OWASP TOP 10

Satya Prakash
Published in InfoSec Write-ups
5 min read · Nov 28, 2022

What is OWASP?

OWASP, the Open Web Application Security Project, is a nonprofit foundation that works to improve the security of software. It publishes the OWASP Top 10, an awareness document that ranks the most critical categories of web application security risk, and it revises the list every few years.

The OWASP Top 10 lists the ten most common and impactful categories of web application vulnerabilities. It was first published in 2003 and revised several times since (2004, 2007, 2010, 2013 and 2017); the 2021 edition is the current one and the one this post follows.

The OWASP Foundation is the source for developers and technologists to secure the web. [OWASP](https://owasp.org/)

1. Broken Access Control

Broken access control is a flaw that occurs when an application does not properly enforce what each user is allowed to do. Missing or poorly implemented checks are usually easy to find and exploit, because the attacker only has to ask for something and see whether the server says no.

The flaw lets attackers or unauthorised users view content they should not see, perform functions they are not entitled to, modify or delete data, or even take over site administration. A common form is the insecure direct object reference (IDOR): the application checks that the caller is logged in, but not that the caller owns the record whose identifier appears in the URL or request body, so changing that identifier exposes another user's data.

**Remediation**

- Deny by default and enforce access control on the server side, in one central, reusable component; never rely on client-side checks or on hiding links.
- Authorise the specific record or action for the specific user, not just the fact that a user is logged in.
- Delete inactive or unnecessary accounts.
- Shut down unnecessary services and access points.
- Use multi-factor authentication at all access points.
- Disable web server directory listing.
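The following is an added example, not code from the original post: a minimal invoice lookup that shows the insecure direct object reference described above beside a version that denies by default and authorises the specific record. The users, roles and invoice store are constructed for the demonstration.

```python
"""Insecure direct object reference (IDOR) versus a per-record ownership check.

Added example, not code from the original post.  The users, roles and the
in-memory invoice store are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Raised when a caller is not authorised for the requested resource."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "customer" or "admin"


# Constructed data store: invoice_id -> (owner_user_id, amount)
INVOICES = {
    1001: (1, "EUR 120.00"),
    1002: (2, "EUR 980.00"),
}


def get_invoice_vulnerable(current_user: Optional[User], invoice_id: int) -> str:
    """Checks only that someone is logged in, then trusts the client-supplied id.

    A customer who changes ?invoice_id=1001 to 1002 in the URL reads another
    customer's invoice: the classic IDOR.
    """
    if current_user is None:
        raise Forbidden("login required")
    owner, amount = INVOICES[invoice_id]
    return amount


def get_invoice_secure(current_user: Optional[User], invoice_id: int) -> str:
    """Denies by default and authorises the specific record, not just the login.

    Admins may read any invoice; everyone else only their own.  The same
    "not found" answer is returned whether the record does not exist or belongs
    to someone else, so an attacker cannot enumerate which ids are valid.
    """
    if current_user is None:
        raise Forbidden("login required")
    record = INVOICES.get(invoice_id)
    if record is None:
        raise Forbidden("not found")
    owner, amount = record
    if current_user.role != "admin" and owner != current_user.user_id:
        raise Forbidden("not found")
    return amount


def attempt(handler, user: Optional[User], invoice_id: int) -> str:
    """Run a handler and report what the client would see."""
    try:
        return handler(user, invoice_id)
    except Forbidden as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    alice = User(1, "customer")
    # Alice tampers with the id to request Bob's invoice (1002).
    print("vulnerable:", attempt(get_invoice_vulnerable, alice, 1002))
    print("secure:    ", attempt(get_invoice_secure, alice, 1002))
```

The secure handler performs the authorisation decision next to the data access, which is where a central access-control helper in a real application would be called from.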

2. Cryptographic Failures

This category was previously known as Sensitive Data Exposure. It covers failures of cryptography, or its absence, that expose sensitive data: sending data in plain text, using outdated or insecure cryptographic algorithms, using weak or hard-coded keys, storing passwords with fast unsalted hashes, and so on.

**General idea**
This threat arises when a web application does not adequately protect sensitive information such as credit card numbers, passwords, banking information, social security numbers, or any similar data whose leak would be critical for the user.

The consequences include financial loss, account takeover, blackmail, and ultimately a loss of trust in the brand.

**Remediation**

- Encrypt data in transit (TLS) and at rest.
- Use current, well-reviewed algorithms, protocols and key lengths; avoid deprecated primitives such as MD5 and SHA-1 for security purposes, and do not invent your own.
- Turn off autocomplete and caching on forms that collect sensitive data.
- Minimise the data surface: do not collect or store sensitive data you do not need, and discard it as soon as possible.
- Store passwords with a strong adaptive, salted hashing function (Argon2, scrypt, bcrypt or PBKDF2) with an appropriate work factor.

3. Injection

An injection attack occurs when an application sends untrusted data to an interpreter (a database, an operating-system shell, a browser, an LDAP server) as part of a command or query. Attacker-supplied data changes the meaning of the command, so the interpreter executes something the developer never intended, which can compromise data or the whole application.

The most common injection attacks are SQL injection, cross-site scripting (XSS), HTML injection, OS command injection, CSS injection, and similar variants for other interpreters (NoSQL, LDAP, XPath, template engines).

**Remediation**

- Keep commands separate from data: never build a query or command by concatenating user input into it.
- Validate, filter or sanitise all user-supplied data on the server side, preferring positive (allowlist) validation.
- Use a safe API that avoids the interpreter altogether or provides parameterised queries; when writing data into HTML, use context-aware output encoding.
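To make the "separate commands from data" point concrete, here is an added example (not code from the original post) using Python's standard-library sqlite3: the same login lookup written by string concatenation and with placeholders, run against a constructed two-row users table with a classic tautology payload. Plaintext passwords are kept in the table only to keep the query shape simple; the previous section covers how they should actually be stored.

```python
"""String-built SQL versus a parameterised query, using the stdlib sqlite3 module.

Added example, not code from the original post.  The users table and its rows
are constructed for the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "customer"), ("admin", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Concatenates user input straight into the query: data becomes code.

    With password = "' OR '1'='1" the WHERE clause turns into
    username = 'admin' AND password = '' OR '1'='1', which is true for every row.
    """
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Placeholders fix the query structure before any input is seen; the
    driver passes the values to the engine separately, so quotes and keywords
    inside them are just characters."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # tautology injected through the password field
    print(login_vulnerable(db, "admin", payload))     # both rows come back
    print(login_parameterized(db, "admin", payload))  # [] : no such password
```

The same principle applies to every interpreter in the list above: use the API's binding or escaping mechanism for the specific context rather than hand-built strings.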

4. Insecure Design

This category covers risks that come from flaws in the design and architecture itself, as opposed to implementation bugs: a design that never called for a needed security control stays insecure no matter how well it is implemented, so such flaws cannot be fixed by patching code alone.

**Remediation**

- Establish a secure development lifecycle with AppSec professionals who help evaluate and design security and privacy controls.
- Limit resource consumption per user and per service.
- Threat-model critical authentication, access control and business logic flows, and build on a library of secure design patterns and ready-to-use components.

5. Security Misconfiguration

Security misconfiguration arises when an application or its stack is left in an unsafe state: insecure default configurations, unnecessary open ports and services, overly permissive privileges, missing or incorrect HTTP security headers, verbose error messages, and similar settings.

**Remediation**

- Use a repeatable, automated hardening process so that development, QA and production environments are configured identically.
- Configure permissions properly, following the principle of least privilege.
- Disable or change default accounts and passwords.
- Do not show users error messages that contain sensitive information such as stack traces, version numbers or file paths.
- Enable the latest security features and send security headers (such as HSTS and Content-Security-Policy) to clients.
- Set the security settings of the server, framework, libraries and databases to secure values, and review them after every update.
- Remove unnecessary features: ports, services, pages, accounts, privileges, sample applications and documentation that are installed or enabled by default.
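An added example, not from the original post, of how several of these points can be checked mechanically: a small auditor that inspects a response's headers for missing security headers, version-leaking banners and missing cookie flags. The two header sets are constructed (a default deployment and a hardened one), and the header list follows the OWASP Secure Headers Project recommendations.

```python
"""Audit an HTTP response for common security misconfigurations.

Added example, not code from the original post.  The two response header sets
below are constructed; the header list follows the OWASP Secure Headers Project.
"""
from typing import Dict, List, Optional

# Headers a hardened application should send: name -> substring that must appear
# in the value (None means any value is acceptable).
REQUIRED: Dict[str, Optional[str]] = {
    "strict-transport-security": "max-age=",
    "x-content-type-options": "nosniff",
    "content-security-policy": "default-src",
    "x-frame-options": None,  # or a CSP frame-ancestors directive, checked below
    "referrer-policy": None,
}

# Headers that advertise the stack and should be removed or blanked.
LEAKY = ("server", "x-powered-by", "x-aspnet-version")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, expected in REQUIRED.items():
        value = lower.get(name)
        if value is None:
            # X-Frame-Options is redundant when CSP already restricts framing.
            if name == "x-frame-options" and "frame-ancestors" in lower.get("content-security-policy", ""):
                continue
            findings.append(f"missing header: {name}")
        elif expected and expected not in value.lower():
            findings.append(f"weak value for {name}: {value}")
    for name in LEAKY:
        if lower.get(name, "").strip():
            findings.append(f"information disclosure: {name}: {lower[name]}")
    return findings


def audit_cookie(set_cookie: str) -> List[str]:
    """Flag a Set-Cookie header that lacks Secure, HttpOnly or SameSite."""
    attrs = {part.strip().split("=")[0].lower() for part in set_cookie.split(";")[1:]}
    return [f"cookie missing {flag}" for flag in ("secure", "httponly", "samesite") if flag not in attrs]


# Constructed: a framework left on defaults, sending no security headers at all.
DEFAULT_RESPONSE = {
    "Server": "ExampleServer/1.0",
    "X-Powered-By": "ExampleFramework/2.3",
    "Content-Type": "text/html",
    "Set-Cookie": "SESSIONID=abc123; path=/",
}

# Constructed: the same application after hardening.
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "no-referrer",
    "Content-Type": "text/html",
    "Set-Cookie": "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for label, resp in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) + audit_cookie(resp["Set-Cookie"]))
```

Run against live responses, a check like this belongs in the deployment pipeline so that an environment that drifts from the hardened baseline fails before it reaches production.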

6. Vulnerable and Outdated Components

This category was previously known as Using Components with Known Vulnerabilities. It covers software that is vulnerable, unsupported or out of date: the platform, framework and dependencies (client-side and server-side, including nested dependencies) that are not upgraded when patches come out, and the lack of a process for knowing what is running in the first place.

**Remediation**

- Keep an inventory of the versions of all client-side and server-side components and their nested dependencies.
- Continuously monitor sources such as CVE and NVD for vulnerabilities in those components, and perform regular vulnerability assessments.
- Upgrade the platform, framework and other dependencies promptly, obtain them only from official sources over secure links, and remove unused dependencies, features and files.

7. Identification and Authentication Failures

This vulnerability exists when a web application does not correctly implement the functions that identify and authenticate users: login itself, session management, password recovery and the storage of credentials.

Because of this, attackers are able to compromise passwords, keys or session tokens, or to assume the identity and permissions of other users, typically through credential stuffing, brute force, or hijacking a session ID that is predictable, exposed in a URL, or never expires.

**Remediation**

- Implement multi-factor authentication (MFA).
- Do not deploy with default credentials, especially for users with admin privileges.
- Enforce strong passwords and check new passwords against lists of known-breached passwords.
- Limit and monitor failed login attempts, and alert on patterns of credential stuffing or brute force.
- Use a secure, server-side session manager that generates random, high-entropy, time-limited session IDs, and issue a new ID after login.
- Never include session IDs in URLs.
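To illustrate the session-management points above, here is an added example (not code from the original post) of a server-side session store that issues random IDs from the operating system's CSPRNG, enforces idle and absolute timeouts, and rotates the ID on login so that a pre-planted ID (session fixation) is useless. The timeout values are constructed policy; the clock is passed in explicitly so expiry can be shown without waiting.

```python
"""Server-side sessions with random, time-limited IDs and rotation on login.

Added example, not code from the original post.  Timeout values are assumed
policy; the clock is injectable so expiry can be demonstrated deterministically.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user_id: int
    created: float
    last_seen: float


class SessionManager:
    IDLE_TIMEOUT = 15 * 60          # constructed: 15 minutes of inactivity
    ABSOLUTE_TIMEOUT = 8 * 60 * 60  # constructed: 8 hours regardless of activity

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: int, now: Optional[float] = None) -> str:
        """Issue a fresh, unguessable ID: 32 random bytes (256 bits) from the OS CSPRNG.

        The ID carries no meaning; all state lives server-side, keyed by it."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id, created=now, last_seen=now)
        return sid

    def rotate_on_login(self, old_sid: Optional[str], user_id: int,
                        now: Optional[float] = None) -> str:
        """Discard the pre-login session and issue a new ID.

        If an attacker planted old_sid in the victim's browser before login, it
        never becomes an authenticated session (defeats session fixation)."""
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        return self.create(user_id, now)

    def validate(self, sid: str, now: Optional[float] = None) -> Optional[int]:
        """Return the user_id for a live session, or None.  Expired sessions are purged."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return None
        idle_expired = now - session.last_seen > self.IDLE_TIMEOUT
        absolute_expired = now - session.created > self.ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            self.invalidate(sid)
            return None
        session.last_seen = now
        return session.user_id

    def invalidate(self, sid: str) -> None:
        """Logout: drop server-side state so the ID cannot be replayed."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    m = SessionManager()
    t0 = time.time()
    anonymous = m.create(0, now=t0)
    sid = m.rotate_on_login(anonymous, 42, now=t0)
    print(m.validate(anonymous, now=t0), m.validate(sid, now=t0 + 60))        # None 42
    print(m.validate(sid, now=t0 + 60 + SessionManager.IDLE_TIMEOUT + 1))    # None
```

Because the ID is only a lookup key, it should travel in a cookie flagged Secure, HttpOnly and SameSite, never in the URL, where it would leak through logs, bookmarks and Referer headers.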

8. Software and Data Integrity Failures

This is a new category in the 2021 list. It relates to code and infrastructure that do not protect against integrity violations: software updates, critical data and CI/CD pipelines whose integrity is never verified before they are trusted.

For example, an application that relies on plugins, libraries or modules from unverified and untrusted sources, repositories or content delivery networks (CDNs), an auto-update mechanism that installs whatever it downloads without checking a signature, or an application that deserialises data an attacker can modify, is exposed to this type of failure.

**Remediation**

- Use digital signatures or similar measures to verify that software and data come from the expected source and have not been altered.
- Protect the integrity of code going through the build and deploy processes: make sure the CI/CD pipeline has adequate segregation, configuration and access control.
- Verify that unsigned or unencrypted serialised data is not sent to untrusted clients without an integrity check or digital signature that detects tampering or replay, and check that integrity before deserialising.
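The following is an added example, not code from the original post, of the last point: a payload that is serialised, given an expiry and an integrity tag before it leaves the server, and verified before it is parsed when it comes back. An HMAC is used because it needs only the standard library and the same server both issues and verifies the data; where the verifier must not hold the signing key (software updates, third-party clients), a real digital signature such as Ed25519 takes the same place. The key, the payload and the expiry are constructed.

```python
"""Integrity-protect serialised data handed to an untrusted client.

Added example, not code from the original post.  HMAC-SHA256 stands in for a
digital signature because issuer and verifier are the same server here; the
key, payload and expiry are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Optional

SECRET_KEY = b"constructed-demo-key-do-not-use-in-prod"  # real key: from a secret store


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(payload: dict, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Serialise payload plus an expiry and append an HMAC tag: <body>.<tag>"""
    now = time.time() if now is None else now
    envelope = dict(payload, exp=int(now) + ttl_seconds)
    body = json.dumps(envelope, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def unseal(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload only if the tag verifies and the token has not expired.

    The tag is checked BEFORE json.loads, so the parser never runs on bytes
    the client could have altered; the expiry bounds how long a captured token
    can be replayed."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(body)
    if data.get("exp", 0) < now:
        return None
    return data


def tamper(token: str, **changes: Any) -> str:
    """Simulate an attacker editing the body (e.g. role=admin) without the key."""
    body_b64, tag_b64 = token.split(".")
    data = json.loads(_unb64(body_b64))
    data.update(changes)
    body = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(body)}.{tag_b64}"  # old tag no longer matches the new body


if __name__ == "__main__":
    t0 = time.time()
    token = seal({"user": "alice", "role": "customer"}, ttl_seconds=300, now=t0)
    print(unseal(token, now=t0 + 10))                          # payload with exp
    print(unseal(tamper(token, role="admin"), now=t0 + 10))    # None: tag mismatch
    print(unseal(token, now=t0 + 301))                         # None: expired
```

The same discipline applies to any serialised object: verify the integrity of the whole serialised blob first, then deserialise, and never deserialise formats that execute code (such as Python pickle) from a party you do not control.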

9. Security Logging and Monitoring Failures

This category was previously known as Insufficient Logging and Monitoring. The flaw arises when an organisation does not log security-relevant events, does not detect suspicious activity or unauthorised access attempts, or has nobody acting on the alerts it does produce. Without logging and monitoring, breaches go unnoticed and the attacker has time to escalate; breach studies consistently show detection times of months rather than days.

**Remediation**

- Log all login, access control and server-side input validation failures with enough user context (who, from where, when) to identify suspicious or malicious accounts, and retain the logs long enough for delayed forensic analysis.
- Produce logs in a format that log management tools can consume easily, and protect them against injection and tampering.
- Establish effective monitoring and alerting so that suspicious activity is detected and responded to in a timely manner.
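As an added example (not from the original post) of what such logs make possible, the block below runs a sliding-window detector over constructed authentication log lines: one source IP fails five different usernames within a few seconds, the credential-stuffing pattern, while another IP fails once in a while for a single user. The log format, the threshold and the window are assumptions for the demonstration.

```python
"""Detect brute force / credential stuffing from authentication failure logs.

Added example, not code from the original post.  The log lines and their format
(ISO timestamp, event, user, source IP), the threshold and the window are all
constructed; what matters is that each failure records who, from where and when.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LOG_LINES = """\
2022-11-28T10:00:01Z auth_failure user=alice ip=203.0.113.7
2022-11-28T10:00:02Z auth_failure user=bob ip=203.0.113.7
2022-11-28T10:00:02Z auth_failure user=carol ip=203.0.113.7
2022-11-28T10:00:03Z auth_failure user=dave ip=203.0.113.7
2022-11-28T10:00:04Z auth_failure user=erin ip=203.0.113.7
2022-11-28T10:00:30Z auth_failure user=alice ip=198.51.100.2
2022-11-28T10:01:00Z auth_success user=alice ip=198.51.100.2
2022-11-28T10:20:00Z auth_failure user=alice ip=198.51.100.2
2022-11-28T10:40:00Z auth_failure user=alice ip=198.51.100.2
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (auth_failure|auth_success) user=(\S+) ip=(\S+)$")

THRESHOLD = 5                  # failures from one IP ...
WINDOW = timedelta(minutes=1)  # ... within this window raise an alert


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse one line into (timestamp, event, user, ip); None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None  # skip junk rather than crash the detector
    ts, event, user, ip = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, ip


def detect_bruteforce(lines, threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> List[Tuple[str, str]]:
    """Sliding-window count of failures per source IP.

    Returns one (ip, timestamp) alert per IP, raised the moment the count of
    failures inside the window reaches the threshold.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str]] = []
    alerted = set()
    for line in lines:
        parsed = parse(line)
        if parsed is None or parsed[1] != "auth_failure":
            continue
        ts, _, _, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    print(detect_bruteforce(LOG_LINES))  # only 203.0.113.7 trips the default rule
```

The same five lines would be useless if they recorded only "login failed": the user and source fields are what let the detector distinguish an attack from a forgotten password, and the timestamps are what make a window possible.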

10. Server-Side Request Forgery (SSRF)

Server-side request forgery issues arise when a web application fetches a remote resource from a user-supplied URL without validating it.

Put another way, SSRF is a web security flaw that lets an attacker make the server send requests to a destination of the attacker's choosing. Because the request originates from the server, it can reach targets the attacker cannot reach directly: internal services, localhost, or cloud instance metadata endpoints.

**Remediation**

- Validate and sanitise all client-supplied URLs on the server side, and enforce the scheme, host and port with a positive allowlist.
- Do not rely on a regular expression or denylist alone; attackers bypass them with alternate IP encodings, open redirects and DNS rebinding.
- Accept only the intended address format (IPv4 or IPv6) and refuse requests to private, loopback and link-local ranges, re-checking the address the hostname actually resolves to.
- Validate incoming domain names, disable HTTP redirects, and do not return the raw response to the client.
- Segment remote-resource access into its own network with deny-by-default firewall policies.
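The following is an added example, not code from the original post, of allowlist-based URL validation for a server-side fetch. It admits only an expected scheme, host set and port, refuses literal IP addresses (with a clearer message for internal ranges), and shows several classic bypass attempts being rejected. The allowed hosts are constructed. One caveat the code itself states: a hostname that passes can still resolve to an internal address later (DNS rebinding), so the resolved IP must be re-checked at connection time and redirects must be disabled in the HTTP client.

```python
"""Allowlist-based validation of a user-supplied URL before a server-side fetch.

Added example, not code from the original post.  The allowed hosts are
constructed.  This checks the URL only: the IP the hostname resolves to must be
re-checked at connection time (DNS rebinding), and redirects must be disabled.
"""
import ipaddress
from typing import Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}  # constructed allowlist
ALLOWED_PORTS = {443}

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class SSRFRejected(ValueError):
    """The URL must not be fetched server-side."""


def is_internal(ip: IPAddress) -> bool:
    """Loopback, RFC 1918 / ULA, link-local (incl. 169.254.169.254 cloud metadata),
    unspecified, multicast and reserved ranges."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def validate_fetch_url(url: str) -> str:
    """Return url if it is acceptable to fetch, otherwise raise SSRFRejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        # https://images.example.com@evil.example/ puts the allowed name in userinfo
        raise SSRFRejected("credentials in URL")
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        raise SSRFRejected("no host")
    try:
        port = parts.port or 443
    except ValueError:
        raise SSRFRejected("invalid port")
    if port not in ALLOWED_PORTS:
        raise SSRFRejected(f"port not allowed: {port}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not a dotted/colon literal
    if ip is not None:
        # Literal IPs are never on the allowlist; name the reason for the log.
        raise SSRFRejected("internal address" if is_internal(ip) else "literal IP not allowed")
    if host not in ALLOWED_HOSTS:
        # Also catches decimal/octal IP encodings such as https://2130706433/,
        # which ipaddress does not parse but which browsers and libcurl accept.
        raise SSRFRejected(f"host not allowed: {host}")
    return url


def check(url: str) -> str:
    """Human-readable verdict used by the demo and the tests."""
    try:
        validate_fetch_url(url)
        return "allowed"
    except SSRFRejected as exc:
        return f"rejected ({exc})"


if __name__ == "__main__":
    for u in ("https://images.example.com/cat.png",
              "http://images.example.com/cat.png",
              "https://127.0.0.1/admin",
              "https://[::1]/",
              "https://169.254.169.254/latest/meta-data/",
              "https://images.example.com@evil.example/",
              "https://images.example.com:8443/",
              "https://2130706433/"):
        print(f"{u:50} {check(u)}")
```

After validation, the fetch itself should use a client configured with redirects disabled and a short timeout, and the response should be parsed and re-encoded rather than relayed to the user verbatim.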


I have collected the above information from multiple articles and written this post based on my understanding.

For more study on the OWASP Top 10, please refer to the original posts.

Resources:

1. [appsealing.com](https://www.appsealing.com/owasp-top-10-vulnerabilities/)
2. [crashtest-security.com](https://crashtest-security.com/owasp-top-10-2021/)
3. [snyk.io](https://snyk.io/learn/owasp-top-10-vulnerabilities/)
4. [owasp.org](https://owasp.org/www-project-top-ten/)

Happy Learning!

Support me: if you would like to support me, buy me a cup of coffee.

Follow me: Satya Prakash | LinkedIn | Twitter

🏴‍ Ethical Hacker & Pentester 👤 Whitehat ⚪ Red Team 🔴 🖥️ Bug Hunter 🐞 📫 How to reach me: 0xKayala@gmail.com