In this article, we will discuss the OWASP Top 10 (Open Web Application Security Project). Let's start with what OWASP is and what is in the OWASP Top 10.
What is OWASP?
The Open Web Application Security Project (OWASP) is a community that works to improve the security of software. OWASP produces articles, documentation, tools, methods, and techniques that help developers build more secure applications.
It was founded in 2001 by Mark Curphey.
What is the OWASP Top 10?
The OWASP Top 10 is a document written with developers and web application security in mind.
It provides a comprehensive overview of the most important security risks for web applications.
1. Injection
Injection flaws are very prevalent, especially in legacy code. Injection is found in SQL, LDAP, XPath and NoSQL queries, OS commands, and ORM queries.
Injection can lead to loss of data, disclosure of data to unauthorized parties, loss of accountability, or denial of access.
Learn More: https://owasp.org/www-community/Injection_Flaws
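The SQL case in working code, as an added example that is not part of the original article: the first lookup concatenates the caller's input into the query text, the second binds it as a parameter, and the third shows the one thing parameters cannot do (bind an identifier), handled with an allow-list. The `users` table, the function names and the tautology input are all constructed for this example.

```python
import sqlite3

# Constructed in-memory table standing in for an application's user store.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn

def find_user_vulnerable(conn, username):
    """The flaw: untrusted input is concatenated into the SQL text, so the
    database parses whatever the caller supplied as part of the query."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    """The fix: a parameterised query. The placeholder is bound by the driver,
    so the input is only ever treated as a string value, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def find_users_by_role_safe(conn, role, order_by):
    """Identifiers (table and column names) cannot be bound as parameters.
    When they must come from input, map them through an allow-list instead."""
    allowed_columns = {"username": "username", "id": "id"}
    column = allowed_columns.get(order_by)
    if column is None:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    sql = f"SELECT username, role FROM users WHERE role = ? ORDER BY {column}"
    return conn.execute(sql, (role,)).fetchall()

# Classic tautology input: it closes the string literal and appends OR '1'='1'.
TAUTOLOGY_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:", find_user_vulnerable(db, TAUTOLOGY_INPUT))  # every row
    print("safe:      ", find_user_safe(db, TAUTOLOGY_INPUT))        # no rows
```

The same split applies to the other injection targets the article lists: whatever the query language, the fix is an API that keeps data and query structure apart, and an allow-list for the parts (identifiers, sort order, LDAP attribute names) that such an API cannot parameterise.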
2. Broken Authentication
Attackers have access to millions of valid username and password combinations.
Attacks on session management are well understood, especially those that take advantage of session tokens that never expire.
3. Sensitive Data Exposure
Many applications and web APIs do not properly protect sensitive data.
For data in transit, server-side weaknesses are mostly easy to detect; for data at rest, they are hard to detect.
There are many ways to prevent these attacks. Apply protections according to the data's classification. Do not store sensitive data unnecessarily.
Be sure to encrypt all sensitive data that you do keep.
4. XML External Entities (XXE)
Attackers can exploit vulnerable XML processors. Manual testers need to be trained on how to test for XXE.
SAST tools can detect this issue by inspecting dependencies and configuration.
DAST tools require additional manual steps to detect and exploit this issue.
Learn More: https://portswigger.net/web-security/xxe
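A defensive check at the parsing boundary, added here as an example and not code from the original article: external entities (and entity-expansion bombs) can only be declared in a DTD, so the first pass uses expat's declaration handlers to refuse any untrusted document that carries one before the real parse runs. The two sample documents, the `file:///placeholder/path` URI and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

class UnsafeXMLError(ValueError):
    """Raised when an untrusted document carries a DTD, the vehicle for XXE."""

def reject_dtd(data: bytes) -> None:
    """Make a first pass with expat and abort on the first DOCTYPE or entity
    declaration. Refusing the DTD outright removes the whole class of problem;
    a document that legitimately needs a DTD should not be accepted from an
    untrusted source in the first place."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE not accepted in untrusted XML (root {name!r})")

    def on_entity_decl(*args):
        raise UnsafeXMLError("entity declaration not accepted in untrusted XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)   # an exception raised inside a handler propagates out

def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse only after the document has passed the DTD check."""
    reject_dtd(data)
    return ET.fromstring(data)

def is_accepted(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXMLError:
        return False

# Constructed sample documents.
PLAIN_DOC = b"<?xml version='1.0'?><order><item>widget</item><qty>3</qty></order>"

# Same shape, but with a DTD declaring an external entity. The SYSTEM URI is a
# placeholder; an XXE probe would point it at a file or an internal URL.
DTD_DOC = (
    b"<?xml version='1.0'?>\n"
    b"<!DOCTYPE order [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n"
    b"<order><item>&ext;</item></order>"
)
```

This is the configuration-level control the SAST remark above refers to: a reviewer can verify it by reading the code, whereas a DAST scan has to find the parser and feed it a probe document to learn the same thing.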
5. Broken Access Control
Access control weaknesses are common because automated detection is lacking and because application developers rarely do effective functional testing of access control. Ways to prevent attacks:
JWT tokens must be invalidated on the server after logout. Rate-limit API access.
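Server-side session handling that covers both the "unexpired session tokens" point under Broken Authentication and the two preventions listed here (invalidate on logout, rate-limit), as an added example that is not code from the original article. It uses opaque random tokens kept in a server-side store; the same revocation principle applies to JWTs, which need a server-side denylist to be invalidated before they expire. The TTL, attempt limit, window length and `verify_password` callback are assumptions made for the example.

```python
import secrets
import time

# Constructed policy values for the example.
SESSION_TTL_SECONDS = 15 * 60   # absolute lifetime of a session token
MAX_ATTEMPTS = 5                # login attempts allowed per client per window
WINDOW_SECONDS = 60

class SessionStore:
    """Server-side session registry. The server, not the client, decides
    whether a token is still valid, so tokens can expire and be revoked."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can move time forward
        self._sessions = {}          # token -> (username, expires_at)

    def create(self, username):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self._sessions[token] = (username, self._clock() + SESSION_TTL_SECONDS)
        return token

    def resolve(self, token):
        """Username for a live token, or None if unknown, revoked or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[token]   # expired: drop it so it cannot be replayed
            return None
        return username

    def logout(self, token):
        # Revocation is server-side; a client that kept a copy gains nothing.
        self._sessions.pop(token, None)

class RateLimiter:
    """Fixed-window counter per client key (source IP, username, ...)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._hits = {}              # key -> (window_start, count)

    def allow(self, key):
        now = self._clock()
        start, count = self._hits.get(key, (now, 0))
        if now - start >= WINDOW_SECONDS:
            start, count = now, 0    # the window rolled over
        count += 1
        self._hits[key] = (start, count)
        return count <= MAX_ATTEMPTS

def login(store, limiter, client_key, username, password, verify_password):
    """Rate-limit first, then check the credentials, then mint a session.
    Returns a token on success and None otherwise. verify_password is the
    application's own credential check (an assumption of this example)."""
    if not limiter.allow(client_key):
        return None                  # too many attempts from this client
    if not verify_password(username, password):
        return None
    return store.create(username)
```

Rate-limiting before the credential check is deliberate: it caps how many of the "millions of valid username and password combinations" an attacker can try per window, and it does so before any expensive password hashing runs.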
6. Security Misconfiguration
Attackers will try to gain system access through default accounts, unused pages, unprotected files, or directories.
Security misconfiguration can occur at any level of the application stack.
7. Cross-Site Scripting (XSS)
XSS is the second most prevalent issue in the OWASP Top 10.
It is found in about two-thirds of all applications. Automated tools can detect some XSS problems automatically.
Prevention is achieved by applying context-sensitive output encoding and by enabling a Content Security Policy.
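Both preventions in working form, as an added example rather than code from the original article: one encoder per output context (HTML text and attributes, JavaScript string literal, URL query value), a page renderer that picks the encoder matching where each value lands, and a Content-Security-Policy header that refuses inline script so a missed encoding still cannot execute. The page layout, the `/static/profile.js` path and the header values are constructed for this example.

```python
import html
import json
import urllib.parse

def encode_for_html(value: str) -> str:
    """Element content and quoted attribute values: & < > " ' become entities."""
    return html.escape(value, quote=True)

def encode_for_js_string(value: str) -> str:
    """JavaScript string-literal context inside a <script> block. JSON encoding
    handles quotes and control characters (and, with ensure_ascii, U+2028/2029);
    < > & are escaped as well so a value can never close the script element."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))

def encode_for_url_param(value: str) -> str:
    """Query-string value: percent-encode everything except unreserved characters."""
    return urllib.parse.quote(value, safe="")

def render_profile(display_name: str, return_to: str) -> str:
    """Each interpolation uses the encoder for the context it lands in. The
    value is handed to script through a data attribute, not an inline script,
    so the page stays compatible with the CSP below."""
    return (
        f'<div id="profile" data-display-name="{encode_for_html(display_name)}">\n'
        f"  <p>Hello, {encode_for_html(display_name)}</p>\n"
        f'  <a href="/after-login?next={encode_for_url_param(return_to)}">continue</a>\n'
        "</div>\n"
        '<script src="/static/profile.js"></script>'   # allowed by script-src 'self'
    )

def security_headers() -> dict:
    """Response headers for the page. script-src 'self' blocks inline and
    third-party script; object-src and base-uri close the plugin and <base>
    bypasses; frame-ancestors 'none' also stops clickjacking."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'none'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }
```

If a page genuinely needs an inline script, `encode_for_js_string` is the encoder for values inside it, and the CSP then needs a per-response nonce on that script tag rather than `'unsafe-inline'`.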
8. Insecure Deserialization
The impact of insecure deserialization flaws cannot be overstated.
These flaws can lead to remote code execution, one of the most serious attacks possible.
Learn More: https://cwe.mitre.org/data/definitions/502.html
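Why deserialization turns into code execution, and the corresponding hardening, in Python's native `pickle` format, as an added example that is not code from the original article: the default loader resolves any `module.attribute` a stream names, so the fix is an unpickler whose `find_class` only honours an explicit allow-list and refuses everything else. The `Order` class, the allow-list and the two sample streams are constructed for this example.

```python
import builtins
import io
import os
import pickle

class Order:
    """Plain data object the application legitimately exchanges."""
    def __init__(self, customer: str, quantity: int):
        self.customer = customer
        self.quantity = quantity

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an explicit allow-list of globals.
    pickle.loads resolves whatever module.attribute the stream names, which
    is exactly what lets a crafted stream reach code the application never
    meant to call."""
    SAFE_BUILTINS = {"dict", "list", "set", "tuple", "str", "int", "float", "bool"}

    def find_class(self, module, name):
        if module == "builtins" and name in self.SAFE_BUILTINS:
            return getattr(builtins, name)
        if (module, name) == (Order.__module__, Order.__qualname__):
            return Order
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads on data from outside the trust boundary."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_accepted(data: bytes) -> bool:
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False

# Constructed samples.
def legitimate_sample() -> bytes:
    return pickle.dumps(Order("alice", 2))

def forbidden_global_sample() -> bytes:
    # A stream that merely names a global outside the allow-list (here an
    # innocuous os function). The default loader would resolve it; this one won't.
    return pickle.dumps(os.getcwd)
```

The allow-list approach is the fallback; where the format can be chosen, a data-only format such as JSON with schema validation removes the object-resolution step altogether.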
9. Using Components with Known Vulnerabilities
The scope of this issue is very broad. Some scanners, such as Retire.js, help with detection. There should be a patch management process.
Remove unused dependencies, files, and components. Use software composition analysis tools to automate the process.
10. Insufficient Logging & Monitoring
One strategy to determine whether you have adequate monitoring is to check the logs after a penetration test.
To prevent an attack: establish effective monitoring and alerting.
Learn More: https://cwe.mitre.org/data/definitions/778.html
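What "effective monitoring and alerting" looks like over actual log lines, as an added example and not code from the original article: a parser for a simple authentication log format and a sliding-window detector that raises one alert per source IP once enough failed logins fall inside the window, while also counting lines it could not parse (a sudden rise in that number is itself worth an alert). The log format, the sample lines, the threshold and the window are constructed for this example; after a penetration test, running the real logs through a detector like this is the check the article suggests.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application log lines (ISO timestamps, one event per line).
LOG_LINES = """\
2024-03-01T10:00:01Z LOGIN_FAIL user=alice ip=203.0.113.9
2024-03-01T10:00:04Z LOGIN_FAIL user=alice ip=203.0.113.9
2024-03-01T10:00:07Z LOGIN_FAIL user=bob ip=203.0.113.9
2024-03-01T10:00:09Z LOGIN_OK user=carol ip=198.51.100.2
2024-03-01T10:00:12Z LOGIN_FAIL user=carol ip=203.0.113.9
2024-03-01T10:00:15Z LOGIN_FAIL user=dave ip=203.0.113.9
2024-03-01T10:00:20Z LOGIN_FAIL user=erin ip=203.0.113.9
2024-03-01T10:07:00Z LOGIN_FAIL user=frank ip=203.0.113.9
2024-03-01T10:07:30Z LOGIN_OK user=alice ip=198.51.100.2
not a log line at all
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"(?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse_line(line):
    """One structured record per well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "event": m["event"],
        "user": m["user"],
        "ip": m["ip"],
    }

def detect_failed_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding window per source IP: emit one alert per IP the first time
    `threshold` LOGIN_FAIL events fall inside `window`. Returns the alerts
    and the number of lines that did not parse."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures
    alerts, alerted, unparsed = [], set(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["event"] != "LOGIN_FAIL":
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["user"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append({
                "ip": rec["ip"],
                "failures": len(q),
                "distinct_users": len({user for _, user in q}),
                "first": q[0][0],
                "last": rec["ts"],
            })
    return alerts, unparsed

if __name__ == "__main__":
    found, bad = detect_failed_login_bursts(LOG_LINES)
    for alert in found:
        print(f"ALERT {alert['ip']}: {alert['failures']} failures across "
              f"{alert['distinct_users']} users between {alert['first']} and {alert['last']}")
    print(f"{bad} line(s) could not be parsed")
```

The `distinct_users` field is what distinguishes one user mistyping a password from a credential-stuffing run across many accounts; the alert is worth little without that context, which is also why the log line has to record the user, the source and the outcome in the first place.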
Now you know the OWASP Top 10 (Open Web Application Security Project).
Every one of these points should be taken care of if you are creating software or an application.