What is OWASP? Top-10 vulnerabilities

In  this article we will look through the OWASP and define Top 10 of it’s vulnerabilities.

First of all, let us define OWASP.

Open Web Application Security Project (OWASP) is a non-profit organization that works to improve software security.

This fund was established in 2001, it became a non-profit charitable organization in the United States in 2004, and since June 2021, in Europe. The main goal of the foundation is to improve software security, and it is supported by open communities of developers, technologists, and enthusiasts around the world. The foundation has more than 250+ branches around the world and tens of thousands of members. Leading educational and training conferences are organized every year. The community provides an opportunity for organizations to create, develop, purchase, operate, and support applications that can be trusted. More importantly, all projects, tools, documents, and conferences are completely free and open to anyone interested in improving application security.

All the projects OWASP is working on are shown in the diagram: 

Let's get some details about some of the OWASP projects  

The OWASP Security Knowledge Framework (SKF) is an open-source security knowledge base. It provides guided projects with checklists and examples of leading-edge code in several programming languages. They are designed to help learn and integrate project security into the software development process and show how to prevent hacker access.

The OWASP Mobile Application Security Testing Guide (MASTG) is a comprehensive guide to mobile application security testing. It is a fundamental learning resource for both beginners and professionals, which covers a variety of topics from the internal functions of mobile OS to advanced techniques for reverse engineering.

The OWASP Web Security Testing Guide (WSTG) is a comprehensive cybersecurity testing guide for web application developers and security professionals. It was created by a collaborative effort of cybersecurity professionals and dedicated volunteers. The WSTG Guide is the basis of leading practices used by professionals in vulnerability testing and organizations around the world.

OWASP Defectdojo is a leading open-source tool for managing application vulnerabilities built for DevOps and continuous security integration.

OWASP Zed Attack Proxy (ZAP) is one of the most popular free security testing tools in the world supported by a dedicated international team of volunteers.

It is worth highlighting the OWASP Top Ten project

OWASP Top Ten is an information document for application security developers and testers. It contains detailed descriptions and solutions to the most critical risks to web application security. 

Presently, the most up-to-date document is OWASP Top-10 2021 (previously updated in 2017). In comparison with the previous version, 3 new categories were added to the Top-10 2021, 4 categories underwent changes in name and size, and there were some mergers. The 2021 Top 10 was based mainly on materials provided by companies that specialize in application security and on research from more than 500 independent industry surveys. These data cover vulnerabilities from hundreds of different organizations and more than 100,000 real-world applications and APIs. The Top 10 list is based on information about the prevalence, ease of exploitation, and difficulty of detecting vulnerabilities and preventing damage. 

The OWASP Top 10 is aimed at familiarizing developers, designers, architects, managers, and organizations with the consequences of the most common and critical web application security flaws.

Although the main goal of the OWASP Top 10 project was to draw the attention of developers and managers to security issues, the project has become the de facto standard for application security.

Vulnerability categories

A01:2021 - Broken Access Control

Most often, the actions permitted to authenticated users are not properly followed. It usually leads to unauthorized information disclosure, modification or destruction of all data, or execution of business functions exceeding the user's limits.

A02:2021 – Cryptographic Failures

Formerly, this type was called Sensitive Data Exposure. Nowadays, sensitive data exposure is a common symptom rather than a root cause, so now the focus is on failures related to cryptography (or the absence of it). First of all, you need to determine what data protection needs to be met during transmission and storage. For example, passwords, credit card numbers, medical records, personal information, and trade secrets require additional protection, especially if the data are subject to privacy laws.

A03:2021 – Injection 

Risks associated with the most common injections - SQL, NoSQL, OS commands, object-relational mapping (ORM), LDAP and EL (Expression Language) or OGNL (Object Graph Navigation Library) injections - occur when sending commands to the interpreter that may cause damage. These data trick the interpreter into executing unexpected commands or accessing data without proper authorization. Inspecting the source code is the best way to detect whether programs are vulnerable to injection.

A04:2021 – Insecure Design

A new category that focuses on the risks associated with design and architecture flaws, and calls for greater use of threat modeling, secure design patterns, and reference architectures. One of the factors that contributes to insecure design is the lack of business risk profiling of the software or system being developed, and therefore the inability to determine what level of design security is required.

A05:2021 – Security Misconfiguration 

This is one of the most common errors that results from insecure or incomplete default configurations, unnecessary features enabled or installed, open cloud storage, incorrect HTTP headers, detailed error messages, and outdated or vulnerable software. Applications are at greater risk without a consistent, repeatable security configuration process.

A06:2021 – Vulnerable and Outdated Components

The exploitation of a vulnerable component can lead to serious data loss or taking control of the server. Using applications and API components with well-known vulnerabilities puts application security at risk and makes various attacks and impacts possible. Among the risks are unknown versions of all the components used, unsupported or outdated software, failure to perform regular vulnerability scans and sign security bulletins, and lack of developer compatibility checks for updated or patched libraries.

A07:2021 – Identification and Authentication Failures

User authentication and session management are crucial when it comes to protecting against authentication-related attacks. Program functions related to identification and authentication are often implemented incorrectly, which allows attackers to compromise passwords, keys, and tokens so that they can identify themselves as users of the system. Sites with compromised authentication are very common on the Internet. These issues are usually related to logical problems in the application's authentication mechanism, such as poor session management during the username enumeration process. In this case, the attacker uses a brute-force approach to figure out the system's user credentials.

A08:2021 – Software and Data Integrity Failures

A new category focused on making assumptions related to software updates, critical data, and CI/CD pipelines without integrity checks. Software and data integrity failures refer to code and infrastructure that do not protect against integrity failures. For instance, when a program uses plug-ins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). Attackers could potentially download their own updates for distribution and running on all installations.

A09:2021 – Security Logging and Monitoring Failures

This category is designed to help detect, disclose, and respond to active breaches. Without logging and monitoring, it is impossible to detect a breach. Logging and monitoring can be difficult in testing, as they often require surveys or questions regarding the detection of attacks during a  penetration test. Many studies reveal that the time to detect a breach is more than 200 days and usually these breaches are discovered by external parties rather than internal processes or monitoring. However, detecting these breaches can be significantly influential for incident alerting, visibility, accountability and forensics.

A10:2021 – Server-Side Request Forgery

The new category was introduced in 2021. Server-side request forgery (SSRF) issues occur whenever a web application accesses a remote resource without validating the URL provided by the user. This allows an attacker to force the program to send the created request to an unexpected recipient, even if it is protected by a firewall, VPN, or other type of network access control list (ACL). As modern web applications provide end-users with convenient functions, URL getting is becoming a common scenario, and as a result, the cases of SSRF are increasing. In addition, the severity of SSRF is becoming higher due to cloud services and architecture complexity.

The document includes a detailed description of each vulnerability with the criteria for categorizing it, ways to prevent those vulnerabilities, examples of attack scenarios, and recommendations on what to do next if a vulnerability is detected. Therefore, using the OWASP Top-10 is perhaps the most effective first step towards changing the culture of software development towards the creation of more secure code.