The OWASP Top 10 is a list of the ten most dangerous and most commonly found flaws/vulnerabilities in web applications (software accessed through the web, such as websites). The OWASP Top 10 is released and maintained by the OWASP organization. If you do not know what the OWASP Top 10 is, start reading this article and by the end you will know more about it.
OWASP – About
OWASP stands for Open Web Application Security Project. The main motive of the OWASP non-profit organization is to create awareness related to web security, application security, and vulnerability assessment. They have three methods to do so: industry standards, workshops, and conferences. OWASP was founded in 2001 by Mark Curphey. You may also visit their website here to know more about OWASP and the OWASP Top 10.
OWASP TOP 10 – Purpose
Basically, the OWASP Top 10 is released to create awareness of the most powerful web application security attacks. It represents the most common and most exploited critical security risks in web applications. The OWASP Top 10 list also explains how the security risks mentioned in it are exploited in the wild and how to overcome them. To know more about the OWASP Top 10 and the types of threats discussed in it, you may skip the section below and start reading from the heading OWASP TOP 10 – A Brief Explanation.
OWASP TOP 10 – Types of Attacks
As the name OWASP Top 10 suggests, this list comprises the 10 most widespread and dangerous attacks or threats towards web applications; all 10 are listed below in order.
Injection
Broken Authentication and Session Management
Sensitive Data Exposure
XML External Entity
Broken Access Control
Security Misconfiguration
Cross-Site Scripting
Insecure deserialization
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring
OWASP TOP 10 – A Brief Explanation
This section gives a brief explanation of each of the OWASP Top 10 threats.
Injection
An injection attack is one in which the attacker sends queries or commands into the website through its input fields. Injection flaws such as SQL injection, LDAP injection, and CRLF injection occur when an attacker sends untrusted data to an interpreter as part of a command, so that the attacker's malicious code is executed without the authorization of the website owner or anyone else.
Security Tip: Web developers should always use parameterized queries when building websites. This will prevent
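The following is an added example (not part of the original post) showing the difference the security tip above makes. It uses an in-memory SQLite table with constructed sample users; the vulnerable login builds the SQL by string formatting, the fixed one uses placeholders.

```python
import sqlite3

# Constructed in-memory table so the example runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "s3cret"), ("bob", "hunter2")])


def login_vulnerable(username, password):
    """Builds the SQL by string formatting: untrusted input becomes part of
    the command itself, which is the injection flaw described above."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(username, password):
    """Uses placeholders: the driver passes the values separately from the
    statement, so input can never change the structure of the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    # A correct login works in both versions.
    print(login_vulnerable("alice", "s3cret"))      # ['alice']
    print(login_parameterized("alice", "s3cret"))   # ['alice']
    # The textbook tautology in the password field turns the WHERE clause
    # into "... OR '1'='1'" in the vulnerable version and matches every row;
    # in the parameterized version it is just a literal string that matches nothing.
    payload = "' OR '1'='1"
    print(login_vulnerable("alice", payload))       # ['alice', 'bob']
    print(login_parameterized("alice", payload))    # []
```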
Broken authentication and session management
Broken authentication and session management is a very broad category. What it actually covers is incorrectly configured authentication and user sessions, which let the attacker obtain passwords, keys, or even session tokens and ultimately lead to account and identity theft.
Security Tip: Multi-factor authentication, for example with dedicated FIDO authenticators, can be very effective against such attacks and thefts.
Sensitive Data Exposure
Sensitive Data Exposure, as the name of the vulnerability hints, is the exposure or leakage of sensitive user data, such as usernames, passwords, health information or financial details, from applications and APIs that are not properly secured.
Security Tip: Comply with the data protection regulations that apply to the data you handle to avoid this.
XML External Entity
XML External Entity (XXE) refers to poorly configured XML parsers that process references to external entities in the XML documents they receive. Attackers place such external entity references, pointing at local or remote files, in the XML they submit to the website. This vulnerability can disclose files on the server and even data from the databases used by the web application.
Security Tip: To protect websites from XML External Entity attacks, use static application security testing (SAST), which helps discover the issue by analyzing dependencies and configuration files.
Broken Access Control
This threat is very dangerous: when access restrictions in a web application are improperly configured, the attacker can act as any other user and gain access to the victim's full identity. Apart from viewing the victim's data, the attacker can also change, edit and even delete the victim's information and credentials.
Security Tip: Penetration testing for such flaws is a must, as it will give you a list of non-functional access controls.
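An added example (not from the original post) of the "improperly configured restriction" above: a record lookup that trusts the id from the request beside one that enforces ownership on every call. The invoice data, user roles and the Forbidden exception are constructed for the illustration.

```python
# Constructed sample data: invoices and the role of each user.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


def get_invoice_broken(current_user, invoice_id):
    """Looks the record up by id alone. Any logged-in user who guesses or
    increments an id reads another user's invoice: the restriction is
    simply missing, which is the broken access control described above."""
    return INVOICES[invoice_id]


def get_invoice_checked(current_user, invoice_id):
    """Deny by default, then grant explicitly: only the owner or an admin
    gets the record. The check runs server-side on every request, so it
    cannot be bypassed by editing the id in the browser."""
    invoice = INVOICES.get(invoice_id)
    # Same failure for 'missing' and 'not yours', so ids cannot be enumerated.
    if invoice is None:
        raise Forbidden("invoice %s is not accessible to %s" % (invoice_id, current_user))
    if invoice["owner"] != current_user and ROLES.get(current_user) != "admin":
        raise Forbidden("invoice %s is not accessible to %s" % (invoice_id, current_user))
    return invoice


def access_allowed(current_user, invoice_id):
    """Policy-review helper: True if the checked path would return the invoice."""
    try:
        get_invoice_checked(current_user, invoice_id)
        return True
    except Forbidden:
        return False
```

The same check must guard edit and delete paths, since a write handler without it is how a read-only leak becomes the data tampering mentioned above.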
Security Misconfiguration
Security misconfiguration is the improper control and management of the application's settings, leaving it unsafe. If this risk is found in a web application, it typically means the security headers of the web application are misconfigured and poorly managed, or that information is leaked in the form of error messages containing very sensitive data of several users. Security misconfigurations in web applications generally go unpatched and un-upgraded, which makes them vulnerable, so this risk is placed in the OWASP Top 10 list.
Security Tip: DAST (Dynamic Application Security Testing) can help overcome this vulnerability by detecting misconfigurations in the running web application.
Cross Site Scripting
Cross Site Scripting, also known as XSS, is one of the most common and dangerous vulnerabilities in web applications. The vulnerability gives attackers the ability to inject client-side scripts or other malicious code, which can, for example, redirect the web application's clients or visitors to a different website.
Security Tip: Developers should always encode output data and validate input in the web application. Hiring an ethical hacker or a penetration tester can also help the web owner find and fix this flaw.
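An added example (not part of the original post) of the "encode output and validate input" tip: a comment renderer that validates the submitted text, encodes each value for the HTML context it lands in, and treats the link separately, because HTML encoding does not stop a javascript: URL in an href. The function names, limits and sample inputs are constructed for the illustration; only http(s) links are allowed, so relative links would need their own rule.

```python
import html
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_COMMENT_LEN = 500


def validate_comment(text):
    """Input validation: reject oversized or control-character input early.
    Validation alone is not enough; the output must still be encoded."""
    if not text or len(text) > MAX_COMMENT_LEN:
        raise ValueError("comment length out of range")
    if any(ord(c) < 32 and c not in "\n\t" for c in text):
        raise ValueError("control characters not allowed")
    return text


def safe_href(url):
    """A URL goes into an href, where escaping does not help: a 'javascript:'
    URL would still run. Allow only http(s), then encode for the attribute."""
    scheme = urlparse(url.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def render_comment(author, text, homepage):
    """Encodes each value for its context: text nodes and attribute values
    via html.escape (quote=True also encodes quotes), the link via safe_href."""
    text = validate_comment(text)
    return (
        '<div class="comment">'
        '<a href="%s" title="%s">%s</a>: %s'
        "</div>" % (safe_href(homepage),
                    html.escape(author, quote=True),
                    html.escape(author, quote=True),
                    html.escape(text, quote=True))
    )
```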
Insecure deserialization
Insecure deserialization is a flaw that can enable an attacker to execute malicious code or commands in the web application remotely. It can also be used to tamper with or delete objects or data in the web application, to conduct injection attacks, and to elevate privileges up to administrator level.
Security Tip: Application security tools can detect deserialization flaws, but penetration testing is frequently needed to validate the problem of insecure deserialization.
Using components with known vulnerabilities
Web developers frequently do not know which open source and third-party components they have used while building their web application, which also makes it difficult to update those components when new vulnerabilities are discovered in them. Attackers can take advantage of this and exploit an insecure component in the web application to take over the server or steal sensitive data stored on it.
Security Tip: Software composition analysis should be conducted once the website is complete so that all known vulnerabilities in its components can be detected and fixed. Static analysis can also identify insecure versions of components.
Insufficient Logging and Monitoring
The time taken to detect an issue or breach is frequently measured in weeks or months. Insufficient logging and ineffective integration with security monitoring can lead to very dangerous incidents, allowing attackers to pivot to other systems and servers and to maintain persistence in the form of backdoors.
Security Tip: Every web developer or web owner is advised to have their website checked by an ethical hacker or penetration tester once in a while. The owner should also think like an attacker and use pen testing skills (if they have them) to find out whether they have sufficient monitoring, and most important of all, examine the web application's logs after the pen test.
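As an added example (not from the original post) of what "sufficient monitoring" of the logs means in practice, here is a small detection that parses constructed authentication log lines and flags a source address with a burst of failed logins. The log format, field names and thresholds are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an application's authentication log (not from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:03Z auth FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:04Z auth FAIL user=bob ip=203.0.113.5
2024-05-01T10:00:06Z auth FAIL user=carol ip=203.0.113.5
2024-05-01T10:00:07Z auth FAIL user=dave ip=203.0.113.5
2024-05-01T10:00:09Z auth OK user=dave ip=203.0.113.5
2024-05-01T10:05:00Z auth FAIL user=erin ip=198.51.100.7
2024-05-01T10:30:00Z auth FAIL user=erin ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_log(text):
    """Turns each line into a dict. Malformed lines are skipped rather than
    aborting the run, so one odd line cannot blind the detection."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": ts, "result": m.group("result"),
                           "user": m.group("user"), "ip": m.group("ip")})
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flags IPs with at least `threshold` failed logins inside a sliding `window`.
    Keyed by IP, so spraying across many usernames is caught too. Returns {ip: burst start}."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["ip"]].append(e["ts"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = times[start]
                break
    return alerts
```

Run against SAMPLE_LOG, the five failures from 203.0.113.5 within six seconds trigger an alert while the two failures from 198.51.100.7, 25 minutes apart, do not.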
So, I think that by now you know the OWASP Top 10 threats towards web applications and how to secure your web application against them. You may also check my website for other topics as well.