Over the last few years, more than 10,000 Open Web Application Security Project (OWASP) vulnerabilities have been reported into the Common Vulnerabilities and Exposures (CVE®) database each year. This is a list of common identifiers for publicly known cybersecurity vulnerabilities. Currently, CVE has close to 130,000 vulnerabilities as of January 2020. You might be wondering whether we need more than 100,000 test cases to see that our application is secure. We need to evaluate cost and schedule impact for testing all possible test cases.

The cost of a data breach has risen 12% over the past 5 years and now costs $3.92 million on average as per IBM Security report. Verizon data breach report findings include interesting facts about software security attacks. It says more than 70% of breaches were carried out by outsiders. 76% of breaches were financially motivated. Nearly 68% of cases, It took months to find them.

Source: Cost of a Data Breach: 2014 – 2019 from IBM Study

Risk-based security claims that more than 4 billion records got exposed due to data breaches in 2019. It’s not going to be surprising news to see more reports of its kind due to lapse in software security and lack of awareness about security.

It is not going to be a pleasant experience when our company name appears in news for the wrong reasons. We tend to think about whether we can prevent our company name from appearing in headlines for failing to protect customer data. We don’t have much idea about security flaws and vulnerabilities in a typical web application. We might plan to test all possible scenarios with respect to security before releasing web applications to public usage.

I used to work as part of a customer acceptance software testing team. We used to get tested software from vendors who had tested the software for multiple weeks. We had to test the software for a couple of days before deciding to push the software into the live environment. That’s the time we could afford for testing.

My manager used to follow a simple method. He used to get first-hand information about the quality of software within ten minutes by testing five to ten test cases. I wish I knew all aspects of web application security issues faced by every project so I could choose a few test cases for a preliminary check of my web application security.

What is OWASP?

Open Web Application Security Project (OWASP) is an open community dedicated to raising awareness about security. OWASP created the top 10 lists for various categories in security. We are going to see OWASP standard awareness document to identify top OWASP vulnerabilities in web application security.OWASP published a list of Top 10 web application risks in 2003.

This list is getting updated regularly based on inputs received from companies, independent security consultants and community. OWASP Top 10 current version is from 2017. Though we can’t detect all issues in our application, we can minimize the impact due to security flaws significantly by following guidelines such as OWASP.

Using the OWASP vulnerabilities top 10 is taking perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.

Top 10 OWASP vulnerabilities

Source: The Ten Most Critical Web Application Security Risks from OWASP

We will see the description for each OWASP vulnerability with an example scenario and prevention mechanisms. The OWASP vulnerabilities top 10 list consists of the 10 most seen application vulnerabilities.

1. Injection

Attacker can provide hostile data as input into applications. Applications will process the data without realizing the hidden agenda. This will result in executing unintended commands or accessing data without proper authorization.

SQL injection, LDAP injection are well-known attacks.

Example

In a web application, the following SQL statement is used to get a record that belongs to a particular user.  Let us assume the user would enter user id and password in the login screen.

String query = “SELECT * FROM Users

WHERE UseID = ’ ” + request.getParameter(“id”) +” ’ ”;

This query is supposed to return the record that belongs to a particular user.

Suppose the user enters 2’ or 1 = 1’ as id then query will be modified into

String query = “SELECT * FROM Users WHERE UseID = ’ 2’ or 1 = 1 ”;

In the above case, this query would return all records in the table instead of a particular user. Hence you would get access to other personal data.

How to prevent

Use server-side validation.

2. Broken authentication

Application functions related to authentication and session management are often implemented incorrectly so they allow anyone to assume other users’ identities temporarily or permanently.

Attackers could compromise passwords, keys, or session tokens.

Example

Applications session timeout is not handled properly. A user is doing some activity in an online banking application. Then the user closes the browser tab instead of doing “log out” and moves out of the place.  If someone else opens the same browser after some time then they will have access to the previous user bank account.

How to prevent

Use a server-side, secure built-in session manager that invalidates session ID after idle and timeouts.

3. Sensitive data exposure

Security precautions should be given to data in rest as well as data in transit. Data can be seen when it’s stored in hard disk or when it’s sent over the network as well. Many web applications do not protect the data properly. Attackers expose the weekly protected data using simple methods.

Attackers could steal sensitive data such as credit cards, passwords, etc.

Example

A simple example is Password is sent as plain text format in the network. Attackers can monitor the network and intercept the traffic using tools if required to get the details.

How to prevent

Apply security controls based on security standards such as PCI-DSS

4. XML External Entities (XXE)

Many old or poorly configured XML processors take XML file as an input. Attackers can include hostile content in the XML file so that they can extract data or execute commands.

Example

POST http://example.com/xml HTTP/1.1

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE foo [

<!ELEMENT foo ANY>

<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

<foo> &xxe; </foo>

This XML file will get a password file from the server.

How to prevent

Upgrade all XML processors

5. Broken access control

Web applications support multiple roles in the operation. For example, there would be roles such as admin, regular user, manager, etc. Attackers can exploit flaws in implementation so that they can gain privileges to access data and perform operations where they don’t have authorization.

Example

An attacker can simply try to browse different URLs.

http://www.example.com/app/getappinfo

The next URL can be accessed by admin only.

http://www.example.com/app/admin_getappinfo

If attacker doesn’t have admin privilege but he is able to access admin privileged pages then there is a security flaw.

How to prevent

Public pages can be accessible to everyone. Access to other pages should be prevented by default.

Disable webserver directory listing

6. Security misconfiguration

Security misconfiguration is the most commonly seen issue. When we install new software users don’t change the default user account username and password. Sometimes users don’t update recent patches for security flaws.

Example

The application server comes with example applications. They are not uninstalled from the production server. Attackers can use known security flaws in the application to gain control of the production server.

How to prevent

Remove or do not install unused features and frameworks. Use a minimum platform without samples, documentation in the server. Please ensure that the default password is changed when you started to use the application.

7. Cross-Site Scripting (XSS)

XSS attack allows attackers to run javascript code into victim’s browser

Example

Attackers could send an email to a victim that appears to be from a trusted company. The link could contain malicious javascript code. When a victim clicks this link, the javascript code collects information from the victim and sends data to the attacker website in the background. The victim will not be aware of the activity.

How to prevent

Escaping untrusted HTTP requests and validating user-generated content.

 8. Insecure deserialization

Serialization is the process of converting an object into a stream of bytes so that it can be restored later. As part of deserialization, the object can be restored into its original state. Therefore, neutralizing the OWASP vulnerability.

Example

Suppose we store user id, password, and role for the given user in a cookie. This cookie can be serialized as an object. Attacker could change serialized objects and put the attacker’s role as an admin user. In this case when object is deserialized the attacker would get admin privileges.

How to prevent

Not to accept serialized objects from untrusted sources. If this is not possible, then implement integrity checks such as digital signatures on any serialized objects.

9. Using components with known vulnerabilities

Each application is made of multiple components such as libraries, software modules, and other frameworks. These components run with the same privileges as the application. If a component has known vulnerability then attackers can exploit the component first then the entire application.

Example

There are automated software tools available that will find the systems that are not patched and misconfigured.

How to prevent

Only obtain components from official sources over secure links

 10. Insufficient logging & monitoring

Insufficient logging and monitoring allow hackers to experiment with hacking activities without being detected for a long time.

Example

A major US retailer reported that their internal malware analysis sandbox software had detected potentially unwanted sandbox software but no one responded to this detection. The sandbox was producing warnings for some time before the breach.

How to prevent

Establish or adopt an incident response and recovery plan.

As we have seen a quick overview of the top ten vulnerabilities, Let me provide one more perspective to see the need for security awareness irrespective of your current role in your organization.

Demand for cybersecurity skills

The current trend of bringing more people into the internet fuels sales of millions of consumer devices and establishing connectivity to different software applications. This trend results in challenges to scale applications to cater to thousands of users in addition to keeping robustness of software and adding more features to applications.

Every year there are new software tools and frameworks get introduced in industry to meet the needs of software development and maintenance. Security is often ignored in the development process as it involves additional cost and schedule impact. Insecure software may result in loss of goodwill and brand value for a company

In the past companies released software to live environments without any planned proactive effort.  Most of the time hackers exploit the vulnerabilities in the software and make use of them for their benefits. Sometimes security flaws are exposed by users accidentally.

Over a period of time companies learned to handle things proactively and make sure that most of the security-related issues are addressed before releasing into the live environment. Companies use Ethical hacking and penetration testing activities to identify security flaws in their software before it goes to the public. This approach saves time and costs to solve the issues. Companies started to integrate security into DevOps activities and bring DecSecOps based activities into action.

If you are new to web application security then the Top 10 guidelines on OWASP vulnerabilities should be your first step. If you are experienced, please ensure that you don’t skip the first step in your application with the assumption that your team would have taken care of OWASP Top 10 by default.  As per Burning Glass study, there is an increasing demand for cybersecurity professionals as shown below.

Source: The state of Cybersecurity Hiring from Burning-glass