OWASP, also known as the Open Web Application Security Project, has just released the OWASP Top 10 for 2013. The OWASP Top 10 is a list of the most common vulnerabilities and flaws found in today’s web applications. The list is based on several datasets from different firms specializing in web application security and aims to help businesses that own websites and web applications simplify the process of securing them.
The OWASP Top 10 list has been released once every 3 years since 2004. For more details about all the changes between the OWASP Top 10 of 2010 and 2013, refer to What is New and What Changed in OWASP Top 10 2013. Below is the new list for 2013.
A1 - Injection
LDAP Query Injection, OS Command Injection and SQL Injection are all different types of injection flaws. An injection occurs when a malicious hacker takes advantage of insecure web application coding and manages to inject commands into forms, such as a login form, from where he or she then gains access to sensitive data stored in the web application backend database. Details about a real-life example of an SQL injection attack and its dangerous repercussions can be found in the blog post Details of South African Whistleblowers Exposed via SQL Injection.
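The login-form case described above, shown as a vulnerable query beside its parameterized form. This is an added example, not code from the original post; the table layout, function names and sample account are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

DEMO_SALT = b"constructed-demo-salt"  # assumption: real apps use a random salt per user

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000).hex()

def make_db():
    """In-memory user table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", pw_hash("correct horse")))
    return db

def login_vulnerable(db, name, password):
    # Vulnerable: the form fields are pasted into the SQL text, so a quote
    # in `name` ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    return db.execute(sql).fetchone() is not None

def login_hardened(db, name, password):
    # Hardened: the `?` placeholder sends the value separately from the SQL
    # text, so it is only ever compared as data.
    row = db.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], pw_hash(password))

# Constructed form input: closes the quote and comments out the password check.
INJECTED_NAME = "alice' --"

if __name__ == "__main__":
    db = make_db()
    for login in (login_vulnerable, login_hardened):
        print(login.__name__,
              "| good password:", login(db, "alice", "correct horse"),
              "| injected name, wrong password:", login(db, INJECTED_NAME, "wrong"))
```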
A2 - Broken Authentication and Session Management
Authentication in web applications is mostly used to grant or deny a particular user access to specific information, and session management is the management of users who are already logged in. The most common security risks related to authentication and session management are the theft of passwords or session tokens and the impersonation of legitimate users. Authentication and session management flaws are typically identified in password reset functionality, by tampering with cookies or session IDs, etc.
A3 - Cross-Site Scripting
A cross-site scripting (XSS) vulnerability allows a malicious hacker to inject malicious client-side script into a website or web application, which is later executed by the victims. Typically, cross-site scripting attacks are used to bypass access controls and to impersonate legitimate users, such as the web application administrator. Some years ago a cross-site scripting vulnerability was used together with other vulnerabilities to gain root access on the Apache Foundation servers. For more detailed information about this attack, refer to the blog post XSS to Root in Apache Jira Incident.
A4 - Insecure Direct Object References
An insecure direct object reference is a flaw in the design of the web application where access to a sensitive object, such as a directory, a particular record or a database, is not fully protected and the object is exposed by the application. A typical example would be when a customer accesses his bank accounts via e-banking and, because of a flaw in the web application, he is able to see someone else’s account as well.
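The e-banking case above, with the missing ownership check and two ways to close it. This is an added example, not code from the original post; the account data, class and function names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str
    balance_cents: int

# Constructed sample data standing in for the bank's account table.
ACCOUNTS = {
    1001: Account(1001, "alice", 250_000),
    1002: Account(1002, "bob", 90_000),
}

class Forbidden(Exception):
    """Raised when the logged-in user may not access the requested object."""

def get_account_vulnerable(session_user, account_id):
    # Vulnerable: the id from the request is used as-is; any logged-in
    # customer who changes the number receives another customer's record.
    return ACCOUNTS[account_id]

def get_account_checked(session_user, account_id):
    # Hardened: every lookup is tied to the authenticated user. Unknown and
    # foreign ids get the same error so valid ids cannot be enumerated.
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != session_user:
        raise Forbidden("account not available")
    return account

def indirect_refs(session_user):
    # Alternative: expose per-user references (1, 2, ...) that only map to
    # the user's own accounts, so real ids never reach the browser.
    own = sorted(a.account_id for a in ACCOUNTS.values() if a.owner == session_user)
    return {ref: account_id for ref, account_id in enumerate(own, start=1)}

def get_account_by_ref(session_user, ref):
    account_id = indirect_refs(session_user).get(ref)
    if account_id is None:
        raise Forbidden("account not available")
    return ACCOUNTS[account_id]
```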
A5 - Security Misconfiguration
Web application security is not just about secure web application coding. To ensure the security of a web application it is also important to secure the configuration of the web server, secure the operating system of the web server and ensure that it is always updated with the latest security patches. The same applies to the web frameworks being used, such as PHP, .NET, etc., and to any other software being used on the web server.
A6 - Sensitive Data Exposure
Sensitive data stored in databases or any other object should be well protected. Credit card details, social security numbers and other sensitive customer details should be encrypted when stored in a database, even if they are not directly accessible via the web application. The same applies for sensitive data being transmitted to and from the web application, such as credentials or payment details. Such information should be transmitted over a secure and encrypted layer.
A7 - Missing Function Level Access Control
An attacker can exploit this type of security flaw by changing the URL in the browser when accessing a web application to try and access a function he does not have access to. If the web application fails to perform proper access control checks specifically for that particular object, the attacker is able to access the function he should not have access to.
A8 - Cross-site Request Forgery (CSRF)
A cross-site request forgery, also referred to as CSRF, is widely popular with scammers and spammers because, when exploited, the attacker can force a victim’s web browser to send a forged HTTP request to a vulnerable web application. Such a forged HTTP request typically carries the victim’s logged-in information, such as the cookie details and other authentication-related information, so the vulnerable web application handles it as though it were a legitimate request from the victim.
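Because the browser attaches the session cookie on its own, the cookie alone cannot prove that the user intended a request. One common defence, sketched here as an added example that is not part of the original post, is a per-session token that only the site's own pages can embed; the key, session ids and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)      # hypothetical per-deployment secret
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state

def issue_csrf_token(session_id):
    # Token bound to the session; the site embeds it in its own forms.
    # A page on another origin cannot read it, so it cannot replay it.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def accept_request(method, cookie_session_id, form_token):
    """Decide whether a request that arrived with a valid session cookie is honoured."""
    if method.upper() in SAFE_METHODS:
        return True
    if not form_token:
        return False                       # cookie present, token missing
    expected = issue_csrf_token(cookie_session_id)
    # Compare as bytes in constant time; non-ASCII input must not raise.
    return hmac.compare_digest(expected.encode(),
                               form_token.encode("utf-8", "replace"))

def demo():
    victim = "sess-victim-constructed"     # constructed session ids
    other = "sess-other-constructed"
    return {
        "own form, own token": accept_request("POST", victim, issue_csrf_token(victim)),
        "forged, cookie only": accept_request("POST", victim, None),
        "forged, other session's token": accept_request("POST", victim, issue_csrf_token(other)),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'accepted' if allowed else 'rejected'}")
```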
A9 - Using Components with Known Vulnerabilities
It is quite surprising that this class of vulnerabilities is in 9th place, considering that most of today’s successful attacks happen because the attacker exploited a known vulnerability. The main reason malicious hackers are still able to exploit known vulnerabilities is that outdated software is still being used: administrators fail to update all of the software being used on web servers and by the web applications to the latest secure and most stable version on time.
A10 - Unvalidated Redirects and Forwards
Website visitors are frequently redirected and forwarded to different pages, and even to third-party websites, depending on the visitor’s location, the type of browser being used and several other factors. If the functions analysing such data do not properly validate it, a malicious hacker can exploit such functions and use the legitimate website to redirect its visitors to a phishing website or any other type of malicious website.
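One way to validate a redirect target before using it, as an added example that is not part of the original post: the host allowlist and function name are hypothetical, and anything that is not a same-site path or an allowlisted http(s) host falls back to a default page.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}  # hypothetical site hosts

def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return `target` if it stays on an allowed host, otherwise `default`."""
    # Browsers treat "\" like "/" and strip whitespace and control
    # characters, so reject them instead of guessing the final URL.
    if not target or "\\" in target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:                    # e.g. malformed IPv6 literal
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a single-slash absolute path;
        # "//host/..." is scheme-relative and would leave the site.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    # Absolute URL: http(s) only, and the parsed host (not a prefix or the
    # userinfo part before "@") must be on the allowlist.
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return target
    return default

# Constructed sample values for the redirect parameter.
SAMPLES = [
    "/account/orders?page=2",
    "https://shop.example.com/cart",
    "https://phish.example.net/login",
    "//phish.example.net/login",
    "https://www.example.com@phish.example.net/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:50} -> {safe_redirect_target(sample)!r}")
```

The port is not checked here; add it to the comparison if only specific ports of an allowed host should be reachable.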
Use the OWASP Top 10 in your Web Applications SDLC
Your business will gain several long-term benefits from using and referring to the OWASP Top 10 list in your web application software development life cycle, such as ensuring that your web applications are not vulnerable and training web developers to write secure code in future development projects.
How to Find OWASP Top 10 Vulnerabilities in Your Web Applications
You can find most of the web application security problems and vulnerabilities listed in the OWASP Top 10 by scanning your web applications with an automated web application security scanner at any stage of the development life cycle.
Netsparker is a false-positive-free web application security scanner that automatically scans your website and identifies web application security vulnerabilities that could leave your sensitive data dangerously exposed to malicious hacking attacks. Download the Trial Edition of Netsparker to check if your websites and web applications are vulnerable to any of the OWASP Top 10 vulnerabilities.