OWASP Top 10 Security Risks
About 90% of applications have serious vulnerabilities. OWASP, which regularly analyzes weaknesses and attacks on Web applications, has compiled OWASP TOP-10 - the list of the most dangerous vulnerabilities.
What Is OWASP?
OWASP (Open Web Application Security Project) is an open source project. Its community includes large companies, variety of different organizations and just interested persons from the whole globe. This group of enthusiasts collaborate to develop free articles, tutorials, papers, technologies and instruments.
Want to have an in-depth understanding of all modern aspects of OWASP Top 10 Security Risks and Vulnerabilities? Read carefully this article and bookmark it to get back later, we regularly update this page.
What Is OWASP Top 10 Vulnerability List?
OWASP Top 10 is one of the organization's best-known projects. OWASP Top 10 is a ranking of the ten most dangerous information security risks for web applications, compiled by a community of industry experts. For each point of the rating, the risk is calculated by experts based on the OWASP Risk Rating Methodology and includes an assessment of Weakness Prevalence, Weakness Detectability and Exploitability, as well as the criticality of the consequences of their operation or Technical Impacts.
For obvious reasons, risk severity calculations do not take into account the business consequences of their implementation. Where possible, the names of the risks in the rating correspond to the names of the corresponding vulnerabilities in the Common Weakness Enumeration classification. It should be noted that, unlike the classifications, the OWASP Top 10 project does not claim to cover all the existing risks, but only represents the most relevant ones at the time of the rating release.
OWASP Top 10 is not an official standard, it is just a white paper that is widely used by many organizations, vulnerability bounty programs, and cybersecurity experts to classify the severity of weaknesses and security breaches.
The rating was compiled on the basis of user posts and open discussions. OWASP Top 10 list is based on eight databases from seven companies, including four consulting firms and three SaaS vendors. The general database contains over 500,000 vulnerabilities in hundreds of organizations and thousands of applications.
OWASP Top 10 Vulnerabilities in 2021 are:
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfigurations
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
All data, as a rule, is stored in special databases, the calls to which are built in the form of queries, most often written in a Structured Query Language - SQL. Applications use SQL queries in order to receive, add, change or remove data, for example, when the customer edits his personal data or completes a questionnaire on the webpage. In case of the user's information insufficiently checked, a hacker can put special code into the app's interface that contains the SQL query part.
This is a very insecure weakness that can give the access an intruder to database, as well as the ability to see, modify or delete data that is not intended for him. In such a way, attacker can turn someone else's account balance together with the first and last name or steal confidential personal data.
The weakness is aftermath of insufficient validation of user data, so that allows an intruder to put into web forms specially prepared requests that "trick" the app and allow reading or writing illegitimate data.
2. Broken Authentication
According to OWASP Top 10, this weakness is one of the most critical. If someone needs to distinguish another user, the web application applies session cookies. After entering login and password when the authorizing in app is successfully completed, a special identifier is saved in the specified storage, which the program subsequently sent to the server with every query for a page of the app. This is the way web application recognizes users.
In case identifier is stolen by a hacker, and IT structure did not implement checks, for instance, session's IP address, or checks for more than one connection in one session, the intruder gains the possibility to penetrate the system having rights of user's account. And if it is an Internet bank or a payment system cabinet, you can easily guess for yourself the consequences of such unauthorized access.
Read more about Broken Authentication.
3. Sensitive Data Exposure
The simplest way to illustrate OWASP Top 10 threats for sensitive data is its transmission over the HTTP protocol. The thing is that the information transmitted via the HTTP protocol is not cyphered in any way, and when sensitive information go to the Web server from the device of user, the data will go through a good many different nodes such an office router or home router, a provider's router, a router on a channel, a router in a data the center of the hosting provider server, etc. Each of these nodes can host malware, they call it sniffer, a program that reads all traffic and send it on to the intruder. So, a hacker looks at the received data for personal info and banking card information.
Also, the lack of encryption of such confidential information like user's password or bank card facts makes data vulnerable to theft. However, in case it is cyphered, then even if unallowed entry to the server is obtained, a hacker can't steal critical data. It is not impossible to decrypt the cipher code for passwords, in particular, an irreversible hash function must be applied. When the password was checked by generating a cipher is comparing with the code specified in the system.
Read more about Sensitive Data Exposure.
4. XML External Entities (XXE)
The biggest risk with XXE is the huge variety of ways in which it can be exploited. Whether simple or complex, if an external piece of code can make its way onto an XML document, the system has been compromised. XML's ubiquity means that applications making use of XML are likely to intersect with a lot of sensitive data.
The most widely-known form of XXE attack is known as the ‘Billion Laughs’ attack, or the ‘XML Bomb‘. This is a simple but effective denial of service attack used to overload and shut down a target server. By defining an entity – usually something small and nonsensical, like ‘lol’ or ‘haha’ – as a nested string of other entities, an attacker can quickly overload a system's resources.
Read more about XML External Entities (XXE).
5. Broken Access Control
The essence of this OWASP Top 10 vulnerability, as the name suggests, is the lack of verification of proper access to the requested object. Most web applications check permissions before displaying data in the user interface. However, applications must perform the same access control checks on the server when requesting any function. After all, there are many more auxiliary services requests, which are often sent asynchronously in the background using AJAX technology. If the request parameters are not carefully validated, attackers could spoof the request to access data without proper permission.
Read more about Broken Access Control.
6. Security Misconfigurations
Another illustration of a OWASP Top 10 weakness is default settings in database servers, like Redis, Memcached and so on. It relates as closed services that may become available on the public IP or passwords mounted by the manufacturer for default use. It makes possible for intruders to easily read and modify data, displayed to in user's browser. This also allows intruders an XSS invasion.
Also, the program and applications kit must be updated, as weaknesses come to light every day in a wide range of program components. Even if your app is commonly well protected, correctly written and carefully checks all incoming info, you still can't rely on that no weaknesses will be approach in the OS or Web server at any time.
Read more about Security Misconfigurations.
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
Serialization and deserialization are important concepts in object-oriented programming frameworks, such as Java and .Net; and are consequently common to many web applications.
An insecure deserialization vulnerability exists when an application doesn’t properly secure this process. If a deserialization implementation is left to its default settings, an application can have little to no control over what data is deserialized. In the most extreme cases, this can include any incoming serialized data from any source, with no verification or precautions.
Read more about Insecure Deserialization.
9. Using Components with Known Vulnerabilities
Often times, web applications are written using special libraries or "frameworks" that are provided by third parties. In most cases, these components are open source, which means that not only you, but also millions of people around the world who are studying their source code, including for vulnerabilities. And it should be noted that they do this by no means unsuccessfully. They are also looking for weaknesses in lower-level components of the system, like different servers or the components of the OS down to its kernel. It is very important to use the latest components and keep an eye on emerging known vulnerabilities.
Read more about Using Components with Known Vulnerabilities.
10. Insufficient Logging and Monitoring
The problem of insufficient logging and monitoring covers the entire IT infrastructure and not just the internet-facing web application – as does the solution. For that reason, we will not limit this discussion to just logging and monitoring web apps.
One of the primary problems is that there are so many logs – almost all contemporary systems generate their own logs. Log management thus becomes a major problem. By the time that all the different logs are gathered together and preferably collated, the sheer size of the data set becomes too large to effectively monitor manually.
Read more about Insufficient Logging and Monitoring.
How to Protect from OWASP Top 10 Vulnerabilities
Security of most web apps remains poor. Every second resource includes high-risk weaknesses from the OWASP Top 10. However, it is clear that every year the share of web applications comprising critical vulnerabilities is gradually decreasing. The next positive trend is that organizations are starting to take more earnestly the protection of their apps, and not only public ones, but also used for internal needs.
The number of invasions on web apps will that were completed with success decline if identified vulnerabilities are fixed as early as possible and processes are automated where possible.
Firstly, detect, test and scorecard your digital and IT assets with the help of ImmuniWeb Discovery.
In addition, to protect against attacks on web apps, we always recommend taking preventive security measures from all existing threats to your organization's information system at the application level by using our ImmuniWeb Continuous Application Penetration Testing.
Web applications are constantly being modernized, and along with new features, new vulnerabilities may appear in them, which may be included in the next update of the OWASP Top 10 vulnerability list. Using ImmuniWeb tools will reduce the corresponding risks. Cybersecurity protection services must not only detect and prevent known attacks at the applications, but also identify the exploitation of zero-day vulnerabilities, prevent attacks on users, analyze and correlate many events to identify attack chains.