The Open Web Application Security Project (OWASP) is a non-profit organization producing freely available articles and other information on web application security.
What is OWASP?
The Open Web Application Foundation is dedicated to creating a safer web application environment. It offers articles, tools, technologies and forums for free to empower every developer to create secure code. Amongst other projects, one of the most well known projects of OWASP is the OWASP Top 10.
What is OWASP Top 10?
OWASP Top 10 is a publicly shared list of the 10 most critical web application vulnerabilities according to the Open Web Application Security Project. The list is developed by web application security experts from around the world and is regularly updated. The OWASP Top 10 aims to educate companies on what vulnerabilities they need to mitigate to secure their web application.
This list is also under development for mobile applications.
Next to the Top 10 list, OWASP also publishes and maintains the following resources:
- OWASP Testing Guide: "Best Practices" for application testing
- OWASP Juice Shop: An intentionally insecure web application for security trainings
The OWASP Top 10
1. Injection Attacks
SQL Injection refers to the exploitation of a SQL database vulnerability caused by the lack of masking or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL commands and therefore alters the results in favor of the attacker. With a successful attack, the attacker is able to spy on data, modify it or delete it altogether, and gain control over the server. For this to work, the attacker has different ways to breach the system. For example it is possible to find a way into the system via response time or error messages.
2. Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently. Abusing such vulnerability, an attacker may be able to hijack user sessions and access or modify information for which he has no permission.
3. Sensitive Data Exposure
Fuzzing is a technique where invalid, random or unexpected data is used to produce either unexpected states or gain access to hidden features. There are multiple types of fuzzing:
- Fuzzing based on observed data
- Fuzzing without previous knowledge
4. XML External Entities (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. An attacker may use an XXE vulnerability to access secret files of the machine running the XML processor.
5. Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
6. Security Misconfiguration
Security misconfiguration is a common issue opening attack surfaces. This commonly is a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers or encryption, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
7. Cross-Site Scripting (XSS)
Cross-site scripting is the injection of client-side scripts into web applications, which is enabled by a lack of validating and correctly encoding user input. The malicious scripts are executed within the browser of the end users and enable a variety of attacks from stealing the end users session to monitoring and altering all actions performed by the end users on the affected website. There are different types of cross-site scripting attacks, which distinguish if the malicious scripts could be injected in a non-persistent or persistent fashion. Furthermore there is differentiation made between the vulnerability being caused by a flawed input validation on the client- or server-side.
8. Insecure Deserialization
Insecure Deserialization is an attack where a manipulated object is injected into the context of the web application. If the application is vulnerable, the object is deserialized and executed, which can result in SQL Injection, Path Traversal, Application Denial of Service and Remote Code Execution.
9. Using Components With Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as an application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defences and enable various attacks and impacts.
To help you assess whether you are using components with known vulnerabilities, fingerprinting scanners try to detect any web server or web application frameworks and associated versions running on the server,
10. Insufficient Logging And Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.