Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/26/2019
11:05 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

OWASP's Common Web Program Security Problems: Part 2

We continue the countdown of OWASP's Top Ten nasties.

In the last article, we considered five out of the ten most common web security vulnerabilities. This time we finish the list.

6. Security misconfiguration
Configuration that defines security must be deployed for the application, frameworks, application server, web server, database server and platform of a public-facing web application. If these specifics are not properly configured, an attacker can simply bypass any security measures.

This also means updating to the most recent version of any of these components is going to be a positive security measure. The objects that seem to be most vulnerable to attack by this method include the URL, form fields and input fields.

A strong application architecture that providing robust separation and security between the included components is always good. Simple steps like changing default usernames and passwords as well as disabling directory listings and implementing access control checks after the installation of new software versions can directly address the problem.

7. Insecure cryptographic storage
If sensitive data is not stored securely on the web application's database, it provides yet another way for an attacker to gain that data.

Storing data securely on a database means using encryption as well as performing hashing of the data. Salting is random data appended to the original data before hashing, and makes the data harder to decrypt.

Should, for example, a password database be exposed through an injection attack, what the attacker comes away with should still be relatively secure if it has been encrypted properly.

Developers in general have a lousy track record of implementing cryptography. Using only approved public algorithms such as AES, RSA public key cryptography or SHA-256 always works out better than creating custom application-specific cryptography.

8. Failure to restrict URL Access
It's not generally realized that web applications check URL access rights before rendering protected links and buttons. Applications need to perform equivalent access control checks every time such pages are accessed.

An attacker can access privilege pages by guessing about an application's structure if those pages have no check associated with them. Being able to access “sensitive” pages, invoke functions and view confidential information may all result from not checking a user's access rights. Role-based authorization policies will work best in this case.

9. Insufficient transport layer protection
This is where weak algorithms, the processing of expired or invalid certificates, or not using SSL rear their head. There are a number of things that can be involved, but they will all center around data in transit. Things will be done poorly, but done in transit.

Basic steps like using secure HTTP are necessary, even considering the additional transactional computing costs of HTTPS. Once enabled, credential transfer that is performed only over HTTPS will stop most Man-in-the-Middle attacks.

Check that your certificates are valid. Have your renewal reminders for them set at the CA.

10. Unvalidated redirects and forwards
If there is not proper validation when your site redirects to other pages, threat actors can redirect victims to phishing or malware sites. They can use forwards to get access to unauthorized pages. So, try not to use them. If they must be used, do not involve any user parameters when calculating the eventual destination. OWASP offers a multitude of items relating to web security, of which only a few have been described here.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-42258
PUBLISHED: 2021-10-22
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include ...
CVE-2020-28968
PUBLISHED: 2021-10-22
Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the username input field.
CVE-2020-28969
PUBLISHED: 2021-10-22
Aplioxio PDF ShapingUp 5.0.0.139 contains a buffer overflow which allows attackers to cause a denial of service (DoS) via a crafted PDF file.
CVE-2020-36485
PUBLISHED: 2021-10-22
Portable Ltd Playable v9.18 was discovered to contain an arbitrary file upload vulnerability in the filename parameter of the upload module. This vulnerability allows attackers to execute arbitrary code via a crafted JPEG file.
CVE-2020-36486
PUBLISHED: 2021-10-22
Swift File Transfer Mobile v1.1.2 and below was discovered to contain a cross-site scripting (XSS) vulnerability via the 'path' parameter of the 'list' and 'download' exception-handling.