OWASP (abbreviation: Open Web Application Security Project) is an open-source community that aims to provide directions and mitigations to address web-related vulnerabilities. In today’s modern world, we could observe attackers taking advantage of application or software vulnerabilities, which leads to initial access within the organization’s environment. OWASP releases its vulnerabilities once every four years and lets us know of any updates or new additions in their subsequent versions. Ideally, as a blue teamer, we can configure certain use cases that could detect certain web application exploits about the OWASP top 10 vulnerabilities. Let’s explore each one of them in this article.<\/p>\n
Broken access control has obtained a top spot in the latest OWASP publication in the year 2021. Broken access control is ideally a flaw in the application that allows attackers to access sensitive data and simultaneously edit or delete sensitive data on the website.<\/p>\n
For example, in 2014, SnapChat’s broken access control vulnerability gave hackers access to their usernames, passwords, phone numbers, and locations, which they then leaked online.<\/p>\n
Broken access control can be prevented by the following methods:<\/p>\n
\n
\n
Previously named “Sensitive Data Exposure,” cryptographic failure is a failure to protect customer personal identifiable information, eventually leading to exposure online, such as on the dark web. It is a common vulnerability that has been exposed for quite some time, and it is still prevalent despite the latest developments in malware.<\/p>\n
\n
For example, if a bank website is compromised, credit card numbers, social security numbers, etc. will be exposed if attackers exploit the SQL injection vulnerability in the backend SQL server.<\/p>\n
\n
Cryptographic failures can be prevented by:<\/p>\n
\n
\n
Injection-based attacks are one of the oldest or most common attacks in the wild used by attackers. Attackers often rely on servers that store sensitive information and extract sensitive information from the servers. One of the most common yet popular injection attacks is SQL injection. SQL injection attacks work by injecting malicious code by the attacker, making the application or SQL server function in a way as per the intent of the attacker, and finally achieving their end goal objective.<\/p>\n
\n
For example, whenever a user enters their username and password to login to a website, the server must sanitize the input to avoid SQL injection that may compromise it. Let’s say that the SQL server is vulnerable to SQL injection now if the user’s password is “password.” Now the SQL server must understand the difference between zero and the alphabet ‘O’. If it is unable to identify the attacker, they can enter the password, like “password,” leading to a compromise and eventually carrying out malicious activities for the server on behalf of the user.<\/p>\n
\n
To prevent injection attacks:<\/p>\n
\n
\n
Insecure design is about poor planning in the initial phase of the software development cycle. It is about failure to consider attack vectors and risks and poor implementation of software. Insecure design of application paves way for attackers who can exploit and expose sensitive data of users.<\/p>\n
\n
Examples include ignorance of failed login attempts for admin accounts and the usage of the default admin URL, which allows attackers to attack and take control over admin accounts.<\/p>\n
\n
Prevention of insecure design can be attained in the following ways:<\/p>\n
\n
\n
\n
As the name suggests, the misconfiguration of security controls within organizations can lead to a potential compromise of organizational networks. The security misconfigurations include unpatched vulnerabilities, default configurations, unprotected files and directories, unnecessary services etc.<\/p>\n
\n
Examples include CMS applications that keep default CMS configurations, allowing attackers to target the application data. Most security misconfiguration attacks can be prevented by changing to custom settings from default settings. In some cases, there could be a direct traversal attack where the attacker can use ‘..\/’ to navigate to the home directory, take control of the application’s functionality, and download application-related packages. For example, https:\/\/example.com<\/a> ..\/..\/..\/ can take the application home directory or grant unauthorized access to attackers.<\/p>\n \n \n Prevention measures include:<\/p>\n \n \n Missing an important security update can wreak havoc on the organization. An application has backend code, front-end code, plugins, etc. that make it function as intended. Failure to update any one of these can lead to compromised user-related data.<\/p>\n \n Examples include the recent MoveIT transfer vulnerability, which put thousands of organizations at risk. Similarly, Outlook vulnerability 2023-23397 was the talk of the town in the cyber world this year, where an attacker can send specially crafted emails to activate SMB shares, which is possible without user interaction.<\/p>\n \n Prevention measures include:<\/p>\n \n \n \n Previously named “Broken Authentication,” the vulnerability can exploit any account and allow or pave the way for an attacker to penetrate the network. In an application or website, broken authentication refers to a bug in the application authentication mechanism leading to account compromise.<\/p>\n \n\n
Vulnerable and Outdated Components:<\/h3>\n
\n
Identification and Authentication Failures:<\/h3>\n