The OWASP 2010 Top 10. Jason Montgomery, CISSP. OWASP Cincinnati, Aug 30, 2011

TRANSCRIPT

  • Slide 1
  • The OWASP 2010 Top 10. Jason Montgomery, CISSP. OWASP Cincinnati, Aug 30, 2011
  • Slide 2
  • Cyber Security Engineering Team, AEP. Author / Technical Editor: Professional K2 blackpearl (Wiley Press, 2009), Professional C#, Beginning C#, etc. SANS Institute (sans.org): DEV 532: Essential Secure Coding in ASP.NET; DEV 544: Secure Coding in .NET: Developing Defensible Applications. GIAC GSSP.NET Steering Committee. Developer. Sys Admin. 2011 Jason Montgomery
  • Slide 3
  • "Code is Law" - Lawrence Lessig
  • Slide 4
  • Slide 5
  • Who's Vulnerable? "When first tested, more than half of all applications fail to meet acceptable security quality, and more than 8 out of 10 web applications fail OWASP Top 10." VERACODE State of Software Security Report, 2011, http://info.veracode.com/rs/veracode/images/soss-v3.pdf
  • Slide 6
  • Who's Vulnerable? Whitehat Website Security Statistics Report, Winter 2011, http://www.whitehatsec.com/home/resource/stats.html#winter11stats
  • Slide 7
  • Window of Exposure. Source: Whitehat Website Security Statistics Report, Winter 2011, http://www.whitehatsec.com/home/resource/stats.html. Figure 1. 2010 at a Glance, Sorted by Industry: the average number of serious* vulnerabilities per website, the percentage of reported vulnerabilities that have been resolved (Remediation Rate), and the average length of time that a website is exposed to at least one serious vulnerability (Window of Exposure).
  • Slide 8
  • What are some challenges to Secure Applications?
  • Slide 9
  • Challenges to App Sec: Business (features) drives development, not security (non-functional requirements).
  • Slide 10
  • Market Forces: "Don't Worry, Be Crappy" - Guy Kawasaki
  • Slide 11
  • Knowledge Gap: "Our developers are pretty smart. I'm sure they've got it covered." "Our developers do amazing things. I'm sure they already understand these issues." "We haven't been hacked yet."
  • Slide 12
  • Constraints: "We don't have the time." "It's too expensive." "We don't have anyone here with the expertise."
  • Slide 13
  • No Process to Incorporate Security: no security in the Software Development Lifecycle; rely on black box or white box scanning; only fix what's found; little or no assurance.
  • Slide 14
  • "6 Billion Crash Test Dummies" - David Rice, Geekonomics: The Real Cost of Insecure Software
  • Slide 15
  • Software and Security: Common Weakness Enumeration (CWE). Top x Lists: OWASP Top 10 2010: The 10 Most Critical Web Application Security Risks, http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project; 2010 CWE/SANS Top 25 Most Dangerous Software Errors, http://cwe.mitre.org/top25/ and http://www.sans.org/top25-software-errors/
  • Slide 16
  • Software and Security: Why are these important? Raise awareness / education; industry-accepted mitigation techniques; collaboration; define common terms and language for describing issues; makes security measurable; helps prioritize.
  • Slide 17
  • Secure vs. Defensible: Software Bugs vs. Flaws. CWE defines ~658 software weaknesses: 356 can be introduced during design, 578 can be introduced during implementation. 100% Security? Goal: Secure or Defensible?
  • Slide 18
  • Add Security to the Development Lifecycle: The Building Security In Maturity Model (BSIMM2); Software Assurance Maturity Model (SAMM), OWASP; Microsoft SDLC.
  • Slide 19
  • OWASP Top 10 - 2010: A1: Injection; A2: Cross-Site Scripting (XSS); A3: Broken Authentication and Session Management; A4: Insecure Direct Object References; A5: Cross-Site Request Forgery (CSRF); A6: Security Misconfiguration; A7: Insecure Cryptographic Storage; A8: Failure to Restrict URL Access; A9: Insufficient Transport Layer Protection; A10: Unvalidated Redirects and Forwards.
  • Slide 20
  • A2: Cross-Site Scripting (XSS): "The software does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users." (CWE-79)
  • Slide 21
  • CWE Taxonomy of XSS: CWE-20: Improper Input Validation (Category); CWE-74: Injection (Class); CWE-79: Cross-Site Scripting (Base); CWE-80: Basic XSS (V); CWE-81: Improper Sanitization of Script in an Error Message Web Page (V); CWE-83: Improper Neutralization of Script in Attributes in a Web Page (V); CWE-84: Failure to Resolve Encoded URI Schemes in a Web Page (V); CWE-85: Doubled Character XSS Manipulations (V); CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages (V); CWE-87: Failure to Sanitize Alternate XSS Syntax (V).
  • Slide 22
  • Cross-site Scripting Types: Stored XSS: persisted to a data store, embedded into the DOM server-side. Reflected XSS: reflected from the client into the DOM by the server. DOM Based: reflected through the URL back to the client, embedded into the DOM by JavaScript.
  • Slide 23
  • Reflected XSS Example. URL: http://site.com/Error.aspx?msg=%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E. Error.aspx code: The following error occurred:
  • Slide 24
  • Reflected XSS Example. URL: http://site.com/Error.aspx?msg=%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E. Error.aspx code: The following error occurred: Output HTML: The following error occurred: alert('xss');
  • Slide 25
  • Context Matters: Web; HTML Entities; HTML Attributes; JavaScript; URL; CSS / Style.
  • Slide 26
  • XSS Injection Points: HTML Element; HTML Attribute (" src=... />); HTML Comments (-->).
  • Slide 27
  • XSS Injection Points Cont.: JavaScript variables / data (function Redirect() { document.location = ' '; }); Styles Attributes / CSS Files ("... />); URL (">link).
  • Slide 28
  • Real XSS Examples (Source: http://sla.ckers.org/forum/read.php?3,44,632): http://www.ninjaproxy.com/cgiproxy/nph-proxy.pl/010110A/" alert('boo'); http://h20000.www2.hp.com/bizsupport/TechSupport/ProdSearch.jsp?lang=en&cc=us&taskId=135&prod=%22%3E%3CSCRIPT%3Ealert(%22kefka%20was%20here%22)%3C/SCRIPT%3E; http://www.jlist.com/SEARCH/%3Cbody_onload=alert('XSS')%3E/1/; http://photobucket.com/feedback.php?action=contact&email=asdf&subject=&feedback=%3C/textarea%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&send=Send; http://accessories.us.dell.com/sna/category.aspx?k=%22%3e%3Cscript%3Ealert('XSS')%3C/script%3E&_nks=true&c=us&cs=19&l=en&s=dhs&x=0&y=0; http://www.pcworld.com/search/results?qt=%22onmouseover=%22alert('XSS')%22
  • Slide 29
  • XSS In the News: Facebook (Oct. 5th, 2010) - wormable; Twitter (Sept. 21st, 2010) - wormable.
  • Slide 30
  • A1 / A2: Injection Defense in Depth: Constrain input through input validation.
  • Slide 31
  • A1 / A2: Injection Solution: Must encode special characters.
  • Slide 32
  • Injection: Ask Two Questions. For every flow of inbound and outbound data between the Web Application and the Info Store: Should I consume? Should I emit?
  • Slide 33
  • Injection Mitigation (Defense in Depth): Assume all input is malicious; (re)use a vetted library; enforce length checks; enforce type checks; validate input (whitelists/blacklists); escape/encode output; properly encode/escape data. * Take care with regular expressions.
  • Slide 34
  • Cross-Site Scripting (XSS) Mitigation (Defense in Depth): Set consistent encoding (+ADw-script+AD4-); encode using whitelists; constrain input; sanitize dangerous tags/attributes; avoid allowing HTML input (if possible); prefer a lightweight markup language (e.g. BBCode) and convert to stylistic input; not always an option with WYSIWYG controls on sites.
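The "prefer a lightweight markup language" advice above, as an added example that is not from the slides or from any library: a BBCode converter that whitelist-encodes all text first and lets only a short safe list of tags become HTML, so raw HTML input is never accepted. The function names and the tag list are assumptions made for this illustration.

```javascript
// Added example, not from the slides: the Slide 34 advice to avoid raw HTML
// input and accept a lightweight markup (BBCode) instead. Text is
// whitelist-encoded first; only tags on a short safe list become HTML, and
// [url] links must use http(s). Unknown or mismatched tags stay literal text.
const encodeWith = (s, keep) =>
  [...String(s)].map((c) => (keep.test(c) ? c : `&#${c.codePointAt(0)};`)).join("");
const htmlEncode = (s) => encodeWith(s, /^[A-Za-z0-9 ]$/);  // element content
const attrEncode = (s) => encodeWith(s, /^[A-Za-z0-9]$/);   // attribute value

// A BBCode tag is [name], [/name] or [name=value]; anything else is text.
const TAG = /\[(\/?)([a-z]{1,8})(?:=([^\]]*))?\]/gi;
const SIMPLE = { b: "strong", i: "em", u: "u" };  // BBCode name -> HTML element

function bbcodeToHtml(input) {
  input = String(input);
  let html = "", last = 0;
  const open = [];                                // stack of open HTML elements
  for (const m of input.matchAll(TAG)) {
    html += htmlEncode(input.slice(last, m.index));
    last = m.index + m[0].length;
    const closing = m[1] === "/", name = m[2].toLowerCase(), value = m[3];
    const el = SIMPLE[name] || (name === "url" ? "a" : undefined);
    if (el && closing) {
      // Only close what is actually open; otherwise the tag is just text.
      html += open[open.length - 1] === el ? `</${open.pop()}>` : htmlEncode(m[0]);
    } else if (el === "a") {
      // Links need an explicit http(s) URL; other schemes stay literal text.
      if (value !== undefined && /^https?:\/\//i.test(value)) {
        html += `<a href="${attrEncode(value)}">`;
        open.push("a");
      } else html += htmlEncode(m[0]);
    } else if (el) {
      html += `<${el}>`;
      open.push(el);
    } else {
      html += htmlEncode(m[0]);                   // not on the safe list: literal
    }
  }
  html += htmlEncode(input.slice(last));
  while (open.length) html += `</${open.pop()}>`; // normalize: close leftovers
  return html;
}
```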
  • Slide 35
  • Microsoft Web Protection Library (WPL), AKA AntiXSS 4.0: Whitelists: narrowly defines allowable character sets and encodes everything else.
  • Slide 36
  • WPL Cross-Site Scripting (XSS) Sanitation: The Web Protection Library Sanitizer class "transforms and filters HTML of executable scripts. A safe list of tags and attributes are used to strip dangerous scripts from the HTML. HTML is also normalized where tags are properly closed and attributes are properly formatted." [1] Sanitizer.GetSafeHtml(): sanitizes an entire HTML document. Sanitizer.GetSafeHtmlFragment(): sanitizes a fragment of an HTML document.
  • Slide 37
  • UnicodeCharacterEncoder.MarkAsSafe(): configures the Encoder class with valid ranges of Unicode. Choose the expected Lower, Lower Middle, Middle, Upper Middle, and Upper ranges from the code chart codes.
  • Slide 38
  • WPL Encoder Class: Encoding static methods for web: Encoder.CssEncode(); Encoder.HtmlEncode(); Encoder.HtmlAttributeEncode(); Encoder.UrlEncode(); Encoder.HtmlFormEncode(); Encoder.JavaScriptEncode(); Encoder.VisualBasicScriptEncode().
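The Slide 35 whitelist approach, applied per context as on Slide 25 and Slide 38, and then used to fix the Slide 24 Error.aspx reflected XSS, as an added example that is neither the slides' code nor the Web Protection Library itself. The function names, the exact escape forms, and the page layout in renderErrorPage are assumptions made for this illustration.

```javascript
// Added example (not from the slides or the Web Protection Library): the WPL
// whitelist idea from Slide 35 applied per output context, then used to
// re-render Slide 24's Error.aspx safely. Only known-safe characters pass
// through; everything else is encoded in the form inert for that context.
const ALNUM = /^[A-Za-z0-9]$/;

// keep: characters passed through unchanged; enc: context-specific escape.
function encodeWith(s, keep, enc) {
  let out = "";
  for (const ch of String(s)) out += keep.test(ch) ? ch : enc(ch);
  return out;
}
const numericEntity = (ch) => `&#${ch.codePointAt(0)};`;

// HTML element content: spaces are harmless here, so they stay.
const htmlEncode = (s) => encodeWith(s, /^[A-Za-z0-9 ]$/, numericEntity);

// HTML attribute value: spaces are encoded too, so a value can never start a
// new attribute even when the quoting is sloppy.
const htmlAttributeEncode = (s) => encodeWith(s, ALNUM, numericEntity);

// Inside a quoted JavaScript string literal: \xHH / \uHHHH escapes neutralise
// quotes, backslashes, newlines and a literal </script>.
const javaScriptEncode = (s) =>
  encodeWith(s, ALNUM, (ch) => {
    const cp = ch.codePointAt(0), hex = cp.toString(16).toUpperCase();
    if (cp < 0x100) return `\\x${hex.padStart(2, "0")}`;
    return cp < 0x10000 ? `\\u${hex.padStart(4, "0")}` : `\\u{${hex}}`;
  });

// URL query component: percent-encode the UTF-8 bytes of everything else.
// Its output alphabet is [A-Za-z0-9%], which is also safe inside an attribute.
const urlEncode = (s) =>
  encodeWith(s, ALNUM, (ch) =>
    Array.from(new TextEncoder().encode(ch),
      (b) => `%${b.toString(16).toUpperCase().padStart(2, "0")}`).join(""));

// Slide 24's Error.aspx with msg written into three contexts (element text,
// attribute + URL, JavaScript string), each through the matching encoder.
function renderErrorPage(msg) {
  return [
    `<p>The following error occurred: ${htmlEncode(msg)}</p>`,
    `<a href="/Error.aspx?msg=${urlEncode(msg)}" title="${htmlAttributeEncode(msg)}">link</a>`,
    `<script>function Redirect() { document.location = '${javaScriptEncode(msg)}'; }</script>`,
  ].join("\n");
}
```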
  • Slide 39
  • XSS Injection Fixed: HTML Element; HTML Attribute (" src=... />).
  • Slide 40
  • XSS Injection Fixed Cont.: JavaScript variables / data (function Redirect() { document.location = ''; }); Styles Attributes / CSS Files.
  • Slide 41
  • ASP.NET 4.0 Encoding: Change Default Encoding; New Abbreviated Syntax.
  • Slide 42
  • ASP.NET 4.0 Encoding: New Abbreviated Syntax (<%: %>)*; MVC 3 Razor View Engine: @variableToEncode. Default Encoder Blacklist: & ' " and the range 0x0a-0xFF. * Does NOT completely encode for HTML Attributes, JavaScript, VBScript, URL, or CSS.
  • Slide 43
  • Replacing Default HttpEncoder: register the custom encoder in web.config (the encoderType attribute of httpRuntime) and implement it in AntiXssEncoder.cs:

        using System.IO;
        using System.Web.Util;                 // HttpEncoder base class (ASP.NET 4.0)
        using Microsoft.Security.Application;  // WPL / AntiXSS Encoder

        // Routes ASP.NET's built-in HtmlEncode / HtmlAttributeEncode calls
        // (and so the <%: %> and Razor output syntax) through the AntiXSS
        // whitelist encoder instead of the default blacklist encoder.
        public class AntiXssEncoder : HttpEncoder
        {
            public AntiXssEncoder() { }

            protected override void HtmlEncode(string value, TextWriter output)
            {
                output.Write(Encoder.HtmlEncode(value));
            }

            protected override void HtmlAttributeEncode(string value, TextWriter output)
            {
                output.Write(Encoder.HtmlAttributeEncode(value));
            }
        }
  • Slide 44
  • XSS Exploit Demo: BeEF, the Browser Exploitation Framework.
  • Slide 45
  • Contact: Email [email protected] (put OWASP in the subject); LinkedIn http://www.linkedin.com/in/jmonty; Twitter http://www.twitter.com/j_monty and http://www.twitter.com/SANSecDotNet; Blog http://www.securitythroughabsurdity.com