January 14, 2003 8:07 AM PST
Report: Watch out for Web site flaws
In a 23-page report, the Open Web Applications Security Project said that the OWASP Top Ten is intended to help developers and corporate security administrators close the holes that allow attackers into many companies.
"When an organization puts up a Web application, they invite the world to send them HTTP requests," the report said. "Attacks buried in those requests sail past firewalls, filters, platform hardening, and intrusion detection systems without notice because they are inside legal HTTP requests."
Web sites that send information to other applications, such as a database or e-commerce server, inside the company's network should be analyzed for the 10 security problems as soon as possible, according to the report.
The top vulnerability: Sites that don't validate information before sending it to another server. Attackers can use such a flaw to send malicious code designed to compromise back-end applications through the Web server.
Another major problem, the report said, is a failure to enforce restrictions on user activity. Many attackers log on as one user and then find ways of accessing the data of other users on the system.
Other major issues include cross-site scripting, buffer overflows and remote administration flaws.
"This list is an important development for consumers and vendors alike," Stephen Christey, principal information security engineer for the MITRE Group, a nonprofit system engineering contractor, said in a statement. "It will educate vendors to avoid the same mistakes that have been repeated countless times in other Web applications."
Christey added that the list gives consumers a set of requirements to which they could hold software makers accountable.
The OWASP list resembles a set of 20 flaws released by the SysAdmin, Audit, Networking and Security (SANS) Institute and the FBI every year.