Know about OWASP Top 10 Hacking Tools


Whether you defend web applications as a security analyst or follow secure SDLC practices as a developer, you have almost certainly come across the OWASP Top 10. It lists the most critical web application security flaws, as compiled by application security experts from around the world.

OWASP stands for Open Web Application Security Project. It is a not-for-profit global online community of more than ten thousand members and hundreds of chapters that produce articles, tools, documentation and technologies for web application security.


Every three to four years, OWASP publishes its list of the ten most critical web application vulnerabilities. For each vulnerability the list describes the potential impact and how to prevent it. The OWASP Top 10 promotes managing risk through an application risk management program, combined with awareness training, application testing and remediation.


The top 10 OWASP vulnerabilities in 2020 are:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfigurations
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with known vulnerabilities
  10. Insufficient logging and monitoring

1. Injection

Injection vulnerabilities occur when an attacker gets untrusted data into an interpreter as part of a query or command, as in SQL, OS command, NoSQL or LDAP injection. The data injected through the attack vector makes the application do something it was not designed to do. Not every application is exposed: only applications that accept parameters as input and pass them on to an interpreter are vulnerable to injection attacks.


How can you prevent Injection attacks?

Injection attacks can be prevented by 

  • Using parameterized queries when coding
  • Using a safe API that avoids the interpreter entirely
  • Keeping commands strictly separate from data so that input can never be executed
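The first two points side by side, as an added example that is not part of the original article: the same lookup written with string concatenation and with a parameterized query, run against a constructed in-memory SQLite table. The hostile input is constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory database standing in for an application's user table.
conn = sqlite3.connect(":memory:", check_same_thread=False)
conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "user")])


def lookup_role_vulnerable(username: str) -> list:
    """Builds the statement by string concatenation. The input becomes part
    of the command, so SQL metacharacters in it change what the query does."""
    sql = "SELECT role FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_role_safe(username: str) -> list:
    """Parameterized query: the input is bound as data by the driver and can
    never alter the structure of the statement, whatever it contains."""
    sql = "SELECT role FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


# Constructed hostile input: it closes the quoted string and appends an
# always-true condition, which turns a one-user lookup into a full dump.
HOSTILE = "nobody' OR '1'='1"

if __name__ == "__main__":
    print(lookup_role_vulnerable(HOSTILE))  # every role in the table
    print(lookup_role_safe(HOSTILE))        # no user with that literal name
```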

2. Broken Authentication

Broken authentication is the vulnerability that lets an attacker use manual or automated methods to take over any account, and in some cases the entire system. It is dangerous because websites with broken authentication are very common on the web. It occurs when an application implements authentication or session management functions incorrectly, which lets intruders compromise passwords, security keys or session tokens.


How can you prevent Broken Authentication attacks?

Broken Authentication attacks can be prevented by

  • Protecting user credentials
  • Implementing multi-factor authentication
  • Sending passwords over encrypted connections

3. Sensitive Data Exposure

Sensitive Data Exposure is a very widespread vulnerability on the OWASP list. It occurs when applications and APIs do not protect sensitive data properly. Sensitive data includes financial data, social security numbers, usernames and passwords, and health information. Attackers exploit this weakness to obtain such information and commit fraud or identity theft.


How can you prevent Sensitive Data Exposure attacks?

Sensitive Data Exposure attacks can be prevented by

  • Using strong and unique passwords
  • Using secure URLs
  • Encrypting all sensitive information that must be stored, and not storing what is not required

4. XML External Entities (XXE)

This vulnerability affects web applications that accept XML input. It occurs when a poorly configured XML processor evaluates external entity references inside the XML document, which can be used to read sensitive data from the server (for example files on its hard drive) and send it to an unauthorized external party. Many XML parsers are vulnerable to XXE in their default configuration.


How can you prevent XML External Entities (XXE) attacks?

XXE attacks can be prevented by

  • Keeping XML processors and libraries updated
  • Using SAST tools
  • Using less complex data formats such as JSON
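A hardened XML parser that refuses the features XXE depends on, as an added example that is not from the original article. It drives Python's standard library expat parser directly and rejects any DOCTYPE (where entity declarations live) and any external entity reference; the benign and hostile documents are constructed for the demonstration.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document uses the features that XXE depends on."""


def parse_untrusted_xml(document: str) -> dict:
    """Parse XML from an untrusted source with DTDs and external entity
    references refused outright; returns element text keyed by tag name."""
    parser = expat.ParserCreate()
    texts, open_tags = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Entity declarations, external ones included, can only appear
        # inside a DOCTYPE, so refusing every DOCTYPE removes the vector.
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def external_entity(context, base, sysid, pubid):
        # Defence in depth: never fetch an external entity even if reached.
        raise UnsafeXML("external entity reference refused: %r" % (sysid,))

    def start_element(tag, attrs):
        open_tags.append(tag)
        texts.setdefault(tag, "")

    def char_data(data):
        if open_tags:
            texts[open_tags[-1]] += data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda tag: open_tags.pop()
    parser.CharacterDataHandler = char_data
    parser.Parse(document, True)  # an exception in a handler aborts parsing
    return texts


def is_accepted(document: str) -> bool:
    try:
        parse_untrusted_xml(document)
        return True
    except UnsafeXML:
        return False


# Constructed inputs: a benign order, and one declaring an external entity
# that points at a file on the server, which is the pattern XXE relies on.
BENIGN = "<order><item>book</item><qty>2</qty></order>"
HOSTILE = ('<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///some/server/file">]>'
           "<order><item>&ext;</item></order>")
```

For applications that legitimately need a DTD, keep only the external entity refusal and validate the internal subset separately; refusing DOCTYPE outright is the simplest setting for untrusted input.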

5. Broken Access Controls

Broken access control occurs when the restrictions on what authenticated users are allowed to do are missing or improperly configured, which lets them reach unauthorized functionality or data, such as other users' accounts or confidential documents. Attackers exploiting this weakness often abuse session management, for example by reusing unexpired session tokens, and in this way can gain access to many valid accounts and credentials.


How can you prevent Broken Access Control attacks?

Broken Access Controls can be prevented by

  • Shutting down unnecessary services to reduce the burden on servers
  • Deleting accounts that are no longer needed or are inactive
  • Using penetration testing

6. Security Misconfiguration

Most cloud breaches are the result of human error, and security misconfiguration is the typical example. This vulnerability arises when the security controls meant to keep application data safe are implemented improperly, leaving sensitive information exposed for attackers to exploit. Developers often concentrate on the functionality of a website rather than its security, which lets attackers study the security configuration and find ways to break in. Misconfiguration also results from failing to upgrade systems, frameworks and components.


How can you prevent Security Misconfiguration attacks?

Security Misconfiguration attacks can be prevented by

  • Disabling the use of default passwords
  • Regularly reviewing cloud resources, applications and servers
  • Using dynamic application security testing (DAST)

7. Cross-Site Scripting (XSS)

A majority of web applications are vulnerable to this attack. An XSS vulnerability allows an attacker to inject malicious client-side scripts into a website and then use the application as an attack vector to steal user sessions or redirect victims to malicious websites.


How can you prevent Cross-Site Scripting attacks?

Cross-Site Scripting attacks can be prevented by

  • Filtering the input and encoding the output
  • Using a Content Security Policy (CSP)
  • Using appropriate response headers
  • Applying a zero-trust approach to user input
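Output encoding and a CSP response header together, as an added example that is not from the original article. The rendering functions show the same comment written into HTML unencoded and encoded; `security_headers` returns an assumed baseline header set (not a complete policy) whose per-response nonce means the browser only runs scripts the server intended. The hostile comment body is constructed.

```python
import html
import secrets

# Constructed hostile comment body: markup that a browser would execute if
# it were written into the page verbatim.
HOSTILE_BODY = "<script>alert(1)</script>"


def render_comment_vulnerable(author: str, body: str) -> str:
    """Interpolates untrusted strings straight into HTML, so any markup in
    them is interpreted by the browser as markup (stored or reflected XSS)."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author: str, body: str) -> str:
    """Output encoding: every character with HTML meaning is turned into an
    entity, so the browser renders the input as text, never as markup."""
    return (f"<p><b>{html.escape(author, quote=True)}</b>: "
            f"{html.escape(body, quote=True)}</p>")


def security_headers(nonce: str) -> dict:
    """Response headers that limit the damage if encoding is missed somewhere.
    Only scripts carrying this response's nonce may run, so an injected
    inline <script> is refused by the browser. This header set is an assumed
    baseline for the demonstration, not a complete hardening policy."""
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"),
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
    }


def new_nonce() -> str:
    """Fresh, unguessable nonce per response; never reuse one."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print(render_comment_vulnerable("eve", HOSTILE_BODY))
    print(render_comment_safe("eve", HOSTILE_BODY))
    for name, value in security_headers(new_nonce()).items():
        print(f"{name}: {value}")
```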

8. Insecure Deserialization

This vulnerability allows an attacker to execute code remotely in the application, tamper with or delete serialized objects, conduct injection and replay attacks, and escalate privileges. Insecure deserialization is also known as untrusted deserialization. It is a serious application security issue that affects many modern systems.


How can you prevent Insecure Deserialization attacks?

Insecure Deserialization attacks can be prevented by

  • Isolating the code that deserializes data and running it in a low-privilege environment to prevent unauthorized actions
  • Implementing digital signatures on serialized objects
  • Using penetration testing
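The signature point in practice, as an added example that is not from the original article: a serialized object carries an HMAC-SHA256 tag that is verified before any parsing happens, and the object format is data-only JSON rather than one that can instantiate arbitrary classes. The key and the forged session are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: in a real deployment it comes from a secrets store
# and is never derived from, or sent with, the request.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def serialize_signed(obj: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize to a data-only format (JSON cannot instantiate classes)
    and append an HMAC-SHA256 tag computed over the encoded payload."""
    payload = base64.urlsafe_b64encode(
        json.dumps(obj, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def deserialize_verified(token: str, key: bytes = SECRET_KEY) -> dict:
    """Verify the tag BEFORE any parsing: untrusted bytes never reach the
    deserializer unless they were produced by a holder of the key."""
    payload, sep, tag = token.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(expected, tag):  # constant time
        raise ValueError("signature check failed; refusing to deserialize")
    return json.loads(base64.urlsafe_b64decode(payload))


def forge_without_key(token: str, new_obj: dict) -> str:
    """Models a tamperer who can rewrite the object but lacks the key and so
    can only reuse the old tag (constructed for the demonstration)."""
    payload = base64.urlsafe_b64encode(
        json.dumps(new_obj, sort_keys=True).encode()).decode()
    return f"{payload}.{token.rpartition('.')[2]}"


def is_accepted(token: str) -> bool:
    try:
        deserialize_verified(token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    session = serialize_signed({"user": "alice", "role": "user"})
    print(deserialize_verified(session))
    forged = forge_without_key(session, {"user": "alice", "role": "admin"})
    print(is_accepted(forged))  # False: the rewritten object is rejected
```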

9. Using Components with known vulnerabilities

Open-source and freely available software components are easy to obtain, and if any component in an application carries a known vulnerability, the security of the entire application is affected. The problem arises because developers often do not know which open-source and third-party components are present in their applications, which makes it difficult to update those components when new vulnerabilities are found in the versions in use.

How can you prevent this attack?

These attacks can be prevented by

  • Removing all unnecessary dependencies
  • Using components only from official and verified sources
  • Using virtual patching

10. Insufficient Logging and Monitoring

The estimated time from an attack to its detection can be 200 days or more. In that time, attackers can tamper with servers, corrupt databases and steal confidential information. Insufficient logging and poorly integrated security systems allow attackers to move on to other systems and maintain a persistent presence.


How can you prevent Insufficient Logging and Monitoring attacks?

Insufficient Logging and Monitoring attacks can be prevented by

  • Establishing an effective monitoring system
  • Implementing logging and audit software
  • Thinking from the viewpoint of an attacker and using a penetration testing approach
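What "effective monitoring" means for the authentication events this section is about, as an added example that is not from the original article: two detections run over a constructed authentication log in an assumed one-line format, one flagging a source that fails against many distinct accounts and one flagging a success that follows a burst of failures from the same source.

```python
import re
from collections import Counter, defaultdict

# Constructed sample authentication log in the one-line format this example
# assumes: timestamp, event name, user and source address.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z LOGIN_FAILURE user=alice src=203.0.113.7
2024-03-01T10:00:02Z LOGIN_FAILURE user=bob src=203.0.113.7
2024-03-01T10:00:03Z LOGIN_FAILURE user=carol src=203.0.113.7
2024-03-01T10:00:04Z LOGIN_FAILURE user=dave src=203.0.113.7
2024-03-01T10:00:05Z LOGIN_FAILURE user=erin src=203.0.113.7
2024-03-01T10:00:06Z LOGIN_SUCCESS user=erin src=203.0.113.7
2024-03-01T10:01:00Z LOGIN_FAILURE user=alice src=198.51.100.4
2024-03-01T10:01:30Z LOGIN_SUCCESS user=alice src=198.51.100.4
"""

LINE = re.compile(r"^(\S+) (LOGIN_\w+) user=(\S+) src=(\S+)$")


def parse(log_text: str):
    """Yield (timestamp, event, user, src) for every well-formed line;
    malformed lines are skipped rather than crashing the monitor."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groups()


def suspicious_sources(log_text: str, max_accounts: int = 4) -> list:
    """Sources that fail against more than `max_accounts` distinct accounts,
    the signature of password spraying against many users."""
    users_per_src = defaultdict(set)
    for _, event, user, src in parse(log_text):
        if event == "LOGIN_FAILURE":
            users_per_src[src].add(user)
    return sorted(src for src, users in users_per_src.items()
                  if len(users) > max_accounts)


def success_after_failures(log_text: str, min_failures: int = 3) -> list:
    """(src, user) pairs where a success follows at least `min_failures`
    failures from the same source: the events a reviewer looks at first."""
    failures, hits = Counter(), []
    for _, event, user, src in parse(log_text):
        if event == "LOGIN_FAILURE":
            failures[src] += 1
        elif event == "LOGIN_SUCCESS" and failures[src] >= min_failures:
            hits.append((src, user))
    return hits
```

The detections only work if the application emits these events in the first place, with timestamp, outcome, account and source on every line; that is the logging half of this item.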
