What is OWASP ?

OWASP TOP 10 SECURITY RISKS — WEB & MOBILE | SERVERLESS GOAT.

According to OWASP, it is a nonprofit foundation that works to improve the security of software.

Simply, OWASP provides standard Top 10 security risk documentation which tells about the most critical web application security risks. Using this document, to ensure that the companies adopt and defend from the security risks. Also, if you are reporting any bugs to a company they will consider this document for vulnerability scope.

Top 10 Web Application Security Risks:

1. Injection,
2. Broken Authentication,
3. Sensitive Data Exposure,
4. XML External Entities (XXE),
5. Broken Access Control,
6. Security Misconfiguration,
7. Cross-Site Scripting XSS,
8. Insecure Deserialization,
9. Using Components with Known Vulnerabilities,
10. Insufficient Logging & Monitoring.

To defend and prevent from the above security risks, most of the company recruits pentester or give their program details like In-Scope and Out-Scope domains and vulnerabilities, bounty or points for listed vulnerabilities in cybersecurity crowdsourced platform or Responsible Vulnerability Disclosure program (RVDP).

OWASP Mobile Top 10

As per 2016 Top Ten Mobile Security risks.

1. Improper Platform Usage,
2. Insecure Data Storage,
3. Insecure Communication,
4. Insecure Authentication,
5. Insufficient Cryptography,
6. Insecure Authorization,
7. Client Code Quality,
8. Code Tampering,
9. Reverse Engineering,
10. Extraneous Functionality.

For defending mobile security risk, bug hunting is applicable.

Why do we need OWASP?

We have some knowledge about vulnerabilities then why we need this standards.

Because we need the most common and important attacks or weakness to protect against them. To know about that we first need to know what are they and their consequences, entry point of the weakness and prevention procedures.

You think we created the code by analyzing customer requirements but why we need testing part.

Once in a four years OWASP will qualify the top 10 list.

Serverless Goat

OWASP (Open Web Application Security Project) launched a project called WebGoat which is a simulator for learning web application security. In order to contribute as serverless they introduced Serverless Goat. To deploy the Serverless Goat application, AWS Lambda is used.

The Serverless Goat application is based entirely on AWS Lambda. After the deployment, Website URL is generated which is a HTML page that contains the MS-Word Document.

Serverless Goat application helps to learn serverless top 10 security risks(SAS-1 to SAS-10).

1) SAS-1: Function Event Data Injection.

2) SAS-2: Broken Authentication.

3) SAS-3: Insecure Serverless Deployment Configuration.

4) SAS-4: Over-Privileged Function Permissions & Roles.

5) SAS-5: Inadequate Function Monitoring and Logging.

6) SAS-6: Insecure 3rd Party Dependencies.

7) SAS-7: Insecure Application Secrets Storage.

8) SAS-8: Denial of Service & Financial Resource Exhaustion.

9) SAS-9: Serverless Function Execution Flow Manipulation.

10) SAS-10: Improper Exception Handling and Verbose Error Messages.

Vulnerabilities in Serverless Goat:

Serverless makes the applications to deploy on cloud but does not think about the infrastructure it is running on. There are enormous of attacks possible against serverless infrastructure.

SAS-1: Function Event Data Injection

Injecting malicious inputs into input fields to gain information about the application when it executed. In serverless architecture, these malicious inputs trigger the execution of the application when input from API call or direct user input.

Common type of injections :

1. SQL injection,

2. Code injection,

3. OS command injection,

4. Runtime code (Node.js, JS,php,Java),

5. XML External Entity (XXE),

6. Server-Request Forgery (SSRF).

SAS-2: Broken Authentication

Microservice-like system in serverless applications has many distinct serverless functions. In order to provide proper access control they need relevant functions / events / triggers. When user inputs are not properly authenticated then the risk of bypassing the application logic/entrypoint may happens.

Common type of Broken Authentication:

1. Exposing unauthenticated Entrypoint via S3 Bucket with Public access

2. Improper Authentication

3. Authentication exploit using CSRF token without proper validation.

SAS-3: Insecure Serverless Deployment Configuration

Serverless architecture provides configuration settings to avoid data expose, unauthorized access.

Misconfigured authentication is a common weakness which affects the application.

SAS-4: Over-Privileged Function Permissions and Roles

Serverless functions are implemented via microservices which need privileges to admin the functions like granting, secure, access, event by trigger and so on. So serverless functions should be provided with essential privileges alone which would perform intended logic.

Providing same over-Privileged Function Permissions and Roles to the other functions can able to escalate the function or abused to perform unintended operations.

SAS-5: Inadequate Function Monitoring and Logging

Serverless applications should maintain logs for capturing the events happened in the cloud environment and need to monitor the logs to prevent intruder.

As per SANS, critical log information recommends to collect log report includes:

1. Authentication and authorization reports

2. Change reports

3. Network activity reports

4. Resource access reports

5. Malware activity reports

6. Critical errors and failures reports

SAS-6:Insecure 3rd Party Dependencies

Serverless applications which is deployed in cloud environment may requires relevant software packages, dependencies, code imports for templates and so on. These may be consumed from third party which may become vulnerable.

Keeping unnecessary dependencies or packages which are not updated are the most common vulnerability.

SAS-7: Insecure Application Secrets Storage

Storing secret data like API keys, User credentials, Database credentials, Token details, Encryption details in public repositories like GitHub or in plain text are the common vulnerable.

Since, Serverless functions are microservice like in which data need to persist as long as its utilization so they are stored as environmental variables. To make easy access these variables are made public which may get leaked by pentesting.

SAS-8: Denial of Service & Financial Resource Exhaustion

Denial of Service attacks causes the resources to be unavail and financial disaster. In order to overcome this attack, serverless application deployments need some limitations on memory allocations, disk capacity, process and threads, concurrent execution, payload size and execution duration.

SAS-9: Serverless Functions Execution Flow Manipulation

Serverless application follow microservice functions to perform the task or execute the function.This design seems to be a chained function and architecture provides loosely coupled services which invokes specific function when that specific function is triggered.

Most of the applications uses flag to keep the order of invocations to couple together and this flag can be bypassed or some issues happen to make unavail to achieve desired logic is the common vulnerability.

SAS 10: Improper Exception Handling and Verbose Error Messages

Error based attacks are common in cloud environment since Verbose (using more words than necessary) error messages like syntax error, stack traces, stack status are exposed to end user for better debugging in serverless function.

Due to this exposure of details, intruder can learn from the error message and exceptions thrown and reveal the sensitive data.

Leakage of credentials, flaws using improper exception handling and verbose error message are the common vulnerability.

Happy Learning !

Do know about OWASP API SECURITY TOP 10.