未加星标

OWASP Top 10 Security Risks Part IV

字体大小 | |
[网络安全 所属分类 网络安全 | 发布者 店小二03 | 时间 2019 | 作者 红领巾 ] 0人收藏点击收藏

To bring awareness to what threatens the integrity of websites, we are continuinga series of posts on the OWASP top 10 security risks .

The OWASP Top 10 list consists of the 10 most seen application vulnerabilities:

Injection Broken Authentication Sensitive data exposure XML External Entities (XXE) Broken Access control Security misconfigurations Cross-Site Scripting (XSS) Insecure Deserialization Using Components with known vulnerabilities Insufficient logging and monitoring

In our previous posts, we explained the first six items on the OWASP Top 10 list. Today, we are going to explore items 7 and 8: cross-site scripting and insecure deserialization .

7. Cross-Site Scripting (XSS)

Cross Site Scripting (XSS) is a widespread vulnerability that affects many web applications. XSS attacks consist of injecting malicious client-side scripts into a website and using the website as a propagation method.

The danger behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim’s browser to execute the code provided by the attacker while loading the page.

XSS is present in about two-thirds of all applications.

Generally, XSS vulnerabilities require some type of interaction by the user to be triggered, either via social engineering or via a visit to a specific page. If an XSS vulnerability is not patched, it can be very dangerous to any website.

Examples of XSS Vulnerabilities

Imagine you are on your WordPress wp-admin panel adding a new post. If you are using a plugin with a stored XSS vulnerability that is exploited by a hacker, it can force the browser to create a new admin userwhile in thewp-admin panel or it can edit a post and perform other similar actions.

An XSS vulnerability gives the attacker almost full control of the most important software of computers nowadays: the browsers.

Last year, our research team disclosed a stored XSS vulnerability in the core of WordPress websites . Remote attackers could use this vulnerability to deface a random post on a WordPress site and storemalicious javascript codein it.

Types of XSS

According to OWASP , there are 3 types of XSS:


OWASP Top 10 Security Risks   Part IV
Types of XSS Reflected XSS

:

The application or API includes unvalidated andunescaped user input as part of HTML output. A successfulattack can allow the attacker to execute arbitrary HTML andJavaScript in the victim’s browser.

Typically the user will need tointeract with some malicious link that points to an attacker-controlled page, such as malicious watering hole websites,advertisements, or similar.

Stored XSS

:

The application or API stores unsanitized userinput that is viewed at a later time by another user or anadministrator. Stored XSS is often considered high or criticalrisk.

DOM XSS

:

JavaScript frameworks, single-page applications, andAPIs that dynamically include attacker-controllable data to apage are vulnerable to DOM XSS. Ideally, the application wouldnot send attacker-controllable data to unsafe JavaScript APIs.

Typical XSS attacks include session stealing, account takeover,MFA bypass,DOM-node replacement or defacement (such as Trojan login panels), attacks against the user’s browser such asmalicious software downloads, keylogging, and other client-sideattacks.

Reducing the Risks of XSS

There are technologies like the Sucuri Firewall designed to help mitigate XSS attacks. If you are a developer, here is some insight on how to identify and account for these weaknesses.

How to Prevent Broken Access Control

Preventive measures to reduce the chances of XSS attacks should take into account the separation of untrusted data fromactive browser content. OWASP gives some practical tips on how to achieve it:

Using frameworks that automatically escape XSS by design,such as the latest Ruby on Rails, React JS. Learn thelimitations of each framework’s XSS protection andappropriately handle the use cases which are not covered.

Escaping untrusted HTTP request data based on the context inthe HTML output (body, attribute, JavaScript, CSS, or URL) willresolve Reflected and Stored XSSvulnerabilities. TheOWASPCheat Sheet ‘XSS Prevention’has details on the required dataescaping techniques.

Applying context-sensitive encoding when modifying thebrowser document on the client side acts against DOM XSS.When this cannot be avoided, similar context-sensitiveescaping techniques can be applied to browser APIs asdescribed in theOWASP Cheat Sheet ‘DOM based XSSPrevention’.

Enabling aContent Security Policy (CSP)is a defense-in-depthmitigating control against XSS. It is effective if no othervulnerabilities exist that would allow placing malicious code vialocal file includes (e.g. path traversal overwrites or vulnerablelibraries from permitted content delivery networks). I have also written a post about Content Security Policy best practices if you want to learn more about this topic.

8. Insecure Deserialization

Note: OWASP informed that this security risk is added by an industry survey and not on quantifiable data research.

Every web developer needs to make peace with the fact that attackers/security researchers are going to try to play with everything that interacts with their application from the URLs to serialized objects.

In computer science, an object is a data structure; in other words, a way to structure data. To make it easier to understand some key concepts:

The process of serialization is converting objects to byte strings. The process of deserialization is converting byte strings to objects. Example of Attack Scenarios

According to OWASP, here are some examples of attack scenarios:

Scenario #1 :A React application calls a set of Spring Bo

本文网络安全相关术语:网络安全工程师 网络信息安全 网络安全技术 网络安全知识

代码区博客精选文章
分页:12
转载请注明
本文标题:OWASP Top 10 Security Risks Part IV
本站链接:https://www.codesec.net/view/628421.html


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 网络安全 | 评论(0) | 阅读(230)