OWASP Top 10 vulnerabilities

-
What is OWASP?

OWASP which stands for Open Web Application Security Project is an international non-profit organization dedicated to web application security.  It produces various articles, methodologies, tools and technologies in the field of web application security. It was established in 2001 with the goal to protect web applications from cyber attacks.



What is OWASP Top 10?  

OWASP Top 10 prioritizes most common web securities risks affecting the web applications. The point to consider here is that there are more than 10 security but only top 10 are included.
There are four criterias used for making this list. They are
  1. Ease of exploitability
  2. Prevalence
  3. Detectibility
  4. Business Impact
The list was firstly published in the year 2003. Then updated in the year 2004,2007,2010,2013 and 2017.

Top 10 Vulnerabilities

1.Injection

An Injection vulnerability allows attackers to send unfriendly,hostile data to an interpreter causing the data to be compiled and executed on the server. If your application is used to receive user input that goes into backend database,command or call, your application can fall to code injection attacks.  

Prevention of Injection attacks
  • Using a safe API
  • Escape special characters
  • Use positive server side input validation 
2.Broken Authentication
As the name suggests, if the authentication is weaker then the application will surely and easily become vulnerable to attacks.
It becomes vulnearable to brute force or dictionary attacks. Examples of Broken authentication are  Passwords are not properly hashed, Credential stuffing.

Prevention Of Broken Authentication 
  • Do not expose the Session Id in the URL
  • Strong, complex passwords
3.Sensitive Data Exposure
This vulnerability occurs when application does not protect sensitive information. The may be any sensitive information such as passwords, tokens, credit cards ,etc. Here the potential impact is very high.
Ex. Password leaks
Prevention 
  • Data never stored in clear text
  • Notice that generation of keys is secure
  • Algorithms used to encrypt data are strong
  
4.XML External Entities
If a web application uses vulnerable component processing XML, attackers can upload XML or include hostile content, commands or code within an XML document.
Prevention
  • Use simpler data formats like JSON and avoid Serialization
  • Upgrade your XML processor and library
  • Implement Whitelisting and sanitization of server side XML inputs.
5.Broken Access Control
Attackers can gain acess to user accounts, so that regular users can gain intended access priviliges. Strong access mechanisms are required to control broken access. 
Prevention
  • Deny access by default
  • Enforce usage and rate limits
  • Rate limit API and control access
  • Validate JWT token after logout
6.Security Misconfiguration
 This is the most commonly seen issue. This happens because of open cloud storage, insecure default configurations, etc.
Pevention
  • Dynamic Application Security Testing(DAST)
7.Cross Site Scripting
XSS flaws occurs whenever an application includes untrusted data without any proper validation. XSS allows to execute script in victim's browserw hich can highjack user sessions.
Prevention
  • Contexual output encoding
8.Insecure Deserialization
It often leads to remote code execution. They can be used to perform replay attacks, injection attacks and privilage escalation attacks.
Prevention
  • Dont trust user input
9.Using Components with known Vulnerabilties 
Many web applications rely on open source.Developers dont know about which open source components are in the application. Attackers can exploit an insecure component to take over server or steal sensitive data. 
Prevention
  • Use most recent CVEs
  • Patch as soon as needed
10.Insufficient logging and Monitoring
This vulnerability allows attackers to pivot to other systems and maintain persistant threats.Attackers can rely on lack of monitoring.
 Prevention
  • Develop best practices of logging and monitoring
  • Establish processes for reviewing internally

Comments

Post a Comment

Popular posts from this blog

T Bomb: SMS and Call Bomber! Hangs Your Smartphone!

-
Image
Discovering a tool which has capibility to hang your smartphone! T Bomb is an open source call and SMS bomber for Linux and Termux. T Bomb can send unlimited sms and calls on victim's phone so that the hang can get hang.  Installation Step 1. Type command  pkg install git Step 2. pkg install python Step 3. git clone https://github.com/TheSpeedX/TBomb.git Step 4. cd TBomb Step 5. chmod +x TBomb.sh  Now run the tool Step 6. cd TBomb Step 7. ./TBomb.sh And Boom!!! Now perform as per instructed. Press Enter Press 1 for SMS bomber Press 2 for Call bomber Press 3 To  Update (Works On Linux And Linux Emulators) Press 4 To  View Features Press 5 To  Exit Important: Only For Educational Purpose. We are not responsible if any kind of misuse of this tool is identified.
Read more

Phishing: A sweet poison!

-
Image
Phishing  is a fradulent attempt to obtain sensitive information such as passwords, usernames, credit card details by disguising oneself as a trustworthy entity in an electronic communication. This is how Phishing is defined.Got It? No. That's ok. You will get it by the end of this blog. Hackers are creative and they should be!  One such famous hacking technique or a way to gain information of target user is is called Phishing. Phising is method to gather personal information using mainly deceptive emails and websites. The goal is to make the target believe that the message,mail or website is something important for him for example a bank request,donation and to force him to click the link. It is one of the oldest type of cyberattacks dating back to 1990's and still one of the most popular attack between hackers. How Phishing got its name? Yes you guessed it right. Phishing is similar to word Fishing. The letter "f" is replaced by "p". As in fishing, the fis
Read more

Stay Secure Always!

-
Image
Stay Secure Always! We are living in 21st century. This era is what we can call it as an "Digital Era". The world is becoming digital day by day. Use of Smartphones, digital payments, and services based on internet are increasing. We can't imagine a single day without Internet today.It has made over life so easy. But as a coin has two sides, internet also has its evil side. Today "Data" is the currency. Data or we can say meaningful information is what matters the most. If you have data and you know how to use it, you can acquire the world. But if someone misused data it can also lead to death. So one should have knowledge about how to stay secure online. One should be aware of all the Digital Threats. So here are we....... Through InfoSec Hub you will be able to get knowledge about How to protect our data Kali Linux O.S. Hacking  Various attacks Various Tools And much more....So stay tuned.....
Read more