- Static content:- Server serves web pages created by people.
- Dynamic content via server-side code:- Server generates web pages based on input from user and a database using code executed on server.
E.g. - CGI scripts (Perl, Python, PHP, Ruby, Java, ASP, etc.)
- Dynamic content via client-side code:- Code embedded in web page is executed in browser and can manipulate web page as a data structure (Domain Object Model = DOM)
Web applications have a large attack surface = places that might contain vulnerabilities that can be exploited. A vault with a single guarded door is easier to secure than a building with many doors and windows.
- Client side surface:- form inputs (including hiddenfields), cookies, headers, query parameters, uploaded files, mobile code
- Server attack surface: web service methods, databases
- AJAX attack surface: union of the above
These were divided into six categories:
- Broken Authentication (62%) - This vulnerability relates to the application’s login mechanism, which may enable the attacker to guess username and passwords and thus launch a brute-force attack.
- Broken Access Controls (71%) - The application fails to properly protect access to sensitive information. An attacker can be able to view other user’s personal information.
- SQL Injection (32%) - This allows the attacker to submit arbitrary input to the application and interfere with the application’s back-end database. An attacker may be able to modify or retrieve data from the application or execute commands on the database.
- Information Leakage (78%) - In this case the application exposes sensitive data or information that might be useful for the attacker when targeting the application.
- Cross-site Request Forgery (92%) - This allows the attacker to create malicious and unintended actions in the application with other user’s behalf.
The OWASP Top 10 - 2013 Release Candidate includes the following changes as compared to the 2010 edition:
- A1 Injection
- A2 Broken Authentication and Session Management (was formerly A3)
- A3 Cross-Site Scripting (XSS) (was formerly A2)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration (was formerly A6)
- A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
- A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
- A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
- A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
- A10 Unvalidated Redirects and Forwards