Uploaded byXlator
1,738 views

Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP Göteborg

This document summarizes the top 10 web security controls according to a 2012 report. It discusses query parameterization for preventing SQL injection in various programming languages like PHP, .NET, Java, Ruby, ColdFusion and Perl. It also covers cross-site scripting defenses like encoding data based on context, validating untrusted HTML, and sandboxing untrusted JavaScript. Additional topics include access control best practices like centralizing authorization logic and coding to specific activities rather than roles.

Technology
Related topics:
Web Security Overview
In this document
Powered by AI

This slide introduces the presentation topic on the top web security controls identified by Jim Manico and Eoin Keary.

Shows how to implement safe SQL commands using query parameterization in PHP to prevent SQL injection.

Illustrates the use of parameterized queries in .NET to secure user input in SQL commands.

Demonstrates how to use prepared statements in Java for safe query parameterization.

Explains how to safely work with parameterized queries in Ruby on Rails to prevent SQL injection.

Shows an example of using query parameters in Cold Fusion to safeguard against SQL injection.

Presents a code sample illustrating query parameter usage in PERL for safe SQL command execution.

Lists various serious threats posed by XSS, including session hijacking and data theft.

Highlights the significance of multiple contexts in web browsers when considering XSS attacks.

Describes how XSS can be executed through HTML attributes and improper handling of user data.

Explains the exploitability of source attributes in HTML tags leading to potential XSS vulnerabilities.

Emphasizes the need for URL parameter escaping to mitigate XSS risks during link rendering.

Discusses the risks of using user data within style tags in web applications.

Illustrates a test case demonstrating how CSS can be exploited for XSS attacks.

Describes methods for escaping user data in JavaScript to prevent XSS vulnerabilities.

Outlines best practices for defending against XSS by properly handling untrusted data in DOM.

Details various XSS defense techniques based on data type and context.

Identifies vertical, horizontal, and business logic access control attacks, emphasizing their threats.

Promotes coding practices focused on activity rather than user roles to strengthen access control.

Encourages the use of a centralized access controller for effective permission management.

Highlights the use of centralized access control logic and the significance of failing securely.

Discusses a sample CSRF attack scenario involving user form submission and potential exploit.

Presents multiple defenses against CSRF, including cryptographic tokens and re-authentication.

Enumerates various weaknesses in authentication processes that can lead to security vulnerabilities.

Suggests multiple authentication defenses like 2FA and account lockout after failed attempts.

Discusses best practices for secure design in the forgot password feature of applications.

Describes best practices for managing and securing user sessions to prevent hijacking.

Details clickjacking protection strategies such as headers and frame-breaking scripts.

Illustrates a code example for secure password hashing and storage.

Discusses additional password security measures and frontend handling for sensitive data.

Emphasizes the necessity of encrypting sensitive data in transit with HTTPS/SSL protocols.

Embed presentation

Top 10 Web Security Controls March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 1
(1) Query Parameterization (PHP PDO) $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)"); $stmt->bindParam(':name', $name); $stmt->bindParam(':value', $value); March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 2
Query Parameterization (.NET) SqlConnection objConnection = new SqlConnection(_ConnectionString); objConnection.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection); objCommand.Parameters.Add("@Name", NameTextBox.Text); objCommand.Parameters.Add("@Password", PasswordTextBox.Text); SqlDataReader objReader = objCommand.ExecuteReader(); if (objReader.Read()) { ... March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 3
Query Parameterization (Java) double newSalary = request.getParameter(“newSalary”) ; int id = request.getParameter(“id”); PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?"); pstmt.setDouble(1, newSalary); pstmt.setInt(2, id); Query safeHQLQuery = session.createQuery("from Inventory where productID=:productid"); safeHQLQuery.setParameter("productid", userSuppliedParameter); March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 4
Query Parameterization (Ruby) # Create Project.create!(:name => 'owasp') # Read Project.all(:conditions => "name = ?", name) Project.all(:conditions => { :name => name }) Project.where("name = :name", :name => name) # Update project.update_attributes(:name => 'owasp') # Delete Project.delete(:name => 'name') March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 5
Query Parameterization (Cold Fusion) <cfquery name="getFirst" dataSource="cfsnippets"> SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID = <cfqueryparam value=#intCourseID# CFSQLType="CF_SQL_INTEGER"> </cfquery> March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 6
Query Parameterization (PERL) my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )”; my $sth = $dbh->prepare( $sql ); $sth->execute( $bar, $baz ); March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 7
XSS: Why so Serious? Session hijacking Site defacement Network scanning Undermining CSRF defenses Site redirection/phishing Load of remotely hosted scripts Data theft Keystroke logging March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 8
Danger: Multiple Contexts Browsers have multiple contexts that must be considered! March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 9
XSS in HTML Attributes < i n p u t typ e = "te x t" n am e = "c o m m e n ts ” valu e = "U N T R U S T E D D AT A"> < i n p u t typ e = "te x t" n am e = "c o m m e n ts " valu e = "h e llo " o n m o u s e o ve r= "/* fi re attac k * /">  Attackers can add event handlers:  onMouseOver  onLoad  onUnLoad  etc… March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 10
XSS in Source Attribute  User input often winds up in src attribute  Tags such as < i m g s rc = ""> < i fram e s rc = "">  Example Request: h ttp ://e x am p le .c o m /vi e w I m ag e ? i m ag e n am e = m ym ap .jp g  Attackers can use javascript:/*attack*/ in src attributes March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 11
URL Parameter Escaping  Escape all non alpha-num characters with the %HH format < a h re f= “/s e arc h ?d ata= U N T R U S T E D D AT A”>  Be careful not to allow untrusted data to drive entire URL’s or URL fragments  This encoding only protects you from XSS at the time of rendering the link  Treat DATA as untrusted after submitted March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 12
XSS in the Style Tag  Applications sometimes take user data and use it to generate presentation style U R L p aram e te r w ri tte n w i th i n s tyle tag  Consider this example: h ttp ://e x am p le .c o m /vi e w D o c u m e n t?b ac k g ro u n d = w h i te March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 13
CSS Pwnage Test Case < d i v s tyle = "w i d th : < % = te m p 3% > ;"> M o u s e o ve r < / d i v> temp3 = ESAPI.encoder().encodeForCSS("expression(alert (String.fromCharCode (88,88,88)))"); < d i v s tyle = "w i d th : e x p re s s i o n 2 8 ale rt2 8 S tri n g 2 e fro m C h arC o d e 2 0 2 8 882 c 882 c 882 9 2 9 2 9 ;"> M o u s e o ve r < /d i v>  Pops in at least IE6 and IE7. li s ts .o w as p .o rg /p i p e rm ai l/o w as p -e s ap i /2 009- F e b ru ary/000405 .h tm l March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 14
Javascript Context  Escape all non alpha-num characters with the xHH format <script>var x='U N T R U S T E D D AT A';</script>  You're now protected from XSS at the time data is assigned  What happens to x after you assign it? March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 15
Best Practice: DOM Based XSS Defense  Untrusted data should only be treated as displayable text  JavaScript encode and delimit untrusted data as quoted strings  Use document.createElement("…"), element.setAttribute("…","value"), element.appendChild(…), etc. to build dynamic interfaces  Avoid use of HTML rendering methods  Understand the dataflow of untrusted data through your JavaScript code. If you do have to use the methods above remember to HTML and then JavaScript encode the untrusted data  Avoid passing untrusted data to eval(), setTimeout() etc.  Don’t eval() JSON to convert it to native JavaScript objects. Instead use JSON.toJSON() and JSON.parse()  Run untrusted scripts in a sandbox (ECMAScript canopy, HTML 5 frame sandbox, etc) March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 16
(2) XSS Defense by Data Type and Context Data Type Context Defense String HTML Body HTML Entity Encode String HTML Attribute Minimal Attribute Encoding String GET Parameter URL Encoding String Untrusted URL URL Validation, avoid javascript: URL’s, Attribute encoding, safe URL verification String CSS Strict structural validation, CSS Hex encoding, good design HTML HTML Body HTML Validation (JSoup, AntiSamy, HTML Sanitizer) Any DOM DOM XSS Cheat sheet Untrusted JavaScript Any Sandboxing JSON Client parse time JSON.parse() or json2.js Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 17
Attacks on Access Control Vertical Access Control Attacks  A standard user accessing administration functionality  “Privilege Escalation” Horizontal Access Control attacks  Same role, but accessing another user's private data Business Logic Access Control Attacks  Abuse of workflow March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 18
Best Practice: Code to the Activity if (AC.hasAccess(ARTICLE_EDIT, NUM)) { //execute activity } Code it once, never needs to change again Implies policy is persisted/centralized in some way Requires more design/work up front to get right March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 19
Best Practice: Use a Centralized Access Controller In Presentation Layer if (ACL.isAuthorized(VIEW_LOG_PANEL)) { <h2>Here are the logs</h2> <%=getLogs();%/> } In Controller try (ACL.assertAuthorized(DELETE_USER)) { deleteUser(); } March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 20
(3) Access Control Positive Patterns Code to the activity, not the role Centralize access control logic Design access control as a filter Fail securely (deny-by-default) Apply same core logic to presentation and server- side access control decisions Server-side trusted data should drive access control Provide privilege and user grouping for better management Isolate administrative features and access March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 21
Anatomy of an CSRF Attack Consider a consumer banking application that contains the following form <form action=“https://bank.com/Transfer.asp” method=“POST” id=“form1”> <p>Account Num: <input type=“text” name=“acct” value=“13243”/></p> <p>Transfer Amt: <input type=“text” name=“amount” value=“1000” /></p> </form> <script>document.getElementById(‘form1’).submit(); </script> March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 22
(4) Cross Site Request Forgery Defenses Cryptographic Tokens Primary and most powerful defense. Randomness is your friend. Request that cause side effects should use (and require) the POST method Alone, this is not sufficient Require users to re-authenticate Amazon.com does this *really* well Double-cookie submit Decent defense, but no based on randomness, based on SOP March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 23
Authentication Dangers Weak password Login Brute Force Username Harvesting Session Fixation Weak or Predictable Session Plaintext or poor password storage Weak "Forgot Password” feature Weak "Change Password” feature Credential or session exposure in transit via network sniffing Session Hijacking via XSS March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 24
(5) Authentication Defenses  2FA  Develop generic failed login messages that do not indicate whether the user-id or password was incorrect  Enforce account lockout after a pre-determined number of failed login attempts  Force re-authentication at critical application boundaries edit email, edit profile, edit finance info, ship to new address, change password, etc.  Implement server-side enforcement of credential syntax and strength March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 25
(6) Forgot Password Secure Design  Require identity and security questions  Last name, account number, email, DOB  Enforce lockout policy  Ask one or more good security questions  http://www.goodsecurityquestions.com/  Send the user a randomly generated token via out-of-band method  email, SMS or token  Verify code in same web session  Enforce lockout policy  Change password  Enforce password policy March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 26
(7) Session Defenses  Ensure secure session ID’s 20+ bytes, cryptographically random Stored in HTTP Cookies Cookies: Secure, HTTP Only, limited path  Generate new session ID at login time To avoid session fixation  Session Timeout Idle Timeout Absolute Timeout Logout Functionality March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 27
(8) Clickjacking Defense  Standard Option: X-FRAME-OPTIONS Header // to prevent all framing of this content response.addHeader( "X-FRAME-OPTIONS", "DENY" ); // to allow framing of this content only by this site response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );  Frame-breaking Script defense: <style id="antiClickjack">body{display:none}</style> <script type="text/javascript"> if (self == top) { var antiClickjack = document.getElementByID("antiClickjack"); antiClickjack.parentNode.removeChild(antiClickjack) } else { top.location = self.location; } </script> March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 28
(9a) Secure Password Storage public String hash(String plaintext, String salt, int iterations) throws EncryptionException { byte[] bytes = null; try { MessageDigest digest = MessageDigest.getInstance(hashAlgorithm); digest.reset(); digest.update(ESAPI.securityConfiguration().getMasterSalt()); digest.update(salt.getBytes(encoding)); digest.update(plaintext.getBytes(encoding)); // rehash a number of times to help strengthen weak passwords bytes = digest.digest(); for (int i = 0; i < iterations; i++) { digest.reset(); bytes = digest.digest(bytes); } String encoded = ESAPI.encoder().encodeForBase64(bytes,false); return encoded; } catch (Exception ex) { throw new EncryptionException("Internal error", "Error"); }} March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 29
(9b) Password Security Defenses Disab le Browser Autocomplete  <form AUTOCOMPLETE="off”>  <input AUTOCOMPLETE="off”> Pass word and form fields  Input type=password Additi onal password securityManico and Eoin Keary March 2012 Top Ten Controls v4.1 Jim Page 30
(10) Encryption in Transit (TLS)  Authentication credentials and session identifiers must me be encrypted in transit via HTTPS/SSL Starting when the login form is rendered Until logout is complete All other sensitive data should be protected via HTTPS!  https://www.ssllabs.com free online assessment of public facing server HTTPS configuration  https://www.owasp.org/index.php/Transport_Layer_Protection_ for HTTPS best practices March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 31

More Related Content

PDF
New Methods in Automated XSS Detection & Dynamic Exploit Creation
byKen Belva
 
PPT
Top Ten Web Defenses - DefCamp 2012
byDefCamp
 
PDF
Complete xss walkthrough
byAhmed Elhady Mohamed
 
PDF
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
byFelipe Prado
 
PPT
XSS Primer - Noob to Pro in 1 hour
bysnoopythesecuritydog
 
PPTX
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
byVladimir Kochetkov
 
PPT
Php Security By Mugdha And Anish
byOSSCube
 
PPTX
Web Application Security in front end
byErlend Oftedal
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
byKen Belva
 
Top Ten Web Defenses - DefCamp 2012
byDefCamp
 
Complete xss walkthrough
byAhmed Elhady Mohamed
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
byFelipe Prado
 
XSS Primer - Noob to Pro in 1 hour
bysnoopythesecuritydog
 
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
byVladimir Kochetkov
 
Php Security By Mugdha And Anish
byOSSCube
 
Web Application Security in front end
byErlend Oftedal
 

What's hot

PPTX
W3 conf hill-html5-security-realities
byBrad Hill
 
PDF
The Ultimate IDS Smackdown
byMario Heiderich
 
PDF
Locking the Throneroom 2.0
byMario Heiderich
 
PDF
Application Security around OWASP Top 10
bySastry Tumuluri
 
PDF
The Future of Web Attacks - CONFidence 2010
byMario Heiderich
 
PDF
PHP Secure Programming
byBalavignesh Kasinathan
 
PDF
A XSSmas carol
bycgvwzq
 
PDF
CIS14: Developing with OAuth and OIDC Connect
byCloudIDSummit
 
PDF
Introduction to Cross Site Scripting ( XSS )
byIrfad Imtiaz
 
PDF
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
byMoscowJS
 
PPTX
Web application Security
byLee C
 
PPT
Php & Web Security - PHPXperts 2009
bymirahman
 
PDF
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
PDF
Thug: a new low-interaction honeyclient
byAngelo Dell'Aera
 
PPTX
Cross site scripting
byDilan Warnakulasooriya
 
PPTX
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
byCODE BLUE
 
PDF
2016 pycontw web api authentication
byMicron Technology
 
PDF
In the DOM, no one will hear you scream
byMario Heiderich
 
PPT
Xss talk, attack and defense
byPrakashchand Suthar
 
PDF
RoadSec 2017 - Trilha AppSec - APIs Authorization
byErick Belluci Tedeschi
 
W3 conf hill-html5-security-realities
byBrad Hill
 
The Ultimate IDS Smackdown
byMario Heiderich
 
Locking the Throneroom 2.0
byMario Heiderich
 
Application Security around OWASP Top 10
bySastry Tumuluri
 
The Future of Web Attacks - CONFidence 2010
byMario Heiderich
 
PHP Secure Programming
byBalavignesh Kasinathan
 
A XSSmas carol
bycgvwzq
 
CIS14: Developing with OAuth and OIDC Connect
byCloudIDSummit
 
Introduction to Cross Site Scripting ( XSS )
byIrfad Imtiaz
 
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
byMoscowJS
 
Web application Security
byLee C
 
Php & Web Security - PHPXperts 2009
bymirahman
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
Thug: a new low-interaction honeyclient
byAngelo Dell'Aera
 
Cross site scripting
byDilan Warnakulasooriya
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
byCODE BLUE
 
2016 pycontw web api authentication
byMicron Technology
 
In the DOM, no one will hear you scream
byMario Heiderich
 
Xss talk, attack and defense
byPrakashchand Suthar
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
byErick Belluci Tedeschi
 

Similar to Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP Göteborg

PPT
Security Tech Talk
byMallikarjun Reddy
 
PPTX
Hackers versus Developers and Secure Web Programming
byAkash Mahajan
 
PPT
Top Ten Web Application Defenses v12
byJim Manico
 
PPTX
Top Ten Java Defense for Web Applications v2
byJim Manico
 
PDF
Rich Web App Security - Keeping your application safe
byJeremiah Grossman
 
PDF
Security Vulnerabilities: How to Defend Against Them
byMartin Vigo
 
PDF
Web Security Threats and Solutions
byIvo Andreev
 
PPTX
04. xss and encoding
byEoin Keary
 
PPT
Intro to Web Application Security
byRob Ragan
 
PDF
Owasp Top 10
byGaurav Narwani
 
ODP
a
bySandeep Kumar
 
PDF
The top 10 security issues in web applications
byDevnology
 
PDF
Crash Course In Brain Surgery
bymorisson
 
PDF
Ultimate xss
byARahim Özel
 
PDF
2 Roads to Redemption - Thoughts on XSS and SQLIA
byguestfdcb8a
 
PDF
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
PPT
Same Origin Policy Weaknesses
bykuza55
 
PDF
Ch 12 Attacking Users - XSS
bySam Bowne
 
PDF
Making Web Development "Secure By Default"
byDuo Security
 
Security Tech Talk
byMallikarjun Reddy
 
Hackers versus Developers and Secure Web Programming
byAkash Mahajan
 
Top Ten Web Application Defenses v12
byJim Manico
 
Top Ten Java Defense for Web Applications v2
byJim Manico
 
Rich Web App Security - Keeping your application safe
byJeremiah Grossman
 
Security Vulnerabilities: How to Defend Against Them
byMartin Vigo
 
Web Security Threats and Solutions
byIvo Andreev
 
04. xss and encoding
byEoin Keary
 
Intro to Web Application Security
byRob Ragan
 
Owasp Top 10
byGaurav Narwani
 
a
bySandeep Kumar
 
The top 10 security issues in web applications
byDevnology
 
Crash Course In Brain Surgery
bymorisson
 
Ultimate xss
byARahim Özel
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
byguestfdcb8a
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
Same Origin Policy Weaknesses
bykuza55
 
Ch 12 Attacking Users - XSS
bySam Bowne
 
Making Web Development "Secure By Default"
byDuo Security
 

Recently uploaded

PDF
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
PPTX
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
PPTX
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
PDF
PCCC25(設立25年記念PCクラスタシンポジウム):エヌビディア合同会社 テーマ2「NVIDIA BlueField-4 DPU」
byPC Cluster Consortium
 
PDF
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
PDF
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
PDF
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PDF
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
PPTX
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
PPTX
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
PDF
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
PDF
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
PDF
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
PPTX
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
PDF
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
PDF
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
PDF
Crane Accident Prevention Guide: Key OSHA Regulations for Safer Operations
bySharpEagle Technology
 
PDF
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
PCCC25(設立25年記念PCクラスタシンポジウム):エヌビディア合同会社 テーマ2「NVIDIA BlueField-4 DPU」
byPC Cluster Consortium
 
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
Crane Accident Prevention Guide: Key OSHA Regulations for Safer Operations
bySharpEagle Technology
 
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 

Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP Göteborg

  • 1.
    Top 10 WebSecurity Controls March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 1
  • 2.
    (1) Query Parameterization(PHP PDO) $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)"); $stmt->bindParam(':name', $name); $stmt->bindParam(':value', $value); March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 2
  • 3.
    Query Parameterization (.NET) SqlConnectionobjConnection = new SqlConnection(_ConnectionString); objConnection.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection); objCommand.Parameters.Add("@Name", NameTextBox.Text); objCommand.Parameters.Add("@Password", PasswordTextBox.Text); SqlDataReader objReader = objCommand.ExecuteReader(); if (objReader.Read()) { ... March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 3
  • 4.
    Query Parameterization (Java) doublenewSalary = request.getParameter(“newSalary”) ; int id = request.getParameter(“id”); PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?"); pstmt.setDouble(1, newSalary); pstmt.setInt(2, id); Query safeHQLQuery = session.createQuery("from Inventory where productID=:productid"); safeHQLQuery.setParameter("productid", userSuppliedParameter); March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 4
  • 5.
    Query Parameterization (Ruby) #Create Project.create!(:name => 'owasp') # Read Project.all(:conditions => "name = ?", name) Project.all(:conditions => { :name => name }) Project.where("name = :name", :name => name) # Update project.update_attributes(:name => 'owasp') # Delete Project.delete(:name => 'name') March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 5
  • 6.
    Query Parameterization (ColdFusion) <cfquery name="getFirst" dataSource="cfsnippets"> SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID = <cfqueryparam value=#intCourseID# CFSQLType="CF_SQL_INTEGER"> </cfquery> March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 6
  • 7.
    Query Parameterization (PERL) my$sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )”; my $sth = $dbh->prepare( $sql ); $sth->execute( $bar, $baz ); March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 7
  • 8.
    XSS: Why soSerious? Session hijacking Site defacement Network scanning Undermining CSRF defenses Site redirection/phishing Load of remotely hosted scripts Data theft Keystroke logging March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 8
  • 9.
    Danger: Multiple Contexts Browsershave multiple contexts that must be considered! March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 9
  • 10.
    XSS in HTMLAttributes < i n p u t typ e = "te x t" n am e = "c o m m e n ts ” valu e = "U N T R U S T E D D AT A"> < i n p u t typ e = "te x t" n am e = "c o m m e n ts " valu e = "h e llo " o n m o u s e o ve r= "/* fi re attac k * /">  Attackers can add event handlers:  onMouseOver  onLoad  onUnLoad  etc… March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 10
  • 11.
    XSS in SourceAttribute  User input often winds up in src attribute  Tags such as < i m g s rc = ""> < i fram e s rc = "">  Example Request: h ttp ://e x am p le .c o m /vi e w I m ag e ? i m ag e n am e = m ym ap .jp g  Attackers can use javascript:/*attack*/ in src attributes March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 11
  • 12.
    URL Parameter Escaping  Escape all non alpha-num characters with the %HH format < a h re f= “/s e arc h ?d ata= U N T R U S T E D D AT A”>  Be careful not to allow untrusted data to drive entire URL’s or URL fragments  This encoding only protects you from XSS at the time of rendering the link  Treat DATA as untrusted after submitted March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 12
  • 13.
    XSS in theStyle Tag  Applications sometimes take user data and use it to generate presentation style U R L p aram e te r w ri tte n w i th i n s tyle tag  Consider this example: h ttp ://e x am p le .c o m /vi e w D o c u m e n t?b ac k g ro u n d = w h i te March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 13
  • 14.
    CSS Pwnage TestCase < d i v s tyle = "w i d th : < % = te m p 3% > ;"> M o u s e o ve r < / d i v> temp3 = ESAPI.encoder().encodeForCSS("expression(alert (String.fromCharCode (88,88,88)))"); < d i v s tyle = "w i d th : e x p re s s i o n 2 8 ale rt2 8 S tri n g 2 e fro m C h arC o d e 2 0 2 8 882 c 882 c 882 9 2 9 2 9 ;"> M o u s e o ve r < /d i v>  Pops in at least IE6 and IE7. li s ts .o w as p .o rg /p i p e rm ai l/o w as p -e s ap i /2 009- F e b ru ary/000405 .h tm l March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 14
  • 15.
    Javascript Context  Escape all non alpha-num characters with the xHH format <script>var x='U N T R U S T E D D AT A';</script>  You're now protected from XSS at the time data is assigned  What happens to x after you assign it? March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 15
  • 16.
    Best Practice: DOMBased XSS Defense  Untrusted data should only be treated as displayable text  JavaScript encode and delimit untrusted data as quoted strings  Use document.createElement("…"), element.setAttribute("…","value"), element.appendChild(…), etc. to build dynamic interfaces  Avoid use of HTML rendering methods  Understand the dataflow of untrusted data through your JavaScript code. If you do have to use the methods above remember to HTML and then JavaScript encode the untrusted data  Avoid passing untrusted data to eval(), setTimeout() etc.  Don’t eval() JSON to convert it to native JavaScript objects. Instead use JSON.toJSON() and JSON.parse()  Run untrusted scripts in a sandbox (ECMAScript canopy, HTML 5 frame sandbox, etc) March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 16
  • 17.
    (2) XSS Defenseby Data Type and Context Data Type Context Defense String HTML Body HTML Entity Encode String HTML Attribute Minimal Attribute Encoding String GET Parameter URL Encoding String Untrusted URL URL Validation, avoid javascript: URL’s, Attribute encoding, safe URL verification String CSS Strict structural validation, CSS Hex encoding, good design HTML HTML Body HTML Validation (JSoup, AntiSamy, HTML Sanitizer) Any DOM DOM XSS Cheat sheet Untrusted JavaScript Any Sandboxing JSON Client parse time JSON.parse() or json2.js Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 17
  • 18.
    Attacks on AccessControl Vertical Access Control Attacks  A standard user accessing administration functionality  “Privilege Escalation” Horizontal Access Control attacks  Same role, but accessing another user's private data Business Logic Access Control Attacks  Abuse of workflow March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 18
  • 19.
    Best Practice: Codeto the Activity if (AC.hasAccess(ARTICLE_EDIT, NUM)) { //execute activity } Code it once, never needs to change again Implies policy is persisted/centralized in some way Requires more design/work up front to get right March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 19
  • 20.
    Best Practice: Usea Centralized Access Controller In Presentation Layer if (ACL.isAuthorized(VIEW_LOG_PANEL)) { <h2>Here are the logs</h2> <%=getLogs();%/> } In Controller try (ACL.assertAuthorized(DELETE_USER)) { deleteUser(); } March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 20
  • 21.
    (3) Access ControlPositive Patterns Code to the activity, not the role Centralize access control logic Design access control as a filter Fail securely (deny-by-default) Apply same core logic to presentation and server- side access control decisions Server-side trusted data should drive access control Provide privilege and user grouping for better management Isolate administrative features and access March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 21
  • 22.
    Anatomy of anCSRF Attack Consider a consumer banking application that contains the following form <form action=“https://bank.com/Transfer.asp” method=“POST” id=“form1”> <p>Account Num: <input type=“text” name=“acct” value=“13243”/></p> <p>Transfer Amt: <input type=“text” name=“amount” value=“1000” /></p> </form> <script>document.getElementById(‘form1’).submit(); </script> March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 22
  • 23.
    (4) Cross SiteRequest Forgery Defenses Cryptographic Tokens Primary and most powerful defense. Randomness is your friend. Request that cause side effects should use (and require) the POST method Alone, this is not sufficient Require users to re-authenticate Amazon.com does this *really* well Double-cookie submit Decent defense, but no based on randomness, based on SOP March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 23
  • 24.
    Authentication Dangers Weak password LoginBrute Force Username Harvesting Session Fixation Weak or Predictable Session Plaintext or poor password storage Weak "Forgot Password” feature Weak "Change Password” feature Credential or session exposure in transit via network sniffing Session Hijacking via XSS March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 24
  • 25.
    (5) Authentication Defenses 2FA  Develop generic failed login messages that do not indicate whether the user-id or password was incorrect  Enforce account lockout after a pre-determined number of failed login attempts  Force re-authentication at critical application boundaries edit email, edit profile, edit finance info, ship to new address, change password, etc.  Implement server-side enforcement of credential syntax and strength March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 25
  • 26.
    (6) Forgot PasswordSecure Design  Require identity and security questions  Last name, account number, email, DOB  Enforce lockout policy  Ask one or more good security questions  http://www.goodsecurityquestions.com/  Send the user a randomly generated token via out-of-band method  email, SMS or token  Verify code in same web session  Enforce lockout policy  Change password  Enforce password policy March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 26
  • 27.
    (7) Session Defenses Ensure secure session ID’s 20+ bytes, cryptographically random Stored in HTTP Cookies Cookies: Secure, HTTP Only, limited path  Generate new session ID at login time To avoid session fixation  Session Timeout Idle Timeout Absolute Timeout Logout Functionality March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 27
  • 28.
    (8) Clickjacking Defense Standard Option: X-FRAME-OPTIONS Header // to prevent all framing of this content response.addHeader( "X-FRAME-OPTIONS", "DENY" ); // to allow framing of this content only by this site response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );  Frame-breaking Script defense: <style id="antiClickjack">body{display:none}</style> <script type="text/javascript"> if (self == top) { var antiClickjack = document.getElementByID("antiClickjack"); antiClickjack.parentNode.removeChild(antiClickjack) } else { top.location = self.location; } </script> March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 28
  • 29.
    (9a) Secure PasswordStorage public String hash(String plaintext, String salt, int iterations) throws EncryptionException { byte[] bytes = null; try { MessageDigest digest = MessageDigest.getInstance(hashAlgorithm); digest.reset(); digest.update(ESAPI.securityConfiguration().getMasterSalt()); digest.update(salt.getBytes(encoding)); digest.update(plaintext.getBytes(encoding)); // rehash a number of times to help strengthen weak passwords bytes = digest.digest(); for (int i = 0; i < iterations; i++) { digest.reset(); bytes = digest.digest(bytes); } String encoded = ESAPI.encoder().encodeForBase64(bytes,false); return encoded; } catch (Exception ex) { throw new EncryptionException("Internal error", "Error"); }} March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 29
  • 30.
    (9b) Password SecurityDefenses Disab le Browser Autocomplete  <form AUTOCOMPLETE="off”>  <input AUTOCOMPLETE="off”> Pass word and form fields  Input type=password Additi onal password securityManico and Eoin Keary March 2012 Top Ten Controls v4.1 Jim Page 30
  • 31.
    (10) Encryption inTransit (TLS)  Authentication credentials and session identifiers must me be encrypted in transit via HTTPS/SSL Starting when the login form is rendered Until logout is complete All other sensitive data should be protected via HTTPS!  https://www.ssllabs.com free online assessment of public facing server HTTPS configuration  https://www.owasp.org/index.php/Transport_Layer_Protection_ for HTTPS best practices March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 31

Editor's Notes

  • #4 March 25, 2012 ©2007 Ernst &amp; Young Advanced Security Center
  • #5 March 25, 2012 ©2007 Ernst &amp; Young Advanced Security Center
  • #6 March 25, 2012 ©2007 Ernst &amp; Young Advanced Security Center
  • #7 March 25, 2012 ©2007 Ernst &amp; Young Advanced Security Center
  • #8 March 25, 2012 ©2007 Ernst &amp; Young Advanced Security Center
  • #11 1 -
  • #12 2/1/12 ©2007 Ernst &amp; Young Advanced Security Center
  • #13 1 -
  • #15 1 -
  • #16 1 -
  • #17 Need to expand this section!
  • #23 March 25, 2012 ©2007 Ernst &amp; Young Advanced Security Center
  • #24 March 25, 2012 ©2007 Ernst &amp; Young Advanced Security Center
  • #26 March 25, 2012 ©2007 Ernst &amp; Young Advanced Security Center
  • #28 &gt; OUTLINE &gt; &gt; 1) Authentication, session management, and access control &gt;    - Pre and post authentication session IDs &gt;    - Session ID (temporary) equivalent to the strongest authentication method &gt;    (point to authentication cheatsheet) &gt; &gt; 2) Session ID secure properties &gt; 2.1) Session ID name fingerprinting &gt; 2.1) Session ID length &gt; 2.2) Session ID entropy &gt; 2.3) Session ID content &gt; 2.4) Cryptographically strong session id &gt; 2.5) Recommendations for a secure session management database &gt; &gt; 3) Session ID exchange mechanisms &gt; 3.1) Used vs. accepted session ID exchange mechanisms &gt; &gt; 4) Session ID sent via cookies &gt; 4.1) HTTPonly cookies &gt;    (point to XSS cheatsheet) &gt; 4.2) Secure cookies &gt;    (point to TLS cheatsheet) &gt; 4.3) Domain and path cookie attributes &gt; 4.4) Expire attribute &gt; 4.5) CSRF implications of cookies &gt;    (point to CSRF cheatsheet) &gt; 4.6) Cross-Site Tracing (XST) prevention &gt; 4.7) HTTP response splitting prevention &gt; 4.8) Cookie META tag prevention ???? &gt; &gt; 5) Session ID initial verification &gt; 5.1) Permissive and strict session management &gt; 5.2) Treat session ID as any other user input &gt; &gt; 6) Renew the session ID after any privilege level change &gt; &gt; 7) Session expiration (on both client and server) &gt; 7.1) Automatic session expiration &gt; 7.1.1) Idle timeout &gt; 7.1.2) Absolute timeout &gt; 7.2) Manual session expiration &gt; 7.2.1) Logout button &gt; 7.2.2) Javascript logout on window close &gt; 7.2.3) Features for disabling session cross-tab &gt; &gt; 8) Session hijacking detection &gt; 8.1) Binding the session ID to other user properties &gt; 8.2) Logging: Monitoring creation, life cycle, and destruction of session IDs &gt; 8.3) Are multiple simultaneous logons allowed? &gt; 8.4) Session management WAF protections &gt;