owasp top 10

Download Owasp Top 10

Post on 10-Feb-2017

21 views

Category:

Engineering

0 download

Embed Size (px)

TRANSCRIPT

  • A

    SEMINAR REPORT

    ON

    OWASP Top - 10

    Submitted for partial fulfillment award of

    BACHELOR OF TECHNOLOGY

    Degree In

    Computer Science and Engineering

    By

    SHIVAM PORWAL

    (131234040048)

    UNDER the Supervision of

    Er. SADIK KHAN

    Department of Computer Science and Engineering,

    Institute of Engineering and Technology,

    BUNDELKHAND UNIVERSITY JHANSI

  • 1

    CERTIFICATE

    TO WHOM IT MAY CONCERN

    This is to certify that Mr. SHIVAM PORWAL (131234040048) student of B. TECH

    (Computer Science and Engineering) final year (7th semester) has given a seminar on

    OWASP Top - 10

    SEMINAR INCHARGE

    Date: Er. SADIK KHAN

    Lecturer of Computer Science & Engg. Dept.,

    I.E.T. B.U. Jhansi,

  • 2

    Acknowledgement

    Whenever a module of work is completed successfully, a source of inspiration and guidance is

    always there for students. I hereby take the opportunity to thanks all those persons to helped me

    in developing this seminar.

    I would like to express my gratitude to Er. Sadik khan, the seminar incharge for the guidance

    and help I received from him.

    I would also like to thanks Er. B.B Niranjan (Co-Ordinator of CSE), Er. B.P. Gupta, Er. Vijay

    Kumar Verma, Dr. Lalit Kumar Gupta, Er. Anurag Kumar, Er. Akshay Saxena, Er.

    Hemant Rai and all other faculty members I.E.T. Computer Engineering Dept. For their timely

    and precious help.

    SHIVAM PORWAL

  • 3

    TABLE OF CONTENTS

    Sr No.

    Topics

    Page No.

    1. What is OWASP 4

    2. Introduction to OWASP TOP 10 5

    3. OWASP Top 10 List 6

    4. Top 10 Vulnerabilities 7

    5. Successful Attack & Risk Path

    10

    6. Risk Rating of OWASP Top 10

    11

    7. Whats next for Developers?

    12

    8. Whats next for Verifiers and

    Organizations?

    13

    9. Conclusion

    14

    10. References 15

  • 4

    1. What is OWASP?

    The OWASP Foundation came online on December 1st 2001 it was established as a not-for-profit charitable organization in the United States on April 21, 2004 to ensure the ongoing availability and support for our work at OWASP. OWASP is an international organization and the OWASP Foundation supports OWASP efforts around the world. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. OWASP advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas. OWASP can be found at www.owasp.org.

    OWASP is a new kind of organization. Their freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although owasp support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative and open way. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success.

    Principles

    Free & Open

    Governed by rough consensus & running code

    Abide by a code of ethics (see ethics)

    Not-for-profit

    Not driven by commercial interests

    Risk based approach

    http://wayback.archive.org/web/*/http:/www.owasp.orghttps://www.owasp.org/index.php/Main_Pagehttps://www.owasp.org/index.php/Main_Pagehttps://www.owasp.org/index.php/OWASP_Foundation

  • 5

    2. Introduction to OWASP Top - 10

    Every few years, OWASP releases the OWASP Top 10, a list of the Top 10 most critical

    application security risks faced by developers and organizations, with a goal of helping

    developers and security teams better secure the applications they design and deploy. Because

    the risks to applications are always evolving, The OWASP Top 10 list is revised each time to

    reflect these changes, along with the techniques and best practices for avoiding and

    remediating the vulnerabilities. In addition to the OWASP Top 10 for web applications, OWASP

    has also created similar lists for Internet of Things vulnerabilities, as well as mobile security

    issues. The list is compiled by evaluating the overall threat as well as the regularity of the

    threats faced. Some risks may be rare but when exploited could be fatal, while others are

    common but easy to guard against.

    Latest release and accepted worldwide OWASP TOP 2013

    Under construction (possible in DEC-2016) OWASP TOP 2016

    How it works

    The OWASP Top 10 for 2013 is based on 8 datasets from 7 firms that specialize in application security, including 4 consulting companies and 3 tool/SaaS vendors (1 static, 1 dynamic, and 1 with both). This data spans over 500,000 vulnerabilities across hundreds of organizations and thousands of applications. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact estimates.

    Aim:

    The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas and also provides guidance on where to go from here.

    https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Projecthttps://www.owasp.org/index.php/Category:OWASP_Top_Ten_Projecthttps://www.checkmarx.com/2016/02/12/cybersecurity-organizations-resources-need-know/

  • 6

    3. OWASP Top 10 List

    FIGURE 1: OWASP TOP 10 2013 Vulnerabilities

    FIGURE 2: Comparison between OWASP TOP 10 2013 and OWASP TOP 10 2010 Vulnerabilities

  • 7

    4. Top 10 Vulnerabilities

    I. Injection

    Injections are at the head of the OWASP Top 10, and occur when a database or other areas of

    the web app where inputs arent properly sanitized, allowing malicious or untrusted data into

    the system to cause harm. SQL injection attacks are simply when data is sent to any form of

    code interpreter that can be run as a command or in the case of a database a query. The

    idea is that the data fools the interpreter into either handing over data that the attacker

    wants or it executes commands that may be hostile in the environment.

    FIGURE 3: Injection Vulnerability

    II. Broken Authentication & Session Management

    Broken Authentication and Session Management vulnerabilities allow anonymous attacks aimed at attempting to steal valuable data, especially Personally Identifiable Information. If authentication or session management protocols have not been implemented properly, they may enable a hostile to steal passwords, session keys or tokens or otherwise assume or exploit a_users_identity.

    FIGURE 4: Use Of Unknown Session ID

  • 8

    III. Cross-Site Scripting XSS

    Cross-Site Scripting, often shortened as XSS, attempts to trick a browser into accepting data that isnt from a trusted source. Applications that allow user input but dont have control over output are highly vulnerable to XSS. If successful, XSS allows the attacker to take over a user session, cause damage to a website or force the user to visit another site (often a website hosting further hostile code). There are three different kinds of XSS attacks, referred to as Stored XSS, DOM Based XSS, and Reflected XSS.

    FIGURE 5: Cross Site Scripting Vulnerability

    IV. Insecure Direct Object References

    Insecure Direct Object References occur when authentication isnt properly executed. If an application is vulnerable, malicious users may be able to gain administrative access to the application. If no access control check or other protection is in place, an attacker could manipulate that type of reference to access data theyre not authorized for.

    V. Security Misconfiguration

    When security processes and practices arent correctly followed, or implemented, Security Misconfigurations can easily be used by attackers to detect weak areas that would allow them to access privileged data. Configuration of the whole application environment including servers, platforms, etc. needs to be properly defined, implemented and controlled or it can lead to security holes.

    VI. Sensitive Data Exposure

    When security controls like SSL and HTTPS are not properly implemented, data can be leaked or stolen through a Sensitive Data Exposure vulnerability. Sensitive data such a