1 / 15


OWASP Top Ten. #1 Unvalidated Input. Agenda. What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How to determine if you are vulnerable How to protect yourself Demonstration. What is the OWASP Top 10?.

Télécharger la présentation


An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. OWASP Top Ten #1 Unvalidated Input

  2. Agenda • What is the OWASP Top 10? • Where can I find it? • What is Unvalidated Input? • What environments are effected? • How to determine if you are vulnerable • How to protect yourself • Demonstration

  3. What is the OWASP Top 10? • Provides minimum standard for web app security. • Broad consensus about what the most critical web application security flaws are. • Compiled by a variety of security experts from around the world. • Available in multiple languages.

  4. Where is the Top Ten List • Provided on the OWASP web site • OWASP Sanctioned Project • http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project • Available either online (for browsing), in word format, or in PDF format.

  5. What is Unvalidated Input? • In order for a web application to be useful it must pass information from the client to the server and then back again. • The input passed from the client to the server helps the server determine how to respond to the client. • Although the client side has been programmed with a certain understanding of process flow in mind, malicious users can modify information before it is passed back to the server. In a vulnerable application this could cause problems if the malicious input is not handled properly.

  6. What is Unvalidated Input? • A surprisingly large number of applications rely only on client side validation of data. • The client side data transmission is susceptible to manipulation. • There is the possibility that this manipulation could cause problems on the server. • Cross Site Scripting Flaws • Buffer Overflows • Injection Flaws

  7. Effected Environments • All: • Web Servers • Application Servers • And Web Applications

  8. Are you vulnerable? • Any parameter passed through HTTP that is not carefully validated is thought to be “tainted.” • Therefore all HTTP parameters (both GET and POST) must be processed before anything is done with the variable. • There are libraries built into certain web packages and OWASP packages available for other packages. • Check to see if you are vulnerable. • Use a package like WebScarab to input a multitude of unexpected input to your web application. See what happens.

  9. Bad code: <?php $myvar = $_POST[‘fieldName’]; ?> Better code: <?php $myvar = validate($_POST[‘fieldName’]); ?> Are you vulnerable?

  10. How to Protect Yourself • Ensure that all parameters are validated before use. • An effective way of doing this is to write a centralized library to do the validate. • This library should use “positive” filtering specifications. In other words filter for data that should be there and ignore everything else.

  11. How to Protect Yourself • Definitions for positive filtering: • Data type (string, integer, real, etc.) • Allowed character set • Min and max field length • Null check (are nulls allowed?) • Required parameter check • Numeric range check • Is this a member of an enumeration • Regex patterns

  12. How to Protect Yourself • Third party Unvalidated Input Protection: • Web application firewalls • Configurable security “device” used to do input validation. • Is not called from the application nor is it part of the application. • Black-box style security.

  13. How to Protect Yourself • Third party Unvalidated Input Protection continued: • The OWASP Filters Project • Project is designed to be a group of re-usable filters for input validation • The Stinger HTTP request validation engine is an example of this implementation developed by OWASP for J2EE validation. • http://www.owasp.org/index.php/OWASP_Stinger_Project • Other projects are in the works (PHP for example).

  14. How to Protect Yourself • Be very careful about what you put into web forms • Use hidden inputs sparingly and smartly • Don’t always trust cookie data • Try to store persistent data other ways • Session • Database

  15. Unvalidated Input Demo • Demo will show two simple vulnerabilities: • SQL Injection Flaws • Cross Site Scripting Flaws

More Related