Appsec

OWASP top 10 Open Web Application Security Project https://owasp.org/ OWASP top 10 - 2013 (Book_ release it!) Injection Broken Authentication and Session Management Cross Site Scripting (XSS) Broken Access Control Security Misconfiguration Sensitive Data Exposure Insufficient Attack Protection Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Underprotected APIs (src: Book_ release it! - Michael Nygard) 2017 added (4) XML External Entities (XXE) covered in (2013.1) OWASP Injection by [[book-release-it-michael-nygard.md|Book_ release it!...

Broken Access Control application problems that allow attackers to access data they shouldn't eg. other user’s data eg. system data like passwords file a) direct object access url probing anti-pattern: database IDs in URLs pattern: unique non-sequential IDs pattern: generic URL that is session sensitive (eg. /users/me) pattern: session-specific mapping from random IDs to real IDs 😞 service must populate all response URLs 😞 links will not persist across sessions (violates REST) authorize access to objects...

session session hijacking anti-pattern: session id in plain text ref: cross site scripting (XSS) session fixation (hacker creates valid session, and tries to get the target to use it) Anti-pattern: authenticating an existing session pattern: generate a new session ID when (re)authenticating session prediction Anti-pattern: session IDs based on user’s own data Anti-pattern: sequential session ids just because a session looks random, does not mean it is random guidelines for handling session IDs !...

a) server-side rendering // Don't do this String queryBox = "<input type='text' value ='" + request.getParameters("search") + "' />"; b) front-end apps 😞 put content straight into DOM without escaping c) admin / customer-service GUIs eg. contact form form submitted with hostile data admin pulls up the record executes on admin’s browser eg. log viewers put hostile data in log string admin uses web log viewer executes on admin’s browser solution...

Cross-Site Request Forgery (CSRF) pattern: use anti-CSRF tokens for requests with side-effects eg. password changes, address changes, purchases pattern: SameSite cookie policy Set-Cookie: SID=...; SameSite=strict 😞not zero-cost -> requires changes in session management approach session “read” cookie: not same-site (GET requests) session “write” cookie: same-site strict (state changing requests) ref: Cross-Site Request Forgery Prevention - OWASP Cheat Sheet (src: Model_ OWASP top 10 Book_ release it! - Michael Nygard)

Injection in general, if a service builds queries by bashing strings together and any of those strings come from a user, that service is vulnerable. A) database (SQL) injection “comes from a user” data from a database may have originated from a user as well B) XML injection OWASP XML External Entities (XXE) (src: Book_ release it! - Michael Nygard)

Insufficient Attack Protection We must always assume that attackers have unlimited access to other machines behind the firewall. pattern: track illegitimate requests by their origin pattern: log bad requests by source principal pattern: use API Gateways to block callers by API key pattern: use API Gateways to throttle request rate by API key (src: Model_ OWASP top 10 Book_ release it! - Michael Nygard)

Security Misconfiguration takes the form of omission default passwords pattern: seek out Admin consoles and change the default password pattern: disable running servers on Base OS images (eg. redis, mongo, postgres, zookeeper, …) anti-pattern: servers listening too broadly anti-pattern: sample applications in production pattern: every admin uses a personal account pattern: log admin & internal calls (src: Model_ OWASP top 10 Book_ release it! - Michael Nygard)

Sensitive Data Exposure All the valuable things people can steal from you or use against you. eg. credit cards, medical records, insurance files, purchasing data, emails pattern: applications request data encryption keys, which are encrypted themselves anti-pattern: don’t leave decryption keys laying around where and attacker could retrieve them (eg. in memory) AWS Cloud: use AWS Key Management Service (KMS) On Premise: HashiCorp Vault anti-pattern: half-heartedly using an encryption tool you picked...

Underprotected APIs pattern: bulkheading to limit the size of hacks pattern: communicate with most secure possbile public-facing API: TLS pattern: configure to reject protocol downgrades pattern: keep root Certificate Authority (CA) files up to date business-to-business: bi-directional certificates pattern: verify with generative testing library that your parser (JSON / XML / …) is hardened against malicious input pattern: fuzz-testing APIs & check failure responses rejects safely (src: Model_ OWASP top 10 [[book-release-it-michael-nygard....