
OWASP Top-10 Session Notes

Posted 2 November 2013, in General

(conducted by Kenneth Van Wyk on 7th – 9th May 2008 at Park Orchard Hotel Singapore)


1. Cross site scripting
An attacker can 1) take over the session 2) install malware 3) copy/steal sensitive data
Remediation: 1) input validation, which is not as simple as blocking "<>" or "<script></script>" 2) input encoding

2. Injection flaws
The most common is SQL injection. Consider the following input to an HTML form: in a variable called "username", enter "' or 1=1 --".
Remediation: 1) parameterized queries via PreparedStatement on the server side 2) stored procedures, which are safe but SQL-engine dependent

3. Malicious file execution
Can occur whenever a user directly affects an interpreted system resource name, generally in combination with sending input to a command interpreter.
Best practices: server hardening, compartmentalization, access control

4. Insecure direct object reference
Another input validation issue: unchecked user input allows an attacker to access an unintended resource.
Best practices: positive input validation, OS-layer data access and compartmentalization

5. Cross site request forgery
Phishers are beginning to actively use this technique.
The attacker sends an image request to the victim; the image arrives via spam email.

6. Information leakage and improper error handling
Information can leak from an application through hidden fields, file/folder naming, and badly handled errors.

7. Broken authentication and session management
Mistakes are common: credentials transmitted unencrypted, credentials passed in GET, session cookies revealed or guessable.

8. Insecure crypto storage
Problems abound: key management, poorly chosen keys, inadequate algorithms. And remember that "encoding" is not the same as "encrypting".
Tips: store keys in a safe place, use strong keys that are not easily guessed, use a strong algorithm, avoid re-using keys.

9. Insecure comms
The "in transit" portion of insecure crypto; key management is the biggest problem.

10. Failure to restrict URL access
Attacks need only a browser to guess a URL; admin functions are commonly hidden this way (via www.xxx.com/admin or whatever can be guessed).

