Results 1 to 6 of 6

Thread: Top 10 Web App Vulnerabilities

  1. #1
    Join Date
    Aug 2002

    Top 10 Web App Vulnerabilities

    February 3, 2003
    Top 10 Web App Vulnerabilities

    By Timothy Dyck

    The Open Web Application Security Project, a collaborative security education site, has released a list of the top 10 vulnerabilities in Web applications. The list, at www.owasp.org , is clearly written and full of real problems?with a variety of matching solutions. Here's the vulnerabilities list followed by eWEEK Labs' recommendations.

    1. Unvalidated Parameters

    Nothing client computers send to Web applications should be accepted without validating the input. Input should be scanned two ways: First, input strings should get a low-level scrubbing using regular expressions or checks against enumerated values; second, application-level checks should be performed on input data.

    2. Broken Access Control

    Once users have logged in, each page in the application must enforce access control rules. Do not rely solely on characteristics of the data stream to do this; application-level checks must also enforce access controls. Encrypt traffic to block replay attempts and reauthenticate users before critical tasks as a defensive measure against session hijacking.

    3. Broken Account and Session Management

    If attackers can access a user's session information, they can get around the whole authentication subsystem. Developers who use their own session key generation code must be able to strongly justify that decision or use the application server's session key logic.

    4. Cross-Site Scripting Flaws

    Parse user input to turn angle brackets (such as "<") into HTTP escape sequences to prevent scripting code from being stored on the server. Remember, ASCII characters can be encoded as Unicode to attempt to get around these checks.

    5. Buffer Overflows

    This is a risk only when user input is passed to components written in languages that don't have buffer overflow protection (C and C++ are the main problem languages). Avoid using these in Web application code. Keep third-party components patched.

    6. Command Injection Gaps

    This weakness arises when web applications pass user input to operating system programs or SQL databases without filtering out or escaping command termination or command separation characters. Attackers can then embed commands in their input; these commands will run on the Web server or database server. Databases must limit permissions of Web user log-ins.

    7. Error-Handling Flaws

    Never show default error messages to Web users. Intercept error conditions and display a generic message to avoid leaking information. Install an error-tracking mechanism to notice when a site is being probed for weaknesses.

    8. Insecure Use of Cryptography

    Every mainstream language now has strong cryptography support. Use a proven algorithm and don't store the key within source code, because source code disclosure bugs are relatively common in application severs.

    9. Remote Administration Problems

    Use strong authentication techniques and don't make these administration tools available remotely. If they are needed, use a virtual private network to restrict network access.

    10. Web and Application Server Misconfiguration

    Keep software for these servers thoroughly patched. Remove unnecessary extensions and default accounts and passwords. Configure applications to avoid leaking information. Implement security best practices.

    West Coast Technical Director Timothy Dyck is at timothy_dyck@ziffdavis.com.


    Some tools that IT departments should have on hand for top-notch Web app security:

    Web application scanners
    Web application security scanning tools can detect several types of Web application security flaws at once. They should be used to find security problems during the application development cycle. (See eWeek Labs' May 20, 2002, vulnerability assessment package at www.eweek.com/links.) Good examples include:
    * Sanctum Inc.'s AppScan
    * SPI Dynamics Inc.'s WebInspect
    * Kavado Inc.'s ScanDo
    * OWASP's Web Scarab (still in the planning stages)
    * Cenzic Inc.'s Hailstorm (a more general-purpose fault-injection system than the tools above)

    Web application firewalls
    This is an emerging product category that uses stateful traffic inspection to dynamically parse and filter incoming HTTP requests, allowing only legitimate requests to pass. This is an immature market segment, but its potential effectiveness is high, and we think this approach is the way of the future.
    * Sanctum's AppShield
    * Stratum8 Networks Inc.'s Stratum8 Application Protection System 100
    * OWASP's CodeSeeker (Version 1.0 release planned for early this year)

  2. #2
    amazing, you can copy and paste. /me claps

  3. #3
    Join Date
    Aug 2002
    I can also read at greater than a 4th grade level.

  4. #4
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    New Jersey
    that's your contribution Erok?
    amazing, you can copy and paste. /me claps
    So far as I can see, Mayhem is just trying to be helpful. What exactly is your purpose besides being an arrogant *****?
    I could care less if I get negged for this. someone has to be honest.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  5. #5
    Join Date
    Jul 2002
    He shown the authors name and everything so I really don't see much of a problem here especially considering the fact that I've seen many members of AO post things from news sites and stuff all the time.

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Sorry mayhem991 beat you to it, by almost a month.


    I\'m a SittingDuck, but the question is \"Is your web app a Sitting Duck?\"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts