OWASP Top 10 vulnerabilities
What is OWASP?
OWASP, which stands for Open Web Application Security Project, is an international non-profit organization dedicated to web application security. It produces articles, methodologies, tools and technologies in the field of web application security. It was established in 2001 with the goal of protecting web applications from cyber attacks.
What is OWASP Top 10?
The OWASP Top 10 prioritizes the most common security risks affecting web applications. Note that there are more than 10 security risks, but only the top 10 are included.
Four criteria are used to build this list:
- Ease of exploitability
- Prevalence
- Detectability
- Business Impact
The list was first published in 2003, then updated in 2004, 2007, 2010, 2013 and 2017.
Top 10 Vulnerabilities
1.Injection
An injection vulnerability allows attackers to send unfriendly, hostile data to an interpreter, causing the data to be compiled and executed on the server. If your application receives user input that goes into a backend database, command or call, it can fall to code injection attacks.
Prevention of Injection attacks
- Use a safe API
- Escape special characters
- Use positive server side input validation
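The three prevention points above, shown as an added example that is not part of the original post. It uses Python's built-in sqlite3 module; the users table, the function names and the hostile input string are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for a backend database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def find_user_unsafe(db, name):
    # Vulnerable: user input is concatenated into the SQL text, so the
    # interpreter parses it as part of the statement.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def find_user_safe(db, name):
    # Safe API: the ? placeholder sends the value as bound data, never as SQL,
    # so no manual escaping of special characters is needed.
    return db.execute("SELECT name, email FROM users WHERE name = ?",
                      (name,)).fetchall()

# Positive (allow-list) validation: accept only the shape a user name may have.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def find_user_validated(db, name):
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    return find_user_safe(db, name)

# Identifiers such as column names cannot be bound as parameters,
# so they are checked against a fixed allow-list instead.
SORT_COLUMNS = {"name", "email"}

def list_users(db, sort_by):
    if sort_by not in SORT_COLUMNS:
        raise ValueError("invalid sort column")
    return db.execute(f"SELECT name FROM users ORDER BY {sort_by}").fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed hostile input
    print(len(find_user_unsafe(db, hostile)))  # the WHERE clause is rewritten
    print(len(find_user_safe(db, hostile)))    # treated as a literal name
```
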
2.Broken Authentication
As the name suggests, if authentication is weak, the application easily becomes vulnerable to attacks.
It becomes vulnerable to brute force or dictionary attacks. Examples of broken authentication are passwords that are not properly hashed and credential stuffing.
Prevention Of Broken Authentication
- Do not expose the Session Id in the URL
- Strong, complex passwords
3.Sensitive Data Exposure
This vulnerability occurs when an application does not protect sensitive information. This may be any sensitive information such as passwords, tokens, credit cards, etc. Here the potential impact is very high.
Ex. Password leaks
Prevention
- Never store data in clear text
- Ensure that key generation is secure
- Use strong algorithms to encrypt data
4.XML External Entities
If a web application uses a vulnerable component to process XML, attackers can upload XML or include hostile content, commands or code within an XML document.
Prevention
- Use simpler data formats like JSON and avoid Serialization
- Upgrade your XML processor and library
- Implement Whitelisting and sanitization of server side XML inputs.
5.Broken Access Control
Attackers can gain access to user accounts, so that regular users can gain intended access privileges. Strong access mechanisms are required to control broken access.
Prevention
- Deny access by default
- Enforce usage and rate limits
- Rate limit API and control access
- Validate JWT token after logout
6.Security Misconfiguration
This is the most commonly seen issue. It happens because of open cloud storage, insecure default configurations, etc.
Prevention
- Dynamic Application Security Testing(DAST)
7.Cross Site Scripting
XSS flaws occur whenever an application includes untrusted data without proper validation. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions.
Prevention
- Contextual output encoding
8.Insecure Deserialization
It often leads to remote code execution. Deserialization flaws can also be used to perform replay attacks, injection attacks and privilege escalation attacks.
Prevention
- Don't trust user input
9.Using Components with known Vulnerabilities
Many web applications rely on open source. Developers don't know which open source components are in the application. Attackers can exploit an insecure component to take over the server or steal sensitive data.
Prevention
- Use most recent CVEs
- Patch as soon as needed
10.Insufficient logging and Monitoring
This vulnerability allows attackers to pivot to other systems and maintain persistent threats. Attackers can rely on the lack of monitoring.
Prevention
- Develop best practices of logging and monitoring
- Establish processes for reviewing internally