OWASP Top 10

November 5, 2014

Use the OWASP Application Security Verification Standard. Do not limit your focus to the OWASP Top 10 Vulnerabilities.

SQL Injection (SQLi)

Problem: Malicious user input is interpreted as a database query.

Cause: The malicious user input has had inadequate data validation by the web tier.

Detection: If you have the application tier source code, review it. If you don’t, mechanically test through the web tier (e.g., sqlmap).

Mitigation: Parametrize queries in the application; that is, use variables in prepared SQL statements. Never construct queries by concatenating user input. If you don’t have access to the application source code, use an already available known and proven HTML sanitizer. SQL Injection can be mitigated with a Web Application Firewall.

See Secure Web Application Development

  • Use Parameterized APIs for Data Access
  • Use Positive Input Validation
  • Avoid Using Command Interpreters
  • Escape Special Characters, If Parameterized APIs Are Not Available
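The difference between a concatenated query and a parameterized one, with positive input validation in front, as an added example that is not part of the original post. The table, function names and sample input are constructed for illustration, using Python's standard `sqlite3` module.

```python
import re
import sqlite3

# Constructed input: closes the string literal and appends an always-true clause.
CONSTRUCTED_INPUT = "x' OR '1'='1"

def make_db():
    """Build a constructed in-memory table for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def lookup_concatenated(db, name):
    """Vulnerable form: the user input becomes part of the SQL text."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in db.execute(query))

def lookup_parameterized(db, name):
    """Mitigated form: the statement is fixed and the input is bound as data."""
    rows = db.execute("SELECT email FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)

# Positive validation: describe what a valid name is, reject everything else.
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def lookup_validated(db, name):
    """Positive input validation in front of the parameterized query."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name does not match the allowed pattern")
    return lookup_parameterized(db, name)

if __name__ == "__main__":
    db = make_db()
    print("concatenated: ", lookup_concatenated(db, CONSTRUCTED_INPUT))
    print("parameterized:", lookup_parameterized(db, CONSTRUCTED_INPUT))
```

The concatenated lookup returns every row for the constructed input, while the parameterized lookup treats the same input as a name that matches nothing.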


Cross-site Scripting (XSS)

Problem: Malicious user input is displayed on a web page. The user’s web browser processes the malicious input, in effect attacking the user. The user shot themselves, but didn’t know they were holding a gun.

Cause: The malicious user input has had inadequate data validation by the web tier.

Detection: If you have the application tier source code, see the OWASP Code Review Guide article on Reviewing code for Cross-site scripting Vulnerabilities. If you don’t, then the Browser Exploitation Framework (BeEF), XSS Cheat Sheet, Burp and manual tests would be a start.

Mitigation: Use safe re-encoding of the user input before it is displayed on a web page. Use an already available known and proven encoder such as OWASP ESAPI. Input validation is often used, but displaying content in a safe manner is to be preferred. Cross-site scripting can be mitigated with a Web Application Firewall.

  • Escape All Untrusted Data in HTML Contexts
  • Use Positive Input Validation
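Output encoding chosen by the context in which the value is displayed, as an added example that is not from the original post or from OWASP ESAPI. It uses Python's standard `html` and `json` modules; the function names and the sample values are constructed.

```python
import html
import json

def encode_html_text(value):
    """For element content: <p>HERE</p>."""
    return html.escape(value, quote=False)

def encode_html_attr(value):
    """For a double-quoted attribute value: <p title="HERE">."""
    return html.escape(value, quote=True)

def encode_js_string(value):
    """For a string literal inside an inline <script> block.

    json.dumps produces a quoted, backslash-escaped literal; the extra
    replacements keep '<', '>' and '&' out of the markup so the value
    cannot close the script element.
    """
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out

def render_comment(author, text):
    """Place untrusted values into three contexts, each with its own encoder."""
    return ('<p title="%s">%s</p><script>var author = %s;</script>'
            % (encode_html_attr(author), encode_html_text(text),
               encode_js_string(author)))

if __name__ == "__main__":
    # Constructed sample values containing markup characters.
    print(render_comment('A"B', "<i>hi</i>"))
```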


Session Hijacking

Problem: In order to maintain a conversation, a web application needs to keep track of where it left off. The web application needs to preserve a session’s state. If a person can impersonate a web application’s state, the web application can take incorrect actions.

Cause: Session tokens (how you maintain state in web applications) are passed in clear text.

Detection: Review packet captures for tokens passed in clear text.

Mitigation: Encrypt communication using HTTPS. Additionally, use session inactivity timeouts.

  • Centralize Authentication and Session Management Controls
  • Protect Session IDs from XSS


Parameter Manipulation (Insecure Direct Object References)

Cause: User supplies a value in the URL and the application accepts it.

Detection: Review packet captures for URL parameters.

Mitigation: If you have access to the application, server-side validation should be used. Is the returned value acceptable? Are there errors in business logic? Additionally, use session parameters (where the data elements are stored on the server side and accessed through the session identifier) instead of URL parameters (which are exposed on the client side). If you don’t have access to the application … a web application firewall can help sanitize input, but cannot prevent that input from being modified and cannot fix errors in business logic.

  • Use Per-User or Per-Session Indirect Object References
  • [OR] Check Access Control Permissions Whenever Performing Direct Object References
  • Disable Directory Browsing
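Both mitigations listed above, per-session indirect references and an access check on every direct reference, as an added example that is not part of the original post. The invoice data, the `Session` class and the function names are constructed for illustration.

```python
import secrets

# Constructed sample data: invoice id -> owning user.
INVOICES = {1001: "alice", 1002: "bob", 1003: "alice"}

class Session:
    """Server-side session state; the reference map never leaves the server."""

    def __init__(self, user):
        self.user = user
        self._refs = {}  # opaque reference -> real object id

    def publish(self, object_id):
        """Return an opaque per-session reference for an object the user owns."""
        if INVOICES.get(object_id) != self.user:
            raise PermissionError("access denied")
        ref = secrets.token_urlsafe(16)
        self._refs[ref] = object_id
        return ref

    def resolve(self, ref):
        """Map a client-supplied reference back to the real id, or None.

        A reference issued to another session, or a guessed real id,
        is simply not in this session's map.
        """
        return self._refs.get(ref)

def get_invoice_direct(session, invoice_id):
    """Alternative: keep direct ids, but check access on every request.

    Missing and foreign invoices give the same error, so the response
    does not reveal which ids exist.
    """
    owner = INVOICES.get(invoice_id)
    if owner is None or owner != session.user:
        raise PermissionError("access denied")
    return invoice_id

if __name__ == "__main__":
    alice, bob = Session("alice"), Session("bob")
    ref = alice.publish(1001)
    print("alice resolves her reference:", alice.resolve(ref))
    print("bob replays alice's reference:", bob.resolve(ref))
```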


Cross-site Request Forgery (CSRF)

Problem: The user establishes an authenticated session. The user then connects to an unrelated site. The unrelated site takes advantage of the user’s authenticated session to perform actions.

Cause: The user’s intended web application supports URLs which can specify complete session information using parameters. The unrelated site performs the unauthorized action through a crafted URL. The URL requires no user interaction, or minimal interaction.

Detection: Review web application for URL parameters. Review packet captures for URL parameters.

Mitigation: If you have access to the application, implement CSRF session tokens (for each page a new token is created and hidden on the user’s web page; the server checks the next transaction for the predetermined token). Session timeouts would limit the availability of authenticated sessions. Re-authentication before the transaction is completed would require user interaction.

  • Include Unique Tokens in HTTP Requests
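The per-page token check described in the mitigation, as an added example that is not part of the original post and is not ASP.NET's AntiForgeryToken implementation. The `CsrfSession` class, the `csrf_token` field name and the transfer handler are constructed for illustration.

```python
import hmac
import re
import secrets

class CsrfSession:
    """Server-side session state holding the token expected on the next request."""

    def __init__(self, user):
        self.user = user
        self._expected = None

    def render_form(self):
        """Create a fresh token for this page and return the hidden field."""
        self._expected = secrets.token_urlsafe(32)
        return '<input type="hidden" name="csrf_token" value="%s">' % self._expected

    def check(self, submitted):
        """Accept the transaction only if it carries the predetermined token."""
        expected = self._expected
        if not expected or not isinstance(submitted, str):
            return False
        # Constant-time comparison; the token is consumed only on success,
        # so a forged request cannot invalidate the user's open form.
        ok = hmac.compare_digest(expected.encode(), submitted.encode())
        if ok:
            self._expected = None
        return ok

def extract_token(form_html):
    """What the browser does implicitly: read the hidden field from the page."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', form_html)
    return match.group(1) if match else None

def handle_transfer(session, form, ledger):
    """State-changing action: refuse unless the form carries the expected token."""
    if not session.check(form.get("csrf_token")):
        return 403
    ledger.append((session.user, form["to"], form["amount"]))
    return 200

if __name__ == "__main__":
    session, ledger = CsrfSession("alice"), []
    token = extract_token(session.render_form())
    # A cross-site request rides on the session but cannot read the token.
    print(handle_transfer(session, {"to": "x", "amount": "10"}, ledger))
    print(handle_transfer(session, {"to": "bob", "amount": "10",
                                    "csrf_token": token}, ledger))
```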


CSRF Proof of Concept with OWASP ZAP

ASP.NET: The anti-forgery token can be used to help protect your application against cross-site request forgery. To use this feature, call the AntiForgeryToken method from a form and add the ValidateAntiForgeryTokenAttribute attribute to the action method that you want to protect.

Security Misconfiguration (Insecure Configuration)

Cause: Insufficient hardening. Lack of configuration management process. Lack of account management process. Lack of patch management process. Security patches not installed, unnecessary services enabled, default passwords, excessive permissions.


Mitigation: Repeatable hardening process. Recurring inventory and audits.

  • Establish A Repeatable Hardening Process
  • Keep Up with Security Updates
  • Design a Strong Application Architecture
  • Run Scans and Perform Audits


Insecure Cryptographic Storage

Cause: Sensitive information is stored or transmitted in an insecure manner. The cryptographic method may be obsolete or the implementation may be weak.


Mitigation: There may be specific regulatory requirements to consider. Review information to determine if it is sensitive and if it should be stored. (Classify assets, model realistic weaknesses, determine threats which may exploit those weaknesses, implement defenses.) Use known, strong encryption methods, long keys and a key management system.

  • Consider the Threats You Plan to Protect Data from
  • Encrypt Off-site Backups
  • Ensure Strong Algorithms Are Used
  • Hash and Salt Passwords
  • Protect Keys and Passwords


Failure to Restrict URL Access (Forced Browsing)

Cause: Incorrect web server configuration. Insufficient restrictions in application logic. User can guess a URL that provides access to information or processes that should be restricted.

Detection: Crawl the application for page access. Should these pages be exposed? Test exposed pages for insufficient authorization enforcement.

Mitigation: Authorization checks within the application. Page level authorization at the web server. Can be mitigated with a Web Application Firewall.

  • Require Authentication and Authorization for Each Sensitive Page
  • Use Role-based Authentication and Authorization
  • Make Authentication and Authorization Policies Configurable
  • Deny All Access by Default


Insufficient Transport Layer Protection (Clear-text Communication, Cookie Poisoning)

Cause: Sensitive information is sent unencrypted. This could include unencrypted session cookies which, if exposed, can be used to impersonate the authenticated user (capture their session).

Detection: Review packet captures for sensitive information passed in clear text.

Mitigation: Implement “always on” SSL (HTTPS) with strong keys (greater than 128 bit ciphers) and disable weaker protocols (SSLv1, SSLv2, SSLv3). Implement a key management policy. Alternately, encrypt the sensitive information (such as cookies) and sign it (so it cannot be modified). Consider disabling HTTP if the site is sensitive. Can be mitigated with a Web Application Firewall.

  • Enable SSL
  • Use SSL for All Sensitive Pages
  • Set the Secure Flag on All Sensitive Cookies
  • Use Only Strong SSL Algorithms
  • Use Valid SSL Certificates
  • Secure Backend Connections
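A check to run over responses exported from a packet capture or proxy log, flagging session cookies set in clear text or without the Secure flag, as an added example that is not part of the original post. The capture records, the host name and the list of cookie-name hints are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed naming hints for cookies that carry session state.
SENSITIVE_HINTS = ("session", "sid", "auth", "token")

# Constructed sample: (request URL, response headers) pairs.
CONSTRUCTED_CAPTURE = [
    ("http://shop.example.test/login",
     [("Content-Type", "text/html"),
      ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly")]),
    ("https://shop.example.test/login",
     [("Set-Cookie", "JSESSIONID=def456; Path=/; HttpOnly")]),
    ("https://shop.example.test/account",
     [("Set-Cookie", "JSESSIONID=ghi789; Path=/; Secure; HttpOnly"),
      ("Set-Cookie", "theme=dark; Path=/")]),
]

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit(responses):
    """Return (url, cookie name, finding) for each exposed sensitive cookie."""
    findings = []
    for url, headers in responses:
        scheme = urlsplit(url).scheme.lower()
        for key, value in headers:
            if key.lower() != "set-cookie":
                continue
            name, attrs = parse_set_cookie(value)
            if not any(hint in name.lower() for hint in SENSITIVE_HINTS):
                continue  # not a session-bearing cookie under our hints
            if scheme != "https":
                findings.append((url, name, "set over clear-text HTTP"))
            elif "secure" not in attrs:
                findings.append((url, name, "missing Secure flag"))
    return findings

if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_CAPTURE):
        print(finding)
```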


Unvalidated Redirects and Forwards (Unchecked Redirects)

Cause: Lack of validation when using forms or parameters to forward or redirect users. This enables hackers to use your site as a trusted name or domain when redirecting to their malicious site.


Mitigation: Don’t use parameters to forward or redirect users. Use session information stored on the server. Alternately, whitelist the URLs that the user can be forwarded to and verify that the user has authority to access the web page.

  • Don’t Use Redirects or Forwards, If Possible
  • Don’t Use User Input for Calculating Destinations of Redirects or Forwards
  • Use Mapping Values When Calculating Destinations of Redirects or Forwards
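Mapping values and a whitelist check for redirect destinations, as an added example that is not part of the original post. The destination table, the allowed host and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed mapping: the client sends a key, never a URL.
DESTINATIONS = {
    "home": "/",
    "billing": "/account/billing",
    "docs": "https://docs.example.test/",
}
ALLOWED_HOSTS = {"docs.example.test"}  # constructed whitelist

def redirect_by_key(key):
    """Preferred form: unknown keys fall back to a fixed destination."""
    return DESTINATIONS.get(key, DESTINATIONS["home"])

def is_allowed_url(url):
    """Whitelist check for the cases where a URL has to be accepted.

    Allows same-site absolute paths and https URLs whose host is on the
    whitelist; everything else is refused.
    """
    if not url or url != url.strip():
        return False
    # Backslashes and control characters are normalized differently by
    # browsers and by URL parsers, so refuse them outright.
    if any(c in url for c in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Local path only; "//host/path" is scheme-relative, not local.
        return url.startswith("/") and not url.startswith("//")
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS

def safe_redirect(url):
    """Return the destination to use, falling back to the home page."""
    return url if is_allowed_url(url) else DESTINATIONS["home"]

if __name__ == "__main__":
    for candidate in ("/account/billing", "https://docs.example.test/guide",
                      "//other.example.test/", "http://docs.example.test/"):
        print(candidate, "->", safe_redirect(candidate))
```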




Security Awareness Training

October 19, 2014

Security Awareness Training Framework Wiki

Measuring Human Risk: What is Your Organization’s Security Score? The methodology and results of a multi-year human security risk assessment and security awareness initiative at Michigan Technological University.

This presentation covers effective security awareness training and measuring its effectiveness. When I was doing security awareness training it was largely saying the same thing as last time, expecting a different result. Additional ideas were always appreciated. This presentation is worth listening to and the handout contains useful information.

Securing The Human in EMEA – Next Generation Awareness Programs

  • Confidentiality – only authorized / appropriate persons have access to the particular information
  • Integrity – accurate and adequately complete information
  • Availability – all authorized persons have access as needed
  • Accountability – actions cannot be repudiated
  • Authentication – validate the agent
  • Authorization – control which agents can access which assets
  • Accounting – determine which agents access which assets and what they did there

Property – Threat

  • Authentication – Spoofing
  • Integrity – Tampering
  • Non-Repudiation – Repudiation
  • Confidentiality – Disclosure
  • Availability – Denial of Service
  • Authorization – Elevation of Privilege

WASC Threat Classification

OWASP Application Security Verification Standard 2009 (pdf)

New hire initial assessment

October 9, 2014

You’ve just been hired and Information Security is now your responsibility.

Who has immediate concerns?

Introduce yourself and ask what most concerns them. Get their names. This is for your use only. Try to remember their names. Can you take a photograph?


NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment [pdf]

What company policies and regulatory requirements exist? What compliance programs (SOX, PCI, HIPAA, SSAE 16) must be observed?

Individual Products

The National Checklist Program (NCP), defined by the NIST SP 800-70 Rev. 2, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to the Security Content Automation Protocol (SCAP). SCAP enables standards based security tools to automatically perform configuration checking using NCP checklists. For more information relating to the NCP please visit the information page or the glossary of terms.

Risk Assessment

The SANS 20 Critical Controls

  • When doing the inventory of authorized and unauthorized software, include software composition analysis. What libraries are being used? Do these libraries have vulnerabilities?

The California Department of Technology Risk Assessment Toolkit has links to great resources.

Prioritize Tasks

What gaps do you fill first?

There will always be risk. What level of risk is acceptable?


Check your work. Repeat.

Enhancing Your Bitlocker Protection

July 23, 2014

Scenario: Your Windows laptop has Bitlocker protection that prevents unencrypted access to the hard drive if the laptop was powered off.

There are three successful physical attacks:

  1. Seize the hardware while the user is logged in and Windows is not locked.
  2. Seize the hardware while the user is logged in and has locked Windows.
  3. Seize the hardware immediately after the laptop is powered off.

In the first attack the thief has access to the unencrypted information. This is to be expected.

In the second and third cases, you would expect the thief to be denied access to the encrypted information. Actually, the thief could obtain the encryption keys through a Direct Memory Access (DMA) attack (attack 2) or by reading DRAM before the bits decay and memory fades (attack 3). This last approach is referred to as a “Cold Boot Attack”.

iSEC Partners has made You’ll Never Take Me Alive (YoNTMA) to mitigate DMA attacks. If Windows is locked and either the power cord or wired internet is disconnected, then the system goes into hibernation. A side effect of hibernation is removing the encryption keys from memory. If you were working off battery power with a wireless network connection, then YoNTMA does not mitigate your risk.

How practical is a DMA attack? See Inception.

Securing a USB Drive

September 12, 2012

The problem: You want to transport information. A USB drive is a convenient solution, but comes with risks. There is always the risk that the drive could be misplaced or stolen. You need some way to encrypt the data so that your loss is limited to the drive, and the data on the drive does not fall into unscrupulous hands.


Dedicated secure drive and a strong password. By using a secure USB drive (and a strong password), the information on the lost or stolen secure USB drive is not disclosed. Avoid the older implementations; see Update Your Secure USB Drive.

  • SanDisk
  • Verbatim
  • Kingston
  • TAC Drive
  • IronKey
  • Imation secure USB drives
  • Kingston DataTraveler 4000-M, a managed version of their secure USB drive, has been announced. “Full device-state management for tight policy enforcement and lockdown of stolen/lost drives – without bricking; customization for easy asset tagging; and, full audit and backup/recovery for forensic analysis and compliance – including adherence to all data-at-rest regulations.”
  • Victorinox Secure Pro USB drive has been discontinued by the manufacturer. Return these devices for a refund.

Passthrough encryption device and strong password used with generic USB storage device.

  • The Enigma module is an inline USB encryption solution designed to provide real-time full disk encryption for any USB mass storage class (MSC) drive.

Dedicated secure drive with integrated keypad. A benefit of USB drives is their platform independence. If the USB drive requires a driver and a device with a keyboard, then you can’t plug it into your TV or Blu-Ray player. There are other dedicated secure drives with integrated keypads to enable the device to transport files to any device which accepts a USB drive.

Dedicated secure drive with integrated biometrics.

  • Apricorn Aegis Bio 3.0 USB 3.0 external drive safeguards data with secure fingerprint access and military grade 256-bit AES-XTS hardware encryption.

Ordinary USB drive with encryption software and strong password.

  • Ordinary USB drive and Bitlocker encryption.
  • Ordinary USB drive and TrueCrypt encryption. A copy of TrueCrypt Portable on the USB drive means you won’t need to install TrueCrypt on the host device to read the encrypted portion of the USB drive. (While use of TrueCrypt has been discouraged, it will still defeat almost any thief. See “Open Crypto Audit Project TrueCrypt Security Assessment” [pdf].)
  • Ordinary USB drive and Rohos Mini Drive or USB Safeguard. Both can reside upon the USB drive. Both offer a free version which encrypts up to 2 GB.
  • How to Create a Secure USB Drive in Ubuntu with Linux Unified Key Setup


  • Password strength. Easily guessed passwords turn encryption into an ineffective control. How do you enforce a strong password policy?
  • Remote wipe. The goal of an encryption implementation is to make it take longer to crack than is practical. (Easily guessed passwords make cracking practical.) After a short number of attempts, the device should wipe itself.
  • Key management. Can keys for these encrypted devices be managed centrally? If they cannot, is the information on these devices managed in another fashion?
  • Maintenance. If these devices must be updated, what approaches are available?
  • Inventory. How will these devices be tracked? What are the costs of not tracking them?

When reviewing these challenges, remember the risk from lost, unencrypted data. You may choose to accept a less-than-perfect management solution to limit the risk of information disclosure.

Running RatProxy in a Windows and cygwin environment

September 12, 2012

RatProxy can be considered a specialized protocol analyzer for interpreting HTML transactions. Suppose there is a web transaction that you are curious about. For example, it seems to return user-created text to you, and you suspect that this may indicate a cross-site scripting (XSS) attack is possible.


  1. I found How to Setup RatProxy on Windows to be a useful resource for installing Cygwin and RatProxy on Windows.
  2. The Firefox addon Elite Proxy Switcher is more than sufficient to make changing proxy settings simple.
  3. The 7-zip archive utility is used by the batch file which follows. Neither the batch file nor the utility are required, but you may find them convenient.
  4. Add a batch file (preserve.bat) to the c:\cygwin\bin folder:

    @echo off
    rem Rename the report and archive the traces under the given project name.
    if (%1)==() goto ERRPARM
    ren ..\ratproxy\report.html %1.*
    "C:\Program Files\7-Zip\7z.exe" a ..\ratproxy\%1.zip ..\ratproxy\*.trace ..\ratproxy\ratproxy.log
    del ..\ratproxy\*.trace
    goto EXIT
    :ERRPARM
    echo Name for report and zip file is required.
    :EXIT

With that preparation complete, and with Firefox ready to submit your interaction:

  1. Open a command shell (cmd.exe).
  2. Paste these two lines into the command window:

    cd C:\cygwin\ratproxy
    ratproxy.exe -v c:\cygwin\ratproxy -w ratproxy.log -p 8080 -lextifscijmXC

    This creates a web proxy on port 8080. The “-lextifscijmXC” options may not be appropriate for your testing; see the RatProxy documentation.

  3. Change your browser to use this proxy (localhost:8080). Traffic that is passed through the browser will go through RatProxy.
  4. Your test traffic occurs here.
  5. In the command window (from step 2) press Ctrl+C to quit RatProxy.
  6. Undo the browser proxy changes (from step 3).
  7. Create the RatProxy report by pasting these four lines into the command window (from steps 2 and 5). This runs the report in a bash shell.

    bash
    cd /ratproxy
    ./ratproxy-report.sh ratproxy.log > report.html
    exit

    This will require another Enter.

    C:\cygwin\ratproxy\report.html, C:\cygwin\ratproxy\ratproxy.log and one or more .trace files in the C:\cygwin\ratproxy\ folder will contain the results of your testing. These .trace files are not Wireshark-compatible, but they are interpreted network protocol analyzer results.

  8. Clean up. To associate the report.html file with the .trace files and to prepare for the next traffic capture, I added a batch file (preserve.bat) to c:\cygwin\bin. In the command window (from steps 2, 5 and 7), enter

    preserve <project>

    where <project> is a term you choose to remember what you were testing.

    You will now have a <project>.html file and a <project>.zip file in C:\cygwin\ratproxy\. You can close the command window.

In the html file you will see each POST transaction followed by a [view trace] hyperlink (such as c:\cygwin\ratproxy/506875b7-2ac4.trace). The hyperlink wasn’t working anyway, but it does indicate which of the .trace files to associate with this POST transaction.

Microsoft Attack Surface Analyzer Error Message

August 5, 2012

Q: I have “Microsoft .NET Framework 4 Client Profile” installed, but when installing Microsoft Attack Surface Analyzer I get the message:

You are attempting to install Attack Surface Analyzer on a system without .Net 4 or above.  If you continue with the installation, only the command-line executable asa.exe and the data collection components of Attack Surface Analyzer will be installed.  To continue with installation, click Next.  If you do not want to continue with installation, click Cancel.

A: Do you also show “Microsoft .NET Framework 4 Extended” installed? If not, then install it before installing Microsoft Attack Surface Analyzer. Alternately, the command-line executable asa.exe is not such a bad idea.