Trends & Vision Newsletter

THE THREE MOST UNDERRATED WEB FLAWS

By Jeff Williams, Aspect Security CEO and volunteer Chair of OWASP

We’ve all known about SQL injection and Cross-Site Scripting (XSS) for years, but the attackers haven’t stopped innovating. In the last few years, attackers have started to explore the following common vulnerabilities. Eliminating these problems requires some dedication, but many organizations are well underway in systematically stamping these problems out. For information on these and other critical web application security risks, please see the recently released OWASP Top 10 for 2010.

  1. Cross-Site Request Forgery (CSRF) – Do your forms and links contain an unpredictable token? If not, hackers can attack anyone who is currently logged into your site by luring them to a malicious website. When the victim visits the website, their browser is tricked into sending a request (or multiple requests) to your application. Since they’re logged in, these requests look completely legitimate. The attacker can do anything a legitimate user can do. To stop these forged requests, just generate a random token and include it in forms and links. Then verify that each incoming request has the right token – otherwise it’s forged!
  2. Direct Object References – Do your web pages refer to server-side data using an “id” that is actually the name of a file, a database key, or part of a URL? You always need to verify that the user is authorized for the target object. Otherwise, attackers may be able to manipulate this “direct object reference” to steal data. They may simply iterate through possible values, or they may try some form of injection (such as a ../ or null-byte attack) to access unauthorized data. Fortunately, it’s an easy fix. Simply replace all your “id” parameters with a user-specific indirect reference to prevent leaking the actual reference! Alternatively, you can perform an access control check each time you receive a request. Either way, you stop attackers from abusing your application.
  3. Clickjacking – Can your pages be framed? If so, an attacker can create an invisible frame containing your site and overlay it on another web page. When you attempt to click on the malicious page, your clicks (and potentially keystrokes) go to the frame and activate functions in your application. Like CSRF attacks, this allows attackers to force victims to take arbitrary actions on their accounts, causing whatever damage is possible. To stop clickjacking you’ll need a two-pronged approach. First, add the X-FRAME-OPTIONS header with a value of DENY or SAMEORIGIN. This only really works with IE8 today, but it won’t hurt anything and should be part of your standard build. For other browsers, you’ll need to insert a “framebreaker” script in all your pages. There are a lot out there; just make sure your framebreaker hides the page until the script runs and doesn’t affect the page load experience.
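The “user-specific indirect reference” fix from item 2, worked through as an added example (not code from the newsletter or from any OWASP project): each user gets a private map from random, unguessable references to the real ids, so the real file name or database key never reaches the browser, and a reference minted for one user resolves to nothing for anyone else. The document store, the authorization table and the user names are constructed sample data.

```python
import secrets
from typing import Dict, Optional


class AccessReferenceMap:
    """Per-user map between opaque random references and real server-side ids.

    The client only ever sees references minted for its own session; the real
    ids (file names, database keys) stay on the server.
    """

    def __init__(self) -> None:
        self._direct_to_indirect: Dict[str, str] = {}
        self._indirect_to_direct: Dict[str, str] = {}

    def get_indirect(self, direct: str) -> str:
        """Mint (or reuse) an unguessable reference for an id this user may access."""
        ref = self._direct_to_indirect.get(direct)
        if ref is None:
            ref = secrets.token_urlsafe(16)  # 128 bits of randomness, URL-safe
            self._direct_to_indirect[direct] = ref
            self._indirect_to_direct[ref] = direct
        return ref

    def get_direct(self, indirect: str) -> Optional[str]:
        """Resolve a reference from a request; None means 'not in this user's map'."""
        return self._indirect_to_direct.get(indirect)


# Constructed sample data: real ids, and which of them each user may read.
DOCUMENTS = {"doc-1001": "alice's tax return", "doc-1002": "bob's tax return"}
AUTHORIZED = {"alice": ["doc-1001"], "bob": ["doc-1002"]}

_maps: Dict[str, AccessReferenceMap] = {}  # one map per logged-in user


def render_document_links(user: str) -> Dict[str, str]:
    """Build what a page would show: display name -> the ?id= value to emit."""
    amap = _maps.setdefault(user, AccessReferenceMap())
    return {DOCUMENTS[d]: amap.get_indirect(d) for d in AUTHORIZED[user]}


def fetch_document(user: str, id_param: str) -> Optional[str]:
    """Handle a request carrying ?id=...; only this user's own references resolve."""
    amap = _maps.get(user)
    if amap is None:
        return None
    direct = amap.get_direct(id_param)
    if direct is None:
        return None  # guessed, tampered (e.g. ../), or another user's reference
    return DOCUMENTS[direct]
```

Because the map is consulted on every request, an “id” that was never minted for that user is rejected before any data access, whether it was iterated, injected, or copied from another user’s page.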