Injection, Broken Authentication and XSS are the main cyber risks

(by Alessandro Rugolo)
16/10/17

OWASP is a standard for the production of secure web applications, and if we consider that almost all applications are now web applications ...

OWASP is also a global organization that aims to improve software security (see article).
Among its most successful initiatives is the OWASP Top Ten, a list of the ten main cyber risks in application development.
The last still-valid list was published in 2013, while the next one should be released in November 2017.
At the beginning of the year the process to update the list began, but the first attempt failed, having been rejected by the community.

The first draft of the 2017 Top Ten, still under discussion, indicates the following 10 major risks:

A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Broken Access Control
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Insufficient Attack Protection
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Underprotected APIs.

It is a list that is not easy to understand for those who do not have extensive knowledge of computer security.
Let's try to deepen the meaning of these terms with Walter Ambu, founder of Entando, a startup which uses the OWASP methodology for secure software development.

Engineer Ambu, your company, Entando, develops secure software ... Can you help us understand more about your development methodology? What kind of software do you deal with? What kind of customers do you address? How committed are you to research and development? And, above all, can you help us understand better what the main risks included in the OWASP Top Ten are?

Entando is an Open Source software platform that simplifies the creation of next-generation web applications, the so-called "Modern Applications".
What do we mean?
Today, companies and public administrations, especially the largest ones engaged in the race towards digitalization, have two problems: speed and harmonization.
On the one hand, they need to speed up application release times before a competitor does. On the other hand, they must tidy up an ever-growing portfolio of applications, characterized by completely different interfaces and inconsistent user experiences that create problems for those who use them. Entando, thanks to the UX / UI (User eXperience / User Interface) pattern, acts as a "harmonizer" of the user experience and as an "accelerator", thanks to modern software development techniques based on containers, devops, CI / CD (Continuous Integration / Continuous Development) and microservices.
It goes without saying that Entando, being Open Source, must by nature have a strong propensity for innovation and research. The team is made up of software engineers, IT specialists and PhDs who, in terms of "modernity", also work in smart working (remote working).
As regards security, Entando develops according to the OWASP methodology ...

How has your company adopted this methodology? What are the benefits? Is it difficult to apply it to software production? Does the staff take courses? Do you collaborate with universities?

Developing Modern Applications for companies and public administrations means giving assurances of innovation, quality and security on the software product. For this reason Entando has decided to adopt the OWASP guidelines in addition to methodologies for checking and verifying the quality of the code.
Entando actively collaborates with the Pattern Recognition and Applications Lab of the University of Cagliari (http://pralab.diee.unica.it), whose IT security division is led by prof. Giorgio Giacinto. In particular, it took part in a project called sTATA (http://stata.diee.unica.it), which consists of the creation of a district with specific and advanced skills in the field of information security, within which ideas, solutions and innovative products can be developed in response to the risks of cyber attack to which citizens and companies are currently exposed. This project obviously included several phases, including training for the Entando staff involved in the implementation of the platform.

We know that there are still ongoing discussions on the 2017 Top Ten and that we will still have to wait to see the official one. But we leave these subtleties to the experts in the field and try to reason as if the Top Ten had already been released.
At the top, already in 2013 and, for now, also in the draft proposal for 2017, there is the category known as "Injection", which carries the definition: "Injection flaws, such as SQL, OS, XXE, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization".

In simple words, for non-experts, can you explain what it is?

By Injection we mean a broad class of attacks that allow an attacker to pass input data to a piece of software that alters its expected execution. It is one of the most dangerous attacks against web applications. The result can range from data loss to the theft of sensitive data such as credit cards.
Among the different Injection types, SQL Injection is the most popular one.
SQL Injection is a hacking practice that involves hitting web applications that rely on databases. Because of the vulnerability, the attacker is able to operate on the database by reading, altering or deleting the data in it without authorization.

Among the real cases in which an attack of this category was used, there is the 2009 attack against Heartland Payment Systems. On that occasion, the credentials of 130 million credit and debit cards were stolen. But how do you improve the security of a system subject to this vulnerability?

It is necessary to verify that the controls on the incoming data work, so that it is not possible to run arbitrary queries on the database by exploiting missing or incorrect validation of the received data. To be even clearer, if a form on a site requires a userid to be entered, the software must check that the data entered by the user is actually in the format of a userid and prevent the user from sending different data, perhaps a string that can be interpreted as a command.
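The two controls just described (a format check on the userid and a query that cannot be altered by the value) side by side with the flaw they prevent, as an added editorial example that is not code from the interview or from Entando; the users table, the userid format and the sample inputs are constructed for the demonstration.

```python
import re
import sqlite3

# Assumed userid format: a lowercase letter followed by 2-31 letters, digits or underscores.
USERID_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def make_db():
    """Constructed in-memory users table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return conn


def lookup_unsafe(conn, userid):
    """Vulnerable: the form value is pasted into the SQL text, so quote characters
    in it are read by the database interpreter as part of the command."""
    sql = "SELECT email FROM users WHERE userid = '" + userid + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, userid):
    """Hardened: check the format first, then bind the value as a parameter
    so the database never parses it as SQL."""
    if not USERID_RE.fullmatch(userid):
        raise ValueError("userid has an unexpected format")
    sql = "SELECT email FROM users WHERE userid = ?"
    return [row[0] for row in conn.execute(sql, (userid,))]


def demo():
    """Run both lookups on a normal userid and on a constructed string that
    the unsafe query would interpret as a command; returns the outcomes."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed sample input, not a real user
    result = {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_crafted": sorted(lookup_unsafe(conn, crafted)),  # leaks every row
        "safe_normal": lookup_safe(conn, "alice"),
    }
    try:
        lookup_safe(conn, crafted)
        result["safe_crafted"] = "accepted"
    except ValueError:
        result["safe_crafted"] = "rejected"  # stopped by the format check, before any query
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```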

Thanks, now I think the meaning of "Injection" is clearer to everyone.

Perhaps not everyone will fully understand the mechanisms underlying the attack, but I think the most important thing is to make people aware that the use of web tools can present risks, and that there are methods to minimize them. Engineer Ambu, the second on the list is Broken Authentication and Session Management.

What is it about?

In this case we are dealing with a vulnerability where an attacker can manipulate data that is typically stored in the so-called "session token", which is a unique identifier for the user surfing the web pages and is used to exchange data between the client and server parts of a web application. The famous cookies enable this mechanism. In this case, an attacker can even assume someone else's identity, modify passwords and get into the systems. Let's imagine, for example, the damage a hacker can do by getting into our bank account!

They could empty the account! And maybe get information on the current accounts of people with whom we have working relationships. Potentially this puts at risk not only us but also the people and companies we are dealing with.
Engineer Ambu, I certainly don't want to take up too much of your time by asking you to analyze all ten vulnerabilities on the list, but I think at least the third one deserves attention: Cross-Site Scripting (XSS). What is it?

Cross-Site Scripting is a common technique for identity theft.
In practice, an application takes in incoming data, for example from a form, without performing any validation check; from this point of view it resembles the injection technique.
Malicious people can then inject, through the browser, a snippet of JavaScript code into any form of the website, causing the theft of any person's identity or the modification of the website, even forcing the user to download malware.

Engineer Ambu, thank you for the time you have dedicated to us. I would still like to take advantage of your presence and expertise to repeat that all these attack techniques can, at least in part, be rendered harmless by using the best practices of the OWASP methodology. In practice, using the OWASP methodology prevents most of the most common and dangerous attacks.

Exactly, OWASP is a preventive methodology. Its application should in any case not be considered a panacea against all evils, but it is certainly very useful and deserves to be thoroughly studied by all those who are somehow dealing with software development and computer security. In this regard, OWASP Day will be held on 20 October 2017 at the auditorium of the Faculty of Engineering and Architecture in Piazza d'Armi, Cagliari. An interesting event with regard to software security.
Among the guests will be Synopsys vice president Gary McGraw, a globally recognized authority in the field of cyber security.
We at Entando will be present, and there will be the opportunity to deepen the concepts just presented and much more. We are waiting for you!

To learn more:
- https://www.owasp.org/index.php/Italy_OWASP_Day_2017
- https://www.computerworld.com/article/2527185/security0/sql-injection-at...
- https://www.w3schools.com/sql/sql_injection.asp