OWASP AppSec US 09 Highlights – Ofer Maor (presentation)


  • Number of slides: 60

OWASP AppSec US 09 Highlights
Ofer Maor, CTO, Hacktics
OWASP Israel, Dec 2009
http://www.webappsec.org/
Copyright © 2009 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation http://www.owasp.org/

Introduction
OWASP AppSec US 09 – held in DC, Nov 2009
• 2 training days, 2 conference days (+ Summit)
• 60 lectures presented in the conference
Today: 30-minute summary!
• Metrics & Statistics (by Chris Wysopal)
• 2009 Trends (by Ryan Barnett)
• OWASP Top 10 2010 RC1 (by Dave Wichers)
• Additional OWASP projects
  • OWASP Enterprise Security API (by Jeff Williams)
  • OWASP Live CD (by Matt Tesauro)
  • Learning by Breaking (by Chuck Willis)

Web Application Security Testing Statistics
Source: Application Security Metrics from the Organization on Down to the Vulnerabilities
Presented by: Chris Wysopal, Veracode

WASC Web Application Security Statistics Project 2008
Purpose
• Collaborative industry-wide effort to pool together sanitized website vulnerability data and to gain a better understanding of the web application vulnerability landscape.
• Ascertain which classes of attacks are the most prevalent, regardless of the methodology used to identify them.
• A MITRE CVE project for custom web applications.
Goals
• Identify the prevalence and probability of different vulnerability classes.
• Compare testing methodologies against what types of vulnerabilities they are likely to identify.

Project Team
Project Leader: Sergey Gordeychik
Project Contributors:
• Sergey Gordeychik, Dmitry Evteev (Positive Technologies)
• Chris Wysopal, Chris Eng (Veracode)
• Jeremiah Grossman (WhiteHat Security)
• Mandeep Khera (Cenzic)
• Shreeraj Shah (Blueinfy)
• Matt Lantinga (HP Application Security Center)
• Lawson Lee (dns – used WebInspect)
• Campbell Murray (Encription Limited)

Summary
• 12,186 web applications with 97,554 detected vulnerabilities
• More than 13%* of all reviewed sites can be compromised completely automatically
• About 49% of web applications contain high-risk vulnerabilities detected by scanning
• Manual and automated assessment by the white-box method detects these high-risk vulnerabilities with probability up to 80-96%
• 99% of web applications are not compliant with the PCI DSS standard
* Web applications with Brute Force Attack, Buffer Overflow, OS Commanding, Path Traversal, Remote File Inclusion, SSI Injection, Session Fixation, SQL Injection, Insufficient Authentication or Insufficient Authorization vulnerabilities detected by automatic scanning.

Compared to the 2007 WASS Project
• Number of sites with SQL Injection fell by 13%
• Number of sites with Cross-site Scripting fell by 20%
• Number of sites with different types of Information Leakage rose by 24%
• Probability of compromising a host automatically rose from 7% to 13%

Probability to detect a vulnerability (chart)

% of total vulnerabilities (chart)

Manual vs. Automatic – Top Vulnerabilities *

  Vulnerability Class              Manual Tests   Existing Tools
  Content Spoofing                 19.75%          0.21%
  Credential/Session Prediction     7.27%          0.09%
  Cross Site Scripting             56.73%         37.66%
  CSRF                              6.89%          0.02%
  HTTP Response Splitting          11.45%          0%
  Path Traversal                    7.26%          0.54%
  Predictable Resource Location    13.94%          0.14%
  Session Fixation                  6.56%          0.03%
  SQL Injection                    19.47%         11.65%
  Information Leakage              40.41%         72.68%
  Insufficient Authentication      11.66%          0.14%
  Insufficient Authorization       13.27%          0.13%

Notes:
  1. Not part of Chris's lecture
  2. Based on partial participation of automatic tools (as well as manual assessment providers)

Web Application Security Trends, January – June 2009
Source: The Web Hacking Incidents Database (WHID) Report: January – June 2009
Presented by: Ryan Barnett, Breach Security


OWASP Top 10 2010
Source: OWASP Top 10 2010 RC1
Presented by: Dave Wichers, Aspect Security

What's Changed?
It's About Risks, Not Just Vulnerabilities
• New title is: "The Top 10 Most Critical Web Application Security Risks"
OWASP Top 10 Risk Rating Methodology
• Based on the OWASP Risk Rating Methodology, used to prioritize the Top 10
2 Risks Added, 2 Dropped
• Added: A6 – Security Misconfiguration
  • Was A10 in the 2004 Top 10: Insecure Configuration Management
• Added: A8 – Unvalidated Redirects and Forwards
  • Relatively common and VERY dangerous flaw that is not well known
• Removed: A3 – Malicious File Execution
  • Primarily a PHP flaw that is dropping in prevalence
• Removed: A6 – Information Leakage and Improper Error Handling
  • A very prevalent flaw that does not introduce much risk (normally)

Mapping from 2007 to 2010 Top 10

  OWASP Top 10 – 2007 (Previous)                               OWASP Top 10 – 2010 (New)
  A2 – Injection Flaws                                   →     A1 – Injection
  A1 – Cross Site Scripting (XSS)                        →     A2 – Cross Site Scripting (XSS)
  A7 – Broken Authentication and Session Management      →     A3 – Broken Authentication and Session Management
  A4 – Insecure Direct Object Reference                  =     A4 – Insecure Direct Object References
  A5 – Cross Site Request Forgery (CSRF)                 =     A5 – Cross Site Request Forgery (CSRF)
                                                         +     A6 – Security Misconfiguration (NEW)
  A10 – Failure to Restrict URL Access                   →     A7 – Failure to Restrict URL Access
                                                         +     A8 – Unvalidated Redirects and Forwards (NEW)
  A8 – Insecure Cryptographic Storage                    →     A9 – Insecure Cryptographic Storage
  A9 – Insecure Communications                           →     A10 – Insufficient Transport Layer Protection
  A3 – Malicious File Execution                          -     (dropped)
  A6 – Information Leakage and Improper Error Handling   -     (dropped)

OWASP Top 10 Risk Rating Methodology

  Threat Agent   Attack Vector   Weakness Prevalence   Weakness Detectability   Technical Impact   Business Impact
  ?              1 Easy          1 Widespread          1 Easy                   1 Severe           ?
                 2 Average       2 Common              2 Average                2 Moderate
                 3 Difficult     3 Uncommon            3 Difficult              3 Minor

XSS example: Attack Vector 2, Weakness Prevalence 1, Weakness Detectability 1, Technical Impact 2
  (2 + 1 + 1) / 3 = 1.3 likelihood  *  2 technical impact  =  2.6 weighted risk rating
Threat Agent and Business Impact are marked "?" because they depend on the particular application.

A6 – Security Misconfiguration
Web applications rely on a secure foundation
• All through the network and platform
• Don't forget the development environment
Is your source code a secret?
• Think of all the places your source code goes
• Security should not require secret source code
CM must extend to all parts of the application
• All credentials should change in production
Typical Impact
• Install backdoor through missing network or server patch
• XSS flaw exploits due to missing application framework patches
• Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration

A6 – Avoiding Security Misconfiguration
Verify your system's configuration management
• Secure configuration "hardening" guideline
  • Automation is REALLY USEFUL here
• Must cover entire platform and application
• Keep up with patches for ALL components
  • This includes software libraries, not just OS and server applications
• Analyze security effects of changes
Can you "dump" the application configuration?
• Build reporting into your process
• If you can't verify it, it isn't secure
Verify the implementation
• Scanning finds generic configuration and missing patch problems

A8 – Unvalidated Redirects and Forwards
Web application redirects are very common
• And frequently include user-supplied parameters in the destination URL
• If they aren't validated, an attacker can send the victim to a site of their choice
Forwards (aka Transfer in .NET) are common too
• They internally send the request to a new page in the same application
• Sometimes parameters define the target page
• If not validated, an attacker may be able to use an unvalidated forward to bypass authentication or authorization checks
Typical Impact
• Redirect victim to phishing or malware site
• Attacker's request is forwarded past security checks, allowing unauthorized function or data access

Unvalidated Redirect Illustrated
1. Attacker sends attack to victim via email or webpage
   From: Internal Revenue Service
   Subject: Your Unclaimed Tax Refund
   "Our records show you have an unclaimed federal tax refund. Please click here to initiate your claim."
2. Victim clicks link containing unvalidated parameter
   Request sent to vulnerable site, including attacker's destination site as parameter:
   http://www.irs.gov/taxrefund/claim.jsp?year=2006&…&dest=www.evilsite.com
3. Application redirects victim to attacker's site
   Redirect sends victim to attacker site (Evil Site)
4. Evil site installs malware on victim, or phishes for private information
(Diagram labels: Custom Code; business functions E-Commerce, Knowledge Mgmt, Communication, Transactions, Accounts, Administration, Finance)

Unvalidated Forward Illustrated
1. Attacker sends attack to vulnerable page they have access to
   Request sent to vulnerable page which user does have access to. Redirect sends user directly to private page, bypassing access control.
2. Application authorizes request (Filter), which continues to vulnerable page
3. Forwarding page fails to validate parameter, sending attacker to unauthorized page, bypassing access control

   // the forwarding page: the "dest" parameter reaches the dispatcher unchecked
   public void doPost(HttpServletRequest request, HttpServletResponse response) {
       try {
           String target = request.getParameter("dest");
           ...
           request.getRequestDispatcher(target).forward(request, response);
       } catch (...

   // the private page the forward lands on
   public void sensitiveMethod(HttpServletRequest request, HttpServletResponse response) {
       try {
           // Do sensitive stuff here.
           ...
       } catch (...

A8 – Avoiding Unvalidated Redirects and Forwards
There are a number of options:
1. Avoid using redirects and forwards as much as you can
2. If used, don't involve user parameters in defining the target URL
3. If you 'must' involve user parameters, then either
   a) Validate each parameter to ensure it's valid and authorized for the current user, or
   b) (preferred) Use server-side mapping to translate the choice provided to the user into the actual target page
Defense in depth: For redirects, validate the target URL after it is calculated to make sure it goes to an authorized external site
• ESAPI can do this for you!! See: SecurityWrapperResponse.sendRedirect(URL)
  http://owasp-esapi-java.googlecode.com/svn/trunk_doc/org/owasp/esapi/filters/SecurityWrapperResponse.html#sendRedirect(java.lang.String)
Some thoughts about protecting forwards
• Ideally, you'd call the access controller to make sure the user is authorized before you perform the forward (with ESAPI, this is easy)
• With an external filter, like SiteMinder, this is not very practical
• Next best is to make sure that users who can access the original page are ALL authorized to access the target page.
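The two defences the slide prefers, as an added example that is not part of the original presentation and not ESAPI's code: a server-side key-to-page mapping for forwards (option 3b, with an authorization hook before the forward) and an allow-list check on the redirect URL after it has been calculated (the defense-in-depth step). SafeRedirects, resolveForward, isSafeRedirect, the sample pages and the allowed hosts are hypothetical names constructed for illustration; the www.evilsite.com case reproduces the slide's scenario.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

// Added example, not code from the presentation or from ESAPI. All names are hypothetical.
public class SafeRedirects {

    // Option 3b for forwards: the user picks a key, the server owns the mapping to the
    // real page, so user input never reaches RequestDispatcher. Constructed sample mapping.
    private static final Map<String, String> FORWARD_TARGETS = Map.of(
            "summary",  "/account/summary.jsp",
            "history",  "/account/history.jsp",
            "settings", "/account/settings.jsp");

    // Defense in depth for redirects: the only external hosts a user may be sent to.
    private static final Set<String> ALLOWED_REDIRECT_HOSTS =
            Set.of("www.irs.gov", "partner.example.com");

    // Resolve a user-supplied key to an internal page, then ask the access controller
    // (passed in as a predicate; ESAPI.accessController() would play this role) before
    // the forward happens. Unknown keys and unauthorized pages both yield null.
    public static String resolveForward(String key, Predicate<String> authorizedFor) {
        String target = FORWARD_TARGETS.get(key);
        if (target == null) {
            return null;
        }
        return authorizedFor.test(target) ? target : null;
    }

    // Check the redirect URL *after* it has been fully calculated (prefix, query string
    // and all), so the check sees exactly what the browser will receive.
    public static boolean isSafeRedirect(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                     // unparsable (e.g. backslashes): refuse
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            return url.startsWith("/");       // site-local path; "//host" has an authority
        }
        String scheme = uri.getScheme();
        if (!"https".equalsIgnoreCase(scheme) && !"http".equalsIgnoreCase(scheme)) {
            return false;                     // javascript:, data:, scheme-relative, ...
        }
        // "https://www.irs.gov@www.evilsite.com/" parses with www.irs.gov as user-info and
        // evilsite as the host; rejecting user-info keeps that out of the host check.
        if (uri.getRawUserInfo() != null || uri.getHost() == null) {
            return false;
        }
        return ALLOWED_REDIRECT_HOSTS.contains(uri.getHost().toLowerCase());
    }

    private static void show(String url) {
        System.out.println(url + " -> " + (isSafeRedirect(url) ? "allowed" : "refused"));
    }

    public static void main(String[] args) {
        // The slide's scenario: dest=www.evilsite.com after the application prefixes "http://".
        show("http://www.evilsite.com");
        show("https://www.irs.gov/taxrefund/claim.jsp");
        show("//www.evilsite.com/");
        show("https://www.irs.gov@www.evilsite.com/");
        show("/account/summary.jsp");

        // Forwards: the key is the user's choice, the page is the server's.
        Predicate<String> ordinaryUser = page -> !page.startsWith("/admin/");
        System.out.println("summary -> " + resolveForward("summary", ordinaryUser));
        System.out.println("/admin/users.jsp -> " + resolveForward("/admin/users.jsp", ordinaryUser));
    }
}
```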

OWASP ESAPI (Enterprise Security API)
Source: Don't Write Security Code! (The OWASP Enterprise Security API)
Presented by: Jeff Williams, Aspect Security

Reality Check
Sectors: Financial, Government, Technology, Banking, Healthcare, Insurance, Publishing, Retail, Utilities, Education
• 90% of applications are vulnerable
• Applications average 20 serious vulnerabilities

http://www.owasp.org/index.php/ESAPI
OWASP ESAPI Project Charter… To ensure that strong simple security controls are available to every developer in every environment

Before / After (diagram)

Project Scorecard
Authentication, Identity, Access Control *, Input Validation *, Output Escaping, Canonicalization, Encryption, Random Numbers, Exception Handling, Logging, Intrusion Detection, Security Configuration, WAF

Select ESAPI Early Adopters
Many unnamed financial orgs…

Better Input Validation

  // validate request against developer-defined patterns
  ValidationErrorList errorList = new ValidationErrorList();
  String name = ESAPI.validator().getValidInput("Name", form.getName(), "UserName", 255, false, errorList);
  Integer weight = ESAPI.validator().getValidInteger("UserWeight", form.getWeight(), 1, 10000, false, errorList);
  request.setAttribute("VERROR", errorList);
  …
  // get validation errors and update web page
  ValidationErrorList errors = (ValidationErrorList) request.getAttribute("VERROR");
  // update page

Stamping Out XSS
Rule #1: HTML Element Content – ESAPI.encoder().encodeForHTML(input)
Rule #2: HTML Common Attributes – ESAPI.encoder().encodeForHTMLAttribute(input)
Rule #3: HTML JavaScript Data Values – ESAPI.encoder().encodeForJavaScript(input)
Rule #4: HTML Style Property Values – ESAPI.encoder().encodeForCSS(input)
Rule #5: HTML URL Attributes – ESAPI.encoder().encodeForURL(input)
Use these in components and developers won't even know!

Rich Content
  String input = request.getParameter(

Stopping Insecure Direct Object References

  // setup a map and store somewhere safe - like the session!
  Set fileSet = new HashSet();
  fileSet.addAll(...);
  AccessReferenceMap map = new AccessReferenceMap(fileSet);
  ...
  // create an indirect reference to send to browser
  String ref = map.getIndirectReference(file1);
  String href = "esapi?file=" + ref;
  ...
  // get direct reference
  String ref = request.getParameter("file");
  File file = (File) map.getDirectReference(ref);
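The mechanism behind the slide's AccessReferenceMap, as an added example that is not ESAPI's implementation: a per-user map from real object references to random tokens, built from the objects that user is allowed to reach and kept in the session, so the browser only ever sees tokens and any value that is not in the user's map fails closed. IndirectReferenceMap and the sample file paths are hypothetical names constructed for the example.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;

// Added example, not ESAPI's code. Hypothetical class name.
public class IndirectReferenceMap<T> {
    private static final SecureRandom RNG = new SecureRandom();
    private static final char[] ALPHABET =
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".toCharArray();

    private final Map<T, String> directToIndirect = new HashMap<>();
    private final Map<String, T> indirectToDirect = new HashMap<>();

    // Build the map once per user, from the objects *this* user may reach,
    // and store it somewhere the client cannot touch (the session, as the slide says).
    public IndirectReferenceMap(Set<T> directReferences) {
        for (T direct : directReferences) {
            addDirectReference(direct);
        }
    }

    // Register an object and return its token; the same object always gets the same token.
    public synchronized String addDirectReference(T direct) {
        String existing = directToIndirect.get(direct);
        if (existing != null) {
            return existing;
        }
        String indirect;
        do {
            indirect = randomToken(8);        // unpredictable, so tokens cannot be enumerated
        } while (indirectToDirect.containsKey(indirect));
        directToIndirect.put(direct, indirect);
        indirectToDirect.put(indirect, direct);
        return indirect;
    }

    // What goes into the page instead of the real file name or record id.
    public synchronized String getIndirectReference(T direct) {
        String indirect = directToIndirect.get(direct);
        if (indirect == null) {
            throw new NoSuchElementException("object is not in this user's map");
        }
        return indirect;
    }

    // Translate the token that comes back in the request. A value the user was never
    // given (a raw path, a guess, another user's token) has no entry and is rejected
    // before any object is touched.
    public synchronized T getDirectReference(String indirect) {
        T direct = indirectToDirect.get(indirect);
        if (direct == null) {
            throw new NoSuchElementException("unknown indirect reference");
        }
        return direct;
    }

    private static String randomToken(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET[RNG.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the files one user is allowed to download.
        IndirectReferenceMap<String> map = new IndirectReferenceMap<>(
                Set.of("/data/reports/q1.pdf", "/data/reports/q2.pdf"));
        String ref = map.getIndirectReference("/data/reports/q1.pdf");
        System.out.println("href=esapi?file=" + ref);
        System.out.println("token resolves to " + map.getDirectReference(ref));
        try {
            map.getDirectReference("/data/reports/secret.pdf");   // a raw path is not a token
        } catch (NoSuchElementException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```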

Identity Everywhere

  // check the current user's credentials
  User user = ESAPI.authenticator().login();
  // display their last login time
  User current = ESAPI.authenticator().getCurrentUser();
  out.println("Login: " + current.getLastLoginTime());
  // rotate their session id
  ESAPI.httpUtilities().changeSessionIdentifier();
  // kill their session and session cookie
  ESAPI.authenticator().logout();

You can rotate your session without losing the contents

ESAPI Web App Firewall (WAF)
Critical application? PCI requirement? 3rd party application? Legacy application? Incident response?
(Diagram: attacker and user → WAF → ESAPI)
• Virtual patches
• Authentication rules
• URL access control
• Egress filtering
• Attack surface reduction
• Real-time security

Documentation
• Javadoc: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html
• Banned APIs: http://www.owasp.org/index.php/ESAPI_Secure_Coding_Guideline
• Release Notes: http://www.owasp.org/images/d/d0/JavaEEESAPI_2.0a_ReleaseNotes.doc
• Install Guide: http://www.owasp.org/images/4/4c/JavaEE-ESAPI_2.0a_install.doc

OWASP Live CD
Source: OWASP Live CD – An open environment for web application security
Presented by: Brad Causey

General goals going forward
• Showcase great OWASP projects
• Provide the best, freely distributable application security tools/documents
• Ensure that the tools provided are as easy to use as possible
• Continue to document how to use the tools and how the modules were created
• Align the tools with the OWASP Testing Guide v3 to provide maximum coverage
• Awesome training environment

Where are we now?
Current Release: AppSec DC, Nov 2009 (DOH!)
Previous Releases:
• AppSec EU, May 2009
• Austin Terrier, Feb 2009
• Portugal Release, Dec 2008
• SoC Release, Sept 2008
• Beta 1 and Beta 2 releases during the SoC
Overall downloads = 330,081 (as of 2009-10-05)
~5,094 GB of bandwidth since launch (Jul 2008)
Most downloads in 1 month = 81,607 (Mar 2009)

Available Tools: 26 'Significant'
OWASP Tools:
• WebScarab – a tool for performing all types of security testing on web apps and web services
• WebGoat – an online training environment for hands-on learning about app sec
• CAL9000 – a collection of web app sec testing tools, especially encoding/decoding
• JBroFuzz – a web application fuzzer for requests being made over HTTP and/or HTTPS
• WSFuzzer – a fuzzer with HTTP-based SOAP services as its main target
• Wapiti – audits the security of web apps by performing "black-box" scans
• DirBuster – a multi-threaded Java app to brute force directory and file names
• SQLiX – a SQL Injection scanner, able to crawl and detect SQL-i vectors

Available Tools: 26 'Significant'
Other:
• Proxies: Burp Suite, Paros, Spike Proxy, RatProxy
• Scanners: w3af, Grendel-Scan, Nikto
• SQL-i: sqlmap, SQLBrute
• Others: nmap, Fierce Domain Scanner, Httprint, Maltego CE
• Duh: Zenmap, Metasploit, Firefox, netcat, Wireshark, tcpdump

Where are we going? The cool fun stuff ahead
• Project Tindy
• Project Aqua Dog
• Builder vs Breaker
• Auto-update installed tools
• Website update
• OWASP Education Project
• Minor release tweaks
• Crazy Pie in the Sky idea

Project Tindy & Aqua Dog
Project Tindy
• OWASP Live CD installed to a virtual hard drive
• Persistence!
• VMware, VirtualBox & Parallels
Project Aqua Dog
• OWASP Live CD on a USB drive
• VM install + VM engine + USB drive = mobile app sec platform
• Currently testing; Qemu is the current VM engine

What have you done for me lately?
For Testers / QA testers
• Wide array of tools, preconfigured and ready to go
• Nice "jump kick" to keep in your laptop bag
• Great platform to test or learn the tools
For App Sec Professionals
• Both dynamic and static tool coverage
• Ability to customize for the job you're on
For Trainers
• Ready-to-go environment for students
• Ability to customize for the class

How can you get involved?
• Join the mail list – announcements are there, low traffic
• Post on the AppSecLive.org forums
• Download an ISO or VM
  • Complain or praise, suggest improvements
  • Submit a bug to the Google Code site
• Create a deb package of a tool
  • How I create the debs will be documented, command by command
  • I'll answer questions gladly
• Suggest missing tools, docs or links
• Do a screencast of one of the tools being used on the OWASP Live CD

Learn More
OWASP Site: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
or just look on the OWASP project page (release quality): http://www.owasp.org/index.php/Category:OWASP_Project
or Google "OWASP Live CD"
Download & Community Site: http://AppSecLive.org
Previously: http://mtesauro.com/livecd/

Learning by Breaking
Source: Learning by Breaking – A New Project for Insecure Web Apps
Presented by: Chuck Willis, MANDIANT

Problem
Was looking for web applications with vulnerabilities where I could:
• Test web application scanners
• Test manual techniques
• Test source code analysis tools
• Look at the code that implements the vulnerabilities
• Modify code to fix vulnerabilities
• Test web application firewalls

Option – WebGoat
• It is a great learning tool, but
• It is a training environment, not a real application
• Same holds for other "artificial" applications

Option – Proprietary "Free" Apps
• Realistic applications with vulnerabilities
• Often closed source, which prevents some uses
• Can conflict with one another
• Can be difficult to install
• Licensing restrictions

Solution
• Create a set of broken, open source applications
• Put them all on a VMware Virtual Machine
• Donate it to OWASP
• Profit?

Intentionally Broken Apps
• OWASP WebGoat version 5.3 (Java)
• OWASP Vicnum version 1.3 (Perl)
• Mutillidae version 1.3 (PHP)
• Damn Vulnerable Web Application version 1.06 (PHP)

Intentionally Broken Apps
• OWASP CSRFGuard Test Application version 2.2 (Java)
• Mandiant Struts Forms (Java/Struts)
• Simple ASP.NET Forms (ASP.NET/C#)
• Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
LOOKING FOR DONATIONS!

Old Versions of Real Applications
• phpBB 2.0.0 (PHP, released April 4, 2002)
• WordPress 2.0.0 (PHP, released December 31, 2005)
• Yazd version 1.0 (Java, released February 20, 2002)
LOOKING FOR IDEAS!

Where are the vulnerabilities?
• Don't have a master list of vulnerabilities (yet)
• Counting on the community to contribute
• Experimenting with using the issue tracker at Google Code to allow the community to contribute vulnerabilities as they are found
• May move to wiki page(s) on the OWASP site

What's in a name?
• Tentatively called "OWASP Broken Web Applications Project"
• I'm open to suggestions

The Future
• Establish as an OWASP project
  • Wiki page
  • Mailing list
• Update project for collaboration
  • Create and maintain documentation
  • Push content to Google Code
• Incorporate additional broken apps
  • The larger, the better
  • Would like more real / realistic applications
  • Adobe Flash (could use some help here)
  • Ruby on Rails?

More Information and Downloads
• More information can be found at http://code.google.com/p/owaspbwa/
• Version 0.9 of the VM has been released! Linked from the blog at mandiant.com
• I have a few CDs of the VM for anyone who wants them

Thank You! Questions?