Enhancing Web App Security with OWASP Top 10 (Part 1)

Kenny Wolf
Published in Geek Talk
4 min read · Jul 23, 2023
[Cover image: OWASP Top 10]

As a web developer, I’m not only concerned about stability and performance, but also about the security of my web app.

However, as a developer, I find it challenging to know which common security vulnerabilities to even look out for. The Open Web Application Security Project (OWASP for short) helps with this. The OWASP Top 10 is a standard awareness document for developers on web application security.

It represents a broad consensus on the most important security risks for web applications.

Meet the Team

The OWASP Top 10 was created by the Open Web Application Security Project Foundation — a non-profit organisation dedicated to improving software security.

OWASP regularly produces freely available materials on web application security. The Top 10 Web Application Security Risks were re-ranked in 2021. These categories are sorted by the frequency of their occurrence.

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

In this article we take a closer look at the first five.

Broken Access Control

This is a very broad category.

In general, it is about users seeing or doing more than they should. The root of this evil is placing too much trust in users. A good example of Broken Access Control is Insecure Direct Object Reference (IDOR for short).

IDOR is present when an app fails to restrict access to objects that lie outside a user's own scope.

Example: Reading another user's account data simply by changing the ID number in the URL.
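The IDOR example above in code, as an added illustration that is not part of the original article: a vulnerable handler that trusts the ID from the URL next to one that checks ownership per object. The `Account` type, the in-memory `ACCOUNTS` store and the IDs are constructed sample data standing in for a real database.

```python
# Added example, not code from the article: the IDOR pattern from the
# "Broken Access Control" section, with a constructed in-memory store
# standing in for the database.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Account:
    account_id: int
    owner_id: int
    iban: str


# Constructed sample data: user 1 owns account 101, user 2 owns 102.
ACCOUNTS: Dict[int, Account] = {
    101: Account(account_id=101, owner_id=1, iban="DE00 TEST 0001"),
    102: Account(account_id=102, owner_id=2, iban="DE00 TEST 0002"),
}


class Forbidden(Exception):
    """Raised when the requester may not read the requested object."""


def get_account_vulnerable(requester_id: int, account_id: int) -> Optional[Account]:
    """IDOR: the handler trusts the account_id taken from the URL and never
    asks whether the authenticated requester actually owns that account."""
    return ACCOUNTS.get(account_id)


def get_account_secure(requester_id: int, account_id: int) -> Optional[Account]:
    """Same lookup, but the authorisation decision is made per object:
    the record is returned only if it belongs to the requester."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return None  # unknown ID: plain "not found"
    if account.owner_id != requester_id:
        # Deny by default. Many apps answer 404 rather than 403 here so the
        # response does not confirm that the ID exists at all.
        raise Forbidden(f"user {requester_id} may not read account {account_id}")
    return account


def demo() -> Tuple[bool, bool]:
    """User 1 asks for user 2's account 102. Returns
    (vulnerable_handler_leaked_it, secure_handler_denied_it)."""
    leaked = get_account_vulnerable(1, 102) is not None
    try:
        get_account_secure(1, 102)
        denied = False
    except Forbidden:
        denied = True
    return leaked, denied


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The point is that the lookup itself is identical in both handlers; what differs is that the secure one makes the ownership check part of every object access instead of assuming the URL is trustworthy.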

Cryptographic Failures

Any misuse, or absence, of cryptographic protection falls into this category.

This item used to be known as “Sensitive Data Exposure”, but that name was not quite accurate, as it described a symptom and an effect rather than a cause. Cryptographic failure can, and often does, lead to data exposure. This type of failure concerns the protection and secrecy of data in transit and at rest.

This data typically includes authentication data such as usernames and passwords, but also includes personal data such as personal and financial information, health data, trade secrets and more.

Example: Use of outdated or weak cryptographic algorithms and protocols.
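One concrete instance of "outdated or weak cryptographic algorithms" is how passwords are stored. The following added example (my code, not the article's) shows an unsalted MD5 store beside a salted PBKDF2-HMAC-SHA256 store with a constant-time comparison. The iteration count, the storage format string and the salt length are my assumptions, not values from the article.

```python
# Added example, not code from the article: weak versus stronger password
# storage, one instance of the "Cryptographic Failures" category.
import hashlib
import hmac
import os
from typing import Optional

# --- weak: unsalted, fast hash ---------------------------------------------
def hash_password_weak(password: str) -> str:
    """MD5 is fast and there is no salt: identical passwords give identical
    hashes, and precomputed tables or brute force recover them cheaply."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# --- stronger: salted, slow, constant-time verified -------------------------
PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own hardware budget
SALT_BYTES = 16              # assumption: 128-bit random salt per user


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Returns 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' (assumed
    format). A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the hash with the stored salt and iteration count and
    compares in constant time, so timing does not leak matching prefixes."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False  # refuse unknown or legacy algorithms
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                         # False
```

Two things to notice when running it: the weak hash of the same password is always the same string, so two users with the same password are immediately visible in a leaked table, while the salted record differs every time it is generated; and verification never compares with `==`, which would leak timing information.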

Injection

An injection attack occurs when untrusted data supplied to an application causes it to execute unintended commands.

Such data or malicious code is inserted by an attacker and can compromise data or the entire application. The most common injection attacks are SQL injection, cross-site scripting (XSS) and command injection.

An application is vulnerable to an injection attack if one or more of the following conditions exist:

  • User-supplied data is not validated, filtered or sanitised.
  • The interpreter directly uses dynamic queries or non-parameterised calls without contextual escaping.
  • Dangerous data is used directly, concatenated or used in object-relational mapping (ORM) search parameters to extract additional sensitive records.

Example: As a user, I can enter HTML tags (e.g. <script>) in an input field, which are then rendered and executed instead of being displayed as text.
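The two injection conditions from the list above (dynamic queries without parameterisation, and output without contextual escaping) side by side with their fixes, as an added example that is not from the article. It uses Python's built-in `sqlite3` and `html` modules with a constructed in-memory `users` table; the table layout and the sample rows are my own.

```python
# Added example, not code from the article: SQL injection via string
# concatenation versus a parameterised query, plus HTML output encoding
# for the <script> example from the text. Data is constructed.
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Dynamic query built by concatenation: the database cannot tell where
    the developer's SQL ends and the user's data begins."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_secure(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Parameterised call: name is bound as a value and is never parsed
    as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name: str) -> str:
    """Contextual escaping for the HTML body context: tags typed into the
    input field are shown as text rather than interpreted by the browser."""
    return f"<p>Hello, {html.escape(name)}!</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic textbook input that closes the quote
    print(find_user_vulnerable(db, probe))   # both rows: the WHERE clause is always true
    print(find_user_secure(db, probe))       # []: no user has that literal name
    print(render_greeting("<script>alert(1)</script>"))
```

With the concatenated query, a single quote in the input changes the structure of the statement and the filter is bypassed; with the bound parameter the same input is just a name that matches nobody. The same principle applies to the HTML context: escaping is done at output time, for the context the value lands in, rather than by trying to filter "bad" characters on input.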

Insecure Design

This category of vulnerabilities focuses on the risks associated with deficiencies in design and architecture.

As OWASP explains, these are different from the risks associated with flaws in implementation: even a perfectly implemented insecure design remains vulnerable to attack. Insecure design refers in part to the lack of security controls and business risk profiling during software development, and thus to the lack of an adequate determination of the required level of security design.

This category covers a wide range of attack possibilities, one example being Cross-Site Request Forgery (CSRF).

Example: The application accepts state-changing (CRUD) requests from origins other than its own host.
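The CSRF example above translated into two server-side checks, as an added example that is not part of the article: rejecting state-changing requests whose `Origin` (or `Referer`) is not the app's own, and requiring a session-bound synchronizer token. `APP_ORIGIN`, `SERVER_SECRET`, the header dictionary shape and the function names are my assumptions, not anything from the article or a particular framework.

```python
# Added example, not code from the article: the two standard CSRF
# defences for the "requests from other origins" example in the text.
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

APP_ORIGIN = "https://app.example.test"   # assumption: the app's own origin
SERVER_SECRET = secrets.token_bytes(32)   # assumption: per-deployment secret
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must not change state by design


def origin_allowed(headers: Dict[str, str], method: str) -> bool:
    """Allows safe methods unconditionally. For state-changing methods the
    Origin header (which browsers attach to cross-site requests) must equal
    our own origin; Referer is a fallback. A missing header is denied."""
    if method.upper() in SAFE_METHODS:
        return True
    origin: Optional[str] = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == APP_ORIGIN


def csrf_token(session_id: str) -> str:
    """Synchronizer token derived from the session with an HMAC, so it can be
    verified without storing it and cannot be forged without the secret."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted: str) -> bool:
    return hmac.compare_digest(csrf_token(session_id), submitted)


def request_allowed(method: str, headers: Dict[str, str],
                    session_id: str, submitted_token: Optional[str]) -> bool:
    """Combined decision a middleware would make before running a handler."""
    if not origin_allowed(headers, method):
        return False
    if method.upper() in SAFE_METHODS:
        return True
    return csrf_token_valid(session_id, submitted_token or "")


if __name__ == "__main__":
    token = csrf_token("session-abc")
    print(request_allowed("POST", {"Origin": APP_ORIGIN}, "session-abc", token))        # True
    print(request_allowed("POST", {"Origin": "https://other.example.test"},
                          "session-abc", token))                                          # False
    print(request_allowed("POST", {"Origin": APP_ORIGIN}, "session-abc", None))         # False
```

The origin check stops the cross-site form post by itself in modern browsers; the token is the defence that keeps working when the headers are absent or stripped by an intermediary. Both checks are pointless if GET handlers also change state, which is why `SAFE_METHODS` is tied to the design rule that they must not.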

Security Misconfiguration

The term may seem ambiguous, as security misconfiguration can occur in a variety of scenarios.

Essentially, a misconfiguration is present when the responsible party does not follow the recommended procedures when setting up an asset, such as an operating system, web server or piece of software on a computer. It is important to note that security misconfigurations are not limited to web assets: any component that requires configuration is susceptible to this weakness.

Consequently, network devices, hardware, email services and other systems can also be affected by this problem.

Example: Many web frameworks have a debug mode intended for the development environment. There are live sites out there still running in debug mode, and thus disclosing data such as API keys and database passwords.
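The debug-mode example in code, as an added illustration that is not from the article and not tied to any particular framework: a small settings loader that audits its own configuration and refuses to start in production with debug enabled, a template default secret, or a wildcard host list, together with the error page behaviour that makes debug mode dangerous. The setting names, the `APP_ENV` variable and the `change-me` default are my own constructed assumptions.

```python
# Added example, not code from the article: a settings loader that fails
# closed on the classic "Security Misconfiguration" mistakes, framework-
# agnostic. Setting names and defaults are constructed for illustration.
from typing import Dict, List

DEFAULT_SECRET = "change-me"  # constructed stand-in for a template's placeholder secret


def audit_config(settings: Dict, environment: str) -> List[str]:
    """Returns a list of findings; an empty list means the config is acceptable
    for the given environment. Only production is strict here."""
    findings: List[str] = []
    if environment != "production":
        return findings
    if settings.get("DEBUG"):
        findings.append("DEBUG is enabled in production: error pages expose settings and stack traces")
    if settings.get("SECRET_KEY") in (None, "", DEFAULT_SECRET):
        findings.append("SECRET_KEY is missing or still the template default")
    if "*" in settings.get("ALLOWED_HOSTS", []):
        findings.append("ALLOWED_HOSTS accepts any Host header")
    return findings


def load_settings(env: Dict[str, str]) -> Dict:
    """Builds settings from environment variables. An unset APP_ENV is treated
    as production, so forgetting the variable cannot silently relax checks."""
    environment = env.get("APP_ENV", "production")
    settings = {
        "DEBUG": env.get("DEBUG", "false").strip().lower() == "true",
        "SECRET_KEY": env.get("SECRET_KEY", DEFAULT_SECRET),
        "ALLOWED_HOSTS": [h.strip() for h in env.get("ALLOWED_HOSTS", "").split(",") if h.strip()],
    }
    problems = audit_config(settings, environment)
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return settings


def config_accepted(env: Dict[str, str]) -> bool:
    """Convenience wrapper: True if load_settings would let the app start."""
    try:
        load_settings(env)
        return True
    except RuntimeError:
        return False


def error_response(exc: Exception, settings: Dict) -> str:
    """What a debug error page does versus a production one. In debug mode
    the whole settings object (keys, passwords and all) ends up in the body."""
    if settings["DEBUG"]:
        return f"500 {exc!r}\nsettings={settings}"
    return "500 Internal Server Error"


if __name__ == "__main__":
    dev_env = {"APP_ENV": "development", "DEBUG": "true"}
    print(config_accepted(dev_env))                       # True: debug is fine here
    print(config_accepted({"DEBUG": "true"}))             # False: APP_ENV unset -> production
    prod = load_settings({"APP_ENV": "production",
                          "SECRET_KEY": "value-from-secret-store",
                          "ALLOWED_HOSTS": "app.example.test"})
    print(error_response(ValueError("boom"), prod))       # generic page, nothing leaked
```

The useful habit here is the direction of the default: when the environment is unknown the loader assumes production and refuses to run, rather than assuming development and running with everything exposed.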

Conclusion

As a developer, it is difficult enough to keep up with new tools, frameworks and updates.

Expecting you to also have the headspace to test the security of your web application is unreasonable. The OWASP Top 10 helps developers identify common security vulnerabilities in web applications and decide what to focus on. I hope you learned a lot from this article and are ready to test your software for the issues above.

Follow Geek Talk and turn on the notification so you don’t miss the second part of this series.


I write about tech, software development and hacking for non-techies and geeks 🤓 | Software Developer 👾 | Interested in pentesting 👹