
OWASP Top Ten: What you need to know Part 3

on May 22, 14 • by Roy Sarkar • with No Comments



[Read part 1, part 2]

The OWASP Top 10 is a list of the most common and most exploitable classes of security vulnerability in web application code, compiled from data on more than five hundred thousand vulnerabilities found in real applications. Knowing the list and how to protect your code against each item helps minimize risk for both yourself and your users. Previously, we looked at how Klocwork handles several items on the list; today, we’ll look at the final two.

A9 – Using Components with Known Vulnerabilities

This is one of the most common weaknesses because it is the catch-all for any application that uses commercial or open source components known to have flaws. It is also one of the hardest to fix: either you know there is an issue but can’t address it (for reasons such as cost, schedule, or skill set), or you don’t know there is an issue at all, because you may not even know which components and versions you ship, and matching published vulnerability reports to them is hard.

There’s no dedicated Klocwork checker for this flaw as it’s really the result of not knowing what’s in your system. As OWASP states, “Virtually every application has these issues because most development teams don’t focus on ensuring their components/libraries are up to date. In many cases, the developers don’t even know all the components they are using, never mind their versions. Component dependencies make things even worse.”

You can do two things to get a picture of where you’re vulnerable:

• Use all Klocwork security checkers on all components within your application to ensure you’ve analyzed your code against many common vulnerabilities, whether publicly reported or not.
• Perform an open source audit to identify all open source packages used within your code base and receive an up-to-date report on security vulnerabilities.

A10 – Unvalidated Redirects and Forwards

Redirects and forwards are attractive to attackers because their target is often taken straight from a request parameter. An unvalidated redirect lets an attacker craft a link on a trusted site that sends the user on to a malicious URL (the link begins with the legitimate domain, which makes it effective for phishing); an unvalidated forward can route a request to a page the user should not be able to reach, such as administrative functionality. Here’s an example from the OWASP page:

http://www.example.com/boring.jsp?fwd=admin.jsp

Here, the fwd parameter selects the page the request is forwarded to. If the forward itself isn’t access controlled and admin.jsp relies on never being reached directly, an attacker can craft this URL and land on the admin page.

Klocwork has several checkers that find this class of issue, including unvalidated e-mail address input (SV.EMAIL) and unvalidated input reaching a dangerous sink (SV.TAINT). Consider this example of a servlet issuing an HTTP redirect:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Vulnerable by design: the redirect target is taken straight from the request.
protected void doPost(HttpServletRequest req, HttpServletResponse resp)
  throws ServletException, IOException
{
    String url = req.getParameter("HIDDEN_URL");   // attacker-controlled value
    if (url == null || url.isEmpty()) {            // null when the parameter is absent
        generatePage(req, resp);                   // defined elsewhere in the application
    } else {
        resp.sendRedirect(url);                    // unvalidated: open redirect
    }
}

The sendRedirect() call takes its target from an HTTP request parameter, so the destination is attacker-controlled. If HIDDEN_URL was set by an attacker (for example in a crafted link the victim follows), the user is sent to a page of the attacker’s choosing: an open redirect. Because the same unvalidated value also becomes the Location header of the response, a value containing carriage return and line feed characters can terminate that header and inject further headers or a body, the related attack known as HTTP response splitting. Many servlet containers now strip or reject CR and LF in header values, but the open redirect does not depend on that and must be fixed in the application by validating the target. Klocwork reports an SV.HTTP_SPLIT issue where sendRedirect() is called, with a traceback to the line where url is set.
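As an added example (not from the original post and not Klocwork’s code), here is a hardened replacement for the servlet above, together with allow-listed handling of the boring.jsp?fwd=... forward from the A10 example. The parameter names HIDDEN_URL and fwd follow the text; the host allow-list, the forwardable page list and the /home fallback are assumptions for illustration. The redirect check accepts only a site-relative path or an absolute http(s) URL whose host is allow-listed, and refuses control characters so the value can never split the Location header.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SafeNavigationServlet extends HttpServlet {

    /** Hosts this application may redirect to (hypothetical allow-list). */
    static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com", "login.example.com");

    /** Pages reachable through ?fwd=... (hypothetical); admin.jsp is deliberately absent. */
    static final Set<String> FORWARDABLE_PAGES = Set.of("boring.jsp", "help.jsp");

    /**
     * Returns the candidate unchanged if it is a safe redirect target, else null.
     * Safe means: a site-relative path such as "/account/home", or an absolute
     * http(s) URL whose host is on the allow-list.
     */
    static String validateRedirect(String candidate, Set<String> allowedHosts) {
        if (candidate == null || candidate.isEmpty()) {
            return null;
        }
        // CR, LF and other control characters could break out of the Location
        // header (response splitting); reject them before parsing anything.
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return null;
            }
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return null;   // backslashes, spaces, malformed escapes, ...
        }
        if (uri.getScheme() == null) {
            // Site-relative only. "//evil.com/x" carries an authority and is
            // refused, as is anything not starting with exactly one "/".
            String path = uri.getPath();
            boolean relative = uri.getRawAuthority() == null && path != null
                    && path.startsWith("/") && !path.startsWith("//");
            return relative ? candidate : null;
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return null;   // javascript:, data:, file:, ...
        }
        String host = uri.getHost();
        // "http://www.example.com@evil.com/" has userinfo before the real host;
        // refuse userinfo outright rather than trust what appears before '@'.
        if (host == null || uri.getRawUserInfo() != null) {
            return null;
        }
        return allowedHosts.contains(host.toLowerCase(Locale.ROOT)) ? candidate : null;
    }

    /** Maps the fwd parameter to a page only when that page is explicitly allow-listed. */
    static String validateForward(String page, Set<String> forwardable) {
        return (page != null && forwardable.contains(page)) ? "/" + page : null;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = validateRedirect(req.getParameter("HIDDEN_URL"), ALLOWED_HOSTS);
        if (target == null) {
            resp.sendRedirect("/home");   // missing or rejected: fixed, trusted fallback
            return;
        }
        resp.sendRedirect(target);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String page = validateForward(req.getParameter("fwd"), FORWARDABLE_PAGES);
        if (page == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);   // e.g. fwd=admin.jsp
            return;
        }
        RequestDispatcher dispatcher = req.getRequestDispatcher(page);
        dispatcher.forward(req, resp);
    }
}
```

The two validators return a value only when the input matches an explicit allow-list, so a taint analysis can treat their return value as sanitized; the fallback redirect and the 403 on a rejected forward make sure the untrusted parameter never reaches sendRedirect() or forward() unchecked. Note that the forward allow-list is only a gate on the fwd parameter; admin.jsp must still enforce its own authorization in case it is reached by another path.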

That completes our walkthrough of how the OWASP Top Ten security vulnerabilities are handled by Klocwork. For a complete mapping between OWASP’s list and Klocwork’s checkers, visit this page.

Learn more:
• Read about the complete set of security standards that Klocwork supports, including OWASP, CWE, CERT, and DISA
• See the leading challenges driving code security and complexity issues in software today by watching this webinar
