Testing the OWASP Top 10 Security Issues

Andy Tinkham & Zach Bergman, Magenic Technologies

Contact Us

1600 Utica Avenue South, Suite 800, St. Louis Park, MN 55416

1 (877)-277-1044 [email protected]

Who Are We?

» Magenic: Leading consultancy providing custom application development, testing and QA services
» Andy
  » 17 years of testing experience, focusing on automation, performance & other technical testing
  » Principal Consultant at Magenic, leading all our technical testing activities
» Zach
  » 3 years of testing experience, focusing on security & test automation
  » Consultant at Magenic, driving internal security growth & initiatives

Security Testing

» Testing focused on 3 aspects of a system
  » Authentication – determining an entity is who they claim to be
  » Authorization – determining whether an entity is allowed to use a requested action or resource
  » Accounting – documenting what occurs in the system

Today…

» Talk about the most prevalent security vulnerabilities
» Structure that talk using the OWASP Top 10 list
  » Andy will describe each issue
  » Zach will demonstrate the issue and talk about techniques to identify it
» Cover some very basic testing techniques to find these

What is OWASP?

» Open Web Application Security Project
» Non-profit organization focused on improving the security of software
» Around since 2001
» Not affiliated with any technology company
» Provides a variety of free tools, education, and information around application security
» Local chapter: https://www.owasp.org/index.php/Minneapolis_St_Paul

Next meeting: 1/21/2013, Gunnar Peterson, “Mobile AppSec – How iOS and Android Apps fail and what to do to protect them”

What is the OWASP Top 10?

10. Unvalidated Redirects and Forwards
9. Insufficient Transport Layer Protection
8. Failure to Restrict URL Access
7. Insecure Cryptographic Storage
6. Security Misconfiguration
5. Cross-Site Request Forgery
4. Insecure Direct Object References
3. Broken Authentication & Session Management
2. Cross-Site Scripting
1. Injection

• Most critical web application security flaws
• Occur frequently
• Easy to find
• Easy to exploit

Why should you care about these issues?

» Security is a big deal
  » 77 million user accounts compromised on Sony PlayStation Network
  » $1 trillion worth of intellectual property stolen in 2008 (McAfee)
  » Symantec estimates the global price tag of consumer cybercrime to be $110 billion, with 18 victims every second
  » 90% of businesses suffered some sort of hack in the last 12 months (Ponemon Research/Juniper Networks, June 2011)
  » 83% of websites have had a high, critical or urgent issue (WhiteHat Security, 2009)
» Poor security can lead to
  » Unwanted information disclosure
  » Compromised data
  » Financial and reputational costs

What Tools Will We Use?

» Burp Suite (http://www.portswigger.net/burp/)
» Awesome Cookie Manager (Chrome App Store)
» BodgeIt Store (http://code.google.com/p/bodgeit/)
» REST Console (Chrome App Store)

10. Unvalidated Redirects & Forwards

» Use of an app’s built-in redirect to access an unintended location
  » http://yoursite.com/redirect.php?url=http://yoursite.com/admin.php
  » http://yoursite.com/redirect.php?url=http://badsite.com
» Users can be convinced to give information thinking they’re giving it to you

Exploitability: Average
Prevalence: Uncommon
Detectability: Easy
Impact: Moderate

Testing Technique: Look for redirect functions throughout the application, in URL or request parameters
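
The following Python is an added example, not code from the talk: it scripts the testing technique above (spot request parameters that carry a redirect target) and shows the server-side validation that closes the issue. The allowed host list and the parameter-name list are assumptions for illustration.

```python
# Added example (not from the slides): one check a tester can script for
# unvalidated redirects, plus the server-side validation that fixes the issue.
# Host names and parameter names below are assumptions for illustration.
from urllib.parse import parse_qs, urljoin, urlparse

# Assumption: the only hosts this application should ever redirect to.
ALLOWED_HOSTS = {"yoursite.com", "www.yoursite.com"}

# Assumption: parameter names that commonly carry a redirect target.
REDIRECT_PARAM_NAMES = {"url", "redirect", "redirect_uri", "next", "return", "returnurl", "goto"}


def find_redirect_params(request_url: str) -> list[str]:
    """Tester side: name the query parameters that look like redirect targets.

    A parameter is flagged if its name is a well-known redirect name or if its
    value is itself a URL or an absolute path.
    """
    query = parse_qs(urlparse(request_url).query, keep_blank_values=True)
    flagged = []
    for name, values in query.items():
        value_is_url = any(
            urlparse(v).scheme in ("http", "https") or v.startswith("/") for v in values
        )
        if name.lower() in REDIRECT_PARAM_NAMES or value_is_url:
            flagged.append(name)
    return flagged


def is_safe_redirect(target: str, base: str = "https://yoursite.com/") -> bool:
    """Server side: accept a redirect target only if it stays on an allowed host.

    Relative paths ("/account") resolve against `base` and are accepted;
    "http://badsite.com", protocol-relative "//badsite.com" and non-http
    schemes are rejected. Exact host matching also rejects
    "yoursite.com.badsite.com", which a prefix check would let through.
    """
    parsed = urlparse(urljoin(base, target))
    if parsed.scheme not in ("http", "https"):
        return False
    return parsed.hostname in ALLOWED_HOSTS


def redirect_location(target: str, fallback: str = "/") -> str:
    """What redirect.php should do: use the target if safe, else a fixed fallback."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    print(find_redirect_params("http://yoursite.com/redirect.php?url=http://badsite.com&page=2"))
    print(redirect_location("http://badsite.com"))
```

When the check flags a parameter, the follow-up test is to see whether the application honours an off-site value for it; the fix is the allow-list, not a block-list of bad hosts.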

9. Insufficient Transport Layer Protection

» Unencrypted data traversing networks can be seen, manipulated, and used without user knowledge
  » The session information from the browser
  » User personally-identifiable information

Exploitability: Difficult
Prevalence: Common
Detectability: Easy
Impact: Moderate

Testing Technique: See if HTTPS and TLS 1.1+ are being used on the appropriate secure pages
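
The following Python is an added example, not code from the talk. It covers both halves of the slide: a client context that refuses old TLS versions (so a handshake failure is itself a finding), and a check of the Set-Cookie headers a login returns, since a session cookie without the Secure flag is sent on any plain-HTTP request to the site. The cookie header is constructed sample input.

```python
# Added example (not from the slides): two offline checks behind "is HTTPS and
# a modern TLS version being used, and does session data leak otherwise?".
# The cookie header at the bottom is constructed sample input.
import ssl
from http.cookies import SimpleCookie


def make_client_context(min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Build the context a test client should use.

    The slide asks for TLS 1.1+; this example sets the floor one notch higher
    because TLS 1.0 and 1.1 were formally deprecated by RFC 8996 in 2021.
    Connecting with this context to a server that only offers older versions
    fails the handshake, which is the test result you want to record.
    """
    ctx = ssl.create_default_context()  # verifies certificates and host names
    ctx.minimum_version = min_version
    return ctx


def cookie_transport_findings(set_cookie_headers: list[str], page_is_https: bool) -> list[str]:
    """Report cookies that can travel over plain HTTP or be read by scripts.

    Without Secure, the browser attaches the cookie to http:// requests as
    well, so one unencrypted page on the site exposes the whole session.
    """
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not page_is_https:
                findings.append(f"{name}: issued over plain HTTP")
            if not morsel["secure"]:
                findings.append(f"{name}: missing Secure flag")
            if not morsel["httponly"]:
                findings.append(f"{name}: missing HttpOnly flag")
    return findings


# Constructed sample: what a login response on the demo store might set.
SAMPLE_SET_COOKIE = ["JSESSIONID=1A2B3C4D; Path=/bodgeit; HttpOnly"]

if __name__ == "__main__":
    print(make_client_context().minimum_version.name)
    print(cookie_transport_findings(SAMPLE_SET_COOKIE, page_is_https=False))
```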

8. Failure to Restrict URL Access

» Typically happens when assumptions are made regarding users’ knowledge of the app’s layout/functionality – security by obscurity
  » http://www.mysite.com/MySecretAdminConsole.php
  » http://www.mysite.com/ManagerReports
» Hidden or unlisted resources
» Only show the user functionality they can use

Exploitability: Easy
Prevalence: Uncommon
Detectability: Average
Impact: Moderate

Testing Technique: Look for exposed URLs. If unlisted, check whether the URLs can be accessed with the wrong authentication

7. Insecure Cryptographic Storage

» Apps may not secure sensitive data with appropriate cryptography, or may not store the artifacts around the cryptography securely
  » Inside or outside of the physical data storage
  » Stored plaintext
  » Weak algorithm used
  » Unrestricted access to decrypt function
  » Private keys accessible

Exploitability: Difficult
Prevalence: Uncommon
Detectability: Difficult
Impact: Severe

Testing Technique: Look for sensitive data in plaintext. Look for encryption in transit (see #9).
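
The following Python is an added example, not code from the talk. It puts the "weak algorithm, no salt" storage the slide warns about next to a salted, iterated PBKDF2 record with a constant-time verify, and adds the tester-side heuristic used when reviewing a data export: a bare 32/40/64-character hex value in a password column is almost always an unsalted digest. Standard library only; the sample passwords are constructed.

```python
# Added example (not from the slides): the storage pattern the slide warns
# about next to a salted, iterated one, plus a tester-side heuristic for
# spotting unsalted digests in a data dump. Python standard library only.
import base64
import hashlib
import hmac
import os


def weak_store(password: str) -> str:
    """Unsalted single-round MD5: equal passwords give equal records, and
    precomputed tables recover them quickly. Shown only as the 'before'."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries everything needed to verify."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def looks_like_unsalted_digest(value: str) -> bool:
    """Tester heuristic for a 'password' column: a bare hex string of MD5,
    SHA-1 or SHA-256 length usually means an unsalted hash; anything that is
    neither hex nor a structured record is worth checking for plaintext."""
    v = value.strip().lower()
    return len(v) in (32, 40, 64) and all(c in "0123456789abcdef" for c in v)


if __name__ == "__main__":
    record = store_password("correct horse")   # constructed sample password
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong", record))
    print(looks_like_unsalted_digest(weak_store("correct horse")))
```

The salt makes two users with the same password produce different records, and the iteration count is stored with the record so it can be raised later without invalidating existing users.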

6. Security Misconfiguration

» Default settings of the platform being used
  » Configuration
  » Default usernames/passwords
  » Default error messages
» Debugger sessions open
» Lack of updates being applied

Exploitability: Easy
Prevalence: Common
Detectability: Easy
Impact: Moderate

Testing Technique: Look for custom error messages. Look for debugger sessions being allowed.
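
The following Python is an added example, not code from the talk: a response scanner for the signs this slide lists (stock error pages that dump a stack trace, a framework debug console, and version banners in headers that show which updates have not been applied). The marker table and the sample response are constructed; extend the table for the frameworks you actually test.

```python
# Added example (not from the slides): scanning responses for the signs the
# slide lists (stock error pages that dump stack traces, debug consoles,
# version banners). Markers and the sample response are constructed.
import re

# Assumption: banners typical of common frameworks' default error output.
DEBUG_MARKERS = [
    ("python-traceback", re.compile(r"Traceback \(most recent call last\)")),
    ("werkzeug-debug-console", re.compile(r"Werkzeug Debugger")),
    ("aspnet-yellow-screen", re.compile(r"Server Error in '[^']*' Application")),
    ("java-stack-trace", re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)")),
    ("php-error-with-path", re.compile(r"(Warning|Fatal error):.* in /\S+\.php on line \d+")),
]
VERSIONED_BANNER = re.compile(r"^[\w.-]+/\d+(\.\d+)*")  # e.g. "Apache/2.2.22"


def misconfig_findings(status: int, headers: dict, body: str) -> list:
    """Classify one HTTP response; an empty list means nothing obvious leaked."""
    findings = []
    for label, pattern in DEBUG_MARKERS:
        if pattern.search(body):
            findings.append(f"verbose error page: {label}")
    for header in ("Server", "X-Powered-By"):
        value = headers.get(header, "")
        if VERSIONED_BANNER.match(value):
            findings.append(f"version disclosed in {header}: {value}")
    if status >= 500:
        findings.append(f"server error {status} (verify a custom error page is configured)")
    return findings


# Constructed sample: a stock Python error page behind Apache with PHP enabled.
SAMPLE_DEBUG_RESPONSE = (
    500,
    {"Server": "Apache/2.2.22 (Ubuntu)", "X-Powered-By": "PHP/5.3.10"},
    "<html><body><pre>Traceback (most recent call last):\n"
    '  File "/var/www/app.py", line 12, in checkout\n'
    "KeyError: 'cart'</pre></body></html>",
)

if __name__ == "__main__":
    for finding in misconfig_findings(*SAMPLE_DEBUG_RESPONSE):
        print(finding)
```

Feed it every response Burp captures during a normal test pass; error pages reached by accident are exactly the ones a production configuration should have replaced.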

6. Security Misconfiguration

» 200 - OK
» 401 - Unauthorized
» 403 - Forbidden
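
The following Python is an added example, not code from the talk. It scripts the testing technique from #8 (request unlisted URLs with no session and with the wrong role) and reads the answers against the status codes above: 200 where the policy says 401 or 403 is the finding. The paths, roles and both fake servers are constructed; against a real application the `fetch` argument would issue HTTP requests carrying each role's cookie.

```python
# Added example (not from the slides): a forced-browsing check in the spirit of
# "look for exposed URLs and see what happens with the wrong authentication",
# read against the 200 / 401 / 403 codes on the status-code slide.
# Paths, roles and both fake servers are constructed for illustration.
from collections import namedtuple

Response = namedtuple("Response", "status body")

# Assumption: which role each path should require (None = public).
REQUIRED_ROLE = {
    "/": None,
    "/ManagerReports": "manager",
    "/MySecretAdminConsole.php": "admin",
}
CANDIDATE_PATHS = list(REQUIRED_ROLE)


def is_allowed(path: str, role) -> bool:
    """The intended policy: public paths for everyone, others only for their role."""
    return REQUIRED_ROLE.get(path) in (None, role)


def correct_fetch(path: str, role) -> Response:
    """Fake server that enforces the policy and answers with the right code."""
    if path not in REQUIRED_ROLE:
        return Response(404, "not found")
    if is_allowed(path, role):
        return Response(200, f"content of {path}")
    if role is None:
        return Response(401, "login required")   # anonymous: authenticate first
    return Response(403, "forbidden")            # authenticated, wrong role


def obscurity_fetch(path: str, role) -> Response:
    """Fake server with the slide's bug: the admin console is merely unlisted."""
    if path == "/MySecretAdminConsole.php":
        return Response(200, "admin console")
    return correct_fetch(path, role)


def forced_browsing_findings(paths, roles, fetch, allowed=is_allowed) -> list:
    """Return (path, role, status) for every 200 the policy says should not happen."""
    findings = []
    for path in paths:
        for role in roles:
            resp = fetch(path, role)
            if resp.status == 200 and not allowed(path, role):
                findings.append((path, role, resp.status))
    return findings


if __name__ == "__main__":
    print(forced_browsing_findings(CANDIDATE_PATHS, [None, "user"], obscurity_fetch))
```

Candidate paths come from the same places the slide points at: links hidden by role in the UI, JavaScript and sitemap files, and URL patterns guessed from ones you already have.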

5. Cross-Site Request Forgery (CSRF)

» Targets the user’s session information in order to act as the user
  » http://www.store.com/AddToCart.aspx?itemID=1234
  » http://www.blog.com/ChangePassword.php?NewPass=password
» Attacker takes advantage of the user’s currently stored sessions
  » In other tabs of the browser
  » In the browser if cookies haven’t been cleared after closing

Exploitability: Average
Prevalence: Widespread
Detectability: Easy
Impact: Moderate

Testing Technique: Look for actions that can be completed just by visiting a URL.

5. Cross-Site Request Forgery (CSRF)

» The image is right here:
  » <img src="http://10.30.46.15/bodgeit/basket.jsp?productid=17&price=4.1&quantity=1">
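
The following Python is an added example, not code from the talk. It shows the protection that defeats the `<img>` trick above and the URL-only actions on the previous slide: state changes are accepted only on POST and only with a token bound to the victim's session, which a page on another site cannot read. The request dictionaries, product id and basket are constructed stand-ins for what a basket.jsp-style handler would receive.

```python
# Added example (not from the slides): the anti-CSRF pattern that defeats the
# <img> trick: state changes only on POST, and only with a token tied to the
# victim's session, which a third-party page cannot obtain.
# Request dicts, product ids and the basket list are constructed.
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # assumption: one secret per deployment


def issue_csrf_token(session_id: str) -> str:
    """Embed this in the form; an HMAC binds it to the session it was issued for."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def add_to_basket(request: dict, session_id: str, basket: list):
    """Handler for an 'add item' request.

    request = {"method": "GET"|"POST", "params": {...}}; session_id is the
    cookie the browser attaches automatically, which is what CSRF relies on.
    """
    if request["method"] != "POST":
        return 405, "state changes require POST"   # <img src=...> can only send GET
    params = request["params"]
    if not csrf_token_valid(session_id, params.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    basket.append(params["productid"])
    return 200, "added"


if __name__ == "__main__":
    basket = []
    sid = "victim-session"   # constructed session id
    img_request = {"method": "GET", "params": {"productid": "17", "price": "4.1", "quantity": "1"}}
    print(add_to_basket(img_request, sid, basket))
    form = {"method": "POST", "params": {"productid": "17", "csrf_token": issue_csrf_token(sid)}}
    print(add_to_basket(form, sid, basket), basket)
```

Requiring POST alone is not enough (a hidden auto-submitting form can POST); the per-session token is what the cross-site page cannot supply.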

4. Insecure Direct Object Reference

» Some application resources are accessible without going through access control
  » http://www.mysite.com/Report00032
  » http://www.mysite.com/files/BugsToFix.pdf
» Manipulate requests to access resources
  » http://www.mysite.com/Report00032 → http://www.mysite.com/Report00033
  » http://www.mysite.com/MyAccount.php?user=bob → http://www.mysite.com/MyAccount.php?user=joan

Exploitability: Easy
Prevalence: Common
Detectability: Easy
Impact: Moderate

Testing Technique: Look for references to objects, and attempt to access other similar objects.
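
The following Python is an added example, not code from the talk: a report handler with the flaw above (it checks that someone is logged in but not that the requested object is theirs), the same handler with a per-object ownership check, an indirect-reference alternative, and the tester-side probe that distinguishes them. Report ids, owners and contents are constructed.

```python
# Added example (not from the slides): a direct-object handler with the flaw,
# the same handler with an ownership check, and the tester-side probe that
# tells the two apart. Report ids and owners are constructed.
import secrets

# Constructed data: report id -> owner and content.
REPORTS = {
    "Report00032": {"owner": "bob", "body": "Q1 figures"},
    "Report00033": {"owner": "joan", "body": "salary review"},
}


def get_report_vulnerable(current_user: str, report_id: str):
    """Only checks that the user is logged in; any id in the URL is served."""
    report = REPORTS.get(report_id)
    return (404, None) if report is None else (200, report["body"])


def get_report_fixed(current_user: str, report_id: str):
    """Authorises the specific object. Missing and foreign objects get the same
    answer so the id space cannot be enumerated through the error code."""
    report = REPORTS.get(report_id)
    if report is None or report["owner"] != current_user:
        return (404, None)
    return (200, report["body"])


def indirect_references(current_user: str) -> dict:
    """Alternative fix: hand the client opaque per-session handles instead of
    the real ids, so Report00033 never appears in this user's URLs at all."""
    return {
        secrets.token_urlsafe(8): rid
        for rid, report in REPORTS.items()
        if report["owner"] == current_user
    }


def idor_findings(handler, current_user: str, ids_to_try: list) -> list:
    """Tester side: which ids not owned by this user still come back 200?"""
    return [
        rid for rid in ids_to_try
        if handler(current_user, rid)[0] == 200
        and REPORTS.get(rid, {}).get("owner") != current_user
    ]


if __name__ == "__main__":
    ids = ["Report00032", "Report00033"]
    print("vulnerable:", idor_findings(get_report_vulnerable, "bob", ids))
    print("fixed:     ", idor_findings(get_report_fixed, "bob", ids))
```

In a real test the handler is the live application and the tester needs two accounts: objects created as the second user are the ids to try from the first.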

3. Broken Authentication & Session Management

» Poorly implemented protections can still be insecure, leading to additional vulnerabilities
  » Sessions should expire
  » Logout should revoke the user’s session
  » Login should revoke any active sessions for the same user
  » User shouldn’t be able to manipulate or guess the session
  » Key actions should revoke certain session permissions
  » Session fixation

Exploitability: Average
Prevalence: Common
Detectability: Average
Impact: Severe

Testing Technique: Verify that sessions are actually revoked following key actions.
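
The following Python is an added example, not code from the talk: an in-memory session store that implements each rule on the slide (expiry, logout revocation, one live session per user, a fresh unguessable id on login so a client-presented id is never adopted, and step-up that a key action consumes), written so the checks in the testing technique can be run against it. `FakeClock` is a constructed clock so expiry can be exercised without waiting.

```python
# Added example (not from the slides): an in-memory session store that meets
# the rules on this slide (expiry, logout revocation, one live session per
# user, fresh ids on login against fixation, step-up for key actions).
# FakeClock is constructed so the expiry rule can be exercised without sleeping.
import secrets
import time


class FakeClock:
    """Call it like time.monotonic; advance by changing .now."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class SessionManager:
    def __init__(self, ttl_seconds: float = 900, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions = {}  # session id -> {"user", "expires", "stepped_up"}

    def login(self, user: str, presented_sid=None) -> str:
        # Never adopt an id the client arrived with (session fixation);
        # always mint a fresh, unguessable one after authentication.
        self._sessions.pop(presented_sid, None)
        # Login revokes any other live session for the same user.
        for sid in [s for s, d in self._sessions.items() if d["user"] == user]:
            del self._sessions[sid]
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.ttl, "stepped_up": False}
        return sid

    def user_for(self, sid):
        """Resolve a session id; expired sessions are dropped, not refreshed."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if self.clock() > data["expires"]:
            del self._sessions[sid]
            return None
        return data["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def reauthenticate(self, sid) -> bool:
        """Called after the user re-enters their password; grants one key action."""
        if self.user_for(sid) is None:
            return False
        self._sessions[sid]["stepped_up"] = True
        return True

    def key_action(self, sid) -> bool:
        """E.g. change password or e-mail: requires step-up, then consumes it."""
        if self.user_for(sid) is None or not self._sessions[sid]["stepped_up"]:
            return False
        self._sessions[sid]["stepped_up"] = False
        return True


if __name__ == "__main__":
    clock = FakeClock()
    mgr = SessionManager(ttl_seconds=60, clock=clock)
    sid = mgr.login("bob", presented_sid="attacker-chosen")
    print(sid != "attacker-chosen", mgr.user_for(sid))
    clock.now += 61
    print(mgr.user_for(sid))   # None: expired
```

Against a live application the same steps are done with two browsers (or two cookie jars): log in twice, change the password in one, and confirm the other is logged out.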

2. Cross-Site Scripting (XSS)

» Untrusted input is not cleaned prior to being passed back to the browser
» Can involve rendered HTML, JavaScript or any other web content

Exploitability: Average
Prevalence: Very Widespread
Detectability: Easy
Impact: Moderate

Testing Technique: Verify that input is being validated or escaped so that it does not execute.
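
The following Python is an added example, not code from the talk. It shows both sides of the testing technique: a page that reflects input as-is next to one that escapes for the HTML context (plus the attribute case, where escaping alone does not stop `javascript:` URLs), and a harmless probe string a tester submits to see whether a reflection kept its markup. The greeting page and the probe are constructed.

```python
# Added example (not from the slides): a reflecting page with and without
# output escaping, and a probe that tells whether a reflection kept its markup.
# The greeting page and the probe string are constructed.
import html

# Harmless marker: if it comes back rendered as italics, escaping is absent.
PROBE = "<i>xss-probe</i>"


def render_greeting_vulnerable(name: str) -> str:
    """Untrusted input pasted straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Escape for the HTML text context; quote=True also covers attribute values."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_link_safe(url: str, text: str) -> str:
    """Attribute context needs escaping plus a scheme allow-list: a javascript:
    URL contains no special characters, so escaping alone lets it through."""
    if not url.lower().startswith(("http://", "https://", "/")):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'


def reflected_unescaped(page: str, probe: str = PROBE) -> bool:
    """Tester side: True when the probe came back with its tags intact."""
    return probe in page


if __name__ == "__main__":
    print(render_greeting_vulnerable(PROBE), reflected_unescaped(render_greeting_vulnerable(PROBE)))
    print(render_greeting_safe(PROBE), reflected_unescaped(render_greeting_safe(PROBE)))
```

The probe deliberately carries no script: for the test it is enough to see the tag survive, and a benign marker is easier to spot in a page than an alert box is to explain in a bug report.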

1. Injection

» Untrusted input is not cleaned prior to being used by the application
» Users may inject their own code into
  » The app
  » SQL queries
  » XPath queries
  » Operating system
  » Browser/DOM
  » Anywhere data is combined into executable statements

Exploitability: Easy
Prevalence: Common
Detectability: Average
Impact: Severe

Testing Technique: Verify that input is being validated so that it is not executed server-side.

1. Injection

» SELECT Username FROM Users WHERE Password = 'our input here'
» SELECT Username FROM Users WHERE Password = 'a' or 'b'='b'
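
The following Python is an added example, not code from the talk: the slide's query run both ways against an in-memory SQLite table, so the effect of the `'a' or 'b'='b'` input is visible, next to the parameterised form that the testing technique is looking for. The table, its two rows and the plaintext Password column follow the slide's query and are constructed; a real system stores password hashes (see #7).

```python
# Added example (not from the slides): the slide's query run both ways against
# an in-memory SQLite table, and the parameterised form that fixes it.
# Table, rows and the plaintext Password column follow the slide and are
# constructed; real systems store hashes (see #7).
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("andy", "s3cret"), ("zach", "hunter2")],   # constructed sample rows
    )
    return conn


def usernames_vulnerable(conn: sqlite3.Connection, supplied: str) -> list:
    """String concatenation: the input becomes part of the SQL grammar, so
    a' or 'b'='b turns the WHERE clause into one that is true for every row."""
    sql = f"SELECT Username FROM Users WHERE Password = '{supplied}'"
    return [row[0] for row in conn.execute(sql)]


def usernames_safe(conn: sqlite3.Connection, supplied: str) -> list:
    """Bound parameter: the input is only ever a value, never SQL."""
    rows = conn.execute("SELECT Username FROM Users WHERE Password = ?", (supplied,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    probe = "a' or 'b'='b"
    print("vulnerable:", usernames_vulnerable(conn, probe))   # every user
    print("safe:      ", usernames_safe(conn, probe))         # nobody
```

The same input is the tester's probe: if a form field that should match exactly one record suddenly matches all of them (or throws a database error), the query is being assembled by concatenation.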

Summary

» Security is a big deal
» As testers, we can begin to look for obvious issues in the course of our normal work
» The OWASP Top 10 lists the 10 most prevalent web security issues & is a good starting point
» All of these security issues require deeper analysis beyond these

Further Reading

» OWASP Top 10 document (http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf)
» Troy Hunt’s OWASP Top 10 for .NET Developers eBook (https://asafaweb.com/OWASP%20Top%2010%20for%20.NET%20developers.pdf)
» The Web Application Hacker’s Handbook, 2nd Ed., Dafydd Stuttard and Marcus Pinto

Questions

Contact us:

[email protected] [email protected]
