The Open Web Application Security Project – also known as OWASP – is a non-profit organization dedicated to web application security. Each year they publish what’s called the “Top-10 List” that lists the current highest risks to web applications.
Please note, that this is a technical document intended for application developers. If you have in-house engineers, please be sure they’re familiar with the OWASP Top-10! The latest OWASP Top-10 can be downloaded here, and we’ll discuss them briefly below.
- Injection. Injection flaws occur when an application accepts user input without cleaning or sanitizing the input. This can result in the web application interpreting trusted input as code, rather than just data.
- Broken Authentication. Ensuring that authentication processes are working properly is critical. Session hijacking and other vulnerabilities are often exploited and fall into this category.
- Sensitive Data Exposure. Many web applications do not protect sensitive data properly. Examples include revealing the presence (or lack of) security software, embedded passwords, or file listings that should not be available (e.g. unprotected S3 Buckets).
- XML External Entities (XXE). It’s common for older XML engines to allow XML documents to request data from other files – including files on a system. In this attack, an attacker can upload an XML file that requests sensitive data on the target system.
- Broken Access Control. Separate from authentication, access control is what determines access levels in a system. Privilege escalation vulnerabilities and unauthorized access to developer consoles are examples of broken access control.
- Security Misconfiguration. Ensuring that your applications and servers are secured to best-practice is critical and upgraded in a timely fashion. Insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information are all common in this category.
- Cross-Site Scripting XSS. XSS vulnerabilities exist when an attacker is able to trick a web application into loading untrusted scripts. This can be accomplished by infecting upstream files, or by uploading files into the app itself (e.g. in comment forms). When done correctly, XSS attacks can be used to steal sessions, credentials, and other data from the web app users' browser.
- Insecure Deserialization. When data is serialized and deserialized from user input, it should still be treated as untrusted data. It’s common to inherently trust serialized data – or even execute scripts from that data. Doing so can lead to critical vulnerabilities that can escalate to remote code executions and other issues.
- Using Components with Known Vulnerabilities. Known vulnerabilities must be dealt with prior to launch. Many components and frameworks exist that contain flaws that, left unpatched, leave your web application vulnerable to compromise. Also, ensure you’re using the latest patched versions of all your components and ensure that you are monitoring the vendor sites for updates and critical alerts.
- Insufficient Logging & Monitoring. A lack of logging and monitoring is common across most organizations. If attacks are not detected, they can’t be stopped. Investing resources into the logging and monitoring of your web applications is critical for both short and long-term security.
For more information on this topic please reach out to us; we’re here to help!