OWASP Top 10

OWASP Top 10 is an awareness document that lists the ten most critical web application security risks. It is updated regularly by the Open Web Application Security Project (OWASP), an international non-profit organization dedicated to web application security. The ten categories below follow the 2021 edition of the list.

1. Broken Access Control

A broken access control vulnerability allows attackers to view sensitive data and carry out actions that they are not authorized to perform.

As an illustration, consider a website that allows only admin users to view its admin pages and keeps them hidden from regular users. If access control is broken, an unauthorized user can read private data belonging to other users, reach the admin pages and carry out actions they were never meant to perform. A common instance of this type of vulnerability is an Insecure Direct Object Reference (IDOR).

Consider a user on a website who uses the following URL to access his or her account:

https://xyz.com/user_acct?user_num=123

The back end uses the user_num value (here 123, the user's unique customer number) as the record key in its database query, so the page shows whatever record that key points to.

If the application never checks that the logged-in user actually owns record 123, an attacker can simply change the user_num value in the URL and view the record of any customer.
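The IDOR above, written out as an added example (this is not code from the original post). The in-memory ACCOUNTS table, the session_user_num argument standing in for the authenticated session, and the is_admin flag are all assumptions made for the demonstration; the vulnerable handler uses the query-string key directly, the fixed one checks that the key belongs to the caller first.

```python
from urllib.parse import parse_qs

# Constructed in-memory "database": customer number -> account record.
ACCOUNTS = {
    123: {"name": "Alice", "email": "alice@example.com"},
    124: {"name": "Bob", "email": "bob@example.com"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""


def user_acct_vulnerable(user_num: int) -> dict:
    """Mirrors /user_acct?user_num=...: the record key comes straight from
    the query string and is never tied to the logged-in user (IDOR)."""
    return ACCOUNTS[user_num]


def user_acct_fixed(session_user_num: int, user_num: int, is_admin: bool = False) -> dict:
    """Object-level authorization: the requested key must belong to the
    authenticated session, or the caller must be an admin. Deny by default
    and do not reveal whether the record exists."""
    if user_num != session_user_num and not is_admin:
        raise Forbidden("not permitted")
    return ACCOUNTS[user_num]


def handle_request(query: str, session_user_num: int, is_admin: bool = False) -> dict:
    """Parse the query string of /user_acct (assumed to be the only input),
    validate the key type, then serve the record through the checked path."""
    params = parse_qs(query, strict_parsing=True)
    try:
        user_num = int(params["user_num"][0])
    except (KeyError, ValueError, IndexError):
        raise ValueError("user_num must be an integer") from None
    return user_acct_fixed(session_user_num, user_num, is_admin)
```

Note that the fix is not input validation: "124" is a perfectly valid integer. The check has to compare the requested object with the identity the server already knows from the session.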

2. Cryptographic Failures

Cryptographic failures lead to sensitive data exposure and identity theft. They arise when sensitive information (names, dates of birth, financial data such as credit card numbers, usernames, passwords) is transmitted or stored without strong encryption, or when passwords are stored without a strong, salted hashing algorithm.

The communication between client and server should be encrypted; otherwise an attacker who can capture network packets can recover the sensitive information they carry. Encrypting network traffic between client and server is referred to as encrypting data in transit.

An example of such an attack is a Man-in-the-Middle (MITM) attack, in which an attacker forces the client's connection through a device under his control and takes advantage of missing or weak encryption to read or tamper with the intercepted data.

Data stored on the server is managed by the service provider and should also be encrypted, so that anyone who obtains the stored data (including the provider's own systems or staff, or whoever ends up with the storage media) cannot read it. This is referred to as encrypting data at rest.

Other examples are sensitive data transmitted over clear-text protocols (HTTP, FTP, SMTP) or stored in clear text in databases and files, use of old or weak cryptographic or hashing algorithms (for example unsalted MD5 or SHA-1 for passwords), and use of weak or default encryption keys or re-use of compromised keys.

3. Injection

Injection happens when user-supplied data is not validated, filtered or sanitized by the application and is passed into a command or query sent to an interpreter. The attacker crafts that data so that it changes the meaning of the command instead of being treated as plain data.

Injection can lead to data loss, data breaches, sensitive data exposure, editing and deletion of data, and unauthorised administrative access to the database.

For example, in SQL injection an attacker modifies the SQL queries that run against the database in order to extract sensitive information (database structure, tables, columns, the data itself), to edit or delete data, or even to drop the database.

Cross-Site Scripting (XSS) allows an attacker to inject a malicious script (for instance through a URL parameter that the page echoes back unescaped) that then runs in other users' browsers in the context of the web application.

4. Insecure Design

An insecure design vulnerability is a flaw inherited from the application's design and architecture: the idea behind the application is wrong from the start, so no amount of correct implementation can fix it. It occurs when threat modelling is not applied to critical authentication, access control, business logic and data flows during the planning phase and throughout development, and when a secure development life cycle (SDLC), secure design patterns and reference architectures are not used.

For example, consider a website whose admin login sets no limit on unsuccessful login attempts, which allows attackers to run a brute-force attack. The mitigation is a control that has to be designed in, such as attempt limiting, account lockout or MFA; if the platform does not provide it, a third-party security extension may be needed.
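The admin-login example, as an added illustration (not code from the original post): a small login front door whose max_failures setting is the design decision. None reproduces the flaw in the text (unlimited attempts); 5 adds the lockout. The credential store, the lockout period, the injectable clock and the wordlist are all constructed for the demonstration.

```python
import hmac
import time

# Constructed credential store. Plain strings only so the example stays short;
# a real store holds salted password hashes.
USERS = {"admin": "s3cret-admin"}
LOCKOUT_SECONDS = 15 * 60


class LoginGuard:
    """Login front door. max_failures=None is the insecure design from the
    text: unlimited attempts, so a brute-force run is only a matter of time."""

    def __init__(self, max_failures=5, clock=None):
        self.max_failures = max_failures
        self._clock = clock or time.monotonic   # injectable for testing
        self._failures = {}                     # username -> consecutive failures
        self._locked_until = {}                 # username -> unlock time

    def attempt(self, username: str, password: str) -> str:
        """Returns "ok", "denied" or "locked"."""
        now = self._clock()
        if now < self._locked_until.get(username, 0.0):
            return "locked"                     # do not even test the password
        expected = USERS.get(username)
        ok = expected is not None and hmac.compare_digest(
            password.encode(), expected.encode()
        )
        if ok:
            self._failures.pop(username, None)
            return "ok"
        n = self._failures.get(username, 0) + 1
        self._failures[username] = n
        if self.max_failures is not None and n >= self.max_failures:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
            return "locked"
        return "denied"


def brute_force(guard: LoginGuard, username: str, wordlist) -> tuple:
    """Attacker simulation: try each guess in order.
    Returns (password_found_or_None, attempts_made)."""
    for i, guess in enumerate(wordlist, 1):
        result = guard.attempt(username, guess)
        if result == "ok":
            return guess, i
        if result == "locked":
            return None, i
    return None, len(wordlist)


# Constructed wordlist with the real password buried at position 40.
WORDLIST = [f"password{i}" for i in range(39)] + ["s3cret-admin", "letmein"]
```

With the unlimited design the attacker recovers the password on the 40th guess; with the lockout the run stops at the 5th, and even the correct password is refused until the lockout expires. A lockout that keys only on the username also hands an attacker a way to lock legitimate users out, so production designs usually combine it with per-IP rate limiting and MFA.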

5. Security Misconfiguration

A security misconfiguration is a weakness in a system or application that results from incorrect setup, carelessness in upholding strong security procedures, or an inadvertent mistake during the configuration process. Unauthorized access, data breaches and other security issues may result from these setup errors.

Security misconfiguration occurs when an application or system has default credentials whose passwords were never changed; poorly configured permissions on cloud services, such as a cloud storage S3 bucket left open to public access, which leads to data leaks; HTTP security headers that are not set; unnecessary services, pages, accounts and privileges that are enabled or granted excess permissions; unpatched systems or software (an older version still running); and unnecessary firewall ports left open.

6. Vulnerable and Outdated Components

Attackers can obtain sensitive data, or take over the system as a whole, by exploiting security flaws in vulnerable components. Although a complex application stack may contain many components, the most frequently targeted ones are web servers, databases and operating systems.

Outdated components are those the vendor no longer supports. Because they receive no security patches for discovered vulnerabilities, they are easy targets for attack campaigns. Such components may carry vulnerabilities that go undiscovered, unfixed or unreported for years, and in some cases a vulnerability is exploited before it is publicly known.

7. Identification and Authentication Failures

Identification is the ability of a web application to identify a unique user by a unique user name or ID.

Authentication is the process of verifying the user's identity, for example by checking a password or another factor.

Identification and authentication failures occur when an application fails to identify or authenticate a user correctly, which allows attackers to gain unauthorized access to the application.

Related weaknesses include permitting weak passwords, which makes brute-force attacks practical, and the lack of Multi-Factor Authentication (MFA), which makes it easier for an attacker who has obtained a password to gain access.

8. Software and Data Integrity Failures

Building, managing and deploying software often requires pulling tools and libraries from third-party repositories, and these are common attack vectors. In addition, a CI/CD pipeline that builds, tests and deploys software can itself be abused to inject malicious code or libraries, create insecure deployments and steal sensitive information.

These vulnerabilities in software or infrastructure allow an attacker to modify or delete data in an unauthorized manner, gain access to sensitive information or damage the system, for instance by injecting malicious code into the database or altering financial records for personal gain.

To mitigate these threats, verify the integrity of third-party libraries and components pulled in during the build (signatures or pinned hashes), scan the code and follow secure coding practices, analyse the software components used in the CI/CD pipeline to identify malicious code or libraries, and conduct regular vulnerability assessments and penetration testing.
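One concrete form of the "verify what the build pulls in" mitigation, as an added example (not code from the original post): a lock file that pins each dependency to a SHA-256 digest, and an installer step that refuses any artifact whose bytes do not match. The lock file uses pip's requirements --hash syntax, but the parser and installer here are stand-ins written for this example; the package names and the artifact bytes (b"abc" and an empty file, chosen because their SHA-256 values are standard test vectors) are constructed.

```python
import hashlib
import hmac

# Constructed lock file in pip's hash-checking format (requirements.txt with --hash).
LOCKFILE = """\
# generated at build time; every dependency carries the digest of its artifact
libfoo==1.2.3 --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
libbar==0.9.0 --hash=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


class IntegrityError(Exception):
    """Raised when a downloaded artifact does not match its pinned digest."""


def parse_lockfile(text: str) -> dict:
    """Return {name: (version, {"sha256:<hex>", ...})} from the lock file text."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name, _, version = parts[0].partition("==")
        hashes = {p[len("--hash="):] for p in parts[1:] if p.startswith("--hash=")}
        pins[name] = (version, hashes)
    return pins


def verify_artifact(name: str, content: bytes, pins: dict) -> bool:
    """True only if name is pinned and content hashes to one of its pinned digests.
    An unpinned name is a failure, not a pass: silent trust is the bug."""
    if name not in pins:
        return False
    digest = "sha256:" + hashlib.sha256(content).hexdigest()
    return any(hmac.compare_digest(digest, h) for h in pins[name][1])


def install(name: str, content: bytes, pins: dict) -> str:
    """Stand-in installer step: verify before anything is unpacked or executed."""
    if not verify_artifact(name, content, pins):
        raise IntegrityError(f"{name}: digest mismatch or not pinned, refusing to install")
    return f"installed {name}=={pins[name][0]}"
```

The same idea applies to container images (digest pinning), CI actions (commit SHA rather than a movable tag) and any script fetched with curl during a build: whatever is downloaded is compared against a value fixed at review time, so a substituted upload on the repository side fails the build instead of running.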

9. Security Logging & Monitoring Failures

Security logging and monitoring of the users of a web application are required to detect, escalate, alert on and respond to breaches.

In web applications every security-relevant action performed by a user should be logged. In the event of an incident, the attacker's activities can then be traced and the risk and impact determined. Monitoring should be in place to detect suspicious activity. The aim of detecting suspicious activity is either to stop the attacker completely or to reduce the impact they have made if their presence is detected much later than anticipated. Suspicious activities need to be rated according to their impact level: certain actions have a higher impact than others, need to be responded to sooner, and should therefore raise alarms that get the relevant parties' attention.

A few examples of suspicious activity are multiple unauthorised attempts at a particular action (usually authentication attempts or access to unauthorised resources, e.g. admin pages), requests from anomalous IP addresses or locations, and known attack payloads.

The information stored in logs of user activity should at least contain the HTTP status code, timestamp, username, API endpoint or page location and client IP address.
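As an added example (not code from the original post), the following runs two of the detections described above over constructed log lines that carry exactly the fields listed: timestamp, client IP, username, method, path and HTTP status. Repeated 401s on /login within a window raise a medium alert, a 403 on an admin page raises a medium alert, and a successful login from an IP that just crossed the brute-force threshold raises a high alert, which is the "higher-impact actions respond sooner" rule from the text. The log format, thresholds and addresses are assumptions for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample access log, one request per line:
# timestamp ip username method path status
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 admin POST /login 401
2024-05-01T10:00:03Z 203.0.113.5 admin POST /login 401
2024-05-01T10:00:05Z 203.0.113.5 admin POST /login 401
2024-05-01T10:00:07Z 203.0.113.5 admin POST /login 401
2024-05-01T10:00:09Z 203.0.113.5 admin POST /login 401
2024-05-01T10:00:11Z 203.0.113.5 admin POST /login 401
2024-05-01T10:00:12Z 198.51.100.7 bob POST /login 401
2024-05-01T10:00:20Z 198.51.100.7 bob POST /login 200
2024-05-01T10:00:25Z 198.51.100.7 bob GET /admin 403
2024-05-01T10:00:30Z 203.0.113.5 admin POST /login 200
"""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_line(line: str) -> dict:
    """Split one log line into typed fields (UTC timestamp, int status)."""
    ts, ip, user, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ip, "user": user, "method": method, "path": path, "status": int(status),
    }


def detect(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Single pass over the log; returns alerts in the order they fire."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of recent 401s on /login
    breached = {}                   # ip -> time the threshold was crossed
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["path"] == "/login" and ev["status"] == 401:
            q = failures[ev["ip"]]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:   # slide the window
                q.popleft()
            if len(q) == threshold:                                # fire once on crossing
                breached[ev["ip"]] = ev["ts"]
                alerts.append({"severity": "medium", "rule": "login_bruteforce",
                               "ip": ev["ip"], "user": ev["user"], "ts": ev["ts"]})
        elif ev["path"] == "/login" and ev["status"] == 200:
            crossed = breached.get(ev["ip"])
            # A success right after a burst of failures means the guess worked.
            if crossed is not None and (ev["ts"] - crossed).total_seconds() <= window_s:
                alerts.append({"severity": "high", "rule": "login_success_after_bruteforce",
                               "ip": ev["ip"], "user": ev["user"], "ts": ev["ts"]})
        elif ev["path"].startswith("/admin") and ev["status"] == 403:
            alerts.append({"severity": "medium", "rule": "admin_page_probe",
                           "ip": ev["ip"], "user": ev["user"], "ts": ev["ts"]})
    return alerts


def prioritise(alerts: list) -> list:
    """Order alerts so the highest-impact ones reach responders first."""
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a["severity"]])
```

On the sample log this yields a medium brute-force alert for 203.0.113.5 at the fifth failure, a medium admin-probe alert for 198.51.100.7, and a high alert when 203.0.113.5 then logs in successfully; prioritise() puts that last one first.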

10. Server-Side Request Forgery (SSRF)

Server-side request forgery is a vulnerability that allows an attacker to coerce the server-side application into sending requests on the attacker's behalf to an unintended destination, while the attacker controls the contents of the request. Such vulnerabilities often arise where the web application needs to fetch a resource from a third-party service whose location comes from user input.

SSRF attacks target internal systems that sit behind firewalls and are not reachable from the external network. An attacker may also leverage SSRF to reach services bound to the loopback interface (127.0.0.1) of the exploited server.

SSRF vulnerabilities occur when an attacker has full or partial control of the request sent by the web application.

For example, an attacker can control the third-party service URL to which the web application makes a request.

Mitigating SSRF includes validating user input, using explicit allow lists of schemes and hosts, blocking requests to private and loopback address ranges, and inspecting responses before they are returned to clients.
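The allow-list mitigation as an added example (not code from the original post): a validator the application calls before fetching a caller-supplied third-party URL. The allowed host, scheme and port are constructed for the demonstration, and the optional resolver argument is an assumption that lets the check also reject an allow-listed name that resolves to an internal address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy: the only third-party service this application may call.
ALLOWED_HOSTS = {"api.partner.example"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}


class SSRFRejected(ValueError):
    """Raised when a caller-supplied URL fails the outbound-request policy."""


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=None) -> str:
    """Return the URL if it may be fetched server-side, else raise SSRFRejected.

    resolver, if given, maps a hostname to a list of IP strings so that an
    allow-listed name pointing at an internal address is also refused.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFRejected(f"scheme not allowed: {parts.scheme!r}")
    # user:pass@host forms trick naive parsers into reading the wrong host.
    if parts.username is not None or parts.password is not None:
        raise SSRFRejected("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise SSRFRejected("missing host")
    # Literal addresses (127.0.0.1, [::1], 169.254.169.254) are never allowed:
    # only named, allow-listed hosts are.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise SSRFRejected("IP literals are not allowed")
    host = host.lower().rstrip(".")
    # Exact match, not endswith(): api.partner.example.attacker.example must fail.
    if host not in allowed_hosts:
        raise SSRFRejected(f"host not on allow list: {host!r}")
    try:
        port = parts.port
    except ValueError as exc:
        raise SSRFRejected("invalid port") from exc
    if port not in ALLOWED_PORTS:
        raise SSRFRejected(f"port not allowed: {port}")
    if resolver is not None:
        for addr in resolver(host):
            # is_global is False for loopback, private, link-local and reserved ranges.
            if not ipaddress.ip_address(addr).is_global:
                raise SSRFRejected(f"{host} resolves to non-public address {addr}")
    return parts.geturl()


def fetch_for_client(url: str, http_get, resolver=None) -> bytes:
    """What the application calls instead of http_get(url) directly.
    http_get stands in for the real HTTP client; it must connect to the address
    that was checked (pin the resolved IP), otherwise DNS rebinding between the
    check and the connect can still steer the request inward."""
    safe_url = validate_outbound_url(url, resolver=resolver)
    return http_get(safe_url)
```

The validator deliberately has no deny list: everything not explicitly allowed is rejected, which is what closes the loopback and cloud-metadata cases without having to enumerate them. The remaining caveat is in fetch_for_client: validating a name and then letting the HTTP client resolve it again is a time-of-check/time-of-use gap, so the client should connect to the address the check saw, and redirects should be re-validated the same way.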

