• Login
• Become a member
• RSS
• Part of the TechTarget network

---

If you create applications for the Web -- or just use Web applications -- you know how important it is for those applications to be secure. Hackers are always looking for that overlooked gap so they can work their way into your application and your data.

This learning

guide, which is based on the Open Web Application Security Project's top 10 project, walks you through the 10 most critical Web application security vulnerabilities and how to protect against them. You'll find articles, tips, expert advice and more to help ensure you're in the know about these threats.

Are there other topics you'd like to see learning guides on? Send me an e-mail and let me know what they are.
-- Michelle Davidson, Editor.

TABLE OF CONTENTS    What is OWASP?    Top 10 most critical Web application security vulnerabilities Unvalidated Input Broken Access Control Broken Authentication and Session Management Cross Site Scripting (XSS) Flaws Buffer Overflows Injection Flaws Improper Error Handling Insecure Storage Denial of Service Insecure Configuration Management

What is OWASP?

Return to Table of Contents

• This glossary definition of OWASP offers a concise view of the organization.


• About the Open Web Application Security Projectis an article explaining OWASP's structure and numerous application security projects.


• What is the OWASP Top Ten?


• PHP and the OWASP Top Ten Security Vulnerabilities

Top 10 most critical Web application security vulnerabilities

Return to Table of Contents

1. Unvalidated Input: Information from Web requests is not validated before being used by a Web application. Attackers can use these flaws to attack backend components through a Web application.
   (Return to Table of Contents)
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 12:
     Data Validation
   • The importance of input validation and the hazards of ignoring this important application security measure.
   • Input Validation Attacks -- Chapter 6, Hacking Exposed Web Applications: This free book excerpt contains valuable input validation tips.
   • One simple rule to make your Web apps more secure is practicing proper input validation, according to application security expert Caleb Sima.
   • Never use unvalidated input as part of a directive to any internal component
   • A Guide to Building Secure Web Applications, Chapter 10: Data Validation
   • WinForms data validation
   • Top 7 PHP security blunders: Among the "blunders" are several vulnerabilities on this list.
   • modsecurity project (Apache module for HTTP validation): Version two of this tool is now available
   • Thick client application security: Because application security isn't just for Web apps
   • Nine ways to hack a Web app (PDF) contains a lot of useful information in an unfortunate PowerPoint format. This link is relevant to almost all OWASP Top Ten vulnerabilities.

2. Broken Access Control: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
   (Return to Table of Contents)
   • Authorization determines which privileges a user is allowed.
   • An access control list is a good method for managing user privileges.
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 10: Authorization: Expansive overview of authorization for applications.
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 8: Web Services: Comprehensive, well-organized instructions for Web services security.
   • A Guide to Building Secure Web Applications, Chapter 8: Access Control and Authorization: This chapter covers discretionary, mandatory and role-based access control.
   • Access control and JSPs: J2EE expert Ramesh Nagappan discusses user privileges and Java Server Pages.
   • Limiting user access in ASP.NET: Expert Dan Cornell explains authentication and authorization in .NET applications.
   • Layered insecurity: Access control can be implemented with the proper security infrastructure, according to this article.
   • Access control options: Contains a list of access control commands.
   • A simple access control mechanism from Knowbot Operating Environment Software.
   • NetSwift iGate helps authenticate users, secure access: This is a product review from SC Magazine about the authentication tool.

3. Broken Authentication and Session Management: Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
   (Return to Table of Contents)
   • Authentication -- a Whatis.com definition
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 9: Authentication
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 11: Session Management
   • Session prediction is the stealing of a session ID, which can result in exploits like session hijacking. Session IDs are often stored in cookies.
   • Session hijacking is a serious exploit that can be hard for many users to detect.
   • Securing Web apps against authenticated users: Sanitize your data and secure your applications.
   • Session fixation vulnerability in Web-based applications (PDF): This white paper from Acros is updated occasionally to stay current.
   • Password recovery: Thorough white paper on password recovery.
   • Authentication technologies and techniques
   • Simple authentication
   • User authentication on the Web
   • Web-based session management: Best practices in managing HTTP-based client sessions
   • Authentication and session management on the Web (PDF)
   • IBM WebSphere session management

4. Cross Site Scripting (XSS) Flaws: The Web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
   (Return to Table of Contents)
   • Cross-site scripting (XSS) -- a Whatis.com definition.
   • Cross-site tracing (XST): a newer, more dangerous version of XSS. OWASP's Jeff Williams discusses this exploit in Cross-site tracing explained.
   • XSS leads OWASP's Top Ten for 2007: Cross-site scripting becomes the number one exploit, according to OWASP.
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 12: Data Validation
   • Deal with cross-site scripting
   • The cross-site scripting FAQ
   • CERT advisory on malicious HTML tags
   • CERT "Understanding malicious content mitigation"
   • Understanding the cause and effect of CSS vulnerabilities
   • XSS cheat sheet -- Esp: for filter evasion
   • XSS, trust, and Barney
   • Prevent cross-site (XSS) malicious content
   • Five common application-level attacks and the countermeasures to beat them (webcast)

5. Buffer Overflows: Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and Web application server components.
   (Return to Table of Contents)
   • Buffer overflow -- a Whatis.com definition
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 17: Buffer Overflows
   • How to prevent buffer overflow attacks: This Featured Topic contains a number of helpful links.
   • Integer overflow may lead to a buffer overflow attack.
   • Buffer overflow attacks and their countermeasures: An easy to understand article from Linux Journal.
   • Exploiting Software: How to Break Code -- Chapter 7: Buffer Overflow: This free book excerpt explains how these attacks work and what you can do to stave them off.
   • Defining and preventing buffer overflows: Tips and techniques for protecting against this Web exploit.
   • Buffer overflow exploits: The how and why: (PDF) White paper from McAfee.

6. Injection Flaws: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
   (Return to Table of Contents)
   • SQL injection is the tip of the iceberg as, "Malicious code injection: It's not just for SQL anymore" spells out. The good news is that injection attacks are similar enough that prevention methods are more or less universal.
   • In the podcast, Injection attacks -- Knowledge and prevention, Caleb Sima explains how injection attacks originate and how they can be stopped.
   • The family of injection attacks includes but is not limited to:
     • LDAP injection
     • SSI injection, there is a podcast from whatis.com describing this exploit.
     • cross-site scripting, see section above for more information on this exploit.
     • command injection, sometimes referred to as shell command injection.
     • XPath injection
     
     
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 12: Data Validation
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 13: Interpreter Injection
   • Automated SQL injection: What your enterprise needs to know -- Part 1: An interview with SQL injection authority Caleb Sima.
   • Automated SQL injection: What your enterprise needs to know -- Part 2: More wisdom from Caleb.
   • Browser injection flaws affect multiple browsers and platforms
   • Unlearning: The first step towards stopping SQL injection
   • Validating input with convenience and security

7. Improper Error Handling: Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the Web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
   (Return to Table of Contents)
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 15: Error Handling, Auditing and Logging
   • Error handling: This definition from whatis.com mentions the different types of errors.
   • Handling errors using exceptions: A comprehensive Java Tutorial on exceptions.
   • Error and exception handling: When and how to use exceptions.
   • JavaScript error handling
   • Error handling and debugging: From the Microsoft Developer Network.
   • : Covers custom exceptions, page level and application level error handling.
   • Error event handling for Visual Basic (VB).

8. Insecure Storage: Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
   (Return to Table of Contents)
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 19: Cryptography
   • Cryptography: This definition from whatis.com explains the origins and modern uses of cryptography.
   • Java Cryptography Extension(JCE) :A valuable security tool for J2EE.
   • Why encryption is not enough (Webcast)
   • Protecting encrypted data from attacks: A tip from application security expert Amir Peles.
   • Beginning Cryptography with Java -- Chapter 2, Symmetric Key Cryptography: Free chapter excerpt discusses implementing encryption in Java applications, including using the JCE.
   • Cryptography and Java applications: In this Q&A, Java application security expert Ramesh Nagappan explains how to
   • How an attacker cracks a symmetric key-based system
   • Storing hashed, encrypted values in a database
   • How IPsec and SSL/TLS use symmetric and asymmetric encryption

9. Denial of Service: Attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
   (Return to Table of Contents)
   • Denial of service (DoS) attacks include buffer overflows, SYN attacks, Smurf attacks and more.
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 22: Denial of Service Attacks
   • instructions from SANS.
   • Denial of service and Ajax: Application security experts Caleb Sima and Billy Hoffman discuss how DoS uniquely affects Ajax applications.
   • What is a land attack?
   • Denial of Service (DoS) Attack Resources
   • Denial-of-service or "nuke" attacks
   • Understanding denial-of-service attacks

10. Insecure Configuration Management: Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
    (Return to Table of Contents)
    • Configuration management -- a Whatis.com definition
    • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 20: Configuration
    • Best practices for managing secure Web server configurations
    • Web server security best practices
    • Security tips for server configuration
    • YoLinux: Internet Web server and domain configuration tutorial
    • Do configuration management during design and development: Article recommends building application security into the software development life cycle (SDLC).
    • Windows configuration weaknesses: Descriptions and how to determine if you are vulnerable from SANS.
    • UNIX configuration weaknesses

More News and Tutorials

• Articles

  • Injection attacks -- Knowledge and prevention
  • Injection attacks -- Knowledge and prevention
  • How fault-injection attacks threaten applications
  • Application threats: CSRF, injection attacks and cookie replay
  • Five application security threats and how to counter them
• 
  

  • Defend against the SQL injection tool Havij, other SQL injection tools
  • Five application security threats and how to counter them
  • Security Think Tank: Quick time to market to blame for many SQLi attacks
  • How to use OWASP Broken Web Apps to prevent vulnerabilities
  • Application security: Testing for injection vulnerabilities

• Related glossary terms

  Terms for Whatis.com - the technology online dictionary

  • virtual patching
  • SQL injection

This was first published in January 2006

Join the conversationComment

All Rights Reserved,Copyright 2006 - 2013, TechTarget