OWASP Top 10 Vulnerabilities And Preventions 2020

OWASP Top 10. OWASP, which stands for Open Web Application Security Project, is an organization that provides information about the security of computer and internet applications that is unbiased, practically tested and cost-efficient for users.

It is an online community that produces free articles, documents, tools, and technologies in the field of web security. Its material is open source and has become an integral part of software development. Here are the OWASP Top 10 vulnerabilities.

OWASP Top 10 Vulnerabilities are:

  1. Injection Vulnerability
  2. Broken Authentication
  3. Sensitive data exposure
  4. Broken Access Control
  5. XML external entities
  6. Security Misconfiguration
  7. Cross-site Scripting (XSS attack)
  8. Insecure Deserialization
  9. Using Components with known vulnerabilities
  10. Insufficient logging and monitoring

1. Injection Vulnerability

The most common and well-known injection is SQL injection. An SQL injection attack happens when the attacker injects a bit of code into an application's input and uses it to perform unintended actions in that application.

Any source of data can be an injection vector: variables, parameters and input from every kind of user. Injection occurs when an attacker can send hostile data to an interpreter. Such flaws are easy to discover by examining the code, and scanners and fuzzers can help attackers find them. It was also one of the most critical vulnerabilities in the OWASP Top 10 for 2019.

Example – An application uses untrusted data in the construction of an SQL query. Taking advantage of this, the attacker modifies a parameter value in the browser before it is sent. This changes the meaning of the query so that it returns all records from the accounts table.

Injection attack prevention

  1. It is preferable to use a safer API which avoids the use of the interpreter entirely.
  2. Use positive (allow-list) server-side input validation.
  3. Use the specific escape syntax for the interpreter where dynamic queries cannot be avoided.
  4. Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
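The article's example (a modified parameter that makes the query return every account) and prevention items 1 and 4, shown side by side as an added example. This code is not from the article; it uses an in-memory SQLite table named `accounts` with constructed rows, and the parameter value `x' OR '1'='1` is a constructed illustration of a modified browser parameter.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the article's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Untrusted data pasted into the query text.

    The interpreter cannot tell data from code, so a crafted parameter
    changes the meaning of the WHERE clause and every row comes back.
    """
    sql = f"SELECT id, owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Parameterised query (prevention item 1) plus LIMIT (prevention item 4).

    The driver passes the value separately from the statement, so it is only
    ever compared as a string; LIMIT caps the damage of any remaining flaw.
    """
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = ? LIMIT 1"
    return conn.execute(sql, (owner,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed value standing in for the modified parameter
    print(lookup_vulnerable(db, crafted))  # all three rows: the query's meaning changed
    print(lookup_safe(db, crafted))        # no row has this literal owner name
    print(lookup_safe(db, "bob"))          # the intended single record
```

The safe version never builds SQL text from input, which is why the same string that dumps the table in `lookup_vulnerable` simply matches nothing in `lookup_safe`.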


2. Broken Authentication

Attackers have access to many valid usernames and passwords. They also abuse session management and try to access data through unexpired session tokens. Attackers can detect broken authentication by manual means and then try to exploit it with the tools they have, performing attacks such as dictionary attacks.

Having gained access to an account, they can read its data, commit fraud and disclose private information.

Example – A user utilizes a public computer to access a site, forgets to log out, closes the window directly and walks away. The attacker then uses the same browser, which is still authenticated.

Broken Authentication prevention

  1. User credentials should be protected.
  2. Do not expose the session ID in the URL.
  3. There should be a timeout for session IDs.
  4. Passwords should not be sent over unencrypted connections.
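Prevention items 2 to 4 as an added example of server-side session handling; this is illustrative code, not from the article or any framework. It assumes a 15-minute idle timeout (a constructed value), a server-side session table, and that the token travels only in a cookie with the `Secure` and `HttpOnly` attributes. The public-computer scenario from the article's example is covered by `logout`, which invalidates the token regardless of what the browser still holds.

```python
import secrets
from dataclasses import dataclass, field

SESSION_LIFETIME = 15 * 60  # assumption: 15-minute idle timeout (prevention item 3)


@dataclass
class Session:
    user: str
    expires_at: float


@dataclass
class SessionStore:
    """Server-side session table; the browser only ever holds the opaque token."""
    sessions: dict = field(default_factory=dict)

    def create(self, user: str, now: float) -> str:
        # Token from a CSPRNG: long enough that it cannot be guessed or enumerated.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now + SESSION_LIFETIME)
        return token

    def resolve(self, token: str, now: float):
        """Return the user for a live token, or None if unknown or expired."""
        session = self.sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            del self.sessions[token]  # expired: forget it, forcing a fresh login
            return None
        session.expires_at = now + SESSION_LIFETIME  # sliding idle timeout
        return session.user

    def logout(self, token: str) -> None:
        """Invalidate server-side, so a forgotten browser tab no longer helps anyone."""
        self.sessions.pop(token, None)


def session_cookie_header(token: str) -> str:
    """The cookie is the carrier, never the URL (item 2).

    Secure keeps it off unencrypted connections (item 4); HttpOnly keeps it
    away from page scripts; SameSite=Lax limits cross-site sending.
    """
    return (f"Set-Cookie: session={token}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={SESSION_LIFETIME}")


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice", now=0.0)
    print(session_cookie_header(token))
    print(store.resolve(token, now=60.0))                      # alice
    print(store.resolve(token, now=60.0 + SESSION_LIFETIME))   # None: idle too long
```

The `now` parameter is passed in explicitly so the expiry logic can be exercised deterministically; a real application would read the clock.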

3. Sensitive data exposure

It occurs when an application or any other entity exposes personal data. Sensitive data exposure differs from a data breach, in which an attacker accesses and steals information.

When databases are not protected adequately, sensitive data exposure can occur. Different types of data can be exposed, such as bank account details, session IDs, card details and user account information.

Example – An application encrypts card numbers in a database using automatic database encryption, and the data is decrypted automatically when retrieved. This allows an SQL injection flaw to retrieve the card numbers in clear text.

Sensitive data exposure prevention

  1. Use unique and strong passwords.
  2. Keep track of your bank accounts and card transactions.
  3. Use secure URLs.
  4. Take action as soon as possible if anything suspicious is detected.

4. Broken Access Control

Broken access control is a failure in the access control applied to a user. Access control is the policy that users cannot use access beyond what they have been granted permission for. Failure in this can lead to loss of information.

This happens due to weaknesses introduced by the application developers. By manual testing, we can detect ineffective access control.

Example – Admin rights are required to access the admin page. If an unauthorized user can access this page, that is a flaw.

Broken Access Control prevention

  1. Deny by default.
  2. Implement access control mechanisms.
  3. Enforce ownership in access control.
  4. Log access control failures.
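The four prevention items above, and the article's admin-page example, as one added example: a deny-by-default decorator that checks a required role, enforces record ownership, and logs every refusal. This is illustrative code, not from the article; the `Request` class, the role names `admin` and the view functions are constructed assumptions standing in for a real web framework's objects.

```python
import logging
from functools import wraps

log = logging.getLogger("access")


class AccessDenied(PermissionError):
    pass


class Request:
    """Constructed stand-in for a framework request (assumption)."""

    def __init__(self, user, roles=()):
        self.user = user            # None for an anonymous caller
        self.roles = frozenset(roles)


def require(role=None, owner_of=None):
    """Deny by default: the view runs only when every declared check passes.

    role     -- role the caller must hold (e.g. "admin" for the admin page)
    owner_of -- keyword argument naming the resource owner; the caller must
                be that owner (or an admin) to proceed
    Every refusal is logged (prevention item 4) before the exception is raised.
    """
    def decorator(view):
        @wraps(view)
        def guarded(request, *args, **kwargs):
            if request.user is None:
                log.warning("denied: anonymous caller to %s", view.__name__)
                raise AccessDenied("login required")
            if role is not None and role not in request.roles:
                log.warning("denied: %s lacks role %s for %s",
                            request.user, role, view.__name__)
                raise AccessDenied("missing role")
            if owner_of is not None:
                owner = kwargs.get(owner_of)
                if owner != request.user and "admin" not in request.roles:
                    log.warning("denied: %s is not owner %s for %s",
                                request.user, owner, view.__name__)
                    raise AccessDenied("not the owner")
            return view(request, *args, **kwargs)
        return guarded
    return decorator


@require(role="admin")
def admin_page(request):
    return "admin console"


@require(owner_of="owner")
def account_page(request, owner):
    return f"account of {owner}"


def denies(view, request, **kwargs) -> bool:
    """True if the guarded view refuses this request."""
    try:
        view(request, **kwargs)
        return False
    except AccessDenied:
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(admin_page(Request("root", ["admin"])))
    print(denies(admin_page, Request("mallory")))                    # True, logged
    print(account_page(Request("alice"), owner="alice"))
    print(denies(account_page, Request("alice"), owner="bob"))       # True, logged
```

Because the decorator raises unless a check explicitly succeeds, forgetting to declare a requirement produces a refusal rather than silent access, which is what "deny by default" buys you.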

5. XML external entities

XML processors can be configured to load the contents of external files into an XML document. So hackers can upload harmful and malicious XML code, steal user cookies, gain session IDs and use XML code to find the server password of the user.

They can also get access to the server directory. An attacker is able to cause DoS and gain remote access to content and services. It is of two types, in-band and out-of-band. Since XML is a very popular data format, it is used in everything from web services onwards.

Example – The attacker attempts to extract data from the server, or attempts a DoS attack by including potentially endless files.

XML external entities prevention

  1. Try to use less complex formats such as JSON.
  2. Upgrade all XML processors and libraries.
  3. SAST tools help to detect XXE in source code.
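An added example of the hardening the section describes: a parser for untrusted XML that refuses any document carrying a DTD, which is where external entity declarations live, and that additionally tells the parser never to fetch an external entity. This is illustrative code using Python's standard `xml.parsers.expat` module, not from the article; the sample documents are constructed, and the `file:///placeholder/path` system identifier is a placeholder.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when an untrusted document declares a DOCTYPE."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML from an untrusted source and return the element names seen.

    Two layers: the whole document is rejected if it declares a DOCTYPE, and
    if an external entity reference is ever encountered anyway the parser is
    told to abort rather than load the referenced resource.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised in a handler propagate out of Parse().
        raise DoctypeRejected(f"DOCTYPE '{name}' not accepted from untrusted input")

    def on_external_entity(context, base, system_id, public_id):
        # Returning 0 makes expat stop with an error instead of fetching.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def accepts(data: bytes) -> bool:
    """True if the document parses under the hardened rules, False if rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except (DoctypeRejected, xml.parsers.expat.ExpatError):
        return False


# Constructed sample inputs (not from the article).
CLEAN = b"<order><item sku='placeholder'/></order>"
WITH_EXTERNAL_ENTITY = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///placeholder/path'>]>"
    b"<order>&ext;</order>"
)
WITH_INTERNAL_DTD = b"<!DOCTYPE order [<!ENTITY x 'y'>]><order>&x;</order>"

if __name__ == "__main__":
    print(parse_untrusted_xml(CLEAN))            # ['order', 'item']
    print(accepts(WITH_EXTERNAL_ENTITY))         # False: DOCTYPE rejected
    print(accepts(WITH_INTERNAL_DTD))            # False: any DTD is rejected
```

Rejecting every DOCTYPE is deliberately blunt: it also blocks the "potentially endless" nested-entity documents the example mentions, since those need a DTD too. Applications that genuinely require DTDs should instead follow prevention item 1 and move the interface to JSON.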

6. Security Misconfiguration

Hackers always keep track of security configuration, so they are always trying new ways to enter websites. Misconfiguration in the system can give them an easy way in, since developers work on the functionality of websites rather than on their security.

Configuration is done on the application server, database server, proxy and other devices, and all of it needs to be in line with the security requirements.

Example – Most of the time we use sample products which have well-known security flaws, and attackers can use them to get inside your server.

Security Misconfiguration prevention

  1. Disable the use of default passwords.
  2. Configure the server on your own.
  3. Disable administration interfaces.
  4. Disable debugging.

7. Cross-site Scripting (XSS attack)

XSS is a web security vulnerability that allows a hacker to interfere with the interactions that users have with the application. It allows an attacker to masquerade as a victim user and perform any action that user can perform.

If the attacked user has full access to the application, the hacker is able to gain full access to the application's functions and data. It is also considered very critical in the OWASP Top 10.

Example – The attacker injects a payload into the website by submitting a vulnerable form with malicious JavaScript content.

Cross-site Scripting (XSS attack) prevention

  1. Use appropriate response headers.
  2. You must sanitize the input and encode the output.
  3. Don’t trust any user input.
  4. Use the content security policy.
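The form-submission example above, together with prevention items 1, 2 and 4, as an added example: a template that splices the submitted comment straight into HTML beside one that encodes it on output, plus the response headers a hardened page would send. This is illustrative code, not from the article; the comment markup and the `<script>alert(1)</script>` test string are constructed.

```python
import html
import secrets


def render_comment_vulnerable(author: str, body: str) -> str:
    """Untrusted fields spliced straight into markup.

    Whatever script tag the submitter included is delivered to every
    reader's browser as live HTML.
    """
    return f"<div class='comment'><b>{author}</b>: {body}</div>"


def render_comment_safe(author: str, body: str) -> str:
    """Output encoding (prevention item 2).

    Every character special to HTML becomes a character reference, so the
    browser renders the submission as text rather than parsing it.
    """
    return (f"<div class='comment'><b>{html.escape(author, quote=True)}</b>: "
            f"{html.escape(body, quote=True)}</div>")


def script_nonce() -> str:
    """A fresh per-response nonce for the CSP script-src directive."""
    return secrets.token_urlsafe(16)


def security_headers(nonce: str) -> dict:
    """Response headers from prevention items 1 and 4.

    The CSP allows inline or injected scripts only if they carry this
    response's nonce, which a payload stored in a comment cannot know.
    """
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def delivered_as_markup(rendered: str, submitted: str) -> bool:
    """Did the submitted text reach the page unchanged, i.e. as live markup?"""
    return submitted in rendered


SAMPLE_BODY = "<script>alert(1)</script>"  # constructed test submission

if __name__ == "__main__":
    print(render_comment_vulnerable("bob", SAMPLE_BODY))   # script tag intact
    print(render_comment_safe("bob", SAMPLE_BODY))         # &lt;script&gt;... as text
    print(security_headers(script_nonce()))
```

Encoding on output rather than filtering on input is what makes the safe renderer robust: it does not need to recognise every JavaScript trick, only the handful of characters HTML itself treats specially.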

8. Insecure Deserialization

Insecure deserialization leads to remote code execution, or it can be used in other attacks including replay attacks, injection attacks and privilege escalation attacks. It is also known as untrusted deserialization.

Thus it is a serious application security issue that affects most modern systems. The impact of deserialization flaws cannot be overstated.

Example – A PHP forum uses PHP object serialization to save a cookie containing the user ID, password hash

Insecure Deserialization prevention

  1. Implement integrity checks such as digital signatures.
  2. Enforce strict constraints on the deserialized data.
  3. Restrict and monitor incoming and outgoing network connectivity.
  4. Isolate and run code that deserializes in low-privilege environments.
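Prevention items 1 and 2 applied to the article's cookie example, as an added example: the cookie carries plain JSON rather than a native object serialiser, an HMAC over the exact bytes is verified before anything is parsed, and the parsed fields are checked against a strict schema. This is illustrative code, not from the article; the signing key is a placeholder that a real deployment would load from server-side configuration, and the `user_id`/`role` fields are constructed.

```python
import base64
import hashlib
import hmac
import json

# Placeholder only: a real application loads this from server-side secrets.
SECRET_KEY = b"placeholder-server-side-key"
ALLOWED_ROLES = ("user", "moderator")


def _sign(body: str) -> str:
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()


def encode_cookie(payload: dict) -> str:
    """Serialise a plain dict as JSON and append an HMAC over those exact bytes."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body)}"


def decode_cookie(cookie: str):
    """Return the payload only if the signature verifies and the schema holds.

    Verification happens before parsing, and the format is JSON rather than
    a native object serialiser, so a forged or edited cookie can neither
    instantiate classes nor smuggle fields the application never issued.
    """
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(body), tag):   # constant-time comparison
        return None
    try:
        data = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    # Strict constraints (prevention item 2): exactly the issued fields, typed.
    if (not isinstance(data, dict)
            or set(data) != {"user_id", "role"}
            or not isinstance(data["user_id"], int)
            or data["role"] not in ALLOWED_ROLES):
        return None
    return data


def tamper(cookie: str, new_role: str) -> str:
    """Constructed helper: rewrite the role without re-signing, which is all
    anyone without the key can do."""
    body, tag = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(body.encode()))
    data["role"] = new_role
    new_body = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()).decode()
    return f"{new_body}.{tag}"


if __name__ == "__main__":
    c = encode_cookie({"user_id": 42, "role": "user"})
    print(decode_cookie(c))                      # {'role': 'user', 'user_id': 42}
    print(decode_cookie(tamper(c, "moderator")))  # None: signature no longer matches
    print(decode_cookie("not.a.cookie"))         # None
```

Even with a valid signature, the schema check matters: a cookie the server itself issued long ago with a field or role that is no longer valid is refused rather than interpreted.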


9. Using Components with known vulnerabilities

There are many software components available to developers, and most of them are open source and freely available. Developers take advantage of this and build applications filled with many features using these third-party components.

Example – Components typically run with the same privileges as the application itself, so flaws in any component can have a serious impact. Such flaws can be accidental or intentional.

Prevention

  1. Only obtain components from official sources.
  2. Remove unused dependencies and documentation.
  3. Monitor libraries and components that are unmaintained.

10. Insufficient logging and monitoring

Many times you may have noticed that you have been redirected to different and malicious websites without any proper validation. Logging and monitoring check for user failures and apply firewall checks on all login attempts, so their absence is the bedrock of every major incident. Hackers rely on the lack of monitoring and timely response to achieve their goals without being detected.

Example – An attacker scans for users who use a common password, and can take over all accounts using that password. For all other users, the scan leaves only one failed login behind. After some days, this may be repeated with a different password.

Insufficient logging and monitoring prevention

  1. Ensure that logs are generated in a format that is easy to understand.
  2. Establish an incident response and recovery plan.
  3. Establish effective monitoring and alerting.
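The article's example, where each account sees only a single failed login, is exactly what a per-account lockout threshold misses. As an added example of prevention items 1 and 3, the detection below groups failures by source and counts distinct accounts within a time window, then lists any successful logins from a flagged source as the accounts to review first. This is illustrative code, not from the article; the log format and the log lines are constructed (the addresses are documentation ranges).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed, easy-to-parse format (prevention item 1):
#   "<ISO timestamp> auth: <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2020-05-01T10:00:01 auth: FAIL user=alice src=203.0.113.7
2020-05-01T10:00:02 auth: FAIL user=bob src=203.0.113.7
2020-05-01T10:00:03 auth: FAIL user=carol src=203.0.113.7
2020-05-01T10:00:04 auth: FAIL user=dave src=203.0.113.7
2020-05-01T10:00:05 auth: OK user=erin src=203.0.113.7
2020-05-01T10:00:06 auth: FAIL user=frank src=203.0.113.7
2020-05-01T10:01:00 auth: FAIL user=alice src=198.51.100.9
2020-05-01T10:01:30 auth: FAIL user=alice src=198.51.100.9
2020-05-01T10:02:00 auth: OK user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) auth: (FAIL|OK) user=(\S+) src=(\S+)$")


def parse_log(text: str):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_spray(text: str, window=timedelta(minutes=10), min_users=5) -> dict:
    """Flag sources that fail against many distinct accounts inside one window.

    Returns {src: sorted list of targeted users}. One failure per account
    never trips a per-account lockout, so the grouping key is the source.
    """
    by_src = defaultdict(list)
    for ts, result, user, src in parse_log(text):
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


def successes_from(text: str, sources) -> list:
    """Successful logins from flagged sources: the likely compromised accounts."""
    return [(ts.isoformat(), user, src)
            for ts, result, user, src in parse_log(text)
            if result == "OK" and src in sources]


if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG)
    print(found)                                  # {'203.0.113.7': [...]}
    print(successes_from(SAMPLE_LOG, found))      # erin's login from the spraying source
```

The second source in the sample (three attempts against one account, then success) is ordinary behaviour and is correctly left alone; the first hits five different accounts in six seconds and is flagged, with erin's successful login from the same address surfaced for incident response.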

I hope you liked our article on OWASP Top 10 2020 Vulnerabilities And Preventions. So, please click “Add Your Comment” below. If you’d like to contact cybercrip’s editors directly, send us a message.
