This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Top 10 2010-A9-Insufficient Transport Layer Protection"
From OWASP
| (7 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | {{Top_10_2010:TopTemplate|useprev=2010PrevLink|usenext=2010NextLink|prev=A8-Failure to Restrict URL Access|next=A10 | + | {{Top_10_2010:TopTemplate|useprev=2010PrevLink|usenext=2010NextLink|prev=A8-Failure to Restrict URL Access|next=A10-Unvalidated Redirects and Forwards}} |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | Detecting basic flaws is easy. Just observe the site’s network traffic. More subtle flaws require inspecting the design of the application and the server configuration. | + | {{Top_10_2010:SummaryTableHeaderBeginTemplate}} |
| − | + | {{Top_10_2010:SummaryTableValue-3-Template|Exploitability|DIFFICULT}} | |
| − | + | {{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}} | |
| − | + | {{Top_10_2010:SummaryTableValue-1-Template|Detectability|EASY}} | |
| − | </ | + | {{Top_10_2010:SummaryTableValue-2-Template|Impact|MODERATE}} |
| + | {{Top_10_2010:SummaryTableHeaderEndTemplate}} | ||
| + | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider anyone who can monitor the network traffic of your users. If the application is on the internet, who knows how your users access it. Don’t forget back end connections.</td> | ||
| + | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Monitoring users’ network traffic can be difficult, but is sometimes easy. The primary difficulty lies in monitoring the proper network’s traffic while users are accessing the vulnerable site.</td> | ||
| + | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Applications frequently do not protect network traffic. They may use SSL/TLS during authentication, but not elsewhere, exposing data and session IDs to interception. Expired or improperly configured certificates may also be used.<br/><br/>Detecting basic flaws is easy. Just observe the site’s network traffic. More subtle flaws require inspecting the design of the application and the server configuration.</td> | ||
| + | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Such flaws expose individual users’ data and can lead to account theft. If an admin account was compromised, the entire site could be exposed. Poor SSL setup can also facilitate phishing and MITM attacks.</td> | ||
| + | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider the business value of the data exposed on the communications channel in terms of its confidentiality and integrity needs, and the need to authenticate both participants.</td> | ||
| + | {{Top_10_2010:SummaryTableEndTemplate}} | ||
| − | {{Top_10_2010: | + | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=1|risk=9}} |
| − | The best way to find out if an application has | + | The best way to find out if an application has sufficient transport layer protection is to verify that: |
# SSL is used to protect all authentication related traffic. | # SSL is used to protect all authentication related traffic. | ||
# SSL is used for all resources on all private pages and services. This protects all data and session tokens that are exchanged. Mixed SSL on a page should be avoided since it causes user warnings in the browser, and may expose the user’s session ID. | # SSL is used for all resources on all private pages and services. This protects all data and session tokens that are exchanged. Mixed SSL on a page should be avoided since it causes user warnings in the browser, and may expose the user’s session ID. | ||
| Line 32: | Line 21: | ||
# All session cookies have their ‘secure’ flag set so the browser never transmits them in the clear. | # All session cookies have their ‘secure’ flag set so the browser never transmits them in the clear. | ||
# The server certificate is legitimate and properly configured for that server. This includes being issued by an authorized issuer, not expired, has not been revoked, and it matches all domains the site uses. | # The server certificate is legitimate and properly configured for that server. This includes being issued by an authorized issuer, not expired, has not been revoked, and it matches all domains the site uses. | ||
| − | + | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=2|risk=9}} | |
| − | |||
| − | {{Top_10_2010: | ||
Providing proper transport layer protection can affect the site design. It’s easiest to require SSL for the entire site. For performance reasons, some sites use SSL only on private pages. Others use SSL only on ‘critical’ pages, but this can expose session IDs and other sensitive data. At a minimum, do all of the following: | Providing proper transport layer protection can affect the site design. It’s easiest to require SSL for the entire site. For performance reasons, some sites use SSL only on private pages. Others use SSL only on ‘critical’ pages, but this can expose session IDs and other sensitive data. At a minimum, do all of the following: | ||
# Require SSL for all sensitive pages. Non-SSL requests to these pages should be redirected to the SSL page. | # Require SSL for all sensitive pages. Non-SSL requests to these pages should be redirected to the SSL page. | ||
| Line 41: | Line 28: | ||
# Ensure your certificate is valid, not expired, not revoked, and matches all domains used by the site. | # Ensure your certificate is valid, not expired, not revoked, and matches all domains used by the site. | ||
# Backend and other connections should also use SSL or other encryption technologies. | # Backend and other connections should also use SSL or other encryption technologies. | ||
| − | + | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=3|risk=9}} | |
| − | |||
| − | {{Top_10_2010: | ||
<u>Scenario #1</u>: A site simply doesn’t use SSL for all pages that require authentication. Attacker simply monitors network traffic (like an open wireless or their neighborhood cable modem network), and observes an authenticated victim’s session cookie. Attacker then replays this cookie and takes over the user’s session. | <u>Scenario #1</u>: A site simply doesn’t use SSL for all pages that require authentication. Attacker simply monitors network traffic (like an open wireless or their neighborhood cable modem network), and observes an authenticated victim’s session cookie. Attacker then replays this cookie and takes over the user’s session. | ||
| Line 49: | Line 34: | ||
<u>Scenario #3</u>: A site simply uses standard ODBC/JDBC for the database connection, not realizing all traffic is in the clear. | <u>Scenario #3</u>: A site simply uses standard ODBC/JDBC for the database connection, not realizing all traffic is in the clear. | ||
| + | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=9}} | ||
| + | {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}} | ||
| − | + | For a more complete set of requirements and problems to avoid in this area, see the [http://www.owasp.org/index.php/ASVS#tab=Downloads ASVS requirements on Communications Security (V10)]. | |
| − | + | * [[Transport_Layer_Protection_Cheat_Sheet | OWASP Transport Layer Protection Cheat Sheet]] | |
| − | For a more complete set of requirements and problems to avoid in this area, see the [http://www.owasp.org/index.php/ASVS#tab= | + | * [[Top_10_2007-Insecure_Communications | OWASP Top 10-2007 on Insecure Communications]] |
| − | * [ | ||
| − | * [ | ||
* [http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography] | * [http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography] | ||
| − | * [ | + | * [[Testing_for_SSL-TLS | OWASP Testing Guide: Chapter on SSL/TLS Testing]] |
{{Top_10_2010:SubSubsectionExternalReferencesTemplate}} | {{Top_10_2010:SubSubsectionExternalReferencesTemplate}} | ||
* [http://cwe.mitre.org/data/definitions/319.html CWE Entry 319 on Cleartext Transmission of Sensitive Information] | * [http://cwe.mitre.org/data/definitions/319.html CWE Entry 319 on Cleartext Transmission of Sensitive Information] | ||
* [https://www.ssllabs.com/ssldb/index.html SSL Labs Server Test] | * [https://www.ssllabs.com/ssldb/index.html SSL Labs Server Test] | ||
* [http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf Definition of FIPS 140-2 Cryptographic Standard] | * [http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf Definition of FIPS 140-2 Cryptographic Standard] | ||
| − | {{Top_10_2010: | + | {{Top_10_2010:BottomAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|useprev=2010PrevLink|usenext=2010NextLink|prev=A8-Failure to Restrict URL Access|next=A10-Unvalidated Redirects and Forwards}} |
| + | |||
| + | [[Category:OWASP Top Ten Project]] | ||
Latest revision as of 18:32, 16 October 2010
NOTE: THIS IS NOT THE LATEST VERSION. Please visit the OWASP Top 10 project page to find the latest edition.
| ← A8-Failure to Restrict URL Access | Top 10 Risks |
A10-Unvalidated Redirects and Forwards → |
| Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts | |
|---|---|---|---|---|---|
| Application Specific | Exploitability DIFFICULT |
Prevalence COMMON |
Detectability EASY |
Impact MODERATE |
Application / Business Specific |
| Consider anyone who can monitor the network traffic of your users. If the application is on the internet, who knows how your users access it. Don’t forget back end connections. | Monitoring users’ network traffic can be difficult, but is sometimes easy. The primary difficulty lies in monitoring the proper network’s traffic while users are accessing the vulnerable site. | Applications frequently do not protect network traffic. They may use SSL/TLS during authentication, but not elsewhere, exposing data and session IDs to interception. Expired or improperly configured certificates may also be used. Detecting basic flaws is easy. Just observe the site’s network traffic. More subtle flaws require inspecting the design of the application and the server configuration. |
Such flaws expose individual users’ data and can lead to account theft. If an admin account was compromised, the entire site could be exposed. Poor SSL setup can also facilitate phishing and MITM attacks. | Consider the business value of the data exposed on the communications channel in terms of its confidentiality and integrity needs, and the need to authenticate both participants. | |
|
Am I Vulnerable To 'Insufficient Transport Layer Protection'?
The best way to find out if an application has sufficient transport layer protection is to verify that:
|
How Do I Prevent 'Insufficient Transport Layer Protection'?
Providing proper transport layer protection can affect the site design. It’s easiest to require SSL for the entire site. For performance reasons, some sites use SSL only on private pages. Others use SSL only on ‘critical’ pages, but this can expose session IDs and other sensitive data. At a minimum, do all of the following:
|
|
Example Attack Scenarios
Scenario #1: A site simply doesn’t use SSL for all pages that require authentication. Attacker simply monitors network traffic (like an open wireless or their neighborhood cable modem network), and observes an authenticated victim’s session cookie. Attacker then replays this cookie and takes over the user’s session. Scenario #2: A site has improperly configured SSL certificate which causes browser warnings for its users. Users have to accept such warnings and continue, in order to use the site. This causes users to get accustomed to such warnings. Phishing attack against the site’s customers lures them to a lookalike site which doesn’t have a valid certificate, which generates similar browser warnings. Since victims are accustomed to such warnings, they proceed on and use the phishing site, giving away passwords or other private data. Scenario #3: A site simply uses standard ODBC/JDBC for the database connection, not realizing all traffic is in the clear. |
References
OWASP For a more complete set of requirements and problems to avoid in this area, see the ASVS requirements on Communications Security (V10).
External |
| ← A8-Failure to Restrict URL Access | Top 10 Risks |
A10-Unvalidated Redirects and Forwards → |
