Top 10 Open Web Application Security Project (OWASP) Risks
17 September 2020 | SafeAeon Inc.
What is Open Web Application Security Project (OWASP)?
The Open Web Application Security Project, or OWASP, is a non-profit foundation and global organization devoted to improving web application security. It is a community-led forum of developers, engineers, and freelancers who provide resources and tools for web application security. Web application security deals with attack vectors against websites, web applications, and web services such as APIs. OWASP provides unbiased, practical information about web security that can help prevent attackers from planting malware, stealing data, or completely taking over your systems or web servers.
OWASP research reveals that most applications and websites fail to comply with its risk policy even though these vulnerabilities are easy to find and fix. The reason behind this is that developers are not well trained in cybersecurity and secure coding practices.
OWASP Top 10 Security Risks
From the user's endpoint, the web application development landscape is changing day by day, and a higher number of risks follow along. The OWASP Top 10 lists these risks, which are as follows:
Injection
An injection attack occurs when untrusted data is sent to a code interpreter as part of an input or some other data submission to a web application. The most common and well-known injection attack is SQL injection, where an attacker inserts SQL statements or query fragments to access the contents of the database. If that form input is not correctly secured, the injected SQL code is executed. There are many other types of injection attack, including LDAP, OS command, and XPath injection.
How to Prevent Injection Attack?
Preventing injection attacks depends on the technology used on the website. For example, if WordPress is used, the code injection risk can be minimized by keeping the number of installed plugins and themes to a minimum.
Other prevention techniques are positive (whitelist) server-side input validation, escaping special characters using the escape syntax of the target interpreter, and using SQL controls such as LIMIT within queries to prevent mass disclosure of records in case of SQL injection.
When reviewing injection activity, there are two kinds of events: either the attempt was successful or the operation was blocked. Always give priority to the successful ones and investigate them, because the blocked ones have already been stopped.
A valuable rule is that the SOC analyst has to analyze each activity to determine whether it was successful or not.
Broken Authentication
This risk consists of authentication and session management functions that are implemented incorrectly, which allows attackers to use manual or automated methods to gain complete control over the system. Websites with broken authentication are common on the web. The term usually refers to logic issues in an application's or website's authentication mechanism, where a malicious user brute-forces the authentication to be confirmed as a valid user of the system.
How to Avoid Broken Authentication Vulnerabilities
To avoid broken authentication vulnerabilities, allow enough time to test the code for authentication issues and weak password checks, do not ship default credentials (particularly for admin users), and align the password rotation and complexity policy for users.
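The weak-password and default-credential checks described above, as an added Python example (not code from the SafeAeon post). Registration rejects vendor defaults and known weak passwords before anything is stored, passwords are stored as salted PBKDF2 hashes, and login compares digests in constant time and spends the same effort on unknown usernames as on known ones. The weak-password and default-credential lists are constructed stand-ins for the real corpora a deployment would use.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed lists for the example. A deployment would load a large breached-password
# corpus and the vendor's documented default accounts instead.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000


class PasswordPolicyError(ValueError):
    """Raised when a new password fails the weak-password or default-credential checks."""


def check_password_policy(username: str, password: str) -> None:
    if (username, password) in DEFAULT_CREDENTIALS:
        raise PasswordPolicyError("vendor default credential")
    if len(password) < MIN_LENGTH:
        raise PasswordPolicyError(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WEAK_PASSWORDS:
        raise PasswordPolicyError("appears on the weak password list")
    if username.lower() in password.lower():
        raise PasswordPolicyError("contains the username")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Salted, iterated hash: a leaked table does not hand out reusable passwords.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


# Used when the username is unknown, so a lookup miss costs the same time as a wrong password.
DUMMY_HASH = hash_password("dummy-value-never-matched")


def register(store: Dict[str, str], username: str, password: str) -> None:
    check_password_policy(username, password)
    store[username] = hash_password(password)


def login(store: Dict[str, str], username: str, password: str) -> bool:
    stored = store.get(username, DUMMY_HASH)
    ok = verify_password(stored, password)
    return ok and username in store
```

The ordering inside `check_password_policy` matters only for the error message; every rejection is the same exception type so the caller cannot tell which list the password was on.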
Sensitive Data Exposure
Sensitive data exposure is one of the most widespread vulnerabilities on the OWASP list. It involves data such as login credentials, credit card numbers, social security numbers, medical information, personally identifiable information (PII), and other personal information. An organization needs to understand the importance of protecting users' data and privacy, and this protection should comply with the local privacy laws.
How to Avoid Sensitive Data Exposure Risk
Sensitive data exposure risk can be reduced by encrypting all sensitive data and by disabling temporary caching of any confidential information. Web application developers must also take care that they are not unnecessarily storing any sensitive data.
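The "do not store what you do not need" and "do not cache" points above, as an added Python example that is not from the SafeAeon post (encryption at rest needs a library and is not shown here). Before a record is persisted, fields the application has no business keeping are dropped and card numbers that slipped into free-text fields are masked; a Luhn check keeps the masking from hitting ordinary long numbers. The field list and records are constructed for the example.

```python
import re
from typing import Dict

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Fields the application never has a legitimate reason to persist (constructed list).
NEVER_STORE = {"password", "cvv", "ssn"}


def luhn_ok(digits: str) -> bool:
    # Luhn checksum, used only so that order ids and phone numbers are not masked by mistake.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    def replace(match: "re.Match") -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_RE.sub(replace, text)


def prepare_for_storage(record: Dict[str, object]) -> Dict[str, object]:
    # Data minimization before anything touches disk: drop forbidden fields and
    # mask card numbers that slipped into free-text fields.
    stored: Dict[str, object] = {}
    for key, value in record.items():
        if key.lower() in NEVER_STORE:
            continue
        stored[key] = mask_pan(value) if isinstance(value, str) else value
    return stored


def sensitive_response_headers() -> Dict[str, str]:
    # Tells browsers and intermediaries not to keep a temporary copy of the response.
    return {"Cache-Control": "no-store", "Pragma": "no-cache"}
```

The masking keeps the last four digits, which is what support staff usually need, and the headers are what a handler serving account or payment pages should add to every response.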
Broken Access Control
This risk arises from improperly configured or missing restrictions on authenticated users, allowing them to access unauthorized data, such as another user's account or sensitive documents.
Examples of broken access control are access to a hosting control or administrative panel, access to a server via FTP, SFTP or SSH, access to a website's executive committee, access to other applications on your server, and access to a database.
How to Prevent Broken Access control?
Broken access control can be prevented by implementing access control mechanisms once and reusing them throughout the application.
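"Implement once, reuse everywhere" in practice, as an added Python example that is not from the SafeAeon post: one `authorize` function holds the policy, a decorator resolves the record and calls it before any handler runs, and a record that does not exist gets the same refusal as one the caller may not touch. The `User`, `Document`, roles, and sample records are constructed for the example.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Dict


class Forbidden(PermissionError):
    """Deny-by-default answer; not-found and not-allowed look the same to the caller."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass
class Document:
    id: int
    owner_id: int
    body: str


def authorize(user: User, action: str, doc: Document) -> None:
    # The single policy decision point. Handlers never re-implement these rules.
    if user.role == "admin":
        return
    if action in {"read", "update", "delete"} and doc.owner_id == user.id:
        return
    raise Forbidden(f"user {user.id} may not {action} document {doc.id}")


def requires(action: str):
    # Decorator: look the record up by id and enforce the policy before the handler body runs.
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: User, docs: Dict[int, Document], doc_id: int, *args, **kwargs):
            doc = docs.get(doc_id)
            if doc is None:
                raise Forbidden(f"user {user.id} may not {action} document {doc_id}")
            authorize(user, action, doc)
            return fn(user, docs, doc, *args, **kwargs)
        return wrapper
    return decorator


@requires("read")
def view_document(user: User, docs: Dict[int, Document], doc: Document) -> str:
    return doc.body


@requires("delete")
def delete_document(user: User, docs: Dict[int, Document], doc: Document) -> int:
    del docs[doc.id]
    return doc.id


def sample_store() -> Dict[int, Document]:
    # Constructed data: one document each for two users.
    return {
        1: Document(1, owner_id=100, body="alice's notes"),
        2: Document(2, owner_id=200, body="bob's invoice"),
    }
```

Because the check lives in the decorator, adding a new handler cannot accidentally skip it, and changing the policy (for example adding a "shared with" list) is a one-place edit.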
XML External Entities (XXE)
An XXE attack abuses XML processors that resolve external entity references declared in untrusted XML input, which can expose internal files or services to the attacker.
XML External Entities (XXE) Prevention
This attack can be prevented by using less complicated data formats such as JSON and by avoiding the serialization of sensitive data. Patching or upgrading the XML processors and libraries in the underlying operating system also helps prevent the attack.
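Where XML cannot be replaced by JSON, the parser itself has to refuse what XXE needs. The added Python example below (not code from the SafeAeon post) uses the standard library's expat bindings and rejects any DOCTYPE declaration outright: both external entities and entity-expansion bombs can only be declared inside a DTD, so refusing the DTD closes the whole class. The two input documents and the placeholder URI are constructed for the example.

```python
import xml.parsers.expat as expat
from typing import Dict, List


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DTD; entity declarations require one."""


def parse_untrusted_xml(data: bytes) -> Dict[str, str]:
    """Parse a flat XML document into {element name: text}, refusing any DOCTYPE."""
    parser = expat.ParserCreate()
    fields: Dict[str, str] = {}
    text: List[str] = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity is declared, so nothing is ever resolved or expanded.
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")

    def start_element(name, attrs):
        text.clear()

    def end_element(name):
        value = "".join(text).strip()
        if value:
            fields[name] = value
        text.clear()

    def char_data(chunk):
        text.append(chunk)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return fields


# Constructed inputs for the example.
SAFE_DOC = b"<order><id>42</id><item>book</item></order>"
DTD_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///example-placeholder">]>'
    b"<order><id>&ext;</id></order>"
)
```

An exception raised inside an expat handler aborts the parse and propagates out of `Parse`, which is why the DOCTYPE check can be a plain `raise`. The same pattern applies to any parser that exposes a DTD callback.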
Security Misconfiguration
This is the most commonly seen issue. It appears as a result of insecure default configurations, unpatched flaws, unused pages, unprotected files and directories, and unnecessary services. It occurs when security controls for a server or web application are not implemented, or are implemented with errors.
It can occur at any layer of the application stack, so it is both highly prevalent and easily detectable. This risk also covers misconfigured security headers and error messages that contain sensitive information.
Security Misconfiguration Prevention
It can be prevented or mitigated by deploying a minimal platform without any unnecessary features, components, documentation, or samples.
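A small configuration audit covering the points above (security headers, version-disclosing headers, leftover documentation and sample paths, debug mode, and error messages), as an added Python example that is not from the SafeAeon post. The header names are the standard browser security headers; the leftover-path list, the "weak" and "hardened" deployments, and the settings keys are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

REQUIRED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security missing: clients may fall back to plain HTTP",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing is allowed",
    "content-security-policy": "Content-Security-Policy missing: no restriction on script sources",
    "x-frame-options": "X-Frame-Options missing: the page can be framed by other sites",
}
VERSION_LEAKING_HEADERS = ("server", "x-powered-by")
# Constructed list of documentation, sample and installer paths that should not be reachable in production.
LEFTOVER_PATHS = ("/docs", "/samples", "/install", "/.git")


def audit_response_headers(headers: Dict[str, str]) -> List[str]:
    present = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]
    for name in VERSION_LEAKING_HEADERS:
        if name in present and re.search(r"\d", present[name]):
            findings.append(f"{name} header discloses a version string: {present[name]}")
    return findings


def audit_settings(settings: dict) -> List[str]:
    findings = []
    if settings.get("debug"):
        findings.append("debug mode enabled: stack traces and configuration reach end users")
    if settings.get("directory_listing"):
        findings.append("directory listing enabled: the file layout is browsable")
    for path in settings.get("reachable_paths", []):
        if path.rstrip("/") in LEFTOVER_PATHS:
            findings.append(f"leftover path reachable: {path}")
    return findings


def error_response(exc: Exception, debug: bool) -> Dict[str, str]:
    # Users get a generic message; exception detail belongs in the server log only.
    if debug:
        return {"error": f"{type(exc).__name__}: {exc}"}
    return {"error": "An internal error occurred."}


def weak_example() -> Tuple[Dict[str, str], dict]:
    # Constructed: a default install that was never hardened.
    headers = {"Server": "Apache/2.4.29", "X-Powered-By": "PHP/7.2.24", "Content-Type": "text/html"}
    settings = {"debug": True, "directory_listing": True, "reachable_paths": ["/docs/", "/.git", "/api"]}
    return headers, settings


def hardened_example() -> Tuple[Dict[str, str], dict]:
    # Constructed: the same service after the minimal-platform treatment.
    headers = {
        "Server": "nginx",
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
    }
    settings = {"debug": False, "directory_listing": False, "reachable_paths": ["/api"]}
    return headers, settings
```

Run against captured response headers and the deployment's settings, the two audit functions give a checklist that can be re-run after every release, which is what keeps a hardened platform from drifting back to defaults.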
Cross-Site Scripting (or XSS)
Cross-site scripting allows attackers to execute scripts in the victim's browser, which can hijack user sessions. It is a widespread vulnerability that affects many websites. Typically, cross-site scripting requires some interaction by the user. It can be classified as stored, reflected, or DOM-based XSS.
Cross-Site Scripting (XSS) Prevention
Cross-site scripting can be prevented by using frameworks that escape output automatically by design, and by applying context-sensitive encoding when modifying the browser document on the client side.
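"Context-sensitive encoding" means a different encoder for each place a value lands: element text, a quoted attribute, a URL parameter, and a JavaScript string inside a script block. The added Python example below (not code from the SafeAeon post) shows one encoder per context and a template that uses the right one at each interpolation; the profile fields are constructed inputs.

```python
import html
import json
from urllib.parse import quote


def for_html_text(value: str) -> str:
    # Element content: escape &, <, >, and quotes so the value cannot open a tag.
    return html.escape(value, quote=True)


def for_html_attr(value: str) -> str:
    # Quoted attribute value: same escaping, and the template must always quote the attribute.
    return html.escape(value, quote=True)


def for_js_string(value: str) -> str:
    # Inside <script>: JSON-encode, then also escape <, >, & so the string can
    # never contain "</script>" or start an HTML comment.
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def for_url_param(value: str) -> str:
    # Query-string parameter: percent-encode everything that is not unreserved.
    return quote(value, safe="")


def render_profile(name: str, bio: str, homepage: str) -> str:
    # Each interpolation uses the encoder for the context it lands in.
    return (
        f"<h1>{for_html_text(name)}</h1>\n"
        f'<p title="{for_html_attr(bio)}">{for_html_text(bio)}</p>\n'
        f'<a href="/go?u={for_url_param(homepage)}">homepage</a>\n'
        f"<script>var displayName = {for_js_string(name)};</script>"
    )
```

The HTML and attribute encoders are the same function here, but they are kept separate because the attribute case additionally depends on the template always quoting the attribute; an unquoted attribute needs a far stricter encoder. Template engines that auto-escape do the first two contexts for you, the URL and script contexts usually still need explicit handling.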
Insecure Deserialization
Deserialization is the process of converting byte strings back into objects. Insecure deserialization can lead to remote code execution. Even when it does not result in remote code execution, it can be used to perform other attacks such as injection, replay, and privilege escalation attacks.
Insecure Deserialization Prevention
Insecure deserialization can be prevented by implementing integrity checks such as digital signatures on serialized objects, which help prevent data tampering. Monitoring deserialization can also help to generate an alert if a user deserializes constantly.
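Both measures above, as an added Python example that is not from the SafeAeon post: objects are serialized as JSON (a data-only format) with an HMAC tag, the tag is verified in constant time before a single byte of the body is parsed, and a small monitor counts attempts and rejections per client so that repeated tampering can raise an alert. The signing key, client identifiers and threshold are constructed for the example; HMAC stands in for the page's "digital signature" because it needs no key-pair setup.

```python
import base64
import hashlib
import hmac
import json
from collections import defaultdict
from typing import Any, Dict, List


class TamperedPayload(ValueError):
    """Raised when a serialized object fails its integrity check."""


# Constructed key for the example; a deployment loads it from a secrets manager.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def sign(body: bytes, key: bytes = SIGNING_KEY) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def serialize(obj: Any, key: bytes = SIGNING_KEY) -> str:
    # JSON rather than pickle: the format can describe data but not code to run.
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return (
        base64.urlsafe_b64encode(body).decode()
        + "."
        + base64.urlsafe_b64encode(sign(body, key)).decode()
    )


def deserialize(token: str, key: bytes = SIGNING_KEY) -> Any:
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:  # wrong number of parts or bad base64 (binascii.Error)
        raise TamperedPayload("malformed token") from exc
    # Verify before parsing: nothing in the body is interpreted until the tag checks out.
    if not hmac.compare_digest(tag, sign(body, key)):
        raise TamperedPayload("signature mismatch")
    return json.loads(body)


class DeserializationMonitor:
    """Counts deserialization attempts and rejections per client for alerting."""

    def __init__(self, failure_threshold: int = 5) -> None:
        self.failure_threshold = failure_threshold
        self.attempts: Dict[str, int] = defaultdict(int)
        self.failures: Dict[str, int] = defaultdict(int)

    def load(self, client: str, token: str, key: bytes = SIGNING_KEY) -> Any:
        self.attempts[client] += 1
        try:
            return deserialize(token, key)
        except TamperedPayload:
            self.failures[client] += 1
            raise

    def alerts(self) -> List[str]:
        return [client for client, n in self.failures.items() if n >= self.failure_threshold]
```

A token signed under a different key, or edited after signing, fails at the `compare_digest` step and `json.loads` never runs; replaying an old valid token is not addressed here and would need an expiry field inside the signed body.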
Using Components With Known Vulnerabilities
The current scenario is that even simple websites such as personal blogs have a lot of dependencies. We can all agree that we fail to keep these pieces of frontend and backend software updated, which introduces a substantial risk. It opens the door to attackers and increases the attack surface through known vulnerabilities.
Using Components with Known Vulnerabilities Prevention
One way to prevent the use of vulnerable components is to remove all unused dependencies of sensitive applications. Obtain components only from official sources. Use virtual patching with the help of a web application firewall.
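Knowing which dependencies are affected is the first step before removing or upgrading them. The added Python example below (not code from the SafeAeon post) reads a pinned requirements file, flags anything that is not pinned to an exact version, and checks each pinned package against an advisory feed of affected and fixed version ranges. The advisory entries, package names and requirements file are all constructed; a real audit would use a published vulnerability database.

```python
import re
from typing import Dict, List, Tuple

# Constructed advisory feed: package -> list of (advisory id, first affected, first fixed version).
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "examplelib": [("CONSTRUCTED-ADV-001", "1.0.0", "1.4.2")],
    "otherlib": [("CONSTRUCTED-ADV-002", "0.0.0", "2.0.0")],
}


def parse_version(version: str) -> Tuple[int, int, int]:
    # Numeric major.minor.patch only; pre-release tags are ignored in this example.
    parts = [int(x) for x in re.findall(r"\d+", version)][:3]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if match:
            pinned[match.group(1).lower()] = match.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def audit_dependencies(text: str, advisories=ADVISORIES) -> List[str]:
    pinned, unpinned = parse_requirements(text)
    # Unpinned entries come first: without a pin the installed version cannot be reasoned about.
    findings = [f"{line}: not pinned, the installed version cannot be verified" for line in unpinned]
    for name, version in pinned.items():
        installed = parse_version(version)
        for adv_id, first_bad, fixed in advisories.get(name, []):
            if parse_version(first_bad) <= installed < parse_version(fixed):
                findings.append(f"{name}=={version}: {adv_id}, upgrade to {fixed} or later")
    return findings


SAMPLE_REQUIREMENTS = """\
# constructed requirements file for the example
examplelib==1.3.0
otherlib==2.1.0
cleanlib==0.9.1
somelib>=1.0
"""
```

The same loop works for any lockfile format once its parser produces a name-to-version map, and running it in CI turns "we forgot to update" into a failing build.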
Insufficient Logging and Monitoring
This type of issue arises when there is a lack of understanding of the security perspective, or when security is not a goal. Lack of monitoring and inefficient logging can increase the damage of a website compromise. Keeping an audit log is essential to detect suspicious changes to a website.
Insufficient Logging and Monitoring Prevention
It can be prevented by ensuring that logs are generated in a format that can be easily consumed by log management software.
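A log format that management software can consume without custom parsing, plus the triage rule from the injection section (successful activity first, blocked activity last), as an added Python example that is not from the SafeAeon post. Security events are written as one JSON object per line through the standard `logging` module, and `triage` reads those lines back and orders them for the analyst. The event names, field names and IP addresses are constructed.

```python
import io
import json
import logging
import time
from typing import List


class JsonFormatter(logging.Formatter):
    # One JSON object per line: log shippers and SIEMs ingest it without custom parsers.
    def format(self, record: logging.LogRecord) -> str:
        event = {
            "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(record.created)),
            "level": record.levelname,
            "msg": record.getMessage(),
        }
        event.update(getattr(record, "event", {}))
        return json.dumps(event, sort_keys=True)


def make_security_logger(stream, name: str = "appsec.audit") -> logging.Logger:
    logger = logging.getLogger(name)
    logger.handlers.clear()  # keeps the function idempotent when called again
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger


def log_security_event(logger: logging.Logger, event_type: str, outcome: str, **fields) -> None:
    # Activity that succeeded is logged at WARNING so it stands out from blocked noise.
    level = logging.WARNING if outcome == "success" else logging.INFO
    event = {"event_type": event_type, "outcome": outcome, **fields}
    logger.log(level, event_type, extra={"event": event})


PRIORITY = {"success": 0, "blocked": 1}


def triage(json_lines: List[str]) -> List[dict]:
    # Successful activity first: blocked attempts were already stopped by a control.
    events = [json.loads(line) for line in json_lines if line.strip()]
    return sorted(events, key=lambda e: PRIORITY.get(e.get("outcome"), 2))


def sample_event_lines() -> List[str]:
    # Constructed events: a blocked injection attempt, an admin login, a blocked brute force.
    stream = io.StringIO()
    logger = make_security_logger(stream, "appsec.sample")
    log_security_event(logger, "sqli_filter", "blocked", src_ip="203.0.113.5", path="/search")
    log_security_event(logger, "admin_login", "success", user="admin", src_ip="198.51.100.7")
    log_security_event(logger, "login_bruteforce", "blocked", src_ip="203.0.113.9")
    return stream.getvalue().splitlines()
```

Point the `StreamHandler` at a file or stdout instead of `StringIO` and the same lines can be shipped to any log platform; the `sort_keys` call keeps field order stable so that field-based alert rules do not break between releases.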