WebApp Sec mailing list archives
Re: Top Ten Web App Sec Problems
From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 2 Dec 2002 16:33:55 -0500 (EST)
Based on CVE statistics, cross-site scripting is the 2nd most frequently publicly reported vulnerability this calendar year, overall. Since XSS is mostly specific to web apps, this probably makes it the #1 vulnerability in deployed web apps (though web browsers and servers are sometimes subject to XSS too). I do not have an easy way of finding the CVE items for web-specific vulnerabilities and summarizing those. Also, the vulnerability statistics are not as low-level as I'd like with respect to web-specific issues like parameter tampering. For what it's worth, here are my general impressions for web apps (which excludes server- and browser-side vulnerabilities): Top Three (my best guess) ------------------------- - XSS is widespread. - Probably a good percentage of all reported directory traversal issues are in web apps; wild guess is 50-60% of all traversal. Note: this includes many canonicalization errors, but I don't have that level of detail. - Probably a good percentage of authentication and privilege escalation errors are in web apps; my wild guess is 50-60% of all reported authentication issues, and 30-40% of all privilege management issues. Others ------ - Other common issues are: (a) storing sensitive files under the web document root with world-readable/writable permissions, (b) plaintext passwords, (c) buffer overflows [although probably near the tail end of the top ten, since many web apps use scripting languages that aren't subject to overflows], (d) shell metacharacters, and (e) real pathname information leaks [though there are several different causes of such leaks] - High-profile, "interesting" bugs like SQL injection and PHP remote file execution / variable tampering are not that frequent, relatively speaking. This makes some sense since many web apps don't use a database, and many don't use PHP. - As I said in my Bugtraq post last week, "malformed input" is a poorly understood "superclass" of vulnerability. Upon reflection, I don't think I've seen too many issues in web apps that are related to malformed inputs. If this is true (and it may not be), then I wonder if auditors are even looking for this type of issue, as it often results in "only" a DoS whose scope may be limited. Steve
Current thread:
- Top Ten Web App Sec Problems Mark Curphey (Nov 30)
- Re: Top Ten Web App Sec Problems zeno (Nov 30)
- Re: Top Ten Web App Sec Problems Mark Curphey (Nov 30)
- Re: Top Ten Web App Sec Problems Matt Curtin (Nov 30)
- Re: Top Ten Web App Sec Problems bt (Nov 30)
- Re: Top Ten Web App Sec Problems Alex Russell (Dec 02)
- Re: Top Ten Web App Sec Problems Andrew Jaquith (Dec 02)
- Re: Top Ten Web App Sec Problems Alex Russell (Dec 02)
- Re: Top Ten Web App Sec Problems Mark Curphey (Nov 30)
- Re: Top Ten Web App Sec Problems zeno (Nov 30)
- <Possible follow-ups>
- FW: Top Ten Web App Sec Problems Keith T. Morgan (Dec 02)
- Re: Top Ten Web App Sec Problems Steven M. Christey (Dec 02)
- RE: Top Ten Web App Sec Problems Richard M. Smith (Dec 02)
- Re: Top Ten Web App Sec Problems Kevin Spett (Dec 02)
- Re: Top Ten Web App Sec Problems Alex Lambert (Dec 02)
- Re: Top Ten Web App Sec Problems Marc Slemko (Dec 02)
- RE: Top Ten Web App Sec Problems Richard M. Smith (Dec 02)
- RE: Top Ten Web App Sec Problems Richard M. Smith (Dec 03)