Summary

This document provides an overview of web application security, focusing on the OWASP Top 10 security risks. It explains each risk and provides mitigation strategies. The document emphasizes the importance of proactive security measures to prevent threats.

Full Transcript

CSF-403 Advanced Web Applications Security, Unit II
Aditya Rajesh More

OWASP

The Open Worldwide Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software and web application security. OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2021 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations.

Advanced Web Applications Security Unit II - by Aditya More

What is the OWASP Top 10?

The OWASP Top 10 is a regularly updated report outlining security concerns for web application security, focusing on the 10 most critical risks. The report is put together by a team of security experts from all over the world. OWASP refers to the Top 10 as an "awareness document" and recommends that all companies incorporate the report into their processes in order to minimize and/or mitigate security risks.

OWASP Top 10

1. Broken Access Control (A01:2021)
Explanation: Exploitable flaws that allow unauthorized access to sensitive data, functionality, or systems. Imagine a user with regular access accidentally gaining administrator privileges due to a security lapse.
Mitigation: Implement proper access control mechanisms based on user roles and permissions. Regularly review and audit access controls to ensure they remain effective.

2. Cryptographic Failures (A02:2021)
Explanation: Weak encryption algorithms, insecure key management, or improper use of cryptography can expose data or compromise application security. Think of using a simple lock on a treasure chest, making it easy for someone to steal the valuables.
Mitigation: Use strong encryption algorithms and industry-standard key management practices. Regularly rotate cryptographic keys to maintain security.

3. Injection (A03:2021)
Explanation: Malicious code is injected into user inputs, manipulating the application's logic or stealing data. Imagine a hacker injecting code into a login form to bypass security and steal user credentials.
Mitigation: Implement robust data validation to sanitize user inputs and prevent them from containing malicious code. Use parameterized queries or stored procedures to prevent SQL injection attacks.

4. Insecure Design (A04:2021)
Explanation: Fundamental security flaws built into the application design can leave it vulnerable to various attacks. Think of building a house with weak foundations, making it susceptible to collapse.
Mitigation: Implement secure coding practices throughout the development lifecycle. Conduct security reviews during the design and development phases to identify and address potential vulnerabilities.

5. Security Misconfiguration (A05:2021)
Explanation: Improper security settings, default configurations, or disabled security features can weaken an application's defenses. Imagine having a firewall but leaving it turned off, exposing your network to threats.
Mitigation: Follow security best practices when configuring security features. Regularly review and update security configurations to address new vulnerabilities.

6. Vulnerable and Outdated Components (A06:2021)
Explanation: Using components with known vulnerabilities or failing to update them promptly exposes applications to exploits. Imagine using a library with a known security hole, making your application vulnerable to attack.
Mitigation: Implement dependency management to track used components and versions.
Use tools to identify known vulnerabilities in dependencies. Regularly update components and patch vulnerabilities promptly.

7. Identification and Authentication Failures (A07:2021)
Explanation: Weak authentication mechanisms (e.g., simple passwords) or authorization controls allow unauthorized access. This could involve easily guessable passwords or lack of multi-factor authentication.
Mitigation: Enforce strong password policies with complexity requirements and regular rotation. Implement multi-factor authentication for sensitive actions. Use secure session management techniques and validate user sessions.

8. Software and Data Integrity Failures (A08:2021)
Explanation: The application lacks mechanisms to ensure the integrity of data or code, allowing for potential manipulation. Imagine a system where data can be tampered with without detection, leading to incorrect results or stolen information.
Mitigation: Implement robust data validation to ensure user inputs are as expected and sanitize them to prevent unexpected behavior. Utilize strong hashing algorithms to verify data integrity.

9. Security Logging and Monitoring Failures (A09:2021)
Explanation: The application doesn't adequately log security events or monitor for suspicious activity, hindering attack detection and response. Imagine a house with no security cameras or alarms, making it difficult to detect a break-in.
Mitigation: Implement a SIEM solution to centralize security logs from various sources. Utilize log analysis tools to identify suspicious patterns and potential breaches. Deploy intrusion detection systems (IDS) to monitor network traffic for signs of malicious activity.

10. Server-Side Request Forgery (SSRF) (A10:2021)
Explanation: Attackers exploit vulnerabilities to trick the server into making unauthorized requests to internal systems or external resources. Imagine a hacker manipulating a web application to steal sensitive data from the server's internal database.
Mitigation: Implement strict input validation to sanitize user-provided URLs and prevent them from accessing unauthorized resources. Enforce resource access control on the server side to restrict what the application can access. Consider using firewalls to further restrict outbound traffic from the server.

OWASP Top 10: Scenarios for understanding

1. Broken Access Control (A01:2021)
Scenario: An online banking application accidentally grants a regular customer full administrator access due to a coding error. This allows the customer to see and modify other users' accounts, potentially leading to financial theft.
Explanation: Broken access control means unauthorized users can access sensitive information or functionalities they shouldn't have permission for. Imagine a fancy apartment building where someone can bypass security and access other apartments.

2. Cryptographic Failures (A02:2021)
Scenario: An e-commerce website stores customer credit card information using a weak encryption algorithm. Hackers exploit this weakness to steal credit card details, leading to financial losses for customers.
Explanation: Cryptographic failures occur when data encryption is weak or key management practices are poor. It's like using a simple lock on your treasure chest, making it easy for someone to steal the valuables inside.

3. Injection (A03:2021)
Scenario: A social media platform has a vulnerability in its search function.
Hackers inject malicious code into a search query, allowing them to steal user login credentials or take control of user accounts.
Explanation: Injection attacks involve inserting malicious code into user inputs to manipulate the application. Imagine a prankster writing weird instructions (like adding soap instead of sugar) into a bakery's cake order form, ruining the final product.

4. Insecure Design (A04:2021)
Scenario: A mobile app for financial transactions lacks proper input validation. Hackers can exploit this flaw to send invalid but high transaction amounts, potentially causing unauthorized money transfers.
Explanation: Insecure design flaws are built into the core of the application from the beginning. Imagine building a house on sand: it might look pretty, but it's structurally weak and vulnerable to collapse.

5. Security Misconfiguration (A05:2021)
Scenario: A web server has a security feature like a firewall turned off by default. Hackers discover this misconfiguration and launch attacks on the server, compromising sensitive data.
Explanation: Security misconfiguration happens when security features are either disabled or not set up correctly. Imagine having a home security system with a fancy alarm but leaving the back door unlocked.

6. Vulnerable and Outdated Components (A06:2021)
Scenario: A popular online forum uses a third-party library with a known security vulnerability. Hackers exploit this vulnerability to inject malicious code into the forum, potentially stealing user data or launching further attacks.
Explanation: Using outdated or vulnerable components is like using building materials with known cracks: they become weak points that attackers can exploit.

7. Identification and Authentication Failures (A07:2021)
Scenario: An online gaming platform allows users to set weak passwords with minimal complexity requirements. Hackers use brute-force attacks to guess passwords and gain access to user accounts, potentially stealing virtual items or in-game currency.
Explanation: Weak authentication mechanisms make it easier for attackers to gain unauthorized access. Imagine a club with a bouncer who lets anyone with a specific colored shirt in, regardless of whether they're on the guest list.

8. Software and Data Integrity Failures (A08:2021)
Scenario: A healthcare provider's system lacks proper data integrity checks. Hackers can tamper with patient medical records undetected, potentially leading to incorrect diagnoses or stolen personal information.
Explanation: Data integrity failures occur when the application can't guarantee the information it stores or uses hasn't been tampered with. Imagine a library where anyone can rewrite the information on book labels, causing confusion and making it difficult to find the right book.

9. Security Logging and Monitoring Failures (A09:2021)
Scenario: A company's network lacks proper security logging and monitoring. Hackers launch a cyberattack that goes unnoticed for weeks, allowing them to steal sensitive data before it's detected.
Explanation: Without proper logging and monitoring, it's difficult to detect suspicious activity or security incidents. Imagine a house with no security cameras or alarms: a break-in might happen without anyone noticing.

10. Server-Side Request Forgery (SSRF) (A10:2021)
Scenario: An e-commerce website has an SSRF vulnerability. Hackers exploit this to trick the server into sending unauthorized requests to the company's internal database, potentially stealing customer credit card information.
Explanation: SSRF vulnerabilities allow attackers to manipulate a server into making unauthorized requests. Imagine a personal assistant who can order anything you tell them, but in this case a hacker is giving the orders, forcing the server to fetch sensitive data.

Importance of Web Security

Web security typically does not consist of a single solution. Rather, it is many tools working together, all of which need to be configured, managed, updated and patched. An advanced persistent threat is difficult for administrators to detect. It is also extremely difficult to contain because it creates backdoors and spreads across the network, which makes it almost impossible to eradicate completely. Web security must be able to proactively find and contain these threats before they spread.

Cybersecurity infrastructure is not the only way to keep your organization safe. Simple strategies are also effective for stopping threats. Make sure that users learn these strategies so they don't unintentionally expose data or become an easy target for attackers.

Importance of Web Security: Common web security strategies

Strong passwords. Users should be required to create complex passwords and frequently change them. Strong passwords reduce an attacker's window of opportunity after a phishing attack or when credentials are stolen.

Multifactor authentication (MFA). An MFA system adds an extra layer of security. It works by sending a personal identification number (PIN) to a user's smartphone or email during the authentication process. Without the PIN an attacker cannot authenticate.

Virtual private network (VPN). Every remote worker should connect to the internal network through a virtual private network. A VPN encrypts traffic between devices and the network to keep data safe from man-in-the-middle attacks.

Security awareness.
Most data breaches are caused by human error. Every organization should have a program that teaches users how to identify common cyber attacks.

Web application security vs. Network security

Aspect: Definition
  Web Application Security: Protection of web applications from vulnerabilities and attacks
  Network Security: Protection of networks and their devices from unauthorized access and attacks

Aspect: Primary Focus Areas
  Web Application Security: Application logic, input validation, session management, authentication, and authorization
  Network Security: Network topology, protocol analysis, traffic monitoring, and device configuration

Aspect: Common Threats
  Web Application Security: SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Remote Code Execution (RCE), session hijacking
  Network Security: Distributed Denial of Service (DDoS), Man-in-the-Middle (MitM) attacks, packet sniffing, IP spoofing, port scanning

Aspect: Key Tools and Technologies
  Web Application Security: Web Application Firewalls (WAF), Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Runtime Application Self-Protection (RASP), Content Security Policy (CSP)
  Network Security: Firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Virtual Private Networks (VPN), Secure Sockets Layer (SSL)/Transport Layer Security (TLS), Network Access Control (NAC)

Aspect: Security Techniques
  Web Application Security: Code review, input validation, parameterized queries, secure session management, HTTPS, OAuth, JWT (JSON Web Tokens)
  Network Security: Network segmentation, subnetting, use of demilitarized zones (DMZ), encryption (IPSec, SSL/TLS), multi-factor authentication (MFA), security policies (ACLs, VLANs)

Aspect: Attack Vectors
  Web Application Security: HTTP/S requests, API calls, user input fields, cookies, form submissions
  Network Security: IP packets, open ports, unpatched network devices, network protocols (e.g., TCP/IP, UDP)

Aspect: Preventive Measures
  Web Application Security: Secure coding practices, regular vulnerability assessments, security patch management, application layer encryption, implementing Content Security Policy (CSP), Cross-Origin Resource Sharing (CORS)
  Network Security: Regular network scans, applying security patches, implementing strong firewall rules, traffic analysis and anomaly detection, using encrypted communication channels

Aspect: Relevant Standards and Guidelines
  Web Application Security: OWASP Top Ten, PCI DSS, NIST SP 800-53 (for web apps), SANS CWE Top 25
  Network Security: ISO/IEC 27001, NIST SP 800-53 (for networks), CIS Controls, ITU-T Recommendations

Aspect: Monitoring and Detection
  Web Application Security: Application Performance Monitoring (APM), Security Information and Event Management (SIEM) for web logs, real-time user activity monitoring, anomaly detection in application behavior
  Network Security: Network traffic analysis, anomaly detection systems, SIEM for network logs, flow-based monitoring (e.g., NetFlow, sFlow), Deep Packet Inspection (DPI)

Aspect: Typical Attack Consequences
  Web Application Security: Data exfiltration, unauthorized access to sensitive data, account takeover, loss of data integrity, downtime, compliance violations
  Network Security: Network outages, interception of sensitive data, lateral movement within the network, loss of control over network devices, data breaches affecting multiple systems

HTTP request-response

An HTTP (Hypertext Transfer Protocol) request is a fundamental part of web communications, forming the basis of data exchange on the internet. It's a protocol used for fetching resources, such as HTML documents, images, and other files, from web servers. The communication between a client (like a web browser) and a server occurs through these HTTP requests.
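The request-response exchange just described is what a web server's access log records, so the log analysis called for in the A09 mitigation and the brute-force password guessing of the A07 scenario can be illustrated together. The following is an added example, not code from the slides: it parses constructed access-log lines in the common Apache/nginx combined layout and flags any source address with five or more failed login POSTs inside a one-minute sliding window; the login path, threshold, window and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined access-log layout (Apache/nginx): ip ident user [time] "req" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields needed from one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def detect_bruteforce(lines, login_path="/login", threshold=5, window_seconds=60):
    """Map source IP -> largest number of failed logins (POST to login_path
    answered 401/403) seen inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped here, never silently trusted
        if ev["method"] == "POST" and ev["path"] == login_path and ev["status"] in (401, 403):
            failures[ev["ip"]].append(ev["ts"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts


# Constructed sample (TEST-NET addresses): six failures from one source in under
# a minute, one slow guesser who then succeeds, a page view and an unparseable line.
UA = '"-" "Mozilla/5.0"'
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2024:13:55:{s} +0000] "POST /login HTTP/1.1" 401 512 {UA}'
    for s in ("36", "41", "47", "52", "58")
] + [
    f'203.0.113.7 - - [10/Oct/2024:13:56:03 +0000] "POST /login HTTP/1.1" 401 512 {UA}',
    f'198.51.100.2 - - [10/Oct/2024:13:55:40 +0000] "POST /login HTTP/1.1" 401 512 {UA}',
    f'198.51.100.2 - - [10/Oct/2024:13:58:00 +0000] "POST /login HTTP/1.1" 401 512 {UA}',
    f'198.51.100.2 - - [10/Oct/2024:13:58:30 +0000] "POST /login HTTP/1.1" 302 0 {UA}',
    f'203.0.113.7 - - [10/Oct/2024:13:56:10 +0000] "GET /index.html HTTP/1.1" 200 1024 {UA}',
    "this line is not an access log entry",
]

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

In a SIEM the same logic runs continuously over centralized logs; the sliding window matters because a patient attacker who spaces out attempts stays below a fixed-minute bucket count.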
Request Line: An HTTP request starts with a request line, which includes the following:
Method: This indicates the action to be performed on the resource. Common methods include GET (retrieve a resource), POST (submit data to the server), PUT (update a resource), DELETE (remove a resource), and others.
Request URL: The URL of the resource being requested.
HTTP Version: The version of the HTTP protocol being used.

After the request line:
1. Request Headers: Following the request line are headers, which provide additional information about the request. This can include details about the client's browser, the types of responses that the client will accept, cookies, and more.
2. Blank Line: A blank line indicates the end of the headers section.
3. Request Body (Optional): Not all requests have a body. Bodies are typically included in POST or PUT requests, where you're sending data to the server (like form inputs or file uploads). The body contains the data being sent.

The structure of HTTP requests (slide diagram, not reproduced in the transcript)

HTTP methods

GET: Used to request data from a specified resource. It retrieves information without altering the server's state.
POST: Used to send data to the server to create or update a resource. The server processes the data included in the body of the request.
PUT: Used to update a resource or create a new resource if it does not exist, with the data included in the body of the request. The example request on the slide updates the user with ID 123, or creates a new user if the ID does not exist, with the provided JSON data.
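As an added example (not code from the slides), the following Python splits a raw request into exactly the parts listed above, the request line, the headers, the blank line and the optional body, and rejects a request whose Content-Length disagrees with the body it carries. The sample PUT to /users/123 with a JSON body is constructed to match the slide's description; the host name is made up.

```python
import json
from dataclasses import dataclass, field

# Methods the slides describe; anything else is rejected before routing.
KNOWN_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE", "PATCH"}


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Split at the blank line that ends the headers, then parse each part."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed request: no blank line ending the headers")
    lines = head.decode("ascii").split("\r\n")

    # Request line: method, request target and HTTP version, space-separated.
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    if method not in KNOWN_METHODS:
        raise ValueError(f"unsupported method: {method}")
    if not version.startswith("HTTP/"):
        raise ValueError(f"bad HTTP version: {version}")

    # Headers: one "Name: value" per line; names are case-insensitive.
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()

    # Body: exactly Content-Length bytes. A mismatch is rejected rather than
    # guessed at, so the application and any proxy agree where the request ends.
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} != body length {len(body)}")
    return HttpRequest(method, target, version, headers, body)


# Constructed PUT request matching the slide's "update user 123" example.
_BODY = b'{"name": "Alice", "age": 30}'
SAMPLE_PUT = (
    b"PUT /users/123 HTTP/1.1\r\n"
    b"Host: api.example.test\r\n"
    b"Content-Type: application/json\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_BODY)
    + _BODY
)


def describe(raw: bytes) -> tuple:
    """Parse raw bytes and return (method, target, decoded JSON body or None)."""
    req = parse_request(raw)
    return req.method, req.target, (json.loads(req.body) if req.body else None)
```

Running `describe(SAMPLE_PUT)` yields `('PUT', '/users/123', {'name': 'Alice', 'age': 30})`; a GET with no body parses with an empty body because Content-Length defaults to 0.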
DELETE: Used to remove a specified resource from the server. The example request on the slide asks the server to delete the user with ID 123.
HEAD: Similar to GET, but it requests only the headers without the response body. Useful for checking resource metadata. The example request retrieves only the headers of the "index.html" page, such as the Content-Type and Content-Length, without the actual page content.
OPTIONS: Used to describe the communication options for the target resource, revealing which methods are supported. The example request asks the server to list the HTTP methods available for the "index.html" resource.
TRACE: Used for diagnostic purposes. It echoes back the received request, allowing the client to see what changes or additions have been made by intermediate servers. The example request is sent to test the path to the "index.html" resource, returning the exact request that was sent.
PATCH: Used to apply partial modifications to a resource, allowing updates to specific fields without sending the entire resource. The example request updates only the "age" field of the user with ID 123 to 31.
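As an added example (not code from the slides), here is a minimal handler for the methods described above, PUT, PATCH, DELETE, HEAD, OPTIONS and TRACE, over a users table in an in-memory SQLite database. It also shows the A03 mitigation from the Top 10 section, parameterized queries: the user id taken from the request path and every field value are bound through "?" placeholders, never spliced into SQL text. The /users/<id> route, the two columns and the status codes are assumptions.

```python
import json
import re
import sqlite3

ALLOWED = ("GET", "HEAD", "PUT", "PATCH", "DELETE", "OPTIONS")
USER_PATH = re.compile(r"^/users/(\d+)$")   # assumed route shape
PATCHABLE = {"name", "age"}                 # the only columns a PATCH may change


def new_store():
    """In-memory users table standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)")
    return db


def get_user(db, uid):
    # The id is bound as a parameter, never spliced into the SQL text (A03).
    row = db.execute("SELECT id, name, age FROM users WHERE id = ?", (uid,)).fetchone()
    return None if row is None else {"id": row[0], "name": row[1], "age": row[2]}


def handle(db, method, path, body=b""):
    """Return (status, headers, body) for one request, per the slides' method semantics."""
    allow = {"Allow": ", ".join(ALLOWED)}
    if method == "TRACE":
        # Echoing the request back is a diagnostic this application server does
        # not offer; it is refused like any other unsupported method.
        return 405, allow, b""
    m = USER_PATH.match(path)
    if not m:
        return 404, {}, b""
    uid = int(m.group(1))
    if method == "OPTIONS":
        return 204, allow, b""
    if method in ("GET", "HEAD"):
        user = get_user(db, uid)
        if user is None:
            return 404, {}, b""
        payload = json.dumps(user).encode()
        headers = {"Content-Type": "application/json", "Content-Length": str(len(payload))}
        return 200, headers, (b"" if method == "HEAD" else payload)  # HEAD: headers only
    if method == "PUT":
        data = json.loads(body)
        created = get_user(db, uid) is None
        db.execute("INSERT OR REPLACE INTO users (id, name, age) VALUES (?, ?, ?)",
                   (uid, data["name"], int(data["age"])))
        return (201 if created else 200), {}, b""
    if method == "PATCH":
        data = json.loads(body)
        if get_user(db, uid) is None:
            return 404, {}, b""
        if not data or not set(data) <= PATCHABLE:
            return 400, {}, b""
        for column, value in data.items():
            # Column name comes from the fixed allowlist; the value is bound.
            db.execute(f"UPDATE users SET {column} = ? WHERE id = ?", (value, uid))
        return 200, {}, b""
    if method == "DELETE":
        cur = db.execute("DELETE FROM users WHERE id = ?", (uid,))
        return (204 if cur.rowcount else 404), {}, b""
    return 405, allow, b""
```

A PUT to /users/123 followed by a PATCH of {"age": 31} leaves the record at age 31 with the name untouched, and a HEAD afterwards returns the same Content-Length as GET with an empty body.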
