Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/26/2019
11:05 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

OWASP's Common Web Program Security Problems: Part 2

We continue the countdown of OWASP's Top Ten nasties.

In the last article, we considered five out of the ten most common web security vulnerabilities. This time we finish the list.

6. Security misconfiguration
Configuration that defines security must be deployed for the application, frameworks, application server, web server, database server and platform of a public-facing web application. If these specifics are not properly configured, an attacker can simply bypass any security measures.

This also means updating to the most recent version of any of these components is going to be a positive security measure. The objects that seem to be most vulnerable to attack by this method include the URL, form fields and input fields.

A strong application architecture that providing robust separation and security between the included components is always good. Simple steps like changing default usernames and passwords as well as disabling directory listings and implementing access control checks after the installation of new software versions can directly address the problem.

7. Insecure cryptographic storage
If sensitive data is not stored securely on the web application's database, it provides yet another way for an attacker to gain that data.

Storing data securely on a database means using encryption as well as performing hashing of the data. Salting is random data appended to the original data before hashing, and makes the data harder to decrypt.

Should, for example, a password database be exposed through an injection attack, what the attacker comes away with should still be relatively secure if it has been encrypted properly.

Developers in general have a lousy track record of implementing cryptography. Using only approved public algorithms such as AES, RSA public key cryptography or SHA-256 always works out better than creating custom application-specific cryptography.

8. Failure to restrict URL Access
It's not generally realized that web applications check URL access rights before rendering protected links and buttons. Applications need to perform equivalent access control checks every time such pages are accessed.

An attacker can access privilege pages by guessing about an application's structure if those pages have no check associated with them. Being able to access “sensitive” pages, invoke functions and view confidential information may all result from not checking a user's access rights. Role-based authorization policies will work best in this case.

9. Insufficient transport layer protection
This is where weak algorithms, the processing of expired or invalid certificates, or not using SSL rear their head. There are a number of things that can be involved, but they will all center around data in transit. Things will be done poorly, but done in transit.

Basic steps like using secure HTTP are necessary, even considering the additional transactional computing costs of HTTPS. Once enabled, credential transfer that is performed only over HTTPS will stop most Man-in-the-Middle attacks.

Check that your certificates are valid. Have your renewal reminders for them set at the CA.

10. Unvalidated redirects and forwards
If there is not proper validation when your site redirects to other pages, threat actors can redirect victims to phishing or malware sites. They can use forwards to get access to unauthorized pages. So, try not to use them. If they must be used, do not involve any user parameters when calculating the eventual destination. OWASP offers a multitude of items relating to web security, of which only a few have been described here.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
CVE-2020-12513
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
CVE-2020-12514
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd
CVE-2020-12525
PUBLISHED: 2021-01-22
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
CVE-2020-12511
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.