What are the OWASP Top 10 Vulnerabilities?

RegoCorporate


What is OWASP?

The Open Web Application Security Project (OWASP) is a non-profit organisation with one vision: that all contributed efforts are freely available and readily accessible to anyone wanting to improve their web application security posture. More broadly, OWASP offers a range of materials including documentation, tooling, training videos and forum discussion, with the OWASP Top Ten web application vulnerabilities being its best-known project and the one that has gained the most traction in the web application security space.

What is the OWASP Top 10?

The project is globally recognised by both security professionals and developers, who use it to improve their secure coding methods. The OWASP Top 10 is produced by the OWASP online community, which publishes documentation and guidelines on the most current and critical risks impacting modern web applications.

The below outlines the security risks currently reported by the OWASP Top 10 Project:

1. Injection

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter or program as part of a command or query, typically through input provided to a web application. Malicious data entered by the attacker can trick the interpreter into executing commands the application never intended, giving some level of application compromise.
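The following is an added example, not code from the original article, showing the SQL form of this flaw beside its fix. It uses a constructed in-memory SQLite table and shows that a legitimate value containing an apostrophe is enough to prove the string-built query hands user text to the interpreter as SQL, while the bound parameter only ever treats it as data.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The untrusted value is pasted into the SQL text, so the interpreter
    # sees it as part of the statement rather than as a value to compare.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the statement is fixed and the value travels
    # separately, so quote characters in it can never change the query.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def vulnerable_query_parses(conn: sqlite3.Connection, name: str) -> bool:
    """False means the input has altered the SQL syntax: the interpreter is
    executing the user's text, which is exactly the injection condition."""
    try:
        find_user_vulnerable(conn, name)
        return True
    except sqlite3.OperationalError:
        return False

if __name__ == "__main__":
    db = make_db()
    # A real surname with an apostrophe shows the difference: the safe query
    # simply finds no match, the string-built one is no longer valid SQL.
    print(find_user_safe(db, "o'brien"))           # []
    print(vulnerable_query_parses(db, "o'brien"))  # False
```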

2. Broken Authentication

Broken authentication vulnerabilities occur when functions related to the login process are implemented poorly. When this type of vulnerability is present, access to user accounts and in some cases the entire system can be achieved, depending on the level of privilege of the compromised account.

What has become more prevalent in the industry is the use of two-factor authentication (2FA) and restrictions on the number of consecutive failed login attempts before an account is locked out.

3. Sensitive Data Exposure

It is still not uncommon to see unfiltered access to web application and API data, which can include what is known as Personally Identifiable Information (PII). This information can consist of credit card, medical and various other types of sensitive data. Attackers may use this stolen data to commit fraud and identity crime.

To minimise the risk, ensure data is encrypted both in transit and at rest. Data exposure can also be reduced by disabling caching of sensitive information by the web browser. Caching exists to improve page load times by saving the page locally so it does not have to be re-fetched from the web, but that same local copy leaves sensitive data on the client after the session ends.

4. XML External Entities (XXE)

This attack targets web applications that parse XML (Extensible Markup Language) input, by supplying XML that references an external entity. An external entity in this instance is a reference to content held outside the document itself, such as a file on the server or a remote URL. A parser that resolves such references can be tricked into reading that content into the document, which can then be used to pass sensitive information back to the attacker.

The use of XML is slowly being phased out due to its level of complexity and its security issues. To prevent XML-based web application attacks, prefer less complex data formats such as JavaScript Object Notation (JSON) for new development, and where XML must be accepted, configure the parser not to process external entities.
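Where XML input cannot be avoided, the parser must never see a document type definition, because that is the only place an entity can be declared. The block below is an added example and not code from the original article: it uses Python's standard expat parser to abort as soon as a DOCTYPE appears, before any entity could be expanded, and only then hands the document to ElementTree. The sample documents, including the placeholder server path in the entity declaration, are constructed for the example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

class ForbiddenDTD(ValueError):
    """Untrusted XML carried a DOCTYPE, the only place entities can be declared."""

def reject_dtd(xml_text: str) -> None:
    # Expat calls this handler the moment it reads <!DOCTYPE ...>, before any
    # entity declared inside it could be expanded; raising aborts the parse.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD(f"DOCTYPE '{name}' is not accepted from untrusted input")
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_text, True)

def parse_untrusted(xml_text: str) -> ET.Element:
    """Parse XML from outside the trust boundary, refusing any document with a DTD."""
    reject_dtd(xml_text)
    return ET.fromstring(xml_text)

def is_accepted(xml_text: str) -> bool:
    """True only for well-formed, DTD-free documents."""
    try:
        parse_untrusted(xml_text)
        return True
    except (ForbiddenDTD, ET.ParseError, xml.parsers.expat.ExpatError):
        return False

# Constructed samples: a plain order document, and one carrying an external
# entity declaration that points at a placeholder path on the server.
GOOD_XML = "<order><id>7</id><item>widget</item></order>"
XXE_XML = ('<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/server-file">]>'
           "<order><id>&ext;</id></order>")

if __name__ == "__main__":
    print(parse_untrusted(GOOD_XML).findtext("id"))  # 7
    print(is_accepted(XXE_XML))                      # False
```

The document is scanned twice (once by the gate, once by ElementTree), which is the price of keeping the check independent of the parser that consumes the data.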

5. Broken Access Control

The use of access controls restricts access to areas of an application. A broken access control allows an attacker to bypass these restrictions and perform tasks as if they were the authorised privileged user, such as an administrator.

These bypass techniques can be prevented with an authorisation token that is checked on the server for each privileged request a user makes. Checking the token confirms that the user is who they say they are and is entitled to the requested action, preventing bypass or privilege escalation.

It is important to understand that this vulnerability can lead to a GDPR breach, if one user’s data is exposed to another.

6. Security Misconfiguration

Security misconfiguration is a commonly seen web application vulnerability. This is often the result of insecure default configurations that can lead to a compromise. Some examples include verbose error messages, incomplete configurations, and open cloud storage.

Some example misconfigurations that have been seen surround cloud storage and exposed Amazon S3 buckets. Worryingly, these S3 buckets can be identified openly by anyone and do not require a skilled adversary. Research suggests that in the 18 months leading up to the middle of 2020, nearly 80% of companies experienced a cloud data breach, according to a survey of 300 CISOs.

7. Cross-Site Scripting (XSS)

Cross-site scripting (XSS) flaws occur when a web application allows user-supplied content to be inserted into a web page without proper input validation. This vulnerability can be exploited to execute malicious JavaScript in victims' browsers to hijack user sessions, plant key loggers and deface websites.

Cross-site scripting was once more prevalent in applications, but because modern application frameworks provide built-in protections the issue is becoming less common.

8. Insecure Deserialization

This attack targets web applications, many of which serialize and deserialize data. Serialization converts an object into bytes so it can be stored in memory or on disk, or transferred elsewhere. Deserialization is the opposite, converting those bytes back into a live object the application can use.

The vulnerability occurs when an attacker can tamper with the serialized data before it is converted back into an object, hence the name insecure deserialization. The result can be Distributed Denial-of-Service (DDoS) and remote code execution attacks.

Deserialization attacks can be monitored for; however, the most effective approach is to deny the deserialization of data from untrusted sources.
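One way to put that advice into practice, as an added example that is not code from the original article: serialize to JSON (plain data, so no object is reconstructed on the way back) and attach an HMAC, so that any bytes the client altered before returning them fail verification and are never handed to the decoder. The key, the session contents and the `swap_payload` helper that simulates tampering are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the example; a real service loads it from a secret store.
SECRET_KEY = b"constructed-example-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")

def serialize(obj: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize to canonical JSON and sign the exact bytes that will be checked."""
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def deserialize(token: str, key: bytes = SECRET_KEY) -> dict:
    """Only bytes whose MAC verifies reach json.loads; anything altered in
    transit, or not issued with our key, is rejected before interpretation."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("malformed token") from exc
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: data altered or not issued here")
    return json.loads(payload)

def is_trusted(token: str, key: bytes = SECRET_KEY) -> bool:
    try:
        deserialize(token, key)
        return True
    except ValueError:
        return False

def swap_payload(token: str, obj: dict) -> str:
    """Simulate tampering: keep the original tag but replace the serialized data."""
    _, tag_b64 = token.split(".", 1)
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + tag_b64

if __name__ == "__main__":
    tok = serialize({"user": "bob", "role": "user"})
    print(is_trusted(tok))                                              # True
    print(is_trusted(swap_payload(tok, {"user": "bob", "role": "admin"})))  # False
```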

9. Using Components with Known Vulnerabilities

Modern applications make use of various frameworks and libraries, which inherit the same level of privilege as the application. Their purpose is to help developers incorporate needed functionality into their applications. Attackers will look for vulnerabilities in these additional components as a route to compromising the application.

While the developers of these libraries and frameworks offer security patches and updates to remediate identified vulnerabilities, some application developers will still end up unintentionally using vulnerable components, either by simply not using the latest version or through neglect.

The best approach is to keep an inventory of all frameworks and libraries in use, obtain them from trusted sources, record when they were installed, and have a patch management strategy in place. Minimising the use of these additional components also reduces the overall risk.

10. Insufficient Logging & Monitoring

Many web applications continue to lack sufficient logging and monitoring, leading to breaches going unnoticed. This weakness can allow attackers to gain persistence within a system, leaving them an unlimited amount of time to pivot, add or delete data, and further compromise the application or associated systems.

It is recommended to implement a centralised logging and monitoring system with an effective incident response process, to reduce the time it takes to detect and act on a breach.

OWASP Penetration Testing

Web application testing is one of the core services offered by Rego Information Security. Our team of security professionals has years of industry experience combined with both academic and industry-related certifications, enabling us to identify all variants of vulnerabilities impacting modern-day applications.