OWASP Top 10 - Room for Improvement
“The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.†- quote from OWASP Top Ten.
I did a brief search on Google and did not see any obvious objections or flames with regards to the OWASP Top Ten. The industry as a whole seems to be adopting it, including automated web application testing tools and penetration testing companies. I recently performed the PCI Visa/MasterCard assault course, which also rates (or did) its application testing against this standard. These are my thoughts (or mad rantings):
Some of my likes:
* I like the idea behind having a web application standard. OWASP has pushed this more then anyone else that I have seen.
* A10 (Insecure Configuration Management) is actually specific, quite nice.
Some of my dislikes:
* The headings and definitions can be confusing
* The more detailed links seem to go off topic and intertwine with each other (i.e. A1, A4 & A6)
* In my opinion they are not ordered by priority (not sure if they are meant to be)
* Some relevant information is lacking (i.e. weak usernames and passwords, user enumeration vulnerabilities)
* When was the last time it was updated or do such generic issues not require change? If so, is this really an effective measure in testing and development?
Comments:
I never really payed much attention to the OWASP Top Ten. However, this is quickly becoming the web application testing standard. To be honest, this scares me. To me, the OTP (OWASP Top Ten) is just not where it should be for the publicity its recieving. It is mostly generic, chunky and confusing. I don’t see how anyone can claim to use the OWASP Top Ten with any degree of accuracy.
Thoughts:
My idea of the OWASP Top Ten include more specifics and less talk. These specifics should be measured with current attack trends. Regular updates are crucial.
Thoughts welcome, the OWASP Top Ten are as follows:
A1 Unvalidated Input
Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
A2 Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users’ accounts, view sensitive files, or use unauthorized functions.
A3 Broken Authentication and Session Management
Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users’ identities.
A4 Cross Site Scripting
The web application can be used as a mechanism to transport an attack to an end user’s browser. A successful attack can disclose the end user?s session token, attack the local machine, or spoof content to fool the user.
A5 Buffer Overflow
Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
A6 Injection Flaws
Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
A7 Improper Error Handling
Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
A8 Insecure Storage
Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
A9 Application Denial of Service
Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
A10 Insecure Configuration Management
Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
References:
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
David,
Your totally right and we are aware that the Top 10 needs updating. Behind the scenes we are doing just that. I am currently working on the ASP.NET Top 10 and others are updating it to reflect todays web applications and their insecurities.
As with many organisations that rely on people’s free time to do the work, progress is slow. I have a day job and also a life. We would love to see all these companies adopting it offering some support for us to move forward and actually spend more time, but in reality that wont happen.
The Top 10 does have a place in todays web enabled Internet and we are fully aware of the need to get it updated ASAP!
Daniel
OWASP
Daniel,
Good to see you have a life :)
I can totally understand your point of view. Life’s balancing act is always a challenge. However, the project states that it is “sponsored” by Aspect Security. I expect outdated material from open source projects, but I would have expected “sponsored” material to be a little better?
Late to the party again, but oh well:
Although you may argue that A2 is broad enough to cover it, CSRF certainly deserves a point of it’s own. It’s one of the top three web app problems (behind SQL and XSS injections) and has very different mitigation techniques from any other bullet on the list..
If someone who’s logged into their bank account goes to visit my website, with an image embedded pointing to http://bank.com/index.php?cmd=changepass&newpass=WideOpen .. thats a wide open hole.
It’s a fairly comprehensive list otherwise though .. and when limited to only 10 points, i find it more than adequate.
-maluc