Security testing is becoming increasingly important nowadays with the advancement in technology. It is imperative to protect sensitive data so that it does not fall into the wrong hands. However, to safeguard such data, an application must have robust system and security measures. If security for your application is weak, an attacker can breach and break your application. To ensure that security testing is done for your application, probably the best resource to start learning would be OWASP top 10.
OWASP stands for the “Open Web Application Security Project.” It is a nonprofit organization that focuses on improving the security of software and web applications. OWASP provides a wealth of resources, tools, and knowledge to help individuals and organizations understand, identify, and address security risks and vulnerabilities in web applications.
Some of their most popular initiatives include OWASP Top 10, OWASP web security testing guide, and OWASP Zap among many others. For this blog, we will be focusing on OWASP Top 10 in detail.
What is OWASP’s Top 10?
The OWASP Top 10 regularly updates a list of the ten most critical web application security risks, which helps developers prioritize their security efforts. It provides guidance to developers, security professionals, and organizations on the most prevalent and dangerous vulnerabilities that can impact web applications. By understanding and addressing these vulnerabilities, developers can build more secure software.
The list was last updated in 2021 and their official website contains information on how to prevent such risks. We will cover all ten vulnerabilities in detail in this article as well.
Broken Access Control
Broken access control is the top priority on OWASP Top 10. It covers security vulnerability that occurs when the application fails to properly enforce restrictions on user access to certain resources.
- Policy refers to user access where a user should not be able to access resources outside of their permission.
- Bypassing the access control permissions by modifying URLs or other API parameters.
- Changing or using someone else’s account by using their private keys.
- CORS misconfiguration to access applications from untrusted sources.
- Users should be denied access to private resources unless they have specific access to check those resources.
- Creating a strong access control framework that is thoroughly tested and then reusing the same in your application.
- Adding a rate limit on API hits so automated attacks can be identified and reported.
- Web roots should not contain metadata files that can be accessed by any user.
Broken access control covers security vulnerability that occurs when the application fails to properly enforce restrictions on user access to certain resources.
- Sensitive data such as social security numbers, passwords, and credit card information if transmitted is transparent to any user.
- Weak cryptography algorithms are used to hide such sensitive data. Eg. MD5 or SHA-1 can result in cryptographic failure due to their susceptibility to collision attacks.
- Trust chain and server certificates are not validated properly.
- Poor key management practices, such as using weak encryption keys, not rotating keys regularly, or improper key storage.
- Choose well-established, widely recognized cryptographic algorithms that have withstood thorough scrutiny and testing.
- Use strong and unpredictable keys, regularly rotate keys, and ensure secure storage and distribution of keys. Avoid hard-coding keys in code or storing them in plain text files.
- Implement secure communication protocols that use encryption appropriately. Use protocols like TLS (Transport Layer Security) for securing data in transit and ensuring they are properly configured.
Third on the OWASP top 10, SQL injection is a vulnerability that occurs when an attacker manipulates SQL queries executed by the application’s database.
- Taking user input, such as search queries, login credentials, or form data, and using that input to construct SQL queries that interact with a database.
- An attacker submits specially crafted input that includes SQL code along with legitimate input data. This malicious SQL code is then executed by the application’s database.
- If the application does not properly validate or sanitize the input, the malicious SQL code is executed as part of the database query, potentially leading to unauthorized access or data manipulation.
- Validate and sanitize all user inputs before using them to construct SQL queries. Use parameterized queries or prepared statements to separate user input from the SQL code.
- Escape user input before including it in SQL queries. This involves encoding or escaping special characters to prevent them from being interpreted as part of the SQL code.
- Perform thorough security testing, including penetration testing and code reviews, to identify and fix SQL injection vulnerabilities.
- Train developers and testers about secure coding practices and the risks associated with SQL injection.
Insecure design refers to vulnerabilities that arise from fundamental flaws or weaknesses in the overall design or architecture of a software system.
- Inadequate separation of different components or user roles within the application, leading to unauthorized access to sensitive data or functionalities.
- Inadequate validation of user inputs can lead to various vulnerabilities, including injection attacks like SQL injection and cross-site scripting.
- Insufficient logging and monitoring mechanisms can hinder the detection of suspicious activities or unauthorized access.
- Storing sensitive information like passwords or API keys directly in the code can expose them to attackers who can decompile or reverse engineer the application.
- Displaying stack traces can expose internal system information that attackers can exploit.
- Conduct a comprehensive architectural review and design analysis to identify potential security weaknesses.
- Apply secure design principles such as the principle of least privilege, separation of concerns, and defence in depth.
- Ensure that developers and architects receive training in secure software design principles and best practices.
- Perform security assessments, including threat modelling and risk assessments, to identify potential insecure design elements.
- If significant insecure design issues are identified, consider redesigning or refactoring the application to address these vulnerabilities.
Security misconfiguration refers to the improper configuration or implementation of security controls, settings, or components within a software system or application.
- Failing to change default usernames and passwords for software, databases, or network devices, allows attackers to easily gain access.
- Leaving unnecessary files, directories, or ports open and accessible, providing attackers with potential entry points.
- Failing to update and patch software, operating systems, and applications, leaving known vulnerabilities unaddressed.
- Not configuring security headers (e.g., Content Security Policy, HTTP Strict Transport Security) correctly, or using insecure communication protocols.
- Follow vendor and industry best practices for securely configuring software, servers, and network devices.
- Implement system hardening practices to reduce the attack surface by disabling unnecessary services, ports, and features.
- Use automated security scanning tools to identify misconfigurations in your environment.
- Keep all software and systems up to date with the latest security patches and updates.
Vulnerable components refer to software or hardware components within a system or application that have known security vulnerabilities.
- Vulnerable components are software elements (libraries, modules, plugins, etc.) that contain security flaws or weaknesses that could be exploited by attackers.
- These flaws can include issues like buffer overflows, SQL injection vulnerabilities, cross-site scripting (XSS), or other security weaknesses that could allow an attacker to manipulate the behaviour of the software or gain unauthorized access.
- Developers no longer actively maintain or support outdated components. This can lead to security vulnerabilities because the component won’t receive patches for any new vulnerabilities discovered, leaving the software exposed to potential attacks.
- Maintain an inventory of all components and libraries used in your software, along with their versions.
- Regularly monitor security sources (such as the Common Vulnerabilities and Exposures database, or CVE) for information about vulnerabilities affecting the components you use.
- Apply security patches and updates provided by the component maintainers as soon as they become available to fix vulnerabilities.
- Use tools that help you track and manage components and their versions to ensure you’re using the most up-to-date and secure versions.
Identification And Authentication Failures
These cover vulnerabilities or weaknesses in the processes and mechanisms used to identify and authenticate users or entities within a system.
- An attacker can determine valid usernames by observing the system’s responses to different inputs during the login process.
- Inadequate protection against brute force attacks allows attackers to repeatedly guess passwords until they find the correct one.
- A lack of password complexity requirements or password length restrictions can make it easier for attackers to guess or crack passwords.
- Not implementing MFA allows attackers who have obtained credentials to easily access accounts.
- If authentication tokens are not properly protected or invalidated after use, attackers might steal or reuse them to gain unauthorized access.
- Implement proper input validation and output encoding to prevent attacks like username enumeration or injection.
- Enforce strong password requirements, encourage users to choose strong passwords, and use password hashing and salting.
- Implement MFA to add an extra layer of security beyond normally adding passwords to ensure login is safe
- Implement secure token handling and validation to prevent token-related vulnerabilities.
Data Integrity Failures
Data integrity failures include vulnerabilities or weaknesses that result in the compromise or unauthorized modification of data, leading to a loss of data integrity.
- Software integrity refers to the assurance that software has not been modified, tampered with, or compromised in an unauthorized or unintended manner.
- Software integrity failures occur when attackers manipulate the software code or its components to introduce malicious code, execute unauthorized actions, or bypass security controls.
- Data integrity involves ensuring that data remains accurate, consistent, and unaltered throughout its lifecycle.
- Data integrity failures occur when unauthorized or unintended changes are made to data, leading to incorrect or unreliable information.
- Conduct regular code reviews to identify and address vulnerabilities that could lead to software integrity failures. Use static analysis tools to detect potential security flaws in the code base.
- Implement robust input validation and output encoding to prevent injection attacks and other code tampering techniques.
- Use version control systems to track changes to software code and ensure that unauthorized modifications can be identified and reverted.
Security Logging And Monitoring
Security logging involves capturing and recording relevant events and activities within a system, while monitoring involves actively analyzing and reviewing the logged data to identify potential security incidents or anomalies.
- Logging involves the collection and recording of various events and activities that occur within a system or application.
- Security-related events, such as login attempts, system changes, and access to sensitive data, should be logged to provide an audit trail for forensic analysis and incident response.
- Monitoring involves actively reviewing and analyzing the logs generated by a system or application to detect abnormal or suspicious behaviour.
- Effective monitoring allows security teams to identify potential security incidents in real-time, enabling timely response and mitigation.
- Ensure that all relevant security-related events are logged with sufficient detail. Logs should include timestamps, source IP addresses, user identifiers, and descriptions of the events.
- Implement a centralized logging system to collect and store logs from various sources, making it easier to analyze and correlate events.
- Set up alerts to notify security teams when specific events or patterns indicative of a security incident occur.
- Develop a well-defined incident response plan that outlines procedures for responding to security incidents identified through logging and monitoring.
Server-Side Request Forgery
Our last vulnerability on OWASP top 10 list is Server-Side Request Forgery (SSRF). It is a security vulnerability that allows an attacker to manipulate the server-side components of a web application to make unauthorized requests to other internal or external resources.
- An attacker sends a malicious request to a vulnerable web application, typically using an input field that allows users to specify a URL.
- The web application processes the malicious request and sends a server-side request to the URL provided by the attacker. This request can target internal resources that the attacker is not supposed to access, such as local files, internal databases, or internal network services.
- If the web application’s server has access to internal resources, the attacker may be able to retrieve sensitive information or perform actions on those resources. The attacker can also redirect the request to external resources, potentially causing the server to interact with malicious or controlled external services.
- Validate and sanitize user inputs that are used to construct URLs or make requests. Implement input validation and whitelisting to ensure that only allowed domains or IP addresses can be used.
- Configure firewalls, network settings, and server permissions to limit the ability of the server to make requests to internal resources or external services.
- If SSRF-prone functionality is necessary, consider using safe APIs or libraries that allow controlled access to specific resources.
- When making requests to external resources, use non-sensitive protocols like HTTP GET to limit the potential impact of SSRF attacks.