Mydoom – not the only threat
With Mydoom tagged as the fastest spreading e-bug in Net history, companies and individuals have been sensitized to the dangers of electronic viruses to an extent that’s never occurred before.
But e-bugs are far from being the only threat out there, as OWASP (Open Web Application Security Project) points out.
OWASP was started in September 2000 to create an open source community where people could advance their knowledge of web application and web services security issues, either by contributing to the education of others or by learning about the topic from the documentation and software the project produces, it says.
“When an organization puts up a web application, they invite the world to send them http requests,” says OWASP. “Attacks buried in these requests sail past firewalls, filters, platform hardening, and intrusion detection systems without notice because they are inside legal http requests.”
And OWASP’s second annual list of the top 10 most critical Web application security vulnerabilities includes a new issue – Application Denial of Service – that, “we see as having started to become prevalent, and restates the categories to align with the future OASIS WAS XML standard (due later in 2004),” it says here.
What’s on the Top Ten?
- Unvalidated input
- Broken access control
- Broken authentication and session management
- Cross site scripting
- Buffer overflows
- Injection flaws
- Improper error handling
- Insecure storage
- Denial of service
- Insecure configuration management
Earthweb’s Jon Desmond breaks the list down here like this:
Non-validated input – Attackers can use information not validated before used by a Web application to reach backend components.
Broken access control – Results from improper enforcement of restrictions on what authenticated users are allowed to do; attackers exploit to access other accounts or use unauthorized functions.
Broken authentication and session management – Account credentials and session tokens not properly protected, allowing attackers to compromise passwords, keys, session cookies or tokens, and assume the identities of other users.
Cross site scripting – The Web application is used as a mechanism to transport an attack to the end user’s browser. A successful attack can disclose the end user’s session token or spoof content to fool the user.
Buffer overflows – Web application components written in languages that do not properly validate input can crash and in some cases, be used to take control of a process. These components can include CGI, libraries, drivers and Web application server components.
Injection flaws – Web applications pass parameters when they access external systems or the local OS. If an attacker embeds malicious commands in the parameters, the external system may execute those commands on behalf of the Web application.
Improper error handling – Refers to error conditions that occur during normal operations that are not handled properly. Attackers can use these to gain detailed system information, deny service, and cause security mechanisms to fail or crash the server.
Insecure storage – Web applications that use cryptographic functions to protect information and credentials have proven difficult to code properly, resulting in weak protection.
Denial of service – As mentioned above, attackers consume Web application resources to the point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or cause an application to fail.
Insecure configuration management – Web servers have many configuration options that affect security and are not secure out of the box. Having a strong configuration standard is critical.
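To make the “unvalidated input” and “injection flaws” items concrete, here is an added Python example (not code from the article or from OWASP) of a constructed web handler that builds an OS command from a request parameter: first the vulnerable way, then with allowlist validation and an argv list. The use of `ping`, the hostname pattern and the sample parameter values are assumptions for illustration.

```python
import re
import shlex
import subprocess

# Constructed scenario: a web handler runs a local network tool against a
# hostname taken straight from the HTTP request. Names and values are made up.

# Vulnerable form: the parameter is interpolated into a shell command line, so
# shell separators in it (";", "|", "&") are interpreted by the shell instead of
# being passed to the tool as part of a hostname.
def build_command_vulnerable(hostname):
    return f"ping -c 1 {hostname}"

def shell_tokens(command_line):
    """Tokenise a command line the way a POSIX shell would, so the effect of an
    injected separator is visible without executing anything."""
    return list(shlex.shlex(command_line, punctuation_chars=True))

# Hardened form: allowlist validation (RFC 1123 hostname shape) plus an argv
# list handed to subprocess with no shell, so the value can only ever be a
# single argument to the program, whatever characters it contains.
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")

def is_valid_hostname(hostname):
    return len(hostname) <= 253 and bool(HOSTNAME_RE.match(hostname))

def build_command_hardened(hostname):
    if not is_valid_hostname(hostname):
        raise ValueError("parameter is not a valid hostname")
    return ["ping", "-c", "1", hostname]

def run_hardened(hostname):
    """Execute the hardened command; a list argument never goes through a shell."""
    return subprocess.run(build_command_hardened(hostname),
                          capture_output=True, text=True, check=False)

if __name__ == "__main__":
    tainted = "example.com; echo INJECTED"   # constructed request parameter
    print(shell_tokens(build_command_vulnerable(tainted)))  # ';' becomes a separator
    try:
        build_command_hardened(tainted)
    except ValueError as exc:
        print("rejected:", exc)
    print(build_command_hardened("example.com"))
```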
Go here for a detailed Top Ten.