theDocumentId => 754407 OWASP's Common Web Program Security Problems: Part 2

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/26/2019
11:05 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

OWASP's Common Web Program Security Problems: Part 2

We continue the countdown of OWASP's Top Ten nasties.

In the last article, we considered five out of the ten most common web security vulnerabilities. This time we finish the list.

6. Security misconfiguration
Configuration that defines security must be deployed for the application, frameworks, application server, web server, database server and platform of a public-facing web application. If these specifics are not properly configured, an attacker can simply bypass any security measures.

This also means updating to the most recent version of any of these components is going to be a positive security measure. The objects that seem to be most vulnerable to attack by this method include the URL, form fields and input fields.

A strong application architecture that providing robust separation and security between the included components is always good. Simple steps like changing default usernames and passwords as well as disabling directory listings and implementing access control checks after the installation of new software versions can directly address the problem.

7. Insecure cryptographic storage
If sensitive data is not stored securely on the web application's database, it provides yet another way for an attacker to gain that data.

Storing data securely on a database means using encryption as well as performing hashing of the data. Salting is random data appended to the original data before hashing, and makes the data harder to decrypt.

Should, for example, a password database be exposed through an injection attack, what the attacker comes away with should still be relatively secure if it has been encrypted properly.

Developers in general have a lousy track record of implementing cryptography. Using only approved public algorithms such as AES, RSA public key cryptography or SHA-256 always works out better than creating custom application-specific cryptography.

8. Failure to restrict URL Access
It's not generally realized that web applications check URL access rights before rendering protected links and buttons. Applications need to perform equivalent access control checks every time such pages are accessed.

An attacker can access privilege pages by guessing about an application's structure if those pages have no check associated with them. Being able to access “sensitive” pages, invoke functions and view confidential information may all result from not checking a user's access rights. Role-based authorization policies will work best in this case.

9. Insufficient transport layer protection
This is where weak algorithms, the processing of expired or invalid certificates, or not using SSL rear their head. There are a number of things that can be involved, but they will all center around data in transit. Things will be done poorly, but done in transit.

Basic steps like using secure HTTP are necessary, even considering the additional transactional computing costs of HTTPS. Once enabled, credential transfer that is performed only over HTTPS will stop most Man-in-the-Middle attacks.

Check that your certificates are valid. Have your renewal reminders for them set at the CA.

10. Unvalidated redirects and forwards
If there is not proper validation when your site redirects to other pages, threat actors can redirect victims to phishing or malware sites. They can use forwards to get access to unauthorized pages. So, try not to use them. If they must be used, do not involve any user parameters when calculating the eventual destination. OWASP offers a multitude of items relating to web security, of which only a few have been described here.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-37443
PUBLISHED: 2021-07-25
NCH IVM Attendant v5.12 and earlier allows path traversal via the logdeleteselected check0 parameter for file deletion.
CVE-2021-37444
PUBLISHED: 2021-07-25
NCH IVM Attendant v5.12 and earlier suffers from a directory traversal weakness upon uploading plugins in a ZIP archive. This can lead to code execution if a ZIP element's pathname is set to a Windows startup folder, a file for the inbuilt Out-Going Message function, or a file for the the inbuilt Au...
CVE-2021-37445
PUBLISHED: 2021-07-25
In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via logprop?file=/.. for file reading.
CVE-2021-37446
PUBLISHED: 2021-07-25
In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via documentprop?file=/.. for file reading.
CVE-2021-37447
PUBLISHED: 2021-07-25
In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via documentdelete?file=/.. for file deletion.