Frequently Asked Questions
The Open Web Application Security Project (OWASP) is a non-profit foundation that works to improve the security of software. OWASP is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. OWASP is widely known for its OWASP Top 10.
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. The report is put together by a team of security experts from all over the world. Below are the current OWASP Top 10 Vulnerabilities 2020.
Injection vulnerabilities occur when untrusted user input is sent to an interpreter as part of a command or query. This can result in unintended queries or commands being executed, which can give a user access to data without proper authorization. Such injections include SQL, NoSQL, OS, and LDAP injection.
To remedy the vulnerability, make sure all user input is validated and sanitized. This means certain user data will no longer be accepted by the application, which usually prevents an attacker from crafting the input required to perform an injection attack.
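Added example (not code from the original page): the SQL injection case above shown as a vulnerable query beside its hardened form in Python's standard library. It goes one step beyond the text's validate-and-sanitize advice by using a bound parameter, and the table, users and allow-list pattern are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: two users in an in-memory table.
SAMPLE_USERS = [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # VULNERABLE: the input is spliced into the SQL text, so the database
    # engine cannot tell the user's data apart from the query itself.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # FIXED: a bound parameter travels separately from the query text and is
    # always treated as a value, never as SQL.
    sql = "SELECT id, name FROM users WHERE name = ? ORDER BY id"
    return conn.execute(sql, (name,)).fetchall()


# Assumed allow-list for usernames: lowercase letter, then up to 31 word characters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def is_valid_username(name: str) -> bool:
    # Allow-list validation rejects anything that is not a plausible username
    # before it reaches the database at all.
    return USERNAME_RE.fullmatch(name) is not None


# Constructed input that closes the quoted literal and appends an always-true condition.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe query, tautology input:", find_user_unsafe(db, TAUTOLOGY))  # every row
    print("safe query, tautology input:  ", find_user_safe(db, TAUTOLOGY))    # no rows
    print("allow-list accepts it?        ", is_valid_username(TAUTOLOGY))     # False
```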
To validate a user, most sites require the user to authenticate (log in) to the application. However, weaknesses in authentication and session management can let attackers gain access to user accounts, which is made worse if the account has admin privileges.
To prevent this, applications now use two-factor authentication and limit the number of incorrect password attempts a user may make when logging in.
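Added example (not the page's code) of the login limit described above, using only Python's standard library: failures are counted per account, the account is locked for a window after a fixed number of consecutive failures, and the password check uses a salted PBKDF2 hash with a constant-time comparison. The thresholds, lockout length and sample account are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # assumption: consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60   # assumption: how long the lock lasts
ITERATIONS = 600_000        # PBKDF2-HMAC-SHA256 work factor


def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Also hashed for unknown usernames, so a missing account costs the same time as a wrong password.
DUMMY_SALT, DUMMY_DIGEST = hash_password("not-a-real-password")


class LoginService:
    def __init__(self, now=time.monotonic):
        self.now = now        # injectable clock so the lockout window can be exercised
        self.users = {}       # username -> (salt, digest)
        self.failures = {}    # username -> (consecutive failures, locked_until)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> str:
        count, locked_until = self.failures.get(username, (0, 0.0))
        if locked_until > self.now():
            return "locked"   # refused while locked, even with the right password
        record = self.users.get(username)
        salt, expected = record if record else (DUMMY_SALT, DUMMY_DIGEST)
        _, actual = hash_password(password, salt)
        if record is not None and hmac.compare_digest(actual, expected):
            self.failures.pop(username, None)   # success resets the counter
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.failures[username] = (count, self.now() + LOCKOUT_SECONDS)
            return "locked"
        self.failures[username] = (count, 0.0)
        return "denied"
```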
Within an application a user can store a lot of sensitive data, such as Social Security numbers, financial details (credit card information) and passwords. If the application does not protect this data correctly, an attacker can gain access to it and use it for their own benefit, for example identity theft.
This is why it is important to have extra protection in place, such as encrypting all sensitive data and ensuring caching is disabled for all sensitive data.
Applications that parse XML input can be vulnerable to this attack. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser, and it can lead to disclosure of confidential data, denial of service and server-side request forgery.
To fix the vulnerability, use less complex data formats such as JSON whenever possible and avoid serialization of sensitive data. Also, patch or upgrade all XML processors and libraries in use by the application or on the operating system.
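Added example (not from the page) of a defensively configured parse in Python's standard library: the document is scanned with an expat parser that aborts on the first DOCTYPE or entity declaration, which is where external entity references are defined, and only a DTD-free document is built into a tree. The sample documents are constructed here.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD, the only place external entities can be declared."""


def parse_xml_no_dtd(data: bytes) -> ET.Element:
    # Pass 1: a bare expat parser that only listens for DTD constructs and
    # raises on the first one, before any entity could be resolved.
    scanner = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE for <{name}> not accepted")

    def on_entity_decl(*_args):
        raise UnsafeXML("entity declarations not accepted")

    scanner.StartDoctypeDeclHandler = on_doctype
    scanner.EntityDeclHandler = on_entity_decl
    scanner.Parse(data, True)
    # Pass 2: the document has no DTD, so build the tree normally.
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    try:
        parse_xml_no_dtd(data)
        return True
    except UnsafeXML:
        return False


# Constructed sample documents.
PLAIN_DOC = b"<order><id>42</id><item>widget</item></order>"
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///example/secret">]>'
           b"<order><id>&ext;</id></order>")
DTD_ONLY_DOC = b"<!DOCTYPE order><order><id>1</id></order>"

if __name__ == "__main__":
    print("plain document accepted:", is_safe_xml(PLAIN_DOC))   # True
    print("external entity doc:    ", is_safe_xml(XXE_DOC))     # False
    print("bare DOCTYPE doc:       ", is_safe_xml(DTD_ONLY_DOC))  # False
```

The policy is deliberately strict: any DOCTYPE is refused, not just one that declares entities, since legitimate data-exchange documents rarely need one.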
When a user authenticates to the application, they should only be allowed to access content and functionality for their user level; for example, a normal user should never be able to access admin functionality. However, these restrictions are not always enforced, which allows normal users to use functionality or view content as if they were a privileged user.
To remedy this, ensure access controls are in place so the user can only see content appropriate for them. This is usually done on the server side so the user cannot alter their own status.
One of the most common vulnerabilities on the list, Security Misconfiguration can result from insecure default configurations, misconfigured HTTP headers and verbose error messages containing sensitive information.
Each application should be securely configured and updated regularly, and its error messages should be general and disclose no sensitive information.
This is why it is important to validate and/or sanitize user input so that it is not possible to inject malicious code into the application.
Insecure deserialization is when user-controllable data is deserialized by a website. This potentially enables an attacker to manipulate serialized objects in order to pass harmful data into the application code, which can lead to remote code execution, injection attacks and privilege escalation.
The best way to remedy this sort of attack is to prohibit the deserialization of data from untrusted sources.
Applications can use many components, such as libraries, frameworks, and other software modules that run within the application. Should any of these components become vulnerable, it can affect the whole application and result in data loss or server takeover.
To remedy this, ensure any components no longer used within an application are removed, while also ensuring the ones in use come from trusted sources and are updated regularly.
Insufficient Logging and Monitoring allows an attacker to carry out a prolonged attack without their actions being noticed. Most breach studies show time to detect a breach is over 200 days, and breaches are typically detected by external parties rather than by internal processes or monitoring.
WhiteHat Top 40 refers to the list of the 40 most common and prevalent vulnerabilities found in applications scanned by the WhiteHat Sentinel platform, using both static and dynamic analysis.
The vulnerabilities on this list occur most frequently and are often easy to exploit, allowing hackers to breach your applications, steal your data, and cause business and reputation damage.
This list also includes the OWASP Top 10 vulnerabilities.
To learn more about these vulnerabilities, check out our application security terminology glossary.
Web application attacks represent the greatest threat to a business, thus using both dynamic analysis and static analysis in tandem is essential for application security effectiveness. The best practice to avoid application vulnerabilities is to avoid creating them in the first place by utilizing secure coding training and monitoring applications for security flaws, as developers are creating code.