The OWASP 2010 Top 10 Jason Montgomery, CISSP

OWASP Cincinnati – Aug 30, 2011
• Cyber Security Engineering Team, AEP
• Author / Technical Editor
• Professional K2 blackpearl, Wiley Press © 2009
• Professional C#, Beginning C#, etc.
• SANS Institute – sans.org
• DEV 532: Essential Secure Coding in ASP.NET
• DEV 544: Secure Coding in .NET: Developing Defensible Applications
• GIAC GSSP .NET Steering Committee
• Developer
• Sys Admin
“Code is Law”
- Lawrence Lessig
Who's Vulnerable?
“When first tested, more than half of all applications
fail to meet acceptable security quality, and more
than 8 out of 10 web applications fail OWASP Top 10.”
VERACODE State of Software Security Report, 2011
http://info.veracode.com/rs/veracode/images/soss-v3.pdf
Who's Vulnerable?
Whitehat Website Security Statistics Report, Winter 2011
http://www.whitehatsec.com/home/resource/stats.html#winter11stats
Window of Exposure
Figure 1. 2010 at a Glance – Sorted by Industry
The average number of serious* vulnerabilities per website, the percentage of reported vulnerabilities
that have been resolved (Remediation Rate), and the average time that a website is exposed to at least one
serious vulnerability (Window of Exposure).
Source: Whitehat Website Security Statistics Report, Winter 2011
http://www.whitehatsec.com/home/resource/stats.html
What are some challenges to Secure Applications?
Challenges to App Sec
Business (features) drives development, not security (non-functional requirements)
Market Forces
“Don’t Worry, Be Crappy”
• Guy Kawasaki
Knowledge Gap
“Our developers are pretty smart. I’m sure they’ve got it
covered.”
“Our developers do amazing things. I’m sure they already
understand these issues.”
“We haven’t been hacked yet.”
Constraints
“We don’t have the time.”
“It’s too expensive.”
“We don’t have anyone here with the expertise.”
No Process to Incorporate Security
• No security in the Software Development Lifecycle
• Rely on Black box or white box scanning
• Only fix what’s found
• Little or no assurance
“6 Billion Crash Test Dummies”
- David Rice
Geekonomics: The Real Cost of Insecure Software
Software and Security
Common Weakness Enumeration (CWE)
Top x Lists
• OWASP Top 10 – 2010: The 10 Most Critical Web Application Security Risks
• http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• 2010 CWE/SANS Top 25 Most Dangerous Software Errors
• http://cwe.mitre.org/top25/
• http://www.sans.org/top25-software-errors/
Software and Security
Why are these important?
• Raise Awareness / Education
• Industry Accepted Mitigation Techniques
• Collaboration
• Define common terms and language for describing issues
• Makes security measurable
• Help Prioritize
Secure vs. Defensible
Software Bugs vs. Flaws
• CWE defines ~658 Software Weaknesses
• 356 can be introduced during design
• 578 can be introduced during implementation
100% Security…?
Goal: Secure…or Defensible?
Add Security to the Development Lifecycle
• The Building Security In Maturity Model (BSIMM2)
• Software Assurance Maturity Model (SAMM) – OWASP
• Microsoft SDLC
OWASP Top 10 - 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
A2: Cross-Site Scripting (XSS)
“The software does not sufficiently validate,
filter, escape, and/or encode user-controllable
input before it is placed in output that is used as
a web page that is served to other users.”
CWE-79
CWE Taxonomy of XSS
CWE-20: Improper Input Validation (Category)
  CWE-74: Injection (Class)
    CWE-79: Cross-Site Scripting (Base)
      CWE-80: Basic XSS (Variant)
      CWE-81: Improper Sanitization of Script in an Error Message Web Page (Variant)
      CWE-83: Improper Neutralization of Script in Attributes in a Web Page (Variant)
      CWE-84: Failure to Resolve Encoded URI Schemes in a Web Page (Variant)
      CWE-85: Doubled Character XSS Manipulations (Variant)
      CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages (Variant)
      CWE-87: Failure to Sanitize Alternate XSS Syntax (Variant)
Cross-site Scripting Types
• Stored XSS
  • Persisted to a data store, embedded into the DOM server-side
• Reflected XSS
  • Reflected from the client into the DOM by the server
• DOM Based
  • Reflected through the URL back to the client, embedded into the DOM by JavaScript
Reflected XSS Example
URL
http://site.com/Error.aspx?msg=%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E
Error.aspx Code
The following error occurred:
<%= Request.QueryString["msg"] %><br/>
Output HTML
The following error occurred:
<script>alert('xss');</script><br/>
Context Matters
Web
• Html Entities
• Html Attributes
• JavaScript
• URL
• CSS / Style
XSS Injection Points
HTML Element
<div><%= Request.QueryString['message'] %></div>
HTML Attribute
<img alt="<%=Request.QueryString['altTxt']%>"
src=... />
HTML Comments
<!-- Debug: <%= Request.QueryString['value'] %> -->
XSS Injection Points Cont.
JavaScript variables / data
<script language="javascript">
function Redirect()
{
document.location = '<%= Request.QueryString["location"] %>';
}
</script>
Styles Attributes / CSS Files
<DIV STYLE="width: <%= untrustedInput %>" ... />
URL
<a href="http://www.site.com?value=<%= value %>">link</a>
Real XSS Examples
Source: http://sla.ckers.org/forum/read.php?3,44,632
http://www.ninjaproxy.com/cgiproxy/nph-proxy.pl/010110A/"<script>alert('boo')</script>
http://h20000.www2.hp.com/bizsupport/TechSupport/ProdSearch.jsp?lang=en&cc=us&taskId=135&prod=%22%3E%3CSCRIPT%3Ealert(%22kefka%20was%20here%22)%3C/SCRIPT%3E
http://www.jlist.com/SEARCH/%3Cbody_onload=alert('XSS')%3E/1/
http://photobucket.com/feedback.php?action=contact&email=asdf&subject=&feedback=%3C/textarea%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&send=Send
http://accessories.us.dell.com/sna/category.aspx?k=%22%3e%3Cscript%3Ealert('XSS')%3C/script%3E&_nks=true&c=us&cs=19&l=en&s=dhs&x=0&y=0
http://www.pcworld.com/search/results?qt=%22onmouseover=%22alert('XSS')%22
XSS In the News
Facebook (Oct. 5th, 2010) - “wormable”
Twitter (Sept. 21st, 2010) – “wormable”
A1 / A2: Injection – Defense in Depth
• Constrain input through input validation
A1 / A2: Injection – Solution
• Must encode special characters
Injection: Ask Two Questions
(Diagram: data flows inbound from the Web into the Application, outbound from the Application to the Info Store, and back again.)
• Inbound data: Should I consume?
• Outbound data: Should I emit?
Injection Mitigation
Defense in Depth
• Assume all input is malicious
• (Re)use a vetted library
• Enforce Length Checks
• Enforce Type Checks
• Validate Input
• Whitelists/Blacklists
• Escape/Encode Output
• Properly encode/escape data
* Take care with regular expressions
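The "Should I consume?" question, worked as an inbound validator. This is an added example, not code from the slides; the field names (msgId, country) and their rules are hypothetical. It applies the steps in the order the list above gives them: length first, then an anchored whitelist pattern, then the type conversion, then a whitelist of known values, and it shows what "take care with regular expressions" means in practice.

```javascript
// Added example, not from the slides: the "Should I consume?" check as an
// inbound validator applying length, type and whitelist steps in order.
// The field names and their rules are hypothetical.

const RULES = {
  // Hypothetical numeric error id: short, digits only, converted to an integer.
  msgId: { maxLength: 6, type: 'int', pattern: /^[0-9]{1,6}$/, allow: null },
  // Hypothetical country code: a closed set of known values is the whitelist.
  country: { maxLength: 2, type: 'string', pattern: /^[A-Z]{2}$/, allow: new Set(['US', 'GB', 'DE']) },
};

function validate(field, raw) {
  // Own-property lookup so a field name like "constructor" is not treated as a rule.
  const rule = Object.prototype.hasOwnProperty.call(RULES, field) ? RULES[field] : null;
  if (!rule) return { ok: false, reason: 'unknown field' };
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  // 1. Length check first: cheap, and it bounds the work the regex below can do.
  if (raw.length > rule.maxLength) return { ok: false, reason: 'too long' };
  // 2. Whitelist pattern: anchored (^...$) with no nested quantifiers, so a
  //    hostile input cannot make it backtrack exponentially (the regex caveat
  //    on the slide); a pattern such as /^(a+)+$/ would.
  if (!rule.pattern.test(raw)) return { ok: false, reason: 'bad characters' };
  // 3. Type check: convert and require an exact round trip, which rejects
  //    leading zeros and anything parseInt would silently truncate.
  let value = raw;
  if (rule.type === 'int') {
    value = Number.parseInt(raw, 10);
    if (!Number.isSafeInteger(value) || String(value) !== raw) {
      return { ok: false, reason: 'not an integer' };
    }
  }
  // 4. Value whitelist, where the rule defines one.
  if (rule.allow && !rule.allow.has(value)) return { ok: false, reason: 'not in whitelist' };
  return { ok: true, value };
}

// Apply the rules to a whole query object; unknown parameters are refused, not ignored.
function validateQuery(query) {
  const result = { ok: true, values: {}, errors: {} };
  for (const [field, raw] of Object.entries(query)) {
    const r = validate(field, raw);
    if (r.ok) {
      result.values[field] = r.value;
    } else {
      result.ok = false;
      result.errors[field] = r.reason;
    }
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample query strings, one clean and one with an unexpected parameter.
  console.log(validateQuery({ msgId: '42', country: 'DE' }));
  console.log(validateQuery({ msgId: '42;x', country: 'FR', debug: '1' }));
}
```

Validation here decides only whether the value is consumed; it does not make the value safe to emit, which is the second question and is answered by output encoding.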
Cross-Site Scripting (XSS) Mitigation
Defense In Depth
+ADw-script+AD4 (a UTF-7 encoding of <script>; a browser left to guess the charset may decode it)
• Set consistent encoding
• Encode using whitelists
• Constrain Input
• Sanitize dangerous tags/attributes
Avoid allowing HTML input (if possible)
• Prefer a lightweight markup language (e.g. BBCode) and convert it to stylistic input
• Not always an option with WYSIWYG controls on sites
Microsoft Web Protection Library (WPL)
AKA AntiXSS 4.0
Whitelists
• Narrowly defines allowable character sets and encodes everything else
WPL Cross-Site Scripting (XSS) Sanitation
Web Protection Library
Sanitizer Class
“…transforms and filters HTML of executable scripts. A safe
list of tags and attributes are used to strip dangerous scripts
from the HTML. HTML is also normalized where tags are
properly closed and attributes are properly formatted.” [1]
Sanitizer.GetSafeHtml()
Sanitizes an entire HTML document.
Sanitizer.GetSafeHtmlFragment()
Sanitizes a fragment of an HTML document.
UnicodeCharacterEncoder.MarkAsSafe()
Configures the Encoder class with valid ranges of Unicode.
Choose the expected Lower, Lower Middle, Middle, Upper Middle, and Upper ranges from the code chart enumerations:

UnicodeCharacterEncoder.MarkAsSafe(
    LowerCodeCharts.BasicLatin,
    LowerMidCodeCharts.LatinExtendedAdditional,
    MidCodeCharts.MathematicalOperators |
    MidCodeCharts.CurrencySymbols,
    UpperMidCodeCharts.None,
    UpperCodeCharts.None
);
WPL Encoder Class
Encoding Static Methods for Web
• Encoder.CssEncode()
• Encoder.HtmlEncode()
• Encoder.HtmlAttributeEncode()
• Encoder.UrlEncode()
• Encoder.HtmlFormEncode()
• Encoder.JavaScriptEncode()
• Encoder.VisualBasicScriptEncode()
XSS Injection Fixed
HTML Element
<div><%= Encoder.HtmlEncode(
Request.QueryString['message']) %></div>
HTML Attribute
<img alt="<%= Encoder.HtmlAttributeEncode(
Request.QueryString['altTxt'])%>"
src=... />
XSS Injection Fixed Cont.
JavaScript variables / data
<script language="javascript">
function Redirect()
{
    document.location = '<%= Encoder.JavaScriptEncode(
        Request.QueryString["location"]) %>';
}
</script>
Styles Attributes / CSS Files
<DIV STYLE="width: <%= Encoder.CssEncode(
untrustedInput) %>" ... />
ASP.NET 4.0 – Encoding
<div><%= Html.Encode(variableToEncode) %></div>
New Abbreviated Syntax
<div><%: variableToEncode %></div>
Change Default Encoding
<system.web>
    <httpRuntime
        encoderType="AntiXssEncoder, AssemblyName" />
</system.web>
ASP.NET 4.0 – Encoding
<div><%= Server.HtmlEncode(variableToEncode)%></div>
New Abbreviated Syntax
<div><%: variableToEncode %></div>
MVC 3 Razor View Engine
<div>@variableToEncode</div>
Default Encoder Blacklist
Encodes only: & ' " < > and the range 0x0a – 0xFF
* Does NOT completely encode for HTML Attributes, JavaScript, VBScript, URL, or CSS.
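Why the five-character blacklist above is not enough outside an HTML element body, and what the whitelist approach of the WPL Encoder methods (Context Matters, XSS Injection Fixed) looks like in code. This is an added example written in JavaScript, not code from the slides or from the Web Protection Library; the allowed-character sets are assumptions that approximate WPL's behaviour rather than copies of it. `compare()` shows the same untrusted value under the blacklist encoder and under each context-specific whitelist encoder.

```javascript
// Added example, not code from the slides or from the Web Protection Library:
// whitelist output encoders for the five contexts on the "Context Matters"
// slide, next to a blacklist HTML encoder modelled on the five-character list
// of the default ASP.NET encoder. Allowed-character sets are assumptions that
// approximate WPL's behaviour; they are not copied from it.

const SAFE_ALNUM = /^[A-Za-z0-9]$/;

// Blacklist approach: five characters are replaced, everything else passes through.
function blacklistHtmlEncode(input) {
  const map = { '&': '&amp;', "'": '&#39;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  return [...input].map((ch) => (ch in map ? map[ch] : ch)).join('');
}

// Whitelist approach: alphanumerics plus `allowed` pass; every other code point is escaped.
function whitelistEncode(input, allowed, escape) {
  return [...input]
    .map((ch) => (SAFE_ALNUM.test(ch) || allowed.includes(ch) ? ch : escape(ch)))
    .join('');
}

const hex = (ch) => ch.codePointAt(0).toString(16);
const numericEntity = (ch) => `&#${ch.codePointAt(0)};`;

// HTML element body: space and a little punctuation are left alone.
function htmlEncode(input) {
  return whitelistEncode(input, ' ,.-_', numericEntity);
}

// HTML attribute value: space and '=' are encoded too, so the value cannot grow a new attribute.
function htmlAttributeEncode(input) {
  return whitelistEncode(input, ',.-_', numericEntity);
}

// Inside a JavaScript string literal: \xHH / \uHHHH / \u{H...} escapes, never HTML entities.
function javaScriptEncode(input) {
  return whitelistEncode(input, ',._', (ch) => {
    const cp = ch.codePointAt(0);
    if (cp < 0x100) return `\\x${hex(ch).padStart(2, '0')}`;
    if (cp < 0x10000) return `\\u${hex(ch).padStart(4, '0')}`;
    return `\\u{${hex(ch)}}`;
  });
}

// Inside a style value: CSS backslash escapes with a fixed six hex digits.
function cssEncode(input) {
  return whitelistEncode(input, '', (ch) => `\\${hex(ch).padStart(6, '0')}`);
}

// Query-string parameter value: percent-encode the UTF-8 bytes of everything not unreserved.
function urlEncode(input) {
  return whitelistEncode(input, '-._~', (ch) =>
    [...new TextEncoder().encode(ch)]
      .map((b) => `%${b.toString(16).toUpperCase().padStart(2, '0')}`)
      .join(''));
}

// One encoder per injection point named on the "XSS Injection Points" slides.
const ENCODER_FOR_CONTEXT = {
  element: htmlEncode,
  attribute: htmlAttributeEncode,
  javascript: javaScriptEncode,
  css: cssEncode,
  url: urlEncode,
};

// Pick the encoder by output context; an unknown context is an error, not a pass-through.
function encodeFor(context, input) {
  const known = Object.prototype.hasOwnProperty.call(ENCODER_FOR_CONTEXT, context);
  if (!known) throw new Error(`no encoder for output context "${context}"`);
  return ENCODER_FOR_CONTEXT[context](input);
}

// Side-by-side view of one untrusted value under the blacklist and each whitelist encoder.
function compare(input) {
  const out = { blacklist: blacklistHtmlEncode(input) };
  for (const context of Object.keys(ENCODER_FOR_CONTEXT)) out[context] = encodeFor(context, input);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed samples: the slides' error-message payload and an attribute-shaped value.
  console.log(compare("<script>alert('xss');</script>"));
  console.log(compare('x onerror=1'));
}
```

The second sample is the instructive one: the blacklist encoder returns `x onerror=1` unchanged, because neither the space nor `=` is on its list, so inside an unquoted attribute the output still reads as a second attribute; the attribute encoder returns `x&#32;onerror&#61;1`, a single value. The same holds for the URL and CSS contexts, where the blacklist touches nothing at all.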
Replacing Default HttpEncoder
AntiXssEncoder.cs
using System.IO;
using System.Web.Util;
using Microsoft.Security.Application;

// Routes the framework's HtmlEncode / HtmlAttributeEncode calls to the WPL whitelist encoder.
public class AntiXssEncoder : HttpEncoder {
    public AntiXssEncoder() {}

    protected override void HtmlEncode(string value, TextWriter output) {
        output.Write(Encoder.HtmlEncode(value));
    }

    protected override void HtmlAttributeEncode(string value, TextWriter output) {
        output.Write(Encoder.HtmlAttributeEncode(value));
    }
}
web.config
<system.web>
    <httpRuntime
        encoderType="AntiXssEncoder, AssemblyName" />
</system.web>
XSS Exploit Demo
BeEF: Browser Exploitation Framework
Contact
Email
• [email protected]
(put OWASP in the subject)
LinkedIn
• http://www.linkedin.com/in/jmonty
• http://www.twitter.com/j_monty
• http://www.twitter.com/SANSecDotNet
Blog
• http://www.securitythroughabsurdity.com