TOP 10 OWASP ATTACKS


The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security.
The OWASP Top 10 is a regularly updated report outlining security concerns for web applications, focusing on the 10 most critical risks.



For 2019 the OWASP Top 10 list consists of:

  1. Injection
  2. Broken authentication
  3. Sensitive data exposure
  4. XML External Entities (XXE)
  5. Broken access control
  6. Security misconfigurations
  7. Cross-Site Scripting (XSS)
  8. Insecure deserialization
  9. Using components with known vulnerabilities
  10. Insufficient logging and monitoring


Injection

Injection attacks happen when untrusted data is sent to a code interpreter through a form input or some other data submission to a web application. For example, an attacker could enter SQL database code into a form that expects a plaintext username. If that form input is not properly secured, this would result in that SQL code being executed. Injection attacks can be prevented by validating and/or sanitizing user-submitted data.
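The username-form scenario above, as an added example that is not part of the original page: a lookup built by string concatenation next to a hardened version. It assumes Python's built-in sqlite3 module; the table, function names and sample input are constructed for illustration. Binding the value as a query parameter is a technique added here alongside the validation the text mentions.

```python
import re
import sqlite3

# Constructed form input: text that is SQL syntax rather than a plain username.
CONSTRUCTED_INPUT = "x' OR '1'='1"

def make_db():
    """Build an in-memory database with two constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"),
                    ("bob", "bob@example.test")])
    return db

def lookup_vulnerable(db, username):
    # BEFORE: the form value is pasted into the statement text, so the
    # SQL interpreter parses whatever the user typed as part of the query.
    sql = "SELECT name, email FROM users WHERE name = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, username):
    # The value is bound as a parameter: it is compared as data and is
    # never parsed as SQL, whatever characters it contains.
    return db.execute("SELECT name, email FROM users WHERE name = ?",
                      (username,)).fetchall()

# Allow-list of what a username may look like (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def lookup_hardened(db, username):
    # AFTER: validate the input first, then use the bound query.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_bound(db, username)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, CONSTRUCTED_INPUT))
    print("bound only:", lookup_bound(db, CONSTRUCTED_INPUT))
    try:
        lookup_hardened(db, CONSTRUCTED_INPUT)
    except ValueError as exc:
        print("hardened: rejected,", exc)
```

The concatenated query returns every row for the constructed input, while the bound query returns none and the validated version rejects the input before it reaches the database.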



Broken authentication

Vulnerabilities in authentication (login) systems can give attackers access to user accounts and even the ability to compromise an entire system using an admin account. Some strategies to mitigate authentication vulnerabilities are requiring 2-factor authentication (2FA) as well as limiting or delaying repeated login attempts using rate limiting.



Sensitive data exposure

If web applications don’t protect sensitive data such as financial information and passwords, attackers can gain access to that data and sell or utilize it for nefarious purposes. One popular method for stealing sensitive information is using a man-in-the-middle attack. Data exposure risk can be minimized by encrypting all sensitive data.



XML External Entities (XXE)

This is an attack against a web application that parses XML input. This input can reference an external entity, attempting to exploit a vulnerability in the parser. An ‘external entity’ in this context refers to a storage unit, such as a hard drive. An XML parser can be duped into sending data to an unauthorized external entity, which can pass sensitive data directly to an attacker. The best way to prevent XXE attacks is to have web applications accept a less complex type of data.



Broken access control

Access control refers to a system that controls access to information or functionality. Broken access controls allow attackers to bypass authorization and perform tasks as though they were privileged users such as administrators. Access controls can be secured by ensuring that a web application uses authorization tokens.



Security misconfigurations

Security misconfiguration is the most common vulnerability on the list, and is often the result of using default configurations or displaying excessively verbose errors. This can be mitigated by removing any unused features in the code and ensuring that error messages are more general.



Cross-Site Scripting (XSS)

Cross-site scripting vulnerabilities occur when web applications allow users to add custom code into a URL path. This vulnerability can be exploited to run malicious JavaScript code on a victim’s browser.



Insecure deserialization

This threat targets the many web applications which frequently serialize and deserialize data. Serialization means taking objects from the application code and converting them into a format that can be used for another purpose, such as storing the data to disk or streaming it. Deserialization is just the opposite. An insecure deserialization exploit is the result of deserializing data from untrusted sources, and can result in serious consequences like DDoS attacks and remote code execution attacks.



Using components with known vulnerabilities

Many modern web developers use components such as libraries and frameworks in their web applications. These components are pieces of software that help developers avoid redundant work and provide needed functionality. To minimize the risk of running components with known vulnerabilities, developers should remove unused components from their projects, obtain components only from a trusted source, and keep them up to date.



Insufficient logging and monitoring

Many web applications do not take enough steps to detect data breaches. The average discovery time for a breach is around 200 days after it has happened. This gives attackers a lot of time to cause damage before there is any response. OWASP recommends that web developers implement logging and monitoring.



selex