OWASP Top 10 Vulnerabilities

The OWASP Top 10 Web Application vulnerabilities is to provide guidance to developers and security professionals about the most critical vulnerabilities that are commonly found in web applications, which can be easily exploited by attackers. OWASP listed these vulnerabilities by selecting and prioritized them according to there impact and detect-ability. These vulnerabilities are submitted by more than 40 firms that is specialize in application security and an industry survey that was completed by over 500 individual professionals.

 

 

WHAT IS NEW IN OWASP-2017 ?

when we compare the vulnerabilities of year 2013 & 2017, we found two new vulnerabilities that are.

1. Insecure Deserialization

2. Insufficient Logging & Monitoring

And Insecure Direct Object References [2013] is merged with Missing Function Level Access Control [2013] and named as Broken Access Control [2017].

 

1. INJECTION

Injection is on top in both 2013 & 17, It occurs when untrusted data is sent to an interpreter as part of a command or query.Types can be found as SQL, NoSQL, OS, and LDAP injection.Any source of data can be play a role of injection vector like environment variables, input parameters, external and internal web services.

Attackers can took advantage of this vulnerability if user-supplied data is not validated, filtered, sanitized by the developers.

 

2. BROKEN AUTHENTICATION

Weak implementation of authentication, session management mechanism, and when restrictions are not applied properly on authenticated users.Using default,weak, guessable credentials, storing password in plain text or without strong encryption can lead to bypass authentication by attackers. Improper key, tokens creation as well as destroying mechanism, implementation of weak or ineffective credential recovery and forgot-password processes can led to Broken Authentication.

 

 

3. SENSITIVE DATA EXPOSURE

When data is not handled with proper security at both states in rest and when in transit. Attackers can took advantage to steal,and can modify it according to him. Communication over insecure channels (HTTP), storing data in plain text , weak implementation of encryption algorithms, and sharing information over public WiFi can expose sensitive data. Exploring data can lead to severe crimes like  identity theft, Financial frauds and many more.

 

 

4. XML EXTERNAL ENTITIES (XXE)

When applications use the XML format to transmit data between the browser and the server, It can allow an attacker to view files on the application server file system, and to interact with any backend or external systems that the application itself can access.XML external entity injection vulnerability allows an attacker to interact with an application’s processing of XML data and can be used to request local data or files, remote code execution and denial of service (DoS) attack .

 

 

5. BROKEN ACCESS CONTROL

Improper enforcement of what authenticated users are allowed to do like when user can perform task above its privileges.For example a user is logged in with his or any account and able to gain access to administrator account,now he can perform tasks like access other accounts, modify or delete other users data,accounts,view sensitive information and can also change other access rights.It is recommend to use of an access control matrix to define the access control rules to prevent Broken Access Control .

 

 

6. SECURITY MISCONFIGURATION

Security Misconfiguration is found generally when an application security system managed poorly or using  insecure default credentials, incomplete configuration, misconfigured HTTP headers, displaying error message containing sensitive information like path of directories, not updating and upgrading of OS, frameworks, libraries can give advantage to attacker.And unauthorized access to files, directories should be restricted. unnecessary ports, services and pages should be disabled.

 

 

7. CROSS-SITE SCRIPTING (XSS)

When an attacker able to  execute malicious script in victim’s browser,any source of data can play a role of injection vector like environment variables,  input parameters. XSS can lead to  hijack user session, steal cookies, redirect victim to websites of his choice , deface websites.And can be exploited easily if  user-supplied data is not validated, filtered, sanitized by the designers.

 

 

8. INSECURE DESERIALIZATION

Reassembling a series of bits back into a file or object is called deserialization.An attacker could provide an object that, when deserialized, gives the attacker access privileges or execute malicious code. Insecure Deserialization can lead to remote code execution, privilege escalation, various injection attack.

 

 

9. USING COMPONENTS WITH KNOWN VULNERABILITIES

Applications using vulnerable, unpatched components like frameworks, software modules, libraries. Attackers can easily exploit known vulnerabilities and it can expose sensitive data, other vulnerabilities present in the application.

Regular security checkups, using updated components can help to prevent this vulnerability.

 

10. INSUFFICIENT LOGGING & MONITORING

If we are poor at monitoring & maintaining logs  than we are allowing  attackers to work unnoticed. And if the attacker is unnoticed it can place backdoor, maintain persistence, and can also reach other systems in organization.where as Sufficient monitoring can help to detect attack at earlier stage and logs can help to improve security configurations, detect loopholes and will also helpful in forensic analysis .

 

That’s it for now, In upcoming blogs we will discuss each vulnerability in details like how these can be exploited and how we can secure our applications.

 

In case of any help or query, please contact us or raise a ticket at [email protected] .

 

 

 

Category(s) vulnerability
. . .

Comment

Add Your Comment

Be the first to comment.

css.php