OWASP top 10

OWASP stands for Open Web Application Security Project. It is a non-profit community that aims to raise awareness about application security; its Top 10 identifies the most critical risks facing web applications and the organizations that run them.

The current list (the 2017 edition) is:

  1. Injection.
  2. Broken Authentication.
  3. Sensitive Data Exposure.
  4. XML External Entities (XXE).
  5. Broken Access Control.
  6. Security Misconfiguration.
  7. Cross-Site Scripting (XSS).
  8. Insecure Deserialization.
  9. Using Components With Known Vulnerabilities.
  10. Insufficient Logging and Monitoring.

Injection

Injection flaws, such as SQL, NoSQL, LDAP and OS command injection, occur when untrusted or unverified data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or accessing data without authorization.

Example: SQL injection, where attacker-supplied text is concatenated into a database query and changes its meaning, is the best-known form.

Mitigation:

1. Use a safe API that avoids the interpreter entirely or provides a parameterized interface (prepared statements with bound parameters, or an ORM's query builder).

2. Use positive (whitelist) server-side input validation. This is not a complete defense on its own, as many applications must accept special characters, for example in free-text fields or in APIs for mobile applications.

3. Use LIMIT and other SQL controls within queries to reduce mass disclosure of records if an injection does succeed. This limits damage; it does not fix the flaw.
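As an added illustration (example code written for this page, not part of the original article or of OWASP's material), the snippet below puts the vulnerable pattern and the parameterized fix side by side against an in-memory SQLite table with constructed sample rows. The payload is the classic tautology `x' OR '1'='1`; the table contents, column names and the `LIMIT 1` default are assumptions of the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted input is concatenated into the SQL text, so the attacker
    controls the structure of the query, not just a value in it."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str, limit: int = 1) -> list:
    """Parameterized query: the driver passes the value separately from the
    SQL text, so it can never be parsed as SQL. LIMIT bounds how much a
    logic error elsewhere could disclose; it is not the injection fix."""
    sql = "SELECT name, email FROM users WHERE name = ? LIMIT ?"
    return conn.execute(sql, (name, limit)).fetchall()


# Constructed attack string: closes the quoted literal, then appends a
# condition that is always true.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(find_user_vulnerable(conn, PAYLOAD))  # every row in the table
    print(find_user_safe(conn, PAYLOAD))        # [] : no user is literally named that
    print(find_user_safe(conn, "alice"))        # [('alice', 'alice@example.com')]
```

The same bound-parameter discipline applies to NoSQL query objects and to OS commands (pass an argument list, never a shell string).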

Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

Mitigation:

1. Implement multi-factor authentication to prevent automated credential stuffing, brute force and stolen-credential re-use attacks.

2. Do not ship or deploy with any default credentials, particularly for admin users.

3. Implement weak-password checks, such as testing new or changed passwords against a list of the top 10,000 worst passwords.
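The following is an added example (written for this page, not code from the article or from OWASP) of two of these controls in one place: a weak-password check against a denylist, and a per-account failure counter with a lockout window that slows the brute-force and credential-stuffing attacks mentioned in point 1. The six-entry `WORST_PASSWORDS` set is a constructed stand-in for a real breach-derived list, the 12-character minimum and the 5-failure/15-minute lockout are assumed policy values, and the in-memory counters would live in a shared store in a real deployment.

```python
import time
from collections import defaultdict

# Constructed stand-in for a "top worst passwords" list. A real check loads a
# full breach-derived list (tens of thousands of entries) from disk.
WORST_PASSWORDS = {"123456", "password", "qwerty", "letmein", "admin", "welcome1"}


def check_new_password(password: str, username: str) -> list[str]:
    """Return the reasons a candidate password is rejected; empty means accepted."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in WORST_PASSWORDS:
        problems.append("appears in the worst-passwords list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


class LoginThrottle:
    """Per-account failure counter with a lockout window.

    The clock is injectable so the behaviour can be tested without sleeping.
    State is in memory here (assumption for the example); production keeps it
    in a shared store so every application instance sees the same counters.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures: dict[str, int] = defaultdict(int)
        self.locked_until: dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:          # window expired: reset and allow
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def record_failure(self, account: str) -> None:
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)
```

Check `is_locked()` before verifying the password, and call `record_failure()` on every bad attempt regardless of whether the account exists, so the response does not leak which usernames are valid. Lockout alone does not stop an attacker who sprays one password across many accounts; that is what multi-factor authentication and the denylist address.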

Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data such as financial records, healthcare data and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

Mitigation:

1. Classify data processed, stored or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.

2. Apply controls as per the classification.

3. Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.

4. Encrypt all sensitive data at rest, and all data in transit using TLS.

5. Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
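Point 3 (tokenization and truncation) is the one most often skipped, so here is an added example of what "data that is not retained cannot be stolen" looks like in code. This is illustrative code written for this page, not from the article or from OWASP: `TokenVault` stands in for a separate, tightly controlled tokenization service (its storage is an in-memory dict here), the token format is an assumption, and the card number is a constructed test value.

```python
import secrets


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits for receipts and support
    screens. The discarded digits cannot be recovered from what is stored."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Minimal tokenization service.

    The application keeps only the random token; the token -> PAN mapping
    lives here, in a component with its own access controls and audit trail.
    The token is random, not derived from the PAN, so it reveals nothing
    about the card even if the application's database leaks.
    """

    def __init__(self):
        self._store: dict[str, str] = {}   # stand-in for the vault's storage

    def tokenize(self, pan: str) -> str:
        digits = "".join(ch for ch in pan if ch.isdigit())
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]       # KeyError for unknown tokens


def store_payment_method(pan: str, vault: TokenVault) -> dict:
    """What the application itself persists: a token and a truncated
    display string. The full PAN never reaches the application database."""
    return {"token": vault.tokenize(pan), "display": truncate_pan(pan)}
```

Only the payment flow that actually charges the card should be able to call `detokenize()`; everything else (order history, support tooling, analytics) works from `display` and never needs the PAN at all.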

XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references inside XML documents. External entities can be used to disclose internal files using the file:// URI handler, reach internal file shares, perform internal port scanning, achieve remote code execution, and mount denial-of-service attacks such as the "billion laughs" entity-expansion attack.

Mitigation:

1. Implement positive (whitelist) server-side input validation, filtering or sanitization to prevent hostile data within XML documents, headers or nodes.

2. Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.

3. Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system.
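The most direct defense, which the list above leaves implicit, is to disable DTD and external entity processing in the parser itself. The following added example (written for this page, not from the article or from OWASP) does that with Python's stdlib expat bindings: it refuses any `DOCTYPE`, which is where entities are declared, so neither a file-reading external entity nor a billion-laughs internal expansion has anything to attach to. The two payloads are constructed; the element-name collection is just there to show the parser still does useful work on benign input.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document uses DTD features this application never needs."""


def parse_elements(data: bytes) -> list[str]:
    """Parse with expat but refuse any DOCTYPE declaration.

    Without a DTD there is nowhere to declare entities, so both XXE
    (SYSTEM/PUBLIC references) and entity-expansion DoS are ruled out
    before a single entity is resolved.
    """
    parser = xml.parsers.expat.ParserCreate()
    names: list[str] = []

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {doctype_name!r} refused: DTDs are not accepted")

    def reject_external_entity(context, base, system_id, public_id):
        # Belt and braces: never fetch anything referenced by a SYSTEM/PUBLIC id,
        # even if a DOCTYPE somehow got past the handler above.
        raise UnsafeXMLError(f"external entity {system_id!r} refused")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)     # exceptions raised in handlers propagate here
    return names


def is_safe_xml(data: bytes) -> bool:
    """True if the document parses without touching any DTD feature."""
    try:
        parse_elements(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed inputs for the demonstration.
BENIGN = b"<order><item sku='A1'/><item sku='B2'/></order>"

XXE_FILE_READ = (b"<?xml version='1.0'?>"
                 b"<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
                 b"<foo>&xxe;</foo>")

BILLION_LAUGHS = (b"<?xml version='1.0'?>"
                  b"<!DOCTYPE lolz [<!ENTITY lol 'lol'>"
                  b"<!ENTITY lol2 '&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;'>]>"
                  b"<lolz>&lol2;</lolz>")
```

Whatever parser your stack actually uses (Java's `DocumentBuilderFactory`, .NET's `XmlReader`, libxml2, and so on) has an equivalent switch; the check is the same: make sure a document with a `DOCTYPE` is rejected rather than processed, and add that document to your test suite.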

Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data: other users' accounts, sensitive files, modifying other users' data, changing access rights, and so on.

Mitigation:

1. With the exception of public resources, deny by default.

2. Implement access control mechanisms once and re-use them throughout the application, including minimizing CORS usage.

3. Access controls should enforce record ownership, rather than accepting that the user can create, read, update or delete any record.

4. Unique application business limit requirements should be enforced by domain models.

5. Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots.

6. Log access control failures, alert admins when appropriate (e.g. repeated failures).
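Points 1, 2, 3 and 6 fit in a single function, which is the point of "implement once and re-use". The code below is an added example written for this page (not from the article or from OWASP): the roles, actions, `User`/`Record` shapes and the global denial counter are assumptions chosen to keep the example self-contained. The function returns `False` unless a rule explicitly grants the action, checks record ownership for non-admins, and logs every denial with enough context to alert on repeats.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")


@dataclass(frozen=True)
class User:
    id: str
    roles: frozenset


@dataclass(frozen=True)
class Record:
    id: str
    owner_id: str


# The whole policy, in one place. Role -> actions permitted on records the
# caller OWNS. Any role or action absent from this table is denied.
OWNER_ACTIONS = {
    "user": frozenset({"read", "update", "delete"}),
    "readonly": frozenset({"read"}),
}
# Administrators may act on any record, but still only with listed actions.
ADMIN_ACTIONS = frozenset({"read", "update", "delete"})

# Per-user denial counter, so repeated failures (someone iterating record
# ids they do not own) can trigger an alert.
denied_counts: dict[str, int] = {}


def is_allowed(user: User, action: str, record: Record) -> bool:
    """The single authorization check every handler calls.

    Deny by default: the function only returns True when a rule matches.
    """
    if "admin" in user.roles and action in ADMIN_ACTIONS:
        return True
    if record.owner_id == user.id and any(
        action in OWNER_ACTIONS.get(role, frozenset()) for role in user.roles
    ):
        return True
    denied_counts[user.id] = denied_counts.get(user.id, 0) + 1
    log.warning(
        "access denied user=%s action=%s record=%s owner=%s denials=%d",
        user.id, action, record.id, record.owner_id, denied_counts[user.id],
    )
    return False
```

Handlers fetch the record first, then call `is_allowed(current_user, "read", record)` before returning anything. Checking the record's `owner_id` against the authenticated user, rather than trusting an id the client sent, is what closes the insecure-direct-object-reference class of bugs.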

Security Misconfiguration

Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries and applications be securely configured, they must also be patched and upgraded in a timely fashion.

Mitigation:

1. A minimal platform without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.

2. An automated process to verify the effectiveness of the configurations and settings in all environments.

3. A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment.

Cross-Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites or redirect the user to malicious sites.

Mitigation:

1. Use frameworks that automatically escape output by design, such as current Ruby on Rails or React JS. Learn the limitations of each framework's XSS protection and handle the use cases it does not cover.

2. Escape untrusted HTTP request data according to the context in the HTML output (body, attribute, JavaScript, CSS or URL) to resolve reflected and stored XSS vulnerabilities. One escaping routine does not fit all contexts.
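"Context-aware escaping" is easier to see than to describe, so here is an added example (written for this page; not code from the article, from OWASP, or from any framework) of a template rendered three ways: raw, then with a different escaper for the HTML body, the `href` attribute and a JavaScript string literal. The two payloads are constructed, and the scheme allow-list in `esc_url` is an assumed policy.

```python
import html
import json


def esc_html(untrusted: str) -> str:
    """HTML body text and quoted attribute values."""
    return html.escape(untrusted, quote=True)


def esc_js(untrusted: str) -> str:
    """JavaScript string-literal context inside a <script> block.

    json.dumps yields a correctly quoted literal; the extra replacements
    stop "</script>" and comment openers inside the value from terminating
    the script block, and neutralise the two JS line terminators that are
    not JSON line terminators.
    """
    literal = json.dumps(untrusted)
    return (literal.replace("<", "\\u003c").replace(">", "\\u003e")
                   .replace("&", "\\u0026")
                   .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def esc_url(untrusted: str) -> str:
    """URL placed in an href: allow only http(s), then attribute-escape it."""
    if not untrusted.lower().startswith(("http://", "https://")):
        return "#"          # drops javascript:, data:, vbscript: and friends
    return esc_html(untrusted)


def render_vulnerable(name: str, link: str) -> str:
    """Untrusted data dropped straight into three different contexts."""
    return (f"<p>Hello {name}</p>"
            f'<a href="{link}">profile</a>'
            f'<script>var user = "{name}";</script>')


def render_safe(name: str, link: str) -> str:
    """Same template, each slot escaped for the context it sits in."""
    return (f"<p>Hello {esc_html(name)}</p>"
            f'<a href="{esc_url(link)}">profile</a>'
            f"<script>var user = {esc_js(name)};</script>")


# Constructed payloads: one breaks out of the script block, one smuggles a
# javascript: URL into the link.
NAME_PAYLOAD = "</script><script>alert(1)</script>"
LINK_PAYLOAD = "javascript:alert(document.cookie)"
```

`esc_html` is only correct for attribute values that are quoted in the template; an unquoted attribute needs a stricter escaper or, better, a template engine that refuses to emit one.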

Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even where a deserialization flaw does not yield code execution, it can be used for replay attacks, injection attacks and privilege escalation.

Mitigation:

1. Log deserialization exceptions and failures, and alert if a user deserializes constantly.

2. Implementing integrity checks such as digital signatures on any serialized objects to prevent hostile object creation or data tampering.
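Point 2 is what keeps a session cookie or a queued job from being rewritten by whoever holds it. As an added example (written for this page, not from the article or from OWASP), the code below serializes to plain JSON, appends an HMAC-SHA256 over the encoded body, and refuses to parse anything whose MAC does not verify. The key and token format are assumptions; `tamper()` plays the attacker, editing the payload without being able to recompute the MAC.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. A real service loads this from a secret store and
# rotates it; anyone holding the key can mint valid tokens.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _sign(body: bytes, key: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def serialize_signed(obj, key: bytes = SIGNING_KEY) -> str:
    """JSON (data only, no object graph that could carry code), base64,
    then a MAC over exactly the bytes the receiver will check."""
    body = base64.urlsafe_b64encode(json.dumps(obj, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body.encode(), key)}"


def deserialize_verified(token: str, key: bytes = SIGNING_KEY):
    """Verify first, parse second: nothing attacker-controlled is interpreted
    until the signature is known to be genuine."""
    body, sep, sig = token.rpartition(".")
    if not sep or not hmac.compare_digest(_sign(body.encode(), key), sig):
        raise ValueError("bad signature: refusing to deserialize")
    return json.loads(base64.urlsafe_b64decode(body))


def try_deserialize(token: str, key: bytes = SIGNING_KEY):
    """Convenience wrapper: None instead of an exception on rejection."""
    try:
        return deserialize_verified(token, key)
    except (ValueError, TypeError):
        return None


def tamper(token: str, new_obj) -> str:
    """Attacker's move: swap the payload, keep the old MAC."""
    _, _, sig = token.rpartition(".")
    new_body = base64.urlsafe_b64encode(json.dumps(new_obj, sort_keys=True).encode()).decode()
    return f"{new_body}.{sig}"
```

The MAC makes tampering detectable, but it does not make an unsafe format safe: a signed pickle still executes code on load if the key leaks. Prefer data-only formats such as JSON, and log every verification failure, which is the signal point 1 asks for.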

Using Components With Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.

Mitigation:

1. Remove unused dependencies, unnecessary features, components, files, and documentation.

2. Only obtain components from official sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component.

Insufficient Logging and Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.

Mitigation:

1. Ensure that logs are generated in a format that can be easily consumed by a centralized log management solution.

2. Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.
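An "audit trail with integrity controls" can be demonstrated without a database: the added example below (written for this page, not from the article or from OWASP) emits one JSON object per event, the shape a central log pipeline ingests directly, and chains the entries so that each hash commits to the previous one. Editing or deleting an earlier entry breaks every later hash. The event fields are constructed sample data.

```python
import hashlib
import json
from typing import Optional


def log_line(event: dict) -> str:
    """One event per line as compact, key-sorted JSON: stable bytes for
    hashing and trivial to ship to a centralized log system."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


class AuditTrail:
    """Append-only audit trail with a SHA-256 hash chain.

    Each entry stores the previous entry's hash and its own hash over
    (previous hash + event). Tampering with or removing an earlier entry
    therefore invalidates every entry after it.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries: list[dict] = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        digest = hashlib.sha256((prev + log_line(event)).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def head(self) -> str:
        """Hash of the latest entry; record it somewhere the trail's owner
        cannot write (the central log system, a separate account)."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def first_bad_index(self) -> Optional[int]:
        """Recompute the chain; return the index of the first entry that does
        not match, or None when the trail is intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            expected = hashlib.sha256((prev + log_line(entry["event"])).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return i
            prev = entry["hash"]
        return None
```

The chain alone cannot see truncation at the tail (dropping the newest entries leaves a valid shorter chain), which is why `head()` exists: ship the head hash to the central log store as each entry is written and compare against it when verifying. Write permission on the table or file must also be append-only at the storage layer; the hash chain detects tampering, it does not prevent it.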

For more details, visit the official OWASP website.

One thought on “OWASP top 10”

  • November 6, 2018 at 4:42 pm

    I think this is one of the most vital pieces of information for me. And I'm glad reading your article. But should remark on some general things: the site style is wonderful, the articles are really excellent :D. Good job, cheers

