UNIT2-AWAS PDF

Summary

This document provides an overview of web application security, focusing on the OWASP Top 10 security risks. It explains each risk and provides mitigation strategies. The document emphasizes the importance of proactive security measures to prevent threats.

Full Transcript

CSF- 403
ADVANCED WEB
APPLICATIONS
SECURITY
UNIT II
Aditya Rajesh More
OWASP

The Open Worldwide Application Security Project (OWASP) is an online community that produces freely
available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system
software and web application security.
The OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation.
The OWASP Top 10 - 2021 is the published result of recent research based on comprehensive data
compiled from over 40 partner organizations.

Advanced Web Applications Security Unit II- by Aditya More 2
What is the OWASP Top 10?

The OWASP Top 10 is a regularly-updated report outlining security concerns for web application security,
focusing on the 10 most critical risks.
The report is put together by a team of security experts from all over the world.
OWASP refers to the Top 10 as an ‘awareness document’ and they recommend that all companies
incorporate the report into their processes in order to minimize and/or mitigate security risks.

Advanced Web Applications Security Unit II- by Aditya More 3
What is the OWASP Top 10?

Advanced Web Applications Security Unit II- by Aditya More 4
OWASP Top 10

1. Broken Access Control (A01:2021):
Explanation: Exploitable flaws that allow unauthorized access to sensitive data, functionality, or systems. Imagine a
user with regular access accidentally gaining administrator privileges due to a security lapse.
Mitigation: Implement proper access control mechanisms based on user roles and permissions. Regularly review and
audit access controls to ensure they remain effective.

2. Cryptographic Failures (A02:2021):
Explanation: Weak encryption algorithms, insecure key management, or improper use of cryptography can expose
data or compromise application security. Think of using a simple lock on a treasure chest, making it easy for
someone to steal the valuables.
Mitigation: Use strong encryption algorithms and industry-standard key management practices. Regularly rotate
cryptographic keys to maintain security.

Advanced Web Applications Security Unit II- by Aditya More 5
OWASP Top 10

3. Injection (A03:2021):
Explanation: Malicious code is injected into user inputs, manipulating the application's logic or stealing data. Imagine
a hacker injecting code into a login form to bypass security and steal user credentials.
Mitigation: Implement robust data validation to sanitize user inputs and prevent them from containing malicious
code. Use parameterized queries or stored procedures to prevent SQL injection attacks.

4. Insecure Design (A04:2021):
Explanation: Fundamental security flaws built into the application design can leave it vulnerable to various attacks.
Think of building a house with weak foundations, making it susceptible to collapse.
Mitigation: Implement secure coding practices throughout the development lifecycle. Conduct security reviews
during the design and development phases to identify and address potential vulnerabilities.

Advanced Web Applications Security Unit II- by Aditya More 6
OWASP Top 10

5. Security Misconfiguration (A05:2021):
Explanation: Improper security settings, default configurations, or disabled security features can weaken an
application's defenses. Imagine having a firewall but leaving it turned off, exposing your network to threats.
Mitigation: Follow security best practices when configuring security features. Regularly review and update security
configurations to address new vulnerabilities.

6. Vulnerable and Outdated Components (A06:2021):
Explanation: Using components with known vulnerabilities or failing to update them promptly exposes applications
to exploits. Imagine using a library with a known security hole, making your application vulnerable to attack.
Mitigation: Implement dependency management to track used components and versions. Use tools to identify known
vulnerabilities in dependencies. Regularly update components and patch vulnerabilities promptly.

Advanced Web Applications Security Unit II- by Aditya More 7
OWASP Top 10

7. Identification and Authentication Failures (A07:2021):
Explanation: Weak authentication mechanisms (e.g., simple passwords) or authorization controls allow unauthorized
access. This could involve easily guessable passwords or lack of multi-factor authentication.
Mitigation: Enforce strong password policies with complexity requirements and regular rotation. Implement multi-
factor authentication for sensitive actions. Use secure session management techniques and validate user sessions.

8. Software and Data Integrity Failures (A08:2021):
Explanation: The application lacks mechanisms to ensure the integrity of data or code, allowing for potential
manipulation. Imagine a system where data can be tampered with without detection, leading to incorrect results or
stolen information.
Mitigation: Implement robust data validation to ensure user inputs are as expected and sanitize them to prevent
unexpected behavior. Utilize strong hashing algorithms to verify data integrity.

Advanced Web Applications Security Unit II- by Aditya More 8
OWASP Top 10
9. Security Logging and Monitoring Failures (A09:2021):
Explanation: The application doesn't adequately log security events or monitor for suspicious activity,
hindering attack detection and response. Imagine a house with no security cameras or alarms, making it
difficult to detect a break-in.
Mitigation: Implement a SIEM solution to centralize security logs from various sources. Utilize log
analysis tools to identify suspicious patterns and potential breaches. Deploy intrusion detection systems
(IDS) to monitor network traffic for signs of malicious activity.

10. Server-Side Request Forgery (SSRF) (A10:2021):
Explanation: Attackers exploit vulnerabilities to trick the server into making unauthorized requests to
internal systems or external resources. Imagine a hacker manipulating a web application to steal sensitive
data from the server's internal database.
Mitigation: Implement strict input validation to sanitize user-provided URLs and prevent them from
accessing unauthorized resources. Enforce resource access control on the server-side to restrict what the
application can access. Consider using firewalls to further restrict outbound traffic from the server.

Advanced Web Applications Security Unit II- by Aditya More 9
OWASP Top 10- Scenarios for understanding

1. Broken Access Control (A01:2021):
Scenario: An online banking application accidentally grants a regular customer full administrator access due to a coding
error. This allows the customer to see and modify other users' accounts, potentially leading to financial theft.
Explanation: Broken access control means unauthorized users can access sensitive information or functionalities they
shouldn't have permission for. Imagine a fancy apartment building where someone can bypass security and access other
apartments.

2. Cryptographic Failures (A02:2021):
Scenario: An e-commerce website stores customer credit card information using a weak encryption algorithm. Hackers
exploit this weakness to steal credit card details, leading to financial losses for customers.
Explanation: Cryptographic failures occur when data encryption is weak or key management practices are poor. It's like
using a simple lock on your treasure chest, making it easy for someone to steal the valuables inside.

Advanced Web Applications Security Unit II- by Aditya More 10
OWASP Top 10- Scenarios for understanding

3. Injection (A03:2021):
Scenario: A social media platform has a vulnerability in its search function. Hackers inject malicious code into a search
query, allowing them to steal user login credentials or take control of user accounts.
Explanation: Injection attacks involve inserting malicious code into user inputs to manipulate the application. Imagine a
prankster writing weird instructions (like adding soap instead of sugar) into a bakery's cake order form, ruining the final
product.

4. Insecure Design (A04:2021):
Scenario: A mobile app for financial transactions lacks proper input validation. Hackers can exploit this flaw to send
invalid but high transaction amounts, potentially causing unauthorized money transfers.
Explanation: Insecure design flaws are built into the core of the application from the beginning. Imagine building a
house on sand - it might look pretty, but it's structurally weak and vulnerable to collapse.

Advanced Web Applications Security Unit II- by Aditya More 11
OWASP Top 10- Scenarios for understanding

5. Security Misconfiguration (A05:2021):
Scenario: A web server has a security feature like a firewall turned off by default. Hackers discover this
misconfiguration and launch attacks on the server, compromising sensitive data.
Explanation: Security misconfiguration happens when security features are either disabled or not set up
correctly.expand_more Imagine having a home security system with a fancy alarm but leaving the back door unlocked.

6. Vulnerable and Outdated Components (A06:2021):
Scenario: A popular online forum uses a third-party library with a known security vulnerability. Hackers exploit this
vulnerability to inject malicious code into the forum, potentially stealing user data or launching further attacks.
Explanation: Using outdated or vulnerable components is like using building materials with known cracks - they become
weak points that attackers can exploit.

Advanced Web Applications Security Unit II- by Aditya More 12
OWASP Top 10- Scenarios for understanding

7. Identification and Authentication Failures (A07:2021):
Scenario: An online gaming platform allows users to set weak passwords with minimal complexity requirements.
Hackers use brute-force attacks to guess passwords and gain access to user accounts, potentially stealing virtual items or
in-game currency.
Explanation: Weak authentication mechanisms make it easier for attackers to gain unauthorized access. Imagine a club
with a bouncer who lets anyone with a specific colored shirt in, regardless of whether they're on the guest list.

8. Software and Data Integrity Failures (A08:2021):
Scenario: A healthcare provider's system lacks proper data integrity checks. Hackers can tamper with patient medical
records undetected, potentially leading to incorrect diagnoses or stolen personal information.
Explanation: Data integrity failures occur when the application can't guarantee the information it stores or uses hasn't
been tampered with. Imagine a library where anyone can rewrite the information on book labels, causing confusion and
making it difficult to find the right book.
Advanced Web Applications Security Unit II- by Aditya More 13
OWASP Top 10- Scenarios for understanding

9. Security Logging and Monitoring Failures (A09:2021):
Scenario: A company's network lacks proper security logging and monitoring. Hackers launch a cyberattack that goes
unnoticed for weeks, allowing them to steal sensitive data before it's detected.
Explanation: Without proper logging and monitoring, it's difficult to detect suspicious activity or security incidents.
Imagine a house with no security cameras or alarms - a break-in might happen without anyone noticing.

10. Server-Side Request Forgery (SSRF) (A10:2021):
Scenario: An e-commerce website has an SSRF vulnerability. Hackers exploit this to trick the server into sending
unauthorized requests to the company's internal database, potentially stealing customer credit card information.
Explanation: SSRF vulnerabilities allow attackers to manipulate a server into making unauthorized requests. Imagine a
personal assistant who can order anything you tell them, but in this case, a hacker is giving the orders, forcing the server
to fetch sensitive data.

Advanced Web Applications Security Unit II- by Aditya More 14
Importance of Web Security

Web security is typically not comprised of a single solution. Rather, it’s many tools working together,
which all need to be configured, managed, updated and patched.

An advanced persistent threat is difficult for administrators to detect. It’s also extremely difficult to
contain because it creates backdoors and spreads across the network. This makes it almost impossible to
completely eradicate. Web security must be able to proactively find and contain these threats before they
spread.

Cybersecurity infrastructure is not the only way to keep your organization safe. Simple strategies are also
effective for stopping threats. Make sure that users must learn these strategies so they don’t
unintentionally expose data or become an easy target for attackers.
Advanced Web Applications Security Unit II- by Aditya More 15
Importance of Web Security- Common web security strategies

Strong passwords. Users should be required to create complex passwords and frequently change them.
Strong passwords reduce an attacker’s window of opportunity after a phishing attack or when credentials
are stolen.
Multifactor authentication (MFA). An MFA system adds an extra layer of security. It works by sending a
personal identification number (PIN) to a user’s smartphone or email during the authentication process.
Without the PIN an attacker cannot authenticate.
Virtual private network (VPN). Every remote worker should connect to the internal network through a
virtual private network. A VPN encrypts traffic between devices and the network to keep data safe from
man-in-the-middle attacks.
Security awareness. Most data breaches are caused by human error. Every organization should have a
program that teaches users how to identify common cyber attacks.
Advanced Web Applications Security Unit II- by Aditya More 16
Web application security vs. Network security
Aspect Web Application Security Network Security
Protection of web applications from Protection of networks and their devices from
Definition
vulnerabilities and attacks unauthorized access and attacks

Application logic, input validation, session Network topology, protocol analysis, traffic monitoring,
Primary Focus Areas
management, authentication, and authorization and device configuration

SQL Injection, Cross-Site Scripting (XSS), Cross- Distributed Denial of Service (DDoS), Man-in-the-
Common Threats Site Request Forgery (CSRF), Remote Code Middle (MitM) attacks, packet sniffing, IP spoofing, port
Execution (RCE), session hijacking scanning

Web Application Firewalls (WAF), Static
Firewalls, Intrusion Detection Systems (IDS), Intrusion
Application Security Testing (SAST), Dynamic
Key Tools and Prevention Systems (IPS), Virtual Private Networks
Application Security Testing (DAST), Runtime
Technologies (VPN), Secure Sockets Layer (SSL)/Transport Layer
Application Self-Protection (RASP), Content
Security (TLS), Network Access Control (NAC)
Security Policy (CSP)

Code review, input validation, parameterized Network segmentation, subnetting, use of demilitarized
Security Techniques queries, secure session management, HTTPS, zones (DMZ), encryption (IPSec, SSL/TLS), multi-factor
OAuth, JWT (JSON Web Tokens) authentication (MFA), security policies (ACLs, VLANs)

Advanced Web Applications Security Unit II- by Aditya More 17
Web application security vs. Network security
Aspect Web Application Security Network Security
HTTP/S requests, API calls, user input fields, IP packets, open ports, unpatched network devices,
Attack Vectors
cookies, form submissions network protocols (e.g., TCP/IP, UDP)
Secure coding practices, regular vulnerability
Regular network scans, applying security patches,
assessments, security patch management,
implementing strong firewall rules, traffic analysis and
Preventive Measures application layer encryption, implementing
anomaly detection, using encrypted communication
Content Security Policy (CSP), Cross-Origin
channels
Resource Sharing (CORS)
Relevant Standards OWASP Top Ten, PCI DSS, NIST SP 800-53 (for ISO/IEC 27001, NIST SP 800-53 (for networks), CIS
and Guidelines web apps), SANS CWE Top 25 Controls, ITU-T Recommendations
Application Performance Monitoring (APM),
Security Information and Event Management Network traffic analysis, anomaly detection systems,
Monitoring and
(SIEM) for web logs, real-time user activity SIEM for network logs, flow-based monitoring (e.g.,
Detection
monitoring, anomaly detection in application NetFlow, sFlow), Deep Packet Inspection (DPI)
behavior
Data exfiltration, unauthorized access to sensitive Network outages, interception of sensitive data, lateral
Typical Attack
data, account takeover, loss of data integrity, movement within the network, loss of control over
Consequences
downtime, compliance violations network devices, data breaches affecting multiple systems
Advanced Web Applications Security Unit II- by Aditya More 18
HTTP request-response

An HTTP (Hypertext Transfer
Protocol) request is a fundamental part
of web communications, forming the
basis of data exchange on the internet.
It’s a protocol used for fetching
resources, such as HTML documents,
images, and other files, from web
servers. The communication between a
client (like a web browser) and a server
occurs through these HTTP requests.

Advanced Web Applications Security Unit II- by Aditya More 19
HTTP request-response

Request Line: An HTTP request starts with a request line, which includes the following:
Method: This indicates the action to be performed on the resource. Common methods include GET
(retrieve a resource), POST (submit data to the server), PUT (update a resource), DELETE (remove
a resource), and others.
Request URL: The URL of the resource being requested.
HTTP Version: The version of the HTTP protocol being used.

Advanced Web Applications Security Unit II- by Aditya More 20
HTTP request-response

1. Request Headers: Following the request line are headers, which provide additional information about
the request. This can include details about the client’s browser, the types of responses that the client will
accept, cookies, and more.
2. Blank Line: A blank line indicates the end of the headers section.
3. Request Body (Optional): Not all requests have a body. Bodies are typically included in POST or PUT
requests, where you’re sending data to the server (like form inputs or file uploads). The body contains
the data being sent.

Advanced Web Applications Security Unit II- by Aditya More 21
The structure of HTTP requests

Advanced Web Applications Security Unit II- by Aditya More 22
HTTP request-response

GET: Used to request data from a specified resource. It retrieves information without altering the
server's state.

POST: Used to send data to the server to create or update a resource. The server processes the data
included in the body of the request.

Advanced Web Applications Security Unit II- by Aditya More 23
HTTP request-response

PUT: Used to update a resource or create a new resource if it does not exist, with the data included in
the body of the request.

This request updates the user with ID 123, or creates a new user if the ID does not exist, with the provided
JSON data.

Advanced Web Applications Security Unit II- by Aditya More 24
HTTP request-response

DELETE: Used to remove a specified resource from the server.

This request asks the server to delete the user
with ID 123.

HEAD: Similar to GET, but it requests only the headers without the response body. Useful for checking
resource metadata.

This request retrieves only the headers of the "index.html"
page, such as the Content-Type and Content-Length, without
the actual page content.

Advanced Web Applications Security Unit II- by Aditya More 25
HTTP request-response

OPTIONS: Used to describe the communication options for the target resource, revealing which
methods are supported.

This request asks the server to list the HTTP methods
available for the "index.html" resource.

TRACE: Used for diagnostic purposes. It echoes back the received request, allowing the client to see
what changes or additions have been made by intermediate servers.

This request is sent to test the path to the "index.html"
resource, returning the exact request that was sent.

Advanced Web Applications Security Unit II- by Aditya More 26
HTTP request-response

PATCH: Used to apply partial modifications to a resource, allowing updates to specific fields without
sending the entire resource.

This request updates only the "age" field of
the user with ID 123 to 31.

Advanced Web Applications Security Unit II- by Aditya More 27