Qualys Blog

www.qualys.com
wkandek

OWASP Top 10 List of Web Application Security Risks for 2010

Today we have a guest post from Qualys Security Research Engineer Michael Shema.

The Open Web Application Security Project (OWASP) has updated its Top 10 list of Web Application Security Risks for 2010. The new list reflects a better understanding of how web applications are most commonly being attacked, or at least of the most common risks discovered by security professionals. It’s important for organizations to understand that the list is a risk-based selection of web app vulns, not an exhaustive one. For example, security misconfigurations (A6) appeared in the 2004 version, were dropped in 2007, and re-appear now in 2010. Also, malicious file execution (A3 from the 2007 version) was dropped because the main culprit, poorly configured and written PHP apps, can benefit from improvements to the default PHP settings. However, this doesn’t mean those problems have gone away. If you haven’t upgraded your PHP installation, then your site is still highly vulnerable.

The list doesn’t explicitly call out a very important class of exploit against web applications: logic attacks, that is, attacks against the site’s workflows. These attacks have a generic description, but tend to be very specific to each web site. They’re related to broken auth and session management (A3) in that they take advantage of poor controls over a user’s activity. Logic attacks target assumptions the site makes about a user’s click path or the sequence in which a workflow is expected to be completed. They rarely rely on injection of malicious content or otherwise invalid input. Instead, they very often repeat steps that the web app didn’t expect to be repeated, or perform actions out of their expected order. These vulns are gaining prominence with JavaScript-heavy apps that push a lot of logic to the browser without verifying actions on the server.
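To make the server-side verification point concrete, here is an added example (not code from the original post) of a hypothetical checkout workflow: the trusting handler believes a client-supplied "paid" flag and can be driven straight to "confirm", while CheckoutSession records progress on the server and rejects any step that arrives out of order or a second time. The step names, the CheckoutSession class and the request shape are all assumptions for illustration.

```python
"""Server-side enforcement of a multi-step workflow (added example).

The steps, the CheckoutSession class and the request dictionaries are
hypothetical; the contrast is between trusting the browser's claimed
click path and tracking the workflow state on the server.
"""
from dataclasses import dataclass, field

# The order in which a checkout must be completed. Anything the browser
# sends out of this sequence, or a second time, is out of workflow.
STEPS = ("cart", "shipping", "payment", "confirm")


def trusting_confirm(request: dict) -> dict:
    """Vulnerable pattern: the server believes the browser's claim that
    the earlier steps were done. Posting 'paid=true' directly to this
    handler places an order without the payment step ever running."""
    if request.get("paid") == "true":  # client-controlled flag
        return {"status": "order placed", "charged": 0}
    return {"status": "rejected"}


@dataclass
class CheckoutSession:
    """Hardened pattern: progress is recorded server-side, one step at a time."""
    total: int                                    # amount computed by the server
    completed: list = field(default_factory=list)  # steps finished so far
    charged: int = 0

    def advance(self, step: str) -> dict:
        # The only acceptable step is the next one in STEPS; once all
        # steps are done nothing further is accepted (no repeated confirm).
        expected = STEPS[len(self.completed)] if len(self.completed) < len(STEPS) else None
        if step != expected:
            # Out-of-order or repeated step: reject and leave state untouched.
            return {"status": "rejected", "reason": f"expected {expected!r}, got {step!r}"}
        if step == "payment":
            self.charged = self.total  # the client never chooses the amount
        self.completed.append(step)
        if step == "confirm":
            return {"status": "order placed", "charged": self.charged}
        return {"status": "ok", "next": STEPS[len(self.completed)]}
```

The same check generalises to any workflow whose order matters: keep the "which step comes next" decision on the server, keyed to the session, rather than in JavaScript or in hidden form fields.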

It’s still important for web site owners to keep track of the OWASP Top 10 in order to understand how threats evolve. CSRF didn’t appear on the list in 2004, but apps have been vulnerable to it since 2000 and earlier (it takes advantage of a fundamental property of HTML and HTTP). It’s just that CSRF attacks weren’t well defined or widely understood until the list was updated in 2007.

Also keep in mind that the Top 10 list is primarily for web site owners, to help them understand how to improve their site’s security and to know what types of attacks seem most prolific. Some of the items, like XSS and CSRF, also target the web browser. As a visitor to a possibly insecure web site, it’s fortunately still possible to apply some defenses in the browser, whether simply keeping the browser and its plug-ins up to date or using a security plug-in like NoScript.

And while developers scour their sites for risks associated with this Top 10 list, web users need to be aware of the prevalence of malware. Malware isn’t actually an attack against the web site; the attacker needs to use some other vulnerability in order to sneak malicious code onto a web page. However, malware is still a significant concern for users who are trying to keep their personal information secure.
