OWASP Top 10 Presentation

Posted by Brett Hardin on 21st October 2009

Reading time: 1 – 2 minutes

I recently did a presentation on the OWASP Top 10 for SecurityStreams. Nitesh Dhanjani of SecurityStreams was nice enough to allow me to embed the videos of the presentations on this site.

If you are new to the OWASP Top 10, I highly suggest to watch this presentation, it is about 45 minutes and should give you a high level understanding of all the OWASP Top 10.

If you are an executive or don’t have time to watch the full presentation, then I suggest watching the 10 minute executive presentation.

Make sure to watch them in HD (Upper right hand corner of the videos). Let me know your thoughts and comments.

OWASP Top 10 – Full Presentation

OWASP Top 10 – Executive Presentation

Categories: OWASP, Primer, Secure Development, Vulnerabilities, Web Application Security
Tags: , , , , , , , ,
21Oct

Writing Secure Code

Posted by Brett Hardin on 24th September 2009

Reading time: 2 – 2 minutes

Photo: Brajeshwar

Photo: Brajeshwar

If you are a developer, I guarantee that you have written insecure code. Universities train people to write code, but very little time is taken to help them focus on writing secure code.

As with anything, being able to identify security vulnerabilities and writing code securely takes practice. But how does a developer, who is already overburdened with enough work, find the time or resources to help him identify security vulnerabilities?

This is where spot spotthevuln.com comes in.

The purpose of the project is two fold, help developers write better code by enabling them to identify insecure code and hopefully work the project into teaching curriculum’s at colleges and universities in order to help new developers write more secure code.

Here is how the site works. On Monday at 8:00am PST, a piece of vulnerable code is posted. An business week is given to people in order to attempt to identify the vulnerability in the code. On Friday at 8:00am PST, the code fix is shown with a description of what was wrong with the code. All of the vulnerabilities are taken out of open source projects in order to show developers “real-life” scenarios. The fixes are the fixes that were actually deployed.

The whole point of spotthevuln.com is to help developers identify poor development choices when programming. What are your thoughts? Do you think this will help developers? If you are an instructor and would like to work spotthevuln.com into your curriculum, I suggest for you to reach out to spotthevuln.com.

The more developers know about security, the better off we all are.

Categories: General Thoughts, Secure Development
Tags: , , , , ,
24Sep

Insecure Direct Object Reference

Posted by Brett Hardin on 22nd July 2009

Reading time: 2 – 4 minutes

Photo: tim_norris

Photo: tim_norris

This is the fourth-part in a ten-part-series describing the OWASP Top 10. (See all the OWASP Top 10)

What is Insecure Direct Object Reference

Insecure Direct Object Reference is when a web application exposes an internal implementation object to the user. Some examples of internal implementation objects are database records, URLs, or files.

An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this they may have the ability to access functionality that the developer didn’t intend to expose access to.

Examples of Insecure Direct Object Reference

Insecure direct object reference is a very broad category of vulnerabilities. There are many examples of these types of vulnerabilities found in the wild by other names. Open Redirects and Directory Traversal are two classic examples of an insecure direct object reference vulnerability.

Open Redirect

This is where the web application has a parameter that allows the website to redirect the user somewhere else. If this parameter is not implemented properly using a white list, attackers can use this in a phishing attack to lure potential victims to a site of their choosing. More information about Open Redirects can be found here.

Directory Traversal

Assume a web application allows for a file to be rendered to a user that is stored on the local machine. If the application isn’t verifying what files should be accessed, an attacker can request other files on the file system and those will also be displayed.

For instance, if the attacker notices the URL:

http://misc-security.com/file.jsp?file=report.txt

The attacker could modify the file parameter using a directory traversal attack. He modifies the URL to:

http://misc-security.com/file.jsp?file=../../../etc/shadow

Upon doing this the /etc/shadow file is returned and rendered by file.jsp demonstrating the page is susceptible to a directory traversal attack.

How Do You Prevent Insecure Direct Object Reference From Occurring in Your Application
As always, web application developers can prevent these attacks through good planning.

Developers should use indirect reference maps. Direct mapping can easily be guessed by attackers. Developers should avoid exposing private objects to users. File names, external/internal URL’s, and database keys are all examples of things that should not be displayed to the user.

If direct objects must be used, then the developers should ensure through validation that the user is authorized to view what they are attempting to access. In the directory traversal example, determine what files the user should access and only grant them privileges to those files. This is known as an “accept known good” approach and is always a good idea when it comes to developing secure applications.

Categories: OWASP, Vulnerabilities, Web Application Security
Tags: , , , , , , , , , , , , , ,
22Jul