
Page 1: George Iakovakis - Αρχική Iakovakis... · 2017-06-21 · Methodology Introduction: A description of each threat, a definition and some statistics about it, using data sources

George Iakovakis, January 2016

Page 2

George Iakovakis ([email protected])

Athens University of Economics & Business (GR)

Page 3

Introduction

What Web Application is…

Why web applications have become the main threat to the secrecy and integrity of our sensitive data…

What OWASP is…

Analysis of OWASP Top 10 - 2013

Contributions in two different areas:

Detection and prevention of web threats, using appropriate tools and techniques.

Presentation of attacks and trends with the most dangerous threats and vulnerabilities during 2013-2015.


Page 4

OWASP Top 10 – 2013


Page 5

Methodology

Introduction: A description of each threat, a definition and some statistics about it, using data sources such as the National Vulnerability Database (NVD), Aspect Security, Trustwave, Veracode, WhiteHat Security, etc.

Types of Attack: Main attack methods and their subcategories, using the Web Hacking Incident Database (WHID), which has real-life examples and new entries for many attack methods.

Detection: Detection methods and tools, emphasizing the most important ones.

Prevention: Prevention techniques and tools separately for every attack, examining the most suitable way to prevent the attacker from being harmful.


Page 6

1. Injection Flaws

Types of Attack

SQL Injection

LDAP Injection

XPath Injection

Detection

Database firewall

Injection Detection System

Vulnerability scanning tools

Prevention

Strong Authentication – Access Control

Avoidance of detailed error messages

Input data validation

Using encryption


Acunetix Statistical Vulnerabilities Report 2015

Page 7

2. Broken Authentication and Session Management

Types of Attack

Phishing attack

Brute force attack

Man in the middle attack

Detection

IDS

Black-list/White-list based tools

Prevention

Using a trusted third party

Awareness of users

Blocking phishing e-mails with spam filters

Using strong encryption - hashing - salt

Using multi-factor authentication


Verizon 2015 Data Breach Investigations Report

Page 8

3. Cross Site Scripting (XSS)


Types of Attack

Persistent or Stored XSS

Non-persistent or Reflected XSS

DOM-based or Local XSS

Detection

Code review

Web server logs

Online attack detection tools: IDS, Web Application Firewalls (WAF)

Prevention

Attack prevention utilities/tools (IPS, WAF)

Separation of untrusted data from active browser content

Acunetix Report 2015

Page 9

4. Insecure Direct Object References

Types of Attack

Path/Directory Traversal

Null Byte Injection

Detection

Using static analysis

Firewall

Penetration testing

Prevention

Access Control

Indirect reference map: substitution of the internal reference with an alternate ID.

User input validation: using a whitelist or blacklist

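The indirect reference map on this slide, worked through as an added Python example (not code from the presentation): the browser is given a random per-session token in place of the database key, and the server resolves a token only through that session's own map, so a guessed internal id or a token copied from another user's session fails. The invoice records, user names and Session class are constructed for the example.

```python
import secrets

# Constructed sample data: the integer keys are the internal (direct) references.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
}

class ReferenceMap:
    """Per-session indirect reference map: opaque random token <-> internal id."""

    def __init__(self):
        self._to_internal = {}
        self._to_token = {}

    def token_for(self, internal_id):
        # Reuse the token if this session has already exposed the same object.
        if internal_id not in self._to_token:
            token = secrets.token_urlsafe(16)
            self._to_token[internal_id] = token
            self._to_internal[token] = internal_id
        return self._to_token[internal_id]

    def resolve(self, token):
        # Only tokens minted by this map resolve; a raw internal id, a guessed
        # value or a token copied from another user's session returns None.
        return self._to_internal.get(token)

class Session:
    """Hypothetical per-user session; each session owns its own reference map."""

    def __init__(self, user):
        self.user = user
        self.refmap = ReferenceMap()

def list_invoices(session):
    """Render the user's invoices keyed by indirect token, never by database id."""
    return {
        session.refmap.token_for(iid): inv["amount"]
        for iid, inv in INVOICES.items()
        if inv["owner"] == session.user
    }

def get_invoice(session, ref):
    """Handle GET /invoice/<ref>: resolve via the session map, 404 on anything else."""
    iid = session.refmap.resolve(ref)
    if iid is None or INVOICES[iid]["owner"] != session.user:
        return 404, None
    return 200, INVOICES[iid]
```

The ownership check in get_invoice is the access-control item from the same slide; the map alone hides identifiers but should not be the only authorization step.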

Page 10

5. Security Misconfiguration

Types of Attack

Clickjacking

Application Misconfiguration attacks

Server Misconfiguration attacks

Detection

Security configuration auditing tools

Prevention

Install latest updates and security patches

Change usernames, passwords and ports for default accounts

Monitor your logs

Don't run unnecessary servers or interpreters


Page 11

6. Sensitive Data Exposure


Types of Attack

SQL Injection

Phishing attack

Man in the middle attack

Prevention

Enforce strict data encryption

Have a well-defined password policy

Give access to data only if required

Encrypt backups as well

Detection

Data leak detection using scanning tools

Page 12

7. Missing Function Level Access Control

Types of Attack

Forced Browsing

DNS Hijacking

Detection

Using scanning tools

Prevention

Using role-based authentication mechanisms

Log sensitive actions


Application vulnerability likelihood – WhiteHat Report 2015

Page 13

8. Cross Site Request Forgery (CSRF) (1/2)

CSRF vs XSS:

Cross-site scripting (XSS) exploits the trust a user has for a particular site.

CSRF exploits the trust that a site has in a user's browser.

Types of Attack

Stored CSRF: the attacker can use the application itself to provide the victim with the exploit link.

Reflected CSRF: the attacker uses a system outside the application to expose the victim to the exploit link or content.

Detection: CSRF is currently difficult to detect reliably using automated techniques.


Page 14

8. Cross Site Request Forgery (CSRF) (2/2)


Prevention

Page 15

9. Using Components with Known Vulnerabilities

Types of Attack

Injections

Cross site scripting

Zero day attack

Detection

Using Web Application Firewalls

Prevention

Using good component practices

Using threat patterns


Aspect Security Report 2014

Page 16

10. Unvalidated Redirects and Forwards

Types of Attack

Redirection – Open Redirect attack

Detection

Automated detection with website crawling tools

Manual code scanning

Prevention

Force user notification on redirects and forwards

White-listing URLs

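The URL white-listing on this slide, as an added Python example rather than code from the presentation: a redirect parameter is accepted only if it is a local path or an http(s) URL whose host is on a fixed allow-list, and anything else falls back to a default page. ALLOWED_HOSTS, the example.com hosts and DEFAULT_TARGET are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only external hosts this hypothetical app may redirect to.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
DEFAULT_TARGET = "/"

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a local path or an http(s) URL whose host is on the allow-list."""
    if not target or any(c in target for c in "\\\r\n\x00"):
        # Backslashes and control characters are normalised differently by browsers
        # and parsers; refuse rather than guess how they will be interpreted.
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: exactly one leading slash. A "//host/x" value is parsed
        # as a scheme-relative URL instead and is rejected by the scheme check below.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # hostname is lower-cased with userinfo and port stripped, so a value such as
    # "https://www.example.com@other.test/" is judged by other.test, not the prefix.
    return (parts.hostname or "") in allowed_hosts

def redirect_location(requested, allowed_hosts=ALLOWED_HOSTS):
    """Pick the Location header: allow-listed targets pass, anything else falls back."""
    if is_safe_redirect(requested, allowed_hosts):
        return requested
    return DEFAULT_TARGET
```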

Page 17

Conclusions

Web application vulnerabilities are increasingly posing serious threats to organizations.

Encryption does not mean data is secured from the attacker.

Developers must give more attention to insider attackers.

Administrators must give different authorization to different types of users.

Attackers are particularly targeting sites that are likely to be trusted by end users, such as social networking sites.

Website security should be a priority in any organization.


Page 18

There is an age-old saying:

“It’s too late to sharpen your sword when the drum beats for battle”

