WebApp Sec mailing list archives
Re: Top Ten Web App Sec Problems
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Mon, 2 Dec 2002 21:16:17 -0500
Steven, thanks for searching the public databases. That will help provide some better justification for our top ten list. I'm afraid that many serious flaws won't make it into those lists because they only apply to one site's custom code. I believe the best top ten list is going to come from the minds of the people on this list who have been inside web applications for the past few years.

Another issue in putting together a "top ten" list is the "superclass" issue you raised. Some of these problems are categories, others are very specific instances of a vulnerability. I think we should try to list vulnerabilities that are "just right" ;-) We should try to minimize overlap between vulnerabilities, yet draw a big enough circle that a reasonable class of problems is represented.

A final factor that should go into the "top ten" decision process is the overall risk represented by a vulnerability. How easy is the hole to discover? Are there existing tools to search for it? Do you need special tools to exploit? What are the consequences of exploiting the hole? Our choices should represent the ones that we think will be the most serious for industry during the next year or so.
Here's my initial list of candidates -- obviously there are more than 10, so we'll need to weed out a few

- Cross Site Scripting (XSS)
- Operating System Command Injection
- Thread Safety Problems
- Reliance on Client-Side Security
- SQL Injection
- Error Handling (includes stack traces, database dumps, error codes)
- Buffer Overflow (includes format strings)
- Tainted Parameters
- Insecure Use of Encryption (includes key and cert handling, algorithm, initialization, randomness)
- Insecure Email Functions (send an email from our site)
- Insecure Storage of Keys and Passwords
- Insecure Backside Protocols (includes credentials and use of ssl)
- Insecure Server Configuration (latest patches, dir listing, traversal, sandbox, sample apps, old files, ssl)
- Broken Access Control (includes canonicalization - URL, hex, unicode)
- Broken Authentication (includes credentials in cleartext)
- Session Hijacking
- Broken Account Management (includes password changing, forgot my password)
- Revealing Client-Side Comments

I'm looking forward to everyone's feedback on these.

--Jeff

Jeff Williams
Aspect Security, Inc.
www.aspectsecurity.com

----- Original Message -----
From: Steven M. Christey
To: webappsec () securityfocus com
Sent: Monday, December 02, 2002 4:33 PM
Subject: Re: Top Ten Web App Sec Problems

Based on CVE statistics, cross-site scripting is the 2nd most frequently publicly reported vulnerability this calendar year, overall. Since XSS is mostly specific to web apps, this probably makes it the #1 vulnerability in deployed web apps (though web browsers and servers are sometimes subject to XSS too). I do not have an easy way of finding the CVE items for web-specific vulnerabilities and summarizing those. Also, the vulnerability statistics are not as low-level as I'd like with respect to web-specific issues like parameter tampering.
For what it's worth, here are my general impressions for web apps (which excludes server- and browser-side vulnerabilities):

Top Three (my best guess)
-------------------------

- XSS is widespread.
- Probably a good percentage of all reported directory traversal issues are in web apps; wild guess is 50-60% of all traversal. Note: this includes many canonicalization errors, but I don't have that level of detail.
- Probably a good percentage of authentication and privilege escalation errors are in web apps; my wild guess is 50-60% of all reported authentication issues, and 30-40% of all privilege management issues.

Others
------

- Other common issues are: (a) storing sensitive files under the web document root with world-readable/writable permissions, (b) plaintext passwords, (c) buffer overflows [although probably near the tail end of the top ten, since many web apps use scripting languages that aren't subject to overflows], (d) shell metacharacters, and (e) real pathname information leaks [though there are several different causes of such leaks]
- High-profile, "interesting" bugs like SQL injection and PHP remote file execution / variable tampering are not that frequent, relatively speaking. This makes some sense since many web apps don't use a database, and many don't use PHP.
- As I said in my Bugtraq post last week, "malformed input" is a poorly understood "superclass" of vulnerability. Upon reflection, I don't think I've seen too many issues in web apps that are related to malformed inputs. If this is true (and it may not be), then I wonder if auditors are even looking for this type of issue, as it often results in "only" a DoS whose scope may be limited.

Steve