Mitigation of OWASP Top 10 (2021) Vulnerabilities:

The Open Web Application Security Project (OWASP) is a non-profit entity dedicated to offering guidance for secure software application development and maintenance. It gained prominence through its compilation of the Top 10 web application security vulnerabilities. These vulnerabilities highlight critical risks that impact web applications.

More significantly, the OWASP Top 10 elucidates various categories of application security risks, offering preventive measures for developers and prescribing best practices to mitigate existing vulnerabilities.

First introduced in 2003, subsequent versions of the OWASP Top 10 were released in 2004, 2007, 2010, 2013, 2017, and 2021.

In this article we cover the following OWASP web application security risks:

A1. Broken Access Control

A2. Cryptographic Failures

A3. Injections

A4. Insecure Design

A5. Security Misconfigurations

A6. Vulnerable and Outdated Components

A7. Identification and Authentication Failures

A8. Software and Data Integrity Failures

A9. Security Logging and Monitoring Failures

A10. Server-side Request Forgery (SSRF)


A1. Broken Access Control-

When access control is breached, an attacker can gain access to user accounts, admin panels, databases, servers, sensitive information, business-critical applications, and other sensitive assets. It can allow unauthorized users to modify privileges to their advantage and perform destructive operations such as tampering with data or destroying it.

  • Least Privileges Approach
  • Build strong access control with role-based authentication mechanisms
  • Deny basic access to features except public resources
  • Keep your servers lean by turning off unnecessary services and removing inactive and unnecessary accounts
  • If you have multiple access points, disable unnecessary access points.
  • Rate limiting API and controller access
  • Sensitive data should not be stored in the root directory.
  • The server directory listing must be disabled.
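The first three bullets (least privilege, role-based checks, deny by default) as an added example in Python; this is not code from the article. The policy table, roles and resource names are constructed for illustration.

```python
"""Deny-by-default, role-based access check (added example; not from the article)."""
from dataclasses import dataclass, field

# Constructed policy: resource -> action -> roles allowed to perform it.
# Anything not listed is denied, so a new endpoint stays closed until a rule
# is written for it (the "deny access except public resources" principle).
POLICY = {
    "public/home":     {"read": {"anonymous", "user", "admin"}},
    "account/profile": {"read": {"user", "admin"}, "write": {"user", "admin"}},
    "admin/panel":     {"read": {"admin"}, "write": {"admin"}},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)   # least privilege: empty by default

def is_allowed(user, resource, action):
    """Return True only if an explicit rule grants one of the user's roles the action."""
    allowed_roles = POLICY.get(resource, {}).get(action, set())
    return bool(user.roles & allowed_roles)

def check_object_owner(user, record_owner, resource, action):
    """Horizontal check: a valid role is not enough to touch another user's record."""
    if "admin" in user.roles:
        return is_allowed(user, resource, action)
    return user.name == record_owner and is_allowed(user, resource, action)

if __name__ == "__main__":
    alice = User("alice", {"user"})
    print(is_allowed(alice, "admin/panel", "read"))                        # False
    print(check_object_owner(alice, "bob", "account/profile", "write"))    # False
```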

A2. Cryptographic Failures-

Cryptographic failures (formerly listed in the Top 10 as “sensitive data exposure”) moved from position 3 to 2. It emphasizes encryption errors or lack of encryption that can lead to the exposure of sensitive data.

  • Encrypt all data at rest using secure and trusted encryption algorithms, keys and protocols.
  • Encrypt all data in transit using modern security protocols such as TLS.
  • Identify and enforce strong security controls for all sensitive data.
  • Do not collect and store sensitive data unless absolutely necessary.
  • Do not cache sensitive data or data collection forms.
  • Disable form autocomplete.
  • Store passwords using strong, proven hash functions.

A3. Injections-

Injection is an attack against a website that exploits vulnerabilities in the database or other part of the operating environment. Most injection attacks rely on a web application’s inability to distinguish user inputs from its own code. The attacker can then run malicious code in the application context, gaining access to protected areas and sensitive data.

  • Injection attacks might use structured query language (SQL) to retrieve information or perform a database operation that the attacker should not be allowed to perform. Other types of injection include command injection, which occurs at the operating system level, carriage return line feed (CRLF) injection, and lightweight directory access protocol (LDAP) injection.
  • Adopt an API that completely bypasses the interpreter, use parameterized queries, or move to an object-relational mapping (ORM) approach.
  • Use allowlist validation for inputs on the server side. Most injection attacks rely on special characters, and allowlists defining which characters or inputs are allowed can reduce the risk. However they are not foolproof.
  • Use LIMIT and other SQL constraints in queries to avoid exposing large amounts of data in case of SQL injection.
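The parameterized-query, allowlist and LIMIT advice above as an added example (not code from the article): a string-built lookup shown beside its parameterized replacement, with server-side allowlist validation layered on top. The in-memory SQLite table and its rows are constructed for the demo.

```python
"""SQL injection: concatenated query beside its parameterized fix (added example)."""
import re
import sqlite3

# Constructed in-memory table standing in for the application's user store.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "user"), ("bob", "user"), ("root", "admin")])

def find_user_vulnerable(username):
    """'Before' version: the interpreter cannot tell user input from SQL."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def find_user_safe(username):
    """Parameterized query: the driver passes input as data, never as SQL.
    LIMIT bounds what a single lookup can ever return."""
    sql = "SELECT username, role FROM users WHERE username = ? LIMIT 1"
    return conn.execute(sql, (username,)).fetchall()

# Allowlist: only characters a username is permitted to contain.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def is_allowed_username(username):
    """Server-side allowlist check; defense in depth, not a substitute for binding."""
    return USERNAME_RE.fullmatch(username) is not None

def find_user_validated(username):
    if not is_allowed_username(username):
        raise ValueError("username rejected by allowlist")
    return find_user_safe(username)

if __name__ == "__main__":
    tautology = "' OR '1'='1"
    print(len(find_user_vulnerable(tautology)))   # 3: every row leaks
    print(find_user_safe(tautology))               # []: treated as a literal
```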

A4. Insecure Design-

This is a new category introduced by OWASP in 2021. It focuses on design and architectural flaws. Avoiding them requires careful threat modeling, taking security into consideration at the software design stage, and using reference architectures.

  • Integrate security from the start of the software development lifecycle (SDLC).
  • Build ready-to-use libraries of security-oriented design patterns, components, and frameworks for new applications and avoid building from scratch.
  • Use threat modeling to design critical functions such as access control, authentication, business logic, and key flow.
  • Add security concerns and controls into every user story developed as part of a software release.
  • Divide the application into tiers and identify attack scenarios for each tier.
  • Use plausibility testing to check whether certain inputs are acceptable at all, going from frontend to backend.

A5. Security Misconfigurations-

Common setup issues, such as incorrect access control configuration, can allow attackers to quickly and easily gain access to sensitive data and application functions. These include inappropriate permissions, unnecessary feature activation, use of default accounts and passwords, misconfigured HTTP headers, and detailed error messages.

  • Define a clear, easy deployment process that enforces application hardening.
  • Use preconfigured templates, each with different credentials, to ensure identical configuration of development, testing, and production environments.
  • Maintain a securely configured container image registry.
  • Remove unused features and services and deploy applications with minimal configuration.
  • Regularly update and patch applications.
  • Use automated workflows to validate security configurations and detect misconfigurations, and fix any discovered issues immediately.

A6. Vulnerable and Outdated Components-

Most web applications use third-party components, either open source or proprietary. These components contain code that is outside the organization’s control, which can lead to undesirable outcomes like access control violations and injection attacks.

  • Maintain an up-to-date inventory of all components used by applications and their versions.
  • Continuously scan components, libraries, and their dependencies for vulnerabilities.
  • Keep all components up to date. Apply a virtual patch (a security policy or rule that can protect against exploit) if a patch is not immediately available from the vendor.
  • Remove deprecated or unneeded components, features, and dependencies from your application.
  • Only use components and third party software from official and trusted sources.

A7. Identification and Authentication Failures-

Functions related to user authentication and session management, if not properly implemented, can expose user credentials, grant excessive privileges, or enable users to impersonate other identities.

  • Enforce the use of multi-factor authentication.
  • Do not use default credentials, especially administrator privileges.
  • Implement a strong password policy.
  • Deploy a secure session manager that generates timed session IDs.
  • Monitor failed login attempts and set limits and delays.
  • Use strong user registration and credential recovery processes.
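The "monitor failed login attempts and set limits and delays" bullet as an added example (not code from the article): a small throttle that doubles the retry delay per consecutive failure and locks the key out after a threshold. The thresholds are constructed values; the clock is injectable so the behaviour can be checked offline.

```python
"""Failed-login limiter with back-off and lockout (added example; not from the article)."""
import time
from collections import defaultdict

MAX_ATTEMPTS = 5      # constructed thresholds; set per policy
BASE_DELAY = 1.0      # seconds; doubles with each consecutive failure
LOCKOUT = 15 * 60     # seconds once MAX_ATTEMPTS is reached

class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                       # injectable for offline tests
        self.failures = defaultdict(int)         # key -> consecutive failures
        self.not_before = defaultdict(float)     # key -> earliest allowed retry

    def check(self, key):
        """Return (allowed, seconds_to_wait); key is username, client IP, or both."""
        wait = self.not_before[key] - self.clock()
        return (wait <= 0, max(wait, 0.0))

    def record_failure(self, key):
        """Register a failed attempt and return the delay imposed."""
        self.failures[key] += 1
        n = self.failures[key]
        delay = LOCKOUT if n >= MAX_ATTEMPTS else BASE_DELAY * (2 ** (n - 1))
        self.not_before[key] = self.clock() + delay
        # A real deployment also emits a security log event here (see A9).
        return delay

    def record_success(self, key):
        """Reset state after a successful login."""
        self.failures.pop(key, None)
        self.not_before.pop(key, None)

if __name__ == "__main__":
    throttle = LoginThrottle()
    for _ in range(5):
        throttle.record_failure("alice")
    print(throttle.check("alice"))   # (False, ~900.0): locked out
```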

A8. Software and Data Integrity Failures-

Data integrity is becoming a primary concern for software security. This is a new category introduced by OWASP in 2021, which focuses on the integrity of software updates, critical application data, and CI/CD pipelines. A software and data integrity failure occurs when any of these are tampered with by an attacker, and other components within the application do not verify their integrity.

  • Use digital signatures or similar mechanisms to verify that data or software has not been tampered with and that it came from its intended source.
  • Use software supply chain security tools such as OWASP CycloneDX and OWASP Dependency-Check to ensure that components are free of design flaws.
  • Ensure that the CI/CD pipeline uses segmentation, access control, and parameterization to protect code integrity from build through to production deployment.
  • Do not send unsigned or unencrypted compiled data to untrusted clients, unless measures have been taken to identify tampering or duplication of the data.

A9. Security Logging and Monitoring Failures-

When suspicious behavior occurs in an application and logging and monitoring are not in place, security breaches are much more likely to be successful. This category focuses on identifying, escalating, and resolving security incidents. Detecting a breach is almost impossible without logging and monitoring.

  • Instantly detect suspicious activity with out-of-the-box logging and auditing software.
  • Make sure logs are contextual and available in a format that enables in-depth forensic analysis.
  • Implement security controls to prevent attackers from tampering with log data.

A10. Server-side Request Forgery (SSRF)-

This category was added to the OWASP Top 10 list in 2021 because it was the top vulnerability voted in the OWASP Top 10 Community Survey. An SSRF vulnerability allows an attacker to access data on a remote resource based on an unauthenticated, custom URL. Even servers protected by a firewall or VPN can be vulnerable if they accept unvalidated user input.

  • Always perform validation of user input and sanitize all inputs.
  • If an application has remote resource access functionality, ensure it is isolated from other aspects of the application.
  • Block unsolicited incoming traffic with default deny firewall policy.
  • Prevent clients from receiving raw responses.
  • Create an allowlist of ports, destinations, and URL schemes.
  • Disable HTTP Redirection.
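The allowlist bullets above (schemes, destinations, ports) plus input validation as an added example in Python; this is not code from the article. The allowed hosts, the fake DNS table and its addresses are constructed; the resolver is injected so the check runs offline.

```python
"""Allowlist check for user-supplied outbound URLs (added example; not from the article)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "images.example.com"}   # constructed
ALLOWED_PORTS = {443}

def _is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_outbound_url(url: str, resolve) -> str:
    """Return url if every component is on the allowlist, else raise ValueError.
    resolve(host) returns the IP strings the host resolves to; connect to one of
    those same addresses afterwards so a second lookup cannot change the answer."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not allowed")
    port = parts.port or 443
    if port not in ALLOWED_PORTS:
        raise ValueError("port not allowed")
    ips = resolve(host)
    if not ips or not all(_is_public(ip) for ip in ips):
        raise ValueError("host resolves to a non-public address")
    # Make the request with redirects disabled (allow_redirects=False in requests),
    # otherwise a 3xx from an allowed host can send the client anywhere.
    return url

# Constructed stand-in for DNS; real code would call socket.getaddrinfo.
FAKE_DNS = {"api.example.com": ["93.184.216.34"],
            "images.example.com": ["10.0.0.5"]}   # second host resolves internally

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

def is_safe_url(url, resolve=fake_resolve):
    try:
        validate_outbound_url(url, resolve)
        return True
    except ValueError:
        return False
```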
