OWASP Top 10 Vulnerabilities | Security Compass

The OWASP Top 10 (Open Web Application Security Project) focuses on security concerns for web applications. Put together by a team of cybersecurity experts from around the world, the OWASP Top 10 documents the 10 most critical issues affecting web security each year.

The aim of the project is to raise organizations’ and individuals’ awareness about current, pervasive threats to web applications. This enables them to improve processes, elaborate on security protocols, and mitigate risks.

Here’s a brief breakdown of the issues that made it into the OWASP Top 10–2017 list.

1. Injection

These attacks occur when the hacker sends untrusted data to a web application through a data submission channel, such as form input. The data input causes the web application to execute unintended commands.

For instance, a hacker can submit SQL database code into a data submission channel that is expecting a username in plain text. If the form input is insecure, the web application will execute the SQL code. Examples of injections include:

  • LDAP queries.
  • PHP queries.
  • SQL queries.
  • OS commands.

2. Broken Authentication

This occurs when vulnerabilities in the web application’s authentication system are exploited, giving attackers access to user or admin accounts. In some cases, the web application mismanages session-related information, enabling hackers to compromise the user’s identity.

This information could be in the form of secret keys, passwords, session cookies, or others.

3. Sensitive Data Exposure

If a web application doesn’t provide adequate security for sensitive data, attackers could modify or sniff out the data and use it for their own purposes. For instance, applications that use weak Transport Layer Security (TLS) or weak encryption keys are susceptible to man-in-the-middle attacks.

The exposure of sensitive data can be mitigated by encrypting all sensitive data, disabling caching of responses with sensitive data, and using secure protocols and algorithms.

4. XML External Entities (XEE)

These kinds of attacks are carried out against web applications that parse XML inputs. A web application that is vulnerable to XXE attacks will allow the upload of malicious XML. The XML code looks to exploit vulnerabilities in the parser or its dependencies by referencing an external entity.

The malicious code could execute a request for sensitive data to be sent to the unauthorized external entity, which then passes the data on to the attacker.

5. Broken Access Control

A broken access control allows attackers to bypass authorization protocols and execute tasks as if they were users with admin rights and privileges. In many instances, developers do not restrict user privileges on the server side; they do so only the UI side.

Attackers can exploit such a vulnerability and get access to directories, databases, restricted pages, and the like.

6. Security Misconfiguration

One of the most common vulnerabilities on this list, security misconfiguration, occurs when an application uses default configurations or encounters an issue and displays overly-descriptive error messages to the user.

Such messages could reveal the application’s vulnerabilities to hackers, enabling them to prepare more malicious, customized attacks. Examples of security misconfiguration include:

  • default error messages.
  • default directories.
  • default scripts stored on servers.
  • default passwords.
  • weak passwords, etc.

7. Cross-Site Scripting

This occurs when a web application allows users to insert custom code into a web page or URL path. Attackers exploit such vulnerabilities to run malicious JavaScripts on the victim’s browser, enabling it to steal data, deface websites, etc. There are three types of XSS:

  • DOM-based.
  • Stored.
  • Reflected.

For instance, attackers (posing as a bank) can send phishing emails to victims. The email will contain a link to the bank’s official website with Javascript code tagged on to its end. If the site has no protection against cross-site scripting, the malicious code is run on the victim’s browser, enabling attackers to steal sensitive information.

8. Insecure Deserialization

This targets web applications that often serialize and deserialize data. An insecure deserialization exploit is caused by deserializing data from untrusted sources, resulting in remote code execution attacks and DDoS attacks.

Although implementing type checks and monitoring deserialization is advised, the only sure method of preventing this form of attack is prohibiting the deserialization of data from untrusted sources.

9. Using Components with Known Vulnerabilities

In order to provide needed functionality and avoid redundant work, most web developers use various components such as coding/network frameworks, vulnerable functions, and libraries when building web applications.

Attackers constantly search for vulnerabilities within these components, which they can exploit to launch an attack.

Some of the components with known vulnerabilities include:

  • Vulnerable jQuery version.
  • Unpatched Windows.
  • Outdated kernel version — Linux.
  • Use of vulnerable PHP version.

10. Insufficient Logging and Monitoring

Measures for detecting data breaches within web applications are still below par. The average time taken by developers to detect a breach is 200 days after the fact. This is a lot of time for attackers to cause damage before the implementation of protective countermeasures.

As such, OWASP advises developers to implement logging, monitoring, and incident response plans to ensure the early detection of attacks.

This list assists organizations in pinpointing possible vulnerabilities in their web security. The OWASP Top 10 should serve as a benchmark for application security testing. With the recent advances and improvements made to Agile methodologies, writing software, testing suites, and security protocols, developers already have the tools to ensure that the security risks listed on the OWASP Top 10 are adequately and permanently addressed.

Previous Article
Security Compass Named a 2019 TAG Cyber Distinguished Vendor
Security Compass Named a 2019 TAG Cyber Distinguished Vendor

Security Compass is proud to announce its designation as a Distinguished Vendor in this year’s 2019 TAG Cyb...

Next Article
SD Elements Expands its Support for Operational Security
SD Elements Expands its Support for Operational Security

Our expert platform has now been expanded to support operational security.

Find out how our solution builds security and compliance into software.

Free Demo