The Web application security landscape is still dangerous, as the new top 10 list of vulnerabilities from the Open Web Application Security Project (OWASP) illustrates.
The list indicates that companies still aren't taking Web application security seriously enough, as most of the vulnerabilities are identical to those on last year's list, said Mark Curphey, chairman of OWASP and director of consulting at Foundstone Inc.
Other lists reflect specific vulnerabilities or security issues within applications, but the OWASP list looks at broader issues. Curphey hopes security managers will take the list and hand it to their companies' developers.
"If you don't do anything else, you can start to understand where you are today. You can get a feel of your security posture."
This year's list is as follows:
- Unvalidated input -- This year's top vulnerability is similar to last year's, where information from Web requests is not validated before being used by a Web application. For example, some online retailers have shopping carts that can be compromised, enabling dishonest people to check out and "they pay as much as they want to for an item," Curphey said.
- Broken access control -- This refers to the way some systems' restrictions on what actions users may take are not enforced. "The system basically says 'Well, I can't validate a user so I will let them in and trust them,'" Curphey said.
- Broken authentication and session management -- This vulnerability has a couple of facets. First, some developers create applications with fairly weak authentication so that the most basic of systems, like PDAs, can log in. "The problem is this could allow attackers to hijack or create new user sessions," Curphey said. Additionally, logging off Web-based applications isn't always easy. "A person logging in from a public kiosk who is concerned about security would have limited options, as rebooting the system wouldn't be possible," Curphey added.
- Cross-site scripting flaws -- This kind of attack is probably on its way out because Microsoft has introduced mechanisms to control it in Internet Explorer and in its .NET framework. "But if you look at BugTraq, probably 30% of the vulnerabilities reported there involve cross-site scripting," Curphey said. "It's still a major issue for online banks and brokerages."
- Buffer overflows -- The days of buffer overflows are also probably numbered, as newer programming languages from Microsoft and Java have more or less eliminated them. "The problem is there are still millions of lines of legacy code that in this economy are not going to be migrated," Curphey said.
- Injection flaws -- These occur when commands sent by an attacker to a Web application are passed through and run by the underlying machine. As the application passes parameters to an external system or the local operating system, those systems may be fooled into executing the malicious commands.
- Improper error handling -- This class of vulnerabilities is typified by a site that tells someone who is trying to log in specifically whether it was the username or the password that was wrong.
- Insecure storage -- There are a lot of good free cryptography products out there, but many developers still want to try their hand at writing their own algorithms.
- Denial of service -- Again, these kinds of attacks are nothing new, but what is different is that they target the application, not the operating system. Curphey predicts that there will be a major denial of service attack at the application layer on a major online retailer this year.
- Insecure configuration management -- This vulnerability means administrative functions that really shouldn't be reachable over the Web can be accessed that way.
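Four of the entries above (unvalidated input, injection flaws, improper error handling and insecure storage) can be shown side by side in a small piece of code. The following is an added example, not code from the article or from OWASP: the catalogue, the user names and passwords are constructed data, and the function names are assumptions. Each vulnerable shape is paired with the hardened one: the checkout trusts only the SKU and quantity from the request and looks the price up server-side; the user lookup binds the username as a parameter instead of splicing it into the SQL; the login returns one generic message whether the user is unknown or the password is wrong; and passwords are stored with the standard library's PBKDF2 rather than a home-grown algorithm.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed server-side catalogue: prices in cents live here, never in the request.
CATALOGUE = {"sku-100": 1999, "sku-200": 4500}

# One generic message for every failed login, so the response does not reveal
# whether the username exists (improper error handling).
GENERIC_FAILURE = "Invalid username or password"


def checkout_unvalidated(cart):
    """Vulnerable shape: trusts the price that arrived in the Web request."""
    return sum(item["price"] * item["qty"] for item in cart)


def checkout_validated(cart):
    """Hardened shape: only SKU and quantity come from the request; the price is
    looked up server-side and the quantity is type- and range-checked."""
    total = 0
    for item in cart:
        sku = item.get("sku")
        qty = item.get("qty")
        if sku not in CATALOGUE:
            raise ValueError("unknown item")
        if type(qty) is not int or qty < 1 or qty > 100:
            raise ValueError("invalid quantity")
        total += CATALOGUE[sku] * qty
    return total


def _hash_pw(password, salt):
    """Insecure storage, avoided: a standard, salted, slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def seed_db():
    """In-memory SQLite user table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, salt BLOB, pw_hash BLOB)")
    for name, pw in (("alice", "correct horse"), ("bob", "battery staple")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (name, salt, _hash_pw(pw, salt)))
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Injection flaw: the request value is spliced into the SQL text, so the
    database cannot tell data from command."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameter binding keeps the username as data; it is never parsed as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def login(conn, username, password):
    """Returns (success, message); the message is identical for an unknown user
    and for a wrong password, and the comparison is constant-time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        _hash_pw(password, b"\x00" * 16)  # same cost as a real check, to mask timing
        return False, GENERIC_FAILURE
    salt, stored = row
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return False, GENERIC_FAILURE
    return True, "ok"


if __name__ == "__main__":
    db = seed_db()
    tampered = [{"sku": "sku-100", "qty": 1, "price": 1}]  # client-supplied price
    print("unvalidated total:", checkout_unvalidated(tampered))
    print("validated total:", checkout_validated(tampered))
    print("vulnerable lookup:", find_user_vulnerable(db, "' OR '1'='1"))
    print("safe lookup:", find_user_safe(db, "' OR '1'='1"))
    print("unknown user:", login(db, "nobody", "x"))
    print("wrong password:", login(db, "alice", "x"))
```

Running it shows the tampered cart costing 1 cent through the unvalidated path and the catalogue price through the validated one, the spliced query returning every user while the bound query returns none, and the two failed logins producing the same message.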