OWASP Top 10 Vulnerabilities
Ways to Prevent XSS
1. Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities.
2. Never allow untrusted data to be inserted in div or script tags.
3. Encode data inserted in HTML, CSS tags, and attributes.
4. Sanitization.
Ways to Prevent XML External Entity Attacks
1. Have web applications accept a less complex type of data, such as JSON.
2. At the very least, patch XML parsers and disable the use of external entities in an XML application.
Ways to Prevent Security Misconfigurations
A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment. Automate this process in order to minimize the effort required to set up a new secure environment.
Known Vulnerabilities
Attackers look for vulnerabilities in components that are pieces of software that help developers avoid redundant work and provide needed functionality
Ways to Prevent Broken Authentication
Implement multi-factor authentication (MFA), check for weak passwords, limit failed login attempts, and ensure that registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.
Sensitive Data Exposure
Consists of compromising data that should have been protected, such as passwords, credentials, and other personal information.
DOM XSS
JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data in a page are vulnerable to DOM XSS. Ideally, the application would not send attacker-controllable data to unsafe JavaScript APIs. Includes attacks against the user's browser such as malicious software downloads, keylogging, and other client-side attacks.
Ways to Prevent Using Components with Known Vulnerabilities
Monitor sources like Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD) for vulnerabilities in the components. Obtain components only from official sources. Use virtual patching.
Ways to Prevent Insufficient Logging and Monitoring
OWASP recommends that web developers should implement logging and monitoring as well as incident response plans to ensure that they are made aware of attacks on their applications.
Ways to Prevent Sensitive Data Exposure
Obtain an SSL/TLS certificate to protect data in transit, and encrypt all sensitive data to protect it at rest.
Parameterization
Parameterized queries do proper substitution of arguments prior to running the SQL query. This completely removes the possibility of "dirty" input changing the meaning of your query: if the input contains SQL, it can't become part of what is executed, because the SQL is never injected into the resulting statement. The sqlQuery is sent as a query, the database knows exactly what this query will do, and only then does it insert the username and password merely as values. Contrast this with building the query by string concatenation, which is what makes injection possible:
sqlQuery='SELECT * FROM custTable WHERE User=' + Username + ' AND Pass=' + password
With a parameterized query, the input "Nobody OR 1=1'--" would simply be looked up as a literal username with a blank password.
Ways to Prevent Injection Flaws
Separate data from the web application logic and settings to limit data exposure in case of a successful injection attack.
Stored XSS
The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered high or critical risk.
Reflected XSS
The attacker includes HTML code within a link to a web address knowing the linked page will fail to sanitize the included HTML code, which is often seen on pages that display the query that a user entered.
Ways to Prevent Broken Access Control
Deny by default, and implement access control mechanisms more than once throughout the application (screens, read and write processes).
Insufficient Logging and Monitoring
Web applications are not taking enough steps to detect data breaches. The average discovery time for a breach is around 200 days after it has happened. This gives attackers a lot of time to cause damage before there is any response.
Ways to Prevent Insecure Deserialization
While steps can be taken to try and catch attackers, such as monitoring deserialization and implementing type checks, the only sure way to protect against insecure deserialization attacks is to prohibit the deserialization of data from untrusted sources in your design.
XML External Entities (XXE)
A type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. Can lead to:
1. disclosure of confidential data
2. denial of service, server-side request forgery
3. port scanning from the perspective of the machine where the parser is located
Broken Access Control
Allows attackers to bypass authorization and perform tasks as though they were privileged users such as administrators. For example, a web application could allow a user to change which account they are logged in as simply by changing part of a URL, without any other verification.
Broken Authentication
Can allow an attacker to use manual and/or automated means to try to gain control over any account he/she wants in a system, or even worse, to gain complete control over the system.
Cross-Site Scripting
Occurs when web applications allow users to add custom code into a URL path or onto a website that will be seen by other users. This vulnerability can be exploited to run malicious JavaScript code in a victim's browser. For example, an attacker could send an email to a victim that appears to be from a trusted bank, with a link to that bank's website. This link could have some malicious JavaScript code tagged onto the end of the URL. If the bank's site is not properly protected against cross-site scripting, then that malicious code will be run in the victim's web browser when they click on the link.
Sanitization
Parse and clean HTML-formatted text with an "allow list" approach using a library. All allowed tags and attributes can be configured.
Security Misconfigurations
The most common vulnerability on the list, and often the result of using default configurations or displaying excessively verbose errors. For instance, an application could show a user overly descriptive errors which may reveal vulnerabilities in the application, or default accounts with default passwords could be used to gain control of the system.
Insecure Deserialization
The result of deserializing data from untrusted sources; can lead to serious consequences like DDoS attacks and remote code execution, and thus extortion or data leaks.
keylogging
The use of a computer program to record every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information.
Injection Flaw
Occurs when an attacker sends invalid data to the web application with the intention of making it do something different from what the application was designed/programmed to do.