Beyond the Top 10

John & Mary Beth King

Equifax

• CVE-2017-5638: March 9th, 2017
• Equifax Breach: Mid-May, 2017

Application Security Requirements

• Developer knowledge & ownership
• Organizations must be Agile
• Long-term commitment

OWASP Top 10 (v2013)

• A1 – Injection
• A2 – Broken Authentication and Session Management
• A3 – Cross-Site Scripting (XSS)
• A4 – Insecure Direct Object References
• A5 – Security Misconfiguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control
• A8 - Cross-Site Request Forgery (CSRF)
• A9 - Using Components with Known Vulnerabilities
• A10 – Unvalidated Redirects and Forwards

We'll Cover

• Session Cookie Flags
• Third-party Scripts
• Cross-origin Resource Sharing (CORS)

Session Cookie Flags

• Secure
• HttpOnly
• SameSite*

* Not yet widely supported

Third-party Scripts

"The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor's code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor's code was removed from the webpage and we have taken the webpage offline to conduct further analysis."

(https://www.cnbc.com/2017/10/12/equifax-says-it-might-have-been-breached-again.html

Third-party Scripts

• Local copy or proxy
• Sandbox / iFrame
• Subresource Integrity (SRI)
• Content Security Policy (CSP)

Cross-origin Resourse Sharing (CORS)

CORS

• Limitations of Access-Control-Allow-Origin
• Dangers of Access-Control-Allow-Credentials

SRI & CSP Guides

• https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
• https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
• https://www.sitepoint.com/improving-web-security-with-the-content-security-policy/
• https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet

★ Awesome Articles ★

GitHub Engineering

• https://githubengineering.com/subresource-integrity/
• https://githubengineering.com/githubs-csp-journey/
• https://githubengineering.com/githubs-post-csp-journey/

★ More Awesome Articles ★

PortSwigger Web Security Blog

Exploiting CORS Misconfigurations for Bitcoins and Bounties
James Kettle
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html

OWASP Resources

• OWASP Top 10
• OWASP Application Security Verification Standard (ASVS)
  
• OWASP Zed Attack Proxy

Join Us

Get involved in the Rochester OWASP Chapter
https://www.owasp.org/index.php/Rochester

Thanks!

JohnNKing.com/slides/rss2017
github.com/JohnNKing/appsecdemo-php

John N. King <john@westwindsecurity.com>
Mary Beth King <marybeth@westwindsecurity.com>

This presentation made possible by:
Rochester Security Summit
Rochester Chapter of OWASP

Slides made with Reveal.js