What is OWASP? Top-10 vulnerabilities

In  this article we will look through the OWASP and define Top 10 of it’s vulnerabilities.

First of all, let us define OWASP.

Open Web Application Security Project (OWASP) is a non-commercial foundation that works on software security improvements.

This foundation was founded in 2001 and in 2004 it became a non-profit charitable organization of the USA. The main task of the foundation is to improve the security of software, in this it is helped by open communities of developers, technologists, and just enthusiasts around the world. The fund includes more than 275 branches around the world and tens of thousands of participants. In-depth educational and training conferences are held every year. The most important thing is that all projects, tools, documents, and conferences are absolutely free and open to everyone who is interested in improving application security.

Some projects OWASP works on

OWASP Security Knowledge Framework (SKF) is an open source security knowledge base. It includes guided projects with checklists and advanced code examples in multiple programming languages that show how to prevent hackers from accessing and running exploits in your application.

OWASP Mobile Security Testing Guide (MSTG)  is a comprehensive guide to mobile app security testing and reverse engineering for iOS and Android mobile security testers.

OWASP Web Security Testing Guide (WSTG)  is a comprehensive guide to testing the security of web applications and web services. Created by a collaborative effort of cybersecurity professionals and dedicated volunteers, the WSTG Guide is a foundation of best practices used by penetration testing professionals and organizations around the world.

OWASP Zed Attack Proxy (ZAP)  is one of the most popular free security testing tools in the world. It is also actively supported by a specialized international team.

And of course, 

OWASP Top Ten  is an informational document for application security developers and testers. It is a large document that describes and addresses the most serious web application security threats.

At the moment, the most relevant document is «OWASP Top 10 2017». The Top 10 2017 was based mainly on materials provided by companies specializing in application security and on the study of more than 500 independent industry surveys. This data covers vulnerabilities from hundreds of different organizations and more than 100,000 real-world applications and APIs. The Top 10 list is based on data on the prevalence, ease of exploitation, as well as the difficulty of detecting vulnerabilities and the potential for harm.

The primary goal of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the implications of the most common and critical web application security vulnerabilities.

Although the main goal of the OWASP Top 10 project was to draw the attention of developers and managers to the problems that exist in security, the project has become a de facto standard for application security.

Types of vulnerabilities

A1:2017 – Injections. 

Risks associated with SQL, NoSQL, OS and LDAP input occur when sending commands to the interpreter that can harm. This data tricks the interpreter into executing unintended commands or accessing data without proper authorization.

A2:2017 – Disadvantages of the authentication function.

Application functions that interface with session management and authentication can often be implemented with errors, which can allow attackers to compromise passwords, keys, or session tokens. Also use the errors made to assign (temporary or permanent) user account parameters.

A3:2017 – Disclosure of confidential data.

Some web applications and APIs do not protect sensitive data such as financial, medical or personal information. In this case, attackers have the opportunity to steal or change this data in order to commit fraudulent actions with it (with credit cards or personal data). Additional protections must be applied to sensitive data, such as encryption during storage or transmission, as well as special precautions when exchanging data with the browser.

A4:2017 – XML External Entities (XXE).

References to external entities in XML documents are handled by old or poorly configured XML processors. These entities can be used to expose internal files using a file URI processor and access public folders, as well as for port scanning, remote code execution, and denial-of-service attacks.

A5:2017 – Disadvantages of access control.

Often the actions that are allowed for authenticated users are not properly enforced. These flaws are used by attackers who will be able to gain access to the accounts of other users or their confidential information, as a result of which user data or access rights may be changed.

A6:2017 – Incorrect security settings.

This is one of the most common errors, resulting from unsafe or incomplete default configurations, exposed cloud storage, incorrect HTTP headers, and verbose error messages. They may contain confidential information. All OS, frameworks, libraries and applications must not only be reliably configured, but also updated and adjusted in a timely manner.

A7:2017 – Cross-Site Scripting (XSS).

XSS attacks often occur when data is added to a new page without proper validation or transformation, or when, using the data you provide, updates an open web page through a browser API that can generate HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser that allow them to intercept user sessions, change site pages, and redirect the user to malicious sites.

A8:2017 – Dangerous deserialization.

Unsafe deserialization often results in remote code execution. Deserialization errors that do not lead to remote code execution can be used to perform replay attacks, injection attacks, and privilege escalation attacks.

A9:2017 – Using components with known vulnerabilities.

Libraries, frameworks and software modules work with the same privileges as the application. Exploitation of the vulnerable component could lead to serious data loss or server takeover. Using applications and component APIs with known vulnerabilities compromises application security and enables various attacks and impacts.

A10:2017 – Disadvantages of logging and monitoring.

Weaknesses in logging and monitoring, as well as the absence or ineffective use of an incident response system, all allow attackers to breach systems, conceal their presence and infiltrate other systems, and tamper with, extract, or destroy data. Many studies show that the time to detect a breach is over 200 days, and usually these breaches are detected by external parties rather than internal processes or monitoring.

In the document itself, you can find basic methods to protect against these main risks, as well as recommendations on what to do next if a vulnerability is discovered.