What is OWASP? What are The Top 10 OWASP Vulnerabilities?
Here Are the Top 10 OWASP Vulnerabilities & the Ways to Prevent Them
OWASP is a community of several professionals where everyone is allowed to volunteer for participating and working to create documentation, tools, forums, and videos for application security. And, all these materials are available for free of cost along with open source license. The best example of OWASPs work is their top 10 project that produces vulnerabilities reports of their own called OWASP Top 10.
What’s OWASP Top 10?
Here’s the OWASP Top 10 report as per 2017, whereas 2020 is in progress.
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfigurations
- XSS (Cross-Site Scripting)
- Insecure Deserialization
- Using Components With Known Vulnerabilities
- Insufficient Logging & Monitoring
Some of the examples include the submission of SQL database code in a form where plaintext username was expected. If that form isn’t secured enough, it could result in the execution of that submitted SQL code, which is also known as a SQL injection attack.
2. Broken Authentication
However, some strategies can be applied like using 2-factor authentication (2FA), avoiding the usage of default login credentials, keeping strong passwords, session timeouts, random session ID. Limiting or delaying the repetitive login attempts through rate limiting, logging failed attempts.
3. Sensitive Data Exposure
4. XML External Entities (XXE)
However, it can be prevented, and one of the ways to do it is limiting web applications to accept less complex data formats like JSON, patching XML libraries, and parsers while disabling usage of external entities within an XML application.
5. Broken Access Control
However, attacks on such broken access control can be prevented with the use of authorization tokens along with tight controls on it, for example reusing access control verification in the entire application, minimum usage of cross-origin resource sharing (CORS). Denying other resources by default and maintaining logs about access control failures and alerting admins.
6. Security Misconfigurations
Though, DAST (Dynamic Application System Testing) can be used for detecting such misconfigurations. And, some of the ways through which you can prevent this attack is by the secure installation process, removing unnecessary and unused features or frameworks—patch installation, reviewing permissions and updating configurations.
7. XSS (Cross-Site Scripting)
One way to overcome such an issue is by not trusting HTTP requests sent through user-generated content, making use of modern web development frameworks such as Ruby on Rails.
8. Insecure Deserialization
Some of the ways to avoid such attacks are like not accepting serialized objects coming from untrusted sources, implementing integrity checks while enforcing strict constraints at the time of Deserialization, restricting network connectivity from servers that do Deserialization.
9. Using Components With Known Vulnerabilities
Attackers may try to look for vulnerabilities in such components, and if they find so, many websites will be open to this vulnerability, which can be exploited.
Some precautions that can be taken are like, using components from official sources and keeping it updated—removing unused components and monitoring sources if there’s any vulnerability in the used component.
10. Insufficient Logging & Monitoring
As a precautionary measure, OWASP suggests web developers implement logging and monitoring along with incident response plans so attacks can be detected as early as possible if it’s happening on their applications.