OWASP, otherwise known as the Open Web Application Security Project, is an international non-profit organization that produces articles, methodologies, documentation, tools, and technologies in the field of web application security.
One defining feature of OWASP is that all of its materials are freely accessible on its website, which makes it possible for anyone to improve the security of their own web applications. Its most popular project is the OWASP Top 10, which assesses each flaw class using the OWASP Risk Rating Methodology and provides guidelines, examples, best practices for preventing attacks, and references for each risk. By understanding the OWASP Top 10 and how to resolve these risks, application developers can take concrete steps toward a more secure application that helps keep users safe from malicious attacks.
OWASP TOP 10
The OWASP Top 10 is a list of the 10 most common security risks. The current edition was published in 2017, which may seem a bit old, but it is the latest available version, and an update is expected at any time this year. Even though it is not an official standard, the list is widely used by many organizations and cybersecurity experts to classify the severity of weaknesses and security breaches.
The OWASP Top 10, updated every three to four years, outlines the security concerns of web applications, highlighting the 10 most critical risks.
The OWASP Top 10 vulnerabilities, as of 2021, are:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
1. Injection
Code injection happens when an attacker sends untrusted data to the web application, aiming to make it do something the application was not supposed to do.
Mitigation of injection attacks primarily depends on the technology used on your website. For WordPress users, for instance, minimizing the number of installed plugins and themes greatly reduces exposure to injection attacks.
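The root cause of injection is that untrusted input is allowed to change the structure of a command. The following Python example, added here and not taken from the article, shows the vulnerable pattern (string concatenation into SQL) next to the hardened pattern (parameter binding) against a constructed in-memory SQLite table; the table contents and the tampered input are made up for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with two sample users (illustration only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_unsafe(conn, username):
    # Vulnerable pattern: the input is spliced straight into the query text, so
    # quote characters in the input can rewrite the WHERE clause itself.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Hardened pattern: the statement structure is fixed at write time and the
    # input is bound as a parameter, so it is only ever compared as a string value.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups with the same input; returns (unsafe_rows, safe_rows) counts."""
    conn = make_db()
    # Constructed input containing SQL syntax; no legitimate username looks like this.
    tampered = "x' OR '1'='1"
    unsafe_rows = find_user_unsafe(conn, tampered)  # the clause becomes always-true
    safe_rows = find_user_safe(conn, tampered)      # no user has this literal name
    return len(unsafe_rows), len(safe_rows)


if __name__ == "__main__":
    print(demo())
```

The same principle applies beyond SQL: whatever interpreter receives the data (a shell, an LDAP server, a template engine), keep the command template fixed and pass untrusted values through an API that treats them as data.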
2. Broken Authentication
Broken authentication not only covers credential misuse, such as a stolen username and password, but also the exploitation of session management, such as session hijacking and session fixation attacks, which allow attackers to act on behalf of the impersonated user.
Vulnerabilities in authentication systems can give attackers access to user accounts and even the ability to compromise an entire system using an admin account.
The best ways to prevent this are enforcing strong passwords, implementing multi-factor authentication, and blocking accounts that have multiple failed login attempts.
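Two of the controls above (a password policy and lockout after repeated failures) plus the standard defence against session fixation (issuing a fresh session id on login) fit in a small in-memory store. The Python below is an added example, not code from the article; the lockout threshold, minimum password length and PBKDF2 iteration count are assumed policy values chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets

MAX_FAILED_LOGINS = 5      # assumed policy value
MIN_PASSWORD_LENGTH = 12   # assumed policy value
PBKDF2_ITERATIONS = 100_000


class AuthStore:
    """Minimal in-memory user store: salted password hashes, failure counters, sessions."""

    def __init__(self):
        self.users = {}     # username -> {"salt", "hash", "failures", "locked"}
        self.sessions = {}  # session id -> username (None for a pre-login session)

    @staticmethod
    def _hash(password, salt):
        # Store a slow, salted hash; the password itself is never kept.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password too short")
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt),
                                "failures": 0, "locked": False}

    def login(self, username, password, old_session=None):
        """Return a fresh session id on success, None on failure or lockout."""
        user = self.users.get(username)
        if user is None or user["locked"]:
            return None
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(self._hash(password, user["salt"]), user["hash"]):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILED_LOGINS:
                user["locked"] = True   # blocked until an operator unlocks the account
            return None
        user["failures"] = 0
        # Session fixation defence: any session id the client presented before
        # authenticating is discarded and a brand-new random one is issued.
        if old_session in self.sessions:
            del self.sessions[old_session]
        new_session = secrets.token_urlsafe(32)
        self.sessions[new_session] = username
        return new_session
```

Multi-factor authentication would be an additional step after the password check succeeds and before the session is issued; it is not shown here because it depends on the second factor in use.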
3. Sensitive Data Exposure
Personal and financial data is a high-value target given its sensitivity. Sensitive data exposure is becoming more relevant to online businesses as commerce continues to move online.
A quick way to mitigate sensitive data exposure is to encrypt all sensitive data and to disable caching of any sensitive information.
4. XML External Entities (XXE)
This is an attack against a web application that parses XML input. The same vulnerability can also lead to Denial of Service (DoS) or Server-Side Request Forgery (SSRF) attacks, forcing your application to send requests without your knowledge.
The best way to avoid XXE attacks is to make your web applications accept a simpler type of data or, at a minimum, to patch XML parsers and disable the use of external entities in the XML application.
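Disabling external entities in practice means two things: refuse documents that carry a DTD at all (no DTD, no entity declarations), and as defence in depth tell the parser never to fetch external general or parameter entities even if one gets through. The Python example below, added here and not from the article, does both with the standard library's `xml.sax` expat reader; the sample documents are constructed, and the `file:///placeholder-path` reference in the rejected one is a placeholder that is never fetched.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Any document declaring a DTD is refused outright: without a DTD there can be
# no entity declarations, internal or external.
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class _Collector(ContentHandler):
    """Records element names and text so the caller gets plain data back."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self.text = []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_untrusted_xml(data: bytes):
    """Parse XML from an untrusted source; returns (element names, concatenated text)."""
    if _DOCTYPE.search(data):
        raise ValueError("DTD declarations are not accepted")
    parser = xml.sax.make_parser()
    # Defence in depth: even if a DTD slipped past the check above, the parser
    # must not resolve external general or parameter entities.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _Collector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.elements, "".join(handler.text).strip()


def accepts(data: bytes) -> bool:
    """True if the document is well-formed and DTD-free, False otherwise."""
    try:
        parse_untrusted_xml(data)
        return True
    except (ValueError, xml.sax.SAXParseException):
        return False


# Constructed samples: one benign order document, one carrying an external entity.
BENIGN = b"<order><item>widget</item></order>"
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
            b"<order>&ext;</order>")
```

If the application can accept JSON instead of XML, as the text suggests, the whole class of problem disappears along with the parser.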
5. Broken Access Control
Broken access control is, put simply, unauthorized access to functions and data, for example using a regular user's account to obtain the privileges of the admin account. Broken access control remains one of the most prevalent issues on the OWASP Top 10 list.
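The two failure modes hidden in that description are vertical escalation (a regular user reaching admin functions) and horizontal escalation (a user reaching another user's data). Both are prevented by a deny-by-default check that looks at the role and, for record-level actions, at ownership. The Python below is an added example rather than code from the article; the roles, actions and sample users are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # constructed roles: "user" or "admin"


@dataclass(frozen=True)
class Record:
    id: int
    owner_id: int


# Role -> permitted actions. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "user": {"record:read", "record:update"},
    "admin": {"record:read", "record:update", "record:delete", "admin:list_users"},
}


def is_allowed(user, action, record=None):
    """Deny-by-default authorization.

    The role must grant the action (stops vertical escalation), and for
    record-level actions a non-admin caller must own the record (stops
    horizontal escalation). Unknown roles get no permissions at all.
    """
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    if record is not None and user.role != "admin" and record.owner_id != user.id:
        return False
    return True


def get_record(user, record):
    """Server-side handler: the check happens here, never only in the client UI."""
    if not is_allowed(user, "record:read", record):
        raise PermissionError("forbidden")
    return {"id": record.id, "owner": record.owner_id}


# Constructed sample principals and data.
alice = User(id=1, role="user")
bob = User(id=2, role="user")
root = User(id=99, role="admin")
alices_record = Record(id=10, owner_id=1)
bobs_record = Record(id=11, owner_id=2)
```

The important property is that the record id supplied in a request is never trusted on its own: the handler loads the record, then compares its owner with the authenticated caller.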
6. Security Misconfiguration
Security misconfiguration is the most common vulnerability on the list. Examples include poorly configured cloud permission settings, overly detailed error messages, and missing HTTP security headers.
One of the most common webmaster mistakes is keeping the default CMS configuration; as a result, the most common attacks are largely automated and rely on sites still running with default settings.
Security misconfiguration can be avoided by removing any unused features from the code and ensuring that error messages are more generic.
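Missing HTTP security headers, cacheable sensitive responses (the "disable caching" advice under Sensitive Data Exposure above) and verbose error messages can all be checked mechanically. The Python below is an added example, not code from the article: it audits a response's headers against an assumed baseline policy and shows an error handler that logs the detail server-side while returning only a generic message and a reference id to the client. The two header sets are constructed.

```python
import logging
import uuid

logger = logging.getLogger("app")

# Baseline headers every response should carry and a minimal check of each value.
# This is an assumed policy for illustration; real requirements vary per application.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": lambda v: "max-age=" in v,
    "X-Content-Type-Options": lambda v: v.lower() == "nosniff",
    "X-Frame-Options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "Content-Security-Policy": lambda v: "default-src" in v,
}


def audit_headers(headers, sensitive):
    """Return a list of findings for one response's headers (empty means compliant)."""
    normalised = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, value_ok in REQUIRED_HEADERS.items():
        value = normalised.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif not value_ok(value):
            findings.append(f"weak {name}: {value}")
    if sensitive and "no-store" not in normalised.get("cache-control", "").lower():
        findings.append("sensitive response is cacheable (Cache-Control lacks no-store)")
    return findings


def error_response(exc):
    """Generic client-facing error: detail goes to the log, only a reference id goes out."""
    ref = uuid.uuid4().hex[:12]
    logger.error("request failed ref=%s: %r", ref, exc)
    return {"error": "An internal error occurred.", "reference": ref}


# Constructed responses: one with typical default-configuration gaps, one hardened.
WEAK_HEADERS = {
    "Content-Type": "application/json",
    "X-Frame-Options": "ALLOWALL",
    "Cache-Control": "public, max-age=600",
}
HARDENED_HEADERS = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "Cache-Control": "no-store",
}


def demo():
    """Audit both constructed responses as if they carried sensitive data."""
    return audit_headers(WEAK_HEADERS, True), audit_headers(HARDENED_HEADERS, True)
```

Running `audit_headers` over captured responses from a staging deployment is a cheap way to catch a framework or CMS left on its defaults before it goes live.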
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
Insecure deserialization is a situation where untrusted data is used to abuse the logic of an application. This threat targets the many web applications that routinely serialize and deserialize data.
The most reliable countermeasure against this threat is to not accept serialized objects at all, or to prohibit the deserialization of data from untrusted sources.
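"Not accepting serialized objects" in practice means accepting a data-only format and validating it against a strict allow-list of fields, instead of handing untrusted bytes to a native object serializer. The Python below is an added example, not code from the article: the unsafe loader shows the pattern to avoid (Python's `pickle` reconstructs arbitrary objects from the data), and the safe loader parses JSON and enforces a constructed order schema.

```python
import json
import pickle

# Allowed shape of an incoming "order" message: field name -> required Python type.
# The schema is constructed for this example.
ORDER_SCHEMA = {"order_id": int, "sku": str, "quantity": int}


class UnsafePayload(ValueError):
    pass


def load_order_unsafe(raw: bytes):
    # Vulnerable pattern: pickle rebuilds whatever objects the sender encoded and can
    # run code while doing so, so it must never see untrusted input.
    return pickle.loads(raw)


def load_order(raw: bytes) -> dict:
    """Hardened loader: JSON only, exact field set, exact types, value checks."""
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise UnsafePayload(f"not valid JSON: {exc}") from None
    if not isinstance(obj, dict) or set(obj) != set(ORDER_SCHEMA):
        raise UnsafePayload("unexpected or missing fields")
    for field, kind in ORDER_SCHEMA.items():
        # type() rather than isinstance() so that a JSON true/false is not taken as an int.
        if type(obj[field]) is not kind:
            raise UnsafePayload(f"field {field} has wrong type")
    if obj["quantity"] <= 0:
        raise UnsafePayload("quantity must be positive")
    return obj


def is_valid_order(raw: bytes) -> bool:
    """Convenience wrapper for callers that only need accept/reject."""
    try:
        load_order(raw)
        return True
    except UnsafePayload:
        return False
```

The allow-list is deliberately exact: extra fields such as type or class hints are rejected rather than ignored, which also closes the door on deserialization libraries that honour such hints.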
9. Using Components with Known Vulnerabilities
Many modern web developers use libraries and frameworks in their web applications. These components are pieces of software that help developers avoid redundant work and provide functionality. Using components with known vulnerabilities can make your application prone to a variety of problems, but this can be mitigated by keeping these components up to date.
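Keeping components up to date starts with knowing which pinned versions fall below the version in which a known issue was fixed. The Python below is an added example, not code from the article: it parses a pinned requirements list and compares each entry against an advisory table. The package names, advisory ids and versions are all constructed for illustration; a real check would read from a vulnerability database.

```python
import re

# Constructed advisory data: package -> [(advisory id, first fixed version), ...].
# These packages and ids are made up for the example.
ADVISORIES = {
    "examplelib": [("EXAMPLE-ADV-0001", "2.4.1")],
    "otherlib": [("EXAMPLE-ADV-0002", "1.0.5"), ("EXAMPLE-ADV-0003", "1.2.0")],
}

# Only exact pins are accepted; a floating version cannot be audited.
_PIN = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$")


def parse_version(version):
    """Turn '1.10.2' into (1, 10, 2) so comparisons are numeric, not lexical."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def parse_requirements(text):
    """Return {package: version} from requirements.txt-style text with '==' pins."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        match = _PIN.match(line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def find_vulnerable(pins, advisories=ADVISORIES):
    """List (package, pinned, advisory id, fixed_in) for every pin below a fix."""
    findings = []
    for name, version in pins.items():
        for advisory_id, fixed_in in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, advisory_id, fixed_in))
    return findings


# Constructed requirements file for the example.
SAMPLE_REQUIREMENTS = """
# pinned dependencies (constructed)
examplelib==2.3.0
otherlib==1.1.0   # one of its two advisories is already fixed at this version
safelib==0.9.0
"""
```

Run as part of the build so that a pin below a fixed version fails the pipeline instead of reaching production.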
10. Insufficient Logging and Monitoring
Insufficient logging and monitoring is not necessarily a vulnerability but rather an oversight by cybersecurity specialists. It refers to insufficient logging and monitoring of errors and a lack of reaction to incidents. To combat this threat, one should record information such as HTTP status codes, timestamps, API endpoint users, page locations and IP addresses in your logs.
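Logging those fields is only half of the control; the other half is a detection that reads them back. The Python below is an added example, not code from the article: it writes one structured record per request with the fields named above and runs a simple detector over a constructed log that flags a client IP with repeated failed logins inside a short window. The IP addresses come from the documentation ranges, and the threshold and window are assumed values.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def log_request(status, endpoint, user, client_ip, when=None):
    """Build one JSON log record carrying status, timestamp, endpoint, user and IP."""
    return json.dumps({
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "status": status,
        "endpoint": endpoint,
        "user": user,
        "ip": client_ip,
    })


def detect_auth_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return the set of IPs with at least `threshold` 401s on /login within `window`."""
    failures = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        if rec["endpoint"] == "/login" and rec["status"] == 401:
            failures[rec["ip"]].append(datetime.fromisoformat(rec["ts"]))
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        # Sliding window: compare each failure with the one `threshold - 1` earlier.
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged.add(ip)
                break
    return flagged


# Constructed log: one client hammering /login, one user who mistyped once.
_BASE = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [log_request(401, "/login", "admin", "203.0.113.7", _BASE + timedelta(seconds=20 * i))
     for i in range(6)]
    + [
        log_request(401, "/login", "alice", "198.51.100.4", _BASE + timedelta(minutes=1)),
        log_request(200, "/login", "alice", "198.51.100.4", _BASE + timedelta(minutes=2)),
        log_request(200, "/api/orders", "alice", "198.51.100.4", _BASE + timedelta(minutes=3)),
    ]
)

if __name__ == "__main__":
    print(detect_auth_bruteforce(SAMPLE_LOG))
```

Because every record is self-describing JSON, the same lines can be shipped to a central log store and the detector rerun there, which is where the "reaction to incidents" part of the control lives.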
With the popularity of the OWASP Top 10, many refer to it as a checklist and rely on it to bolster their defences against security risks. A number of companies offer services that specialize in cybersecurity, and employing their services is a good step towards a secure cyberspace.
There is always a possibility of threats penetrating your defences, but knowing about them is the first step and the best way to fight them. Web applications are updated rapidly and constantly, and along with new features new vulnerabilities may appear, which are then included in the next update of the OWASP Top 10 list.