OWASP Top 10
The OWASP Top 10 is a document outlining risks and remediation guidance for the most critical web application security vulnerabilities. The report ranks risks in order of their perceived severity and is based on a consensus of security experts. Its purpose is to give security professionals insight into the magnitude of potential impacts so that they can incorporate its recommendations into their security practices.
OWASP maintains the Top 10 and updates it every 2 to 4 years in step with changes in the web application landscape. Web developers use it as a key checklist when addressing compliance standards. Organizations looking to improve their security practices should integrate it into their software development lifecycle.
OWASP Official: owasp.org/www-project-top-ten/
Categories
1. Broken Access Control:
Broken access control is when an attacker is able to access user accounts or data without the appropriate permissions.
- Example: the attacker is able to view or modify an administrator's account by changing the primary key sent in an application request.
- Solution: It is critical to detect access-control failures. Changes in infrastructure may warrant new trust boundaries for data access.
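The primary-key example above, as an added illustration that is not part of the OWASP document: a record lookup that trusts the id from the request, beside one that enforces object-level authorization. The account table, user names and roles are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Account:
    id: int
    owner: str  # username that owns the record
    role: str   # "user" or "admin"
    email: str

# Constructed sample table: primary key -> Account
ACCOUNTS = {
    1: Account(1, "alice", "admin", "alice@example.test"),
    2: Account(2, "bob", "user", "bob@example.test"),
}

def get_account_vulnerable(current_user: str, account_id: int) -> Account:
    # Trusts the id straight from the request: bob can pass id=1 and read
    # the administrator's record (an insecure direct object reference).
    return ACCOUNTS[account_id]

def get_account_fixed(current_user: str, account_id: int) -> Account:
    # Object-level authorization, deny by default: the record must belong
    # to the caller, or the caller must hold the admin role.
    caller = next((a for a in ACCOUNTS.values() if a.owner == current_user), None)
    account = ACCOUNTS.get(account_id)
    # "Not found" and "not yours" get the same error so the response
    # does not reveal which ids exist.
    if caller is None or account is None:
        raise PermissionError("access denied")
    if account.owner != current_user and caller.role != "admin":
        raise PermissionError("access denied")
    return account
```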
2. Cryptographic Failures:
Sensitive data exposed through cryptographic failures can lead to system compromise.
- Example: Information transmitted over improperly implemented or deprecated protocols such as plain HTTP, DES/3DES or obsolete TLS versions. Sensitive data stored in cleartext.
- Remediation: Verify that no internal traffic, at any endpoint, is transmitted in cleartext, including traffic between load balancers, web servers and back-end systems. Encryption must be enforced using non-default keys.
3. Injection:
Injection occurs when an attacker supplies untrusted data that the application interprets as code or as part of a query, making it do something unintended.
- Example: injection traditionally happens when you ask a user for input such as a username or password and, instead of a name or id, the user supplies an SQL statement that is unknowingly run against the database. This can lead to data exposure and remote code execution (RCE).
- Remediation: Validate and sanitize all user input so that nothing unexpected makes its way through. Code-review all SELECT statements to identify and mitigate problems before production deployment.
4. Insecure Design:
Insecure design is a broad category covering different weaknesses that stem from "missing or ineffective control design".
- Example: E-commerce sites that have no preventative measures against bot accounts.
- Remediation: Threat model the entire system to assess authentication, access control and business logic. Limit resource consumption per user. Evaluate security and privacy-related controls.
5. Security Misconfiguration:
Shortcomings in how a system is initially configured can increase its vulnerability.
- Example: default passwords are left in place, or accounts with empty passwords are left enabled.
- Remediation: Tools such as Covertly include a checker that identifies such exposures and reports them as errors.
6. Vulnerable and outdated components:
Applications and services that are no longer supported need to be removed or replaced. This includes unpatched components and libraries.
- Example: Older operating systems installed for legacy reasons often do not have the latest security patches available after installation.
- Remediation: Research the software and services used in your infrastructure to assess whether there are any Common Vulnerabilities and Exposures (CVEs) for the version running in production. Verify that components are obtained from official sources over secure links.
7. Identifcation and Authentication failures:
Functions related to authentication and session management can be implemented incorrectly. This can allow attackers to compromise passwords, keys or session tokens.
- Example: A web application that allows short or non-complex passwords, or allows too many password attempts within a period of time.
- Remediation: Multi-factor authentication can help reduce the risk of compromised accounts.
8. Software and Data Integrity failures:
Software that does not protect against data-integrity violations is at risk of accepting plugins, libraries and modules from untrusted sources. This can lead to unauthorized access, malicious code and remote code execution.
- Example: Many applications include auto-update functionality where updates are downloaded without sufficient integrity verification. Attackers can potentially upload their own updates to be distributed to all installations.
- Remediation: Use digital signatures to verify that updates come from the expected source and are unaltered. Ensure the code-review process for changes does not let malicious inclusions through.
9. Security Logging and Monitoring Failures:
Logging and monitoring should be performed continuously to confirm that a site remains secure. Failing to log sign-ins, activities and other important events compromises your ability to build a timeline of events in the event of an incident or data breach.
- Example: A server that does not enable logging by default makes auditing difficult to approach.
- Remediation: Pentesters can study the logs to identify shortcomings and vulnerabilities. Enable proper logging services to increase visibility and send alerts for active attacks in real time.
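Categories 7 and 9 meet in one check, shown here as an added example that is not from the OWASP document: a detector that reads sign-in log lines and raises an alert when one source exceeds a failure threshold inside a sliding window, flagging a later success from the same source. The log lines and their format are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format is assumed, not from any real server.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 login fail user=alice
2024-05-01T10:00:03 203.0.113.7 login fail user=alice
2024-05-01T10:00:04 203.0.113.7 login fail user=alice
2024-05-01T10:00:06 203.0.113.7 login fail user=alice
2024-05-01T10:00:09 203.0.113.7 login fail user=alice
2024-05-01T10:00:12 203.0.113.7 login ok user=alice
2024-05-01T10:05:00 198.51.100.2 login fail user=bob
2024-05-01T10:30:00 198.51.100.2 login fail user=bob
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) login (?P<result>ok|fail) user=(?P<user>\S+)$")

def parse(log: str):
    # Yield (timestamp, source ip, result, user) for each well-formed line.
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["result"], m["user"]

def brute_force_alerts(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Return {(ip, user): {"at": time threshold was crossed, "success_after": bool}}
    for every source whose failed logins within `window` reach `threshold`."""
    failures = defaultdict(list)  # (ip, user) -> timestamps of recent failures
    alerts = {}
    for ts, ip, result, user in parse(log):
        key = (ip, user)
        if result == "fail":
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {"at": ts, "success_after": False}
        elif key in alerts:
            # A success after the threshold was crossed is the signal to escalate.
            alerts[key]["success_after"] = True
    return alerts
```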
10. Server-Side Request Forgery (SSRF):
Web applications that fetch a remote resource from a user-supplied link can allow an attacker to craft requests to an unexpected destination. This often bypasses protections such as VPNs and access control lists.
- Example: Unsegmented internal servers can be port-scanned through the vulnerable application, since open and closed ports respond differently to the forged requests.
- Remediation: Segment remote-resource access to reduce the impact of SSRF. Log all accepted and blocked network flows on firewalls.
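A server-side check for the user-supplied link above, as an added example that is not from the OWASP document: it restricts the scheme, resolves the host, rejects any address that is not publicly routable, and returns the vetted IP for the fetch to connect to. The `resolve` callback is an assumption so the check runs offline; in production it would wrap a real DNS lookup such as `socket.getaddrinfo`.

```python
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

def is_public(ip: str) -> bool:
    # is_global is False for loopback, RFC 1918 and ULA ranges, link-local
    # (including the 169.254.0.0/16 cloud-metadata range) and reserved space.
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast

def validate_fetch_target(url: str, resolve) -> str:
    """Return the single IP address the fetch may connect to, or raise
    ValueError. `resolve(hostname)` returns a list of IP strings."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise ValueError("malformed or credential-bearing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise ValueError("unresolvable host")
    # Every resolved address must be public: a name that maps to one
    # public and one internal address is still rejected.
    for ip in addrs:
        if not is_public(ip):
            raise ValueError("destination not allowed")
    # Callers should connect to this IP (sending the name in the Host
    # header) rather than resolving again, so check and use see one answer.
    return addrs[0]
```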