This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Top 10-2017 A3-Sensitive Data Exposure"

From OWASP
Jump to: navigation, search
(Moved page back to page to content of 2013-A5 as a reference to compare changes)
m (Editorial changes e.g. added a link)
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
{{Top_10_2013:TopTemplate
 
{{Top_10_2013:TopTemplate
     |usenext=2013NextLink
+
     |useprev=2017PrevLink
     |next=A6-{{Top_10_2010:ByTheNumbers
+
     |prev=A2-{{Top_10_2010:ByTheNumbers
              |6
+
        |2
              |year=2017
+
        |year=2017
              |language=en}}
+
        |language=en
     |useprev=2013PrevLink
+
    }}
     |prev=A4-{{Top_10_2010:ByTheNumbers
+
     |usenext=2017NextLink
              |4
+
     |next=A4-{{Top_10_2010:ByTheNumbers
              |year=2017
+
        |4
              |language=en}}
+
        |year=2017
 +
        |language=en
 +
    }}
 
     |year=2017
 
     |year=2017
 
     |language=en
 
     |language=en
 
}}
 
}}
 
+
<!--- 2017 Sensitive Data Exposure --->
 
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2017|language=en}}
 
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2017|language=en}}
{{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=1|impact=2|year=2017|language=en}}
+
{{Top_10-2017:SummaryTableTemplate|exploitability=2 |prevalence=3 |detectability=2 |impact=3 |year=2017|language=en}}
 
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2017}}
 
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2017}}
    <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
+
    <td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}>
Consider anonymous external attackers as well as users with their own accounts that may attempt to compromise the system. Also consider insiders wanting to disguise their actions.
+
<!--- Threat Agent: --->
</td>
+
Rather than directly attacking crypto, attackers steal keys, execute man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s client, e.g. browser. A manual attack is generally required. Previously retrieved password databases could be brute forced by Graphics Processing Units (GPUs). </td>
    <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
+
    <td colspan=2  {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}>
Attacker accesses default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.
+
<!--- Security Weakness: --->
 
+
Over the last few years, this has been the most common impactful attack. The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm, protocol and cipher usage is common, particularly for weak password hashing storage techniques. For data in transit, server side weaknesses are mainly easy to detect, but hard for data at rest. </td>
</td>
+
    <td colspan=2  {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}>
    <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
+
<!--- Impacts: --->
Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
+
Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive personal information (PII) data such as health records, credentials, personal data, and credit cards, which often require protection as defined by laws or regulations such as the EU GDPR or local privacy laws. </td>
 
 
</td>
 
    <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
 
The system could be completely compromised without you knowing it. All of your data could be stolen or modified slowly over time.
 
 
 
Recovery costs could be expensive
 
 
 
</td>
 
    <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
 
The system could be completely compromised without you knowing it. All your data could be stolen or modified slowly over time.
 
 
 
Recovery costs could be expensive.</td>
 
 
{{Top_10_2010:SummaryTableEndTemplate|year=2017}}
 
{{Top_10_2010:SummaryTableEndTemplate|year=2017}}
  
{{Top_10:SubsectionTableBeginTemplate|type=main|year=2017}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=5|year=2017|language=en}}
+
{{Top_10:SubsectionTableBeginTemplate|type=main}}
Is your application missing the proper security hardening across any part of the application stack? Including:
+
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=isTheApplicationVulnerable|position=firstLeft|year=2017|language=en}}
# Is any of your software out of date? This includes the OS, Web/App Server, DBMS, applications, and all code libraries (see new A9).
+
The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information and business secrets require extra protection, particularly if that data falls under privacy laws, e.g. EU's General Data Protection Regulation (GDPR), or regulations, e.g. financial data protection such as PCI Data Security Standard (PCI DSS). For all such data:
# Are any unnecessary features enabled or installed (e.g., ports, services, pages, accounts, privileges)?
+
* Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, and FTP. External internet traffic is especially dangerous. Verify all internal traffic e.g. between load balancers, web servers, or back-end systems.
# Are default accounts and their passwords still enabled and unchanged?
+
* Are any old or weak cryptographic algorithms used either by default or in older code?  
# Does your error handling reveal stack traces or other overly informative error messages to users?
+
* Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing?
# Are the security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries not set to secure values?
+
* Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing?
 
+
* Does the user agent (e.g. app, mail client) not verify if the received server certificate is valid?
Without a concerted, repeatable application security configuration process, systems are at a higher risk.
+
See ASVS <u>[[ASVS_V7_Cryptography|Crypto (V7)]]</u>, <u>[[ASVS_V9_Data_Protection|Data Protection (V9)]]</u> and <u>[[ASVS_V10_Communications|SSL/TLS (V10)]]</u>.
  
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=5|year=2017|language=en}}
+
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howToPrevent|position=right|year=2017|language=en}}
The primary recommendations are to establish all of the following:
+
Do the following, at a minimum, and consult the references:
# A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically (with different passwords used in each environment). This process should be automated to minimize the effort required to setup a new secure environment.
+
* Classify data processed, stored or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
# A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment. This needs to include '''all code libraries as well (see new A9)'''.
+
* Apply controls as per the classification.
# A strong application architecture that provides effective, secure separation between components.
+
* Don't store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.
# Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.
+
* Make sure to encrypt all sensitive data at rest.
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=5|year=2017|language=en}}
+
* Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
'''Scenario #1:''' The app server admin console is automatically installed and not removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.
+
* Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (<u>[[HTTP_Strict_Transport_Security_Cheat_Sheet|HSTS]]</u>).
 +
* Disable caching for response that contain sensitive data.
 +
* Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as <u>[https://www.cryptolux.org/index.php/Argon2 Argon2]</u>, <u>[https://wikipedia.org/wiki/Scrypt scrypt]</u>, <u>[https://wikipedia.org/wiki/Bcrypt bcrypt]</u> or <u>[https://wikipedia.org/wiki/PBKDF2 PBKDF2]</u>.
 +
* Verify independently the effectiveness of configuration and settings.
  
'''Scenario #2:''' Directory listing is not disabled on your server. Attacker discovers she can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which she decompiles and reverse engineers to get all your custom code. She then finds a serious access control flaw in your application.
+
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=exampleAttackScenarios|position=left|year=2017|language=en}}
 +
<b>Scenario #1</b>: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. 
  
'''Scenario #3:''' App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love the extra information error messages provide.
+
<b>Scenario #2</b>: A site doesn't use or enforce TLS for all pages or supports weak encryption. An attacker monitors network traffic  (e.g. at an insecure wireless network), downgrades connections from HTTPS to HTTP, intercepts requests, and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above they could alter all transported data, e.g. the recipient of a money transfer.
  
'''Scenario #4:''' App server comes with sample applications that are not removed from your production server. Said sample applications have well known security flaws attackers can use to compromise your server.
+
<b>Scenario #3</b>: The password database uses unsalted or simple hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database. All the unsalted hashes can be exposed with a rainbow table of pre-calculated hashes. Hashes generated by simple or fast hash functions may be cracked by GPUs, even if they were salted.
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2017|language=en}}
 
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
 
* [https://www.owasp.org/index.php/Configuration  OWASP Development Guide: Chapter on Configuration]
 
* [https://www.owasp.org/index.php/Error_Handling  OWASP Code Review Guide: Chapter on Error Handling]
 
* [https://www.owasp.org/index.php/Testing_for_configuration_management  OWASP Testing Guide: Configuration Management]
 
* [https://www.owasp.org/index.php/Testing_for_Error_Code_(OWASP-IG-006)  OWASP Testing Guide: Testing for Error Codes]
 
* [https://www.owasp.org/index.php/A10_2004_Insecure_Configuration_Management  OWASP Top 10 2004 - Insecure Configuration Management ]
 
  
For additional requirements in this area, see the [https://www.owasp.org/index.php/ASVS  ASVS requirements area for Security Configuration (V12)].
+
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|year=2017|language=en}}
 +
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate|year=2017|language=en}}
 +
* <u>[[OWASP_Proactive_Controls#7:_Protect_Data|OWASP Proactive Controls: Protect Data]]</u>
 +
* <u>[[:Category:OWASP_Application_Security_Verification_Standard_Project|OWASP Application Security Verification Standard]]</u> (<u>[[ASVS_V7_Cryptography|V7]]</u>, <u>[[ASVS_V9_Data_Protection|9]]</u>, <u>[[ASVS_V10_Communications|10]]</u>)
 +
* <u>[[Transport_Layer_Protection_Cheat_Sheet|OWASP Cheat Sheet: Transport Layer Protection]]</u>
 +
* <u>[[User_Privacy_Protection_Cheat_Sheet|OWASP Cheat Sheet: User Privacy Protection]]</u>
 +
* <u>[[Password_Storage_Cheat_Sheet|OWASP Cheat Sheet: Password]]</u> and <u>[[Cryptographic_Storage_Cheat_Sheet|Cryptographic Storage]]</u>
 +
* <u>[[OWASP_Secure_Headers_Project|OWASP Security Headers Project]]</u>
 +
* <u>[[HTTP_Strict_Transport_Security_Cheat_Sheet|OWASP Cheat Sheet: HSTS]]</u>
 +
* <u>[[Testing_for_weak_Cryptography|OWASP Testing Guide: Testing for weak cryptography]]</u>
  
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}
+
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|year=2017|language=en}}
* [http://www.pcmag.com/article2/0,2817,11525,00.asp  PC Magazine Article on Web Server Hardening]
+
* <u>[https://cwe.mitre.org/data/definitions/220.html CWE-220: Exposure of sens. information through data queries]</u>
* [http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]
+
* <u>[https://cwe.mitre.org/data/definitions/310.html CWE-310: Cryptographic Issues]</u>
* [http://benchmarks.cisecurity.org/downloads/benchmarks/ CIS Security Configuration Guides/Benchmarks]
+
* <u>[https://cwe.mitre.org/data/definitions/311.html CWE-311: Missing Encryption]</u>
 +
* <u>[https://cwe.mitre.org/data/definitions/312.html CWE-312: Cleartext Storage of Sensitive Information]</u>
 +
* <u>[https://cwe.mitre.org/data/definitions/319.html CWE-319: Cleartext Transmission of Sensitive Information]</u>
 +
* <u>[https://cwe.mitre.org/data/definitions/326.html CWE-326: Weak Encryption]</u>
 +
* <u>[https://cwe.mitre.org/data/definitions/327.html CWE-327: Broken/Risky Crypto]</u>
 +
* <u>[https://cwe.mitre.org/data/definitions/359.html CWE-359: Exposure of Private Information (Privacy Violation)]</u>
  
 
{{Top_10_2013:BottomAdvancedTemplate
 
{{Top_10_2013:BottomAdvancedTemplate
     |type={{Top_10_2010:StyleTemplate}}
+
     |type=box
     |usenext=2013NextLink
+
     |useprev=2017PrevLink
     |next=A6-{{Top_10_2010:ByTheNumbers
+
     |prev=A2-{{Top_10_2010:ByTheNumbers
              |6
+
        |2
              |year=2017
+
        |year=2017
              |language=en}}
+
        |language=en
     |useprev=2013PrevLink
+
    }}
     |prev=A4-{{Top_10_2010:ByTheNumbers
+
     |usenext=2017NextLink
              |4
+
     |next=A4-{{Top_10_2010:ByTheNumbers
              |year=2017
+
        |4
              |language=en}}
+
        |year=2017
 +
        |language=en
 +
    }}
 
     |year=2017
 
     |year=2017
 
     |language=en
 
     |language=en
 
}}
 
}}
 +
 +
<!-- [[Category:OWASP Top Ten Project]] -->

Latest revision as of 16:30, 1 January 2018

← A2-Broken Authentication
2017 Table of Contents

PDF version

A4-XML External Entities (XXE) →
Threat Agents / Attack Vectors Security Weakness Impacts
App Specific Exploitability: 2
 Prevalence: 3
 Detectability: 2
 Technical: 3
 Business ?
Rather than directly attacking crypto, attackers steal keys, execute man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s client, e.g. browser. A manual attack is generally required. Previously retrieved password databases could be brute forced by Graphics Processing Units (GPUs). Over the last few years, this has been the most common impactful attack. The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm, protocol and cipher usage is common, particularly for weak password hashing storage techniques. For data in transit, server side weaknesses are mainly easy to detect, but hard for data at rest. Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive personal information (PII) data such as health records, credentials, personal data, and credit cards, which often require protection as defined by laws or regulations such as the EU GDPR or local privacy laws.
Is the Application Vulnerable?

The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information and business secrets require extra protection, particularly if that data falls under privacy laws, e.g. EU's General Data Protection Regulation (GDPR), or regulations, e.g. financial data protection such as PCI Data Security Standard (PCI DSS). For all such data:

  • Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, and FTP. External internet traffic is especially dangerous. Verify all internal traffic e.g. between load balancers, web servers, or back-end systems.
  • Are any old or weak cryptographic algorithms used either by default or in older code?
  • Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing?
  • Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing?
  • Does the user agent (e.g. app, mail client) not verify if the received server certificate is valid?

See ASVS Crypto (V7), Data Protection (V9) and SSL/TLS (V10).

How to Prevent

Do the following, at a minimum, and consult the references:

  • Classify data processed, stored or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
  • Apply controls as per the classification.
  • Don't store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.
  • Make sure to encrypt all sensitive data at rest.
  • Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
  • Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (HSTS).
  • Disable caching for response that contain sensitive data.
  • Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2.
  • Verify independently the effectiveness of configuration and settings.
Example Attack Scenarios

Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. 

Scenario #2: A site doesn't use or enforce TLS for all pages or supports weak encryption. An attacker monitors network traffic (e.g. at an insecure wireless network), downgrades connections from HTTPS to HTTP, intercepts requests, and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above they could alter all transported data, e.g. the recipient of a money transfer.

Scenario #3: The password database uses unsalted or simple hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database. All the unsalted hashes can be exposed with a rainbow table of pre-calculated hashes. Hashes generated by simple or fast hash functions may be cracked by GPUs, even if they were salted.

References

OWASP

External

← A2-Broken Authentication
2017 Table of Contents

PDF version

A4-XML External Entities (XXE) →
© 2002-2017 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png
Retrieved from "https://wiki.owasp.org/index.php?title=Top_10-2017_A3-Sensitive_Data_Exposure&oldid=236483"