A6- Sensitive Data Exposure



OWASP Vulnerabilities and Attacks Simplified: Business Manager Series Part 2

Have you heard of the time when Fantastic Frank from Randomland was furious? Money and critical data were being stolen from his Fishery of Randomland's website. That is when he called the security ace Ralph to find out what was wrong. Ralph indeed had a big list of problems. He explained five of the 10 severe OWASP vulnerabilities, and this is what happened next.

A6- Sensitive Data Exposure

"How secure is your data?" asked Ralph. "What data?" a hesitant Frank replied. There was so much going around that he wasn't sure of anything now. "Everything. Data being sent to the users, your backups, password logs, everything," he probably knew the answer but asked anyway. Judging by the lack of confidence around, Ralph guessed that encryption wasn't a priority at Fishery of Randomland. So he went back to the computer, which apparently had more answers. Unsurprisingly, Frank's team was storing user passwords, credit card details, and other pieces of critical information in plain text files.

"La force d'un secret," he turned back and said as everyone looked amazed. "It's French for 'the strength of a secret'. If you don't know the language, what is said is of no use to you." Frank and his website admin team were uncertain if he was being sarcastic or simply playful. "That's how you should store or transmit the data. Encrypt it, obviously not in French but with cryptographic algorithms. Even if the passwords or credit card details are stolen, make sure that hackers cannot do anything with them," he made the point clear. It is critical to keep the data encrypted in such a way that only authorized keys or algorithms unlock it.

Business Risks: Consider everything that comes with loss of sensitive data. Loss of passwords, credit card information, addresses and bank statements might bring serious repercussions. Recently, Uber accidentally revealed the driving licenses of more than 100 of its drivers.

A7- Missing Function Level Access Control

"Admin function controls are the most important ones and should be restricted. Right? What if non-admin users can access them too? Do you regularly check for these misconfigurations? Make sure that you do," he explained further.
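Ralph's advice for A6 is "encrypt it". For stored passwords the practical form of that advice is a salted, deliberately slow one-way hash, so that a stolen table cannot be turned back into passwords at all (card numbers that must be read back later need reversible encryption with a key kept apart from the data, which is not shown here). The following is an added example and not code from the page: it converts a constructed "name:password" dump like the one Frank's team kept into scrypt records and verifies logins against them. The scrypt parameters and the sample data are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for scrypt. These values are an assumption for this example;
# tune them so one hash takes tens of milliseconds on your own hardware.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
KEY_LEN = 32


def _derive(password: str, salt: bytes) -> bytes:
    """One-way, salted, deliberately slow derivation of a password."""
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        dklen=KEY_LEN,
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'scrypt$<salt hex>$<digest hex>'.

    A fresh random salt per user means two users with the same password
    get different records, and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    return "scrypt$" + salt.hex() + "$" + _derive(password, salt).hex()


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    try:
        salt = bytes.fromhex(parts[1])
        expected = bytes.fromhex(parts[2])
    except ValueError:
        return False
    return hmac.compare_digest(_derive(password, salt), expected)


# Constructed sample data: the kind of file Frank's team had on disk.
# Anyone who can read it can log in as every user.
PLAINTEXT_FILE = "frank:tuna123\nbob:tuna123\n"


def build_user_table(plaintext_file: str) -> Dict[str, str]:
    """Convert a 'name:password' dump into a table of hashed records."""
    table: Dict[str, str] = {}
    for line in plaintext_file.splitlines():
        name, _, password = line.partition(":")
        table[name] = hash_password(password)
    return table


def login(table: Dict[str, str], name: str, password: str) -> bool:
    """Authenticate against hashed records; nothing reversible is stored."""
    record = table.get(name)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        _derive(password, b"\x00" * SALT_LEN)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users = build_user_table(PLAINTEXT_FILE)
    for name, record in users.items():
        print(name, record)  # same password, different records thanks to the salt
    print(login(users, "frank", "tuna123"), login(users, "frank", "salmon"))
```

Note that even with the hashed table leaked, the attacker still has to guess each password one slow scrypt call at a time, per user, which is the property the plain text file lacked.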

Ralph's question reveals a lot. Most companies do not bother ensuring that only authorized accounts access privileged information. What if someone with network-level access can change privileges or URLs?

Business Risks: Once the attacker gains admin access, he/she can change a lot of things, including application data and settings.

A8- Cross-Site Request Forgery (CSRF)

"Here's a malicious link hidden in an image that your customer visits on a random website," Ralph typed in his notepad. While rfish is the real website for Fishery of Randomland, fraudsters have altered the URL so that the customer initiates a command that he/she doesn't even know about:

<img src="http://rfish.com/purchase-tuna?account=bob&number=1000&for=fred">

"Now your customer doesn't even know it, but the attacker has initiated a transaction of 1000 tunas to be delivered to Fred. Every time he visits such a malicious website, similar requests will be passed to your website with all the authenticated details," Ralph revealed a much more serious flaw.
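A7 and A8 are both enforced at the same place: the point where the server decides whether to run a handler at all. The following is an added example, not code from the page or from any web framework, and every name in it (Session, Request, the three routes, the X-CSRF-Token header) is constructed for illustration. It shows why the <img> request above gets nowhere when the server (1) checks the caller's role on every admin function rather than trusting that the menu was hidden, and (2) accepts state-changing requests only as POST carrying a per-session token that a third-party page cannot read.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Session:
    """What the server knows about the browser that presented a session cookie."""
    user: str
    role: str                     # "customer" or "admin"
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    session: Optional[Session]    # resolved from the cookie the browser attached
    params: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


# Route table: path -> (handler, admin_only, state_changing).
ROUTES: Dict[str, Tuple[Callable[[Request], Response], bool, bool]] = {}


def route(path: str, admin_only: bool = False, state_changing: bool = False):
    """Register a handler together with the policy the dispatcher enforces."""
    def register(fn):
        ROUTES[path] = (fn, admin_only, state_changing)
        return fn
    return register


@route("/catalogue")
def catalogue(req: Request) -> Response:
    return Response(200, "tuna, salmon, cod")


@route("/purchase-tuna", state_changing=True)
def purchase_tuna(req: Request) -> Response:
    return Response(200, f"{req.session.user} ordered {req.params.get('number')} "
                         f"tuna for {req.params.get('for')}")


@route("/admin/set-prices", admin_only=True, state_changing=True)
def set_prices(req: Request) -> Response:
    return Response(200, f"prices updated by {req.session.user}")


def dispatch(req: Request) -> Response:
    """Apply the access-control and CSRF policy before any handler runs."""
    entry = ROUTES.get(req.path)
    if entry is None:
        return Response(404, "not found")
    handler, admin_only, state_changing = entry

    if (admin_only or state_changing) and req.session is None:
        return Response(401, "login required")

    # A7: the role check lives on the server, on every call, not in a hidden menu.
    if admin_only and req.session.role != "admin":
        return Response(403, "admin only")

    if state_changing:
        # A8: a cookie alone proves nothing, because the browser attaches it to
        # any request a third-party page triggers. Require POST plus a token that
        # only a page we served could know; an <img> tag can send neither.
        if req.method != "POST":
            return Response(405, "state-changing requests must use POST")
        sent = req.headers.get("X-CSRF-Token", "")
        if not hmac.compare_digest(sent.encode(), req.session.csrf_token.encode()):
            return Response(403, "missing or invalid CSRF token")

    return handler(req)


def forged_image_request(victim: Session) -> Request:
    """The request the <img> tag in the story makes: GET, cookie attached, no token."""
    return Request("GET", "/purchase-tuna", victim,
                   {"account": "bob", "number": "1000", "for": "fred"})


if __name__ == "__main__":
    bob = Session("bob", "customer")
    print(dispatch(forged_image_request(bob)))                  # 405, nothing ordered
    print(dispatch(Request("POST", "/purchase-tuna", bob,
                           {"number": "2", "for": "bob"},
                           {"X-CSRF-Token": bob.csrf_token})))  # 200, Bob's own order
    print(dispatch(Request("POST", "/admin/set-prices", bob, {},
                           {"X-CSRF-Token": bob.csrf_token})))  # 403, not an admin
```

The order of the checks matters: a request that fails the role check is refused before any token is examined, and a request that passes both is the only kind that reaches the handler, so there is no code path on which a hidden admin URL or a cookie-only GET can change state.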

"You mean all those customer complaints about random orders were real? God, they hate us," a frustrated Frank pulled up a chair, hoping that it was the end of bad things on his website, but of course it wasn't.

Business Risks: Rogue requests, purchases, and money transfers. You will never be sure if a request is genuine, and customers will gradually lose trust in your website.

A9- Using Components with Known Vulnerabilities

"Hey Frank, what happens when you mix unknown construction material while building a house?" Ralph wasn't finished yet. "Well, it might not be strong enough? Who knows what's in there?" "Exactly, my friend. Applications are the same. Your developers use open source projects with God knows what loopholes. Most of the time they don't even know what code library came from where," he explained.

Business Risks: Unknown application code brings unknown risks. XSS, injection risks, and business logic loopholes are just some of the examples. Such vulnerabilities bring data breach, access control, defacement, and theft risks.

A10- Unvalidated Redirects and Forwards

"Coming to the last one; this is another weakness where you lose customer trust," Ralph said as he pulled the keyboard to show how easy it was to plant a spam redirect in the URL to take the customer to a page of his choice. He simply used the URL parameter to change it, as explained in the example below. "See, now the customer has clicked on the link but does not know that I am taking him to a website that looks exactly like yours but isn't. He will go about his business while I can get all the information I need," Ralph concluded. Most websites don't even know about such unauthorized redirects that look genuine. While customers should be more careful about phishing, how could someone suspect that they'll be redirected to gettingrobbed.com, which looks exactly like rfish.com?

http://www.rfish.com/redirect.jsp?url=gettingrobbed.com

It comes down to website owners to ensure that the customer is not redirected to frauds, by restricting and controlling URL parameters.

Business Risks: Attackers can install malware or access user accounts with phishing. Customers lose trust in an attacked website forever.

Problems Have Answers

"Ralph, that's like a list of a thousand variables. You want us to look at it every day and cross-check if everything is fine with the website? How about I just close everything and sell fish at my shop in Downtown?" Frank wasn't sure of his website anymore. "Not at all," Ralph smiled, "I know you people have a business to take care of, and that's why we have things that check every weakness on your website." "Things?" "Well, back in the office we call them Web Application Scanning and Web Application Firewall." "And what do they do exactly?"

"See, this Web Application Scanning has parameters to find OWASP Top 10 weaknesses automatically. It does that daily and lets you know of issues to be taken care of. That's obviously better than your development team digging in every single day." "And this firewall? We already have that, right Bob?" Frank looked at one of his employees. "No, no, it's different. This Web Application Firewall is for OWASP Top 10 vulnerabilities. Say you find three weaknesses through scanning, and at the same time it's the big sale day on your website. What will be your priority? Should your team sit and correct the code, or focus on keeping the website running? A Web Application Firewall prevents OWASP attacks until you can fix the issue," Ralph cleared up the difference.

That was probably the last time Frank had to get furious over data breach risks. Ralph was now a necessary part of his team, for things he couldn't be bothered to get into, as Christmas was around the corner and his target was getting to the number 1 fish-selling spot. But did they miss the mobile app completely? Weren't they worried about that? Was Christmas spoiled for him? Part 3 on OWASP Mobile Vulnerabilities is coming soon.
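Returning to A10 and the redirect.jsp example above: "restricting and controlling URL parameters" means the server decides where a redirect may land, not the parameter. The following is an added example, not code from the page or from any framework; ALLOWED_HOSTS, DEFAULT_TARGET and the sample parameter values are assumptions constructed for illustration. It accepts only a site-relative path or an absolute http(s) URL whose host is on the allowlist, and falls back to the home page for everything else, including the bare "gettingrobbed.com" from the story and the look-alike forms that a plain substring check on "rfish.com" would wave through.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only hosts a redirect may land on.
ALLOWED_HOSTS = {"rfish.com", "www.rfish.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(url_param: str) -> str:
    """Return the redirect target if it stays on our site, else DEFAULT_TARGET.

    Accepts two shapes only: a site-relative path such as "/account", or an
    absolute http(s) URL whose host is in ALLOWED_HOSTS. Everything else,
    including bare domains, other schemes and look-alike hosts, is dropped.
    """
    target = (url_param or "").strip()
    if not target:
        return DEFAULT_TARGET

    parts = urlsplit(target)

    if not parts.scheme and not parts.netloc:
        # Relative value. "//host" is parsed with a netloc and never reaches
        # here, but browsers also read "/\host" as protocol-relative, so
        # reject a leading "/\" explicitly and keep only plain "/path" values.
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return DEFAULT_TARGET

    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET

    host = parts.hostname            # lowercased; userinfo ("user@") and port removed
    if host is None or host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return target


# Constructed values a redirect.jsp-style endpoint might receive.
SAMPLE_PARAMS = [
    "gettingrobbed.com",                        # the value from the story
    "http://gettingrobbed.com/login",
    "//gettingrobbed.com",                      # protocol-relative
    "/\\gettingrobbed.com",                     # backslash variant browsers accept
    "http://www.rfish.com@gettingrobbed.com/",  # our host in the userinfo part
    "http://www.rfish.com.gettingrobbed.com/",  # look-alike subdomain
    "javascript:alert(1)",
    "/account/orders",
    "https://www.rfish.com/account",
]


def main() -> None:
    for value in SAMPLE_PARAMS:
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")


if __name__ == "__main__":
    main()
```

If the application never needs to send users off-site after a redirect, drop the absolute-URL branch entirely and accept only relative paths; the smaller the accepted shape, the less there is to get wrong.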