
Parsons Software Security Consulting Blog

OWASP top ten reviewed by Software Security Expert


OWASP Top 10 – 2007 (Previous)
A2 – Injection Flaws
A1 – Cross Site Scripting (XSS)
A7 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)

A8 – Insecure Cryptographic Storage
A10 – Failure to Restrict URL Access
A9 – Insecure Communications

A3 – Malicious File Execution
A6 – Information Leakage and Improper Error Handling

OWASP Top 10 – 2010 (New)
A1 – Injection
A2 – Cross-Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross-Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Insecure Cryptographic Storage
A8 – Failure to Restrict URL Access
A9 – Insufficient Transport Layer Protection
A10 – Unvalidated Redirects and Forwards (NEW)

I was looking at the new OWASP top ten for 2010. I think that I agree with most of the findings. I find it interesting that OWASP has dropped SQL injection and changed it to injection. There are command injection findings that I see while consulting at the code review level, but I have never seen them at the pen test level. I have also seen LDAP query injection at both the code review level and the pen test level. I agree that Cross Site Scripting is one of the most prevalent attacks in web application security today. Many of the developers that I interact with still do not see this as a risk. This is a huge vulnerability, especially in phishing schemes.

Broken Authentication and Session Management is something I see out in the wild all the time. Many of the cookies that I see on web sites are not marked as secure and are not random. This allows attackers to steal the session or even guess another person’s session, leading to information disclosure of another user. This could be devastating in high risk environments like banks.
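As an added example (not from the post), the following Python audit checks the two cookie properties called out above: it parses captured Set-Cookie headers, reports missing Secure/HttpOnly flags, and measures how much of a sampled session ID actually varies. The headers are constructed, and the 64-bit minimum is an assumed threshold.

```python
import math
import re

# Constructed Set-Cookie headers standing in for successive logins
# captured during a test; these are not real traffic.
WEAK_HEADERS = [
    "Set-Cookie: JSESSIONID=1000041; Path=/",
    "Set-Cookie: JSESSIONID=1000042; Path=/",
    "Set-Cookie: JSESSIONID=1000043; Path=/",
    "Set-Cookie: JSESSIONID=1000044; Path=/",
]
# Constructed so that every character position varies across the sample.
BASE = "0123456789abcdef" * 3
GOOD_HEADERS = [f"Set-Cookie: SID={BASE[i:i + 32]}; Path=/; Secure; HttpOnly"
                for i in range(4)]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, set of attribute names)."""
    body = re.sub(r"^set-cookie:\s*", "", header, flags=re.I)
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name.strip(), value.strip(), attrs

def missing_flags(attrs):
    """Flags whose absence lets the cookie travel over HTTP or reach page scripts."""
    return sorted({"secure", "httponly"} - attrs)

def column_entropy_bits(values):
    """Sum of Shannon entropy per character position across the sample.
    Fixed positions contribute 0 bits; with n samples a position can add at
    most log2(n), so this finds low-variance IDs rather than proving randomness."""
    width = min(len(v) for v in values)
    total = 0.0
    for pos in range(width):
        counts = {}
        for v in values:
            counts[v[pos]] = counts.get(v[pos], 0) + 1
        total -= sum(c / len(values) * math.log2(c / len(values)) for c in counts.values())
    return total

def audit(headers, min_bits=64):
    """Assumed threshold: a session ID should carry at least 64 bits of variation."""
    parsed = [parse_set_cookie(h) for h in headers]
    values = [v for _, v, _ in parsed]
    attrs = set.intersection(*(a for _, _, a in parsed))  # a flag counts only if every response sets it
    bits = column_entropy_bits(values)
    return {"cookie": parsed[0][0], "missing_flags": missing_flags(attrs),
            "entropy_bits": bits, "predictable": bits < min_bits}

if __name__ == "__main__":
    for sample in (WEAK_HEADERS, GOOD_HEADERS):
        print(audit(sample))
```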

Insecure object redirects is a vulnerability that I just started to see this year on my penetration testing engagements. I have yet to find this vulnerability in a code review. Has anyone found this vulnerability in a code review?

Cross Site Request Forgery is a hard vulnerability to explain to developers and even harder to exploit. I would cogitate that this vulnerability is only exploited by the highly funded, well-organized and motivated attackers and not the script kiddies.

Security Misconfiguration is something I see on a daily basis in penetration testing whether the server is Apache or IIS.

Insecure Cryptographic Storage is a vulnerability that I have only found doing a code review. Many times I see people have plaintext production database passwords inside of the web.config file. I also see people use insecure hashing algorithms like MD5 and SHA-1.

Matt Parsons, CISSP, MSM

http://www.parsonsisconsulting.com

mparsons1980 [at] gmail.com

Written by mparsons1980

November 20, 2010 at 10:27 am
