The Guide to OWASP Top 10 Vulnerabilities in Web Applications
What is the OWASP Top 10?
OWASP stands for Open Web Application Security Project, a non-profit organization founded in 2001 that has become one of the main reference points in the application security field. It is an open forum for discussion about web application security and a source of free resources for development teams. It points you to the business-critical issues in web applications that are most common today, and it produces standards and runs conferences to help organizations, enthusiasts and researchers in the security domain.
The OWASP Top 10 is the list of the most commonly encountered application vulnerabilities, with their risks, impact and countermeasures. It is revised periodically; the edition discussed in this guide is the 2017 one. The organization compiles the list from data contributed by various security organizations, and it appeals to all companies to adopt this awareness document and start the process of making sure their web applications minimize these risks.
OWASP Top 10 Web Application Vulnerabilities
1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML External Entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross site scripting (XSS)
8. Insecure Deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring
1. Injection
If your application takes user input and builds a database query or interpreter command from it without validating it or separating it from the code, it falls into this category. Big companies have been hit by this type of attack; a successful one may let the attacker view unauthorized user lists, alter entire tables, and sometimes gain full access and rights over the database, which leads directly to business loss.
How it works
Using crafted SQL fragments, the attacker makes the application run queries that view or alter the contents of the database.
SQL is a language for talking to a database. It reads a little like English (you can say things like "select these columns from this table"), it is not complicated compared with general-purpose programming languages, and you get results back from the database. This was fine until the web came along and attackers found a different use for it: getting information out of a database they were never meant to query.
An attacker visits a website and navigates to a page tied to sensitive data, for example the login page, knowing it is backed by a database. Whatever the attacker enters in the username and password fields, some functionality has to tie those credentials to the database, and some query has to validate them before the user is let through to the next page or the account page. If that query is built by pasting the submitted strings into the SQL text, the strings become part of the query and can change its meaning: a quote character closes the literal the developer intended, and whatever follows is executed as SQL.
- Prepared statements force the developer to define all the SQL code first and pass each parameter to the query later, so user input is always treated as data and can never change the structure of the query
- Stored procedures require the developer to build SQL statements that are parameterized (they only help if the procedure does not itself build dynamic SQL from its arguments)
- Use a safe API that avoids the interpreter entirely or provides a parameterized interface, such as an ORM, and validate input against an allow-list as an additional layer
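To make the login scenario concrete, here is an added example (not code from the original article) in Python using the standard sqlite3 module. The vulnerable login pastes the submitted strings into the SQL text; the safe one uses a prepared statement with bound parameters. The table, its rows and the two attacker inputs are constructed for the demonstration, and the placeholder "hash" strings stand in for real password hashes.

```python
import sqlite3

# Constructed in-memory database so the example runs offline. Real applications store
# password hashes, not these placeholder strings; the injection works the same either way.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b"), ("admin", "hash-admin")])
    return conn


def login_vulnerable(conn, username, password_hash):
    """Pastes the submitted strings into the SQL text, so they can change the query."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password_hash):
    """Prepared statement: the SQL is fixed first, the values are bound separately."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]


# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"     # turns the WHERE clause into "... AND password_hash = '' OR '1'='1'"
COMMENT_OUT = "admin'--"      # closes the username literal and comments out the password check


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology :", login_vulnerable(conn, "x", TAUTOLOGY))        # every user
    print("vulnerable, comment   :", login_vulnerable(conn, COMMENT_OUT, "anything"))  # admin
    print("safe, tautology       :", login_safe(conn, "x", TAUTOLOGY))              # nothing
    print("safe, comment         :", login_safe(conn, COMMENT_OUT, "anything"))     # nothing
```

With the prepared statement the attacker's quote and `--` are just characters inside a bound value; SQLite never sees them as SQL, so the lookup for a user literally named `admin'--` returns no rows.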
2. Broken authentication
Broken authentication is widespread because of the way most identity and access controls are designed and implemented. An attacker can detect this weakness with manual methods and exploit it with automated tools, password lists and dictionary attacks; depending on the application, gaining access to only a few accounts, or just one admin account, is enough to compromise the system.
How it works
A broken authentication flaw lets an attacker use manual or automated tools to try to gain control of an account. If a guessed credential validates, the application hands out a valid session ID exactly as it would to the legitimate user. Such flaws can also let the attacker bypass the authentication methods of the web application altogether. The objective is to take over one or more accounts and obtain the same privileges as the victim.
Default passwords can also be tried in such an attack: knowing the manufacturer's defaults for a device, the attacker simply tries 'admin'/'admin', 'root'/'password' or 'root'/'toor' as username and password.
- Credentials must be protected at rest with a robust, slow, salted password hashing algorithm (for example bcrypt, scrypt, Argon2 or PBKDF2), never stored in plain text or with a fast general-purpose hash.
- Session IDs should never be exposed in the URL.
- Every session should time out once it exceeds its idle or absolute limit.
- Credentials should never be sent over plain HTTP; use TLS.
- Implement multi-factor authentication where possible, and throttle or lock accounts after repeated failed logins so that password lists and dictionary attacks become impractical.
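The following is an added example (not from the original article) that puts the storage, lockout and session-timeout points above into one small Python authentication store using only the standard library: PBKDF2 with a per-user salt, a constant-time comparison, a lockout after repeated failures, random session IDs meant for a cookie, and a sliding idle timeout. The iteration count, lockout length and timeout are constructed values (the iteration count is kept low so the example runs quickly; raise it for production), and the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed parameters for the demo; raise ITERATIONS for production use.
ITERATIONS = 100_000        # PBKDF2-HMAC-SHA256 work factor
MAX_FAILURES = 5            # consecutive failures before the account is locked
LOCKOUT_SECONDS = 15 * 60
SESSION_TTL = 30 * 60       # idle timeout for a session


class AuthStore:
    """In-memory user and session store; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        self.users = {}     # username -> {"salt", "hash", "failures", "locked_until"}
        self.sessions = {}  # session id -> {"user", "expires"}

    @staticmethod
    def _hash(password, salt):
        # Salted, slow hash: a leaked table cannot be reversed with precomputed tables
        # and every guess costs the attacker ITERATIONS of work.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt),
                                "failures": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return a new session id, or None on bad credentials or lockout."""
        user = self.users.get(username)
        # Always do the hash work so response time does not reveal whether the user exists.
        candidate = self._hash(password, user["salt"] if user else b"\0" * 16)
        if user is None or self.now() < user["locked_until"]:
            return None
        if not hmac.compare_digest(candidate, user["hash"]):   # constant-time compare
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:                # throttle dictionary attacks
                user["locked_until"] = self.now() + LOCKOUT_SECONDS
                user["failures"] = 0
            return None
        user["failures"] = 0
        sid = secrets.token_urlsafe(32)   # unguessable; send it in a cookie, never in the URL
        self.sessions[sid] = {"user": username, "expires": self.now() + SESSION_TTL}
        return sid

    def current_user(self, sid):
        """Resolve a session id to a username, expiring idle sessions."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        if self.now() > session["expires"]:
            del self.sessions[sid]
            return None
        session["expires"] = self.now() + SESSION_TTL   # sliding idle timeout
        return session["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    store = AuthStore()
    store.register("alice", "correct horse battery staple")
    print("wrong password ->", store.login("alice", "wrong"))
    sid = store.login("alice", "correct horse battery staple")
    print("session resolves to", store.current_user(sid))
```

The lockout here is per account; a real deployment also rate-limits by source address and, as the list above says, adds a second factor, since a lockout alone can be abused to lock legitimate users out.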
3. Sensitive data exposure
All data has to be handled with the confidentiality it deserves; letting unauthorized users read its contents leads to this type of attack. An attacker takes advantage of inadequate protection: data stored unencrypted, or transmitted or processed in the clear. It happens when a secure channel is not implemented correctly, which leaves a hole through which the attacker can steal sensitive information such as passwords, payment details or anything else.
- Encrypt the data, in transit and at rest, and define who may access it
- Put authentication gateways behind HTTPS (TLS), never plain HTTP
- Prevent weak passwords
4. XML External Entities (XXE)
An application is vulnerable to this attack if it lets users upload or submit XML that is handled by a processor with external entity support enabled. A malicious XML document can then be used to read files from the server, make the server issue requests to other systems, scan internal systems and perform other malicious tasks.
Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, taking advantage of vulnerable code, dependencies or integrations.
- Disable external entity and DTD processing in every XML parser the application uses; this is the primary fix.
- Use a web application firewall to detect and block XXE attempts as an additional layer.
- Code review.
- Use less complex data formats such as JSON whenever possible.
- Patch or upgrade all XML processors and libraries.
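As an added example (not from the original article), the snippet below shows the file-read variant of XXE with Python's standard xml.sax parser. The same attacker document is parsed twice: once with the external-entity feature switched on, which reproduces a vulnerable processor, and once with it off, which is Python's own default since 3.7.1. The "secret" file, its path and the document are constructed in a temporary directory so the example runs offline.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers the character data the parser reports inside the document."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


def parse_document(xml_bytes, allow_external_entities):
    """Parse XML with the external-entity feature on (vulnerable) or off (hardened).
    Python's expat-based SAX parser leaves it off by default since 3.7.1; other XML
    stacks have historically shipped with it on."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def xxe_payload(path):
    """Constructed attacker document: an external entity pointing at a server-side file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<order><item>&xxe;</item></order>"
    ).encode()


def demo():
    """Plant a secret file, feed the XXE document to both parser configurations and
    return (what the vulnerable parser leaked, what the hardened parser produced)."""
    with tempfile.TemporaryDirectory() as workdir:
        secret_path = os.path.join(workdir, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("TOP-SECRET-TOKEN")
        doc = xxe_payload(secret_path)
        leaked = parse_document(doc, allow_external_entities=True)
        hardened = parse_document(doc, allow_external_entities=False)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
```

The hardened parser still accepts the document; it simply substitutes nothing for the entity, which is why a JSON format with no entity mechanism at all is the simpler choice where you control both ends.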
5. Broken access control
Access control enforces the policy that users cannot act outside their intended permissions. When it fails, the typical result is unauthorized information disclosure, or an attacker impersonating a user and performing malicious actions with all the permissions that user was granted on the first day of the account's existence; this lets the attacker reach functionality that should have been off limits.
This type of vulnerability is common because of the lack of automated detection and of effective functional testing. How critical it is depends on what information or features the attacker can get to, from a small amount of data to a large one.
- Enforce access checks on the server side for every request, denying by default and granting only to the roles or owners explicitly allowed
- Strong password policy
- Secure password files
- Use of multi-factor authentication
- Restrict access to systems
- Account management
- User awareness
- Log access control failures and alert admins when they repeat
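The most common form of this flaw is an object reference the server never checks against the caller. The added Python example below (not from the original article) shows a lookup that trusts the invoice id beside one that consults a deny-by-default policy keyed on ownership and role, and logs every denial so id-walking can be alerted on. The invoices, users and roles are constructed sample data.

```python
import logging

log = logging.getLogger("access-control")

# Constructed sample data: each invoice belongs to one customer; admins may see all of them.
INVOICES = {
    1001: {"owner": "alice", "total": 120.0},
    1002: {"owner": "bob", "total": 75.5},
}
ROLES = {"alice": {"customer"}, "bob": {"customer"}, "carol": {"customer", "admin"}}


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(user, invoice_id):
    """The caller is authenticated (elsewhere) but nobody checks the invoice is theirs."""
    return INVOICES[invoice_id]          # bob fetches 1001 just by changing the id


# Policy: action -> rule over (user, roles, resource). Any action not listed is denied.
POLICY = {
    "invoice:read":   lambda user, roles, inv: "admin" in roles or inv["owner"] == user,
    "invoice:refund": lambda user, roles, inv: "admin" in roles,
}


def is_allowed(user, action, resource):
    roles = ROLES.get(user, set())       # unknown user -> no roles -> denied
    rule = POLICY.get(action)
    return bool(rule and rule(user, roles, resource))


def authorize(user, action, resource):
    if not is_allowed(user, action, resource):
        # Enough context to spot one user probing 1001, 1002, 1003, ... in sequence.
        log.warning("denied user=%s action=%s owner=%s", user, action, resource.get("owner"))
        raise Forbidden(f"{user} may not {action}")


def get_invoice_safe(user, invoice_id):
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return None
    authorize(user, "invoice:read", inv)
    return inv


def refund_invoice_safe(user, invoice_id):
    inv = INVOICES[invoice_id]
    authorize(user, "invoice:refund", inv)
    inv["refunded"] = True
    return inv


if __name__ == "__main__":
    print("vulnerable: bob reads alice's invoice ->", get_invoice_vulnerable("bob", 1001))
    print("safe: alice reads her own ->", get_invoice_safe("alice", 1001))
    try:
        get_invoice_safe("bob", 1001)
    except Forbidden as e:
        print("safe:", e)
```

In an HTTP application the "not found" and "not yours" cases should produce the same response (a 404) so that an attacker cannot enumerate which ids exist; the separate `None` and `Forbidden` results here are only to keep the two situations visible.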
6. Security misconfiguration
This type of vulnerability occurs when an unnecessary feature is enabled, or a setting is left at an insecure default, anywhere in the application stack: the platform, web server, application server, database, framework or custom code. Examples are leaving unused network ports open, using outdated software libraries, and keeping default accounts, sample pages or verbose error messages in production. The main issue is usually not a flaw in the application logic itself but in the configuration around it.
Attackers often attempt to exploit unpatched flaws, default accounts, and unprotected files and directories to gain unauthorized access to or knowledge of the system; in the worst case these flaws lead to a complete system compromise.
- Remove any unnecessary features, sample applications or plugins
- Change the username and password of every default account, or disable it
- Never present stack traces or detailed error messages to users
- Apply hardened settings to every component and keep them identical across development, test and production
- Set up an automated process that re-verifies the configuration after every change or new feature
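The last point is easiest to see as code. The added example below (not from the original article) puts a weak configuration next to its hardened counterpart and runs a small audit over both; the same function can be wired into CI or a deploy hook so that a new feature cannot silently reintroduce debug mode or a default account. The setting names are constructed and stand in for whatever your server or framework actually calls them; they are not taken from any real product.

```python
# Constructed settings dictionaries standing in for a web server / application config.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "password"), ("root", "toor")}
UNNEEDED_MODULES = {"status_page", "sample_app", "autoindex"}

WEAK_CONFIG = {
    "debug": True,                      # stack traces rendered to the browser
    "server_tokens": True,              # exact version string in the Server header
    "directory_listing": True,          # unprotected directories are browsable
    "admin_user": "admin",
    "admin_password": "admin",          # manufacturer default never changed
    "enabled_modules": ["app", "status_page", "sample_app"],
    "tls_min_version": "1.0",
    "cookie_secure": False,
    "cookie_httponly": False,
}

HARDENED_CONFIG = {
    "debug": False,
    "server_tokens": False,
    "directory_listing": False,
    "admin_user": "ops-admin",
    "admin_password": "loaded-from-secret-store",
    "enabled_modules": ["app"],
    "tls_min_version": "1.2",
    "cookie_secure": True,
    "cookie_httponly": True,
}


def tls_version(value):
    """'1.2' -> (1, 2); anything unparsable counts as the weakest possible setting."""
    try:
        return tuple(int(part) for part in str(value).split("."))
    except ValueError:
        return (0,)


def audit_config(cfg):
    """Return a sorted list of findings; an empty list means the checked settings are hardened."""
    findings = []
    if cfg.get("debug"):
        findings.append("debug: stack traces and internals are shown to users")
    if cfg.get("server_tokens"):
        findings.append("server_tokens: exact server version is advertised")
    if cfg.get("directory_listing"):
        findings.append("directory_listing: directory contents are browsable")
    if (cfg.get("admin_user"), cfg.get("admin_password")) in DEFAULT_CREDENTIALS:
        findings.append("admin account still uses a default username/password")
    for module in sorted(set(cfg.get("enabled_modules", [])) & UNNEEDED_MODULES):
        findings.append(f"unnecessary module enabled: {module}")
    if tls_version(cfg.get("tls_min_version")) < (1, 2):
        findings.append("tls_min_version: below TLS 1.2")
    if not (cfg.get("cookie_secure") and cfg.get("cookie_httponly")):
        findings.append("session cookie: Secure and HttpOnly flags not both set")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or 'no findings'}")
```

Note that missing keys are treated as findings too (no `tls_min_version` counts as too low, no cookie flags count as unset); an audit that assumes a safe default for anything it cannot see is how misconfigurations slip through.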
7. Cross site scripting (XSS)
Cross site scripting occurs when a website includes untrusted data in a page without proper validation or escaping, so that an attacker's script runs in other users' browsers. Malicious code can be used for all sorts of malicious tasks: stealing users' cookies so that someone can use the website pretending to be that user, redirecting to a phishing page, forcing a user to perform an action, or modifying the page so that it looks or behaves differently. Sometimes the payload is obvious at the end of a URL, but techniques for hiding it also exist, and in stored XSS the payload sits in a database or file storage and is served to every visitor of the page.
Input validation is necessary wherever the website takes something from the user, such as a parameter from a URL or data from a text post. An obvious way to mitigate this attack is to limit the allowable input, for example with a list of restricted characters that prevents the user from entering scripting characters like < > or quotes. This only works if you include every potentially dangerous character, and it is difficult to come up with everything, so another technique must be added for additional security: apply context-sensitive output encoding, escaping untrusted data from the HTTP request according to where it lands (HTML body, attribute, JavaScript string or URL).
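The following added example (not from the original article) shows why the blocklist alone is not enough. Two constructed payloads, neither of which contains `<` or `>`, pass the filter and still break out of an attribute and of a JavaScript string; the hardened renderer encodes each insertion point for its own context. Python is used here only to generate the HTML; the encoders are the standard library's `html.escape` and `json.dumps`.

```python
import html
import json
import re

# Constructed payloads. Neither needs '<' or '>' to work.
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'   # breaks out of a quoted attribute
JS_PAYLOAD = '"; alert(1); //'                                  # breaks out of a JS string literal


def strip_angle_brackets(value):
    """The blocklist approach from the text: drop < and > and hope nothing else is dangerous."""
    return re.sub(r"[<>]", "", value)


def render_vulnerable(name, site):
    """The same untrusted values reach three contexts, protected only by the blocklist."""
    n, s = strip_angle_brackets(name), strip_angle_brackets(site)
    return (f"<p>Hello {n}</p>\n"
            f'<input value="{n}">\n'
            f'<script>var site = "{s}";</script>')


def encode_html(value):
    """HTML body and quoted-attribute context: & < > and both quote characters become entities."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """JavaScript string-literal context: JSON-escape the string, then escape < > & as well,
    so that a value such as </script> cannot close the surrounding script block."""
    quoted = json.dumps(value)[1:-1]                 # strip the surrounding quotes
    return quoted.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_safe(name, site):
    """Each insertion point uses the encoder for its own context."""
    return (f"<p>Hello {encode_html(name)}</p>\n"
            f'<input value="{encode_html(name)}">\n'
            f'<script>var site = "{encode_js_string(site)}";</script>')


if __name__ == "__main__":
    print("--- blocklist only ---")
    print(render_vulnerable(ATTR_PAYLOAD, JS_PAYLOAD))
    print("--- context-sensitive encoding ---")
    print(render_safe(ATTR_PAYLOAD, JS_PAYLOAD))
```

The attribute encoder only works because the attribute is quoted in the template; an unquoted `value=...` would need a far more aggressive encoding, which is why a template engine that auto-escapes by context is preferable to hand-written encoders.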
8. Insecure Deserialization
Serialization is a way to store an object or structure as text or bytes that can easily be stored and transmitted. An example is a game that keeps its state locally as an object. When a game is finished, the state is sent to the server that logs all the high scores. It is not possible to send the object directly, which is why it is serialized; the server receives the data from the client, but to do anything with it the server has to reverse the serialization process, which is deserialization.
Developers know to sanitize normal user input because it can contain anything, but because serialized data is handled as an object, this is often forgotten. In the game example, when you finish playing and submit your high score, a serialized object of the game state is included in the URL. An attacker can insert a payload into that URL; the server deserializes the object and makes it part of a query, which can result in showing everybody's scores instead of just yours, or worse, since a crafted object can make the deserializer run attacker-chosen code.
Some tools can discover deserialization flaws, but human assistance is frequently needed to validate the problem. This flaw can also lead to remote code execution. Countermeasures: do not accept serialized objects from untrusted sources, or use a data-only format such as JSON; implement integrity checks such as digital signatures on any serialized objects so that tampering is detected before deserialization; log deserialization exceptions and failures, such as when the incoming type is not the expected type or deserialization throws; restrict or monitor incoming and outgoing network connectivity from containers or servers that deserialize; and alert if a user deserializes constantly.
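The added Python example below (not from the original article) shows both halves of the game-state scenario. On the vulnerable side the server unpickles whatever the client sends, and a constructed gadget object runs code during `pickle.loads` before any score is even looked at (the payload only sets an environment variable; a real one would spawn a shell). On the hardened side the state travels as JSON with an HMAC tag, the tag is verified before the payload is parsed, and the parsed shape is type-checked. The key is a constructed demo value, and the design assumes the server issued the state in the first place (for example when the match started), since a signature can only vouch for data the signer created.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import pickle

# Constructed demo key; a real deployment loads it from a secret store and rotates it.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MARKER = "DESERIALIZATION_DEMO"


class MaliciousState:
    """A pickle gadget: __reduce__ tells the unpickler to call exec() on attacker code."""

    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = 'code ran inside pickle.loads'",))


def make_honest_blob(player, score):
    return base64.b64encode(pickle.dumps({"player": player, "score": score})).decode()


def make_malicious_blob():
    return base64.b64encode(pickle.dumps(MaliciousState())).decode()


def gadget_fired():
    """Side-effect probe: what the gadget wrote, or None if it never ran."""
    return os.environ.get(MARKER)


def submit_score_vulnerable(blob):
    """Deserializes whatever the client sent; code in the blob runs before any check."""
    state = pickle.loads(base64.b64decode(blob))
    return state.get("score") if isinstance(state, dict) else None


def issue_state_token(state, key=SERVER_KEY):
    """Hardened design: the server issues the state as JSON plus an HMAC-SHA256 tag."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_state_token(token, key=SERVER_KEY):
    """Return the state dict, or None when the tag or the shape is wrong (log both cases)."""
    try:
        b64, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                     # integrity check failed: the payload is never parsed
    try:
        data = json.loads(payload)      # JSON yields only dicts, lists and scalars, never objects
    except ValueError:
        return None
    if not (isinstance(data, dict) and isinstance(data.get("player"), str)
            and type(data.get("score")) is int):
        return None                     # the incoming type is not the expected type
    return data


def forge_token(token, new_score):
    """What an attacker tries: rewrite the score and keep the old tag."""
    b64, tag = token.split(".", 1)
    data = json.loads(base64.urlsafe_b64decode(b64))
    data["score"] = new_score
    payload = json.dumps(data, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


if __name__ == "__main__":
    submit_score_vulnerable(make_malicious_blob())
    print("gadget fired:", gadget_fired())
    token = issue_state_token({"player": "alice", "score": 42})
    print("genuine token ->", verify_state_token(token))
    print("forged token  ->", verify_state_token(forge_token(token, 999999)))
```

Every `None` returned by `verify_state_token` is a deserialization failure worth logging with the source address, which is what makes the "alert if a user deserializes constantly" advice actionable.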
9. Using components with known vulnerabilities
A vulnerable component is a framework, library, application or any other piece of software with a known flaw that can be identified and exploited. A third-party component is any part of the web application developed outside your organization. Consider components as either binary or source code distributed to you from outside your company; they can be open source and publicly accessible, or commercial and available only to paying customers. Developers find and use libraries from a variety of places, and nearly every web application on the planet uses open source components on the server side or the client side.
Some companies have a very open policy on selecting components and allow developers to use their discretion during development; other organizations restrict the use of outside components to those approved by a formal internal process.
You are likely vulnerable if you do not know the versions of all the components you use, client side and server side, including the operating system, database, APIs and every nested dependency, or if that software is vulnerable, unsupported or out of date.
- It is the architect's responsibility to design a secure base model with sound design patterns that match the business requirements
- It is the developer's job to write the code securely and test it effectively
- Maintain a secured network and firewall, and monitor them
- Conduct security audits often to stay ahead of attacks
- Keep all components up to date and follow the security bulletins of the ones you depend on
- Obtain components only from official sources
- Remove unused features, unnecessary dependencies and files
10. Insufficient logging and monitoring
Logging and monitoring are crucial to the security of any organization. If you do not log events and do not monitor the state of your network and applications, you have no way of knowing whether your systems and users are behaving as expected and not breaking policy, whether users are deliberately trying to bypass the configured security policies and technologies, or whether an intruder is trying to take over the network and leak sensitive data.
For example, users may try to get more access to the internet than they are allowed, or their systems may be infected without them knowing it, with malicious code on the system trying to leak information out of the company to an attacker on the internet. Monitoring also means that the more devices you collect logs from, the more data your logging system has to process and interpret, far more than a human being can handle. In a large network with many users, many devices and a lot of traffic back and forth, no human can gather and correlate all of those logs and understand what happened; the work has to be centralized and automated.
- Ensure that logs are generated in a format that a centralized log management solution can easily ingest and interpret
- Establish an incident response and recovery plan, and keep backups
- Establish regular security auditing
- Establish effective monitoring and alerting so that suspicious activity is detected and acted upon in a timely manner
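As an added example (not from the original article) of the kind of correlation a human cannot do by hand, the Python snippet below runs a sliding-window detector over a constructed sample of authentication log lines: it raises an alert when one source address accumulates five failures within a minute, and a second, higher-priority alert when that same source then logs in successfully. The log format, addresses and usernames are constructed for the demonstration; a malformed line is included to show the parser discarding what it does not understand instead of crashing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an application's authentication log (not from any real system).
# One source walks through five usernames in five seconds and then succeeds; a second
# source fails five times but spread over six minutes; the last line is malformed.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth result=fail user=alice src=203.0.113.7
2024-03-01T10:00:02Z auth result=fail user=bob src=203.0.113.7
2024-03-01T10:00:03Z auth result=fail user=carol src=203.0.113.7
2024-03-01T10:00:04Z auth result=fail user=dave src=203.0.113.7
2024-03-01T10:00:05Z auth result=fail user=admin src=203.0.113.7
2024-03-01T10:00:06Z auth result=success user=admin src=203.0.113.7
2024-03-01T10:00:10Z auth result=fail user=erin src=198.51.100.9
2024-03-01T10:01:30Z auth result=fail user=erin src=198.51.100.9
2024-03-01T10:03:00Z auth result=fail user=erin src=198.51.100.9
2024-03-01T10:04:30Z auth result=fail user=erin src=198.51.100.9
2024-03-01T10:06:00Z auth result=fail user=erin src=198.51.100.9
this line is garbage and must not crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Structured event from one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_auth_abuse(lines, threshold=5, window=timedelta(minutes=1)):
    """Raise a 'bruteforce' alert when one source produces `threshold` failures inside
    `window`, and a 'success_after_bruteforce' alert when that source then logs in."""
    recent = defaultdict(deque)     # src -> deque of (timestamp, user) failures in the window
    flagged = set()
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "fail":
            q = recent[src]
            q.append((ts, ev["user"]))
            while q and ts - q[0][0] > window:
                q.popleft()             # slide the window forward
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "bruteforce", "src": src, "at": ts.isoformat(),
                               "users": sorted({u for _, u in q})})
        elif ev["result"] == "success" and src in flagged:
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "at": ts.isoformat(), "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second source never trips the rule because its failures are too spread out, which is exactly the kind of slow, patient attempt a longer window or a per-account counter would be needed to catch; tuning those thresholds against your own baseline is part of the monitoring work.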