
OWASP Guide to Building Secure Web Applications and Web Services – v2.0

Jeff Williams
Chair – The OWASP Foundation
CEO – Aspect Security
jeff.williams@owasp.org

OWASP AppSec DC, October 2005

Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation
http://www.owasp.org

The Guide

293-page book
Free and open source
GNU Free Documentation License
Many contributors
Applications and web services
Most platforms
Examples are J2EE, ASP.NET, and PHP
Comprehensive

Uses of the Guide

Developers
  Use for guidance on implementing security mechanisms and avoiding vulnerabilities

Project Managers
  Use for identifying activities (threat modeling, code review, penetration testing) that need to occur

Security Teams
  Use for structuring evaluations, learning about application security, remediation approaches

The Guide Project

Project Leader and Editor
  Andrew van der Stock, vanderaj@owasp.org

Bio
  One of Australia's leading webappsec researchers
  Andrew has presented at many conferences, including BlackHat USA, linux.conf.au, SAGE-AU, and AusCERT
  He helps with the OWASP Melbourne chapter and started the OWASP Sydney chapter
  Moderator of webappsec@securityfocus.com
  Looks after UltimaBB, a secure forum
  System administration of Aussieveedubbers, one of Australia's largest and busiest forums with over 3000 members
  Ex-President of SAGE-AU, the System Administrators' Guild of Australia
  In his copious spare time, he spends time with his cats, cars and food, not necessarily in that order.

History

Guide 1.0
  First released in June 2002
  93 pages
  Interim releases bring the Guide to 149 pages by 2004

Guide 2.0
  Released at Black Hat in July 2005
  293 pages
  Major new version
  Complete re-write
  Peer reviewed ... (in progress)

Massive Overhaul

Developer standards
Threat Risk Modelling
Phishing
Credit Card Handling
Admin interfaces
Web Services
18 new authentication controls
11 new authorization controls
12 new session management controls
Error/Log/Audit
Data Validation
Deployment
Maintenance
Interpreter Injection (includes LDAP and XML)
File System
Unicode/Locale/I18N
Buffer overflows
Cryptography
Privacy
Configuration
SQA

Each Topic

Includes basic information (like the OWASP Top 10):
  How to Determine If You Are Vulnerable
  How to Protect Yourself

Adds:
  Objectives
  Environments Affected
  Relevant COBIT Topics
  Theory
  Best Practices
  Misconceptions
  Code Snippets

Guide 2.0 ~350 controls

[Bar chart: number of controls in Guide 1.0, Guide 1.1 and Guide 2.0; y-axis "Controls", 0 to 350]

Current State

Easily more useful than 1.1.1 and Top 10
28 chapters:
  4 are done: content finished, peer reviewed, edited
  Most have more content than 1.1.1 and are useful
  7 are empty or incomplete
We need more volunteers:
  Content authors
  Technical Editors
  Peer Reviewers
  Helps if you can spel gud and no wat grama is

Guide vs. Other Standards

All explained in the Guide

Threat Modeling

Introduces basic concepts
Covers STRIDE/DREAD, Trike, AS/NZS 4360, CVSS, and OCTAVE

Advice and Best Practices

Credit card processing (ecommerce)
Anti-phishing
Best practices for secure development

Web Services

WS-Security
SAML
XML-DSIG
Lots more...

* Key Application Security Areas *

Authentication

Major re-write
Covers a long list of areas: strong authentication, federated authentication, client-side, positive authentication, referer checks, "remember my password", default accounts, password strength, encryption/hashing, automated reset, brute force, timeout, logout, self-registration, CAPTCHA

Authorization

Topics include: ACLs, centralization, authorization matrix, client-side authorization tokens, access to functions, access to static resources

Session Management

Complete re-write
Topics include: permissive session generation, exposed session variables, page and form tokens, weak session ids, session encryption, session forging, timeout, logout, hijacking, session brute forcing, session fixation, HTTP split session attacks, HTTP request smuggling

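A worked illustration of three of the topics listed on this slide (weak session ids, session brute forcing and session fixation), added by the editor; it is not code from the Guide or from this talk. The in-memory store, the idle timeout value and the "weak id" scheme are constructed for the demo, and the only library API relied on is Python's `secrets` module.

```python
import hashlib
import secrets
import time

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG
IDLE_TIMEOUT_SECONDS = 15 * 60   # assumption: pick per application risk


def weak_session_id(user_id, login_time):
    """Anti-pattern: an id derived from guessable inputs (user id + login second).
    It looks random, but an attacker who knows roughly when the victim logged in
    can recover it offline; no server round-trips are needed."""
    return hashlib.md5(f"{user_id}:{int(login_time)}".encode()).hexdigest()


def brute_force_weak_id(target, user_id, approx_time, window_seconds):
    """Recover the login second behind a weak id by searching a time window."""
    start = int(approx_time) - window_seconds
    for t in range(start, int(approx_time) + window_seconds + 1):
        if weak_session_id(user_id, t) == target:
            return t
    return None


class SessionStore:
    """Server-side session store (constructed in-memory dict for the demo)."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def _new_id(self):
        # ~43 URL-safe characters; unpredictable, so ids cannot be enumerated
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create(self):
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Look up a session, enforcing the idle timeout on every access."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self.destroy(sid)
            return None
        session["last_seen"] = self._clock()
        return session

    def login(self, sid, username):
        """Authenticate and rotate the id: the pre-login id (possibly chosen by an
        attacker and planted in the victim's browser, i.e. session fixation) is
        destroyed, so it never becomes an authenticated session."""
        old = self.get(sid) or {}
        self.destroy(sid)
        new_sid = self._new_id()
        self._sessions[new_sid] = {**old, "user": username, "last_seen": self._clock()}
        return new_sid

    def logout(self, sid):
        """Destroy server-side state; clearing the cookie alone is not a logout."""
        self.destroy(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)
```

Rotating the id inside `login` is the fixation defence: whatever id the browser held before authentication is discarded, so an id an attacker planted is never bound to the victim's account. `brute_force_weak_id` shows why ids must come from a CSPRNG rather than from user data and timestamps: a two-minute search window is enough to recover the constructed weak id.
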
Data Validation

Complete re-write
Considerably shorter!
State of the art validation strategies
“Sanitize” is no longer an acceptable first choice
Practical advice for several platforms
Topics: integrity checks, validation, business rule validation, parameter tampering, hidden fields, ASP.NET viewstate, URL encoding, HTML entity encoding, special characters

Interpreter Injection

Shows how injection really works, for any interpreter
Covers many different interpreters:
  User agent injection
  SQL Injection
  ORM Injection
  OS Command Injection
  Code Injection
  LDAP Injection
  XML Injection (XPath / XSLT)

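The "any interpreter" point carried into running code, as an added editor's example (not code from the Guide or this talk): a login query built by string concatenation beside its parameterised form, both run against a constructed SQLite table, plus the equivalent escaping for an LDAP search filter. Table contents, credentials and the filter shape are made up for the demo; the `sqlite3` module and the RFC 4515 escape sequences are real.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory table; plaintext passwords only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """String-built query: SQLite receives one string and cannot tell where the
    data ends and the SQL begins, so quotes in the input rewrite the query."""
    sql = (
        "SELECT name, role FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Parameterised query: the SQL is fixed before any user data arrives, and the
    driver passes the values separately, so a quote is just a quote."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# LDAP: same principle, different interpreter. Filter metacharacters are escaped
# with their hex form as RFC 4515 requires; most LDAP client libraries ship an
# equivalent function, and it should be preferred over a hand-rolled one.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value):
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_user_filter(username):
    """Filter for a directory lookup; escaping keeps 'username' a single value."""
    return f"(&(uid={ldap_filter_escape(username)})(objectClass=person))"
```

With the password `' OR '1'='1` the concatenated query becomes `... AND password = '' OR '1'='1'`, which is true for every row; `alice'--` comments out the password check entirely. The parameterised version returns nothing for both inputs. The LDAP filter shows the same attack shape (`*)(uid=*))(|(uid=*`) rendered harmless by escaping.
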
Canonicalization

The process of making Unicode and other encodings “real” to the underlying application
One of the last bastions of unexplored vulnerability
Difficult to protect against:
  Unicode
  Locale
  Multiple encoding

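Worked example added by the editor to tie this slide to the Data Validation slide before it (not code from the Guide or this talk): decode and normalise first, then validate against an allow-list, encode on output, and sign hidden fields so parameter tampering is detectable. The decode-round limit, the filename pattern and the HMAC key are assumptions made for the demo; the "strip the bad substring" sanitizer is included only as the anti-pattern the slide warns against.

```python
import base64
import hashlib
import hmac
import html
import re
import unicodedata
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: legitimate input is never encoded more than twice


def canonicalize(value):
    """Strip encoding layers and normalise Unicode so that every later check sees
    one representation. Percent-decoding is repeated because attackers double
    encode ('%252e' -> '%2e' -> '.'); NFKC folds compatibility forms such as the
    fullwidth '．' and '／' onto the ASCII characters filters look for."""
    decoded = value
    for _ in range(MAX_DECODE_ROUNDS):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    else:
        raise ValueError("input has more encoding layers than allowed")
    return unicodedata.normalize("NFKC", decoded)


# Positive validation: state what is allowed rather than hunting for what is not.
FILENAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def validate_filename(raw):
    """Canonicalise, then accept only names matching the allow-list pattern."""
    canonical = canonicalize(raw)
    if not FILENAME_RE.fullmatch(canonical):
        raise ValueError(f"rejected filename: {raw!r}")
    return canonical


def sanitize_filename_naive(raw):
    """Anti-pattern for contrast: delete the 'bad' substring. It runs before any
    decoding, so '%2e%2e%2f' passes untouched, and one pass over '....//' leaves
    '../' behind."""
    return raw.replace("../", "")


def render_greeting(name):
    """Output encoding for the HTML interpreter; validation does not replace it."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Integrity check for hidden fields: the client may carry the value but cannot
# alter it without the server noticing. Key is constructed for the demo.
HIDDEN_FIELD_KEY = b"constructed-demo-key-rotate-in-real-deployments"


def _tag(value):
    mac = hmac.new(HIDDEN_FIELD_KEY, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def sign_hidden_field(value):
    return f"{value}.{_tag(value)}"


def verify_hidden_field(signed):
    value, _, tag = signed.rpartition(".")
    if not hmac.compare_digest(tag, _tag(value)):
        raise ValueError("hidden field was tampered with")
    return value
```

The order matters: validating before canonicalising lets `%252e%252e%252f` or fullwidth `．．／` through a check that would have caught `../`, and sanitising by deletion fails even on plain ASCII. Signing hidden fields is the cheap form of the integrity check the slide lists; it is what ASP.NET viewstate MAC validation does for its own payload.
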
Error Handling, Logging, Auditing

Complete re-write
Topics include:
  Traceability - aims for SOX compliance
  Error messages, error handling
  Don’t log noise, destruction, audit trails

File System

Goal: Minimize dangers from file based operations
Topics: file referencing, defacement, insecure permissions, insecure indexing, unmapped files, temp files, old files, second order injection

Buffer overflows

New(ish) section for one of the oldest security problems
  Heap, stack, buffer overflows
  Integer and array overflows
  Unicode overflows
  String format overflows
Not really an issue for Java, .NET, PHP, unless you’re invoking native libraries or exec’ing operating system commands

Administrative Interfaces

Must have segregation of duties
  Administrators are not users
  To be effective, ensure that the admin application uses completely different RDBMS users
  Prefer separate servers and access control lists
Security through obscurity is not good enough
Strong authentication

Cryptography

Revamped section
Future proofing (SHA1 / MD5 anyone?)
How to select algorithms
Poor secret storage
Stream ciphers

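Editor's added example joining the encryption/hashing point from the Authentication slide with the future-proofing point above (not code from the Guide or this talk): each stored password record carries its algorithm and work factor, so a verifier can accept a legacy unsalted MD5 record one last time and replace it with a salted PBKDF2-HMAC-SHA256 record during that login. The `$alg$params$salt$hash` layout and the iteration count are assumptions chosen for the demo; `hashlib.pbkdf2_hmac` and `hmac.compare_digest` are standard library.

```python
import base64
import hashlib
import hmac
import os

# Current scheme and work factor. The count is an assumption for the demo; what
# matters is that it is stored with each record, so it can be raised later.
CURRENT_ALGORITHM = "pbkdf2-sha256"
CURRENT_ITERATIONS = 210_000
SALT_BYTES = 16


def _b64(data):
    return base64.b64encode(data).decode()


def hash_password(password, iterations=CURRENT_ITERATIONS, salt=None):
    """Produce a self-describing record: $<algorithm>$<iterations>$<salt>$<hash>.
    The algorithm tag is what makes migration possible without a flag day."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"${CURRENT_ALGORITHM}${iterations}${_b64(salt)}${_b64(dk)}"


def legacy_md5_record(password):
    """What an older application might have stored: unsalted, fast MD5 (anti-pattern)."""
    return "$md5$" + hashlib.md5(password.encode()).hexdigest()


def verify_and_upgrade(stored, password):
    """Check a password against whatever scheme the record carries.
    Returns (ok, replacement_record): the replacement is a fresh record when the
    stored one uses a retired algorithm or a lower work factor than current, so
    the caller can overwrite it and records upgrade as users log in."""
    fields = stored.split("$")
    algorithm = fields[1]
    if algorithm == "md5":
        expected_hex = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(fields[2], expected_hex)   # constant-time
        return ok, (hash_password(password) if ok else None)
    if algorithm == "pbkdf2-sha256":
        iterations = int(fields[2])
        salt = base64.b64decode(fields[3])
        expected = base64.b64decode(fields[4])
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        ok = hmac.compare_digest(dk, expected)
        needs_upgrade = ok and iterations < CURRENT_ITERATIONS
        return ok, (hash_password(password) if needs_upgrade else None)
    raise ValueError(f"unknown algorithm tag {algorithm!r}")
```

The upgrade can only happen at login, because that is the only moment the server holds the plaintext; the rest of the time the old records stay weak, which is the argument for retiring MD5 entries that have not been touched within a chosen period. The same tagging lets the iteration count, or the whole algorithm, change later without touching users who never log in again.
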
Privacy

Objective is to ensure that the tracks left by an application are minimalist and safe (enough)
Completely revamped
Major controls:
  Laws in effect
  Look for browser droppings (cookies, history, logs, etc)
  The (in)-effectiveness of cache control
  GET vs POST
  What SSL really hides
  Various EU, AU, and US laws compared
  Information disclosure
  “Front page of the paper” test

Configuration

New section
Objective is to ensure that an application is safe out of the box
Code Access Security policies
Default passwords (NO!)
Clear text passwords in config files
Connecting to RDBMSs and middleware

Maintenance

Topics include: security incident response, rescues and fixes, update notifications, permission checking

Denial of Service Attacks

Topics include:
  Excessive consumption of resources
    Disk I/O
    CPU
    Network I/O
  User account lockout

Coming Soon: Secure Deployment

Secure out of the box
Automated installs
Minimal attack surface area by default

Coming Soon: Software Quality Assurance

How to improve your SQA to cover web application security
Analysis and testing
  Types of testing: unit, injection, code reviews, pen tests

Language Specific Chapters

Chapter dedicated to PHP
Lots of cool information on writing secure PHP scripts
Will be joined by ASP.NET and J2EE in 2.1

XSS Cheat Sheet

Robert Hansen (RSnake)’s Cheat Sheet
95 different ways to inject code
Essential to test your apps with this list

Case Study: XMB Result

1.8 has been retired
  Too hard to fix due to PHP brain damage
  Insufficient dev resources to fix
1.9.1 is a high quality release
  1.9.1 has been out for 8 months so far without a public vulnerability
  Far faster and more scalable than 1.8
Guide success! Only one patch since May 2004
  Previous releases used to require quarterly updates (roughly the same as phpBB today)

Case Study: phpBB

phpBB
  Hundreds of thousands of boards, millions use phpBB
  Needed to test out OWASP 2.0 with PHP code and FOSS methodologies
Did not accept help (ahem)
Security problems still exist

Guide 2.1

Due November 2005
  Fixes, reviews, and new content
  Available in Word, PDF... and book form
No Starch Press will be publishing the Guide 2.1 around November 2005

