The Open Web Application Security Project, a collaborative security education site, has released a list of the top 10 vulnerabilities in Web applications. The list, at www.owasp.org, is clearly written and full of real problems—with a variety of matching solutions. Heres the vulnerabilities list followed by eWEEK Labs recommendations.
1. Unvalidated Parameters
Nothing client computers send to Web applications should be accepted without validating the input. Input should be scanned two ways: First, input strings should get a low-level scrubbing using regular expressions or checks against enumerated values; second, application-level checks should be performed on input data.
2. Broken Access Control
Once users have logged in, each page in the application must enforce access control rules. Do not rely solely on characteristics of the data stream to do this; application-level checks must also enforce access controls. Encrypt traffic to block replay attempts and reauthenticate users before critical tasks as a defensive measure against session hijacking.
3. Broken Account and Session Management
If attackers can access a users session information, they can get around the whole authentication subsystem. Developers who use their own session key generation code must be able to strongly justify that decision or use the application servers session key logic.
4. Cross-Site Scripting Flaws
Parse user input to turn angle brackets (such as "<") into HTTP escape sequences to prevent scripting code from being stored on the server. Remember, ASCII characters can be encoded as Unicode to attempt to get around these checks.
5. Buffer Overflows
This is a risk only when user input is passed to components written in languages that dont have buffer overflow protection (C and C++ are the main problem languages). Avoid using these in Web application code. Keep third-party components patched.
6. Command Injection Gaps
This weakness arises when web applications pass user input to operating system programs or SQL databases without filtering out or escaping command termination or command separation characters. Attackers can then embed commands in their input; these commands will run on the Web server or database server. Databases must limit permissions of Web user log-ins.
7. Error-Handling Flaws
Never show default error messages to Web users. Intercept error conditions and display a generic message to avoid leaking information. Install an error-tracking mechanism to notice when a site is being probed for weaknesses.
8. Insecure Use of Cryptography
Every mainstream language now has strong cryptography support. Use a proven algorithm and dont store the key within source code, because source code disclosure bugs are relatively common in application severs.
9. Remote Administration Problems
Use strong authentication techniques and dont make these administration tools available remotely. If they are needed, use a virtual private network to restrict network access.
10. Web and Application Server Misconfiguration
Keep software for these servers thoroughly patched. Remove unnecessary extensions and default accounts and passwords. Configure applications to avoid leaking information. Implement security best practices.
West Coast Technical Director Timothy Dyck is at firstname.lastname@example.org.