OWASP Top 10 Security Risks
About 90% of applications have serious vulnerabilities. OWASP, which regularly analyzes weaknesses and attacks on Web applications, has compiled OWASP TOP-10 - the list of the most dangerous vulnerabilities.
What Is OWASP?
OWASP (Open Web Application Security Project) is an open source project. Its community includes large companies, variety of different organizations and just interested persons from the whole globe. This group of enthusiasts collaborate to develop free articles, tutorials, papers, technologies, and instruments.
Want to have an in-depth understanding of all modern aspects of OWASP Top 10 Security Risks and Vulnerabilities? Read carefully this article and bookmark it to get back later, we regularly update this page.
What Is OWASP Top 10 Vulnerability List?
OWASP Top 10 is one of the organization's best-known projects. OWASP Top 10 is a ranking of the ten most dangerous information security risks for web applications, compiled by a community of industry experts. For each point of the rating, the risk is calculated by experts based on the OWASP Risk Rating Methodology and includes an assessment of Weakness Prevalence, Weakness Detectability and Exploitability, as well as the criticality of the consequences of their operation or Technical Impacts.
For obvious reasons, risk severity assessments do not take into account the business consequences of their implementation. Where possible, the names of the risks in the rating correspond to the names of the similar vulnerabilities in the Common Weakness Enumeration (CWE) classification. It should be noted that, unlike the classifications, the OWASP Top 10 project does not claim to cover all the existing risks, but only represents the most relevant ones at the time of the rating release.
OWASP Top 10 is not an official standard, it is just a white paper that is widely used by many organizations, vulnerability bounty programs, and cybersecurity experts to classify the severity of weaknesses and security breaches.
The rating was compiled on the basis of user posts and open discussions. OWASP Top 10 list is based on eight databases from seven companies, including four consulting firms and three SaaS vendors. The general database contains over 500,000 vulnerabilities in hundreds of organizations and thousands of applications.
OWASP Top 10 Vulnerabilities in 2021 are:
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfigurations
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
All data, as a rule, is stored in special databases, the requests to which are built in the form of queries, most often written in a Structured Query Language - SQL. Applications use SQL queries in order to receive, add, change or remove data, for example, when the customer edits his personal data or completes a questionnaire on the webpage. In case of the user's information insufficiently checked, a hacker can change the app's code that contains the SQL query part.
This is a very insecure weakness that can give an intruder access to the database, as well as the ability to see, modify or delete data. In such a way, the hacker can steal confidential personal data.
The weakness is the aftermath of insufficient validation of user data, so that allows an intruder to put into web forms specially prepared requests that "trick" the app and allow reading or writing illegitimate data.
2. Broken Authentication
According to OWASP Top 10, this weakness is one of the most critical. If someone needs to distinguish another user, the web application applies session cookies. After entering login and password when the authorization in the application is successfully completed, a special identifier is saved in the specified storage, which the program subsequently sends to the server with every query for a page of the app. This is the way web application recognizes users.
In case of this identifier is stolen by a hacker, and the IT structure did not implement checks, for instance, session's IP address, or checks for more than one connection in one session, the intruder gains the possibility to get into the system with the user's account. And if it is an Internet bank or a payment system cabinet, you can easily guess for yourself the consequences of such unauthorized access.
Read more about Broken Authentication.
3. Sensitive Data Exposure
The thing is that the information transmitted via the HTTP protocol is not cyphered in any way, and when sensitive information goes to the Web server from the device of the user, the data will go through a good many different nodes such as an office router or home router, a provider's router, a router on a channel, a router in a data center or the hosting provider server, etc. Each of these nodes can contain malware, called 'sniffer', a program that reads all traffic and sends it on to the hacker. So, the hacker looks at the received data for personal info and banking card information.
Also, the lack of encryption of such confidential information like user's password or bank card details makes data vulnerable to theft. However, in case it is cyphered, then even if unallowed entry to the server is obtained, a hacker can't steal critical data.
Read more about Sensitive Data Exposure.
4. XML External Entities (XXE)
The biggest risk with XXE is the huge variety of ways in which it can be exploited. Whether simple or complex, if an external piece of code can make its way onto an XML document, this means that the system has been compromised. XML's ubiquity means that applications making use of XML are likely to intersect with a lot of sensitive data.
The most widely-known form of XXE attack is known as the ‘Billion Laughs’ attack or the ‘XML Bomb‘. This is a simple but effective denial of service attack used to overload and shut down a target server. By defining an entity – usually something small and nonsensical, like ‘lol’ or ‘haha’ – as a nested string of other entities, an attacker can quickly overload the system's resources.
Read more about XML External Entities (XXE).
5. Broken Access Control
The essence of this OWASP Top 10 vulnerability, as the name suggests, is the lack of verification of proper access to the requested object. Most web applications check permissions before displaying data in the user interface. However, applications must perform the same access control checks on the server when requesting any function. After all, there are many more auxiliary service requests, which are often sent asynchronously in the background using AJAX technology. If the request parameters are not carefully validated, attackers could spoof the request to access data without proper permission.
Read more about Broken Access Control.
6. Security Misconfigurations
Another illustration of this OWASP Top 10 weakness is default settings in database servers, like Redis, Memcached, and so on. It relates to private services that may become available on the public IP or passwords mounted by the manufacturer for default use. It makes it possible for intruders to easily read and modify data. This also allows hackers to make an XSS invasion.
Also, the program and applications must be updated, as weaknesses appear every day in a wide range of program components. Even if your app is commonly well protected, correctly written, and carefully checks all incoming data, you still can't guarantee that no weaknesses will be found in the OS or Web server at any time.
Read more about Security Misconfigurations.
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
Serialization and deserialization are important concepts in object-oriented programming frameworks, such as Java and .Net; and are consequently common to many web applications.
An insecure deserialization vulnerability exists when an application doesn’t properly secure this process. If a deserialization implementation is left to its default settings, an application can have little to no control over what data is deserialized. In the most extreme cases, this can include any incoming serialized data from any source, with no verification or precautions.
Read more about Insecure Deserialization.
9. Using Components with Known Vulnerabilities
Oftentimes, web applications are developed using special libraries or "frameworks" that are provided by third parties. In most cases, these components are open source, which means that not only you but also millions of people around the world are studying their source code, and for vulnerabilities too. They are also looking for weaknesses in lower-level components of the system, like different servers or the components of the OS down to its kernel. It is very important to use the latest components and keep an eye on emerging known vulnerabilities.
Read more about Using Components with Known Vulnerabilities.
10. Insufficient Logging and Monitoring
The problem of insufficient logging and monitoring covers the entire IT infrastructure and not just the internet-facing web application – as does the solution. For that reason, we will not limit this discussion to just logging and monitoring web apps.
One of the primary problems is that there are so many logs – almost all contemporary systems generate their own logs. Log management thus becomes a major problem. By the time that all the different logs are gathered together and preferably collated, the sheer size of the data set becomes too large to effectively monitor manually.
Read more about Insufficient Logging and Monitoring.
How to Protect from OWASP Top 10 Vulnerabilities
Security of most web apps remains poor. Every second resource has high-risk weaknesses from the OWASP Top 10 list. However, it is clear that the share of web applications comprising critical vulnerabilities is gradually decreasing. The next positive trend is that organizations are starting to pay more attention to the protection of their apps, and not only public ones, but also used for internal needs.
The number of hacks of web apps will decline if identified vulnerabilities are fixed as early as possible and processes are automated where possible.
Firstly, detect, test and scorecard your digital and IT assets with the help of ImmuniWeb Discovery.
In addition, to protect against hacks, we always recommend ImmuniWeb Continuous Application Penetration Testing.
Web applications are constantly updated, and along with new features new vulnerabilities may appear and then further included in the next OWASP Top 10 vulnerability list update. Using ImmuniWeb tools will reduce the corresponding risks. Cybersecurity protection services must not only detect and prevent known attacks at the applications but also identify the exploitation of zero-day vulnerabilities, prevent attacks on users, analyze and correlate events to monitor attack chains.