The non-profit Open Web Application Security Project (OWASP – https://www.owasp.org/) provides a list of 10 Risks to Web Application Security to guide architects, developers and security practitioners on critical vulnerabilities commonly present in web applications which leave applications open to exploits. This list provides a valuable starting point when planning methods to keep web applications secure.
Injection Flaws
| Description | Injection flaws are the result of untrusted data “piggy-backing” off trusted data as part of a query or command. The most common type of injection is SQL injection, others are NoSQL queries, OS commands, PHP queries and LDAP queries. |
| Risk/Vulnerability | The system being attacked may be deceived into executing unintended commands or the attacker(s) may be able to accesses data without proper authorization. |
| Mitigation | Injection flaws may be detected by proper application security testing. Parameterized queries should be coded to prevent injection flaws. |
Authentication Issues
| Description | Session management and user authentication functions are implemented incorrectly. |
| Risk/Vulnerability | Attackers may be able to compromise keys, sessions, passwords or other flaws caused by weak implementations to take over user identities. |
| Mitigation | Implementation of multi-factor authentication methods reduces the likelihood of compromised user accounts. |
Exposing Sensitive or Personal Data
| Description | Some applications and APIs don’t properly protect sensitive data such as used id’s, financial data, health information and passwords. |
| Risk/Vulnerability | This could enable access to information to attackers allowing them to commit fraud or to steal identities. |
| Mitigation | Encrypting data both in transit and at rest. |
XML External Entities
| Description | XML processors that have not been correctly configured or implemented may evaluate external entity references within XML documents. |
| Risk/Vulnerability | This could allow attackers to use external entities for attacks which may include gaining of access to internal files and file shares, execution of remote code, scanning of internal network ports and DOS (Denial of Service attacks). |
| Mitigation | Using SAST (Static application security testing) for inspection of configurations and dependencies. |
Broken Access Control
| Description | Improper enforcement of user access permissions to data and non-functional system functionality. |
| Risk/Vulnerability | Users may be allowed to access unauthorized system functionality and/or data, this may allow for access to other accounts/data and unauthorized modification of these items. |
| Mitigation | System penetration testing will help to detect non-functional access controls. |
Misconfigured Security
| Description | Security misconfiguration as the result of insecure/add hoc default configurations, error messages displaying too much system related information, incorrect security headers, cloud storage left open to unauthorized access and systems/components improperly patched. |
| Risk/Vulnerability | Exploitation of misconfigured system by attackers. |
| Mitigation | DAST (Dynamic application security testing) will assist in the discovery of system misconfigurations. Proper management of system inventory will assist with keeping systems up to date with patches. |
Cross-Site Scripting (XSS)
| Description | Unintended inclusion of untrusted data in web pages without appropriate validation or escaping, or updates to current web pages with user-supplied data via web browser API’s creating JavaScript/HTML |
| Risk/Vulnerability | Attackers may gain the ability to inject client-side scripts into the web application. |
| Mitigation | Enforcement of coding practices such as input validation and encoding of data. |
Insecure Deserialization
| Description | Some applications persist data on the client-side via object serialization. |
| Risk/Vulnerability | Serialized data may be tampered with, potentially allowing the remote execution of code, tampering or removal of serialized object data, elevation of privileges or execution of injection attacks. |
| Mitigation | Usage of application security tools will assist with deserialization flaw detection. Penetration testing will validate issues. |
Insecure Themes, Plugins, and Other Components
| Description | Components that make up an application, such as software modules, frameworks and libraries execute within the application with the same level of access privileges as the application itself. Some of these components may be out of date with known vulnerabilities. |
| Risk/Vulnerability | Insecure components may be exploited by attackers to take control of systems or to steal sensitive data. |
| Mitigation | Use of SCA (Software Composition Analysis) tools will help to identify insecure versions of application components. |
Insufficient Logging and Monitoring
| Description | Attacks are frequently only notices after an incident occurred. This may be weeks or even months after the breach. Deficient system logging and lack of integration with response systems leads to lack of information about and slow reaction time to incidents. |
| Risk/Vulnerability | Slow response times and identification of breaches will allow attackers to extend their access to other systems and to maintain persistent threats within the target systems/network. |
| Mitigation | Penetration testing will assist in the identification of sufficiency of monitoring. Logs need to be examined after penetration testing to ensure that systems are logging attacks. Moving/replication of logs to other locations will assist breach analysis ensuring that logs being investigated have not been tampered with. |