2011 cwe/sans top 25 with owasp top 10 and pci dss v2 mapping

The OWASP Foundationhttp://www.owasp.org

OWASP EducationComputer based training

2011 CWE/SANS Top 25 with OWASP Top 10 and PCI DSS V2 Mapping

Nishi KumarIT Architect Specialist

Chair, Software Security Forum at FISOWASP CBT Project Lead

OWASP Global Projects [email protected]

Keith TurpinThe Boeing Company

Application Security Assessments LeadOWASP Secure Coding Practices Lead

OWASP Global Projects [email protected]

mailto:[email protected]

mailto:[email protected]

2

Objectives

Provide an overview of the 2011 CWE/SANS Top 25

Discuss mapping relationships between CWE/SANS Top 25,

OWASP Top 10 for 2010 and PCI DSS V2

Understand the CWE/SANS Top 25 weaknesses andhow to remediate them

OrganizationsMITRE - http://www.mitre.org/The MITRE Corporation is a not-for-profit organization that manages several Federally Funded Research and Development Centers. Mitre currently runs various IT security projects including the Common Weakness Enumeration (CWE) and it is the official source for the CWE/SANS Top 25 Most Dangerous Software Errors.

CWE Database - http://cwe.mitre.org/

SANS - http://www.sans.org

The SysAdmin, Audit, Network, Security (SANS) Institute operates as a commercial research and education company. SANS is well known for its Internet Storm Center, its comprehensive list of computing security training programs and its work with Mitre on the CWE/SANS Top 25 Most Dangerous Software Errors.

3

http://www.mitre.org/

http://cwe.mitre.org/

http://www.sans.org/

Selection and Ranking

Builds on the original 2009 and 2010 versions

Methodology - Qualitative rather than quantitative

Factors in ranking:PrevalenceImportanceLikelihood of exploit

Initially started with 41 candidate weaknesses

4

5

2011 CWE/SANS Top 25Rank ID Name

[1] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

[2] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

[3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

[4] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

[5] CWE-306 Missing Authentication for Critical Function[6] CWE-862 Missing Authorization[7] CWE-798 Use of Hard-coded Credentials[8] CWE-311 Missing Encryption of Sensitive Data[9] CWE-434 Unrestricted Upload of File with Dangerous Type

[10] CWE-807 Reliance on Untrusted Inputs in a Security Decision[11] CWE-250 Execution with Unnecessary Privileges[12] CWE-352 Cross-Site Request Forgery ('CSRF')

6

2011 CWE/SANS Top 25Rank ID Name

[13] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

[14] CWE-494 Download of Code Without Integrity Check [15] CWE-863 Incorrect Authorization[16] CWE-829 Inclusion of Functionality from Untrusted Control Sphere[17] CWE-732 Incorrect Permission Assignment for Critical Resource [18] CWE-676 Use of Potentially Dangerous Function[19] CWE-327 Use of a Broken or Risky Cryptographic Algorithm [20] CWE-131 Incorrect Calculation of Buffer Size[21] CWE-307 Improper Restriction of Excessive Authentication Attempts

[22] CWE-601 URL Redirection to Untrusted Site ('Open Redirect')[23] CWE-134 Uncontrolled Format String[24] CWE-190 Integer Overflow or Wraparound[25] CWE-759 Use of a One-Way Hash without a Salt

7

OWASP Top 10 & SANS CWE Top 25 mapping

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

http://www.sans.org/top25-software-errors/http://cwe.mitre.org/top25/

A1: Injection [1] CWE-89:

[2] CWE-78:

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

A2: Cross-Site Scripting (XSS)

[4] CWE-79: Improper Neutralization of Input During Web Page Generation('Cross-site Scripting')

A3: Broken Authentication and Session Management

[5] CWE-306:[7] CWE-798:[21] CWE-307:

Missing Authentication for Critical FunctionUse of Hard-coded CredentialsImproper Restriction of Excessive Authentication Attempts

A4: Insecure Direct Object References [6] CWE-285:[10] CWE-807:[13] CWE-22:

[15] CWE-863:

Improper AuthorizationReliance on Untrusted Inputs in a Security DecisionImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Incorrect Authorization

8

OWASP Top 10 & SANS CWE Top 25 mapping

A5: Cross Site Request Forgery (CSRF)

[12] CWE-352: Cross-Site Request Forgery (CSRF)

A6: Security Misconfiguration [11] CWE-250[17] CWE-732[16] CWE-829:

Execution with Unnecessary PrivilegesIncorrect Permission Assignment for Critical ResourceInclusion of Functionality from Untrusted Control Sphere

A7: Insecure Cryptographic Storage

[8] CWE-311: [19] CWE-327: [25] CSE-759:

Missing Encryption of Sensitive Data Use of a Broken or Risky Cryptographic AlgorithmUse of a One-Way Hash without a Salt

A8: Failure to Restrict URL Access

[6] CWE-862:[15] CWE-863:

Missing AuthorizationIncorrect Authorization

A9: Insufficient Transport Layer Protection

[10] CWE-311:[24] CWE-327:

Missing Encryption of Sensitive Data Use of a Broken or Risky Cryptographic Algorithm

A10: Unvalidated Redirects and Forwards

[23] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

9

SANS CWE Top 25

The following do not directly map to the OWASP Top 10 2010[3] CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')[9] CWE-434: Unrestricted Upload of File with Dangerous Type

[14] CWE-494: Download of Code Without Integrity Check

[18] CWE-676: Use of Potentially Dangerous Function

[20] CWE-131: Incorrect Calculation of Buffer Size

[23] CWE-134: Uncontrolled Format String

[24] CWE-190: Integer Overflow or Wraparound

Mapping Considerations

SANS CWE Top 25 is only a fraction of the full CWE list of weaknesses

SANS CWE Top 25 applies to both web and non-web applications

OWASP defines ten risks focused on web applications

OWASP's list tends to use broader risk categories

PCI DSS requirements points to both of the above lists as industry best practices

PCI DSS specifies its own set of requirements

10

[1] CWE-89Improper Neutralization of Special Elements used in an SQL Command('SQL Injection')

• OWASP 2010: A1 Injection• PCI-DSS V2: 6.5.1 Injection flaws, particularly SQL injection.

OWASP Top 10 and PCI Mapping

• The software constructs a dynamic SQL statement using input that has not been properly neutralized

• Example of dynamic query modification:• String query = "SELECT * FROM accounts WHERE custID='" +

request.getParameter("id") +"'";• The attacker modifies the ‘id’ parameter in their browser to send: ' or '1'='1• This changes the meaning of the query, because 1=1 is always true, to

return all the records from the accounts database, instead of only the intended customer’s

• http://example.com/app/accountView?id=' or '1'='1

General Description

11

• Unauthorized access to data, authentication bypass, compromise of the host OS, use of database utilities to breach a perimeter (when the DB is deployed along network boundaries)

Potential Impacts

• Use a safe API to avoid using the interpreter entirely or to provide parameterized interface

• Use strongly typed parameterized queriesString sqlString = "select * from db_user where username=? …PreparedStatement stmt = connection.prepareStatement(sqlString); stmt.setString (1, username); …

• Input validation-Validate and Filter user input to remove special characters' " ` ; * % _ =&\|*?~<>^()[]{}$\n\r

• If the use of a dynamic query is required, then address special characters by removal, replacement, encoding or escaping

• Turn off all unnecessary database functionality

Common Mitigations

12

[1] CWE-89Improper Neutralization of Special Elements used in an SQL Command('SQL Injection')

[2] CWE-78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

• OWASP 2010: A1 Injection• PCI-DSS V2: 6.5.1 Injection flaws


• The software constructs all or part of an OS command using input that has not been properly neutralized

• Variants include:• The software intends to execute a single, fixed program that is under its

own control using externally-supplied inputs as arguments to that program. However, if the program does not remove command separators from input, separators in the argument allow for the execution of additional programs

• The software accepts an input that it uses to fully select which program to run, as well as which commands to use. The application redirects this entire command to the operating system

General Description

13

• Execution of arbitrary code, authentication bypass, compromise of the host OS

Potential Impacts

• Utilize task specific built-in APIs to conduct operating system tasks• Run code in a "jail" or similar sandbox environment that enforces strict

boundaries between the process and the operating system• Properly neutralize all input from the client, especially command

separators and special characters which can effect intended execution• Conduct all data validation and encoding on a trusted system (e.g., The

server)

Common Mitigations

14

[2] CWE-78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Example: Cchar last_name[20]; ...................................Declare array with 20 character limitprintf ("Enter your last name: ");scanf ("%s", last_name); ...........................Get input (no limit) and store in array

The software does not limit the size of the name entered by the user, so an entry of more than 20 characters will cause a buffer overflow, since the "last_name" array can only hold 20 characters

[3] CWE-120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

• OWASP 2010: N/A• PCI-DSS V2: 6.5.2 Buffer overflow


• The software copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer

• Effects: C, C++ and Assembly

General Description

15

[3] CWE-120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

• Allow for the execution of arbitrary code, which is usually outside the scope of a program's implicit security policy

Potential Impacts

• Use a language that does not allow this weakness to occur (e.g., Java)• Use a vetted library or framework that helps prevent this weakness (e.g.,

Strsafe.h library from Microsoft)• Use a compiler with features or extensions that provide a protection

mechanism against buffer overflows• Ensure the destination buffer size is equal to or larger than the source

buffer size• Utilize input validation to enforce length limits

Common Mitigations

16

[4] CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

• OWASP 2010: A2 Cross-Site Scripting (XSS)• PCI-DSS V2: 6.5.7 Cross-site scripting (XSS)


• The software does not properly neutralize user-controllable input before using it in a web page. Variants include:• Reflected: The software reads data directly from the HTTP request

and reflects it back in the HTTP response• Stored: The software stores data in a database or other trusted data

store and includes that data as part of a future web page• DOM: Client supplied input is inserted into an HTML response page

by a client side script that processed Document Object Model (DOM) data (e.g., document.location, document.URL, etc)

General Description

17

Try this in your browser's address bar: javascript:alert(document.cookie)

[4] CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

• Theft of session credentials, networks scans, key stroke loggers, XSS Proxy (allowing full control and viewing of exploited browser)

Potential Impacts

• Properly neutralize all input from the client. Be sure to address all content, used by the software, that originated in an HTTP Request

• Conduct all data validation and encoding on a trusted system (e.g., The server)• Establish and enforce appropriate data type, range and length controls for all

content• Use a vetted library or framework to make it easier to generate properly

encoded output including Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket

Common Mitigations

18

E.g. output encoding with HTML entity encoding: The < character becomes: < The " character becomes: " This tag <script> becomes: <script&gt

[5] CWE-306Missing Authentication for Critical Function

• OWASP 2010: A3 Broken Authentication and Session Management

• PCI-DSS V2: 8.5 Ensure proper user identification and authentication management


• The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources

General Description

19

[5] CWE-306Missing Authentication for Critical Function

• Unauthorized access to read or modify data• Ability to gain additional privileges that could lead to a

complete compromise of the software's security controls

Potential Impacts

• Utilize authentication for all information, resources and functionality, except those specifically intended to be public

• Ensure all authentication controls operate on a trusted system• Use a standardized, centralized, and tested implementation for all

authentication controls• Authentication services should utilize a centralized authentication store• All authentication controls need to fail securely• Map roles and use role-based access control (RBAC) to enforce the roles

at the appropriate boundaries

Common Mitigations

20

[6] CWE-862 Missing Authorization

• OWASP 2010: A4 Insecure Direct Object References• A8 Failure to Restrict URL Access

• PCI-DSS V2: 6.5.8 Improper Access Control


• The software does not perform an authorization check when an actor attempts to access a resource or perform an action

General Description

21

[6] CWE-862Missing Authorization



Potential Impacts

• Enforce authorization controls on every request• Map roles and use role-based access control (RBAC) to enforce the roles

at the appropriate boundaries• Enforce application logic flows to comply with business rules• Restrict access to files, URLs, protected functions, services, application

data, user and data attributes and security-relevant configuration information to only authorized users

Common Mitigations

22

[7] CWE-798Use of Hard-coded Credentials


• PCI-DSS V2: 8.5 Ensure proper user identification and authentication management


• The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data

• Variants include:• Inbound: The software contains an authentication mechanism that

checks the input credentials against a hard-coded set of credentials• Outbound: The software connects to another system or component, and

it contains hard-coded credentials for connecting to that component

General Description

23

[7] CWE-798Use of Hard-coded Credentials



Potential Impacts

• Outbound Authentication: Store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system

• Inbound Authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key

• If the software must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials

Common Mitigations

24

[8] CWE-311Missing Encryption of Sensitive Data

• OWASP 2010: A7 Insecure Cryptographic Storage• A9: Insufficient Transport Layer Protection

• PCI-DSS V2: 6.5.3 Insecure cryptographic storage• 6.5.4 Insecure communications• Additionally: 2.3, 3.4, 3.5, 3.6, 4.1, 4.2, 8.4


• The software does not encrypt sensitive or critical information before storage or transmission

• Unencrypted network traffic may be intercepted, monitored or in some cases altered

• Sensitive information stored in plain text may be accessed without authorization, if the data store is reached

General Description

25

[8] CWE-311Missing Encryption of Sensitive Data



Potential Impacts

• Implement encryption for the transmission of all sensitive information and for conducting critical operations (e.g., TLS, SSH and SFTP)

• Prevent unauthorized access by encrypting sensitive data, even on trusted systems

• Select a well-vetted algorithm that is currently considered to be strong (e.g., FIPS 140-2 or an equivalent standard). Periodically ensure that the cryptography used by the software has not become obsolete

• If the software relies on wireless communications, implement strong encryption for authentication and transmission

Common Mitigations

26

[9] CWE-434Unrestricted Upload of File with Dangerous Type

• OWASP 2010: N/A• PCI-DSS V2: N/A


• The software allows for the uploading or transfer files of dangerous types that can be automatically processed within the product's environment

• If proper validation of the file type is not done, a user may be able to upload a malicious file and then access that file to gain unauthorized privileges.

General Description

27

Example: This PHP file provides access to the host OS<?phpsystem($_GET['cmd']);?> http://server.example.com/upload_dir/malicious.php?cmd=ls%20-l

[9] CWE-434Unrestricted Upload of File with Dangerous Type



Potential Impacts

• The software should generate its own filename for an uploaded file instead of the user-supplied filename

• Validate uploaded files are the expected type by checking file headers • Prevent or restrict the uploading of any file that may be interpreted by the

web server • Turn off execution privileges on file upload directories• Do not save files in the same web context as the application

Common Mitigations

28

[10] CWE-807Reliance on Untrusted Inputs in a Security Decision

• OWASP 2010: A4 Insecure Direct Object References• PCI-DSS V2: 6.5.8 Improper Access Control


• The software does not perform or incorrectly performs an authorization check when an attempt is made to access a resource or perform an action

• The software bases access decisions on client accessible data or parameters.

• Any item in an HTTP request, that is used in addition to the session identifier to make access decisions, is at risk of attacker tampering

General Description

29

https://example.com/accountInfo?acct=Bob) Bob makes request for his own accthttps://example.com/accountInfo?acct=Tom) Bob makes request for Tom’s acct

[10] CWE-807Reliance on Untrusted Inputs in a Security Decision



Potential Impacts

• Enforce authorization controls on every request• Store data used to make authorization decisions only on a trusted system

(e.g. the server)• If this data must be exposed to the client, use integrity checking on the

server side to prevent tampering. (e.g., ASP.NET View State)• Enforce application logic flows to comply with business rules

Common Mitigations

30

[11] CWE-250Execution with Unnecessary Privileges

• OWASP 2010: A6 Security Misconfiguration• PCI-DSS V2: 6.5.8 Improper Access Control


• The software performs an operation at a privilege level that is higher than the minimum level required

• Running with extra privileges, such as root or Administrator, can disable the normal security checks being performed by the operating system or surrounding environment

• Other pre-existing weaknesses can turn into security vulnerabilities if they occur while operating at raised privileges

• An example might be an application connecting to a database as the schema/database owner

General Description

31

[11] CWE-250Execution with Unnecessary Privileges



Potential Impacts

• Run your code using the lowest privileges that are required to accomplish the necessary tasks

• Raise your privileges as late as possible, and drop them as soon as possible

• If possible, create isolated accounts with limited privileges that are only used for a single task

• Ensure privilege management functions account for the fact that spawned processes run at the privilege of the owning process, so if a process is running as root when a sub-process is executed, the sub-process will operate with root privileges

Common Mitigations

32

Example of a legitimate request:http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243

Example or a forged request using a hidden image tag:<img src=http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct# width="0" height="0" />

[12] CWE-352Cross-Site Request Forgery (CSRF)

• OWASP 2010: A5 Cross-Site Request Forgery (CSRF)• PCI-DSS V2: 6.5.9 Cross-site request forgery (CSRF)


• If the software does not sufficiently verify that the user "intentionally" submitted a request, a user with an active session may be tricked into executing an unintended action on the software. The URL and required parameters must be known to the attacker

General Description

33

[12] CWE-352Cross-Site Request Forgery (CSRF)

• Attackers can cause the victim to execute any action the victim is authorized to perform

Potential Impacts

• Use a vetted library to prevent this weakness (e.g., OWASP CSRFGuard, OWASP ESAPI Session Management control)

• Include an unpredictable token in each form and verify the token upon receipt of the form

• Utilize the HTTP POST method to avoid exposing the token in the URL• Re-authenticate users prior to performing critical operations

Common Mitigations

34

[13] CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

• OWASP 2010: A4 Insecure Direct Object References• PCI-DSS V2: 6.5.8 Improper Access Control


• The software constructs dynamic directory or file path statements based on user supplied input that is not properly neutralized for special elements that can alter the path

• The “dot-dot-slash (../ or ..\)” sequences can be used to move up the directory structure and then navigate to a new location

• Adding a null byte (i.e. %00, or 0x00 in hex) may allow an attacker to bypass extension based file type restrictions by dropping everything after the null.

General Description

35

Expected Request: http://app/page.jsp?file=graphic.gifMalicious Request: http://app/page.jsp?file=serverlogs.txt%00.gif

Expected Request: http://app/page.jsp?include=file.txtMalicious Request: http://app/page.jsp?include=/../../../../../../../../../etc/passwd

[13] CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

• Unauthorized access to read, create or overwrite critical files

Potential Impacts

• Replace direct object references by using place holder values and mapping them to the actual file names or paths

• Properly neutralize all input from the client, especially path characters (., /, \) and null bytes (%00)

• Conduct all data validation and encoding on a trusted system (e.g., The server)• Enforce authorization controls on every request

Common Mitigations

36

Direct object reference: http://app?file=Report123.xls

Mapped value reference: http://app?file=1 (In sever side code: 1 = Report123.xls)

[14] CWE-494Download of Code Without Integrity Check

• OWASP 2010: N/A• PCI-DSS V2: N/A


• The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code

General Description

37

Example: Java URL[] classURLs= new URL[]{ new URL("file:subdir/")};URLClassLoader loader = new URLClassLoader(classURLs);Class loadedClass = Class.forName("loadMe", true, loader);

This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum. An attacker may be able to modify the class file to execute malicious code.

[14] CWE-494Download of Code Without Integrity Check


complete compromise of the software or hosting environment's security controls

Potential Impacts

• Perform proper forward and reverse DNS lookups to detect DNS spoofing• Encrypt the code with a reliable encryption scheme before transmitting• Perform integrity checking on the transmitted code• Use code signing technologies such as Authenticode

Common Mitigations

38

[15] CWE-863 Incorrect Authorization

• OWASP 2010: A8 Failure to Restrict URL Access• A4 Insecure Direct Object References

• PCI-DSS V2: 6.5.8 Improper Access Control


• The software does not perform or incorrectly performs an authorization check when an attempt is made to access a resource or perform an action

• Example: The Software uses presentation layer access control. (URLs are treated like secrets. They are displayed on screen, appear in browser histories and log files, may be shared by users and are known to previously privileged users whose role has changed)

General Description

39

Attacker notices the URL indicates his role /user/getAccountsHe modifies it to another directory (role) /admin/getAccountsAttacker views more accounts than just their own

[15] CWE-863 Incorrect Authorization



Potential Impacts

• Enforce authorization controls on every request• Access control decisions must not depend on untrusted data• Map roles and use Role-Based Access Control (RBAC) to enforce the

roles at the appropriate boundaries• Enforce application logic flows to comply with business rules• Restrict access to files, URLs, protected functions, services, application

data, user and data attributes and security-relevant configuration information to only authorized users

• Ensure access control is enforced correctly on a trusted system

Common Mitigations

40

[16] CWE-829 Inclusion of Functionality from Untrusted Control Sphere

• OWASP 2010: A6 Security Misconfiguration • PCI-DSS V2: N/A


• The software imports, requires, or includes executable functionality from an untrusted source

• An example might be a web application including a weather widget from an external source

General Description

41

<div id="WeatherWidget"><script type="text/javascript" src="externalDomain.example.com/weatherwidget.js"></script></div>

[16] CWE-829 Inclusion of Functionality from Untrusted Control Sphere

42

• The functionality could be malicious in nature if the source becomes compromised or if the content is modified in transit

• The functionality may also have vulnerabilities that become inherited by the including application

Potential Impacts

• Evaluate the security of untrusted functionality before using it• Use a local version of the code whenever possible• Run your code in a "jail" or similar sandbox environment• Use anti-malware to monitor the execution of untrusted code

Common Mitigations

[17] CWE-732Incorrect Permission Assignment for Critical Resource

• OWASP 2010: A8 Failure to Restrict URL Access• PCI-DSS V2: 6.5.8 Improper Access Control


• The software specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors

• Changes to the operating environment, data sensitivity or user groups might result in inappropriate permissions

• Loose permissions are set to minimize problems during installation and configuration. This may require the administrator to proactively lock them down before moving to production, which does not always happen

General Description

43

[17] CWE-732Incorrect Permission Assignment for Critical Resource



Potential Impacts

• When using a critical resource verify that it has secure permissions • During program startup, explicitly set the default permissions to the most

restrictive setting possible• For all configuration files, executables, and libraries, make sure that they

are only readable and writable by the software's administrator• Do not assume that the system administrator will manually change the

configuration to the settings that you recommend in the manual• Map roles and use role-based access control (RBAC) to enforce the roles

at the appropriate boundaries

Common Mitigations

44

[18] CWE-676 Use of Potentially Dangerous Function

• OWASP 2010: N/A • PCI-DSS V2: N/A


• The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly

• Most commonly identified in C and C++ application using functions like strcpy()

General Description

45

[18] CWE-676 Use of Potentially Dangerous Function

• System crash• Allow for the execution of arbitrary code• Unauthorized access to read or modify data

Potential Impacts

• Identify a list of prohibited API functions and prohibit the use of these functions, providing safer alternatives

• Refer to the Microsoft Security Development Lifecycle (SDL) Banned Function Calls

• http://msdn.microsoft.com/en-us/library/bb288454.aspx

Common Mitigations

46

http://msdn.microsoft.com/en-us/library/bb288454.aspx

[19] CWE-327Use of a Broken or Risky Cryptographic Algorithm

• OWASP 2010: A7: Insecure Cryptographic Storage• A9: Insufficient Transport Layer Protection

• PCI-DSS V2: 4.1 Use strong cryptography and security protocols• 6.5.3 Insecure cryptographic storage


• The software uses a broken or risky cryptographic algorithm. The algorithm may be dangerous because it is non-standard or because it is known to be weak

• The Data Encryption Standard (DES) was once considered a strong algorithm, however it is now regarded as insufficient for many applications and has been replaced by Advanced Encryption Standard (AES)

General Description

47

[19] CWE-327Use of a Broken or Risky Cryptographic Algorithm



Potential Impacts

• Select a well-vetted algorithm that is currently considered to be strong (e.g., FIPS 140-2 (i.e. Triple-DES, AES, RSA) or an equivalent standard)

• Periodically ensure that the cryptography used by the software has not become obsolete

• Design your software so that you can replace one cryptographic algorithm with another

• All cryptographic functions used to protect secrets from the application user must be implemented on a trusted system (e.g., The server)

• Protect master secrets from unauthorized access

Common Mitigations

48

[20] CWE-131Incorrect Calculation of Buffer Size



• The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow

General Description

49

Example: Cint *id_sequence;id_sequence = (int*) malloc(3);if (id_sequence == NULL) exit(1);id_sequence[0] = 13579;id_sequence[1] = 24680;id_sequence[2] = 97531;

The size parameter used during the malloc() call is set to '3' which results in a buffer of 3 bytes. The intent was to create a buffer that holds three ints, and in C, each int requires 4 bytes, so an array of 12 bytes is needed. Executing the above code could result in a buffer overflow as 12 bytes of data is being saved into 3 bytes worth of allocated space

[20] CWE-131Incorrect Calculation of Buffer Size

• System crash• Allow for the execution of arbitrary code• Unauthorized access to read or modify data

Potential Impacts

• If you allocate a buffer for the purpose of transforming, converting, or encoding an input, make sure that you allocate enough memory to handle the largest possible encoding

• Understand your programming language's underlying representation and how it interacts with numeric calculation

• Utilize input validation to enforce length and range limits• Conduct all data validation and encoding on a trusted system (e.g., The

server)

Common Mitigations

50

[21] CWE-307 Improper Restriction of Excessive Authentication Attempts


• PCI-DSS V2: 8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components


• The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks

General Description

51

[21] CWE-307 Improper Restriction of Excessive Authentication Attempts

• Attackers may be able gain access by conducting attacks utilizing automated brute force or dictionary based attacks

Potential Impacts

• Enforce account locking, disabling or time outs after an established number of invalid login attempts (e.g., five attempts is common)

• Lockout messages should not indicate which data caused the lockout condition

• Controls need to be implemented on the logon page and also any other places where this type of attack might be used, such as password changing and recovery areas

• Combine with sophisticated challenge questions• Use Multi-Factor Authentication for highly sensitive or high value

transactional accounts

Common Mitigations

52

[22] CWE-601URL Redirection to Untrusted Site ('Open Redirect')

• OWASP 2010: A10 Unvalidated Redirects and Forwards• PCI-DSS V2: N/A


• A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect

General Description

53

Example: PHP $redirect_url = $_GET['url'];header("Location: " . $redirect_url);

This page could be used as part of a phishing scam by starting on a trusted domain, but redirecting users to a malicious site. An attacker could supply a user with the following link:

http://example.com/example.php?url=http://malicious.example.com

This is the same URL only obfuscated with URL encoding to mask the off site redirect: http://example.com/example.php?url=%68%74%74%70%3a%2f%2f%6d%61%6c%69%63%69%6f%75%73%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d

[22] CWE-601URL Redirection to Untrusted Site ('Open Redirect')

• Compromise of the client machine through malware exposure• Client credential or sensitive information exposure through

spoofing content that implies the user is still on the trusted web site

Potential Impacts

• When the set of acceptable URLs is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs

• Do not pass user supplied data into a dynamic redirect. If this must be allowed, then the redirect should accept only validated, relative path URLs

• If absolute paths are used, either have the page add the domain component or strictly validate the domain

• Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving your site

Common Mitigations

54

[23] CWE-134 Uncontrolled Format String



• The software uses externally-controlled format strings in printf style functions, which can lead to buffer overflows or data representation problems

General Description

55

Example C: int main(int argc, char **argv){

char buf[128];...snprintf(buf,128,argv[1]);}

This code allows an attacker to view the contents of the stack and write to the stack using a command line argument containing a sequence of formatting directives.

[23] CWE-134 Uncontrolled Format String

• System crash• Allow for the execution of arbitrary code• Data Corruption

Potential Impacts

• Ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings

• Utilize input validation to enforce length and range limits• Conduct all data validation and encoding on a trusted system (e.g.,

The server)

Common Mitigations

56

[24] CWE-190Integer Overflow or Wraparound



• The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value

General Description

57

Example: Cnresp = packet_get_int();if (nresp > 0) {response = xmalloc(nresp*sizeof(char*));for (i = 0; i > nresp; i++) response[i] = packet_get_string(NULL);}

If nresp has the value 1073741824 and sizeof(char*) has its typical value of 4, then the result of the operation nresp*sizeof(char*) overflows, and the argument to xmalloc() will be 0, causing the subsequent loop iterations to overflow the heap buffer response

[24] CWE-190Integer Overflow or Wraparound

• System crash• Allow for the execution of arbitrary code• Data Corruption

Potential Impacts

• Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol

• Use libraries or frameworks that make it easier to handle numbers without unexpected consequences. (e.g., SafeInt (C++) or IntegerLib (C or C++)

• Utilize input validation to enforce length and range limits• Conduct all data validation and encoding on a trusted system (e.g., The server)

Common Mitigations

58

[25] CWE-759 Use of a One-Way Hash without a Salt

• OWASP 2010: A7 Insecure Cryptographic Storage• PCI-DSS V2: 6.5.3 Insecure cryptographic storage


• The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input

• This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables

General Description

59

[25] CWE-759 Use of a One-Way Hash without a Salt



Potential Impacts

• Generate a random salt each time you process a new data that requires hashing

• Add the salt to the plaintext data before hashing it• When you store the hash, also store the salt. Do not use the

same salt for every piece of data that you process

Common Mitigations

60

2011 cwe/sans top 25 with owasp top 10 and pci dss v2 mapping

Documents