
  • Number of slides: 37

OWASP Foundation – Los Angeles Chapter
http://www.owaspla.org
Twitter: @owaspla
Email:

Top 10 Web Security Controls
February 2012, Top Ten Controls v1
Eoin Keary and Jim Manico

(1) Query Parameterization (PHP PDO)

The SQL text is fixed at prepare() time; the untrusted values are bound afterwards and can never change the query's structure:

```php
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);   // bound by reference, sent separately from the SQL text
$stmt->bindParam(':value', $value);
$stmt->execute();
```
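As an added example (not code from the slides, which use PHP PDO), the same control written against Python's standard sqlite3 module, with the string-concatenation form it replaces shown beside it. The `registry` table, its rows and the function names are constructed for the demo:

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo (not from the slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registry (name TEXT, value TEXT)")
    conn.executemany("INSERT INTO registry (name, value) VALUES (?, ?)",
                     [("alice", "secret-a"), ("bob", "secret-b")])
    return conn


def lookup_concat(conn, name):
    # VULNERABLE: the untrusted value becomes part of the SQL text, so a
    # single quote in the input rewrites the query's structure.
    sql = "SELECT value FROM registry WHERE name = '" + name + "' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # SAFE: the SQL text is fixed; the value travels as a bound parameter,
    # the same idea as PDO prepare() / bindParam() / execute().
    rows = conn.execute(
        "SELECT value FROM registry WHERE name = ? ORDER BY rowid", (name,))
    return [row[0] for row in rows]


def insert_param(conn, name, value):
    # Named placeholders, matching the :name / :value style on the slide.
    conn.execute("INSERT INTO registry (name, value) VALUES (:name, :value)",
                 {"name": name, "value": value})
    conn.commit()
    return conn.execute("SELECT value FROM registry WHERE name = :name",
                        {"name": name}).fetchone()[0]
```

With the input `x' OR '1'='1`, `lookup_concat` returns every row in the table while `lookup_param` returns nothing, because the parameterized query only ever compares `name` against the literal string it was given. The parameterized insert also copes with names such as `o'brien` that would be a syntax error in the concatenated form.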

XSS: Why so Serious?
  • Session hijacking
  • Site defacement
  • Network scanning
  • Undermining CSRF defenses
  • Site redirection/phishing
  • Load of remotely hosted scripts
  • Data theft
  • Keystroke logging

(2) XSS Defense by Data Type and Context

| Data Type | Context | Defense |
|---|---|---|
| Numeric (type-safe language) | Doesn't matter | Cast to numeric |
| String | HTML body | HTML entity encode |
| String | HTML attribute, quoted | Minimal attribute encoding |
| String | HTML attribute, unquoted | Maximum attribute encoding |
| String | GET parameter | URL encoding |
| String | Untrusted URL | Validation, avoid javascript: URLs, attribute encoding, safe URL verification |
| String | CSS | Strict structural validation, CSS hex encoding, good design |
| HTML | HTML body | HTML validation (JSoup, AntiSamy, HTML Sanitizer) |
| Any | DOM | DOM XSS Cheat Sheet |
| Untrusted JavaScript | Any | Sandboxing |
| JSON | Client parse time | JSON.parse() or json2.js |

Danger: Multiple Contexts
Browsers have multiple contexts that must be considered!
  • HTML Body
  • HTML Attributes
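As an added example (Python, not code from the slides), the context table and the multiple-contexts slide above carried through in working code: one encoder per output context, and a render function that places the same untrusted value into four different slots. It goes slightly beyond the table by adding a JavaScript string-literal encoder and a scheme allow-list for untrusted URLs; all function names and the sample inputs are constructed for the demo:

```python
import html
import re
from typing import Optional
from urllib.parse import quote

_ALNUM = re.compile(r"[A-Za-z0-9]")


def encode_html_body(s: str) -> str:
    # HTML body context: entity-encode & < > " ' (html.escape with quote=True).
    return html.escape(s, quote=True)


def encode_html_attribute(s: str) -> str:
    # "Maximum" attribute encoding: every non-alphanumeric character becomes
    # &#xHH;, so the value cannot terminate even an unquoted attribute.
    return "".join(c if _ALNUM.match(c) else "&#x%X;" % ord(c) for c in s)


def encode_url_parameter(s: str) -> str:
    # GET parameter context: percent-encode everything except unreserved chars.
    return quote(s, safe="")


def safe_href(url: str) -> Optional[str]:
    # Untrusted URL: validate first (scheme allow-list), encode second.
    # Returns None when the URL must not be emitted at all.
    u = url.strip()
    if any(ord(c) < 0x20 for c in u):        # "java\tscript:" style evasion
        return None
    low = u.lower()
    if low.startswith("//"):                  # protocol-relative, not a local path
        return None
    if not (low.startswith("http://") or low.startswith("https://")
            or low.startswith("/")):
        return None                           # javascript:, data:, vbscript: ...
    return html.escape(u, quote=True)         # minimal encoding, quoted attribute


def encode_js_string(s: str) -> str:
    # JavaScript string-literal context: \xHH or \uHHHH for every
    # non-alphanumeric character, so quotes, backslashes, newlines and
    # </script> cannot break out of the literal.
    out = []
    for c in s:
        cp = ord(c)
        if _ALNUM.match(c):
            out.append(c)
        elif cp < 0x100:
            out.append("\\x%02X" % cp)
        elif cp <= 0xFFFF:
            out.append("\\u%04X" % cp)
        else:                                 # astral plane: UTF-16 surrogate pair
            hi, lo = divmod(cp - 0x10000, 0x400)
            out.append("\\u%04X\\u%04X" % (0xD800 + hi, 0xDC00 + lo))
    return "".join(out)


def render_profile(name: str, homepage: str) -> str:
    # The same untrusted value lands in four contexts and gets four encoders.
    href = safe_href(homepage) or "#"
    return (
        f"<p>Hello, {encode_html_body(name)}</p>\n"
        f'<a href="{href}" title={encode_html_attribute(name)}>home</a>\n'
        f'<a href="/search?q={encode_url_parameter(name)}">search</a>\n'
        f"<script>var who = '{encode_js_string(name)}';</script>"
    )
```

Note the order in `safe_href`: validation of the scheme happens on the raw value, and encoding is applied only to what survives; encoding alone would not stop `javascript:` in an `href`, because the browser decodes the entities before resolving the URL.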