The OWASP Top 10

A couple of weeks back, we discussed the OWASP Mobile Top 10, which covers the most common security issues in mobile applications. This week, we’re covering another OWASP Top 10 that focuses on web application security. This OWASP list was last updated in 2021, but the risks it covers are still incredibly relevant to the security of web apps. The top ten web app security risks are:

1. Broken Access Control

When access control is broken, it can result in unauthorized access to both systems and data. This can lead to information being disclosed, modified or destroyed without permission. Common access control failures include:

• Ignoring the principles of least privilege and deny by default. Ignoring these principles results in users having access to resources that they do not need, which ultimately increases the risks to the organization while providing no benefit.
• Having insecure direct object references. This issue allows users to view or edit another person’s account by providing the identifier.
• Lack of access controls for POST, PUT and DELETE, which can allow API access.

Common mitigation techniques include:

• Following the principle of least privilege and deny by default.
• Taking logs of failed sign-in attempts and sending alerts after a suspicious number of failures.
• Applying rate limiting to controller and API access, which hampers automated exploitation tools.

2. Cryptographic failures

If cryptographic protections fail, it can impact the confidentiality, integrity, availability and non-repudiation of data. Ultimately, improper cryptography can result in data breaches, data tampering, and a range of other issues. This can lead to regulatory violations and the heavy costs associated with them.

Appropriate algorithms need to be implemented correctly in order to protect data. This applies when sensitive data is in motion, at rest, and sometimes even when data is in use. Best practices to prevent cryptographic failures include:

• Using secure protocols like HTTPS.
• Only using up-to-date cryptographic algorithms and ensuring that they are implemented correctly.
• Using strong keys and managing them securely.

3. Injection

Injections can occur when user inputs aren’t sanitized or validated. One of the most common types is SQL injection, but there are other forms as well. Injection vulnerabilities can be detected by reviewing the source code and using automated testing on inputs. Sanitization and validation must be employed correctly to prevent attackers from being able to send through malicious inputs.

4. Insecure Design

5. Security misconfiguration

There are a wide range of security misconfigurations. These include:

• Unnecessary accounts, privileges, services, pages, ports and other features. Each unnecessary feature increases the attack surface area.
• Using default accounts and passwords.
• Lack of security hardening and improperly configured permissions.
• Outdated software.

Due to the varied nature of security misconfigurations, there is a wide range of different mitigation techniques. These include hardening and implementing strong security baselines, keeping software up-to-date, as well as using strong and unique passwords.

6. Vulnerable and outdated components

Common problems include:

• Using unsupported, out of date, or vulnerable software.
• Not being aware of the latest security issues for the components your organization uses. This can be mitigated by subscribing to security bulletins for your components, and scanning for vulnerabilities.
• Vulnerabilities caused by updated or patched libraries that have not been properly tested.
• If patches aren’t applied in a timely and risk-based fashion.

7. Identification and authentication failures

We must have appropriate mechanisms in place to authenticate user identity and manage their sessions securely. Vulnerabilities in this area can lead to unauthorized access to our systems and data. Common issues include:

• Using weak passwords.
• Not hashing and storing passwords securely.
• Lack of multi-factor authentication.
• Allowing unlimited login attempts, which permits brute-forcing passwords and other attacks.
• Using vulnerable processes for account recovery.

8. Software and data integrity failures

If we want to be confident in our software’s security, we must be able to verify its integrity. One of the major issues involves using modules, libraries or plugins that come from untrusted sources. If our software relies on components that we can’t trust, then it opens up the door for unauthorized access and system compromise. We should use and verify digital signatures to ensure that our software is legitimate and was developed by trusted sources. Another option is to use a software supply chain security tool.

9. Security logging and monitoring failures

Monitoring and logging are critical for detecting and responding to security incidents. Ideal monitoring and logging practices vary between organizations and situations. The best approach is to conduct a risk assessment and use it to decide where and in which circumstances activity should be monitored and logged. Common monitoring and logging issues include:

• Not logging failed login attempts or sending alerts after a suspicious number of attempts.
• Not backing up logs.
• Poorly tuned monitoring tools. If the tools send out too many false positives, the security team may become fatigued and ignore an alert that turns out to be a true positive. On the opposite side of the spectrum, monitoring tools that aren’t sensitive enough could miss an ongoing attack.

10. Server-side request forgery (SSRF)

Server-side request forgery (SSRF) involves an attacker crafting a request to an unexpected destination, allowing them to bypass protections. SSRF occurs when user-supplied URLs aren’t sanitized and validated appropriately. Other solutions include following deny-by-default firewall policies and disabling HTTP redirections.