owasp – an introduction
![Page 1: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/1.jpg)
Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP – an Introduction
Simon Bennetts, OWASP chapter and project lead, [email protected]
Manchester Linux Users Group, February 2011
![Page 2: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/2.jpg)
What is OWASP?
Open Web Application Security Project
- Promotes secure software development
- Oriented to the delivery of web oriented services
- Focused primarily on “back-end” rather than web-design issues
- An open forum for discussion
- A free resource for any development team
![Page 3: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/3.jpg)
What is OWASP?
Open Web Application Security Project
- Non-profit, volunteer driven organization
  - All members are volunteers
  - All work is donated by sponsors
- Provides free resources to the community
  - Software, Publications, Articles, Standards
  - Testing and Training Software
  - Local Chapters & Mailing Lists
- Supported through sponsorships
  - Corporate support through financial or project sponsorship
  - Personal sponsorships from members
![Page 4: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/4.jpg)
OWASP Top Ten
Category: Detection
Type: Documentation
Status: Release quality
An awareness document that describes the top ten most common web application security risks
![Page 5: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/5.jpg)
OWASP Developers Guide
Category: Protection
Type: Documentation
Status: Release quality
Guidance on building security in to web applications and web services
![Page 6: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/6.jpg)
OWASP Code Review Guide
Category: Detection
Type: Documentation
Status: Release quality
Best practices for reviewing source code for application defects
![Page 7: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/7.jpg)
OWASP Testing Guide
Category: Detection
Type: Documentation
Status: Release quality
Application security tests and testing methodology
![Page 8: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/8.jpg)
OWASP AntiSamy
Category: Protection
Type: Tool
Status: Release quality
API (available in Java and .NET) for validating rich HTML/CSS input from users to prevent exposure to cross-site scripting and phishing attacks
![Page 9: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/9.jpg)
OWASP Enterprise Security API
Category: Protection
Type: Tool
Status: Release quality
A collection of security methods needed to build secure web applications (Java EE, .NET, classic ASP, PHP, ColdFusion, Python, JavaScript, Objective C, Force.com, Ruby, Swingset)
![Page 10: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/10.jpg)
OWASP ModSecurity Core Rule Set
Category: Protection
Type: Tool
Status: Release quality
A set of critical protections against attacks across most every web architecture, for the ModSecurity web application firewall Apache web server module
![Page 11: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/11.jpg)
OWASP WebScarab
Category: Detection
Type: Tool
Status: Release quality
HTTP intercepting proxy and tool for performing security testing on web applications
![Page 12: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/12.jpg)
OWASP JBroFuzz
Category: Detection
Type: Tool
Status: Release quality
A web application protocol fuzzer for requests being made over HTTP and/or HTTPS
![Page 13: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/13.jpg)
OWASP WebGoat
Category: Life cycle
Type: Tool
Status: Release quality
A deliberately insecure J2EE web application designed to provide web application security lessons
![Page 14: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/14.jpg)
OWASP AppSensor project
Category: Protection
Type: Documentation (& Tool)
Status: Beta
A framework for detecting and responding to attacks from within the application – application layer intrusion detection and prevention
![Page 15: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/15.jpg)
OWASP Zed Attack Proxy
Category: Detection
Type: Tool
Status: Beta
HTTP intercepting proxy / penetration testing tool for developers and functional testers
![Page 16: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/16.jpg)
OWASP AppSec Tutorial Series
![Page 17: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/17.jpg)
What else is there?
- Scores of other projects
- Common numbering scheme
- Wiki
- Cheat sheet series
- Codes of Conduct
- Committees
- Collaborative activities
- Podcast and newsletter
- Mailing lists
- Local chapters
![Page 18: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/18.jpg)
The OWASP top 10
A1: Injection
  Especially SQL: `' OR 1=1 --`
A2: Cross-Site Scripting (XSS)
  Injecting HTML / JavaScript: `<script>alert('XSS!');</script>`
A3: Broken Authentication and Session Management
  A multitude of sins, including session hijacking
A4: Insecure Direct Object References
  Not checking that the user is allowed to access the specified object, e.g. `https://www.mybank.com/AccDetails?acc=12345678`
A5: Cross-Site Request Forgery (CSRF)
  Performing an action on a GET request, like `https://www.mybank.com/Transfer?dest=bad.hacker&amount=100000`, which any page can trigger with `<img src="https://www.mybank.com/Transfer?... height="0" width="0"/>`
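The A1 and A2 entries above show the payloads but not the code pattern that makes them work, nor the fix. The following is an added example, not part of the original slides or any OWASP project: a login query written by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table with the slide's `' OR 1=1 --` input, plus the output-encoding step that turns the slide's `<script>` payload into inert text. The table, user names and passwords are all constructed for the demo.

```python
import html
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table for the demo.

    Passwords are kept in clear only to keep the injection demo short;
    A7 on the next slide is precisely about not storing them this way."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """A1 pattern: untrusted input is concatenated into the SQL text.

    With username = "' OR 1=1 --" the statement becomes
      ... WHERE username = '' OR 1=1 --' AND password = '...'
    so the password clause is commented out and every row matches."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: bind parameters keep the input as data, never as SQL,
    so the same payload is just a user name that does not exist."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def render_comment(user_text: str) -> str:
    """A2 defence: encode untrusted text before placing it in HTML, so any
    markup the user supplied is displayed rather than executed."""
    return '<p class="comment">' + html.escape(user_text, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_demo_db()
    payload = "' OR 1=1 --"
    print("vulnerable login bypassed:   ", login_vulnerable(db, payload, "x"))
    print("parameterized login bypassed:", login_parameterized(db, payload, "x"))
    print(render_comment("<script>alert('XSS!');</script>"))
```

The parameterized query is the fix for A1 because the database driver never sees the input as part of the statement text; the escaping in `render_comment` is the matching fix for A2 at the output side, and the ESAPI and AntiSamy projects listed earlier provide the same two controls as library calls.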
![Page 19: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/19.jpg)
The OWASP top 10
A6: Security Misconfiguration
  Out of date software, default passwords, detailed error messages, …
A7: Insecure Cryptographic Storage
  E.g. storing passwords hashed with DES (hello Gawker!)
A8: Failure to Restrict URL Access
  E.g. hoping `https://example.com/admin` won't be found
A9: Insufficient Transport Layer Protection
  `http://` instead of `https://`
A10: Unvalidated Redirects and Forwards
  `http://www.example.com/redirect.jsp?url=evil.com`
  `http://www.example.com/boring.jsp?fwd=admin.jsp`
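The two A10 URLs above show the parameters an application should not trust blindly. The following is an added example, not part of the original slides or any OWASP project, of the server-side checks that close both: a redirect target is resolved against the site's own base URL and accepted only if it stays on that host over https, and a forward target is accepted only from a fixed allowlist of pages. The host name `www.example.com`, the `/home` fallback and the allowlisted page names are constructed for the demo; the example also goes beyond the slide's `url=evil.com` case to the scheme-relative, look-alike-host and userinfo forms a reviewer would test.

```python
from urllib.parse import urljoin, urlsplit

# Constructed values: the one host this application serves, and where a
# rejected redirect is sent instead.
SITE_HOST = "www.example.com"
SITE_BASE = "https://www.example.com/"
DEFAULT_TARGET = "/home"

# Constructed allowlist of pages a server-side forward may reach; anything
# else (admin.jsp included) is refused rather than forwarded.
FORWARDABLE_PAGES = frozenset({"boring.jsp", "help.jsp"})


def safe_redirect_target(url_param: str) -> str:
    """Return the resolved URL only if it is an https URL on our own host,
    otherwise DEFAULT_TARGET.

    Resolving against SITE_BASE first means a bare "evil.com" becomes the
    path /evil.com on our own site (harmless), while "//evil.com/" and
    "https://evil.com/" resolve to a foreign host and are rejected."""
    if not url_param:
        return DEFAULT_TARGET
    candidate = url_param.strip()
    # Backslashes and control characters are refused outright: some browsers
    # read "/\\evil.com" as "//evil.com", which would slip past the host check.
    if "\\" in candidate or any(ord(c) < 0x20 for c in candidate):
        return DEFAULT_TARGET
    resolved = urljoin(SITE_BASE, candidate)
    parts = urlsplit(resolved)
    # Compare the whole netloc, so "www.example.com@evil.com" (userinfo
    # trick) and unexpected ports fail as well as plain foreign hosts.
    if parts.scheme != "https" or parts.netloc.lower() != SITE_HOST:
        return DEFAULT_TARGET
    return resolved


def safe_forward(page_param: str):
    """Return the page to forward to, or None when it is not allowlisted."""
    return page_param if page_param in FORWARDABLE_PAGES else None


if __name__ == "__main__":
    samples = [
        "/account",
        "evil.com",
        "//evil.com/",
        "https://evil.com/",
        "https://www.example.com.evil.com/",
        "https://www.example.com@evil.com/",
    ]
    for p in samples:
        print(repr(p), "->", safe_redirect_target(p))
    print("boring.jsp ->", safe_forward("boring.jsp"))
    print("admin.jsp  ->", safe_forward("admin.jsp"))
```

Checking the resolved host rather than the raw parameter is what matters: a substring test such as "contains example.com" passes `www.example.com.evil.com`, and a prefix test on the raw string passes the scheme-relative `//evil.com/` form. For forwards, an allowlist is simpler and safer than trying to blacklist `admin.jsp`, since it also covers A8 (the admin page is never reachable through the forward parameter at all).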
![Page 20: OWASP – an Introduction](https://reader030.vdocuments.mx/reader030/viewer/2022032414/5681336f550346895d9a830e/html5/thumbnails/20.jpg)
Questions