: Difficult | Prevalence: Common | Detectability: Easy | Impact: Moderate
Testing Technique: See if HTTPS and TLS 1.1+ are being used on the appropriate secure pages

9. Insufficient Transport Layer Protection
» Request over HTTP
» Request over HTTPS (SSL)

8. Failure to Restrict URL Access
» Typically happens when assumptions are made regarding users' knowledge of the app's layout/functionality (security by obscurity)
  » http://www.mysite.com/mysecretadminconsole.php
  » http://www.mysite.com/managerreports
» Hidden or unlisted resources
» Only show the user functionality they can use
Exploitability: Easy | Prevalence: Uncommon | Detectability: Average | Impact: Moderate
Testing Technique: Look for exposed URLs. If unlisted, check whether the URLs can be accessed with the wrong authentication

7. Insecure Cryptographic Storage
» Apps may not secure sensitive data with appropriate cryptography, or may not store the artifacts around the cryptography securely
  » Inside or outside of the physical data storage
  » Stored plaintext
  » Weak algorithm used
  » Unrestricted access to the decrypt function
  » Private keys accessible
Exploitability: Difficult | Prevalence: Uncommon | Detectability: Difficult | Impact: Severe
Testing Technique: Look for sensitive data in plaintext. Look for encryption in transit (see #9).

6. Security Misconfiguration
» Default settings of the platform being used
  » Configuration
  » Default usernames/passwords
  » Default error messages
  » Debugger sessions open
» Lack of updates being applied
Exploitability: Easy | Prevalence: Common | Detectability: Easy | Impact: Moderate
Testing Technique: Look for custom error messages. Look for debugger sessions being allowed.


6. Security Misconfiguration
» 200 - OK
» 401 - Unauthorized
» 403 - Forbidden

5. Cross-Site Request Forgery (CSRF)
» Targets the user's session information in order to act as the user
  » http://www.store.com/addtocart.aspx?itemid=1234
  » http://www.blog.com/changepassword.php?newpass=password
» Attacker takes advantage of the user's currently stored sessions
  » In other tabs of the browser
  » In the browser if cookies haven't been cleared after closing
Exploitability: Average | Prevalence: Widespread | Detectability: Easy | Impact: Moderate
Testing Technique: Look for actions which can be completed by visiting a URL.


5. Cross-Site Request Forgery (CSRF)
» The image is right here:
» <img src="http://10.30.46.15/bodgeit/basket.jsp?productid=17&price=4.1&quantity=1">
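The server-side decision that stops the <img> trick on this slide, as an added example written for this page (not BodgeIt's code). It assumes the demo site's origin is http://10.30.46.15, models a request as a plain dict, and applies the three checks a tester should look for: state changes only over POST, a same-origin Origin/Referer, and a per-session anti-forgery token compared in constant time.

```python
import hmac
import secrets

SITE_ORIGIN = "http://10.30.46.15"  # origin of the BodgeIt demo host on the slide


def mint_csrf_token(session):
    """Store a fresh random anti-forgery token in the user's session and
    return it so the basket form can embed it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def authorize_state_change(request, session):
    """Decide whether a state-changing request (add to basket, change
    password) may proceed.  `request` is a constructed dict with the keys
    method, headers and form.  Returns (allowed, reason)."""
    if request["method"] != "POST":
        # Anything reachable by a plain GET can be fired by an <img> tag.
        return False, "state change must use POST"
    headers = request["headers"]
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return False, "cross-origin request"
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the request a browser sends when it renders the
    # slide's <img> tag from a page on another site.
    forged = {"method": "GET",
              "headers": {"Referer": "http://evil.example/page.html"},
              "form": {}}
    print(authorize_state_change(forged, {}))
```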

4. Insecure Direct Object Reference
» Some application resources are accessible without going through access control
  » http://www.mysite.com/report00032
  » http://www.mysite.com/files/bugstofix.pdf
» Manipulate requests to access resources
  » http://www.mysite.com/report00032 -> http://www.mysite.com/report00033
  » http://www.mysite.com/myaccount.php?user=bob -> http://www.mysite.com/myaccount.php?user=joan
Exploitability: Easy | Prevalence: Common | Detectability: Easy | Impact: Moderate
Testing Technique: Look for references to objects, and attempt to access other similar objects.

3. Broken Authentication & Session Management
» Poorly implemented protections can still be insecure, leading to additional vulnerabilities
  » Sessions should expire
  » Logout should revoke the user's session
  » Login should revoke any active sessions for the same user
  » Users shouldn't be able to manipulate or guess a session
  » Key actions should revoke certain session permissions
  » Session fixation
Exploitability: Average | Prevalence: Common | Detectability: Average | Impact: Severe
Testing Technique: Verify that sessions are actually revoked following key actions.
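A minimal session store that satisfies the checks on this slide, as an added example written for this page (not code from any framework or from the talk). It assumes a 15-minute idle timeout and an injectable clock so the expiry and revocation behaviour a tester verifies can be exercised without waiting.

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # assumed idle timeout for the example


class SessionStore:
    """In-memory session manager: unguessable ids, expiry, logout and login
    revocation, and a new id at login to defeat session fixation."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session_id -> {"user": str or None, "expires": float}

    def _issue(self, user):
        # token_urlsafe(32) gives 256 random bits, so ids cannot be guessed.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user,
                               "expires": self._clock() + SESSION_TTL_SECONDS}
        return sid

    def create_anonymous(self):
        """Pre-login session, e.g. for a shopping basket."""
        return self._issue(None)

    def login(self, old_sid, user):
        """Authenticate: drop the pre-login id (so a fixated id is worthless),
        revoke every other session of this user, and issue a fresh id."""
        self._sessions.pop(old_sid, None)
        for sid, s in list(self._sessions.items()):
            if s["user"] == user:
                del self._sessions[sid]
        return self._issue(user)

    def logout(self, sid):
        """Revoke the session server-side, not just the browser cookie."""
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        """Resolve a session id to its user, enforcing expiry.  Returns None
        for unknown, expired or anonymous sessions."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() >= s["expires"]:
            del self._sessions[sid]
            return None
        return s["user"]
```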

2. Cross-Site Scripting (XSS)
» Untrusted input is not cleaned prior to being passed back to the browser
» Can involve rendered HTML, JavaScript or any other web content
Exploitability: Average | Prevalence: Very Widespread | Detectability: Easy | Impact: Moderate
Testing Technique: Verify that input is being validated or escaped so that it does not execute.


1. Injection
» Untrusted input is not cleaned prior to being used by the application
» Users may inject their own code into
  » The app
  » SQL queries
  » XPath queries
  » The operating system
  » Browser/DOM
  » Anywhere data is combined into executable statements
Exploitability: Easy | Prevalence: Common | Detectability: Average | Impact: Severe
Testing Technique: Verify that input is being validated so that it is not executed server-side.


1. Injection
» SELECT Username FROM Users WHERE Password = '<our input here>'
» SELECT Username FROM Users WHERE Password = 'a' or 'b' = 'b'
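The two queries on this slide run side by side, as an added example written for this page (not the talk's or BodgeIt's code). It assumes a constructed in-memory SQLite Users table: the concatenated query lets the slide's input widen the WHERE clause to every row, while the parameterized form compares the same input as a literal string and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed Users table for the demonstration.  Plaintext passwords
    are kept only to mirror the slide's query (see slide 7 for why real
    systems store password hashes instead)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("bob", "hunter2"), ("joan", "correct horse")])
    return conn


def lookup_vulnerable(conn, password):
    """The slide's query built by string concatenation: the input becomes
    part of the SQL text, so a quote inside it changes the statement."""
    sql = "SELECT Username FROM Users WHERE Password = '" + password + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, password):
    """Same query with a bound parameter: the driver passes the input as
    data, so the quote and OR inside it are compared as plain characters."""
    sql = "SELECT Username FROM Users WHERE Password = ?"
    return [row[0] for row in conn.execute(sql, (password,))]


if __name__ == "__main__":
    db = make_db()
    payload = "a' or 'b' = 'b"  # the input shown on the slide
    print("concatenated:", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
```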

Summary
» Security is a big deal
» As testers, we can begin to look for obvious issues in the course of our normal work
» The OWASP Top 10 lists the 10 most prevalent web security issues & is a good starting point
» All of these security issues require deeper analysis beyond these techniques

Further Reading
» OWASP Top 10 document (http://owasptop10.googlecode.com/files/owasp%20top%2010%20-%202010.pdf)
» Troy Hunt's OWASP Top 10 for .NET Developers ebook (https://asafaweb.com/owasp%20top%2010%20for%20.net%20developers.pdf)
» The Web Application Hacker's Handbook, 2nd Ed., Dafydd Stuttard and Marcus Pinto

Questions?
Contact us: AndyT@magenic.com, ZachB@magenic.com