Following a format similar to that of the annual SANS/FBI list of system vulnerabilities, the Open Web Application...
Security Project (OWASP) released today its list of the top 10 most critical Web application security problems.
Admittedly, the list hardly reveals anything earth shattering. A release from OWASP points out that most of the security issues are not new, but in many cases they have not yet been addressed by developers.
Programming flaws are prominent on the list, unlike the SANS list which was dominated by configuration woes.
"Web application code has so much power that it can access the database and the backend stuff, it's not enough to configure your box well, you have to look at the code," said Jeff Williams, one of the project leaders and CEO of Aspect Security, a Columbia, Maryland-based application security vendor. "That's where all the power is."
In an OWASP explainer, the organization said it deliberated over its interpretation of Web application security. The group weighed arguments about whether it should limit its list to vulnerabilities that impact only developers writing custom code or whether it should use a broader definition that would include the entire application layer, including libraries, server configuration and application layer protocols. In the end, OWASP went with a wide interpretation but decided against examining network and infrastructure security issues.
"With network security, the problem is that most companies are using the same components in their infrastructure. So, of there is a vulnerability, likely they are all impacted," Williams said. "That's not so with Web application code where coding is all customized. If we were to do a real examination of the top vulnerabilities, they would not apply to everybody. I think the categories of flaws we chose is very relevant."
Williams pointed out as examples that cross-site scripting and unvalidated parameters flaws, both on the OWASP list, plague a huge percentage of Web sites.
"The process of coming up with these categories involved talking to lots of experts and examining what we see frequently and narrow it down to this list," Williams said. "There are going to be arguments and that's part of the purpose of this exercise. If there are arguments, then we've raised awareness."
The list includes:
- Unvalidated parameters: Attackers frequently exploit this vulnerability to gain access to back-end components. Here, information from Web requests is not validated before being used by a Web application.
- Broken access control: An exploit to this flaw could give an outsider access to user accounts, sensitive files or functions. Here, restrictions on what actions users may take are not enforced.
- Broken account and session management: Attackers exploiting this hole can access passwords, keys, session cookies and other tokens to gain account credentials.
- Cross-site scripting (XSS) flaws: A cracker may exploit one of these flaws to use a Web application to transport an attack to a user's browser. This flaw can expose a local machine or enable an attacker to spoof content.
- Buffer overflows: Overrunning a buffer in a Web application could enable an attacker to take control of processes like CGI, libraries, drivers and Web application server components.
- Command injection flaws: Attackers exploit this flaw by injecting malicious commands via a Web application. As the application passes parameters while accessing an external system or local operating system, those systems may be fooled into executing the malicious commands.
- Error-handling problems: Error conditions that happen during normal use are not handled properly by a Web application. An attacker may cause an error to occur and create a denial-of-service condition.
- Insecure use of cryptography: Web cryptography fails to protect information and credentials.
- Remote administration flaws: Attackers may exploit weak remote administration functions to gain root access to a Web site.
- Web and application server misconfiguration: Server configuration is weak out-of-the-box and administrators need to secure Web applications manually.
OWASP is a volunteer-driven open-source project that is working on software tools and documentation that focus on secure Web applications and Web services. Its work is released under the GNU public licenses. Leaders said they would update this list every six months.
FOR MORE INFORMATION: