January 14, 2003 8:07 AM PST

Report: Watch out for Web site flaws

A group of security experts on Monday released a list of Web site flaws that it believes are the primary culprits in undermining the security of online applications.

In a 23-page report, the Open Web Application Security Project said that its OWASP Top Ten is intended to help developers and corporate security administrators close the holes that let attackers into many companies' Web applications.

"When an organization puts up a Web application, they invite the world to send them HTTP requests," the report said. "Attacks buried in those requests sail past firewalls, filters, platform hardening, and intrusion detection systems without notice because they are inside legal HTTP requests."

Web sites that send information to other applications, such as a database or e-commerce server, inside the company's network should be analyzed for the 10 security problems as soon as possible, according to the report.

The top vulnerability: Sites that don't validate information supplied in a request before passing it to another server. Attackers can use such a flaw to smuggle malicious input through the Web server and into back-end applications such as databases.

Another major problem, the report said, is a failure to enforce restrictions on user activity. Many attackers log on as one user and then find ways of accessing the data of other users on the system.
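The two flaws described above, unvalidated input forwarded to a back-end database and a lookup that never checks which user is asking, are shown below in a toy order-lookup endpoint next to a hardened version of the same lookup. This is an added example for this page, not code from the CNET article or from the OWASP report; the schema, the rows, the allowlist pattern and the injection payload are all constructed for illustration.

```python
"""
Added example (not from the article or the OWASP report): a toy order-lookup
back end showing two OWASP Top Ten items side by side with their fixes:
unvalidated parameters spliced into SQL, and missing per-user access control.
Schema, rows, payloads and the username policy are constructed assumptions.
"""
import re
import sqlite3

# Assumed allowlist policy for usernames: letters, digits, underscore, 1..32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def build_db():
    """Constructed back-end database: two users, each owning one order."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, item TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO orders VALUES (100, 1, 'laptop'), (200, 2, 'router');
    """)
    return conn


def find_user_vulnerable(conn, username):
    """Unvalidated request parameter concatenated straight into SQL.
    A tautology such as ' OR '1'='1 turns a single-user lookup into a dump."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Reject anything outside the allowlist, then bind the value as a
    parameter so the database never parses it as SQL."""
    if not USERNAME_RE.match(username):
        raise ValueError("rejected username")
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def get_order_vulnerable(conn, session_user_id, order_id):
    """Parameterized, so no injection, but the logged-in user is never
    consulted: any authenticated user can read any other user's order."""
    return conn.execute(
        "SELECT id, owner_id, item FROM orders WHERE id = ?", (order_id,)
    ).fetchone()


def get_order_safe(conn, session_user_id, order_id):
    """Scope the query to the caller. 'Not found' and 'not yours' both come
    back as None, so a probing user cannot tell foreign ids from invalid ones."""
    if not isinstance(order_id, int):
        return None
    return conn.execute(
        "SELECT id, owner_id, item FROM orders WHERE id = ? AND owner_id = ?",
        (order_id, session_user_id),
    ).fetchone()


def demo():
    """Run the constructed attacks against both versions and report outcomes."""
    conn = build_db()
    payload = "' OR '1'='1"                      # constructed injection payload
    dumped = find_user_vulnerable(conn, payload)  # returns every user row
    try:
        find_user_safe(conn, payload)
        blocked = False
    except ValueError:
        blocked = True
    # Bob (user id 2) requests Alice's order 100 and then his own order 200.
    leaked = get_order_vulnerable(conn, 2, 100)
    denied = get_order_safe(conn, 2, 100)
    own = get_order_safe(conn, 2, 200)
    return {"dumped": len(dumped), "blocked": blocked,
            "leaked": leaked, "denied": denied, "own": own}


if __name__ == "__main__":
    print(demo())
```

Note that parameter binding alone fixes only the first flaw: `get_order_vulnerable` is already parameterized and still leaks Alice's order to Bob. The access-control fix is a separate step, putting the caller's identity into the `WHERE` clause so the back end can only ever return rows the session user owns.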

Other major issues include cross-site scripting, buffer overflows and remote administration flaws.

"This list is an important development for consumers and vendors alike," Stephen Christey, principal information security engineer for the MITRE Corporation, a nonprofit systems engineering contractor, said in a statement. "It will educate vendors to avoid the same mistakes that have been repeated countless times in other Web applications."

Christey added that the list gives consumers a set of requirements to which they could hold software makers accountable.

The OWASP list resembles the Top 20 list of the most critical Internet security vulnerabilities that the SysAdmin, Audit, Networking and Security (SANS) Institute and the FBI publish each year.

 
