
What is OWASP, and why is it important?


The Open Web Application Security Project, or OWASP, is a non-profit international organization focused on web application security. One of OWASP's core principles is that all of its materials are freely and publicly available on its website, so that anyone can improve their own web application security. The materials include documentation, tools, videos, and forums. OWASP's best-known project is probably the OWASP Top 10.

 

What are the OWASP Top Ten?

The OWASP Top 10 is a regularly updated report that outlines web application security risks, focusing on the ten most critical ones. The report is compiled by a team of security experts from around the world. OWASP refers to the Top 10 as an "awareness document" and recommends that all businesses incorporate the report into their processes in order to prevent and/or mitigate security risks.

 

The following security threats were identified in the OWASP Top 10 2017 report:

 

1. Injection

Injection attacks occur when untrusted data is sent to a code interpreter through a form input or another data submission path into a web application. For example, an attacker may enter SQL database code into a form that expects a plaintext username. If that form input is not properly secured, the SQL code will be executed. This is known as a SQL injection attack.

 

Injection attacks can be prevented by validating and/or sanitizing user-submitted data. (Validation means rejecting suspicious-looking data, whereas sanitization means cleaning up the suspicious-looking parts of the data.) In addition, a database administrator can set controls to limit the amount of information an injection attack can expose.
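The username lookup described above, as an added Python example (not code from the article or from OWASP). It uses a constructed in-memory SQLite table; the vulnerable function pastes the input into the SQL text, the fixed function binds it as a parameter, and a third function adds validation on top so that a suspicious-looking username is rejected before it reaches the database:

```python
import re
import sqlite3

# Constructed sample data for the example; not taken from any real system.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("admin", "admin")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # The user-supplied string becomes part of the SQL statement itself, so the
    # interpreter cannot distinguish data from code. Shown only as the "before".
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Placeholder binding: the driver passes the value separately from the
    # statement text, so whatever the user typed is always treated as data.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Validation: usernames must match an allow-list pattern (assumed policy).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def lookup_validated(conn, username):
    # Rejecting suspicious input is defence in depth on top of parameterization.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match the allowed pattern")
    return lookup_parameterized(conn, username)
```

The database-side control the paragraph mentions is separate from this code: the application's database account should only have the rights the query needs (here, SELECT on one table), so that even a successful injection exposes as little as possible.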

 

2. Broken Authentication

Vulnerabilities in authentication (login) systems can give attackers access to user accounts and even the ability to compromise an entire system through an admin account. For example, an attacker can use a script to try thousands of known username/password combinations obtained from a data breach.

 

Some strategies for mitigating authentication vulnerabilities are requiring two-factor authentication (2FA) and limiting or delaying repeated login attempts using rate limiting.

 

3. Sensitive Data Exposure

If web applications do not protect sensitive data such as financial information and passwords, attackers can gain access to that data. An on-path (man-in-the-middle) attack is a common way of stealing sensitive information.

 

Data exposure risk can be reduced by encrypting all sensitive data and disabling the caching* of any sensitive information. In addition, web application developers should take care not to store sensitive data unnecessarily.

 

*Caching is the practice of temporarily storing data for reuse. Web browsers, for example, frequently cache web pages so that if a user revisits those pages within a certain period, the browser does not have to fetch them from the web again.
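The two mitigations from sections 2 and 3, rate-limited logins and passwords that are never stored in plaintext, as one added Python example (not code from the article or from OWASP). The credential store is constructed for the example; the rate limiter is keyed by username here, but the same class can be keyed by client IP. The `no_store_headers` helper shows the response headers that tell browsers and proxies not to cache a page containing sensitive data:

```python
import hashlib
import hmac
import os
import time
from collections import deque

# Salt used only to give unknown usernames the same hashing cost as real ones.
DUMMY_SALT = b"\x00" * 16

def hash_password(password, salt=None):
    """Return (salt, digest). PBKDF2-HMAC-SHA256 is in the standard library;
    scrypt or Argon2 are stronger choices where available."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest

def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, expected)

class LoginRateLimiter:
    """Allow at most `limit` attempts per key within a sliding `window` (seconds)."""
    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock            # injectable so tests can freeze time
        self.attempts = {}            # key -> deque of attempt timestamps

    def allow(self, key):
        now = self.clock()
        q = self.attempts.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()               # drop attempts that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def login(store, limiter, username, password):
    """Return 'ok', 'denied' or 'rate_limited'. The same 'denied' is returned
    for a bad password and an unknown user so nothing about accounts leaks."""
    if not limiter.allow(username):
        return "rate_limited"
    record = store.get(username)
    if record is None:
        hash_password(password, DUMMY_SALT)   # keep timing similar for unknown users
        return "denied"
    salt, digest = record
    return "ok" if verify_password(password, salt, digest) else "denied"

def no_store_headers():
    """Response headers that stop browsers and proxies from caching sensitive pages."""
    return {"Cache-Control": "no-store, max-age=0", "Pragma": "no-cache"}
```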

 

4. XML External Entities (XXE)

This is an attack against web applications that parse XML* input. The input may reference an external entity in an attempt to exploit a vulnerability in the parser. An 'external entity' in this context is a storage unit, such as a hard drive. An XML parser can be tricked into sending data to an unauthorized external entity, which can pass sensitive data directly to an attacker.

 

The best ways to prevent XXE attacks are to have web applications accept a less complex type of data, such as JSON**, or, at the very least, to configure XML parsers so that the use of external entities in an XML application is disabled.

 

*XML (Extensible Markup Language) is a markup language designed to be both human- and machine-readable. Because of its complexity and security vulnerabilities, its use in many web applications is being phased out.

 

**JSON (JavaScript Object Notation) is a simple, human-readable notation that is often used to transmit data over the internet. Although it was originally designed for JavaScript, JSON is language-agnostic and can be interpreted by many different programming languages.
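Both mitigations from the XXE section, a parser that refuses DTDs and entities and a JSON alternative, as an added Python example (not code from the article or from OWASP). It uses only the standard library: the expat parser's declaration handlers are used to abort parsing as soon as a `DOCTYPE` or entity declaration appears, before `ElementTree` ever sees the document. The sample documents are constructed; the widely used `defusedxml` package applies the same idea more thoroughly.

```python
import json
import xml.etree.ElementTree as ET
import xml.parsers.expat

class UntrustedXMLError(ValueError):
    """Raised when an XML document uses features an untrusted source may not use."""

def reject_dtd(data):
    """Abort if the document declares a DTD or any entity (the XXE vector)."""
    parser = xml.parsers.expat.ParserCreate()

    def forbid(*_args):
        raise UntrustedXMLError("DOCTYPE and entity declarations are not allowed")

    # expat calls these as soon as it reaches the declaration, so the rest of
    # the document (and any entity expansion) is never processed.
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.Parse(data, True)

def parse_untrusted_xml(data):
    """Parse XML from an untrusted source with entity handling disabled."""
    reject_dtd(data)
    return ET.fromstring(data)

def parse_untrusted_json(data):
    """The simpler alternative: JSON has no entities or external references."""
    obj = json.loads(data)
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object at the top level")
    return obj

# Constructed sample inputs (assumed message format for the example).
BENIGN_XML = '<order><item sku="A1">2</item></order>'
XML_WITH_ENTITY = '<!DOCTYPE order [<!ENTITY greet "hello">]><order>&greet;</order>'
BENIGN_JSON = '{"order": {"sku": "A1", "qty": 2}}'
```

The rejected sample only declares a harmless internal entity; the check is deliberately coarse, because a parser that accepts no DTD at all cannot be made to resolve an external one.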

 

5. Broken Access Control

Access control refers to a system that controls access to information or functionality. Broken access controls allow attackers to bypass authorization and perform tasks as though they were privileged users such as administrators. For example, a web application could let a user change which account they are logged in as simply by changing part of a URL, without any other verification.

 

Access controls can be secured by ensuring that a web application uses authorization tokens* and sets tight controls on them.

 

*Many services issue authorization tokens when users log in. Every privileged request a user makes must then carry the authorization token. This is a secure way to ensure that the user is who they say they are, without requiring them to enter their login credentials each time.
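The URL example from the access control section, as an added Python example (not code from the article or from OWASP). The accounts, roles and session store are constructed for the example. The vulnerable function trusts the account id taken from the URL; the fixed function first resolves the caller from a session token and then checks that the caller owns the record or holds the admin role:

```python
import secrets

# Constructed sample data for the example.
ACCOUNTS = {
    101: {"owner": "alice", "balance": 250},
    102: {"owner": "bob", "balance": 90},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

class Sessions:
    """Maps unguessable session tokens to the user they were issued to."""
    def __init__(self):
        self._by_token = {}

    def issue(self, username):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._by_token[token] = username
        return token

    def user_for(self, token):
        return self._by_token.get(token)

def get_account_vulnerable(account_id):
    # The id comes straight from the URL and nobody checks who is asking.
    return ACCOUNTS[account_id]

def get_account(sessions, token, account_id):
    """Object-level authorization: the caller must own the record or be admin."""
    user = sessions.user_for(token)
    if user is None:
        raise PermissionError("not authenticated")
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise KeyError(account_id)
    if account["owner"] != user and ROLES.get(user) != "admin":
        raise PermissionError(f"{user} may not access account {account_id}")
    return account
```

Note that the check is made on the server against the record's owner, not against anything the client sends: the token identifies the caller, and the authorization decision follows from that identity alone.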

 

6. Security Misconfiguration

Security misconfiguration is the most common vulnerability on the list and is often the result of using default configurations or displaying excessively verbose errors. For instance, an application could show a user overly descriptive error messages that reveal vulnerabilities in the application. This can be mitigated by removing any unused features in the code and making the error messages shown to users more generic.

 

7. Cross-Site Scripting (XSS)

Cross-site scripting vulnerabilities occur when web applications allow users to add custom code into a URL path or onto a website that will be seen by other users. This vulnerability can be exploited to run malicious JavaScript code in a victim's browser. For example, an attacker could send a victim an email that appears to be from a trusted bank, with a link to that bank's website. The link could have some malicious JavaScript code tagged onto the end of the URL. If the bank's site is not properly protected against cross-site scripting, the malicious code will run in the victim's web browser when they click the link.

 

Mitigation strategies for cross-site scripting include escaping untrusted data from HTTP requests before it is rendered, as well as validating and/or sanitizing user-generated content. Using modern web development frameworks such as ReactJS and Ruby on Rails also provides some built-in cross-site scripting protection.
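The escaping mitigation, as an added Python example (not code from the article or from OWASP). It contrasts a template that interpolates a request parameter directly with one that escapes it for the HTML text context, and shows the two extra steps a link attribute needs: an allow-listed URL scheme and escaping inside the quoted attribute value. The page names and inputs are constructed:

```python
import html
from urllib.parse import urlsplit

def render_greeting_vulnerable(name):
    # Untrusted input dropped straight into HTML: any tags it contains are
    # interpreted by the browser. Shown only as the "before".
    return f"<p>Hello, {name}!</p>"

def render_greeting(name):
    # HTML text context: <, >, & and quotes become entities, so the input is
    # displayed as text instead of being parsed as markup.
    return f"<p>Hello, {html.escape(name)}!</p>"

def render_link(label, url):
    """Attribute context: allow only http(s) targets, then escape the value."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("only http(s) links are allowed")
    # quote=True also escapes " and ' so the value cannot end the attribute early.
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'
```

Escaping is context-specific: the entity encoding that is right for HTML text is not sufficient on its own for a URL, a JavaScript string or a CSS value, which is why frameworks such as React apply the appropriate escaping automatically for each context.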

 

8. Insecure Deserialization

This threat targets the many web applications that frequently serialize and deserialize data. Serialization means taking objects from the application code and converting them into a format that can be stored on disk or streamed. Deserialization is the reverse: it converts serialized data back into objects the application can use. Serialization is like packing furniture into boxes before a move, and deserialization is like unpacking the boxes and assembling the furniture after the move. An insecure deserialization attack is like having the movers tamper with the contents of the boxes before they are unpacked.

 

An insecure deserialization exploit is the result of deserializing data from untrusted sources, and it can have serious consequences such as DDoS attacks and remote code execution. While steps such as monitoring deserialization and implementing type checks can be taken to try to catch attackers, the only sure way to protect against insecure deserialization attacks is to prohibit the deserialization of data from untrusted sources.
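The type-checking step from this section, as an added Python example (not code from the article or from OWASP). Where data must be accepted from an untrusted source, the defensive pattern is a data-only format such as JSON, which can produce only dicts, lists, strings and numbers, combined with a strict check of the message's shape before application code touches it; Python's native `pickle` format is avoided entirely for such input because it can reconstruct arbitrary objects. The order schema and messages are constructed for the example:

```python
import json

# Constructed message schema: field name -> exact expected type.
ORDER_SCHEMA = {"order_id": int, "customer": str, "items": list}

class DeserializationError(ValueError):
    """Raised for any untrusted payload that does not match the schema."""

def load_order(raw, max_bytes=64 * 1024):
    """Deserialize an order from untrusted bytes and verify its shape."""
    if len(raw) > max_bytes:
        raise DeserializationError("payload too large")      # cheap DoS guard
    try:
        obj = json.loads(raw)
    except ValueError as exc:
        raise DeserializationError(f"not valid JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise DeserializationError("top-level value must be an object")
    unknown = set(obj) - set(ORDER_SCHEMA)
    if unknown:
        raise DeserializationError(f"unexpected fields: {sorted(unknown)}")
    for field, expected in ORDER_SCHEMA.items():
        if field not in obj:
            raise DeserializationError(f"missing field {field}")
        # Exact type check: JSON true/false must not pass as an int.
        if type(obj[field]) is not expected:
            raise DeserializationError(f"field {field} must be {expected.__name__}")
    for item in obj["items"]:
        if not (isinstance(item, dict)
                and isinstance(item.get("sku"), str)
                and type(item.get("qty")) is int
                and item["qty"] > 0):
            raise DeserializationError("malformed item")
    return obj
```

Logging each `DeserializationError` with the source of the message is the "monitoring deserialization" step the paragraph describes; repeated rejections from one client are a useful signal.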

 

9. Using Components with Known Vulnerabilities

Many modern web developers use components such as libraries and frameworks in their web applications. These components are pieces of software that help developers avoid redundant work and provide needed functionality; common examples include front-end frameworks like React and smaller libraries used to add share icons or A/B testing. Some attackers look for vulnerabilities in these components, which they can then use to orchestrate attacks. Some of the more popular components are used on hundreds of thousands of websites, so a security flaw in one of them could leave hundreds of thousands of sites exposed.

 

Component developers often release security patches and updates to fix known vulnerabilities, but web application developers do not always have the latest or patched versions of components running on their applications. To reduce the risk of running components with known vulnerabilities, developers should remove unused components from their projects and make sure the components they do use come from a trusted source and are kept up to date.

 

10. Insufficient Logging and Monitoring

Many web applications do not take enough steps to detect data breaches. A breach is typically discovered approximately 200 days after it has happened. This gives attackers a lot of time to cause damage before there is any response. OWASP recommends that web developers implement logging and monitoring, as well as incident response plans, to ensure that they are made aware of attacks on their applications.
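Detection logic of the kind this section calls for, as an added Python example (not code from the article or from OWASP). It parses authentication events from a constructed log in an assumed `timestamp EVENT user=... ip=...` format (addresses are from the RFC 5737 documentation ranges) and raises an alert when one client address accumulates too many failed logins inside a sliding window, which is the pattern of the credential-stuffing attempt described under Broken Authentication:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format for the example).
SAMPLE_LOG = """\
2023-09-01T10:00:01Z LOGIN_FAIL user=alice ip=203.0.113.5
2023-09-01T10:00:04Z LOGIN_FAIL user=bob ip=203.0.113.5
2023-09-01T10:00:05Z LOGIN_OK user=frank ip=198.51.100.7
2023-09-01T10:00:07Z LOGIN_FAIL user=carol ip=203.0.113.5
2023-09-01T10:00:09Z LOGIN_FAIL user=dave ip=203.0.113.5
2023-09-01T10:00:12Z LOGIN_FAIL user=frank ip=198.51.100.7
2023-09-01T10:00:15Z LOGIN_FAIL user=alice ip=203.0.113.5
2023-09-01T10:00:20Z LOGIN_FAIL user=erin ip=203.0.113.5
2023-09-01T10:00:25Z LOGIN_FAIL user=frank ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "event": m["event"], "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert on any source IP with >= threshold failed logins within `window`.
    Lines are assumed to be in time order, as they are when read from a log."""
    recent = defaultdict(deque)       # ip -> deque of (timestamp, username)
    alerts = {}                       # ip -> latest alert details
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "LOGIN_FAIL":
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()               # forget failures outside the window
        if len(q) >= threshold:
            alerts[ev["ip"]] = {
                "ip": ev["ip"],
                "failures": len(q),
                "distinct_users": len({user for _, user in q}),
                "first": q[0][0],
                "last": ev["ts"],
            }
    return list(alerts.values())
```

The `distinct_users` count is what separates a user who mistyped a password from a client cycling through a leaked credential list; a high count against one address is the signal an incident response plan should route to a person.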

 
