owasp top ten
play

OWASP Top Ten Kirk Jackson OWASP NZ RedShield - PowerPoint PPT Presentation

Mar 10, 2023 •416 likes •880 views

Introduction to the OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com OWASP-Wellington/ http://hack-ed.com www.owasp.org.nz Recordings: @kirkj @owaspnz https://goo.gl/a2VSG2 What is OWASP? Open

  1. Introduction to the OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com OWASP-Wellington/ http://hack-ed.com www.owasp.org.nz Recordings: @kirkj @owaspnz https://goo.gl/a2VSG2

  2. What is OWASP? Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. ● A website: owasp.org ● A bunch of cool tools: Zed Attack Proxy, Juice Shop, Proactive Controls, Software Assurance Maturity Model (SAMM), Application Security Verification Standard (ASVS) ● A global community of like-minded people, meetups and conferences

  5. OWASP Top Ten Globally recognized by developers as the first step towards more secure coding. The most critical security risks to web applications. Updated every 2-3 years from 2003 to 2017 (2020 is in progress)

  6. Securing the user Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  7. OWASP Top Ten 2017 A1 Injection A2 Broken Authentication A3 Sensitive Data Exposure A4 XML External Entities (XXE) A5 Broken Access Control A6 Security Misconfiguration A7 Cross-Site Scripting (XSS) A8 Insecure Deserialization A9 Using Components with Known Vulnerabilities A10 Insufficient Logging & Monitoring

  8. A1 Injection Sending hostile data to an interpreter (e.g. SQL, LDAP, command line) Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  9. A1 Injection Sending hostile data to an interpreter (e.g. SQL, LDAP, command line) String query = "SELECT * FROM accounts WHERE Web Server X custID='" + request.getParameter("id") + "'"; query Site A id = " '; drop table accounts -- " Y SQL statements combine code and data

  10. SQLi Demo

  11. A1 Injection Prevention: SQL statements combine code and data => Separate code and data Web Server X query Site A ● Parameterise your queries Y ● Validate which data can be entered ● Escape special characters

  12. A2 Broken Authentication Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  13. A2 Broken Authentication ● Weak session management ● Credential stuffing ● Brute force ● Forgotten password Web Server X ● No multi-factor authentication query Site A Y ● Sessions don’t expire

  14. A2 Broken Authentication Prevention: ● Use good authentication libraries ● Use MFA ● Enforce strong passwords ● Detect and prevent brute force or stuffing attacks

  15. A3 Sensitive Data Exposure Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  16. A3 Sensitive Data Exposure ● Clear-text data transfer ● Unencrypted storage ● Weak crypto or keys ● Certificates not validated Web Server X ● Exposing PII or Credit Cards GET / Site A Y

  17. Data Exposure Demo

  18. A3 Sensitive Data Exposure Prevention: ● Don’t store data unless you need to! ● Encrypt at rest and in transit ● Use strong crypto

  19. A4 XML External Entities (XXE) Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  20. A4 XML External Entities (XXE) The application accepts XML, and assumes it is safe <?xml version="1.0" encoding="ISO-8859-1"?> Web Server X <!DOCTYPE foo [ <!ELEMENT foo ANY > query Site A <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> Y <foo>&xxe;</foo> Can allow accessing sensitive resources, command execution, recon, or cause denial of service.

  21. XXE Demo

  22. A4 XML External Entities (XXE) Prevention: ● Avoid XML ● Use modern libraries, and configure them well! ● Validate XML

  23. A5 Broken Access Control Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  24. A5 Broken Access Control ● Access hidden pages http://site.com/admin/user-management ● Elevate to an administrative account ● View other people’s data Web Server X http://site.com/user?id=7 query Site A ● Modifying cookies or JWT tokens Y

  25. A5 Broken Access Control Prevention: ● Use proven code or libraries ● Deny access by default ● Log failures and alert ● Rate limit access to resources

  26. A6 Security Misconfiguration Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  27. A6 Security Misconfiguration ● Security features not configured properly ● Unnecessary features enabled ● Default accounts not removed Web Server X ● Error messages expose sensitive query Site A Y information

  28. A6 Security Misconfiguration Prevention: ● Have a repeatable build process or “gold master” ● Disable all unused services ● Use tools to review settings

  29. A7 Cross-Site Scripting (XSS) Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  30. A7 Cross-Site Scripting (XSS) HTML mixes content, presentation and code into one string (HTML+CSS+JS) Web Browser If an attacker can alter the DOM, they Site A can do anything that the user can do. DOM + JS XSS can be found using automated Site B tools.

  31. XSS Demo

  32. A7 Cross-Site Scripting (XSS) Prevention: ● Encode all user-supplied data to render it safe Kirk <script> => Kirk &lt;script&gt; ● Use appropriate encoding for the context ● Use templating frameworks that assemble HTML safely ● Use Content Security Policy

  33. A8 Insecure Deserialization Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  34. A8 Insecure Deserialization Programming languages allow you to turn a tree of objects into a string that can be sent to the browser. Web Server X If you deserialise untrusted data, you query Site A may allow objects to be created, or code Y to be executed.

  35. Deserialisation Demo

  36. A8 Insecure Deserialization Prevention: ● Avoid serialising and deserialising objects ● Use signatures to detect tampering ● Configure your library safely ● Check out the OWASP Deserialisation Cheat Sheet

  37. A9 Using Components with Known Vulnerabilities Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B

  38. A9 Using Components with Known Vulnerabilities Modern applications contain a lot of third-party code. It’s hard to keep it all up to date. Attackers can enumerate the libraries you use, and develop exploits.

  39. A9 Using Components with Known Vulnerabilities Prevention: ● Reduce dependencies ● Patch management ● Scan for out-of-date components ● Budget for ongoing maintenance for all software projects

  40. A10 Insuffjcient Logging & Monitoring Web Browser Web Server X Site A sitea.com GET / Site A DOM Y + JS Site B SIEM

  41. A10 Insuffjcient Logging & Monitoring You can’t react to attacks that you don’t know about. Logs are important for: Web Server X ● Detecting incidents Site A Y ● Understanding what happened ● Proving who did something SIEM

  42. OWASP Top Ten 2017 A1 Injection A2 Broken Authentication A3 Sensitive Data Exposure A4 XML External Entities (XXE) A5 Broken Access Control A6 Security Misconfiguration A7 Cross-Site Scripting (XSS) A8 Insecure Deserialization A9 Using Components with Known Vulnerabilities A10 Insufficient Logging & Monitoring

  43. Next Steps

  44. Next Steps ● Attend OWASP events ● Search for OWASP Top Ten category names and your framework E.g. “C# XSS protection” ● Watch youtube or Pluralsight videos ● Use the terms when discussing bugs with colleagues ● Keep track of which issues affect you the most ● Go beyond the Top Ten

  45. Introduction to the OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com OWASP-Wellington/ http://hack-ed.com www.owasp.org.nz Recordings: @kirkj @owaspnz https://goo.gl/a2VSG2

Recommend

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200 OWASP Flagship Projects Tool Projects OWASP Amass OWASP CSRFGuard OWASP Defectdojo OWASP Dependency-Check OWASP Dependency-Track

751 views • 55 slides
OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources 3. Setting up workstations 4. OWASP WebScarab/OWASP WebScarab-NG 5. O2 Platform About me In London since October 2010 Before that MCPD, MCTS,

747 views • 58 slides
OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation

OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation

The OWASP Foundation Libre Software Meeting Brussels 10-July-2013 http://www.owasp.org OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation Board Member OWASP Belgium Chapter Leader SAMM project

682 views • 43 slides
OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. OWASP Foundation, NYC Chapter

382 views • 23 slides
Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017 Changes between 2013 and 2017 Hi, I am X. How do I get into AppSec/Security? OWASP Toronto Chapter January 17, 2018 Topics Overviews, Career Paths,

372 views • 36 slides
Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access

209 views • 6 slides
Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter

Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter

Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter Leader OWASP DevSlop Project Leader @SheHacksPurple About Me The Im Qualifed Slide Tanya Janca: Applicaton security evangelist, web

1k views • 82 slides
Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web

Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web

Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web Security Risks https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf Today

998 views • 78 slides
Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva 12/12/2016 Jrmy MATOS whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products

867 views • 22 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web Security Risks https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf Today

916 views • 87 slides
Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German Day 20.11.2018 Carlos Holguera $ whoami Carlos Holguera [olera] Security Engineer working at ESCRYPT GmbH since 2012 Area of expertise:

790 views • 56 slides
UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is OWASP? Open Web Application Security Project Non-profit organization focused on improving security of software. They have some GREAT info on

372 views • 9 slides
OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place

OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place

OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place where (some of ) the best Application Security and OWASP minds come together to collaborate and work a meeting of minds focused on solving

770 views • 37 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is published @KatyAnton Katy Anton Software development background Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)

1.21k views • 45 slides
Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security -

Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security -

Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security - Based in London - Completjng MSc Cyber Security @ University of York - Security Architect for Kainos Mateusz Kalinowski - Java research OWASP

789 views • 23 slides
Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org

Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org

Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org OWASP Ottawa Chapter Leader OWASP DevSlop Project Leader @sheHacksPurple About Me Who am I? Im Tanya Janca; Application security evangelist, web

434 views • 30 slides
with ASP.NET / MVC &amp; OWASP Adnan Masood Sr. System Architect Green Dot Corporation What

with ASP.NET / MVC &amp; OWASP Adnan Masood Sr. System Architect Green Dot Corporation What

Web Application Security with ASP.NET / MVC &amp; OWASP Adnan Masood Sr. System Architect Green Dot Corporation What this talk is about? 2 This session is an introduction to web application security threats using the OWASP Top 10 list

977 views • 69 slides
OWASP London Chapter Meeting 30th March 2017 London Chapter Chapter Leaders: Sam

OWASP London Chapter Meeting 30th March 2017 London Chapter Chapter Leaders: Sam

OWASP London Chapter Meeting 30th March 2017 London Chapter Chapter Leaders: Sam Stepanyan (@securestep9) Sherif Mansour (@kerberosmansour) Keeping In Touch: Join the OWASP London mailing list Follow

917 views • 23 slides
OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

Agenda Application Security OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente Application Security Startup 04.04.2013 04.04.2013 2 OWASP Top 10 Agenda Application Security Was ist Application Security

234 views • 8 slides
Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec

Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec

OWASP Dependency-Check Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec OWASP Geneva Board State of Geneva @thhofer thomas.hofer@owasp.org Outline Context How it works / Integration

335 views • 9 slides
Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule |

Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule |

Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Web Security: Overview of other security risks OWASP Top 10

1.25k views • 64 slides
The OWASP Amass Project DNS Enumeration written in Go September 6, 2018 Presented by Jeff Foley

The OWASP Amass Project DNS Enumeration written in Go September 6, 2018 Presented by Jeff Foley

The OWASP Amass Project DNS Enumeration written in Go September 6, 2018 Presented by Jeff Foley Introduction Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass US Manager, Penetration Testing &amp; Red Teaming at National Grid

905 views • 11 slides

More recommend