What is OWASP?
The Open Web Application Security Project, or OWASP, is a nonprofit organization dedicated to web application security. One of the OWASP‘s basic fundamental key is that all their content is freely available and easily accessible on their website, enabling anyone to improve their web-based security. The materials they provide include texts, tools, videos, and forums. Perhaps their most popular project is OWASP Top 10.
What is OWASP Top 10?
The OWASP Top 10 is a frequently updated report that inscribes security concerns of the web application, focusing on ten critical risks. The report is composed by a team of security experts from around the world. OWASP refers to the Top 10 as an ‘awareness document’ and recommends that all companies include a report on their policies in order to reduce security risks.
Following are the security risks included in the OWASP Top 10 report:-
Injection attacks occurs when unreliable data is sent to the interpreter through a form submission or other data entry in a web application. For example, an attacker enters a SQL database code in the username field. If that form submission is not properly protected, this could lead to execution of that SQL code. This is known as SQL injection attacks.
Injection attacks can be averted by validating user-submitted data. The database manager can set controls to reduce the amount of information an injection attack can reveal.
2.) Broken Authentication
The vulnerability in authentication panel (login) can give attackers access to user accounts and even the ability to compromise the entire system using an administrator account. For example, an attacker could take a list containing thousands of known user / password combinations found during data breaches and use the script to try all of those combinations in the login system to see if something works.
Other risk reduction authentication strategies require dual authentication (2FA) as well as limiting or delaying repeated login attempts using the standard limit.
3.) Sensitive Data Exposure
If web applications do not protect sensitive data such as financial information and passwords, attackers may gain access to that data and may use it for malicious purposes. The risk of data exposure can be reduced by encrypting all sensitive data and disabling temporary storage of any sensitive information. Additionally, web application developers should take care to ensure that they do not unnecessarily store any sensitive data.
4.) XML External Entities
This is a type of attack against a web application that transmits XML inputs. This attack occurs when XML input containing a reference to an external entity is processed by a misconfigured XML parser. These attacks may reveal confidential information, generate denial of service attacks, server side request forgery, scanning of ports, and other system attacks.
To prevent XXE attacks there should be less usage of complex data formats such as JSON and avoiding serialization of sensitive data. Another way of preventing such attack is patching and upgrading of XML processors and libraries used by the application and also disabling external entity and DTD processing. Implementation of web application firewall can help detect and block XXE attacks.
5.) Broken Access Control
Broken access controls allow attackers get authorization and perform tasks as if they were legitimate users as administrators. For example a web application may allow a user to change which account he or she has signed into by simply changing a portion of the URL, without further verification.
Access controls can be protected by ensuring that the web application uses authorization tokens. Many services issue authorization tokens when users sign in. All user-rights applications will require an authorization token. This is a secure way to verify that the user is what they claim to be, without always entering their login details.
6.) Security Misconfiguration
This is the most common risk factor in the list, and it is often the result of using default configuration or displaying error actions. For instance, an application could show errors which may expose vulnerabilities in the application. This can be mitigated by removing any unused features from the code and ensuring that error messages are normal. To prevent such type of attacks one should not install unused features or frameworks.
7.) Cross-Site Scripting
This can be mitigated by frameworks which can automatically block XSS attacks such as Ruby on Rails, React JS. Also by implementing Content Security Policy cross site scripting attacks can be mitigated.
8.) Insecure Deserialization
Serialization means fetching objects from the application code and converting them into a format that can be used for other purpose, such as storing of data to disk or streaming it. Deserialization means conversion of serialized data into objects the application can use.
An insecure deserialization is the consequence of deserializing data from untrusted sources which can result in DDoS attacks and remote code execution. Certain steps can be taken to try and catch attackers, such as monitoring deserialization and implementing type checks, which can be the only way to evade insecure deserialization attacks.
9.) Using Components With Known Vulnerabilities
Many modern web developers use items such as libraries and frameworks in their web applications. These are pieces of software that help engineers avoid unnecessary work and provide much-needed performance; A typical example involve frameworks such as React and small libraries that used to add sharing icons. Some attackers look for vulnerabilities in these areas that they can use to plan attacks. An attacker who finds a security hole in one of these sections can leave hundreds of thousands of sites at risk of exploitation.
To prevent the risk of running components with known vulnerabilities, developers should minimize the use of unused components, as well as ensure that they are receiving the components from a trusted source and making sure they are up to date.
10. Insufficient Logging And Monitoring
This occurs when auditable events such as logins or failed logins are not properly logged, warnings and error generation, applications and API logs not getting monitored, logs being stored locally or when response processes are not in place.
To prevent this ensure that there should be proper implementation of logging and monitoring and incident response system to ensure awareness of intrusion in applications.