OWASP Top 10 and your Recruitment Website - Part 1

Posted By: Dmitry Kulshitsky, 8:30am Monday 09 August 2010

OWASP has recently updated their list of the top 10 most prevalent security vulnerabilities. Since this list covers all major aspects of computer security it is interesting to check what are the issues that are relevant to a typical recruitment website or job board and (exercising the 80/20 rule) what are the key questions we should ask ourselves (or our IT/security staff) to be sure that we don't miss anything critical.

The recommendations below are just for your reference and are not meant to replace a proper security audit process, but they are a good place to start the conversation about the state of security of your website.

A1 – Injection

The first thing that comes to mind here is SQL injection, which we have covered before. But make no mistake – this class of vulnerabilities includes all types of injection, not just SQL (e.g. LDAP, shell command, XPath, etc.). A typical developer will probably be aware of SQL injection but not of the others.

OWASP puts injections at the top of the list. Recruitment websites and job boards contain sensitive data (e.g. usernames, passwords, resumes, addresses, phone numbers etc), so it should come as no surprise that the relevance is set to high.
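The point that injection is a class rather than a single bug is easiest to see with two of its members side by side. The following is an added example, not code from the original post: a constructed in-memory SQLite table stands in for a job board's user store, and `echo` stands in for an external indexing tool that receives a search keyword. In both cases the vulnerable version lets input become part of the grammar (SQL or shell), and the fix is the same shape: hand the input over as a value (bound parameter, argv element), never as text that is parsed.

```python
import sqlite3
import subprocess


def make_demo_db():
    """Constructed in-memory table standing in for a job board's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """String concatenation: a quote in `username` rewrites the WHERE clause."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Parameter binding: the driver sends `username` as a value, so it can
    never be read as SQL, whatever characters it contains."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def run_tool_vulnerable(keyword):
    """shell=True builds a command line and hands it to /bin/sh, so shell
    metacharacters in `keyword` are interpreted as commands.
    (`echo` is a constructed stand-in for a real external tool.)"""
    out = subprocess.run("echo " + keyword, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_tool_safe(keyword):
    """argv list, no shell: `keyword` reaches the tool as one literal argument."""
    out = subprocess.run(["echo", keyword], capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    conn = make_demo_db()
    probe = "' OR '1'='1"           # classic textbook tautology
    print("vulnerable SQL:", find_user_vulnerable(conn, probe))  # every user
    print("parameterised: ", find_user_safe(conn, probe))        # no such user
    probe = "x; echo INJECTED"
    print("vulnerable shell:", run_tool_vulnerable(probe))       # two lines
    print("argv list:       ", run_tool_safe(probe))             # one literal line
```

The same rule generalises to the other members of the class the post lists: LDAP filters and XPath expressions have their own escaping rules, and the safe approach is again a library that builds the query from separately supplied values rather than string concatenation.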

Questions to ask:
Quick tests to perform:

A2 – Cross-Site Scripting (XSS)
We have covered cross-site scripting (XSS) before. For recruitment websites and job boards there are two major issues that may arise:
  1. Stealing cookies – this will allow an attacker to impersonate your clients and log in to their accounts
  2. Embedding unauthorised HTML/JavaScript/frames. See previous article on hidden iframe injections
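Both issues are addressed on the server side: job descriptions and profile fields supplied by advertisers or job seekers are rendered only after passing an allow-list, and the session cookie is flagged so that script in the page cannot read it even if some XSS slips through. The following is an added example, not code from the original post. The allow-listed tag set, the `session` cookie name and the `attacker.invalid` host in the sample input are constructed for illustration; the sanitizer is built on the standard library's `html.parser` and keeps only a few formatting tags with no attributes, dropping `<script>`/`<iframe>` together with their content.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed allow-list: formatting an advertiser legitimately needs, nothing that runs or loads.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li"}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds user-supplied HTML keeping only ALLOWED_TAGS, with every
    attribute discarded (so no onload=, style=, src=, href=javascript:)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # allow-listed tags currently open, for balancing
        self.skip_depth = 0     # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return              # unknown tag: removed, its text is kept
        self.out.append(f"<{tag}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:   # close this tag and anything left open inside it
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if self.skip_depth == 0:
            # Text is re-escaped, so a literal '<' or '&' can never start markup.
            self.out.append(html.escape(data))


def sanitize_job_description(raw_html):
    p = AllowlistSanitizer()
    p.feed(raw_html)
    p.close()
    while p.open_tags:          # balance tags the input left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)


def session_cookie_header(session_id):
    """Set-Cookie value for the login session. HttpOnly keeps the cookie out of
    document.cookie, so script injected into a page cannot read it; Secure and
    SameSite limit where it is sent. (Cookie name 'session' is constructed.)"""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Strict"
    c["session"]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    # Constructed sample of what an advertiser form might submit.
    sample = ('<p onclick="x()">Senior <b>Developer</b></p>'
              '<script>alert(1)</script>'
              '<iframe src="http://attacker.invalid/"></iframe>Apply now')
    print(sanitize_job_description(sample))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

Escaping on output is what protects the second case (a `<` typed into a plain-text field such as a name or salary) and the allow-list is what protects rich-text fields; the two are complementary, and neither replaces validating the input when it arrives.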
Questions to ask:
Quick test to perform:

A3 – Broken Authentication and Session Management

Relevance: Medium-High
Impact: Usually Severe

A typical recruitment website or job board has a login function for job seekers and advertisers. If authentication and/or session management mechanisms are broken, this could result in attackers getting access to your clients’ accounts.
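What "broken" means in practice for a login function is concrete: session identifiers that are guessable, a session that keeps its identifier across login (so an identifier planted before authentication becomes an authenticated one), sessions that never expire, logout that only clears the cookie, and passwords stored in a reversible or fast-to-brute-force form. The following is an added example, not code from the original post, showing one server-side session manager and password store that avoids each of these; the 30-minute idle timeout and PBKDF2 iteration count are constructed values, and the injectable `clock` exists only so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time

IDLE_TIMEOUT_SECONDS = 30 * 60      # constructed policy value
PBKDF2_ITERATIONS = 200_000         # constructed; tune to your hardware budget
SALT_BYTES = 16


class SessionManager:
    """In-memory session store; a real site would back this with a database
    or cache, but the lifecycle rules are the same."""

    def __init__(self, clock=time.time):
        self._sessions = {}         # session id -> {"user": ..., "last_seen": ...}
        self._clock = clock

    def new_session(self, user=None):
        # 256 bits from the OS CSPRNG: not a counter, timestamp or user id.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        """Rotate the identifier on privilege change: whatever id the browser
        held before authenticating (possibly one set by a third party) is
        discarded, so it never becomes an authenticated session."""
        self._sessions.pop(old_sid, None)
        return self.new_session(user)

    def user_for(self, sid):
        """Resolve a presented id; idle sessions are dropped, not revived."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        # Invalidate server-side; clearing the cookie alone leaves the id usable.
        self._sessions.pop(sid, None)


def hash_password(password, salt=None):
    """Salted, iterated hash. The stored blob is salt || digest."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    sm = SessionManager()
    anon = sm.new_session()                 # pre-login session
    sid = sm.login(anon, "jobseeker@example.invalid")
    print("old id still valid?", sm.user_for(anon) is not None)   # False
    print("new id resolves to", sm.user_for(sid))
    sm.logout(sid)
    print("after logout:", sm.user_for(sid))                       # None
    stored = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", stored),
          verify_password("wrong", stored))
```

The questions a site owner should be asking map directly onto these functions: where does the session id come from, does it change at login, when does it die, what does logout actually invalidate, and how are passwords stored.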

Questions to ask:

Guest blog post by Dmitry Kulshitsky, Security Architect at SEEK.