The Top 10 Web Application Security Risks
The Open Web Application Security Project (OWASP) is an all-volunteer group of IT security professionals that produces free, open-source documentation, tools, and standards related to (as their name implies) the security of Web-based applications. For the past two years, OWASP has been publishing a Top-10 list of the most critical Web application security vulnerabilities.
The list for 2004 includes (drum roll please)…
- Unvalidated input. Many Web applications do not validate input before submitting it to their backend. And many that do rely only on client-side JavaScript validation, which can easily be circumvented. Attackers are well aware of this #1 security flaw and can easily send invalid – and malicious – input to backend components.
- Broken access control. Applications don't always properly enforce access control rules and restrictions. As a result, attackers often have free access to files, information and/or functions that should have been forbidden.
- Broken authentication. Account credentials and session tokens aren't always properly protected and/or managed. A smart attacker can therefore compromise passwords, keys, session cookies or other tokens, easily bypass your system's authentication mechanism and assume another user's identity.
- Cross-site scripting. An attacker can use cross-site scripting (sometimes known as XSS) to transport or send malicious scripts to another end user's browser. Such an attack can disclose the end user's session token and/or spoof content and fool the user.
- Buffer overflows. Web application components (CGIs, libraries, drivers and other server components) that do not properly validate input can be crashed and/or used to take control of a process.
- Injection flaws. When accessing an external system or the local operating system, Web applications sometimes need to pass user-defined parameters. If the Web application does not validate the user's input, an attacker can easily embed malicious commands in the parameters, thereby getting the external or operating system to execute them.
- Improper error handling. Like any other application, Web applications are sometimes subject to error conditions during their normal operation. An attacker can easily force such errors, thereby gaining access to detailed system information, generating a DoS attack, or causing other security mechanisms to either fail or crash the server.
- Insecure storage. Web applications that use cryptographic functions to protect information and credentials have proven difficult to code properly. As a result, the system is not as secure as it should be and an attacker can easily access and decrypt that information.
- DoS attacks. Attackers can bombard a Web application's interface or Web service to the point where other legitimate users can no longer access or use the application; an attack referred to as a denial of service. On a similar note, attackers can lock users out of their accounts or cause an application to fail or crash using other measures.
- Insecure configuration management. All Web application servers have security configuration options that are turned off by default. Many administrators leave these options off because (a) they're not aware of them, or (b) they affect the system's performance. Having the appropriate level of configuration is essential to the security of any Web application server.
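As an added illustration of the first and sixth items above (unvalidated input and injection flaws), not taken from the OWASP material or from the original article: a lookup that splices the request value straight into SQL text, beside one that validates server-side against an allowlist and passes the value as a query parameter. The table, user names and crafted input are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the application's backend.
_SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _SAMPLE_USERS)
    return conn


def lookup_email_concat(conn, name):
    # Vulnerable: the user-supplied value becomes part of the SQL text,
    # so a crafted value changes the meaning of the statement.
    rows = conn.execute(
        "SELECT email FROM users WHERE name = '" + name + "'"
    ).fetchall()
    return [r[0] for r in rows]


# Allowlist for user names; only letters, digits and underscore are accepted.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def lookup_email_safe(conn, name):
    # Hardened: server-side allowlist validation first (client-side checks
    # can be bypassed), then a parameterized query so the value is handed
    # to the database as data, never interpreted as SQL.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    rows = conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,)
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    # Compares both lookups on one crafted value (constructed; not a real
    # user name) and reports how many rows leak and whether it was rejected.
    conn = _connect()
    crafted = "x' OR '1'='1"
    leaked = len(lookup_email_concat(conn, crafted))   # every row comes back
    try:
        lookup_email_safe(conn, crafted)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return leaked, verdict
```

Running `demo()` returns `(2, "rejected")`: the concatenated query hands back both stored addresses, while the validated, parameterized version refuses the value before it reaches the database.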
For more information regarding these risks, including examples, references, tips to determine whether or not your Web application is vulnerable, or to learn how to protect yourself, visit the OWASP Web site at http://www.owasp.org.
This article was originally published on www.gantthead.com.