OWASP Top Ten 2018
1. Injection
Introduction
“Injection attacks occur when the user is able to input untrusted data tricking the application/system to execute unintended commands.”
Injection can target SQL queries, PHP queries, LDAP queries and OS commands. Before we jump to the examples, let’s consider a few things:
Q: What to inject?
A: Queries, OS commands, code and URL argument manipulations.
Q: Where to inject?
A: Wherever user input is accepted or a user can modify data. It can be a text box, username/password field, feedback field, comment field, URL, etc.
Q: Why to inject?
A: To check if the application is vulnerable.
Countermeasure
- Input sanitization: implement a server-side whitelist (allowlist) of what input is accepted.
- Use safe APIs and parametrized queries.
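The two countermeasures side by side, as an added example that is not part of the original article: a lookup built by string concatenation (so any SQL syntax in the input becomes part of the statement) next to the same lookup done with a parametrized query, and a hardened version that first applies a server-side allowlist. The in-memory SQLite table and the usernames are constructed for the demonstration.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is concatenated into the query text, so the database
    parses whatever SQL syntax the input carries as part of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parametrized(conn: sqlite3.Connection, username: str) -> list:
    """The driver sends the statement and the value separately; the input is
    only ever compared as data and can never change the query's structure."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allowlist: usernames are lowercase alphanumerics/underscore, 1-32 characters (constructed rule).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Server-side allowlist validation first, then a parametrized query.
    Defence in depth: the allowlist also stops junk the query would tolerate."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allowlist")
    return lookup_parametrized(conn, username)
```

Run the three functions with a plain username and then with a value containing a quote and an `OR` clause: the concatenated version returns every row, while the parametrized version returns nothing and the hardened version refuses the input before the database is reached.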
2. Broken Authentication
Introduction
“Broken authentication occurs when the application mismanages session related information such that the user’s identity gets compromised. The information can be in the form of session cookies, passwords, secret keys etc.”
The aim here is to either get into someone else’s session, reuse a session the user has already ended, or steal session-related information. Let’s check a few scenarios.
Countermeasure
- Use of multifactor authentication
- Session isolation
- Idle session timeouts
- Using secured cookies
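How session isolation, idle timeouts and secured cookies fit together on the server, as an added example that is not code from the original article: sessions are keyed by a random token from the OS CSPRNG, an idle session is dropped server-side (not merely by letting the cookie lapse), logout destroys the server-side record so an ended session cannot be reused, and the cookie is issued with `Secure`, `HttpOnly` and `SameSite`. The `SessionStore` class, its injectable clock and the 15-minute timeout are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 900  # assumption: 15 minutes of inactivity ends the session


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock so a test can simulate idle time
        self._sessions = {}  # token -> Session; each user sees only their own record

    def create(self, user: str) -> str:
        # 256-bit random token; never derived from the username, time or a counter.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user=user, last_seen=self._clock())
        return token

    def resolve(self, token: str):
        """Return the user for a live session, or None for unknown/expired tokens."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() - session.last_seen > IDLE_TIMEOUT_SECONDS:
            # Idle timeout: remove the server-side state, not just the cookie.
            del self._sessions[token]
            return None
        session.last_seen = self._clock()
        return session.user

    def logout(self, token: str) -> None:
        # Invalidate server-side so a captured token is useless after logout.
        self._sessions.pop(token, None)


def set_cookie_header(token: str) -> str:
    """Secure: sent over HTTPS only. HttpOnly: not readable by page scripts.
    SameSite=Strict: not attached to cross-site requests."""
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"
```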
3. Sensitive data exposure
Introduction
“Attackers can sniff or modify sensitive data if it is not handled securely by the application. A few examples include use of weak encryption keys and use of weak TLS.”
The goal is to identify sensitive data bits and exploit them.
Countermeasure
- Encrypt all data in transit and at rest.
- Use secure protocols and algorithms.
- Disable caching of responses with sensitive data. Hackers might obtain the cached copies and steal the information from them.
4. XML External Entities (XXE)
Introduction
“An application is vulnerable to XXE attacks if it enables users to upload malicious XML that exploits vulnerable code and/or dependencies.”
This can be used to execute code, steal data and perform other malicious tasks.
Countermeasure
- Avoid serialization of sensitive data
- Implement a whitelisting approach at the server side to prevent malicious XML uploads.
- Use of WAF to detect and block XXE.
- Code review
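A server-side whitelisting parser, as an added example that is not part of the original article: untrusted XML is parsed with the standard-library expat parser configured to abort the moment a DOCTYPE declaration appears, because every external entity (and every internal entity-expansion bomb) has to be declared in a DTD. The `parse_untrusted_xml` function and the constructed order documents are the example's own; applications that genuinely need DTDs should look at the `defusedxml` package instead.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries constructs the application never needs."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse untrusted XML into a flat {element: text} map, refusing any DTD."""
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # deliver each element's text in one callback
    result = {}
    text = []

    def start_doctype(name, system_id, public_id, has_internal_subset):
        # No legitimate upload in this application needs a DOCTYPE; refusing it
        # removes external entities (XXE) and internal entity expansion at once.
        raise UnsafeXML(f"DOCTYPE declarations are not accepted (got {name!r})")

    def start_element(name, attrs):
        text.clear()

    def char_data(chunk):
        text.append(chunk)

    def end_element(name):
        result[name] = "".join(text).strip()
        text.clear()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element
    # Exceptions raised inside a handler propagate out of Parse().
    parser.Parse(data, True)
    return result


# Constructed sample uploads for the demonstration.
BENIGN_ORDER = b"<order><item>widget</item><qty>2</qty></order>"
DTD_ORDER = (
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<order><item>&ext;</item></order>"
)
```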
5. Broken Access control
Introduction
“Broken access control occurs when a user is able to access unauthorized resources; this can be access to restricted pages, databases, directories, etc.”
Applications have various account types depending on the users: admins, operators, reporting groups, etc. One common problem is that developers restrict privileges only on the UI side and not on the server side. If exploited, every user can end up with admin rights.
Countermeasure
- Invalidate tokens and cookies after logout.
- Forced login/logout after a password change.
- Server side resource restriction e.g. directories.
- Restrict access to all resources based on roles.
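Server-side, role-based restriction as an added example (not code from the original article): the role check lives in a decorator applied to every handler, so hiding a button in the UI is never the only control, and the report handler adds a per-object owner check so a user cannot reach another user's record simply by changing an identifier in the request. The `Request` class, the `require_role` decorator and the `REPORTS` data are constructed for the example.

```python
from functools import wraps


class Forbidden(PermissionError):
    """Authorization failure; the handler never runs."""


class Request:
    """Minimal stand-in for a framework request. The role comes from the
    server-side session, never from a field the client can edit."""

    def __init__(self, user: str, role: str):
        self.user = user
        self.role = role


def require_role(*allowed: str):
    """Enforce the role check inside the server handler, independent of the UI."""

    def decorator(handler):
        @wraps(handler)
        def wrapper(request: Request, *args, **kwargs):
            if request.role not in allowed:
                raise Forbidden(
                    f"{request.user} ({request.role}) may not call {handler.__name__}"
                )
            return handler(request, *args, **kwargs)

        return wrapper

    return decorator


# Constructed records; the owner field drives the object-level check.
REPORTS = {
    "r1": {"owner": "alice", "body": "Q1 figures"},
    "r2": {"owner": "bob", "body": "Q2 figures"},
}


@require_role("user", "admin")
def get_report(request: Request, report_id: str) -> str:
    """Role check (any signed-in user) plus ownership check (only your own report)."""
    report = REPORTS.get(report_id)
    if report is None:
        raise KeyError(report_id)
    if request.role != "admin" and report["owner"] != request.user:
        raise Forbidden(f"{request.user} does not own report {report_id}")
    return report["body"]


@require_role("admin")
def delete_user(request: Request, username: str) -> str:
    """Admin-only operation; a non-admin is refused before any work happens."""
    return f"deleted {username}"
```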
6. Security misconfigurations
Introduction
Developers and IT staff ensure functionality, not security. The configurations made on the application server, DB server, proxy, applications and other devices need to be in line with the security requirements. Most security requirements get missed unless identified by experts or hackers.
Examples of these security misconfigurations are weak passwords, default passwords, default scripts stored on the servers, default directories, default error messages etc.
Countermeasure
- Have a hardening process in place for both hardware and applications. Do ensure that defaults are changed.
- Install only the required features from a framework.
- Review the security of the configurations at fixed intervals.
7. Cross Site Scripting (XSS)
Introduction
Cross-site scripting occurs when an attacker is able to insert untrusted data/scripts into a web page. The data/scripts inserted by the attacker get executed in the browser and can steal users’ data, deface websites, etc.
XSS is of three types:
- Reflected
- Stored
- DOM-based
Countermeasure
- Output encoding and escaping untrusted characters.
- Enabling a Content-Security-Policy (CSP)
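Both countermeasures in server code, as an added example that is not from the original article: untrusted values are encoded for the exact context they land in (HTML text, a double-quoted attribute, a URL query parameter), and the response carries a CSP that only allows scripts bearing a per-response nonce, so even a string that slipped past encoding could not execute. The `render_comment` and `security_headers` functions and the sample inputs are constructed for the example.

```python
import html
import secrets
from urllib.parse import quote


def render_comment(author: str, comment: str) -> str:
    """Return an HTML fragment with each untrusted value encoded for its context.

    html.escape(quote=True) turns & < > " ' into entities, so a value cannot
    close a tag or a double-quoted attribute; quote(safe="") percent-encodes
    everything outside the unreserved set for the URL parameter."""
    return (
        f'<p class="comment" data-author="{html.escape(author, quote=True)}">'
        f'<a href="/profile?u={quote(author, safe="")}">{html.escape(author)}</a>: '
        f"{html.escape(comment)}</p>"
    )


def new_nonce() -> str:
    """Fresh per-response nonce; the same value goes into the CSP and each <script nonce=...>."""
    return secrets.token_urlsafe(16)


def security_headers(nonce: str) -> dict:
    """CSP: scripts run only from this origin and only when tagged with the nonce.
    Inline event handlers and javascript: URLs are blocked, object/plugin
    content is disabled, and <base> cannot be redirected."""
    policy = (
        f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'"
    )
    return {
        "Content-Security-Policy": policy,
        "X-Content-Type-Options": "nosniff",
    }
```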
8. Insecure Deserialization
Introduction
Some applications save data on the client side, and they may be using object serialization. Applications which rely on the client to maintain state may allow tampering with serialized data. This is a new entry in the list and is difficult to exploit.
Countermeasure
- Encryption of the serialized data.
- Run deserializers with least privileges.
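A tamper-evident way to keep state on the client, as an added example that is not from the original article: the state is serialized as plain JSON (data only, never an object graph that a deserializer would reconstruct), an HMAC-SHA256 tag is appended, and on the way back the tag is verified before anything is parsed, after which the structure is checked against the fields the server expects. The article's countermeasure mentions encryption; this example shows the integrity half that detects tampering (an AEAD cipher could be layered on top). The token format, key and state fields are the example's own.

```python
import base64
import hashlib
import hmac
import json


class TamperedState(ValueError):
    """Client-supplied state failed verification; nothing in it was used."""


def encode_part(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_part(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def serialize_state(state: dict, key: bytes) -> str:
    """JSON payload plus HMAC-SHA256 tag: '<payload_b64>.<tag_b64>'."""
    payload = json.dumps(state, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return encode_part(payload) + "." + encode_part(tag)


def deserialize_state(token: str, key: bytes) -> dict:
    """Verify the tag first, then parse, then check the shape of what came back."""
    try:
        payload_part, tag_part = token.split(".")
        payload, tag = decode_part(payload_part), decode_part(tag_part)
    except ValueError:
        raise TamperedState("malformed token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison; nothing from the client is interpreted until this passes.
    if not hmac.compare_digest(tag, expected):
        raise TamperedState("signature mismatch")
    state = json.loads(payload)
    # Schema check: only the fields and types the server expects are accepted.
    if not (
        isinstance(state, dict)
        and set(state) == {"user", "cart"}
        and isinstance(state["user"], str)
        and isinstance(state["cart"], list)
    ):
        raise TamperedState("unexpected structure")
    return state


# Constructed key for the demonstration; a real key comes from a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"
```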
9. Using Components with known vulnerabilities
Introduction
If the application uses any components with known vulnerabilities, this may lead to security breaches or server takeover. The components can be coding frameworks, libraries, vulnerable functions, network frameworks, etc.
Countermeasure
- Frequent patching process.
- Subscribe to forums which share the latest vulnerabilities along with their CVE numbers and mitigation techniques/fixes. Check whether each vulnerability affects the devices/software in your inventory and fix them.
10. Insufficient logging and monitoring
Introduction
With all the countermeasures in place, attacks still happen, and they get noticed only after an incident has occurred. If undetected, the attackers could have compromised the systems long ago and gained persistence.
To ensure the malicious intent of attackers gets noticed beforehand, it is essential to log all activity and monitor it for any suspicious behavior.
Countermeasure
- 24x7 monitoring of application traffic and log analysis.
- Effective security incident and response procedures need to be in place and practised.
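What monitoring the logs looks like in practice, as an added example that is not part of the original article: a small detector runs over authentication log lines, keeps a sliding one-minute window of failed logins per source address, raises an alert when five failures land inside the window, and records whether a successful login followed the burst, which is the event a responder most wants escalated. The log format, the sample lines and the threshold are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <source ip> login <ok|fail> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login (?P<result>ok|fail) user=(?P<user>\S+)$"
)

# Constructed sample of application auth-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 login fail user=alice
2024-01-01T10:00:02 203.0.113.5 login fail user=alice
2024-01-01T10:00:04 203.0.113.5 login fail user=bob
2024-01-01T10:00:05 203.0.113.5 login fail user=carol
2024-01-01T10:00:07 203.0.113.5 login fail user=dave
2024-01-01T10:00:09 203.0.113.5 login ok user=dave
2024-01-01T10:03:00 198.51.100.7 login fail user=erin
2024-01-01T10:09:00 198.51.100.7 login fail user=erin
"""


def detect_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {ip: alert} for sources with >= threshold failed logins inside a sliding window.

    Each alert records the first failure in the window, the failure count, and
    the user name of any successful login that followed the burst (or None)."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # in production, count unparsable lines too; a format change hides attacks
        ts = datetime.fromisoformat(match["ts"])
        ip = match["ip"]
        if match["result"] == "ok":
            # A success right after a burst of failures is the event to escalate.
            if ip in alerts and alerts[ip]["followed_by_success"] is None:
                alerts[ip]["followed_by_success"] = match["user"]
            continue
        failures = recent[ip]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()  # slide the window forward
        if len(failures) >= threshold and ip not in alerts:
            alerts[ip] = {
                "first": failures[0],
                "count": len(failures),
                "followed_by_success": None,
            }
    return alerts
```

The second address fails twice six minutes apart and never crosses the threshold, which is the kind of noise a fixed per-day counter would flag and a sliding window does not.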
Source
- greycampus.com