You may have seen the OWASP® Top 10 on our site or around the web and are wondering what it is.
Let’s start with what OWASP® is. It stands for the Open Web Application Security Project®. They are a nonprofit organization whose goal is to improve the security of software. They use community-led open source projects and local chapters with tens of thousands of members to help support training and education efforts through conferences and classes.
Consequently, OWASP® has provided guidance on what they believe are the best ways to ensure application security. This guidance is the OWASP® top 10.
What is on the OWASP® top 10 guide?
The OWASP® top 10 provides 10 of the most common security risks for applications. These include:
- Injection attacks – This occurs when an attacker sends bad data to an interpreter as part of a command or query and it tricks the interpreter into accessing data without the correct authentication or executing unintended commands. One potential outcome of such an attack is deleting an entire user database.
- Broken authentication – This refers to two weaknesses, session management and credential management. This can allow attackers to compromise passwords, keys, or session tokens. Attackers can also exploit other flaws allowing them to assume a users’ identity.
- Sensitive data exposure – Most people understand this is a big issue. If sensitive data such as Personally Identifiable Information (PII) or Protected Health Information (PHI) is exposed to the internet, there can be huge ramifications. An attacker can use the sensitive data for identity theft, credit card fraud, and other serious crimes.
- Extensible Markup Language (XML) external entities (XXE) – In web applications, XML is commonly used to transport data from one script to another, or from one application to another. An XML processor will perform actions such as updating databases, executing work processes, transforming content, and delivering content to users. An XML external entity is a type of custom XML entity whose defined values are loaded from outside of the document type definition, meaning they can be defined based on the contents of file path or URL. Essentially, it often allows an attacker to view files on the application server filesystem and to interact with back-end or external systems that the application can access.
- Broken access control – Attackers can exploit a vulnerability to simulate an authenticated user. Once they get access, they can mirror the same privilege levels as an administrative user. This can mean an attacker can access other user’s accounts, view sensitive files, change access rights, and modify users’ data.
- Security misconfiguration – This is typically an issue from insecure default configurations, open cloud storage, incomplete configurations, or verbose error messages containing sensitive information.
- Cross-site scripting – This occurs when an application includes untrusted data in a response to the client without proper validation, or when untrusted data is stored within the application for a client to view. The vulnerability can be used by attackers to bypass access controls such as the same-origin policy.
- Insecure deserialization – This can often lead to remote code execution but can also result in denial of service attacks or the bypassing of authentication methods. Often the goal is to run system commands.
- Using components with known vulnerabilities – Components like frameworks and libraries run with the same privileges as the application. If a component is vulnerable and exploited, it can cause serious data loss or a server takeover from an attacker. You may not realize the components are vulnerable, but attackers will, and they will exploit it.
- Insufficient logging and monitoring– similar to network monitoring and logging, if you don’t know what’s going on in your application, you can’t shut down the nefarious actors. This means attackers can maintain a presence for a long time, possibly biding their time and waiting for the perfect opportunity to strike. OWASP® reminds that “most breach studies show time to detect a breach is over 200 days.” Let that statement sink in for a moment… 200 days to allow an attacker to gain insight and data on your application you thought was secure.
Now that you are aware of some of the most common vulnerabilities and exploits in applications, you can think about the importance of having your application checked. That might be internally with your own employees, or through a third-party such as MainNerve. The benefit of a third-party testing company is that their testers perform these tests daily, so they are quick, efficient, and accurate. Additionally, MainNerve’s testers don’t eat, live, and breathe a customer’s applications, meaning they are less likely to overlook a key vulnerability.
MainNerve uses the top 10 to start with, but the testers use their vast knowledge and experience to continue navigating many other vulnerabilities that are not yet known to simple scans. If you are thinking about a web application penetration test, give MainNerve a call. We’ll answer questions and provide honest guidance. We’re your penetration testing partner that will provide transparency in cybersecurity.