WASP Periodic Table of Vulnerabilities

January 5, 2018 | Author: Anonymous | Category: Business, Management, Business Information Systems
Share Embed Donate

Short Description

Download WASP Periodic Table of Vulnerabilities...


OWASP Periodic Table of Vulnerabilities James Landis [email protected]

The AppSec Profession


Project Goal GOAL

Existing ‘Taxonomies’

OWASP Top Ten (2013)

• Focuses on just the riskiest issue categories • Measures DREAD attributes • Recommends high-level solutions, and secure libraries like ESAPI

• Attempts to enumerate, but not classify, all web WASC Threat application attacks and weaknesses Classification • Includes a view (Development Phase View) which (v2) shows SDLC mapping • Officially avoids recommending solutions SANS Common • Focuses on riskiest issues (just more of them) Weakness • Measures DREAD attributes Enumeration • Recommends solutions, categorized by SDL phase (CWE-25)

Failed Approaches

• Developer Training • “Enumerating Badness”, “Penetrate and Patch” (h/t Marcus Ranum) – Some vulnerability classes, automated tests – Yes! – Other classes (e.g. Logic flaws), manual tests – No!

• Firewalls • Root cause analysis (XSS == SQLi, XSS != SQLi) • Everything else we’ve been doing


• Accepting Reality – HTTP not stateless – People might try to hurt us

• Platform Security Continuum Vulnerable by Default

Secure by Design

• Make it impossible to make mistakes • Economies of Scale

Divide and Conquer

Browsers and Standards Perimeter and Platform

Generic Frameworks Custom Frameworks Custom Code

User agents, plugins, HTTP protocol, SSL/TLS, Content Security Policy (CSP), Same Origin Policy (SOP), IETF RFC, etc. Application proxies, content distribution networks (CDNs), application firewalls, web servers, database servers, application servers, operating systems, etc. Web application runtime environments Development platforms unique to individual businesses/verticals Business logic unique to each application

Economies of Scale

Browsers and Standards

WebDev Mistakes

Code Changes

Perimeter and Platform

Generic Frameworks Custom Frameworks Custom Code



• Avoid reproducing existing documentation – Describe just enough of the solution to show how it’s distributed between targets – References, references, references!

• Minimize original research – Most solutions enforce old ideas in frameworks – Browser/standards require some new thought

• Mobile, thick client vulnerabilities excluded



OWASP'Periodic'Table'of'Vulnerabilities Perimeter'and'Platform




Browsers'and' Standards'@ ' Session' Management

Browsers'and' Standards'@ ' Content' Management


Selected Examples

Perimeter Browser Generic Custom Vulnerability /Infrastructur Custom Code /Standards Framework Framework e Clickjacking

Browser vendor standardization on safe framing


Change default for cross-domain writes

Improper Input Handling

Abuse of Functionality

Automatically set X-Frame-Options header

Configurable XFO policy

Automatic nonce checking, configurable Provide APIs for Provide APIs for positive positive validation validation of of custom types common types

Never use primitives

Define abuse cases for all features

Case Study - XSS

• Decouple presentation and data – easy with AJAX, not with Web 1.0 • What if content IS markup? • Secure framework might have steep learning curve / difficult adoption path • Browser sandboxing • CSP, Caja, IFRAME seamless/sandbox

Developer Training



CSRF HTTPRS Clickjacking Application DDoS Improper Input Handling Redirector Abuse Logical Flaws Remote File Include OS Commanding XML External Entities

AFTER Logical Flaws Function Abuse Input Validation Secure Framework

Drawbacks and Benefits

• DOESN’T help us with legacy/current applications • DOES help drive remediation planning / gap analysis in existing applications • DOES focus remediation toward areas with greatest force multiplier (e.g. Top Ten Defenses) • DOES allow objective evaluation of firewalls and frameworks


View more...


Copyright � 2017 NANOPDF Inc.