OPEN WEB APPLICATION SECURITY PROJECT (OWASP)
Description:
OWASP produces free-to-read articles, methodologies, documentation, tools and technologies in the area of web application security. The OWASP Foundation leads the effort. The OWASP Top 10 – 2021 is based on data contributed by over 40 partner organizations.
The list of Top 10 Vulnerabilities for 2021:
What does Vulnerability mean?
A vulnerability is a weakness in an application or system that an attacker can exploit, so that the system can be compromised easily.
1. Broken Access Control.
What is Broken Access Control?
Broken access control lets attackers access, modify or delete data, or perform actions, that the application or system should not allow them to.
Broken Access Control is now the most serious web application security risk; the contributed data shows that, on average, 3.81% of the applications tested contained one or more of the Common Weakness Enumerations (CWEs) mapped to this category, with more occurrences in applications than any other category.
Example of this Attack & How to Prevent it
The application uses unverified data in an SQL call that accesses account information:
// the "acct" value is taken straight from the request and never checked against the logged-in user
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
- Model access controls should enforce record ownership rather than accepting that a user can create, read, update or delete any record.
2. Cryptographic Failures.
What are Cryptographic Failures?
When you fail to protect sensitive data, such as passwords, credit card numbers, and personal information, attackers often target it. The main cause of data exposure is a failure to encrypt the data.
As a result, Cryptographic Failures moves up to #2, replacing Sensitive Data Exposure, which was a symptom rather than a root cause. The renewed name focuses on failures in cryptography, which the old name only implied. A breach of this type can expose sensitive information or compromise systems.
Example of this Attack & How to Prevent it
Credit card numbers are encrypted in a database using automatic database encryption. Because the database also decrypts this data automatically, a SQL injection flaw can be used to retrieve credit card numbers in clear text.
- Always use authenticated encryption instead of just encryption.
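The bullet above recommends authenticated encryption, which detects any change to the ciphertext instead of silently decrypting it. The following is an added example, not code from the OWASP page: application-level AES-GCM encryption of a card number with the standard JDK crypto API. The record identifier used as associated data, the test card number and the in-memory key are all constructed for the demonstration; a real deployment would hold the key in a key-management system, not generate it at startup.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

// Added example, not from the OWASP page. Authenticated encryption with AES-256-GCM:
// the 128-bit tag makes any modification of the stored value, or any attempt to move it
// to a different record, fail at decryption time instead of yielding wrong plaintext.
public class AuthenticatedEncryption {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the GCM recommendation
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    // Returns iv || ciphertext || tag. The associated data (aad) is authenticated but not
    // encrypted; binding the record id into it means a ciphertext copied from one row to
    // another will not decrypt.
    static byte[] encrypt(SecretKey key, byte[] aad, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv); // fresh random nonce per encryption; never reuse with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        cipher.updateAAD(aad);
        byte[] ciphertextAndTag = cipher.doFinal(plaintext);
        byte[] out = new byte[IV_BYTES + ciphertextAndTag.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ciphertextAndTag, 0, out, IV_BYTES, ciphertextAndTag.length);
        return out;
    }

    // Throws AEADBadTagException if the blob or the associated data was altered.
    static byte[] decrypt(SecretKey key, byte[] aad, byte[] blob) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        cipher.updateAAD(aad);
        return cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256);
        SecretKey key = keyGen.generateKey(); // constructed for the demo; use a KMS in production

        byte[] recordId = "card-record:42".getBytes(StandardCharsets.UTF_8);       // constructed context
        byte[] pan = "4111111111111111".getBytes(StandardCharsets.UTF_8);          // constructed test PAN

        byte[] stored = encrypt(key, recordId, pan);
        System.out.println("round trip: " + new String(decrypt(key, recordId, stored), StandardCharsets.UTF_8));

        byte[] tampered = stored.clone();
        tampered[IV_BYTES] ^= 0x01; // flip one bit of the ciphertext
        try {
            decrypt(key, recordId, tampered);
        } catch (AEADBadTagException e) {
            System.out.println("tampered ciphertext rejected");
        }

        byte[] otherRecord = "card-record:43".getBytes(StandardCharsets.UTF_8);
        try {
            decrypt(key, otherRecord, stored); // same blob, moved to a different record
        } catch (AEADBadTagException e) {
            System.out.println("ciphertext bound to the wrong record rejected");
        }
    }
}
```

The design point is that decryption happens in the application, with the key held outside the database, so a SQL injection that reads the table only yields opaque blobs; and because GCM authenticates both the ciphertext and the record id, an attacker who can write to the table cannot swap or patch encrypted values without the decryption failing loudly.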
3. Injection.
What is Injection?
In an injection attack, the attacker supplies malicious content to a web application. Because of the malicious input, the application behaves unexpectedly. The server or client might be harmed by exposing information that shouldn't be revealed, by giving the user permissions they shouldn't have, or by running harmful code.
Injection is now in third position. 94% of the applications were tested for some form of injection, with an average incidence rate of 3.37% and a maximum rate of 19%. The 33 CWEs mapped into this category have the second most occurrences in applications, with 274k occurrences. The category now includes cross-site scripting.
Example of this Attack & How to Prevent it
The following SQL call is vulnerable because it builds the query from untrusted data:
// the "id" parameter is concatenated into the SQL text, so a quote in the input changes the query itself
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
- Use LIMIT and other SQL controls within queries to prevent mass disclosure of records if a SQL injection does occur.
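The two JDBC snippets on this page, the unverified "acct" lookup under Broken Access Control and the concatenated "id" query above, fail in different ways, and one hardened statement fixes both. The following is an added example, not code from the OWASP page: the vulnerable concatenated query beside a version that binds the parameter, scopes the query to the authenticated user's own records, and caps the result with LIMIT. It assumes the sqlite-jdbc driver is on the classpath so that "jdbc:sqlite::memory:" opens a throwaway in-memory database; the table, rows and inputs are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the OWASP page. Assumes sqlite-jdbc on the classpath;
// any JDBC driver works with the same query code.
public class AccountLookup {

    // Vulnerable form (Injection): the untrusted "id" value becomes part of the SQL text,
    // so a quote character in the input changes the structure of the query.
    static List<String> findAccountUnsafe(Connection conn, String id) throws SQLException {
        String query = "SELECT name FROM accounts WHERE custID='" + id + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(query)) {
            return collect(rs);
        }
    }

    // Hardened form. Three controls in one statement:
    //   1. the value is bound as a parameter, so it is only ever compared, never parsed as SQL;
    //   2. the WHERE clause also requires owner_id = the authenticated user, so a valid id
    //      that belongs to someone else returns nothing (Broken Access Control);
    //   3. LIMIT 1 caps what a single lookup can return even if another flaw is found.
    static List<String> findAccountSafe(Connection conn, String id, int currentUserId)
            throws SQLException {
        String query = "SELECT name FROM accounts WHERE custID = ? AND owner_id = ? LIMIT 1";
        try (PreparedStatement ps = conn.prepareStatement(query)) {
            ps.setString(1, id);
            ps.setInt(2, currentUserId); // from the server-side session, never from the request
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString(1));
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:sqlite::memory:")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE accounts (custID TEXT, owner_id INTEGER, name TEXT)");
                st.execute("INSERT INTO accounts VALUES ('A100', 1, 'alice-checking')");
                st.execute("INSERT INTO accounts VALUES ('B200', 2, 'bob-savings')");
            }
            // Constructed hostile input: closes the quoted literal and appends a condition
            // that holds for every row.
            String hostile = "' OR '1'='1";
            int currentUser = 1; // the session belongs to user 1 (alice) in every call below

            System.out.println("unsafe, hostile input:     " + findAccountUnsafe(conn, hostile));
            System.out.println("safe,   hostile input:     " + findAccountSafe(conn, hostile, currentUser));
            System.out.println("safe,   someone else's id: " + findAccountSafe(conn, "B200", currentUser));
            System.out.println("safe,   own account:       " + findAccountSafe(conn, "A100", currentUser));
        }
    }
}
```

Run it with the driver jar on the classpath (for example `java -cp sqlite-jdbc.jar:. AccountLookup`). The unsafe call returns every account in the table; the three safe calls return only the caller's own account or nothing, because the hostile string is compared literally against custID and the owner_id condition refuses another user's valid identifier.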
4. Insecure Design
What is Insecure Design?
This category focuses on flaws in design and architecture. It covers threat modeling, secure design patterns, and principles. A flaw in an insecure design cannot be fixed by a perfect implementation.
Insecure Design is a new category for 2021, focusing on risks related to design flaws. If we are truly committed to shifting left as an industry, we need threat modeling, secure design patterns, and reference guidelines. An insecure design cannot be fixed merely by implementing the required security controls, because the controls needed to defend against specific attacks were never designed in.
Example of this Attack & How to Prevent it
A cinema chain offers group booking discounts and requires a deposit after fifteen attendees. An attacker could threat-model this flow and test whether they could book six hundred seats at all cinemas at once with only a few requests, causing a massive loss of revenue.
- Limit the amount of resources consumed by users or services.
5. Security Misconfiguration
What is Security Misconfiguration?
A misconfigured or insecure configuration option can make a piece of software vulnerable to attack and create a security vulnerability.
The security controls on your system may be incorrectly configured or not properly protected, increasing the risk to your data. You can come across misconfigurations as a result of poorly documented configuration changes, default options, or technical issues in your endpoints. This category now includes the previous XML External Entities (XXE) risk category.
Example of this Attack & How to Prevent it
Sample applications are not removed from the production server when the application server is installed. There are known security flaws in these sample applications that attackers can exploit to compromise the server. Assume one of these applications is the admin console, and the default accounts have not been changed. In that case, the attacker logs in using default passwords and takes over the account.
- Deploy a minimal platform without any unnecessary features, components, documentation, or samples. Remove or do not install unused features and frameworks.
6. Vulnerable and Outdated Components
What do Vulnerable and Outdated Components mean?
This kind of threat arises because components such as libraries and frameworks used within an application almost always execute with the application's full privileges, so a flaw in any of them can compromise the whole application.
About Vulnerable and Outdated Components
Software components are parts of a system or application that add functionality to it, such as a module, software package, or API. When a software component is unsupported, out-of-date, or vulnerable to a known exploit, component-based vulnerabilities arise. If a vulnerable component is exploited, it makes it easy for the attacker to cause a serious data loss.
Example of this Attack & How to Prevent it
A few automated tools, for example the Shodan search engine, help attackers find unpatched or misconfigured systems.
- Remove unused dependencies, unnecessary features, files and documentation.
7. Identification and Authentication Failures
What are Identification and Authentication Failures?
This type of threat occurs when confirmation of a user's identity, authentication, or session management is implemented incorrectly or is not protected by the application.
About Identification and Authentication Failures
Previously known as Broken Authentication, Identification and Authentication Failures has slipped from the second spot and now includes CWEs that are more related to identification failures. The increased availability of standardized frameworks seems to be helping, but this category remains a part of the Top 10.
Example of this Attack & How to Prevent it
Most authentication attacks occur because passwords are used as the only factor. Password rotation and complexity requirements, once considered best practices, encourage users to reuse weak passwords. These practices should be stopped and multi-factor authentication should be used instead.
- To prevent authentication-related attacks, it is critical to confirm the user’s identity, authenticate them, and manage their sessions.
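Multi-factor authentication, recommended above, most often means a time-based one-time password from an authenticator app. The following is an added example, not code from the OWASP page: a server-side TOTP verifier (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits) with the two details that are easy to get wrong, a constant-time comparison and replay rejection of a code that was already accepted. The shared secret is the ASCII test secret from RFC 6238; the skew window and the replay bookkeeping are design choices of this example, not something the page specifies.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example, not from the OWASP page: TOTP verification as a second factor.
public class TotpVerifier {
    private static final int STEP_SECONDS = 30;
    private static final int DIGITS = 6;
    private static final int WINDOW = 1; // accept one step of clock skew on either side

    // HOTP value for a counter (RFC 4226 dynamic truncation); TOTP uses the time step as counter.
    static int codeForStep(byte[] secret, long step) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(step).array()); // big-endian counter
        int offset = h[h.length - 1] & 0x0f;
        int binary = ((h[offset] & 0x7f) << 24)
                   | ((h[offset + 1] & 0xff) << 16)
                   | ((h[offset + 2] & 0xff) << 8)
                   |  (h[offset + 3] & 0xff);
        return binary % (int) Math.pow(10, DIGITS);
    }

    // Returns the time step that was accepted, or -1 on failure. lastAcceptedStep is the
    // step of the last code this user successfully used (stored per user); refusing any
    // step at or before it means a code captured in transit cannot be replayed while it
    // is still inside the validity window.
    static long verify(byte[] secret, String submitted, long nowSeconds, long lastAcceptedStep)
            throws Exception {
        long current = nowSeconds / STEP_SECONDS;
        byte[] submittedBytes = submitted.getBytes(StandardCharsets.UTF_8);
        for (long delta = -WINDOW; delta <= WINDOW; delta++) {
            long step = current + delta;
            if (step <= lastAcceptedStep) {
                continue;
            }
            String expected = String.format("%0" + DIGITS + "d", codeForStep(secret, step));
            // constant-time comparison so timing does not reveal how many digits matched
            if (MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), submittedBytes)) {
                return step;
            }
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII); // RFC 6238 test secret
        long t = 59; // RFC 6238 Appendix B test time, i.e. time step 1
        String code = String.format("%06d", codeForStep(secret, t / STEP_SECONDS));
        System.out.println("code at T=59: " + code + " (RFC 6238 lists 94287082 for SHA1, so 287082 at 6 digits)");

        long accepted = verify(secret, code, t, -1);
        System.out.println("fresh code accepted at step " + accepted);
        System.out.println("same code presented again, replay rejected: " + (verify(secret, code, t, accepted) == -1));
        System.out.println("off-by-one code rejected: " + (verify(secret, "287083", t, -1) == -1));
    }
}
```

The verifier is only the second half of the control: the server must still rate-limit attempts per account (six digits leaves a one-in-a-million guess per step), store the secret as carefully as a password database, and persist lastAcceptedStep so the replay check survives across requests and instances.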
8. Software and Data Integrity Failures
What are Software and Data Integrity Failures?
This is a scenario where attackers could potentially upload their own updates to be distributed and run on all installations.
About Software and Data Integrity Failures
Data and software integrity failures occur when code and infrastructure do not protect against integrity violations.
Example of this Attack & How to Prevent it
The firmware of many home routers, set-top boxes, and other devices does not verify that updates are signed. Attackers are increasingly targeting unsigned firmware, and this trend is expected to continue. As a result, there is often no way to remediate other than to fix the problem in a future version and wait for the vulnerable versions to age out.
- We must ensure that a software supply chain security tool, such as OWASP Dependency-Check, is used to verify that components do not contain known vulnerabilities.
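The firmware scenario above is an integrity failure at the point where an update is accepted. The following is an added example, not code from the OWASP page: an installer that refuses any update image whose detached signature does not verify against a vendor public key pinned in the device. It uses the standard JDK Signature API with SHA256withRSA; the key pair is generated inside the example for the demonstration, whereas in a real product the private key stays in the vendor's signing infrastructure and only the public key is built into the device, never delivered alongside the update.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

// Added example, not from the OWASP page: verify an update's signature before applying it.
public class SignedUpdate {
    private static final String ALGORITHM = "SHA256withRSA";

    // Build side: the vendor signs the release image with its private key.
    static byte[] sign(PrivateKey vendorPrivateKey, byte[] image) throws Exception {
        Signature signer = Signature.getInstance(ALGORITHM);
        signer.initSign(vendorPrivateKey);
        signer.update(image);
        return signer.sign();
    }

    // Device side: verification is the first thing that touches the downloaded image.
    static boolean verify(PublicKey pinnedVendorKey, byte[] image, byte[] signature) throws Exception {
        Signature verifier = Signature.getInstance(ALGORITHM);
        verifier.initVerify(pinnedVendorKey);
        verifier.update(image);
        try {
            return verifier.verify(signature);
        } catch (SignatureException e) {
            return false; // a malformed signature blob counts as "not verified"
        }
    }

    // Returns true only if the image was accepted and applied.
    static boolean install(PublicKey pinnedVendorKey, byte[] image, byte[] signature) throws Exception {
        if (!verify(pinnedVendorKey, image, signature)) {
            System.out.println("update rejected: signature does not verify");
            return false;
        }
        System.out.println("signature ok, applying " + image.length + "-byte image");
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair vendor = kpg.generateKeyPair(); // constructed for the demo; lives in HSM/KMS in practice

        byte[] image = "firmware v2.0 (constructed placeholder image)".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(vendor.getPrivate(), image);

        install(vendor.getPublic(), image, signature);      // genuine release

        byte[] modified = image.clone();
        modified[0] ^= 0x01;                                 // one flipped bit anywhere in the image
        install(vendor.getPublic(), modified, signature);   // rejected

        KeyPair other = kpg.generateKeyPair();               // an image signed by someone else's key
        install(vendor.getPublic(), image, sign(other.getPrivate(), image)); // rejected
    }
}
```

The same pattern applies to application dependencies and CI artifacts: the consumer verifies a signature (or a pinned hash) against trust material it already holds, and a tool such as Dependency-Check then checks the verified component against known-vulnerability data. Signature verification proves who produced the artifact, not that it is free of vulnerabilities; both checks are needed.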
9. Security Logging and Monitoring Failures
What are Security Logging and Monitoring Failures?
This failure occurs when a system that transmits or stores confidential information does not record, or does not examine, its audit logs for indications that unauthorized security-related activity has been attempted against it.
About Security Logging and Monitoring Failures
This category helps to detect and respond to active breaches. Without logging and monitoring, breaches cannot be detected.
Example of this Attack & How to Prevent it
A major Indian airline had a data breach involving more than ten years' worth of personal data of millions of passengers, including passport and credit card data. The data breach occurred at a third-party cloud hosting provider, who notified the airline of the breach only after some time.
- We must ensure that log data is encoded correctly to prevent injection or other attacks on the logging or monitoring systems.
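The encoding point above matters because an audit log is only evidence if every line in it was written by the application and not assembled by a user. The following is an added example, not code from the OWASP page: a small formatter that escapes control characters and delimiters in user-controlled values before they are placed in a log line, so that a newline inside a username cannot forge a second, innocent-looking event. The event names, field layout and the hostile sample value are constructed for the demonstration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not from the OWASP page: one-event-per-line logging with escaped values.
public class SafeLogLine {
    private static final int MAX_VALUE_LENGTH = 200;

    // Escapes everything that could break the one-event-per-line contract or hide text from
    // an operator: CR/LF, tabs, other control characters, and the quote used as the field
    // delimiter below. The result is always printable and always a single line.
    static String sanitize(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder();
        int i = 0;
        for (; i < value.length() && out.length() < MAX_VALUE_LENGTH; i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '\t': out.append("\\t"); break;
                case '"':  out.append("\\\""); break;
                case '\\': out.append("\\\\"); break;
                default:
                    if (Character.isISOControl(c)) {
                        out.append(String.format("\\u%04x", (int) c)); // e.g. ESC used for terminal tricks
                    } else {
                        out.append(c);
                    }
            }
        }
        if (i < value.length()) {
            out.append("...[truncated]"); // bound the size a single field can take in the log
        }
        return out.toString();
    }

    // Keys are fixed by the code and values are sanitized, so the line's structure is
    // always what the application intended.
    static String format(String event, Map<String, String> fields) {
        StringBuilder line = new StringBuilder("event=").append(sanitize(event));
        for (Map.Entry<String, String> f : fields.entrySet()) {
            line.append(' ').append(f.getKey()).append("=\"").append(sanitize(f.getValue())).append('"');
        }
        return line.toString();
    }

    public static void main(String[] args) {
        // Constructed hostile username that tries to append a fake "login success" line.
        String username = "mallory\n2024-01-01T00:00:00Z event=login_success user=\"admin\"";
        Map<String, String> fields = new LinkedHashMap<>();
        fields.put("user", username);
        fields.put("ip", "198.51.100.7"); // address from the documentation range, constructed
        System.out.println(format("login_failed", fields));
    }
}
```

With the escaping in place the forged text survives only as a literal "\n" inside the quoted user field, so a log pipeline or an analyst sees one failed login rather than a failed login followed by an administrator success. Emitting events as JSON through a structured logging library gives the same guarantee with less hand-written code; the essential property is that user data is always a value, never part of the log syntax.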
10. Server-Side Request Forgery
What is Server-Side Request Forgery?
In this type of attack, the attacker abuses server-side functionality to access or modify resources that the server can reach.
About Server-Side Request Forgery
It allows an attacker to coerce the application into sending a crafted request to an unexpected destination, even when the application is protected by a firewall or a VPN.
Example of this Attack & How to Prevent it
Attackers can easily access local files and internal services to gain sensitive information, for example file:///etc/passwd and http://localhost:28017/.
Most cloud providers have metadata storage such as https://169.254.169.254/. An attacker can easily read the metadata to gain sensitive information.
- Disable HTTP redirections.
- Do not send raw responses to clients.
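The destinations listed above (a file URL, a service on localhost, the cloud metadata address) are exactly what an outbound-request policy must refuse, and the two bullets describe the client-side half of that policy. The following is an added example, not code from the OWASP page: a validation gate that every server-side fetch of a user-supplied URL has to pass, plus an HTTP client configured never to follow redirects. It requires Java 11+ for java.net.http; the allowlisted host name and the sample URLs are constructed placeholders.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.util.Locale;
import java.util.Set;

// Added example, not from the OWASP page: policy checks before any server-side fetch.
public class OutboundUrlPolicy {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    private static final Set<String> ALLOWED_HOSTS = Set.of("api.partner.example"); // constructed

    // Parses and checks a user-supplied URL; throws if it must not be fetched.
    static URI validate(String raw) throws Exception {
        URI uri = new URI(raw).normalize();
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) {
            // file:///..., opaque URIs and user@host tricks all end up here
            throw new IllegalArgumentException("URL must have a plain host and no user info");
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not on allowlist: " + host);
        }
        rejectInternalAddresses(host);
        return uri;
    }

    // Every address the host resolves to must be a public unicast address, so a permitted
    // name that points at loopback, link-local (169.254.0.0/16) or RFC 1918 space is refused.
    static void rejectInternalAddresses(String host) throws Exception {
        for (InetAddress a : InetAddress.getAllByName(host)) {
            if (a.isLoopbackAddress() || a.isLinkLocalAddress() || a.isSiteLocalAddress()
                    || a.isAnyLocalAddress() || a.isMulticastAddress()) {
                throw new IllegalArgumentException(host + " resolves to internal address " + a.getHostAddress());
            }
        }
    }

    // Redirects are not followed: a 302 from an allowed host could otherwise point the
    // server at a destination that was never checked.
    static HttpClient client() {
        return HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NEVER).build();
    }

    public static void main(String[] args) {
        String[] urls = {
            "file:///etc/passwd",
            "http://localhost:28017/",
            "http://169.254.169.254/latest/meta-data/",
            "https://evil.example/",
            "https://api.partner.example/v1/status",
        };
        for (String u : urls) {
            try {
                validate(u);
                System.out.println("allowed : " + u);
            } catch (Exception e) {
                System.out.println("rejected: " + u + " (" + e.getMessage() + ")");
            }
        }
        // The address check on its own, with literals so no DNS lookup is involved.
        for (String ip : new String[] {"127.0.0.1", "169.254.169.254", "10.0.0.5", "::1", "203.0.113.9"}) {
            try {
                rejectInternalAddresses(ip);
                System.out.println("public  : " + ip);
            } catch (Exception e) {
                System.out.println("internal: " + ip);
            }
        }
    }
}
```

Two caveats a practitioner would want. First, the resolve-then-connect pattern is a time-of-check to time-of-use gap: a name that resolves to a public address during validation can be re-pointed at an internal one before the client connects, so a production gate should connect to the address it checked (through an egress proxy or a custom resolver) rather than letting the client resolve again. Second, Java's isSiteLocalAddress covers the RFC 1918 ranges and fec0::/10 only; shared address space (100.64.0.0/10), IPv6 unique-local (fc00::/7) and IPv4-mapped IPv6 addresses need explicit checks if they are reachable from the server. Whatever is fetched, return only the parsed fields the feature needs, never the raw response body, as the second bullet above says.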
Conclusion:
The Open Web Application Security Project (OWASP) provides us with guidance on how to develop and secure software applications.
Considering these risks, we conclude that web applications cannot be protected by only one technique.
Vulnerabilities in the underlying platform, such as the HTTP layer, are just as damaging to security. Everyone has a role in protecting applications and their critical data, so a complete approach requires collaboration across the network, security, operations and development teams.