Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/26/2019
11:05 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

OWASP's Common Web Program Security Problems: Part 2

We continue the countdown of OWASP's Top Ten nasties.

In the last article, we considered five out of the ten most common web security vulnerabilities. This time we finish the list.

6. Security misconfiguration
Configuration that defines security must be deployed for the application, frameworks, application server, web server, database server and platform of a public-facing web application. If these specifics are not properly configured, an attacker can simply bypass any security measures.

This also means updating to the most recent version of any of these components is going to be a positive security measure. The objects that seem to be most vulnerable to attack by this method include the URL, form fields and input fields.

A strong application architecture that providing robust separation and security between the included components is always good. Simple steps like changing default usernames and passwords as well as disabling directory listings and implementing access control checks after the installation of new software versions can directly address the problem.

7. Insecure cryptographic storage
If sensitive data is not stored securely on the web application's database, it provides yet another way for an attacker to gain that data.

Storing data securely on a database means using encryption as well as performing hashing of the data. Salting is random data appended to the original data before hashing, and makes the data harder to decrypt.

Should, for example, a password database be exposed through an injection attack, what the attacker comes away with should still be relatively secure if it has been encrypted properly.

Developers in general have a lousy track record of implementing cryptography. Using only approved public algorithms such as AES, RSA public key cryptography or SHA-256 always works out better than creating custom application-specific cryptography.

8. Failure to restrict URL Access
It's not generally realized that web applications check URL access rights before rendering protected links and buttons. Applications need to perform equivalent access control checks every time such pages are accessed.

An attacker can access privilege pages by guessing about an application's structure if those pages have no check associated with them. Being able to access “sensitive” pages, invoke functions and view confidential information may all result from not checking a user's access rights. Role-based authorization policies will work best in this case.

9. Insufficient transport layer protection
This is where weak algorithms, the processing of expired or invalid certificates, or not using SSL rear their head. There are a number of things that can be involved, but they will all center around data in transit. Things will be done poorly, but done in transit.

Basic steps like using secure HTTP are necessary, even considering the additional transactional computing costs of HTTPS. Once enabled, credential transfer that is performed only over HTTPS will stop most Man-in-the-Middle attacks.

Check that your certificates are valid. Have your renewal reminders for them set at the CA.

10. Unvalidated redirects and forwards
If there is not proper validation when your site redirects to other pages, threat actors can redirect victims to phishing or malware sites. They can use forwards to get access to unauthorized pages. So, try not to use them. If they must be used, do not involve any user parameters when calculating the eventual destination. OWASP offers a multitude of items relating to web security, of which only a few have been described here.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-0488
PUBLISHED: 2021-04-15
In pb_write of pb_encode.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-178754781
CVE-2021-27129
PUBLISHED: 2021-04-15
CASAP Automated Enrollment System version 1.0 contains a cross-site scripting (XSS) vulnerability through the Students > Edit > ROUTE parameter.
CVE-2021-27544
PUBLISHED: 2021-04-15
Cross Site Scripting (XSS) in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "sername" parameter.
CVE-2021-27545
PUBLISHED: 2021-04-15
SQL Injection in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to obtain sensitive database information by injecting SQL commands into the "sername" parameter.
CVE-2020-7270
PUBLISHED: 2021-04-15
Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. The risk is partially mitigated if your ATD instances are deploye...