All developers and web application development companies with cybersecurity knowledge should be aware of OWASP. It is above all a community whose primary vocation is to help improve the security of software and web applications. Optimum Circle takes a look back at OWASP’s “Top 10” project, the cybersecurity score ranking for your business.
Founded in September 2001, this cybersecurity community is working on several projects. It aims to offer tools and methods for Internet users and developers as well as companies. Its purpose is to control and help decision-making regarding the security of Web products. The Open Web Application Security Project (OWASP) Foundation is globally recognized for its work and recommendations for more secure coding. It even aims to change the culture of organizations in terms of software development and safer products. Its philosophy being based on Open Source, its contributions are free and open to all. Among the various projects supported by the Foundation, we are interested in this article in the OWASP “Top 10” project. Behind this name is a standard on developer awareness of the top ten web application security risks.
It is important to mention that the last Top10 ranking dates from 2017. 2020 is a bit special for this project because an update is in progress. A global contribution was opened between May 2020 and November 30. The goal is to collect the most complete set of data related to application vulnerabilities. This collection must make it possible, after validation, standardization and analysis of the data provided, to update this classification. It is looking for more precise and representative statistics of the vulnerabilities observed between 2017 and today.
Pending the future ranking in 2021, Optimum circle returns for you to the 10 cybersecurity vulnerabilities.
Code Injection Flaws
First, injection flaws occur when an application sends untrusted data to an interpreter. The data has not been previously validated, filtered or cleaned. Almost any data source can be an injection vector. And it must be taken into account that anyone can send harmful data to the system (users or administrators).
Very often you can find them in SQL queries, LDAP, XPath, noSQL, OS commands, XML parsers, program arguments, etc.
In conclusion, an injection of malicious code can result in data loss or corruption. It may also amount to disclosure to unauthorized third parties, loss of rights, or denial of access. This can even go to the takeover of the server by the attacker.
Bypassed authentication (major problem in cybersecurity)
Namely, if the functions related to authentication and session management are not implemented correctly, the attacker can potentially steal identities. This opens up possibilities for social security fraud, money laundering or the disclosure of very sensitive information.
Exposure of sensitive data
Indeed, so-called sensitive data requires special measures to guarantee their protection. Examples include payment card numbers, passwords or confidential health-related data. Usual precautions, such as the use of encryption to store and exchange this information, are mandatory to avoid any compromise.
XML External Entities (XXE)
It is true that the use of old XML processors can allow a hacker to send XML. It is thus possible to inject malicious code into an XML document. These flaws can then be used to extract data, execute remote queries or analyze internal systems. In addition, it is also possible to perform a denial of service (DoS) attack, or execute other attacks.
Access control bypassed
First, it should be noted that access controls are used to apply a policy ensuring that users respect the rights and permissions granted to them. A poor implementation of these controls can result in the attacker obtaining rights from another user or even an administrator. As a result, they can potentially access unauthorized features or data. The hacker can thus consult sensitive data, modify data of other users or alter access rights.
Misconfigurations of security
First of all, the misconfiguration of security is the most frequently observed error. One can list insecure default configurations and accounts, incomplete or ad-hoc configurations. Open cloud storages, misconfigured HTTP headers or verbose error messages also contain sensitive information. This concerns the operating systems, frameworks, libraries and applications used, which must be correctly configured. You have to have a careful policy of patches and updates.
Finally, such cybersecurity flaws or vulnerabilities often provide hackers with unauthorized access to certain system data. This can go as far as functionalities or even sometimes lead to a complete compromise of the system.
Cross-Site scripting (XSS)
To date, XSS flaws occur when an application includes untrusted data without validation or checking for special characters. An attacker can then arbitrarily execute HTML code or JavaScript scripts in the victim’s browser. It can thus hijack user sessions, disfigure websites or redirect the user to malicious sites.
Insecure deserialization
Serialization/deserialization consists of encoding/decoding information in the form of a sequence of smaller information for its backup, transport or standardized exchanges with other applications. Insecure deserialization of information often leads to remote code execution or distributed denial of service (DDoS). These cybersecurity flaws can also be used to perform replay, code injection, or privilege escalation attacks.
Use of components with known cybersecurity vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities can weaken defenses and cause various attacks and impacts.
Insufficient cybersecurity monitoring (logging, monitoring)
To begin with, measures should be put in place to detect attacks that the web application may be subject to. Exploitation of supervision and logging deficiencies are at the root of almost all major incidents. These deficiencies in supervising and managing quick and adequate responses allow hackers to achieve their objectives undetected. The hacker can then maintain persistence, pivot to more systems, or even compromise, extract, or destroy data. Most studies on breaches show that the time required for their detection is more than 200 days. Moreover, they are usually discovered by external parties rather than by internal processes or monitoring.
For each of these risks, leads are offered on the Foundation’s website to help determine whether the application may be vulnerable. It also offers recommendations to protect against it and illustrate with relevant attack scenarios. Among other OWASP projects, “WebGoat” offers a training platform on the most common web vulnerabilities.
For more information on cybersecurity and securing your websites, Optimum Circle has made available white papers to enlighten you. Do you want to know more about everything related to web security? Do not hesitate to contact us now!
Three ideas to remember
What is OWASP?
Founded in September 2001, the OWASP (Open Web Application Security Project) aims to offer tools and methods for Internet users and developers as well as companies. Its purpose is to control and help decision-making regarding the security of Web products. The foundation is globally recognized for its work and recommendations for more secure coding.
What is the OWASP Top 10 Project?
As its name suggests, the OWASP Top 10 Project is a project of the OWASP Foundation. a standard on developer awareness of the top 10 web application security risks. The goal is to collect the most complete set of data related to application vulnerabilities. The last ranking dates from 2017, the next update should arrive for 2021.
What are the 10 cybersecurity vulnerabilities?
In this ranking of the 10 cybersecurity vulnerabilities, we find code injection flaws, bypassed authentication, exposure of sensitive data, XML External Entities (XXE) processes, bypassed access control, bad security configurations, Cross-Site scripting (XSS) vulnerabilities, insecure deserialization, use of components with known vulnerabilities, and insufficient cybersecurity monitoring.