The OWASP Top 10 is a document that prioritizes vulnerabilities, published by the Open Web Application Security Project (OWASP). OWASP is a non-profit dedicated to improving software security.
To achieve this goal, OWASP provides free resources geared to educate and help anyone interested in software security. This article explains in detail five critical vulnerabilities: injection, broken authentication, sensitive data exposure, XML external entities (XXE), and broken access controls.
What Is OWASP?
The Open Web Application Security Project (OWASP) is a non-profit organization devoted to improving software security. It is supported by an open-source community and works to provide tooling, training, and informational resources to developer communities. OWASP also encourages community collaboration and networking to improve the understanding and adoption of security best practices.
Some of OWASP’s biggest contributions include several tools designed to help teams identify and eliminate vulnerabilities. For example, you can use the OWASP Dependency Check to identify whether dependencies in your project contain known vulnerabilities. Another is Zed Attack Proxy, a runtime scanner you can use to find vulnerabilities in web applications.
OWASP also provides a variety of guidelines and models that you can apply to development and testing processes. One example is the Security Knowledge Framework, which includes a knowledge base with training projects to teach developers secure coding. Another is the OWASP Top 10, which you can learn about below.
What Is the OWASP Top Ten?
The OWASP Top Ten is a document that outlines the 10 most critical security risks for web applications and how to mitigate those risks. It is based on a worldwide community of security knowledge and experience and is meant to help standardize awareness of common vulnerabilities.
The last Top Ten list was released in 2017 and another is planned for development in 2020. This update will review and incorporate changes in how frequently vulnerabilities occur in applications. It will also draw from Common Weakness Enumeration (CWE) reports from the three years since the previous update. These reports represent known vulnerabilities and are tracked by the National Vulnerability Database (NVD) as well as many other databases.
Understanding and Preventing Common OWASP Attacks
Below you can learn about the five most common vulnerabilities and how to prevent these issues. For the full list and supporting documentation, see the OWASP Top 10.
1. Injection
Injection attacks involve attackers submitting code to an interpreter which then runs that code, performing the attacker’s intended action. This is often done via forms or input fields by either submitting code as is or appending it to the end of “valid” data. These attacks rely on a lack of input validation in the target application.
Some examples of injection attacks include:
- Vulnerable SQL calls—enable attackers to enter whatever they want as a customer ID and have it appended to the query.
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
- URL manipulation—causes the query to return all the records from the account table, exposing usernames and possibly sensitive personal details.
http://example.com/app/accountView?id=' or '1'='1
Preventing injection attacks
To prevent injection attacks, you should consider adopting the following precautions:
- Use APIs which bypass interpreters
- Implement server-side input validation with whitelisting
- Escape special characters and standardize inputs before use
- Use SQL controls like LIMIT in queries to prevent mass lookups
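The following added example (not from the original article) reproduces the concatenated query above against an in-memory SQLite database and sets it beside a parameterized, validated lookup. It uses Python instead of the article's Java so that it runs without a database driver; the table rows, the ID format and the function names are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample rows standing in for the article's accounts table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (custID TEXT PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("1001", "alice"), ("1002", "bob"), ("1003", "carol")])
    return db

def lookup_vulnerable(db, cust_id):
    # Same flaw as the Java line above: input is concatenated into the SQL text.
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return db.execute(query).fetchall()

def lookup_bound(db, cust_id):
    # Parameterized query: the value is bound as data and never parsed as SQL.
    return db.execute(
        "SELECT custID, owner FROM accounts WHERE custID = ?", (cust_id,)
    ).fetchall()

CUST_ID = re.compile(r"[0-9]{1,10}")  # assumed format: short digit strings

def lookup_safe(db, cust_id):
    # Allowlist validation first, then a bound parameter, then LIMIT as a cap.
    if not CUST_ID.fullmatch(cust_id):
        raise ValueError("invalid customer id")
    return db.execute(
        "SELECT custID, owner FROM accounts WHERE custID = ? LIMIT 1", (cust_id,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"  # the id value from the article's example URL
    print(len(lookup_vulnerable(db, payload)), "rows from the concatenated query")
    print(len(lookup_bound(db, payload)), "rows from the parameterized query")
    print(lookup_safe(db, "1002"))
```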
2. Broken Authentication
Broken authentication attacks occur when attackers can compromise passwords, session tokens, or encryption keys. These attacks may also occur if you hardcoded credentials or misconfigured authentication measures, such as leaving default passwords.
Some examples of broken authentication attacks include:
- Credential stuffing—abuses permissive retry limits to systematically work through lists of known passwords until one that works is found.
- Exposed session ID—session IDs are used in raw form in URLs. Attackers can manually change this ID to access information from another user’s session.
Mitigating broken authentication
To mitigate broken authentication attacks, you should consider adopting the following precautions:
- Enforce multi-factor authentication (MFA)
- Replace default credentials
- Set password complexity requirements and force password rotation
- Set log-in and session limits
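One way to implement the log-in limits listed above, shown as an added example that is not part of the original article: a sliding-window counter of failed attempts kept per account and per source address. The class name, thresholds and addresses are assumptions; the per-source counter is what closes the permissive retry limit that credential stuffing depends on.

```python
import time
from collections import defaultdict, deque

class LoginLimiter:
    """Sliding-window limit on failed log-ins, per account and per source."""

    def __init__(self, max_failures=5, window=300):
        self.max_failures = max_failures   # assumed threshold
        self.window = window               # seconds; assumed value
        self.failures = defaultdict(deque)

    def _recent(self, key, now):
        # Drop timestamps that have aged out of the window, then count the rest.
        q = self.failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def allowed(self, username, source, now=None):
        now = time.time() if now is None else now
        # One source trying many accounts trips the "src" counter;
        # many sources trying one account trip the "user" counter.
        return (self._recent(("user", username), now) < self.max_failures
                and self._recent(("src", source), now) < self.max_failures)

    def record_failure(self, username, source, now=None):
        now = time.time() if now is None else now
        self.failures[("user", username)].append(now)
        self.failures[("src", source)].append(now)

    def record_success(self, username):
        # A successful log-in clears the account counter, not the source one.
        self.failures.pop(("user", username), None)

if __name__ == "__main__":
    limiter = LoginLimiter(max_failures=3, window=60)
    # Constructed sequence: one source fails against three different accounts.
    for t, user in enumerate(["u1", "u2", "u3"]):
        limiter.record_failure(user, "203.0.113.7", now=t)
    print(limiter.allowed("u4", "203.0.113.7", now=3))    # source is throttled
    print(limiter.allowed("u4", "198.51.100.2", now=3))   # other source is not
```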
3. Sensitive Data Exposure
Sensitive data exposure is not a single attack in itself; rather, it is a result that can follow from a variety of attacks. Commonly, these include man-in-the-middle (MitM) attacks, brute force password attacks, theft of encryption keys, or theft of clear text data from web servers or clients.
Examples of sensitive data exposure include:
- Lack of encryption—not using a secure connection with SSL/TLS encryption enables attackers to intercept or modify request data. For example, an attacker could intercept a bank transfer and steal or alter account details before allowing the request to continue.
- Unsalted hashes—unsalted hashes are credentials hashed with a basic algorithm and no added random data. This is in contrast to salted hashes, which include random data in the input to make the stored hash more secure. If unsalted hashes are used, an attacker can use precomputed hash tables to recover the credentials and steal data.
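The difference between unsalted and salted hashes, as an added example that is not part of the original article. It includes an audit helper that flags accounts sharing an identical stored value, which is the property precomputed tables rely on. PBKDF2, the iteration count, the storage format and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware

def unsalted_hash(password):
    # Weak pattern described above: equal passwords always give equal digests.
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    # A fresh random salt per user makes equal passwords hash differently,
    # so a table computed in advance no longer matches any stored value.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify(password, stored):
    # Recompute with the stored salt and compare in constant time.
    salt_hex, _ = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def duplicate_hash_groups(stored_by_user):
    # Audit check: users sharing one stored value point to unsalted hashing.
    groups = defaultdict(list)
    for user, stored in stored_by_user.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

if __name__ == "__main__":
    # Constructed sample credentials; alice and bob chose the same password.
    passwords = {"alice": "correct horse", "bob": "correct horse", "carol": "x9!kq"}
    weak = {u: unsalted_hash(p) for u, p in passwords.items()}
    strong = {u: salted_hash(p) for u, p in passwords.items()}
    print(duplicate_hash_groups(weak))    # alice and bob collide
    print(duplicate_hash_groups(strong))  # no collisions
```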
Mitigating Sensitive Data Exposure
To mitigate sensitive data exposure, you should consider adopting the following precautions:
- Isolate sensitive data and limit access to one or only a few channels
- Truncate, tokenize, or anonymize data whenever possible
- Encrypt data at-rest and in-transit
- Disable data caching for sensitive data
4. XML External Entities (XXE)
Extensible Markup Language (XML) is a markup language used to make documents both human and machine-readable. It is used to share structured data online. To use XML, web applications must use a parser which manages the communication of data between client and server. XXE attacks leverage vulnerabilities in parsers to retrieve sensitive information, execute remote requests, or scan systems.
Examples of XXE attacks include:
- Denial of service (DoS)—attackers can provide an endless or corrupt file that causes an infinite loop or requires excessive resources, blocking legitimate requests.
- Extracting data—attackers change XML entity lines to spoof credentials and gain access to server data.
Preventing XML External Entities (XXE) attacks
To prevent XXE attacks, you should consider adopting the following precautions:
- Patch XML parsers and libraries
- Implement server-side validation with whitelisting
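A sketch of server-side validation for untrusted XML, added here as an example and not taken from the original article. It goes one step beyond the two precautions listed by refusing any document that carries a DOCTYPE or entity declaration, since both attack examples above depend on them. The tag allowlist, the size cap and the sample documents are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

ALLOWED_TAGS = {"order", "item", "qty"}  # hypothetical schema for this example

class ForbiddenXML(ValueError):
    """Raised when untrusted XML breaks one of the validation rules."""

def parse_untrusted(data, max_bytes=1_000_000):
    # Size cap: refuse oversized input before the parser does any work.
    if len(data) > max_bytes:
        raise ForbiddenXML("document too large")
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ForbiddenXML("DOCTYPE is not allowed")

    def reject_entity(*args):
        raise ForbiddenXML("entity declarations are not allowed")

    # Entities can only be declared inside a DTD, so rejecting the DOCTYPE
    # stops the document before any entity is defined or resolved.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    root = builder.close()

    # Allowlist validation: only the element names we expect may appear.
    unexpected = {el.tag for el in root.iter()} - ALLOWED_TAGS
    if unexpected:
        raise ForbiddenXML("unexpected elements: " + ", ".join(sorted(unexpected)))
    return root

# Constructed sample documents.
GOOD = b"<order><item>widget</item><qty>2</qty></order>"
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY ext SYSTEM '
            b'"file:///constructed/placeholder">]><order><item>&ext;</item></order>')

if __name__ == "__main__":
    print(parse_untrusted(GOOD).findtext("qty"))
    try:
        parse_untrusted(WITH_DTD)
    except ForbiddenXML as err:
        print("rejected:", err)
```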
5. Broken Access Control
Access controls are what determine whether users or applications are allowed to access data and in what capacity. Broken access controls allow excessive or unauthorized access to data and systems. These vulnerabilities can occur due to flaws in hosting services, misconfigurations of servers, or when access controls are not properly enforced.
Examples of broken access control attacks include:
- URL manipulation—an attacker accesses specific URLs to access information or systems. These often include subpages on which controls may be overlooked.
- Accepting unverified data—SQL calls accept unverified data that enables attackers to submit data freely and leverage injection vulnerabilities.
Mitigating broken access controls
To mitigate broken access control attacks, you should consider adopting the following precautions:
- Manage controls with an Identity and Access Management (IAM) system
- Limit the rate of controller or API access
- Deny access by default
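Deny by default in practice, as an added example that is not part of the original article: every request is checked against an explicit policy table after path normalization, and an audit helper lists routes the application serves that have no policy entry, which are the overlooked subpages mentioned above. The routes, roles and function names are hypothetical.

```python
import posixpath

# Hypothetical policy table: (method, route) -> roles that may call it.
POLICY = {
    ("GET", "/account"): {"user", "admin"},
    ("GET", "/admin/reports"): {"admin"},
    ("POST", "/admin/users"): {"admin"},
}

def normalize(path):
    # Drop the query string and collapse "..", "." and repeated slashes so the
    # decision is made on the route that will actually be served.
    # Assumes the framework has already URL-decoded the path.
    return posixpath.normpath("/" + path.split("?", 1)[0].lstrip("/"))

def is_allowed(role, method, path):
    roles = POLICY.get((method.upper(), normalize(path)))
    if roles is None:
        return False  # no policy entry: deny by default
    return role in roles

def uncovered_routes(registered_routes):
    # Audit helper: routes the application serves that have no policy entry.
    return sorted(r for r in registered_routes
                  if (r[0].upper(), normalize(r[1])) not in POLICY)

if __name__ == "__main__":
    print(is_allowed("user", "GET", "/account"))                   # listed role
    print(is_allowed("user", "GET", "/account/../admin/reports"))  # normalized
    print(is_allowed("admin", "GET", "/admin/export"))             # unlisted
    # Constructed list of routes registered by the application.
    print(uncovered_routes([("GET", "/account"), ("GET", "/admin/export")]))
```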
The OWASP Top Ten is a highly regarded document that software developers, security professionals, and IT administrators can use to ensure and improve software security. However, it’s important to remember that the prioritization and the proposed prevention techniques offered by OWASP are guidelines.
You should certainly learn and consider these techniques, but your top priority should always be to ensure that you are using the right security practices for your project and your organization. If some OWASP practices do not suit your needs, you should strive to find an alternative that secures your software.
About the Author: Ilai Bavati
I'm a technology writer and editor based in Tel Aviv. I cover topics ranging from machine learning and cybersecurity to cloud computing and the Internet of Things. I'm interested in the real-world application of emerging technologies, and I see our increasingly connected reality as both disruptive and potentially life-saving.