What is OWASP? Top 10 Vulnerabilities?
The modern world carries thousands of threats and potential dangers at every step and at every moment. The global network, which has become an integral part of our lives, is no exception.
Cybercrime is now more developed than ever – after all, almost every company has its own website on the Internet, and an attacker on the network can easily remain completely anonymous.
At the same time, all companies that have a website on the Internet fall into three types:
Those whose site has already been breached; those whose site has not yet been breached; and those who know the main attack vectors and have defended their application.
The rest of this presentation is unlikely to be very interesting to the third category. The other two should at least know the main vectors of attacks on web applications and how they are applied in practice – after all, forewarned is forearmed.
The number of threats grows in proportion to business growth, but long-term practice has shown that 99% of attacks come through a dozen standard mistakes: errors in validating incoming data, known vulnerabilities in installed third-party software components, or, most banal of all, default settings and passwords left in place by negligent system administrators.
So what exactly does OWASP do? Within its remit, OWASP has two main tasks: to publish documentation and to provide tools, both completely free of charge.
In this series of articles we will examine what is probably the most popular OWASP material, the OWASP TOP 10 Project. This document presents a list of the most significant and critical risks to web applications. Whether a vulnerability is included in the list is decided on the expert opinion of information security specialists from all over the world (there is no getting around that), and by and large, understanding these vulnerabilities is the first step toward changing the software development culture.
The classification of attack vectors and vulnerabilities is maintained by the OWASP (Open Web Application Security Project) community.
OWASP has compiled a list of the 10 most dangerous attack vectors for web applications. This list is called the OWASP TOP-10, and it contains the most dangerous vulnerabilities: the kind that can cost a company a great deal of money, undermine its business reputation, or even put it out of business.
In this introductory article, we will go over the list of OWASP TOP-10.
We will try to keep the presentation as accessible as possible, so as to reach not only (and not so much) technical specialists but also business owners and managers who run an online business and who are sometimes blissfully unaware of the grave danger hanging over them until attackers break in.
So let’s go.
It is necessary to understand clearly that the root of all these vulnerabilities is, as a rule, not the mistakes of individual programmers or flaws in the protocols themselves, but architectural problems in software design. And for beginning pen-testers, studying this list is strictly mandatory!
Ten death spells
The list of vulnerabilities is constantly updated and for 2017 is as follows:
A1:2017 – Injection (also called “code injection”)
This covers all types of injection: SQL, NoSQL, LDAP – anything. Injection becomes possible when unvalidated data is sent to an interpreter as part of a command or query. Such a “malicious” request is executed successfully and does its damage. In 90% of cases, when you hear that a private database was accessed through the web, that is our A1.
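As an added example that is not part of the original article: the Python below builds an in-memory SQLite table with two constructed rows and runs the same lookup twice, once with the user-supplied name pasted into the SQL text and once with it bound as a parameter. The table, its rows and the function names are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample data: a tiny user table standing in for a real database.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Look a user up by pasting the name straight into the SQL text.

    A quote character in `name` ends the string literal early, so the rest of
    the input becomes part of the command the interpreter executes.
    """
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Look a user up with a bound parameter.

    The SQL text is fixed; the driver hands the value over separately, so it
    can never change the structure of the statement.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"          # input that matches no real name
    print(lookup_vulnerable(db, tampered))   # both rows come back
    print(lookup_safe(db, tampered))         # [] - treated as a literal value
```

With the quoted input, the first function returns every row even though no user has that name, because the quote altered the statement; the parameterised version returns nothing. Searching a code base for string-built SQL and replacing it with bound parameters is the practical check behind A1.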
A2:2017 – Broken Authentication
Application functions responsible for authentication and session management are often implemented incorrectly, which leads to the compromise of passwords, keys and session tokens, and even to the complete takeover of a user session. When you are on public Wi-Fi and suddenly discover that actions are being performed on your behalf on public web resources, that is A2.
A3:2017 – Sensitive Data Exposure
Many web applications and APIs store and process important information, such as personal data, incorrectly. Attackers can steal or modify such information, which can lead to serious financial or reputational losses. Sensitive information must be stored properly and must also be protected in transit over communication channels.
A4:2017 – XML External Entities (XXE)
Many older or badly configured XML processors resolve external entity references found in XML documents. The external data fetched this way can carry malicious content that allows almost arbitrary code to be executed on the target machine.
A5:2017 – Broken Access Control
The access matrix that looked so good on paper may be applied incorrectly on a specific system, so that illegitimate users easily reach restricted areas of a site or are able to change the permissions on resources at their discretion.
A6:2017 – Security Misconfiguration
Here we are talking about somewhat more global things, such as failing to update server and application software in time, or leaking important information in error messages or even in HTTP headers. The application may be almost perfect, but if the web server it runs on has problems with its basic configuration, then all of that is useless.
A7:2017 – Cross-Site Scripting (XSS)
XSS occurs when an application includes untrusted data in a page without proper validation. For example, the code of an advertising banner may contain a script that intercepts user data, defaces the site, or transparently redirects visitors to other sites.
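An added example, not taken from the original article, of what “including untrusted data without proper handling” looks like in code. `render_unsafe` drops a visitor's comment into a constructed HTML template verbatim; `render_safe` passes it through the standard-library `html.escape` first; `looks_like_markup` is an assumed helper for checking whether a raw tag survived into the rendered output. The template and function names are assumptions for the demonstration.

```python
import html

# Constructed page template: the comment is placed in the HTML body.
PAGE = '<html><body><h1>Comments</h1><div class="comment">{body}</div></body></html>'


def render_unsafe(comment):
    """Insert the comment verbatim: any markup in it becomes part of the page."""
    return PAGE.format(body=comment)


def render_safe(comment):
    """Escape the comment for an HTML body context before inserting it.

    html.escape turns <, >, &, " and ' into entities, so the browser displays
    the characters instead of interpreting them as tags or attributes.
    """
    return PAGE.format(body=html.escape(comment, quote=True))


def looks_like_markup(rendered, tag="script"):
    """Check used by the test below: does a raw <tag opening survive in the output?"""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    untrusted = '<script>alert("x")</script>'   # constructed untrusted input
    print(render_unsafe(untrusted))   # tag lands in the page as-is
    print(render_safe(untrusted))     # &lt;script&gt;... shown as text
```

Escaping must match the context the data lands in: `html.escape` is right for element content and quoted attribute values, while data written into a JavaScript block or a URL needs that context's own encoding. Most web frameworks' template engines apply the HTML-body escaping automatically; XSS typically appears where a developer switched it off or built markup with string concatenation.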
A8:2017 – Insecure Deserialization
Insecure deserialization, as a rule, leads to remote code execution. The point is that untrusted data can subvert your application's logic the moment it is deserialized. At first glance this vulnerability looks rather exotic, but it holds its place of honour on the list.
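To make “untrusted data subverting logic on deserialization” concrete, here is an added Python example that is not part of the article. Python's `pickle` resolves any class or function named inside the byte stream while loading, so a `RestrictedUnpickler` that refuses every such reference (the `find_class` override pattern documented for the `pickle` module) closes that path; a JSON loader with an explicit field check is the alternative for data that only needs to carry plain values. The order shape and the function names are assumptions.

```python
import io
import json
import pickle
from datetime import date


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global (class or function) reference."""

    def find_class(self, module, name):
        # pickle calls this for every global reference in the stream. Refusing
        # here means the stream can only build primitives and plain containers;
        # nothing in it can name a callable to be invoked during loading.
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def loads_restricted(data):
    """Deserialize bytes, allowing only primitives and containers."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_unrestricted(data):
    """Plain pickle.loads: whatever the stream names gets imported and called."""
    return pickle.loads(data)


def is_blocked(data):
    """True if the restricted loader rejects the stream."""
    try:
        loads_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


def sample_streams():
    """Constructed sample inputs: one stream of plain data, one naming a class."""
    return {
        "plain": pickle.dumps({"user": "alice", "qty": 2}),
        "with_global": pickle.dumps(date(2024, 3, 1)),  # stream names datetime.date
    }


def parse_order_json(text):
    """Alternative: JSON plus an explicit shape check instead of pickle.

    Assumed shape: {"user": str, "qty": positive int}. Anything else is rejected
    before it can reach application logic.
    """
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"user", "qty"}:
        raise ValueError("unexpected fields")
    user, qty = obj["user"], obj["qty"]
    if not isinstance(user, str) or not isinstance(qty, int) or isinstance(qty, bool):
        raise ValueError("wrong field types")
    if qty < 1:
        raise ValueError("qty must be positive")
    return {"user": user, "qty": qty}


if __name__ == "__main__":
    streams = sample_streams()
    print(loads_restricted(streams["plain"]))        # {'user': 'alice', 'qty': 2}
    print(loads_unrestricted(streams["with_global"]))  # 2024-03-01 (class resolved)
    print(is_blocked(streams["with_global"]))        # True
    print(parse_order_json('{"user": "alice", "qty": 2}'))
```

The stream carrying a `date` is harmless, but the restricted loader rejects it for the same reason it would reject anything worse: it will not let serialized input choose which code runs. For data exchanged with untrusted parties, a format that cannot name code at all (JSON with validation) is the simpler choice.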
A9:2017 – Using Components with Known Vulnerabilities
Libraries, frameworks, operating systems and other components of information systems need to be updated in a timely manner. Otherwise, a known vulnerability in one library can jeopardize a large service that uses even a single function from that library.
A10:2017 – Insufficient Logging and Monitoring
It is simple – you have built a wonderful system but forgot to attach monitoring tools. This is not even about a connected SIEM system, but about plain logging of the main server events. Unfortunately, it is not uncommon for a breach to be noticed six months after the actual break-in, and to be learned about not from logs but from outside observers.
In the next article we will begin to analyze each of these vulnerabilities in turn and in more detail. We will arm ourselves with the necessary tools and see how these vulnerabilities are exploited in practice.
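As an added example of the “banal logging” the paragraph asks for, and not something from the original article: the Python below parses constructed web-server-style log lines and flags any client address with five or more failed logins inside a one-minute sliding window. The log format, the thresholds and the function names are assumptions; the addresses come from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, client IP, method, path, status.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.5 POST /login 401
2024-03-01T10:00:03Z 203.0.113.5 POST /login 401
2024-03-01T10:00:04Z 198.51.100.7 POST /login 401
2024-03-01T10:00:06Z 203.0.113.5 POST /login 401
2024-03-01T10:00:09Z 203.0.113.5 POST /login 401
2024-03-01T10:00:10Z 198.51.100.7 POST /login 200
2024-03-01T10:00:12Z 203.0.113.5 POST /login 401
2024-03-01T10:00:15Z 192.0.2.9 POST /login 401
2024-03-01T10:00:20Z 203.0.113.5 POST /login 401
2024-03-01T10:05:15Z 192.0.2.9 POST /login 401
2024-03-01T10:10:15Z 192.0.2.9 POST /login 401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec


def failed_login_bursts(lines, threshold=5, window_minutes=1):
    """Return the set of client IPs with at least `threshold` failed logins
    (HTTP 401 on /login) inside any sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == "/login" and rec["status"] == 401:
            failures[rec["ip"]].append(rec["ts"])

    flagged = set()
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it is within `window` of this failure.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG.splitlines()))   # {'203.0.113.5'}
```

A rule this small already gives the information the paragraph says is usually missing: it tells you, from your own logs and within a minute, that something is hammering the login form, rather than leaving you to hear about it from outsiders months later. The same structure (parse, filter on the event of interest, count per source within a window) carries over to other events worth watching, such as repeated 403 responses or requests for paths that do not exist.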