OWASP Top 10 — explained with examples
In this article I’m going to discuss one of the most important topics in web application security: the OWASP Top 10.
First of all, you should know that OWASP is a non-profit organization dedicated to improving the security of software.
The OWASP Top 10 is a regularly updated list of the most critical security risks to web applications, based on data from real-world attacks and vulnerabilities; it was last updated in 2021.
Let’s explore what the OWASP Top 10 is, why it matters and how you can use it to better protect your applications from cyber threats.
A01:2021 — Broken Access Control
What is it?
In order to understand what broken access control is, first we need to understand what access control is.
Access control is present in a web application to allow users to access only the parts they are authorized to; for instance, it should prevent one user from accessing another user’s sensitive data.
That being said, broken access control is when a user can perform requests they are not authorized to make.
In the example below, John can access Richard’s data.

How to prevent
- Deny access by default to all private resources
- Minimize Cross-Origin Resource Sharing (CORS) usage
- Implement an access control mechanism and use it on each request that handles private data
- Disable web server directory listing and ensure file metadata (e.g., .git) and backup files are not present within web roots.
- Log all unauthorized access attempts and add alerts so you are notified when abnormal traffic occurs
- Add rate limiting to your API to hinder the automated scanning tools used by attackers.
- Stateful session identifiers should be invalidated on the server after logout. Stateless JWT tokens should rather be short-lived so that the window of opportunity for an attacker is minimized. For longer lived JWTs it’s highly recommended to follow the OAuth standards to revoke access.
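The John/Richard case above, as an added example that is not part of the original article: an object-level lookup that trusts the id in the request, beside a deny-by-default version that checks ownership and logs every refused attempt. The invoice store, user names and admin set are constructed sample data.

```python
# Added example (not from the original article): object-level access control.
# Assumed: an in-memory "database" of invoices; a real app would take the user
# from the session and the invoice from a database query.
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: int

INVOICES = {  # constructed sample data
    101: Invoice(101, "john", 250),
    102: Invoice(102, "richard", 9900),
}
ADMINS = {"alice"}

class Forbidden(Exception):
    """Raised when the caller is not allowed to see the resource."""

def get_invoice_insecure(current_user: str, invoice_id: int) -> Invoice:
    # Broken access control: the lookup trusts the id from the URL and never
    # checks who is asking, so john can read richard's invoice.
    return INVOICES[invoice_id]

def may_read(user: str, invoice: Invoice) -> bool:
    # The only rules that grant access; everything else is denied.
    return user == invoice.owner or user in ADMINS

def get_invoice_secure(current_user: str, invoice_id: int) -> Invoice:
    # Deny by default: the record is returned only if an explicit rule allows it.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not may_read(current_user, invoice):
        # Same error for "missing" and "not yours", so ids cannot be enumerated.
        raise Forbidden(f"user {current_user} may not read invoice {invoice_id}")
    return invoice

def audit_read(current_user: str, invoice_id: int, log: list) -> bool:
    # Every denied attempt is logged so alerting can fire on a burst of them.
    try:
        get_invoice_secure(current_user, invoice_id)
        return True
    except Forbidden as exc:
        log.append(f"DENIED {exc}")
        return False
```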
A02:2021 — Cryptographic Failures
What is it
This category includes vulnerabilities such as:
- use of weak or outdated encryption algorithms
- poor key management practices, like the use of hard-coded keys or passwords
- incorrect use of cryptographic functions.
These vulnerabilities can lead to serious security breaches, such as unauthorized access to sensitive data or the ability to modify encrypted data.
How to prevent
- Use strong, modern cryptographic algorithms such as AES, RSA, and SHA.
- Choose appropriate key sizes for encryption algorithms based on current security standards. For example, AES-128 or AES-256 are recommended for secure communication and storage of sensitive data.
- Ensure that keys are securely generated, stored, and distributed. Avoid hard-coding keys within source code or storing them in easily accessible locations. Tools such as HashiCorp Vault or AWS Secrets Manager can manage them for you.
- Use secure communication protocols like TLS (Transport Layer Security) to ensure secure transmission of data over the network.
- Use cryptographically secure random number generators for generating keys and initialization vectors (IVs).
- Use appropriate cryptographic modes like GCM (Galois Counter Mode) for encryption and authentication.
- Do not create your own cryptographic algorithms or protocols. Use standardized and tested cryptographic libraries and protocols.
- Regularly review and update cryptographic controls to ensure they meet current security standards.
- Educate developers and users about the importance of strong encryption and the risks associated with weak and outdated encryption algorithms.
- Implement cryptographic testing to verify that cryptographic controls are implemented correctly and are providing the desired level of security.
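An added example, not from the original article, covering three of the points above: loading the key from the environment instead of the source, generating IVs with the OS CSPRNG rather than a seeded PRNG, and authenticating data with a standard HMAC and a constant-time comparison. The variable name APP_KEY_HEX is a placeholder for whatever your secrets manager injects.

```python
# Added example (not from the original article): key handling and CSPRNG use.
# Assumed: the key arrives in an environment variable named APP_KEY_HEX
# (placeholder name), populated by a secrets manager.
import hashlib
import hmac
import os
import random
import secrets

MIN_KEY_BYTES = 16  # 128 bits, the article's minimum for AES

def load_key(var: str = "APP_KEY_HEX", env=None) -> bytes:
    """Load the key from the environment instead of hard-coding it in source."""
    env = os.environ if env is None else env
    raw = env.get(var)
    if raw is None:
        raise RuntimeError(f"{var} is not set; keys must come from a secret store")
    key = bytes.fromhex(raw)
    if len(key) < MIN_KEY_BYTES:
        raise ValueError(f"key is {len(key) * 8} bits; need at least 128")
    return key

def weak_iv(seed: int) -> bytes:
    # Anti-pattern: random.Random is a plain PRNG; anyone who learns the seed
    # (often a timestamp) can reproduce every IV it will ever emit.
    return random.Random(seed).getrandbits(96).to_bytes(12, "big")

def strong_iv() -> bytes:
    # secrets draws from the OS CSPRNG; 96-bit nonces are the usual GCM size.
    return secrets.token_bytes(12)

def tag(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Authenticate IV and ciphertext together with HMAC-SHA256, a standard
    # construction rather than a home-made MAC. Including the IV means it
    # cannot be swapped without detection.
    return hmac.new(key, iv + ciphertext, hashlib.sha256).digest()

def verify(key: bytes, iv: bytes, ciphertext: bytes, received: bytes) -> bool:
    # compare_digest runs in constant time; a plain == would leak via timing.
    return hmac.compare_digest(tag(key, iv, ciphertext), received)
```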
A03:2021 — Injection
What is it

This involves an attacker injecting malicious code or input into an application, with the intent of manipulating the application’s behavior or accessing sensitive data.
Injection vulnerabilities typically occur when an application fails to properly validate and sanitize user input, and then uses that input to dynamically generate or execute code or commands.
The attacker can exploit these vulnerabilities to execute arbitrary code, extract sensitive data, or gain unauthorized access to the system.
Common types of injection attacks include SQL injection, command injection, and cross-site scripting (XSS).
How to prevent
- Sanitize all user input on the server side, and escape it using the technique appropriate to the tool you are using
- Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
A04:2021 — Insecure Design
What is it
Insecure Design refers to vulnerabilities in an application or system that arise from poor or insufficient consideration of security in the design phase.
Here are some examples:
- Lack of proper access controls and permission settings in an application can lead to unauthorized access to sensitive data or functionality, such as administrative functions or user data. This can occur if the system does not have a proper authentication mechanism or if access controls are not properly implemented.
- Communication between different components of a system may be vulnerable to interception or tampering if insecure protocols are used. Examples of insecure protocols include HTTP, FTP, and Telnet, which do not provide encryption or authentication. Use of such protocols can expose sensitive data or allow for injection attacks.
- Inadequate or incorrect error handling can allow an attacker to glean valuable information about an application or system, such as database structures or server names. This information can be used to craft targeted attacks or exploit known vulnerabilities. Insecure error handling may also lead to information leakage, which can disclose sensitive data to unauthorized parties.
- Improper validation of user input can lead to injection attacks, such as SQL injection or cross-site scripting (XSS). This occurs when an attacker injects malicious code or input into the application via input fields, which can then be executed by the application, allowing the attacker to gain access to sensitive data or perform unauthorized actions.
How to prevent
- Ensure that access controls and permissions are properly implemented, and that only authorized users have access to sensitive data and functionality. Use a multi-factor authentication mechanism to increase security.
- Use secure communication protocols, such as HTTPS, FTPS, and SFTP, to encrypt and authenticate communication between system components. Implement additional security controls, such as firewalls and intrusion detection/prevention systems, to detect and prevent attacks.
- Implement proper error handling mechanisms to prevent information leakage and to protect against attacks. Use generic error messages that do not disclose sensitive data, and log errors to a secure location for analysis.
- Ensure that user input is properly validated and sanitized before being used in the application. Use input validation libraries or frameworks to automatically sanitize input, and use parameterized queries to prevent SQL injection attacks. Additionally, implement strict data validation rules to prevent the use of malicious input in other forms of injection attacks, such as cross-site scripting.
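The error-handling point above, as an added example that is not part of the original article: a request wrapper that returns only a generic message with a reference id to the client and keeps the exception detail in a server-side log, beside the leaky version. The handler that fails, the logger name and the reference-id format are assumptions.

```python
# Added example (not from the original article): generic client errors,
# detailed server-side logging.
import logging
import secrets
import traceback

log = logging.getLogger("app.errors")  # assumed; route it to a protected log store

def failing_handler():
    # Constructed handler that fails the way a broken database query would.
    raise RuntimeError("no such table: users")

def leaky_handle_request(handler, *args) -> dict:
    # Anti-pattern: the raw exception text (table names, paths, versions)
    # is sent straight to the client.
    try:
        return {"status": 200, "body": handler(*args)}
    except Exception as exc:
        return {"status": 500, "body": f"Error: {exc}"}

def handle_request(handler, *args) -> dict:
    try:
        return {"status": 200, "body": handler(*args)}
    except Exception as exc:
        # A random reference lets support find the log entry without the
        # client ever seeing the detail.
        ref = secrets.token_hex(6)
        log.error("ref=%s %s\n%s", ref, exc, traceback.format_exc())
        return {"status": 500, "body": f"Internal error (reference {ref})"}
```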
A05:2021 — Security Misconfiguration
What is it
This refers to security vulnerabilities that arise from misconfigured systems or applications, which can leave them open to attack or data leakage. It can occur when systems are not properly configured, patched, or updated, or when default settings are not changed or unnecessary services are enabled.
Here are some examples:
- Default Passwords: Many systems and applications come with default passwords that are easily guessed or publicly available. Failure to change these passwords can lead to unauthorized access to sensitive data or system functions.
- Unused Services: Unused services or applications can create vulnerabilities in a system, especially if they are left enabled or unpatched. Attackers can exploit these vulnerabilities to gain access to sensitive data or perform unauthorized actions.
- Improper file permissions: Incorrect file permissions can allow unauthorized access to sensitive files or data. This can occur if files are not properly secured or if permissions are too permissive, allowing anyone to access the data.
How to prevent
- Secure Configuration Standards: Use established security configuration standards, such as those from the Center for Internet Security (CIS) or the National Institute of Standards and Technology (NIST), to ensure that systems are properly configured and hardened.
- Continuous Monitoring: Implement continuous monitoring and automated vulnerability scanning to identify potential security misconfigurations in systems and applications. Ensure that system logs are properly configured to capture security events.
- Regular Updates and Patching: Ensure that all systems and applications are regularly updated and patched to protect against known vulnerabilities. This includes both software updates and firmware updates.
- Principle of Least Privilege: Follow the principle of least privilege, which limits user access to only those resources and data that are necessary to perform their job functions. This can prevent unauthorized access to sensitive data and functions.
- Security Testing: Conduct regular security testing, including penetration testing and vulnerability assessments, to identify potential security misconfigurations and vulnerabilities in systems and applications. This can help to identify and remediate vulnerabilities before they can be exploited.
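An added example, not from the original article, that turns the three misconfiguration cases above into automated checks: default credentials, services enabled beyond what the deployment needs, and a secrets file readable by other users. The configuration layout, the default-credential pairs and the required-service list are constructed; the file-mode check assumes a POSIX system.

```python
# Added example (not from the original article): a small configuration audit.
import os
import stat
import tempfile

DEFAULT_CREDS = {("admin", "admin"), ("root", "toor"), ("admin", "password")}  # constructed
REQUIRED_SERVICES = {"web", "db"}  # constructed: what this deployment actually needs

def check_default_credentials(cfg: dict) -> list:
    return [f"default credential for account '{user}'"
            for user, pw in cfg.get("accounts", {}).items()
            if (user, pw) in DEFAULT_CREDS]

def check_unused_services(cfg: dict) -> list:
    enabled = set(cfg.get("enabled_services", []))
    return [f"unneeded service enabled: {s}" for s in sorted(enabled - REQUIRED_SERVICES)]

def check_secret_file_mode(path: str) -> list:
    # A secrets file with any group/other bits set is "too permissive".
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{os.path.basename(path)} is accessible to others (mode {oct(mode)})"]
    return []

def audit(cfg: dict, secret_path: str) -> list:
    return (check_default_credentials(cfg) + check_unused_services(cfg)
            + check_secret_file_mode(secret_path))

def demo_secret_file(mode: int) -> str:
    # Creates a temporary secrets file with the given mode so the check can run.
    fd, path = tempfile.mkstemp(prefix="secrets-")
    os.close(fd)
    os.chmod(path, mode)
    return path
```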
A06:2021 — Vulnerable and Outdated Components
What is it
You can see this as a subcategory of A05 above, but it focuses only on vulnerabilities arising from outdated or vulnerable components used in applications and systems.
How to prevent
- Remove unused dependencies, unnecessary features, components, files, and documentation.
- Continuously inventory the versions of both client-side and server-side components (e.g., frameworks, libraries) and their dependencies using tools like versions, OWASP Dependency Check, retire.js, etc. Continuously monitor sources like Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD) for vulnerabilities in the components. Use software composition analysis tools to automate the process. Subscribe to email alerts for security vulnerabilities related to the components you use.
- Only obtain components from official sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component.
- Monitor for libraries and components that are unmaintained or do not create security patches for older versions. If patching is not possible, consider deploying a virtual patch to monitor, detect, or protect against the discovered issue.
A07:2021 — Identification and Authentication Failures
What is it
This vulnerability can occur when applications fail to implement proper user identification and authentication mechanisms, such as weak password policies or insecure password storage.
Examples:
- Weak password policies or default passwords: This can include policies that allow weak passwords or the use of default passwords, which can be easily guessed or cracked by attackers.
- Insecure password storage: This can occur when passwords are not properly hashed or encrypted, making them vulnerable to theft and exploitation.
- Lack of multi-factor authentication: Without multi-factor authentication, attackers can gain access to systems or data by simply obtaining a user’s username and password.
- Session fixation attacks: This can occur when an attacker forces a user’s session ID to a known value, enabling them to hijack the user’s session and gain access to sensitive data.
- Brute-force attacks: Attackers can use automated tools to guess passwords, which can be successful if weak password policies are in place.
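An added example, not from the original article, addressing three of the cases above: insecure password storage (an unsalted fast hash beside a salted, memory-hard KDF from the standard library), a minimum-length policy, and a failed-attempt lockout against brute forcing. The user store, the cost parameters and the lockout threshold are constructed for illustration.

```python
# Added example (not from the original article): password storage and lockout.
import hashlib
import hmac
import secrets

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # cost parameters; raise n as hardware allows
MAX_FAILURES = 5
MIN_PASSWORD_LEN = 12

def insecure_hash(password: str) -> str:
    # Anti-pattern: unsalted fast hash. Identical passwords give identical
    # hashes, and commodity GPUs test billions of candidates per second.
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)  # fresh salt per user defeats precomputed tables
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unknown hash format")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant time

class UserStore:
    def __init__(self):
        self.records = {}  # username -> [stored_hash, consecutive_failures]

    def register(self, user: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError(f"password policy: at least {MIN_PASSWORD_LEN} characters")
        self.records[user] = [hash_password(password), 0]

    def login(self, user: str, password: str) -> bool:
        rec = self.records.get(user)
        if rec is None or rec[1] >= MAX_FAILURES:
            return False  # unknown user, or locked out after repeated failures
        if verify_password(password, rec[0]):
            rec[1] = 0
            return True
        rec[1] += 1
        return False
```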
A08:2021 — Software and Data Integrity Failures
What is it
This category covers code and infrastructure that do not protect the integrity of the software they run or the data they process. It includes installing software from untrusted sources, insecure CI/CD pipelines, and insecure auto-update functionality. Insecure deserialization is another vulnerability that falls under this category.
How to prevent
- Use digital signatures or similar mechanisms to verify software or data integrity and authenticity
- Ensure libraries and dependencies are from trusted repositories or consider hosting an internal vetted repository
- Use a software supply chain security tool to detect known vulnerabilities in components
- Review code and configuration changes to minimize the introduction of malicious code or configuration
- Properly segregate, configure, and control access to CI/CD pipelines to maintain code integrity
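The first two points above, as an added example that is not part of the original article: a pipeline step that installs a fetched component only if its digest matches the one pinned when it was vetted. A digest pin (as in package lock files) is the simplest integrity mechanism the standard library supports; signature verification works the same way with a public key in place of the pinned hash. The artifact bytes and the lock-file entry are constructed.

```python
# Added example (not from the original article): integrity pinning for a
# downloaded dependency before it is installed or executed.
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed artifact and the digest recorded when it was vetted.
GOOD_ARTIFACT = b"#!/bin/sh\necho 'build step 1'\n"
LOCKFILE = {"build-helper-1.0.sh": sha256_hex(GOOD_ARTIFACT)}

class IntegrityError(Exception):
    pass

def install(name: str, fetched: bytes, lockfile: dict = LOCKFILE) -> bytes:
    """Return the fetched bytes only if they match the pinned digest."""
    expected = lockfile.get(name)
    if expected is None:
        # No pin means nobody vetted it: fail closed rather than install.
        raise IntegrityError(f"{name} is not pinned; unvetted components are refused")
    actual = sha256_hex(fetched)
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"{name}: digest {actual[:12]}... does not match the pin")
    return fetched
```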
A09:2021 — Security Logging and Monitoring Failures
What is it
Insufficient logging and monitoring can prevent active breach detection and response.
How to prevent
- Auditable events must be logged, and warnings and errors must generate clear messages.
- Logs of applications and APIs must be monitored for suspicious activity and stored securely.
- Appropriate alerting thresholds and response escalation processes must be in place and effective.
- The application must be able to detect, escalate, or alert for active attacks in real-time or near real-time.
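An added example, not from the original article, of the alerting the list above asks for: login events are logged with time, outcome and source, and a detector raises an alert when one source reaches a threshold of failures inside a sliding window. The log format, the sample lines, the threshold and the window are constructed.

```python
# Added example (not from the original article): alerting over login logs.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
THRESHOLD = 5            # failures from one source ...
WINDOW = timedelta(minutes=1)  # ... within this window trigger an alert

SAMPLE_LOG = """\
2024-05-01T10:00:01 LOGIN FAIL user=john src=198.51.100.7
2024-05-01T10:00:03 LOGIN FAIL user=john src=198.51.100.7
2024-05-01T10:00:05 LOGIN FAIL user=richard src=198.51.100.7
2024-05-01T10:00:09 LOGIN OK user=alice src=203.0.113.5
2024-05-01T10:00:12 LOGIN FAIL user=admin src=198.51.100.7
2024-05-01T10:00:20 LOGIN FAIL user=bob src=198.51.100.7
2024-05-01T10:03:00 LOGIN FAIL user=john src=203.0.113.5
""".splitlines()  # constructed sample lines

def parse(line: str) -> dict:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def detect_bursts(lines) -> list:
    """One alert per source whose FAIL count reaches THRESHOLD within WINDOW."""
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    alerted, alerts = set(), []
    for ev in map(parse, lines):
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()  # drop failures older than the window
        if len(q) >= THRESHOLD and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append(f"{ev['ts'].isoformat()} ALERT {len(q)} failed logins "
                          f"from {ev['src']} within {WINDOW.seconds}s")
    return alerts
```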
A10:2021 — Server-Side Request Forgery (SSRF)
What is it
SSRF vulnerabilities occur when an attacker has full or partial control of the request sent by the web application. A common example is when an attacker can control the third-party service URL to which the web application makes a request.
Examples:
- SSRF flaws occur when user-supplied URLs are not validated during remote resource fetching.
- Attackers can exploit SSRF flaws to send crafted requests to unexpected destinations.
- Firewalls, VPNs, and network access control lists may not protect against SSRF attacks.
- The incidence and severity of SSRF vulnerabilities are increasing due to the complexity of modern web architectures and cloud services.
How to prevent
Network layer:
- Segment remote resource access in separate networks
- Enforce “deny by default” firewall policies or network access control rules
Application layer:
- Sanitize and validate all client input
- Enforce URL schema, port, and destination
- Do not send raw responses or use HTTP redirections
- Avoid URL consistency issues
- Don’t use deny lists or regex to mitigate SSRF
Additional measures:
- Don’t deploy security services on front systems
- Use network encryption for high protection needs
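The application-layer measures above, as an added example that is not part of the original article: a validator that enforces scheme, port and an allow list of destinations before the server fetches a user-supplied URL, and refuses IP literals in private, loopback or link-local ranges. The allowed hosts are constructed; the function does no DNS resolution, so a real client must apply the same IP check to the resolved address and must not follow redirects.

```python
# Added example (not from the original article): SSRF-oriented URL validation.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}  # constructed
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}

class UnsafeUrl(ValueError):
    pass

def validate_fetch_url(url: str) -> str:
    """Return the URL unchanged if it may be fetched server-side, else raise."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        # "https://allowed.host@other.host/" parses with the allowed name as
        # userinfo and the real destination elsewhere; refuse it outright.
        raise UnsafeUrl("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    port = parts.port or 443
    if port not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port {port} not allowed")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not an IP literal
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
            raise UnsafeUrl(f"IP literal {ip} points at an internal range")
        raise UnsafeUrl("IP literals are not on the allow list")
    if host.lower() not in ALLOWED_HOSTS:
        raise UnsafeUrl(f"host {host!r} is not on the allow list")
    return url
```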
In conclusion, the OWASP Top 10 is a widely recognized and referenced document in the cybersecurity industry.
It provides a framework of the top 10 most critical web application security risks that organizations should be aware of and address. Understanding the OWASP Top 10 is important for developers, security professionals, and decision-makers to assess and prioritize security risks within their organization’s web applications. By addressing the OWASP Top 10, organizations can strengthen their security posture and reduce the likelihood of successful attacks against their web applications.