Posted by hyperguard on April 21, 2010
You have probably heard that PCI DSS requirement 6.5 has been impacted by the updated OWASP Top 10 web application risk ranking. Specifically, the new risks “security misconfiguration” and “un-validated redirects and forwards” have been added to the list. As stated in the PCI DSS standard,
“The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when this version of PCI DSS [1.2] was published [July, 2009]. However, if and when the OWASP guide is updated, the current version must be used for these requirements.”
We’re not particularly happy with the “security misconfiguration” addition since, at least in the current formulation and examples, the topic appears to be a bit too general: the examples listed in the recommendations also cover hardening of operating systems, which is certainly important but perhaps not in the core of web application security. However, if restricted to applications, hyperguard – configured properly – does protect against the typical attack vectors listed, such as unauthorized access to unused pages or un-patched flaws.
On the other hand, the “un-validated redirects and forwards” is one hyperguard has protected users against for a long time. As our customers know, hyperguard has a proud history of security far beyond OWASP recommendations.
Here’s how you can cover your compliance issues for the new “un-validated redirects and forwards” Top 10 risk:
- Use the hyperguard Whitelist Handler and validate all parameters used in URLs, for example the url=evil.com parameter in the request http://www.example.com/redirect.jsp?url=evil.com. The Whitelist Handler validates the attributes of HTTP requests (in URLs and also in the HTTP POST request body). An argument is ONLY valid if it matches a regular expression set in the Protected-Form-Fields settings. If a parameter does not match any of the existing regular expressions for the protected input fields, the configuration item “allow-unknown-form-fields” can be set up to allow it unconditionally; if this option is not activated, hyperguard rejects the request with an error code. Unconditionally allowed requests are flagged in the log files, and the administrator can use this information to further refine the managed whitelist.
- For output checks on redirects, use hyperguard’s Script Handler to define the target of a redirect and to define which domain(s) are permitted.
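The two steps above (a regex whitelist on the redirect parameter, then a check that the resolved target points at a permitted domain) are shown here as a stand-alone Python example. This is added illustration, not hyperguard's Whitelist Handler or Script Handler code; the allow-list, the regular expression, the parameter name "url" and the sample requests are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed allow-list of hosts a redirect may point at.  In a real
# deployment this comes from the WAF or application configuration.
ALLOWED_REDIRECT_HOSTS = {"www.example.com", "shop.example.com"}

# Step 1 (input side, the "protected form field" idea): the redirect
# parameter is only considered well-formed if it matches this pattern.
# It permits either a site-relative path that starts with exactly one "/"
# (so "//evil.com", which browsers treat as protocol-relative, is refused)
# or an absolute http(s) URL whose authority is a plain host and optional
# port (so "http://www.example.com@evil.com" is refused as well).
URL_PARAM_PATTERN = re.compile(
    r"^(?:"
    r"/(?!/)[A-Za-z0-9_\-./?=&%]*"
    r"|"
    r"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9_\-./?=&%]*)?"
    r")$",
    re.IGNORECASE,
)


def parameter_is_wellformed(value: str) -> bool:
    """Step 1: reject any value that does not match the regex whitelist."""
    return URL_PARAM_PATTERN.fullmatch(value) is not None


def redirect_target_is_permitted(value: str) -> bool:
    """Step 2 (output side): a relative path is always fine; an absolute
    URL is only fine if its host is in the allow-list."""
    if not parameter_is_wellformed(value):
        return False
    if value.startswith("/"):
        return True
    parts = urlsplit(value)          # scheme and hostname come back lower-cased
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS


def check_redirect_request(request_url: str, param: str = "url") -> tuple:
    """Apply both checks to the redirect parameter of a full request URL.

    Returns (decision, detail) where decision is "allow" or "reject"; the
    detail is what a WAF would write to its log line for the request.
    """
    query = urlsplit(request_url).query
    # parse_qs percent-decodes values, so "%2F%2Fevil.com" is checked as "//evil.com"
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    if len(values) != 1:
        return ("reject", f"expected exactly one '{param}' parameter, got {len(values)}")
    target = values[0]
    if not parameter_is_wellformed(target):
        return ("reject", f"'{param}' does not match the whitelist pattern")
    if not redirect_target_is_permitted(target):
        return ("reject", f"redirect host not in allow-list: {urlsplit(target).hostname}")
    return ("allow", target)


if __name__ == "__main__":
    # Constructed sample requests, including the one from the post above.
    samples = [
        "http://www.example.com/redirect.jsp?url=evil.com",
        "http://www.example.com/redirect.jsp?url=/account/home",
        "http://www.example.com/redirect.jsp?url=https://shop.example.com/cart",
        "http://www.example.com/redirect.jsp?url=//evil.com",
        "http://www.example.com/redirect.jsp?url=http://evil.com/",
        "http://www.example.com/redirect.jsp?url=http://www.example.com@evil.com/",
        "http://www.example.com/redirect.jsp?url=https://www.example.com.evil.com/",
        "http://www.example.com/redirect.jsp",
    ]
    for request in samples:
        decision, detail = check_redirect_request(request)
        print(f"{decision:6} {request}  ({detail})")
```

Only the second and third sample requests are allowed; the first one, the post's own url=evil.com example, is rejected at step 1 because a bare host name matches neither a relative path nor an absolute URL, and http://evil.com/ is well-formed but rejected at step 2 because its host is not on the allow-list.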
This will take care of your compliance issue with the “un-validated redirects and forwards” OWASP risk. Our technical team is available for further help with this issue – just email us and we’ll sort out your issues: firstname.lastname@example.org
Follow this discussion on Twitter @hyperguard
Tagged: Hyperguard, OWASP, Risk, Top 10
Posted by hyperguard on April 19, 2010
Today, OWASP announced an updated list of the top 10 risks associated with the use of web applications in an enterprise. This is the first time the list has been updated since 2007. The report explains these risks to software developers and managers to help organizations better secure their Web applications and services.
OWASP Top Ten List:
- Cross-Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
Two risks were removed from the list—malicious file execution because it has become a less prevalent issue and information leakage and improper error handling because its impact is typically minimal.
Security misconfiguration and un-validated redirects and forwards are new to the list. Security misconfiguration was added because good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. According to OWASP, all these settings should be defined, implemented, and maintained as many are not shipped with secure defaults—this includes keeping all software up to date.
Un-validated redirects and forwards were added because Web applications frequently redirect and forward users to other pages and websites and use un-trusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites or use forwards to access unauthorized pages.
The report also includes how to assess the possibility that your Web application could be at risk and offers some mitigation tips. Download the full report here.
Tagged: OWASP, Top 10, Web Application Security
Posted by hyperguard on February 3, 2010
If you really look at security breaches you will notice that the vast majority are caused from outside, not from inside. Security experts and industry personnel have led us to believe that disgruntled employees, misplaced documents, flash drives and devices and poor management policies are more prevalent than hackers. Well, guess again. We spoke to art of defence’s Sebastian Haase on this and he shared with us that this is not necessarily the case. Yes, internal breaches do occur and they are serious, but so are external hacks, particularly those against the web application layer. If you look at Jeremiah Grossman’s presentation, Web Vulnerabilities Revealed: What everyone knew, but afraid to believe, you will read startling web vulnerability statistics based on the OWASP Top Ten and realize that these weaknesses are clear openings for hackers.
According to Jeremiah’s presentation, 9 out of 10 websites have serious vulnerabilities, and sites with urgent, critical or high severity issues will not pass PCI compliance, a major concern for financial services, retail and e-commerce. Another consideration is the amount of time it takes to fix a vulnerability: 67 days! This known weakness heightens the situation for companies and increases the chance of a severe breach. It is important to shield applications from web vulnerabilities with a distributed web application firewall (dWAF) and protect against widespread external hacks.
Follow this conversation on twitter @hyperguard
Tagged: dWAF, OWASP, security breach, Top 10, web vulnerabilities
Posted by hyperguard on November 25, 2009
On episode 54 of the OWASP podcast, Georg Hess, OWASP chapter head for Germany and CEO and co-founder of art of defence, speaks with Matt Tesauro at OWASP’s AppSecDC show about the Top 10 release candidate 2010 and the impact it will have on the industry.
Listen here for OWASP insight on the release candidate.
Tagged: OWASP, Risk, Top 10, web vulnerabilities