WebApp Sec mailing list archives
Re: Top Ten Web App Sec Problems
From: "Kevin Spett" <kspett () spidynamics com>
Date: Mon, 2 Dec 2002 18:28:03 -0500
There have been a number of publicized Hotmail problems that were being exploited. This was back when you could send scripted content in an email message and it would get executed. You would open your mail, it'd pop up a window saying "Oh, I'm sorry you'll have to log in again" or something.

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Richard M. Smith" <rms () computerbytesman com>
To: <webappsec () securityfocus com>
Sent: Monday, December 02, 2002 6:13 PM
Subject: RE: Top Ten Web App Sec Problems

Hi Steven,

Are there any known examples of cross-site scripting bugs being exploited?

Richard

-----Original Message-----
From: Steven M. Christey [mailto:coley () linus mitre org]
Sent: Monday, December 02, 2002 4:34 PM
To: webappsec () securityfocus com
Subject: Re: Top Ten Web App Sec Problems

Based on CVE statistics, cross-site scripting is the 2nd most frequently publicly reported vulnerability this calendar year, overall. Since XSS is mostly specific to web apps, this probably makes it the #1 vulnerability in deployed web apps (though web browsers and servers are sometimes subject to XSS too).

I do not have an easy way of finding the CVE items for web-specific vulnerabilities and summarizing those. Also, the vulnerability statistics are not as low-level as I'd like with respect to web-specific issues like parameter tampering.

For what it's worth, here are my general impressions for web apps (which excludes server- and browser-side vulnerabilities):

Top Three (my best guess)
-------------------------

- XSS is widespread.

- Probably a good percentage of all reported directory traversal issues are in web apps; wild guess is 50-60% of all traversal. Note: this includes many canonicalization errors, but I don't have that level of detail.

- Probably a good percentage of authentication and privilege escalation errors are in web apps; my wild guess is 50-60% of all reported authentication issues, and 30-40% of all privilege management issues.

Others
------

- Other common issues are: (a) storing sensitive files under the web document root with world-readable/writable permissions, (b) plaintext passwords, (c) buffer overflows [although probably near the tail end of the top ten, since many web apps use scripting languages that aren't subject to overflows], (d) shell metacharacters, and (e) real pathname information leaks [though there are several different causes of such leaks].

- High-profile, "interesting" bugs like SQL injection and PHP remote file execution / variable tampering are not that frequent, relatively speaking. This makes some sense since many web apps don't use a database, and many don't use PHP.

- As I said in my Bugtraq post last week, "malformed input" is a poorly understood "superclass" of vulnerability. Upon reflection, I don't think I've seen too many issues in web apps that are related to malformed inputs. If this is true (and it may not be), then I wonder if auditors are even looking for this type of issue, as it often results in "only" a DoS whose scope may be limited.

Steve
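Two of the issue classes in this thread, the scripted-content-in-mail problem Kevin describes and the directory traversal / canonicalization class in Steve's top three, as an added illustration that is not code from any poster on the list. The web root path and the sample message body are constructed for the example. The Python shows the vulnerable rendering beside the escaped one, and a substring-only traversal check beside one that decodes and canonicalizes before comparing against the root.

```python
import html
import posixpath
from typing import Optional
from urllib.parse import unquote

# ---------------------------------------------------------------------------
# 1. Cross-site scripting: untrusted content rendered into a page.
# ---------------------------------------------------------------------------

def render_unescaped(body: str) -> str:
    """Vulnerable rendering: the untrusted body is interpolated directly into
    the markup, so any tags it contains become part of the document."""
    return '<div class="message">' + body + '</div>'


def render_escaped(body: str) -> str:
    """Hardened rendering: HTML-encode the characters that carry markup
    meaning (& < > " ') so the browser displays the body as text."""
    return '<div class="message">' + html.escape(body, quote=True) + '</div>'


# Constructed sample body, in the spirit of the Hotmail case described above.
SAMPLE_BODY = '<script>alert("Sorry, you will have to log in again")</script>'

# ---------------------------------------------------------------------------
# 2. Directory traversal and canonicalization.
# ---------------------------------------------------------------------------

# Assumed document root for the example; not a path from the thread.
WEB_ROOT = "/var/www/site/files"


def naive_is_safe(user_path: str) -> bool:
    """The substring check many early web apps relied on. It sees only a
    literal '..' and is blind to URL-encoded or absolute-path variants,
    while also rejecting harmless paths such as 'docs/../readme.txt'."""
    return ".." not in user_path


def safe_resolve(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a user-supplied relative path to an absolute path under `root`.

    Returns None when the request would land outside the root. The order
    matters: decode once, canonicalize (collapse '.', '..', duplicate
    separators), then compare the result against the root. Comparing before
    canonicalizing is the kind of canonicalization error Steve mentions.
    This comparison is purely lexical; on a live filesystem also apply
    os.path.realpath so a symlink under the root cannot point outside it.
    """
    root = posixpath.normpath(root)
    decoded = unquote(user_path)
    # posixpath.join discards `root` if `decoded` is absolute, so an
    # absolute request fails the prefix check below instead of being joined.
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    print(render_unescaped(SAMPLE_BODY))
    print(render_escaped(SAMPLE_BODY))
    for p in ["docs/readme.txt", "docs/../readme.txt", "../../../etc/passwd",
              "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"]:
        print(f"{p!r}: naive={naive_is_safe(p)} resolved={safe_resolve(p)}")
```

The two traversal functions disagree in both directions on the sample inputs: the substring check passes the URL-encoded request and rejects the legitimate `docs/../readme.txt`, while decode-then-canonicalize-then-compare handles both correctly.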