Open Web Application Security Project Top 10

September 10, 2018

The OWASP Top 10 (Open Web Application Security Project) focuses on security concerns for web applications. Put together by a team of cybersecurity experts from around the world, the OWASP Top 10 documents the 10 most critical issues affecting web security each year.

The aim of the project is to raise organizations’ and individuals’ awareness about current, pervasive threats to web applications. This enables them to improve processes, elaborate on security protocols, and mitigate risks.

Here’s a brief breakdown of the issues that made it into the OWASP Top 10–2017 list.

1. Injection

These attacks occur when the hacker sends untrusted data to a web application through a data submission channel, such as form input. The data input causes the web application to execute unintended commands.

For instance, a hacker can submit SQL database code into a data submission channel that is expecting a username in plain text. If the form input is insecure, the web application will execute the SQL code. Examples of injections include:

  • LDAP queries.
  • PHP queries.
  • SQL queries.
  • OS commands.

2. Broken Authentication

This occurs when vulnerabilities in the web application’s authentication system are exploited, giving attackers access to user or admin accounts. In some cases, the web application mismanages session-related information, enabling hackers to compromise the user’s identity.

This information could be in the form of secret keys, passwords, session cookies, or others.

3. Sensitive Data Exposure

If a web application doesn’t provide adequate security for sensitive data, attackers could modify or sniff out the data and use it for their own purposes. For instance, applications that use weak Transport Layer Security (TLS) or weak encryption keys are susceptible to man-in-the-middle attacks.

The exposure of sensitive data can be mitigated by encrypting all sensitive data, disabling caching of responses with sensitive data, and using secure protocols and algorithms.

4. XML External Entities (XEE)

These kinds of attacks are carried out against web applications that parse XML inputs. A web application that is vulnerable to XXE attacks will allow the upload of malicious XML. The XML code looks to exploit vulnerabilities in the parser or its dependencies by referencing an external entity.

The malicious code could execute a request for sensitive data to be sent to the unauthorized external entity, which then passes the data on to the attacker.

5. Broken Access Control

A broken access control allows attackers to bypass authorization protocols and execute tasks as if they were users with admin rights and privileges. In many instances, developers do not restrict user privileges on the server side; they do so only the UI side.

Attackers can exploit such a vulnerability and get access to directories, databases, restricted pages, and the like.

6. Security Misconfiguration

One of the most common vulnerabilities on this list, security misconfiguration, occurs when an application uses default configurations or encounters an issue and displays overly-descriptive error messages to the user.

Such messages could reveal the application’s vulnerabilities to hackers, enabling them to prepare more malicious, customized attacks. Examples of security misconfiguration include:

  • default error messages.
  • default directories.
  • default scripts stored on servers.
  • default passwords.
  • weak passwords, etc.

7. Cross-Site Scripting

This occurs when a web application allows users to insert custom code into a web page or URL path. Attackers exploit such vulnerabilities to run malicious JavaScripts on the victim’s browser, enabling it to steal data, deface websites, etc. There are three types of XSS:

  • DOM-based.
  • Stored.
  • Reflected.

For instance, attackers (posing as a bank) can send phishing emails to victims. The email will contain a link to the bank’s official website with Javascript code tagged on to its end. If the site has no protection against cross-site scripting, the malicious code is run on the victim’s browser, enabling attackers to steal sensitive information.

8. Insecure Deserialization

This targets web applications that often serialize and deserialize data. An insecure deserialization exploit is caused by deserializing data from untrusted sources, resulting in remote code execution attacks and DDoS attacks.

Although implementing type checks and monitoring deserialization is advised, the only sure method of preventing this form of attack is prohibiting the deserialization of data from untrusted sources.

9. Using Components with Known Vulnerabilities

In order to provide needed functionality and avoid redundant work, most web developers use various components such as coding/network frameworks, vulnerable functions, and libraries when building web applications.

Attackers constantly search for vulnerabilities within these components, which they can exploit to launch an attack.

Some of the components with known vulnerabilities include:

  • Vulnerable jQuery version.
  • Unpatched Windows.
  • Outdated kernel version — Linux.
  • Use of vulnerable PHP version.

10. Insufficient Logging and Monitoring

Measures for detecting data breaches within web applications are still below par. The average time taken by developers to detect a breach is 200 days after the fact. This is a lot of time for attackers to cause damage before the implementation of protective countermeasures.

As such, OWASP advises developers to implement logging, monitoring, and incident response plans to ensure the early detection of attacks.

This list assists organizations in pinpointing possible vulnerabilities in their web security. The OWASP Top 10 should serve as a benchmark for application security testing. With the recent advances and improvements made to Agile methodologies, writing software, testing suites, and security protocols, developers already have the tools to ensure that the security risks listed on the OWASP Top 10 are adequately and permanently addressed.

How Security Compass can help you

Our award-winning policy-to-execution platform, SD Elements, helps clients to embed compliance and security controls into software, early on during their software development lifecycle.

We’ve updated SD Elements’ content database to cover the 2017 OWASP Top Ten. Our platform continuously checks against OWASP’s Top Ten list as well as other known software security vulnerabilities to automatically determine the privacy and security risks that your application is susceptible to.

We also offer a course which contains embedded training for OWASP Top 10 vulnerabilities, enabling your developers to learn exploits and suitable defenses.

Learn more about SD Elements here.

 

Previous Article
3 Reasons Why a One-size Fits all Secure SDLC Solution Won’t Work
3 Reasons Why a One-size Fits all Secure SDLC Solution Won’t Work

3 Reasons Why a One-size Fits all Secure SDLC Solution Won’t Work When we ask security contacts at our ente...

Next Article
How to Automatically Verify Security Requirements: SD Elements & Fortify Integration
How to Automatically Verify Security Requirements: SD Elements & Fortify Integration

We’re excited about our integration with Fortify. It follows on our recent Veracode integration. With these...