OWASP Top 10
Top 10 / 6 Security Misconfiguration / Describe
- *most common vulnerability* on this list - often the result of using default configurations - or displaying excessively verbose errors
Top 10 / 5 Broken Access Control / How to prevent?
- Access controls can be secured by ensuring that a web application uses authorization tokens* and sets tight controls on them - Every privileged request that a user makes should require the authorization token
Top 10 / 4 XML External Entities (XEE) / Describe XML
- Extensible Markup Language - intended to be both human and machine readable - now being phased out due to security vulnerabilities and complexity
Top 10 / 3 Sensitive Data Exposure/ Describe
- If web applications don't protect sensitive data such as financial information and passwords, attackers can gain access to that data and use it for nefarious purposes
Top 10 / 4 XML External Entities (XEE) / Describe JSON
- JavaScript Object Notation (JSON) - type of simple, human-readable notation often used to transmit data over the internet. - can be used by many different programming languages
Top 10 / 9 Using Components With Known Vulnerabilities / Describe
- Many modern web developers use components such as libraries and frameworks in their web applications. - Some attackers look for vulnerabilities in these components which they can then use to orchestrate attacks.
What is OWASP?
- Open Web Application Security Project - international non-profit org dedicated to web application security - all of their materials be freely available and easily accessible on their website
Top 10 / 2 Broken Authentication / What is rate limiting?
- Protects against DoS attacks, brute-force login attempts, and other types of abusive behavior targeting the application layer
What is *Access Control*?
- Refers to a system that controls access to information or functionality
Top 10 / 9 Using Components with known Vulnerabilities / What are libraries and frameworks?
- These components are pieces of software that help developers avoid redundant work and provide needed functionality
Top 10 / 4 XML External Entities (XEE) / Describe
- This is an attack against a web application that parses XML** input - The XML parser can be duped into sending data to an unauthorized external entity, which can pass sensitive data directly to an attacker. - This input can reference an *external entity* (storage unit / HD), attempting to exploit a vulnerability in the parser
What is the OWASP Top 10?
- a regularly-updated report outlining security concerns for web application security, focusing on the 10 most critical risks. - an awareness document
Top 10 / 5 Broken Access Control / Describe
- allow attackers to bypass authorization and perform tasks as though they were privileged users such as administrators
Top 10 / 6 Security Misconfiguration / Give an example
- an application could show a user overly-descriptive errors which may reveal vulnerabilities in the application
Top 10 / 7 Cross-site scripting / Give an example
- an attacker could send an email to a victim that appears to be from a trusted bank, with a link to that bank's website. - This link could have some malicious JavaScript code tagged onto the end of the url - If the bank's site is not properly protected against CSS, then that malicious code will be run in the victim's browser when they click on the link.
Top 10 / 3 Sensitive Data Exposure / How can this be minimized?
- by encrypting all sensitive data as well as disabling the caching* of any sensitive information - Additionally, web application developers should take care to ensure that they are not unnecessarily storing any sensitive data
Top 10 / 1 Injection / How Prevent?
- by validating or sanitizing user-submitted data
Top 10 / 6 Security Misconfiguration / How prevent?
- can be mitigated by removing any unused features in the code and ensuring that error messages are more general
Top 10 / 7 Cross-Site Scripting / How to prevent?
- escaping untrusted HTTP requests - validating and/or sanitizing user-generated content - Using modern web development frameworks like ReactJS and Ruby on Rails also provides some built-in cross-site scripting protection.
Top 10 / 9 Using Components With Known Vulnerabilities / What are common libraries or frameworks?
- front end frameworks like React and smaller libraries that used to add share icons or a/b testing
Top 10 / 1 Injection / Describe
- happens when untrusted data is sent to a code interpreter through a form input or some other data submission to a web application - Ex: an attacker could enter SQL database code into a form that expects a plaintext username (SQL injection attack)
Top 10 / 4 XML External Entities (XEE) / Best way to prevent?
- have web applications accept a less complex type of data, such as JSON**, - or at the very least to patch XML parsers and disable the use of external entities in an XML application.
Top 10 / 8 Insecure Deserialization / Is the result of what?
- is the result of deserializing data from untrusted sources - and can result in serious consequences like DDoS attacks and remote code execution attacks
What is *deserialization*?
- just the opposite of serialization: converting serialized data back into objects the application can use - like unpacking the boxes and assembling the furniture after the move
Top 10 / 10 Insufficient Logging and Monitoring / Describe
- many applications don't take enough steps to detect data breaches - average discovery time for a breach is around 200 days after it has happened
Top 10 / 9 Using Components with Known Vulnerabilities / How to prevent?
- need to patch these components - web application developers don't always have the patched or most-recent versions of components running on their applications - developers should remove unused components from their projects - ensure components are being received from a trusted source and up to date
Top 10 / 7 Cross-Site Scripting / Describe
- occur when web applications allow users to add custom code into a url path or onto a website that will be seen by other users - can be exploited to run malicious JavaScript code on a victim's browser
What is *serialization*?
- taking objects from the application code and converting them into a format that can be used for another purpose - such as storing the data to disk or streaming it. - sort of like packing furniture away into boxes before a move
Top 10 / 8 Insecure Deserialization / Describe
- targets the many web applications which frequently serialize and deserialize data - An insecure deserialization attack is like having the movers tamper with the contents of the boxes before they are unpacked.
Top 10 / 10 Insufficient Logging and Monitoring / How to prevent?
- web developers should implement logging and monitoring as well as incident response plans to ensure that they are made aware of attacks on their applications.
What are the OWASP Top 10 (1-5) ?
1) Injection 2) Broken Authentication 3) Sensitive Data Exposure 4) XML External Entities (XEE) 5) Broken Access Control
What are the OWASP Top 10 (6-10) ?
6) Security Misconfiguration 7) Cross-Site Scripting 8) Insecure Deserialization 9) Using Components With Known Vulnerabilities 10) Insufficient Logging and Monitoring
Top 10 / 3 Sensitive Data Exposure / What is a popular way of stealing this?
Man-in-the-middle attack
Top 10 / 1 Injection / What is Validating Data?
Rejecting suspicious-looking data
Top 10 / 2 Broken Authentication / Ways to mitigate?
Requiring 2-factor authentication (2FA) as well as limiting or delaying repeated login attempts using rate limiting
Top 10 / 2 Broken Authentication / Describe
Vulnerabilities in authentication (login) systems can give attackers access to user accounts and even the ability to compromise an entire system using an admin account.
Top 10 / 8 Insecure Deserialization / How to prevent?
While steps can be taken to try and catch attackers, such as monitoring deserialization and implementing type checks, the only sure way to protect against insecure deserialization attacks is to prohibit the deserialization of data from untrusted sources.
Top 10 / 5 Broken Access Control / Give an example
a web application could allow a user to change which account they are logged in as simply by changing part of a url, without any other verification.
Top 10 / 2 Broken Authentication / Give an example
an attacker can take a list containing thousands of known username/password combinations obtained during a data breach and use a script to try all those combinations on a login system to see if there are any that work.
Top 10 / 1 Injection / What is Sanitizing Data?
cleaning up the suspicious-looking parts data