Re: Top Ten Web App Sec Problems

>> = Steve Christey
> = Jeff Williams

>> It sounds like you're advocating a "top ten" that's based on other

Agreed. There is a bias in what's publicly reported, too - reflected by "fads" (why else is XSS so popular these days? oh yeah, it's really easy to find) and the amount of efforts by researchers. There are too many cases when a piece of software suffers the "death of a thousand cuts" with advisory after advisory on variants of the same issue, which often demonstrates how incomplete the original research was.

>The public vulnerability databases don't list problems with individual

We've had to deal with this in CVE and, in short, stay away from it. The general approach has been to record problems that require "customer action."

>Companies don't release information about vulnerabilities in their

Maybe some bold company will do this one day, I hope... and while many in the security community will sing their praises, their stock price would probably plummet :-(

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

>I'd like to see a top ten list that helps to crystallize the issue for

I'd like to see something that customers can use to tell their vendors "we want you to guarantee that you won't make these mistakes." Something that the security community can use to say "this is the same old issue and vendors shouldn't be making such obvious mistakes." That's a little pie-in-the-sky, but one benefit of the SANS Top Ten was that it gave "management" a means of talking about vulnerabilities in a non-technical fashion.

>Roughly how big do you think the risk from web application

That's a great question. In web apps, you have situations which the risk to the end user is as important (or more so) than risk to the server/provider, and the customer may have different priorities, security-wise, than the server/provider.

I bet the "real" answer will change over the next few years, too. Server software seems to be getting much more robust, at least from major vendors. Major server software these days is hit by "interesting" or new problems more often than not. As server software is better protected, people may start looking at web apps more than they already do.

>I think we should select the vulnerabilities that pose the greatest

Makes sense - and easier said than done :-)

Here's my cut, which is probably biased by the overall set of publicly known vulnerabilities. One "pro" of this bias would be that it captures errors made by programmers of widely varying skill levels (instead of companies who hire consultants, who might be in better shape overall). This may in some sense reflect the lowest hanging fruit.

• Directory traversal
• XSS (for 3 reasons: it's commonplace, every single input is suspect, and educating programmers about XSS will have cascading effects)
• Shell metacharacters / OS system command injection
• Poor credential management (cookies, whatever)
• Unprotected privileged apps (i.e. bypassing the "login" screen and directly accessing a program that should require authentication, but assumes the login screen handled it)
• Parameter/form tampering
• Canonicalization (since it can defeat otherwise good input validation)
• SQL injection
• storing sensitive files under the web root
• plaintext passwords - in URLs or in data files
• bad crypto
• buffer overflows

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

OK, that's 12 ;-)

One thing that would be nice to see is a document that is organized around overall application functionality, versus vulnerability type. Many secure programming doc's are organized by vulnerability type instead of, say, "managing files," "protecting data," "processing incoming data," "using encryption," "performing authentication," etc. Some bug types will cross many functional areas, but this sort of organization might be more useful to programmers.

• Steve