Securing OWASP Top 10 Vulnerabilities

Believe it or not, web applications are a large part of our lives, whether we use them for personal, business, or entertainment reasons. For instance, web applications you might use frequently include Microsoft Office, Facebook, YouTube, and Google Docs. Because of these platforms’ high traffic volume and popularity, adversaries often seek ways to exploit web application vulnerabilities and ultimately compromise the organization’s confidentiality, integrity, and/or availability.

Have you heard of the OWASP Top 10? It is a list of the ten most critical risks to web applications, created by OWASP, the Open Web Application Security Project. While there are thousands of risks associated with web apps, using the OWASP Top 10 helps both development and cybersecurity teams focus on the ones with the highest criticality, mitigating the web application security risks within their ecosystem from both the offensive and the defensive side.

1. Injection

What is Injection?

Code injection attacks manipulate an interpreter by supplying crafted input or data to a web application. Threat actors enter untrusted data that doesn’t match the expected input, which can do a great deal of damage, such as leaking or damaging data or bypassing security controls. SQL injection is regarded as one of the most frequent attack vectors, exploiting flaws in input forms to extract PII (Personally Identifiable Information), user credentials, PCI (Payment Card Industry) data, and much more. SQL (Structured Query Language) injection attacks occur when threat actors enter SQL code into a field that expects a simple username. If that input is improperly secured, the SQL code can manipulate the backend database into performing actions it would not normally execute.

How to Mitigate Injection?

· Input Validation verifies the legitimacy of an input based on factors such as type, length, or format.

· Parameterized Queries, also known as prepared statements, are queries in which literal values are replaced with bound parameters, so user input is never parsed as SQL code.

· A Web Application Firewall (WAF) monitors traffic traveling in and out of web servers. By providing a barrier between the web application and the internet, it can actively block malicious traffic based on anomalous behavior.
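The following is an added example, not code from the original post: the concatenated query the section warns about, placed beside its prepared-statement form and an allow-list validator, on a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed in-memory database for the demo (not a real system).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "user"), ("carol", "user")])

def lookup_vulnerable(username):
    """'Before' form: the query is built by string concatenation, so the SQL
    interpreter cannot tell user data apart from SQL code."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(username):
    """Prepared statement: the value is bound as a parameter and is never
    parsed as SQL, whatever characters it contains."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

def valid_username(username):
    """Input validation (allow-list): 3 to 32 characters, letters, digits or
    underscore only. Rejecting bad input early is defence in depth, not a
    replacement for parameterized queries."""
    stripped = username.replace("_", "")
    return 3 <= len(username) <= 32 and stripped.isalnum()

if __name__ == "__main__":
    hostile = "x' OR '1'='1"   # classic tautology; matches no real username
    print(lookup_vulnerable("bob"))        # [('bob', 'user')]
    print(lookup_vulnerable(hostile))      # all three rows: the quote closed the string
    print(lookup_parameterized(hostile))   # []: treated as a literal username
    print(valid_username(hostile))         # False: rejected before reaching the DB
```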

2. Broken Authentication

What is Broken Authentication?

Incorrectly implemented authentication can enable attackers to compromise user passwords, keys, or session tokens. In environments with weak authentication, attackers need to compromise only one account to compromise the whole organization. For instance, if adversaries breach an admin account, they obtain all of its admin privileges and access to various other accounts, resulting in malicious behavior. Brute forcing and dictionary attacks are standard methods of exploiting broken authentication. Open-source, automated tools like John the Ripper or Medusa increase an attacker’s probability of cracking authentication.

How to Mitigate Broken Authentication?

· Multi-Factor Authentication should be implemented as an additional layer of security that verifies the user’s identity. Having secondary identity validation will prevent successful brute force or dictionary attacks.

· Password Checking is essential during a user’s password creation. Implementing checks and requiring increased complexity, such as a passphrase, numbers, or special characters, will eliminate weak or common passwords within the environment.

· Lock Outs based on repeated failed attempts will prevent attackers from carrying out brute force or credential stuffing attacks.
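An added example (not from the original post) of the second and third mitigations above: a creation-time password check and a per-account lockout tracker. The thresholds, the short common-password list and the injectable clock are assumptions made for the demo.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5           # lock the account after this many failures...
WINDOW_SECONDS = 15 * 60   # ...inside this window
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts

# Constructed sample; a real deployment checks against a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

def password_is_acceptable(pw):
    """Creation-time check. Long passphrases pass on length alone; shorter
    passwords need at least 12 characters from three character classes."""
    if pw.lower() in COMMON_PASSWORDS:
        return False
    if len(pw) >= 16:
        return True
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= 12 and sum(classes) >= 3

class LockoutTracker:
    """Counts failed logins per account and refuses attempts while locked.
    The clock is injectable so the behaviour can be tested without sleeping."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)   # account -> failure timestamps
        self.locked_until = {}

    def is_locked(self, account):
        return self.locked_until.get(account, 0) > self.clock()

    def record_failure(self, account):
        now = self.clock()
        recent = [t for t in self.failures[account] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            # This is also the point to raise an alert: a burst of failures
            # on one account is the signature of a brute-force attempt.
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = []

    def record_success(self, account):
        self.failures.pop(account, None)
```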

3. Sensitive Data Exposure

What is Sensitive Data Exposure?

Sensitive data exposure occurs when confidential data such as credit card numbers or business processes is compromised while in transit or on the user’s client. Attackers can exploit simple hash values produced by weak cryptographic algorithms that are used to store passwords or confidential data. According to the Pyramid of Pain, changing a hash value is “trivial” for an attacker. Man-in-the-middle attacks are common: attackers listen to network traffic and hijack a session, which gives them access to sensitive data. Alternatively, weak or absent encryption in the web browser’s connection can result in attackers stealing sensitive data in cleartext.

How to Mitigate Sensitive Data Exposure?

· Encryption at rest and in transit should always be used to prevent attackers from stealing sensitive information in cleartext.

· Using robust hashing algorithms such as SHA-256 and SHA-3 makes passwords in a password database harder to crack if the database is stolen.

4. XML External Entities (XXE)

What is XML External Entities (XXE)?

An attacker can efficiently deliver a denial-of-service attack or exfiltrate sensitive data by uploading a malicious XML file to an application that insecurely accepts XML from untrusted sources. SAML (Security Assertion Markup Language) can be vulnerable to this attack since SAML leverages XML for identity assertions.

How to Mitigate XXE?

· Using less sophisticated data formats instead of XML, where feasible, removes this vulnerability altogether since XML is not used in the first place.

· SAST (Static Application Security Testing) is effective at detecting XXE flaws within source code.

5. Broken Access Control

What is Broken Access Control?

Breaching a user account or exploiting weak access control allows attackers to gain full access to a user account. Access control enforces a policy that ensures users act within the bounds of their role, nothing more and nothing less; if access control is implemented improperly, adversaries abuse this weakness to reach unauthorized functionality and data. Attackers can probe for absent or weak access control by changing the HTTP method (GET vs. PUT) or by altering the primary key to another user’s record in order to view and ultimately tamper with that user’s data and permissions. Alternatively, attackers can manipulate metadata by replaying or tampering with a cookie to escalate privileges.

How to Mitigate Broken Access Control?

· Conduct frequent penetration testing to search for access control flaws within web applications and make necessary adaptations based on pen testing findings.

· Alert on repeated failed access control attempts so that blacklisting or other measures can be taken to prevent future attempts.
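An added example, not from the original post, of the object-level check that defeats the primary-key and HTTP-method probing described above, with denials recorded so that repeated attempts can be alerted on. The user/record model, the policy (admins read anything, writes are owner-only) and the alert threshold are assumptions for the demo.

```python
from dataclasses import dataclass

class AccessDenied(Exception):
    pass

@dataclass
class User:
    name: str
    role: str          # "user" or "admin"

@dataclass
class Record:
    id: int
    owner: str
    data: str

# Constructed sample data store and a stand-in for the alerting pipeline.
RECORDS = {1: Record(1, "alice", "alice's invoice"),
           2: Record(2, "bob", "bob's invoice")}
denied_log = []

def authorize(actor, method, record_id):
    """Object-level check on every request: the decision uses the record's real
    owner from the store, never the ID or role the client claims. Admins may
    read any record; PUT/DELETE are owner-only. Denials are logged so repeated
    attempts (e.g. a client walking through record IDs) can trigger an alert."""
    record = RECORDS.get(record_id)
    if record is None:
        raise AccessDenied("no such record")
    if method == "GET" and (record.owner == actor.name or actor.role == "admin"):
        return record
    if method in ("PUT", "DELETE") and record.owner == actor.name:
        return record
    denied_log.append((actor.name, method, record_id))
    raise AccessDenied(f"{actor.name} may not {method} record {record_id}")

def is_allowed(actor, method, record_id):
    """Boolean wrapper for callers that only need the verdict."""
    try:
        authorize(actor, method, record_id)
        return True
    except AccessDenied:
        return False

def repeated_denials(actor_name, threshold=3):
    """Alerting hook: True once an actor has been denied `threshold` times."""
    return sum(1 for name, _, _ in denied_log if name == actor_name) >= threshold
```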

6. Security Misconfiguration

What is Security Misconfiguration?

Security misconfigurations occur when underlying weaknesses in a service, software, process, or database lead to exploitation. For instance, a quick Google search can reveal the default credentials of a particular computing device that are still in use from the manufacturer’s settings. To make matters worse, default credentials on admin-level accounts can lead to organization-wide compromise. Alternatively, failing to apply the latest security configurations and updates to software and frameworks leaves their vulnerabilities open to exploitation.

How to Mitigate Security Misconfiguration?

· Identify and convert all default passwords to unique passwords aligned with the organization’s password policy.

· Automate continuous scanning to detect security misconfigurations in the environment.

7. Cross-Site Scripting (XSS)

What is XSS?

Cross-Site Scripting is the second most common issue in the OWASP Top 10. Attackers exploit untrusted data rendered on a webpage and inject client-side scripts to steal a user session or gain unauthorized access to the system. Three common forms of XSS are (1) Reflected XSS, (2) Stored XSS, and (3) DOM XSS. Reflected XSS, also known as a non-persistent attack, occurs when a malicious script is executed through a link that sends a request to a vulnerable website, which reflects the script back and runs it. Stored XSS, also known as persistent XSS, occurs when attackers embed HTML tags in a vulnerable webpage’s comments section that automatically load a separate JavaScript file every time the compromised webpage is visited. Attackers can then use that JavaScript file to steal session cookies every time a user visits the page where the HTML tags were embedded. DOM XSS, also known as Document Object Model-based XSS, occurs when the DOM environment is modified in the victim’s browser so that the client-side code runs maliciously.

How to Mitigate XSS?

· Input validation must be used to prevent unauthorized code execution and manipulation that results in data leakage.

· Sanitizing data is a must, to remove untrusted data and characters such as HTML tags.
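An added example, not from the original post, of the stored-XSS comment scenario described above: a renderer that concatenates untrusted comment text into HTML beside one that encodes each value for its output context (text, attribute, URL). The comment template and the hostile sample values are constructed for the demo.

```python
import html
from urllib.parse import urlparse

def render_comment_vulnerable(author, text):
    """'Before' form: untrusted text goes straight into the HTML, so any tag
    in a stored comment becomes live markup for every later visitor."""
    return f"<p class=\"comment\"><b>{author}</b>: {text}</p>"

def safe_url(url):
    """Allow-list the href: only absolute http(s) URLs pass; anything else
    (including javascript: URLs) is replaced with a harmless '#'."""
    parsed = urlparse(url)
    return url if parsed.scheme in ("http", "https") and parsed.netloc else "#"

def render_comment_safe(author, text, homepage):
    """Encode for each output context: text nodes and attribute values are
    HTML-escaped (quote=True also escapes quotes, which matters inside
    attributes); the URL is allow-listed before it is escaped."""
    return (f"<p class=\"comment\">"
            f"<a href=\"{html.escape(safe_url(homepage), quote=True)}\">"
            f"{html.escape(author)}</a>: {html.escape(text)}</p>")
```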

8. Insecure Deserialization

What is Insecure Deserialization?

Insecure deserialization occurs when malicious data is used to exploit the logic of an application. Deserialization weaknesses can be severe enough to result in arbitrary remote code execution. Alternatively, adversaries can alter a serialized object in PHP to escalate privileges and ultimately make further malicious changes within the environment.

How to Mitigate Insecure Deserialization?

· Ensure the use of digital signatures to verify the integrity of any serialized objects.

· Audit and monitor network connectivity from containers or servers that perform deserialization.
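An added example, not from the original post, of the integrity check in the first mitigation above. It uses an HMAC-SHA256 tag (a keyed MAC rather than a public-key signature, which is the usual choice when the same server both writes and reads the object) over a JSON payload, and verifies the tag before anything is parsed. The secret key shown is a placeholder.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side secret; in practice it comes from a secrets manager.
SECRET_KEY = b"example-secret-do-not-use"

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def serialize_signed(obj, key=SECRET_KEY):
    """Serialize to JSON (plain data, no executable state), then append an
    HMAC-SHA256 tag over the exact bytes so any change is detectable."""
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def deserialize_verified(token, key=SECRET_KEY):
    """Check the tag BEFORE parsing: bytes reach the deserializer only if
    they were produced by a holder of the key. Raises ValueError otherwise."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        raise ValueError("malformed token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: object rejected")
    return json.loads(payload)

def is_valid(token, key=SECRET_KEY):
    """Boolean convenience wrapper around deserialize_verified."""
    try:
        deserialize_verified(token, key)
        return True
    except ValueError:
        return False
```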

9. Using Components with Known Vulnerabilities

What is Using Components with Known Vulnerabilities?

A web application is likely vulnerable to attack if the software or processes it relies on have previously discovered flaws. For instance, if a CVE (Common Vulnerabilities and Exposures) entry is released for a high-profile piece of processor software, but the organization continues to use it without patching, it is highly vulnerable to attack. Additionally, end-of-life products are particularly risky since no future software updates or patches will be released for them.

How to Mitigate Using Components with Known Vulnerabilities?

· Remove unused and unnecessary components of a product to reduce the attack surface.

· Verify the legitimacy of updates and patches to ensure the authenticity of the product. Confirming the existence of digital signatures will help.

· Actively use a vulnerability scanner to identify and remediate the most critical and urgent CVEs within your environment.

10. Insufficient Logging and Monitoring

What is Insufficient Logging and Monitoring?

Weak threat detection and incident response efforts inevitably result in inadequate proactive and reactive measures against malicious behavior within the environment. Without real-time logging and alerting on malicious behavior, attackers can quickly gain access undetected and cause significant damage before the security team is made aware.

How to Mitigate Insufficient Logging and Monitoring?

· Establish precise threat detection and incident response playbooks to ensure clarity and decisiveness in the event of an alert.

· Launch penetration testing efforts to test the blue team’s current level of effectiveness in logging and monitoring, and make necessary improvements.
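An added example, not from the original post, of the real-time alerting this section calls for: a single pass over authentication log lines that raises an alert when one source IP piles up failed logins and a higher-priority alert if that IP then succeeds. The log line format, thresholds and the sample log are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")
THRESHOLD = 5                  # failures from one IP...
WINDOW = timedelta(minutes=5)  # ...within this window raise an alert

def parse_line(line):
    """Return (timestamp, result, user, ip), or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]

def detect(lines):
    """Single pass over the log. Alert when an IP reaches THRESHOLD failures
    inside WINDOW, and again if that IP then logs in successfully: a likely
    credential-stuffing hit that needs an incident ticket, not just a note."""
    failures = defaultdict(list)          # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        recent = [t for t in failures[ip] if ts - t <= WINDOW]
        if result == "FAIL":
            recent.append(ts)
            if len(recent) == THRESHOLD:
                alerts.append(("BRUTE_FORCE", ip, user, ts))
        elif len(recent) >= THRESHOLD:
            alerts.append(("SUCCESS_AFTER_FAILURES", ip, user, ts))
        failures[ip] = recent
    return alerts

# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z login FAIL user=alice ip=203.0.113.5
2024-03-01T09:00:05Z login FAIL user=alice ip=203.0.113.5
2024-03-01T09:00:12Z login FAIL user=admin ip=203.0.113.5
2024-03-01T09:00:20Z login FAIL user=alice ip=203.0.113.5
2024-03-01T09:00:31Z login FAIL user=alice ip=203.0.113.5
2024-03-01T09:01:00Z login OK user=alice ip=203.0.113.5
2024-03-01T09:02:00Z login FAIL user=bob ip=198.51.100.7
2024-03-01T09:03:00Z login OK user=bob ip=198.51.100.7
"""
```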

Eric Chow

A 3rd-year undergrad student at Cal Poly SLO with an ambition to blog about the lessons I've learned in the realm of cybersecurity.