OWASP's Common Web Program Security Problems: Part 2

In the last article, we considered five out of the ten most common web security vulnerabilities. This time we finish the list.

6. Security misconfiguration
Configuration that defines security must be deployed for the application, frameworks, application server, web server, database server and platform of a public-facing web application. If these specifics are not properly configured, an attacker can simply bypass any security measures.

This also means updating to the most recent version of any of these components is going to be a positive security measure. The objects that seem to be most vulnerable to attack by this method include the URL, form fields and input fields.

A strong application architecture that providing robust separation and security between the included components is always good. Simple steps like changing default usernames and passwords as well as disabling directory listings and implementing access control checks after the installation of new software versions can directly address the problem.

7. Insecure cryptographic storage
If sensitive data is not stored securely on the web application's database, it provides yet another way for an attacker to gain that data.

Storing data securely on a database means using encryption as well as performing hashing of the data. Salting is random data appended to the original data before hashing, and makes the data harder to decrypt.

Should, for example, a password database be exposed through an injection attack, what the attacker comes away with should still be relatively secure if it has been encrypted properly.

Developers in general have a lousy track record of implementing cryptography. Using only approved public algorithms such as AES, RSA public key cryptography or SHA-256 always works out better than creating custom application-specific cryptography.

8. Failure to restrict URL Access
It's not generally realized that web applications check URL access rights before rendering protected links and buttons. Applications need to perform equivalent access control checks every time such pages are accessed.

An attacker can access privilege pages by guessing about an application's structure if those pages have no check associated with them. Being able to access “sensitive” pages, invoke functions and view confidential information may all result from not checking a user's access rights. Role-based authorization policies will work best in this case.

9. Insufficient transport layer protection
This is where weak algorithms, the processing of expired or invalid certificates, or not using SSL rear their head. There are a number of things that can be involved, but they will all center around data in transit. Things will be done poorly, but done in transit.

Basic steps like using secure HTTP are necessary, even considering the additional transactional computing costs of HTTPS. Once enabled, credential transfer that is performed only over HTTPS will stop most Man-in-the-Middle attacks.

Check that your certificates are valid. Have your renewal reminders for them set at the CA.

10. Unvalidated redirects and forwards
If there is not proper validation when your site redirects to other pages, threat actors can redirect victims to phishing or malware sites. They can use forwards to get access to unauthorized pages. So, try not to use them. If they must be used, do not involve any user parameters when calculating the eventual destination. OWASP offers a multitude of items relating to web security, of which only a few have been described here.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.