Re: Top Ten Web App Sec Problems

From: Steven M. Christey <coley(at)linus.mitre.org>
Date: Mon Dec 02 2002 - 16:33:55 EST

Based on CVE statistics, cross-site scripting is the 2nd most frequently publicly reported vulnerability this calendar year, overall. Since XSS is mostly specific to web apps, this probably makes it the #1 vulnerability in deployed web apps (though web browsers and servers are sometimes subject to XSS too).

I do not have an easy way of finding the CVE items for web-specific vulnerabilities and summarizing those. Also, the vulnerability statistics are not as low-level as I'd like with respect to web-specific issues like parameter tampering.

For what it's worth, here are my general impressions for web apps (which excludes server- and browser-side vulnerabilities):

Top Three (my best guess)

  • XSS is widespread.
  • Probably a good percentage of all reported directory traversal issues are in web apps; wild guess is 50-60% of all traversal. Note: this includes many canonicalization errors, but I don't have that level of detail.
  • Probably a good percentage of authentication and privilege escalation errors are in web apps; my wild guess is 50-60% of all reported authentication issues, and 30-40% of all privilege management issues.

Others

  • Other common issues are: (a) storing sensitive files under the web document root with world-readable/writable permissions, (b) plaintext passwords, (c) buffer overflows [although probably near the tail end of the top ten, since many web apps use scripting languages that aren't subject to overflows], (d) shell metacharacters, and (e) real pathname information leaks [though there are several different causes of such leaks].
  • High-profile, "interesting" bugs like SQL injection and PHP remote file execution / variable tampering are not that frequent, relatively speaking. This makes some sense since many web apps don't use a database, and many don't use PHP.
  • As I said in my Bugtraq post last week, "malformed input" is a poorly understood "superclass" of vulnerability. Upon reflection, I don't think I've seen too many issues in web apps that are related to malformed inputs. If this is true (and it may not be), then I wonder if auditors are even looking for this type of issue, as it often results in "only" a DoS whose scope may be limited.

Steve

Received on Mon Dec 2 16:39:21 2002
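The post notes that many of the directory traversal reports in web apps are really canonicalization errors: the app compares the raw request string against a rule (no "..", no leading "/") while the filesystem sees the decoded, normalized path. The following is an added example, not code from the post or from CVE/MITRE, showing the defender-side fix: decode and normalize first, then check that the resolved path is still under the document root. DOC_ROOT and the request strings are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example; not a real deployment path.
DOC_ROOT = "/var/www/app/public"


class TraversalError(ValueError):
    """Raised when a requested path would resolve outside the document root."""


def canonicalize(user_path: str, max_decode_rounds: int = 3) -> str:
    """Bring the request to the form the filesystem will actually see.

    - percent-decode repeatedly so double encoding (%252e -> %2e -> .) is caught
    - reject NUL bytes, which truncate the path in C-based servers and libraries
    - fold backslashes to slashes so '..\\' is treated like '../'
    - strip leading slashes so the path is always interpreted relative to the root
    """
    decoded = user_path
    for _ in range(max_decode_rounds):
        next_decoded = unquote(decoded)
        if next_decoded == decoded:
            break
        decoded = next_decoded
    if "\x00" in decoded:
        raise TraversalError("NUL byte in requested path")
    decoded = decoded.replace("\\", "/")
    return decoded.lstrip("/")


def resolve_under_root(user_path: str, root: str = DOC_ROOT) -> str:
    """Return the absolute filesystem path for a request, or raise TraversalError.

    The containment check is made on the joined, normalized path, so '..'
    segments are resolved before the comparison rather than pattern-matched
    in the raw string.
    """
    root_norm = posixpath.normpath(root)
    relative = canonicalize(user_path)
    full = posixpath.normpath(posixpath.join(root_norm, relative))
    if full != root_norm and not full.startswith(root_norm + "/"):
        raise TraversalError(f"path escapes document root: {user_path!r}")
    return full


def is_safe(user_path: str, root: str = DOC_ROOT) -> bool:
    """Convenience wrapper: True if the request stays inside root."""
    try:
        resolve_under_root(user_path, root)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample requests, both benign and traversal attempts.
    samples = [
        "index.html",
        "docs/../index.html",
        "/docs/./readme.txt",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "%252e%252e/%252e%252e/etc/passwd",
        "..%5c..%5cboot.ini",
        "index.html%00.jpg",
    ]
    for s in samples:
        verdict = resolve_under_root(s) if is_safe(s) else "REJECTED"
        print(f"{s!r:40} -> {verdict}")
```

The string-level rule most apps used in 2002 ("reject if it contains ..") misses every encoded variant above; checking containment after normalization catches them all with one comparison. On a real filesystem you would additionally resolve symlinks (os.path.realpath) before the containment check, which this offline example deliberately omits.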

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:45 EDT