Difference between revisions of "Enterprise Business Application Security Development Issues"

From OWASP
(Created page with " === Development of guides === == Objective == This document will describe different areas of program vulnerabilities that can be found in Enterprise Business applications...")
 
Line 1: Line 1:
  
=== Development of guides ===
+
=== Development Issues ===
  
 
== Objective  ==
 
== Objective  ==
  
This document will describe different areas of program vulnerabilities that can be found in Enterprise Business applications and ERP systems.  
+
This document will describe different areas of program vulnerabilities that can be found in source code of Enterprise Business applications and ERP systems.  
  
 
== Purpose  ==
 
== Purpose  ==
Line 12: Line 12:
 
== Intro  ==
 
== Intro  ==
  
There are many different languages and technologies that can be used to develop business applications and write costom code. Here, we will try to categorize it first by dividing into Server and Client side. Top 10 list of vulnerabilities for both areas will be shown.  
+
There are many different languages and technologies that can be used to develop business applications and write costom code such as ABAP for SAP, PeopleCode for PeopleSoft,X++ for Microsoft Dynamics, PL/SQL for Oracle EBS, LotusScript for Lotus and much much more. Here, we will try to categorize them into 9 main areas filtered by criticality.  
  
 
== Main  ==
 
== Main  ==
  
Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon.  
+
Crosslinks to CWE, SANS, OWASP and risks with descriptions will be added soon.  
  
[[Image:Dev1.png|484x290px]] <br>
+
== 9 most critical types of issues in source code (EASAD-9-2013) ==
  
<br>
+
1 injections (Code sql os)
 
+
2 critical calls (to db to os )
<br>
+
3 missing or bad access control checks (miss auth checks )
 
+
4 directory/path traversal (write, read, smbrelay)
<br>
+
5 Modification of displayed content (XSS stored, linked, js/html injections)
 
+
6 backdoors (hardcoded credentials)
<br>
+
7 covert channels (sockets, http calls, ssrf's, )
 
+
8 information  disclose (hardcoded users, passwords, debug information,
<br>
+
9 obsolete statements ( READ TABLE, kernel methods,….)
 
+
<br>
+
 
+
<br>
+
 
+
== Top 10 Server vulnerabilities (EASAD) ==
+
 
+
1 XSS<br>
+
2 Improper Access Control<br>
+
3 Information disclosure<br>
+
4 Command/code injection in proprietary language<br>
+
5 SQL Injection <br>
+
6 Missing Encryption of Sensitive Data<br>
+
7 Buffer overflows <br>
+
8 Path traversal<br>
+
9 CSRF <br>
+
10 Use of a Broken or Risky Cryptographic Algorithm
+
  
== Top 10 Frontend vulnerabilities (EASFD) ==
 
  
1 Buffer overflows (ActiveX)<br>
 
2 Exposed Dangerous Method or Function (ActiveX)<br>
 
3 Insecure scripting server access <br>
 
4 File handling Frontend vulnerabilities<br>
 
5 Use of a Broken or Risky Cryptographic Algorithm<br>
 
6 Cleartext Storage of Sensitive Information<br>
 
7 Use of hard-coded password<br>
 
8 Lack of integrity checking for front-end application<br>
 
9 Cleartext Transmission of Sensitive Information<br>
 
10 Vulnerable remote services
 
  
 
== Links  ==
 
== Links  ==
Line 68: Line 40:
 
== Authors  ==
 
== Authors  ==
  
Alexander Polyakov (ERPScan Research Group) <br>
+
Alexander Polyakov
Mikhail Markevich <br>
+
Alexander Minojenko
Dmitry Evdokimov (ERPScan Research Group) <br>
+
Pavel Kuzmin
Alexey Sintsov (ERPScan Research Group)
+

Revision as of 15:42, 15 September 2013


Development Issues

Objective

This document will describe the different areas of program vulnerabilities that can be found in the source code of Enterprise Business applications and ERP systems.

Purpose

The purpose of this document is to increase awareness among developers of Enterprise Business software. Here, we will collect the top software vulnerabilities, on the server side and on the frontend side, that can exist in Business Applications.

Intro

There are many different languages and technologies that can be used to develop business applications and write custom code, such as ABAP for SAP, PeopleCode for PeopleSoft, X++ for Microsoft Dynamics, PL/SQL for Oracle EBS, LotusScript for Lotus and many more. Here, we will try to categorize them into 9 main areas, ordered by criticality.

Main

Crosslinks to CWE, SANS, OWASP and risks with descriptions will be added soon.

9 most critical types of issues in source code (EASAD-9-2013)

1 Injections (code, SQL, OS)
2 Critical calls (to the database, to the OS)
3 Missing or bad access control checks (missing authorization checks)
4 Directory/path traversal (write, read, SMB relay)
5 Modification of displayed content (stored and linked XSS, JS/HTML injections)
6 Backdoors (hardcoded credentials)
7 Covert channels (sockets, HTTP calls, SSRF)
8 Information disclosure (hardcoded users, passwords, debug information)
9 Obsolete statements (READ TABLE, kernel methods, ...)
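To make the nine categories concrete, the following is a worked example added here; it is not code from the OWASP page or from ERPScan. It is a small pattern-based checker that runs over two constructed ABAP reports and maps each hit to an EASAD-9-2013 category. The ABAP statements it looks for are real (AUTHORITY-CHECK, OPEN DATASET, CALL 'SYSTEM', EXEC SQL, READ TABLE, cl_http_client=>create_by_url), but the rules, finding titles, the sample programs and the authorization object values in the hardened version are assumptions made for illustration; a real static analyser would parse the code rather than match single lines.

```python
"""Pattern-based checker for the EASAD-9-2013 issue categories in ABAP source.

Added example, not code from the OWASP page or ERPScan. The rules, titles and
sample programs are constructed; the ABAP statements themselves are real.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: int   # EASAD-9-2013 category number (1..9)
    title: str
    line_no: int
    line: str


# One-line heuristics. Category 3 (missing access control) is a property of the
# whole unit, so it is derived in scan() rather than matched per line.
RULES = [
    (1, "injection: SQL WHERE clause built dynamically from a variable",
     re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I)),
    (2, "critical call: OS command through the kernel call CALL 'SYSTEM'",
     re.compile(r"CALL\s+'SYSTEM'", re.I)),
    (2, "critical call: native SQL block",
     re.compile(r"\bEXEC\s+SQL\b", re.I)),
    (4, "path traversal: file opened from a variable, not a fixed path",
     re.compile(r"\bOPEN\s+DATASET\s+\w+\s+FOR\s+(INPUT|OUTPUT|APPENDING)\b", re.I)),
    (6, "backdoor: hardcoded credential literal",
     re.compile(r"(PASSWORD|PASSWD|PWD)\w*[^'\n]*'[^']+'", re.I)),
    (7, "covert channel: outbound HTTP client created in code",
     re.compile(r"cl_http_client=>create_by_url", re.I)),
    (8, "information disclosure: user/system data written to output",
     re.compile(r"\bWRITE\b.*\bSY-UNAME\b", re.I)),
    (9, "obsolete statement: READ TABLE (table expressions are preferred)",
     re.compile(r"\bREAD\s+TABLE\b", re.I)),
]

SENSITIVE_CATEGORIES = {2, 4}   # operations that should sit behind an AUTHORITY-CHECK


def scan(source: str) -> list[Finding]:
    """Return findings for one ABAP compilation unit, ordered by line number."""
    findings, code_lines = [], []
    for no, raw in enumerate(source.splitlines(), start=1):
        if raw.lstrip().startswith("*"):          # full-line comment
            continue
        code = raw.split('"', 1)[0]               # drop end-of-line comment (assumes no '"' inside literals)
        code_lines.append(code)
        for cat, title, rx in RULES:
            if rx.search(code):
                findings.append(Finding(cat, title, no, raw.strip()))
    # Category 3: a sensitive operation exists but no AUTHORITY-CHECK in live code.
    has_auth_check = re.search(r"\bAUTHORITY-CHECK\b", "\n".join(code_lines), re.I) is not None
    sensitive = [f for f in findings if f.category in SENSITIVE_CATEGORIES]
    if sensitive and not has_auth_check:
        first = sensitive[0]
        findings.append(Finding(3, "missing access control: sensitive operation with no AUTHORITY-CHECK in unit",
                                first.line_no, first.line))
    return sorted(findings, key=lambda f: (f.line_no, f.category))


def categories_hit(source: str) -> set[int]:
    return {f.category for f in scan(source)}


# Constructed vulnerable report (not real customer code); each flagged line
# corresponds to one EASAD-9 category.
VULNERABLE_ABAP = """\
REPORT zeasad_demo.
DATA: lv_where TYPE string,
      lv_file  TYPE string,
      lt_users TYPE TABLE OF usr02,
      lv_pwd   TYPE string VALUE 'hunter2'.
PARAMETERS: p_name TYPE string,
            p_file TYPE string.
* dynamic WHERE clause built from user input
CONCATENATE 'BNAME = ''' p_name '''' INTO lv_where.
SELECT * FROM usr02 INTO TABLE lt_users WHERE (lv_where).
READ TABLE lt_users INDEX 1 INTO DATA(ls_user).
lv_file = p_file.
OPEN DATASET lv_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
CALL 'SYSTEM' ID 'COMMAND' FIELD 'date' ID 'TAB' FIELD lt_out.  " kernel call
WRITE: / 'running as', sy-uname.
"""

# Constructed hardened version: host variables instead of a dynamic WHERE, a
# table expression instead of READ TABLE, and an authority check up front
# (object and field values are illustrative assumptions).
FIXED_ABAP = """\
REPORT zeasad_demo_fixed.
DATA lt_users TYPE TABLE OF usr02.
PARAMETERS p_name TYPE string.
AUTHORITY-CHECK OBJECT 'S_TABU_DIS' ID 'DICBERCLS' FIELD 'SC' ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized' TYPE 'E'.
ENDIF.
SELECT * FROM usr02 INTO TABLE @lt_users WHERE bname = @p_name.
DATA(ls_user) = lt_users[ 1 ].
"""

if __name__ == "__main__":
    for f in scan(VULNERABLE_ABAP):
        print(f"line {f.line_no:2d}  EASAD-{f.category}  {f.title}\n          {f.line}")
    print("hardened version:", categories_hit(FIXED_ABAP) or "no findings")
```

Running the script lists seven findings for the vulnerable report (categories 1, 2, 3, 4, 6, 8 and 9) and none for the hardened one. Category 3 is reported on the first sensitive call because the unit contains no AUTHORITY-CHECK at all; that whole-unit rule is the part a line-oriented grep cannot express, and it is the check that matters most in ERP custom code.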


Links

coming soon


Authors

Alexander Polyakov
Alexander Minojenko
Pavel Kuzmin