NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0302 Top 10 Web Site Vulnerabilities:
Press reports over the past year have heralded breakdowns in Web site security leading to
increasing numbers of disruptions and large-scale data exposures. The Open Web Application
Security Project (OWASP) has posted its assessment of the top 10 Web site vulnerabilities,
briefly described here:
- CROSS-SITE SCRIPTING flaws are exploited when an application sends user data to a web
browser without first validating or encoding the content. This allows hackers to execute
malicious scripts in a browser. It lets them hijack user sessions, deface web sites, insert
hostile content, and conduct phishing and malware attacks.
- INJECTION FLAWS involve user-supplied data being sent to an interpreter as part of a command
or query, making it possible for hackers to trick the interpreter - the component that executes
text-based commands - into running unintended commands. Injection flaws allow attackers to
create, read, update, or delete any arbitrary data available to the application.
- MALICIOUS FILE EXECUTION gives an attacker remote code execution, which can be used to
remotely install rootkits or completely compromise a system. Any type of web application is
vulnerable if it accepts filenames or files from users. The vulnerability may be most common
with PHP, a widely used scripting language for web development.
- INSECURE DIRECT OBJECT REFERENCE involves manipulating direct object references to gain
unauthorized access to other objects. It typically involves URLs or form parameters containing
references to objects such as files, directories, database records, or keys.
- CROSS SITE REQUEST FORGERY involves taking control of a victim's browser while it is logged
in to a web site, and sending malicious requests to the web application. Web sites are extremely
vulnerable, partly because they tend to authorize requests based on session cookies or "remember
me" functionality.
- INFORMATION LEAKS AND IMPROPER ERROR HANDLING in web applications, such as leaking information
about an application's internal state through detailed debug error messages, can be leveraged to
launch or even automate powerful attacks.
- BROKEN AUTHENTICATION AND SESSION MANAGEMENT features allow user and administrative accounts
to be hijacked, such as when applications fail to protect credentials and session tokens from
beginning to end. Weaknesses are often introduced through ancillary authentication functions
such as logout, password management, timeout, remember me, secret question, and account update.
- INSECURE CRYPTOGRAPHIC STORAGE occurs because many web developers fail to encrypt sensitive
data in storage, even though cryptography is a key part of most web applications. Even when
encryption is present, it is often poorly designed and uses inappropriate ciphers.
- INSECURE COMMUNICATIONS result from a failure to encrypt network traffic when it is necessary
to protect sensitive communications. Attackers gain access not only to conversations, but also
to transmissions of credentials and sensitive data.
- FAILURE TO RESTRICT URL ACCESS is a problem for web pages that are supposed to be restricted
to a small subset of privileged users, such as administrators. There is often no real
protection of these pages, and intruders gain access by "forced browsing" which involves making
educated guesses about URLs.
(www.zone-h.org 10OCT07)
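To make three of the items above concrete from a defender's point of view, the following is an
added example (not from this bulletin, OWASP, or zone-h) that places a vulnerable routine beside
its standard fix for injection flaws, cross-site scripting, and insecure direct object reference.
It runs offline against an in-memory SQLite database; the table, the users "alice", "bob" and
"carol", and all function names are constructed for illustration.

```python
"""Added example: vulnerable vs. hardened handling of user input for three of
the OWASP Top 10 (2007) categories described in the bulletin. Everything here
(schema, sample users, function names) is constructed for illustration."""
import html
import sqlite3


def make_db():
    # Constructed sample data: each record has an owner who may view it.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice"), (2, "bob", "bob"), (3, "carol", "carol")],
    )
    return conn


# --- Injection flaws -------------------------------------------------------
def lookup_unsafe(conn, name):
    # Vulnerable: user text is spliced into the statement, so quote characters
    # in the input change what the SQL interpreter executes.
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn, name):
    # Fixed: the query is sent separately from the data (parameterised query),
    # so the interpreter never treats user input as part of the command.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# --- Cross-site scripting --------------------------------------------------
def greet_unsafe(name):
    # Vulnerable: user data is written into HTML without encoding.
    return f"<p>Hello, {name}</p>"


def greet_safe(name):
    # Fixed: HTML metacharacters are encoded before reaching the browser.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# --- Insecure direct object reference --------------------------------------
def fetch_record_unsafe(conn, record_id):
    # Vulnerable: any caller who guesses an id gets the record.
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (record_id,)
    ).fetchone()


def fetch_record_safe(conn, record_id, current_user):
    # Fixed: the reference is honoured only if the record belongs to the
    # authenticated user making the request.
    row = conn.execute(
        "SELECT id, name, owner FROM users WHERE id = ?", (record_id,)
    ).fetchone()
    if row is None or row[2] != current_user:
        return None
    return row[:2]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # classic quote-breaking input, used here as a test case
    print("unsafe lookup rows:", len(lookup_unsafe(db, probe)))   # every row leaks
    print("safe lookup rows:  ", len(lookup_safe(db, probe)))     # no match
    print(greet_safe("<script>x</script>"))
    print("bob's record viewed by alice:", fetch_record_safe(db, 2, "alice"))
```

The point of each pair is the same: the interpreter, the browser, or the data store must receive
user input strictly as data, and every object reference must be checked against the caller's
authorisation rather than trusted because it arrived in a request.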
Last Modified:
Saturday, 27-Oct-2007 18:03:52 EDT