600 likes | 682 Vues
Dinis Cruz OWASP Chief Evangelist dinis.cruz@owasp.net. OWASP 2.0 Enabling organizations to develop, maintain, and acquire applications they can trust. Mission. Enabling organizations to develop, maintain, and purchase applications that they can trust. OWASP Foundation.
E N D
Dinis Cruz OWASP Chief Evangelist dinis.cruz@owasp.net OWASP 2.0Enabling organizations to develop, maintain, and acquire applications they can trust
Mission • Enabling organizations to develop, maintain, and purchase applications that they can trust
OWASP Foundation • The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work. Participation in OWASP is free and open to all.
Security Spending Why OWASP?Attacks Shift Towards Application Layer % of Attacks % of Dollars 10% Web Applications 75% 90% Network Server 25% 2/3 of All Web Applications Are Vulnerable Sources: Gartner, Watchfire
History • 2000: Mark Curphey and Microsoft Word • 2001: OWASP Guide 1.0 • Sep 2002: Many volunteers finish 1.1.1 • Oct 2002: owasp-leaders created • Leaders from each project • This meritocracy still leads us today • 2003: OWASP Foundation created • 2006: tons of new projects and AoC 06 • (150k USD turnover) • 2007: more new projects and SpoC 007 • (350k USD turnover)
It’s about community • Built on great foundations built by our contributors • Greater peer to peer participation • Emphasis on local community building • More support for your projects
OWASP Projects are: • Alive on our wiki 2009 … 2007 2005 2003 2001
OWASP Body of Knowledge Guidance and Tools for Measuring and Managing Application Security Guide to Application Security Testing and Guide to Application Security Code Review VerifyingApplicationSecurity ManagingApplicationSecurity Guide to Building Secure Web Applications and Web Services Core Application SecurityKnowledge Base Chapters AppSec Conferences Projects ApplicationSecurityTools Acquiring andBuildingSecureApplications Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues AppSecEducation and CBT Research to Secure New Technologies Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax) Principles Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures OWASP Community Platform (wiki, forums, mailing lists) Web Based Learning Environment and Guide for Learning Application Security OWASP Foundation 501c3
What Is Unique about OWASP? • Everything we do is free and open…
It’s about building a solid foundation • Transparency • Annual Report, financial details • Annual report (with financial details) starting 2006 • Move to more formal structure in 2007 timeframe (à la Apache, NetBSD, Debian, etc) • Improve membership experience • Membership packages • Individual • Corporate • Sponsor • Starter chapter pack
What is the OWASP Top 10? • The first (but not only) things you should focus on … http://www.owasp.org/index.php/Top_10
AoC 06 - Autumn of Code 2006 • The Open Web Application Security Project (OWASP) has recently launched a new project entitled "OWASP Autumn of Code 2006” that is aimed at financially sponsoring contributions to OWASP Projects. • On the 18th of September our call for entries ended and on the 25th of September we released our list of selected projects to be sponsored. OWASP has made the decision to sponsor 9 projects (5 at $3,500 USD and 4 at $5,000 USD) instead of our originally planned number of 8.
Autumn of Code 2006 - Projects • WebScarab NG – Rogan Dawes • Live CD – Joshua Perrymon • CAL9000 – Chris Loomis • SiteGenerator and ORG – Mike de Libero • Pantera – Simon Roses • Web Goat – Sherif Koussa • Testing Guide – Matteo Meucci • OWASP .NET Tools – Boris Maletic • OWASP Website and Branding – Aaron M. Holmes
SpoC 007 - Spring of Code 2007 The OWASP Spring of Code 2007 (SpoC 007) aims to financially sponsor contributions to OWASP Projects. SpoC 007 follows up the successful AoC 06 (OWASP Autumn Of Code 2006) in which 9 projects were sponsored and greatly improved. The objective of SpoC 007 is to allow contributors to allocate considerable resources on (existent or new) OWASP projects which are relevant and benefitial to the OWASP community. The initial Budget for SpoC 007 was $110,000 USD, and was funded by OWASP (using current membership fees and profits from past conferences) and newly joined members (currently SPI Dynamics and EDS).
SpoC 007 - Spring of Code 2007 • In parallel with the Request for Proposals OWASP is did a membership drive where membership fees commited during that period were be allocated to SpoC 007 projects (the new members have the option to chose which projects they would like to sponsor) • Cenzic and Vigilar joined as members during SpoC • Due to the quality of the proposals submited (via WIKI) OWASP decided to sponsor all submissions and to increase the sponsorships ( to $125,000 USD spread over 28 projects
Current projects (see website) • Release Quality • Beta Status • Alpha Status • Technology, Research, and Guides
Funding model • Need to increase OWASP individual and corporate members • Current funding model • Conferences • Corporate and Individual Memberships (to be GNI adjusted) • Advertising • Sponsorships
OWASP Membership • An active voice in the development of OWASP Materials that are becoming widely accepted as an application security standard for all organizations. • A OWASP Commercial License to use the materials within your organization without the restrictions associated with the various open source licenses used by the OWASP projects. • Timely electronic notification of updates to the OWASP Materials. • Visibility for your organization's tangible commitment to application security through its inclusion in the members list on the OWASP website and promotional materials. • The right to use the OWASP name and membership mark to show that you are an OWASP Member. Note that the mark must not be used in any way that might indicate that OWASP supports a commercial product or service. • Collaboration with other highly skilled people from organizations around the world, both virtually and in person during periodic OWASP AppSec conferences and chapter meetings. • Discounted registration fees for OWASP AppSec conferences to all individual members and all employees of member organizations.
Local chapters • Easily the most useful OWASP activity • Lots of chapters all around the world
Local chapter support • Use our Internet resources • Announce meetings well in advance • Have a schedule well in advance • Be consistent • Community: blogs, forum - in your local language • Present new stuff • ... or borrow other chapter’s slides
Guidelines for chapters • Encourage membership in OWASP • Try to be easily found and a popular time • Always try to meet, if only for drinkies • Local sponsorship by vendors is fine • Try not to be 0wned by the vendors (of any type) • Protect yourself - insurance, talk choices, etc
Leadership Focus • Developing OWASP Foundation and infrastructure • Helping you deliver timely, useful projects • Keeping today’s flagship products fresh and relevant • Winter, Spring, and Summer of Code 2007
OWASP Brand • Our brand is important to us • Need something to help get rid of freeloaders • Many firms abusing OWASP Top 10 / Guide brand • Need a 'brand management' project
Project Incubators • Initiate any project you like • Each project will have its own space • Community: Link to team member blogs and forum • Resources: Samples, downloads, private workspace
Quick tour of the new OWASP Top 10 • The first (but not only) things you should focus on … http://www.owasp.org/index.php/Top_10
A1: Cross Site Scripting (XSS) A2: Injection Flaws A3: Malicious File Execution A4: Insecure Direct Object Reference A5: Cross Site Request Forgery (CSRF) A6: Information Leakage and Improper Error Handling A7: Broken Authentication and Session Management A8: Insecure Cryptographic Storage A9: Insecure Communications A10: Failure to Restrict URL Access OWASP Top Ten – 2007 Update • Lauched here
A1. Cross-Site Scripting (XSS) • Occurs any time… • Raw data from attacker is sent to an innocent user • Raw data… • Stored in database • Reflected from web input (form field, hidden field, url, etc…) • Sent directly into rich JavaScript client • Virtually every web application has this problem • Try this in your browser – javascript:alert(document.cookie)
Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code Cross-Site Scripting Illustrated 1 Attacker sets the trap – update my profile Application with stored XSS vulnerability Attacker enters a malicious script into a web page that stores the data on the server Victim views page – sees attacker profile 2 Script runs inside victim’s browser with full access to the DOM and cookies 3 Script silently sends attacker Victim’s session cookie
A2. Injection Flaws • Injection means… • Tricking an application into including unintended commands in the data sent to an interpreter • Interpreters… • Take strings and interpret them as commands • SQL, OS Shell, LDAP, XPath, etc… • SQL injection is still quite common • Many applications still susceptible
Example: SQL Injection Illustrated 1 Attacker sends data containing SQL fragments Attacker enters SQL fragments into a web page that uses input in a query Attacker views unauthorized data 3 Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code Application sends modified query to database, which executes it 2 Database
A3: Malicious File Execution • Occurs when … • Attacker can influence an application to reference, upload, or create reference to a malicious file that gets executed • Example Scenarios • Very frequent flaw in PHP applications where untrusted variables are used in calls like include(), include_once(), require(), etc. • Application accepts name of file to execute as input, such as language choice drop down menus • Attacker supplies unauthorized reference to code (usually an attack script) • Uploading Asp, Aspx, Jsp, dlls, class files to the server • Malicious developers • Can occur in any framework, not just PHP: XSLT transforms, batch file includes, log files, etc.
Example: PHP Remote File Include Illustrated Attacker sends request that specifies the path to a malicious file in a parameter (or uploads a file to the server) 1 Attacker changes a parameter which is supplied to a file inclusion function Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Attacker views results of executing the attack, or takes control of the affected server 3 Custom Code application executes the specified file and executes the contents 2 File System
A4. Insecure Direct Object Reference • How do you protect access to data and other objects? • This is part of enforcing proper “authorization”, along with A10: Failure to Restrict URL Access • Frequently enforced by • Only listing the ‘authorized’ objects for the current user • Hiding the object references in hidden fields • This is called presentation layer access control, and doesn’t work • Attacker simply tampers with parameter value • For each parameter, a site needs to do 3 things • Verify the parameter is properly formatted • Verify the user is allowed to access the target object • Verify the requested mode of access is allowed to the target object (e.g., read, write, delete)
Insecure Direct Object Reference Illustrated • Attacker notices his acct parameter is 6065 ?acct=6065 • He modifies it to a nearby number ?acct=6066 • Attacker views the victim’s account information https://www.onlinebank.com/user?acct=6065
A5. Cross Site Request Forgery • Cross Site Request Forgery (CSRF) • An attack where the victim’s browser is tricked into issuing a command to a vulnerable web application • Imagine… • What if a hacker could steer your mouse and get you to click on links in your online banking application? • What could they make you do? • Attackers can use CSRF to… • Initiate transactions (transfer funds, logout user, close account, etc…) • Access sensitive data • Change account details • And much more…
Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code CSRF Illustrated Attacker sets the trap on some website on the internet(or simply via an e-mail) 1 Application with CSRF vulnerability Hidden <img> tag contains attack against vulnerable site While logged into vulnerable site,victim views attacker site 2 3 Vulnerable site sees legitimate request from victim and performs the action requested <img> tag loaded by browser – sends GET request (including credentials) to vulnerable site
A6. Information Leakage and Improper Error Handling • Web applications leak information and encounter error conditions • Frequently this invokes untested code paths • Attackers learn about your application through error messages • Identify attacks and handle appropriately • Never show a user a stack trace • If someone is attacking you, don’t keep trying to help • But how do you know which errors are attacks? • Most web applications are quite fragile • Especially when you use a tool like WebScarab
Improper Error Handling Illustrated • Many security mechanismsfail open • isAuthenticated() • isAuthorized() • isValid() • Bad logic (i.e., fail open) if (!security_test()) then return false return true • Good logic (i.e., fail secure) if (security_test()) then return true return false [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'last_name = 'bob' or foo''.
A7. Broken Authentication and Session Mgmt • HTTP is “stateless” protocol • Means credentials have to go with every request • Should use SSL for everything requiring authentication • Session management • SESSIONID used to track state since HTTP doesn’t • SESSIONID is just as good as credentials to an attacker • Never expose SESSIONID on network, in browser, in logs, … • Beware the side-doors • Change my password, remember my password, forgot my password, secret question, logout, email address, etc…
Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code Broken Authentication Illustrated 1 User sends credentials www.boi.com?JSESSIONID=9FA1DB9EA... Site uses URL rewriting (i.e., put session in URL) 2 3 User clicks on a link to http://www.hacker.com in a forum Hacker checks referer logs on www.hacker.com and finds user’s JSESSIONID 4 5 Hacker uses JSESSIONID and takes over victim’s account
A8. Insecure Cryptographic Storage • Storing sensitive data insecurely • Identify all sensitive data • Identify all the places that sensitive data is stored • Databases, files, directories, log files, backups, etc. • Protect with appropriate mechanisms • File encryption, database encryption, data element encryption • Use the mechanisms correctly • Use standard strong algorithms • Generate and protect keys • Be prepared for key change