Jul 14, 2010

OWASP 2010

Since 2003, OWASP (Open Web Application Security Project) has been making an effort to inform web decision makers of the 10 most critical web application security flaws are through their Top 10 Project (link to: http://www.owasp.org/index.php/OWASP_Top_10_Project). 2010 marks the third update to this list after a final draft to the original released in 2004 and an update to the list in 2007.

OWASP is “an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.” Their work is derived from a collaboration of security professionals who serve as volunteers to bring information to the community in an open and unbiased manner. While the organization is not affiliated with any technology or security companies, they do support the use of commercial security products.

The Top 10
The Top 10 project is described by OWASP as:
The OWASP Top 10 provides a powerful awareness document for web application security. The OWASP Top 10 represents a broad consensus about what the most critical web application security flaws are.
One of the most noticeable changes to the Top 10 list is the focus being shifted from a list of the top 10 vulnerabilities to the top 10 risks. The reason for the shift is quite practical, “Actually, it moved from prevalence (which is one factor of likelihood) to risk, which takes into likelihood and prevalence to estimate risk. Organizations care about risk, not just likelihood, and the Top 10 was always about risk (really), but we weren’t as clear as we should be, so this update works to make that much more clear.” Dave Wichers, Project Leader for the Top 10 List.

Additionally, two risks were dropped from this update: Malicious File Execution due to tighter PHP security lowering the prevalence of this problem, and Information Leakage and Improper Error Handling because of a minimal zed impact of disclosing stack trace and error message information.

Injection

  • Examples of injection flaws are SQL, LDAP, HTTP header injection (cookies, requests), and OS command injections
  • Attacks occur when untrusted data, such as a query, command or argument, is sent to an interpreter
  • Vulnerable applications can be tricked into executing unintended commands or allowing the attacker to access, and modify, data

Cross Site Scripting

  • There are three types of XSS attacks: stored, reflected, and Dom based
  • XSS attacks occur when an application allows data that is not validated or escaped properly to be sent to a web browser
  • Malicious scripts are executed in the victim’s browser allowing the attacker to hijack the user’s session, steal cookies, deface web sites, redirect users to malicious web sites, and remote browser control

Broken Authentication and Session Management

  • Users are impersonated due to leaks or flaws in the authentication process
  • Attacks occur when a session ID is visible to others, timeouts are not properly set, SSL/TLS is not used, or any other flaw in the authentication scheme is detected
  • Flaws used against one account may be replicated against an account with higher privileges

Insecure Direct Object References

  • Attack occurs when an authorized user can change a parameter value that refers to a system object that they are not authorized for
  • Almost any reference that can be reached by URL to include: references to files, paths, database keys, reflection by class name (e.g. JDBC connector class)
  • Remote referencing includes: Web Services, CORBA, RMI, RPC

Cross Site Request Forgery (CSRF)

  • Attacker creates malicious code to generate a forged request that the attacker tricks the victim into submitting
  • Forged requests can be hidden in image tags, XSS attacks and a number of other techniques
  • CSRF attacks can complete any transactions that the victim is permitted to perform such as access data, transfer funds or make purchases

Security Misconfiguration

  • New to the 2010 update
  • Attacker exploits unsecured pages, default accounts, unpatched flaws or any other vulnerability that could have be addressed by proper configuration
  • These attacks can result in a complete system compromise

Failure to Restrict URL Access

  • This attack takes place when an authorized user can simply change a URL to access a privileged page
  • Attackers generally look for administrative functions to employ this attack on
  • Links can be obtained from: hidden fields, client-side code, robots.txt, configuration files, static XML files, directory access

Unvalidated Redirects and Forwards

  • New to the 2010 update
  • Unvalidated parameter allows an attacker to choose a destination page where they wish to send a victim to trick them into disclosing private information
  • Victims trust these links because the link is to a valid site

Insecure Cryptographic Storage

  • The most common reason for this attack is that data that should be encrypted is stored in cleartext
  • Can result from the poor use of encryption algorithms such as using home grown algorithms, insecure use of strong algorithms or the continued use of proven weak algorithms
  • The use of weak or unsalted hashes to protect passwords is another common flaw that leads to this risk

Insufficient Transport Layer Protection

  • Most commonly, this attack occurs when a site does not use SSL/TLS for pages that require authentication where an attacker can monitor network traffic to steal an authenticated user’s session cookie
  • Poorly configured SSL certificates can lull a user into accepting warnings for legitimate sites only to be tricked into accepting a phishing site’s certificate
  • Attacks can lead to account theft, phishing attacks and admin accounts being compromised