What is OWASP?
The Open Web Application Security Project (OWASP) is a nonprofit organization dedicated to improving software security.
OWASP operates on a core principle that all of its material is freely available and accessible on its website. This open community approach means that any person or organization can use it to improve their web application security. The materials include documentation, events, forums, projects, tools, and videos, such as the OWASP Top 10, the OWASP Comprehensive, Lightweight Application Security Process (CLASP), and OWASP ZAP, an open-source web application scanner.
OWASP is important for organizations because its advice is held in high esteem by auditors, who treat a business that has not addressed the OWASP Top 10 as falling short of compliance standards. Organizations therefore need to build the OWASP guidance into their software development life cycle and use it to shape their policies and best practices.
What Is the OWASP Top 10 and How Does It Work?
The OWASP Top 10 is a report, or "awareness document," that outlines the most critical security risks to web applications. It is updated periodically so that it always reflects the 10 most critical risks facing organizations. OWASP recommends that all companies incorporate the document's findings into their development processes so that they minimize and mitigate the latest security risks.
The report is built on consensus among security experts around the world, using vulnerability data contributed by organizations and a survey of practitioners. It ranks risks by how frequently the defects occur, how easy they are to exploit, and how severe their technical and business impact is. This gives developers and security professionals insight into the most prominent risks and lets them reduce those risks in their organizations' security practices.
OWASP Top 10 Vulnerabilities
The 2017 OWASP Top 10 lists the following risks, in ranked order:
- Injection
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring
Injection
Injection flaws occur when untrusted data, supplied through a form field, URL parameter, header, or any other input, is sent to an interpreter as part of a command or query. The most common form is SQL injection (SQLi), in which an attacker supplies SQL syntax in an input that the application concatenates into a database query, so the database executes the attacker's statements instead of treating the input as plain data.
The most reliable defense is to keep data separate from commands by using parameterized queries (prepared statements) or a safe ORM API, so that user input is bound as a value and is never interpreted as part of the statement. Input validation, which rejects input that does not match the expected format, and escaping add defense in depth but are not substitutes for parameterization. The database account the application uses should also be granted only the privileges it needs, so that a successful injection exposes as little as possible.
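As an added illustration (not code from the original page), the following Python example builds a constructed in-memory SQLite table and contrasts a query that splices user input into the SQL text with the parameterized form OWASP recommends; the allow-list validator shows the secondary control. The table layout, the data and the `x' OR '1'='1` payload are assumptions made for the demonstration.

```python
import re
import sqlite3


# Constructed in-memory database so the example runs offline.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE: the input is spliced into the SQL text, so any quote or
    # SQL syntax in `username` becomes part of the statement the engine runs.
    query = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # SAFE: the statement and the value travel separately; the driver binds
    # `username` as data, so it can never change the query's structure.
    query = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Defense in depth: an allow-list check on the expected format. It is not a
# substitute for parameterization, but it rejects malformed input early.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def demo() -> tuple:
    """Return (rows leaked by the vulnerable query, rows from the safe query)."""
    conn = build_db()
    payload = "x' OR '1'='1"   # classic tautology injection (assumed attacker input)
    leaked = find_user_vulnerable(conn, payload)   # runs ... WHERE username = 'x' OR '1'='1'
    safe = find_user_safe(conn, payload)           # looks for the literal string, finds nothing
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())   # (2, 0)
```

The vulnerable function returns both rows because the tautology makes the WHERE clause always true; the safe function returns none because the driver bound the whole string as a literal. The same separation of code from data applies to OS command, LDAP and NoSQL injection: use the API that takes arguments rather than building a string.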
Broken Authentication
Authentication vulnerabilities let attackers take over user accounts, including administrator accounts that can be used to compromise and take full control of corporate systems.
Broken authentication is common on websites and typically stems from flaws in how the application implements login and session management. Weak session handling lets attackers hijack or fixate sessions, while the absence of rate limiting and lockout lets them use brute-force and credential-stuffing attacks to guess passwords or to confirm which usernames exist.
The OWASP Top 10 provides a list of broken authentication vulnerabilities, which include web applications that:
- Permit attacks like credential stuffing
- Permit weak or default passwords
- Employ ineffective user credential and lost password processes
- Are missing or use ineffective multi-factor authentication (MFA)
- Expose session IDs in the Uniform Resource Locator (URL), do not rotate session IDs after a successful login, or do not properly invalidate session IDs and authentication tokens at logout or after a period of inactivity
These weaknesses usually trace back to authentication and session code written without security expertise, a lack of security testing, and rushed software releases.
Broken authentication can be mitigated by deploying MFA, which gives greater assurance that a user is who they claim to be and blunts automated credential-stuffing and brute-force attacks. It can also be prevented by ensuring that developers follow established authentication and session-management practices and are given enough time to test code properly before applications go into production.
Other tactics include checking new and changed passwords against lists of known weak and breached passwords, requiring users to protect their accounts with strong, unique passwords, limiting or increasingly delaying failed login attempts and logging them, and using a secure, server-side session manager that issues high-entropy random session IDs.
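To make the session controls in the list above concrete, here is an added Python example (not from the original page or from OWASP) of a minimal server-side session store: unguessable IDs, rotation on login, idle expiry, and invalidation on logout, with the ID carried only in a cookie. The idle timeout value, the cookie attributes and the `SessionStore` API are assumptions for the demonstration.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy value; tune to the application's risk


class SessionStore:
    """Server-side session store: unguessable IDs, rotation on login,
    idle expiry and immediate invalidation on logout."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._sessions = {}      # session_id -> {"user": str | None, "last_seen": float}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; not guessable

    def create_anonymous(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        # Rotate on privilege change: the pre-login ID is destroyed, so an ID an attacker
        # planted (session fixation) or captured never turns into an authenticated one.
        self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def current_user(self, sid: str):
        """Return the user bound to `sid`, or None if the session is unknown or idle too long."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._clock() - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]   # idle timeout enforced server-side, not just in the cookie
            return None
        sess["last_seen"] = self._clock()
        return sess["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)   # invalidate now; a stolen cookie is worthless afterwards


def session_cookie_header(sid: str) -> str:
    # The ID travels only in a cookie, never in the URL, with attributes that keep it
    # off the wire in clear text, away from scripts, and out of cross-site requests.
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```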
Sensitive Data Exposure
Sensitive data exposure, or data leakage, is one of the most common consequences of a breach. Sensitive data such as credit card numbers, medical records, Social Security numbers, and user passwords can be exposed if a web application does not protect it adequately, whether in storage, in transit, or in logs and backups. Attackers who obtain this data use it in further attacks, such as credential stuffing, fraud and identity theft, or sell it to third parties.
Protecting sensitive data is increasingly important given the stringent rules and penalties of data protection and privacy regulations such as the European Union's General Data Protection Regulation (GDPR). To comply, organizations must classify the data they process, avoid storing sensitive data they do not need, and protect what remains both at rest and in transit between servers and web browsers.
Data in transit is protected with Transport Layer Security (TLS), the successor to the secure sockets layer (SSL) protocol: the server's certificate lets the browser authenticate it and establish an encrypted channel that also protects the integrity of data on its way between the browser and the server. Data at rest should be encrypted with current, well-reviewed algorithms and properly managed keys; stored passwords should be protected with a slow, salted password-hashing function such as Argon2, scrypt, bcrypt or PBKDF2 rather than a fast general-purpose hash; and weak or outdated algorithms, keys and protocols should be retired.
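An added example of the password-storage advice, using only Python's standard library (this is not code from the original page; the record format, the `pbkdf2_sha256` label and the iteration count are assumptions for the demonstration). PBKDF2 is used because it ships with Python; Argon2id or scrypt are better choices where a library is available.

```python
import base64
import hashlib
import hmac
import os

# Work factor. OWASP's Password Storage Cheat Sheet suggests 600,000 iterations for
# PBKDF2-HMAC-SHA256; treat this as an assumed starting value and benchmark it on
# the hardware that will actually verify logins.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)   # unique per password: identical passwords get different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False          # malformed record: fail closed, never "fail open"
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


def needs_rehash(stored: str, minimum_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record uses a weaker work factor than current policy. Check this
    after a successful login and replace the record with hash_password(password)
    so that old hashes are upgraded without forcing a password reset."""
    try:
        algorithm, iterations, _salt, _digest = stored.split("$")
        return algorithm != "pbkdf2_sha256" or int(iterations) < minimum_iterations
    except ValueError:
        return True
```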
XML External Entities (XXE)
XXE attacks target web applications that parse Extensible Markup Language (XML). An external entity is a declaration in the document's DTD that tells the parser to fetch content from a URI, such as a file on the server's disk or a URL on an internal network, and substitute it into the document. If a poorly configured parser resolves such entities, an attacker who can supply XML can read server files, make the server issue requests to internal systems (server-side request forgery), or cause a denial of service through entity expansion. Many XML parsers resolve external entities by default, so developers must explicitly disable DTD processing, or at least external entity resolution, rather than assume a safe default.
The OWASP Top 10 notes that XXE flaws can sit in the XML processor itself, in application code, in dependencies, and in integrations, including uploads in XML-based formats (such as SVG images and office documents) and SOAP services, so parser configuration has to be checked wherever XML is accepted.
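An added Python example (not from the original page) of removing the vulnerability manually when the parser in use has no "disable DTDs" switch: a scanning pass aborts on any DOCTYPE or entity declaration before the document reaches the real parser, which also stops internal-entity expansion attacks. The sample documents, the `parse_untrusted_xml` function and the `DTDForbidden` exception are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DTDForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTD processing forbidden.

    A first pass with a bare expat parser raises the moment a DOCTYPE or an
    <!ENTITY ...> declaration appears, before any entity could be resolved.
    Only a DTD-free document reaches ElementTree.
    """
    scanner = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE '{name}' is not allowed in untrusted input")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise DTDForbidden(f"entity declaration '{name}' is not allowed")

    scanner.StartDoctypeDeclHandler = on_doctype
    scanner.EntityDeclHandler = on_entity_decl
    scanner.Parse(data, True)
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
    except DTDForbidden:
        return True
    return False


# Constructed inputs for the demonstration.
BENIGN = b"<user><name>alice</name></user>"

# Classic XXE: an external entity pointing at a file on the server. A parser that
# resolves it would paste the file's contents into <name> and return them to the attacker.
XXE_FILE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE user [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
    b"<user><name>&xxe;</name></user>"
)

# Entity-expansion denial of service ("billion laughs", shortened here) uses only
# internal entities, so disabling external resolution alone would not stop it;
# forbidding the DTD outright does.
XXE_BOMB = (
    b'<?xml version="1.0"?>\n'
    b"<!DOCTYPE lolz [\n"
    b' <!ENTITY lol "lol">\n'
    b' <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
    b' <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">\n'
    b"]>\n"
    b"<lolz>&lol3;</lolz>"
)
```

Where the parser exposes a switch, use it instead: for example `resolve_entities=False` on lxml's `XMLParser`, or the `http://apache.org/xml/features/disallow-doctype-decl` feature on Java's `DocumentBuilderFactory`. The `defusedxml` package applies the same handler-based guard to Python's standard parsers.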
Broken Access Control
Access control enforces the policy that determines which data, pages, databases, network resources and functions an authenticated user may use. It is broken when that policy is not enforced consistently, typically because a check is missing on a particular URL, API endpoint or object identifier, so that users can reach resources beyond what they need. Attackers exploit this to bypass restrictions, view or modify other users' records, and reach administrative functions and privileged accounts.
The risk of broken access control is reduced by enforcing least privilege and denying access by default, implementing authorization checks once in server-side code and reusing them everywhere (client-side checks can be bypassed), verifying ownership of a record on every request rather than trusting an identifier supplied by the client, regularly auditing servers and websites, applying MFA, and removing inactive users and unnecessary services from servers. Session and authorization tokens issued at login must be invalidated on the server at logout. OWASP also recommends logging access-control failures and alerting administrators when they repeat, and rate limiting API access to limit the damage from automated attacks.
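An added Python example (not the page's own code) of the difference between a missing and an enforced object-level check, the most common broken access control pattern: a record lookup that trusts the identifier the client sent, beside one that verifies ownership or role and logs denials. The `Invoice` records, the role table and the audit-log list are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount_cents: int


# Constructed data: two users' invoices and a role table.
INVOICES = {
    101: Invoice(101, "alice", 5_000),
    102: Invoice(102, "bob", 7_500),
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

AUDIT_LOG: list = []   # stands in for the application's audit-log sink


class AccessDenied(PermissionError):
    pass


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    # VULNERABLE: authentication happened upstream, but nothing checks that
    # `current_user` may read *this* record. Any logged-in user can iterate IDs
    # and read everyone's invoices (an insecure direct object reference).
    return INVOICES[invoice_id]


def get_invoice(current_user: str, invoice_id: int) -> Invoice:
    # Deny by default: access is granted only on an explicit rule (owner or admin),
    # and every refusal is logged so enumeration attempts show up in monitoring.
    invoice = INVOICES.get(invoice_id)
    allowed = invoice is not None and (
        invoice.owner == current_user or ROLES.get(current_user) == "admin"
    )
    if not allowed:
        AUDIT_LOG.append(f"access denied user={current_user} invoice={invoice_id}")
        # Same response for "missing" and "not yours": do not reveal which IDs exist.
        raise AccessDenied("invoice not found")
    return invoice


def can_read(current_user: str, invoice_id: int) -> bool:
    try:
        get_invoice(current_user, invoice_id)
        return True
    except AccessDenied:
        return False


def denied_count(user: str) -> int:
    """Denials logged for a user; a spike is the signal to alert on or rate limit."""
    return sum(1 for line in AUDIT_LOG if f"user={user} " in line)
```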
Security Misconfiguration
Security misconfiguration is the most commonly seen issue among the OWASP Top 10. It most often results from running a website or content management system (CMS) with its default configuration, which can expose debugging output, sample applications, default accounts and other footholds. Common misconfigurations also include unpatched software, unused web pages, unprotected directories and files, default sharing permissions on cloud storage services, and unused or unnecessary services.
Security misconfiguration can occur anywhere in the application stack: application and web servers, databases, network services, custom code, frameworks, preinstalled virtual machines, and containers.
It can be prevented by changing default administrator and CMS settings, removing unused features and code, and controlling the visibility of user comments and user information. Developers should also remove unnecessary documentation, features, frameworks and sample applications, segment the application architecture so that components are isolated from one another, and use a repeatable, automated hardening process that verifies configurations and settings so that every environment (development, test and production) is locked down in the same way.
Cross-site Scripting (XSS)
Cross-site scripting occurs when an application includes untrusted data in a web page without proper validation or escaping, or updates the page through browser APIs with attacker-controlled data, so that the attacker's script runs in a victim's browser, where it can steal sessions, deface pages, or redirect users to malicious sites. Organizations can use a web application firewall (WAF) to block known XSS payloads, but the root fix belongs in the application: separate untrusted data from active browser content by using frameworks that escape output by design, contextually escape untrusted data for the HTML, attribute, JavaScript, CSS or URL context it lands in, validate input, avoid placing untrusted Hypertext Transfer Protocol (HTTP) request data directly into the page where possible, and deploy a Content Security Policy (CSP) as defense in depth.
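An added Python example (not from the original page) of output encoding for two HTML contexts, with the Content Security Policy header as a second layer; the `active_content` helper parses the result the way a browser would, to show what each version hands to it. The comment template, the policy string and the helper names are assumptions for the demonstration.

```python
import html
from html.parser import HTMLParser


def render_comment_vulnerable(author: str, body: str) -> str:
    # VULNERABLE: untrusted strings are dropped straight into the page, so an
    # attacker-controlled body or author can inject markup and script.
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment(author: str, body: str) -> str:
    # Contextual output encoding: html.escape handles the HTML text context, and
    # quote=True additionally encodes " and ' for the quoted-attribute context, so
    # the attribute value cannot be closed early to smuggle in an event handler.
    return (
        f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
        f"<p>{html.escape(body)}</p></div>"
    )


# Defense in depth: a policy that forbids inline script, so markup that slips
# through cannot execute. The policy values are an assumed baseline.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
)


class _ActiveContentFinder(HTMLParser):
    """Records script tags and inline event-handler attributes as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
        if tag == "script":
            self.findings.append("script tag")


def active_content(markup: str) -> list:
    finder = _ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings
```

`html.escape` is correct only for the HTML body and quoted-attribute contexts. Untrusted data that lands inside a script block, a URL or a CSS value needs the encoder for that context, and a templating engine with auto-escaping on by default is the safer baseline.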
Insecure Deserialization
In software terms, serialization converts objects or data structures into a sequence of bytes for storage or transmission, and deserialization turns those bytes back into objects. Insecure deserialization occurs when an application deserializes data that an attacker can tamper with, so that the attacker controls the objects that are reconstructed.
OWASP's example for this risk is a "super cookie" that carries a serialized object describing the user, including their role. If the application deserializes the cookie without verifying its integrity, an attacker can edit the serialized data to grant themselves an admin role, re-serialize it and present it back. With deserialization libraries that instantiate arbitrary classes, the same flaw can lead to remote code execution and compromise of the entire application.
The only safe architectural pattern is not to accept serialized objects from untrusted sources at all. Where that is impossible, OWASP recommends integrity checks such as a digital signature or message authentication code on serialized objects so that tampering is detected before deserialization, enforcing strict type constraints during deserialization, isolating deserialization code in low-privilege environments, logging every deserialization exception and failure, restricting and monitoring network connectivity from containers and servers that deserialize, and alerting on unusual deserialization activity.
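As an added example (not code from the original page), the following Python code implements the integrity check described above for a user cookie: claims are serialized with JSON, a data-only format, and authenticated with an HMAC that is verified before anything is decoded. The key, the claim names and the cookie layout are assumptions for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# In production this comes from a secret store; generated here so the example runs offline.
SECRET_KEY = secrets.token_bytes(32)


class TamperedCookie(ValueError):
    pass


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> str:
    # JSON, not pickle: decoding it cannot instantiate arbitrary classes or run code.
    return _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def issue_cookie(claims: dict, key: bytes = SECRET_KEY) -> str:
    payload = _encode_claims(claims)
    tag = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    return f"{payload}.{_b64e(tag)}"


def read_cookie(cookie: str, key: bytes = SECRET_KEY) -> dict:
    """Verify the MAC first; only then deserialize. Unauthenticated bytes never reach json.loads."""
    try:
        payload, tag_b64 = cookie.split(".", 1)
        tag = _b64d(tag_b64)
    except (ValueError, binascii.Error):
        raise TamperedCookie("malformed cookie")
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise TamperedCookie("signature mismatch")
    return json.loads(_b64d(payload))


def forge_role(cookie: str, role: str = "admin") -> str:
    """What an attacker can do: rewrite the serialized claims. What they cannot do:
    recompute the MAC without the key, so the edited cookie fails verification."""
    payload, tag_b64 = cookie.split(".", 1)
    claims = json.loads(_b64d(payload))
    claims["role"] = role
    return f"{_encode_claims(claims)}.{tag_b64}"


def is_rejected(cookie: str, key: bytes = SECRET_KEY) -> bool:
    try:
        read_cookie(cookie, key)
    except TamperedCookie:
        return True
    return False
```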
Using Components with Known Vulnerabilities
Software components like frameworks and libraries are often used in web applications to provide specific functionalities, such as sharing icons and A/B testing. However, these components can often result in vulnerabilities that, unknown to the developers, provide a security hole for an attacker to launch a cyberattack.
This is often caused by developers not keeping applications up to date, legacy code that breaks on newer versions, and webmasters who either fear that updates will break their websites or lack the expertise to apply them. Attackers, meanwhile, actively hunt for flaws in widely used components, and a published vulnerability in a component that has not been patched is far easier to exploit than a zero-day, because the exploit is often public as well.
Organizations can avoid this through virtual patching, which protects outdated websites from having their vulnerabilities exploited by using firewalls, intrusion detection systems (IDS), and a WAF. Vulnerabilities can also be prevented by retaining an inventory of components and removing any unused or unmaintained components, only using components from trusted sources, and ensuring all components are patched and up to date at all times.
Insufficient Logging and Monitoring
Many web applications do not do enough to detect breaches, so attackers not only gain unauthorized access but also remain undetected for months or even years. Organizations need to log security-relevant events, including logins, failed logins, access-control failures and server-side input validation failures, with enough context to identify suspicious accounts, and monitor those logs for anomalous or malicious behavior so that an attack is detected and stopped before the site is fully compromised.
Businesses should also keep audit trails for high-value transactions, with integrity controls so that records cannot be altered or deleted, and establish monitoring and alerting so that suspicious changes, anomalous activity, unauthorized access and account compromises are noticed and responded to in a timely manner.
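An added Python example (not from the original page) of the kind of monitoring the section describes, run over a constructed authentication log: it flags one source failing against many accounts, one account failing many times, and a success that follows a run of failures from the same source. The log format, the field names and the alert threshold are assumptions for the demonstration.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_(?:OK|FAIL)) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed log excerpt using documentation IP ranges. Three stories are mixed in:
# 203.0.113.5 tries one password against many accounts (credential stuffing) and
# finally gets into erin's; 198.51.100.7 hammers bob's account (brute force);
# 192.0.2.10 is an ordinary successful login. The last line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:02Z LOGIN_FAIL user=bob ip=203.0.113.5
2024-05-01T10:00:02Z LOGIN_OK user=alice ip=192.0.2.10
2024-05-01T10:00:03Z LOGIN_FAIL user=carol ip=203.0.113.5
2024-05-01T10:00:04Z LOGIN_FAIL user=dave ip=203.0.113.5
2024-05-01T10:00:05Z LOGIN_FAIL user=erin ip=203.0.113.5
2024-05-01T10:00:06Z LOGIN_OK user=erin ip=203.0.113.5
2024-05-01T10:01:00Z LOGIN_FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:01Z LOGIN_FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:02Z LOGIN_FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:03Z LOGIN_FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:04Z LOGIN_FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:05Z LOGIN_FAIL user=bob ip=198.51.100.7
this line is not in the expected format and is skipped
"""


def parse_events(text: str):
    """Yield one dict per well-formed line; anything else is skipped, not trusted."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def detect(text: str, threshold: int = 5) -> set:
    """Return a set of (alert_type, subject) tuples. Processing events in order
    lets a success be judged against the failures that preceded it."""
    fails_per_ip = defaultdict(int)
    users_per_ip = defaultdict(set)
    fails_per_user = defaultdict(int)
    alerts = set()
    for event in parse_events(text):
        ip, user = event["ip"], event["user"]
        if event["event"] == "LOGIN_FAIL":
            fails_per_ip[ip] += 1
            users_per_ip[ip].add(user)
            fails_per_user[user] += 1
            # Many failures from one source across many accounts: credential stuffing.
            if fails_per_ip[ip] >= threshold and len(users_per_ip[ip]) >= threshold:
                alerts.add(("credential_stuffing", ip))
            # Many failures against one account from anywhere: brute force.
            if fails_per_user[user] >= threshold:
                alerts.add(("brute_force", user))
        elif fails_per_ip[ip] >= threshold:
            # A success from a source that has already failed many times is what
            # separates "noisy attacker" from "account probably compromised".
            alerts.add(("possible_compromise", f"{user}@{ip}"))
    return alerts
```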
How Fortinet Can Help
The Fortinet FortiWeb WAF solution safeguards business-critical web applications from both known and unknown vulnerabilities. It evolves in line with organizations’ attack surfaces, which enables them to protect applications when they are updated, deploy new features, and expose new web APIs. FortiWeb uses an advanced multi-layered approach specifically designed to protect against the OWASP Top 10 and beyond. It uses machine learning to identify and block anomalous behavior and malicious activity.
Additionally, Fortinet next-generation firewalls (NGFWs) protect businesses from internal and external threats by filtering network traffic. They combine core firewall features, such as packet filtering, Internet Protocol security (IPsec), and SSL virtual private network (VPN) support, with deeper content inspection. This lets organizations identify and block malware and advanced attack vectors and helps future-proof them against the evolving threat landscape.