OWASP Top 10 Security Risks | Overview

OWASP Top 10 Overview

What is OWASP?

OWASP is a non-profit organization dedicated to web app security education.

OWASP's learning materials are freely accessible on its website: documents, tools, videos, and forums, all aimed at improving the security of web applications.

The OWASP Top 10 is a list that highlights the most serious security concerns for web apps today. OWASP recommends that every organization incorporate the report into its development processes to reduce security risk. Below is a list of the security risks included in the OWASP Top 10 2017 report.

SQL Injection

SQL injection occurs when an attacker sends crafted data to a web app in order to disrupt the logic of the application's database queries.

An example of a SQL Injection:

The attacker could enter an SQL query fragment into an input form that expects a plaintext username. If the input is not handled safely, the database executes the attacker's SQL as part of the application's own query. This is referred to as SQL injection.

To protect web applications from code injection, make sure your developers apply input validation to user-submitted data. Validation here means rejecting inputs that do not match what the field expects. A database administrator can also set access controls to limit how much information an injection attack could disclose.

To prevent SQL injection, OWASP recommends keeping data separate from commands and queries. The preferable option is to use a safe API that avoids the interpreter entirely or binds values separately from the statement, or to migrate to Object Relational Mapping tools (ORMs).
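The following added example (not code from the original article or from OWASP) shows the two points above side by side: a login check that concatenates user input into the query text, and the same check written with a bound-parameter query plus an allow-list on the username. The table layout, the sample accounts, and the plain-text passwords are constructed for the example only.

```python
import re
import sqlite3


def setup_db():
    """Constructed in-memory database; schema and rows are assumptions for this example.
    Passwords are stored in plain text only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


# Allow-list validation: an account name is lowercase letters, digits or underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def is_valid_username(username):
    """Reject anything that is not a plain account name before it reaches the database."""
    return USERNAME_RE.fullmatch(username) is not None


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: the input becomes part of the command,
    so a quote character in the input changes the query's structure."""
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Keeps data separate from the query: the statement text is fixed and the driver
    binds the values, so quotes in the input are just characters in a string."""
    if not is_valid_username(username):
        return False
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = setup_db()
    crafted = "' OR '1'='1"  # constructed test input containing a quote character
    print("vulnerable, real credentials:   ", login_vulnerable(db, "alice", "correct-horse"))
    print("vulnerable, crafted password:   ", login_vulnerable(db, "alice", crafted))
    print("parameterized, crafted password:", login_parameterized(db, "alice", crafted))
```

With the crafted password the concatenated query turns into `... AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable check reports success; the parameterized check compares the literal string and fails.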

Broken Authentication

Authentication vulnerabilities can allow an attacker to take over user accounts, or to compromise an entire system through an admin account. A cybercriminal can use a script to try thousands of password combinations against a system to see which one works. Once in, they can impersonate the user, giving them access to confidential information.

A broken authentication vulnerability exists in web applications that accept automated login attempts without limit. A popular way to mitigate authentication vulnerabilities is multifactor authentication. A login rate limit should also be built into the web app to slow down brute-force attacks.
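Added example (not from the article or from OWASP): a login routine that combines a sliding-window rate limit on failed attempts with salted password hashing and a constant-time comparison. The user store, the hash parameters, and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Allow at most `max_attempts` failed logins per key (username or client IP)
    within a sliding window of `window_seconds`."""

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable so tests can control time
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, key):
        now = self.clock()
        self._prune(key, now)
        return len(self.failures[key]) >= self.max_attempts

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now)
        self.failures[key].append(now)

    def record_success(self, key):
        self.failures.pop(key, None)


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; iteration count is an assumption for the example."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


USERS = {}  # constructed store: username -> (salt, digest); never the password itself


def register(username, password):
    USERS[username] = hash_password(password)


def password_ok(username, password):
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, digest = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def authenticate(limiter, username, password):
    """Returns 'ok', 'denied' (wrong credentials) or 'locked' (too many failures)."""
    if limiter.is_blocked(username):
        return "locked"  # checked before the password so a correct guess is also refused
    if password_ok(username, password):
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username)
    return "denied"


if __name__ == "__main__":
    limiter = LoginRateLimiter(max_attempts=3, window_seconds=60)
    register("carol", "s3cret")
    for attempt in ["wrong", "wrong", "wrong", "s3cret"]:
        print(attempt, "->", authenticate(limiter, "carol", attempt))
```

The limiter is keyed on the username here; keying a second limiter on the client address as well catches scripts that spread attempts across many accounts.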

Sensitive Data Exposure

If web applications don’t protect sensitive data, attackers can access it and use it for their own gain. An on-path attack is a popular method for stealing sensitive information. The risk of exposure is minimal when all sensitive data is encrypted. Web developers should ensure that no sensitive data is exposed in the browser or stored unnecessarily.

XML External Entities (XXE)

A cybercriminal may be able to upload or include malicious XML content, commands, or code within an XML document. An external entity declaration can make the parser read files on the application server's file system, and can make the server issue requests on the attacker's behalf, which is how XXE leads to server-side request forgery (SSRF) attacks.

XML external entity attacks can be prevented by having web applications accept less complex data formats such as JSON where possible. Disabling XML external entity processing in the parser also reduces the chances of an XXE attack.

Broken Access Control

Access control is the mechanism that keeps unauthorized users away from sensitive information. If access control is broken, attackers can bypass these checks and reach sensitive information as though they were authorized. Access control can be enforced by issuing an authorization token at user login. On every request the user makes while authenticated, the token sent with the request is verified, and only then is the user allowed to perform that request.
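Added example (not the article's or OWASP's code) of the per-request check described above: an HMAC-signed token issued at login is verified on every request, and the verified claims are then compared against the resource being requested, so that a valid token for one user does not grant access to another user's profile. The token format, the secret, the role names, and the numeric status codes are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

SECRET = b"example-only-secret"  # assumption: in a real app this comes from a secret store


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_token(user_id, role, ttl=3600, now=None):
    """Signed token created at login: payload.signature, both base64url."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "role": role, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + b"." + _b64(sig)


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(b".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # tampered payload or wrong key
        claims = json.loads(payload)
        if claims["exp"] < now:
            return None  # expired
        return claims
    except (ValueError, KeyError, TypeError, binascii.Error):
        return None


def can_view_profile(claims, profile_owner_id):
    """Authorization rule: owners see their own profile, admins see any."""
    return claims["role"] == "admin" or claims["sub"] == profile_owner_id


def handle_get_profile(token, profile_owner_id, now=None):
    """Request handler: 401 without a valid token, 403 without the right to this
    resource, 200 otherwise. Both checks run on every request."""
    claims = verify_token(token, now)
    if claims is None:
        return 401
    if not can_view_profile(claims, profile_owner_id):
        return 403
    return 200


if __name__ == "__main__":
    token = issue_token(7, "user")
    print("own profile:     ", handle_get_profile(token, 7))
    print("someone else's:  ", handle_get_profile(token, 8))
    print("garbage token:   ", handle_get_profile(b"not-a-token", 7))
```

Checking the signature proves who the token belongs to; the `can_view_profile` step is the actual access control, and omitting it is exactly the broken access control the section describes.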

Security Misconfiguration

Security misconfiguration is one of the most common issues cybersecurity specialists observe in web applications. It results from misconfigured HTTP headers, broken access controls, and error messages that expose internal details of a web app. You can correct a security misconfiguration by removing unused features and by keeping your software packages patched or upgraded.

Cross-Site Scripting (XSS)

An XSS vulnerability occurs when an attacker is able to inject script into a trusted website, for example through its DOM APIs, so that the script executes in a user’s browser. Execution often begins when a user clicks a link that appears to come from the trusted website. If the website is not protected against XSS, it can be compromised, and the injected script gives the attacker access to the user’s login session, credit card details, and other sensitive data.

To prevent Cross-Site Scripting (XSS), ensure that all HTML output is properly escaped. This can be achieved by choosing trusted frameworks for your language of choice; frameworks such as .NET, Ruby on Rails, and React escape output for you. Treating all data from authenticated and unauthenticated users alike as untrusted further reduces the risk of XSS attacks.

Insecure Deserialization

Deserialization is the transformation of serialized data, such as data received from a server or client, back into an object. Deserializing data is a routine part of software development. It becomes unsafe when the data comes from an untrusted source, because the data can then shape what the application constructs and executes. Insecure deserialization occurs when deserializing data from an untrusted source leads to denial-of-service attacks, remote code execution, or authentication bypasses.

To avoid insecure deserialization, the rule of thumb is never to trust user data. Treat every user input as potentially malicious, avoid deserializing data from untrusted sources, and ensure that the deserialization function your web application uses is safe for untrusted input.
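Added example (not from the article or OWASP) of the last two points: prefer a data-only format such as JSON with explicit validation, and where a native object format like Python's pickle cannot be avoided, restrict which classes it may reconstruct. The order schema, the allowed class list, and the sample payloads are assumptions made for the example.

```python
import io
import json
import pickle
from collections import OrderedDict


# Preferred path: a data-only format plus validation of every field we use.
def parse_order_json(payload):
    """Parse an order from JSON text and validate its shape; raises ValueError otherwise."""
    data = json.loads(payload)
    if not isinstance(data, dict):
        raise ValueError("order must be an object")
    item, qty = data.get("item"), data.get("qty")
    if not isinstance(item, str) or not item:
        raise ValueError("item must be a non-empty string")
    if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
        raise ValueError("qty must be a positive integer")
    return {"item": item, "qty": qty}


# Fallback path: pickle with a restricted loader. Assumption: OrderedDict is the only
# non-primitive type this application ever exchanges.
ALLOWED_CLASSES = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any class that is not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_pickle_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    print(parse_order_json('{"item": "book", "qty": 2}'))
    print(safe_pickle_loads(pickle.dumps(OrderedDict(a=1))))
    import datetime  # a class outside the allow-list, used only to show the refusal
    try:
        safe_pickle_loads(pickle.dumps(datetime.date(2020, 1, 1)))
    except pickle.UnpicklingError as exc:
        print("blocked:", exc)
```

The allow-list only limits which classes the stream may name; an allowed class with its own state-restoring hooks can still be abused, so the JSON path remains the recommendation and the restricted loader is a containment measure for legacy formats.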

Using Components With Known Vulnerabilities

Libraries and frameworks make it much faster to develop web applications without reinventing the wheel, and they let developers focus on the parts of the application that matter most. The flip side is that if attackers discover an exploitable flaw in a framework, every codebase using it is exposed.

Component developers regularly publish security patches and updates for their libraries. To avoid component vulnerabilities, keep your applications up to date with the latest security patches and upgrades. Unused components should be removed from the application to reduce the attack surface.

Insufficient Logging And Monitoring

Logging and monitoring are how you see what is happening in your web application. Logging makes it easy to trace errors and to follow user logins and activity.

Insufficient logging and monitoring occur when security-critical events are not logged properly. Attackers capitalize on this to carry out attacks on your application before anyone notices and responds.

Logging also saves your company money and time because developers can find bugs quickly and spend their effort fixing them rather than searching for them. In effect, logging helps keep your sites and servers running with less downtime.
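Added example, not from the article: a helper that writes security-critical events (here, login outcomes) as structured JSON records with the context an investigation needs, and a detector that reads such records back and flags a source address that fails logins against many different accounts, which is the kind of activity that goes unnoticed when these events are not logged. The field names, the threshold, and the sample log lines (using documentation-reserved addresses) are constructed for the example.

```python
import json
from collections import defaultdict

REQUIRED_FIELDS = ("ts", "event", "outcome", "user", "src_ip", "request_id")


def security_event(ts, event, outcome, user, src_ip, request_id, **extra):
    """One log line per security-relevant event, with who, what, where, and the
    request id needed to correlate it with application logs. Never include secrets."""
    record = {"ts": ts, "event": event, "outcome": outcome, "user": user,
              "src_ip": src_ip, "request_id": request_id}
    record.update(extra)
    return json.dumps(record, separators=(",", ":"))


def is_complete(line):
    """Check that a record carries every field a responder would need."""
    record = json.loads(line)
    return all(field in record for field in REQUIRED_FIELDS) and "password" not in record


# Constructed sample log: one address failing against three accounts, plus normal traffic.
SAMPLE_LOG = "\n".join([
    security_event(1000, "login", "failure", "alice", "203.0.113.5", "r1"),
    security_event(1001, "login", "failure", "bob", "203.0.113.5", "r2"),
    security_event(1002, "login", "success", "carol", "198.51.100.9", "r3"),
    security_event(1003, "login", "failure", "carol", "203.0.113.5", "r4"),
    security_event(1004, "login", "failure", "dave", "198.51.100.9", "r5"),
    security_event(1005, "logout", "success", "carol", "198.51.100.9", "r6"),
])


def detect_spray(log_text, threshold=3):
    """Return {src_ip: [users]} for addresses with failed logins against at least
    `threshold` distinct accounts. Complements a per-account rate limit, which this
    pattern slips under by spending only one or two attempts per account."""
    failures = defaultdict(set)
    for line in log_text.splitlines():
        record = json.loads(line)
        if record.get("event") == "login" and record.get("outcome") == "failure":
            failures[record["src_ip"]].add(record["user"])
    return {ip: sorted(users) for ip, users in failures.items() if len(users) >= threshold}


if __name__ == "__main__":
    print(SAMPLE_LOG)
    print("alerts:", detect_spray(SAMPLE_LOG))
```

Writing the record as JSON rather than free text is what makes the detector a few lines long; the same records feed a SIEM or an alerting rule without any further parsing.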

Conclusion

Good code isn’t just about functionality, it’s about keeping your users and application safe. The OWASP Top 10, a list of the most critical application security risks, is a great free resource for developers who want to write secure web and mobile apps. Training the developers on your team to assess and log risks can save your team time and money in the long run. If you’d like to learn more about how to train your team on the OWASP Top 10, click here.