OWASP Top 10 Vulnerabilities

Over the last few years, more than 10,000 vulnerabilities of the kind catalogued by the Open Web Application Security Project (OWASP) have been reported to the Common Vulnerabilities and Exposures (CVE®) database each year. CVE is a list of common identifiers for publicly known cybersecurity vulnerabilities, and as of January 2020 it holds close to 130,000 entries. You might wonder whether we need more than 100,000 test cases to be sure that our application is secure; we have to weigh the cost and schedule impact of testing every possible case.

To dive deeper into OWASP, check out Cloud Academy’s OWASP & Application Security course, where you learn more about the OWASP vulnerabilities and application security issues outlined in the OWASP Top 10 list. Cloud Academy also has numerous OWASP exercises that let you practice your skills in a live environment with hands-on labs.

OWASP & Serverless Application Security

The cost of a data breach has risen 12% over the past five years and now averages $3.92 million, according to the IBM Security report. The Verizon data breach report includes interesting findings about software security attacks: more than 70% of breaches were carried out by outsiders, 76% of breaches were financially motivated, and in nearly 68% of cases it took months to discover the breach.

2019 Cost of a Data Breach Report

Source: Cost of a Data Breach: 2014 – 2019 from IBM Study

Risk Based Security reports that more than 4 billion records were exposed by data breaches in 2019. It will not be surprising to see more reports of this kind, given the lapses in software security and the lack of security awareness.

It is not a pleasant experience when our company’s name appears in the news for the wrong reasons. We wonder whether we can keep our company out of the headlines for failing to protect customer data, yet we often have little idea of the security flaws and vulnerabilities in a typical web application. We might plan to test every possible security scenario before releasing a web application to the public.

I used to work as part of a customer acceptance software testing team. We used to get tested software from vendors who had tested the software for multiple weeks. We had to test the software for a couple of days before deciding to push the software into the live environment. That’s the time we could afford for testing.

My manager used to follow a simple method. He used to get first-hand information about the quality of software within ten minutes by testing five to ten test cases. I wish I knew all aspects of web application security issues faced by every project so I could choose a few test cases for a preliminary check of my web application security.

What is OWASP?

The Open Web Application Security Project (OWASP) is an open community dedicated to raising awareness about security. OWASP has created Top 10 lists for various categories of security. We are going to use the OWASP standard awareness document to identify the top OWASP vulnerabilities in web application security. OWASP first published a list of the Top 10 web application risks in 2003.

The list is updated regularly based on input received from companies, independent security consultants and the community; the current version of the OWASP Top 10 is from 2017. Though we cannot detect every issue in our application, we can significantly reduce the impact of security flaws by following guidelines such as OWASP’s.

Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.

Top 10 OWASP vulnerabilities

OWASP Vulnerabilities Top Ten

Source: The Ten Most Critical Web Application Security Risks from OWASP

We will look at a description of each OWASP vulnerability, with an example scenario and prevention mechanisms. The OWASP Top 10 list consists of the ten most commonly seen application vulnerabilities.

1. Injection

An attacker can provide hostile data as input to an application. The application processes the data without recognizing the hidden agenda, which results in executing unintended commands or accessing data without proper authorization.

SQL injection and LDAP injection are well-known attacks.

Example

In a web application, the following SQL statement is used to get the record that belongs to a particular user. Let us assume the user enters a user ID and password on the login screen.

String query = "SELECT * FROM Users WHERE UserID = '" + request.getParameter("id") + "'";

This query is supposed to return the record that belongs to a particular user.

Suppose the user enters 2' or '1'='1 as the id; then the query is modified into

String query = "SELECT * FROM Users WHERE UserID = '2' or '1'='1'";

In this case the query returns every record in the table instead of a single user’s record, so the attacker gains access to other users’ personal data.

How to prevent

Use server-side validation.
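The login query above, reproduced in Python against a constructed in-memory SQLite table (an added example, not code from the article): the concatenated query returns every user for the hostile input, while server-side validation plus a bound parameter does not. The table columns and sample users are assumptions.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory Users table standing in for the
    # application's database in the article's login example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID TEXT, Name TEXT, Email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", [
        ("1", "alice", "alice@example.com"),
        ("2", "bob", "bob@example.com"),
        ("3", "carol", "carol@example.com"),
    ])
    return conn

def lookup_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Same pattern as the article's Java snippet: the request parameter is
    # concatenated into the SQL text, so a quote in the input changes the
    # structure of the statement instead of being treated as data.
    query = "SELECT * FROM Users WHERE UserID = '" + user_id + "'"
    return conn.execute(query).fetchall()

def is_valid_user_id(user_id: str) -> bool:
    # Server-side validation: user IDs in this schema are plain digits, so
    # anything else is rejected before it reaches the database.
    return user_id.isdigit() and len(user_id) <= 10

def lookup_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameterised query: the driver binds the value separately from the
    # SQL text, so it can never be parsed as SQL whatever it contains.
    if not is_valid_user_id(user_id):
        raise ValueError("invalid user id")
    return conn.execute("SELECT * FROM Users WHERE UserID = ?",
                        (user_id,)).fetchall()

def demo() -> tuple:
    conn = make_db()
    hostile = "2' or '1'='1"   # the article's input, with the quotes balanced
    normal_rows = len(lookup_user_vulnerable(conn, "2"))        # 1: bob only
    injected_rows = len(lookup_user_vulnerable(conn, hostile))  # 3: everyone
    try:
        lookup_user_safe(conn, hostile)
        rejected = False
    except ValueError:
        rejected = True
    # Even without the validator, the bound parameter matches no row.
    bound_rows = len(conn.execute(
        "SELECT * FROM Users WHERE UserID = ?", (hostile,)).fetchall())
    return normal_rows, injected_rows, rejected, bound_rows

if __name__ == "__main__":
    print(demo())  # → (1, 3, True, 0)
```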

2. Broken authentication

Application functions related to authentication and session management are often implemented incorrectly so they allow anyone to assume other users’ identities temporarily or permanently.

Attackers could compromise passwords, keys, or session tokens.

Example

The application’s session timeout is not handled properly. A user is doing some activity in an online banking application, then closes the browser tab instead of logging out and walks away. If someone else opens the same browser some time later, they will have access to the previous user’s bank account.

How to prevent

Use a server-side, secure, built-in session manager that invalidates the session ID after idle and absolute timeouts.
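A minimal server-side session manager of the kind described above, written as an added example (not the article’s code): sessions are keyed by a random ID, and a session that sits idle past the timeout is invalidated and removed, so the abandoned banking tab in the scenario no longer grants access. The timeout values and the injectable clock are assumptions made for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on a session's lifetime, active or not

@dataclass
class Session:
    user: str
    created: float
    last_seen: float

class SessionManager:
    """Server-side session store keyed by an unguessable session ID."""
    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so expiry can be tested
        self._sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def user_for(self, sid: str):
        """Return the user bound to sid, or None if the session is invalid.
        Expired sessions are deleted, so a reused ID cannot be revived."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now   # activity resets the idle clock only
        return s.user

class FakeClock:
    """Constructed clock so the demo does not have to wait real minutes."""
    def __init__(self, t: float = 1_000_000.0):
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds

def demo() -> tuple:
    clock = FakeClock()
    mgr = SessionManager(clock)
    sid = mgr.login("alice")
    active = mgr.user_for(sid)       # "alice": fresh session
    clock.advance(20 * 60)           # tab closed, twenty minutes pass
    after_idle = mgr.user_for(sid)   # None: idle timeout exceeded
    return active, after_idle
```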

3. Sensitive data exposure

Security precautions must cover data at rest as well as data in transit: data can be seen while it is stored on disk and while it is sent over the network. Many web applications do not protect data properly, and attackers can expose weakly protected data using simple methods.

Attackers could steal sensitive data such as credit cards, passwords, etc.

Example

A simple example is a password sent in plain text over the network. Attackers can monitor the network and intercept the traffic with readily available tools to obtain the details.

How to prevent

Apply security controls based on security standards such as PCI DSS.

4. XML External Entities (XXE)

Many old or poorly configured XML processors take an XML file as input and process whatever it declares. Attackers can include hostile content in the XML file so that they can extract data or execute commands.

Example

POST http://example.com/xml HTTP/1.1

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo> &xxe; </foo>

This XML document makes the server read its password file and return the contents.

How to prevent

Upgrade all XML processors.
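Upgrading the processor is only half of it; the parser must also be configured to refuse DTDs. This added example (not code from the article) uses Python’s standard expat bindings to reject the exact request body shown above at the DOCTYPE declaration, before any entity can be resolved, while still parsing an ordinary document. The benign sample document is constructed for the demonstration.

```python
import xml.parsers.expat

# The article's request body, embedded here as a constructed sample.
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo> &xxe; </foo>"""

# A constructed document with no DTD, as a normal client would send.
BENIGN_DOC = b"""<?xml version="1.0"?><foo>hello</foo>"""

class DTDNotAllowed(ValueError):
    """Raised when a document tries to declare a DTD or an entity."""

def parse_text_without_dtd(data: bytes) -> str:
    """Return the character data of an XML document, refusing any DTD.

    Rejecting the DOCTYPE outright, rather than only disabling external
    entity loading, also stops internal-entity tricks such as billion laughs.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks: list[str] = []

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDNotAllowed(f"DOCTYPE '{name}' is not accepted")

    def forbid_entity(*args):
        raise DTDNotAllowed("entity declarations are not accepted")

    def refuse_external(context, base, system_id, public_id):
        # expat only fetches an external entity if the application does so
        # in this handler; returning 0 makes the reference a parse error.
        return 0

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = refuse_external
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)   # exceptions raised in handlers propagate here
    return "".join(chunks).strip()

def is_safe_to_process(data: bytes) -> bool:
    """True only if the document parses without a DTD or parse error."""
    try:
        parse_text_without_dtd(data)
        return True
    except (DTDNotAllowed, xml.parsers.expat.ExpatError):
        return False

if __name__ == "__main__":
    print(is_safe_to_process(BENIGN_DOC), is_safe_to_process(XXE_PAYLOAD))
```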

5. Broken access control

Web applications support multiple roles, for example admin, regular user and manager. Attackers can exploit flaws in the implementation to gain privileges to access data and perform operations they are not authorized for.

Example

An attacker can simply try browsing to different URLs.

http://www.example.com/app/getappinfo

The next URL should be accessible to admins only.

http://www.example.com/app/admin_getappinfo

If an attacker without admin privileges is able to access admin-only pages, there is a security flaw.

How to prevent

Public pages can be accessible to everyone; access to all other pages should be denied by default.

Disable web server directory listing.

6. Security misconfiguration

Security misconfiguration is the most commonly seen issue. When new software is installed, users often do not change the default account username and password, and sometimes they do not apply recent patches for security flaws.

Example

The application server ships with example applications, and they are not removed from the production server. Attackers can use known security flaws in those applications to gain control of the production server.

How to prevent

Remove, or do not install, unused features and frameworks. Use a minimal platform without samples or documentation on the server. Ensure that default passwords are changed when you start using an application.

7. Cross-Site Scripting (XSS)

An XSS attack allows attackers to run JavaScript code in the victim’s browser.

Example

Attackers could send an email to a victim that appears to come from a trusted company. The link could contain malicious JavaScript code; when the victim clicks it, the code collects information from the victim and sends it to the attacker’s website in the background, without the victim being aware of the activity.

How to prevent

Escape untrusted data from HTTP requests and validate user-generated content.

8. Insecure deserialization

Serialization is the process of converting an object into a stream of bytes so that it can be stored or transmitted and restored later. Deserialization restores the object to its original state. Insecure deserialization occurs when the application restores objects from data an attacker can tamper with.

Example

Suppose we store the user ID, password and role of a user in a cookie as a serialized object. An attacker could modify the serialized object and set the role to admin; when the object is deserialized, the attacker gets admin privileges.

How to prevent

Do not accept serialized objects from untrusted sources. If that is not possible, implement integrity checks such as digital signatures on all serialized objects.
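The cookie scenario above with the integrity check applied, as an added example (not the article’s code): the session object is serialized to JSON and tagged with an HMAC-SHA256 under a server-side key, so a client that rewrites its role to admin produces a cookie the server rejects. The key is generated in-process for the demonstration and the password is deliberately left out of the cookie, since it does not belong there.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side secret; in production this comes from a key store.
SERVER_KEY = secrets.token_bytes(32)

def _encode(session: dict) -> bytes:
    # Deterministic JSON so the same session always yields the same bytes.
    return base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())

def serialize_cookie(session: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize the session and append an HMAC-SHA256 tag over the payload."""
    payload = _encode(session)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag

def deserialize_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the session dict only if the tag verifies; None otherwise."""
    try:
        payload_b64, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None                      # malformed: no tag present
    payload = payload_b64.encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None                      # tampered or forged
    return json.loads(base64.urlsafe_b64decode(payload))

def deserialize_cookie_unchecked(cookie: str) -> dict:
    """The article's flaw: restore whatever the client sent, unverified."""
    payload_b64 = cookie.rsplit(".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(payload_b64.encode()))

def tamper(cookie: str, **changes) -> str:
    """Simulate a client editing its own cookie (the old tag is kept)."""
    payload_b64, tag = cookie.rsplit(".", 1)
    session = json.loads(base64.urlsafe_b64decode(payload_b64.encode()))
    session.update(changes)
    return _encode(session).decode() + "." + tag

def demo() -> tuple:
    cookie = serialize_cookie({"user_id": 42, "role": "user"})
    forged = tamper(cookie, role="admin")
    return (
        deserialize_cookie_unchecked(forged)["role"],   # "admin": the flaw
        deserialize_cookie(forged),                     # None: rejected
        deserialize_cookie(cookie)["role"],             # "user": genuine
    )

if __name__ == "__main__":
    print(demo())  # → ('admin', None, 'user')
```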

9. Using components with known vulnerabilities

Each application is made of multiple components such as libraries, software modules and frameworks. These components run with the same privileges as the application, so if a component has a known vulnerability, attackers can exploit the component first and then the entire application.

Example

Automated tools are available that find systems that are unpatched or misconfigured.

How to prevent

Only obtain components from official sources over secure links.

10. Insufficient logging & monitoring

Insufficient logging and monitoring allow attackers to experiment and probe for a long time without being detected.

Example

A major US retailer reported that its internal malware analysis sandbox had detected potentially unwanted software, but no one responded to the detection. The sandbox had been producing warnings for some time before the breach.

How to prevent

Establish or adopt an incident response and recovery plan.

Now that we have had a quick overview of the top ten vulnerabilities, let me offer one more perspective on the need for security awareness, whatever your current role in your organization.

Demand for cybersecurity skills

The current trend of bringing more people onto the internet fuels the sale of millions of consumer devices and connects them to many different software applications. This results in the challenge of scaling applications to serve thousands of users while keeping the software robust and adding more features.

Every year, new software tools and frameworks are introduced to meet the needs of software development and maintenance. Security is often ignored in the development process because it involves additional cost and schedule impact, yet insecure software may result in a loss of goodwill and brand value for a company.

In the past, companies released software to live environments without any planned, proactive security effort. Most of the time, hackers found the vulnerabilities in the software and exploited them for their own benefit; sometimes security flaws were exposed by users accidentally.

Over time, companies learned to handle things proactively and make sure that most security-related issues are addressed before release to the live environment. Companies use ethical hacking and penetration testing to identify security flaws in their software before it goes public, which saves the time and cost of fixing issues later. Companies have started to integrate security into DevOps and bring DevSecOps practices into action.

If you are new to web application security, then the OWASP Top 10 guidelines should be your first step. If you are experienced, make sure you do not skip that first step on the assumption that your team has taken care of the OWASP Top 10 by default. As per the Burning Glass study, there is increasing demand for cybersecurity professionals, as shown below.

Project Demand For Cybersecurity Skills

Source: The State of Cybersecurity Hiring from Burning Glass

There are many courses and tutorials available to deepen your understanding of web application security beyond the OWASP Top 10. If you are willing to spend a few more hours on security-related courses and certifications, the value of your profile will improve drastically, and securely!

Written by

Vijayakumar Athithan

Vijay is the founder of Margazhi System Networks LLP, which provides consultancy in network security R&D. He also teaches classes on various subjects, especially programming, Linux, cloud and network security, as guest faculty on weekends. Prior to that, he gained a decade of experience in different roles at reputed IT service companies across the globe. He has earned the following certifications: SCJP, SCBCD, PMP, ITIL, Exin-Cloud and CEH.

