OWASP and Theatre Manager

The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP, and all of the materials are available under a free and open software license.

The OWASP Top 10 for 2010 is interesting reading for application developers, web site builders and end users. The internet has many good features, but it is not a safe place if you are not aware.

Each year, the Arts Management team reviews the top 10 and, for those that are applicable, ensures that the web sales module provides a defence against the top 10 per PCI standard 5.1. Responses are posted here. Merchants should also be aware of these.

2010 Top 10 list

Description / Theatre Manager Implementation
A1 SQL Injection
OWASP's preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.

In Theatre Manager, all web pages access the web listener through an API, and each parameter is scrubbed for specific values on its way to the web listener.

A2 Cross-Site Scripting (XSS)
OWASP's preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into.

Theatre Manager looks for any attempt to put JavaScript and other special characters into a form and simply removes them. We have determined that there is no valid need for words like <script> in enterable fields such as name or address.

A3 Broken Authentication and Session Management
Theatre Manager uses cookies for session management. All data in the cookie is 3DES encrypted, along with a date and time.

If the web listener notices that the cookie comes back with an earlier time than expected, it discards the request.

No session IDs are allowed in the URL.
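The A3 design above (an encrypted cookie that carries a date and time and is discarded when it comes back earlier than expected), as an added Go example that is not Theatre Manager code: it seals a session id and issue time with 3DES-CBC, and the listener rejects any cookie whose time is older than the newest it has already seen for that session. That freshness rule, the demo key, the payload layout and the function names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"time"
)
// Constructed 24-byte demo key; a real listener would load its secret from configuration.
var blk, _ = des.NewTripleDESCipher([]byte("demo-key-24-bytes-long!!"))

// Seal encrypts [8-byte unix issue time | session id] with 3DES-CBC under a fresh random IV (prepended).
func Seal(sessionID string, issued time.Time) string {
	plain := append(binary.BigEndian.AppendUint64(nil, uint64(issued.Unix())), sessionID...)
	n := des.BlockSize - len(plain)%des.BlockSize // PKCS#7 padding, always 1..8 bytes
	plain = append(plain, bytes.Repeat([]byte{byte(n)}, n)...)
	buf := make([]byte, des.BlockSize+len(plain))
	rand.Read(buf[:des.BlockSize]) // IV; crypto/rand aborts the process rather than return an error
	cipher.NewCBCEncrypter(blk, buf[:des.BlockSize]).CryptBlocks(buf[des.BlockSize:], plain)
	return base64.StdEncoding.EncodeToString(buf)
}

// Open decrypts a cookie and returns the session id and issue time it carries (minimal padding check).
// CBC without a MAC is malleable; a current design would use an AEAD instead.
func Open(cookie string) (string, time.Time, error) {
	buf, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil || len(buf) < 3*des.BlockSize || len(buf)%des.BlockSize != 0 {
		return "", time.Time{}, errors.New("malformed cookie")
	}
	plain := make([]byte, len(buf)-des.BlockSize)
	cipher.NewCBCDecrypter(blk, buf[:des.BlockSize]).CryptBlocks(plain, buf[des.BlockSize:])
	if n := int(plain[len(plain)-1]); n >= 1 && n <= des.BlockSize {
		sec := int64(binary.BigEndian.Uint64(plain[:8]))
		return string(plain[8 : len(plain)-n]), time.Unix(sec, 0), nil
	}
	return "", time.Time{}, errors.New("bad padding")
}

// Accept is the listener check: a cookie carrying an earlier issue time than the newest seen for its session is stale.
func Accept(latest map[string]time.Time, cookie string) bool {
	id, issued, err := Open(cookie)
	if err != nil || issued.Before(latest[id]) { // unknown ids map to the zero time and are never "earlier"
		return false
	}
	latest[id] = issued
	return true
}
```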

A4 Insecure Direct Object References
Theatre Manager does not allow direct access to any object in the database; all access goes through an API. Users cannot retrieve data in an unauthorized way.
A5 Cross-Site Request Forgery (CSRF)
Theatre Manager does not allow access to the database except via the API. It also forces a timeout for inactivity.

At worst, an attacker who takes the time and effort to embed an API call in a JPEG and tricks a ticket buyer into sending it to your web listener might find a seat or add a ticket to a shopping cart. The key point is that the impact, should this even happen, is low.

A6 Security Misconfiguration (NEW)
The primary prevention for this is PCI security scans, upgrading Theatre Manager components on a regular basis, and following any implementation notes.
A7 Insecure Cryptographic Storage
Theatre Manager handles encryption of the key card information and recommends shredding unused data after a period of time.

The majority of this OWASP item refers to storage, backups and a venue's internal processes.

A8 Failure to Restrict URL Access
This does not apply to Theatre Manager's web listeners because of the APIs used to control access to the system. Directly accessing the limited number of web pages in the htdocs directory does nothing unless they are processed by a web listener. Further, all requests are sent through a specialized Apache module that adds additional tokens not visible in the browser, re-routes the URL and does some NAT translation of its own.
A9 Insufficient Transport Layer Protection
Theatre Manager's web listener suggests using SSL for all traffic, which means turning on port 443 to the Apache server.

Ensuring the SSL certificate is current is a responsibility of the monthly PCI scan process.

A10 Unvalidated Redirects and Forwards (NEW)
Theatre Manager does not use redirects in any web page.