
OWASP Top 10: Web App Discussion

  • Cody
  • Nov 6, 2024
  • 6 min read

Today I want to talk about web application vulnerabilities and specifically the OWASP Top 10, the list of the most critical web application security risks. OWASP stands for Open Worldwide Application Security Project (until 2023 it was the Open Web Application Security Project), a non-profit organization focused on application security. The Top 10 is not an exhaustive list of vulnerabilities but a ranking of risk categories, each with guidance on how to prevent it. I will go through them in the order they are listed and then say what each one means based on my current understanding. My goal is not to be overly technical, so as not to alienate anyone, and to deepen my understanding of each of these categories as I research them further. The current version of the list is the 2021 edition, which stays in use until the next version is published.



1. Broken access control


Broken access control occurs when a web application lets a user reach pages or data without checking that the user is authorized to see them. For example, suppose a site shows the user ID number in the URL:


https://examplewebsite.com/user?userid=6

https://examplewebsite.com/user?userid=7

https://examplewebsite.com/user?userid=8


Simply changing the "userid" number to another value could return a different user's account. This is an insecure direct object reference (IDOR), the most common form of broken access control. Another example would be a standard user account being able to reach administrator-only functions. Each of these flaws can lead to a data breach, and the fix is the same in both cases: the server must check authorization on every request instead of trusting the identifier the client sends.
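The check that closes this hole, as an added example that is not part of the original post: a request handler that trusts the userid parameter beside one that authorizes every request against the logged-in session. The user table, the session object and the role names are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data (not real accounts): user id -> profile record.
USERS = {
    6: {"name": "alice", "email": "alice@example.com", "role": "user"},
    7: {"name": "bob", "email": "bob@example.com", "role": "user"},
    8: {"name": "carol", "email": "carol@example.com", "role": "admin"},
}


@dataclass
class Session:
    """Assumed shape of the server-side session for the logged-in user."""
    user_id: int
    role: str


def profile_vulnerable(session: Session, userid: int) -> dict:
    """Broken access control: the ?userid= value from the URL is used as-is.
    Any logged-in user reads any record just by changing the number."""
    return USERS[userid]


def profile_hardened(session: Session, userid: int) -> tuple[int, dict | None]:
    """Authorizes on every request: a user may read only their own record,
    an admin may read any. Returns an HTTP-style status code and the body."""
    if userid not in USERS:
        return 404, None
    if session.role != "admin" and session.user_id != userid:
        # Deny by default. A mismatched id is a classic IDOR probe and is
        # worth logging (see number 9, logging and monitoring).
        return 403, None
    return 200, USERS[userid]


if __name__ == "__main__":
    alice = Session(user_id=6, role="user")
    print(profile_vulnerable(alice, 7))  # bob's record leaks
    print(profile_hardened(alice, 7))    # (403, None)
    print(profile_hardened(alice, 6))    # (200, alice's record)
```

The important detail is that the hardened handler derives "who is asking" from the server-side session, never from anything in the URL or body.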



2. Cryptographic failures


Cryptographic failures cover weak, outdated or misused cryptography, and the absence of cryptography where it is needed. Simply encrypting data does not make it safe: the algorithm should be a current standard (for example AES-GCM, not DES or RC4) with at least the recommended key length, and keys must be generated randomly and stored separately from the data they protect. Similarly, passwords should not be stored with a fast general-purpose hash such as MD5 or unsalted SHA-1; they should be hashed with a salted, deliberately slow password-hashing function (Argon2id, bcrypt, scrypt or PBKDF2), or the hashes can be cracked with the right tools and a wordlist. The category also covers data in transit between the client and the server. Sensitive information sent in the clear, such as protected health information covered by HIPAA or PII (personally identifiable information), can be captured by an attacker on the network path using a tool such as Wireshark, so it should travel over TLS.
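As an added example, not part of the original post: storing passwords with an unsalted fast hash (cracked here with a three-word constructed wordlist) beside a salted, deliberately slow key-derivation function. scrypt is used because it ships with Python's standard library; Argon2id is the current first choice where a library for it is available. The work-factor parameters and the sample passwords are illustrative assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed wordlist standing in for a leaked-password list.
WORDLIST = ["password", "letmein", "Summer2024!"]


def store_weak(password: str) -> str:
    """Cryptographic failure: unsalted MD5. Identical passwords produce
    identical hashes, and a GPU tries billions of guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(target: str, wordlist: list[str]) -> str | None:
    """Offline guessing against a weak hash: hash each candidate and compare."""
    for guess in wordlist:
        if store_weak(guess) == target:
            return guess
    return None


def store_strong(password: str) -> str:
    """Salted scrypt with a 16-byte random salt per user. n=2**14, r=8, p=1
    costs about 16 MiB of memory per guess, which is what slows an attacker."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    # Store the parameters with the hash so the work factor can be raised later.
    return f"scrypt${2**14}$8$1${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison: a plain == can leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Two things to notice when running it: the same password stored twice with store_strong gives two different strings (the salt defeats precomputed tables), and the wordlist attack that recovers "letmein" from the MD5 hash in microseconds would have to pay the full scrypt cost for every single guess against the strong form.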



3. Injection


Injection vulnerabilities occur when untrusted input is mixed into a command, query or page in a way that lets the input change what gets executed. The input can arrive anywhere the application reads it: a URL parameter, a form field, a header or a cookie. When the input reaches an operating-system shell, this is command injection: instead of being confined to the application, the attacker runs commands on the server that hosts it, again reaching information without authorization. In cross-site scripting (XSS), which the 2021 list folds into this category, attacker-supplied JavaScript is reflected or stored by the application and then runs in other users' browsers as if it were part of the page, achieving the attacker's desired result (stealing session cookies, for example). In SQL injection (SQLi; SQL is Structured Query Language), a query built by pasting user input into the SQL text lets an attacker alter the query and return data that should not be accessible. This is a coding flaw rather than a misconfiguration: the fix is parameterized queries (prepared statements), which keep the data separate from the statement. An attacker typically fingerprints the database engine first, from version banners found while enumerating the server's ports and services, from verbose error messages that disclose the engine and its syntax, or from time-based probes (a query that sleeps only when a condition is true), and then crafts a valid query that leaks sensitive data.
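As an added example that is not part of the original post: a login query built by pasting input into the SQL text beside its parameterized form, run against an in-memory SQLite database with constructed rows, plus a look at what a verbose database error discloses. The table and column names are assumptions.

```python
from __future__ import annotations
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed sample database: two accounts, with plaintext passwords
    only to keep the injection visible (see number 2 for how to store them)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Injection: the input becomes part of the SQL text, so a value such as
    ' OR '1'='1 rewrites the WHERE clause and matches every row."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Parameterized query: the values travel separately from the statement
    and are never parsed as SQL, whatever characters they contain."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def leaked_error(conn: sqlite3.Connection, username: str) -> str | None:
    """What a verbose error page discloses: the driver's exception names the
    engine and its syntax, which is how an attacker fingerprints it. A
    hardened app logs this server-side and shows the user a generic message."""
    try:
        login_vulnerable(conn, username, "x")
        return None
    except sqlite3.Error as exc:
        return f"{type(exc).__name__}: {exc}"
```

Run with the username and password both set to ' OR '1'='1, the vulnerable query returns every account while the parameterized one returns nothing, because the database compares the literal string rather than evaluating it.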



4. Insecure design


Insecure design is a broad category that I will attempt to explain simply. It is about flaws in how the application was designed rather than bugs in how it was implemented; a perfect implementation cannot fix a design that never included the needed controls. If we refer to the CIA triad in cybersecurity, we are trying to achieve confidentiality, integrity and availability. In our design, we must apply technical controls such as encryption and access control to keep information from unauthorized eyes, ensuring confidentiality. For integrity, our controls must ensure that the information the web application maintains is accurate and has not been tampered with. For availability, we use controls that ensure authorized users can reach the information they need. Perfect security would lock the data in a vault with no way to access it, but that is not realistic for a web application. So we must design the system, with threat modeling done before the code is written, in a way that keeps sensitive data secure, unaltered and available to those who are authorized and have a need.


5. Security misconfiguration


Security misconfigurations come from human error. A common example is leaving default login credentials on a web application or the software under it: default password lists are an easy Google search, and online brute-forcing tools run through such lists quickly. Change default passwords immediately. Then configure the login to lock the account, or slow the client down, after a small number of failed attempts, so an attacker cannot try thousands of passwords. This is the most basic security measure.


In the case of SQLi, if an error message returned to the user reveals the type of SQL database in use, that is a security misconfiguration: verbose errors belong in the server-side log, with a generic message shown to the user. If unused ports and services are open on a server, enumeration tools will find them and they may be exploitable. Give users and components only what they need; do not add to the attack surface of your web application. Allowing unnecessary HTTP methods (such as PUT, DELETE or TRACE on a site that only serves pages) is another security misconfiguration. These are just a few of the many.




6. Vulnerable and outdated components


This is usually addressed with regular vulnerability scanning along with an inventory of assets and software, so that you know which components and versions you are responsible for, including the libraries and frameworks the application is built from. Staying on top of updates, preferably ones that are signed and verified as authentic, is another way to maintain security, especially when there is a known vulnerability in a current system. A common area where vulnerable and outdated components exist, though not usually in a web application itself, is industrial control systems; the same is true of medical equipment. For example, a necessary piece of equipment might run on Windows 7, and upgrading it to a supported operating system might take that equipment out of commission for a long time or, worse, stop it from working at all, stalling business operations. Where an outdated system cannot be updated because the manufacturer no longer supports it, you can keep it in service by adding compensating controls such as network segmentation through VLANs and firewall rules that limit what is allowed to talk to it.


7. Identification and authentication failures


This one is a broad vulnerability that overlaps with things I discussed under previous categories. For example, under number 5, security misconfiguration, I mentioned limiting failed login attempts (brute-forcing) and changing default passwords. But what about setting a minimum password length and checking new passwords against lists of common or breached passwords too? On top of that, without multifactor authentication an attacker who obtains a user's correct credentials (through phishing, or a password reused from a site that was breached) can simply log in as that user. Note: multifactor authentication does not prevent unauthorized access 100% of the time, but it makes the attacker's job much harder. Another possibility involves the way a forgotten password can be reset. A secure system would not let an attacker who knows only the username change the password, for example by answering simple security questions; reset links should be random, single-use and short-lived, and sent only to the verified address on file. Finally, login forms are themselves a common injection point: the username and password fields usually feed a database query, so the input-handling rules from number 3 apply there too. Characters such as ' " ; & $ ! | are the ones an attacker tries first, but the defense is parameterized queries and output encoding rather than trying to block particular characters.
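The lockout and password-policy controls mentioned under numbers 5 and 7, as one added example that is not part of the original post: a small in-memory login guard. The thresholds, the lockout window, the common-password list and the sample attempts are illustrative assumptions; a real service keys the counters per account and per source address and persists them.

```python
from __future__ import annotations
from collections import defaultdict
from typing import Callable

MAX_FAILURES = 5            # failed attempts allowed before lockout (assumed)
LOCKOUT_SECONDS = 15 * 60   # how long the lockout lasts (assumed)
MIN_LENGTH = 12             # assumed minimum password length
# Constructed stand-in for a common/default password list.
COMMON_PASSWORDS = {"password", "admin", "changeme", "123456", "welcome1"}


def password_policy_violations(password: str) -> list[str]:
    """Checks applied when a password is set or changed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common/default password list")
    return problems


class LoginGuard:
    """Locks an account after MAX_FAILURES failures inside LOCKOUT_SECONDS."""

    def __init__(self) -> None:
        self.failures: dict[str, list[float]] = defaultdict(list)

    def is_locked(self, username: str, now: float) -> bool:
        # Keep only failures still inside the window, then count them.
        recent = [t for t in self.failures[username] if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def attempt(self, username: str, password: str, now: float,
                check: Callable[[str, str], bool]) -> str:
        """Returns 'locked', 'ok' or 'fail'. The lock is tested before the
        credentials, so a locked account cannot be used to confirm a guess."""
        if self.is_locked(username, now):
            return "locked"
        if check(username, password):
            self.failures[username].clear()
            return "ok"
        self.failures[username].append(now)
        return "fail"
```

The guard takes the current time as a parameter so the window logic can be exercised deterministically; in production, pass time.time().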


8. Software and data integrity failures


This category revolves around the authenticity and integrity (the I in CIA) of software and data. For example, installing only software and updates that carry a valid digital signature from the vendor ensures the code was not tampered with by a malicious party on its way to you. Another aspect is dependencies: modern applications pull in libraries from package repositories, so those should come from trusted repositories, be pinned to known versions and checksums, and be verified before installation. The same applies to the CI/CD pipeline that builds and deploys the application, since anyone who can alter it can alter what ships. We only want to use trusted software and code; otherwise we may be installing an update or a library with a back door added by an attacker.
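As an added example, not part of the original post: verifying a downloaded artifact against a pinned digest before it is installed, which is the check a lockfile or pip's --require-hashes mode performs. The artifact bytes, the lockfile and the tampered copy are constructed here; in a real pipeline the pinned digest comes from a lockfile committed to the repository or a signed manifest, and the publisher's signature on that manifest is verified as well.

```python
from __future__ import annotations
import hashlib
import hmac

# Constructed artifact and lockfile: package file name -> pinned sha256.
ARTIFACT = b"def greet():\n    return 'hello'\n"
LOCKFILE = {"greeter-1.0.tar.gz": hashlib.sha256(ARTIFACT).hexdigest()}


def verify_artifact(name: str, data: bytes, lockfile: dict[str, str]) -> bool:
    """True only if the artifact is pinned and its digest matches the pin."""
    expected = lockfile.get(name)
    if expected is None:
        return False  # unpinned dependency: fail closed rather than install it
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time compare; the digest is not secret, but the habit is cheap.
    return hmac.compare_digest(actual, expected)


def install(name: str, data: bytes, lockfile: dict[str, str]) -> str:
    """Installs only after verification; anything else raises and stops the build."""
    if not verify_artifact(name, data, lockfile):
        raise RuntimeError(f"refusing to install {name}: unpinned or digest mismatch")
    return f"installed {name}"


def tampered_copy() -> bytes:
    """Constructed: what a malicious mirror might serve for the same file name."""
    return ARTIFACT + b"# back door appended by a compromised mirror\n"
```

The point of failing closed on an unpinned name is that a build which silently accepts a new, unreviewed dependency is exactly how a supply-chain compromise gets in.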


9. Security logging and monitoring failures


If you have a security system such as an IDS or IPS (intrusion detection/prevention system), what good is it if it is not correctly logging unusual events or detecting attacks? An IDS detects and alerts on an attack; an IPS can also block it, but either one is only useful if the event is logged correctly and someone reviews the alerts. This vulnerability is related to security misconfigurations, and it extends to the application's own logs: logins, failed logins, access-control denials and input-validation failures should be recorded with enough context (who, what, when, from where) to reconstruct an incident, stored where an attacker cannot alter them, and retained long enough to investigate. Tuning the sensitivity of these systems is a balancing act, to find a point where they log what is malicious without sending countless false positives. If an attacker is performing a port or service scan, the monitoring should log it. If someone is repeatedly trying many passwords, or countless requests are arriving (as in a denial-of-service attack), the monitoring should log it and raise an alert.
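As an added example that is not part of the original post: the two detections named in the paragraph above, a brute-force rule (many failed logins from one source inside a short window) and a port-scan rule (one source touching many distinct ports), run over constructed log lines. The log formats, thresholds and addresses (taken from the documentation ranges) are assumptions.

```python
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in an assumed format.
AUTH_LOGS = [
    f"2024-11-06T10:00:{s:02d} auth failed user=admin src=203.0.113.5" for s in range(6)
] + [
    "2024-11-06T10:05:00 auth failed user=alice src=198.51.100.7",
    "2024-11-06T10:05:30 auth ok user=alice src=198.51.100.7",
]
FW_LOGS = [
    f"2024-11-06T11:00:00 fw DROP src=203.0.113.9 dport={p}"
    for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389)
] + ["2024-11-06T11:00:01 fw ACCEPT src=198.51.100.7 dport=443"]

AUTH_RE = re.compile(r"^(\S+) auth (failed|ok) user=(\S+) src=(\S+)$")
FW_RE = re.compile(r"^(\S+) fw (ACCEPT|DROP) src=(\S+) dport=(\d+)$")


def brute_force_sources(lines, threshold: int = 5, window_seconds: int = 60) -> set[str]:
    """Sources with at least `threshold` failed logins inside any span of
    window_seconds. A single failure from a legitimate user is not flagged."""
    failures: dict[str, list[float]] = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if m and m.group(2) == "failed":
            failures[m.group(4)].append(datetime.fromisoformat(m.group(1)).timestamp())
    flagged = set()
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):   # sliding window
            if times[i + threshold - 1] - times[i] <= window_seconds:
                flagged.add(src)
                break
    return flagged


def port_scan_sources(lines, min_ports: int = 10) -> set[str]:
    """Sources that touched at least min_ports distinct destination ports;
    a scanner fans out across ports, a normal client does not."""
    ports: dict[str, set[int]] = defaultdict(set)
    for line in lines:
        m = FW_RE.match(line)
        if m:
            ports[m.group(3)].add(int(m.group(4)))
    return {src for src, seen in ports.items() if len(seen) >= min_ports}
```

Both rules are deliberately simple; the threshold and window are the knobs the paragraph describes tuning, and lowering them trades missed attacks for more false positives.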


10. Server-side request forgery


As with the previous categories, this one is related to several of the others. Server-side request forgery (SSRF) occurs when a web application fetches a remote resource from a URL the user supplies, without validating it. Because the request is made by the server, it can reach places the attacker cannot reach directly: services listening on localhost, hosts on the internal network, or a cloud provider's instance metadata endpoint, which may hand out credentials. The root cause is the same as with injection: the server is not validating user-supplied input. The defense is to allow only the schemes and hosts the feature genuinely needs, to resolve the hostname and reject private, loopback and link-local addresses, and to run the component that does the fetching with no more network access than it requires.


A concrete example would be a feature that fetches an image from a URL the user pastes in. Whatever it fetches originally is authorized. An attacker then modifies the request, using a tool such as Burp Suite or the browser's Developer Tools (F12), so that the server fetches an internal address instead. The example below shows a related input-validation flaw, path traversal, where the modified destination walks up the directory tree to read /etc/passwd from the server. OWASP files that under broken access control rather than SSRF, but the attacker's technique, tampering with the request in transit, is the same:


…original destination


/../../../../../../etc/passwd (Modified destination)
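Server-side validation for both cases above, as an added example that is not part of the original post: a guard for a user-supplied URL the server would fetch (SSRF) and a guard for a file path derived from user input (path traversal). Hostnames are resolved against a constructed table so the example runs offline; a real check must resolve DNS itself and connect to the address it validated, otherwise the record can be re-pointed between the check and the request. The allowlisted host and the web root are assumptions.

```python
from __future__ import annotations
import ipaddress
import posixpath
from urllib.parse import urlparse

# Constructed stand-in for DNS resolution.
FAKE_DNS = {
    "images.example.com": "93.184.216.34",
    "metadata.internal": "169.254.169.254",
    "localhost": "127.0.0.1",
}
ALLOWED_HOSTS = {"images.example.com"}   # hosts this feature may fetch from (assumed)
WEB_ROOT = "/var/www/app/files"          # directory users may read from (assumed)


def check_fetch_url(url: str) -> tuple[bool, str]:
    """SSRF guard for a URL the server is asked to fetch on the user's behalf."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addr = ipaddress.ip_address(FAKE_DNS.get(host, host))
    except ValueError:
        return False, "host does not resolve"
    # Reject anything that lands inside the server's own network.
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast):
        return False, f"{host} resolves to internal address {addr}"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    return True, f"fetch {url} via {addr}"


def safe_path(user_path: str, root: str = WEB_ROOT) -> str | None:
    """Path-traversal guard: normalize, then require the result to stay under
    root. Add os.path.realpath on the real filesystem where symlinks exist."""
    candidate = posixpath.normpath(posixpath.join(root, user_path.lstrip("/")))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate
```

The allowlist alone would already block the metadata and localhost cases; the address-range check is kept as well because allowlists get widened over time, and a name on the list can be pointed at an internal address by whoever controls its DNS.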



Thank you for reading!



For more information, go to the OWASP website.


