OWASP TOP 10

OWASP stands for Open Web Application Security Project. It is a non-profit organization that works on improving the security of software. It publishes, free of charge, a report outlining security concerns for web applications, focusing on the ten most critical risks.

The OWASP Top 10 2017 report lists them as follows:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross Site Scripting
  8. Insecure Deserialization
  9. Using components with known vulnerabilities
  10. Insufficient logging and monitoring

Injection

This flaw occurs when untrusted data supplied by an end user is sent to an interpreter as part of a query. For example, someone enters SQL syntax in the name input field and the application throws an error related to that SQL query, which shows that the input reached the database as part of the statement. This is called SQL injection.
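The following added example (not code from the original post) shows the name lookup described above in both forms: a string-built query that lets a quote or an OR clause become part of the SQL, and a parameterized query in which the same input can only ever be a name. The in-memory sqlite table is constructed for the demonstration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory user table standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The untrusted value is spliced into the statement text, so the SQL
    # interpreter treats quotes and keywords typed by the user as SQL.
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the value travels separately from the statement,
    # so whatever the user typed stays data and can only match a name.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def lookup(name: str, safe: bool) -> list:
    conn = make_db()
    return find_user_safe(conn, name) if safe else find_user_vulnerable(conn, name)

def leaked_error(name: str) -> str:
    """The symptom described above: a stray quote in a name field makes the
    vulnerable lookup surface a database error (empty string when it does not)."""
    try:
        find_user_vulnerable(make_db(), name)
        return ""
    except sqlite3.OperationalError as exc:
        return str(exc)
```

In production the leaked error text should also be replaced by a generic message and logged server-side, since the verbose error is what tells a tester the field is injectable.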

Broken Authentication

Vulnerabilities in authentication mechanisms can give attackers the privileges of a high-level user such as an admin, which can lead to account compromise and even a data breach. For example, an attacker can take a list containing thousands of known username/password combinations obtained during a data breach and use it to brute-force their way into the system.

Sensitive Data Exposure

If web applications don’t protect sensitive data such as financial information and passwords, attackers can gain access to that data and utilize it for attacking purposes.

For example, pages like robots.txt that contain data related to credentials are sometimes made publicly available.

XML External Entities (XXE)

This is an attack against a web application that parses XML input. The input can reference an external entity, attempting to exploit a vulnerability in the parser. An ‘external entity’ in this context refers to a storage unit outside the document itself, such as a hard drive. An XML parser can be duped into sending data to an unauthorized external entity, which can pass sensitive data directly to an attacker.

The best ways to prevent XXE attacks are to have web applications accept a less complex type of data, such as JSON, or at the very least to patch XML parsers and disable the use of external entities in the XML application.
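As an added example of the "disable external entities" advice (not code from the original post), this parser built on Python's standard expat bindings aborts as soon as an untrusted document declares a DOCTYPE or an entity, so an entity pointing at a file or URL is never resolved. The two documents are constructed for the demonstration and the secret file path is a placeholder.

```python
import xml.parsers.expat as expat

class UnsafeXML(Exception):
    """Raised when a document tries to declare a DTD or entities."""

def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source and return {element: text}.
    Any DOCTYPE or entity declaration aborts parsing, so the document cannot
    define an external entity that points at a file or a URL."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{name}' is not allowed in untrusted input")

    def forbid_entity(name, *_):
        raise UnsafeXML(f"entity declaration '{name}' is not allowed")

    def forbid_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference to {system_id} blocked")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external_ref

    result, stack = {}, []
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()

    def text(chunk):
        # expat may deliver text in several chunks; concatenate per element.
        if stack and chunk.strip():
            result[stack[-1]] = result.get(stack[-1], "") + chunk.strip()
    parser.CharacterDataHandler = text

    parser.Parse(data, True)
    return result

def is_safe_document(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False

# Constructed inputs: a plain order, and one carrying an external entity
# that would make a permissive parser read a file off the server's disk.
BENIGN = b"<order><item>widget</item><qty>3</qty></order>"
XXE_DOC = (b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY secret SYSTEM '
           b'"file:///placeholder/path/to/secret-file">]><order><item>&secret;</item></order>')
```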

XML or Extensible Markup Language is a markup language intended to be both human-readable and machine-readable. Due to its complexity and security vulnerabilities, it is now being phased out of use in many web applications.

JavaScript Object Notation (JSON) is a type of simple, human-readable notation often used to transmit data over the internet. Although it was originally created for JavaScript, JSON is language-agnostic and can be interpreted by many different programming languages.

Broken Access Control

Access control refers to a system that controls access to information or functionality. Broken access controls allow attackers to bypass authorization and perform tasks as though they were privileged users such as administrators. For example, a web application could allow a user to change which account they are logged in as simply by changing part of a URL, without any other verification.
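An added example (not code from the original post) of the URL case just described: the vulnerable handler shows whichever account id appears in the query string, while the hardened handler only returns a record the session's user owns. The account store, user ids and URL shape are constructed for the demonstration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed account store: account id -> (owner user id, balance).
ACCOUNTS = {101: ("u-alice", 2500), 102: ("u-bob", 40)}

def requested_account_id(url: str):
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs.get("id", [""])[0])
    except ValueError:
        return None

def view_account_vulnerable(url: str, session_user: str) -> tuple:
    # The account shown is taken straight from the URL; the logged-in user
    # is never compared with the account's owner, so editing "id=" is enough.
    acct = requested_account_id(url)
    if acct not in ACCOUNTS:
        return 404, None
    return 200, ACCOUNTS[acct][1]

def view_account_safe(url: str, session_user: str) -> tuple:
    # Authorization is enforced server-side on every request: the record is
    # returned only when the session's user owns it. Answering 404 rather than
    # 403 avoids confirming that someone else's account id exists.
    acct = requested_account_id(url)
    if acct not in ACCOUNTS or ACCOUNTS[acct][0] != session_user:
        return 404, None
    return 200, ACCOUNTS[acct][1]
```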

Security Misconfiguration

Security misconfiguration is the most common weakness on the list, and is frequently the result of using default configurations or displaying excessively verbose errors. For example, an application could show a user overly detailed error messages which may reveal weaknesses in the application. This can be mitigated by removing any unused features from the code and ensuring that error messages are more generic.

Cross-Site Scripting (XSS)

Cross-site scripting vulnerabilities occur when web applications allow users to add custom code into a URL path or onto a website that will be seen by other users. This vulnerability can be exploited to run malicious JavaScript code on a victim’s browser. For example, an attacker could send an email to a victim that appears to be from a trusted bank, with a link to that bank’s website. This link could have some malicious JavaScript code tagged onto the end of the URL. If the bank’s site is not properly protected against cross-site scripting, then that malicious code will be run in the victim’s web browser when they click on the link.
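An added example (not code from the original post) of why "not properly protected" comes down to output handling: the first renderer drops a user-supplied value into the page as-is, the second HTML-encodes it, and the third handles the link case from the paragraph, where an attacker-controlled href needs a scheme check on top of encoding. The page fragments are constructed for the demonstration.

```python
import html
import re

def render_greeting_vulnerable(name: str) -> str:
    # Raw user input is placed straight into the HTML, so markup or script
    # carried in the value becomes part of the page other users see.
    return f"<p>Welcome back, {name}!</p>"

def render_greeting_safe(name: str) -> str:
    # Encoding the HTML-significant characters (< > & " ') turns the value
    # into inert text inside an element body.
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"

def render_link_safe(url: str) -> str:
    # Attribute context needs more than encoding: a link whose target the
    # attacker controls can still execute script through a javascript: URL,
    # so only http(s) targets are accepted and everything else is neutralised.
    if not re.fullmatch(r"https?://[^\s\"'<>]+", url):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">account</a>'

def contains_active_content(fragment: str) -> bool:
    """Crude detector used to check rendered output: an unescaped script tag,
    a javascript: scheme, or an inline event handler attribute."""
    return bool(re.search(r"<script|javascript:|\son\w+=", fragment, re.I))
```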

Insecure Deserialization

This threat targets the many web applications which frequently serialize and deserialize data. Serialization means taking objects from the application code and converting them into a format that can be used for another purpose, such as storing the data to disk or streaming it. Deserialization is just the opposite: converting serialized data back into objects the application can use.

Serialization is sort of like packing furniture away into boxes before a move, and deserialization is like unpacking the boxes and assembling the furniture after the move. An insecure deserialization attack is like having the movers tamper with the contents of the boxes before they are unpacked.
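An added example (not code from the original post) that makes the "tampered boxes" concrete in Python: a pickle can name a callable that runs during unpacking, so the hardening is either a restricted unpickler that refuses every global outside a short allowlist, or, better, a data-only format such as JSON plus explicit validation. The TamperedBox class, session shape and blobs are constructed for the demonstration; the callable it smuggles in is harmless (str.upper).

```python
import io
import json
import pickle

SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple", "str", "int",
                 "float", "bool", "bytes"}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global except a short allowlist of builtins,
    so a tampered pickle cannot make deserialization call arbitrary code."""
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(__import__("builtins"), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def plain_load(blob: bytes):
    return pickle.loads(blob)           # trusts the box completely

def safely_load(blob: bytes) -> tuple:
    try:
        return True, RestrictedUnpickler(io.BytesIO(blob)).load()
    except (pickle.UnpicklingError, AttributeError, ImportError) as exc:
        return False, str(exc)

class TamperedBox:
    """Constructed stand-in for a box the movers tampered with: unpickling it
    invokes whatever callable and arguments the sender chose. str.upper is
    harmless, but the same mechanism reaches any importable function."""
    def __reduce__(self):
        return (str.upper, ("moved by unpickle",))

def benign_blob() -> bytes:
    return pickle.dumps({"user_id": 7, "role": "user"})

def tampered_blob() -> bytes:
    return pickle.dumps(TamperedBox())

def load_session_json(raw: str) -> dict:
    """Preferred: a data-only format plus explicit checks on every field."""
    obj = json.loads(raw)
    if not isinstance(obj, dict) or not isinstance(obj.get("user_id"), int):
        raise ValueError("session payload has unexpected shape")
    return {"user_id": obj["user_id"], "role": str(obj.get("role", "user"))}
```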

Using Components With Known Vulnerabilities

Many modern web developers use components such as libraries and frameworks in their web applications. These components are pieces of software that help developers avoid redundant work and provide needed functionality; common examples include front-end frameworks like React and smaller libraries used to add share icons or A/B testing. Some attackers look for vulnerabilities in these components which they can then use to orchestrate attacks. Some of the more popular components are used on hundreds of thousands of websites; an attacker finding a security hole in one of these components could leave hundreds of thousands of sites vulnerable to exploit.

Insufficient Logging And Monitoring

Many web applications do not take enough steps to detect data breaches. The average discovery time for a breach is around 200 days after it has happened, which gives attackers a lot of time to cause damage before there is any response. OWASP recommends that web developers implement logging and monitoring as well as incident response plans to ensure that they are made aware of attacks on their applications.
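An added example (not code from the original post) tying this section to the Broken Authentication one above: the kind of monitoring rule that turns login logs into an alert. A single source address failing against many different usernames inside a short window is the signature of someone replaying a breached credential list, and a later success from that address is the account most likely compromised. The log lines and their format are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: "timestamp RESULT login user=<name> ip=<addr>".
SAMPLE_LOG = """\
2017-11-20T10:00:01 FAIL login user=alice ip=198.51.100.7
2017-11-20T10:00:02 FAIL login user=bob ip=198.51.100.7
2017-11-20T10:00:02 FAIL login user=carol ip=198.51.100.7
2017-11-20T10:00:03 FAIL login user=dave ip=198.51.100.7
2017-11-20T10:00:04 FAIL login user=erin ip=198.51.100.7
2017-11-20T10:00:05 OK   login user=frank ip=198.51.100.7
2017-11-20T10:00:09 FAIL login user=alice ip=203.0.113.5
2017-11-20T10:07:00 OK   login user=alice ip=203.0.113.5
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+login user=(\S+) ip=(\S+)$")

def parse_log(text: str) -> list:
    """Return (timestamp, result, user, ip) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2),
                           m.group(3), m.group(4)))
    return events

def credential_stuffing_alerts(events, window=timedelta(minutes=1), threshold=5) -> dict:
    """Flag source IPs that fail against at least `threshold` distinct
    usernames within a sliding `window`, and list any later successful
    logins from the same IP as the accounts to review first."""
    per_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            per_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in per_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= threshold:
                later_ok = [u for t, r, u, a in events
                            if a == ip and r == "OK" and t >= start]
                alerts[ip] = {"distinct_users": len(users), "later_success": later_ok}
                break
    return alerts
```

The single failure from 203.0.113.5 followed by a success minutes later is ordinary user behaviour and produces no alert; that contrast is what keeps the rule useful rather than noisy.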
