
What is OWASP? What are The Top 10 OWASP Vulnerabilities?

Here Are the Top 10 OWASP Vulnerabilities & the Ways to Prevent Them

OWASP (the Open Web Application Security Project) is a globally known non-profit organization devoted solely to web application security. Its main purpose is to offer all of its security-related material free of charge on its website so that others can improve the security of their web applications.

OWASP is a community of professionals in which anyone can volunteer to help create documentation, tools, forums, and videos on application security. All of this material is available free of charge under an open-source license. The best-known example of OWASP's work is its Top 10 project, which produces a report of the most critical web application vulnerabilities, called the OWASP Top 10.


What's the OWASP Top 10?

The OWASP Top 10 is a security report that is updated every three to four years. It lists the 10 most common application-related vulnerabilities together with the risks and impacts involved with each. The report is created by a team of security experts from around the globe. OWASP calls it an 'awareness document' and recommends that all companies incorporate it into their development process to minimize their security risks.

Here is the OWASP Top 10 list as of 2017; the 2020 edition is in progress.

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access Control
  • Security Misconfigurations
  • XSS (Cross-Site Scripting)
  • Insecure Deserialization
  • Using Components With Known Vulnerabilities
  • Insufficient Logging & Monitoring

1. Injection

From error messages to the leakage of sensitive information, injection is a flaw that can quickly go badly wrong, with outcomes that are disastrous and hard to recover from. An injection attack usually takes place when untrusted data, submitted through a form input or any other part of a web application that accepts data, is passed to a code interpreter as part of a command or query.

One example is the submission of SQL database code in a form field where a plaintext username was expected. If that input isn't properly handled, the submitted SQL code may be executed, which is known as a SQL injection attack.

Injection can be prevented by validating user-submitted data, that is, rejecting data that looks suspicious. A database administrator can also put controls in place that limit how much information remains exposed to an injection attack.

2. Broken Authentication

Broken authentication is as dangerous as injection. Here attackers target weaknesses in the authentication system, which can give them access to a user's account and the ability to change the information in it; if the account is an administrator's, the entire system can be compromised through it. For instance, an attacker can obtain a complete list of username and password combinations from a data breach and later run a script that tries all of those login details against a login system to see which of them still work.

However, several defensive strategies can be applied: using two-factor authentication (2FA), avoiding default login credentials, requiring strong passwords, enforcing session timeouts and random session IDs, limiting or delaying repeated login attempts through rate limiting, and logging failed attempts.
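Several of the measures listed above in one small login service, as an added example that is not code from the original article: salted password hashing, a failed-attempt lockout, random session IDs with a timeout, and an audit log of every attempt. The class name, thresholds and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

LOCKOUT_THRESHOLD = 5           # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60       # how long the lock lasts
SESSION_TTL_SECONDS = 30 * 60   # session timeout

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the behaviour can be tested
        self.users = {}             # username -> (salt, digest)
        self.failures = {}          # username -> (failed count, locked_until)
        self.sessions = {}          # session id -> (username, expires_at)
        self.audit_log = []         # every attempt is recorded for monitoring

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, remote_ip: str):
        """Returns a random session id on success, None otherwise."""
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            self.audit_log.append(f"login_blocked user={username} ip={remote_ip}")
            return None
        record = self.users.get(username)
        # Hash even for unknown users so timing does not reveal valid usernames
        salt, expected = record if record else hash_password("placeholder")
        _, actual = hash_password(password, salt)
        if record is None or not hmac.compare_digest(actual, expected):
            count += 1
            if count >= LOCKOUT_THRESHOLD:
                locked_until, count = now + LOCKOUT_SECONDS, 0
            self.failures[username] = (count, locked_until)
            self.audit_log.append(f"login_failed user={username} ip={remote_ip}")
            return None
        self.failures.pop(username, None)
        sid = secrets.token_urlsafe(32)   # unpredictable session id
        self.sessions[sid] = (username, now + SESSION_TTL_SECONDS)
        self.audit_log.append(f"login_ok user={username} ip={remote_ip}")
        return sid

    def current_user(self, sid: str):
        """Resolves a session id to a username, expiring stale sessions."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self.sessions[sid]
            return None
        return username
```

The lockout refuses even the correct password while the lock is active, which is what makes a credential-stuffing script stall instead of eventually hitting a valid pair. The audit log entries are the raw material for the monitoring the article calls for in its tenth item.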

3. Sensitive Data Exposure

As the name implies, sensitive data such as financial information, user login details, and health records gets compromised because it is handled in plaintext, and attackers take advantage of this by executing attacks such as MitM (Man-in-the-Middle) to steal data in transit.

Some preventive measures can be taken: processing, storing, or transmitting data according to its sensitivity with appropriate controls, enforcing encryption with standard algorithms and proper key management, avoiding unnecessary data storage, and disabling caching for responses that contain sensitive information.

4. XML External Entities (XXE)

This is an attack against a web application that parses XML input. The parsed input can reference an external entity in an attempt to exploit a weakness in the parser, and an external entity can point to resources such as files on the server's hard drive. Because an XML parser can be tricked into sending data to an unintended external party, it can also leak sensitive information to an attacker.

It can be prevented. Some of the ways are limiting web applications to simpler data formats such as JSON, patching XML libraries and parsers, and disabling the use of external entities in the XML parser.
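"Disabling external entities" in practice, as an added example that is not code from the original article: a wrapper around Python's standard-library parser that refuses any document carrying a DOCTYPE or entity declaration before the real parse runs, and caps the document size. The function and exception names are assumptions for the example; the sample documents are constructed, and the file path in the rejected one is a placeholder.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

class UnsafeXMLError(ValueError):
    """Raised for documents that try to use DTD features the application never needs."""

def _reject_dtd(data: bytes) -> None:
    """First pass with a bare expat parser whose handlers raise as soon as a
    DOCTYPE or entity declaration appears, so an external entity is never
    even defined, let alone resolved."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE not allowed (name={name!r})")

    def on_entity_decl(*args):
        raise UnsafeXMLError("entity declarations not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)   # handler exceptions propagate out of Parse

def parse_xml_safely(data: bytes, max_bytes: int = 1_000_000) -> ET.Element:
    """Parse untrusted XML with DTDs disallowed and a size limit applied."""
    if len(data) > max_bytes:
        raise UnsafeXMLError("document too large")
    _reject_dtd(data)
    return ET.fromstring(data)

if __name__ == "__main__":
    print(parse_xml_safely(b"<order><item>widget</item></order>").find("item").text)
    hostile = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
               b"<d>&ext;</d>")
    try:
        parse_xml_safely(hostile)
    except UnsafeXMLError as err:
        print("rejected:", err)
```

Rejecting every DTD is stricter than only blocking external entities, but an application that exchanges simple data documents has no legitimate need for one, and a blanket refusal also removes the entity-expansion tricks that rely on an internal subset.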

5. Broken Access Control

Access control is the mechanism that governs which functionality each user may use. Broken access control lets attackers bypass authorization and perform tasks as if they were privileged users, for example administrators. For instance, a web application may allow an attacker to switch to another user's account simply by changing part of a URL, without any verification.

Attacks on broken access control can be prevented by using authorization tokens and tightly controlling them, reusing the same access control verification throughout the application, minimizing the use of cross-origin resource sharing (CORS), denying access to other resources by default, logging access control failures, and alerting administrators when they occur.
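The "change the account id in the URL" flaw and its fix, as an added example that is not code from the original article: the vulnerable handler trusts the id, while the hardened handlers share one deny-by-default decorator that checks ownership or the admin role and logs every refusal. The account data, role table and function names are constructed for the example.

```python
from dataclasses import dataclass
from functools import wraps

class Forbidden(Exception):
    """Raised for any request that does not pass the authorization check."""

@dataclass
class Account:
    account_id: int
    owner: str
    balance: int

# Constructed sample data (not from the article)
ACCOUNTS = {1: Account(1, "alice", 500), 2: Account(2, "bob", 120)}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
AUDIT: list = []   # access-control failures, to be shipped to monitoring

def get_account_vulnerable(session_user: str, account_id: int) -> Account:
    # VULNERABLE: the id comes from the URL and is trusted as-is, so any logged-in
    # user can read any account just by editing the number.
    return ACCOUNTS[account_id]

def require_owner_or_admin(handler):
    """Deny by default: refuse unless the session user owns the account or holds
    the admin role. Wrapping every account handler keeps the check in one place."""
    @wraps(handler)
    def wrapper(session_user: str, account_id: int, *args, **kwargs):
        account = ACCOUNTS.get(account_id)
        allowed = account is not None and (
            account.owner == session_user or ROLES.get(session_user) == "admin"
        )
        if not allowed:
            AUDIT.append(f"access_denied user={session_user} account={account_id}")
            raise Forbidden("not allowed")   # same answer for missing and foreign ids
        return handler(session_user, account_id, *args, **kwargs)
    return wrapper

@require_owner_or_admin
def get_account(session_user: str, account_id: int) -> Account:
    return ACCOUNTS[account_id]

@require_owner_or_admin
def withdraw(session_user: str, account_id: int, amount: int) -> int:
    account = ACCOUNTS[account_id]
    if amount <= 0 or amount > account.balance:
        raise ValueError("invalid amount")
    account.balance -= amount
    return account.balance
```

Returning the same refusal for a non-existent account and for someone else's account means a probing client cannot use the difference to enumerate valid ids, and the audit list is what an alerting rule on repeated failures would consume.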

6. Security Misconfigurations

As the name implies, this refers to the improper implementation of the controls that keep application data safe. Misconfigurations such as verbose error messages that leak sensitive information, neglecting to upgrade systems, relying on default configurations, or not configuring security headers properly can all lead to this vulnerability.

DAST (Dynamic Application Security Testing) can be used to detect such misconfigurations. Some of the ways to prevent this attack are a secure installation process, removing unnecessary and unused features or frameworks, installing patches, reviewing permissions, and updating configurations.

7. XSS (Cross-Site Scripting)

Cross-site scripting (XSS) is no longer among the top 5 threats, and in 2017 it moved down to 7th place from 3rd. Still, it remains one of the most common vulnerabilities reported in the OWASP 2017 list.

Cross-site scripting usually occurs when someone manages to add custom code to a URL path or to a website that is viewed by other users. It is a vulnerability that can be exploited to run malicious script, such as JavaScript code, in the victim's browser.

For instance, an attacker may send a victim an email message that appears to come from a trusted bank. Once the victim clicks the link in that email, it may trigger malicious JavaScript code in their browser that can harm them by stealing session cookies or login credentials, or by delivering malware.

One way to overcome this issue is to treat user-generated content in HTTP requests as untrusted, and to use modern web development frameworks such as Ruby on Rails that escape output by default.
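What "escaping by default" actually does, as an added example that is not code from the original article: a comment-rendering function that concatenates user content into HTML beside one that escapes it, plus the two other contexts where plain escaping is not enough, an href attribute and data embedded in a script block. The function names and the sample strings are constructed for the example.

```python
import html
import json

def render_comment_vulnerable(author: str, body: str) -> str:
    # VULNERABLE: user-generated text is concatenated straight into the markup,
    # so a <script> tag in the comment body runs in every reader's browser.
    return f'<div class="comment"><b>{author}</b>: {body}</div>'

def render_comment(author: str, body: str) -> str:
    # HTML text context: escape <, >, & and quotes so the text is displayed, not parsed
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')

def render_profile_link(display_name: str, url: str) -> str:
    # Attribute context: escape with quotes, and additionally allow only http(s)
    # schemes so that a "javascript:" URL can never become a clickable link.
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return (f'<a href="{html.escape(url, quote=True)}">'
            f'{html.escape(display_name)}</a>')

def render_inline_data(obj) -> str:
    # Script context: JSON-encode, then replace "<" so a string containing
    # "</script>" cannot close the element early and start a new one.
    encoded = json.dumps(obj).replace("<", "\\u003c")
    return f"<script>window.__DATA__ = {encoded};</script>"

if __name__ == "__main__":
    payload = "<script>alert(1)</script>"   # the textbook test string
    print(render_comment_vulnerable("eve", payload))
    print(render_comment("eve", payload))
    print(render_profile_link("eve", "javascript:alert(1)"))
    print(render_inline_data({"bio": "</script>"}))
```

The point of the three contexts is that one escaping routine does not fit all of them: what is safe as element text can still break out of an attribute or a script block, which is why frameworks that escape automatically also provide context-specific helpers.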

8. Insecure Deserialization

This threat frequently targets web applications. It involves the serialization and deserialization of data. Serialization means taking objects from the application's code and converting them into another format that can be used for a different purpose, such as storing data to disk. Deserialization is the opposite: converting serialized data back into the original objects that the application can use. Insecure deserialization occurs when someone exploits the result of deserializing untrusted data. It commonly results in attacks such as DDoS attacks.

Some of the ways to avoid such attacks are not accepting serialized objects from untrusted sources, implementing integrity checks and enforcing strict type constraints during deserialization, and restricting network connectivity from servers that perform deserialization.
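The "integrity checks plus strict constraints" advice in code, as an added example that is not from the original article. Python's pickle is the classic format that reconstructs arbitrary objects from untrusted bytes; the example replaces it with a data-only format (JSON) carrying an HMAC tag, and the reader rejects anything whose signature, field set, size or field types deviate from an allow-listed schema. The key, schema and blob layout are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

class IntegrityError(ValueError):
    """Raised when a blob fails the signature, size or schema check."""

# Hypothetical server-side key; a real deployment loads it from a secrets store
SECRET_KEY = secrets.token_bytes(32)

# Strict constraints: exactly these fields, exactly these types
SCHEMA = {"user_id": int, "theme": str}

def serialize(obj: dict, key: bytes = SECRET_KEY) -> bytes:
    """JSON (data only, no object graph) with an HMAC-SHA256 tag prepended."""
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return tag + b"." + payload

def deserialize(blob: bytes, key: bytes = SECRET_KEY, max_len: int = 4096) -> dict:
    """Verify first, parse second, then enforce the schema before returning."""
    if len(blob) > max_len:
        raise IntegrityError("blob too large")
    tag, sep, payload = blob.partition(b".")
    if not sep:
        raise IntegrityError("malformed blob")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("bad signature")   # tampered, or signed with another key
    obj = json.loads(payload)
    if not isinstance(obj, dict) or set(obj) != set(SCHEMA):
        raise IntegrityError("unexpected fields")
    for field, typ in SCHEMA.items():
        if type(obj[field]) is not typ:          # exact type; bool is not accepted as int
            raise IntegrityError(f"bad type for {field}")
    return obj

if __name__ == "__main__":
    blob = serialize({"user_id": 7, "theme": "dark"})
    print(deserialize(blob))
    try:
        deserialize(blob.replace(b'"user_id":7', b'"user_id":1'))
    except IntegrityError as err:
        print("rejected:", err)
```

The order matters: the signature is checked before the payload is parsed, so a client cannot feed the parser anything the server did not itself produce, and the size limit stops oversized blobs before any work is spent on them.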

9. Using Components With Known Vulnerabilities

Modern web developers use components, such as frameworks and libraries, within their web applications. Components are simply pieces of software that provide common functionality so developers can avoid redundant work. Examples include front-end frameworks such as React and small libraries that are often used to add share icons or A/B testing.

Attackers look for vulnerabilities in such components, and when they find one, every website using that component becomes exposed to it.

Some precautions that can be taken are using components only from official sources and keeping them updated, removing unused components, and monitoring vulnerability sources for any issue in the components in use.

10. Insufficient Logging & Monitoring

Many web applications do not take sufficient steps to detect data breaches early. On average, a data breach within an organization is discovered only after about 6 months, which is more than enough time for an attacker to cause damage that leads to huge losses.

As a precautionary measure, OWASP suggests that web developers implement logging and monitoring along with incident response plans, so that attacks on their applications can be detected as early as possible.

Summary

The top 10 OWASP vulnerabilities are attacks that keep repeating year after year. Web developers should take them as a lesson in which mistakes to avoid when writing web application code. The right mindset at the security management level is needed so that functionality is never added at the cost of security.
