The digital landscape that connects you to your customers and users also exposes you to potential threats from various attack vectors.
Web application security focuses on attack points surrounding websites, web applications, and web services, such as APIs. And to identify weak security points and close them before a bad actor can do damage, you need visibility into the most important web application risks.
Many developers and security practitioners use the “OWASP Top 10” to ensure they address the top web application security risks. This framework describes the most-common web application threats—and the steps organizations should take to mitigate them.
What Is the OWASP Top 10?
The OWASP Top 10 is a project of the Open Web Application Security Project (OWASP), a nonprofit foundation with a mission to improve software security. The grass-roots organization, which has tens of thousands of members globally, undertakes a variety of community-led, open-source projects. It also provides free education and training resources, along with events hosted by many of its hundreds of chapters worldwide.
OWASP released its first Top 10 version in 2003. Since then, it has updated the list several times to reflect the evolution of web application technologies and architectures. The current version is based on a revamped methodology, and reflects changes in microservices, JavaScript, and other developments. This version of OWASP 10, released after extensive feedback from the OWASP community, includes several new and merged categories, while other categories were dropped altogether.
OWASP based its new version on data from more than 40 firms that specialize in application security, as well as a survey of more than 500 industry professionals. It gathered data from more than 100,000 APIs and real-world applications and from hundreds of organizations.
According to OWASP, while the original goal of the project was to raise awareness among developers and managers, the list has become “the de factor application security standard.” For organizations that want to improve their web application security, the OWASP 10 is a great place to start.
What You Should Know About the OWASP 10
The OWASP model considers the following five threat agents when classifying risks:
- Exploitability
- Weakness prevalence
- Weakness detectability
- Technical impacts
- Business impacts
Each of these components is ranked from 1 to 3, with 3 indicating the highest risk—meaning the threat is widespread, weaknesses easy to detect and exploit, and technical impacts are severe.
10 Risks From the Most Recent OWASP List
1. Injection Flaws
Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. injection weaknesses are highly detectable and exploitable, and can come from almost any data source, including web services and users. Examples of injections with possible flaws include SQL, NoSQL, OS, and LDAP injections.
Injection flaws are especially prevalent in legacy code that’s often unsupported. In a SQL injection (a common tactic), an attacker could change parameter values in the browser to return all records in a table, or to modify or delete data.
The best way to detect an injection is to review the source code, as well as conduct automated tests of all parameters. You can also prevent an injection by using a safe API or another means to separate the data from the commands and the queries.
2. Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or enabling them to exploit other implementation flaws to assume other users’ identities, temporarily or permanently.
This weakness has a technical impact of 3, or severe, because attackers can obtain hundreds of millions of compromised credentials to perform brute force attacks, credential stuffing, and other authentication-related attacks. And all it takes is access to a few compromised accounts for attackers to work their way through the entire system.
You can mitigate broken authentication risks by implementing multi-factor authentication, adopting password management best practices, and using a server-side secure session manager.
3. Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and personally identifiable information (PII). Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
Sensitive data exposure is highly prevalent, and typically involves a manual attack or some form of human action. One common scenario is when an attacker leverages weak encryption or lack of TLS enforcement to monitor network traffic, intercept a connection, steal the session cookie, and then use the authenticated session to steal data or alter a transaction.
You can prevent sensitive data exposure with strategies that involve strong encryption protocols for data at rest and in transmission, and disabling caching of sensitive data.
4. XML External Entities (XXE)
Older or poorly configured XML processors evaluate external entity references within XML documents.
An attacker can use an XXE flaw for executing remote server requests, exfiltrating data, launching a denial-of-service attack, and more. Applications or XML-based services that could be vulnerable include those that use SAML for identity management, as well as older versions of SOAP.
To prevent these types of attacks, it’s imperative to use controls such as patching and web application firewalls.
5. Broken Access Control
Restrictions on privileges granted to authenticated users are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and data. They can access other users’ accounts, view sensitive files, modify other users’ data, and change access rights.
This is a common risk because many organizations don’t use automated detection of access control vulnerabilities. An attacker could, for example, bypass authorization and obtain privileged access by forcing a browser to go to a slightly altered target URL.
6. Security Misconfiguration
Security misconfiguration is the most commonly seen issue of all, and can occur at any level of the application stack. This is usually a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
A security misconfiguration could be caused internally, by a directory listing that’s not disabled on the server, for example. Or it could occur externally, like a cloud service provider that unwittingly leaves sharing permissions open by default to other users.
Not only do you need to securely configure all operating systems, frameworks, libraries, and applications, but you must also patch and upgrade them in a timely fashion.
For more, see Top 20 Security Controls
7. Cross-Site Scripting (XSS)
XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites. Threat actors have plenty of tools at their disposal to automate these attacks, which is one of the reasons this is the second most prevalent issue on the OWASP list. About two-thirds of all applications have this weakness, according to OWASP.
An attacker can hijack a user’s online session by using untrusted data in the application and sending the session ID to the attacker’s site. You can use automated tools to detect some XSS issues. Developers can also refer to OWASP’s cheat sheet, which provides strategies for preventing XSS.
8. Insecure Deserialization
These flaws can lead to remote code execution attacks—which are among the most serious. Although this weakness is very difficult to exploit, the industry survey that informed the most recent OWASP 10 release ranked it so high that the risk was included in the latest framework.
A vulnerability can result when an attacker supplies altered or hostile objects that the application or the API deserializes, which allows for actions such as modifying the application logic. Application security tools, such as those for penetration testing, are among the ways to defend against such attacks. Others include implementing digital signatures and similar integrity checks.
9. Using Components With Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. This is a widespread issue that has resulted in many large data breaches.
Attackers often exploit vulnerabilities in unsupported operating systems and vulnerable applications. The best defense is to implement an ongoing vulnerability management program that includes regular patching, monitoring security bulletins, and upgrading legacy systems.
10. Insufficient Logging And Monitoring
Insufficient logging and monitoring, coupled with ineffective—or a lack of—integration with incident response, allows bad actors to further attack systems, maintain persistence, pivot to additional systems, and tamper, extract, or destroy data. Almost every major incident is the result of this weakness, according to OWAPS, because it allows attackers to fly under the radar.
In a typical attack, threat actors first probe the application for vulnerabilities. This might involve a simple scan to find accounts with commonly used passwords to take over those accounts. These scans would log a failed login attempt, and auditing would reveal multiple false logins. If you’re not monitoring and auditing events, you’re giving attackers a big window to achieve their objectives.
How Arctic Wolf Can Help with OWASP
Unlike product-based alternatives that license web application scanning separately, OWASP top 10 web application security scanning is embedded within Arctic Wolf’s core security operations capabilities. This provides another layer of insight into your overall security posture, while enhancing the Arctic Wolf Concierge Security® Team’s ability to advance your security outcomes.
Our solutions include external scans against the OWASP web application security risks. We continuously scan your external web servers to detect and mitigate threats based on the OWASP top 10. Arctic Wolf shares the results of these scans with your through executive summaries, external vulnerability reports, and charts and graphs displayed in your dashboard.
Web application security continues to evolve. In 2020, OWASP collected new data for 2017-2019, and the data analysis will likely lead to an updated top 10 list. The Arctic Wolf team keeps abreast of these developments and we’ll continue to evolve our practices to ensure we address the latest standards.
For more information on Arctic Wolf security operations solutions, visit arcticwolf.com.
