Upload File

ria security based on owasp top 10€¦ · owasp top 10 open web application security project. rich...

  • Home
  • Documents
  • RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration
37
Kim Leppänen Leif Åstrand RIA security based on OWASP Top 10

Upload: others

Post on 11-Sep-2020

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

Kim LeppänenLeif Åstrand

RIA security based on OWASP Top 10

Page 2: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

<script language=“javascript”>!if ( prompt("Enter password") == “supersecret" ) {!! document.location.href = "secret.html";!}!</script>

Page 3: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

OWASP Top 10Open Web Application Security Project

Page 4: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

Rich Internet Applications

Page 5: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration
Page 6: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration
Page 7: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

1!0 1!1 0 1!1 1 0

Page 8: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

Client Server

UI logic Business logic

DB

GWT

DOM

Page 9: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

Client Server

UI logic

Business logic

DB

Vaadin

DOM

Handled by the framework

Page 10: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

A1: Injection

Page 11: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

“SELECT * FROM Users WHERE username=’” + userNameField.getValue() + “‘“!

Not just SQL - could also be JPQL, HQL, shell, XPath, XML, LDAP, regex, eval, ...

Page 12: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

GWT !

• N/A

Vaadin !• N/A

Web frameworks can help

Page 13: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

A2: Broken Authentication and Session Management

https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
Page 14: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

Session ID fixation !

Exposure of session ID !

Exposing user credentials

Page 15: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

GWT !

• N/A

Vaadin !• Helper for changing

session id

Web frameworks can help

Page 16: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

A3: Cross-Site Scripting (XSS)

Page 17: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

Demo: auction application

Page 18: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

GWT !• setText • SafeHtml

Vaadin !• setHtmlContentAllo

wed(false) • Beware of tooltips

(setDescription)

Web frameworks can help

Page 19: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

Other things to keep in mind

The XSS filter evasion cheat sheet

Context is king

Consider using Markdown

Page 20: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

A4: Insecure Direct Object References

Page 21: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

GWT !• Not so much, since

this is mostly a server-side thing

• Can be hard to realize the problem since requests are “invisible”

Vaadin !• All ids are

generated values that the server uses to find the right object when needed

Web frameworks can help

Page 22: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

A5: Security Misconfiguration

Page 23: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

GWT !• N/A

Vaadin !• productionMode =

true

Web frameworks can help

Page 24: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

A6: Sensitive Data Exposure

Page 25: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

Keep in mind

Avoid handling sensitive data, e.g. credit card numbers

Salt and hash passwords

Use SSL, no excuses!

Page 26: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

A7: Missing Function Level Access Control

Page 27: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

A8: Cross-Site Request Forgery (CSRF)

https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
Page 28: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

http://example.com/addRole?user=adam&role=power_user

Page 29: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

<img src=”!http://example.com/addRole?user=eve&role=power_user!

“ />

Page 30: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

http://example.com/addRole?user=eve&role=power_user&token=abcd

Page 31: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

GWT !• GWT-RPC:

XsrfTokenService and/or HasRpcToken

• RequestFactory: Make your own RequestTransport

Vaadin !• Secured out of the

box

Web frameworks can help

Page 32: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

A9: Using Components with Known Vulnerabilities

Page 33: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

How do you know whether

they are vulnerable?

Page 34: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

A10: Unvalidated Redirects and Forwards

Page 35: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

<a href=”http://myapp.com?redirect=example.com/evil"> Open app </a>!

Page 36: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

Very quick conclusion

Page 37: RIA security based on OWASP Top 10€¦ · OWASP Top 10 Open Web Application Security Project. Rich Internet Applications. 1! 0 1! 1 0 1! 1 1 0. ... A5: Security Misconfiguration

Did we get some detail wrong? !

Questions? !? [email protected]

[email protected]


Simplifying Security OWASP Top Ten - Security Innovation

The OWASP Foundation OWASP Top 10 2010 Kuai Hinojosa Software Security Consultant at Cigital OWASP Global Education Committee OWASP

OWASP Enterprise Security API

Introduction to VOIP Security - OWASP

Automated Security Testing - OWASP · Automated Security Testing OWASP Israel 2017 Chapter Meeting 3 April 2017

owasp top10 and security flaws

OWASP Application Security – Building and Breaking ... · PDF fileOWASP Application Security – Building and Breaking ... EH, GSEC, GCIH, GSNA, GCIA, ... OWASP Application Security

API Security Project - OWASP · API Security Project OWASP Projects’ Showcase Sep 12, 2019. OWASP GLOBAL APPSEC - AMSTERDAM ... Traditional vs. Modern Modern Application API Get

Open Source Security & IoT Development the OWASP Way · OWASP –The Open Web Application Security Project •The Open Web Application Security Project (OWASP) is a not-for-profit

Owasp Backend Security Project 1.0beta

OWASP Security Spending Benchmarks Project Report€¦ · This question led us to the OWASP Security Spending Benchmarks Project. This report ... OWASP Security Spending Benchmarks

Entreprise Security API - OWASP Montreal

WordPress Security White Paper · 2013 OWASP Top 10 The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP Top 108

OWASP Application Security Verification Standard3.0

REST API Penetration Testing Report for [CLIENT]€¦ · OWASP Top 10 Application Security Risks - 2017 OWASP Testing Guide OWASP ASVS Open Web Application Security Project (OWASP)

Scale Your Security - OWASP

Frameworks & Security - OWASP

Security Code Review - OWASP · What IS Security Code Review? 5 Thursday, 9 May, 13. OWASP Why Security Code Reviews 6 Thursday, 9 May, 13. OWASP Why Security Code Reviews Effectiveness

Security as Code owasp

Owasp joy of proactive security

OWASP...OWASP Newsletter [ May 2012 ] 18 The OWASP Foundation The Open Web Application Security Project (OWASP) is an international community of security professionals dedicated to

SecretAsaService - OWASP · ACADEMIC APPLICATION SECURITY SECURITY CONSULTANT SECURITY PRODUCTS OWASP BOARD MEMBER OWASP LIVE CD ... We must support multi-cloud use cases and key

OWASP Khartoum Cyber Security Session

Cloudy with a chance of hack - OWASP · Cloudy with a chance of hack 20. OWASP Cloud Security. OWASP Cloud Security – A Big Issue 22. OWASP Cloud Security – A Big Issue 57% 53%

Cloud Computing Security - OWASP · OWASP 2 Topics 1. What is Cloud Computing? 2. The Same Old Security Problems 3. Virtualization Security 4. New Security Issues and Threat Model

Desarrollo Seguro ante Ciberataques para Java, …...2.3.- OWASP Top Ten Security Controls 2.4.- OWASP Mobile Security Testing Guide 2.5.- OWASP Mobile Application Security Verification

Application Security - Enterprise Strategiessecuritybyte.org/.../application-security-enterprise-strategies.pdf · OWASP Secure Coding Guides. ... () OWASP Testing Guide Tools of

Flash Security, OWASP Chennai

OWASP API Security Top 10 - files.devnetwork.cloud · OWASP API Security Top 10 Erez Yalon Director of Security Research Checkmarx OWASP API Top 10 project lead Dmitry Sotnikov Vice

OWASP – Top 10 · • OWASP Code Review Guide • OWASP Testing Guide • OWASP Top Ten Project . OWASP – TOP 10 • OWASP Top 10 Web Application Security Risks for 2010 are:

Sicherheit mobiler Apps - OWASP · OWASP OWASP Mobile Security Project Seit 2010 [1] Zielsetzung Entwicklung sicherer mobiler Apps Inhalte Threat Model Controls & Design Principles

The OWASP Enterprise Security API

Owasp security summit_2012_milanovs_final

Security Knowledge Framework - OWASP

OWASP Top-10 2013 · OWASP Top-10 2013 Dave Wichers OWASP Top 10 Project Lead OWASP Board Member ... 2013-A5 – Security Misconfiguration ... Thailand Open Web Application Security