Group Names Top Web Application Flaws


Unvalidated parameters--when information from Web requests isn't validated before being used by a Web application--tops a group of application security experts' list of the 10 most significant Web application vulnerabilities.

The list from the Open Web Application Security Project (OWASP)--an open-source community project--follows the format of the SANS top 20 list, which successfully draws attention to network vulnerabilities, said Jeff Williams, CEO of Aspect Security and OWASP's spokesman.

The other top Web application vulnerabilities are broken access control, broken account and session management, cross-site scripting (XSS) flaws, buffer overflows, command injection flaws, error handling problems, insecure use of cryptography, remote administration flaws and Web and application server misconfiguration.

"We believe the risk from Web application vulnerabilities is the same or greater as the risk presented by network vulnerabilities, but they're not getting nearly the attention," he said. "We felt there was a real need to present these vulnerabilities in a way that organizations could understand them."

The vulnerabilities in the list aren't new but for whatever reason have been largely ignored in software development, he said.

"Essentially, it boils down to programmers making mistakes that hackers can use to compromise Web applications," he said. "It's stunningly prevalent."

While companies are deploying firewalls and intrusion-detection systems, attacks buried in HTTP requests get past those tools, according to OWASP. By breaking into a Web application, an attacker can access valuable corporate information, Williams said.

The top 10 list is a "call to arms" that raises awareness in the government and private sectors of Web application flaws, he said. "They should demand applications that don't have these flaws," he added.

The list, which includes full descriptions of the vulnerabilities and recommended protections, is available at www.owasp.org.