owasp top 10

42
OWASP Top 10 - 2013 The ten most critical web application security risks

Upload: linh-thai-hoang

Post on 15-Sep-2015

232 views

Category:

Documents


2 download

DESCRIPTION

OWASP Top 10 most dangerous security risk

TRANSCRIPT

OWASP Top 10 - 2013The ten most critical web application security risksA1 InjectionKhi nimLi Injection l li xy ra khi ngi tn cng nhp mt d liu lm thi hnh nhng cu lnh khng mun trn h thngMt trang web dng on code sau ly d liu t nhp d liu ca trang web:txtUserId = getRequestString("UserId");txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;A1 InjectionUser105 txtUserId = 105txtSQL = "SELECT * FROM Users WHERE UserId = " + 105;105Linh1996L hngtxtUserId = getRequestString("UserId");txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;15 or 1 = 1A1 InjectionNu bin txtUserId khng c kim tra, th ngi tn cng c th nhp mt d liu u vo khng theo ca ngi pht trini.e: ngi dng nhp vo mt String, UserID l mt integer User txtUserId = 15 or 1 = 1txtSQL = "SELECT * FROM Users WHERE UserId = " + 15 or 1 = 1;105L213106Z2341A5254:L hngLy d liu trc tip ca ngi dng nhp vo qua mt tham s cho mt hm c kim tra v x l

Lp mt danh sch kim tra nhng k t c cho php V d: Ch c nhp ch ci, khng c nhp k t c bitCch phng trnhtxtUserId = getRequestString("UserId");txtSQL = "SELECT * FROM Users WHERE UserId = @0";db.Execute(txtSQL,txtUserId);(txtUserId c thay vo @0)A2 Broken Authentication and Session MangagementKhi nimNhng chc nng ca ng dng lin quan n xc thc v qun l phin ng nhp thng khng c thit k chnh xcV d: ng dng khng bt buc ngi s dng dng mt mt khu an ton. Ngi s dng c th dng mt mt khu nh 1234Qua ngi tn cng c th ly cp mt khu, hay token ca phin ng nhpA mn in thoi ca B vo ti khon Facebook ca AA qun khng ng xut ti khon Facebook ca mnhPhin ng nhp ti khon ca A khng ht hn, B c th dng c ti khon ca AL hngA2 Broken Authentication and Session ManagementThit k cc chc nng lin quan n xc thc v qun l phin ng nhp theo tiu chun ca OWASP Tham kho thm: https://www.owasp.org/index.php/ASVS

Trnh li XSS khng b ly cp ID phin ng nhp (li A3 Cross Site Scripting s c ni phn sau)A2 Broken Authentication and Session ManagementCch phng trnhA3 Cross-Site ScriptingKhi nimLi XSS xy ra khi mt ng dng nhn vo nhng d liu khng ng tin v gi nhng d liu y cho trnh duyt ca ngi dngV d:mt on Javascript:

Li XSS thng gip ngi khai thc chim phin ng nhp ca ngi dng, deface trang web hay dn ngi dng n nhng trang web la oA dng trang web ca BTrang web ca B cho php A lp ti khon v cha nhng thng tin ring tTrang web ca B c li XSS trong chc nng tm kim http://bobssite.org?q=search termA3 Cross-Site ScriptingL hngsearch termA3 Cross-Site ScriptingChc nng tm kim ca trang web khi nhn c mt query:

Trang web s hin ra

"http://bobssite.org?q=puppiesL hng http://bobssite.org?q=puppiespuppiespuppies not foundA3 Cross-Site ScriptingChc nng tm kim ca trang web khi nhn c mt query bt thng nh:

Trang web s hin ra

alert('pwnd');L hng http://bobssite.org?q= >https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_SheetTham kho thm v d n AntiSamy: https://www.owasp.org/index.php/AntiSamyA4 Insecure Direct Object References Khi nimLi xy ra khi ngi pht trin l quyn truy cp vo nhng i tng bn trong h thng, nh file, nhng th mc bn trong h thng

http://example.com/app/editInfo?acct=123 A4 Insecure Direct Object References L hngMt ngi dng dng trang web sau thay i ti khon ca mnhNameAgeJaneFoster Ngi dng th thay i s acct ca mnh

Ngi dng c th thay i ti khon ca ngi khcA4 Insecure Direct Object References L hnghttp://example.com/app/editInfo?acct=124 NameAgeAdamIo A4 Insecure Direct Object References Kim tra quyn truy cp trc tip n i tng

Khi cung cp quyn truy cp trc tip n mt i tng, ng dng cn xc thc liu ngi dng c quyn truy cp i tng hay khng

Cch phng trnh

A4 Insecure Direct Object References Ch cung cp quyn truy cp gin tip n nhng i tng m ngi dng hin ti c php truy cpCch phng trnh

A5 Security MisconfigurationKhi nim Li xy ra khi admin dng nhng ci t khng an ton cho h thng hoc dng ci t mc nhng dng qun l server ca admin c ci t mc nh

V d: Window Server 2008, Java Application Server

Ngi tn cng truy cp vo trang admin trn server, dng ti khon admin mc nh, v chim quyn kim sotA5 Security Misconfiguration L hngA5 Security Misconfiguration C mt quy trnh r rng khi p dng mt mi trng mi cho h thng

Cp nht h thng mt cch hp l v nhanh chng khi c bn miV d:Nn cp nht nhanh nht c th khi bn mi n nh khi chy cho ng dng

Thit k ng dng c nhng tch bit an ton gia cc thnh phn

Kim tra ci t ca h thng nh kCch phng trnhA6 Sensitive Data ExposureKhi nimLi xy ra khi nhng thng tin nhy cm (nh th tn dng, thng tin xc thc) khng c bo v k lng

Khi , ngi tn cng c th ly cp hoc thay i nhng thng tin yA6 Sensitive Data ExposureL hngMt trang web c trang ng nhp ti khon:

Trang web thit k password vi phn password c hin th khi ngi dng nhp vo www.example.com/loginUserhello123PasswordPassword123A6 Sensitive Data ExposureL hng password nn c che bng k t khc khi c ngi dng nhp vo www.example.com/loginUserhello123Password****************A6 Sensitive Data ExposureKhng lu tr nhng thng tin nhy cm nu khng cn thit

M ho tt c nhng d liu nhy cm

Dng nhng quy trnh tiu chun v thut ton an ton qun l d liuTham kho thm: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htmV hiu ho autocomplete khi yu cu ngi dng in vo nhng d liu nhy cm V hiu ho caching nhng trang cha d liu nhy cmCch phng trnhA7 Missing Function Level Access ControlKhi nimLi xy ra khi quyn s dng tnh nng ca mt ng dng khng c xc thc hp l

Khi , ngi tn cng c th s dng tnh nng ca ng dng m mnh khng c phpNgi tn cng truy cp nhng a ch URL di. C hai u cn xc thc. admin_getappinfo cn cn quyn truy cp ca admin

Trang web u tin c th vo c bi ti khon bnh thng

Trang web th hai ch nn c truy cp bi ti khon adminhttp://example.com/app/getappInfo A7 Missing Function Level Access ControlL hnghttp://example.com/app/admin_getappInfo Nu ngi tn cng dng ti khon bnh thng ca mnh vo trang admin_getappinfo thnh cng, ng dng web c l hngA7 Missing Function Level Access ControlL hnghttp://example.com/app/admin_getappInfo http://example.com/app/admin_getappInfo A7 Missing Function Level Access Controlm bo vic qun l quyn s dng cc tnh nng d dng v hp l

m bo rng mi tnh nng ca ng dng ch c th c truy cp bi mt nhm ngi dng nht nhCch phng trnhA8 Cross-Site Request Forgery (CSRF)Khi nim Li xy ra khi ngi tn cng lm trnh duyt ca ngi dng gi mt yu cu gi n trang web. Nu m ngi dng c xc thc vi trang web y, yu cu s c thc hinng dng cho php ngi dng thc hin yu cu chuyn tin:

Ngi tn cng xy dng mt yu cu chuyn tin cho ti khon ca mnh t ti khon ca ngi s dng, ri giu n vo mt th hnh nh ca trang web thuc quyn iu khin ca ngi tn cng