Thanks for NOT Using the @OWASP Top Ten ;)

With the recent release of OWASP’s Top Ten Most Critical Web Application Security Risks, I thought I’d take an opportunity to offer a sincere Thank You from every web app pen tester to all organizations that have not yet implemented web app security testing in their software development lifecycle.

More importantly, I’d like to pass along a quick note of thanks on a risk-by-risk basis from both pen testers and attackers alike.

A1-Injection: We appreciate all the hard work that went into designing the user interface. Now, if you’ll excuse us, we’re going to slide by those pages and send commands directly to your backend OS, database, and LDAP directory.

A2-Broken Authentication and Session Management: We’re just going to pretend to be legitimate (authorized) users, and your app is going to let us. Thanks for saving us from the hassle of social engineering our way into a valid credential set.

A3-Cross-Site Scripting (XSS): Thanks for letting us use YOUR website to execute OUR scripts in your users’ web browsers. How important is brand reputation, anyway?

A4-Insecure Direct Object References: Who cares about authorization when we can just change the ID in the URL and pull up somebody else’s records, files, and directories? It’s so much easier to get what we’re after that way.

A5-Security Misconfiguration: Oh, so you deployed an app with default admin pages and you didn’t change the admin password? Thanks for making it easy for us to take full control of your app!

A6-Sensitive Data Exposure: Thank you for not encrypting social security numbers, credit card numbers, and passwords. You saved us a TON of time trying to crack that encryption.

A7-Missing Function Level Access Control: Since we can trigger privileged functions with our normal user accounts, we don’t need to waste any effort trying to compromise those privileged accounts. What a time saver!
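A4 and A7 are two sides of the same missing server-side check, so here is one added example covering both (written for this page, not code from the original post). The "vulnerable" handlers look up whatever ID arrives and trust that only the admin UI links to privileged endpoints; the "safe" handlers verify object ownership and the caller's role before doing anything. User records, invoice records and the role names "user"/"admin" are all constructed for the demo.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the server refuses a request on authorization grounds."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # assumed role names for the demo: "user" or "admin"


# Constructed sample data standing in for the app's database.
INVOICES = {
    1001: {"owner": 1, "amount": 250},
    1002: {"owner": 2, "amount": 40},
}
USERS = {1: "alice", 2: "bob", 3: "carol"}


def get_invoice_vulnerable(current_user, invoice_id):
    """A4 as shipped: the key from the URL is looked up directly, so any logged-in
    user reads anyone's invoice by changing the number."""
    return INVOICES[invoice_id]


def get_invoice_safe(current_user, invoice_id):
    """Resolve the record, then verify the caller owns it (admins may read all)."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    if invoice["owner"] != current_user.user_id and current_user.role != "admin":
        raise Forbidden(f"user {current_user.user_id} may not read invoice {invoice_id}")
    return invoice


def requires_role(role):
    """Decorator enforcing function-level access control on the server side (A7)."""
    def wrap(fn):
        def inner(current_user, *args, **kwargs):
            if current_user.role != role:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(current_user, *args, **kwargs)
        inner.__name__ = fn.__name__
        return inner
    return wrap


def delete_user_vulnerable(current_user, target_id):
    """A7 as shipped: only the admin page links here, but the endpoint never checks
    who is calling, so anyone who guesses the URL can use it."""
    return USERS.pop(target_id, None)


@requires_role("admin")
def delete_user_safe(current_user, target_id):
    """Same action, but the decorator rejects callers without the admin role."""
    return USERS.pop(target_id, None)


def attempt(fn, *args):
    """Call an endpoint the way a test harness would and report the outcome."""
    try:
        return ("ok", fn(*args))
    except Forbidden as exc:
        return ("forbidden", str(exc))


if __name__ == "__main__":
    bob = User(2, "user")
    alice = User(1, "admin")
    print(attempt(get_invoice_vulnerable, bob, 1001))  # bob reads alice's invoice
    print(attempt(get_invoice_safe, bob, 1001))        # refused
    print(attempt(delete_user_vulnerable, bob, 3))     # bob deletes carol
    print(attempt(delete_user_safe, bob, 3))           # refused
    print(attempt(delete_user_safe, alice, 3))         # admin allowed
```

The point of `attempt` is that an authorization test should exercise the endpoint as the wrong user and expect a refusal; hiding the link in the UI, as the vulnerable handlers rely on, is not a control.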

A8-Cross-Site Request Forgery (CSRF): Since your app trusts any request that arrives with a valid session cookie, we don’t even need to steal one. We’ll just have your logged-in users’ browsers send our requests for us. Now we don’t have to attack your app at all, since we can act as authorized users.
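To make the A8 point concrete, here is an added example (written for this page, not from the original post) of a money-transfer handler with and without a synchronizer token. The simulation models a victim who is logged in and then visits an attacker's page that auto-submits a form to the app: the browser attaches the victim's session cookie, but the attacker's page cannot read the per-session token, so the forged request carries none. The session store, request shape and endpoint names are assumptions for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Per-session random token. The attacker's page runs on another origin and
    # cannot read it, so a forged form cannot include it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    cookies: dict
    form: dict


SESSIONS = {}  # session id -> Session; stands in for the app's session store


def login(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    return sid


def _session_for(req):
    return SESSIONS.get(req.cookies.get("session", ""))


def transfer_vulnerable(req):
    """Trusts the session cookie alone. The browser attaches that cookie to a POST
    triggered from any site, so the attacker's page can drive the action."""
    sess = _session_for(req)
    if sess is None:
        return (401, "login required")
    return (200, f"{sess.user} sent {req.form['amount']} to {req.form['to']}")


def transfer_safe(req):
    """Same action, but requires the per-session CSRF token in the form body,
    compared in constant time."""
    sess = _session_for(req)
    if sess is None:
        return (401, "login required")
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess.csrf_token.encode()):
        return (403, "missing or invalid CSRF token")
    return (200, f"{sess.user} sent {req.form['amount']} to {req.form['to']}")


def simulate():
    """Victim logs in, then the attacker's page submits a transfer with the victim's
    cookie but no token; the victim's own form includes the token."""
    sid = login("victim")
    forged = Request(cookies={"session": sid},
                     form={"amount": "1000", "to": "attacker"})
    legit = Request(cookies={"session": sid},
                    form={"amount": "20", "to": "landlord",
                          "csrf_token": SESSIONS[sid].csrf_token})
    return {
        "forged_vulnerable": transfer_vulnerable(forged),
        "forged_safe": transfer_safe(forged),
        "legit_safe": transfer_safe(legit),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name:17s} -> {result}")
```

Note what the fix is not: the vulnerable handler never loses the cookie and never "fails to deauthenticate"; its flaw is accepting the cookie as the only proof that the user intended the request. SameSite cookie attributes and Origin header checks are complementary defenses, but the token is the one the server can enforce on its own.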

A9-Using Components with Known Vulnerabilities: Whew! We were scared there for a minute when we found out that you were doing security testing during your internal QA process. Thank God you didn’t include in that testing the third-party libraries your developers had to pull in to hit the project deadline.

A10-Unvalidated Redirects and Forwards: Again, we want to express our gratitude that you’re allowing us to abuse… er, use your brand to lure your users to our sites. You’re the best!
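The A10 abuse is a login page that honors `?next=` blindly, so a link that starts on the trusted domain lands on the attacker's. Here is an added example (written for this page, not from the original post) of that redirect target check with and without validation. The safe version accepts only a rooted path on the same site and rejects the usual bypasses: absolute URLs, protocol-relative `//host` forms, `javascript:` and other schemes, and the backslash and whitespace variants that browsers normalize into a different host. The fallback landing path is an assumption.

```python
from urllib.parse import urlparse

DEFAULT_LANDING = "/"  # assumed fallback when the requested target is not trusted


def redirect_vulnerable(next_url):
    """Sends the user wherever ?next= says. A link such as
    https://app.example.com/login?next=https://evil.example/ starts on the trusted
    domain and ends on the attacker's."""
    return next_url


def redirect_safe(next_url, default=DEFAULT_LANDING):
    """Accept only an absolute path on this site; anything else falls back to default."""
    if not isinstance(next_url, str) or not next_url:
        return default
    # Browsers treat backslashes like slashes and strip whitespace/control characters,
    # so "/\evil.example" or "/\t/evil" would become a protocol-relative URL. Reject outright.
    if "\\" in next_url or any(ch.isspace() or ord(ch) < 0x20 for ch in next_url):
        return default
    # Must be a rooted path ("/account"), not protocol-relative ("//evil.example").
    if not next_url.startswith("/") or next_url.startswith("//"):
        return default
    parsed = urlparse(next_url)
    # A genuine rooted path never parses with a scheme or a host; if it does, refuse it.
    if parsed.scheme or parsed.netloc:
        return default
    return next_url


def classify(candidates):
    """Run a batch of redirect targets through the safe check; handy for regression tests."""
    return {c: redirect_safe(c) for c in candidates}


if __name__ == "__main__":
    # Constructed test inputs: one legitimate target and the common bypass shapes.
    samples = [
        "/account?tab=billing#top",
        "https://evil.example/phish",
        "//evil.example/phish",
        "/\\evil.example",
        "javascript:alert(1)",
        "http:evil.example",
        "",
    ]
    for target, result in classify(samples).items():
        print(f"{target!r:30s} -> {result!r}")
```

An allow-list of full URLs is the other sound approach when the app legitimately redirects off-site; what does not work is blacklisting strings like `http://`, because the protocol-relative and backslash forms above contain neither.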

It’s a damn good thing that organizations like OWASP, SANS, MITRE, WASC, and NIST don’t provide things like cheat sheets, web app security scanners, source code security analyzers, or secure libraries to make it easier for development teams to incorporate security into the SDLC, or we’d be in a world of hurt. 😉
