By Roy Mark
The 10 most critical Web
application security problems for government and the private
sector were unveiled Monday by the Open Web Application Security
Project (OWASP), the Washington, D.C.-based open source
community project. The list of vulnerabilities was created to
focus government and industry on the most serious of the
problems.
According to the report, the
flaws are "surprisingly common" and can be exploited
by unsophisticated attackers with easily available tools. When
an organization deploys a web application, OWASP
says, it invites the world to send it HTTP requests. Attacks
buried in these requests "sail past firewalls, filters,
platform hardening, SSL, and IDS without notice" because
they arrive inside legitimate HTTP requests.
Therefore, the report
concludes, web application code is part of the security
perimeter and cannot be ignored.
"The OWASP Top Ten list
shines a spotlight directly on one of the most serious and often
overlooked risks facing government and commercial
organizations," said Jeffrey Williams, CEO of web
application security firm Aspect
Security. "A stunning number of organizations spend big
bucks securing the network and somehow forget about the
applications."
The report also stresses that
the security issues raised are not new.
"In fact, some have been
well understood for decades. Yet for some reason, major software
development projects are still making these mistakes and
jeopardizing not only their customers' security, but also the
security of the entire Internet," the OWASP Web site
states.
Added Peter G. Neumann,
moderator of the ACM Risks Forum,
"The underlying reality is shameful: most system and Web
application software is written oblivious to security
principles, software engineering, operational implications, and
indeed common sense."
The list includes:
- Unvalidated Parameters:
Information from web requests is not validated before being used
by a web application. Attackers can use these flaws to attack
back-end components through a web application.
- Broken Access Control:
Restrictions on what authenticated users are allowed to do
are not properly enforced. Attackers can exploit these flaws
to access other users' accounts, view sensitive files,
or use unauthorized functions.
- Broken Account and Session
Management: Account credentials and session tokens are not
properly protected. Attackers who can compromise passwords,
keys, session cookies, or other tokens can defeat
authentication restrictions and assume other users'
identities.
- Cross-Site Scripting Flaws:
The web application can be used as a mechanism to transport
an attack to an end user's browser. A successful attack
can disclose the end user's session token, attack the
local machine, or spoof content to fool the user.
- Buffer Overflows: Web
application components in some languages that do not
properly validate input can be crashed and, in some cases,
used to take control of a process. These components can
include CGI, libraries, drivers, and web application server
components.
- Command Injection Flaws: Web
applications pass parameters when they access external
systems or the local operating system. If an attacker can
embed malicious commands in these parameters, the external
system may execute those commands on behalf of the web
application.
- Error Handling Problems:
Error conditions that occur during normal operation are not
handled properly. If an attacker can cause errors to occur
that the web application does not handle, they can gain
detailed system information, deny service, cause security
mechanisms to fail, or crash the server.
- Insecure Use of
Cryptography: Web applications frequently use cryptographic
functions to protect information and credentials. These
functions and the code to integrate them have proven
difficult to code properly, frequently resulting in weak
protection.
- Remote Administration Flaws:
Many web applications allow administrators to access the
site using a web interface. If these administrative
functions are not very carefully protected, an attacker can
gain full access to all aspects of a site.
- Web and Application Server
Misconfiguration: Having a strong server configuration
standard is critical to a secure web application. These
servers have many configuration options that affect security
and are not secure out of the box.
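The first and sixth items on the list are two ends of the same bug: a request parameter that is never validated ends up inside a command handed to the operating system. The example below is added here to show that in working code; it is not code from OWASP or from the report. It uses a hypothetical "ping this host" feature, a constructed benign request and a constructed hostile one, and contrasts the vulnerable way of building the command (string concatenation handed to a shell) with a hardened version that allowlists the parameter and passes an argument list so no shell ever parses it.

```python
"""Unvalidated parameter -> command injection, vulnerable and hardened.

Added example (not OWASP's code). The "web application" is a function that
receives already-parsed query parameters; the external system it talks to is
the local `ping` binary. All names and sample requests are constructed.
"""
import re
import subprocess

# Constructed sample requests: one benign, one carrying a shell metacharacter.
BENIGN_REQUEST = {"host": "example.com"}
HOSTILE_REQUEST = {"host": "example.com; cat /etc/passwd"}

# Allowlist for a hostname: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_ping_vulnerable(params):
    """Vulnerable: the raw parameter is pasted into a shell command line.
    Returns the string that os.system() / shell=True would hand to /bin/sh."""
    host = params.get("host", "")
    return "ping -c 1 " + host


def shell_command_count(command_line):
    """Approximate how many separate commands /bin/sh would run for the
    given line, by splitting on the common command separators ; && || |.
    Anything above 1 means the parameter escaped the intended command."""
    parts = [p for p in re.split(r";|&&|\|\|?", command_line) if p.strip()]
    return len(parts)


def build_ping_hardened(params):
    """Hardened: validate against an allowlist, reject option-looking values,
    and return an argv list so the value is only ever a single argument.
    Raises ValueError on anything that fails validation."""
    host = params.get("host", "")
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected host parameter: %r" % host)
    if host.startswith("-"):
        # Even a clean-looking value could be read as a ping option.
        raise ValueError("host parameter may not begin with '-': %r" % host)
    return ["ping", "-c", "1", host]


def run_argv(argv):
    """Execute an argv list without a shell (shell=False is the default).
    Not invoked by the checks below; shown so the safe call is visible."""
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for req in (BENIGN_REQUEST, HOSTILE_REQUEST):
        line = build_ping_vulnerable(req)
        print("vulnerable builds:", repr(line),
              "->", shell_command_count(line), "command(s) for /bin/sh")
        try:
            print("hardened builds:  ", build_ping_hardened(req))
        except ValueError as exc:
            print("hardened rejects: ", exc)
```

The point of the hardened version is not the regular expression alone: even a validated value is still passed as one element of an argument vector, so the fix does not depend on guessing every character a shell might treat specially. The same shape applies to any other external system on the list (database query, LDAP filter, file path): validate against what the field is supposed to be, then use an interface that keeps data separate from the command.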