owasp
play

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words - PowerPoint PPT Presentation

Dec 05, 2023 •166 likes •747 views

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources 3. Setting up workstations 4. OWASP WebScarab/OWASP WebScarab-NG 5. O2 Platform About me In London since October 2010 Before that MCPD, MCTS,

  1. OWASP Daniel Brzozowski daniel@brzozowski.biz

  2. Agenda 1. Few words about OWASP 2. Owasp resources 3. Setting up workstations 4. OWASP WebScarab/OWASP WebScarab-NG 5. O2 Platform

  3. About me… In London since October 2010 Before that MCPD, MCTS, MCP OWASP WebScarab-NG & OWASP .NET Project Leader 3

  4. Introduction – Web security Growing popularity of this subject … What is a security bug? Why we have such bugs? What about statistics? 4

  5. Penetration test What is a penetration test? Types Passive Mapping Research Attack Raport application Active 5

  6. OWASP 6

  7. What is OWASP? The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. OPEN INNOVATION GLOBAL INTEGRITY 7

  8. OWASP local chapters 8

  9. OWASP London Chapter Led by Justin Clarke Meetings Visit page: https://www.owasp.org/index.php/London And subscribe to mailing list! 9

  10. OWASP Resources you can use today! SDLC • Guides ( Testing , Development, Code Review) • SAMM • ASVS Community • Mailing lists • Chapters • Conferences Tools • WebGoat • WebScarab/WebScarab-NG • ESAPI • O2 Platform • OWASP Live CD •… 10

  11. OWASP Live CD https://www.owasp.org/index.php/Category:OWASP_Live_ CD_Project

  12. OWASP TOP 10 12

  13. OWASP Top 10 A3: Broken A4: Insecure Authentication A1: Injection A2: XSS Direct Object and Session References Management A7: Insecure A8: Failure to A6: Security A5: CSRF Cryptographic Restrict URL Misconfiguration Storage Access A9: Insufficient A10: Unvalidated Transport Layer Redirects and Protection Forwards 13

  14. A1: Injection Injection means… • Tricking an application into including unintended commands in the data sent to an interpreter Interpreters… • Take strings and interpret them as commands • SQL, OS Shell, LDAP, XPath , Hibernate, etc… SQL injection is still quite common •Many applications still susceptible (really don‟t know why) •Even though it‟s usually very simple to avoid Typical Impact • Usually severe. Entire database can usually be read or modified • May also allow full database schema, or account access, or even OS level access 14

  15. Attack example – OWASP TOP10 A1: Injection: SQL INJECTION User Hacker String userInput = s.getParser().getRawParameter(USERNAME, ""); String SELECT_ST = "select * from employee where userid="+ userInput; 15

  16. A1: Injection December 2009 • a hacker used SQL Injection techniques to hack the database of RockYou • RockYou creates applications for MySpace, Facebook, ... Result • data of 32.603.388 users and administrative accounts was compromised (credentials + clear text passwords) • the data also contained email-addresses and passwords for 3rd party sites Question: how many of those users use the same password for other sites too? 16

  17. A2: XSS Occurs any time… • Raw data from attacker is sent to an innocent user‟s browser Raw data… • Stored in database • Reflected from web input (form field, hidden field, URL, etc…) • Sent directly into rich JavaScript client Typical Impact • Steal user‟s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user‟s behavior on vulnerable site and force user to other sites 17

  18. A2: XSS „ A new cross-site scripting (XSS) weakness identified on Twitter and can be leveraged by attackers to hijack users' sessions and post on their behalf. ” Posted on xssed.com http://www.xssed.com/mirr or/68655/ 18

  19. A3: Broken Authentication and Session Management HTTP is a “stateless” protocol • Means credentials have to go with every request • Should use SSL for everything requiring authentication Session management flaws • SESSION ID used to track state since HTTP doesn‟t • and it is just as good as credentials to an attacker • SESSION ID is typically exposed on the network, in browser, in logs, … Beware the side-doors • Change my password, remember my password, forgot my password, secret question, logout, email address, etc… Typical Impact • User accounts compromised or user sessions hijacked 19

  20. A4: Insecure Direct Object References How do you protect access to your data? • This is part of enforcing proper “Authorization”, along with A7 – Failure to Restrict URL Access A common mistake … • Only listing the „authorized‟ objects for the current user, or • Hiding the object references in hidden fields • … and then not enforcing these restrictions on the server side • This is called presentation layer access control, and doesn‟t work • Attacker simply tampers with parameter value Typical Impact • Users are able to access unauthorized files or data 20

  21. A4: Insecure Direct Object References 21

  22. A5: CSRF Cross Site Request Forgery • An attack where the victim‟s browser is tricked into issuing a command to a vulnerable web application • Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request Imagine… • What if a hacker could steer your mouse and get you to click on links in your online banking application? • What could they make you do? Typical Impact • Initiate transactions (transfer funds, logout user, close account) • Access sensitive data • Change account details 22

  23. A5: CSRF <img src="http://bank.com/withdraw?fromId=12314 &amount=1000000&toID=12312"> Can be injected by XSS From phishing site 23

  24. A5: CSRF April 2010 No specific details „the victim‟s transaction details will be sent to the attacker‟s Website” 24

  25. A6: Security Misconfiguration Web applications rely on a secure foundation • All through the network and platform • Don‟t forget the development environment Is your source code a secret? • Think of all the places your source code goes • Security should not require secret source code Configuration Management must extend to all parts of the application • All credentials should change in production Typical Impact • Install backdoor through missing network or server patch • XSS flaw exploits due to missing application framework patches • Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration 25

  26. A7: Insecure Cryptographic Storage Storing sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data gets stored • Databases, files, directories, log files, backups, etc. • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance • Business gets sued and/or fined 26

  27. A7: Insecure Cryptographic Storage 27

  28. A8: Failure to Restrict URL Access How do you protect access to URLs (pages)? • This is part of enforcing proper “authorization”, along with A4 – Insecure Direct Object References A common mistake … • Displaying only authorized links and menu choices • This is called presentation layer access control, and doesn‟t work • Attacker simply forges direct access to „unauthorized‟ pages Typical Impact • Attackers invoke functions and services they‟re not authorized for • Access other user‟s accounts and data • Perform privileged actions 28

  29. A8: Failure to Restrict URL Access Date published: 13/02/2010 Wordpress Version 2.9 Ability to view deleted messages by other users 29

  30. A9: Insufficient Transport Layer Protection Transmitting sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data is sent • On the web, to backend databases, to business partners, internal communications • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident • Business gets sued and/or fined 30

  31. A9: Insufficient Transport Layer Protection 31

Recommend

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200 OWASP Flagship Projects Tool Projects OWASP Amass OWASP CSRFGuard OWASP Defectdojo OWASP Dependency-Check OWASP Dependency-Track

751 views • 55 slides
OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

Introduction to the OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com OWASP-Wellington/ http://hack-ed.com www.owasp.org.nz Recordings: @kirkj @owaspnz https://goo.gl/a2VSG2 What is OWASP? Open

880 views • 45 slides
OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation

OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation

The OWASP Foundation Libre Software Meeting Brussels 10-July-2013 http://www.owasp.org OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation Board Member OWASP Belgium Chapter Leader SAMM project

682 views • 43 slides
OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. OWASP Foundation, NYC Chapter

382 views • 23 slides
Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017 Changes between 2013 and 2017 Hi, I am X. How do I get into AppSec/Security? OWASP Toronto Chapter January 17, 2018 Topics Overviews, Career Paths,

372 views • 36 slides
Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access

209 views • 6 slides
Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter

Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter

Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter Leader OWASP DevSlop Project Leader @SheHacksPurple About Me The Im Qualifed Slide Tanya Janca: Applicaton security evangelist, web

1k views • 82 slides
Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web

Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web

Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web Security Risks https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf Today

998 views • 78 slides
Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva 12/12/2016 Jrmy MATOS whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products

867 views • 22 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web Security Risks https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf Today

916 views • 87 slides
Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German Day 20.11.2018 Carlos Holguera $ whoami Carlos Holguera [olera] Security Engineer working at ESCRYPT GmbH since 2012 Area of expertise:

790 views • 56 slides
UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is OWASP? Open Web Application Security Project Non-profit organization focused on improving security of software. They have some GREAT info on

372 views • 9 slides
OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place

OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place

OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place where (some of ) the best Application Security and OWASP minds come together to collaborate and work a meeting of minds focused on solving

770 views • 37 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is published @KatyAnton Katy Anton Software development background Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)

1.21k views • 45 slides
Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security -

Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security -

Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security - Based in London - Completjng MSc Cyber Security @ University of York - Security Architect for Kainos Mateusz Kalinowski - Java research OWASP

789 views • 23 slides
Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org

Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org

Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org OWASP Ottawa Chapter Leader OWASP DevSlop Project Leader @sheHacksPurple About Me Who am I? Im Tanya Janca; Application security evangelist, web

434 views • 30 slides
with ASP.NET / MVC &amp; OWASP Adnan Masood Sr. System Architect Green Dot Corporation What

with ASP.NET / MVC &amp; OWASP Adnan Masood Sr. System Architect Green Dot Corporation What

Web Application Security with ASP.NET / MVC &amp; OWASP Adnan Masood Sr. System Architect Green Dot Corporation What this talk is about? 2 This session is an introduction to web application security threats using the OWASP Top 10 list

977 views • 69 slides
OWASP London Chapter Meeting 30th March 2017 London Chapter Chapter Leaders: Sam

OWASP London Chapter Meeting 30th March 2017 London Chapter Chapter Leaders: Sam

OWASP London Chapter Meeting 30th March 2017 London Chapter Chapter Leaders: Sam Stepanyan (@securestep9) Sherif Mansour (@kerberosmansour) Keeping In Touch: Join the OWASP London mailing list Follow

917 views • 23 slides
OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

Agenda Application Security OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente Application Security Startup 04.04.2013 04.04.2013 2 OWASP Top 10 Agenda Application Security Was ist Application Security

234 views • 8 slides
Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec

Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec

OWASP Dependency-Check Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec OWASP Geneva Board State of Geneva @thhofer thomas.hofer@owasp.org Outline Context How it works / Integration

335 views • 9 slides
Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule |

Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule |

Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Web Security: Overview of other security risks OWASP Top 10

1.25k views • 64 slides
The OWASP Amass Project DNS Enumeration written in Go September 6, 2018 Presented by Jeff Foley

The OWASP Amass Project DNS Enumeration written in Go September 6, 2018 Presented by Jeff Foley

The OWASP Amass Project DNS Enumeration written in Go September 6, 2018 Presented by Jeff Foley Introduction Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass US Manager, Penetration Testing &amp; Red Teaming at National Grid

905 views • 11 slides

More recommend