The second annual list of the top 10 most critical Web application security vulnerabilities, released by the Open Web Application Security Project (OWASP) of IT security professionals, adds the category of denial of service vulnerabilities because they have become more prevalent in the past year.

"We predict that this year a major e-commerce site will suffer a denial of service attack because the hacker has resent many of the user passwords," says Mark Curphey, chairman of OWASP and director of consulting for Foundstone, a firm offering strategic security services. The attack works when, for example, an attacker rents a large list of email addresses and runs a tool that triggers password resets for each of those users on an e-commerce site, locking the legitimate owners out.
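One defensive design for a "forgot password" flow that resists the reset-flooding lockout described above, written here as an added example rather than code from OWASP or Foundstone: the request step never changes the existing password, it only issues a short-lived token, and requests are throttled per account. The in-memory user store, the limit of three requests per hour and the 15-minute token lifetime are constructed assumptions.

```python
import hashlib
import secrets
import time
from collections import defaultdict

# Constructed in-memory user store; a real service would use a database.
USERS = {"alice@example.com": {"password_hash": "old-hash"}}
MAX_RESETS_PER_HOUR = 3     # assumed per-account throttle
TOKEN_TTL_SECONDS = 900     # assumed token lifetime (15 minutes)


class PasswordResetService:
    def __init__(self, clock=time.time):
        self.clock = clock                   # injectable clock for testing
        self.requests = defaultdict(list)    # email -> timestamps of recent requests
        self.tokens = {}                     # sha256(token) -> (email, expiry)

    def request_reset(self, email):
        """Handle a 'forgot password' request. Returns the token to email, or None.
        The current password is left untouched, so flooding this endpoint with
        someone else's address cannot lock that user out."""
        now = self.clock()
        recent = [t for t in self.requests[email] if now - t < 3600]
        self.requests[email] = recent
        if email not in USERS or len(recent) >= MAX_RESETS_PER_HOUR:
            # Same answer for unknown and throttled accounts: no enumeration signal.
            return None
        recent.append(now)
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def confirm_reset(self, token, new_password):
        """Only the holder of a valid, unexpired, single-use token (i.e. whoever
        controls the mailbox) can actually change the password."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # pop: token is single-use
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        salt = secrets.token_bytes(16)
        derived = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        USERS[email]["password_hash"] = salt.hex() + ":" + derived.hex()
        return True
```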

OWASP emerged from efforts by Curphey, when he was working in IT security for Charles Schwab, and his peers at other firms to define the major issues in securing Web sites. The resulting OWASP guide, some 200 pages long and aimed at IT security professionals and developers, was downloaded 1.5 million times over the following year. "The uptake was greater than we expected," Curphey says.

But the developers said they wanted something they could show to the CIO and other executives, so last year the group issued its first Top 10 List of Critical Web Application Security Vulnerabilities. Here is the top 10 list for 2004:

  • Non-validated input -- Information from Web requests that is not validated before the Web application uses it; attackers can exploit this to reach backend components.

  • Broken access control -- Results from improper enforcement of restrictions on what authenticated users are allowed to do; attackers exploit these flaws to access other users' accounts or use unauthorized functions.

  • Broken authentication and session management -- Account credentials and session tokens are not properly protected, allowing attackers to compromise passwords, keys, session cookies or tokens, and assume the identities of other users.

  • Cross-site scripting -- The Web application is used as a mechanism to transport an attack to the end user's browser. A successful attack can disclose the end user's session token or spoof content to fool the user.

  • Buffer overflows -- Web application components written in languages that do not properly validate input can crash and, in some cases, be used to take control of a process. These components can include CGI programs, libraries, drivers and Web application server components.

  • Injection flaws -- Web applications pass parameters when they access external systems or the local OS. If an attacker embeds malicious commands in those parameters, the external system may execute them on behalf of the Web application.

  • Improper error handling -- Error conditions that occur during normal operation and are not handled properly. Attackers can use them to gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.

  • Insecure storage -- Web applications that use cryptographic functions to protect information and credentials have proven difficult to code properly, resulting in weak protection.

  • Denial of service -- As mentioned above, attackers consume Web application resources to the point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or cause an application to fail.

  • Insecure configuration management -- Web servers have many configuration options that affect security and are not secure out of the box. Having a strong configuration standard is critical.

"There are challenges around Web application security," says Curphey. "Many of the issues are human logic issues which can never be found by technology. There is no silver bullet. It's a logic puzzle, a new breed of problem to be solved."