OWASP Top 10

by Cody Dumont
June 4, 2014

Web application security is a key concern for SecurityCenter users.  The software security community created the Open Web Application Security Project (OWASP) to help educate developers and security professionals.  This dashboard provides SecurityCenter users the ability to monitor web application security by identifying the top 10 most critical web application security flaws as described in OWASP’s Top Ten awareness document.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets.  The dashboard requirements are:

  • SecurityCenter 4.8
  • Nessus 5.2.6
  • LCE 4.2.2
  • PVS 4.0.2

SecurityCenter Continuous View (SC CV) customers have the ability to monitor web application security through several methods, all of which are described in this dashboard.  The dashboard is composed of seven components, starting with two 90-day trend graphs, depicting critical and high severity vulnerabilities discovered over the past six months.  There are two indicator components that monitor web server, SQL Server, and IDS logs for web application events.  The third indicator component provides a view into several web application security issues starting with injection vulnerabilities and ending with cross-site scripting (XSS) vulnerabilities.  There is a table with all informational vulnerabilities related to web application security.  The final component is a detailed matrix showing vulnerabilities mapped to the ten most critical web application security risks identified in OWASP’s Top Ten document (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).

The OWASP ten most critical web application security risks are:

  • A1 – Injection: Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. 
  • A2 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
  • A3 – Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. 
  • A4 – Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. 
  • A5 – Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. 
  • A6 – Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. 
  • A7 – Missing Function Level Access Control: Most web applications verify function level access rights before making that functionality visible in the UI. 
  • A8 – Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. 
  • A9 – Using Known Vulnerable Components: Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. 
  • A10 – Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. 

The components of this dashboard are:

OWASP Top 10 - 90 Day Trend Analysis for Critical Severity Web Vulnerabilities

This component collects the vulnerabilities from the CGI Abuses, CGI Abuses : XSS, and Web Servers plugin families for both active and passive vulnerabilities.  The trend graph provides a trend analysis of all critical severity vulnerabilities over the past three months.

OWASP Top 10 - Top 10 Indicators

This component collects the vulnerabilities from the CGI Abuses, CGI Abuses : XSS, and Web Servers plugin families for both active and passive vulnerabilities.  The CGI Abuses family checks for web-based CGI programs with publicly documented vulnerabilities. These checks include SQL injection, Local File Inclusion (LFI), Remote File Inclusion (RFI), Directory Traversal, and more.  For web-based CGI programs with publicly documented cross-site scripting (XSS) vulnerabilities, the CGI Abuses : XSS plugin family is used. For web server vulnerabilities, the Web Servers plugin family can detect vulnerabilities in web servers such as Apache HTTP Server, IBM Lotus Domino, Microsoft IIS, and many more. The matrix consists of three columns, with the first displaying a count of affected hosts, followed by the number of vulnerabilities. The vulnerability count includes low, medium, high and critical severities.  The third column provides an analysis of known exploitable vulnerabilities. Each row is dedicated to one of the OWASP Top 10 most critical web application security flaws.

OWASP Top 10 - Web Informational Vulnerabilities

This component provides detailed information about web application services.  The information provided includes application versions, external URLs, harvested email addresses, file inventories and more.  This information may not represent a vulnerability; however, the information should be reviewed to properly assess risk.

OWASP Top 10 - 90 Day Trend Analysis for High Severity Web Vulnerabilities

This component collects the vulnerabilities from the CGI Abuses, CGI Abuses : XSS, and Web Servers plugin families for both active and passive vulnerabilities.  The trend graph provides a trend analysis of all high severity vulnerabilities over the past three months.

OWASP Top 10 - Web App Result Indicator

This component provides a summary of the common web application security flaws recommended for tracking in PCI DSS v3 Section 6.5.  Listed below are the PCI application security flaw summaries found in Section 6.5.1-9.

  • 6.5.1 Injection Flaws: Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
  • 6.5.2 Buffer Overflows: Buffer overflows occur when an application does not have appropriate bounds checking on its buffer space.
  • 6.5.4 Insecure Communications: Applications that fail to adequately encrypt network traffic using strong cryptography are at increased risk of being compromised and exposing cardholder data.
  • 6.5.5 Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or expose privileged information through improper error handling methods.
  • 6.5.6 All High Risk Vulnerabilities:  All vulnerabilities identified by an organization’s vulnerability risk-ranking process (defined in Requirement 6.1) to be “high risk” and that could affect the application should be identified and addressed during application development.
  • 6.5.7 Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.
  • 6.5.8 Improper Access Control: Such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions.
  • 6.5.9 Cross-site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then enables the attacker to perform any state-changing operations the victim is authorized to perform.

More information on PCI compliance can be found at https://www.pcisecuritystandards.org.

OWASP Top 10 - Web Events

This component provides indicators for logs collected by LCE that reflect potential vulnerabilities to web applications.  The indicators focus on the intrusion, threatlist, stats, web-access, and web-error event types.  The indicators for threatlist and intrusion turn red when a match is found.  The red indicator means immediate attention is required to determine if a system has been compromised.  The other indicators will turn yellow when a match is found; these indicators suggest a warning, and should be reviewed to determine the severity.

OWASP Top 10 - SQL Events

This component provides indicators for logs collected by LCE that reflect potential vulnerabilities to databases used in web applications. The first four indicators monitor specific normalized events, which are commonly seen if a web application is compromised.  These indicators will turn red when a match is found and immediate attention is warranted.  The fifth indicator is for all SQL intrusion events and will turn red when a match is found and immediate attention is warranted.  The remaining three indicators are for various SQL related issues, which could indicate an attack is underway and will turn yellow when a match is found. The descriptions of the first four indicators are:

  • Suspicious_SQL-User_Database_Dump: A suspicious SQL query was detected which attempted to dump a list of system users. 
  • Suspicious_SQL-Command_Execution: A suspicious SQL query with a potential SQL injection event was detected.
  • Suspicious_SQL-Injection_Attack_Detected: The LCE has detected a SQL query containing patterns commonly found with large-scale automated SQL injection attacks.  These queries commonly contain long strings of characters, repetitive string concatenation, and other uncommon SQL usage.  Examining the query in question, especially against other queries commonly executed against the same database, should show that it stands out and requires review to see if any malicious commands have been executed.
  • Suspicious_SQL_Query_Detected: A suspicious SQL query was detected.
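
The comparison described for Suspicious_SQL-Injection_Attack_Detected can be reproduced by hand when triaging a flagged query. The following Python example is added here for illustration and is not LCE's detection logic or Tenable's code: it measures the traits named above (long strings, repeated concatenation, character-building functions) and reports where a query stands out from queries normally run against the same database. The function names, floors, multiplier and sample queries are assumptions constructed for the example.

```python
import re
from statistics import median

# Concatenation operators/functions and character-building calls.
CONCAT = re.compile(r"\|\||\+|\bCONCAT\s*\(", re.I)
CHAR_FN = re.compile(r"\b(?:N?CHAR|CHR)\s*\(", re.I)

# Assumed minimums: a feature below its floor never counts, so a baseline
# median of 0 (e.g. no concatenation at all) does not flag every query.
FLOORS = {"length": 200, "longest_token": 80, "concat_ops": 5, "char_calls": 5}

def features(query):
    """Measure the traits the event description names for one SQL statement."""
    return {
        "length": len(query),
        "longest_token": max((len(t) for t in query.split()), default=0),
        "concat_ops": len(CONCAT.findall(query)),
        "char_calls": len(CHAR_FN.findall(query)),
    }

def stands_out(query, baseline, factor=4):
    """Return the features where `query` exceeds the floor and
    `factor` times the median of the baseline queries."""
    base = [features(q) for q in baseline]
    hits = []
    for name, value in features(query).items():
        limit = max(FLOORS[name], factor * median(b[name] for b in base))
        if value > limit:
            hits.append(name)
    return hits

# Constructed sample data: typical queries for one database, plus one query
# built from a long run of concatenated CHAR() calls.
BASELINE = [
    "SELECT id, name FROM products WHERE category_id = 4",
    "SELECT id, name FROM products WHERE category_id = 9",
    "UPDATE carts SET qty = 2 WHERE cart_id = 1812",
    "SELECT email FROM customers WHERE id = 77",
]
SUSPECT = ("SELECT id, name FROM products WHERE name = "
           + "+".join(f"CHAR({c})" for c in range(65, 105)))

if __name__ == "__main__":
    for q in BASELINE + [SUSPECT]:
        print(stands_out(q, BASELINE), q[:60])
```

A query that trips several features at once is the one to pull from the logs and review in full; the floors should be tuned to the application's own query mix.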