OWASP stands for Open Web Application Security Project. It aims to raise awareness about application security by identifying some of the most critical risks facing organizations.
The items on the newly released list are:
- Injection.
- Broken Authentication.
- Sensitive Data Exposure.
- XML External Entities.
- Broken Access Control.
- Security Misconfiguration.
- Cross-site Scripting (XSS).
- Insecure Deserialization.
- Using Components With Known Vulnerabilities.
- Insufficient Logging and Monitoring.
Injection
Injection flaws, such as SQL, NoSQL, and OS command injection, occur when untrusted or unverified data is sent to an interpreter as part of a query or command.
Example: SQL injection is a popular attack.
1. Use a safe API that avoids the use of the interpreter entirely.
2. Use positive ("whitelist") server-side input validation. This is not a complete defense, as many applications require special characters, for example in text areas or in APIs for mobile applications.
3. Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in the event of SQL injection.
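The three points above side by side, as an added example that is not part of the original post: a lookup that concatenates user input into SQL, the same lookup done through a parameterized query with a bound LIMIT, and an allowlist check for the one case parameters cannot cover (a column name chosen by the client). The table, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed in-memory table so the example runs offline.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # VULNERABLE: the untrusted value is pasted into the SQL text, so the
    # interpreter cannot tell data from syntax and a quote in the input
    # changes the meaning of the query.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str, limit: int = 1) -> list:
    # SAFE: placeholders keep the value out of the SQL text entirely, and the
    # bound LIMIT caps how many rows one lookup can ever return.
    sql = "SELECT name, email FROM users WHERE name = ? LIMIT ?"
    return conn.execute(sql, (name, limit)).fetchall()


ALLOWED_SORT_COLUMNS = {"name", "email"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str, limit: int = 10) -> list:
    # Identifiers cannot be bound as parameters, so a client-chosen column name
    # is checked against a fixed allowlist before it is placed in the SQL.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT name, email FROM users ORDER BY {sort_by} LIMIT ?"
    return conn.execute(sql, (limit,)).fetchall()
```

Run `find_user_vulnerable` and `find_user_safe` with the same input containing a quote and compare the row counts: the concatenated query returns every user, the parameterized one returns none because no user has that literal name.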
Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
1. Implement multi-factor authentication to prevent automated credential stuffing, brute force, and stolen-credential re-use attacks.
2. Do not deploy with any default credentials, particularly for admin users.
3. Implement weak-password checks, such as testing new or changed passwords against a list of the top worst passwords.
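Point 3 as an added example (not code from the original post): a weak-password check that compares new or changed passwords against a worst-passwords list after normalizing them, so trivial variants such as capitalization or a trailing "123" do not slip past, and that also rejects passwords containing the username. The list here is a constructed stand-in; a real deployment loads a published list of many thousands of entries.

```python
import unicodedata

# Constructed stand-in for a "top worst passwords" list.
WORST_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "admin", "welcome", "password1",
}
MIN_LENGTH = 8


def normalize(value: str) -> str:
    # Unicode-normalize and case-fold so "Password", "PASSWORD" and
    # full-width variants all compare equal to the list entry.
    return unicodedata.normalize("NFKC", value).casefold()


def password_problems(password: str, username: str = "") -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    norm = normalize(password)
    if len(password) < MIN_LENGTH:
        problems.append("shorter than minimum length")
    if norm in WORST_PASSWORDS:
        problems.append("appears on the worst-passwords list")
    elif norm.rstrip("0123456789!@#$") in WORST_PASSWORDS:
        # "Qwerty123" or "password!" is just a list entry with padding.
        problems.append("is a worst-password padded with trailing digits or symbols")
    if username and normalize(username) in norm:
        problems.append("contains the username")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    return not password_problems(password, username)
```

Returning the list of reasons rather than a bare boolean lets the registration form tell the user what to change, while `is_acceptable` is the one-line check the account-creation and password-change handlers call.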
Sensitive Data Exposure
Web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
1. Classify data processed, stored or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
2. Apply controls as per the classification.
3. Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.
4. Make sure to encrypt all sensitive data at rest.
5. Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
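Point 3 (tokenization or truncation instead of retaining the raw value) as an added example that is not part of the original post. A card number is replaced by an opaque token held in a separate vault, and the order record keeps only that token plus a truncated form for receipts, so the full number never lands in the orders table. The `TokenVault` class, its in-memory store and the sample card number are constructed for the example; a production vault is a separately secured store that itself encrypts what it holds at rest (point 4).

```python
import secrets


class TokenVault:
    """Constructed in-memory vault mapping opaque tokens to the real value.
    The application stores and passes around tokens; only the vault can
    resolve them, and only callers that genuinely need the full value do so."""

    def __init__(self) -> None:
        self._store = {}

    def tokenize(self, pan: str) -> str:
        # The token is random, so it reveals nothing about the card number.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits; everything else is masked."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def record_order(vault: TokenVault, pan: str) -> dict:
    # What gets persisted with the order: a token and a masked number.
    return {"card_token": vault.tokenize(pan), "card_last4": truncate_pan(pan)}
```

If the orders table is later exposed, an attacker obtains tokens that are meaningless outside the vault and masked numbers that cannot be used for fraud; the data that was never retained there cannot be stolen from it.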
XML External Entities
External entities can be used to disclose internal files using the file URI handler, to reach internal file shares, to perform internal port scanning, and to mount remote code execution and denial of service attacks.
1. Implement positive (“whitelisting”) server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
2. Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.
3. Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system.
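The defensive side of the section above as an added example that is not part of the original post: a parser for XML received from outside the trust boundary that refuses any document carrying a DOCTYPE, entity declaration or external entity reference, before the standard library's tree parser ever sees it. It uses only the standard library's expat bindings and `xml.etree`; the function names and the two sample documents are constructed for the example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DTD, entity declaration or external reference."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE is refused outright: untrusted documents never need a DTD,
    # and without one there is nothing to declare an external entity in.
    raise UnsafeXMLError(f"DOCTYPE declaration rejected (root={name!r})")


def _reject_entity_decl(*_args):
    raise UnsafeXMLError("entity declaration rejected")


def _reject_external_entity(context, base, system_id, public_id):
    # Returning a false value makes expat stop with an error instead of
    # fetching the referenced resource (defense in depth; the DOCTYPE
    # handler above normally fires first).
    return 0


def check_xml_has_no_dtd(data: str) -> bool:
    """Run expat once with handlers that abort on any DTD construct.

    Returns True for plain element markup; raises UnsafeXMLError otherwise
    (or expat.ExpatError for malformed input)."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _reject_external_entity
    parser.Parse(data, True)
    return True


def parse_untrusted_xml(data: str) -> ET.Element:
    """Parse XML from outside the trust boundary into an element tree."""
    check_xml_has_no_dtd(data)
    return ET.fromstring(data)


# Constructed sample inputs: one ordinary document, one carrying a DTD that
# declares an external entity pointing at a (made-up) local file.
SAFE_DOC = "<order><id>42</id><item sku='ABC'/></order>"
XXE_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///constructed/secret.txt">]>'
    "<order><id>&ext;</id></order>"
)
```

Rejecting the DOCTYPE rather than merely disabling external entity resolution also stops entity-expansion denial of service, since no entities can be declared at all; if a legitimate feed does require a DTD, the same check can be narrowed to the entity and external-reference handlers.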
Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.
1. With the exception of public resources, deny by default.
2. Implement access control mechanisms once and re-use them throughout the application, including minimizing CORS usage.
3. Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record.
4. Unique application business limit requirements should be enforced by domain models.
5. Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots.
6. Log access control failures, alert admins when appropriate (e.g. repeated failures).
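Points 1, 2, 3 and 6 above in one place, as an added example that is not part of the original post: a single authorization function that every request handler calls, which denies anything not explicitly allowed, treats public resources as the only exception, enforces record ownership rather than mere login, and logs each failure while counting repeated failures per user for alerting. The `User` and `Record` types, role names and threshold are constructed for the example.

```python
import logging
from collections import Counter
from dataclasses import dataclass

log = logging.getLogger("authz")
FAILURES = Counter()     # denied attempts per user id (constructed in-memory store)
ALERT_THRESHOLD = 5      # repeated failures that warrant alerting an admin


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Record:
    id: int
    owner_id: int
    public: bool = False


class AccessDenied(PermissionError):
    pass


def is_allowed(user: User, action: str, record: Record) -> bool:
    """The one place access decisions are made; handlers never reimplement this."""
    if action == "read" and record.public:
        return True                  # public resources are the only exception
    if "admin" in user.roles:
        return True
    if record.owner_id == user.id and action in {"read", "update", "delete"}:
        return True                  # ownership of the record, not just "logged in"
    return False                     # deny by default


def authorize(user: User, action: str, record: Record) -> None:
    """Raise AccessDenied (and log the failure) unless is_allowed says yes."""
    if is_allowed(user, action, record):
        return
    FAILURES[user.id] += 1
    log.warning("access denied: user=%s action=%s record=%s", user.id, action, record.id)
    if FAILURES[user.id] >= ALERT_THRESHOLD:
        log.error("ALERT: user=%s has %d access-control failures", user.id, FAILURES[user.id])
    raise AccessDenied(f"user {user.id} may not {action} record {record.id}")


def denied_count(user_id: int) -> int:
    return FAILURES[user_id]
```

Because `is_allowed` is the only decision point, a new rule (for instance a per-tenant business limit from point 4) is added once and applies everywhere; a handler that forgets to call `authorize` is the remaining risk, which a framework-level middleware or a test that exercises every route can catch.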
Security Misconfiguration
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must also be patched or upgraded in a timely fashion.
1. Use a minimal platform without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.
2. Use an automated process to verify the effectiveness of the configurations and settings in all environments.
3. Use a repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment.
Cross-site Scripting (XSS)
1. Use frameworks that automatically escape XSS by design, such as the latest Ruby on Rails or React JS. Learn the limitations of each framework's XSS protection and appropriately handle the use cases that are not covered.
Insecure Deserialization
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
1. Monitor deserialization and alert if a user deserializes constantly.
2. Implement integrity checks, such as digital signatures, on any serialized objects to prevent hostile object creation or data tampering.
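Point 2 as an added example that is not part of the original post: serialized objects carry an HMAC over the payload, and the receiving side verifies the tag in constant time before it decodes anything. The example also sticks to a data-only format (JSON) rather than a native object format, so even a payload that passes the check can only produce plain dicts and lists. The key, function names and sample object are constructed; a real key comes from a secrets manager, never from source code.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the example only.
SECRET_KEY = b"constructed-example-key-do-not-use"


class TamperedPayload(ValueError):
    """Raised when a token is malformed or its signature does not verify."""


def serialize_signed(obj: dict, key: bytes = SECRET_KEY) -> str:
    """Encode obj as canonical JSON and append an HMAC-SHA256 tag."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def deserialize_signed(token: str, key: bytes = SECRET_KEY) -> dict:
    """Verify the tag first; only then decode the payload."""
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        raise TamperedPayload("malformed token") from None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how much of the tag matched.
    if not hmac.compare_digest(expected, tag):
        raise TamperedPayload("signature mismatch")
    return json.loads(base64.urlsafe_b64decode(payload))
```

The order matters: nothing about the payload (not even its base64 decoding) is touched until the signature has verified, so a hostile payload never reaches a decoder.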
Using Components With Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.
1. Remove unused dependencies, unnecessary features, components, files, and documentation.
2. Only obtain components from official sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component.
Insufficient Logging and Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
1. Ensure that logs are generated in a format that can be easily consumed by centralized log management solutions.
2. Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.
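Both points above as an added example that is not part of the original post: a helper that emits one JSON object per line for a central log platform, and an append-only audit trail in which every entry commits to the hash of the one before it, so that editing or deleting an entry is detected on verification. The `AuditTrail` class and the sample events are constructed for the example; the hash chain stands in for whatever integrity control (append-only tables, write-once storage) the deployment actually uses.

```python
import datetime
import hashlib
import json


def log_line(event: str, **fields) -> str:
    """One JSON object per line with a UTC timestamp: no custom regexes
    needed on the collector side."""
    record = {
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "event": event,
        **fields,
    }
    return json.dumps(record, sort_keys=True)


def parse_log_line(line: str) -> dict:
    return json.loads(line)


GENESIS = "0" * 64   # hash the first entry chains to


class AuditTrail:
    """Append-only audit trail. Each entry's hash covers its sequence number,
    the previous entry's hash and the event, so verify() notices any edit,
    removal or reordering after the fact."""

    def __init__(self) -> None:
        self._entries = []

    @staticmethod
    def _digest(seq: int, prev_hash: str, event: dict) -> str:
        body = json.dumps({"seq": seq, "prev": prev_hash, "event": event}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, event: dict) -> dict:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        seq = len(self._entries)
        entry = {"seq": seq, "prev": prev, "event": event,
                 "hash": self._digest(seq, prev, event)}
        self._entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e["seq"] != i or e["prev"] != prev:
                return False
            if e["hash"] != self._digest(e["seq"], e["prev"], e["event"]):
                return False
            prev = e["hash"]
        return True

    def __len__(self) -> int:
        return len(self._entries)
```

The chain only detects tampering; it does not prevent it. Publishing the latest hash somewhere the application cannot overwrite (a separate log sink, a daily digest mailed to the security team) is what turns detection into something an incident responder can rely on.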
For more details, visit the official OWASP website.