What is OWASP and OWASP Top Ten?
Welcome to Secumantra! In this post, we will learn what OWASP is and what it offers. Since this blog is mainly about web application security, let’s get familiar with OWASP and the OWASP Top Ten. We will refer back to it frequently over the next few posts and discuss the related topics.
OWASP and OWASP Top 10
The Open Web Application Security Project (OWASP) is one of the most respected authorities in the field of web application security. As the name implies, it is an open source project and an international non-profit organization with the goal of improving web application security.
The OWASP Foundation works to improve the security of web applications through its community-led open source software projects, tools, methodologies, forums and conferences. It is technology agnostic and not focused on any particular platform or technology. The OWASP Top 10 is one of the most popular OWASP projects. Another example is OWASP ZAP (a web application scanner), which we will cover in a separate post.
The OWASP Top Ten is a list of the 10 most common web application vulnerabilities found in recent years and the best-known OWASP resource so far. The OWASP Foundation and a team of security experts from all over the world regularly release a report focusing on these 10 critical security risks; the current version is the 2017 edition.
This document is globally recognized by companies as the first step towards making their web applications more secure. For each of these security vulnerabilities, the OWASP Top Ten describes the related threat agents, impacts and mitigation strategies.
Since web application vulnerability risk changes (becoming more or less critical) over time, the OWASP Top Ten List is periodically updated to reflect these changes. Here is the list of security risks reported in the OWASP Top 10 2017 edition:
Note: Don’t worry if you are not familiar with some, or even all, of the vulnerabilities mentioned below. We will discuss each of them in detail over the next few posts.
1. Injection
An injection attack happens when untrusted data is sent to an interpreter as part of a command or query, with the intention of making the application do something it was not supposed to do. Injection flaws include SQL, NoSQL, OS command and LDAP injection; SQL injection is the most widespread form and the one most often discussed.
The attacker’s primary goal here is to find a way to run their own code or queries on your web server, which can expose valuable confidential data or corrupt the data on the server.
Anything that accepts parameters as input can potentially be vulnerable to an injection attack, so validating and/or sanitizing user-submitted data helps to avoid such risks.
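To make the "data becomes part of the command" point concrete, here is an added example (not code from the original post) in Python with the built-in sqlite3 module: the same lookup written by pasting the input into the query text, and then as a parameterized query where the input can only ever be a value. The table, users and input string are constructed for the demonstration.

```python
import sqlite3

def build_db():
    # Constructed in-memory database with two sample users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn

def lookup_user_vulnerable(conn, username):
    # Untrusted input is pasted into the query text, so the interpreter
    # (SQLite here) cannot tell where the data ends and the SQL begins.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_user_safe(conn, username):
    # Parameterized query: the value travels separately from the statement
    # and is always compared as a literal, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Constructed input whose quote character changes the meaning of the query.
PAYLOAD = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print(lookup_user_vulnerable(db, PAYLOAD))  # every user is returned
    print(lookup_user_safe(db, PAYLOAD))        # no user matches this string
```

The vulnerable version returns every row because the input rewrote the WHERE clause; the parameterized version returns nothing because no username literally equals the input string.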
For more details, visit this post.
2. Broken Authentication
While you use a web application, the browser communicates with the web server by sending and receiving messages over HTTP. HTTP is a stateless protocol, meaning the server doesn’t remember who you are between requests. But web applications almost always need to associate incoming messages with a particular user, which forces them to implement their own state management.
Generally this is done by generating a unique token (called a session identifier) for each user and associating the user’s data with this token. Each subsequent request includes the token, which is used to identify the user so that the corresponding data can be served.
Broken authentication is a vulnerability present in such authentication and session management systems. If implemented incorrectly, it allows attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. It can give attackers access to user accounts and even the ability to compromise an entire system using an admin account.
For more details, visit this post.
3. Sensitive Data Exposure
Web applications and APIs may not properly protect sensitive data such as login credentials, credit card information or medical records. Attackers can steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. This risk is called sensitive data exposure and is one of the important vulnerabilities in the OWASP Top Ten 2017.
It is important for a company to protect users’ information and to comply with local privacy laws. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser, such as disabling caching.
For more details, visit this post.
4. XML External Entities (XXE)
An XML External Entities (XXE) attack is an attack against an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
It is better to avoid such complex input formats and use something simpler like JSON where possible. Static application security testing (SAST) can also be used to discover such issues.
For more details, visit this post.
5. Broken Access Control
Access control is the mechanism that controls access to information or application features based on different user roles, such as a guest, a normal user or an admin. It is also called authorization.
Improperly configured or missing restrictions on authenticated users allow them to access unauthorized functionality or data, such as accessing other users’ accounts, viewing sensitive documents, and modifying data and access rights.
Web applications need to implement role-based access control appropriate to how critical the information being handled is. Penetration testing can also help find broken access control vulnerabilities.
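The "accessing other users’ accounts" case above is usually a missing check on the object being requested rather than on the login itself. The following is an added Python example (not from the original post) with a constructed document store: one handler that only verifies the caller is logged in, beside one that also verifies ownership or the admin role. It assumes the user name and role are taken from the server-side session, never from the request.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""

@dataclass
class Document:
    doc_id: int
    owner: str
    body: str

# Constructed sample store: two users, each owning one document.
DOCS = {
    101: Document(101, "alice", "alice's private notes"),
    102: Document(102, "bob", "bob's private notes"),
}

def get_document_broken(doc_id, current_user):
    # Checks only that the caller is logged in, not that the document is
    # theirs: any authenticated user can read any document by trying ids.
    if current_user is None:
        raise Forbidden("login required")
    return DOCS[doc_id].body

def get_document_checked(doc_id, current_user, role="user"):
    # Authorization on the object itself: the caller must own the document
    # (or hold the admin role, assumed here to come from the session);
    # everything else is denied by default.
    if current_user is None:
        raise Forbidden("login required")
    doc = DOCS.get(doc_id)
    if doc is None or (doc.owner != current_user and role != "admin"):
        # Same response for "missing" and "not yours", so valid ids
        # cannot be distinguished from invalid ones.
        raise Forbidden("not found or not permitted")
    return doc.body
```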
For more details, visit this post.
6. Security Misconfiguration
Security misconfiguration is the most common vulnerability. This is commonly a result of insecure default configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must also be patched and upgraded in a timely fashion. Removing unused features, making error messages more generic, and dynamic application security testing (DAST) can help mitigate this risk.
For more details, visit this post.
7. Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is one of the most widespread vulnerabilities and affects many web applications. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions or redirect the user to malicious sites.
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. Escaping untrusted HTTP request data, as well as validating and/or sanitizing user-generated content, helps avoid this risk. Many modern web development frameworks also provide some built-in cross-site scripting protection.
For more details, visit this post.
8. Insecure Deserialization
Insecure deserialization affects web applications that serialize and deserialize data: deserializing data from untrusted sources may lead to remote code execution.
Insecure deserialization flaws can enable an attacker to execute code in the application remotely, tamper with or delete serialized objects (those written to disk), conduct injection attacks, and elevate privileges.
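Why deserialization can turn into code execution is easiest to see with a format that can name arbitrary classes and functions. The following is an added Python example (not from the original post) using the standard pickle module: a pickle stream that merely names a function is refused by an Unpickler with an allow-list, and, as the preferred fix, the same session data is carried in JSON with a structure check. The sample streams and the allowed-key set are constructed for the demonstration.

```python
import builtins
import io
import json
import os
import pickle

# Allow-list of globals an untrusted pickle stream may reference; anything
# else is refused by name before any object is constructed.
SAFE_BUILTINS = {"range", "slice", "complex", "set", "frozenset"}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # pickle calls this hook to resolve every class or function the
        # stream names; the default implementation imports anything.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def safe_loads_json(data: bytes, allowed_keys=frozenset({"user", "cart"})):
    # Preferred fix: a data-only format plus a structure check. JSON has no
    # way to name a class, so there is nothing for the parser to execute.
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) - allowed_keys:
        raise ValueError("unexpected structure")
    return obj

# Constructed sample streams: a harmless session dict, and a stream that
# merely names a function outside the allow-list (pickle stores functions
# by module and name, so a plain load would import and return it).
BENIGN = pickle.dumps({"user": "alice", "cart": [1, 2, 3]})
SUSPICIOUS = pickle.dumps(os.getcwd)

def demo():
    session = restricted_loads(BENIGN)
    try:
        restricted_loads(SUSPICIOUS)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return session, blocked
```

The allow-list approach only limits which names the stream may resolve; moving untrusted input to a data-only format such as JSON removes the problem rather than fencing it.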
For more details, visit this post.
9. Using Components With Known Vulnerabilities
Many web applications use open source or third-party components today. Components such as libraries or frameworks run with the same privileges as the application, so if a vulnerable component is exploited, the attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
To avoid this risk, we should use only the components we actually need, and only from trusted sources. Always keep these components up to date and apply the suggested patches.
For more details, visit this post.
10. Insufficient Logging And Monitoring
Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
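Logging only helps if something reads the logs and raises an alert. As an added example (not from the original post), here is a small Python detector run over a constructed authentication log: it parses the lines, counts failures per source address in a sliding one-minute window, and reports which accounts were tried. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an application's authentication log (not real data).
LOG = """\
2024-05-01T10:00:01 auth FAILED user=alice src=203.0.113.5
2024-05-01T10:00:03 auth FAILED user=alice src=203.0.113.5
2024-05-01T10:00:04 auth FAILED user=bob src=203.0.113.5
2024-05-01T10:00:06 auth FAILED user=carol src=203.0.113.5
2024-05-01T10:00:07 auth FAILED user=dave src=203.0.113.5
2024-05-01T10:00:09 auth OK user=alice src=198.51.100.7
2024-05-01T10:20:00 auth FAILED user=bob src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    # Turn raw lines into events. Lines that do not match are counted rather
    # than silently dropped: a rise in unparsed lines is itself a signal.
    events, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events, unparsed

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    # Per source address, look for `threshold` or more failures inside any
    # `window`-long span and report which accounts were tried.
    failures_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            failures_by_src[e["src"]].append(e)
    alerts = {}
    for src, fails in failures_by_src.items():
        for i, first in enumerate(fails):
            recent = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(recent) >= threshold:
                alerts[src] = sorted({f["user"] for f in recent})
                break
    return alerts
```

Many distinct accounts with one or two attempts each from one source is the password-spraying pattern, which is why the alert carries the account list and not just a count.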
For more details, visit this post.
Before we discuss each of these vulnerabilities in detail, we will take a brief look at OWASP Application Security Risk and the Risk Rating Methodology.
Changes To OWASP Top 10
Some vulnerabilities that were part of the previous edition are no longer on the list. For example, CSRF, which was present in the 2013 edition, is now retired: many frameworks protect against CSRF by default, and very few applications are vulnerable to it now. Although it is no longer in the top ten, older applications can still be vulnerable to such risks.
In general, there have been many changes in development, and a lot of modern JavaScript frameworks have come into existence, so a lot of code now runs on the client side and we need to make it secure. Another change is that many applications are moving completely from on-prem to the cloud with the help of offerings like AWS, Azure or Google Cloud. This is why the Top 10 list gets updated periodically, and it is a good thing!
Conclusion
The OWASP Foundation is one of the most respected authorities in the field of web application security, and it periodically releases the OWASP Top Ten List of the most common security vulnerabilities. All companies should adopt this report as a starting point and ensure they mitigate these risks as a minimum security measure.
The OWASP Top Ten List is very widely referenced and security professionals regularly use it as a reference point. So you should be familiar with these vulnerabilities and the underlying causes. Remember security in the cloud is everyone’s responsibility and we know there is no silver bullet!
Thank you for reading. Stay Safe, Stay Secure!
If you find any error or have a suggestion, please feel free to drop an email at [email protected].