What is Web Application Security?


Web application security is the process of protecting websites and online services against different security threats that exploit vulnerabilities in an application’s code.

Common targets for web application attacks are content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin) and SaaS applications.

Common web app security vulnerabilities

1. Cross-site scripting (XSS) – XSS is an injection attack targeting users in order to access accounts, activate Trojans or modify page content. Stored XSS occurs when malicious code is injected directly into an application and served back to other users.

2. SQL injection – Occurs when a perpetrator uses malicious SQL code to manipulate a backend database so that it reveals information. Consequences include the unauthorized viewing of lists, deletion of tables and unauthorized administrative access.

3. Remote File Inclusion – A hacker uses this type of attack to remotely inject a file onto a web application server. This can result in the execution of malicious scripts or code within the application, as well as data theft or manipulation.

4. Cross-site request forgery (CSRF) – CSRF involves tricking a victim into making a request that utilizes their authentication or authorization. By leveraging the account privileges of a user, an attacker is able to send a request masquerading as the user. Once a user’s account has been compromised, the attacker can exfiltrate, destroy or modify important information. Highly privileged accounts such as administrators or executives are commonly targeted.
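The two browser-side items above (stored XSS and CSRF) are usually addressed in the same layer of an application: output encoding for anything untrusted that ends up in HTML, and a per-session token that a cross-origin page cannot read. The following Python is an added example written for this article, not code from the original page; the `SECRET_KEY`, the comment-rendering function and the session identifiers are all constructed for illustration.

```python
import hashlib
import hmac
import html
import secrets

# Constructed for this example: a process-wide key used to derive CSRF tokens.
# A real deployment would load it from configuration and rotate it.
SECRET_KEY = secrets.token_bytes(32)


def render_comment(author: str, body: str) -> str:
    """Render a stored comment. Every untrusted field is HTML-escaped, so markup
    that was injected into the database is displayed as text rather than
    interpreted by the browser (this is the defence against stored XSS)."""
    return (
        '<div class="comment">'
        f'<span class="author">{html.escape(author)}</span>: '
        f"<p>{html.escape(body)}</p>"
        "</div>"
    )


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the session. The token is embedded in the
    server's own forms; a page on another origin cannot read it, so a forged
    request from that page cannot include it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: str) -> bool:
    """Check the token sent with a state-changing request against the one that
    belongs to the caller's session, using a constant-time comparison."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted or "")


def handle_post_comment(session_id: str, form: dict) -> tuple:
    """Hypothetical form handler: reject the request unless the CSRF token matches,
    then render the comment with escaping applied."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, render_comment(form.get("author", ""), form.get("body", ""))
```

`html.escape` also escapes quotes by default, which matters when the value lands inside an attribute; a template engine with auto-escaping does the same job, and the point is that escaping happens at output time, for every untrusted field, rather than at input time.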

What is OWASP?

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security.
The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.

What is the OWASP Top 10?

The OWASP Top 10 is a regularly updated report outlining security concerns for web application security, focusing on the 10 most critical risks.
The report is put together by a team of security experts from all over the world.
OWASP refers to the Top 10 as an ‘awareness document’ and recommends that all companies incorporate the report into their processes in order to minimize and/or mitigate security risks.

Below are the security risks reported in the 2021 report:

1. A01:2021 – Broken Access Control:
Access control refers to a system that controls access to information or functionality.
Broken access controls allow attackers to bypass authorization and perform tasks as
though they were privileged users such as administrators. For example, a web application
could allow a user to change which account they are logged in as simply by changing part
of a URL, without any other verification.

Access controls can be secured by ensuring that a web application uses authorization tokens*
and sets tight controls on them.

*Many services issue authorization tokens when users log in. Every privileged request that a
user makes will require that the authorization token be present. This is a secure way to ensure
that the user is who they say they are, without having to constantly enter their login credentials.
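The URL example above and the footnote on authorization tokens fit together: the token establishes who the caller is, and the server must still decide, on every request, whether that caller may touch the resource named in the URL. The Python below is an added example, not code from the original page; it uses a constructed HMAC-signed token, a placeholder `SERVER_KEY` and an in-memory `ACCOUNT_OWNERS` table standing in for a database lookup.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed placeholders for this example.
SERVER_KEY = b"demo-key-only--load-from-config-and-keep-secret"
ACCOUNT_OWNERS = {"acct-100": "alice", "acct-200": "bob"}  # stands in for a DB


def issue_token(user_id: str, ttl_seconds: int = 900) -> str:
    """Return '<base64 claims>.<hex HMAC>' for a user who has just logged in."""
    claims = {"sub": user_id, "exp": int(time.time()) + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired,
    otherwise None. Anything the client could have edited is rejected here."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None
    if claims.get("exp", 0) < time.time():
        return None  # expired: tokens should be short-lived
    return claims


def get_account(token: str, requested_account_id: str) -> Tuple[int, str]:
    """Handler for a hypothetical GET /accounts/<requested_account_id>.
    The account id comes from the URL (client-controlled); the identity comes
    only from the verified token, never from the URL."""
    claims = verify_token(token)
    if claims is None:
        return 401, "authentication required"
    # The ownership decision is made server-side on every request.
    if ACCOUNT_OWNERS.get(requested_account_id) != claims["sub"]:
        # Same response for "not yours" and "does not exist", so the URL
        # cannot be used to enumerate which accounts are real.
        return 403, "forbidden"
    return 200, f"account data for {requested_account_id}"
```

The check in `get_account` is the part that is missing when a site lets a user "change which account they are logged in as" by editing a URL: the token proves identity, but authorization is a separate lookup that must happen on the server for each resource.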

2. A02:2021 – Cryptographic Failures:
If web applications don’t protect sensitive data such as financial information and passwords,
attackers can gain access to that data and sell it or use it for nefarious purposes.
One popular method for stealing sensitive information is using an on-path attack.

Data exposure risk can be minimized by encrypting all sensitive data as well as
disabling the caching* of any sensitive information. Additionally, web application developers
should take care to ensure that they are not unnecessarily storing any sensitive data.

*Caching is the practice of temporarily storing data for re-use. For example, web browsers will
often cache webpages so that if a user revisits those pages within a fixed time span, the browser
does not have to fetch the pages from the web.
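Two of the mitigations named above, protecting stored passwords and keeping sensitive responses out of caches, can be shown concretely. The Python below is an added example written for this article, not code from the original page: it stores passwords as salted scrypt hashes rather than in a recoverable form, and builds the response headers a handler would attach to a page that must not be cached. The cost parameters and header set are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Dict

# scrypt cost parameters assumed for this example (about 16 MiB of memory);
# raise them as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing record 'scrypt$<salt hex>$<digest hex>'.
    A fresh random salt per password means identical passwords do not
    produce identical records, so a leaked table cannot be attacked in bulk."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed records are treated as a failed login, never as an exception."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, expected)


def sensitive_response_headers() -> Dict[str, str]:
    """Headers for a response carrying account or financial data: forbid
    caching anywhere (browser, proxy) and insist on HTTPS for future visits."""
    return {
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }
```

`Cache-Control: no-store` is the header that implements the "disable caching of sensitive information" advice above; the HSTS header addresses the on-path attacker by keeping the browser on the encrypted connection.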

3. A03:2021 – Injection:
Injection attacks happen when untrusted data is sent to a code interpreter through a form input
or some other data submission to a web application. For example, an attacker could enter SQL
database code into a form that expects a plaintext username. If that form input is not properly
secured, this would result in that SQL code being executed. This is known as an SQL injection attack.

Injection attacks can be prevented by validating and/or sanitizing user-submitted data.
(Validation means rejecting suspicious-looking data, while sanitization refers to cleaning up the
suspicious-looking parts of the data.) In addition, a database admin can set controls to minimize
the amount of information an injection attack can expose.

4. A04:2021 – Insecure Design:

5. A05:2021 – Security Misconfiguration:
Security misconfiguration is the most common vulnerability on the list and is often the result of using default configurations or displaying excessively verbose errors. For instance, an application could show a user overly descriptive errors which may reveal vulnerabilities in the application. This can be mitigated by removing any unused features in the code and ensuring that error messages are more general.

6. A06:2021 – Vulnerable and Outdated Components:
Many modern web developers use components such as libraries and frameworks in their web applications. These components are pieces of software that help developers avoid redundant work and provide needed functionality; common examples include front-end frameworks like React and smaller libraries used to add share icons or A/B testing. Some attackers look for vulnerabilities in these components which they can then use to orchestrate attacks. Some of the more popular components are used on hundreds of thousands of websites; an attacker finding a security hole in one of these components could leave hundreds of thousands of sites vulnerable to exploit.

Component developers often offer security patches and updates to plug known vulnerabilities, but web application developers don’t always have the patched or most recent versions of components running on their applications. To minimize the risk of running components with known vulnerabilities, developers should remove unused components from their projects, make sure that components come from a trusted source, and keep them up to date.

7. A07:2021 – Identification and Authentication Failures:
Vulnerabilities in authentication (login) systems can give attackers access to user accounts and even the ability to compromise an entire system using an admin account. For example, an attacker can take a list containing thousands of known username/password combinations obtained during a data breach and use a script to try all those combinations on a login system to see if there are any that work.

Some strategies to mitigate authentication vulnerabilities are requiring two-factor authentication (2FA) as well as limiting or delaying repeated login attempts using rate limiting.
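The credential-list scenario above is exactly what rate limiting is meant to blunt: a script that can only make a handful of attempts per minute against a given account cannot work through thousands of leaked pairs. The Python below is an added example, not code from the original page: a small limiter with a sliding window of failures and a temporary lockout, keyed on client IP plus username. The clock is injectable so the behaviour can be checked without waiting; `demo_check_password` is a constructed stand-in for a real credential check.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Dict


class LoginRateLimiter:
    """Counts failed logins per key (here client IP + username) inside a sliding
    window; once the window fills, further attempts are refused for `lockout`
    seconds, whether or not the supplied password happens to be right."""

    def __init__(self, max_failures: int = 5, window: float = 60.0,
                 lockout: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures: Dict[str, deque] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def retry_after(self, key: str) -> float:
        """Seconds the caller must wait before another attempt; 0 if allowed."""
        return max(0.0, self._locked_until.get(key, 0.0) - self.clock())

    def record_failure(self, key: str) -> None:
        now = self.clock()
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop failures outside the window
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(limiter: LoginRateLimiter, username: str, client_ip: str,
                  password: str, check_password: Callable[[str, str], bool]) -> str:
    """Returns 'ok', 'invalid' or 'rate_limited'. The limiter is consulted
    before the password is checked, so a locked key costs the server nothing."""
    key = f"{client_ip}|{username}"
    if limiter.retry_after(key) > 0:
        return "rate_limited"
    if check_password(username, password):
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key)
    return "invalid"


def demo_check_password(username: str, password: str) -> bool:
    """Constructed credential check standing in for a real password store."""
    return username == "alice" and password == "correct horse battery staple"
```

Keying on IP plus username limits how much an attacker can lock a legitimate user out from a single address; a production limiter would usually add a per-account limit as a second layer and combine it with 2FA as the paragraph suggests.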

8. A08:2021 – Software and Data Integrity Failures:
This threat targets the many web applications which frequently serialize and deserialize data. Serialization means taking objects from the application code and converting them into a format that can be used for another purpose, such as storing the data to disk or streaming it. Deserialization is just the opposite: converting serialized data back into objects the application can use. Serialization is sort of like packing furniture away into boxes before a move, and deserialization is like unpacking the boxes and assembling the furniture after the move. An insecure deserialization attack is like having the movers tamper with the contents of the boxes before they are unpacked.

An insecure deserialization exploit is the result of deserializing data from untrusted sources and can result in serious consequences like DDoS attacks and remote code execution attacks. While steps can be taken to try and catch attackers, such as monitoring deserialization and implementing type checks, the only sure way to protect against insecure deserialization attacks is to prohibit the deserialization of data from untrusted sources.
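The two controls named above, type checks and refusing to deserialize untrusted input, look like this in Python, where the native `pickle` format can reconstruct arbitrary objects and is therefore the classic instance of the problem. The code below is an added example, not code from the original page: a restricted unpickler that refuses every class or function reference (so only plain data can be loaded), and a JSON loader that checks field names and types against a schema. The `Point` class and `ORDER_SCHEMA` are constructed for the example.

```python
import io
import json
import pickle
from typing import Any, Tuple


class RefuseAllGlobals(pickle.Unpickler):
    """An Unpickler that refuses to resolve any module.name reference.
    Lists, dicts, strings and numbers still load; any pickle that asks for a
    class or callable is stopped before an object is constructed."""

    def find_class(self, module: str, name: str):
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def try_safe_load(data: bytes) -> Tuple[bool, Any]:
    """Return (True, value) for plain-data pickles, (False, reason) otherwise."""
    try:
        return True, RefuseAllGlobals(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


class Point:
    """Constructed class: pickling an instance records a global reference,
    which is exactly what the restricted unpickler refuses."""

    def __init__(self, x: int, y: int):
        self.x, self.y = x, y


# Preferred for data from clients: a format that carries no code, plus a schema.
ORDER_SCHEMA = {"order_id": int, "sku": str, "quantity": int}


def load_order(raw: str) -> dict:
    """Parse an order from JSON and enforce exact field set and types.
    `type(...) is` (rather than isinstance) keeps bool from passing as int."""
    obj = json.loads(raw)
    if not isinstance(obj, dict) or set(obj) != set(ORDER_SCHEMA):
        raise ValueError("unexpected or missing fields")
    for field, expected in ORDER_SCHEMA.items():
        if type(obj[field]) is not expected:
            raise ValueError(f"field {field} must be {expected.__name__}")
    if obj["quantity"] <= 0:
        raise ValueError("quantity must be positive")
    return obj
```

The restricted unpickler is the "type check" fallback for code that cannot drop `pickle` yet; `load_order` is the shape of the stronger answer the paragraph gives, which is not to deserialize untrusted bytes into objects at all.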

9. A09:2021 – Security Logging and Monitoring Failures:
Many web applications are not taking enough steps to detect data breaches. The average discovery time for a breach is around 200 days after it has happened. This gives attackers a lot of time to cause damage before there is any response. OWASP recommends that web developers should implement logging and monitoring as well as incident response plans to ensure that they are made aware of attacks on their applications.
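Logging only helps if something reads the logs and raises an alert, so the following added example (written for this article, not code from the original page) runs a simple detection over constructed authentication log lines: it parses each line, keeps failed logins per source address, and flags any address with a burst of failures inside a sliding window, together with how many distinct usernames it tried. The log format, the thresholds and the sample addresses are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Constructed sample log lines (not from any real system) in an assumed
# "<timestamp> <level> auth <event> user=<name> ip=<addr>" shape.
SAMPLE_LOG = """\
2022-02-01T10:00:01Z INFO  auth login_failed user=alice ip=203.0.113.7
2022-02-01T10:00:03Z INFO  auth login_failed user=bob ip=203.0.113.7
2022-02-01T10:00:05Z INFO  auth login_failed user=carol ip=203.0.113.7
2022-02-01T10:00:07Z INFO  auth login_failed user=dave ip=203.0.113.7
2022-02-01T10:00:09Z INFO  auth login_failed user=erin ip=203.0.113.7
2022-02-01T10:00:11Z INFO  auth login_failed user=frank ip=203.0.113.7
2022-02-01T10:00:12Z INFO  auth login_failed user=alice ip=198.51.100.9
2022-02-01T10:00:20Z INFO  auth login_ok user=alice ip=198.51.100.9
2022-02-01T10:05:00Z WARN  app request_failed path=/reports
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+\s+auth (?P<event>login_\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of an auth line, or None for lines we do not handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> Dict[str, dict]:
    """Flag source IPs whose failed logins reach `threshold` within any
    `window`-long span. Returns {ip: {"failures_in_window", "distinct_users"}}."""
    failures = defaultdict(list)
    users = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "login_failed":
            continue
        failures[ev["ip"]].append(ev["ts"])
        users[ev["ip"]].add(ev["user"])

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {"failures_in_window": peak,
                          "distinct_users": len(users[ip])}
    return alerts
```

A high `distinct_users` count alongside the failure burst is the signature of the leaked-credential-list scenario described under A07, which is the kind of event the 200-day discovery gap above means nobody was looking for. In a real pipeline the same logic would sit behind a log shipper or SIEM rule; the parsing and the windowing are what carry over.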

10. A10:2021 – Server-Side Request Forgery:

Imran Shaikh

Imran is an MCA graduate. His current goal is to learn and implement Microservices Architecture with Spring Boot technology. He wants to contribute to every part of microservices architecture in future, using Angular and various other technologies.
Aside from being a tech freak, Imran has a passion for travelling and exploring the world beyond.

Imran Shaikh, Intern at GlobalVox | Posted on: February 1, 2022