The OWASP 2010 Top 10
Jason Montgomery, CISSP
OWASP Cincinnati – Aug 30, 2011

About the Speaker
• Cyber Security Engineering Team, AEP
• Author / Technical Editor
  • Professional K2 blackpearl, Wiley Press © 2009
  • Professional C#, Beginning C#, etc.
• SANS Institute – sans.org
  • DEV 532: Essential Secure Coding in ASP.NET
  • DEV 544: Secure Coding in .NET: Developing Defensible Applications
  • GIAC GSSP .NET Steering Committee
• Developer
• Sys Admin

“Code is Law” - Lawrence Lessig

Who's Vulnerable?
“When first tested, more than half of all applications fail to meet acceptable security quality, and more than 8 out of 10 web applications fail OWASP Top 10.”
Veracode State of Software Security Report, 2011
http://info.veracode.com/rs/veracode/images/soss-v3.pdf

Who's Vulnerable?
WhiteHat Website Security Statistics Report, Winter 2011
http://www.whitehatsec.com/home/resource/stats.html#winter11stats
Window of Exposure
Figure 1. 2010 at a Glance – Sorted by Industry: the average number of serious* vulnerabilities per website, the percentage of reported vulnerabilities that have been resolved (Remediation Rate), and the average time that a website is exposed to at least one serious vulnerability (Window of Exposure).
Source: WhiteHat Website Security Statistics Report, Winter 2011, http://www.whitehatsec.com/home/resource/stats.html

What are some challenges to Secure Applications?

Challenges to App Sec
• Business (features) drives development, not security (non-functional requirements)
• Market Forces – “Don’t Worry, Be Crappy” (Guy Kawasaki)
• Knowledge Gap
  • “Our developers are pretty smart. I’m sure they’ve got it covered.”
  • “Our developers do amazing things. I’m sure they already understand these issues.”
  • “We haven’t been hacked yet.”
• Constraints
  • “We don’t have the time.”
  • “It’s too expensive.”
  • “We don’t have anyone here with the expertise.”
• No Process to Incorporate Security
  • No security in the Software Development Lifecycle
  • Rely on black box or white box scanning
  • Only fix what’s found
  • Little or no assurance

“6 Billion Crash Test Dummies” - David Rice, Geekonomics: The Real Cost of Insecure Software

Software and Security
Common Weakness Enumeration (CWE)
Top x Lists
• OWASP Top 10 – 2010: The 10 Most Critical Web Application Security Risks
  • http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• 2010 CWE/SANS Top 25 Most Dangerous Software Errors
  • http://cwe.mitre.org/top25/
  • http://www.sans.org/top25-software-errors/

Software and Security – Why are these important?
• Raise awareness / education
• Industry-accepted mitigation techniques
• Collaboration
• Define common terms and language for describing issues
• Makes security measurable
• Helps prioritize

Secure vs. Defensible Software
Bugs vs. Flaws
• CWE defines ~658 software weaknesses
  • 356 can be introduced during design
  • 578 can be introduced during implementation
100% Security…?
Goal: Secure…or Defensible?
Add Security to the Development Lifecycle
• The Building Security In Maturity Model (BSIMM2)
• Software Assurance Maturity Model (SAMM) – OWASP
• Microsoft SDLC

OWASP Top 10 - 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

A2: Cross-Site Scripting (XSS)
“The software does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users.” – CWE-79

CWE Taxonomy of XSS
CWE-20: Improper Input Validation (Category)
  CWE-74: Injection (Class)
    CWE-79: Cross-Site Scripting (Base)
      CWE-80: Basic XSS (Variant)
      CWE-81: Improper Sanitization of Script in an Error Message Web Page (Variant)
      CWE-83: Improper Neutralization of Script in Attributes in a Web Page (Variant)
      CWE-84: Failure to Resolve Encoded URI Schemes in a Web Page (Variant)
      CWE-85: Doubled Character XSS Manipulations (Variant)
      CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages (Variant)
      CWE-87: Failure to Sanitize Alternate XSS Syntax (Variant)

Cross-site Scripting Types
• Stored XSS – persisted to a data store, then embedded into the DOM server-side
• Reflected XSS – reflected from the client back into the DOM by the server
• DOM Based – reflected through the URL back to the client and embedded into the DOM by JavaScript

Reflected XSS Example
URL:
  http://site.com/Error.aspx?msg=%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E
Error.aspx code:
  The following error occurred: <%= Request.QueryString["msg"] %><br/>
Output HTML:
  The following error occurred: <script>alert('xss');</script><br/>

Context Matters – Web
• HTML Entities
• HTML Attributes
• JavaScript
• URL
• CSS / Style

XSS Injection Points
HTML Element:
  <div><%= Request.QueryString["message"] %></div>
HTML Attribute:
  <img alt="<%= Request.QueryString["altTxt"] %>" src=... />
HTML Comments:
  <!-- Debug: <%= Request.QueryString["value"] %> -->

XSS Injection Points Cont.
JavaScript variables / data:
  <script language="javascript">
    function Redirect() {
      document.location = '<%= Request.QueryString["location"] %>';
    }
  </script>
Style Attributes / CSS Files:
  <DIV STYLE="width: <%= untrustedInput %>" ... />
URL:
  <a href="http://www.site.com?value=<%= value %>">link</a>

Real XSS Examples
Source: http://sla.ckers.org/forum/read.php?3,44,632
http://www.ninjaproxy.com/cgiproxy/nph-proxy.pl/010110A/"<script>alert('boo')</script>
http://h20000.www2.hp.com/bizsupport/TechSupport/ProdSearch.jsp?lang=en&cc=us&taskId=135&prod=%22%3E%3CSCRIPT%3Ealert(%22kefka%20was%20here%22)%3C/SCRIPT%3E
http://www.jlist.com/SEARCH/%3Cbody_onload=alert('XSS')%3E/1/
http://photobucket.com/feedback.php?action=contact&email=asdf&subject=&feedback=%3C/textarea%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&send=Send
http://accessories.us.dell.com/sna/category.aspx?k=%22%3e%3Cscript%3Ealert('XSS')%3C/script%3E&_nks=true&c=us&cs=19&l=en&s=dhs&x=0&y=0
http://www.pcworld.com/search/results?qt=%22onmouseover=%22alert('XSS')%22

XSS In the News
• Facebook (Oct. 5th, 2010) – “wormable”
• Twitter (Sept. 21st, 2010) – “wormable”

A1 / A2: Injection – Defense in Depth
Constrain input through input validation

A1 / A2: Injection – Solution
Must encode special characters

Injection: Ask Two Questions
Data flows inbound from the client into the Web Application, outbound to the Info Store, and back again the same way.
• For every inbound flow: “Should I consume?”
• For every outbound flow: “Should I emit?”
Injection Mitigation – Defense in Depth
• Assume all input is malicious
• (Re)use a vetted library
• Enforce length checks
• Enforce type checks
• Validate input
  • Whitelists / Blacklists
• Escape/Encode output
  • Properly encode/escape data for its destination
* Take care with regular expressions

Cross-Site Scripting (XSS) Mitigation – Defense In Depth
• Set consistent encoding (declare the charset: +ADw-script+AD4 is “<script>” in UTF-7, which a browser left to guess the encoding may decode)
• Encode using whitelists
• Constrain input
• Sanitize dangerous tags/attributes
• Avoid allowing HTML input (if possible)
  • Prefer a lightweight markup language (e.g. BBCode) and convert it to styled HTML yourself
  • Not always an option with WYSIWYG controls on sites

Microsoft Web Protection Library (WPL) AKA AntiXSS 4.0
• Whitelists – narrowly defines the allowable character sets and encodes everything else

WPL Cross-Site Scripting (XSS) Sanitation
The Web Protection Library Sanitizer class “…transforms and filters HTML of executable scripts. A safe list of tags and attributes are used to strip dangerous scripts from the HTML. HTML is also normalized where tags are properly closed and attributes are properly formatted.” [1]
• Sanitizer.GetSafeHtml() – sanitizes an entire HTML document
• Sanitizer.GetSafeHtmlFragment() – sanitizes a fragment of an HTML document
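The "lightweight markup instead of HTML" option above, and the Sanitizer's normalizing of unclosed tags, as an added Node.js example (not code from the slides or from the Web Protection Library): a BBCode-to-HTML converter that recognises only a fixed allowlist of tags, entity-encodes every character of user text, and accepts only absolute http(s) link targets. The tag set, the `rel="nofollow"` attribute and the sample inputs are constructed assumptions.

```javascript
// Added example: allowlist-based BBCode -> HTML conversion (not WPL code).
// User text is always entity-encoded; only tags in TAGS become elements.
const escapeHtml = s => String(s).replace(/[&<>"']/g, c =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Constructed tag allowlist: BBCode name -> HTML element. Anything else is text.
const TAGS = { b: 'strong', i: 'em', u: 'u', quote: 'blockquote' };

// Link targets must parse as absolute http(s) URLs; any other scheme (or an
// unparsable value) is rejected and the [url=...] tag is shown as plain text.
function safeUrl(raw) {
  try {
    const u = new URL(raw);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch {
    return null;
  }
}

function bbcodeToHtml(input) {
  // Split into BBCode tag tokens and the text between them.
  const tokens = String(input).split(/(\[\/?[a-z]+(?:=[^\]]*)?\])/i);
  const open = [];  // stack of { name, close } for tags currently open
  let html = '';
  for (const tok of tokens) {
    const m = /^\[(\/?)([a-z]+)(?:=([^\]]*))?\]$/i.exec(tok);
    if (!m) { html += escapeHtml(tok); continue; }
    const [, closing, rawName, arg] = m;
    const name = rawName.toLowerCase();
    if (closing) {
      // A close tag only counts if it matches the innermost open tag.
      if (open.length && open[open.length - 1].name === name) {
        html += open.pop().close;
      } else {
        html += escapeHtml(tok);
      }
    } else if (name === 'url' && arg !== undefined) {
      const href = safeUrl(arg);
      if (href) {
        open.push({ name, close: '</a>' });
        html += `<a href="${escapeHtml(href)}" rel="nofollow">`;
      } else {
        html += escapeHtml(tok);  // bad scheme: render the markup as text
      }
    } else if (TAGS[name]) {
      open.push({ name, close: `</${TAGS[name]}>` });
      html += `<${TAGS[name]}>`;
    } else {
      html += escapeHtml(tok);    // unknown tag: plain text, never HTML
    }
  }
  // Normalise the output by closing whatever the user left open.
  while (open.length) html += open.pop().close;
  return html;
}

// Constructed sample: bold text followed by the payload from the deck's URL.
console.log(bbcodeToHtml("[b]hi[/b] <script>alert('xss');</script>"));
```

Because the converter never copies user text into the output unencoded, there is no "dangerous tag" to strip: the HTML that appears is produced by the converter from an allowlist, which is exactly what makes this approach easier to reason about than sanitizing arbitrary HTML.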
UnicodeCharacterEncoder.MarkAsSafe()
Configures the Encoder class with the valid ranges of Unicode. Choose the expected Lower, Lower Middle, Middle, Upper Middle, and Upper code charts:

  UnicodeCharacterEncoder.MarkAsSafe(
      LowerCodeCharts.BasicLatin,
      LowerMidCodeCharts.LatinExtendedAdditional,
      MidCodeCharts.MathematicalOperators |
      MidCodeCharts.CurrencySymbols,
      UpperMidCodeCharts.None,
      UpperCodeCharts.None
  );

WPL Encoder Class
Encoding static methods for the Web:
• Encoder.CssEncode()
• Encoder.HtmlEncode()
• Encoder.HtmlAttributeEncode()
• Encoder.UrlEncode()
• Encoder.HtmlFormEncode()
• Encoder.JavaScriptEncode()
• Encoder.VisualBasicScriptEncode()

XSS Injection Fixed
HTML Element:
  <div><%= Encoder.HtmlEncode(Request.QueryString["message"]) %></div>
HTML Attribute:
  <img alt="<%= Encoder.HtmlAttributeEncode(Request.QueryString["altTxt"]) %>" src=... />

XSS Injection Fixed Cont.
JavaScript variables / data:
  <script language="javascript">
    function Redirect() {
      document.location = '<%= Encoder.JavaScriptEncode(Request.QueryString["location"]) %>';
    }
  </script>
Style Attributes / CSS Files:
  <DIV STYLE="width: <%= Encoder.CssEncode(untrustedInput) %>" ... />

ASP.NET 4.0 – Encoding
  <div><%= Html.Encode(variableToEncode) %></div>
New abbreviated syntax:
  <div><%: variableToEncode %></div>
Change the default encoding (web.config):
  <system.web>
    <httpRuntime encoderType="AntiXssEncoder, AssemblyName" />
  </system.web>

ASP.NET 4.0 – Encoding
  <div><%= Server.HtmlEncode(variableToEncode) %></div>
New abbreviated syntax:
  <div><%: variableToEncode %></div>
MVC 3 Razor view engine:
  <div>@variableToEncode</div>

Default Encoder Blacklist
& ' " < > and the range 0x0a – 0xFF
* Does NOT completely encode for HTML Attributes, JavaScript, VBScript, URL, or CSS.
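The whitelist encoding approach the WPL slides describe, applied to the deck's own Error.aspx and Redirect() injection points, as an added Node.js example (not code from the slides or from the Web Protection Library): one walker over the input's code points, a narrow safe set that passes through unchanged, and a separate escape form for each target context (HTML element/attribute, JavaScript string, CSS value, URL query value). The safe set (ASCII letters and digits), the `markAsSafe` range helper that stands in for the idea of UnicodeCharacterEncoder.MarkAsSafe(), and the rendering functions are constructed assumptions; the payload is the one from the slide's example URL.

```javascript
// Added example: context-specific, whitelist-based output encoders (not WPL code).
// Constructed safe set: ASCII letters and digits pass through; every other
// code point is encoded in the form its target context understands.
const ALWAYS_SAFE = /^[A-Za-z0-9]$/;

// Extra code-point ranges the application declares safe, standing in for the
// idea of UnicodeCharacterEncoder.MarkAsSafe() (assumed shape, not WPL's API).
const safeRanges = [];
function markAsSafe(lo, hi) { safeRanges.push([lo, hi]); }

function isSafe(cp) {
  if (ALWAYS_SAFE.test(String.fromCodePoint(cp))) return true;
  return safeRanges.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Walks the input by code point and hands each unsafe one to the
// context-specific escape function.
function encodeWith(input, escape) {
  let out = '';
  for (const ch of String(input)) {
    const cp = ch.codePointAt(0);
    out += isSafe(cp) ? ch : escape(cp, ch);
  }
  return out;
}

const hex = (n, width) => n.toString(16).toUpperCase().padStart(width, '0');

// HTML element content and attribute values: entities. Space is encoded as
// well, so a value stays one token even inside an unquoted attribute.
const NAMED = { 0x26: '&amp;', 0x3C: '&lt;', 0x3E: '&gt;', 0x22: '&quot;' };
const htmlEncode = s => encodeWith(s, cp => NAMED[cp] || `&#${cp};`);
const htmlAttributeEncode = htmlEncode;

// JavaScript string literal: \xHH below U+0100, otherwise \uHHHH per UTF-16
// code unit, so neither a quote nor "</script>" reaches the HTML parser.
const javaScriptEncode = s => encodeWith(s, (cp, ch) =>
  cp < 0x100
    ? `\\x${hex(cp, 2)}`
    : ch.split('').map(u => `\\u${hex(u.charCodeAt(0), 4)}`).join(''));

// CSS value: six-digit \HHHHHH escapes, which need no trailing delimiter.
const cssEncode = s => encodeWith(s, cp => `\\${hex(cp, 6)}`);

// URL query value: percent-encode each UTF-8 byte.
const urlEncode = s => encodeWith(s, (cp, ch) =>
  Array.from(Buffer.from(ch, 'utf8'), b => `%${hex(b, 2)}`).join(''));

// The msg value from the slide's example URL.
const PAYLOAD = "<script>alert('xss');</script>";

// The deck's Error.aspx line; pass an identity function to see the
// vulnerable output and htmlEncode to see the fixed one.
function renderErrorPage(msg, encode) {
  return `The following error occurred: ${encode(msg)}<br/>`;
}

// The deck's Redirect() assignment, with the value in a JS string context.
function renderRedirect(location) {
  return `document.location = '${javaScriptEncode(location)}';`;
}

console.log('vulnerable:', renderErrorPage(PAYLOAD, s => s));
console.log('fixed:     ', renderErrorPage(PAYLOAD, htmlEncode));
console.log('js context:', renderRedirect(PAYLOAD));
```

The point the encoders make is the one the "Context Matters" slide makes: the same payload needs `&lt;` in an element, `\x3C` inside a JavaScript string and `%3C` in a query string, and an encoder for one context does not protect another. Widening the safe set with `markAsSafe` trades readability of the output for a larger surface, which is why the WPL chooses the ranges explicitly per application.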
Replacing the Default HttpEncoder
AntiXssEncoder.cs:

  using System.IO;                        // TextWriter
  using System.Web.Util;                  // HttpEncoder
  using Microsoft.Security.Application;   // WPL Encoder class

  public class AntiXssEncoder : HttpEncoder {
      public AntiXssEncoder() {}

      // Route the framework's HTML encoding through the WPL whitelist encoder.
      protected override void HtmlEncode(string value, TextWriter output) {
          output.Write(Encoder.HtmlEncode(value));
      }

      // Same for attribute values, which <%: %> and Html.Encode() rely on.
      protected override void HtmlAttributeEncode(string value, TextWriter output) {
          output.Write(Encoder.HtmlAttributeEncode(value));
      }
  }

web.config:
  <system.web>
    <httpRuntime encoderType="AntiXssEncoder, AssemblyName" />
  </system.web>

XSS Exploit Demo
BeEF: Browser Exploitation Framework

Contact
Email • [email protected] (put OWASP in the subject)
LinkedIn • http://www.linkedin.com/in/jmonty
Twitter • http://www.twitter.com/j_monty
        • http://www.twitter.com/SANSecDotNet
Blog • http://www.securitythroughabsurdity.com