OWASP Top 10 - Application Security (2017)

Written by on  
COVER_PAGE

The Open Web Application Security Project (OWASP) is a non-profit community helps organizations to develop secured applications. The OWASP Top 10 Web Application Security Risks was updated in 2017 to provide guidance to developers and security professionals on the most critical vulnerabilities that are commonly found in web applications, which are mostly found in web application.The list is usually refreshed in every 3-4 years.They come up with standards, freeware tools and conferences that help organizations as well as researchers.

OWASP Top 10 - Application Security (2017)

Introduction

The Open Web Application Security Project (OWASP) is a non-profit community helps organizations to develop secured applications. The OWASP Top 10 Web Application Security Risks was updated in 2017 to provide guidance to developers and security professionals on the most critical vulnerabilities that are commonly found in web applications, which are mostly found in web application.The list is usually refreshed in every 3-4 years.They come up with standards, freeware tools and conferences that help organizations as well as researchers.

The following are a brief overview about the OWASP Top 10 Web Application Security vulnerabilities:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entity
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting
  8. Insecure Deserialization
  9. Using Components With Known Vulnerabilities
  10. Insufficient Logging and Monitoring

Injection

Injection attacks occur when the user is able to input untrusted data tricking the application to execute unintended commands without proper authorization. Injections flaws can be - SQL injection, PHP injection, LDAP injection, Code injection and OS injection.

With a successful attack, an attacker can gain:

  1. Unauthorized access to an application: An attacker can successfully bypass an application’s authentication mechanism to have illegitimate access to it.
  2. Information disclosure: An attack could lead to a complete data leakage from the database server.
  3. Loss of data availability: An attacker can delete records from the database server.
  4. Compromised data integrity: As SQL statements are also used to modify or add the record, an attacker can use SQL injection to modify or add data stored in a database. This would lead to compromised data integrity.

Mitigation:

  1. Validating data i.e rejecting suspicious-looking data.
  2. Sanitizing user-submitted data, refers to cleaning up the suspicious parts of the data.
  3. Prepared statements with parameterized queries.
  4. Stored procedures.
  5. Principle of least privilege. This is a standard security control that helps minimize the potential damage of a successful attack.For example, accounts that only require read access are only granted read access to the table they need to access.
  6. A database admin can set controls to minimize the amount of information an injection attack can expose.

Broken Authentication

Vulnerabilities in Broken authentication occurs when the application is incorrectly configured or mismanages session related information such that the users identity gets compromised. The information can be in the form of session cookies, passwords, secret keys etc.

For example, an attacker can take a list containing thousands of known username/password combinations obtained during a data breach and use a script to try all those combinations on a login system to see if there are any that work.

With a successful attack, an attacker can gain:

  1. Unauthorized access to an application: An attacker can successfully bypass an application’s authentication mechanism to have illegitimate access to it.
  2. Information disclosure: An attack could lead to a complete data leakage from the database server if admin authentication is breached.
  3. Compromised data integrity: CRUD operations may take place by an admin account under the control of an attacker.

Mitigation:

  1. Usage of multifactor authentication.
  2. Using a SSL Certificate (HTTPS) on your application.
  3. Implementing an idle session timeout.
  4. Using cookies generated using secure algorithms and implementing HTTPS only read.
  5. Rate-limiting repeated login attempts.
  6. Forcing the usage of strong passwords.
  7. Forced login/logout after a password change.
  8. Invalidate tokens and cookies after logout.

Sensitive Data Exposure

Attackers can sniff or modify the sensitive data in web applications and APIs if not properly protected. Attack can lead to leak of financial data, usernames and passwords, or health information that could enable attackers to access such information to commit fraud or steal identities. One popular method for stealing sensitive information is using a man-in-the-middle(MITM) attack.

With a successful attack, an attacker can gain:

  1. Information disclosure: An attack could lead to a complete data leakage from the database server or may lead to sensitive data stored somewhere in the server.

Mitigation:

  1. Use strong encryption keys.
  2. Encrypt all data in transit and at rest.
  3. Use secure protocols and algorithms.
  4. Disable caching of responses with sensitive data.
  5. Using a SSL Certificate (HTTPS) on your application.

XML External Entity

This is an attack against a web application that parses XML input. Poorly configured XML processors evaluate external entity references within XML documents. Attackers can use external entities for attacks including remote code execution, and to disclose internal files and SMB file shares.

With a successful attack, an attacker can gain:

  1. Execute remote code: An attack could lead to a complete or partial takeover of the server.

Mitigation:
3. Accept a less complex type of data such as JSON.
4. Disable the use of external entities in an XML application.
5. Avoiding serialization of sensitive data.
6. Using Web Application Firewalls to detect and block attacks.
7. Having code reviews often.
8. Whitelisting code at server side to prevent malicious XML upload.

Broken Access Control

Improperly configured application allows attackers to access unauthorized resource or other users accounts, viewing sensitive documents, modifying data and access rights. Applications have different types of account depending on the users such as admins, operators, reporting groups and many more. Common problem is that the developers restrict the privileges just on the UI side and not on the server side. If exploited, each user can have admin rights.

Do not confuse Broken Access Control with Broken Authentication!
Broken Authentication refers to an attacker gaining access over the account of another person
Broken Access Control refers to an attacker doing changes to a system which they should not be allowed to do

With a successful attack, an attacker can gain:

  1. Information disclosure: An attack could lead to sensitive data leakage.
  2. Compromised data integrity: CRUD operations may take place by an unauthorized account under the control of an attacker.

Mitigation:

  1. Use secured authorization tokens.
  2. Restrict access of all resources based on various roles.
  3. Implement server side resource restriction.

Security Misconfiguration

This risk refers to improper implementation of controls such as misconfiguration of security headers, error messages containing sensitive information (information leakage), and not patching or upgrading systems, frameworks, and components.
This is the most common vulnerability on the list, and is often the result of using default configurations. Examples of these security misconfigurations are weak passwords, default passwords, default scripts stored on the servers, default directories, default error messages etc.

With a successful attack, an attacker can gain:

  1. Information disclosure: An attack could lead to a complete data leakage from the database server or may lead to sensitive data stored somewhere in the server.
  2. Complete Takeover: An attack could lead to the whole server being taken over by the attacker.

Mitigation:

  1. Review the security of the configurations.
  2. Install only the required features from a framework.
  3. Do ensure that defaults are changed.
  4. Ensuring that error messages are more general.

Cross-Site Scripting

Cross-site scripting (XSS) vulnerabilities occur when web applications allow attacker to insert malicious code or untrusted script into a url path or onto the web application. XSS is of 3 type i.e Reflected, Stored and DOM based XSS. These types refer to the way the attack is stored and executed.

With a successful attack, an attacker can gain:

  1. Information disclosure: An attack could lead to a complete data leakage from the database server.
  2. Account takeover: An attack could lead to an account being taken over by the attacker.
  3. Website defacement: An attack could deface the website.
  4. Unintended actions: An attack could lead to an attacker forcing the user(s) to make unintended actions.

Mitigation:

  1. Enabling Content-Security-policy(CSP).
  2. Escaping untrusted characters.
  3. Validating data i.e rejecting suspicious-looking data.
  4. Sanitizing user-submitted data, refers to cleaning up the suspicious parts of the data.

Insecure Deserialization

Serialization means taking objects from the application code and converting them into a format that can be used for another purpose, such as storing the data to disk or streaming it. Deserialization is just the opposite: converting serialized data back into objects the application can use.
An insecure deserialization exploit is the result of deserializing data from untrusted sources.

With a successful attack, an attacker can gain:

  1. DDoS attack: An attack could lead to the server being unavailable to users.
  2. Execute remote code: An attack could lead to a complete or partial takeover of the server.

Mitigation:

  1. Encryption of serialized data.
  2. Deserializers to run with least privileges.

Using Components With Known Vulnerabilities

Web developers use components such as libraries and frameworks in their web applications and these component are piece of software that helps developers to avoid redundant work. So attacker look for vulnerability in these components and this can lead to hundreds of thousands of components vulnerable to attacks. Examples are use of vulnerable PHP version, Unpatched windows, out-dated kernel version and many more. Attackers can exploit an insecure component to take over the server or steal sensitive data.

With a successful attack, an attacker can gain:

  1. Information disclosure: An attack could lead to a complete data leakage from the database server or may lead to sensitive data stored somewhere in the server.
  2. Complete Takeover: An attack could lead to the whole server being taken over by the attacker.

Mitigation:

  1. Frequently patch the process.
  2. Remove unused components from their application.
  3. Ensuring components are up to date.
  4. Ensure components are received from a trusted source.

Insufficient Logging and Monitoring

To ensure the malicious intent of the attackers gets noticed, it is essential to log all the activity and monitor it for any suspicious behavior.For example, Junk traffic, too many login attempts from a particular source etc.The average discovery time for a breach is around 200 days after it has happened. Insufficient logging and ineffective integration with security incident response systems allow attackers to pivot to other systems and maintain persistent threats.

Mitigation:

  1. 24x7 monitoring of application traffic.
  2. Log analysis.
  3. Implement incident response plans.

Conclusion

The above vulnerabilities are one of the most common and are to be kept in mind as a priority while developing or testing web applications

Share:

0 Comments:

Post a Comment