The Open Web Application Security Project (OWASP) has long studied Web application security flaws. The last OWASP Top Ten list, published in 2007, was instrumental in educating developers about oft-exploited Web vulnerabilities, from cross-site scripting to unrestricted URL access. This April, the OWASP published an all new 2010 list, focused on putting today's most common flaws into a risk management context.
The goal: To help developers learn from others' mistakes and help enterprises better manage the business risks that these applications create. Patching vulnerabilities after deployment is not only inefficient, but increasingly ineffective. Instead, the OWASP Top Ten 2010 recommends adopting a more holistic approach to developing secure code and deploying security controls that together manage business risk from the get-go.
To assist the OWASP with this endeavor, we dedicate this month's eSecurityPlanet column to publicizing the Top Ten 2010 Web app risk list [PDF]. By helping to spread the list far and wide, we hope to help make the World Wide Web a safer place for all.
Raising awareness and more
The OWASP Top Ten 2010 is a refinement of a candidate list circulated last fall. It incorporates input from security experts across the globe and represents a consensus view on today's most critical Web app security flaws. However, the Top Ten is by definition a moving target app development methods and tools continue to evolve, and so do associated attack vectors and weaknesses. Increasing awareness of this year's Top Ten is a great start, but maintaining awareness of new vectors and weaknesses is crucial.
Furthermore, the 2010 list not only identifies common weaknesses it offers insight into their likelihood of being exploited and potential technical and business consequences. For example, cross-site scripting is the most prevalent Web app flaw. But cross-site scripting poses only moderate technical impact, such as letting attackers hijack browser sessions or deface Websites. Ultimately, business impact depends on the Web app being attacked and its importance to an enterprise.
By putting flaws into context this way, the OWASP Top Ten 2010 enumerates risk factors and provides a framework that organizations can use to evaluate and reduce their own risk exposure. Finally, this year's Top Ten delivers readily-accessible guidance on how to determine if your app is vulnerable to each risk factor and steps you can take to reduce that vulnerability, along with prevention cheat sheets, tutorials, and test tips.
This year's "biggest losers"
And now, without further ado, we present a brief summary of the OWASP Top Ten 2010 enterprise Web application security risks.
1: Injection: Web apps may be vulnerable to LDAP, OS, and SQL injection attacks when untrusted, potentially malicious data is sent as part of a command or query, causing a vulnerable interpreter to run commands or access data in an unexpected manner.
2: Cross-Site Scripting: Apps that accept and send untrusted potentially malicious data to a Web browser without proper validation and escaping may be vulnerable to XSS attacks that exploit these flaws to execute hostile scripts.
3: Broken Authentication and Session Management: Apps that do not correctly authenticate and manage sessions may be vulnerable to attacks that exploit compromised passwords, keys, tokens, etc., in order to falsely assume another users identity.
4: Insecure Direct Object References: Apps that make references to internal implementation objects such as files, directories, or indices may be vulnerable to attacks that manipulate these exposed references in order to reach unauthorized data.
5: Cross-Site Request Forgery: CSRF attacks occur when a browser is forced to send a forged HTTP request containing a logged-in session user's cookie or other authentication data, causing a vulnerable Web app to treat the forged request as legitimate.
6: Security Misconfiguration: Web apps, frameworks, associated servers, and underlying platforms may all be vulnerable to a wide variety of attacks if not kept up-to-date and correctly configured with secure settings.
7: Insecure Cryptographic Storage: Sensitive data, such as credit cards, social security numbers, passwords, and other credentials must be protected against unauthorized access through correct use of appropriate cryptographic techniques, such as encryption and hashing.
8: Failure to Restrict URL Access: Web apps must verify URL access rights not only before rendering protected links and buttons, but every time the underlying "hidden" Web pages are accessed to prevent unauthorized access using forged URLs.
9: Insufficient Transport Layer Protection: Web apps that fail to properly authenticate, encrypt, and protect sensitive traffic as it transits a network may be vulnerable to a variety of confidentiality and integrity attacks.
10: Unvalidated Redirects and Forwards: Web apps that redirect or forward users to other URLs without proper validation of input data used to make such decisions may be vulnerable to attacks that redirect users to phishing or malware sites.
Whether you are a Web app designer, developer, or program manager, or a security professional responsible for protecting your organization against Web security risks, we recommend reading the full OWASP Top 10 2010 report [PDF]. For quick descriptions, advice and more, follow the links given above to visit the OWASP T10 wiki.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.