While many would expect 60 percent to be a number sobering enough to get even the most stubborn sites to look more closely at securing their web sites, many web developers, IT managers and site owners are simply not aware of the threats their web applications face.
Since 2003, OWASP (Open Web Application Security Project) has been making an effort to inform web decision makers of the 10 most critical web application security flaws are through their Top 10 Project (link to: http://www.owasp.org/index.php/OWASP_Top_10_Project). 2010 marks the third update to this list after a final draft to the original released in 2004 and an update to the list in 2007.
OWASP is “an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.” Their work is derived from a collaboration of security professionals who serve as volunteers to bring information to the community in an open and unbiased manner. While the organization is not affiliated with any technology or security companies, they do support the use of commercial security products.
The Top 10
The Top 10 project is described by OWASP as:
The OWASP Top 10 provides a powerful awareness document for web application security. The OWASP Top 10 represents a broad consensus about what the most critical web application security flaws are.
One of the most noticeable changes to the Top 10 list is the focus being shifted from a list of the top 10 vulnerabilities to the top 10 risks. The reason for the shift is quite practical, “Actually, it moved from prevalence (which is one factor of likelihood) to risk, which takes into likelihood and prevalence to estimate risk. Organizations care about risk, not just likelihood, and the Top 10 was always about risk (really), but we weren’t as clear as we should be, so this update works to make that much more clear.” Dave Wichers, Project Leader for the Top 10 List.
Additionally, two risks were dropped from this update: Malicious File Execution due to tighter PHP security lowering the prevalence of this problem, and Information Leakage and Improper Error Handling because of a minimal zed impact of disclosing stack trace and error message information.
- Cross Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross Site Request Forgery (CSRF)
- Security Misconfiguration
- Failure to Restrict URL Access
- Unvalidated Redirects and Forwards
- Insecure Cryptographic Storage
- Insufficient Transport Layer Protection
- Examples of injection flaws are SQL, LDAP, HTTP header injection (cookies, requests), and OS command injections
- Attacks occur when untrusted data, such as a query, command or argument, is sent to an interpreter
- Vulnerable applications can be tricked into executing unintended commands or allowing the attacker to access, and modify, data
Cross Site Scripting
- There are three types of XSS attacks: stored, reflected, and Dom based
- XSS attacks occur when an application allows data that is not validated or escaped properly to be sent to a web browser
- Malicious scripts are executed in the victim’s browser allowing the attacker to hijack the user’s session, steal cookies, deface web sites, redirect users to malicious web sites, and remote browser control
Broken Authentication and Session Management
- Users are impersonated due to leaks or flaws in the authentication process
- Attacks occur when a session ID is visible to others, timeouts are not properly set, SSL/TLS is not used, or any other flaw in the authentication scheme is detected
- Flaws used against one account may be replicated against an account with higher privileges
Insecure Direct Object References
- Attack occurs when an authorized user can change a parameter value that refers to a system object that they are not authorized for
- Almost any reference that can be reached by URL to include: references to files, paths, database keys, reflection by class name (e.g. JDBC connector class)
- Remote referencing includes: Web Services, CORBA, RMI, RPC
Cross Site Request Forgery (CSRF)
- Attacker creates malicious code to generate a forged request that the attacker tricks the victim into submitting
- Forged requests can be hidden in image tags, XSS attacks and a number of other techniques
- CSRF attacks can complete any transactions that the victim is permitted to perform such as access data, transfer funds or make purchases
- New to the 2010 update
- Attacker exploits unsecured pages, default accounts, unpatched flaws or any other
vulnerability that could have be addressed by proper configuration
- These attacks can result in a complete system compromise
Failure to Restrict URL Access
- This attack takes place when an authorized user can simply change a URL to access a privileged page
- Attackers generally look for administrative functions to employ this attack on
- Links can be obtained from: hidden fields, client-side code, robots.txt, configuration files, static XML files, directory access
Unvalidated Redirects and Forwards
- New to the 2010 update
- Unvalidated parameter allows an attacker to choose a destination page where they wish to send a victim to trick them into disclosing private information
- Victims trust these links because the link is to a valid site
Insecure Cryptographic Storage
- The most common reason for this attack is that data that should be encrypted is stored in cleartext
- Can result from the poor use of encryption algorithms such as using home grown algorithms, insecure use of strong algorithms or the continued use of proven weak algorithms
- The use of weak or unsalted hashes to protect passwords is another common flaw that leads to this risk
Insufficient Transport Layer Protection
- Most commonly, this attack occurs when a site does not use SSL/TLS for pages that require authentication where an attacker can monitor network traffic to steal an authenticated user’s session cookie
- Poorly configured SSL certificates can lull a user into accepting warnings for legitimate sites only to be tricked into accepting a phishing site’s certificate
- Attacks can lead to account theft, phishing attacks and admin accounts being compromised
Minimizing the Risks
In addition to adopting the OWASP Top 10, the Payment Card Industry (PCI) standard has also made the implementation of a Web Application Firewall an option to fulfill one of the requirements for compliance.
Web Application Firewalls provide a deep inspection of IP packets, filtering malicious requests from reaching the web server while simultaneously weeding out responses that have been deemed inappropriate thus protecting sensitive information from being accessed illicitly.
dotDefender from Applicure works to mitigate risks posed by many of the OWASP Top Ten. As a Web Application Firewall, dotDefender protects your web site, your customers and your applications against:
- Injection attacks
- Cross site scripting attacks
- Indirect object references
- Cross site request forgeries
- Unvalidated redirects and forwards
For more information about how dotDefender can help protect against the risks associated with the top ten list, see the OWASP Best Practices page: Use of Web Application Firewalls.
The Most Vulnerable Programming Languages
Vendor Lock In or Ignorant Design?
Ponemon State of Web Application Security Report