Web Security: Lecture 6 Flashcards
OWASP Top 10 Web App Security Risks (mnemonic: SBC ISS MCUU)
1) SQL Injection
2) Broken Authentication and Session Management
3) Cross Site Scripting (XSS)
4) Insecure Direct Object References
5) Security Misconfiguration
6) Sensitive Data Exposure
7) Missing Function Level Access Control
8) Cross Site Request Forgery (CSRF)
9) Using Components with Known Vulnerabilities
10) Unvalidated Redirects and Forwards
What each OWASP risk is & its mitigations
1) SQL Injection
+ Inject SQL commands into a URL or data entry field
- Eg. fred' OR '1'='1, ' OR 1=1--, adding ' to the URL causes an error
+ Mitigations
- Sanitise user input
- Add escape characters
- Prepared statements, stored procedures
- Use date pickers, drop-down lists etc.
2) Broken Authentication and Session Management
+ Errors in implementation
- Eg. no timeouts, passwords not hashed and salted before storage, session info not encrypted, poor password formulation
3) Cross Site Scripting (XSS)
+ Injection of malicious scripts into data entry fields; 3 types:
- Reflected (non-persistent) XSS: passed via a query or URL, payload not stored
- Stored (persistent) XSS: script stored on the target server, eg in a database
- DOM-based XSS: the malicious script is injected within the Document Object Model, eg via cookies. Craft a malicious script, then trick the user into clicking and transmitting the request containing the script to the web server.
+ Examples: Hijack user sessions, deface website, redirect user to malicious sites
+ Mitigation
- Adding escape characters
- Sanitize user inputs
4) Insecure Direct Object References
+ An authorised user changes a parameter value that refers to an object they are authorised for to one they are not
+ Mitigation
- Check for access rights for each object
- Use drop-down etc.
5) Security Misconfiguration
+ Incorrect access rights or unpatched vulnerabilities
+ Eg. Google dorking, directory traversal
+ Mitigation
- Apply the Principle of Least Privilege when giving access rights.
6) Sensitive Data Exposure
+ Attacker manages to see content after a successful SQLi, passwords not encrypted, etc. This risk is about the data itself, not how the data is reached.
+ Mitigation
- Protect the data: encrypt it, and hash with a salt instead of storing plain text.
- Employee training/awareness
7) Missing Function Level Access Control
+ Able to access a function for which you have no privilege
+ Mitigation
- Check access to functionality before providing it
- Apply Principle of Least Privilege
8) Cross Site Request Forgery (CSRF)
+ Tricking an authenticated victim into executing undesired actions; social engineering.
+ Mitigation
- Include unpredictable ‘challenge’ tokens for each session
- Send employees for training or education
9) Using Components with Known Vulnerabilities
+ About patching and minimising the attack surface
+ Know what components are installed
10) Unvalidated Redirects and Forwards
+ Mitigation
- Avoid redirects and forwards by letting the user confirm whether they want to go to the page.
- Have a list of ‘trusted’ URLs
- Prevent the redirect or forward