Tuesday, November 12, 2013

OWASP Top 10 For the Average Internet User: Broken Authentication/Session Management

Where can it happen?

This can happen anywhere you need a username and password to log in, or anywhere that a website has to tell you apart from other internet users.

What is it?

When you log on to a website, that website needs a way to identify your internet traffic and keep you separate from all of the other people out there. Let's say that when you log on to Facebook, Facebook tells you to identify yourself as user 150 every time you go to a new page. As long as you send that number, Facebook knows to show you your friends, allow you to post new status updates, comment on pictures as yourself, etc.

But what if I (as an evil internet hacker) decided to browse Facebook and send them 150 as my identifier? Suddenly I become you! I can ask for my (your) chat history and see what girls you've talked to, I can post witty comments on your mother's pictures, I can unfriend your girlfriend! Mwwahaha!

Why should I care?

We really just covered this, but in case you don't care that I can unfriend your girlfriend on Facebook, what if I get your session token for your bank? Or your Fandango or PayPal account? Now your finances as well as your social life are at my mercy, which is very bad.

How can I protect myself?

Make sure that your websites log you in over a secure connection. This means that you should log in over SSL (you should see HTTPS at the beginning of the URL). Not many companies provide it, but it doesn't hurt to ask your bank or credit union how they handle your internet security before agreeing to do business with them online. That being said, the larger the company, the more likely they are to put time and resources into ensuring your online security.

Tuesday, November 5, 2013

OWASP Top 10 For the Average Internet User: Injection

Where can it happen?

This can happen anywhere that a website allows users to enter text (literally anywhere: comment boxes, Twitter updates, payment fields, username and password fields, etc.) or anywhere that a website accepts text from the internet.

What is it?

A computer program is really just a series of letters and symbols put together by a person that a computer understands as instructions and then executes. When a computer program (like a website and your browser) handles text that you type, the distinction between that text and the program itself exists only because the computer keeps the two apart. Think of it like a chocolate bar in a wrapper. The wrapper contains the chocolate bar and you can tell the difference, so you know to eat one and not the other.

But what if someone made a wrapper that looked and smelled like chocolate? You'd probably wind up with a mouthful of paper.

Injection is someone making the text they type into your website look and smell like program code so that the computer will run that code.

Why should I care?

Usually the program that is injected is SQL or JavaScript. Both of these are very bad. JavaScript can make your browser do almost anything. The possibilities are only limited by the attacker's imagination and the time they have to search for JavaScript tricks on the internet. If the attacker can find enough information about the website, they can pull a lot of information out of it with SQL.
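To make the "wrapper that looks like chocolate" idea concrete for the SQL case, here is an added example (not from the original post): a login check that pastes the typed text straight into the query, beside one that uses placeholders so the database treats the text as data only. The user table and the inputs are constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed in-memory user table with one sample account (example data).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db

def login_vulnerable(db, name, password):
    # The typed text is pasted straight into the SQL statement, so the database
    # cannot tell where the "wrapper" (the query) ends and the user's text begins.
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(sql).fetchone()[0] > 0

def login_safe(db, name, password):
    # Placeholders send the query and the text separately; the database treats
    # the text as data only, whatever characters it contains. This is the fix.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0

def demo():
    db = make_db()
    real = ("alice", "correct horse")
    # Constructed input that reads as SQL rather than as a password.
    looks_like_code = ("alice", "x' OR '1'='1")
    return {
        "vulnerable_accepts_real_password": login_vulnerable(db, *real),
        "vulnerable_accepts_text_that_looks_like_code": login_vulnerable(db, *looks_like_code),
        "safe_accepts_real_password": login_safe(db, *real),
        "safe_accepts_text_that_looks_like_code": login_safe(db, *looks_like_code),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The vulnerable version lets the typed text rewrite the question being asked of the database; the placeholder version asks the same question no matter what was typed.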

How do I protect myself?

Unfortunately, this one is mostly on the people running the websites. The best thing you can do is to be careful what websites you visit. If someone sends you a link that doesn't look familiar, or you don't know why they're sending it to you, find out more from them first.

You can also search for the name of the website on Google. If you add "virus" or "malware" to the website's name, Google should return some helpful results telling you if the website is known for suspicious activity.