OWASP (the Open Web Application Security Project) is a community that defines standards which, when followed, help organizations build secure applications. This article discusses the OWASP Top 10 most critical web application security risks.
What is OWASP?
As businesses move their operations online, the number of potential web application security risks increases. While many of these risks can be mitigated through proper security measures, some remain unavoidable. The Open Web Application Security Project (OWASP) has prepared a list of the top 10 web application security risks to assist enterprises in understanding and mitigating these threats.
OWASP is a non-profit foundation whose goal is to improve the overall security of software, regardless of its application or use. There are hundreds of local chapters across the globe with tens of thousands of developer and security members. They offer educational and training conferences, tools and resources to combat security risks in applications, and are a great source for community building and networking. They have been in existence and practicing their mission statement for nearly two decades and are widely respected by programmers, system administrators, and the IT community at large.
Security breaches are becoming more and more common. In fact, according to the 2016 Verizon Data Breach Report, one in every four hacking-related breaches that happened in 2016 was found on a small business. What’s worse is that there are 10 different vulnerabilities hackers commonly use to get your data. These vulnerabilities are presented by the OWASP Top 10. It is important to know what these vulnerabilities mean, how to prevent them, and how to stay secure. The sections below present a discussion on OWASP and its top 10 vulnerabilities.
What are the OWASP Top 10 Security Vulnerabilities?
Vulnerabilities in an application are defects or flaws that may be exploited to threaten the availability, confidentiality, and integrity of the application. The OWASP Top 10 comprises a collection of the most significant security vulnerabilities often encountered in web applications. Developers may build secure apps that protect their customers’ sensitive data from attackers by developing code and thorough testing while keeping these risks in mind.
Figure 1: The OWASP Top 10 Vulnerabilities
The OWASP Top 10 Vulnerabilities are:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
Broken Access Control
Access control, often known as authorization, is the process by which an application grants access to certain users while denying it to others. Broken access control means that access control for a given resource is missing or not enforced, and it is the most common issue found in web applications. It is also known as Invalid Access Control. It can result from a lack of policies and procedures, or from a failure to enforce access control once it is in place. Hackers can exploit this flaw to cause financial loss or expose confidential data, and may use it to gain access to the system itself.
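The following is an added example, not code from the article: a per-user resource lookup written first without any ownership check (the broken access control pattern, where any authenticated user can read any record by changing the id in the request) and then with a deny-by-default check. The invoice data, user ids and the admin role are constructed for the demonstration.

```python
"""Ownership check for a per-user resource (added example, not from the article)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    1001: Invoice(1001, owner_id=1, amount=42.0),
    1002: Invoice(1002, owner_id=2, amount=99.5),
}


class AccessDenied(Exception):
    pass


def get_invoice_vulnerable(invoice_id: int) -> Invoice:
    # Broken access control: the record id from the request is trusted and no
    # check relates the requester to the record, so any user reads any invoice.
    return INVOICES[invoice_id]


def get_invoice(invoice_id: int, requester_id: int, is_admin: bool = False) -> Invoice:
    # Deny by default: return the record only when the requester owns it or holds
    # a role (assumed "admin") that is explicitly allowed to read all invoices.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice.owner_id != requester_id and not is_admin):
        # One error for both "missing" and "not yours", so a caller cannot tell
        # which ids exist by comparing responses.
        raise AccessDenied(f"invoice {invoice_id} not accessible")
    return invoice


def can_read_invoice(invoice_id: int, requester_id: int, is_admin: bool = False) -> bool:
    """Convenience wrapper used by callers that only need a yes/no decision."""
    try:
        get_invoice(invoice_id, requester_id, is_admin)
        return True
    except AccessDenied:
        return False
```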
Cryptographic Failures
Cryptographic failures often occur in the data encryption and decryption used to secure sensitive information such as passwords, credit card numbers, and personal health records. There are three basic types of cryptographic failures: ciphertext disclosure, key management, and algorithm weaknesses.
Injection
An injection is an attack in which untrusted input is incorporated into the code an application executes. Injection attacks can give access to secure areas and confidential information: by posing as trustworthy users, intruders may obtain sensitive data.
SQL injections, CRLF injections, and LDAP injections are examples of injections. Application security testing is a method that can detect injection vulnerabilities and provide mitigation measures such as using parameterized queries or eliminating special characters from the user input.
Injection flaws occur when malicious code is sent to your application in an unsafe manner. This can happen in two ways:
- A user enters the malicious code into a form field, and it gets interpreted as code by the application.
- Malicious code entered in a URL is executed on the server, intercepting and manipulating requests before they reach your application.
The injection flaw occurs when input from a user is not sanitized before the web application uses it. This can happen when accepting user input in form fields, such as email addresses or passwords, on a web page. An attacker can then craft malicious input that is sent to the application and injects commands such as SQL, PHP, or script commands.
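As an added example (not code from the article) of the parameterized-query mitigation mentioned above, the block below builds an in-memory SQLite table with constructed rows and looks up a username two ways: by splicing the input into the SQL text, so the input is parsed as SQL, and by binding it as a parameter, so the database treats it purely as data. The table, rows and function names are assumptions made for the demonstration.

```python
"""String-built vs parameterized SQL lookup (added example, not from the article)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],  # constructed rows
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The caller's input becomes part of the SQL statement itself, so a quote
    # character in the input changes the statement's structure. Even a
    # legitimate name such as o'brien breaks this query.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user(conn: sqlite3.Connection, username: str) -> list:
    # The statement is fixed; the value is bound separately as a literal, so
    # quotes or SQL keywords in it never alter what the statement does.
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Input containing a quote and an always-true condition: in the string-built
    # version it widens the WHERE clause to every row; in the parameterized one
    # it is simply a username that matches nothing.
    odd = "x' OR '1'='1"
    print(find_user_vulnerable(db, odd))  # ['alice', 'bob', 'carol']
    print(find_user(db, odd))             # []
```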
Insecure Design
Insecure design is a general term that describes how developers design websites. It can mean anything from loosely securing sensitive information to failing to implement access control. Some common design flaws that lead to security issues include failure to consider all factors when designing a website, failure to properly validate data received from users, and failure to use a secure design process.
Security Misconfiguration
This flaw occurs when the security configuration of a web application is incorrect. It can happen when developers ignore, overlook, or misunderstand the security configuration. It commonly leads to users being able to view sensitive information, such as usernames and passwords, that should be hidden from view. This can occur when the web server incorrectly maps an HTTP request from a browser to a file on the server.
Vulnerable and Outdated Components
This flaw results when an application contains components that have known limitations or are known to be exploitable; that is, the application is built on components with known security issues. Such components include software libraries, protocols, programming languages, operating systems, and web browsers.
For example, a web application written in PHP and Apache could contain known vulnerabilities if the software libraries were outdated. The application could also include known assumptions on the user’s computer, such as the operating system being Windows XP. Hackers can exploit these components to cause security issues that could lead to the loss of sensitive information or security breach.
Identification and Authentication Failures
If authentication is not implemented correctly, it might pose a severe security risk. Authentication flaws may enable attackers to gain access to user accounts and perhaps the power to compromise a whole system. Attackers may readily exploit these flaws to steal legitimate users’ identities.
One means of avoiding broken authentication is multifactor authentication. Additionally, before releasing the application to the production environment, you can use DAST and SCA scans to identify and remove privacy concerns. Session management should also be implemented securely, with regular validity checks and expiration after a certain length of time with no activity.
You must have additional security measures in place to safeguard your organization’s intellectual property, such as using SSL/TLS for data transferred over the wire and implementing encryption at rest and in transit. Protecting sensitive information may be as simple as implementing data encryption, tokenization, and effective key management.
Software and Data Integrity Failures
This flaw occurs when the application contains software or data known to be faulty. For example, a web application written in PHP could include erroneous data from the database. The application could also contain incorrect code from jQuery, where the programmer missed a security check. This could allow unauthorized access to sensitive information.
Security Logging and Monitoring Failures
This flaw occurs when the application fails to log or monitor user activity. It commonly leads to an attacker gaining unauthorized access to sensitive information, such as usernames and passwords. It can occur when the application fails to create log files that accurately detail user activity, and also when the application fails to monitor that activity and take corrective action if something is wrong.
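The following added example (not code from the article) shows the two halves of this control together: audit-log lines that record who did what, when and from where, and a monitoring check that reads them back and flags a source address producing many failed logins in a short window. The log format, the field names, the threshold and the log lines themselves are all constructed for the demonstration.

```python
"""Failed-login burst detection over constructed audit-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, event name, user, source address.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login_failed user=alice src=203.0.113.7
2024-03-01T10:00:03Z login_failed user=alice src=203.0.113.7
2024-03-01T10:00:04Z login_failed user=admin src=203.0.113.7
2024-03-01T10:00:05Z login_failed user=root src=203.0.113.7
2024-03-01T10:00:06Z login_failed user=bob src=203.0.113.7
2024-03-01T10:00:09Z login_ok user=carol src=198.51.100.2
2024-03-01T10:30:00Z login_failed user=dave src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (\w+) user=(\S+) src=(\S+)$")


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None  # a real pipeline should also count malformed lines
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "event": m.group(2), "user": m.group(3), "src": m.group(4)}


def detect_bursts(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> dict:
    """Map each source address to the largest number of login_failed events it
    produced inside any `window`, keeping only sources at or above `threshold`."""
    failures = defaultdict(list)
    for event in filter(None, map(parse_line, log_text.splitlines())):
        if event["event"] == "login_failed":
            failures[event["src"]].append(event["ts"])
    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG))  # {'203.0.113.7': 5}
```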
Server-Side Request Forgery
This flaw occurs when the server accepts an incoming request but does not verify its authenticity or validity. For example, an application could obtain the login credentials from someone but not ensure that it was from the expected user. In this case, the server would accept login credentials from anyone. A hacker could then forge a user’s credentials and send the malicious request to the server. The server would then authenticate the malicious script and execute it, allowing the hacker to access the system.
Summary of OWASP Vulnerabilities Developers Should Know
Web application security risks are a serious concern for businesses of all sizes. Any organization that does business via the internet is vulnerable to a security breach. The OWASP Top 10 is a list of the most prevalent web application vulnerabilities. These vulnerabilities are graded from one to ten, with one being the most critical and ten the least critical. The list is updated periodically to include new vulnerabilities as they are discovered.