Re: Top Ten Web App Sec Problems

["Kevin Spett" <kspett () spidynamics com>]

There have been a number of publicized Hotmail problems that were being
exploited.  This was back when you could send scripted content in an email
message and it would get executed.  You would open your mail, it'd pop up a
window saying "Oh, I'm sorry you'll have to log in again" or something.



Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Richard M. Smith" <rms () computerbytesman com>
To: <webappsec () securityfocus com>
Sent: Monday, December 02, 2002 6:13 PM
Subject: RE: Top Ten Web App Sec Problems


> Hi Steven,
>
> Are there any known examples of cross-site scripting bugs being
> exploited?
>
> Richard
>
> -----Original Message-----
> From: Steven M. Christey [mailto:coley () linus mitre org]
> Sent: Monday, December 02, 2002 4:34 PM
> To: webappsec () securityfocus com
> Subject: Re: Top Ten Web App Sec Problems
>
>
>
> Based on CVE statistics, cross-site scripting is the 2nd most
> frequently publicly reported vulnerability this calendar year,
> overall.  Since XSS is mostly specific to web apps, this probably
> makes it the #1 vulnerability in deployed web apps (though web
> browsers and servers are sometimes subject to XSS too).
>
> I do not have an easy way of finding the CVE items for web-specific
> vulnerabilities and summarizing those.  Also, the vulnerability
> statistics are not as low-level as I'd like with respect to
> web-specific issues like parameter tampering.
>
> For what it's worth, here are my general impressions for web apps
> (which excludes server- and browser-side vulnerabilities):
>
>
> Top Three (my best guess)
> -------------------------
>
> - XSS is widespread.
>
> - Probably a good percentage of all reported directory traversal
>   issues are in web apps; wild guess is 50-60% of all traversal.
>   Note: this includes many canonicalization errors, but I don't have
>   that level of detail.
>
> - Probably a good percentage of authentication and privilege
>   escalation errors are in web apps; my wild guess is 50-60% of all
>   reported authentication issues, and 30-40% of all privilege
>   management issues.
>
>
> Others
> ------
>
> - Other common issues are: (a) storing sensitive files under the web
>   document root with world-readable/writable permissions, (b)
>   plaintext passwords, (c) buffer overflows [although probably near
>   the tail end of the top ten, since many web apps use scripting
>   languages that aren't subject to overflows], (d) shell
>   metacharacters, and (e) real pathname information leaks [though
>   there are several different causes of such leaks]
>
> - High-profile, "interesting" bugs like SQL injection and PHP remote
>   file execution / variable tampering are not that frequent,
>   relatively speaking.  This makes some sense since many web apps
>   don't use a database, and many don't use PHP.
>
> - As I said in my Bugtraq post last week, "malformed input" is a
>   poorly understood "superclass" of vulnerability.  Upon reflection, I
>   don't think I've seen too many issues in web apps that are related
>   to malformed inputs.  If this is true (and it may not be), then I
>   wonder if auditors are even looking for this type of issue, as it
>   often results in "only" a DoS whose scope may be limited.
>
>
>
> Steve