2010-09-23
Web application security and
OWASP Top Ten 2010
Dr. Ulf Larson
Omegapoint
What is application security?
• Definition:
  – that appropriate measures are taken during the lifecycle of an application,
  – to prevent violations of the application's security policy,
  – due to errors in design, development, operation, upgrade and/or maintenance
• or, more informally:
  – even the slightest coding error may lead to utter chaos, disaster and destruction of mankind (well…)
Pop Quiz
• Give me at least two examples of where you really need to assure
  – that appropriate measures are taken during the lifecycle of an application,
  – to prevent violations of the application's security policy,
  – due to errors in design, development, operation, upgrade and/or maintenance
• to prevent utter chaos…
So, why would I (personally) need
application security?
[Slide graphic: a webshop page with dancing cows (or pigs)… and many, really cool buttons]
I run a small business and put my money in
business value instead => money in => Good for me!
Yeah! Good for you, until:
• One week before <random holiday where people spend LOTS of money>, your webshop dives, just to come up two weeks later…
• The accountant from the credit card company realises that "Yes, we are compliant" actually meant "No, we aren't compliant, but you don't know that"
• A considerable portion of this year's vacation is spent calming your customers, since they noticed that their "private" pictures were all over the Internet…
And, oh yeah. It happens
Doesn't sound too cool…
What's wrong?
The number of websites has increased (didn't see that one coming, right…)
More powerful, interconnected websites that allow user interaction
Is there more?
"Exotic" selection of passwords
123456
12345
123456789
password
iloveyou
Encryption, or lack thereof…
Ok, I'm prepared, what's next?
Tools, documentation and working exploits, of course!
Freely available to anyone (or the highest bidder)
…and finally
Application code contains (lots of) known vulnerabilities
"SELECT id FROM user WHERE username = '" + name + "'";
name = ' or 1=1 --
Logging in without knowing username or password
Which leads to the following

Percentage of sites with at least one serious vulnerability, by technology:

                                   ASP    ASPX   ColdFusion  Struts  JSP    PHP    Perl
Have had at least one serious
vulnerability (ever)               74 %   73 %   86 %        77 %    80 %   80 %   88 %
Have at least one serious
vulnerability (currently)          57 %   58 %   54 %        56 %    59 %   63 %   75 %

Source: Website security statistics report, Tom Brennan, 2010
Web communication basics
A really, really, really brief background
Web communication basics
• HTTP is an application-level network protocol.
• A web browser on the client side communicates with one or more servers.
• The browser sends a request, and the server answers with a response.
• To keep state between requests, the server generates a session token. This ID is passed between browser and server with each request/response.
• A cookie is a piece of data that can be passed along with requests/responses.
Common communication pattern – development and code
[Slide diagram: client on one side, server on the other]
1. Someone develops code and puts it on the server (HTML, JavaScript, JSP, Java)
2. The client asks the server for a resource (request)… and part of the code services the request
3. The server responds… and part of the code goes to the client to represent the response
Common communication pattern – login
[Slide diagram: client on one side, server on the other]
1. Browser to server: http://host.com?username=ulf&password=ulf
2. Server to database:
   Select * from users where
   username = ulf and
   password = ulf
3. Database to server: [true, userObject]
4. Server to browser: sessionID = xp33xx
   …
   <body> Hello
   <% userObject.name %>
   </body>
Pop quiz: Where do security bugs cause problems?
[Slide callouts: "Here" is marked at four points of the exchange above]
OWASP top ten 2010
First: What is OWASP?
• Open Web Application Security Project
• Non-profit organization whose goal is to make application security visible, so that informed security decisions can be made
  – Wiki (www.owasp.org)
  – Blog (owasp.blogspot.com)
What is OWASP doing?
• Manages and runs several projects within
the application security area
• Projects determine their own focus
– Guidelines for secure testing and code review
– Software for proxying and fuzzing
– Framework for implementing security oriented
design principles (ESAPI)
– Top ten list
OWASP Top Ten 2010
• OWASP Top Ten lists the ten most
dangerous application vulnerabilities
with respect to risk
Risk is based on generic parameters, such as the empirically observed prevalence of vulnerabilities.
Risk is NOT based on who a specific attacker is or what consequences an attack has on business value.
Top Ten 2010
A1 – Injection
A2 – Cross Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration
A7 – Insecure Cryptographic Storage
A8 – Failure to Restrict URL Access
A9 – Insufficient Transport Layer Protection
A10 – Unvalidated Redirects and Forwards
A1 – Injection
Input data from an untrusted source (external system, user at a web browser) is interpreted as code or as part of a query (SQL, XPath), rather than as input data.
Example (normal use)
[Slide diagram: login form, HTTP request to the server, SQL query to the database]
Select * from users where uname='ulf';
A1 – Injection
Example (misuse -> attack)
[Slide diagram: login form, HTTP request to the server, SQL query to the database]
Select * from users where uname='' or 1=1 --';
A1 – Injection
Risk
• Exploitability: it is easy to create the text input (' or 1=1)
• Prevalence: many types, SQL, XPath, LDAP…
• Detectability: use tools, exploit bad fault management
• Impact: loss of data, arbitrary code execution, denial of service
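As an added example (not from the slides), the following Python/sqlite3 snippet builds the login query the way the earlier "application code" slide and the A1 example do, shows the slide's `' or 1=1 --` input logging in as the first user, and puts the parameterized query beside it. The in-memory table and its two users are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the slides' users table.
    Passwords are kept in the clear here only to mirror the slide;
    storage is the subject of A7, not of this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, uname TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'ulf', 'ulf'), (2, 'alice', 'x9Qp!')")
    return db

def login_concat(db, uname, pw):
    """Vulnerable: the input is pasted into the SQL text, as on the slide.
    uname = "' or 1=1 --" turns the WHERE clause into  uname = '' or 1=1
    and comments out the password check, so the first row (ulf) comes back."""
    sql = ("SELECT id FROM users WHERE uname = '" + uname + "' "
           "AND pw = '" + pw + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_param(db, uname, pw):
    """Hardened: placeholders hand the input to the driver as data, so the
    same string is only ever compared with the uname column."""
    sql = "SELECT id FROM users WHERE uname = ? AND pw = ?"
    row = db.execute(sql, (uname, pw)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    attack = "' or 1=1 --"
    print("concat, normal :", login_concat(db, "ulf", "ulf"))        # 1
    print("concat, attack :", login_concat(db, attack, "whatever"))  # 1
    print("param, normal  :", login_param(db, "ulf", "ulf"))         # 1
    print("param, attack  :", login_param(db, attack, "whatever"))   # None
```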
A2 – Cross Site Scripting (XSS)
Data is sent from the server to the web browser without validation or output encoding. The sent data is interpreted as script code (and not as data).
Example (normal use)
[Slide diagram: a user sends a blog comment, another user reads it]
Comment: "Hi! Cool blog post, or what!"
Send comment
Read comment
A2 – Cross Site Scripting (XSS)
Example (misuse)
[Slide diagram: the sent comment contains script, which runs in the browser of whoever reads it]
Send comment
Read comment
A2 – Cross Site Scripting (XSS)
Risk
• Exploitability: could be tricky to create text data with the correct syntax (<script>…)
• Prevalence: data is passed between browser and server all the time
• Detectability: submit data, watch the result, look at the source code of the browser page
• Impact: session hijacking, redirecting traffic to another site
A3 – Broken Authentication and Session Management
Mechanisms for authentication and session management between server and client are incorrectly implemented. The attacker may find passwords and session IDs, as well as being able to steal users' identities.
Example: Public computer, user Alice logs on to her bank
[Slide diagram: Alice logs in, an Auth-ID is issued and sent with each request; session timeout = 5 days]
Alice closes(!) the browser window and walks away.
A3 – Broken Authentication and Session Management
Example: Eve navigates to the bank on the same computer somewhat later…
[Slide diagram: the same Auth-ID is still sent and still valid; timeout = 5 days]
…and can suddenly perform transactions as Alice, without having to log in first(!)
A4 – Insecure Direct Object Reference
An object reference (for example a file) is made visible to users. If access control is not performed when the object is referred to, the user can try to refer to other objects instead.
Example (normal use)
www.company.com/getFile?file=info.txt
[Slide diagram: the server returns info.txt]
A4 – Insecure Direct Object Reference
Example (misuse)
www.company.com?file=../../../etc/passwd
[Slide diagram: the server returns /etc/passwd; no access control for /etc/passwd]
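An added example (not from the slides) of how a getFile handler can keep the A4 reference inside its download directory: the requested name is canonicalised before the check, so the slide's ../../../etc/passwd, an absolute path and a symlink pointing out of the directory are all refused. The temporary download directory and its info.txt are constructed for the demo.

```python
import os
import tempfile

def resolve_download(base_dir, requested):
    """Map a ?file= parameter onto base_dir. Returns the absolute path of the
    file to serve, or None when the reference escapes the directory.
    realpath() collapses '..' and follows symlinks *before* the check, so a
    lexical comparison of the result is enough."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None                      # left the download directory
    if not os.path.isfile(target):
        return None                      # directories and missing files are not served
    return target

def demo():
    """Constructed download directory holding the slide's info.txt."""
    base = os.path.realpath(tempfile.mkdtemp())
    with open(os.path.join(base, "info.txt"), "w") as f:
        f.write("public information")
    info = os.path.join(base, "info.txt")
    return {
        "info": resolve_download(base, "info.txt") == info,
        "traversal": resolve_download(base, "../../../etc/passwd"),   # None
        "absolute": resolve_download(base, "/etc/passwd"),            # None
        "dotdot_inside": resolve_download(base, "sub/../info.txt") == info,
        "directory": resolve_download(base, ""),                      # None
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```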
A5 – Cross Site Request Forgery (CSRF)
An attacker creates a normal server request and then tricks a logged-in user into carrying out this request. The request is carried out with the user's privileges.
Example (normal use)
www.bank.com/transfer?amount=10&account=123
[Slide diagram: the user's own request; account 123 receives + 10]
A5 – Cross Site Request Forgery (CSRF)
Example (misuse)
1. The attacker sends the logged-in user a link ("Look! Super cool link!") pointing to
   www.bank.com/transfer?amount=100&account=223
2. The user clicks; the browser sends the request with the user's session, and account 223 receives + 100
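An added example (not from the slides) of the usual defence against the forged transfer above: the bank binds a random token to the server-side session and refuses any transfer that does not carry it. The forged link carries the victim's cookie but cannot know the token. The session and request dictionaries are constructed stand-ins for a web framework's objects; a real transfer endpoint should also accept only POST, not the GET link the slide shows.

```python
import hmac
import secrets

def issue_csrf_token(session):
    """Put a fresh random token in the server-side session and return it, so
    the bank can embed it in its own transfer form (hidden field)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def transfer_allowed(session, params):
    """Authorize a transfer only when the request carries the session's token.
    The slide's forged link (www.bank.com/transfer?amount=100&account=223)
    rides on the victim's cookie but has no token, so it is refused."""
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token", "")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)   # constant-time compare

def demo():
    """Constructed logged-in session plus a genuine, a forged and a guessed request."""
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    genuine = {"amount": "10", "account": "123", "csrf_token": token}
    forged = {"amount": "100", "account": "223"}                 # link from the slide
    guessed = {"amount": "100", "account": "223",
               "csrf_token": secrets.token_urlsafe(32)}          # attacker's own token
    return (transfer_allowed(session, genuine),
            transfer_allowed(session, forged),
            transfer_allowed(session, guessed))

if __name__ == "__main__":
    print(demo())   # (True, False, False)
```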
A6 – Security Misconfiguration
One or more components (application, framework, web server, application server) in a system are not securely configured. An attacker uses any of these configuration mistakes.
Example: IIS remote administration application running on port 8098 (default)
https://www.server.com:8098
Why not guess <admin:admin>, or brute force?
A6 – Security Misconfiguration
Example: well…
[Slide: the login <admin, admin> succeeds]
Then what? – Change the admin password, create users…
I have seen cases where there is no user name, just a password…
A7 – Insecure Cryptographic Storage
An application stores sensitive information (credit card details, PII, patient journals) in the clear or with insufficient encryption or hashing. An attacker can then use stolen information directly.
Example: Username and password are stored in the clear on disk…
1. Insert into creds ("uname","pw") values ("ulf","ulf");
2. The record <ulf,ulf> is written to disk as-is
A7 – Insecure Cryptographic Storage
…and then get stolen during an attack. The attacker can use the stolen information right away (no cracking or guessing needed)
1. listUser.aspx?id=1 ; select * from creds;
2. The query returns the clear-text record <ulf,ulf>
3. The attacker uses the credentials right away
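An added example (not from the slides) of what the creds row for ulf should hold instead of the literal "ulf": a salted, slow hash computed with the standard library's PBKDF2, so a stolen record does not give the password away directly. The iteration count is a constructed choice for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # constructed work factor; raise it as your hardware allows

def hash_password(password, salt=None):
    """Return 'salt$digest' in hex. Each user gets a random salt, so two
    users with the same password get different records and precomputed
    tables do not apply. A slow KDF makes guessing expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def demo():
    """The creds row for the slide's user ulf, stored the hardened way."""
    record = hash_password("ulf")            # what goes in the pw column
    return {
        "record": record,
        "correct": verify_password("ulf", record),    # True
        "wrong": verify_password("ulf2", record),     # False
        "salted": hash_password("ulf") != record,     # True: fresh salt each time
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```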
A8 – Failure to Restrict URL Access
An access control check is performed before a link is rendered in the web browser. If a user, instead of clicking on the link, navigates directly to the address the link points to, the check is bypassed.
Example: Access control on the same page as the links, and before the links are generated
Logged in as admin: the link <a href="CreateUser.html">Skapa … ("Create …") is rendered
Logged in as normal user: the link is not rendered
A8 – Failure to Restrict URL Access
Example: What happens if you, instead of following the link, type the address of the page where the link points?
A9 – Insufficient Transport Layer Protection
Sensitive information (e.g., username and password) travels between client and server. If the travel path is unprotected, uses weak encryption or is misconfigured, the attacker can use this to his advantage.
Example (normal use)
[Slide diagram: the browser talks to -----.omegapoint.se over HTTPS (SSL3/TLS); on the wire the credentials appear only as ciphertext: [t56x99e!xpW]]
A9 – Insufficient Transport Layer Protection
Example (misconfiguration -> inconsistent use of HTTP/HTTPS)
1. HTTPS://www.secure.com/myLogin.aspx – the login travels encrypted: [xa345tyjF!aa] (Auth-ID = 33)
2. HTTP://www.secure.com/viewProfile.aspx – the same Auth-ID = 33 now travels in the clear
A10 – Unvalidated Redirects and Forwards
An application performs a redirect or forward of a request based on input data that the attacker can choose. The attacker can redirect the request to a target of its choice (for example a phishing site).
Example (normal use)
1. "click": the user follows www.iwa.com/redirect?url=www.omegapoint.se
2. The redirect page replies: Ok, you're going to www.omegapoint.se
3. The browser is sent on to www.omegapoint.se
4. The user lands on www.omegapoint.se
A10 – Unvalidated Redirects and Forwards
Example (misuse)
1. "Check it out! Super cool link!" – the attacker sends www.iwa.com/redirect?url=www.evil.com
2. The user clicks; the trusted site www.iwa.com receives the request
3. www.iwa.com redirects the browser to www.evil.com
4. The user lands on www.evil.com
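An added example (not from the slides) of how www.iwa.com's redirect endpoint can validate its url parameter: only paths on its own site or hosts on an allow-list are honoured, and everything else, including the slide's www.evil.com, falls back to the site root. SITE_ROOT and ALLOWED_HOSTS are constructed for the demo; the checks also cover the scheme-less form the slide uses and the usual look-alike variants.

```python
from urllib.parse import urlsplit, urljoin

SITE_ROOT = "https://www.iwa.com/"        # the redirecting site on the slide
ALLOWED_HOSTS = {"www.omegapoint.se"}     # constructed allow-list of external targets

def safe_redirect_target(url_param):
    """Return where the redirect may go. Anything that is neither a path on
    our own site nor an allow-listed host yields SITE_ROOT, never the
    attacker-supplied value."""
    if not url_param or "\\" in url_param:          # browsers treat \ like /
        return SITE_ROOT
    raw = urlsplit(url_param)
    if raw.scheme and raw.scheme not in ("http", "https"):
        return SITE_ROOT                            # javascript:, data:, ...
    # The slide writes targets without a scheme ("www.omegapoint.se"); give
    # them one so the host is parsed as a host and not as a relative path.
    if raw.scheme or url_param.startswith("/"):
        candidate = url_param
    else:
        candidate = "https://" + url_param
    parts = urlsplit(candidate)
    if not parts.netloc:                            # "/account": stays on our site
        return urljoin(SITE_ROOT, candidate)
    # "//www.evil.com", "www.omegapoint.se.evil.com" and
    # "www.omegapoint.se@www.evil.com" all arrive here and are refused.
    if parts.hostname in ALLOWED_HOSTS and not parts.username and not parts.password:
        return candidate
    return SITE_ROOT

if __name__ == "__main__":
    for u in ["www.omegapoint.se", "www.evil.com", "//www.evil.com", "/account",
              "javascript:alert(1)", "https://www.omegapoint.se@www.evil.com"]:
        print(repr(u), "->", safe_redirect_target(u))
```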
Summary
• Web applications are becoming more common and powerful, thus attracting attackers at an increasing rate!
• OWASP tries to emphasize the importance of application security
• The top ten list covers the ten vulnerabilities carrying the highest risk
• Injection and Cross Site Scripting are the most risky – common, easy to find and use, high impact
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf