OWASP Top 10

Enos Jeba
6 min read · Sep 17, 2020

Security Risks & Vulnerabilities

What is OWASP?

OWASP stands for the Open Web Application Security Project, an online community that produces articles, methodologies, documentation, tools, and technologies in the field of web application security.

What is the OWASP Top 10?

OWASP Top 10 is the list of the 10 most common application vulnerabilities. It also shows their risks, impacts, and countermeasures. The list is updated every three to four years; the latest OWASP vulnerabilities list was released in 2018.

The Top 10 OWASP vulnerabilities in 2020

Injection

Injection flaws allow attackers to relay malicious code through an application to another system. These attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to backend databases via SQL (i.e., SQL injection). Whole scripts written in Perl, Python, and other languages can be injected into poorly designed applications and executed. Any time an application uses an interpreter of any type there is a danger of introducing an injection vulnerability.

Broken Authentication

Broken authentication is an umbrella term for several vulnerabilities that attackers exploit to impersonate legitimate users online. Broadly, broken authentication refers to weaknesses in two areas: session management and credential management. Both are classified as broken authentication because attackers can use either avenue to masquerade as a user: hijacked session IDs or stolen login credentials.

Attackers employ a wide variety of strategies to take advantage of these weaknesses, ranging from huge credential stuffing attacks to highly targeted schemes aimed at gaining access to a specific person’s credentials.

Sensitive Data Exposure

Sensitive data exposure occurs when an application, company, or other entity inadvertently exposes personal data. Sensitive data exposure differs from a data breach, in which an attacker accesses and steals information.

Sensitive data exposure occurs as a result of not adequately protecting a database where information is stored. This might be a result of a multitude of things such as weak encryption, no encryption, software flaws, or when someone mistakenly uploads data to an incorrect database.

Different types of data can be exposed in a sensitive data exposure. Bank account numbers, credit card numbers, healthcare data, session tokens, Social Security numbers, home addresses, phone numbers, dates of birth, and user account information such as usernames and passwords are some of the types of information that can be left exposed.

XML External Entities (XXE)

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

Broken Access Control

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user. Common access control vulnerabilities include:

  • Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool.
  • Allowing the primary key to be changed to another user’s record, permitting viewing or editing someone else’s account.
  • Elevation of privilege: acting as a user without being logged in, or acting as an admin when logged in as a user.
  • Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation.
  • CORS misconfiguration that allows unauthorized API access.
  • Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user. Accessing APIs with missing access controls for POST, PUT and DELETE.
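The primary-key and elevation-of-privilege bullets above, as an added example that is not part of the original post: a record lookup that trusts the id from the request, beside one that enforces ownership and role server-side with deny-by-default. The accounts, users and roles are constructed sample data.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""

@dataclass(frozen=True)
class Account:
    id: int
    owner: str
    balance: int

# Constructed sample data: hypothetical users, roles and balances.
ACCOUNTS = {1: Account(1, "alice", 100), 2: Account(2, "bob", 250)}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

def get_account_vulnerable(account_id: int, current_user: str) -> Account:
    # Trusts the id taken from the request; any logged-in user can read any
    # record simply by changing the number.
    return ACCOUNTS[account_id]

def is_allowed(current_user: str, action: str, account: Account) -> bool:
    # Deny by default; grant only the combinations the policy names explicitly.
    role = ROLES.get(current_user)
    if role is None:                       # unknown or unauthenticated principal
        return False
    if account.owner == current_user and action in ("view", "edit"):
        return True
    if role == "admin" and action == "view":
        return True
    return False

def get_account_checked(account_id: int, current_user: str, action: str = "view") -> Account:
    account = ACCOUNTS.get(account_id)
    # One response for "no such record" and "not yours", so a caller cannot
    # enumerate valid ids by telling a 404 apart from a 403.
    if account is None or not is_allowed(current_user, action, account):
        raise Forbidden(f"{current_user!r} may not {action} account {account_id}")
    return account

def can_access(account_id: int, current_user: str, action: str = "view") -> bool:
    # Convenience wrapper for callers that only need a yes/no answer.
    try:
        get_account_checked(account_id, current_user, action)
        return True
    except Forbidden:
        return False
```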

Security Misconfigurations

Security misconfigurations are security settings inappropriately configured or left insecure that put your systems and data at risk. Basically, any poorly documented configuration changes, default settings, or a technical issue across any component in your endpoints could lead to a misconfiguration.

Misconfigurations can occur for a myriad of reasons. Modern network infrastructures are highly complex; organizations often overlook crucial security settings, including new network equipment that might retain default configurations. A developer might write overly permissive firewall rules or create network shares for convenience while building software and leave them unchanged. Sometimes administrators allow configuration changes for testing or troubleshooting purposes and forget to revert to the original state, resulting in a misconfiguration. Common areas where security misconfigurations appear are logon security, user account management, password policy, browser hardening, and legacy protocols.

Cross Site Scripting (XSS)

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim’s web browser by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code. The web page or web application becomes a vehicle to deliver the malicious script to the user’s browser. Vulnerable vehicles that are commonly used for Cross-site Scripting attacks are forums, message boards, and web pages that allow comments.

A web page or web application is vulnerable to XSS if it uses unsanitized user input in the output that it generates. This user input must then be parsed by the victim’s browser. XSS attacks are possible in VBScript, ActiveX, Flash, and even CSS. However, they are most common in JavaScript, primarily because JavaScript is fundamental to most browsing experiences.
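The unsanitized-output condition above, as an added example that is not part of the original post: a comment template that drops user input straight into the page, the same template escaping for each HTML context, and a small audit that parses the rendered fragment the way a browser would to see whether the input became markup. The template, comment and author strings are constructed.

```python
import html
from html.parser import HTMLParser

EXPECTED_TAGS = {"div", "p"}   # the only elements the comment template emits

def render_comment_vulnerable(author: str, body: str) -> str:
    # User input dropped straight into the markup: anything it contains
    # becomes part of the page the victim's browser parses.
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'

def render_comment_safe(author: str, body: str) -> str:
    # Escape for the context each value lands in. quote=True also turns " and '
    # into entities, which is what stops input inside an attribute from
    # closing the quotes and adding an on* handler.
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(body, quote=True)}</p></div>')

class MarkupAudit(HTMLParser):
    """Records the tags and attribute names a browser would actually see."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)

def has_injected_markup(rendered: str) -> bool:
    # True if the rendered fragment contains an element the template never
    # emits, or any on* event-handler attribute.
    audit = MarkupAudit()
    audit.feed(rendered)
    audit.close()
    return (any(tag not in EXPECTED_TAGS for tag in audit.tags)
            or any(name.startswith("on") for name in audit.attrs))

if __name__ == "__main__":
    # Constructed sample input containing markup and an attribute breakout.
    author = 'x" onmouseover="alert(1)'
    body = "<script>alert(1)</script>"
    print(has_injected_markup(render_comment_vulnerable(author, body)))  # True
    print(has_injected_markup(render_comment_safe(author, body)))        # False
```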

Insecure Deserialization

Serialization is the process of converting complex data structures, such as objects and their fields, into a “flatter” format that can be sent and received as a sequential stream of bytes. Serializing data makes it much simpler to:

  • Write complex data to inter-process memory, a file, or a database
  • Send complex data, for example, over a network, between different components of an application, or in an API call

Crucially, when serializing an object, its state is also persisted. In other words, the object’s attributes are preserved, along with their assigned values.

Deserialization is the process of restoring this byte stream to a fully functional replica of the original object, in the exact state as when it was serialized. The website’s logic can then interact with this deserialized object, just like it would with any other object. Deserialization becomes insecure when the byte stream comes from an untrusted source, because the application rebuilds whatever objects that stream describes.
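The untrusted-byte-stream problem above, as an added example that is not part of the original post: Python’s pickle lets a serialized object name a callable to run while it is rebuilt, and the mitigation Python’s own documentation describes is an Unpickler whose find_class only resolves an allow-list of types. The Report class, the recorded side effect and the payloads are constructed for this demonstration.

```python
import io
import pickle

SIDE_EFFECTS: list[str] = []   # records whether merely loading data ran code

def record_side_effect(tag: str) -> str:
    # Stand-in for any callable the serialized data could name; it only logs.
    SIDE_EFFECTS.append(tag)
    return tag

class Report:
    """Looks harmless, but its __reduce__ tells pickle to call a function on load."""
    def __reduce__(self):
        return (record_side_effect, ("code ran during deserialization",))

class RestrictedUnpickler(pickle.Unpickler):
    # Allow-list of (module, name) pairs the application expects to rebuild.
    # Anything else, including record_side_effect above, is refused before
    # the object graph is reconstructed.
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def make_sample_payload() -> bytes:
    # Constructed sample: what an untrusted client might hand the application.
    return pickle.dumps(Report())

def make_plain_payload() -> bytes:
    # Data-only structure with no class references; this is what the
    # application actually expects to receive.
    return pickle.dumps({"id": 7, "tags": ["a", "b"]})

def load_unrestricted(data: bytes):
    return pickle.loads(data)            # runs whatever the stream names

def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def restricted_load_refused(data: bytes) -> bool:
    try:
        load_restricted(data)
        return False
    except pickle.UnpicklingError:
        return True
```

Where the data only ever needs to be data, a format with no object model at all (JSON, for instance) removes the problem rather than fencing it.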

Using Components with Known Vulnerabilities

Known vulnerabilities are vulnerabilities that were discovered in open source components and published in the NVD, security advisories, or issue trackers. From the moment of publication, a vulnerability can be exploited by hackers who find the documentation. According to OWASP, the problem of using components with known vulnerabilities is highly prevalent. Moreover, use of open source components is so widespread that many development leaders don’t even know what they have. The possible impact of open source vulnerabilities ranges from minor to some of the largest breaches known.

Insufficient Logging and Monitoring

When an organization has insufficient logging, detection, monitoring, and response, attackers rely on these weaknesses to achieve their goals without being detected. This lack of best practices includes things such as:

  • Auditable events, such as logins, failed logins, and high-value transactions that are not logged.
  • Warnings and errors that generate no, inadequate, or unclear log messages.
  • Logs of applications and APIs that are not monitored for suspicious activity.
  • Logs that are only stored locally.
  • Appropriate alerting thresholds and response escalation processes that are not in place or not effective.
  • Penetration testing and scans by DAST tools that don’t trigger alerts.
  • Applications that are unable to detect, escalate, or alert for active attacks in real time or near real time.
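The failed-login and alerting-threshold bullets above (and the credential stuffing mentioned under Broken Authentication), as an added example that is not part of the original post: a detector that reads login events and alerts when one source address fails against many distinct accounts inside a short window. The log format and the log lines are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp event user ip" format.
SAMPLE_LOG = """\
2020-09-17T10:00:01 LOGIN_FAILED alice 203.0.113.9
2020-09-17T10:00:03 LOGIN_FAILED bob 203.0.113.9
2020-09-17T10:00:05 LOGIN_FAILED carol 203.0.113.9
2020-09-17T10:00:06 LOGIN_FAILED dave 203.0.113.9
2020-09-17T10:00:08 LOGIN_FAILED erin 203.0.113.9
2020-09-17T10:00:09 LOGIN_OK erin 203.0.113.9
2020-09-17T10:30:00 LOGIN_FAILED alice 198.51.100.7
2020-09-17T10:45:00 LOGIN_OK alice 198.51.100.7
"""

def parse(line: str):
    ts, event, user, ip = line.split()
    return datetime.fromisoformat(ts), event, user, ip

def find_credential_stuffing(log_text: str, threshold: int = 5,
                             window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {ip: set_of_usernames} for every source address that failed
    logins against at least `threshold` distinct accounts within `window`."""
    failures = defaultdict(list)          # ip -> [(timestamp, user), ...] in log order
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = parse(line)
        if event == "LOGIN_FAILED":       # the auditable event that must be logged
            failures[ip].append((ts, user))
    alerts = {}
    for ip, events in failures.items():
        start = 0
        for end in range(len(events)):    # sliding window over this source's failures
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= threshold:
                alerts[ip] = users
    return alerts

if __name__ == "__main__":
    for ip, users in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {len(users)} accounts targeted")
```

A single user mistyping a password once (the second address) stays below the threshold, which is the distinction an alerting rule has to make before it can be escalated to a human.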

Hope you found this helpful. Do share with the people around you.
