Sunday, July 6, 2014

A10 Unvalidated Redirects and Forwards

If a user is redirected or forwarded to a page defined by an unverified entry, the target URL can be manipulated by an attacker. This attack is used to redirect a user to a malicious website through a website with a trusted domain name or to access an unauthorized internal page.
Impact on Security:
  • Attack on Confidentiality
  • Attack on Integrity
  • Attack on Availability
Detectability   : Easy
Exploitability  : Average
Impact           : Moderate

Possible Mitigation:
  1. Avoid using redirects and forwards.
  2. Don’t involve user parameters in calculating the destination.
  3. If destination parameters can’t be avoided, ensure that the supplied value is valid, and authorized for the user. IT is recommended that any such destination parameters be a mapping value, rather than the actual URL or portion of the URL, and that server side code translate this mapping to the target URL.
  4. Create a whitelist of allowed pages or external sites (blacklists should not be used).

Posted by at No comments:
Labels: , ,

Friday, July 4, 2014

A9 Using Components with Known Vulnerabilities

There are a lots of vulnerabilities discovered everyday and that is a major reason every software gives a patch/updates. Known software vulnerabilities are available to everyone on the Internet. If an attacker knows which components you use, he can retrieve these vulnerabilities and find a way to exploit them.

Impact on Security:
  • Attack on Confidentiality
  • Attack on Integrity
  • Attack on Availability
Detectability    : Difficult
Exploitability   : Average
Impact            : Moderate

Possible Mitigation:
  1. Identify all components and the version you are using including all dependencies.
  2. Monitor the security of these components in public database, project mailing lists, and security mailing lists, and keep them up to date.
  3. Where appropriate, consider adding security wrappers around components to disable unused functionality and/or secure weak or vulnerable aspects of the component.
Posted by at No comments:
Labels: , ,

A8 Cross-Site Request Forgery (CSRF)

CSRF exploits the trust that a site has in a user’s browser.  i.e. In CSRF, attacker creates a forged HTTP request and sends it to the victim’s browser by any means and force user to click on that link. If victim clicks that link, server considers it as a legitimate request and serves that request.
Impact on Security:
  • Attack on Integrity
Detectability   : Easy
Exploitability  : Average
Impact           : Moderate

Possible Mitigation:
  1. Include hte unique token in a hidden field. Prefer to include it in the body of HTTP request instead of including it in URL.
  2. Use CSRF Guard or ESAPI.
  3. Use CAPTCHA to prove they are user.
Posted by at No comments:
Labels: , , ,

Monday, June 30, 2014

A7 Missing Function Level Access Control

In a web application with different user roles, authentication is not enough. Each request must be controlled against user's role to ensure the user is authorized to use the requested function or access the requested page.
Possible Attacks:
  • Privilege Escalation
  • Directory Browising
Impact on Security:
  • Attack on Confidentiality
  • Attack on Integrity
  • Attack on Availability
Exploitability   : Easy
Detectability   : Average
Impact            : Moderate

Possible Mitigation:
  1. Deny all access by default. Check if user has permission to access then allow.
  2. If the function is invoked in a workflow, check to make sure the conditions are in the proper state to allow access.
  3. The enforcement mechanism should deny all access by default, requiring explicit grants to specific roles for access to every function.
Posted by at No comments:
Labels: , ,

Friday, June 27, 2014

A6 Sensitive Data Exposure

Sensitive data deserves extra protection such as encryption at rest or in transit. Failing to do that is known as sensitive data exposure.
Which data needs extra protection?
  • Username & Password
  • Debit/Credit Card Information
  • Personal Data
Possible Attack:
  • At Rest: If data is in rest, i.e. saved in database and strong cryptography is not applied then if any attacker will get access to the database (like using SQLi) he/she can easily see sensitive data.
  • In Transit: If communication is not encrypted, then any attacker can listen it (using Man in the Middle attack / using Packet sniffer) and can see sensitive data.
Impact on Security:
  1. Attack on Confidentiality
Detectability   : Average
Exploitability  : Difficult
Impact           : Severe
How to mitigate:
  1. Don't store sensitive data unnecessarily.
  2. Ensure strong standard algorithm and strong key are used.
  3. Ensure proper key management is in place.
  4. Ensure passwords are stored with an algorithm specially designed for password protection (like bcrypt, PBKDF2, scrypt).
  5. Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
Posted by at No comments:
Labels: , ,

Thursday, June 26, 2014

A5 Security Misconfiguration

Some developer/administrator leaves setting of OS or application on default mode which is not secure at all. Poorly configured security controls could allow malicious user to change your website, obtain unauthorized access, compromise files, or perform other unintended action.
What to configure:
  • OS
  • Web/App Server
  • DBMS
  • Applications
  • Third party framework
Impact on Security:
  1. Attack on Confidentiality
  2. Attack on Integrity
  3. Attack on Availability
Possible Mitigation:
  1. Keep OS updated
  2. Keep third party application up to date.
  3. Change default username and password.
  4. Disable directory listings if they are not necessary, or set access controls.
  5. Delete unnecessary files such as configuration or install file.
  6. Use strong encryption for anything sensitive.

Posted by at No comments:
Labels: , ,

A4 Insecure Direct Object References

Sometime developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check, attackers can manipulate these references to access unauthorized data.
Impact on Security:
  1. Attack on Confidentiality
Detectability   : Easy
Exploitability  : Easy
Impact               : Moderate
How to Prevent:
  1. Use per user or session indirect object reference. (The principle is simple: on server-side, for each direct reference, generate another identifier and use this identifier in your web page instead of the direct reference. The generated identifier can be a random value, a hash value, or a numeric suite. On server side, create a mapping table and map all these indirect references.)
  2. Check access. (Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.)

Posted by at No comments:
Labels: , ,

Tuesday, June 24, 2014

A3 Cross-Site Scripting (XSS)

XSS flaw occurs whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user session, deface websites, or redirect the user to malicious sites.
Types of XSS:
  1. Server Side Attack
    1. Stored XSS / Presistent XSS
    2. Reflected XSS / Non-Persistent XSS
  2. Client Side XSS
    1. Stored XSS / Persistent XSS
    2. Reflected XSS / Non-Persistent XSS
    3. DOM Based XSS 
Possible Attack:
  1. Attacker can access any cookies.
  2. Attacker can hijack user session.
  3. Attacker can retrieve sensitive information retained by browser.
  4. Attacker can rewrite the content of HTML page.
  5. Attacker can redirect user to malicious site.
  6. Attacker can deface website. 
Impacts on Security:
  1. Attack on Confidentiality
  2. Attack on Integrity
Detectibility   : Easy
Exploitability : Average
Impact          : Moderate
How to Prevent:
  1. Turn off HTTP TRACE support on all web server.
  2. Properly escape all untrusted data based on the HTML content (body, attribute, JavaScript, CSS, or URL) that the data will be placed into.
  3. Positive or “White-list” input validation is recommended.
Posted by at No comments:
Labels: , , ,

Monday, June 23, 2014

A2 Broken Authentication and Session Management

 This flaw allow attackers to compromise passwords, keys, or session tokens/IDs to assume other users' identities.

Possible attacks:
  1. Attack on user ID & Password if it is not encrypted in transit or at rest.
  2. If session IDs are exposed in URL, it can be stolen.
  3. Session hijacking & session fixation are possible.
  4. Session ID can be guessed if it is not unique & random.
  5. Session ID must be changed after authentication and should be handled properly.
Impact on Security:
  1. Attack on Confidentiality
  2. Attack on Integrity
  3. Attack on Availability
Detectibility   : Average
Exploitability : Average
Impact          : Severe
How to Prevent:
  1. Use strong encryption algorithm to encrypt data in transit or at rest.
  2. Do not give Session ID in URL.
  3. Change Session ID after login and frequently thereafter.
  4. Give unique & random session ID.
  5. Make strong efforts to avoid XSS flaws which can be used to steal session IDs. 
Posted by at No comments:
Labels: , , ,

Thursday, June 19, 2014

A1 INJECTION

Injection flaw occurs when an interpreter takes data as a query or command and executes it.
Types of Injection:
  1. SQL Injection
  2. LDAP Injection
  3. OS Injection 
1.SQL Injection: In SQL injection, attacker take advantage of badly configured database. i.e. if you pass any data to the database it will take it as a query instead of taking it as a data and it will execute that query to give some result to the end user.
          Taking advantage of SQL injection, any person/attacker can access the database or even in worst condition, he can manipulate or delete data.

Types of SQLi:
  1. Error based SQLi
  2. Blind SQLi
    • Boolean
    • Time Base
Impact of SQLi:
  1. Attack on Confidentiality
  2. Attack on Integrity
  3. Attack on Availability
2.LDAP Injection: In LDAP injection, if application is taking user input to generate any query then attackers take advantage of this to generate their desired LDAP query. A secure Web application should sanitize the parameters introduced by the user before constructing and sending the query to the server. In a vulnerable environment these parameters are not properly filtered and the attacker can inject malicious code.
          LDAP injection attacks are based on similar techniques to SQL injection attacks. 

3.OS Injection: OS injection or OS command injection vulnerability occurs when a developer uses invalidated user controlled parameters to execute operating system commands. OS command injection vulnerabilities allow attackers to run arbitrary commands on the remote server.

Detectability  :  Average
Exploitability  :  Easy
Impact           :  Severe

How to Prevent:
  1. Use a Safe API
  2. Carefully escape special characters using the specific escape syntax.
  3. Implement “White list” input validation.

Posted by at No comments:
Labels: , , , , , ,

Monday, June 16, 2014

OWASP TOP 10 (2013) : An Introduction


Today, web application has become more common in use. Most of the business has been registered there presence on the Internet and the important thing is, most of them are getting noticed by their target users. Users are also feeling comfortable on these websites as they are having a lot of advantage over there. For example, they can save their time and money or they can do research on comparing services or price before opting for any service.

Despite their advantages, web applications do have a number of security concerns which comes from improper coding. Serious weakness or vulnerabilities, allow hackers to gain direct and public access to database. A hacker can quickly access the data residing on the database through a dose of creativity and, with luck, negligence or human error, leading to vulnerabilities in the web applications.

If web applications are not secure, i.e., vulnerable to, at least one of the various forms of hacking techniques, then your entire database of sensitive information is at serious risk. Some hackers, for example, May maliciously inject code within vulnerable web applications to trick users and redirect them towards phishing sites. This technique is called Cross-Site Scripting and may be used even though the web servers and database engine contain no vulnerability themselves.

The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporate, educational organizations, and individuals from around the world. This community works to creates freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Top 10 is a powerful awareness document for web application security. This represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

Following are the top 10 vulnerability categories listed by OWASP in 2013:
        A1 Injection
        A2 Broken Authentication and Session Management
        A3 Cross-Site Scripting (XSS)
        A4 Insecure Direct Object Reference
        A5 Security Misconfiguration
        A6 Sensitive Data Exposure
        A7 Missing Function Level Access Control
        A8 Cross Site Request Forgery
        A9 Using Components with Known Vulnerabilities
        A10 Unvalidated Redirects and Forwards

OWASP also provide ways to mitigate all these risks but they are very generic in nature and you may have to implement your own mitigation technique depending upon your environment like OS, database, application server and programming language.
Posted by at No comments:
Labels: , ,

Thursday, June 12, 2014

The CIA Triad

Let’s have a look at the definition of “Information Security”, given by three different organizations:

"Preservation of confidentiality, integrity and availability of information."
(ISO/IEC 27000:2009)

"Ensures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability)."
(ISACA, 2008)

"The protection of information and information systems, from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability."
(CNSS, 2010)


As we can see, in all three definition given above, three things are common i.e. Confidentiality, Integrity, and Availability. These three properties are known as CIA Triad. 


Confidentiality: Confidentiality refers to limiting information access and disclosure to authorized users and preventing access by or disclosure to unauthorized ones.
          Possible attacks:
Ø Injection
Ø Authentication Bypass
Ø MITM (Man in the Middle)
Ø XSS
Ø Directory Browsing

Risks:
Ø Loss of Privacy
Ø Unauthorized access to information
Ø Identity Theft

Controls:
Ø Encryption
Ø Authentication
Ø Access control

Primary Focus:
Ø Information Security

Integrity: Integrity of information refers to protecting information from being modified by unauthorized users.

Possible attacks:
Ø Injection
Ø Authentication Bypass
Ø MITM (Man in the Middle)
Ø CSRF

Risks:
Ø Loss of Accuracy
Ø Loss of Reliability
Ø Fraud

Controls:
Ø Digital Signature
Ø Maker/Checker
Ø Audit Logs

Primary Focus:
Ø Operational Controls

Availability: Availability of information refers to ensuring that authorized users are able to access the information when needed.

Possible attacks:
Ø Injection
Ø DoS (Denial of Service)
Ø DDoS (Distributed Denial of Service)

Risks:
Ø Business disruption
Ø Loss of customer confidence
Ø Loss of Revenue

Controls:
Ø Back-up storage
Ø Sufficient capacity
Ø BCP Plans and Tests

Primary Focus:
Ø Business continuity planning

Posted by at No comments:
Labels: , ,
Subscribe to: Posts (Atom)