This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Top 10 2010-A9-Insufficient Transport Layer Protection"
Line 36: | Line 36: | ||
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=9}} | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=9}} | ||
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}} | {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}} | ||
− | For a more complete set of requirements and problems to avoid in this area, see the [http://www.owasp.org/index.php/ASVS#tab=Downloads ASVS requirements on Communications Security (V10)] | + | |
+ | For a more complete set of requirements and problems to avoid in this area, see the [http://www.owasp.org/index.php/ASVS#tab=Downloads ASVS requirements on Communications Security (V10)]. | ||
* [[Transport_Layer_Protection_Cheat_Sheet | OWASP Transport Layer Protection Cheat Sheet]] | * [[Transport_Layer_Protection_Cheat_Sheet | OWASP Transport Layer Protection Cheat Sheet]] | ||
* [[Top_10_2007-Insecure_Communications | OWASP Top 10-2007 on Insecure Communications]] | * [[Top_10_2007-Insecure_Communications | OWASP Top 10-2007 on Insecure Communications]] |
Revision as of 03:32, 6 May 2010
NOTE: THIS IS NOT THE LATEST VERSION. Please visit the OWASP Top 10 project page to find the latest edition.
← A8-Failure to Restrict URL Access | Top 10 Risks |
A10-Unvalidated Redirects and Forwards → |
Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts | |
---|---|---|---|---|---|
Application Specific | Exploitability DIFFICULT |
Prevalence COMMON |
Detectability EASY |
Impact MODERATE |
Application / Business Specific |
Consider anyone who can monitor the network traffic of your users. If the application is on the internet, who knows how your users access it. Don’t forget back end connections. | Monitoring users’ network traffic can be difficult, but is sometimes easy. The primary difficulty lies in monitoring the proper network’s traffic while users are accessing the vulnerable site. | Applications frequently do not protect network traffic. They may use SSL/TLS during authentication, but not elsewhere, exposing data and session IDs to interception. Expired or improperly configured certificates may also be used. Detecting basic flaws is easy. Just observe the site’s network traffic. More subtle flaws require inspecting the design of the application and the server configuration. |
Such flaws expose individual users’ data and can lead to account theft. If an admin account was compromised, the entire site could be exposed. Poor SSL setup can also facilitate phishing and MITM attacks. | Consider the business value of the data exposed on the communications channel in terms of its confidentiality and integrity needs, and the need to authenticate both participants. |
Am I Vulnerable To 'Insufficient Transport Layer Protection'?
The best way to find out if an application has insufficient transport layer protection is to verify that:
|
How Do I Prevent 'Insufficient Transport Layer Protection'?
Providing proper transport layer protection can affect the site design. It’s easiest to require SSL for the entire site. For performance reasons, some sites use SSL only on private pages. Others use SSL only on ‘critical’ pages, but this can expose session IDs and other sensitive data. At a minimum, do all of the following:
|
Example Attack Scenarios
Scenario #1: A site simply doesn’t use SSL for all pages that require authentication. Attacker simply monitors network traffic (like an open wireless or their neighborhood cable modem network), and observes an authenticated victim’s session cookie. Attacker then replays this cookie and takes over the user’s session. Scenario #2: A site has improperly configured SSL certificate which causes browser warnings for its users. Users have to accept such warnings and continue, in order to use the site. This causes users to get accustomed to such warnings. Phishing attack against the site’s customers lures them to a lookalike site which doesn’t have a valid certificate, which generates similar browser warnings. Since victims are accustomed to such warnings, they proceed on and use the phishing site, giving away passwords or other private data. Scenario #3: A site simply uses standard ODBC/JDBC for the database connection, not realizing all traffic is in the clear. |
References
OWASP For a more complete set of requirements and problems to avoid in this area, see the ASVS requirements on Communications Security (V10).
External |
← A8-Failure to Restrict URL Access | Top 10 Risks |
A10-Unvalidated Redirects and Forwards → |