Application Security around OWASP Top 10

1
Many thanks (content & inspiration) to:
Jim Manico, Eoin Keary & Troy Hunt

WARNING
This is an awareness document.
There are more than 10 issues.
You cannot secure an application
based on a top ten list.

$NEW_EMAIL = Request['new_email'];
update users set email='$NEW_EMAIL'
where id=132005;
SQL Injection

1. WHAT IF: $NEW_EMAIL = ';
2. update users set email='$NEW_EMAIL'
where id=132005;
3. update users set email='';--'
where id=132005;
SQL Injection

$stmt = $dbh->prepare(”update users set
email=:new_email where id=:user_id”);
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
Query Parameterization
(PHP PDO)

SqlConnection objConnection = new
SqlConnection(_ConnectionString);
objConnection.Open();
SqlCommand objCommand = new SqlCommand(
"SELECT * FROM User WHERE Name = @Name
AND Password = @Password",
objConnection);
objCommand.Parameters.Add("@Name",
NameTextBox.Text);
objCommand.Parameters.Add("@Password",
PassTextBox.Text);
SqlDataReader objReader =
objCommand.ExecuteReader();
(.NET)

String newName = request.getParameter("newName");
String id = request.getParameter("id");
//SQL
PreparedStatement pstmt = con.prepareStatement("UPDATE
EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);
//HQL
Query safeHQLQuery = session.createQuery("from
Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);
(Java)

# Create
Project.create!(:name => 'owasp')
# Read
Project.all(:conditions => "name = ?", name)
Project.all(:conditions => { :name => name })
Project.where("name = :name", :name => name)
Project.where(:id=> params[:id]).all
# Update
Project.update_attributes(:name => 'owasp')
Query Parameterization Failure
(RoR)

Disable Browser Autocomplete
<form AUTOCOMPLETE="off">
<input AUTOCOMPLETE="off">
Only send passwords over HTTPS POST
Do not display passwords in browser
Input type=password
Store password based on need
Use a salt (de-duplication)
SCRYPT/PBKDF2 (slow, performance hit, easy)
HMAC (requires good key storage, tough)
[2][2]Password Defenses

1) Do not limit the type of characters or
length*
of user password
•) Limiting passwords to protect against
injection is doomed to failure
•) Use proper encoder and other defenses
described instead
Password Storage

2) Use a Cryptographically strong
credential-specific salt
•) Protect ([salt] + [password]);
•) Use a 32 char / 64 char salt
(may depend on protection function)
•) Do not depend on hiding / splitting /
otherwise obscuring the salt
Password Storage

3) Impose difficult verification on attacker
ONLY
•) HMAC-SHA256 ([private key], [salt] + [password])
•) Protect the key as any private key
•) Store key outside the credential store (
•) Improvement over (solely) salted schemes; relies on
proper key creation & management
Password Storage

4) Impose difficult verification on both
(impacts attacker more than defender)
•) pbkdf2([salt] + [password], c=10,000,000);
•) PBKDF2 when FIPS certification or
enterprise support on many platforms
required
•) Scrypt when resisting hardware accelerated
attacks is more important
Password Storage

Basic MFA Considerations
17
• Where do you send the token?
– Email (worst – yet, better than none!)
– SMS (ok)
– Mobile native app (good)
– Dedicated token (great)
– Printed Tokens (interesting)
• How do you handle thick clients?
– Email services, for example
– Dedicated and strong per-app passwords

Basic MFA Considerations
18
• How do you handle unavailable MFA devices?
– Printed back-up codes
– Fallback mechanism (like email)
– Call-in center
• How do you handle mobile apps?
– When is MFA not useful in mobile app scenarios?

“Forgot Password” design
Require identity questions
Last name, account number, email, DOB
Enforce lockout policy
Ask one or more good security questions
https://www.owasp.org/index.php/Choosing_and_Using_Security_Ques
tions_Cheat_Sheet
Send the user a randomly generated token via out-of-band
email, SMS or hardware / software token generator
Verify code in same web session
Enforce lockout policy
Change password
Enforce password policy

21
Video
[3][3]Cross Site Scripting (XSS)

Impact of XSS
– Session Hijacking
– Site Defacement
– Network Scanning
– Undermining CSRF Defenses
– Site Redirection/Phishing
– Load of Remotely Hosted Scripts
– Data Theft
– Keystroke Logging
– Attackers using XSS more frequently

XSS Prevention (.NET)
• WebForms/WebForms View Engine <%=Server.HtmlEncode(data)%>
• WebForms v4.0+ <%data%>
• MVC3+ Razor View Engine @data
• Data Binding in Web Forms v4 and below
<%#Server.HtmlEncode(Eval(“property”))%>
• Data Binding in v4.5 <%#Item.Property%>
• Better: ASP.Net 3.5 and below use AntiXss library directly
Microsoft.Security.Application.Encoder.HtmlEncode(message)

XSS Prevention (.NET)
• ASP.Net 4 (WebForms and MVC) <httpRuntime encoderType=
“Microsoft.Security.Application.AntiXssEncoder,AntiXssLibr
ary”/>
• ASP.Net 4.5 (AntiXss included in this version!)
<httpRuntime
encoderType=”System.WebSecurity.AntiXssEncoder,
System.Web, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a”/>
• JSON(MVC) Json.Encode(Model)
• Javascript encoding using AntiXss
Encoder.JavaScriptEncode(Model.FirstName)

• No third party libraries or configuration necessary
• This code was designed for high-availability/high-
performance encoding functionality
• Simple drop-in encoding functionality
• Performance, ESAPI integration
• More complete API (uri and uri component encoding,
etc) in some regards
• Java 1.5+
• Last updated January 30, 2014 (version 1.1.1)
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
OWASP Java Encoder Project

Web Page built in Java JSP is vulnerable to XSSWeb Page built in Java JSP is vulnerable to XSS
Problem
Solution
1) <input type="text" name="data" value="<%=
Encode.forHtmlAttribute(dataValue) %>" />
2) <textarea name="text"><%= Encode.forHtmlContent(textValue) %>" />
3) <button
onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">
click me
</button>
4) <script type="text/javascript">
var msg = "<%= Encode.forJavaScriptBlock(message) %>";
alert(msg);
</script>

HTML Contexts
Encode#forHtmlContent(String)
Encode#forHtmlAttribute(String)
Encode#forHtmlUnquotedAttribute
(String)
XML Contexts
Encode#forXml(String)
Encode#forXmlContent(String)
Encode#forXmlAttribute(String)
Encode#forXmlComment(String)
Encode#forCDATA(String)
CSS Contexts
Encode#forCssString(String)
Encode#forCssUrl(String)
JavaScript Contexts
Encode#forJavaScript(String)
Encode#forJavaScriptAttribute(String)
Encode#forJavaScriptBlock(String)
Encode#forJavaScriptSource(String)
URI/URL contexts
Encode#forUri(String)
Encode#forUriComponent(String)

Other Encoding Libraries
• Ruby on Rails
– http://api.rubyonrails.org/classes/ERB/Util.html
• Reform Project
– Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP
– https://www.owasp.org/index.php/Category:OWASP_Encodin
g_Project
• ESAPI
– PHP.NET, Python, Classic ASP, Cold Fusion
– https://www.owasp.org/index.php/Category:OWASP_Enterpri
se_Security_API
• .NET AntiXSS Library
– http://wpl.codeplex.com/releases/view/80289

• Writte in Java; lets you include HTML authored by third-parties in
your web application while protecting against XSS
• Has an extensive test suite, and has undergone adversarial
security review
https://code.google.com/p/owasp-java-html-sanitizer/wiki/At
tackReviewGroundRules
• Very easy to use
• Allows for simple programmatic POSITIVE policy configuration.
No XML config.
• << Caja project (Google)
High performance & low memory utilization
OWASP HTML Sanitizer Project
https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project

Web Page is vulnerable to XSS because of untrusted HTMLWeb Page is vulnerable to XSS because of untrusted HTML
PolicyFactory policy = new HtmlPolicyBuilder()
.allowElements("a")
.allowUrlProtocols("https")
.allowAttributes("href").onElements("a")
.requireRelNofollowOnLinks()
.build();
String safeHTML = policy.sanitize(untrustedHTML);
PolicyFactory policy = new HtmlPolicyBuilder()
.allowElements("a")
.allowUrlProtocols("https")
.allowAttributes("href").onElements("a")
.requireRelNofollowOnLinks()
.build();
String safeHTML = policy.sanitize(untrustedHTML);
Solving real world problems
(using OWASP HTML Sanitizer)
Problem
Solution

• Pure JavaScript
– http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer
• Python
– https://pypi.python.org/pypi/bleach
• PHP
– http://htmlpurifier.org/
– http://www.bioinformatics.org/phplabware/internal_utilities/htm
Lawed/
• .NET
– AntiXSS.getSafeHTML/getSafeHTMLFragment
– http://htmlagilitypack.codeplex.com/
• Ruby on Rails
– http://api.rubyonrails.org/classes/HTML.html
Other HTML Sanitizers

• JavaScript encode and delimit untrusted data as quoted
strings
• Avoid use of HTML rendering methods like innerHTML
– If you must do this, then sanitize untrusted HTML first
• Avoid code execution contexts
– eval(), setTimeout() or event handlers
• When possible, treat untrusted data as display text only
• To build dynamic interfaces, use
document.createElement("…"),
element.setAttribute("…","value"),
element.appendChild(…)
• Parse JSON with JSON.parse in the browser
DOM-based XSS Defense


SAFE use of JQuery

$(‘#element’).text(UNTRUSTED DATA);

UNSAFE use of JQuery

$(‘#element’).html(UNTRUSTED DATA);

39
[4][4]Insecure Direct Object Reference

40
Using fiddler an
attacker can
change the id and
access more
information
Insecure Direct Object Reference

41
We need to change the method signature (the ID is now a GUID), then translate it
back to the original, direct reference before going any further:
public Customer GetCustomer(Guid indirectId)
{ var customerId =
IndirectReferenceMap.GetDirectReference(indirectId); }
Insecure Direct Object Reference

[5][5]Security Misconfiguration
Is it really the developers' work? Or the sysadmins?
If the developers don't know, how will the application
security design be complete?
What about configuring in Dev & Testing environments?

• Harden the Operating System
– BIOS & grub passwords; secure physical access
– Use multiple partitions (not default install); use options like
ro, nosuid,noexec,nodev --make-runbindable ...
– Remove all unnecessary packages & drivers (e.g., do you
really need Xorg? All those fonts?)
– Lockdown others (cron, USB detect, IPv6, ctrl-alt-del,
– SSH password-less login with SSH keygen
– Enable ufw / iptables / … and a HIDS >> turn on remote
logging
– Oh yeah, regular patches & updates (wait!)
– Regular backups!
Hardening the servers (general)

• Run Tomcat under a Security Manager
– http://tomcat.apache.org/tomcat-6.0-doc/security-manage
r-howto.html
– Modify $CATALINA_BASE/conf/catalina.policy
PropertyPermission, RuntimePermission, FilePermission,
SocketPermission, NetPermission, ReflectPermission, …
– Configure package access (careful! test & debug!)
$CATALINA_BASE/conf/catalina.properties
– Restart Tomcat
$CATALINA_HOME/bin/catalina.sh start -security
(Unix)
%CATALINA_HOME%bincatalina start -security
(Windows)
Secure Config Tips (Tomcat)

• More tips
– http://www.tomcatexpert.com/blog/2011/11/02/best-
practices-securing-apache-tomcat-7
– Use Security LifeCycle Listener
– Lockdown connector interfaces
– Disable shutdown port?
– Secure your Web Manager
– Configure AccessLogValve and RemoteAddrValve
Secure Config Tips (Tomcat)

• Similar principles as Tomcat
– Use the Java Security Manager
– Configure policies and access permissions
– Use Security Realms
– Disable remote access to JMX
– Configure TLS (SSL?) carefully
remove old protos, weak crypto, renego, legacy support, etc.
– Secure the Management interfaces (disable HTTP mgmt?)
– ...
Secure Config Tips (JBOSS)

5 things to remember here :
• Error Handling (Enable Custom Errors)
• Disable TRACE
Securing web.config

• Disable Debugging
• HTTP Only cookies
Securing web.config

• Session State- UseCookies
Securing web.config

• Steps :
– Go to
“C:WindowsMicrosoft.NETFrameworkv4.0.30319”
using command prompt.
aspnet_regiis.exe -pe "connectionStrings" “<path
of Web.Config>”
• Decrypting the web.config
– Go to the same path
aspnet_regiis.exe -pd "connectionStrings" “<path
of Web.Config>”
Encrypting web.config

• Before Encrypting
References
http://www.owasp.org
http://
www.codeproject.com/Tips/795135/Encrypt-ConnectionString-in-Web-Config

55
[6][6]Sensitive Data Exposure

[8][8]
<img src="https://google.com/logo.png">
<img src="https://google.com/deleteMail/7/confirm=true">
<form method="POST" action="https://mybank.com/transfer">
<input type="hidden" name="account" value="23532632"/>
<input type="hidden" name="amount" value="1000"/>
</form>
<script>document.forms[0].submit()</script>
Cross Site Request Forgery

57
How many are already “logged in”?
Waiting to update your status, accept your credit card or email your friends
What if another tab manages to send a request?
What about others with the “remember me” checkbox?
No need for tab to be open... just send a request and they'll happily accept!
How many tabs on your browser?

59
Using fiddler we get the JSON

62
To add the anti-forgery tokens to a Razor page, use the HtmlHelper.AntiForgeryToken helper
method:
@using (Html.BeginForm("Manage", "Account"))
{ @Html.AntiForgeryToken() }
This method adds the hidden form field and also sets the cookie token.
<script>
@functions
{
public string TokenHeaderValue()
{
string cookieToken, formToken;
AntiForgery.GetTokens(null, out cookieToken, out formToken);
return cookieToken + ":" + formToken;
}
}
$.ajax("api/values", { type: "post", contentType: "application/json", data: { }, // JSON
data goes here dataType: "json", headers: { 'RequestVerificationToken':
'@TokenHeaderValue()' } }); </script>
Anti-Forgery Tokens

63
void ValidateRequestHeader
(HttpRequestMessage request)
{
string cookieToken = "";
string formToken = "";
IEnumerable<string> tokenHeaders;
if (request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders))
{
string[] tokens = tokenHeaders.First().Split(':');
if (tokens.Length == 2)
{
cookieToken = tokens[0].Trim(); formToken = tokens[1].Trim();
}
}
AntiForgery.Validate(cookieToken, formToken); }

if ((user.isManager() ||
user.isAdministrator() ||
user.isEditor()) &&
(user.id() != 1132)) {
//execute action
}
How do you change the policy of this code?
[7][7] Access Control

• Authorization: The process where a system determines
whether a specific user has access to a resource
• Permission: Represents app behavior only
• Entitlement: What a user is actually allowed to do
• Principle/User: Who/what you are entitling
• Implicit Role: Named permission, user associated
– if (user.isRole(“Manager”));
• Explicit Role: Named permission, resource associated
– if (user.isAuthorized(“report:view:3324”);
What is Access Control

• Hard-coded role checks in application code
• Lack of centralized access control logic
• Untrusted data driving access control decisions
• Access control that is “open by default”
• Lack of addressing horizontal access control in a
standardized way (if at all)
• Access control logic that needs to be manually added to
every endpoint in code
• Access Control that is “sticky” per session
• Access Control that requires per-user policy
Access Control DON'Ts

• Vertical Access Control Attacks
– A standard user accessing administration
functionality
• Horizontal Access Control Attacks
– Same role, but accessing another user's private
data
• Business Logic Access Control Attacks
– Abuse of one or more linked activities that
collectively realize a business objective
Attacks on Access Control

• Loss of accountability
– Attackers maliciously execute actions as other
users
– Attackers maliciously execute higher level
actions
• Disclosure of confidential data
– Compromising admin-level accounts often
results in access to user’s confidential data
• Data tampering
– Privilege levels do not distinguish users who can
only view data and users permitted to modify
data
Impact of poor Access Control

• Apache Shiro is a powerful and easy to use Java security
framework
• Offers developers an intuitive yet comprehensive
solution to authentication, authorization, cryptography,
and session management
• Built on sound interface-driven design and OO principles
• Enables custom behavior
• Sensible and secure defaults for everything
Apache SHIRO
http://shiro.apache.org/

Web Application needs secure access control mechanismWeb Application needs secure access control mechanism
if ( currentUser.isPermitted( "lightsaber:wield" ) ) {
log.info("You may use a lightsaber ring. Use it wisely.");
} else {
log.info("Sorry, lightsaber rings are for schwartz masters
only.");
}
if ( currentUser.isPermitted( "lightsaber:wield" ) ) {
log.info("You may use a lightsaber ring. Use it wisely.");
} else {
log.info("Sorry, lightsaber rings are for schwartz masters
only.");
}
Problem
Solution
Solving real world
Access Control problems

int winnebagoId = request.getInt("winnebago_id");
if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId) )
{
log.info("You are permitted to 'drive' the 'winnebago’. Here
are the keys.");
} else {
log.info("Sorry, you aren't allowed to drive this
winnebago!");
}
int winnebagoId = request.getInt("winnebago_id");
if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId) )
{
log.info("You are permitted to 'drive' the 'winnebago’. Here
are the keys.");
} else {
log.info("Sorry, you aren't allowed to drive this
winnebago!");
}
Solving real world
Access Control problems
Web Application needs secure access to a specific objectWeb Application needs secure access to a specific object
Problem
Solution

“GET” exposes sensitive authentication information in the URL
In Web Server and Proxy Server logs
In the http referer header
In Bookmarks/Favorites often emailed to others
“POST” places information in the body of the request and not the URL
Enforce HTTPS POST For Sensitive Data Transport
73
HTTP: POST vs GET
[E1]

» X-Frame-Options
» X-XSS-Protection
» X-Content-Type-Options
» Content Security Policy
» Access-Control-Allow-Origin
» HTTPS Strict Transport Security
» Cache-Control / Pragma
HTTP Response Headers
(security related)

Protects you from most classes of
Clickjacking
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW FROM
X-Frame-Options

X-XSS-Protection
Use the browser’s built in XSS Auditor
X-XSS-Protection: [0-1](; mode=block)?
X-XSS-Protection: 1; mode=block

Fixes mime sniffing attacks
Only applies to IE
X-Content-Type-Options = ‘nosniff’
X-ContentType-Options

• Anti-XSS W3C standard http://www.w3.org/TR/CSP/
• Move all inline script and style into external files
• Add the X-Content-Security-Policy response header to
instruct the browser that CSP is in use
• Define a policy for the site regarding loading of content
• Chrome version 25 and later (50%)
• Firefox version 23 and later (30%)
• Internet Explorer version 10 and later (10%)
Content Security Policy

Add the following as part of your HTTP Response
Cache-Control: no-store, no-cache, must-revalidate
Expires: -1
Disabling the browser cache

[E2][E2]Application Layer
Intrusion Detection
• Great detection points to start with
– Input validation failure server side when client side
validation exists
– Input validation failure server side on non-user editable
parameters
(hidden fields, checkboxes, radio buttons or select lists)
– Forced browsing to common attack entry points
e.g., /admin/secretlogin.jsp or honeypot URL (a fake path
listed in /robots.txt)

Application Layer
Intrusion Detection
• Others
– Blatant SQLi or XSS injection attacks
– Workflow sequence abuse (e.g. multi-part
form in wrong order)
– Custom business logic (e.g. basket vs
catalogue price mismatch)

OWASP AppSensor (Java)
• Project and mailing list
https://www.owasp.org/index.php/OWASP_
AppSensor_Project
• Four-page briefing, Crosstalk, Journal of
Defense Software Engineering
• http://www.crosstalkonline.org/storage/iss
ue-archives/2011/201109/201109-
Watson.pdf

[E3][E3]Encryption in transit
• Confidentiality, Integrity (in Transit) and Authenticity
– Authentication credentials and session identifiers must be encrypted in
transit via HTTPS/SSL
– Starting when the login form is rendered until logout is complete
• HTTPS configuration best practices
– https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sh
eet
• HSTS (Strict Transport Security)
– http://www.youtube.com/watch?v=zEV3HOuM_Vw
– Strict-Transport-Security: max-age=31536000
• Certificate Pinning
– https://www.owasp.org/index.php/Pinning_Cheat_Sheet

Strict-transport-security: max-age=10000000
Do all of your subdomains support SSL?
Strict-transport-security: max-age=10000000; includeSubdomains
Strict Transport Security (HSTS)
protected void Application_BeginRequest(Object sender, EventArgs e)
{
switch (Request.Url.Scheme)
{
case "https":
Response.AddHeader("Strict-Transport-Security", "max-
age=31536000");
break;
case "http":
var path = "https://" + Request.Url.Host +
Request.Url.PathAndQuery;
Response.Status = "301 Moved Permanently";
Response.AddHeader("Location", path);
break;
}
} // in global.asax

• What is Pinning
– Pinning is a key continuity scheme
– Detect when an imposter with a fake but CA validated
certificate attempts to act like the real server
• 2 Types of pinning
• Carry around a copy of the server’s public key;
– Great if you are distributing a dedicated client-server
application since you know the server’s certificate or public
key in advance
• Note of the server’s public key on first use (Trust-on-First-Use,
Tofu)
– Useful when no a priori knowledge exists, such as SSH or a
Browser
• https://www.owasp.org/index.php/Pinning_Cheat_Sheet
Certificate Pinning

File Upload Security
• Upload Verification
– Filename and Size validation + antivirus
• Upload Storage
– Use only trusted filenames + separate domain
• Beware of "special" files
– "crossdomain.xml" or "clientaccesspolicy.xml".
• Image Upload Verification
– Enforce proper image size limits
– Use image rewriting libraries
– Set the extension of the stored image to be a valid image extension
– Ensure the detected content type of the image is safe
• Generic Upload Verification
– Ensure decompressed size of file < maximum size
– Ensure that an uploaded archive matches the type expected (zip, rar)
– Ensure structured uploads such as an add-on follow proper standard
[E4][E4]

Application Security around OWASP Top 10

More Related Content

Application Security around OWASP Top 10