OWASP TOP 10 Explained
Hello World!
Through this write-up, I’ll try to educate you about OWASP and the OWASP top 10 Vulnerabilities for Web Applications.
What is OWASP?
OWASP stands for Open Web Application Security Project.
What does OWASP do?
The Internet has connected almost everything to the online world. From making a call to sending messages, making payments, sharing stories, making groups, creating a thread on any topic, and having opinions from various people across the globe and what not! The Internet has made the world a very small place it seems!
Now, when you’re spending so much of your time on the internet, it's obvious that your data goes online wherever you sign up. Being a citizen of the modern world, every person who is connected to the internet must know that their data is their ultimate strength and weakness. If in the wrong hands, your data can be used in a way that you cannot even imagine in the wildest of your dreams! Moreover, the recent data breaches and cyber-attacks are a perfect example of how much value your data is!
That’s where organizations like OWASP come into the picture!
OWASP does the work of making the internet a safer place by building open source community-driven projects, conducting hundreds of cybersecurity conferences worldwide under their hundreds of chapters and thousands of members from different parts of the world.
What is OWASP TOP 10?
Over the years of its establishment, the OWASP Foundation has found out the 10 most common vulnerabilities that exist in the web applications present on the internet. The OWASP Top 10 Vulnerabilities are as follows:
A1: INJECTION
Of all the bugs known, the Injection category surely tops the list. This includes bugs like SQL Injection, NOSQL Injection, LDAP Injection, OS Command Injection, and similar bugs.
Injection type of bugs take advantage of the fact that sometimes untrusted input is accepted by a web application and the data is sent over to the server in the form of a command or query and the server returns sensitive information.
Just imagine there’s an input field where you are supposed to search for an item from the website and you enter any Linux OS command such as cat /etc/passwd and the command is not validated and directly sent to the server for processing. You’ll be able to see the list of users! Well, another example is submitting an SQL query that can return user credentials and even credit card information! That’s how Injection type bugs work.
A2: Broken Authentication and Session Management
Authentication functionality in any web application verifies the genuineness of a user. How about someone verifying your genuineness on your behalf? Are you going to like that? Of course not! The Broken Authentication category includes bugs such as Session related bugs, Authentication bypass, etc.
If such issues exist, it is a serious privacy concern for user data security! Also, sessions not invalidated after password reset or logout, etc can lead to compromising data. This is how Broken Authentication and session management work.
A3: Sensitive Data Exposure
What would happen if the file containing usernames and passwords is made publicly available on the website? What would happen if API keys are leaked in JS files or Exif geolocation data is not removed from images? All these are sensitive information about either a person or a website. Sensitive data exposure includes vulnerabilities such as Disclosure of secrets, token leakage via referrer, sensitive token in URL, etc
A4: XML-External Entities (XXE)
XML is often used for storing and transmission of data. XXE occurs when certain sensitive functions which can be abused to an attacker’s advantage are left enabled in XML parsers. This results in the parser accepting malicious input and processing it and returning sensitive information. It’s a very rare vulnerability nowadays.
A5: Broken Access Controls
There must be some secrets in your life which you would not want anyone to know and it must be only limited to you. Similarly, there are certain resources of the website which should only be accessed by the admin or the owner of that website. When we talk about Broken Access control bugs, we’re talking about permissions, privilege, etc. The permissions for sensitive data access must be properly defined, also the user roles must be properly defined as well. If not done so, a low privileged user would be able to access sensitive information. This category includes bugs like SSRF, User Enumeration,
IDOR, etc.
A6: Security Misconfiguration
Security Misconfigurations are the most common bugs found on web apps. This category includes missing HTTP headers, default credentials, Email spoofing bugs, OAuth misconfiguration, etc. These bugs can range from low severity to high severity as well. Also if a CMS or framework is used, it should be regularly patched.
A7: Cross-Site Scripting
Commonly known as XSS, Cross-Site Scripting Occurs when the user can inject malicious Javascript code into the input fields and the input is not validated properly. Sometimes, the same malicious script is stored on the server-side as well, which can affect the whole website. XSS is of 3 types. Reflected, Stored, and DOM-based.
A8: Insecure Deserialization
Serialization is the process of converting data objects into a serial format so that they can be stored on the server-side. Whereas deserialization is converting the serial format of data back to the data object form. An insecure deserialization bug occurs when the deserialization function trusts malicious input and processes it. This can lead to attacks such as Remote code execution, Denial of Service, Privilege escalation, etc.
A9: Using Components with known vulnerabilities
This category includes the CVE’s, and libraries, plugins, and frameworks that have vulnerabilities discovered within them already. If such components are used in a web app, they can be easily exploited and abused to one’s advantage.
Eg. Using an older version of WordPress CMS can lead to user enumeration. Using older versions of struts can lead to Apache struts RCE.
A10: Insufficient Logging and Monitoring
Proper monitoring and logging can help to evade a lot of serious threats to a system. Suppose an attacker is performing a brute force attack, if monitored properly, the attacker’s IP address can be blocked or the account can be locked thus preventing the system from getting compromised. Therefore strict logging and monitoring must be implemented to ensure the safety of systems as prevention is better than cure.
To conclude, we can say that majority of the issues arise when arbitrary input is trusted so every website should implement systems where no input is trusted, input is properly validated and encoded to avoid attacks.
LinkedIn: Bhavak Kotak
Instagram: bhavak_29
:NOTE:
All the images belong to their respective owners.
Your valuable comments and suggestions are always welcome...
Comments
Post a Comment