Wednesday 18 April 2012

Toshiba UK, ICO and OWASP Top 10 A4 error

The UK Information Commissioner's Office (ICO) has ruled that Toshiba UK breached the UK Data Protection Act by publishing the personal details of 20 competition entrants on its website. According to The Register:
  • "A security fault with the incremental numbering of the competition entrants registration URL created the potential for access to other customers' personal data for a two-month period," the regulator said.
By changing the values in the URL, it was possible to see the details of other users. It looks like this was an OWASP Top 10 2010-A4-"Insecure Direct Object References" issue.

When designing your own application you need to perform authorization checks to ensure that the user has permission to access the requested resource. The OWASP Top 10 gives more guidance on how to implement this.

It's surprising how few of the ICO undertakings are related to web site issues. You can look at the ICO's "Taking Action" page to get a feel for what type of issues cause problems.

Useful Links on this blog:
Useful Links:

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

Tuesday 17 April 2012

Tuesday Top Tip - John Melton's Year of Security (for Java)

If you haven't come across it yet, you should head over and have a look at John Melton's Year of Security For Java series. Each week he covers a different security topic.

While the series is aimed at Java, a lot of the entries so far are general and apply to any environment.

Useful Links

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

Sunday 15 April 2012

Security out of the box

A small experiment. Take the following simple HTML file which allows a user to enter a value in a HTML form and submit it:

Submit something:
<FORM method="post">
   <input type="text" size="100" name="namexss" ><br>
   <input type="submit" name="submit" value="Submit Form"><br>



 If you name this file  testxss1.php and execute it using a simple XSS type attack as shown
When you press Submit Form, the form is accepted and PHP doesn't complain.


If you name this file testxss1.aspx and execute it using the same XSS attack string, you will get a nice error: recognizes that an XSS attack was attempted and per default blocks it.


It shows how different frameworks offer different levels of security"out of the box". This is the exact same file. But run it through and you get better XSS protection.  It's important that you understand the security features that your chosen technologies offer you.

These tests used default versions of version 4 and php version 5.3.3 installed locally on IIS. It is not very scientific and is not intended to show that any framework is better than another. The aim is to show that different products support security in different manners and that development teams need to understand their specific chosen products.


Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

Tuesday 10 April 2012

Tuesday Top Tip - Qualys SSL Labs

If you are configuring SSL on your website or online application (and you should be these days), use the resources over at Qualys SSL Labs.

The SSL/TLS Deployment Best Practices gives good advice. Read this before your purchase your SSL certificate and follow its advice. For example, it talks about how to use SSL properly in your application design, what key length to use etc.

What I particularly like is the SSL Server Test facility. After you have configured your SSL certificate, go to the SSL Server Test page.  Enter your URL in the Domain Name field (but make sure to check the "Do not show the results on the boards" box). Click the Submit button and SSL Server Test will analyze your SSL configuration.

This takes a few minutes, but will give you a result. You should be looking to get an A. It will tell you of any problems in your SSL configuration. Fix those and resubmit.

Keep repeating until SSL Server Test gives you an A....and then you can feel smug.

Useful Qualys Links:

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

Sunday 1 April 2012

XSS , OWASP Top 10, Verizon DBIR 2012

Last week, Verizon released their annual Verizon Data Breach Investigation Report (DBIR) 2012.

This report investigated 855 incidents involving "174 million compromised records".

XSS (Cross Site Scripting) is not mentioned in the document. (The 2011 edition at least mentioned it). This implies that Verizon has not found XSS to be a significant cause of the incidents that it investigated.

The conclusion seems to be that while XSS is regularly found in online applications, it does not seem to be exploited very much, so the risk associated with XSS is (relatively) low.

According to OWASP:
The OWASP Top 10 "presents a more concise risk focused list of the Top 10 Most Critical Web Application Security Risks."
The OWASP Top 10 currently has XSS as the number 2 risk, ahead of such issues related to credentials (passwords etc). The potential problem with this ranking is that organisations will prioritize their application security programs based on the OWASP Top 10. This means they could be placing too much emphasis on topics such as XSS and not enough emphasis on topics such as credential management.

It will be interesting to see the rankings in the next edition of the  OWASP Top 10 201?

Useful Links

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot