Geeks With Blogs
The Library of Software Testing Pavankumar Pothuraju's weblog

A list of the top 10 most critical Web application security problems is available from the Open Web Application Security Project (OWASP), an open Source community project that develops tools and documentation to help organizations secure Web applications and Web services.

The group says the list combines its members' collective knowledge and should help organizations focus on the most serious vulnerabilities. They represent equal risks to network security, and you should give them the same degree of attention.

OWASP stresses that none of the issues are new; many have been well-known for decades. However, it says major software developers continue to make the same mistakes, placing customers and even the entire Internet at risk.

The flaws are common, and unsophisticated attackers can exploit them with readily available tools. As OWASP explains, organizations in effect invite the world to send them HTTP requests when they deploy a Web application. Attacks buried in these requests sneak past firewalls, filters, SSL, and intrusion detection systems (IDSs) undetected because they're inside legal HTTP requests. For this reason, Web application code is part of the security perimeter and can't be ignored.

The list includes the following:

  • Unvalidated parameters: In this scenario, information from Web requests isn't validated before the Web application uses it. Attackers can use these flaws to attack back-end components through a Web application.
  • Broken access control: Organizations fail to enforce restrictions on what authenticated users are allowed to do. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
  • Broken account and session management: Account credentials and session tokens aren't properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
  • Cross-site scripting (XSS) flaws: An attacker can use the Web application as a mechanism to transport an attack to a user's browser. A successful attack can disclose the user's session token, attack the local machine, or spoof content to fool the user.
  • Buffer overflows: Attackers can crash Web application components in some languages that don't properly validate input and, in some cases, use those components to take control of a process. These components can include CGI, libraries, drivers, and Web application server components.
  • Command injection flaws: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system might execute them on behalf of the Web application.
  • Error handling problems: Some Web applications don't properly handle error conditions that occur during normal operation. If an attacker can cause errors that the Web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
  • Insecure use of cryptography: Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
  • Remote administration flaws: Many Web applications let administrators access the site using a Web interface. If these administrative functions aren't carefully protected, an attacker can gain full access to all aspects of a site.
  • Web and application server misconfiguration: Having a strong server configuration standard is critical to a secure Web application. Web and application servers have many configuration options that affect security; they aren't secure "out of the box."
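As an added example (not code from this post or from OWASP) tying together three of the items above, unvalidated parameters, command injection and XSS, in Python: a vulnerable command-string builder beside a hardened version that allowlists the request parameter and returns an argv list for a shell-free call, plus HTML encoding of untrusted output. The `ping` host parameter and the sample request values are assumptions constructed for the demonstration.

```python
import html
import re

# Allowlist for a hostname parameter: letters, digits, dots and hyphens only.
# Shell metacharacters such as ';', '|', '&' and whitespace can never match.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: the request parameter is interpolated into a shell
    string, so anything after a ';' or '|' becomes a second command."""
    return f"ping -c 1 {host}"


def validate_hostname(host: str) -> str:
    """Unvalidated-parameter fix: reject anything that is not a plain hostname."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname parameter: {host!r}")
    return host


def build_ping_argv(host: str) -> list[str]:
    """Hardened form: validate first, then build an argv list meant for
    subprocess.run(argv) without shell=True, so no shell ever parses it."""
    return ["ping", "-c", "1", validate_hostname(host)]


def render_greeting(name: str) -> str:
    """XSS fix: HTML-encode untrusted data before placing it in a page."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def demo() -> dict:
    """Constructed request values (not real traffic) run through both paths."""
    injected = "example.com; echo injected"  # constructed sample parameter
    try:
        hardened = build_ping_argv(injected)
    except ValueError as exc:
        hardened = str(exc)
    return {
        "unsafe": build_ping_command_unsafe(injected),
        "hardened": hardened,
        "greeting": render_greeting("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```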

"[The list] will educate vendors to avoid the same mistakes that have been repeated countless times in other Web applications," says Stephen Christey, an editor with Mitre CVE, which works to standardize the names for all known vulnerabilities and security exposures. "But it also gives consumers a way of asking vendors to follow a minimum set of expectations for Web application security and, just as importantly, to identify which vendors are not living up to those expectations."

Posted on Friday, August 6, 2004 4:14 PM, Web Testing
