The OWASP Top 10

The non-profit Open Web Application Security Project (OWASP – https://www.owasp.org/) publishes a list of the ten most critical risks to web application security to guide architects, developers and security practitioners on the vulnerabilities commonly present in web applications that leave them open to exploitation. The list is a valuable starting point when planning how to keep web applications secure.

Injection Flaws

Description: Injection flaws are the result of untrusted data “piggy-backing” on trusted data as part of a query or command. The most common type of injection is SQL injection; others include NoSQL queries, OS commands, PHP queries and LDAP queries.
Risk/Vulnerability: The system being attacked may be deceived into executing unintended commands, or the attacker(s) may be able to access data without proper authorization.
Mitigation: Injection flaws may be detected by proper application security testing. Parameterized queries should be used to prevent injection flaws.
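An added example (not from the OWASP page) showing the flaw and the mitigation side by side in Python with an in-memory SQLite table of constructed sample users: the first lookup builds the query by string concatenation, the second binds the value as a parameter so it can only ever be treated as data.

```python
import sqlite3

def setup_db():
    # Constructed sample table; the rows are illustrative, not real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def find_user_vulnerable(conn, username):
    # Untrusted input is concatenated into the query text, so it can change
    # the structure of the statement: this is the injection flaw.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]

def find_user_parameterized(conn, username):
    # The statement structure is fixed in advance; the value is bound
    # separately by the driver, so it is never interpreted as SQL.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]

if __name__ == "__main__":
    conn = setup_db()
    # Textbook tautology input used when testing for injection flaws.
    crafted = "x' OR '1'='1"
    print(find_user_vulnerable(conn, crafted))     # every user is returned
    print(find_user_parameterized(conn, crafted))  # no user has that literal name
```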

Authentication Issues

Description: Session management and user authentication functions are implemented incorrectly.
Risk/Vulnerability: Attackers may be able to compromise keys, sessions or passwords, or exploit other flaws caused by weak implementations, to take over user identities.
Mitigation: Implementing multi-factor authentication reduces the likelihood of compromised user accounts.

Exposing Sensitive or Personal Data

Description: Some applications and APIs don’t properly protect sensitive data such as user IDs, financial data, health information and passwords.
Risk/Vulnerability: This could give attackers access to information that allows them to commit fraud or steal identities.
Mitigation: Encrypt data both in transit and at rest.

XML External Entities

Description: XML processors that have not been correctly configured or implemented may evaluate external entity references within XML documents.
Risk/Vulnerability: This could allow attackers to use external entities for attacks, which may include gaining access to internal files and file shares, remote code execution, scanning of internal network ports and denial-of-service (DoS) attacks.
Mitigation: Use SAST (static application security testing) to inspect configurations and dependencies.

Broken Access Control

Description: Improper enforcement of user access permissions to data and system functionality.
Risk/Vulnerability: Users may be allowed to access unauthorized system functionality and/or data. This may give them access to other accounts or data and allow unauthorized modification of those items.
Mitigation: System penetration testing will help to detect access controls that are not functioning.

Misconfigured Security

Description: Security misconfiguration resulting from insecure or ad hoc default configurations, error messages that disclose too much system-related information, incorrect security headers, cloud storage left open to unauthorized access, and systems or components that are improperly patched.
Risk/Vulnerability: Exploitation of misconfigured systems by attackers.
Mitigation: DAST (dynamic application security testing) will assist in the discovery of system misconfigurations. Proper management of the system inventory will help keep systems up to date with patches.

Cross-Site Scripting (XSS)

Description: Unintended inclusion of untrusted data in web pages without appropriate validation or escaping, or updates to existing web pages with user-supplied data via browser APIs that create JavaScript or HTML.
Risk/Vulnerability: Attackers may gain the ability to inject client-side scripts into the web application.
Mitigation: Enforcement of coding practices such as input validation and output encoding of data.

Insecure Deserialization

Description: Some applications persist data on the client side via object serialization.
Risk/Vulnerability: Serialized data may be tampered with, potentially allowing remote code execution, modification or removal of serialized object data, elevation of privileges or injection attacks.
Mitigation: Application security tools will assist with deserialization flaw detection. Penetration testing will validate the issues found.
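An added example (not from the OWASP page) of one way to keep client-side persisted state from being tampered with: the state is serialized as plain JSON rather than a native object format, and an HMAC over the payload is attached so that any edit made on the client is rejected before the data is parsed. The secret key and state values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the example only; a real deployment loads it from a
# secret store, never from source code.
SECRET_KEY = b"example-only-not-a-real-secret"

def _encode(state: dict) -> bytes:
    # Canonical JSON so the same state always yields the same bytes.
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()

def serialize_state(state: dict) -> str:
    payload = _encode(state)
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())

def deserialize_state(token: str):
    # Verify the tag before parsing anything; return None on any failure.
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # bad structure or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)

def tamper(token: str, new_state: dict) -> str:
    # Simulates a client rewriting the serialized object but keeping the old tag.
    return base64.urlsafe_b64encode(_encode(new_state)).decode() + "." + token.split(".")[1]

if __name__ == "__main__":
    token = serialize_state({"user": "bob", "role": "user"})
    print(deserialize_state(token))                                        # original state
    print(deserialize_state(tamper(token, {"user": "bob", "role": "admin"})))  # None
```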

Insecure Themes, Plugins, and Other Components

Description: Components that make up an application, such as software modules, frameworks and libraries, execute within the application with the same level of access privileges as the application itself. Some of these components may be out of date and have known vulnerabilities.
Risk/Vulnerability: Insecure components may be exploited by attackers to take control of systems or to steal sensitive data.
Mitigation: Use of SCA (software composition analysis) tools will help to identify insecure versions of application components.

Insufficient Logging and Monitoring

Description: Attacks are frequently only noticed after an incident has occurred, which may be weeks or even months after the breach. Deficient system logging and a lack of integration with response systems lead to a lack of information about incidents and slow reaction to them.
Risk/Vulnerability: Slow identification of and response to breaches allows attackers to extend their access to other systems and to maintain a persistent presence within the target systems or network.
Mitigation: Penetration testing helps to assess whether monitoring is sufficient. Logs need to be examined after penetration testing to ensure that systems are logging attacks. Moving or replicating logs to other locations will assist breach analysis by ensuring that the logs being investigated have not been tampered with.