OWASP TOP 10 2007 RELEASE CANDIDATE 1
THE TEN MOST CRITICAL WEB APPLICATION SECURITY VULNERABILITIES
2007 UPDATE
© 2002-2007 OWASP Foundation. This document is licensed under the Creative Commons Attribution-ShareAlike 2.5 license.
TABLE OF CONTENTS
Table of Contents ... 2
Introduction ... 3
Summary ... 4
Methodology ... 5
A1 – Cross Site Scripting (XSS) ... 8
A2 – Injection Flaws ... 11
A3 – Malicious File Execution ... 13
A4 – Insecure Direct Object Reference ... 17
A5 – Cross Site Request Forgery (CSRF) ... 19
A6 – Information Leakage and Improper Error Handling ... 22
A7 – Broken Authentication and Session Management ... 24
A8 – Insecure Cryptographic Storage ... 26
A9 – Insecure Communications ... 28
A10 – Failure to Restrict URL Access ... 30
Where To Go From Here ... 32
References ... 35
OWASP Top 10 2007
INTRODUCTION
Welcome to the OWASP Top 10 2007! This totally re-written edition lists the most serious web application vulnerabilities, discusses how to protect against them, and provides links to more information.
AIM
… about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities – a great start to your secure coding security program.

It is insufficient to secure your code just once. By 2008, this Top 10 will have changed, and without changing a line of your application's code, you may be vulnerable. Please review the advice in Where to go from here for more information.

Secure web applications are possible when a secure SDLC is used. Secure programs are secure by design, during development, and by default. There are at least 300 issues that affect the overall security of a web application. These 300+ issues are detailed in the OWASP Guide, which is essential reading for anyone developing web applications today.

Please do not adopt this document as a policy or standard without talking to us first! If you need a secure coding policy or standard, OWASP has secure coding policies and standards projects in progress. Please consider joining or financially assisting with these efforts.
SUMMARY
A1 – Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, etc.
A2 – Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
A3 – Malicious File Execution: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
A4 – Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
A5 – Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.
A6 – Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to violate privacy, or conduct further attacks.
A7 – Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
A8 – Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
A9 – Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
A10 – Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.
METHODOLOGY
Our methodology for the Top 10 2007 was simple: take the MITRE Vulnerability Trends for 2006, and distill the Top 10 web application security issues. The ranked results are as follows:
Although we have tried to preserve the order, we have deliberately not chosen some weaknesses, such as buffer overflows, as they are not widely applicable to web application security. In addition, we have transformed some raw findings into "meta" issues to fully capture the root cause of an issue represented by that data.

Cross Site Request Forgery (CSRF) is the major new addition to this edition of the OWASP Top 10. Although raw data ranks it at #36, we feel that it is important enough that applications should start protection efforts today, particularly for high value applications and applications which deal with sensitive data.

We have not included language specific (C, C++, etc) issues, such as buffer overflows, format string attacks, or any of the other common weaknesses which plague desktop and server software. If you are delivering programs for desktop or server platforms, or are including tools, plug-ins, or external programs to be called by your web application, we strongly recommend you reference the OWASP Guide and the books in the references section for more information on how to build or use these safely.

All of the protection recommendations provide solutions for the three most prevalent web application frameworks: Java EE, ASP.NET, and PHP. Other common web application frameworks, such as Ruby on Rails or Perl, can easily adapt the recommendations to suit their specific needs.
BIASES
The methodology described above necessarily biases the Top 10 towards discoveries by the security researcher community. This pattern of discovery is similar to the methods of actual attack, particularly as it relates to entry-level ("script kiddy") attackers. Protecting your software against the Top 10 will provide a modicum of protection against the most common forms of attack, but far more importantly, help set a course for improving the security of your software.
MAPPING
There have been changes to the headings, even where content maps closely to previous content. We no longer use the WAS XML naming scheme as it has not kept up to date with modern vulnerabilities, attacks, and countermeasures. The table below depicts how this edition maps to the Top 10 2004, and the raw MITRE ranking:
WHY WE HAVE DROPPED SOME IMPORTANT ISSUES
Unvalidated input is a major challenge for any development team, and is at the root of many application security problems. In fact, many of the other items in the list recommend validating input as a part of the solution. We still strongly recommend creating a centralized input validation mechanism as a part of your web applications. For more information, read the following data validation articles at OWASP:
http://www.owasp.org/index.php/Data_Validation
http://www.owasp.org/index.php/Testing_for_Data_Validation

Buffer overflows are extremely serious vulnerabilities for programs written in languages such as C or C++. Remediation for these issues is covered by the traditional non-web application security community, such as SANS, CERT, and programming language tool vendors. If your code is written in a language that is likely to suffer buffer overflows, we encourage you to read the buffer overflow content on OWASP:
http://www.owasp.org/index.php/Buffer_overflow
http://www.owasp.org/index.php/Testing_for_Buffer_Overflow

Denial of service is a serious attack that can affect any site written in any language. The ranking of DoS by MITRE is insufficient to make the Top 10 this year. If you have concerns about denial of service, you should consult the OWASP site and Testing Guide:
http://www.owasp.org/index.php/Category:Denial_of_Service_Attack
http://www.owasp.org/index.php/Testing_for_Denial_of_Service

Insecure configuration management affects all systems to some extent, particularly PHP. However, the ranking by MITRE does not allow us to include this issue this year. When deploying your application, you should consult the latest OWASP Guide and the OWASP Testing Guide for detailed information regarding secure configuration management and testing:
http://www.owasp.org/index.php/Configuration
http://www.owasp.org/index.php/Testing_for_infrastructure_configuration_management
VULNERABILITIES, NOT ATTACKS
The previous edition of the Top 10 contained a mixture of attacks, vulnerabilities and countermeasures. This time around, we have focused solely on vulnerabilities. If organizations use this document to secure their applications, and reduce the risks to their business, it will lead to a direct reduction in the likelihood of:
- Phishing attacks that can exploit any of these vulnerabilities, particularly XSS, and weak or non-existent authentication or authorization checks (A1, A4, A7, A10)
- Privacy violations from poor validation, business rule and weak authorization checks (A2, A4, A6, A7, A10)
- Identity theft through poor or non-existent cryptographic controls (A8 and A9), remote file include (A3) and authentication, business rule, and authorization checks (A4, A7, A10)
- Systems compromise through remote file include (A3) and end of business class of data alteration or destruction attacks via Injections (A2)
- Financial loss through unauthorized transactions and CSRF attacks (A4, A5, A7, A10)
- Reputation loss through exploitation of any of the above vulnerabilities (A1 … A10)

Once an organization moves away from worrying about reactive controls, and moves forward to proactively reducing risks applicable to their business, they will improve compliance with regulatory regimes, reduce operational costs, and hopefully will have far more robust and secure systems as a result.
ACKNOWLEDGEMENTS
We thank the MITRE Project for making Vulnerability Type Distribution in CVE data freely available for use. The OWASP Top Ten project is led and sponsored by Aspect Security.
A1 – CROSS SITE SCRIPTING (XSS)
Cross site scripting, better known as XSS, is the most prevalent and pernicious web application security issue. XSS flaws occur whenever an application takes data that originated from a user and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, insert hostile content, conduct phishing attacks, and take over the user's browser using scripting malware. The malicious script is usually JavaScript but any scripting language supported by the victim's browser is a potential target for this attack.
ENVIRONMENTS AFFECTED
All web application frameworks are vulnerable to cross site scripting.
VULNERABILITY
There are three known types of cross site scripting: reflected, stored, and DOM injection. Reflected XSS is the easiest to exploit – a page will reflect user supplied data directly back to the user:

echo $_REQUEST['userinput'];
Stored XSS takes hostile data, stores it in a file, a database, or other backend system, and then at a later stage, displays the data to the user, unfiltered. This is extremely dangerous in systems such as CMS, blogs, or forums, where a large number of users will see input from other individuals.

With DOM based XSS attacks, the site's JavaScript code and variables are manipulated rather than HTML elements.

Alternatively, attacks can be a blend or hybrid of all three types. The danger with cross site scripting is not the type of attack, but that it is possible.

Attacks are usually implemented in JavaScript, which is a powerful scripting language. Using JavaScript allows attackers to manipulate any aspect of the rendered page, including adding new elements (such as adding a login tile which forwards credentials to a hostile site), manipulating any aspect of the internal DOM tree, and deleting or changing the way the page looks and feels. JavaScript allows the use of XmlHttpRequest, which is typically used by sites using AJAX technologies, even if the victim site does not use AJAX today.

Using XmlHttpRequest, it is sometimes possible to get around a browser's same source origination policy, thus forwarding victim data to hostile sites, and to create complex worms and malicious zombies that last as long as the browser stays open. AJAX attacks do not have to be visible or require user interaction to perform dangerous cross site request forgery (CSRF) attacks (see A5).
VERIFYING SECURITY
The goal is to verify that all the parameters in the application are validated and/or encoded before being included in HTML pages.
Automated approaches: Both vulnerability scanning tools and static code analysis tools can find simple XSS problems, particularly reflected ones. They frequently can't find complex XSS flaws, such as when the injection occurs in a peculiar HTML structure or script. They are also not likely to find instances of DOM based XSS.

Manual approaches: If a centralized validation and encoding mechanism is used, the most efficient way to verify security is to check the code. If a distributed implementation is used, then the verification will be considerably more time-consuming. Testing is time-consuming because the attack surface of most applications is so large.
PROTECTION
The best protection for XSS is a combination of "whitelist" validation of all incoming data and appropriate encoding of all output data. Validation allows the detection of attacks, and encoding prevents any successful script injection from running in the browser. Preventing XSS across an entire application requires a consistent architectural approach:
- Use a standard input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy. Reject invalid input rather than attempting to sanitize potentially hostile data.
- Ensure that all user-supplied data is HTML entity encoded before rendering in HTML, taking the approach to encode all characters other than a very limited subset. This is the approach of the Microsoft Anti-XSS library, and the forthcoming OWASP PHP Anti-XSS library.
- Do not use "blacklist" validation to detect XSS in input or to encode output. Searching for and replacing just a few characters ("<", ">" and other similar characters) is weak and has been attacked successfully.

Language specific recommendations:
- Java: Use Struts output mechanisms such as <bean:write ... >, or use the default JSTL escapeXML="true" attribute in <c:out ... >. Do NOT use <%= … %> unnested (that is, outside of a properly encoded output mechanism).
- .NET: Use the Microsoft Anti-XSS Library 1.5, freely available from MSDN. Do not assign form fields data directly from the Request object (username.Text = Request.QueryString("username");) without using this library. Understand which .NET controls automatically encode output data.
- PHP: Ensure output is passed through htmlentities() or htmlspecialchars(), or use the soon to be released OWASP PHP Anti-XSS library.
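The following is an added example, not code from the OWASP document or from any OWASP project. It puts the protection steps above into one small PHP script: "accept known good" validation of a field, followed by output encoding that turns every character outside a very limited subset into an HTML entity (the approach the text attributes to the Microsoft Anti-XSS library), applied to the same kind of value the vulnerable echo $_REQUEST['userinput'] line would print. The function names are hypothetical and the sample inputs are constructed.

```php
<?php
// Added example, not code from the OWASP document or any OWASP project.
// Function names are hypothetical; sample inputs are constructed.

// Accept-known-good validation for one field: an anchored whitelist
// pattern checks length, type and syntax at once. Anything else is
// rejected outright rather than "cleaned".
function validate_username(string $input): ?string
{
    return preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $input) === 1 ? $input : null;
}

// Decode one UTF-8 encoded character to its code point, so a multibyte
// character becomes a single entity instead of several broken ones.
function utf8_codepoint(string $char): int
{
    $b = array_values(unpack('C*', $char));
    switch (count($b)) {
        case 1:  return $b[0];
        case 2:  return (($b[0] & 0x1F) << 6) | ($b[1] & 0x3F);
        case 3:  return (($b[0] & 0x0F) << 12) | (($b[1] & 0x3F) << 6) | ($b[2] & 0x3F);
        default: return (($b[0] & 0x07) << 18) | (($b[1] & 0x3F) << 12)
                      | (($b[2] & 0x3F) << 6) | ($b[3] & 0x3F);
    }
}

// Output encoding for an HTML text context: letters, digits and a tiny
// punctuation set pass through; everything else ("<", ">", quotes, "&",
// control characters, non-ASCII) becomes a numeric character reference.
function encode_for_html(string $data): string
{
    $encoded = preg_replace_callback(
        '/[^A-Za-z0-9 .,_-]/u',
        fn(array $m): string => '&#' . utf8_codepoint($m[0]) . ';',
        $data
    );
    if ($encoded === null) {
        // Invalid UTF-8 makes the /u pattern fail; fall back to encoding
        // every suspect byte so nothing reaches the browser unencoded.
        $encoded = preg_replace_callback(
            '/[^A-Za-z0-9 .,_-]/',
            fn(array $m): string => '&#' . ord($m[0]) . ';',
            $data
        );
    }
    return $encoded;
}

// Constructed inputs standing in for $_REQUEST['userinput'].
$samples = [
    'alice',
    '<script>alert(1)</script>',
    '"><b>bold</b>',
    "Zo\u{00EB}",
];

foreach ($samples as $input) {
    // The vulnerable pattern from the text is: echo $_REQUEST['userinput'];
    // Here the value is validated first and encoded on output regardless of
    // whether validation passed, so even the rejection message is safe.
    $valid = validate_username($input);
    echo ($valid === null ? 'rejected: ' : 'hello, ') . encode_for_html($input) . "\n";
}
```

Validation and encoding are kept as separate steps on purpose: validation rejects the second and third inputs because they fail the whitelist, while encoding is what keeps the page safe if a value reaches output by some other path (a stored value, a field that was never validated). The fourth input shows why the encoder works on code points rather than bytes: ë becomes one entity, not two. For a project, the same role is filled by the htmlentities()/htmlspecialchars() calls or the Anti-XSS libraries the text recommends; this block only makes the "encode everything but a small whitelist" rule concrete.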
SAMPLES
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5204

REFERENCES
OWASP – Cross site scripting, http://www.owasp.org/index.php/Cross_Site_Scripting
OWASP – Testing for XSS, http://www.owasp.org/index.php/Testing_for_Cross_site_scripting
OWASP Stinger Project (a Java EE validation filter) – http://www.owasp.org/index.php/Category:OWASP_Stinger_Project
OWASP PHP Filter Project – http://www.owasp.org/index.php/OWASP_PHP_Filters
OWASP Encoding Project – http://www.owasp.org/index.php/Category:OWASP_Encoding_Project
RSnake, XSS Cheat Sheet, http://ha.ckers.org/xss.html
Klein, A., DOM Based Cross Site Scripting, http://www.webappsec.org/projects/articles/071105.shtml
.NET Anti-XSS Library – http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff-4f82-bfaf-e11625130c25&DisplayLang=en
A2 – INJECTION FLAWS
Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's data tricks the interpreter into executing unintended commands. Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application. In the worst case scenario, these flaws allow an attacker to completely compromise the application.
ENVIRONMENTSAFFECTED Allwebapplicati Allwebapplicationframeworksthat onframeworksthatuseinterpreters useinterpretersarevulnerabl arevulnerabletoinjecti etoinjectionattacks. onattacks.
VULNERABILITY Ifuserinputispassedi Ifuserinputispassedintoaninterpreter ntoaninterpreterwithoutvali withoutvalidationorenc dationorencoding,theappli oding,theapplicationis cationisvulnerable. vulnerable.Checkif Checkif userinputissuppliedt userinputissuppliedtodynamicqueri odynamicqueries,sucha es,suchas: s: $sql = "SELECT * FROM table WHERE id = '" . $_REQUEST['id’] . "’";
VERIFYINGSECURITY Thegoalistoverify Thegoalistoverifythatuserdatac thatuserdatacannotmodifythe annotmodifythemeaningofc meaningofcommandsandqueri ommandsandqueriessenttoanyof essenttoanyofthe the interpretersinvokedbytheapplication. Automatedapproaches:Many Automatedapproaches:Manyvulnerabili vulnerabilityscanning tyscanningtoolssearchfor toolssearchforinjection injectionproblems,partic problems,particularlySQL ularlySQLinjection. injection. Detectingwhethertheinjec Detectingwhethertheinjectionworkedornot tionworkedornotisdiffic isdifficultandpronetoe ultandpronetoerror.Statica rror.Staticanalysistool nalysistoolsthatsearch sthatsearchfor for usesofunsafeinterpreterAPI usesofunsafeinterpreterAPIsareuseful, sareuseful,butfrequentl butfrequentlycannotverify ycannotverifythatappropri thatappropriatevalida atevalidationorencodi tionorencoding ng mightbeinplacetoprotectagainstthevulnerability. Manualapproaches:Themo Manualapproaches:Themostefficie stefficientandaccura ntandaccurateapproachist teapproachistocheckthec ocheckthecodethatinvokesi odethatinvokesinterpreters.The nterpreters.The reviewershouldveri reviewershouldverifytheuseofas fytheuseofasafeAPIorthatapp afeAPIorthatappropriateval ropriatevalidationand/ idationand/orencodingha orencodinghasoccurred.Te soccurred.Testing sting canbeextremelytime‐co canbeextremelytime‐consumingandspotty nsumingandspottybecausethe becausetheattacksurface attacksurfaceofmostapplic ofmostapplicationsiss ationsissolarge. olarge.
PROTECTION Avoidtheuseofinterprete Avoidtheuseofinterpreterswhenpossible rswhenpossible.Ifyoumusti .Ifyoumustinvokeaninterpre nvokeaninterpreter,thekeyme ter,thekeymethodtoavoidi thodtoavoidinjections njections istheuseofsafeAPIs,s istheuseofsafeAPIs,suchasstronglyt uchasstronglytypedparameteri ypedparameterizedqueries zedqueriesandobjectrela andobjectrelationalmap tionalmapping(ORM)li ping(ORM)libraries. braries. Theseinterfaceshandle Theseinterfaceshandlealldataes alldataescaping,ordo caping,ordonotrequireesca notrequireescaping.Notetha ping.Notethatwhilesa twhilesafeinterfacesso feinterfacessolvethe lvethe problem,validationi problem,validationisstillrec sstillrecommendedinorder ommendedinordertodetectattac todetectattacks. ks. Usinginterpretersis Usinginterpretersisdangerous,soit'sw dangerous,soit'sworthittotakee orthittotakeextracare,s xtracare,suchasthefoll uchasthefollowing: owing:
- Enforce least privilege when connecting to databases and other backend systems.
- Avoid detailed error messages that are useful to an attacker.
- Use stored procedures with care, passing data into a parameterized interface, as they can be injectable.
- Do not use dynamic query interfaces (such as mysql_query() or similar).
- Do not use simple escaping functions, such as PHP's addslashes() or character replacement functions like str_replace("'", "''"). These are weak and have been successfully exploited by attackers.
Language specific recommendations:
- Java EE – use strongly typed PreparedStatement, or ORMs such as Hibernate or Spring.
- .NET – use strongly typed parameterized queries, such as SqlCommand with SqlParameter, or an ORM like Hibernate.
- PHP – use PDO with strongly typed parameterized queries (using bindParam()).
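An added example (not from the OWASP document) that puts the vulnerable concatenated query from the VULNERABILITY section beside a strongly typed parameterized one, and adds the accept-known-good validation the text still recommends so that attack attempts can be detected and logged. It uses Python's sqlite3 with a constructed table; the table, column and function names are assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id TEXT PRIMARY KEY, owner TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [("42", "alice", "alice-data"), ("43", "bob", "bob-data")],
    )
    return conn


def lookup_concatenated(conn, user_id):
    """The vulnerable pattern: user data becomes part of the SQL text, so the
    interpreter cannot tell data from command."""
    sql = "SELECT id, owner FROM items WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Safe API: a placeholder carries the value out of band, so no value the
    user supplies can change the meaning of the query."""
    return conn.execute(
        "SELECT id, owner FROM items WHERE id = ?", (user_id,)
    ).fetchall()


# Accept-known-good: an id is a short run of digits and nothing else.
ID_PATTERN = re.compile(r"^[0-9]{1,10}$")


def validate_id(user_id):
    """Validation layered on top of the safe API. The parameterized query already
    prevents injection; this check exists so that a hostile value is rejected and
    can be logged as a likely attack instead of silently returning no rows."""
    if not isinstance(user_id, str) or not ID_PATTERN.match(user_id):
        raise ValueError("rejected id parameter: %r" % (user_id,))
    return user_id


def lookup_hardened(conn, user_id):
    """Validation for detection, parameterization for prevention."""
    return lookup_parameterized(conn, validate_id(user_id))
```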
SAMPLES
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5121
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4592

REFERENCES
OWASP, http://www.owasp.org/index.php/SQL_Injection
OWASP, http://www.owasp.org/index.php/Guide_to_SQL_Injection
OWASP, http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection
OWASP, http://www.owasp.org/index.php/Testing_for_SQL_Injection
SQL Injection, http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
Advanced SQL Injection, http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
More Advanced SQL Injection, http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
Hibernate, an advanced object relational manager (ORM) for J2EE and .NET, http://www.hibernate.org/
J2EE PreparedStatements, http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html
How to: Protect from SQL injection in ASP.Net, http://msdn2.microsoft.com/en-us/library/ms998271.aspx
PHP PDO functions, http://php.net/pdo
A3 – Malicious File Execution
Malicious file execution vulnerabilities are found in many applications. Developers will often directly use or concatenate potentially hostile input with file or stream functions, or improperly trust input files. On many platforms, frameworks allow the use of external object references, such as URLs or file system references. When the data is insufficiently checked, this can lead to arbitrary remote and hostile content being included, processed or invoked by the web server. This allows attackers to perform:
- Remote code execution
- Remote root kit installation and complete system compromise
- On Windows, internal system compromise may be possible through the use of PHP's SMB file wrappers
This attack is particularly prevalent on PHP, and extreme care must be taken with any stream or file function to ensure that user supplied input does not influence file names.
ENVIRONMENTS AFFECTED
All web application frameworks that allow uploaded files to be executed are vulnerable to remote file include. By default, PHP 4.0.4 and later and 5.x are vulnerable to remote file inclusion. Other environments are susceptible if they allow file upload into web directories.

VULNERABILITY
A common vulnerable construct is:

include $_REQUEST['filename'];

Not only does this allow evaluation of remote hostile scripts, it can be used to access local file servers (if PHP is hosted upon Windows) due to SMB support in PHP's file system wrappers. Other methods of attack include:
- Hostile data being uploaded to session files, log data, and via image uploads (typical of forum software)
- Using compression or audio streams, such as zlib:// or ogg://, which do not inspect the internal PHP URL flag and thus allow access to remote resources even if allow_url_fopen or allow_url_include is disabled
- Using PHP wrappers, such as php://input and others, to take input from the request POST data rather than a file
- Using PHP's data: wrapper, such as data:;base64,PD9waHAgcGhwaW5mbygpOz8+
As this list is extensive (and periodically changes), it is vital to use a properly designed security architecture and robust design when dealing with user supplied inputs influencing the choice of server side file names and access.
Although PHP examples have been given, this attack is also applicable in different ways to .NET and J2EE. Applications written in those frameworks need to pay particular attention to code access security mechanisms to ensure that file names supplied by or influenced by the user do not allow security controls to be obviated. For example, it is possible that XML documents submitted by an attacker will have a hostile DTD that forces the XML parser to load a remote DTD, and parse and process the results. An Australian security firm has demonstrated this approach to port scanning behind firewalls. See [SIF01] in this chapter's references for more information.
The damage this particular vulnerability causes is directly related to the strength of the sandbox/platform isolation controls in the framework. As PHP is rarely isolated and has no sandbox concept or security architecture, the damage is far worse for an attack than on other platforms that run with limited or partial trust, or are contained within a suitable sandbox, such as when a web app is running under a JVM with the security manager properly enabled and configured (which is rarely the default).

VERIFYING SECURITY
Automated approaches: Vulnerability scanning tools will have difficulty identifying the parameters that are used in a file include or the syntax for making them work. Static analysis tools can search for the use of dangerous APIs, but cannot verify that appropriate validation or encoding might be in place to protect against the vulnerability.
Manual approaches: A code review can search for code that might allow a file to be included in the application, but there are many possible mistakes to recognize. Testing can also detect these vulnerabilities, but identifying the particular parameters and the right syntax can be difficult.
PROTECTION
Preventing remote file include flaws takes some careful planning at the architectural and design phases, through to thorough testing. In general, a well-written application will not use user-supplied input in any file name for any server-based resource (such as images, XML and XSL transform documents, or script inclusions), and will have firewall rules in place preventing new outbound connections to the Internet or internally back to any other server. However, many legacy applications will continue to have a need to accept user supplied input.
Among the most important considerations are:
- Consider a variable naming scheme to assist with taint checking:

$hostile = &$_POST; // refer to POST variables, not $_REQUEST
$safe['filename'] = validate_file_name($hostile['unsafe_filename']); // make it safe

Therefore any operation based upon hostile input is immediately obvious:

require_once($_POST['unsafe_filename'] . 'inc.php');
require_once($safe['filename'] . 'inc.php');
- Strongly validate user input using "accept known good" as a strategy.
- Hide server-side file names from the user. For example, instead of including $language.".lang.php", use an array index like this:

<select name="language"><option>Français</option> …</select>

$language = intval($_POST['language']);
if ($language > 0) {
    require_once($lang[$language]); // lang is array of strings eg "fr.lang.php"
}
- Disable allow_url_fopen and allow_url_include in php.ini and consider building PHP locally to not include this functionality.
- Add firewall rules to prevent web servers making new connections to external web sites and internal systems. For high value systems, isolate the web server in its own VLAN or private subnet.
- Ensure that file and stream functions (stream_*) are carefully vetted. Ensure that user input is not supplied to any function which takes a file name argument, including: include(), include_once(), require(), require_once(), fopen(), imagecreatefromXXX(), file(), file_get_contents(), copy(), delete(), unlink(), upload_tmp_dir(), $_FILES, move_uploaded_file()
- Be extremely cautious if data is passed to system(), eval(), passthru() or ` (the backtick operator).
- Check that any files taken from the user for legitimate purposes cannot be otherwise obviated, such as including user supplied data in the session object, avatars and images, PDF reports, temporary files, and so on.
- With PHP, consider implementing a chroot jail or other sandbox mechanisms such as virtualization to isolate applications from each other.
- With J2EE, ensure that the security manager is enabled and properly configured and that the application is demanding permissions appropriately.
- With ASP.NET, please refer to the documentation on partial trust, and design your applications to be segmented in trust, so that most of the application exists in the lowest trust state possible.
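An added example (not from the OWASP document) of the validate_file_name() check and the array-index scheme this list recommends, written in Python rather than PHP: it accepts only names the application itself knows, rejects null bytes and the stream wrappers the chapter names (php://, data:, zlib://, ogg://), and canonicalizes the result to prove it stays under the resource directory. The directory and language file names are constructed assumptions.

```python
import os

# Constructed allow-list standing in for the application's own resources; the
# directory and file names are assumptions, not from the OWASP text.
RESOURCE_ROOT = os.path.realpath(os.path.join(os.sep, "srv", "app", "lang"))
KNOWN_LANG_FILES = {1: "fr.lang.php", 2: "en.lang.php", 3: "de.lang.php"}

# Stream wrappers and URL schemes named in the chapter (php://, data:, zlib://,
# ogg://) alongside ordinary remote schemes. A legitimate file name never
# carries a scheme, so any of these prefixes is grounds for rejection.
FORBIDDEN_PREFIXES = ("http:", "https:", "ftp:", "file:", "php:", "data:",
                      "zlib:", "ogg:", "compress.", "\\\\")


def validate_file_name(unsafe_name):
    """Accept-known-good check of a user-influenced file name (the hypothetical
    validate_file_name() the chapter refers to). Returns the canonical absolute
    path inside RESOURCE_ROOT, or raises ValueError so the caller can log it."""
    if not isinstance(unsafe_name, str) or not unsafe_name:
        raise ValueError("empty file name")
    if "\x00" in unsafe_name:                      # null byte injection ("%00")
        raise ValueError("null byte in file name")
    lowered = unsafe_name.lower()
    if lowered.startswith(FORBIDDEN_PREFIXES) or "://" in lowered:
        raise ValueError("stream wrapper or URL in file name")
    if "/" in unsafe_name or "\\" in unsafe_name or unsafe_name in (".", ".."):
        raise ValueError("path separator or traversal in file name")
    if unsafe_name not in KNOWN_LANG_FILES.values():
        raise ValueError("file name not in the allow-list")
    # Canonicalize and prove the result still lives under the resource root;
    # this is the check that would catch a future mistake in the list itself.
    candidate = os.path.realpath(os.path.join(RESOURCE_ROOT, unsafe_name))
    if os.path.commonpath([candidate, RESOURCE_ROOT]) != RESOURCE_ROOT:
        raise ValueError("file name escapes the resource root")
    return candidate


def language_file_by_index(raw_index):
    """The chapter's preferred form: the client sends an integer index and the
    server maps it to a file name that the server chose itself."""
    try:
        index = int(raw_index)
    except (TypeError, ValueError):
        raise ValueError("language index is not an integer")
    if index not in KNOWN_LANG_FILES:
        raise ValueError("unknown language index")
    return validate_file_name(KNOWN_LANG_FILES[index])
```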
SAMPLES
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0360
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5220
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4722

REFERENCES
OWASP Guide, http://www.owasp.org/index.php/File_System#Includes_and_Remote_files
OWASP Testing Guide, http://www.owasp.org/index.php/Testing_for_Directory_Traversal
OWASP PHP Top 5, http://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Execution
Stefan Esser, http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html
[SIF01] Sift Networks, Web Services: Teaching an old dog new tricks, http://www.ruxcon.org.au/files/2006/web_services_security.ppt
OWASP, http://www.owasp.org/index.php/OWASP_Java_Table_of_Contents#Defining_a_Java_Security_Policy
Microsoft – Programming for Partial Trust, http://msdn2.microsoft.com/en-us/library/ms364059(VS.80).aspx
A4 – Insecure Direct Object Reference
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Unless an access control check is in place, an attacker can manipulate those references to access other objects without authorization.

ENVIRONMENTS AFFECTED
All web application frameworks are vulnerable to attacks on insecure direct object references.

VULNERABILITY
Many applications expose their internal object references to users. Attackers use parameter tampering to change references and violate the intended but unenforced access control policy. Frequently, these references point to file systems and databases, but any exposed application construct could be vulnerable.
For example, if code allows user input to specify file names or paths, it may allow attackers to jump out of the application's directory, and access other resources.

<select name="language"><option>Français</option> …</select>

require_once ($_REQUEST['language']."lang.php");

Such code can be attacked using a string like "../../../../etc/passwd%00" using null byte injection (see the OWASP Guide for more information) to access any file on the web server's file system.
Similarly, references to database keys are frequently exposed. An attacker can attack these parameters simply by guessing or searching for another valid key. Often, these are sequential in nature. In the example below, even if an application does not present any links to unauthorized carts, and no SQL injection is possible, an attacker can still change the cartID parameter to whatever cart they want.

int cartID = Integer.parseInt( request.getParameter( "cartID" ) );
String query = "SELECT * FROM table WHERE cartID=" + cartID;
VERIFYING SECURITY
The goal is to verify that the application does not allow direct object references to be manipulated by an attacker.
Automated approaches: Vulnerability scanning tools will have difficulty identifying which parameters are susceptible to manipulation or whether the manipulation worked. Static analysis tools really cannot know which parameters must have an access control check before use.
Manual approaches: Code review can trace critical parameters and identify whether they are susceptible to manipulation in many cases. Penetration testing can also verify that manipulation is possible. However, both of these techniques are time-consuming and can be spotty.

PROTECTION
The best protection is to avoid exposing direct object references to users by using an index, map, or other indirect method that is easy to validate. If a direct object reference must be used, ensure that the user is authorized before using it.
Establishing a standard way of referring to application objects is important:
- Avoid exposing your private object references to users whenever possible.
- Validate any private object references extensively with an "accept known good" approach.
- Verify authorization to all referenced objects.
- If you must expose a file system reference, use an index value or a map to prevent path and file name manipulation.

http://www.example.com/application?file=1

- If you must expose direct references to database structures, ensure that SQL statements and other database access methods only allow authorized records to be shown:

int cartID = Integer.parseInt( request.getParameter( "cartID" ) );
User user = (User)request.getSession().getAttribute( "user" );
String query = "SELECT * FROM table WHERE cartID=" + cartID + " AND userID=" + user.getID();
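An added example (not from the OWASP document) working the two protections above in Python: the cart lookup carries the session user's id in the query, as the Java fix does, so a foreign cart is simply not found, and a per-session indirection map hands the client random handles instead of sequential database keys. The carts table, user names and class name are constructed assumptions.

```python
import secrets
import sqlite3


def make_db():
    """Constructed carts table (not from the OWASP text) with carts for two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE carts (cartID INTEGER PRIMARY KEY, userID TEXT, total INTEGER)")
    conn.executemany("INSERT INTO carts VALUES (?, ?, ?)",
                     [(1001, "alice", 30), (1002, "bob", 999), (1003, "alice", 5)])
    return conn


def load_cart_unscoped(conn, raw_cart_id):
    """Mirror of the chapter's vulnerable Java: the id is strongly typed, so there
    is no injection, yet any logged-in user can read any cart by changing the id."""
    cart_id = int(raw_cart_id)
    return conn.execute(
        "SELECT cartID, userID, total FROM carts WHERE cartID = ?", (cart_id,)
    ).fetchone()


def load_cart(conn, session_user, raw_cart_id):
    """The chapter's fix: the authorization predicate travels with the query, so a
    cart that does not belong to the session user does not exist for that user."""
    cart_id = int(raw_cart_id)
    row = conn.execute(
        "SELECT cartID, userID, total FROM carts WHERE cartID = ? AND userID = ?",
        (cart_id, session_user),
    ).fetchone()
    if row is None:
        raise PermissionError("cart %d is not accessible to %s" % (cart_id, session_user))
    return row


class IndirectReferenceMap:
    """Per-session indirection for references that must appear in URLs or forms:
    the client only ever sees random handles for objects this session was shown,
    so there is no sequential key to guess and nothing to tamper with."""

    def __init__(self):
        self._handles = {}

    def expose(self, real_id):
        handle = secrets.token_urlsafe(8)
        self._handles[handle] = real_id
        return handle

    def resolve(self, handle):
        if handle not in self._handles:
            raise PermissionError("reference was not issued to this session")
        return self._handles[handle]
```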
SAMPLES
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0329
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4369
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0229

REFERENCES
OWASP, http://www.owasp.org/index.php/Testing_for_business_logic
OWASP, http://www.owasp.org/index.php/Testing_for_Directory_Traversal
OWASP, http://www.owasp.org/index.php/Category:Access_Control_Vulnerability
A5 – Cross Site Request Forgery (CSRF)
Cross site request forgery is not a new attack, but is simple and devastating. A CSRF attack forces a logged-on victim's browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim, to the benefit of the attacker. This vulnerability is extremely widespread, as any web application that authorizes requests based only on credentials that are automatically submitted by the browser is vulnerable. Unfortunately, today, most web applications rely solely on automatically submitted credentials such as session cookies, Basic Authentication credentials, source IP addresses, SSL certificates, Windows domain credentials, etc.
This vulnerability is also known by several other names including Session Riding, One-Click Attacks, Cross Site Reference Forgery, Hostile Linking, and Automation Attack. The acronym XSRF is also frequently used. OWASP and MITRE have both standardized on the term Cross Site Request Forgery and CSRF.

ENVIRONMENTS AFFECTED
All web application frameworks are vulnerable to CSRF.

VULNERABILITY
A typical CSRF attack against a forum might take the form of directing the user to invoke some function, such as the application's logout page. The following tag in any web page viewed by the victim will generate a request which logs them out:

<img src="http://www.example.com/logout.php">

If an online bank allowed its application to process requests, such as transfer funds, a similar attack might allow:

<img src="http://www.example.com/transfer.do?frm=4355434&to=4356343&amt=20000">

Both of these attacks work because the user's authorization credential (typically the session cookie) would automatically be included with such requests by the browser, even though the attacker didn't supply that credential.
If the tag containing the attack can be posted to a vulnerable application, then the likelihood of finding logged in victims is significantly increased, similar to the increase in risk between stored and reflected XSS flaws. XSS flaws are not required for a CSRF attack to work, although any application with XSS flaws is susceptible to CSRF because a CSRF attack can exploit the XSS flaw to steal any non-automatically submitted credential that might be in place to protect against a CSRF attack. Many application worms have used both techniques in combination.
When building defenses against CSRF attacks, you must also focus on eliminating XSS vulnerabilities in your application since such flaws can be used to get around most CSRF defenses you might put in place.

VERIFYING SECURITY
The goal is to verify that the application protects against CSRF attacks by generating and then requiring some type of authorization token that is not automatically submitted by the browser.
Automated approaches: Vulnerability scanners should be able to detect the lack of CSRF protection in applications with a little bit of training. Static analysis tools, on the other hand, will have a difficult time recognizing a custom mechanism for protecting against this attack.
Manual approaches: Penetration testing is a quick way to verify that CSRF protection is in place. To verify that the mechanism is strong and properly implemented, checking the code is the most efficient course.

PROTECTION
Applications must ensure that they are not relying on credentials or tokens that are automatically submitted by browsers. The only solution is to use a custom token that the browser will not 'remember' and then automatically include with a CSRF attack.
The following strategies should be inherent in all web applications:
EnsurethattherearenoXSSvul EnsurethattherearenoXSSvulnerabilitie nerabilitiesinyourappli sinyourapplication( cation(seeA1–CrossSi seeA1–CrossSiteScripting) teScripting)
Insertcustomrandomtokensi Insertcustomrandomtokensintoeveryformand ntoeveryformandURLthatwil URLthatwillnotbeautom lnotbeautomaticall aticallysubmittedbythe ysubmittedbythe browser.Forexample,
andthenverifythatthesub andthenverifythatthesubmittedtokeni mittedtokeniscorrectforthe scorrectforthecurrentuser. currentuser.Suchtokenscan Suchtokenscanbeuniquetotha beuniquetothat t particularfuncti particularfunctionorpageforthat onorpageforthatuser,orsimply user,orsimplyuniquetothe uniquetotheoverallsessi overallsession.Themorefoc on.Themorefocusedthe usedthe tokenistoaparticul tokenistoaparticularfunctionand arfunctionand/orparticul /orparticularsetofdata, arsetofdata,thestrongerthepr thestrongertheprotectionwill otectionwillbe,butthe be,butthe morecomplicateditwillbetoconstructandmaintain.
Forsensitivedataorval Forsensitivedataorvaluetransacti uetransactions,re‐authentic ons,re‐authenticateorusetransac ateorusetransactionsigni tionsigningtoensurethat ngtoensurethatthe the requestisgenuine.Consider requestisgenuine.Considersendingane‐mai sendingane‐mailorphoni lorphoningthecustomeri ngthecustomeriftheacti ftheactivityseemssuspic vityseemssuspicious, ious, toalerttheuserandpotenti toalerttheuserandpotentiallybac allybackoutthetransac koutthetransaction. tion.
useGETrequests(URLs)forsensiti useGETrequests(URLs)forsensitivedataortoperform vedataortoperformvaluetra valuetransactions.Use nsactions.UseonlyPOST onlyPOST methodswhenprocessingsensiti methodswhenprocessingsensitivedatafrom vedatafromtheuser. theuser.
ForASP.NET,
(Seereferences).Thisprovides (Seereferences).Thisprovidesasimilar asimilartypeofchec typeofchecktoa ktoa
randomtokenasdescribedabove. Whilethesesuggestionswil Whilethesesuggestionswilldiminis ldiminishyourexposuredram hyourexposuredramaticall atically,advanced y,advancedCSRFattacksc CSRFattackscanbypassman anbypassmanyof yof theserestrictions.Thestronge theserestrictions.Thestrongesttechniquei sttechniqueistheuseofuni stheuseofuniquetokens,andel quetokens,andeliminati iminatingallXSSvul ngallXSSvulnerabili nerabilitiesin tiesin yourapplication.
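An added illustration of the token strategy above (not code from the OWASP document): a token derived from a per-session secret, either for the whole session or focused on one function and one set of data, verified with a constant-time comparison and only on POST. The Session class is a hypothetical stand-in for the container's session object.

```python
import hashlib
import hmac
import secrets


class Session:
    """Minimal server-side session record (a hypothetical stand-in for the
    container's session object). The CSRF secret never leaves the server;
    only tokens derived from it are sent to the browser."""

    def __init__(self):
        self.csrf_secret = secrets.token_bytes(32)


def session_token(session):
    """Token unique to the overall session: the simpler option in the text."""
    return hmac.new(session.csrf_secret, b"session", hashlib.sha256).hexdigest()


def action_token(session, action, data=""):
    """Token focused on one function and, optionally, one set of data
    (e.g. action="transfer", data="to=ACCT123&amount=100"): the stronger
    but more complex option in the text. A NUL separates the fields so that
    ("ab", "c") and ("a", "bc") cannot produce the same token."""
    message = ("%s\x00%s" % (action, data)).encode()
    return hmac.new(session.csrf_secret, message, hashlib.sha256).hexdigest()


def hidden_field(session, action, data=""):
    """HTML hidden input to embed in the form that performs this action."""
    return '<input type="hidden" name="csrf_token" value="%s">' % action_token(
        session, action, data
    )


def verify_request(session, method, action, submitted_token, data=""):
    """Accept only a POST carrying the token expected for this session, function
    and data. A GET is refused for state-changing actions regardless of token."""
    if method.upper() != "POST" or not submitted_token:
        return False
    expected = action_token(session, action, data)
    # Constant-time comparison: a plain == would leak how many leading
    # characters of a guessed token were right.
    return hmac.compare_digest(expected, submitted_token)
```

Because the token is bound to the transaction data, a forged request that keeps the token but changes the recipient is rejected as well.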
SAMPLES
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5116
MySpace Worm Explanation http://namb.la/popular/tech.html
OWASP Top 10 2007
An attack which uses Quicktime to perform CSRF attacks http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005607&intsrc=hm_list
REFERENCES
OWASP CSRF, http://www.owasp.org/index.php/Cross-Site_Request_Forgery
OWASP, https://www.owasp.org/index.php/Testing_for_CSRF
OWASP CSRF Guard, http://www.owasp.org/index.php/CSRF_Guard
OWASP PHP CSRF Guard, http://www.owasp.org/index.php/PHP_CSRF_Guard
RSnake, "What is CSRF?", http://ha.ckers.org/blog/20061030/what-is-csrf/
Microsoft, ViewStateUserKey details, http://msdn2.microsoft.com/en-us/library/ms972969.aspx#securitybarriers_topic2
A6 – Information Leakage and Improper Error Handling
Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Applications can also leak internal state via how long they take to process certain operations or via different responses to differing inputs, such as displaying the same error text with different error numbers. Web applications will often leak information about their internal state through detailed or debug error messages.
ENVIRONMENTS AFFECTED
All web application frameworks are vulnerable to information leakage and improper error handling.
VULNERABILITY
Applications frequently generate error messages and display them to users. Many times these error messages are quite useful to attackers, as they reveal implementation details or information that is useful in exploring a vulnerability. There are several common examples of this:
Detailed error handling, where inducing an error displays too much information, such as stack traces, failed SQL statements, or other debugging information.
Functions that produce different results based upon different inputs. For example, supplying the same username but different passwords to a login function should produce the same text for "no such user" and "bad password". However, many systems produce different error codes.
VERIFYING SECURITY
The goal is to verify that the application does not leak information via error messages or other means.
Automated approaches: Vulnerability scanning tools can and probably will cause error messages to be generated. Detecting whether the messages leak information is the challenge. Static analysis tools can search for the use of APIs that leak information, but will not be able to verify the meaning of those messages.
Manual approaches: A code review can search for improper error handling and other patterns that leak information, but it is time-consuming. Testing will also generate error messages, but knowing what error paths were covered is a challenge.
PROTECTION
Developers should use tools like OWASP's WebScarab to try to make their application generate errors. Applications that have not been tested in this way will almost certainly generate unexpected error output. Applications should also include a standard exception handling architecture to prevent unwanted information from leaking to attackers. Preventing information leakage requires discipline. The following practices have proven effective:
Ensure that the entire software development team shares a common approach to exception handling.
Disable or limit detailed error handling. In particular, do not display debug information to end users, stack traces, or path information.
Ensure that secure paths that have multiple outcomes return similar or identical error messages in roughly the same time. If this is not possible, consider imposing a random wait time for all transactions to hide this detail from the attacker.
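An added illustration of the practices above (not from the OWASP document): a login that answers "no such user" and "bad password" with the same text after the same hashing work and a padded response time, and a standard exception-handling wrapper that keeps the stack trace server-side behind a reference id. The user store, salt, work factor, minimum response time and the failing order lookup are constructed assumptions.

```python
import hashlib
import hmac
import logging
import secrets
import time

log = logging.getLogger("app")


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store (hypothetical data): username -> (salt, PBKDF2 hash).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}
# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY = (_SALT, _pbkdf2("placeholder", _SALT))

GENERIC_LOGIN_ERROR = "Invalid username or password"
MIN_RESPONSE_SECONDS = 0.05  # assumed floor for every login response


def login(username, password):
    """Return (ok, message). 'No such user' and 'bad password' take the same
    code path, do the same hashing work and return the identical text."""
    started = time.monotonic()
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_pbkdf2(password, salt), stored)
    ok = matches and username in USERS
    # Pad every outcome to the floor plus a small random jitter so the
    # response time does not distinguish the outcomes either.
    remaining = MIN_RESPONSE_SECONDS - (time.monotonic() - started)
    time.sleep(max(remaining, 0) + secrets.randbelow(10) / 1000)
    return (True, "Welcome") if ok else (False, GENERIC_LOGIN_ERROR)


def lookup_order(order_id):
    """Constructed handler that fails with a detail-rich exception for an
    unknown id: the kind of message that must never reach the browser."""
    orders = {"A100": "2 x widget"}
    if order_id not in orders:
        raise KeyError("order %r not in table orders (db host db1.internal)" % order_id)
    return orders[order_id]


def handle_request(handler, *args):
    """Standard exception-handling wrapper: the exception text and stack trace
    go to the server log under a random reference id; the user sees only a
    generic message carrying that id so support can find the details later."""
    try:
        return 200, handler(*args)
    except Exception:
        ref = secrets.token_hex(8)
        log.exception("unhandled error, ref=%s", ref)  # trace stays server-side
        return 500, "An error occurred. Reference: %s" % ref
```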
SAMPLES
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0580
REFERENCES
OWASP, http://www.owasp.org/index.php/Error_Handling
OWASP, http://www.owasp.org/index.php/Category:Sensitive_Data_Protection_Vulnerability
A7 – Broken Authentication and Session Management
Proper authentication and session management is critical to web application security. Flaws in this area most frequently involve the failure to protect credentials and session tokens through their lifecycle. These flaws can lead to the hijacking of user or administrative accounts, undermine authorization and accountability controls, and cause privacy violations.
ENVIRONMENTS AFFECTED
All web application frameworks are vulnerable to authentication and session management flaws.
VULNERABILITY
Flaws in the main authentication mechanism are not uncommon, but weaknesses are more often introduced through ancillary authentication functions such as logout, password management, timeout, remember me, secret question, and account update.
VERIFYING SECURITY
The goal is to verify that the application properly authenticates users and properly protects identities and their associated credentials.
Automated approaches: Vulnerability scanning tools have a very difficult time detecting vulnerabilities in custom authentication and session management schemes. Static analysis tools are also not likely to detect authentication and session management problems in custom code.
Manual approaches: Code review and testing, especially in combination, are quite effective at verifying that the authentication, session management, and ancillary functions are all implemented properly.
PROTECTION
Authentication relies on secure communication and credential storage. First ensure that SSL is the only option for all authenticated parts of the application (see A9 – Insecure Communications) and that all credentials are stored in hashed or encrypted form (see A8 – Insecure Cryptographic Storage). Preventing authentication flaws takes careful planning. Among the most important considerations are:
Use a single authentication mechanism with appropriate strength and number of factors
Use the container provided session management mechanism and no custom cookies
Create a new session upon successful authentication
Ensure that every page has a logout link, and that logout destroys all server side session state and client side cookies
Ensure ancillary authentication functions (questions and answers, password reset) are as strong as the main ones and don't contain flaws
Do not expose any credentials in URLs or logs (no session rewriting)
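An added sketch (not part of the OWASP document) of three of the considerations above: a new session id issued on successful authentication, a logout that destroys server-side state and clears the client-side cookie, and an idle timeout. The store is a hypothetical stand-in for the container's own session management, which is what the text recommends in production; the cookie name and timeout value are assumed.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 900  # assumed idle timeout
COOKIE_NAME = "SESSIONID"   # assumed cookie name


class SessionStore:
    """Hypothetical server-side store: session id -> {"user", "last_seen"}."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        """Anonymous (pre-login) session with a 256-bit random, unguessable id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": time.time()}
        return sid

    def get(self, sid):
        """Return the session record, or None if unknown or idle too long.
        An expired session is destroyed server-side, not merely ignored."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if time.time() - rec["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self.destroy(sid)
            return None
        rec["last_seen"] = time.time()
        return rec

    def login(self, old_sid, user):
        """Successful authentication: discard the pre-login id and issue a fresh
        one, so an id planted in the victim's browser before login (session
        fixation) never becomes an authenticated session."""
        self.destroy(old_sid)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value for the id: sent only over SSL, not readable by script."""
    return "%s=%s; Path=/; Secure; HttpOnly" % (COOKIE_NAME, sid)


def logout(store, sid):
    """Destroy the server-side state and return the Set-Cookie value that
    clears the client-side cookie."""
    store.destroy(sid)
    return "%s=; Path=/; Max-Age=0; Secure; HttpOnly" % COOKIE_NAME
```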
SAMPLES
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6528
REFERENCES
OWASP, http://www.owasp.org/index.php/Guide_to_Authentication
OWASP, http://www.owasp.org/index.php/Reviewing_Code_for_Authentication
OWASP, http://www.owasp.org/index.php/Testing_for_authentication
A8 – Insecure Cryptographic Storage
Protecting sensitive data with cryptography has become a key part of most web applications. Simply failing to encrypt sensitive data is very widespread. Applications that do encrypt frequently contain poorly designed cryptography, either using inappropriate ciphers or making serious mistakes using strong ciphers. These flaws can lead to disclosure of sensitive data and compliance violations.
ENVIRONMENTS AFFECTED
All web application frameworks are vulnerable to insecure cryptographic storage.
VULNERABILITY
Preventing cryptographic flaws takes careful planning. The most common problems are:
Not encrypting sensitive data
Using homegrown algorithms
Insecure use of strong algorithms
Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, etc…)
Hardcoding keys, and storing keys in unprotected stores
VERIFYING SECURITY
The goal is to verify that the application properly encrypts sensitive information in storage.
Automated approaches: Vulnerability scanning tools cannot verify cryptographic storage at all. Code scanning tools can detect use of known cryptographic APIs, but cannot detect if it is being used properly or if the encryption is performed in an external component.
Manual approaches: Like scanning, testing cannot verify cryptographic storage. Code review is the best way to verify that an application encrypts sensitive data and has properly implemented the mechanism and key management. This may involve the examination of the configuration of external systems in some cases.
PROTECTION
The most important aspect is to ensure that everything that should be encrypted is actually encrypted. Then you must ensure that the cryptography is implemented properly. As there are so many ways of using cryptography improperly, the following recommendations should be taken as part of your testing regime to help ensure secure cryptographic materials handling:
Do not allow unqualified staff to try to create cryptographic algorithms. Use only approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing.
Do not use weak algorithms, such as MD5/SHA1. Favor safer alternatives, such as SHA-256 or better.
Generate keys offline and store private keys with extreme care
Ensure that infrastructure credentials such as database credentials or MQ queue access details are securely encrypted and not easily decrypted by local or remote users
Ensure that encrypted data stored on disk is not easy to decrypt. For example, database encryption is worthless if the database connection pool provides unencrypted access. All this does is slow down the database and make queries very slow.
Under PCI Data Security Standard requirement 3, you must protect cardholder data. PCI DSS compliance is mandatory by 2008 for merchants and anyone else dealing with credit cards. Good practice is to never store unnecessary data, such as the magnetic stripe information or the primary account number (PAN, otherwise known as the credit card number). If you store the PAN, the DSS compliance requirements are hefty and continuing. For example, you are NEVER allowed to store the CVV number (the three digit number on the rear of the card) under any circumstances. For more information, please see the PCI DSS Guidelines and implement controls as necessary.
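An added example (not from the OWASP document) contrasting the weak pattern above with the recommended one: unsalted MD5 of a password, which is identical for every user who picks the same password, against salted PBKDF2-HMAC-SHA256 stored in a self-describing record, plus a key loader that reads the data-encryption key from the environment instead of from source. The record format, work factor and environment variable name are assumptions.

```python
import base64
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster
KEY_ENV_VAR = "APP_DATA_KEY_HEX"  # assumed name of the key's environment variable


def weak_md5(password):
    """The pattern the text warns against: unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, stored as a self-describing record so the
    algorithm or work factor can be upgraded later without a flag day."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password, record):
    """True if the password matches the stored record (constant-time compare).
    A record written by an unknown or retired algorithm is refused outright."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def load_data_key(env=None):
    """Fetch the data-encryption key from the environment rather than hardcoding
    it, and fail closed when it is absent, malformed or too short."""
    env = os.environ if env is None else env
    raw = env.get(KEY_ENV_VAR)
    if raw is None:
        raise RuntimeError("%s not set; refusing to start" % KEY_ENV_VAR)
    try:
        key = bytes.fromhex(raw)
    except ValueError:
        raise RuntimeError("%s is not valid hex" % KEY_ENV_VAR)
    if len(key) < 32:
        raise RuntimeError("data key must be at least 256 bits")
    return key
```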
SAMPLES
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1101 (True of most Java EE servlet containers, too)
REFERENCES
OWASP, http://www.owasp.org/index.php/Cryptography
OWASP, http://www.owasp.org/index.php/Guide_to_Cryptography
OWASP, http://www.owasp.org/index.php/Insecure_Storage
OWASP, http://www.owasp.org/index.php/How_to_protect_sensitive_data_in_URL’s
PCI Data Security Standard v1.1, https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
Bruce Schneier, http://www.schneier.com/
Crypto API Next Generation, http://msdn2.microsoft.com/en-us/library/aa376210.aspx
A9 – Insecure Communications
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. Encryption (usually SSL) must be used for all authenticated connections, especially internet accessible web pages but backend connections as well. Otherwise, the application will expose an authentication or session token. In addition, encryption should be used whenever sensitive data, such as credit card or health information, is transmitted. Applications that fall back or can be forced out of an encrypting mode can be abused by attackers. The PCI standard requires that all credit card information being transmitted over the internet be encrypted.
ENVIRONMENTS AFFECTED
All web application frameworks are vulnerable to insecure communications.
VULNERABILITY
Failure to encrypt sensitive communications means that an attacker who can sniff traffic from the network will be able to access the conversation, including any credentials or sensitive information transmitted. Consider that different networks will be more or less susceptible to sniffing. However, it is important to realize that eventually a host will be compromised on almost every network, and attackers will quickly install a sniffer to capture the credentials of other systems.
Using SSL for communications with end users is critical, as they are very likely to be using insecure networks to access applications. Because HTTP includes authentication credentials or a session token with every single request, all authenticated traffic needs to go over SSL, not just the actual login request.
Encrypting communications with backend servers is also important. Although these networks are likely to be more secure, the information and credentials they carry are more sensitive and more extensive. Therefore using SSL on the backend is quite important.
Encrypting sensitive data, such as credit cards and social security numbers, has become a privacy and financial regulation for many organizations. Neglecting to use SSL for connections handling such data creates a compliance risk.
VERIFYING SECURITY
The goal is to verify that the application properly encrypts all authenticated and sensitive communications.
Automated approaches: Vulnerability scanning tools can verify that SSL is used on the front end, and can find many SSL related flaws. However, these tools do not have access to backend connections and cannot verify that they are secure. Static analysis tools may be able to help with analyzing some calls to backend systems, but probably will not understand the custom logic required for all types of systems.
Manual approaches: Testing can verify that SSL is used and find many SSL related flaws on the front end, but the automated approaches are probably more efficient. Code review is quite efficient for verifying the proper use of SSL for all backend connections.
PROTECTION
The most important protection is to use SSL on any authenticated connection or whenever sensitive data is being transmitted. There are a number of details involved with configuring SSL for web applications properly, so understanding and analyzing your environment is important.
Use SSL for all connections that are authenticated or transmitting sensitive or value data, such as credentials, credit card details, health and other private information.
Ensure that communications between infrastructure elements, such as between web servers and database systems, are appropriately protected via the use of transport layer security or protocol level encryption for credentials and intrinsic value data.
IE 7.0 provides a green bar for high trust SSL certificates, but this is not a suitable control to prove safe use of cryptography alone. It just means you paid a lot more for a certificate than most folks.
Under PCI Data Security Standard requirement 4, you must protect cardholder data in transit. PCI DSS compliance is mandatory by 2008 for merchants and anyone else dealing with credit cards. In general, client, partner, staff and administrative online access to systems must be encrypted using SSL or similar. For more information, please see the PCI DSS Guidelines and implement controls as necessary.
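An added example (not part of the OWASP document) for the backend and session-token points above: a strict TLS client context for connections from the application to backend systems, and a review check over constructed response headers that flags a session cookie the browser would also send over plain HTTP. The header samples are constructed.

```python
import ssl


def backend_client_context(cafile=None):
    """TLS client context for connections to backend systems (databases, queues,
    internal web services): peer certificate required, hostname checked, and
    protocol versions below TLS 1.2 refused. `cafile` names the private CA that
    signed the backend certificates; None means the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx):
    """The settings a code reviewer would check, as plain values."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def audit_set_cookies(headers):
    """Findings for a response's (name, value) header pairs. A cookie without
    Secure is attached to any plain-HTTP request to the site, which exposes the
    session token the moment the user follows one http:// link; without
    HttpOnly it is also readable by script if an XSS flaw exists."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure" % cookie_name)
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly" % cookie_name)
    return findings


# Constructed response headers, as a scanner or proxy might capture them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=7f3a9c1e; Path=/"),
    ("Set-Cookie", "lang=en; Path=/; Secure; HttpOnly"),
]
```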
SAMPLES
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4704
http://www.schneier.com/blog/archives/2005/10/scandinavian_at_1.html
REFERENCES
OWASP Testing Guide, Testing for SSL/TLS, https://www.owasp.org/index.php/Testing_for_SSL-TLS
OWASP Guide, http://www.owasp.org/index.php/Guide_to_Cryptography
Foundstone - SSLDigger, http://www.foundstone.com/index.htm?subnav=services/navigation.htm&subcontent=/services/overview_s3i_des.htm
NIST, SP 800-52 Guidelines for the selection and use of transport layer security (TLS) Implementations, http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf
NIST SP 800-95 Guide to secure web services, http://csrc.nist.gov/publications/drafts.html#sp800-95
A10 – Failure to Restrict URL Access
Frequently, the only protection for a URL is that links to that page are not presented to unauthorized users. However, a motivated, skilled, or just plain lucky attacker may be able to find and access these pages, invoke functions, and view data. Security by obscurity is not sufficient to protect sensitive functions and data in an application. Access control checks must be performed before a request to a sensitive function is granted, which ensures the user is authorized to access that function.
ENVIRONMENTS AFFECTED
All web application frameworks are vulnerable to failure to restrict URL access.
VULNERABILITY
The primary attack method for this vulnerability is called "forced browsing", which encompasses guessing links and brute force techniques to find unprotected pages. Applications frequently allow access control code to evolve and spread throughout a codebase, resulting in a complex model that is difficult to understand for developers and security specialists alike. This complexity makes it likely that errors will occur and pages will be missed, leaving them exposed. Some common examples of these flaws include:
"Hidden" or "special" URLs, rendered only to administrators or privileged users in the presentation layer, but accessible to all users if they know it exists, such as /admin/adduser.php or /approveTransfer.do. This is particularly prevalent with menu code.
Applications often allow access to "hidden" files, such as static XML or system generated reports, trusting security through obscurity to hide them.
Code that enforces an access control policy but is out of date or insufficient. For example, imagine /approveTransfer.do was once available to all users, but since SOX controls were brought in, it is only supposed to be available to approvers. A fix might have been to not present it to unauthorized users, but no access control is actually enforced when requesting that page.
Code that evaluates privileges on the client but not on the server, as in this attack on MacWorld 2007, which approved "Platinum" passes worth $1700 via JavaScript on the browser rather than on the server.
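An added example (not from the OWASP document) of the remedy for the flaws listed above: one central, default-deny role-to-URL matrix consulted on the server before every function runs, covering the /admin/adduser.php and /approveTransfer.do paths the text mentions. The roles, the matrix contents and the handlers are hypothetical.

```python
import posixpath

# Central role -> URL matrix (hypothetical roles and paths). Anything not listed
# is denied, so a URL that is merely left out of the menu is still protected.
ROLE_MATRIX = {
    "user": {"/account", "/transfer"},
    "approver": {"/account", "/transfer", "/approveTransfer.do"},
    "admin": {"/account", "/admin/"},  # trailing slash: the whole directory
}


class Forbidden(Exception):
    pass


def normalize(path):
    """Drop the query string and collapse '.' and '..' segments, so that
    /admin/../approveTransfer.do is judged as /approveTransfer.do."""
    return posixpath.normpath(path.split("?", 1)[0])


def authorize(user_roles, path):
    """True only if a role held by the user lists this exact path or a
    directory prefix of it. The decision is made here, on the server, never
    from anything the client asserts about its own privileges."""
    path = normalize(path)
    for role in user_roles:
        for allowed in ROLE_MATRIX.get(role, ()):
            if allowed.endswith("/"):
                if path.startswith(allowed):
                    return True
            elif path == allowed:
                return True
    return False


def dispatch(user_roles, path, handlers):
    """Run the access check before the business function on every request,
    not once at the start of a multi-step flow. Unknown paths are a 404 only
    after the check, so they reveal nothing to an unauthorized caller."""
    path = normalize(path)
    if not authorize(user_roles, path):
        raise Forbidden(path)
    handler = handlers.get(path)
    if handler is None:
        return 404, "Not found"
    return 200, handler()
```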
VERIFYINGSECURITY Thegoalistoverify Thegoalistoverifythataccessc thataccesscontrolisenforce ontrolisenforcedconsistentl dconsistentlyintheprese yinthepresentationla ntationlayerandthebusi yerandthebusinesslogicfor nesslogicfor allURLsintheapplication. Automatedapproaches:Both Automatedapproaches:Bothvulnerabili vulnerabilityscannersandsta tyscannersandstaticanal ticanalysistoolsh ysistoolshavediffic avedifficultywithveri ultywithverifyingURL fyingURL accesscontrol,butfor accesscontrol,butfordifferentre differentreasons.Vulnerabil asons.Vulnerabilityscanners ityscannershavediffic havedifficultyguessing ultyguessinghiddenpagesa hiddenpagesand nd determiningwhichpages determiningwhichpagesshouldbeall shouldbeallowedforeachuser, owedforeachuser,whilesta whilestaticanalysi ticanalysisenginesstr senginesstruggletoidenti uggletoidentifycustom fycustom accesscontrolsinthec accesscontrolsinthecodeandlin odeandlinkthepresentati kthepresentationlayerwith onlayerwiththebusinesslogi thebusinesslogic. c. Manualapproaches:Themo Manualapproaches:Themostefficie stefficientandaccura ntandaccurateapproachist teapproachistouseacombinati ouseacombinationofcodereview onofcodereviewandsecurit andsecurity y testingtoverifythe testingtoverifytheaccesscontrol accesscontrolmechanism.If mechanism.Ifthemechanismi themechanismiscentralize scentralized,theveri d,theverificationc ficationcanbequite anbequite efficient.Ifthemecha efficie nt.Ifthemechanismisdis nismisdistributedacros tributedacrossanentirec sanentirecodebase,veri odebase,verificationc ficationcanbemoretime‐c anbemoretime‐consuming.If onsuming.If themechanismisenforcede themechanismisenforcedexternally(We xternally(WebSEALorSiteMi bSEALorSiteMinder),theconfig nder),theconfigurationmustbeex urationmustbeexaminedandteste aminedandtested. d.
OWASP Top 10 2007
PROTECTION
Taking the time to plan authorization by creating a matrix to map the roles and functions of the application is a key step in achieving protection against unrestricted URL access. Web applications must enforce access control on every URL and business function. It is not sufficient to put access control into the presentation layer and leave the business logic unprotected. It is also not sufficient to check once during the process to ensure the user is authorized, and then not check again on subsequent steps. Otherwise, an attacker can simply skip the step where authorization is checked, and forge the parameter values necessary to continue on at the next step.
Enabling URL access control takes some careful planning. Among the most important considerations are:
• Ensure that the enforcement of your access control matrix is part of the business, architecture, and design of the application.
• Ensure that all URLs and business functions are protected by an effective access control mechanism that verifies the user's role and entitlements prior to any processing taking place. Make sure this is done during every step of the way, not just once towards the beginning of any multi-step process.
• Perform a penetration test prior to deployment or code delivery to ensure that the application cannot be misused by a motivated skilled attacker.
• Do not assume that users will be unaware of special or hidden URLs or APIs. Always ensure that administrative and high privilege actions are protected.
• Block access to all file types that your application should never serve. Ideally, this filter would follow the "accept known good" approach and only allow file types that you intend to serve, e.g., .html, .pdf, .php. This would then block any attempts to access log files, xml files, etc. that you never intend to serve directly.
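As an added illustration of the protections above and of what a code review would check (this is not code from the OWASP document): a centralized, deny-by-default access control matrix applied to every URL, a two-step transfer flow that re-authorizes on the approval step instead of trusting a client-sent parameter, a "known good" file-type filter, and a decision table for review. The roles, URLs, parameter names and in-memory TRANSFERS store are assumptions.

```python
# Added example, not from the OWASP document: centralized, deny-by-default
# URL access control. Roles, URLs, parameter names and TRANSFERS are assumptions.
import re
from dataclasses import dataclass

# Access control matrix: role -> URL patterns that role may request. Anything
# not listed is denied, so knowing /admin/adduser.php exists does not open it.
ACCESS_MATRIX = {
    "user":     [r"^/account$", r"^/transfer\.do$"],
    "approver": [r"^/account$", r"^/transfer\.do$", r"^/approveTransfer\.do$"],
    "admin":    [r"^/admin/[\w.]+$"],
}
# "Accept known good": the only file types the application serves directly.
SERVED_EXTENSIONS = {".html", ".pdf", ".php"}

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

def is_authorized(user, path):
    """Deny by default; allow only if one of the user's roles permits the path."""
    return any(re.match(p, path)
               for role in user.roles for p in ACCESS_MATRIX.get(role, []))

def is_servable(path):
    """Reject log files, raw XML and anything else never meant to be served."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in SERVED_EXTENSIONS

TRANSFERS = {}  # server-side workflow state; never taken from client input

def handle_request(user, path, params=None):
    """Single entry point for every URL: authorize first, then dispatch.
    Step 2 re-checks the matrix, so it cannot be reached by skipping step 1."""
    params = params or {}
    if not is_authorized(user, path):
        return "403 Forbidden"
    if path == "/transfer.do":
        tid = f"T{len(TRANSFERS) + 1}"
        TRANSFERS[tid] = {"owner": user.name, "amount": params["amount"], "approved": False}
        return f"200 {tid} created"
    if path == "/approveTransfer.do":
        tid = params.get("id")
        if tid not in TRANSFERS:
            return "404 Not Found"
        TRANSFERS[tid]["approved"] = True  # a client-sent 'approved' flag is ignored
        return f"200 {tid} approved"
    return "200 OK"

def audit(urls):
    """Decision table for code review: which roles can reach each URL."""
    return {u: sorted(r for r in ACCESS_MATRIX
                      if is_authorized(User(r, frozenset([r])), u)) for u in urls}
```

In a real application the request path must be canonicalized (decoded and normalized) before it is matched against the matrix, and the check belongs in one filter or front controller so that a newly added page cannot be forgotten.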
SAMPLES
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1227
REFERENCES
OWASP, http://www.owasp.org/index.php/Testing_for_Directory_Traversal
OWASP, http://www.owasp.org/index.php/Forced_browsing
OWASP, http://www.owasp.org/index.php/Guide_to_Authorization
The OWASP Top 10 is just the beginning of your web application security journey.

The world's six billion people can be divided into two groups: group one, who know why every good software company ships products with known bugs; and group two, who don't. Those in group 1 tend to forget what life was like before our youthful optimism was spoiled by reality. Sometimes we encounter a person in group two … who is shocked that any software company would ship a product before every last bug is fixed.
Eric Sink, Guardian May 25, 2006

Most of your users and customers are in group two. How you deal with this problem is an opportunity to improve your code and the state of web application security in general. Billions of dollars are lost every year, and many millions of people suffer identity theft and fraud due to the vulnerabilities discussed in this document.
FOR ARCHITECTS AND DESIGNERS
To properly secure your applications, you must know what you're securing (asset classification), know the threats and risks of insecurity, and address these in a structured way. Designing any non-trivial application requires a good dose of security.
• Ensure that you apply "just enough" security based upon threat risk modeling and asset classification
• Ask questions about business requirements, particularly missing non-functional requirements
• Work through the OWASP Secure Software Contract Annex with your customer
• Encourage safer design – include defense in depth and simpler constructs
• Ensure that you have considered confidentiality, integrity, and availability
• Ensure your designs are consistent with security policy and standards, such as COBIT or PCI DSS 1.1
FOR DEVELOPERS
Many developers already have a good handle on web application security basics. To ensure effective mastery of the web application security domain requires practice. Anyone can destroy (i.e. perform penetration testing) – it takes a master to build secure software. Aim to become a master.
• Consider joining OWASP and attending local chapter meetings
• Ask for secure code training if you have a training budget. Ask for a training budget if you don't have one
• Design your features securely – consider defense in depth and simplicity in design
• Adopt coding standards which encourage safer code constructs
• Refactor existing code to use safer constructs in your chosen platform, such as parameterized queries
• Review the OWASP Guide and start applying selected controls to your code. Unlike most security guides, it is designed to help you build secure software, not break it
• Test your code for security defects and make this part of your unit and web testing regime
• Buy a copy of "The Security Development Lifecycle" (see [HOW1] in the book references) and adopt many of its practices.
FOR OPEN SOURCE PROJECTS
Open source is a particular challenge for web application security. There are literally millions of open source projects, from one developer personal "itches" through to major projects such as Apache, Tomcat, and large scale web applications, such as PostNuke.
• Consider joining OWASP and attending local chapter meetings
• If your project has more than 4 developers, consider making at least one developer a security person
• Design your features securely – consider defense in depth and simplicity in design
• Adopt coding standards which encourage safer code constructs
• Adopt the responsible disclosure policy to ensure that security defects are handled properly
• Buy a copy of "The Security Development Lifecycle" and adopt many of its practices.
FOR APPLICATION OWNERS
Application owners in commercial settings are often time and resource constrained. Application owners should:
• Work through the OWASP Secure Software Contract Annex with the software producers
• Ensure business requirements include non-functional requirements (NFRs) such as security requirements
• Encourage designs which include secure by default features, defense in depth and simplicity in design
• Employ (or train) developers who have a strong security background
• Test for security defects throughout the project: design, build, test, and deployment
• Allow resources, budget and time in the project plan to remediate security issues
FOR C-LEVEL EXECUTIVES
Your organization must have a secure development life cycle (SDLC) in place that suits your organization. A reasonable SDLC not only includes testing for the Top 10, it includes:
• For off the shelf software, ensure purchasing policies and contracts include security requirements
• For custom code, adopt secure coding principles in your policies and standards
• Train your developers in secure coding techniques and ensure they keep these skills up to date
• Train your architects, designers, and business people in web application security fundamentals
• Adopt the responsible disclosure policy to ensure that security defects are handled properly
OWASP PROJECTS
OWASP is the premier site for web application security. The OWASP site hosts many projects, forums, blogs, presentations, tools, and papers. OWASP hosts two major web application security conferences per year, and has over 80 local chapters. The following OWASP projects are most likely to be useful:
• OWASP Guide to Building Secure Web Applications
• OWASP Testing Guide
• OWASP Code Review Project (in development)
• OWASP PHP Project (in development)
• OWASP Java Project
• OWASP .NET Project
BOOKS
[GAL1] Gallagher T., Landauer L., Jeffries B., "Hunting Security Bugs", Microsoft Press, ISBN 073562187X
[HOW1] Howard M., Lipner S., "The Security Development Lifecycle", Microsoft Press, ISBN 0735622140
[HOW2] Howard M., LeBlanc D., "Writing Secure Code", 2nd ed., Microsoft Press, ISBN 0735617228
[SCH1] Schneier B., "Practical Cryptography", Wiley, ISBN 047122894X
WEBSITES
OWASP, http://www.owasp.org
MITRE, Common Weaknesses – Vulnerability Trends, http://cwe.mitre.org/documents/vuln-trends.html
SANS Top 20, http://www.sans.org/top20/
PCI Security Standards Council, publishers of the PCI standards, relevant to all organizations processing or holding credit card data, https://www.pcisecuritystandards.org/
PCI DSS v1.1, https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
Build Security In, US CERT, https://buildsecurityin.us-cert.gov/daisy/bsi/home.html