What is OWASP?
The Open Web Application Security Project, or OWASP, is an online community dedicated to web application security. The community works to identify the most critical web application security flaws; the issues it reports are often easy to find and exploit, which makes them a concern for every business. These are the specific issues that vulnerability detection services such as Appknox use to pinpoint areas of weakness and stop security problems before they happen. The community has many projects under its umbrella, one of which is the 'OWASP Top 10 Project'.
What is OWASP Top 10?
The goal of the OWASP Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more.
The list represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
The Top 10 Vulnerabilities:
As per the last update, here are the top vulnerabilities as reported by OWASP, arranged in order of severity:
Injection
An injection attack is a common security vulnerability in which a threat actor injects malicious code so that an application behaves in unintended ways. SQL injection attacks are among the most common injection attacks: SQL is injected into a query in order to expose parts of a database.
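As an added illustration (not code from the article or from Appknox), the Python snippet below shows why untrusted input changes the meaning of a SQL statement: a name that happens to contain a quote breaks the string-concatenated query but is handled as plain data by the parameterised one. The table and rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table used only for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")],
    )
    return conn


def find_email_unsafe(conn, name):
    # Vulnerable pattern: untrusted text is spliced into the SQL string, so any
    # quote or keyword inside it is parsed as part of the statement, not as data.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, name):
    # Parameterised query: the value travels separately from the statement text,
    # so the database always treats it as a string literal, quotes included.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(conn, name):
    """Run both variants; report ('ok', rows) or ('error', message) for the unsafe one.

    A syntax error here is the tell-tale sign that input has altered the statement.
    """
    safe_rows = find_email_safe(conn, name)
    try:
        unsafe = ("ok", find_email_unsafe(conn, name))
    except sqlite3.Error as exc:
        unsafe = ("error", str(exc))
    return {"safe": safe_rows, "unsafe": unsafe}


if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice"))
    print(compare(db, "O'Brien"))
```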
Broken Authentication
Also referred to as broken authentication and session management, these vulnerabilities involve hackers gaining unauthorized access to user credentials and using them to get into databases and programs under a false identity.
Security Misconfiguration
This vulnerability is a common occurrence in security systems that are poorly configured and managed. As it can occur at any level of the security infrastructure it is very common, but it can also be detected and mitigated with ease.
Broken Access Control
This vulnerability generally occurs when a user is able to perform certain functions or gain access to files and information without having been granted genuine access. Two earlier categories, 'insecure direct object references' and 'missing function level access control', were combined under the name broken access control.
Cross-Site Scripting (XSS)
A cross-site scripting vulnerability arises when a trusted site extends its permissions to an unknown or malicious third-party site. In general, users grant certain permissions to sites they trust. Hackers modify the pages of those trusted sites so that those permissions extend to an untrusted third party, gaining access to sensitive information and spreading malicious content.
Sensitive Data Exposure
This is one of the most serious security vulnerabilities and causes a great deal of damage to individuals and businesses worldwide. Any web application that handles sensitive business or user information is exposed to data exposure issues.
XML External Entities (XXE)
Whenever an external file is referenced in an XML document, the XML processor loads its contents. Attackers use this behaviour to read local files on the system, access remotely located files, and in some cases execute code through the XML processor.
Insecure Deserialization
Serialization and deserialization are generally used to turn objects into data, transmit it, and recreate the objects in the same state in another place or at another time. In the case of insecure deserialization, attackers send malicious objects which, upon deserialization, grant them special privileges or let them execute malicious code on the target system.
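An added example (not from the article) of failing closed on deserialization in Python: a pickle stream can name any importable callable, so this unpickler resolves only an allow-list of builtin data types and rejects everything else. The Session class and the two sample streams are constructed for the example.

```python
import builtins
import io
import pickle

# Types a pickle stream is allowed to reference; anything else is refused.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose class lookup fails closed.

    pickle calls find_class for every global the stream refers to; resolving it
    freely is what lets a crafted stream run attacker-chosen code. Restricting
    the lookup to plain data types removes that capability.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ('ok', obj) for plain-data streams, ('rejected', reason) otherwise."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


class Session:
    """Harmless application class, constructed for the example; its instances
    are still rejected because the stream names a global outside the allow-list."""

    def __init__(self, user):
        self.user = user


# Constructed sample streams: one holds only data, the other names a class.
SAMPLE_DATA = pickle.dumps({"user": "alice", "roles": ["viewer"], "mfa": True})
SAMPLE_OBJECT = pickle.dumps(Session("alice"))

if __name__ == "__main__":
    print(try_load(SAMPLE_DATA))
    print(try_load(SAMPLE_OBJECT))
```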
Using Components with Known Vulnerabilities
It is surprisingly common for web apps to use components with known security vulnerabilities. That component could be the operating system, the web server, the CMS, or some library and its associated plugins. Using such components without a plan for dealing with their known vulnerabilities can prove detrimental to any security system.
Insufficient Logging and Monitoring
While sufficient logging and monitoring alone cannot prevent hackers from launching an attack on your systems, their absence will certainly make it difficult to detect targeted attacks, mitigate them, or assess the damage they cause.
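As an added example of the monitoring side (not from the article): a small detector that reads constructed authentication log lines and flags any source address with a burst of failed logins across several accounts, the kind of signal that is invisible without logging. The log format is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed format (one event per line).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login_failed user=alice src=203.0.113.7
2024-05-01T10:00:03Z login_failed user=bob src=203.0.113.7
2024-05-01T10:00:05Z login_failed user=carol src=203.0.113.7
2024-05-01T10:00:08Z login_failed user=dave src=203.0.113.7
2024-05-01T10:00:12Z login_failed user=erin src=203.0.113.7
2024-05-01T10:00:15Z login_failed user=alice src=203.0.113.7
2024-05-01T10:02:30Z login_failed user=frank src=198.51.100.5
2024-05-01T10:02:40Z login_ok user=frank src=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(log_text):
    """Yield (timestamp, event, user, src); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["event"], m["user"], m["src"]


def failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each source with >= threshold failures inside `window` to the
    sorted set of accounts it tried; sources under the threshold are omitted."""
    by_src = defaultdict(list)
    for ts, event, user, src in parse_events(log_text):
        if event == "login_failed":
            by_src[src].append((ts, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # sliding window starting at each failure
            hits = [u for t, u in events[i:] if t - start <= window]
            if len(hits) >= threshold:
                alerts[src] = sorted(set(hits))
                break
    return alerts


if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG))
```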
Is OWASP for Everyone?
Practically speaking, any organization that prioritizes security needs to focus on the vulnerabilities listed by OWASP. Most of these security issues are interdependent, and if one is not taken care of it may lead to another. It is therefore essential that you carefully determine which of these OWASP Top 10 risks your organization needs to work on and develop a thorough action plan to keep your security infrastructure up to date.
Our next article in this series is about the top 10 mobile security risks as defined by the OWASP Top 10 Project for Mobile. In case you are wondering how to secure mobile applications from these risks, here's our exhaustive list of 10 measures to meet OWASP security guidelines.