OWASP Top 10

The is a list of critical security risks endangering websites and web apps. It is a regularly-updated report outlining security concerns for web application security, focusing on the 10 most critical risks. The report is put together by a team of security experts from all over the world. OWASP refers to the Top 10 as an ‘awareness document’ and they recommend that all companies incorporate the report into their processes in order to minimize and/or mitigate security risks.

Access controls are designed to prevent users from acting outside their intended permissions. Users can take actions beyond the scope of their authorized permissions if there are vulnerabilities in these controls or if they do not exist. Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.

Common Vulnerabilities include:

• Violation of the principle of least privileges wherein access is granted to everybody instead of what is necessary to do their job

• Use of default passwords and credentials

• Ability to tamper with URL, API access requests, etc. to bypass access control checks

• Design flaws, bugs, etc. that allow privilege escalation

• Insecure direct object references that allow attackers to view/ modify user accounts

• Metadata manipulation, etc.

• Directory listing

• Cross-site request forgery

Many web applications and APIs do not properly protect sensitive data with strong encryption. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data must be encryption at rest and in transit, using a modern (and correctly configured) encryption algorithm.

Common Cryptographic Failures include:

• Data stored in plaintext

• Using old cryptographic algorithms and encryption protocols

• Using default, old, or reused keys

• Unvalidated/ improperly validated server certificates and chain of trust

• Using deprecated cryptographic hash functions, etc.

• Unencrypted communication

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. One of the most common injections is. The SQL injection vulnerability allows attackers to interfere with queries made by the application to the database. Attackers insert malicious SQL statements into the entry field in which the application runs. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Comman attacks include:

• SQL Injection

• Command Execution

Common Vulnerabilities that Enable Injections:

• Application accepts/ runs un-sanitized and unvalidated user inputs

• Dynamic queries and non-parameterized calls being used without context-aware parsing

• Hostile data being concatenated or used within ORM search parameters

Insecure design is focused on the risks associated with flaws in design and architecture. It focuses on the need for threat modeling, secure design patterns, and principles. The flaws in insecure design are not something that can be rectified by an implementation. Insecure design also refers to the flawed or inadequate design practices in the development and deployment of web applications, which can result in the creation of vulnerabilities that can be exploited by attackers.

Examples of insecure design include the use of inadequate or outdated security controls, the use of components with known vulnerabilities, and the use of weak cryptography. Insecure design can also include the lack of proper input validation and error handling, which can result in the injection of malicious code into a system, as well as insufficient access control, which can allow unauthorized access to sensitive information.

Command attacks includes:

• Information leakage

• File upload vulnerabilities

Some Factors That Cause the Insecure Design Flaw:

• Insecure SDLC practices

• Use of legacy components

• Use of codes, themes, plugins, frameworks, libraries, etc. with known vulnerabilities

• Not testing enough and not testing early

• Coding flaws and misconfigurations

• Lack of business risk profiling

• Flawed business logic

Application Security Misconfiguration attacks exploit configuration weaknesses found in web applications. Many applications come with necessary developer features that are dangerously unsafe if not deactivated during live production, such as debug and QA features. These features may provide means for a hacker to bypass authentication methods and gain access to sensitive information, perhaps with elevated privileges.

Common Vulnerabilities:

• Lack of adequate security hardening across the application

• Unnecessary features such as ports, services, pages, accounts, privileges, etc. are enabled/ installed

• Incorrect, incomplete, or outdated security configurations

• Default accounts, passwords, configurations, etc.

• Insecurely configured permissions on cloud services

• Misconfigured HTTPS headers

• Outdated/ unpatched software or components

• Overly informative error messages

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

Common Vulnerabilities:

• Using components with known vulnerabilities

• Using outdated (patches aren’t released anymore) or incompatible components

• Using components on the client and server-side without knowing their versions

• Improperly configured components

• Not regularly updating components with the latest patches

• Not regularly scanning for vulnerabilities

• Developers not testing the compatibility of libraries (updated, upgraded, or patched)

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

Common Vulnerabilities:

• Weak, default, and well-known passwords allowed

• Weakly-hashed and/or plaintext password data stores

• Ineffective/ missing multifactor authentication

• Ineffectively validated session IDs, authentication tokens, etc.

• Weak forgot password/ credential recovery procedures

• Session identifiers exposed in URL/ reused after successful login

Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure deployment pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. Lastly, many applications now include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations.

Common Vulnerabilities:

• Faulty assumptions about software updates

• Insecure CI/CD pipelines

• Application depends on libraries, plugins, and modules from untrusted sources, CDNs, repositories, etc.

• Insecure deserialization

• Auto-update functionalities enabled without integrity checks and validation

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

Common Vulnerabilities:

• Insufficient, unclear, or no logging of auditable events (logins, failed logins, etc.)

• Logs not examined for unusual or suspicious activities

• Storing logs locally

• Real-time monitoring, detection, and alerting systems, response escalation mechanisms, and incident response plans are not in place/ not effective.

• Error and warning messages unclear, inadequate, or not present

Server-Side Request Forgery (SSRF) flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).

Attackers can easily bypass firewalls, VPNs, and access control lists, coercing applications to send crafted messages to unexpected destinations. This way, they can access and/or modify resources, plant malware, execute code, compromise systems, etc.

Coming up more in next pages, where I will explain about each vulnerabilities, impact and their mitigation in details.