OWASP Top 10 Vulnerabilities
Ways to Prevent Security Misconfigurations
A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment. Automate this process in order to minimize the effort required to set up a new secure environment.
Known Vulnerabilities
Attackers look for vulnerabilities in components that are pieces of software that help developers avoid redundant work and provide needed functionality
Ways to Prevent XSS
Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The OWASP Cheat Sheet 'XSS Prevention' has details on the required data escaping techniques.
Ways to Prevent Broken Authentication
Implement multi-factor authentication (MFA), weak password checks, limit failed login attempts, and Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.
Sensitive Data Exposure
It consists of compromising data that should have been protected such as passwords, credentials, and other personal information.
DOM XSS
JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data to a page are vulnerable to DOM XSS. Ideally, the application would not send attacker-controllable data to unsafe JavaScript APIs. Includes attacks against the user's browser such as malicious software downloads, keylogging, and other client-side attacks.
Ways to Prevent Using Components with Known Vulnerabilities
Monitor sources like Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD) for vulnerabilities in the components. Obtain components only from official sources. Use virtual patch
Ways to Prevent Insufficient Logging and Monitoring
OWASP recommends that web developers should implement logging and monitoring as well as incident response plans to ensure that they are made aware of attacks on their applications.
Ways to Prevent Sensitive Data Exposure
Obtain an SSL certificate to protect data in transit and encrypt all sensitive data to protect data at rest
Ways to Prevent Injection Flaws
Separation of data from the web application logic and settings to limit data exposure in case of successful injection attacks
Stored XSS
The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered high or critical risk.
Reflected XSS
The attacker includes HTML code within a link to a web address knowing the linked page will fail to sanitize the included HTML code, which is often seen on pages that display the query that a user entered.
Ways to Prevent Broken Access Control
Use deny by default, implement access control mechanisms more than once throughout the application,
Insufficient Logging and Monitoring
Web applications are not taking enough steps to detect data breaches. The average discovery time for a breach is around 200 days after it has happened. This gives attackers a lot of time to cause damage before there is any response.
XML External Entities (XXE)
a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
Broken Authentication
can allow an attacker to use manual and/or automatic mediums to try to gain control over any account he/she wants in a system - or even worse - to gain complete control over the system.
Cross-Site Scripting
occur when web applications allow users to add custom code into a url path or onto a website that will be seen by other users. This vulnerability can be exploited to run malicious JavaScript code on a victim's browser. For example, an attacker could send an email to a victim that appears to be from a trusted bank, with a link to that bank's website. This link could have some malicious JavaScript code tagged onto the end of the url. If the bank's site is not properly protected against cross-site scripting, then that malicious code will be run in the victim's web browser when they click on the link.
Insecure Deserialization
the result of deserializing data from untrusted sources, and can result in serious consequences like DDoS attacks and remote code execution attacks.
Ways to Prevent Insecure Deserializaton
While steps can be taken to try and catch attackers, such as monitoring deserialization and implementing type checks, the only sure way to protect against insecure deserialization attacks is to prohibit the deserialization of data from untrusted sources.
Broken Access Control
allow attackers to bypass authorization and perform tasks as though they were privileged users such as administrators. For example a web application could allow a user to change which account they are logged in as simply by changing part of a url, without any other verification.
Ways to Prevent XML External Entity Attacks
have web applications accept a less complex type of data, such as JSON**, or at the very least to patch XML parsers and disable the use of external entities in an XML application.
Security Misconfigurations
the most common vulnerability on the list, and is often the result of using default configurations or displaying excessively verbose errors. For instance, an application could show a user overly-descriptive errors which may reveal vulnerabilities in the application.
Injection Flaw
when an attacker sends invalid data to the web application with the intention to make it do something different from what the application was designed/programmed to do.