What is OWASP?

The OWASP (Open Web Application Security Project) is a nonprofit foundation that works to improve the security of software. OWASP regularly updates its list every 4 to 5 years. There are 10 most common web application vulnerabilities, which are listed in the OWASP Top 10. It was first updated in 2013 and then in 2017, and the latest release is 2021, which we are using now.

"The OWASP Foundation is the source for developers and technologists to secure the web." (OWASP)
—
1. Broken Access Control

Broken access control is a flaw in the web application which occurs due to poor implementation of access control mechanisms, and it can be easily exploited. This flaw allows attackers or unauthorised users to access content that they are not allowed to view, perform unauthorised functions, delete content, or even take over site administration.

Remediation
- Proper implementation of access control for the users.
- Delete any inactive or unnecessary accounts.
- Shut down unnecessary services and access points.
- Use multi-factor authentication at all access points.
- Disable web server directory listing.
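The following is an added example, not code from the original post: an order-lookup handler with an insecure direct object reference (the client-supplied id is trusted and ownership is never checked) beside a hardened version that denies by default and allows only the owner or an administrator. The order store, user names and the admin set are constructed for the demo.

```python
# Added example (not part of the original post): an insecure direct object
# reference in an order-lookup handler beside its hardened form. The order
# store, user names and admin set are constructed for the demo.

# Constructed data: order id -> (owner, contents)
ORDERS = {
    1001: ("alice", "laptop"),
    1002: ("bob", "phone"),
}
ADMINS = {"carol"}  # assumed administrator role


class Forbidden(Exception):
    """Raised when the caller is not permitted to perform the action."""


def get_order_insecure(current_user, order_id):
    # Vulnerable: trusts the client-supplied id and never asks who owns it,
    # so any logged-in user can read any order just by changing the id.
    return ORDERS[order_id][1]


def get_order_secure(current_user, order_id):
    # Hardened: deny by default; allow only the owner or an administrator.
    # Unknown ids get the same error as foreign ids so the check does not
    # reveal which orders exist.
    entry = ORDERS.get(order_id)
    if entry is None or (current_user != entry[0] and current_user not in ADMINS):
        raise Forbidden(f"{current_user} may not read order {order_id}")
    return entry[1]


def delete_order_secure(current_user, order_id):
    # Destructive administration is restricted to administrators regardless
    # of ownership; ordinary users cannot delete records in this demo.
    if current_user not in ADMINS:
        raise Forbidden(f"{current_user} may not delete orders")
    ORDERS.pop(order_id, None)


def can_read(current_user, order_id):
    """True when the secure handler would return the order, False otherwise."""
    try:
        get_order_secure(current_user, order_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print(get_order_insecure("bob", 1001))  # leaks alice's order
    print(can_read("bob", 1001), can_read("alice", 1001), can_read("carol", 1001))
```

The point of the hardened handler is that the authorisation decision is made on the server from the authenticated identity, not from anything the client sends; the id alone never grants access.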
2. Cryptographic Failures

This flaw was previously known as Sensitive Data Exposure. It arises when web applications send data in plain text, use outdated and insecure cryptographic algorithms, use weak crypto keys, and so on; such weaknesses are called cryptographic failures.

General idea

This security threat occurs when web applications do not adequately protect sensitive information like credit card numbers, passwords, banking information, social security numbers, or any similar crucial data whose leak can be critical for the user. This flaw in web applications can cause financial loss, access to the victim's accounts, blackmail, and ultimately a decrease in trust in the brand.

Remediation
- Encrypt data while it is in transit and at rest.
- Use the most up-to-date encryption techniques.
- Turn off autocomplete on forms.
- Reduce/minimize the size of the data surface area.
- Use strong, adaptive and salted hashing functions when saving passwords.
3. Injection

An injection attack occurs when an application passes untrusted data to an interpreter, forcing it to execute unintended commands. Such data or malicious code is inserted by an attacker and can compromise data or the whole application. The most common injection attacks are SQL injection, cross-site scripting (XSS), HTML injection, command injection, CSS injection, etc.

Remediation
- Separate the commands from the data.
- Data supplied by users must be validated, filtered, or sanitized.
- Use a safe API that avoids the use of the interpreter altogether or uses parameterized queries.
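The following added example (not from the original post) shows what "separate the commands from the data" means for SQL: a lookup built by string concatenation beside the same lookup as a parameterized query, run against an in-memory SQLite table constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed demo table; not a real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # The "before": the user's input is pasted into the command text, so
    # quote characters in the input change the query's structure.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    # Parameterized: the command is fixed, the value is bound separately and
    # can only ever be compared as data.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"
    print(find_user_vulnerable(conn, probe))  # returns every row
    print(find_user_safe(conn, probe))        # returns nothing
```

The safe version also handles legitimate input containing quotes (a name like O'Neil) without error, which is a usability win on top of the security one.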
4. Insecure Design

This category of vulnerabilities is focused on the risks associated with flaws in design and architecture.

Remediation
- Establish a secure development lifecycle with AppSec professionals.
- Limit user and service resource consumption.
- Implement threat modelling for critical authentication, access control, business logic, secure design patterns and key flows.
5. Security Misconfiguration

Security misconfiguration is a flaw in web applications that generally arises due to default configurations, open ports, privileges, incorrect HTTP headers, etc.

Remediation
- Improve the security level of applications with potential flaws.
- Properly configure permissions.
- Default accounts/passwords should be disabled or changed.
- Error messages that contain sensitive information should not be displayed to users.
- The latest security features should be enabled.
- The security settings of the server, framework, libraries, or databases must be set to secure values.
- Remove unnecessary features, such as ports, services, pages, accounts, or privileges that are enabled or installed.
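Two of the remediation points above (incorrect HTTP headers, and error messages that leak sensitive information) can be checked mechanically. The following added example, not code from the original post, audits a response header set against a constructed baseline, produces a hardened set, and renders an error for the client that keeps the detail in the server log. The header values are assumed defaults, not a standard.

```python
import uuid

# Constructed baseline of headers a hardened deployment is expected to send.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
}
# Headers that disclose software and version information to every client.
DISCLOSING_HEADERS = ("Server", "X-Powered-By")


def audit_headers(headers):
    """Return a list of findings for a response header dict (case-insensitive)."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in REQUIRED_HEADERS:
        if name.lower() not in present:
            findings.append(f"missing {name}")
    for name in DISCLOSING_HEADERS:
        if name.lower() in present:
            findings.append(f"version disclosure via {name}: {present[name.lower()]}")
    return findings


def harden_headers(headers):
    """Strip disclosing headers and add the baseline for any header that is missing."""
    drop = {n.lower() for n in DISCLOSING_HEADERS}
    hardened = {k: v for k, v in headers.items() if k.lower() not in drop}
    present = {k.lower() for k in hardened}
    for name, value in REQUIRED_HEADERS.items():
        if name.lower() not in present:
            hardened[name] = value
    return hardened


def render_error(exc, debug=False):
    """Return (client_body, server_log_line). The client sees a generic message
    plus a correlation id; the exception detail stays in the server log."""
    ref = uuid.uuid4().hex[:12]
    server_log = f"[{ref}] {type(exc).__name__}: {exc}"
    client_body = f"Something went wrong (reference {ref})."
    if debug:  # only acceptable in a development environment
        client_body = server_log
    return client_body, server_log


if __name__ == "__main__":
    weak = {"Server": "Apache/2.4.1", "Content-Type": "text/html"}  # constructed
    print(audit_headers(weak))
    print(harden_headers(weak))
    print(render_error(ValueError("connection string contains credentials"))[0])
```

The correlation id is what lets support staff find the full log entry without the user ever seeing a stack trace or configuration detail.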
6. Vulnerable and Outdated Components

This category was previously known as Using Components with Known Vulnerabilities. Component vulnerabilities arise when software is vulnerable, unsupported or out of date, or when the platform, framework and dependencies are not upgraded when patches come out.

Remediation
- Be aware of the versions of client-side and server-side components used.
- Perform vulnerability assessments to reduce attacks.
- Upgrade the platform, framework, and other dependencies.
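Knowing which versions are in use is the first remediation step, and it is cheap to automate. The following added example (not from the original post) parses a pip-freeze style inventory and flags pinned components that sit below the first fixed version in an advisory table. Both the inventory and the advisory table are constructed placeholders, not real packages or advisories.

```python
# Constructed advisory table: package -> first version that contains the fix.
# Placeholder names and versions, not real advisories.
ADVISORIES = {
    "examplelib": (1, 4, 2),
    "otherlib": (3, 0, 0),
}


def parse_version(text):
    """Turn '1.4.1' into (1, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_freeze(text):
    """Parse pip-freeze style 'name==version' lines into {name: version}."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if sep:
            deps[name.strip().lower()] = version.strip()
    return deps


def outdated_components(freeze_text, advisories=ADVISORIES):
    """Return [(name, installed, first_fixed)] for components below the fix version."""
    findings = []
    for name, version in parse_freeze(freeze_text).items():
        fixed = advisories.get(name)
        if fixed is not None and parse_version(version) < fixed:
            findings.append((name, version, ".".join(str(n) for n in fixed)))
    return findings


# Constructed inventory for the demo
SAMPLE_FREEZE = """
# constructed sample in pip freeze format
examplelib==1.4.1
otherlib==3.2.0
unrelated==0.9
"""

if __name__ == "__main__":
    for name, installed, fixed in outdated_components(SAMPLE_FREEZE):
        print(f"{name} {installed} is below first fixed version {fixed}")
```

Comparing versions as tuples of integers matters: as strings, "1.10.0" sorts before "1.9.9" and a vulnerable build would be reported as current.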
7. Identification and Authentication Failures

This vulnerability exists when a web application does not properly handle functions related to identification and authentication, like session management, password recovery, and the handling of other login credentials. Because of this, attackers are able to compromise passwords, security keys, or session tokens, or assume the identities and permissions of other users.

Remediation
- Implement multi-factor authentication (2FA).
- Do not deploy with default credentials, especially for users with admin privileges.
- Enforce strong passwords.
- Carefully monitor failed login attempts.
- Use a secure session manager that generates random, time-limited session IDs.
- Never include session IDs in URLs.
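The last three remediation points are shown together in the following added example (not code from the original post): a session manager that issues random, time-limited IDs delivered in a cookie rather than a URL, and a small guard that counts failed logins. The lifetime and lockout threshold are assumed values for the demo, and the clock is injectable so expiry can be exercised without waiting.

```python
import secrets
import time

SESSION_TTL = 15 * 60   # assumed idle lifetime in seconds
MAX_FAILED = 5          # assumed lockout threshold


class SessionManager:
    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable for testing
        self.sessions = {}          # session id -> (user, expiry)

    def create(self, user):
        # 32 bytes from the OS CSPRNG: unguessable, never derived from user data.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, self.clock() + self.ttl)
        return sid

    def resolve(self, sid):
        """Return the user for a live session id, or None if unknown or expired."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, expiry = entry
        if self.clock() > expiry:
            del self.sessions[sid]  # expired ids are dropped, not extended
            return None
        return user

    def cookie_header(self, sid):
        # The id travels in a cookie, never in the URL, where it would land in
        # logs, referrers and browser history.
        return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


class LoginGuard:
    """Counts failed attempts per account so repeated failures can be acted on."""

    def __init__(self, limit=MAX_FAILED):
        self.limit = limit
        self.failures = {}

    def record_failure(self, user):
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.failures[user]

    def is_locked(self, user):
        return self.failures.get(user, 0) >= self.limit

    def reset(self, user):
        # Call after a successful login so the counter reflects current activity.
        self.failures.pop(user, None)


if __name__ == "__main__":
    sm = SessionManager()
    sid = sm.create("alice")
    print(sm.cookie_header(sid))
    print(sm.resolve(sid))
```

In a real deployment the failure counter would also feed the monitoring described under Security Logging and Monitoring Failures; here it simply answers whether an account has crossed the threshold.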
8. Software and Data Integrity Failures

This is a new category in the OWASP list that relates to vulnerabilities in software updates, critical data, and CI/CD pipelines whose integrity is not verified. Code and infrastructure that do not guard against integrity violations are referred to as software and data integrity failures. For example, an application that relies on plugins, libraries, or modules from unverified and untrusted sources, repositories, or content delivery networks (CDNs) may be exposed to this type of failure.

Remediation
- Use digital signatures or other similar measures.
- To protect the integrity of the code going through the build and deploy processes, make sure your CI/CD pipeline includes adequate segregation, configuration, and access control.
- Verify that unsigned or unencrypted serialised data is not delivered to untrustworthy clients without an integrity check or digital signature to detect alteration or replay.
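The third remediation point asks for an integrity check that detects both alteration and replay. The following added example (not code from the original post) uses an HMAC tag, one of the "similar measures" to a digital signature, over serialised data that carries a timestamp and a nonce; the verifier rejects tampered, stale and repeated messages. The key is a constructed placeholder and the freshness window is an assumed value.

```python
import hashlib
import hmac
import json
import secrets
import time

KEY = b"constructed-demo-key"  # placeholder; load from a secrets store in practice


def sign_payload(payload, key=KEY, now=None, nonce=None):
    """Serialise payload with a timestamp and nonce, then append an HMAC tag."""
    body = dict(payload)
    body["ts"] = int(time.time()) if now is None else now
    body["nonce"] = secrets.token_hex(8) if nonce is None else nonce
    # Canonical JSON (sorted keys, no whitespace) so the tag is deterministic.
    message = json.dumps(body, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, message.encode(), hashlib.sha256).hexdigest()
    return f"{message}.{tag}"


class IntegrityVerifier:
    def __init__(self, key=KEY, max_age=300, clock=time.time):
        self.key = key
        self.max_age = max_age      # assumed freshness window in seconds
        self.clock = clock          # injectable for testing
        self.seen_nonces = set()    # replay cache; bound it by max_age in production

    def verify(self, blob):
        """Return the payload if the blob is authentic, fresh and unseen; else None."""
        message, sep, tag = blob.rpartition(".")  # the hex tag contains no '.'
        if not sep:
            return None
        expected = hmac.new(self.key, message.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                          # altered or forged
        body = json.loads(message)
        if self.clock() - body["ts"] > self.max_age:
            return None                          # stale
        if body["nonce"] in self.seen_nonces:
            return None                          # replayed
        self.seen_nonces.add(body["nonce"])
        return body


if __name__ == "__main__":
    blob = sign_payload({"update": "1.2.3"})
    verifier = IntegrityVerifier()
    print(verifier.verify(blob))   # accepted once
    print(verifier.verify(blob))   # None: replay
```

The tag is checked before the JSON is parsed, so a message that fails verification never reaches the deserialiser. With an asymmetric signature in place of the HMAC, the same structure lets clients verify updates without holding the signing key.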
9. Security Logging and Monitoring Failures

It is one of the important vulnerabilities in the OWASP Top 10 and was previously known as Insufficient Logging and Monitoring. This flaw arises when organizations do not have proper logging and monitoring tools to ensure all events are logged and to detect suspicious activities and unauthorized access attempts. All alerts should be properly managed by security professionals.

Remediation
- Log all login, access control, and server-side input validation failures.
- Logs must be in an easily readable format.
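The following added example (not from the original post) shows both remediation points in practice: a helper that writes one JSON line per event without ever recording credentials, and a detection routine that reads those lines back and flags a source address with repeated login failures inside a time window. The log lines, addresses and threshold are constructed for the demo.

```python
import json
from collections import defaultdict

SENSITIVE_FIELDS = {"password", "token", "secret"}


def log_event(event, **fields):
    """Produce one machine-readable JSON log line; secrets are never written."""
    record = {"event": event}
    for key, value in fields.items():
        record[key] = "[redacted]" if key in SENSITIVE_FIELDS else value
    return json.dumps(record, sort_keys=True)


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_bruteforce(events, threshold=5, window=60):
    """Return {ip: count} for addresses with >= threshold login failures within window seconds."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("event") == "login_failure":
            by_ip[ev["ip"]].append(ev["ts"])
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


# Constructed sample log: five failures from one address inside a minute,
# one unrelated failure, and the other failure types the remediation asks for.
SAMPLE_LOG = "\n".join([
    log_event("login_failure", ts=1700000000 + 10 * i, user="alice",
              ip="203.0.113.5", password="guess")
    for i in range(5)
] + [
    log_event("login_failure", ts=1700000005, user="bob", ip="198.51.100.7"),
    log_event("access_control_failure", ts=1700000050, user="bob",
              ip="198.51.100.7", resource="/orders/1001"),
    log_event("input_validation_failure", ts=1700000055, ip="198.51.100.7",
              field="email"),
])

if __name__ == "__main__":
    print(SAMPLE_LOG)
    print(detect_bruteforce(parse_log(SAMPLE_LOG)))
```

Structured one-line JSON is what makes the second remediation point ("easily readable format") useful in practice: both humans and a SIEM can read it without a bespoke parser.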
10. Server-Side Request Forgery (SSRF)

Server-side request forgery issues arise when a web application does not validate the user-supplied URL when fetching a remote resource. Put another way, SSRF is a web security flaw that allows an attacker to force a server-side application to send HTTP requests to any domain the attacker chooses.

Remediation
- Implement input validation.
- Use Regular Expressions (RegEx).
- Only accept the intended IP address format (IPv4 or IPv6).
- Validate incoming domain names.
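The following added example (not code from the original post) turns the remediation list into a single URL validator for a server-side fetch: it accepts only http(s), rejects credentials embedded in the URL, parses IPv4 and IPv6 literals with the standard library and refuses non-public ranges, and checks domain names against an allowlist. The allowlist is a constructed placeholder.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist of the hosts this service is meant to fetch from.
ALLOWED_HOSTS = {"images.example.com", "api.example.com"}


def is_public_address(ip):
    """Reject loopback, private, link-local and other non-routable ranges."""
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def validate_fetch_url(url):
    """True only for http(s) URLs to an allowlisted host or a public IP literal."""
    try:
        parts = urlsplit(url)
    except ValueError:           # malformed IPv6 brackets and similar
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:   # user@host forms are refused outright
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)      # handles both IPv4 and IPv6 literals
    except ValueError:
        return host.lower() in ALLOWED_HOSTS  # a domain name: allowlist only
    return is_public_address(ip)


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/items", "http://127.0.0.1/",
                      "http://[::1]/", "http://10.0.0.5/", "http://other.example.org/"):
        print(candidate, validate_fetch_url(candidate))
```

This check runs on the string the user supplied. A complete defence also resolves the allowlisted name and re-checks the resulting address at connection time, and applies the same validation to any redirect the fetch follows; that part needs network access and is left out of this offline example.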
—
I have collected the above information from multiple articles and written this post based on my understanding. For more study on OWASP Top 10, please refer to the original post.

Support me: If you would like to support me, buy me a cup of coffee ☕
Follow me: @0xKayala | Satya Prakash