OWASP Top 10 Vulnerabilities

OWASP:

It stands for the Open Web Application Security Project, which produces articles, methodologies, documentation, tools, and technologies in the field of web application security. 

OWASP Core Purpose:

Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.  

OWASP Top 10 Vulnerabilities 2017

OWASP Top 10 Vulnerabilities for 2017 is based primarily on 40+ data submissions from firms that specialize in application security and an industry survey that was completed by 515 individuals. This data spans vulnerabilities gathered from hundreds of organizations and over 100,000 real-world applications and APIs.

The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact. 

What changed from 2013 to 2017?

Change has accelerated over the last four years, and the OWASP Top 10 Vulnerabilities needed to change. We’ve completely refactored the OWASP Top 10 Vulnerabilities, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, rewritten each risk from the ground up, and added references to frameworks and languages that are now commonly used. 

New issues, supported by data

  • A4:2017 – XML External Entity (XXE) is a new category primarily supported by SAST data sets.

New issues, supported by the community

We asked the community to provide insight into two forward-looking weakness categories. After 516 peer submissions, and removing issues that were already supported by data (such as Sensitive Data Exposure and XXE), the two new issues are:

  • A8:2017 – Insecure Deserialization, responsible for one of the worst breaches of all time, and
  • A10:2017 – Insufficient Logging and Monitoring, the lack of which can prevent or significantly delay malicious activity and breach detection, incident response, and digital forensics.

Retired, but not forgotten

  • A4 Insecure Direct Object References and A7 Missing Function Level Access Control merged into A5:2017 – Broken Access Control.
  • A8 CSRF. Less than 5% of the data set supports CSRF today, which places it around #13.
  • A10 Unvalidated Redirects and Forwards. Less than 1% of the data set supports this issue today, as it is now #25.

OWASP Top 10 Vulnerabilities 2013

  • A1 – Injection
  • A2 – Broken Authentication and Session Management
  • A3 – Cross-Site Scripting (XSS)
  • A4 – Insecure Direct Object References [Merged+A7]
  • A5 – Security Misconfiguration
  • A6 – Sensitive Data Exposure
  • A7 – Missing Function Level Access Control [Merged+A4]
  • A8 – Cross-Site Request Forgery (CSRF)
  • A9 – Using Components with Known Vulnerabilities
  • A10 – Unvalidated Redirects and Forwards

OWASP Top 10 Vulnerabilities 2017

  • A1:2017 – Injection
  • A2:2017 – Broken Authentication
  • A3:2017 – Sensitive Data Exposure
  • A4:2017 – XML External Entities (XXE) [NEW]
  • A5:2017 – Broken Access Control [Merged]
  • A6:2017 – Security Misconfiguration
  • A7:2017 – Cross-Site Scripting (XSS)
  • A8:2017 – Insecure Deserialization [NEW, Community]
  • A9:2017 – Using Components with Known Vulnerabilities
  • A10:2017 – Insufficient Logging & Monitoring [NEW, Community]

Application Security Risks:

Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.

Sometimes, these paths are trivial to find and exploit and sometimes they are extremely difficult. 

1. Injection 

An injection of code happens when an attacker sends invalid data to the web application with the intention to make it do something different from what the application was designed/programmed to do. 

Perhaps the most common example of this security vulnerability is the SQL query consuming untrusted data. You can see one of OWASP’s examples below:

    String query = "SELECT * FROM accounts WHERE custID = '" + request.getParameter("id") + "'";

This query can be exploited by calling up the web page executing it with the following URL: http://example.com/app/accountView?id=' or '1'='1, causing the return of all the rows stored in the database table.

Here is another example of an SQL injection that affected over half a million websites. This code is part of the function get_products(). If attackers set arbitrary values for the variable $limit, they can modify the query in a way that can lead to a full compromise on some servers:

    if ( ! empty( $is_default ) ) {
        if ( ! empty( $user_id ) ) {
            $this->generate_default_wishlist( $user_id );
        }
        $sql .= " AND l.`is_default` = %d";
    }

    if ( ! empty( $id ) ) {
        $sql .= " AND `i.ID` = %d";
        $sql_args[] = $id;
    }

    $sql .= " GROUP BY i.prod_id, l.ID";

    if ( ! empty( $limit ) && isset( $offset ) ) {
        // $offset and $limit are concatenated straight into the SQL text instead of
        // being passed to prepare() as %d arguments: this is the injection point.
        $sql .= " LIMIT " . $offset . " , " . $limit;
    }

    $wishlist = $wpdb->get_results( $wpdb->prepare( $sql, $sql_args ), ARRAY_A );
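To make the difference between the two query styles concrete, here is an added Python example. It is not code from the article, from OWASP, or from the plugin quoted above; it builds an in-memory SQLite table with constructed sample rows and runs the article's ' or '1'='1 value through both a concatenated query (the same construction as the Java snippet) and a parameterized one.

```python
import sqlite3

# Constructed sample data (assumption): three accounts in an in-memory database.
ACCOUNTS = [("1001", "alice"), ("1002", "bob"), ("1003", "carol")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def lookup_concatenated(conn, cust_id):
    # Vulnerable: same construction as the Java snippet above. The input is
    # spliced into the SQL text, so quotes inside it change the query structure.
    query = "SELECT * FROM accounts WHERE custID = '" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, cust_id):
    # Safe: the value is bound by the driver, so it is only ever compared as a
    # value and is never interpreted as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT * FROM accounts WHERE custID = ?", (cust_id,)
    ).fetchall()


PAYLOAD = "' or '1'='1"   # the id value from the article's example URL


def compare_lookups():
    """Row counts each style returns for a normal id and for the payload."""
    conn = make_db()
    return {
        "concat_normal": len(lookup_concatenated(conn, "1001")),
        "concat_payload": len(lookup_concatenated(conn, PAYLOAD)),
        "param_normal": len(lookup_parameterized(conn, "1001")),
        "param_payload": len(lookup_parameterized(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for name, rows in compare_lookups().items():
        print(f"{name}: {rows} row(s)")
```

The concatenated query returns every row for the payload because the WHERE clause becomes custID = '' or '1'='1'; the parameterized query returns nothing because it looks for a customer whose id is literally that string. The PHP LIMIT clause above fails for the same reason, and the fix is the same: pass $offset and $limit to prepare() as %d arguments rather than concatenating them.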

2. Broken Authentication 

A broken authentication vulnerability can allow an attacker to use manual or automatic mediums to try to gain control over a user account – or even worse – to gain complete control over the system. 

Websites with broken authentication vulnerabilities are very common on the web. Broken authentication usually refers to logic issues in the application's authentication mechanism, such as poor session management or login forms that allow username enumeration.

To avoid broken authentication, don't leave the login page for admins publicly accessible to all visitors of the website:

  • /administrator on Joomla!
  • /wp-admin/ on WordPress
  • /index.php/admin on Magento
  • /user/login on Drupal

Types of Vulnerabilities 

However, broken authentication vulnerabilities can come in many forms. According to OWASP, a web application contains a broken authentication vulnerability if it:

  • Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
  • Permits brute force or other automated attacks.
  • Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".
  • Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers", which cannot be made safe.
  • Uses plain text, encrypted, or weakly hashed passwords.
  • Has missing or ineffective multi-factor authentication.
  • Exposes session IDs in the URL (e.g., URL rewriting).
  • Does not rotate session IDs after successful login.
  • Does not properly invalidate session IDs. User sessions or authentication tokens (particularly single sign-on (SSO) tokens) aren't properly invalidated during logout or after a period of inactivity.
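Several of these bullets translate directly into code. The following added Python example is mine, not OWASP's or the article's: a minimal login service that stores passwords as salted PBKDF2 hashes rather than plain text, rejects passwords on a deny-list (the list, the 8-character minimum, the lockout threshold and the iteration count are assumptions chosen for the demo), throttles an account after repeated failures, issues a fresh session id on every successful login while invalidating the previous one, and invalidates sessions on logout.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed deny-list (assumption) standing in for a breached-password corpus.
WEAK_PASSWORDS = {"password1", "admin", "123456", "qwerty", "letmein"}
PBKDF2_ITERATIONS = 600_000   # high work factor to slow offline guessing
LOCKOUT_THRESHOLD = 5         # failed attempts before the account is throttled
LOCKOUT_SECONDS = 900


def hash_password(password, salt=None):
    """Salted, slow hash instead of plain text or a bare fast digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class AuthService:
    def __init__(self):
        self.users = {}       # username -> (salt, digest)
        self.failures = {}    # username -> (count, time of last failure)
        self.sessions = {}    # session id -> username
        # Dummy credential so an unknown username costs the same time as a
        # known one (no username enumeration through response timing).
        self._dummy = hash_password(secrets.token_hex(16))

    def register(self, username, password):
        if len(password) < 8 or password.lower() in WEAK_PASSWORDS:
            raise ValueError("password rejected: too short or on the deny-list")
        self.users[username] = hash_password(password)

    def login(self, username, password, old_session=None, now=None):
        """Return a fresh session id on success, None on any failure."""
        now = time.time() if now is None else now
        count, last = self.failures.get(username, (0, 0.0))
        if count >= LOCKOUT_THRESHOLD and now - last < LOCKOUT_SECONDS:
            return None                          # throttled: brute force / stuffing
        salt, digest = self.users.get(username, self._dummy)
        ok = verify_password(password, salt, digest) and username in self.users
        if not ok:
            self.failures[username] = (count + 1, now)
            return None
        self.failures.pop(username, None)
        if old_session is not None:
            self.sessions.pop(old_session, None)  # rotate: the pre-login id dies here
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self.sessions[sid] = username
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)             # server-side invalidation

    def user_for(self, sid):
        return self.sessions.get(sid)
```

The session id never appears in a URL here because it is only ever returned to the caller, which in a web application would set it in an HttpOnly, Secure cookie; multi-factor authentication and inactivity timeouts are the two bullets this sketch leaves out.
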

3. Sensitive Data Exposure

Sensitive data exposure is one of the most widespread vulnerabilities. It occurs when data that should have been protected, such as PII (personally identifiable information), is exposed or stolen; the resulting incidents are commonly known as data breaches.

Examples of Sensitive Data 

Some sensitive data that requires protection is: 

  • Passwords
  • Credit card numbers 
  • Credentials 
  • Social Security Numbers 
  • Health information 
  • Personally Identifiable Information 
  • Other personal information

Protecting Data in Transit 

Data at rest and data in transit both need protection. For data in transit, one way to protect it on a website is by having an SSL certificate.

SSL is the common (but deprecated) name for the TLS protocol, used to establish an encrypted link between a web server and a browser.

We have created a DIY guide to help every website owner install an SSL certificate on their website. You can check out How to Install an SSL Certificate.

4. XML External Entities (XXE) 

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

 Most XML parsers are vulnerable to XXE attacks by default, and an XXE can occur in deeply nested dependencies. That is why the responsibility of ensuring the application does not have this vulnerability lies mostly on the developer.

Example of an XML External Entity Attack

According to OWASP, the easiest way to exploit an XXE is to upload a malicious XML file.
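The defensive counterpart, as an added Python example that is not from the article or from OWASP: a boundary check that refuses any XML document declaring a DTD or entity before it reaches the parser. Refusing DTDs outright is the posture OWASP recommends, because it removes external entities and DTD-driven entity-expansion payloads with a single rule and does not depend on the defaults of whichever parser library is in use. The two sample documents are constructed, and the file path inside the external entity is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD or entity declaration is refused outright; this is deliberately
# conservative so that the check does not depend on parser-specific settings.
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b")


def reject_dtd(raw):
    """Raise before parsing if the body declares a DTD or an entity."""
    # The marker regex runs on bytes, so a UTF-16 body (which contains NUL
    # bytes for ASCII text) could slip past it; refuse such bodies as well.
    if b"\x00" in raw:
        raise ValueError("XML input is not UTF-8/ASCII encoded and was rejected")
    if DTD_MARKERS.search(raw):
        raise ValueError("XML input declares a DTD/entity and was rejected")


def parse_untrusted_xml(raw):
    reject_dtd(raw)
    return ET.fromstring(raw)


# Constructed samples (assumption): a plain order document, and the same
# document with an external entity pointing at a placeholder server-side path.
BENIGN = b"<order><id>42</id><item>widget</item></order>"
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH"> ]>'
    b"<order><id>&ext;</id></order>"
)


def classify(raw):
    """'accepted:<root tag>' for a document that passed, else 'rejected'."""
    try:
        root = parse_untrusted_xml(raw)
    except ValueError:
        return "rejected"
    return "accepted:" + root.tag


if __name__ == "__main__":
    print(classify(BENIGN))            # accepted:order
    print(classify(EXTERNAL_ENTITY))   # rejected
```

Where a DTD is genuinely required, the alternative is to disable external entity resolution in the parser's own configuration; which setting does that differs per library, so check its documentation rather than relying on defaults, which is the article's point about responsibility resting on the developer.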

5. Broken Access Control 

In website security, access control means putting a limit on what sections or pages visitors can reach, depending on their needs.

Examples of Access 

  • Access to a hosting control / administrative panel 
  • Access to a server via FTP / SFTP / SSH 
  • Access to a website's administrative panel
  • Access to other applications on your server
  • Access to a database

6. Security Misconfigurations

Hackers are always looking for ways to penetrate websites, and security misconfigurations can be an easy way in. Here are some examples of things that hackers usually try to exploit in order to gain unauthorized access:

  • Unpatched flaws 
  • Default configurations 
  • Unused pages 
  • Unprotected files and directories 
  • Unnecessary services

One of the most common webmaster flaws is to keep the CMS default configurations.

Where Can Security Misconfiguration Happen? 

Security misconfiguration can happen at any level of an application stack, including: 

  • Network services, 
  • Platform, 
  • Web server,
  • Application server, 
  • Database, 
  • Frameworks, 
  • Custom code, 
  • Pre-installed virtual machines, 
  • Containers, 
  • Storage.

7. Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a widespread vulnerability that affects many web applications. XSS attacks consist of injecting malicious client-side scripts into a website and using the website as a propagation method. 

The danger behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim’s browser to execute the code provided by the attacker while loading the page.

Examples of XSS Vulnerabilities 

Imagine you are on your WordPress wp-admin panel adding a new post. If you are using a plugin with a stored XSS vulnerability that is exploited by a hacker, it can force the browser to create a new admin user while in the wp-admin panel or it can edit a post and perform other similar actions. 

An XSS vulnerability gives the attacker almost full control of the most important software of computers nowadays: the browsers.

Types of XSS 

According to OWASP, there are three types of XSS:
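OWASP's three types are reflected, stored and DOM-based XSS; the first two are fixed at the point where the server writes untrusted data into the page, and the fix is output encoding that matches the context the data lands in. The following added Python example is mine, not the article's or OWASP's; it shows the vulnerable concatenation beside context-correct encoding for HTML text, an HTML attribute and an inline script, using a constructed harmless marker string as the untrusted input.

```python
import html
import json

# Constructed sample of untrusted input (assumption): a harmless marker that
# would execute as script if it reached the browser unencoded.
UNTRUSTED = '<script>alert("xss")</script>'


def render_comment_unsafe(text):
    # Vulnerable: a stored or reflected value is written straight into the HTML.
    return '<p class="comment">' + text + "</p>"


def render_comment(text):
    # HTML text context: encode <, > and & so the browser shows the value as text.
    return '<p class="comment">' + html.escape(text, quote=False) + "</p>"


def render_search_box(value):
    # Attribute context: the attribute must be quoted AND quotes must be encoded,
    # otherwise a " in the value closes the attribute and starts a new one.
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


def render_inline_js(value):
    # JavaScript context: JSON-encode the value and additionally escape < and >,
    # so the string literal can never contain a "</script>" that ends the block.
    literal = json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var q = " + literal + ";</script>"


def marker_survives(fragment):
    """True when the raw marker reached the output, i.e. the page is injectable."""
    return UNTRUSTED in fragment


if __name__ == "__main__":
    for fn in (render_comment_unsafe, render_comment, render_search_box, render_inline_js):
        print(fn.__name__, "->", fn(UNTRUSTED))
```

DOM-based XSS happens entirely in the browser, after the server has done its part, so the same rule applies to client-side code: assign untrusted strings to textContent or value, never to innerHTML or to code-evaluating sinks.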

8. Insecure Deserialization 

In computer science, an object is a data structure; in other words, a way to structure data. Two key concepts make insecure deserialization easier to understand:

  • The process of serialization is converting objects to byte strings.
  • The process of deserialization is converting byte strings to objects.

9. Using Components with Known Vulnerabilities
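The risk is that a byte string from an untrusted source gets to decide which objects are built. Here is an added Python example (mine, not the article's or OWASP's) of the two standard mitigations: a data-only format (JSON) whose contents are validated field by field, and, for the case where a native object format such as pickle cannot be avoided, an unpickler that refuses every global lookup so a stream naming any class or function is rejected before an object is built. The Order type and the sample values are constructed for the demo; the RestrictedUnpickler pattern follows the one shown in the Python standard library documentation.

```python
import io
import json
import pickle
from dataclasses import dataclass


@dataclass
class Order:          # constructed sample type (assumption)
    id: int
    item: str
    quantity: int


# Data-only serialization: JSON carries values, never type names, so loading it
# cannot instantiate a class that the application did not choose itself.
def order_to_json(order):
    return json.dumps({"id": order.id, "item": order.item, "quantity": order.quantity})


def order_from_json(raw):
    data = json.loads(raw)
    # Validate shape and types explicitly instead of trusting the byte string.
    if not isinstance(data, dict) or set(data) != {"id", "item", "quantity"}:
        raise ValueError("unexpected document shape")
    if not isinstance(data["id"], int) or not isinstance(data["quantity"], int):
        raise ValueError("id and quantity must be integers")
    if not isinstance(data["item"], str) or data["quantity"] <= 0:
        raise ValueError("item must be a string and quantity positive")
    return Order(data["id"], data["item"], data["quantity"])


# Native format fallback: deny every global lookup. Plain containers and
# scalars still load; anything that names a class or function is refused.
class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def restricted_loads(raw):
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def demonstrate():
    """Outcome of each case: JSON round trip, JSON with an extra field,
    a data-only pickle stream, and a pickle stream that names a class."""
    order = Order(7, "widget", 2)
    results = {"json_roundtrip": order_from_json(order_to_json(order)) == order}
    try:
        order_from_json('{"id": 1, "item": "x", "quantity": 1, "extra": true}')
        results["json_extra_field"] = "accepted"
    except ValueError:
        results["json_extra_field"] = "rejected"
    results["pickle_plain_dict"] = restricted_loads(pickle.dumps({"a": [1, 2]}))
    try:
        restricted_loads(pickle.dumps(order))   # stream references the Order class
        results["pickle_with_class"] = "loaded"
    except pickle.UnpicklingError:
        results["pickle_with_class"] = "refused"
    return results


if __name__ == "__main__":
    print(demonstrate())
```

The same two ideas carry over to Java, PHP and .NET serializers: prefer a format that cannot name types, and where that is impossible, enforce an allow-list of types before any constructor runs.
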

These days, even simple websites such as personal blogs have a lot of dependencies. 

We can all agree that failing to update every piece of software on the backend and frontend of a website will, without a doubt, introduce heavy security risks sooner rather than later.

Whatever the reason for running out-of-date software on your web application, you can't leave it unprotected. Both Sucuri and OWASP recommend virtual patching for the cases where patching is not possible.

Virtual patching allows websites that are outdated (or that have known vulnerabilities) to be protected from attacks by blocking exploitation of those vulnerabilities on the fly. This is usually done by a firewall and an intrusion detection system.

10. Insufficient Logging and Monitoring 

The importance of securing a website cannot be overstated. While 100% security is not a realistic goal, there are ways to keep your website monitored on a regular basis so you can take immediate action when something happens.

Keeping audit logs is vital to staying on top of any suspicious change to your website. An audit log is a record of the events on a website, kept so you can spot anomalies and confirm with the person in charge that the account hasn't been compromised.

We know that it may be hard for some users to perform audit logs manually. If you have a WordPress website, you can use our Free Security Plugin which can be downloaded from the official WordPress repository. 

The Sucuri Website Security Platform has a comprehensive monitoring solution that includes: 

  1. Remote scanner 
  2. Website blacklist scanner 
  3. Server-side scanner 
  4. DNS scanner 
  5. SSL scanner 
  6. Uptime scanner
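Logging is only half of this item; the other half is looking at the log. As an added Python example (mine, not Sucuri's or OWASP's), here is a small detector that reads login events carrying the context OWASP asks for (outcome, account, source address) and raises one alert per source address that reaches a threshold of failed logins inside a sliding window, recording how many distinct accounts were tried, since many accounts failing from one address is the credential-stuffing signature. The log lines, the line format, the threshold and the window are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (assumption): one line per login attempt. The
# addresses are from the documentation ranges (TEST-NET-2 and TEST-NET-3).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login OK   user=alice   ip=198.51.100.4
2024-03-01T10:00:05Z login FAIL user=alice   ip=203.0.113.7
2024-03-01T10:00:09Z login FAIL user=bob     ip=203.0.113.7
2024-03-01T10:00:14Z login FAIL user=carol   ip=203.0.113.7
2024-03-01T10:00:20Z login FAIL user=dave    ip=203.0.113.7
2024-03-01T10:00:27Z login FAIL user=erin    ip=203.0.113.7
2024-03-01T10:00:33Z login FAIL user=frank   ip=203.0.113.7
2024-03-01T10:01:00Z login FAIL user=bob     ip=198.51.100.4
2024-03-01T10:07:00Z login OK   user=bob     ip=198.51.100.4
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return the event as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None                     # unparseable lines are skipped, not trusted
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_failed_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """One alert per source ip that reaches `threshold` failed logins within a
    sliding `window`, keyed by ip; the alert records when it fired, the failure
    count at that moment and how many distinct accounts had been tried."""
    recent = defaultdict(deque)         # ip -> timestamps of failures in the window
    users = defaultdict(set)            # ip -> accounts seen failing from that ip
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        users[ev["ip"]].add(ev["user"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()                 # drop failures that fell out of the window
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = {
                "fired_at": ev["ts"].isoformat(),
                "failures": len(q),
                "distinct_users": len(users[ev["ip"]]),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_failed_login_bursts(SAMPLE_LOG).items():
        print(ip, alert)
```

Run on the sample, the detector fires once, for 203.0.113.7 at the fifth failure, and stays quiet for 198.51.100.4, whose single failure followed by a success is ordinary user behaviour. The point of the exercise is that an alert like this is only possible if the application logged failures with the account and source address in the first place.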

Top 10 Risk Factor Summary

The following table presents a summary of the 2017 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 team.

Article By: Sayan Chatterjee

