Open-source group names 10 scariest Web vulnerabilities
- By William Jackson
- Jan 13, 2003
The Open Web Application Security Project today released a list of the top 10 vulnerabilities in Web applications and services.
The group said it wants to focus government and private-sector attention on common weaknesses 'that require immediate remediation.'
'Also, in the longer term, this list is intended to be used by development teams and their managers during project planning,' the report noted. 'Ultimately, Web application developers must achieve a culture shift that integrates security into every aspect of their projects.'
OWASP is a volunteer open-source community project created to bring attention to security for online apps. It patterned its list on the SANS Institute and FBI top 20 list of network loopholes. Like the SANS-FBI list, the OWASP vulnerabilities are well known, but continue to represent significant risk because they are widespread. They are exploited through ordinary HTTP requests, which intrusion detection systems do not flag and which firewalls pass through to the Web server no matter how well that server has been hardened.
The vulnerabilities, which focus on categories of problems rather than on specific applications, are:
- Unvalidated parameters, which let information be used by an app before it has been validated
- Broken access control, in which restrictions on what authorized users may do are not enforced
- Broken account and session management, which leaves inadequately protected account credentials and session tokens vulnerable to hijacking
- Cross-site scripting flaws, which let an attack be passed by an app to a user's browser
- Buffer overflows, which can crash an application and allow it to be taken over
- Command injection flaws, in which improper commands are passed by the app to another system for execution
- Error-handling problems, which can provide an attacker with unintended information or deny service when errors occur
- Insecure use of cryptography, which provides weak protection when cryptography code is not properly integrated
- Remote administration flaws, in which administrative functions are not well protected
- Web and application server misconfiguration
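Three of the categories above (unvalidated parameters, command injection and cross-site scripting) share one root cause: a value taken from the HTTP request is handed to another interpreter (a shell, a browser) without being checked or encoded for it. The following is an added illustration written for this article, not code from the OWASP report; it constructs a single `host` query parameter with benign and hostile values and handles it in the vulnerable way and the hardened way. The `ping` command line, the hostname pattern and the sample values are assumptions chosen for the demonstration.

```python
"""Added example: one request parameter, handled vulnerably and then hardened."""
import html
import re
import shlex

# Constructed sample values for a 'host' query parameter (not taken from any real request).
SAMPLE_PARAMS = {
    "benign": "example.org",
    "shell_meta": "example.org; cat /etc/passwd",          # aims at command injection
    "html_meta": "<script>alert(1)</script>",               # aims at cross-site scripting
}

# Allow-list for a DNS hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


class InvalidParameter(ValueError):
    """Raised when a request parameter fails validation."""


# --- Vulnerable handling: the raw parameter is used before any validation ---

def vulnerable_command(host: str) -> str:
    # Interpolates the parameter straight into a shell command line (command injection flaw).
    return f"ping -c 1 {host}"


def vulnerable_page(host: str) -> str:
    # Reflects the parameter straight into HTML (cross-site scripting flaw).
    return f"<p>Results for {host}</p>"


def shell_commands(cmdline: str) -> list[list[str]]:
    """Tokenise `cmdline` the way a POSIX shell would (without running it) and split
    it into the separate commands the shell would execute. More than one command
    means the parameter escaped the argument slot it was meant to fill."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in {";", "|", "&&", "||", "&"}:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# --- Hardened handling: validate against an allow-list, then encode for the target ---

def validate_hostname(host: str) -> str:
    # Reject anything that is not a syntactically valid hostname; no blacklist of metacharacters.
    if not HOSTNAME_RE.match(host):
        raise InvalidParameter(f"not a valid hostname: {host!r}")
    return host


def hardened_command(host: str) -> list[str]:
    # Validated value passed as an argv list: no shell ever parses it, so ';' has no meaning.
    return ["ping", "-c", "1", validate_hostname(host)]


def hardened_page(host: str) -> str:
    # Entity-encode for the HTML context so markup in the value is shown, not interpreted.
    return f"<p>Results for {html.escape(host, quote=True)}</p>"


def rejects(host: str) -> bool:
    """True if the hardened path refuses the value."""
    try:
        hardened_command(host)
    except InvalidParameter:
        return True
    return False


if __name__ == "__main__":
    for name, value in SAMPLE_PARAMS.items():
        print(f"{name}: shell would run {len(shell_commands(vulnerable_command(value)))} command(s); "
              f"hardened path rejects: {rejects(value)}")
        print("  vulnerable page:", vulnerable_page(value))
        print("  hardened page:  ", hardened_page(value))
```

Note that the hardened path never runs anything here; `hardened_command` only builds the argument vector that would be handed to `subprocess.run` without `shell=True`. The point the example makes is the order of operations the report asks for: validate the parameter against what it is supposed to be, then hand it to the next system in a form that system cannot misparse.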
The complete report is available on the organization's Web site, www.owasp.org
William Jackson is a Maryland-based freelance writer.