OWASP Top 10 — What Do They Mean?
I have been getting many questions lately from those who are rather curious about the OWASP Top 10 so I’ve decided to do a quick write-up about each of them. Enjoy !
Project OWASP or the Open Web Application Security Project was founded in 2001 by Mark Curphy. OWASP is a non-profit organization that is used to assist security professionals with addressing and preventing application security attacks. Supported by research done internationally, OWASP publishes a report (OWASP Top 10) detailing the highest security risks and what can be done to effectively mitigate them. Each risk is listed by level of severity.
A01:2021 Broken Access Control
Broken access control is when attackers are able to access information that they should not have access to. By doing this attackers are able to perform tasks as if they are administrators or other privileged users. This could lead to information being accessed, shared, altered or deleted by someone that is not authorized to do so.
An example of this would be a standard user altering the URL to a string that only users with admin credentials can access.
https://www.llamasareexamples.com/app/accounts — URL of an account of a non-privileged user
https://www.llamasareexamples.com/app/admin_accounts — URL of an account with admin access
In this example broken access would occur if the a normal user is able to access the admin page by editing the URL without additional authentication.
Types of Attacks: Vertical and Horizontal Access Control, Privilege Escalation, Parameter-Based Access Control, Unprotected Functionality, Insecure Direct Object Reference (IDOR), Directory Transversal, Cross Site Request Forgery (CSRF)
IDOR Explained:
CSRF Explained:
A02:2021 Cryptographic Failures
Previously known as Sensitive Data Exposure, Cryptographic Failures refers to how data is protected. Cryptosystems rely on random numbers that are randomly generated forming algorithms to secure systems. Whether the data is in transit or at rest it should be protected from those who intend to use it maliciously. If data is not encrypted properly the chances of it being exposed and misused become incredibly high. Just because these algorithms are formed randomly does not lessen the likelihood of exploitation by an attacker.
An example of this would be personal data that is stored and transmitted in clear text, server certificates that are not being validated properly or SHA1 being used as a hash function.
In 2017, Equifax experienced a breach. Attackers exploited a vulnerability where they were able to execute arbitrary commands in the Apache Struts Web Framework (CVE-2017–5638). This allowed them access to the sensitive data of over 100 million customers.
There are several regulations when it comes to the protection of data. The Gramm Leach Bliley Act (GLBA) imposes strict requirements on financial institutions when it comes to properly handling customer data and what needs to be done if information is exposed to unauthorized individuals. The Payment Card Industry Data Security Standard (PCI-SS) is a regulation that all businesses that offer payment processing must adhere to. The General Data Protection Regulation (GDPR) sets specific guidelines on personal information for those who reside in the UK.
Types of Attacks: Birthday Attacks, Chosen Plaintext Attack (KPA), Brute Force Attacks, Ciphertext Only Attacks (COA)
A03:2021 Injection
Injection occurs when an attacker relays malicious data to an interpreter leading the application to perform an action that it is not meant to. When an application does not validate or sanitize supplied data it could give attackers the ability to manipulate the application to their advantage by exposing data that they are not authorized to see.
An example of this would be SQL Injection (SQLi) which is an attack against applications that use SQL databases. Once a vulnerable app is located, attackers would manipulate queries to produce additional results.
txtUserId = getrequeststring(“UserId”);
txtSQL = “SELECT * FROM Users WHERE UserId = “ + txtUserId;
This would validate the user once a valid username is typed in the input field but this can be altered to display more information.
txtUserId = getrequeststring(“UserId”);
txtSQL = “SELECT * FROM Users WHERE UserId = “ 1=1;
The statement 1=1 is true right ? So the output from this statement would now display all usernames that are “TRUE” on the database which would be all of the usernames.
In 2015 Talk Talk, a telecommunications company, experienced an injection breach due in part to an outdated database. Attackers were able to exploit the database by entering malicious SQL statements which resulted in the attackers exposing and stealing sensitive data of thousands of customers.
Types of Attacks : SQLi, CCS Injection, LDAP Injection, Cross Site Scripting (XSS), Command Injection.
XSS Explained:
A04:2021 Insecure Design
Insecure Design attacks occur when an application does not implement effective security controls leaving the application vulnerable to various threats. When an application is designed security should be the main priority if not, disaster would be imminent.
An example of this issue would be a bot being used on sneaker websites making it almost impossible for individuals to purchase sneakers on release day. Bots are automated to run tasks on applications. They can be configured to check out continuously, clearing out any available stock. Bots have been an issue for both companies and consumers. It is almost impossible for an individual to successfully check out even once because bots are capable of performing the same actions thousands of times .. in seconds. As a result consumers often have to purchase from resellers and often pay well over MSRP. This is a flaw and to this day being battled by retailers..
A05:2021 Security Misconfiguration
Security misconfiguration refers to applications being vulnerable due to insecure configurations. If these issues are not addressed, attackers can exploit them and potentially create backdoors into applications to exploit even further.
Examples of this would be sample accounts using common credentials not being disabled when an application is pushed to production or hardware passwords not being changed from vendor default passwords. It takes only a second for an attacker to research default passwords which would allow them to gain access into anything still using them. Password policies not being enforced is another common example. If users are not required to use complex passwords it makes it easier for attackers to access their account.
In 2017, a ransomware attack better known as “WannaCry” leveraged the Eternal Blue exploit (CVE-2017–0144) and took advantage of unpatched systems that were using Microsoft Server Message Block v1 (SMBv1) protocol. Attackers were remotely able to connect to vulnerable systems and encrypt their data blocking all access. Once encrypted, attackers demanded ransom payments from the users.
It is important to implement policies that assist with keeping your systems secure. Thousands of attacks occur due to lax policies that result in lost data and millions in fines.
A06:2021 Vulnerable and Outdated Components
Nowadays there are thousands of applications supported by open source components. If these components are not kept up to date they can become a security risk. Using applications or hardware that is no longer supported creates a significant risk to those using them. If support is no longer offered, these systems become more vulnerable to attacks.
An example of this would be the Reuters breach in 2012. Attackers took advantage of the fact that they were using an outdated version of Wordpress as a blogging platform and posted a false interview involving a rebel leader. Reuters quickly corrected the issue but it could’ve been avoided altogether if they had kept everything up to date.
A07:2021 Identification and Authentication Failures
The Authentication, Authorization and Accounting (AAA) framework regulates access controls to resources and policies. This framework ensures that the right accounts have access to the right information.
What happens if this information gets into the wrong hands? Broken Authentication occurs when user controls are not properly documented leaving accounts vulnerable to attacks.
OWASP specifies three attack patterns that exploit authentication; session hijacking, brute force and credential stuffing.
- Session Hijacking occurs when an attacker obtains the session ID of a user who has authenticated into an application giving them the ability to perform actions “as the user”.
- A Brute Force attack is when an attacker uses lists of common known passwords with intent to gain access to the users account.
- Credential Stuffing is when attackers use automated tools to guess passwords of users. It is common for users to use the same passwords with multiple accounts which could be catastrophic in the hands of an attacker.
Types of Vulnerabilities: Weak Session IDs, Password Mismanagement.
A08:2021 Software and Data Integrity Failures
In the CIA triad integrity means data should be trusted and maintained in the correct state. We all use applications that seemingly make our lives easier but how many of these apps do you vet to ensure the data is legitimate?
An example of this would be the popular game Wordle where users are given 6 attempts to guess a word daily. If they are successful or if they fail they have to wait 24 hours before they are allowed to attempt a new word. When this game rose in popularity app stores were flooded with dupes. Some of the apps were legit while others were not. Many users unknowingly downloaded malicious versions to their devices.
Types of Vulnerabilities : Insecure Deserialization
Insecure Deserialization Explained:
A09:2021 Security Logging and Monitoring Failures
Baselines are important to not only enterprise systems but personal devices as well. It is important for users to understand what normal looks like on their system so that malicious activity can easily be spotted and addressed accordingly. Logs are very important when it comes to ensuring system safety. While there are thousands that are generated daily, it is always a safe practice to analyze them for anything that may be out of the ordinary. Systems need to be set up so that accurate logs are generated which also ties into accurate anomaly detection.
An example of this would be (CVE-1999–1029) where attackers were able to perform login attempts without setting off alerts in the logs. If set up properly, logs should record everything and be able to tie user actions to whomever performs them. Without this attackers can exploit systems without anyone knowing, giving them the ability to attempt again until they obtain the desired access.
Types of Vulnerabilities: Insufficient Logging, Information Loss or Omission.
A10:2021 Server Side Request Forgery
Server Side Request Forgery (SSRF) occurs when an attacker sends HTTP requests to a URL without proper validation. It is referred to as a forgery because the server believes that the request is being made from a server instead of a human. Unlike Cross Site Request Forgery attacks (CSRF) SSRF attacks require no user interaction. Instead the attacker usually targets the backend of applications to gain access to systems and data they are unauthorized to access.
An example of an SSRF attack would be the Capital One Breach in 2019 where the attacker (in conjunction with a misconfigured WAF) used an SSRF query that eventually exposed data of millions of customers. The query led the attacker to access temporary credentials which allowed access to a bucket containing credit application data.
Types of Attacks: Basic SSRF, Blind SSRF
SSRF Explained:
For further research and practice …
OWASP
PortSwigger
PortSwigger offers a free web security academy that dives deeper into various security threats. They offer courses on each topic supported by labs to give you hands-on experience exploiting each vulnerability.
Thank you so much for taking the time to read my blog and follow me on my security journey !
— @synackodes
Happy Hacking !!!!