by Cody Dumont
June 4, 2014
Web application security is a key concern for any organization. The software security community created the Open Web Application Security Project (OWASP) to help educate developers and security professionals. This dashboard provides Tenable.sc users the ability to monitor web applications by identifying the top 10 most critical vulnerabilities as described in OWASP's Top 10 awareness document.
The OWASP Top 10 outlines several different aspects of web based security, for example Cross-Site scripting attacks, Security Misconfigurations, and Sensitive data exposure. The Top 10’s focus is to reduce risk across the most vulnerable aspects of conducting business across the internet. Following these guidelines empowers organizations to reduce risk to organizational and customer data theft.
Administrators need to ensure that their organization isn’t vulnerable to any of the attacks that relate to the 10 different focuses of the Top 10. In addition, the compliance related focuses, like the known vulnerable components and insufficient logging, are important for eliminating gaps in an organization’s security that aren’t directly tied to exploitable attacks.
This dashboard covers all aspects of the OWASP Top 10, and gives administrators the tools and information needed to aid their efforts. The chapters related to exploitable vulnerabilities gives organizations a roadmap for reducing attack risk. The compliance and logging chapters will also guide organizations on the steps that they need to take to mitigate business risk through strong security practice.
The dashboard is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Security Industry Trends. The dashboard requirements are:
• Tenable.sc 5.2.0
• Nessus 8.4.0
• LCE 6.0.0
• NNM 5.9.0
Tenable.sc CV provides continuous network monitoring, vulnerability identification, risk reduction, and compliance monitoring. Tenable.sc CV continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. By integrating with Nessus, Tenable.sc CV provides the most comprehensive view of network security data.
The third indicator component provides a view into several web application security issues starting with injection vulnerabilities and ending with cross-site scripting (XSS) vulnerabilities. There is a table with all informational vulnerabilities related to web application security. The final component is a detailed matrix showing vulnerabilities mapped to the ten most critical web application security risks identified in OWASP’s Top Ten document. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The OWASP ten most critical web application security risks are:
- A1 – Injection: Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query.
- A2 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
- A3 – Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
- A4 – Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key.
- A5 – Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform.
- A6 – Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials.
- A7 – Missing Function Level Access Control: Most web applications verify function level access rights before making that functionality visible in the UI.
- A8 – Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application.
- A9 – Using Known Vulnerable Components: Components, such as libraries, frameworks, and other software modules, almost always run with full privileges.
- A10 – Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.
The components of this dashboard are:
OWASP Top 10 - 90 Day Trend Analysis for Critical Severity Web Vulnerabilities
This component collects the vulnerabilities from the CGI Abuses, CGI Abuses : XSS, and Web Servers plugin families for both active and passive vulnerabilities. The trend graph provides a trend analysis of all critical severity vulnerabilities over the past three months.
OWASP Top 10 - Top 10 Indicators
This component collects the vulnerabilities from the CGI Abuses, CGI Abuses : XSS, and Web Servers plugin families for both active and passive vulnerabilities. The CGI Abuses family Checks for web-based CGI programs with publicly documented vulnerabilities. These checks include SQL injection, Local File Inclusion (LFI), Remote File Inclusion (RFI), Directory Traversal, and more. For web-based CGI programs with publicly documented cross-site scripting (XSS) vulnerabilities, the CGI Abuses : XSS plugin family is used. For web server vulnerabilities, the Web Server plugin family can detect vulnerabilities in web servers such as Apache HTTP Server, IBM Lotus Domino, Microsoft IIS, and many more. The matrix is comprised of three columns, with the first displaying a count of affected hosts, followed by the number of vulnerabilities. The vulnerability count includes low, medium, high and critical severities. The third column provides an analysis of known exploitable vulnerabilities. Each row is dedicated to one of the OWASP Top 10 most critical web application security flaws.
OWASP Top 10 - Web Informational Vulnerabilities
This component provides detailed information about web application services. The information provided includes application versions, external URLs, harvested email addresses, file inventories and more. This information may not represent a vulnerability; however, the information should be reviewed to properly assess risk.
OWASP Top 10 - 90 Day Trend Analysis for High Severity Web Vulnerabilities
This component collects the vulnerabilities from the CGI Abuses, CGI Abuses : XSS, and Web Servers plugin families for both active and passive vulnerabilities. The trend graph provides a trend analysis of all high severity vulnerabilities over the past three months.
OWASP Top 10 - Web App Result Indicator
This component provides a summary of the common web application security flaws recommended for tracking in PCI DSS v3 Section 6.5. Listed below are the PCI application security flaw summaries found in Section 6.5.1-9.
- 6.5.1 Injection Flaws: Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
- 6.5.2 Buffer Overflows: Buffer overflows occur when an application does not have appropriate bounds checking on its buffer space.
- 6.5.4 Insecure Communications: applications that fail to adequately encrypt network traffic using strong cryptography are at increased risk of being compromised and exposing cardholder data.
- 6.5.5 Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or expose privileged information through improper error handling methods.
- 6.5.6 All High Risk Vulnerabilities: All vulnerabilities identified by an organization’s vulnerability risk-ranking process (defined in Requirement 6.1) to be “high risk” and that could affect the application should be identified and addressed during application development.
- 6.5.7 Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.
- 6.5.8 Improper Access Control: Such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions.
- 6.5.9 Cross-site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then enables the attacker to perform any state-changing operations the victim is authorized to perform.
More information on PCI compliance can be found at https://www.pcisecuritystandards.org.
OWASP Top 10 - Web Events
This component provides indicators for logs collected by LCE that reflect potential vulnerabilities to web applications. The indicators focus on the intrusion, threatlist, stats, web-access, and web-error event types. The indicators for threatlist and intrusion turn red when a match is found. The red indicator means immediate attention is required to determine if a system has been compromised. The other indicators will turn yellow when a match is found; these indicators suggest a warning, and should be reviewed to determine the severity.
OWASP Top 10 - SQL Events
This component provides indicators for logs collected by LCE that reflect potential vulnerabilities to databases used in web applications. The first four indicators monitor specific normalized events, which are commonly seen if a web application is compromised. These indicators will turn red when a match is found and immediate attention is warranted. The fifth indicator is for all SQL intrusion events and will turn red when a match is found and immediate attention is warranted. The remaining three indicators are for various SQL related issues, which could indicate an attack is underway and will turn yellow when a match is found. The description of the first four indicators are:
- Suspicious_SQL-User_Database_Dump: A suspicious SQL query was detected which attempted to dump a list of system users.
- Suspicious_SQL-Command_Execution: A suspicious SQL query with a potential SQL injection event was detected.
- Suspicious_SQL-Injection_Attack_Detected: The LCE has detected a SQL query containing patterns commonly found with large-scale automated SQL injection attacks. These queries commonly contain long strings of characters repetitive string concatenation and other uncommon SQL usage. Examining the query in question especially against other queries commonly executed against the same database should show that it stands out and requires review to see if any malicious commands have been executed.
- Suspicious_SQL_Query_Detected: A suspicious SQL query was detected