2004 Top Ten Network security vulnerabilities _ security related

New release of international Security Organization: 2004 Top Ten Network application vulnerabilities

The second annual Top Ten Network Application security vulnerabilities list released by the IT security Professional's open Network Application Security Program (OWASP) adds to the "Denial of service" type of vulnerability, which has been a common occurrence in the last year. "We predict that this year, major e-commerce sites will be attacked by denial of service, because hackers have become bored with a number of user passwords," said Coffer Mark, chairman of the OWASP, a consultant to the "Cornerstone" (a company that provides strategic security services). "For example: when a hacker with a large number of email accounts is attacking, the user's password on the E-commerce site is changed, he gets it."


When Coffer in Charles
Schwab is engaged in IT security work, he and other company's colleague formed the owasp, and began to undertake to protect the website security related important question to evaluate. Eventually, in the following year, they published a nearly 200-page guide to the owasp literature. This information is directed to IT security professionals and programmers, with downloads up to 1.5 million times.


Coffer said: "It has been recognized far beyond our estimates." "But programmers say they need something that can be seen to CIOs and other executives, so last year it released its first ten Web application security vulnerabilities list." Here are the top ten weakest links in the 2004:


Unverified parameters: An attacker could exploit this information to attack the application software component before it was validated before being used by a network application.

Failed access control: the restrictive condition of controlling access rights of various authorized users is improperly applied, which causes attackers to exploit these vulnerabilities to access other users ' accounts or to use unauthorized functions.

Invalid account and conversation management: Account certificates and dialog token are not properly protected, leading to illegal operation of passwords, keys, conversation information or token, and authentication through other users;

Cross-site Scripting vulnerabilities: Network applications can be used by attackers as a device to transfer an attack to an end user's browser. A successful attack can acquire the conversation information of the end user or can spoof the content to deceive the user.


Buffer overflow: A network application program component that is written in a language that does not correctly validate input information is likely to destroy a process, and in some cases can be used to control a process. These components may include Common Gateway Interfaces (CGI), libraries, drivers, and network application server components.


Command injection vulnerability: When a network application software accesses an external system or a local operating system, the network application may pass some parameters. If an attacker could embed malicious commands in these parameters, the external system might execute the commands in the name of the network application software.


Incorrect handling of errors: Some errors occurred during the user's normal operation of the system, and these errors were not properly handled. In this case, attackers can use these errors to obtain detailed system information, to deny service, to cause the security system to be paralyzed or to destroy the server.


Unsecured storage: Network applications that use encryption to protect information and certificates have been proven to be difficult to encode properly, leading to a weakening of the protection function.

Denial of service: As mentioned above, attackers are extremely consumed with network application resources, so that other legitimate users are no longer able to exploit these resources or use applications. An attacker can also block a user's account or cause an account request to be unavailable.


Non-secure configuration management: Having a Shande server configuration standard is critical to protecting network applications. These servers have a number of configuration options that can affect security, and if you choose an error, it will cause it to lose security. "Network application security faces a variety of challenges," Coffer said. "Many of the problems are human logic problems that can never be found by technical means." There is no panacea. It is a logical problem, a kind of new problem that needs to be solved. ”