Injection Flaws - Topmost Security Threat for Web Applications

Open Web Application Security Project (OWASP), a non-profit security community for open-source application, on April 19, 2010, issued its latest list of the ten most critical security threats related to web applications. The community, with this list, aims to assist companies in better protecting their online services and applications.

States OWASP in its report that SQL injection flaws, which occur when any software transmits dubious data in response to a query or command from an interpreter, are easy to exploit. The flaws make a severe impact, allowing a hacker to gain unauthorized access to a database or execute undesirable instructions. The result is data theft, non-accountability, corruption, blockage of access, or complete hijack of the host system.

XSS (cross-site scripting) vulnerabilities that earlier were No.1 threat on the Top Ten List are now at No.2. These vulnerabilities happen when any software accepts dubious data and subsequently transmits the same to an end-user's browser without adequate validation. XSS flaws has been rated as moderate since with these a hacker can run scripts inside a victim's Web-browser for defacing websites or take over user's sessions.

Moreover, stalled validation and session handling, unprotected references to direct objects and CSRF (cross-site request forgery) come as No.3, 4 and 5 respectively on the list.

Thereafter, on rank six are listed security misconfiguration, while on rank ten are unauthenticated forwards and redirects. Both are new entrants. With web redirects users are diverted onto unintended websites and if destination websites' data is devoid of proper authentication, then attackers can divert users onto malware or phishing websites.

States OWASP member Josh Abraham, it's now common to have security misconfiguration within Web applications. That's because a number of other configuration alternatives exist for developers. According to Abraham, in case the software is left susceptible or un-patched, hackers can exploit the framework's weaknesses, reported dark READING on April 19, 2010.

Abraham further says that he's observing increasing numbers of unauthenticated forwards and redirects in applications this year.

Finally, according to the report, unprotected cryptographic storage, non-restricted access to websites and inadequate transport layer security are ranked 7th, 8th and 9th on the list.

Related article: Insignificant Spam Rates in August 2011: Symantec

» SPAMfighter News - 4/29/2010