The Ten Most Critical Web Application Security Vulnerabilities - PowerPoint PPT Presentation

About This Presentation
Title:

The Ten Most Critical Web Application Security Vulnerabilities

Description:

A3 Broken Authentication and Session Management. A4 Cross Site Scripting (XSS) Flaws ... method=post id='idForm' INPUT name='cookie' type='hidden' /FORM SCRIPT ...

Slides: 17
Provided by: insaCom
Transcript and Presenter's Notes

1
The Ten Most Critical Web Application
Security Vulnerabilities
Ryan J.W Chen
2
Outline
  • OWASP Top Ten Vulnerabilities
    • A1 Unvalidated Input
    • A2 Broken Access Control
    • A3 Broken Authentication and Session Management
    • A4 Cross Site Scripting (XSS) Flaws
    • A5 Buffer Overflows
    • A6 Injection Flaws
    • A7 Improper Error Handling
    • A8 Insecure Storage
    • A9 Denial of Service
    • A10 Insecure Configuration Management
3
Example Web Application
Diagram of a tiered deployment: a Browser on the Internet talks to a Web Server, an Application Server and a Database Server, placed across the DMZ, Protected Network and Internal Network zones.
4
Top Ten Vulnerabilities: this year vs. last year
5
A1 Unvalidated Input (1/3)
  • An attacker can tamper with any part of an HTTP
    request, including the URL, query string, headers,
    cookies, form fields, and hidden fields.
  • Related attacks
    • A4 Cross Site Scripting
    • A5 Buffer Overflows
    • A6 Injection Flaws

6
A1 Unvalidated Input (2/3)
Any malicious user can see the query string and
modify it!
Example (SQL Injection)
http://www.yoursite.com/phones/phonelist.cgi?phoneid=34
http://www.yoursite.com/phones/phonelist.cgi?phoneid=34;delete from phones
SELECT name, phone FROM phones WHERE phoneid=34;
DELETE FROM phones
7
A1 Unvalidated Input (3/3)
  • Countermeasures
    • Parameters should be validated before they are
      used:
    • Data type
    • Allowed character set
    • Minimum and maximum length
    • Whether null is allowed
    • Whether the parameter is required or not
    • Whether duplicates are allowed
    • Numeric range

8
A2 Broken Access Control
  • Access Control (Authorization)
  • Countermeasures
    • Use an access control matrix to define access
      control rules.
    • Administrative functions can be protected with a VPN.

Forced browsing past access control checks
Path traversal
Insecure session IDs or keys
Client-side caching
File permissions may allow access to config/password files
9
A3 Broken Authentication and Session Management
  • Weak authentication
  • Countermeasures
    • Strong passwords
    • Account list protection
    • Session ID protection (SSL)

Password-only authentication
Trust relationships between hosts
Unencrypted secrets could be sniffed
Easily guessable usernames
10
A4 Cross Site Scripting (XSS) Flaws
  • The attacker uses a trusted application/company to send
    malicious code to the end user.

Diagram: the victim's cookie is stolen ("cookie robbed!!")
Source Bo
11
A5 Buffer Overflows
  • Mostly affects web/app servers
  • Goal: crash the target app and get a shell
  • Countermeasures
    • Keep up with bug reports
    • Periodically scan your website
    • Code reviews

Example
  • echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25

Replace this with something like this
  • char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08...";

12
A6 Injection Flaws
  • Allows an attacker to relay malicious code through a
    web application to another system.
  • Countermeasures
    • Avoid system calls (use libraries instead)
    • Validate input information.
    • Run with limited privileges

Path traversal: ../
Add more commands: rm -r
SQL injection: OR 1=1
13
A7 Improper Error Handling
  • Helps the attacker learn how to target the
    application.
  • Countermeasures
    • Code review
    • Modify default error pages (404, 401, etc.)

Example
"File not found" vs. "Access denied"
14
A8 Insecure Storage
  • Insecure storage of sensitive information.
  • Countermeasures
    • Use a one-way hash function (SHA-1) instead of
      storing encrypted data.
    • Make sure there are no open vulnerabilities in the cryptography.

15
A9 Denial of Service
  • Legitimate users can't be serviced.
  • Countermeasures
    • Limit the resources allocated to any user to a bare
      minimum.
    • Avoid any unnecessary access to databases or
      other expensive resources.

Exhaust the system resources
Lock out legitimate accounts
16
A10 Insecure Configuration Management
  • Developers ≠ web masters
  • Countermeasures
    • Configure all security mechanisms.
    • Turn off all unused services.
    • Set up and audit roles, permissions, and
      accounts.
    • Logging and alerts.

Configuration problems
Unpatched security flaws in the server software.
Improper file and directory permissions.
Default accounts with their default passwords.