What is OWASP Top 10?
The OWASP Top 10 outlines the most critical security concerns for web applications. It’s a community project where cybersecurity experts worldwide work together to identify issues affecting web security regularly.
The project aims to raise awareness about current, pervasive threats to web applications. This enables them to improve processes, elaborate on security protocols, and mitigate risks.
Please see below a brief breakdown of the issues in the last OWASP Top 10 list, published in 2017. The OWASP Foundation is working on releasing an updated OWASP Top 10 list for 2020; however, it hasn’t been released as of December 2020.
A1 – Injection
These attacks occur when the hacker sends untrusted data to a web application through a data submission channel, such as form input. The data input causes the web application to execute unintended commands.
For instance, a hacker can submit SQL database code into a data submission channel expecting a username in plain text. If the form input is insecure, the web application will execute the SQL code. Examples of injections include:
- LDAP queries.
- PHP queries.
- SQL queries.
- OS commands.
A2 – Broken Authentication
This occurs when vulnerabilities in the web application’s authentication system are exploited, giving attackers access to user or admin accounts. In some cases, the web application mismanages session-related information, enabling hackers to compromise the user’s identity.
This information could be in the form of secret keys, passwords, session cookies, or others.
- Weak session IDs
- Sessions not invalidated on logout.
A3 – Sensitive Data Exposure
If a web application doesn’t provide adequate security for sensitive data, attackers could modify or sniff out the data and use it for their own purposes. For instance, applications that use weak Transport Layer Security (TLS) or weak encryption keys are susceptible to man-in-the-middle attacks.
The exposure of sensitive data can be mitigated by encrypting all sensitive data, disabling caching of responses with sensitive data, and using secure protocols and algorithms.
- Missing TLS encryption in transit.
- Passwords stored in cleartext in the database.
A4 – XML External Entities (XEE)
These kinds of attacks are carried out against web applications that parse XML inputs. A web application that is vulnerable to XXE attacks will allow the upload of malicious XML. The XML code looks to exploit vulnerabilities in the parser or its dependencies by referencing an external entity.
The malicious code could execute a request for sensitive data to be sent to the unauthorized external entity, which then passes the data on to the attacker.
- Internal file shares exploits
- Internal port scanning
- Remote code execution
- Denial of service attacks.
A5 – Broken Access Control
A broken access control allows attackers to bypass authorization protocols and execute tasks as if they were users with admin rights and privileges. In many instances, developers do not restrict user privileges on the server-side; they do so only on the UI side.
Attackers can exploit such a vulnerability and get access to directories, databases, restricted pages, and the like.
A6 – Security Misconfiguration
One of the most common vulnerabilities on this list, security misconfiguration, occurs when an application uses default configurations or encounters an issue and displays overly-descriptive error messages to the user.
Such messages could reveal the application’s vulnerabilities to hackers, enabling them to prepare more malicious, customized attacks.
Examples of security misconfiguration include:
- Java Spring Security has CSRF protection disabled.
- MongoDB open database (no password; default configuration)
A7 – Cross-Site Scripting
A8 – Insecure Deserialization
This targets web applications that often serialize and deserialize data. An insecure deserialization exploit is caused by deserializing data from untrusted sources, resulting in remote code execution attacks and DDoS attacks.
Although implementing type checks and monitoring deserialization is advised, the only sure method of preventing this form of attack is prohibiting the deserialization of data from untrusted sources.
A9 – Using Components with Known Vulnerabilities
To provide needed functionality and avoid redundant work, most web developers use various components such as coding/network frameworks, vulnerable functions, and libraries when building web applications.
Attackers constantly search for vulnerabilities within these components, which they can exploit to launch an attack.
Some of the components with known vulnerabilities include:
- Vulnerable jQuery version.
- Unpatched Windows.
- Outdated kernel version — Linux.
- Use of vulnerable PHP version.
A10 – Insufficient Logging and Monitoring
Measures for detecting data breaches within web applications are still below par. The average time taken by developers to detect a breach is 200 days after the fact. This is a lot of time for attackers to cause damage before the implementation of protective countermeasures.
As such, OWASP advises developers to implement logging, monitoring, and incident response plans to ensure the early detection of attacks.