Top 10 vulnerabilities and ways to prevent OWASP

The list of Top 10 OWASP vulnerabilities - the most critical web application security risks - has been updated.

The OWASP Top 10 project is referenced by many standards, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many others. OWASP Top 10 is the recognized methodology for assessing web application vulnerabilities worldwide.

The Open Web Application Security Project (OWASP) is an open-source web application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. The community works to create freely available articles, tutorials, documentation, tools, and technologies.

The version of the standard is updated approximately every three years and reflects current trends in web application security.

OWASP Top 10 2013

List of the most dangerous risks (vulnerabilities) of web applications from 2013:

  • A1 Code injection
  • A2 Invalid Authentication and Session Management
  • A3 Cross-site scripting
  • A4 Insecure Direct Object References
  • A5 Insecure configuration
  • A6 Leakage of sensitive data
  • A7 Lack of access control to a functional level
  • A8 Cross-Site Request Forgery
  • A9 Using Components with known vulnerabilities
  • A10 Unvalidated redirects

OWASP Top 10 2017 RC

List of the most dangerous risks (vulnerabilities) of web applications from 2017:

  • A1 Code injection
  • A2 Invalid Authentication and Session Management
  • A3 Cross-site scripting
  • A4 Violation of access control
  • A5 Insecure configuration
  • A6 Leakage of sensitive data
  • A7 Insufficient protection against attacks (NEW)
  • A8 Cross-Site Request Forgery
  • A9 Using Components with known vulnerabilities
  • A10 Insufficient logging and monitoring

Changes

The first three, code injection, flawed session management and storage, and cross-site scripting, remain unchanged. This indicates that despite the large number of best practices for writing secure code, data sanitization tools, the introduction of various tokens, and so on, web applications have not become safer.

The old category Broken Access Control has returned, now at 4th place; in the new edition it merges A4 and A7 from the 2013 edition.

7th place is now occupied by a new category, Insufficient Attack Protection. Most web applications and environments lack the ability to detect, prevent, and respond to modern attacks, whether automated or manual. Identifying and defending against attacks goes far beyond basic input validation and should include automatic detection, logging, reaction, and even blocking of exploitation attempts. Application owners also need to be able to deploy patches against attacks quickly. In other words, it is a direct recommendation to use a web application firewall to protect a web application.

From 10th place, unvalidated redirects disappeared, and their place was taken by underprotected APIs: the interfaces behind client-side JavaScript, SOAP / XML, REST / JSON, RPC, GWT, and so on. These APIs are often insecure and contain many vulnerabilities.

Injection

Injection vulnerabilities occur when an attacker uses a query or command to send untrusted data to an interpreter, via SQL, OS, NoSQL, or LDAP injection. The data entered through this attack vector forces the application to do something it was not intended to do. Not all applications are vulnerable to this attack; only applications that accept untrusted parameters as input are exposed to injection attacks.

Injection attacks can be prevented by

  • Using a safer API that eliminates the use of an interpreter.
  • Using parameterized queries when coding.
  • Separating commands from data to avoid attacks.

Broken authentication

Broken authentication is a vulnerability that allows an attacker to use manual or automated methods to try to gain control of any account they want on the system. In the worst case, they could also gain complete control over the system. This vulnerability is all the more dangerous because websites with broken authentication are very common on the Internet. Broken authentication typically occurs when applications perform session management functions improperly, allowing attackers to crack passwords, security keys, or session tokens.

Broken authentication attacks can be prevented by using

  • Implementation of multi-factor authentication.
  • Protecting user credentials.
  • Sending passwords over encrypted connections.

Disclosure of confidential data

This vulnerability is one of the most common on the OWASP list. It occurs when applications and APIs do not adequately protect sensitive data such as financial data, social security numbers, usernames and passwords, or medical information, which allows attackers to obtain that information and commit fraud or steal personal data.

Attacks to disclose sensitive data can be prevented by

  • Using a secure URL.
  • Use of strong and unique passwords.
  • Encryption of all confidential information that needs to be preserved.

XML External Entities (XXE)

This vulnerability occurs in web applications that parse XML input. It arises when poorly configured XML processors evaluate external entity references in XML documents, which lets an attacker read sensitive data from the server, for example files on its storage, and send it to an unauthorized external destination. By default, most XML parsers are vulnerable to XXE attacks.

XXE attacks can be prevented with

  • Using less complex data formats such as JSON.
  • Updated XML processors and libraries.
  • Using SAST tools.
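A concrete parser-side control, added here as an example and not taken from the article: untrusted XML is rejected before parsing if it carries a DOCTYPE at all, since the inline DTD is where entity declarations (external `SYSTEM` ones included) live. The guard uses only Python's standard library; the `order` document shape, the `UnsafeXML` exception and the placeholder file path in the usage example are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE is refused outright. The documents this service expects never
# carry one, and refusing the DTD removes the place where ENTITY declarations
# (and therefore external entity references) can appear. This is a pre-parse
# guard on the raw bytes; it assumes UTF-8/ASCII input, so decode other
# encodings before applying it.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

class UnsafeXML(ValueError):
    pass

def parse_untrusted_xml(data):
    if _DOCTYPE_RE.search(data):
        raise UnsafeXML("DOCTYPE/DTD not allowed in untrusted input")
    return ET.fromstring(data)

def extract_order(data):
    """Parse a constructed <order id=...><item>...</item></order> document."""
    root = parse_untrusted_xml(data)
    return {"id": root.get("id"), "item": root.findtext("item")}

if __name__ == "__main__":
    clean = b'<order id="7"><item>widget</item></order>'
    print(extract_order(clean))
    hostile = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
               b'<order id="7"><item>&ext;</item></order>')
    try:
        extract_order(hostile)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

Refusing the DTD is the simplest posture when the application never needs one; where DTDs are legitimately required, the parser must instead be configured not to resolve external entities, and the `defusedxml` package is the usual drop-in for that in Python.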

Violated access control

This vulnerability occurs when access to resources is not properly restricted: missing or misconfigured restrictions allow authenticated users to reach functions or data they are not authorized for, such as other users' accounts or confidential documents. Attackers also exploit weaknesses in session management and try to reuse unexpired session tokens, which gives them access to many valid IDs and passwords.

Access Control Violation Attacks can be prevented by using

  • Deleting accounts that are no longer needed or inactive.
  • Disable unnecessary services to reduce the load on the servers.
  • Using penetration testing.
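Both halves of the description above, an object-level authorization check and session tokens that stop working once they expire, fit in one small example. This is added code, not from the article; the document store, role table, session lifetime and the `now` parameter (passed in so the check is deterministic) are all assumptions for the demonstration.

```python
import secrets

# Constructed sample state: documents with an owner, a role table, and
# server-side sessions keyed by an opaque token.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's report"},
    102: {"owner": "bob", "body": "bob's invoice"},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
SESSION_TTL = 900          # seconds; policy value assumed here
SESSIONS = {}              # token -> (username, expires_at)

def create_session(username, now):
    token = secrets.token_urlsafe(32)   # unguessable, so tokens cannot be enumerated
    SESSIONS[token] = (username, now + SESSION_TTL)
    return token

def resolve_session(token, now):
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user, expires_at = entry
    if now >= expires_at:
        SESSIONS.pop(token, None)       # expired tokens are discarded, never honoured
        return None
    return user

def get_document(token, doc_id, now):
    user = resolve_session(token, now)
    if user is None:
        raise PermissionError("not authenticated")
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    # Object-level check: being logged in does not mean the identifier in the
    # request belongs to the caller. Deny unless owner or admin.
    if doc["owner"] != user and ROLES.get(user) != "admin":
        raise PermissionError("not authorised for this document")
    return doc["body"]

if __name__ == "__main__":
    t = create_session("alice", now=1000)
    print(get_document(t, 101, now=1001))
    try:
        get_document(t, 102, now=1001)
    except PermissionError as exc:
        print("denied:", exc)
```

The decision is made on the server from data it controls (session store, owner column), never from anything the client sends beyond the token and the identifier, which is what keeps a guessed or incremented `doc_id` from leaking another user's data.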

Invalid security configuration

It is estimated that up to 95% of cloud computing breaches are the result of human error, and this fact leads us to the next vulnerability, security misconfiguration. The vulnerability relates to an incorrect implementation of the security controls designed to protect application data. As we know, a developer's job is mainly to work on the functionality of the website, not on its security, and this flaw lets attackers probe the security configuration and find new ways to enter the website. The most common cause of this vulnerability is failing to patch or update systems, frameworks, and components.

Misconfiguration attacks can be prevented by

  • Using Dynamic Application Security Testing (DAST).
  • Disable the use of passwords by default.
  • Keep track of cloud resources, apps, and servers.

Cross-Site Scripting (XSS)

It is also a widespread vulnerability, affecting nearly 53% of all web applications. An XSS vulnerability allows an attacker to inject malicious client-side scripts into a website and then use the web application as an attack vector to hijack user sessions or redirect the victim to malicious websites.

Cross-site scripting attacks can be prevented

  • Using appropriate response headers.
  • Input filtering and output encoding.
  • Use of content security policy.
  • Applying a zero-trust approach to user input.
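Output encoding and response headers, the first three points above, are shown together in the following added example (not code from the article). It uses Python's standard `html` module for context-aware escaping and builds a Content-Security-Policy with a per-response nonce; the comment template, header set and CSP directives are assumptions chosen for the demonstration.

```python
import html
import secrets

def encode_for_html_body(value):
    # Text-node context: <, > and & are enough to stop tag injection.
    return html.escape(value, quote=False)

def encode_for_html_attribute(value):
    # Quoted-attribute context additionally needs " and ' escaped so the
    # value cannot close the attribute and start a new one.
    return html.escape(value, quote=True)

def render_comment(author, text):
    # Encoding is applied at the sink, for the exact context each value lands in.
    return ('<div class="comment" data-author="%s"><p>%s</p></div>'
            % (encode_for_html_attribute(author), encode_for_html_body(text)))

def new_nonce():
    return secrets.token_urlsafe(16)

def security_headers(nonce):
    # Headers that limit what an injected script could do even if an encoding
    # step were missed somewhere: only same-origin or nonce-bearing scripts run.
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self' 'nonce-%s'; "
            "object-src 'none'; base-uri 'none'" % nonce),
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }

if __name__ == "__main__":
    # Constructed untrusted inputs.
    print(render_comment('" onmouseover="x', "<script>alert(1)</script> hello"))
    nonce = new_nonce()
    for name, value in security_headers(nonce).items():
        print("%s: %s" % (name, value))
```

A template engine with auto-escaping does the same job at scale; the point of writing it out is that the encoding depends on where the value lands, and that CSP is the backstop for the case where one sink is missed.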

Insecure deserialization

The Insecure Deserialization vulnerability allows an attacker to remotely execute code in an application, tamper with or delete serialized (written to disk) objects, perform injection attacks and replay attacks, and escalate privileges. This attack is also known as untrusted deserialization. It is a serious application security issue that affects most modern systems.

Insecure deserialization attacks can be prevented with

  • Implementation of digital signatures.
  • Using penetration testing.
  • Isolating code that deserializes and running it in low-privilege environments to prevent unauthorized actions.
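The first point, digital signatures, in practice means: never hand bytes to a deserializer until their integrity has been verified. The following added example (not from the article) signs a JSON payload with HMAC-SHA256 and refuses to parse anything whose tag does not verify; it deliberately uses JSON rather than a native object serializer so that even a verified payload can only ever produce plain data. The key, the token format and the `InvalidToken` exception are assumptions for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import json

class InvalidToken(ValueError):
    pass

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def serialize_signed(obj, key):
    """Return '<payload>.<tag>' where tag = HMAC-SHA256(key, payload)."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)

def deserialize_verified(token, key):
    """Verify the tag first; only then parse the payload, and only as JSON."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        raise InvalidToken("malformed token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise InvalidToken("signature mismatch")
    # The parser is json: it builds dicts, lists and scalars, never arbitrary
    # objects, so a verified payload cannot smuggle in executable behaviour.
    return json.loads(payload)

if __name__ == "__main__":
    key = b"constructed-demo-key-replace-in-real-use"
    token = serialize_signed({"user": "bob", "role": "user"}, key)
    print(token)
    print(deserialize_verified(token, key))
    forged_payload = serialize_signed({"user": "bob", "role": "admin"}, key).split(".")[0]
    try:
        deserialize_verified(forged_payload + "." + token.split(".")[1], key)
    except InvalidToken as exc:
        print("rejected:", exc)
```

Splicing a different payload onto an existing tag, or presenting a token made under another key, fails before any parsing happens. Where a native format such as pickle is unavoidable, the same verify-then-parse ordering applies, together with the isolation and low-privilege execution the third point above describes.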

Using components with known vulnerabilities

Today, many open-source and freely available software components (libraries, frameworks) are available to developers, and if any of them has a known vulnerability it becomes a weak link that can affect the security of the entire application. This is compounded by the fact that developers are often unaware of which open-source and third-party components are present in their applications, which makes it difficult to update components when new vulnerabilities are discovered in the versions in use.

This attack can be prevented

  • Removing all unnecessary dependencies.
  • Using a virtual patch.
  • Use of components only from official and verified sources.
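The inventory problem described above is what software composition analysis tools solve: know what is installed, and compare it against advisories. The following added example (not from the article) does the minimal version of that over a pinned requirements list. The advisory table, package names, versions and advisory identifiers are all constructed placeholders; a real check would pull them from a vulnerability database.

```python
import re

# Constructed advisory table: package -> list of (first fixed version, advisory id).
# Versions below "first fixed" are considered affected. All values are placeholders.
ADVISORIES = {
    "examplelib": [("2.4.1", "ADVISORY-PLACEHOLDER-1")],
    "otherpkg": [("1.0.5", "ADVISORY-PLACEHOLDER-2")],
}

def parse_version(text):
    """Dotted numeric versions only (assumption for this example)."""
    return tuple(int(part) for part in text.split("."))

def parse_requirements(text):
    """Read 'name==version' lines; comments and blank lines are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)$", line)
        if not match:
            # Unpinned or range specifiers cannot be audited reliably; fail loudly.
            raise ValueError("only pinned 'name==version' lines are supported: %r" % line)
        deps[match.group(1).lower()] = match.group(2)
    return deps

def check_dependencies(requirements_text, advisories=ADVISORIES):
    """Return (name, installed, fixed_in, advisory) for every affected pin."""
    findings = []
    for name, version in parse_requirements(requirements_text).items():
        for fixed_in, advisory in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, fixed_in, advisory))
    return findings

if __name__ == "__main__":
    # Constructed requirements file.
    sample = "examplelib==2.3.0   # affected\notherpkg==1.0.5     # at the fixed version\nunlisted==0.1\n"
    for finding in check_dependencies(sample):
        print("%s %s is below %s (%s)" % finding)
```

Running this in CI against the real lock file, with the advisory table replaced by a live feed, turns "we did not know it was there" into a failed build, which is the practical form of the first and third points above.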

Insufficient logging and monitoring

It is estimated that the time from attack to detection can be up to 200 days, and often more. Meanwhile, attackers can tamper with servers, corrupt databases, and steal confidential information. Insufficient logging and ineffective security integration allow attackers to move between systems and maintain a persistent presence.

Insufficient logging and monitoring attacks can be prevented

  • Implementation of logging and auditing software.
  • Creation of an effective monitoring system.
  • Think like an attacker and use penetration testing.
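Logging only helps if something reads the logs. As an added example (not code from the article), here is a small detection run over constructed authentication log lines: it flags any source address that accumulates a threshold of failed logins inside a sliding time window, which is the kind of signal the "effective monitoring system" point refers to. The log format, field names, addresses and thresholds are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one auth event per line, in an assumed format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth result=failure user=bob src=203.0.113.5
2024-05-01T10:00:04Z auth result=failure user=bob src=203.0.113.5
2024-05-01T10:00:07Z auth result=failure user=alice src=203.0.113.5
2024-05-01T10:00:09Z auth result=failure user=bob src=198.51.100.7
2024-05-01T10:00:12Z auth result=failure user=carol src=203.0.113.5
2024-05-01T10:00:15Z auth result=failure user=bob src=203.0.113.5
2024-05-01T10:00:20Z auth result=success user=bob src=198.51.100.7
2024-05-01T10:00:25Z auth result=failure user=dave src=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) auth result=(success|failure) user=(\S+) src=(\S+)$")

def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines in another format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, match.group(2), match.group(3), match.group(4)

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Map src -> peak number of failures seen within any window of the given length."""
    windows = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, _user, src = parsed
        if result != "failure":
            continue
        recent = windows[src]
        recent.append(ts)
        # Drop failures that fell out of the window as time moves forward.
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(recent))
    return flagged

if __name__ == "__main__":
    for src, count in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print("ALERT: %d failed logins from %s within 60s" % (count, src))
```

The same sliding-window shape works per account instead of per source address (spraying one account from many addresses), and the alert is only as good as the audit trail feeding it: the authentication code has to emit the success/failure events in the first place, which is the "logging and auditing software" point.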



More articles by Chandan Singh Ghodela