What is OWASP Top 10
The OWASP Top 10 is a periodically updated report outlining the ten most critical security concerns for web applications. It is widely regarded as an essential guide for developers and security professionals, helping them to identify and mitigate the most prevalent and dangerous vulnerabilities. The latest edition, updated in 2021, reflects the evolving landscape of web security.
Whether you are developing new web applications or managing existing ones, the OWASP Top 10 serves as an essential touchstone for enhancing security protocols, fostering a deeper understanding of web security, and staying ahead of potential threats.
A01:2021-Broken Access Control
Broken access control occurs when users can act outside of their intended permissions, leading to unauthorized information disclosure, modification, or destruction of data.
An application might allow users to modify their account details by accessing a URL ‘/user/update?user_id=123‘. If an attacker changes the user_id parameter to another user’s ID, they could potentially alter that user’s details.
How to know if you application is affected, according to OWASP (This is not extensive!):
1. Excessive Permissions
Access should be restricted to specific roles or users implementing the principle of least privilege. If anyone can access more than they should, your application might be granting excessive permissions.
2. URL Manipulation
If users can access restricted areas by changing the URL, parameters, or using tools to modify API requests, your application may be vulnerable to parameter tampering.
3. Insecure Direct Object References
Allowing users to view or edit other users’ accounts by simply changing a unique identifier indicates weak access controls.
4. API Access Control Issues
If your APIs lack access controls for critical operations like POST, PUT, and DELETE, they may be susceptible to unauthorized access.
5. Privilege Escalation
If users can perform actions without proper login credentials or escalate their privileges to act as admins, your application may be at risk.
6. Metadata Manipulation
Vulnerabilities exist if attackers can tamper with tokens, cookies, or hidden fields to gain unauthorized access or elevate privileges.
7. CORS Misconfiguration
If your CORS settings allow access from unauthorized origins, your application could be exposed to cross-site attacks.
8. Forceful Browsing
If unauthenticated users can access restricted pages, or standard users can access admin pages by simply navigating to them, your application may have weak access controls.
What is the best way to protect against this?
- Implement robust access control mechanisms.
- Use secure, server-side enforcement of permissions.
- Employ role-based access control (RBAC) and principle of least privilege.
A02:2021-Cryptographic Failures
Cryptographic failures, previously known as “Sensitive Data Exposure,” occur when sensitive data is not adequately protected, leading to breaches.
Storing sensitive data such as passwords or credit card numbers in plaintext or using outdated cryptographic algorithms like MD5 or SHA-1.
Here are the top things to look out for if you are transmitting sensitive data across your network:
1. Clear Text Data Transmission
Check if any data is transmitted without encryption, especially over protocols like HTTP, SMTP, and FTP. Ensure all traffic, including internal traffic between servers, uses secure protocols like HTTPS or secure versions with TLS.
2. Weak Cryptographic Algorithms
Identify if your application uses outdated or weak cryptographic algorithms or protocols, either by default or in older code. Modern standards should be implemented.
3. Key Management Issues
Verify if default cryptographic keys are used, weak keys are generated, keys are reused, or if key management practices are inadequate. Ensure keys are not stored in source code repositories.
4. Missing Encryption Enforcement
Ensure encryption is enforced by checking if any security directives or HTTP headers, such as Content Security Policy (CSP) or HTTP Strict Transport Security (HSTS), are missing.
5. Certificate Validation
Ensure that the server certificate and trust chain are properly validated. This includes checking for expired or self-signed certificates.
6. Initialization Vectors
Check if initialization vectors (IVs) are securely generated, not reused, and appropriate for the cryptographic mode of operation. Avoid insecure modes like ECB.
7. Passwords as Cryptographic Keys
Ensure that passwords are not used directly as cryptographic keys. Instead, use key derivation functions designed for this purpose.
8. Randomness for Cryptography
Verify that randomness used for cryptographic purposes meets cryptographic requirements. Avoid weak seeding methods and ensure sufficient entropy.
9. Deprecated Hash Functions
Identify if deprecated hash functions like MD5 or SHA1 are in use, and replace them with secure cryptographic hash functions.
10. Cryptographic Padding Methods
Ensure that deprecated cryptographic padding methods, such as PKCS number 1 v1.5, are not in use.
11. Exploitable Error Messages
Check if cryptographic error messages or side-channel information could be exploited, such as in padding oracle attacks. Ensure error messages do not leak sensitive information.
What is the best way to protect against this?
- Use strong cryptographic algorithms and protocols.
- Encrypt data both at rest and in transit.
- Implement proper key management practices.
A03:2021-Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query, tricking the interpreter into executing unintended commands.
An application might allow users to enter their username and password, which are then directly concatenated into a SQL query: SELECT * FROM users WHERE username = 'user' AND password = 'pass';
. An attacker could exploit this by entering user' OR '1'='1
as the username, resulting in SELECT * FROM users WHERE username = 'user' OR '1'='1' AND password = 'pass';
, which would grant access.
The following would highlight an application that would be vulnerable:
1. Lack of Input Validation
Ensure all user-supplied data is validated, filtered, or sanitized before use. Verify that inputs meet expected formats and constraints.
2. Use of Dynamic Queries
Avoid using dynamic queries or non-parameterized calls. Ensure queries are parameterized to prevent SQL injection attacks.
3. ORM Search Parameters
Ensure that object-relational mapping (ORM) search parameters do not use malicious user data that could extract sensitive records. Validate all data used in ORM queries.
4. Direct Use of Hostile Data
Avoid directly using or concatenating user-supplied data in SQL commands, dynamic queries, or stored procedures. Use prepared statements and context-aware escaping to separate data from command structure.
What is the best way to protect against this?
- Use parameterized queries and prepared statements.
- Validate and sanitize all user inputs.
- Employ ORM (Object-Relational Mapping) libraries.
A04:2021-Insecure Design
Insecure design involves the lack of security controls or design flaws in software architecture, leading to vulnerabilities.
Secure design is crucial because it addresses potential security weaknesses at their root, before they can be exploited. It involves anticipating potential threats and designing systems that can defend against them. Secure design is not just about writing secure code; it’s about creating an architecture that minimizes risk and maximizes resilience against attacks.
Key Principles of Secure Design
Least Privilege
- Ensure that each component of the system has only the permissions it needs to perform its function and no more. This minimizes the potential damage if a component is compromised.
Defense in Depth
- Implement multiple layers of security controls throughout the system. This way, even if one layer is breached, additional layers provide further protection.
Fail Securely
- Design systems to fail in a secure manner. Ensure that if an application encounters an error, it does not inadvertently grant unauthorized access or leak sensitive information.
Secure Defaults
- Configure systems with the most secure settings by default. Users should have to deliberately opt out of security features rather than opt in.
Separation of Duties
- Divide critical tasks and responsibilities among different users or systems to reduce the risk of fraud or error.
What is the best way to protect against this?
- Implement security by design principles.
- Conduct threat modeling during the development phase.
- Regularly update and patch systems.
A05:2021-Security Misconfiguration
Security misconfiguration is the most common issue and often results from insecure default configurations, incomplete configurations, or ad-hoc configurations.
Leaving default admin passwords unchanged or having unnecessary services enabled, which can be exploited by attackers.
What is the best way to protect against this?
- Implement secure configurations for all components.
- Perform regular audits and reviews of configurations.
- Use automated tools to verify the configurations.
A06:2021-Vulnerable and Outdated Components
Using components with known vulnerabilities can undermine application defenses, leading to exploits.
An application using an outdated version of a library with known vulnerabilities, such as an old version of jQuery.
Here are some common indicators your application may be vulnerable:
-
Insufficient Security Hardening
- Your application may be vulnerable if it lacks adequate security measures across any part of the application stack, or if permissions on cloud services are improperly configured.
-
Unnecessary Features Activated
- The presence of enabled but unnecessary features, such as ports, services, pages, accounts, or privileges, can increase the risk of security breaches.
-
Default Accounts Unchanged
- Vulnerabilities may arise if default user accounts and their passwords remain enabled and unchanged, presenting easy targets for attackers.
-
Insecure Error Handling
- If error handling within the application reveals stack traces or other overly detailed error messages to users, it can provide attackers with valuable information about the underlying system.
-
Disabled Security Features in Upgrades
- For systems that have been upgraded, a common vulnerability occurs when the latest security features are disabled or not configured securely.
-
Insecure Application Settings
- Vulnerabilities are likely if the security settings in application servers, frameworks (such as Struts, Spring, ASP.NET), libraries, and databases are not set to secure values.
-
Lack of Security Headers
- If the server fails to send necessary security headers or directives, or if they are not set to secure values, it exposes the application to various cyber threats.
-
Outdated or Vulnerable Software
- Using software that is out of date or known to be vulnerable (as highlighted in OWASP’s A06:2021-Vulnerable and Outdated Components) can significantly compromise the security of your application.
What is the best way to protect against this?
- Keep all software components up-to-date.
- Regularly monitor for announcements of vulnerabilities in used components.
- Use dependency management tools.
A07:2021-Identification and Authentication Failures
Failures related to identification and authentication can lead to unauthorized access and account compromise.
An application allowing weak passwords or not implementing multi-factor authentication (MFA).
Her are some common things to look out for within your web application:
Automated Attack Vulnerability
- If your application is prone to credential stuffing or brute force attacks, it needs better protective mechanisms like rate limiting or account lockout features.
Usage of Weak Passwords
- Allowing default or commonly used weak passwords such as “Password1” or “admin/admin” increases the risk of breaches.
Flawed Credential Recovery
- Vulnerabilities may exist if your application relies on easily guessable security questions for password recovery.
Insecure Password Storage
- Storing passwords in plain text or using weak encryption methods can lead to security compromises.
Absence of Multi-Factor Authentication
- Not implementing multi-factor authentication can leave your application open to attacks that could be prevented with an additional layer of security.
Session Management Issues
- If session identifiers are visible in URLs or if session IDs are reused after login, your application’s session management might be compromised.
Improper Session Invalidations
- Failing to properly invalidate session IDs after logout or after a period of inactivity can keep sessions open to unauthorized use, especially with SSO tokens.
What is the best way to protect against this?
- Implement strong password policies.
- Use MFA wherever possible.
- Protect against brute force attacks using CAPTCHA or rate limiting.
A08:2021-Software and Data Integrity Failures
These failures occur when software updates, critical data, or CI/CD pipelines are not protected against integrity violations.
An attacker compromising the CI/CD pipeline to inject malicious code into a software build.
While this is more difficult to check, here are a few things to look out for:
Use of Untrusted Components
- If your application relies on plugins, libraries, or modules from sources that aren’t verified as secure, it may be vulnerable.
Vulnerabilities in CI/CD Pipeline
- A CI/CD pipeline without strong security measures can lead to the introduction of unauthorized or malicious changes.
Unverified Auto-Updates
- Auto-update features that don’t check update integrity can allow attackers to deploy harmful updates widely.
Risks from Insecure Deserialization
- Applications that deserialize data without thorough integrity checks can be manipulated through altered serialized objects.
What is the best way to protect against this?
- Use digital signatures to verify software integrity.
- Secure the CI/CD pipeline.
- Monitor and log all changes to software and data.
A09:2021-Security Logging and Monitoring Failures
Lack of proper logging and monitoring can lead to undetected security breaches and delayed incident response.
Not logging failed login attempts, making it harder to detect malicious attacks.
This is often overlooked, so here is a list of things to look out for and make sure you have implemented:
Lack of Essential Logs
- If events like logins, failed logins, and high-value transactions aren’t logged, it’s harder to track and analyze user activities and potential security breaches.
Inadequate Log Messages
- Warnings and errors that generate no, unclear, or insufficient log messages can prevent effective troubleshooting and security monitoring.
Unmonitored Logs
- Logs that are not regularly monitored for suspicious activity miss the opportunity to catch and respond to threats early.
Local Log Storage
- Storing logs only locally increases the risk of data loss and makes it difficult to conduct comprehensive security analyses across systems.
Ineffective Alerting Systems
- Without proper alerting thresholds and response escalation processes, significant security incidents may go unnoticed or unaddressed.
Non-responsive Penetration Testing
- If penetration testing and scans by tools like OWASP ZAP do not trigger alerts, the system may not be effectively detecting intrusion attempts.
Lack of Real-Time Detection
- An application that cannot detect, escalate, or alert on active attacks in real-time or near real-time is at a higher risk of damage from ongoing security breaches.
What is the best way to protect against this?
- Implement comprehensive logging for all critical actions.
- Regularly review logs for suspicious activities.
- Use automated monitoring tools to detect anomalies.
A10:2021-Server-Side Request Forgery (SSRF)
SSRF occurs when an attacker can make the server-side application send HTTP requests to an unintended location, potentially leading to data exposure or manipulation.
An application that fetches data from a URL specified by the user without proper validation, allowing an attacker to direct the request to an internal system.
Here are some things to look out for:
Unvalidated External Requests
- If your application makes requests to external resources based on URLs provided by users without adequate validation, it may be vulnerable to SSRF. This allows attackers to manipulate these requests to access unauthorized resources.
Access to Internal Systems
- SSRF can be particularly dangerous because it may allow attackers to bypass firewalls, VPNs, or network ACLs, accessing internal systems that should not be exposed to the external network.
Features Involving URL Fetching
- Common features that involve fetching URLs, such as image or data import from external sites, can be potential points of vulnerability if not properly secured.
Increased Exposure in Cloud Environments
- The severity of SSRF is often higher in cloud environments due to the interconnected nature of cloud services and the potential access to sensitive cloud-based resources.
What is the best way to protect against this?
- Validate and sanitize all user inputs that control URL requests.
- Implement network segmentation and firewall rules to restrict internal network access.
- Use allowlists for permitted URLs.
Conclusion
Understanding the OWASP Top 10 is essential for anyone involved in web application development or security. This list not only highlights the most critical security threats that applications face today but also serves as a guide for effectively mitigating these risks. By integrating the OWASP Top 10 into your security practices, you ensure that your applications are defended against the most prevalent and impactful vulnerabilities.
Actively incorporating the OWASP Top 10 into your security assessments and development processes is not just about preventing security breaches—it’s about fostering a culture of proactive security within your organization. Regularly revisiting and updating your security measures in line with the OWASP Top 10 helps maintain a robust defense against evolving threats.