{"id":336,"date":"2009-11-13T11:25:53","date_gmt":"2009-11-13T16:25:53","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=336"},"modified":"2009-11-13T18:56:06","modified_gmt":"2009-11-13T23:56:06","slug":"owasp-top-10-2010","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/owasp-top-10-2010\/","title":{"rendered":"OWASP Top 10 &#8211; 2010"},"content":{"rendered":"<p>This presentation was by Dave Wichers, COO of Aspect Security and an OWASP Board Member.\u00a0 My notes are below:<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>What&#8217;s Changed?<\/strong><\/span><\/p>\n<ul>\n<li>It&#8217;s about Risks, not just vulnerabilities\n<ul>\n<li>New title is: &#8220;The Top 10 Most Critical Web Application Security Risks&#8221;<\/li>\n<\/ul>\n<\/li>\n<li>OWASP Top 10 Risk Rating Methodology\n<ul>\n<li>Based on the OWASP Risk Rating Methodology, used to prioritize Top 10<\/li>\n<\/ul>\n<\/li>\n<li>2 Risks Added, 2 Dropped\n<ul>\n<li>Added: A6 &#8211; Security Misconfiguration\n<ul>\n<li>Was A10 in 2004 Top 10: Insecure Configuration Management<\/li>\n<\/ul>\n<\/li>\n<li>Added: A8 &#8211; Unvalidated Redirects and Forwards\n<ul>\n<li>Relatively common and VERY dangerous flaw that is not well known<\/li>\n<\/ul>\n<\/li>\n<li>Removed: A3 &#8211; Malicious File Execution\n<ul>\n<li>Primarily a PHP flaw that is dropping in prevalence<\/li>\n<\/ul>\n<\/li>\n<li>Removed: A6 &#8211; Information Leakage and Improper Error Handling\n<ul>\n<li>A very prevalent flaw that does not introduce much risk (normally)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ol>\n<li><strong>A1 &#8211; <\/strong><strong>Injection: <\/strong>Tricking an application into including unintended commands in the data sent to an interpreter. 
(http:\/\/www.owasp.org\/index.php\/SQL_Injection_Prevention_Cheat_Sheet)<\/li>\n<li><strong>A2 &#8211; Cross Site Scripting (XSS):<\/strong> Raw data from attacker is sent to an innocent user&#8217;s browser.\u00a0 For large chunks of user supplied HTML, use OWASP&#8217;s AntiSamy to sanitize this HTML to make it safe.\u00a0 (http:\/\/www.owasp.org\/index.php\/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)<\/li>\n<li><strong>A3 &#8211; Broken Authentication and Session Management:<\/strong> Means credentials have to go with every request.\u00a0 Should use SSL for everything requiring authentication.<\/li>\n<li><strong>A4 &#8211; Insecure Direct Object Reference:<\/strong> This is part of enforcing proper &#8220;Authorization&#8221;, along with A7 &#8211; Failure to Restrict URL Access.<\/li>\n<li><strong>A5 &#8211; Cross Site Request Forgery (CSRF):<\/strong> An attack where the victim&#8217;s browser is tricked into issuing a command to a vulnerable web application.\u00a0 Vulnerability is caused by browsers automatically including user authentication data with each request.\u00a0 (Check out OWASP CSRFGuard, OWASP CSRFTester, http:\/\/www.owasp.org\/index.php\/CSRF_Prevention_Cheat_Sheet)<\/li>\n<li><strong>A6 &#8211; Security Misconfiguration:<\/strong> All through the network and platform.\u00a0 Don&#8217;t forget the development environment.\u00a0 Think of all the places your source code goes.\u00a0 All credentials should change in production.<\/li>\n<li><strong>A7 &#8211; Failure to Restrict URL Access:<\/strong> This is part of enforcing proper &#8220;authorization&#8221;, along with A4 &#8211; Insecure Direct Object References.<\/li>\n<li><strong>A8 &#8211; Unvalidated Redirects and Forwards:<\/strong> Web application redirects are very common and frequently include user supplied parameters in the destination URL.\u00a0 If they aren&#8217;t validated, attacker can send victim to a site of their choice.<\/li>\n<li><strong>A9 &#8211; Insecure Cryptographic 
Storage:<\/strong> Storing sensitive data insecurely.\u00a0 Failure to identify all sensitive data.\u00a0 Failure to identify all the places that this sensitive data gets stored.\u00a0 Failure to properly protect this data in every location.<\/li>\n<li><strong>A10 &#8211; Insufficient Transport Layer Protection<\/strong><\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\"><strong>OWASP Top 10 Risk Rating Methodology<\/strong><\/span><\/p>\n<ul>\n<li>Attack Vector (How hard for an attacker to use this flaw &#8211; 1 (Easy), 2 (Average), 3 (Difficult))<\/li>\n<li>Weakness Prevalence (How often is it found &#8211; 1 (Widespread), 2 (Common), 3 (Uncommon))<\/li>\n<li>Weakness Detectability (How hard is it for an attacker to find the flaw &#8211; 1 (Easy), 2 (Average), 3 (Difficult))<\/li>\n<li>Technical Impact (1 (Severe), 2 (Moderate), 3 (Minor))<\/li>\n<\/ul>\n<p>This is generic across the internet, not specific to any organization.<\/p>\n<p>Started a new &#8220;Prevention Cheat Sheet Series&#8221; that the Top 10 references (XSS, SQL Injection, Transport Layer Security, CSRF, Direct Object Reference).<\/p>\n<p>What is actually being released is RC1 of the Top 10, and they are encouraging people to provide comments through the end of the year and then use that feedback to post the final Top 10 in January 2010.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This presentation was by Dave Wichers, COO of Aspect Security and an OWASP Board Member.\u00a0 My notes are below: What&#8217;s Changed? 
It&#8217;s about Risks, not just vulnerabilities New title is: &#8220;The Top 10 Most Critical Web Application Security Risks&#8221; OWASP Top 10 Risk Rating Methodology Based on the OWASP Risk Rating Methodology, used to prioritize [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[307,4],"tags":[335,76,350,349,346,175,353,357,361,348,352,619,358,354,12,360,355,356,333,177,622,351,176,347,345,359,102,174],"class_list":["post-336","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-dc-2009","category-web-app-sec","tag-335","tag-application","tag-authentication","tag-broken","tag-critical","tag-cross","tag-direct","tag-forgery","tag-forwards","tag-injection","tag-insecure","tag-management","tag-misconfiguration","tag-object","tag-owasp","tag-redirects","tag-reference","tag-request","tag-risks","tag-scripting","tag-security","tag-session","tag-site","tag-sql","tag-top-10","tag-unvalidated","tag-web","tag-xss"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-5q","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/336","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"
about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=336"}],"version-history":[{"count":4,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/336\/revisions"}],"predecessor-version":[{"id":352,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/336\/revisions\/352"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=336"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}