Lock it down: Use the revised OWASP Top Ten to secure your Web applications -- Part 1
Takeaway: For the first time since 2004, the Open Web Application Security Project (OWASP) is updating its Top 10 Vulnerabilities list. As a supplement to a previously published article on the 2004 OWASP Top 10, this is the second in a series of articles in which Tom Olzak explores the 10 vulnerabilities the OWASP believes present the highest risk to Web application environments.
In Part 1 of this series I listed the OWASP Top 10 Web application vulnerabilities created in 2004. Shortly after that article was posted, I received an e-mail from Andrew van der Stock, OWASP executive director, giving me a heads-up about the upcoming revised list. OWASP plans to release the 2007 Top 10 vulnerabilities list in March. Release Candidate 1 (RC1) of the documentation was posted last week on the OWASP Web site, so I'm revising the series to cover the 2007 vulnerabilities.
The 2007 OWASP Top 10
There are some similarities between the 2004 and 2007 lists, as shown in Table A. Unvalidated input, buffer overflows, insecure configuration management, and denial of service were dropped from the list. On the other hand, broken access control was split into two new list entries: insecure direct object reference and failure to restrict URL access.
The new vulnerabilities on the list include (from RC1):
- A3. Insecure Remote File Include – Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
- A5. Cross Site Request Forgery (CSRF) – A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable Web application, which then performs a hostile action on the victim's behalf to the benefit of the attacker. Because the browser attaches the session cookie automatically, the application cannot distinguish the forged request from a legitimate one unless it demands a second value the attacker's site cannot read.
- A9. Insecure Communications – Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive information.
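As an added illustration (not code from this article or from OWASP), the following Python shows the code-level shape of A3 and A5 above: the include-by-parameter pattern next to an allowlisted version, and a CSRF token bound to the victim's session and checked in constant time. The template names, the session store, and the request dictionary layout are assumptions made for the example.

```python
"""Added example (not OWASP or TechRepublic code) showing code-level
defenses for two new 2007 entries: A3 remote file include and A5 CSRF.
Page names, the session store shape and the request dict layout are
assumptions made for this illustration."""
import hashlib
import hmac
import secrets

# --- A3. Insecure Remote File Include -------------------------------------
# The classic bug: an "include" parameter is concatenated into a path, so the
# attacker can point it at a remote URL (or a local file) of their choosing.
def vulnerable_include_path(page):
    """Attacker-controlled include target; shown only as the 'before'."""
    return page + ".html"

# Fix: the parameter only ever selects from a fixed allowlist and is never
# used to build a path.  Template names are assumed for illustration.
TEMPLATES = {
    "home": "templates/home.html",
    "about": "templates/about.html",
    "contact": "templates/contact.html",
}

def resolve_include(page):
    """Return the template path for an allowlisted page name, else None."""
    if not isinstance(page, str):
        return None
    return TEMPLATES.get(page)

# --- A5. Cross Site Request Forgery ---------------------------------------
# The browser sends the session cookie with every request, so a form on the
# attacker's site submitted to /transfer arrives "pre-authenticated".  The
# server therefore demands a second value the attacker cannot read: a token
# keyed on a server-side secret and bound to the victim's session.
SERVER_SECRET = secrets.token_bytes(32)   # assumed: loaded from config in production

def issue_csrf_token(session_id):
    """Token to embed as a hidden field in every state-changing form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf_token(session_id, submitted):
    """Constant-time check that the submitted token belongs to this session."""
    if not isinstance(submitted, str):
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected.encode(), submitted.encode())

def handle_transfer(request, session_store):
    """State-changing endpoint.  request = {"cookies": {...}, "form": {...}}
    (assumed shape); session_store maps session id -> user name.
    Returns (status, message)."""
    sid = request.get("cookies", {}).get("sid")
    if sid is None or sid not in session_store:
        return 401, "not logged in"
    form = request.get("form", {})
    if not verify_csrf_token(sid, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    try:
        amount = int(form.get("amount", ""))
    except ValueError:
        return 400, "bad amount"
    if amount <= 0 or not form.get("to"):
        return 400, "bad transfer"
    return 200, f"{session_store[sid]} sent {amount} to {form['to']}"

def demo():
    """Constructed requests: one legitimate, two forged, plus the RFI pair."""
    sessions = {"s-victim": "alice", "s-attacker": "mallory"}
    base = {"to": "mallory", "amount": "100"}
    legit = {"cookies": {"sid": "s-victim"},
             "form": dict(base, csrf_token=issue_csrf_token("s-victim"))}
    # Attacker's page auto-submits a form; the browser adds alice's cookie,
    # but the attacker has no way to read her token.
    forged = {"cookies": {"sid": "s-victim"}, "form": dict(base)}
    # Attacker reuses a token issued for their own session.
    cross = {"cookies": {"sid": "s-victim"},
             "form": dict(base, csrf_token=issue_csrf_token("s-attacker"))}
    return {
        "rfi_vulnerable": vulnerable_include_path("http://evil.example/shell.txt?"),
        "rfi_fixed": resolve_include("http://evil.example/shell.txt?"),
        "legit": handle_transfer(legit, sessions)[0],
        "forged": handle_transfer(forged, sessions)[0],
        "cross_session": handle_transfer(cross, sessions)[0],
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points carry the weight here. For A3, the request parameter never reaches a filesystem or URL API; it is only a dictionary key, so a remote URL or a `../` sequence simply fails to match. For A5, the token is derived from a server-side secret and the session id, so a token stolen from or issued to the attacker's own session is rejected for the victim's, and the comparison uses `hmac.compare_digest` rather than `==` to avoid timing leaks.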
Table A
|
OWASP Top 10 2007 |
OWASP Top 10 2004 |
|
A1. Cross Site Scripting (XSS) |
A4. Cross Site Scripting (XSS) |
|
A2. Injection Flaws |
A6. Injection Flaws |
|
A3. Insecure Remote File Include (NEW) |
_ |
|
A4. Insecure Direct Object Reference |
A2. Broken Access Control (split in 2007 T10) |
|
A5. Cross Site Request Forgery (CSRF) (NEW) |
_ |
|
A6. Information Leakage and Improper Error Handling |
A7. Improper Error Handling |
|
A7. Broken Authentication and Session Management |
A3. Broken Authentication and Session Management |
|
A8. Insecure Cryptographic Storage |
A8. Insecure Storage |
|
A9. Insecure Communications (NEW) |
Discussed under A10. Insecure Configuration Management |
|
A10. Failure to Restrict URL Access |
A2. Broken Access Control (split in 2007 T10) |
|
_ |
A1. Unvalidated Input |
|
_ |
A5. Buffer Overflows |
|
_ |
A9. Denial of Service |
|
_ |
A10. Insecure Configuration Management |
Table A (OWASP, OWASP Top 10 2007 RC1)
The 2007 vulnerabilities were selected by extracting the top 10 Web application security issues from the MITRE Vulnerability Trends for 2006. The MITRE data on the 2007 OWASP Top 10 are depicted in Figure A.
Figure A: MITRE Vulnerability Trends
Missing from the list
At first it was a little surprising that unvalidated input was removed from the list. Even a superficial review of the 2004 and 2007 lists shows that unvalidated input is a root cause of many of the other listed weaknesses (XSS, injection flaws, and remote file include among them). However, the omission is probably not significant, since many of the 2007 entries describe careful input validation as an important defense against exploitation.
Overflow vulnerabilities (i.e., buffer overflows, integer overflows, and format string issues) are omitted since they are found mostly in low-level development languages, like C or C++. The most common Web development environments are not nearly as susceptible to these types of issues. Figure B shows the probability of occurrence of overflow vulnerabilities across popular environments.
Figure B: Probability of occurrence of overflow vulnerabilities (from OWASP Buffer Overflows, 2006)
Looking at this table, it's apparent that application code written in the languages and environments most commonly used for Web development today (e.g., Java, .NET, Perl) is largely protected from overflows by the runtime's bounds checking and managed memory. This doesn't mean that using .NET technology, for example, makes you completely immune: a flaw in the runtime, the interpreter, or a native library it depends on can still introduce an overflow.
Another common mistake organizations make is relying on the safety of an environment like .NET while developing applications that call external tools and applications written in unsafe low-level languages like C and C++. The runtime's memory safety stops at that boundary; whatever the managed code hands to a native component is only as safe as the native component's own handling of it. The larger the number of tools and applications written in unsafe languages and integrated into a Web application environment, the greater the risk.
Although denial-of-service (DoS) attack weaknesses are still a problem, they didn't rank high enough on the MITRE rankings to make it to the list. This should not be interpreted as a license to ignore DoS vulnerabilities.
Finally, insecure configuration management also failed to make it onto the 2007 list. This is the only dropped vulnerability I believe should have remained. Maintaining a secure, stable environment in which to run Web applications is an important part of Web application assurance. In addition to the servers on which the applications run, other supporting services provided by the underlying infrastructure include:
- Data storage
- Directory services
- Messaging
An effective configuration management program is a key element in the protection of information assets. Attacks against a network are opportunistic: attackers look for soft targets whose compromise requires the lowest possible work factor. Infrastructure configuration might not be an actual component of a Web application, but it must provide a strong environment in which to deliver Web-based services.
The final word
In the articles to follow, I'll explore the 2007 OWASP Top 10. We'll look at causes for these vulnerabilities and how to defend against potential exploits. According to RC1, defending against the items on the Top 10 should provide the foundation for reducing the likelihood of:
- Phishing attacks that can exploit any of the Top 10, particularly XSS, and weak or non-existent authentication or authorization checks.
- Privacy violations from poor validation, business rule and weak authorization checks.
- Identity theft through poor or non-existent cryptographic controls, remote file include, and weak authentication, business rule, and authorization checks.
- Systems compromised through remote file include, and business-ending data alteration or destruction attacks via injection flaws.
- Financial loss through unauthorized transactions and CSRF attacks.
- Reputation loss.
Part 2 in this series will look at the first of the 2007 Top 10 -- cross site scripting (XSS).