OWASP Vulnerability #6 – Sensitive Data Exposure

Payments System Hacking. Online Credit Cards Payment Security Concept. Hacker in Black Gloves Hacking the System.

Number 6 on the OWASP Top 10 List is Sensitive Data Exposure.  This vulnerability occurs when data that should not be seen, such as credit card numbers, tax ID numbers, passwords, and social security numbers becomes exposed.  At Clearent, we pay close attention to this issue and work hard to ensure that our data is protected within our payments platform.

Intuitively, developers understand that data elements like credit card numbers and tax ID numbers need to be protected.  What they don’t always know, however, is how to protect that data.  It’s fairly obvious to realize the need to encrypt sensitive data or store it on encrypted hard disks.  What isn’t so obvious is the need for precautions for the mechanisms that transfer the sensitive data. And because many people don’t realize the need for this, it makes it possible to get their data by monitoring network traffic.  To this point, many of the recent payment breaches were accomplished by monitoring unencrypted network traffic inside a system. Read more

OWASP Vulnerability #7 – Missing Function Level Access Control

Rear view of young man typing and looking at computer monitor while sitting at the table in dark room

The next vulnerability to look at from the OWASP Top 10 List of Web Vulnerabilities is #7, Missing Function Level Access Control.  This vulnerability is easy to understand, but is important to acknowledge because of its abundance in web applications.  At Clearent, we have always paid close attention to function level access control because it is a critical element of the reporting and administration of our payments platform.

Applications that have missing function level access control allow an end user to simply enter a given URL or manually call a function that shouldn’t be exposed to them in order to access data or functionality that has not been explicitly assigned.  Sometimes this vulnerability is manifested by data or application navigation becoming exposed to a user that shouldn’t see it, but more often it is manifested by not performing a security check on individual function calls.  One of the easiest ways to test for this vulnerability is to log into an application as a user with restricted privileges, then type in the URL of a resource that requires more privilege, and see what happens.  If the restricted resource is brought up, the application has this vulnerability.  If not, the application is most likely doing the right things.

Read more

OWASP Vulnerability #8 – Cross-Site Request Forgery (CSRF)

 

Computer crime concept.Continuing with the discussion of the OWASP Top 10 Web Vulnerabilities, this post will look at number 8: cross-site request forgery. This particular vulnerability is difficult for many people to understand, but can be quite common in web applications. Because of its prevalence, Clearent has had to digest and understand this vulnerability in order to build a secure, PCI-compliant payments platform.

What is Cross-Site Request Forgery?

Cross-Site Request Forgery (CSRF) is a vulnerability where a website accepts requests from an agent that were not originated by an authorized user. This attack is best understood with an example. Let’s say a user is logged into their bank’s online banking website and while authenticated, the user visits another site by creating a new tab in the browser. The other site visited has a hidden link that sends a request to the user’s bank, initiating a transfer request to a bad guy’s bank account. The malicious request uses the cookies and session data of the authenticated user in the request, allowing the request to succeed. In this example, the bank site is susceptible to a Cross-Site Request Forgery. Read more

OWASP Security Vulnerability #9 – Components with Vulnerabilities

Developer Cyber Security PCI

This post is a continuation from my first Developer Blog post “PCI Check Up” – outlining the OWASP Top 10 web security vulnerabilities.  We keep these security vulnerabilities in mind as we build out our own payments platform and provide integration points to our partner developers.  In this post, I will review the number 9 OWASP web security vulnerability.

The number 9 vulnerability is Using Components with Known Vulnerabilities.  Most modern web applications take advantage of third-party libraries or frameworks that facilitate application development.  If those third-party components have vulnerabilities in them, then by extension any application that uses those components have security vulnerabilities.  It seems fairly obvious, but many developers simply lose site of this concern.

Read more

OWASP Security Vulnerability #10 – Unvalidated Redirects and Forwards

Payment Security PCI

In a previous post ”Developer PCI Check up”, I provided a high-level overview of the OWASP (Open Web Application Security Project) Top 10 web security vulnerabilities.  Ensuring that these security vulnerabilities don’t exist in a web application is a critical part of being PCI compliant.  This is the first of ten posts going into more detail on each of the vulnerabilities.

Number 10 on the list is Unvalidated Redirects and Forwards.  Quite often, modern web applications use HTTP redirects and forwards to control the flow of their application.  A vulnerable system can be used to redirect users to malicious sites or to download malicious code.  A system may be vulnerable if it uses query string parameters passed in the URL to redirect their application.  Here is an example of a URL that is vulnerable:

Read more

PCI Check Up

Clearent PCI

At Clearent, we are starting preparations for our annual PCI audit.  One of the components of the PCI audit is ensuring that web applications guard against the OWASP Top 10 Web Application Vulnerabilities.  I thought this would be a good time to review that list.

The OWASP.org_PDF is the best source of information if you are creating web applications.  Below is a listing of the 10 vulnerabilities and a brief explanation of them.

Top Ten Web Application Vulnerabilities:

  1. Injection: This vulnerability covers all kinds of injection attacks, including SQL injection.  Applications need to ensure that user-entered data can’t modify execution paths of the application itself.  It is important to guard against data coming into the application, as well as data being retrieved by the application.
  2. Broken Authentication and Session Management: Quite often developers create all of their application’s functionality themselves, and introduce bugs.  Authentication and Session management are no different.  If possible, use tried-and-true third party applications to handle these functions.
  3. Cross-Site Scripting (XSS): XSS is a nasty vulnerability that typically hijacks a user’s browser to access a malicious website or to steal data.  Applications generally protect against this flaw by properly escaping data entered through the browser.
  4. Insecure Direct Object References: This vulnerability typically happens when a developer exposes file names, unique identifiers or other “internal” data that would allow an attacker to directly manipulate the system, bypassing data validation checks.
  5. Security Misconfiguration: Not locking down systems, changing default passwords, or keeping software up-to-date causes this vulnerability.  All of these things seem obvious, but if they are obvious to us, they are obvious to attackers as well.
    Read more