Top 10 2007-Insecure Communications - Revision history

Wichers at 02:45, 19 April 2010

2010-04-19T02:45:06Z

KirstenS: /* References */

2008-12-02T13:26:16Z

‎References

KirstenS: /* References */

2008-12-02T13:26:04Z

‎References

KirstenS: /* References */

2008-09-21T00:13:33Z

‎References

Neil Smithline at 04:13, 15 May 2007

2007-05-15T04:13:01Z

Neil Smithline at 01:06, 14 May 2007

2007-05-14T01:06:44Z

Neil Smithline at 17:33, 12 May 2007

2007-05-12T17:33:58Z

Neil Smithline at 17:33, 12 May 2007

2007-05-12T17:33:17Z

Neil Smithline: New page: {{Top_10_2007:TopTemplate|usenext=NextLink|next=-Failure to Restrict URL Access|useprev=PrevLink|prev=-Insecure Communications|usemain=MainLink|main=}} {{FIXUP|Neil Smithline|Insert Text...

2007-05-12T16:18:06Z

New page: {{Top_10_2007:TopTemplate|usenext=NextLink|next=-Failure to Restrict URL Access|useprev=PrevLink|prev=-Insecure Communications|usemain=MainLink|main=}} {{FIXUP|Neil Smithline|Insert Text...

New page

{{Top_10_2007:TopTemplate|usenext=NextLink|next=-Failure to Restrict URL Access|useprev=PrevLink|prev=-Insecure Communications|usemain=MainLink|main=}}

{{FIXUP|Neil Smithline|Insert Text Here}}

{{Top_10_2007:BottomTemplate|usenext=NextLink|next=-Failure to Restrict URL Access|useprev=PrevLink|prev=-Insecure Communications|usemain=MainLink|main=}}

← Older revision		Revision as of 02:45, 19 April 2010
Line 51:		Line 51:
	*NIST SP 800-95 Guide to secure web services, [http://csrc.nist.gov/publications/drafts.html http://csrc.nist.gov/publications/drafts.html#sp800-95]		*NIST SP 800-95 Guide to secure web services, [http://csrc.nist.gov/publications/drafts.html http://csrc.nist.gov/publications/drafts.html#sp800-95]

		+	{{Top_10_2007:BottomTemplate\|usenext=NextLink\|next=-Failure to Restrict URL Access\|useprev=PrevLink\|prev=-Insecure Cryptographic Storage\|usemain=MainLink\|main=}}

−	~~{{Top_10_2007~~:~~BottomTemplate\|usenext=NextLink\|next=-Failure to Restrict URL Access\|useprev=PrevLink\|prev=-Insecure Cryptographic Storage\|usemain=MainLink\|main=}}~~	+	[[Category:OWASP Top Ten Project]]

@@ Line 45: / Line 45: @@
 *CWE: CWE-311 (Failure to encrypt data), CWE-326 (Weak Encryption), CWE-321 (Use of hard-coded cryptographic key), CWE-325 (Missing Required Cryptographic Step), others.
 *WASC Threat Classification: No explicit mapping
-*OWASP ''Testing Guide'', [[Testing for SSL-TLS (OWASP-CM-001) Testing for SSL-TLS]]
+*OWASP ''Testing Guide'', [[Testing for SSL-TLS (OWASP-CM-001)|Testing for SSL-TLS]]
 *OWASP Development Guide, [[Guide_to_Cryptography]]
 *Foundstone - SSL Digger, [http://www.foundstone.com/index.htm?subnav=services/navigation.htm&subcontent=/services/overview_s3i_des.htm http://www.foundstone.com/index.htm?subnav=services/navigation.htm&subcontent=/services/overview_s3i_des.htm]

@@ Line 45: / Line 45: @@
 *CWE: CWE-311 (Failure to encrypt data), CWE-326 (Weak Encryption), CWE-321 (Use of hard-coded cryptographic key), CWE-325 (Missing Required Cryptographic Step), others.
 *WASC Threat Classification: No explicit mapping
-*OWASP ''Testing Guide'', [[Testing for SSL-TLS]]
+*OWASP ''Testing Guide'', [[Testing for SSL-TLS (OWASP-CM-001) Testing for SSL-TLS]]
 *OWASP Development Guide, [[Guide_to_Cryptography]]
 *Foundstone - SSL Digger, [http://www.foundstone.com/index.htm?subnav=services/navigation.htm&subcontent=/services/overview_s3i_des.htm http://www.foundstone.com/index.htm?subnav=services/navigation.htm&subcontent=/services/overview_s3i_des.htm]

@@ Line 45: / Line 45: @@
 *CWE: CWE-311 (Failure to encrypt data), CWE-326 (Weak Encryption), CWE-321 (Use of hard-coded cryptographic key), CWE-325 (Missing Required Cryptographic Step), others.
 *WASC Threat Classification: No explicit mapping
-*OWASP ''Testing Guide'', Testing for SSL / TLS, [https://www.owasp.org/index.php/Testing_for_SSL-TLS https://www.owasp.org/index.php/Testing_for_SSL-TLS]
+*OWASP ''Testing Guide'', [[Testing for SSL-TLS]]
-*OWASP Guide, [http://www.owasp.org/index.php/Guide_to_Cryptography http://www.owasp.org/index.php/Guide_to_Cryptography]
+*OWASP Development Guide, [[Guide_to_Cryptography]]
 *Foundstone - SSL Digger, [http://www.foundstone.com/index.htm?subnav=services/navigation.htm&subcontent=/services/overview_s3i_des.htm http://www.foundstone.com/index.htm?subnav=services/navigation.htm&subcontent=/services/overview_s3i_des.htm]
 *NIST, SP 800-52 Guidelines for the selection and use of transport layer security (TLS) Implementations, [http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf]

@@ Line 1: / Line 1: @@
 {{Top_10_2007:TopTemplate|usenext=NextLink|next=-Failure to Restrict URL Access|useprev=PrevLink|prev=-Insecure Cryptographic Storage|usemain=MainLink|main=}}
 Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. Encryption (usually SSL) must be used for all authenticated connections, especially Internet-accessible web pages, but backend connections as well. Otherwise, the application will expose an authentication or session token. In addition, encryption should be used whenever sensitive data, such as credit card or health information is transmitted. Applications that fall back or can be forced out of an encrypting mode can be abused by attackers.
 The PCI standard requires that all credit card information being transmitted over the internet be encrypted.
@@ Line 35: / Line 31: @@
 The most important protection is to use SSL on any authenticated connection or whenever sensitive data is being transmitted. There are a number of details involved with configuring SSL for web applications properly, so understanding and analyzing your environment is important. For example, IE 7.0 provides a green bar for high trust SSL certificates, but this is not a suitable control to prove safe use of cryptography alone.
-*Use SSL for all connections that are authenticated or transmitting sensitive or value data, such as credentials, credit card details, health and other private information.
+*Use SSL for all connections that are authenticated or transmitting sensitive or value data, such as credentials, credit card details, health and other private information
-*Ensure that communications between infrastructure elements, such as between web servers and database systems, are appropriately protected via the use of transport layer security or protocol level encryption for credentials and intrinsic value data.
+*Ensure that communications between infrastructure elements, such as between web servers and database systems, are appropriately protected via the use of transport layer security or protocol level encryption for credentials and intrinsic value data
-*Under PCI Data Security Standard requirement 4, you must protect cardholder data in transit. PCI DSS compliance is mandatory by 2008 for merchants and anyone else dealing with credit cards. In general, client, partner, staff and administrative online access to systems must be encrypted using SSL or similar. For more information, please see the PCI DSS Guidelines and implement controls as necessary.
+*Under PCI Data Security Standard requirement 4, you must protect cardholder data in transit. PCI DSS compliance is mandatory by 2008 for merchants and anyone else dealing with credit cards. In general, client, partner, staff and administrative online access to systems must be encrypted using SSL or similar. For more information, please see the PCI DSS Guidelines and implement controls as necessary
 == Samples ==
@@ Line 48: / Line 44: @@
 *CWE: CWE-311 (Failure to encrypt data), CWE-326 (Weak Encryption), CWE-321 (Use of hard-coded cryptographic key), CWE-325 (Missing Required Cryptographic Step), others.
-*WASC Threat Classification: No explicit mapping OWASP ''Testing Guide'', Testing for SSL / TLS, [https://www.owasp.org/index.php/Testing_for_SSL-TLS https://www.owasp.org/index.php/Testing_for_SSL-TLS]
+*WASC Threat Classification: No explicit mapping
 *OWASP Guide, [http://www.owasp.org/index.php/Guide_to_Cryptography http://www.owasp.org/index.php/Guide_to_Cryptography]
 *Foundstone - SSL Digger, [http://www.foundstone.com/index.htm?subnav=services/navigation.htm&subcontent=/services/overview_s3i_des.htm http://www.foundstone.com/index.htm?subnav=services/navigation.htm&subcontent=/services/overview_s3i_des.htm]
 *NIST, SP 800-52 Guidelines for the selection and use of transport layer security (TLS) Implementations, [http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf]
 *NIST SP 800-95 Guide to secure web services, [http://csrc.nist.gov/publications/drafts.html http://csrc.nist.gov/publications/drafts.html#sp800-95]
 {{Top_10_2007:BottomTemplate|usenext=NextLink|next=-Failure to Restrict URL Access|useprev=PrevLink|prev=-Insecure Cryptographic Storage|usemain=MainLink|main=}}

← Older revision		Revision as of 01:06, 14 May 2007
Line 2:		Line 2:


−	{{FIXUP\|Neil Smithline\|~~Insert~~ Text Here}}	+	{{FIXUP\|Neil Smithline\|Replace With Final Text Here}}
		+
		+
		+	Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. Encryption (usually SSL) must be used for all authenticated connections, especially Internet-accessible web pages, but backend connections as well. Otherwise, the application will expose an authentication or session token. In addition, encryption should be used whenever sensitive data, such as credit card or health information is transmitted. Applications that fall back or can be forced out of an encrypting mode can be abused by attackers.
		+
		+	The PCI standard requires that all credit card information being transmitted over the internet be encrypted.
		+
		+	== Environments Affected ==
		+
		+	All web application frameworks are vulnerable to insecure communications.
		+
		+	== Vulnerability ==
		+
		+	Failure to encrypt sensitive communications means that an attacker who can sniff traffic from the network will be able to access the conversation, including any credentials or sensitive information transmitted. Consider that different networks will be more or less susceptible to sniffing. However, it is important to realize that eventually a host will be compromised on almost every network, and attackers will quickly install a sniffer to capture the credentials of other systems.
		+
		+	Using SSL for communications with end users is critical, as they are very likely to be using insecure networks to access applications. Because HTTP includes authentication credentials or a session token with every single request, all authenticated traffic needs to go over SSL, not just the actual login request.
		+
		+	Encrypting communications with backend servers is also important. Although these networks are likely to be more secure, the information and credentials they carry is more sensitive and more extensive. Therefore using SSL on the backend is quite important.
		+
		+	Encrypting sensitive data, such as credit cards and social security numbers, has become a privacy and financial regulation for many organizations. Neglecting to use SSL for connections handling such data creates a compliance risk.
		+
		+	== Verifying Security ==
		+
		+	The goal is to verify that the application properly encrypts all authenticated and sensitive communications.
		+
		+	Automated approaches: Vulnerability scanning tools can verify that SSL is used on the front end, and can find many SSL related flaws. However, these tools do not have access to backend connections and cannot verify that they are secure. Static analysis tools may be able to help with analyzing some calls to backend systems, but probably will not understand the custom logic required for all types of systems.
		+
		+	Manual approaches: Testing can verify that SSL is used and find many SSL related flaws on the front end, but the automated approaches are probably more efficient. Code review is quite efficient for verifying the proper use of SSL for all backend connections.
		+
		+	== Protection ==
		+
		+	The most important protection is to use SSL on any authenticated connection or whenever sensitive data is being transmitted. There are a number of details involved with configuring SSL for web applications properly, so understanding and analyzing your environment is important. For example, IE 7.0 provides a green bar for high trust SSL certificates, but this is not a suitable control to prove safe use of cryptography alone.
		+
		+	*Use SSL for all connections that are authenticated or transmitting sensitive or value data, such as credentials, credit card details, health and other private information.
		+	*Ensure that communications between infrastructure elements, such as between web servers and database systems, are appropriately protected via the use of transport layer security or protocol level encryption for credentials and intrinsic value data.
		+	*Under PCI Data Security Standard requirement 4, you must protect cardholder data in transit. PCI DSS compliance is mandatory by 2008 for merchants and anyone else dealing with credit cards. In general, client, partner, staff and administrative online access to systems must be encrypted using SSL or similar. For more information, please see the PCI DSS Guidelines and implement controls as necessary.
		+
		+	== Samples ==
		+
		+	*[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6430 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6430]
		+	*[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4704 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4704]
		+	*[http://www.schneier.com/blog/archives/2005/10/scandinavian_at_1.html http://www.schneier.com/blog/archives/2005/10/scandinavian_at_1.html]
		+
		+	== References ==
		+
		+	*CWE: CWE-311 (Failure to encrypt data), CWE-326 (Weak Encryption), CWE-321 (Use of hard-coded cryptographic key), CWE-325 (Missing Required Cryptographic Step), others.
		+	*WASC Threat Classification: No explicit mapping OWASP ''Testing Guide'', Testing for SSL / TLS, [https://www.owasp.org/index.php/Testing_for_SSL-TLS https://www.owasp.org/index.php/Testing_for_SSL-TLS]
		+	*OWASP Guide, [http://www.owasp.org/index.php/Guide_to_Cryptography http://www.owasp.org/index.php/Guide_to_Cryptography]
		+	*Foundstone - SSL Digger, [http://www.foundstone.com/index.htm?subnav=services/navigation.htm&subcontent=/services/overview_s3i_des.htm http://www.foundstone.com/index.htm?subnav=services/navigation.htm&subcontent=/services/overview_s3i_des.htm]
		+	*NIST, SP 800-52 Guidelines for the selection and use of transport layer security (TLS) Implementations, [http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf]
		+	*NIST SP 800-95 Guide to secure web services, [http://csrc.nist.gov/publications/drafts.html http://csrc.nist.gov/publications/drafts.html#sp800-95]
		+
		+



	{{Top_10_2007:BottomTemplate\|usenext=NextLink\|next=-Failure to Restrict URL Access\|useprev=PrevLink\|prev=-Insecure Cryptographic Storage\|usemain=MainLink\|main=}}		{{Top_10_2007:BottomTemplate\|usenext=NextLink\|next=-Failure to Restrict URL Access\|useprev=PrevLink\|prev=-Insecure Cryptographic Storage\|usemain=MainLink\|main=}}

← Older revision		Revision as of 17:33, 12 May 2007
Line 1:		Line 1:
−	{{Top_10_2007:TopTemplate\|usenext=NextLink\|next=-Failure to Restrict URL Access\|useprev=PrevLink\|prev=-Insecure ~~Cryptograhic~~ Storage\|usemain=MainLink\|main=}}	+	{{Top_10_2007:TopTemplate\|usenext=NextLink\|next=-Failure to Restrict URL Access\|useprev=PrevLink\|prev=-Insecure Cryptographic Storage\|usemain=MainLink\|main=}}