OWASP Top 10 – Open Web Application Security Project

What is OWASP?
OWASP stands for Open Web Application Security Project. It is a non-profit organization whose best-known output is the OWASP Top 10, a list of the most critical security risks affecting web applications. Many organizations use this list as a baseline when assessing and improving their web application security posture. As technology advances, so do the techniques used by attackers; taking this into account, OWASP volunteers research and assess real-world vulnerability data and refresh the list every few years. The first list was published in 2003, followed by updates in 2004, 2007, 2010, 2013 and 2017. At the time of writing, the 2017 edition was the current one and the next release was still pending.

OWASP Top 10

1. Injection

An injection vulnerability lets an attacker send untrusted data to an interpreter as part of a command or query. When user input is concatenated into a SQL statement without validation or parameterization, an attacker can change the structure of the query to read, modify or delete data, and in some database configurations run administrative operations. Injection variants include SQL injection, LDAP injection, OS command injection and NoSQL injection; the common fix is to keep data separate from code, typically with parameterized queries or prepared statements.

2. Broken Authentication

An application with weak authentication, or with flaws in its authentication and session-management functions, can expose passwords, session tokens or keys. Attackers use brute force, credential stuffing with leaked username and password lists, or theft of session tokens to authenticate as legitimate users, then use that access to compromise the application and pivot to other systems on the network.
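As an added illustration (not code from the original article), the following Python sketch shows three controls that address the brute-force scenario above: salted PBKDF2 password hashing, a constant-time comparison, and a per-account lockout after repeated failures. The iteration count is deliberately lower than production guidance so the example runs quickly; the user store, usernames and thresholds are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Constructed policy values for the example. Production deployments should use a
# higher iteration count (OWASP publishes current recommendations) and tune lockout.
PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900

# Dummy salt/hash used when the username does not exist, so unknown and known
# users cost the same amount of work and cannot be told apart by timing.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = b"\x00" * 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthStore:
    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}      # username -> (salt, digest)
        self._failures: Dict[str, Tuple[int, float]] = {}     # username -> (count, last_fail_ts)

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def is_locked(self, username: str, now: float) -> bool:
        count, last = self._failures.get(username, (0, 0.0))
        return count >= MAX_FAILURES and (now - last) < LOCKOUT_SECONDS

    def login(self, username: str, password: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return False  # refuse without even checking the password
        record = self._users.get(username)
        salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
        _, candidate = hash_password(password, salt)
        # compare_digest runs in time independent of where the digests differ.
        ok = record is not None and hmac.compare_digest(candidate, stored)
        if ok:
            self._failures.pop(username, None)
        else:
            count, _ = self._failures.get(username, (0, 0.0))
            self._failures[username] = (count + 1, now)
        return ok


if __name__ == "__main__":
    store = AuthStore()
    store.register("alice", "correct horse battery staple")
    for attempt in range(MAX_FAILURES + 1):
        print(attempt, store.login("alice", "guess%d" % attempt))
    print("locked:", store.is_locked("alice", time.time()))
```

Per-account lockout alone does not stop password spraying (one guess against many accounts), which is why it is normally paired with per-source rate limiting and multi-factor authentication.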

3. Sensitive Data Exposure

Improper protection of sensitive data such as PII, financial details and passwords, whether in transit or at rest, gives attackers an opportunity to obtain it and commit fraud or identity theft. Typical routes are a man-in-the-middle attack against unencrypted or weakly encrypted traffic, theft of cryptographic keys, or recovery of passwords that were stored in plaintext or with weak, unsalted hashes.

4. XML External Entities (XXE)

Web applications that evaluate external entity references in XML are susceptible to this attack. If the application parses XML input with a parser that resolves external entities, an attacker who controls the XML can declare entities that point at internal files or URLs and use the parser to disclose those files, send data to an attacker-controlled host, scan internal ports, cause denial of service through entity expansion, and in some environments achieve remote code execution.
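The following intake function is an added example, not code from the original article. It applies the simplest XXE defence, refusing any document that carries a DTD or entity declaration, before handing the bytes to the parser, and it is exercised against a constructed file-disclosure payload, a constructed entity-expansion payload and a benign order document. In a real service you would also configure the parser itself (for example with the defusedxml package); the pre-check here is a belt-and-braces layer, and the payloads are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Any document that declares a DTD can define entities; refusing the DTD outright
# removes external entity resolution and entity-expansion DoS in one check.
DOCTYPE_RE = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised for input the service refuses to parse."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    # Normalise to one encoding first: a UTF-16 document would hide "<!DOCTYPE"
    # from a byte-oriented pattern, so only strict UTF-8 without NULs is accepted.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise UnsafeXML("only UTF-8 input is accepted") from exc
    if "\x00" in text:
        raise UnsafeXML("NUL bytes are not accepted")
    if DOCTYPE_RE.search(text):
        raise UnsafeXML("DTD/entity declarations are not accepted")
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


# Constructed payloads for the example.
XXE_FILE_DISCLOSURE = b"""<?xml version="1.0"?>
<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<r>&xxe;</r>"""

ENTITY_EXPANSION = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;">]>
<lolz>&lol2;</lolz>"""

BENIGN_ORDER = b"<order><id>42</id><sku>ABC-1</sku></order>"

if __name__ == "__main__":
    for name, doc in [("file disclosure", XXE_FILE_DISCLOSURE),
                      ("entity expansion", ENTITY_EXPANSION),
                      ("benign order", BENIGN_ORDER)]:
        print(f"{name}: {'rejected' if is_rejected(doc) else 'accepted'}")
```

Rejecting the DTD is acceptable for most APIs because legitimate clients rarely need one; where a schema is required, validate against an XSD you control rather than a DTD supplied in the document.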

5. Broken Access Control

Access control restricts what authenticated users are allowed to do. When those restrictions are not enforced on the server side, an attacker can act as another user or as a privileged user such as an administrator, bypassing authorization rather than authentication. This can be exploited to view sensitive information, access other users' accounts and modify data, often by doing nothing more than changing an identifier in a URL or request parameter.
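Here is an added example (not from the original article) of the identifier-tampering case just described, modelled as two handlers for a hypothetical "get order" endpoint. The vulnerable handler checks only that a session exists; the safe one checks ownership (or an admin role) on the server and returns the same error for missing and foreign orders so the id space cannot be enumerated. The order table, user names and role name are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Order:
    id: int
    owner: str
    total: float


# Constructed order table standing in for the database.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", 49.99),
    1002: Order(1002, "bob", 1200.00),
}


class Forbidden(Exception):
    """Maps to HTTP 403/404 at the edge; the message is the same for both cases."""


def get_order_vulnerable(session_user: str, order_id: int) -> Order:
    # The caller is authenticated (session_user is set) but nothing ties the
    # requested order to that caller: any logged-in user can walk the id space.
    return ORDERS[order_id]


def get_order_safe(session_user: str, order_id: int,
                   roles: FrozenSet[str] = frozenset()) -> Order:
    order = ORDERS.get(order_id)
    is_owner = order is not None and order.owner == session_user
    is_admin = "admin" in roles  # role comes from the server-side session, never the request
    # Deny by default; identical response for "does not exist" and "not yours".
    if order is None or not (is_owner or is_admin):
        raise Forbidden(f"order {order_id} is not accessible")
    return order


def can_read(session_user: str, order_id: int, roles: FrozenSet[str] = frozenset()) -> bool:
    try:
        get_order_safe(session_user, order_id, roles)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    # alice tampers with the id to read bob's order
    print("vulnerable:", get_order_vulnerable("alice", 1002))
    print("safe, alice -> 1002:", can_read("alice", 1002))
    print("safe, admin -> 1002:", can_read("carol", 1002, frozenset({"admin"})))
```

The check belongs in one shared authorization layer rather than being re-implemented per endpoint; a missing check on a single handler is exactly how these flaws ship.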

6. Security Misconfiguration

It is the most commonly seen issue in the list and usually results from default configurations and accounts, unnecessary features left enabled, missing or misconfigured HTTP security headers, unpatched systems and verbose error messages. Attackers use verbose errors and stack traces to identify components and their versions, then exploit known weaknesses in them.

7. Cross-Site Scripting

Cross-site scripting (XSS) is a client-side attack that takes advantage of improper input validation and missing output encoding: the application reflects or stores attacker-controlled content and sends it to other users, whose browsers render it as HTML or execute it as JavaScript. The injected script can redirect the victim, hijack their session, deface the page or perform actions in the victim's name.

8. Insecure Deserialization

Web applications that serialize and deserialize data are susceptible to this attack. Deserializing data from untrusted sources, or with a deserializer that can instantiate arbitrary classes, can result in remote code execution. Even where code execution is not possible, attackers can tamper with serialized objects to perform injection attacks, forge or replay tokens and escalate their privileges.
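As an added example (not from the original article), the Python pickle format shows the mechanism directly: the unpickler will call whatever callable the payload names. The block builds a payload whose only effect is to run a harmless echo command, then contrasts the unsafe loader with a restricted unpickler that allow-lists a few builtin types and with plain JSON. The payload, the allow-list and the sample record are constructed for the example.

```python
import io
import json
import os
import pickle


class Exploit:
    # pickle honours __reduce__: loading this object makes the unpickler call
    # os.system(...) before the application ever sees a "deserialized object".
    def __reduce__(self):
        return (os.system, ("echo insecure-deserialization-executed",))


# Constructed attacker payload (harmless echo) and a constructed benign record.
MALICIOUS = pickle.dumps(Exploit())
BENIGN = pickle.dumps({"user": "alice", "roles": ["viewer"]})


def load_vulnerable(blob: bytes):
    # Arbitrary code execution on attacker-supplied bytes; returns os.system's exit status.
    return pickle.loads(blob)


SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "str", "int", "float", "bool", "tuple"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every global the stream references passes through here. Only a small
        # set of builtin types is allowed; anything else (os.system, subprocess
        # functions, application classes) is refused before it can run.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(__import__("builtins"), name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob: bytes) -> bool:
    try:
        load_restricted(blob)
    except pickle.UnpicklingError:
        return True
    return False


def load_json(text: str):
    # Preferred: a data-only format that cannot name code to execute.
    return json.loads(text)


if __name__ == "__main__":
    print("vulnerable loader ran command, exit status:", load_vulnerable(MALICIOUS))
    print("restricted loader rejects payload:", is_rejected(MALICIOUS))
    print("restricted loader accepts plain data:", load_restricted(BENIGN))
```

Restricting find_class is a mitigation, not a cure; the robust fix is to stop accepting native serialization formats from untrusted parties and use JSON or another data-only format with schema validation, or to sign serialized blobs and verify the signature before deserializing.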

9. Using Components With Known Vulnerabilities

The use of components such as libraries, frameworks and other software modules is common in today's web applications. These components execute with the same privileges as the application, so a vulnerability in one of them is a vulnerability in the application itself. Looked at more broadly, a single vulnerable component can expose every application that uses it, which is why keeping an inventory of components and their versions and checking it against known vulnerabilities is essential.

10. Insufficient Logging And Monitoring

Logging and monitoring play a vital role in detecting and responding to an attack. OWASP notes that the time to detect a breach is typically over 200 days and that breaches are most often identified by external parties rather than by internal monitoring. Proper logging of security-relevant events such as logins, failed logins and access-control failures, together with alerting and a log retention policy, enables the internal security team to detect attacks in progress and supports later forensic investigation.
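To show what "monitoring" means in practice, here is an added example (not from the original article) of detection logic run over a handful of constructed authentication log lines. It flags a source IP that fails against several distinct accounts inside a short window (password spraying) and then flags any successful login from that same source, which is the signal an analyst most wants to see. The log format, addresses, user names and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed application auth log lines (not real data). 203.0.113.7 sprays five
# accounts in a few seconds and then succeeds; 192.0.2.9 has two failures 11 minutes apart.
LOG_LINES = """\
2024-03-01T10:00:01Z auth result=FAIL user=alice src=203.0.113.7
2024-03-01T10:00:02Z auth result=FAIL user=bob src=203.0.113.7
2024-03-01T10:00:02Z auth result=OK user=carol src=198.51.100.4
2024-03-01T10:00:03Z auth result=FAIL user=dave src=203.0.113.7
2024-03-01T10:00:04Z auth result=FAIL user=erin src=203.0.113.7
2024-03-01T10:00:05Z auth result=FAIL user=frank src=203.0.113.7
2024-03-01T10:00:06Z auth result=OK user=grace src=203.0.113.7
2024-03-01T10:09:00Z auth result=FAIL user=alice src=192.0.2.9
2024-03-01T10:20:00Z auth result=FAIL user=alice src=192.0.2.9
""".splitlines()

LINE_RE = re.compile(r"^(\S+) auth result=(OK|FAIL) user=(\S+) src=(\S+)$")


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, src) or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src


def detect_password_spray(lines, threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, List[str]]]:
    """Alert when one source fails against >= threshold distinct users within `window`,
    then flag a success from an already-alerted source as a likely compromised account."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted = set()
    alerts: List[Tuple[str, str, List[str]]] = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        q = recent[src]
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            distinct = {u for _, u in q}
            if len(distinct) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(("password_spray", src, sorted(distinct)))
        elif src in alerted:
            alerts.append(("success_after_spray", src, [user]))
    return alerts


if __name__ == "__main__":
    for kind, src, users in detect_password_spray(LOG_LINES):
        print(f"{kind}: src={src} users={users}")
```

None of this is possible if failed logins are not logged in the first place, or if the log is rotated away before anyone looks at it; the detection is only as good as the events and the retention behind it.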

AUTHOR
Sonali Gaur
Senior Security Engineer (CCSA | CompTIA Security+ | ECIH | EDRP | CSA | CEH)
Contributing to the field of network security with over five years of industry experience with routers, firewalls, IDS, IPS, SIEM solutions and vulnerability management, working towards making organisations secure. Highly motivated, experienced professional with excellent interpersonal, communication and analytical skills.