OWASP (Open Web Application Security Project) is an open-source community that provides guidance and mitigations for web-related vulnerabilities. Today we routinely see attackers take advantage of application or software vulnerabilities to gain initial access to an organization's environment. OWASP releases its list of vulnerabilities once every four years and notes any updates or new additions in each subsequent version. As blue teamers, we can build detection use cases for exploitation attempts against the OWASP Top 10 vulnerabilities. Let's explore each of them in this article.
Broken Access Control:
Broken access control took the top spot in the latest OWASP publication, released in 2021. It is a flaw in an application that allows attackers to access sensitive data and, at the same time, edit or delete that data on the website.
For example, in 2014 a broken access control vulnerability at Snapchat gave hackers access to usernames, passwords, phone numbers, and locations, which they then leaked online.
Broken access control can be prevented by the following methods:
- The principle of least privilege
- Implementation of role-based access controls
- Auditing web servers for any unauthorized access
- Apply MFA to users across organizations.
Cryptographic Failures:
Previously named “Sensitive Data Exposure,” a cryptographic failure is a failure to protect customers' personally identifiable information, which eventually leads to its exposure online, for example on the dark web. It is a common vulnerability that has been known for quite some time, and it remains prevalent despite the latest developments in malware.
For example, if a bank website is compromised, credit card numbers, social security numbers, and so on will be exposed when attackers exploit a SQL injection vulnerability in the backend SQL server.
Cryptographic failures can be prevented by:
- Install SSL certificates to protect sensitive data from exposure in transit.
- Avoid storing sensitive data where possible, and classify the data you do store.
- Encrypt sensitive data in transit and at rest.
- Store passwords only as hashes, and salt them as an additional measure against password-based attacks.
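As an added example (not code from the original article), here is the salted, slow password hash from the last point in Python, next to the unsalted fast hash it replaces; the PBKDF2 iteration count and salt length are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters: PBKDF2-HMAC-SHA256 with a 16-byte random salt.
# The iteration count is illustrative; tune it to your own hardware.
ITERATIONS = 600_000
SALT_BYTES = 16

def weak_store(password: str) -> str:
    """The failure mode: an unsalted, fast hash. Two users with the same
    password get the same digest, and a leaked table is cheap to crack."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str) -> str:
    """Salted, slow hash for storage. Format: 'iterations$salt_hex$digest_hex'
    so the parameters travel with the record and can be raised later."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison does not leak how many bytes matched."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong", record))
```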
Injection:
Injection-based attacks are among the oldest and most common attacks in the wild. Attackers target servers that store sensitive information and extract that information from them. The most common injection attack is SQL injection: the attacker injects malicious input so that the application or SQL server behaves as the attacker intends, ultimately achieving the attacker's objective.
For example, whenever a user enters a username and password to log in to a website, the server must sanitize the input to avoid a SQL injection that could compromise it. Say the SQL server is vulnerable to SQL injection and the user's password is “password.” The SQL server must then be able to tell the digit zero apart from the letter ‘O’. If it cannot, the attacker can enter a password like “password,” leading to a compromise and eventually to malicious activity on the server on behalf of the user.
To prevent injection attacks:
- Use a safe API.
- Apply server-side validation of inputs to prevent unauthorized access.
- Patch servers and keep them up to date with the latest patches.
- Use LIMIT to prevent large data exposure.
- Sanitize user-supplied inputs and block execution if they look suspicious.
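An added example (not from the article) of the defect and its fix in Python with sqlite3: the first login function builds the statement by string concatenation, the second binds the same inputs as parameters and applies the LIMIT from the list above; the user table is constructed for the demonstration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """The defect: user input is concatenated into the statement, so a quote in
    the input ends the string literal and the rest becomes query logic."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone() is not None

def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """The fix: a parameterized query. The driver binds the values, so quotes
    in the input are only ever compared as data. LIMIT 1 bounds the result."""
    query = ("SELECT 1 FROM users WHERE username = ? AND password_hash = ? "
             "LIMIT 1")
    return conn.execute(query, (username, password_hash)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # the '1'='1 pattern the article quotes
    print("vulnerable:", login_vulnerable(db, "alice", probe))  # True: bypassed
    print("safe:      ", login_safe(db, "alice", probe))        # False: rejected
```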
Insecure Design:
Insecure design stems from poor planning in the initial phase of the software development cycle: failing to consider attack vectors and risks, and implementing software poorly. An insecurely designed application paves the way for attackers to exploit it and expose users' sensitive data.
Examples include ignoring failed login attempts for admin accounts and using the default admin URL, which lets attackers attack and take control of admin accounts.
Prevention of insecure design can be attained in the following ways:
- Planning during the initial phase of the software development cycle.
- Use of threat modeling to ensure all web application attacks are addressed and mitigated.
- Consider potential application risks and vectors depending on the functionality of the application.
Security Misconfigurations:
As the name suggests, misconfigured security controls within an organization can lead to a compromise of its networks. Security misconfigurations include unpatched vulnerabilities, default configurations, unprotected files and directories, unnecessary services, etc.
Examples include CMS applications that keep their default CMS configuration, allowing attackers to target the application's data. Most security misconfiguration attacks can be prevented by replacing default settings with custom ones. In some cases there can be a directory traversal attack, where the attacker uses ‘../’ to navigate to the home directory, take control of the application's functionality, and download application-related packages. For example, https://example.com ../../../ can reach the application's home directory or grant unauthorized access to attackers.
Prevention measures include:
- Adopt an automated process to verify any default configuration settings.
- Do not over-publish content about unnecessary features, updates, etc. on the website.
- Use an architecture with separation between components and containerization.
- Update applications to the latest version and audit storage permissions periodically.
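The ‘../’ traversal described above is stopped on the server side by resolving every requested path against the document root and refusing anything that lands outside it; this is an added Python example, not code from the article, and the root directory and the serve helper are assumptions.

```python
from pathlib import Path
from typing import Optional

def resolve_under_root(root: str, requested: str) -> Optional[Path]:
    """Map a user-supplied path onto the document root and return it only if
    the normalized result is still inside the root. Any escape via '../'
    segments (or a symlink pointing outside) yields None, so the caller can
    answer 403/404 instead of serving the file."""
    base = Path(root).resolve()
    # Drop a leading slash so an absolute request is treated as root-relative
    # rather than replacing the base directory outright.
    candidate = (base / requested.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base)   # raises ValueError when outside base
    except ValueError:
        return None
    return candidate

def serve(root: str, requested: str) -> str:
    """Minimal dispatcher showing the check in use (assumed helper, not a real server)."""
    target = resolve_under_root(root, requested)
    if target is None:
        return "403 Forbidden"
    return f"200 would serve {target}"

if __name__ == "__main__":
    print(serve("/srv/app/public", "css/site.css"))
    print(serve("/srv/app/public", "../../../etc/passwd"))
```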
Vulnerable and Outdated Components:
Missing an important security update can wreak havoc on an organization. An application consists of backend code, front-end code, plugins, etc. that make it function as intended. Failing to update any one of these can lead to a compromise of user-related data.
Examples include the recent MOVEit Transfer vulnerability, which put thousands of organizations at risk. Similarly, the Outlook vulnerability CVE-2023-23397 was the talk of the town in the cyber world this year: an attacker can send specially crafted emails to activate SMB shares, which is possible without user interaction.
Prevention measures include:
- Organizations can outsource these services to third-party vendors who handle the task of updating or patching the latest vulnerabilities according to industry standards.
- Monitor the National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVE) to keep track of the latest vulnerabilities and fixes.
- Always procure components from trusted sources.
- Delete the components that are not required.
Identification and Authentication Failures:
Previously named “Broken Authentication,” this vulnerability can be exploited against any account and paves the way for an attacker to penetrate the network. In an application or website, broken authentication refers to a bug in the application's authentication mechanism that leads to account compromise.
For example, say the admin can access the web page at the URL abc-admin/, which is visible to all users. A hacker who knows the admin URL of abc.com can then attempt to brute-force access to the admin page of the website and carry out malicious tasks such as dumping usernames and passwords, hacking the backend server, and penetrating the organization for lateral movement.
Prevention Measures:
- Implement MFA for all users across the organization.
- Use a strong password instead of using a default password like “Password1.”
- Avoid exposing session IDs in the URL.
- Implement privilege levels for admins for the tasks they are intended to do.
Software and Data Integrity Failures:
This is a new addition to the latest OWASP Top 10. It highlights an organization's inability to verify the authenticity of its software and data, which ultimately leads to compromise. Contributing factors include downloading plugins from untrusted sources, using code that does not verify the integrity of its source, etc.
Examples include the 2021 SolarWinds attack, in which the attackers delivered thousands of compromised copies of SolarWinds software, ultimately compromising systems at several organizations.
Prevention Measures:
- Always use software that is signed by a trusted authority.
- Use repositories or third-party vendors who can verify the legitimacy of repositories.
- Verify the hashes of the files that are being downloaded.
- Proper access control is needed to ensure data integrity.
Security Monitoring and Logging Failures:
Protecting organizational data is a critical part of any organization's goals. Although not every vulnerability has an immediate patch, organizations can still recognize an ongoing attack by reviewing or monitoring the logs from their various log sources.
Organizations must ensure that proper logging is in place so that any trace of compromise can be detected by configuring alerts that help stop the attack, and they must make sure no one is tampering with the logs or the log storage medium.
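The blue-team use case the article keeps coming back to (ignored failed admin logins in the Insecure Design section, the brute-forced abc-admin/ page in the Authentication section) as a concrete alert over access logs: an added Python example, not from the article, run over a constructed log sample with the admin prefix, threshold and window as assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not from any real system).
# Fields: timestamp, source IP, HTTP status, requested path.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 401 /abc-admin/login
2024-05-01T10:00:02 203.0.113.7 401 /abc-admin/login
2024-05-01T10:00:03 203.0.113.7 401 /abc-admin/login
2024-05-01T10:00:04 203.0.113.7 401 /abc-admin/login
2024-05-01T10:00:05 203.0.113.7 401 /abc-admin/login
2024-05-01T10:00:06 203.0.113.7 200 /abc-admin/login
2024-05-01T10:00:07 198.51.100.4 401 /abc-admin/login
2024-05-01T10:30:00 198.51.100.4 401 /abc-admin/login
2024-05-01T10:30:01 198.51.100.4 401 /shop/cart
"""

def parse_line(line: str):
    ts, ip, status, path = line.split()
    return datetime.fromisoformat(ts), ip, int(status), path

def detect_admin_bruteforce(log_text: str, threshold: int = 5,
                            window_seconds: int = 300,
                            admin_prefix: str = "/abc-admin/") -> dict:
    """Return {ip: {"failures": n, "success_after_burst": bool}} for each source
    with at least `threshold` failed admin logins inside a sliding window.
    A success right after the burst is the case to escalate first."""
    window = timedelta(seconds=window_seconds)
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, status, path = parse_line(line)
        if not path.startswith(admin_prefix):
            continue                      # only admin endpoints count here
        if status == 401:
            failures[ip].append(ts)
        elif status == 200:
            successes[ip].append(ts)
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            burst_end = times[i + threshold - 1]
            if burst_end - times[i] <= window:
                after = any(s > burst_end for s in successes[ip])
                alerts[ip] = {"failures": len(times), "success_after_burst": after}
                break
    return alerts
```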
Server-Side Request Forgery:
Server-side request forgery occurs when the server fetches a resource from a web server without validating the user-supplied URL. Attackers can exploit these vulnerabilities and even attempt SQL injection-based attacks, even where firewalls, VPNs, etc. are in place as a security layer.
For example, a hacker can use a SQL injection such as “https://abc.com/admin/’1’=’1”. The term “’1’=’1” is used to dump all the information on that website.
Preventive Measures:
- Sanitize user input.
- Disable unencrypted HTTP redirections.
- Use an allow list to specify the request format and filter out malicious requests.
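One way to apply the allow-list point before the server fetches a user-supplied URL, as an added Python example that is not part of the article; the permitted hostnames are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hostnames this service is permitted to fetch from (constructed for the example).
ALLOWED_HOSTS = {"images.example.com", "api.example.com"}

def validate_outbound_url(url: str) -> bool:
    """Allow-list check for a user-supplied URL before the server fetches it.
    Rejects non-https schemes, URLs carrying userinfo (a classic way to make
    'allowed@evil' look allowed), raw IP literals (loopback, private and
    link-local metadata addresses bypass a name-based list), non-default
    ports, and any host that is not explicitly listed."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False                  # an IP literal is never on the name list
    except ValueError:
        pass                          # not an IP literal, keep checking
    try:
        port = parts.port
    except ValueError:                # malformed port string
        return False
    if port not in (None, 443):
        return False
    return host.lower() in ALLOWED_HOSTS

if __name__ == "__main__":
    for u in ("https://images.example.com/cat.png", "https://127.0.0.1/admin",
              "https://images.example.com@evil.example/"):
        print(u, validate_outbound_url(u))
```

Because the check is applied to the URL as submitted, it must be repeated on every redirect target the fetch follows, which is why the previous point about disabling redirections matters.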
Conclusion:
In this article, we have seen the OWASP Top 10 vulnerabilities in detail, with examples and preventive measures. Organizations often lack visibility into these web application vulnerabilities and their potential impact. Although some of the attacks can be detected and prevented with a SIEM and a web application firewall, configuring the rules is a tedious process. Instead, organizations can use third-party vendors or service providers who offer services such as unified vulnerability management solutions, blue team services, and red team services, which together can prevent, detect, and respond to attacks, ensure vulnerabilities are patched faster, and stay ahead of attackers. Organizations can use these services to mitigate not only web-related attacks but also sophisticated attacks, as third-party service providers take care of deployment, configuration, and mitigation of vulnerabilities within budget and with agility.