Upload File

top 10 web security vulnerabilities

Download Top 10 Web Security Vulnerabilities

If you can't read please download the document

Upload: carol-mcdonald

Post on 16-Apr-2017

12.334 views

Category:

Documents


6 download

Report

TRANSCRIPT

OWASP Top 10 Web Security Vulnerabilities



Carol McDonald
Sun Microsystems

About the Speaker

Carol cDonald:

Java Architect at Sun Microsystems

Before Sun, worked on software development of:

Application to manage car Loans for Toyota (>10 million loans)

Pharmaceutical Intranet apps (Roche Switzerland)

Telecom Network Mgmt (Digital France)

X.400 Email Server (IBM Germany)

OWASP Top 10

Open Web Application Security Project

promotes the development of secure web applications

developers guide, test guide, top 10, ESAPI...

http://www.OWASP.org

OWASP TOP 10

The Ten Most Critical Issues

Aimed to educate about the most common web application security vulnerabilities

Living document: 2007 Top 10 different from 2004 Top 10

WebGoat and WebScarab from OWASP

Enterprise Security API

http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Frameworks and ESAPI

ESAPI is NOT a framework

collection of security building blocks, not lock in

Designed to help retrofit existing applications

Wrap your existing libraries and services

Extend and customize

Enterprise Security API

Enterprise Security API

A1: Cross Site Scripting XSS

Reflected XSS:

HTML page reflects user input data back to the browser, without sanitizing the response

out.writeln(You searched for: +request.getParameter(query);

Stored XSS:

Attackers script is stored on the server (e.g. blog) and later displayed in HTML pages, without proper filtering

out.writeln("" + guest.name + "" + guest.comment);

DOM XSS:

input data or data from the server written to dynamic HTML (DOM) elements, without filtering

A1 Cross Site Scripting Example

Site reflects the script back to user where it executes and sends thesession cookie to the hacker.

Hacker tricks user into sending request containing script in search parameter.

alert(document.cookie)

Allows hacker to execute script in victim's browser

Script executes with victim's trust of the affected site

Never Trust Input

HttpServletRequest.getParameter()

HttpServletRequest.getCookies()

HttpServletRequest.getHeader()

Etc

Bad patterns

Input unchecked -> Output == XSS

A1 Cross Site Scripting
Protection

Defense

Input Validation

do use White List (what is allowed), reject if invalid

do Not filter with black-list (what is not allowed)

Output Encoding

Set character Encoding for HTML pages:

user supplied data should be HTML or XML entity encoded before rendering

means < becomes <

in markup represented by


Top Routinely Exploited Vulnerabilities

Top Ten Security Vulnerabilities in z/OS Security Ten Security Vulnerabilities in z/OS Security ... stolen, or compromised – Your ... like calling my car legacy because it's still

ASP.NET security vulnerabilities

Top Ten Security Vulnerabilities on IBM i · Top 10 Security Vulnerabilities on IBM i • IBM i is one of the most securable systems available—but unless you actually use the features

Top web apps security vulnerabilities

Cigital's Top Web Application Security Vulnerabilities Compared to

Common Security Vulnerabilities in

SOFTWARE SECURITY VULNERABILITIES

Top 10 Web Security Vulnerabilities (OWASP Top 10)

Identifying Security Vulnerabilities Survey

Software Security (Vulnerabilities) And Physical Security

PeopleSoft Top 10 Security Risks - Integrigy PeopleSoft Top...-Java Service Listener (JSL)-Workstation Service Listener (WSL) Five critical security vulnerabilities, collectively referred

Top Network Vulnerabilities Over Time

Top 10 Security Vulnerabilities (2006)

OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF

Web Security Introduction to Computer Security CSC 405 · OWASP Top Ten Web Vulnerabilities • A5: Security Misconfiguration – Security depends on having a secure configuration

Recent Security Threats & Vulnerabilities Computer security

TDA357/DIT621 –Databasessecurity.pdf · • Avoid redundancy and update/deletion anomalies ... security vulnerabilities, including a "top ten vulnerabilities list" ... DO NOT EXPLORE

Statistics - Top Website Vulnerabilities

Top 5 SCADA Security Vulnerabilities

White Paper: The Security Vulnerabilities of LTE ... Paper The Security Vulnerabilities of LTE: ... WHITE PAPER | THE SECURITY VULNERABILITIES OF LTE: ... the dedicated RNC node and

TKOH Security Vulnerabilities

Top Ten Security Vulnerabilities on IBM i - ocean400.org · Top Ten Security Vulnerabilities on IBM i Carol Woodbury ... Total Available i5/OS Security Capabilities ue ... •Compliance

Learn About the Top Oracle E-Business Suite Security Vulnerabilities

Web Security Vulnerabilities - ajou.ac.krics.ajou.ac.kr/~aislab/WebGoat_Dant.pdf · OWASP Top Ten OWASP(Open Web Application Security Project) Top Ten Project List of 10 Most Critical

ITrust Whitepaper: Top 10 vulnerabilities

Voip Security Vulnerabilities 2036

Addressing Web Application Security Vulnerabilities · Beat the Hacker – Solutions Security, ... (Open Web Application Security Project) top ten web applications vulnerabilities

Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat USA Conference

SECURITY VULNERABILITIES IN WEBSITES

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS … · SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS ff2017fl Contents ... SECURITY TRENDS & VULNERABILITIES

2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabilities & Threats

SEC835 OWASP Top Ten Project. Top Ten Web App Vulnerabilities OWASP top ten web application vulnerabilities – 2007 report Vulnerabilities A1 - Cross Site

Application Security Vulnerabilities: OWASP Top 10 -2007

The top 10 security weakness (vulnerabilities) in web applications (OWASP Top 10)