OWASP Top 10- Web Application Vulnerabilities (PART- 2)


Hey, readers! Hope you’ve all understood the top 5 vulnerabilities from our last blog. Now, gear up for Part 2 of the OWASP Top 10 vulnerabilities. We’re digging deeper into the rabbit hole, so get ready!

Here is the link to the previous post covering the first five vulnerabilities.

6. Vulnerable and Outdated Components

A06:2021-Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey, but also had enough data to make the Top 10 via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test and assess risk. It is the only category not to have any Common Vulnerability and Exposures (CVEs) mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their scores.

Modern distributed web applications are assembled from many software components and libraries, and this category covers those that have known security vulnerabilities or are not up to date with the latest security patches. Any component with a known vulnerability, or any outdated component, becomes a weak link that can compromise the security of the entire application.

CWE stands for “Common Weakness Enumeration.” It is a community-developed list of common software and hardware weakness types that serves as a common language for describing, mitigating, and preventing security vulnerabilities. CWE is maintained by the MITRE Corporation and provides a standardized way of identifying and categorizing security weaknesses in software and systems.

Known Vulnerabilities: These are vulnerabilities that have been identified and documented by security researchers or the software community.

Outdated Components: These may lack the latest security updates and patches, making them susceptible to known exploits. The longer a component goes without updates, the higher the risk of it being compromised.


Common Issues Leading to Vulnerable and Outdated Components:

  1. Organizations might not know all the parts in their software, especially external tools and elements, making it hard to see the full picture.
  2. Modern software often relies on numerous dependencies, creating a complex dependency chain. Keeping track of updates for all components in this chain can be challenging.
  3. Organizations may lack the resources to continuously monitor and update software & hardware components.

Preventive Measures:

  1. Regularly update all software components, including third-party libraries and dependencies.
  2. Implement automated tools for scanning and monitoring dependencies to identify vulnerabilities promptly. These tools can provide real-time alerts when vulnerabilities are discovered.
  3. When specifying dependencies, consider using version pinning to ensure that a specific version of a component is used. This prevents unintended upgrades that may introduce vulnerabilities.
  4. Security Training and Awareness can lead to better decision-making during the development process.
  5. Prioritize the assessment and evaluation of third-party components during the software development lifecycle (SDLC) as well as before integrating them into your application.

7. Identification and Authentication Failures

A07:2021-Identification and Authentication Failures was previously Broken Authentication and is sliding down from the second position, and now includes CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.

When applications make mistakes in securely verifying who is using them, unauthorized people can steal important information such as passwords, access codes, security keys, or session tokens and permanently or temporarily assume the identities and permissions of other users. With this stolen information, they can pretend to be other users and do things they’re not supposed to do within the application. These vulnerabilities can lead to unauthorized access, account hijacking, and other security breaches.


Common Issues Leading to Identification and Authentication Failures:

  1. Lack of Multi-Factor Authentication (MFA)
  2. Inadequate Password Policies that allow users to create weak, reused, or guessable passwords.
  3. Neglecting proper session management, including secure handling of session tokens and timely expiration, can expose users to session hijacking attacks.

Preventive Measures:

  1. Implement Multi-Factor Authentication (MFA)
  2. Enforce Strong Password Policies that require users to create strong, complex passwords. Regularly prompt users to update their passwords and discourage password reuse.
  3. Use secure and up-to-date authentication protocols, such as OAuth 2.0 or OpenID Connect, to protect against known vulnerabilities in older protocols.
  4. Regular Security Audits and Testing to identify and address vulnerabilities in the identification and authentication processes.
  5. Implement secure session management practices, including the use of secure session tokens, timely expiration, and ensuring that sessions are invalidated after logout.

8. Software and Data Integrity Failures

A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category.

Software and Data Integrity Failures refer to vulnerabilities that arise when assumptions related to software updates, critical data, and continuous integration/continuous deployment (CI/CD) pipelines are made without proper verification of their integrity. It encompasses a range of issues, including insecure deserialization, which was previously a standalone category.

Insecure deserialization occurs when an application does not properly validate or sanitize serialized input data. Serialization is the process of converting data structures or objects into a format that can be easily stored or transmitted, such as JSON or XML. Deserialization is the reverse process, reconstructing the original data from the serialized format. If this process is not adequately secured, it can lead to various security risks.

Common Issues Leading to Software and Data Integrity Failures:

  1. Assuming that data received from external sources, such as APIs or user input, is trustworthy without proper validation can lead to integrity failures.
  2. Accepting and applying software updates or patches without verifying their integrity can introduce malicious code into the system.
  3. Insecure CI/CD Pipelines can allow attackers to inject malicious code during the development or deployment process.

CI/CD stands for Continuous Integration and Continuous Deployment. It’s a set of practices and automated processes that ensure code changes are built, tested, and deployed reliably and efficiently.

Preventive Measures:

  1. Implement robust input validation and data sanitization (cleaning and validating data) mechanisms to ensure that data received from external sources is valid and free from malicious content.
  2. Always verify the integrity of software updates and patches before applying them. This can involve using cryptographic signatures or checksums to confirm the authenticity of the files.
  3. Implement security measures in CI/CD pipelines, such as code signing, secure storage of credentials, and regular security audits, to prevent the introduction of unauthorized code.
  4. Follow the principle of least privilege.
  5. Use Secure Serialization Formats and libraries that have built-in protections against common deserialization vulnerabilities. Additionally, consider using formats that support features like encryption.
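The deserialization risk described above and preventive measures 1 and 5, as an added example (not code from the original post): a pickle loader that refuses to resolve any global, next to a JSON loader that enforces an exact, constructed schema. The `PROFILE_SCHEMA` fields are an assumption for illustration.

```python
import io
import json
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global.

    pickle rebuilds arbitrary objects by importing them by name; that is what
    makes loading untrusted pickle data dangerous. Scalars, lists, tuples and
    dicts never trigger find_class, so rejecting every lookup confines the
    input to those types.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not allowed in untrusted data")


def restricted_loads(data: bytes):
    """Load pickle bytes that may only contain builtin scalars and containers."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed schema for a JSON document the application accepts from clients.
PROFILE_SCHEMA = {"user_id": int, "display_name": str, "roles": list}


def load_profile(text: str) -> dict:
    """Parse JSON (a data-only format) and enforce an exact shape.

    Unknown keys are rejected rather than ignored so a client cannot slip
    extra fields past the check.
    """
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("profile must be a JSON object")
    unexpected = set(obj) - set(PROFILE_SCHEMA)
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for key, typ in PROFILE_SCHEMA.items():
        value = obj.get(key)
        # bool is a subclass of int, so `true` would otherwise pass as user_id.
        if not isinstance(value, typ) or isinstance(value, bool):
            raise ValueError(f"field {key!r} missing or has wrong type")
    if not all(isinstance(r, str) for r in obj["roles"]):
        raise ValueError("roles must be a list of strings")
    return obj
```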

9. Security Logging & Monitoring Failures

A09:2021-Security Logging and Monitoring Failures was previously Insufficient Logging & Monitoring and is added from the industry survey (#3), moving up from #10 previously. This category is expanded to include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.

This category refers to the weakness where an organization or system does not adequately keep track of what is happening within its network or applications and lacks the means to detect and respond to security incidents effectively. In short, it means inadequate logging and monitoring practices within an application or network, which undermine an organization’s ability to detect and respond to security incidents.

Common Issues Leading to Security Logging and Monitoring Failures:

  1. Lack of comprehensive logging means that security events or potential threats are not recorded, making it challenging to identify and investigate security incidents.
  2. Monitoring systems may not cover all critical areas, leaving potential attack vectors unobserved and allowing malicious activities to go undetected.
  3. If the logging and monitoring systems are not configured properly, or if alerting mechanisms are not effective, security incidents may not be promptly detected or responded to.

Preventive Measures:

  1. Develop and implement a proper logging strategy that captures relevant security events. Log critical actions, authentication attempts, and potential security incidents to establish a detailed audit trail.
  2. Regular Log Analysis is necessary for identifying patterns or anomalies that indicate potential security threats.
  3. Monitor All Critical Components of the application or network, including servers, databases, network traffic, and user activities.
  4. Effective Alerting Mechanisms to notify the responsible team when suspicious activities are detected. Alerts should be clear, actionable, and prioritize critical events for timely response.
  5. Incident Response Planning along with continuous Monitoring and Improvement for addressing new challenges.

10. Server-Side Request Forgery (SSRF)

A10:2021-Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time.

This occurs when an attacker can manipulate the server into making unintended requests to internal resources. In SSRF attacks, the attacker tricks the server into making requests on its behalf, potentially leading to unauthorized access to internal systems, data exposure, or the exploitation of vulnerabilities within the server’s network.

Common Issues Leading to SSRF:

  1. Failing to properly validate user inputs, such as URLs or parameters, can allow attackers to manipulate the server into making requests to unintended destinations.
  2. Poorly segmented networks may allow an attacker to exploit SSRF to access internal resources that should not be reachable from the server.
  3. If the application follows redirects specified in user-provided URLs without proper validation, an attacker could manipulate these redirects to make the server issue requests to unintended destinations, possibly internal resources that should be protected.

Preventive Measures for SSRF:

  1. When possible, use safe APIs and protocols that don’t allow direct access to internal resources. Restrict the server’s ability to make requests to external entities and follow the principle of least privilege.
  2. Network Segmentation to restrict access between different segments of the network. Ensure that internal resources are not directly accessible from the server.
  3. Firewall Configuration to block outgoing requests to certain sensitive or internal IP ranges.
  4. Logging and Monitoring mechanisms to detect suspicious requests.
  5. Implement Content Security Policy (CSP) headers to control which domains are allowed to be accessed by the application.

Ian Whiteford

Founder, Director and Investor | Turn HR and Recruitment into your business’ biggest revenue driver | Passionate about helping CEOs and leaders to thrive in every aspect of life |

1 year

Great to see the anticipation for Part 2 of the OWASP Top 10 vulnerabilities! Delving deeper into these vulnerabilities is crucial for understanding and mitigating security risks.
