At Clearent, we are starting preparations for our annual PCI audit. One of the components of the PCI audit is ensuring that web applications guard against the OWASP Top 10 Web Application Vulnerabilities. I thought this would be a good time to review that list.
The OWASP.org_PDF is the best source of information if you are creating web applications. Below is a listing of the 10 vulnerabilities and a brief explanation of them.
Top Ten Web Application Vulnerabilities:
- Injection: This vulnerability covers all kinds of injection attacks, including SQL injection. Applications need to ensure that user-entered data can’t modify execution paths of the application itself. It is important to guard against data coming into the application, as well as data being retrieved by the application.
- Broken Authentication and Session Management: Quite often developers create all of their application’s functionality themselves, and introduce bugs. Authentication and Session management are no different. If possible, use tried-and-true third party applications to handle these functions.
- Cross-Site Scripting (XSS): XSS is a nasty vulnerability that typically hijacks a user’s browser to access a malicious website or to steal data. Applications generally protect against this flaw by properly escaping data entered through the browser.
- Insecure Direct Object References: This vulnerability typically happens when a developer exposes file names, unique identifiers or other “internal” data that would allow an attacker to directly manipulate the system, bypassing data validation checks.
- Security Misconfiguration: Not locking down systems, changing default passwords, or keeping software up-to-date causes this vulnerability. All of these things seem obvious, but if they are obvious to us, they are obvious to attackers as well.
- Sensitive Data Exposure: Simply put, many applications expose things like credit card numbers and tax IDs. This information must be closely guarded.
- Missing Function Level Access Control: Applications should ensure that an action a user takes in a web application is one the user has been granted access to. This check should occur in the web application and on the server side portion of the application as well.
- Cross-Site Request Forgery (CSRF): This attack uses a user’s browser to submit requests on the user’s behalf without the user being aware of it. Application frameworks are getting smarter about this vulnerability and make it easy for developers to thwart this attack.
- Using Components with Known Vulnerabilities: Many applications utilize external frameworks, libraries, or applications. Care needs to be taken to ensure these third-party packages don’t have flaws that can be exploited.
- Unvalidated Redirects and Forwards: It is common to use HTTP redirects and forwards to control the flow of an application. These redirects and forwards can be used to send a user to a malicious site and cause harm.
This listing is not an exhaustive explanation of the vulnerabilities and their remedies, but it is a good introduction to the concepts of web application security. You can learn more about Clearent’s PCI Certification and Compliance at www.clearent.com/pci-compliance