OWASP Top 10 Vulnerabilities
Vulnerabilities are weaknesses in a system that give threats the opportunity to compromise assets. All systems have vulnerabilities. Even though technologies keep improving, the number of vulnerabilities keeps growing, driven by factors such as code bases of tens of millions of lines, large numbers of developers, and human weaknesses. Vulnerabilities are usually grouped into hardware, software, network, and procedural vulnerabilities.
Types of Vulnerabilities
Below is the list of the most common types of vulnerabilities found these days.
1. Hardware Vulnerability: A hardware vulnerability is a weakness that can be used to attack the system hardware, physically or remotely. For example:
The old version of systems or devices
Unencrypted devices, etc.
2. Software Vulnerability: A software error introduced during development or configuration whose execution can violate the security policy. For example:
Lack of input validation
Unencrypted data, etc.
3. Network Vulnerability: A weakness in the network, which can be in hardware or software. For example:
Malware or malicious software (e.g. viruses, keyloggers, worms, etc.)
Social engineering attacks
4. Procedural Vulnerability: A weakness in an organization's operational methods. For example:
Password procedure – Password should follow the standard password policy.
Training procedure – Employees must know which actions to take to handle security. Employees must never be asked for user credentials online, and they must be made aware of social engineering and phishing threats.
5. Web Vulnerability:
A website vulnerability is a weakness or misconfiguration in a website or web application code that allows an attacker to gain some level of control of the site, and possibly the hosting server. Most vulnerabilities are exploited through automated means, such as vulnerability scanners and botnets. Cybercriminals create specialized tools that scour the internet for certain platforms, like WordPress or Joomla, looking for common and publicized vulnerabilities. Once found, these vulnerabilities are then exploited to steal data, distribute malicious content, or inject defacement and spam content into the vulnerable site.
What is OWASP?
The Open Web Application Security Project (OWASP) is a non-profit foundation that works to improve the security of software. OWASP is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. OWASP is widely known for its OWASP Top 10.
What is OWASP Top 10?
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. The report is put together by a team of security experts from all over the world. Below is the list of current OWASP Top 10 Vulnerabilities.
OWASP Top 10 Vulnerabilities
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring
So, what are the top 10 risks according to OWASP? We break down each item, its risk level, how to test for them, and how to resolve each.
1. Injection
Injection occurs when an attacker exploits insecure code to insert (or inject) their own code into a program. Because the program cannot distinguish code inserted in this way from its own code, attackers can use injection attacks to access secure areas and confidential information as though they were trusted users. Examples of injection include SQL injection, command injection, CRLF injection, and LDAP injection. Application security testing can reveal injection flaws and suggest remediation techniques such as stripping special characters from user input or writing parameterized SQL queries.
2. Broken Authentication
Incorrectly implemented authentication and session management calls can be a huge security risk. If attackers notice these vulnerabilities, they may be able to easily assume legitimate users' identities.
Multifactor authentication is one way to mitigate broken authentication. Run DAST and SCA scans to detect and remove implementation errors before code is deployed.
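A compact login flow that avoids the common implementation errors behind broken authentication: salted PBKDF2 password hashes, constant-time comparison, a generic failure response, lockout after repeated failures, and session tokens from the OS random source. This is an added example written for this post, not code from OWASP or from any product; the iteration count and the lockout threshold are assumed values, and the class and function names are my own.

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor; raise it as far as your login latency budget allows.
PBKDF2_ITERATIONS = 200_000

def hash_password(password, salt=None):
    """Return a salted PBKDF2-SHA256 hash in a self-describing text form."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def new_session_token():
    # Session identifiers come from the OS CSPRNG, never from the username or the clock.
    return secrets.token_urlsafe(32)

class LoginService:
    """Minimal login flow: hashed credentials, lockout after repeated failures, random sessions."""
    MAX_FAILURES = 5   # assumed threshold

    def __init__(self):
        self.users = {}      # username -> stored password hash
        self.failures = {}   # username -> consecutive failed attempts
        self.sessions = {}   # session token -> username

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        # One generic outcome (None) for unknown user, wrong password and locked account,
        # so the response does not reveal which accounts exist.
        if self.failures.get(username, 0) >= self.MAX_FAILURES:
            return None
        stored = self.users.get(username)
        ok = stored is not None and verify_password(password, stored)
        if not ok:
            self.failures[username] = self.failures.get(username, 0) + 1
            return None
        self.failures[username] = 0
        token = new_session_token()
        self.sessions[token] = username
        return token

    def logout(self, token):
        # Invalidate server side; a token must not stay usable after logout.
        self.sessions.pop(token, None)
```

In a real service the user, failure and session tables live in a store rather than in dictionaries, and multifactor verification would sit between the password check and the token issue; the structure of the checks stays the same.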
3. Sensitive Data Exposure
APIs, which allow developers to connect their applications to third-party services like Google Maps, are great time-savers. However, some APIs rely on insecure data transmission methods, which attackers can exploit to gain access to usernames, passwords, and other sensitive information.
Data encryption, tokenization, proper key management, and disabling response caching can all help reduce the risk of sensitive data exposure.
4. XML External Entities
This risk occurs when attackers are able to upload or include hostile XML content due to insecure code, integrations, or dependencies. An SCA scan can find risks in third-party components with known vulnerabilities and will warn you about them. Disabling XML external entity processing also reduces the likelihood of an XML entity attack.
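Disabling external entity processing can be done at the parser, but the simplest fail-closed approach for untrusted input is to refuse any document that declares a DTD at all, since entities can only be declared there. This is an added example written for this post, not code from OWASP or from any library; the two sample documents and the placeholder file path are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Any entity declaration, internal or external, has to live inside a DTD, so a
# document that carries no DOCTYPE/ENTITY markup has no XXE surface at all.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

class UnsafeXML(ValueError):
    """Raised when untrusted XML contains DTD markup we refuse to process."""

def has_dtd(data):
    return DTD_MARKER.search(data) is not None

def parse_untrusted_xml(data):
    """Parse XML from an untrusted source, failing closed on any DTD markup."""
    if has_dtd(data):
        raise UnsafeXML("DTD or entity declarations are not accepted")
    return ET.fromstring(data)

# Constructed sample documents (not from the post).
BENIGN = b"""<?xml version="1.0"?>
<order><item>widget</item><qty>3</qty></order>"""

WITH_EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<order><item>&ext;</item></order>"""

def describe(data):
    """Return a short verdict string; handy for a log line or an API error."""
    try:
        root = parse_untrusted_xml(data)
    except UnsafeXML as exc:
        return f"rejected: {exc}"
    except ET.ParseError as exc:
        return f"malformed: {exc}"
    return f"accepted: <{root.tag}> with {len(root)} child element(s)"
```

The marker check runs on the raw bytes before any parsing, so a document that merely mentions "<!DOCTYPE" inside a comment is also rejected; that is a deliberate choice to fail closed rather than to reason about where the text sits.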
5. Broken Access Control
If authentication and access restriction are not properly implemented, it's easy for attackers to take whatever they want. With broken access control flaws, unauthenticated or unauthorized users may have access to sensitive files and systems, or even user privilege settings.
Configuration errors and insecure access control practices are hard to detect as automated processes cannot always test for them. Penetration testing can detect missing authentication, but other methods must be used to determine configuration problems. Weak access controls and issues with credentials management are preventable with secure coding practices, as well as preventative measures like locking down administrative accounts and controls and using multi-factor authentication.
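The most common broken access control flaw is an object lookup that checks only that the caller is logged in, not that the caller may see that particular object. Below is an added example written for this post (not OWASP's or any project's code) showing that flaw beside a deny-by-default version; the users, invoices and role names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    role: str        # "user" or "admin"

@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: int

# Constructed sample records (not from the post).
INVOICES = {
    1001: Invoice(1001, "alice", 120),
    1002: Invoice(1002, "bob", 300),
}

class Forbidden(PermissionError):
    """Raised for any request the caller is not entitled to."""

def get_invoice_vulnerable(invoice_id):
    # Broken access control: being logged in is the only check, so any user can
    # read any invoice just by changing the id in the request.
    return INVOICES[invoice_id]

def get_invoice(requester, invoice_id):
    """Deny by default: only the owner or an admin may read an invoice."""
    invoice = INVOICES.get(invoice_id)
    # Missing and unauthorized look identical to the caller, so responses do not
    # reveal which ids exist.
    if invoice is None or not (requester.role == "admin" or invoice.owner == requester.name):
        raise Forbidden("invoice not available")
    return invoice

def change_role(requester, target, new_role):
    """Privilege changes are a separate, admin-only operation, never self-service."""
    if requester.role != "admin":
        raise Forbidden("not permitted")
    return User(target.name, new_role)
```

Every Forbidden raised here is also a candidate for the access control failure logging discussed under item 10: a burst of them from one account usually means someone is probing ids.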
6. Security Misconfiguration
Just like misconfigured access controls, more general security configuration errors are huge risks that give attackers quick, easy access to sensitive data and site areas. Dynamic testing can help you discover misconfigured security in your application.
7. Cross-Site Scripting
With cross-site scripting, attackers take advantage of APIs and DOM manipulation to retrieve data from or send commands to your application. Cross-site scripting widens the attack surface for threat actors, enabling them to hijack user accounts, access browser histories, spread Trojans and worms, control browsers remotely, and more.
Training developers in best practices such as data encoding and input validation reduces the likelihood of this risk. Sanitize your data by validating that it’s the content you expect for that particular field, and by encoding it for the “endpoint” as an extra layer of protection.
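The two layers named above, validating input and encoding output for the endpoint, in code. This is an added example written for this post, not OWASP's or any framework's code; the comment-rendering functions and the username rule are constructed to show the difference between the text context and the attribute context of an HTML page.

```python
import html
from urllib.parse import urlsplit

def render_comment_vulnerable(author, text):
    # Reflects user content straight into the page: any markup in it becomes live HTML.
    return f"<p><b>{author}</b>: {text}</p>"

def render_comment(author, text):
    # Text context: escape <, >, & and quotes so content is displayed, not interpreted.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"

def safe_href(url):
    """Allow-list the URL scheme; anything not plain http(s) collapses to a harmless '#'."""
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    return url if scheme in ("http", "https") else "#"

def render_profile_link(display_name, url):
    # Attribute context: quote=True also escapes the quotes that would close the attribute,
    # and the scheme allow-list stops script-bearing URLs from riding inside href.
    return f'<a href="{html.escape(safe_href(url), quote=True)}">{html.escape(display_name)}</a>'

def validate_username(value):
    """Input validation as the first layer: reject anything outside the expected shape."""
    if not (3 <= len(value) <= 20) or not value.isalnum():
        raise ValueError("username must be 3-20 alphanumeric characters")
    return value
```

Encoding is chosen per context: the same string needs HTML escaping in element text, attribute escaping plus a scheme check inside href, and different handling again inside a script block or a URL query, so a single "sanitize" pass at input time is not a substitute for encoding at the point of output.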
8. Insecure Deserialization
Deserialization, or retrieving data and objects that have been written to disk or otherwise saved, can be used to remotely execute code in your application or as a door to further attacks. An object is serialized into either structured text, as with common serialization formats like JSON and XML, or a binary format. This flaw occurs when an attacker uses untrusted data to manipulate an application, initiate a denial of service (DoS) attack, or execute unpredictable code to change the behavior of the application.
Although deserialization is difficult to exploit, penetration testing or the use of application security tools can reduce the risk further. Additionally, do not accept serialized objects from untrusted sources and do not use methods that only allow primitive data types.
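In practice, not accepting serialized objects from untrusted sources means parsing a data-only format such as JSON, checking every field against an allow-list of names, types and ranges, and only then constructing an application object from the validated primitives. This is an added example written for this post, not OWASP's or any library's code; the Order record, its schema and the size limit are constructed.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    order_id: int
    sku: str
    quantity: int

class BadPayload(ValueError):
    """Raised for any input that does not match the allow-listed shape."""

# Allow-list: field name -> (expected type, value check). Nothing else is accepted.
ORDER_SCHEMA = {
    "order_id": (int, lambda v: v > 0),
    "sku": (str, lambda v: 0 < len(v) <= 32 and v.isalnum()),
    "quantity": (int, lambda v: 1 <= v <= 1000),
}

MAX_PAYLOAD_BYTES = 4096   # assumed bound; oversized input is a cheap DoS vector

def load_order(raw):
    """Turn untrusted bytes into an Order, accepting only plain JSON with known fields."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise BadPayload("payload too large")
    try:
        data = json.loads(raw)
    except ValueError as exc:
        raise BadPayload(f"not valid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise BadPayload("expected a JSON object")
    unknown = set(data) - set(ORDER_SCHEMA)
    if unknown:
        raise BadPayload(f"unexpected fields: {sorted(unknown)}")
    for field, (expected_type, check) in ORDER_SCHEMA.items():
        if field not in data:
            raise BadPayload(f"missing field: {field}")
        value = data[field]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, expected_type):
            raise BadPayload(f"wrong type for {field}")
        if not check(value):
            raise BadPayload(f"value out of range for {field}")
    # Only now is an application object built, from validated primitives.
    return Order(**data)
```

The contrast to keep in mind is a native object format such as Python's pickle, where the serialized bytes themselves decide which classes get instantiated; here the code, not the payload, decides that, and the payload can only supply checked numbers and strings.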
9. Using Components with Known Vulnerabilities
No matter how secure your own code is, attackers can exploit APIs, dependencies, and other third-party components if they are not themselves secure. A static analysis accompanied by a software composition analysis can locate and help neutralize insecure components in your application. Veracode’s static code analysis tools can help developers find such insecure components in their code before they publish an application.
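What a software composition analysis does at its core is compare the versions you depend on against an advisory feed. The following is an added example written for this post, not Veracode's or any SCA tool's code: it reads a constructed requirements-style manifest and checks it against a constructed advisory list with placeholder ids (not real CVEs or real packages). It supports exact pins and plain numeric versions only, which is an assumption real tools do not make.

```python
import re

def parse_version(text):
    """Dotted numeric version -> comparable tuple (assumed: plain numeric components only)."""
    return tuple(int(part) for part in text.split("."))

PIN_RE = re.compile(r"([A-Za-z0-9_.\-]+)==([0-9]+(?:\.[0-9]+)*)")

def parse_requirements(text):
    """Read 'name==version' pins from requirements-style text; comments and blanks skipped."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = PIN_RE.fullmatch(line)
        if not match:
            raise ValueError(f"only exact '==' pins are supported: {raw!r}")
        name = match.group(1).lower().replace("_", "-")
        pins[name] = match.group(2)
    return pins

# Constructed advisory feed with placeholder ids (not real CVEs, not real packages).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "examplelib", "introduced": "0", "fixed": "2.4.1"},
    {"id": "ADV-PLACEHOLDER-2", "package": "otherlib", "introduced": "0.9.0", "fixed": "1.0.3"},
]

def find_vulnerable(pins, advisories=ADVISORIES):
    """Return (package, pinned, advisory id, fixed version) for every affected pin."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"])
        if pinned is None:
            continue
        version = parse_version(pinned)
        if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
            findings.append((adv["package"], pinned, adv["id"], adv["fixed"]))
    return findings

# Constructed sample manifest.
REQUIREMENTS = """\
examplelib==2.3.0   # affected: below the fixed version
otherlib==1.0.3     # already at the fixed version
thirdlib==5.1
"""
```

Running this in CI and failing the build on any finding is the usual way to turn the check into a gate rather than a report nobody reads.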
10. Insufficient Logging and Monitoring
Failing to log errors or attacks and poor monitoring practices can introduce a human element to security risks. Threat actors count on a lack of monitoring and slower remediation times so that they can carry out their attacks before you have time to notice or react. To prevent issues with insufficient logging and monitoring, make sure that all login failures, access control failures, and server-side input validation failures are logged with context so that you can identify suspicious activity. Penetration testing is a great way to find areas of your application with insufficient logging too. Establishing effective monitoring practices is also essential.
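Logging a failure with context and then actually looking at the log are two halves of the same control. The added example below, written for this post and not taken from OWASP or any product, emits structured authentication-failure events and runs a sliding-window check over a constructed sample log to flag source addresses with repeated failures; the threshold and window are assumed values.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def auth_failure_event(username, source_ip, reason, when=None):
    """One structured log line with the context an analyst needs: when, who, from where, why."""
    when = when or datetime.now(timezone.utc)
    return json.dumps({"ts": when.isoformat(), "event": "auth_failure",
                       "user": username, "src": source_ip, "reason": reason})

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` auth failures inside any sliding window."""
    per_source = defaultdict(list)
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue                      # unparseable lines are skipped, not fatal
        if event.get("event") != "auth_failure":
            continue
        per_source[event["src"]].append(datetime.fromisoformat(event["ts"]))
    flagged = {}
    for src, times in per_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged

# Constructed sample log: six rapid failures from one address, two sparse ones from another,
# plus an unrelated access-control event and one corrupt line.
T0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [auth_failure_event("alice", "203.0.113.5", "bad_password", T0 + timedelta(seconds=20 * i))
              for i in range(6)]
SAMPLE_LOG += [auth_failure_event("bob", "198.51.100.7", "bad_password", T0 + timedelta(minutes=m))
               for m in (1, 30)]
SAMPLE_LOG.append(json.dumps({"ts": T0.isoformat(), "event": "access_control_failure",
                              "user": "carol", "src": "198.51.100.7", "reason": "not_owner"}))
SAMPLE_LOG.append("garbage line from a crashed writer")
```

The same sliding-window logic applied per username instead of per source address catches password spraying from many addresses against one account, and applied to access_control_failure events it catches id enumeration.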
I hope that I have managed to tickle your mind a little bit with this post and to introduce a healthy dose of tech knowledge and vulnerability awareness. Please use this knowledge to secure yourself from cyber attacks.