
Top 10 Most Critical Web Application Security Flaws - 02/02/04

Feb 2, 2004 8:11AM PST

Madrid, February 2, 2004 - eSecurityPlanet.com has published, at
http://www.esecurityplanet.com/trends/article.php/3305981, a list drawn up
by the Open Web Application Security Project (OWASP) of the ten most critical
web application vulnerabilities in 2004.

The ten flaws in the OWASP list are:

- Non-validated input. Attackers could use non-validated data to reach
backend components.

- Broken access control. Improper application of restrictions on
authenticated users could give attackers access to other accounts or allow
them to use unauthorized functions.

- Broken authentication and session management. Account credentials and
session tokens are not properly protected, allowing attackers to compromise
passwords, keys, session cookies or tokens, and assume the identities of
other users.

- Cross-site scripting. This allows the web application to be used to
transport an attack to the end user's browser, leading to the disclosure of
the end user's session token or to spoofed content that fools the user.

- Buffer overflows. Web application components written in languages that do
not properly validate input can crash and, in some cases, be used to take
control of a process.

- Injection flaws. Web applications pass parameters when they access
external systems or the local OS. If malicious commands are embedded in the
parameters, the external system may execute those commands on behalf of the
Web application.

- Improper error handling. This can lead to attackers gaining detailed
system information or causing denial of service.

- Insecure storage. Web applications that use cryptographic functions to
protect information and credentials have proven difficult to code properly,
resulting in weak protection.

- Denial of service. As mentioned, attackers use up Web application
resources to the point where other legitimate users can no longer access or
use the application. Attackers can also block user accounts or cause
application failures.

- Insecure configuration management. Having a strong configuration standard
is critical.
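
The "non-validated input" and "injection flaws" items above, shown as a worked example. This is added illustration code, not part of the original post or of the OWASP list; the users table, the `lookup_*` helpers and the `is_valid_username` allow-list check are constructed for the demo, and the crafted string is a constructed sample input.

```python
import sqlite3

# Constructed sample data: a tiny in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_unsafe(conn, name):
    # Injection flaw: the untrusted parameter is pasted straight into the SQL
    # text, so the database executes whatever syntax the parameter carries.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    # Hardened: the value is bound as a parameter, so the database treats it
    # as data and never as part of the statement.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]

def is_valid_username(name):
    # Input validation at the trust boundary (allow-list, not deny-list):
    # only short, purely alphanumeric names are accepted at all.
    return 1 <= len(name) <= 32 and name.isalnum()

def demo():
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input that carries SQL syntax
    return {
        "unsafe_rows": lookup_unsafe(conn, crafted),  # returns every user
        "safe_rows": lookup_safe(conn, crafted),      # matches no user
        "validated": is_valid_username(crafted),      # rejected before any query
    }

if __name__ == "__main__":
    print(demo())
```

The two defences are complementary: validation rejects malformed input early, while parameter binding keeps even accepted input from being interpreted as SQL.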
