Top 10 OWASP Vulnerabilities

Introducing OWASP Top 10 vulnerabilities

OWASP, short for Open Web Application Security Project, is an online community that provides information in the field of web application security. There you can find articles, documentation, methodologies, tools, and technologies on application security.

The OWASP Top 10 is a comprehensive report on the top 10 application security issues. This consensus-based report shows the risks, impacts, and countermeasures for these application vulnerabilities. Its prime goals are:

  • To give detail-oriented information to organizations & businesses about application security issues
  • To ensure enterprises put in place effective practices & programs to reduce security risks

Have a look:

OWASP Top 10 Vulnerabilities

| Security Risk | What Attackers Do | Impact |
| ---------- | ---------- | ---------- |
| Injection Flaws | Attackers send untrusted, text-based data through OS commands, SMTP headers, XML parsers, expression languages, and SQL, LDAP, XPath, or NoSQL queries. This exploits the targeted interpreter's syntax. | Data loss, access denial, data corruption, host takeover |
| Broken Authentication and Session Management | Attackers make use of flaws or leaks during session handling or authentication, including exposed accounts, exposed passwords, and exposed session IDs. | Hijacking of authorized users' credentials, impersonation of authorized users |
| Cross-Site Scripting | Attackers send untrusted text-based scripts through user-supplied input. These are automatically added to the HTML output, and the victim's browser unknowingly runs them (in scenarios where the HTML output lacks context-sensitive escaping). | User session hijacking, browser hijacking, website defacement, insertion of malicious content on sites, continuous redirection of users to malicious websites |
| Broken Access Control | Attackers change a parameter value to point at a resource the current user is not authorized to access. | Data exfiltration, data compromise, compromise of the accessed functionality |
| Security Misconfiguration | Attackers access unpatched flaws, default accounts, unused pages, unprotected files, and unprotected directories. | Data compromise, unauthorized access, compromise of the accessed functionality |
| Sensitive Data Exposure | Attackers steal the credentials of authorized users, run man-in-the-middle attacks, and take clear-text data off the server, from the user's browser, or in transit. | Compromise of sensitive data privacy, integrity compromise |
| Insufficient Attack Protection | Attackers scan and probe for weaknesses in both detection and prevention in APIs and applications, then exploit the discovered weakness. | Data compromise, functionality compromise |
| Cross-Site Request Forgery | Attackers do two things: create forged HTTP requests, and trick users into submitting them using techniques like image tags, iframes, cross-site scripting, etc. | Users are tricked into making state changes such as modifying data, making purchases, and updating accounts |
| Using Components with Known Vulnerabilities | Attackers scan and probe for weak components, then abuse the open weakness. | Exposure of sensitive data, cross-site scripting, broken access control |
| Underprotected APIs | Attackers reverse-engineer APIs by monitoring communications and examining client code. | Data theft, data destruction, data compromise, host takeover, illegal access |
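The Injection Flaws row above, as an added example that is not part of the original article: the same user lookup built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table so you can see how quote characters in untrusted input change what the interpreter executes. Table, column, and function names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory database standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, name):
    # Untrusted text is spliced into the SQL string, so a quote character in
    # `name` ends the literal and the rest becomes query syntax.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Bound parameter: the driver hands `name` to SQLite as data, never as syntax,
    # so the comparison is against the whole string, quotes included.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    benign = "bob"
    # Constructed input that closes the quoted literal and appends an always-true clause.
    crafted = "x' OR '1'='1"
    return {
        "vuln_benign": find_user_vulnerable(conn, benign),    # one row
        "vuln_crafted": find_user_vulnerable(conn, crafted),  # every row: the filter is bypassed
        "safe_benign": find_user_safe(conn, benign),          # one row
        "safe_crafted": find_user_safe(conn, crafted),        # no rows: no user has that literal name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The same pattern (data bound separately from syntax) is the countermeasure for the other interpreters in that row: LDAP and XPath filters, OS commands passed as argument arrays, and so on.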

The OWASP Top 10 vulnerabilities listed above arise for the following reasons:

  • Attack Vectors Evolution
  • Automated Software Development Processes
  • Third-party Frameworks & Libraries Proliferation
  • Rapid Adoption of New Technologies (APIs, Cloud, Containers)

How to Deal with OWASP Top 10 Vulnerabilities?

Now that you know the most common OWASP Top 10 vulnerabilities, it's time to learn how to discover and eliminate the security issues OWASP identifies.

Stay tuned for Part 2: How to Deal with OWASP Top 10 Vulnerabilities? It will give you a deep understanding of how to handle these vulnerabilities.