OWASP Top 10 (Open Web Application Security Project)


In this article, we will discuss the OWASP Top 10 (Open Web Application Security Project). Let's start with what OWASP is and what is in the OWASP Top 10.

What is OWASP?

The Open Web Application Security Project (OWASP) is a community that works to improve the security of software. OWASP produces articles, documentation, tools, methods, and techniques that help developers build more secure software.

It was founded in 2001 by Mark Curphey.

What is the OWASP Top 10?

The OWASP Top 10 is an awareness document written with developers and web application security in mind.

It provides a comprehensive overview of the most critical security risks to web applications.

1. Injection

Injection flaws are very prevalent, especially in legacy code. Injection is found in SQL, LDAP, XPath, and NoSQL queries, OS commands, and ORM queries.

Injection can lead to loss or corruption of data, disclosure of data to unauthorized parties, loss of accountability, or denial of access.

Learn More: https://owasp.org/www-community/Injection_Flaws
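To make the SQL case concrete, here is an added example (not code from the original article) that runs the same user lookup two ways against a constructed in-memory SQLite table: once with the statement built by string concatenation, and once as a parameterized query, which is the standard defence. The table contents and the inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table; not real application data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Builds the statement by concatenation, so the caller's input is parsed
    as SQL grammar instead of being treated as a plain value."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Parameterized query: the value travels separately from the statement
    text, so quotes or keywords inside it can never change the WHERE clause."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    conn = make_db()
    results = {}
    # A legitimate name with an apostrophe: the concatenated statement
    # cannot even be parsed, which is the first sign the query is unsafe.
    try:
        find_user_vulnerable(conn, "O'Brien")
        results["vulnerable_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vulnerable_apostrophe"] = "syntax error"
    results["safe_apostrophe"] = find_user_safe(conn, "O'Brien")
    # The textbook tautology input from the OWASP injection write-up:
    # concatenation turns it into part of the WHERE clause and returns every
    # row; the parameterized query looks for a user literally named that.
    tautology = "x' OR '1'='1"
    results["vulnerable_tautology"] = find_user_vulnerable(conn, tautology)
    results["safe_tautology"] = find_user_safe(conn, tautology)
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "->", value)
```

The same principle applies to LDAP, XPath, NoSQL and OS command calls: keep untrusted input out of the statement text and pass it through the API's own parameter mechanism.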

2. Broken Authentication

Attackers have access to millions of valid username and password combinations.

Attacks on session management are well understood, especially those that reuse session tokens that were never expired.

Learn More: https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication

3. Sensitive Data Exposure

Many applications and web APIs do not properly protect sensitive data.

For data in transit, server-side weaknesses are relatively easy to detect, but for data at rest they are much harder to find.

There are several ways to prevent these attacks: classify the data and apply controls according to its classification, and do not store sensitive data unnecessarily.

Be sure to encrypt all sensitive data that you do need to keep.

Learn More: https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure

4. XML External Entities (XXE)

Attackers can exploit vulnerable XML processors. Manual testers need to be trained in how to test for XXE.

SAST tools can detect this issue by inspecting dependencies and configuration.

DAST tools require additional manual steps to detect and exploit this issue.

Learn More: https://portswigger.net/web-security/xxe

5. Broken Access Control

Access control weaknesses are common because automated tools rarely detect them and because application developers seldom perform effective functional testing of access control.

Ways to prevent attacks: JWT tokens must be invalidated on the server after logout, and the API should be rate limited.

Learn More: https://hdivsecurity.com/owasp-broken-access-control

6. Security Misconfiguration

Attackers will try to gain system access through default accounts, unused pages, insecure files, or unprotected directories.

Security misconfiguration can occur at any level of the application stack.

Learn More: https://www.guardicore.com/2019/03/understanding-and-avoiding-security-misconfiguration/

7. Cross-Site Scripting (XSS)

XSS is the second most prevalent issue in the OWASP Top 10.

It is found in about two-thirds of all applications. Automated tools can find some XSS problems automatically.

XSS can be prevented by applying context-sensitive output encoding and by enabling a Content Security Policy.

Learn More: https://en.wikipedia.org/wiki/Cross-site_scripting

8. Insecure Deserialization

The impact of insecure deserialization flaws cannot be overstated.

These flaws can lead to remote code execution, one of the most serious attacks possible.

Learn More: https://cwe.mitre.org/data/definitions/502.html

9. Using Components with Known Vulnerabilities

The scope of this issue is very broad. Some scanners, such as Retire.js, help find vulnerable components. There should be a patch management process.

Remove unused dependencies, files, and components. Use software analysis tools to automate the process.

Learn More: https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities

10. Insufficient Logging & Monitoring

One strategy to determine whether you have adequate monitoring is to check the logs after a penetration test.

To prevent attacks, establish effective monitoring and alerting.

Learn More: https://cwe.mitre.org/data/definitions/778.html

Conclusion

Now you know the OWASP Top 10 (Open Web Application Security Project).

Every one of these points should be taken care of if you are creating software or an application.

Jay Hind.
