StatusNeo

Top 5: Web Application Security Risk (OWASP – 2021)

Introduction

In this blog, we are going to cover the top 5 security risks associated with web applications according to OWASP (Open Web Application Security Project).

We will take a quick look at these risks and will also learn about OWASP.

What is OWASP?

  • OWASP stands for Open Web Application Security Project
  • It is the community leadership team that works to improve software security
  • It is a nonprofit-based foundation that acts as a source for developers and technologists to secure the web

OWASP Top 5: Web Application Security Risk

1. Broken Access Control

  • According to OWASP, 94% of the applications tested had some form of this issue.
  • Access control means that a user cannot use the application beyond the rights granted to them.
  • Broken access control means that a user can perform tasks they are not permitted to perform.
  • It includes unauthorized information disclosure, modification, or destruction of data, and performing a business function outside the user’s limits.
  • This breach is mostly done by modifying the URL and bypassing the access control check.
  • To prevent it, access to all resources should be denied by default except for the public ones.
  • Modelling access control so that it enforces record ownership is also very helpful in preventing it.
  • The complete report about this and the prevention is mentioned here – Broken Access Control
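The two prevention points above (deny by default, and a model that enforces record ownership) are easy to see in code. The following is an added example written for this post, not code from the original post or from OWASP; the `User`, `Document`, `ROLE_PERMISSIONS` and `DOCUMENTS` names and the sample data are all constructed for illustration. The `handle_request` function takes the document id straight from the URL, which is exactly the value a user can change, and the server-side check decides the outcome regardless of what the UI happened to show.

```python
from dataclasses import dataclass, field

# Constructed sample principals and records (not from the original post).
@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset = field(default_factory=frozenset)

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int

# Actions a role is explicitly granted on any document.
# Anything not listed here is denied (deny by default).
ROLE_PERMISSIONS = {
    "admin": frozenset({"read", "update", "delete"}),
    "auditor": frozenset({"read"}),
}

# Actions the owner of a record is allowed on that record (record ownership).
OWNER_PERMISSIONS = frozenset({"read", "update"})

# A tiny in-memory store standing in for the database.
DOCUMENTS = {
    1: Document(doc_id=1, owner_id=100),
    2: Document(doc_id=2, owner_id=200),
}


class AccessDenied(Exception):
    pass


def is_allowed(user, doc, action):
    """Return True only when an explicit rule grants `action` on `doc`.

    There is no "allow" fallthrough: an unknown action, an unknown role, or a
    record the user does not own all end up at the final `False`.
    """
    if action in OWNER_PERMISSIONS and doc.owner_id == user.user_id:
        return True
    return any(action in ROLE_PERMISSIONS.get(role, frozenset()) for role in user.roles)


def handle_request(user, path, action="read"):
    """Serve /documents/<id>, enforcing the access check on the server.

    The id is taken from the URL, so the caller can put any value there; the
    check below is what decides, not the links the client was shown.
    """
    prefix = "/documents/"
    if not path.startswith(prefix) or not path[len(prefix):].isdigit():
        raise ValueError("unsupported path")
    doc = DOCUMENTS.get(int(path[len(prefix):]))
    if doc is None or not is_allowed(user, doc, action):
        # Same outcome for "missing" and "forbidden", so the id space cannot be
        # enumerated by watching which ids give a different error.
        raise AccessDenied(f"user {user.user_id}: {action} on {path} denied")
    return doc


if __name__ == "__main__":
    alice = User(100)
    print(handle_request(alice, "/documents/1"))       # alice owns document 1
    try:
        handle_request(alice, "/documents/2")           # changing the URL does not help
    except AccessDenied as exc:
        print(exc)
```

The point of the structure is that every path to `True` is a rule someone wrote down, so adding a new action or role to the system leaves it denied until a rule is added for it.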

2. Cryptographic Failures

  • Cryptographic failures are associated with the breach of data that falls under privacy law.
  • This data includes user passwords, credit card details, personal information, business secrets and much more.
  • The common causes of this failure are CWE-259: Use of Hard-coded Password, CWE-327: Broken or Risky Crypto Algorithm, and CWE-331: Insufficient Entropy.
  • Data protection is required both in transit and at rest.
  • The cryptographic algorithms in use should also be checked from time to time for better security.
  • The received server certificate and its trust chain should be properly validated and tested.
  • Passwords should not be used as cryptographic keys in the absence of a password-based key derivation function.
  • Sensitive data should not be stored unnecessarily.
  • The complete report about this and the prevention is mentioned here – Cryptographic Failures
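The point about passwords used as keys without a key derivation function, and the advice to revisit the algorithm over time, can be shown with the Python standard library. This is an added example and not code from the original post; the iteration count, the record format (`pbkdf2_sha256$iterations$salt$hash`) and the function names are choices made for this illustration. The `weak_key_from_password` function is included only to show the anti-pattern the list item warns about, next to the PBKDF2-based version that should be used instead.

```python
import hashlib
import hmac
import secrets

# Iteration count for PBKDF2-HMAC-SHA256. The exact value is an assumption for
# this example; it should be set high enough that offline guessing is slow.
PBKDF2_ITERATIONS = 600_000


def weak_key_from_password(password):
    """Anti-pattern: the password bytes themselves become the key.

    No salt and no stretching, and a human-chosen password has far less than
    256 bits of entropy, so this "key" is cheap to guess offline.
    """
    return password.encode("utf-8").ljust(32, b"\x00")[:32]


def derive_key(password, salt, iterations=PBKDF2_ITERATIONS, length=32):
    """Derive a fixed-length key from a password with PBKDF2-HMAC-SHA256.

    The salt makes identical passwords produce different keys, and the
    iteration count makes each guess cost real work.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=length
    )


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Produce a self-describing record: algorithm, iterations, salt and hash.

    Storing the parameters alongside the hash lets the iteration count be
    raised later (the "check algorithms from time to time" advice) without
    invalidating existing records.
    """
    salt = secrets.token_bytes(16)
    digest = derive_key(password, salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored parameters and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    candidate = derive_key(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, minimum_iterations=PBKDF2_ITERATIONS):
    """True if the record was created with fewer iterations than current policy.

    Call this after a successful login and re-hash with the new parameters so
    old records migrate to the stronger setting over time.
    """
    return int(stored.split("$")[1]) < minimum_iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Note that `derive_key` is what you would use to turn a password into an encryption key for data at rest, while `hash_password` and `verify_password` are for checking logins; the same derivation serves both, but a stored login hash must never double as the encryption key.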

3. Injections

  • Injection attacks mostly happen when user-supplied data is not validated, filtered, or sanitized by the application.
  • Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
  • Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
  • Hostile data is directly used or concatenated into the query.
  • The SQL or command contains both the structure and the malicious data in dynamic queries, commands, or stored procedures.
  • SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injections are the most common.
  • Automated testing of all parameters should be done to prevent these kinds of attacks.
  • Using a safe API, such as a parameterized interface or an ORM, should be preferred for better prevention.
  • The complete report about this and the prevention is mentioned here – Injections

4. Insecure Design

  • Insecure design is mostly caused by flaws in the design, most often missing control designs.
  • Secure design is a culture and methodology that constantly evaluates threats and ensures that code is robustly designed and tested to prevent known attack methods.
  • During user story development, determine the correct flow and failure states, and ensure they are well understood and agreed upon by responsible and impacted parties.
  • Analyze assumptions and conditions for expected and failure flows, and ensure they are still accurate and desirable.
  • Determine how to validate the assumptions and enforce the conditions needed for proper behaviour.
  • Ensure the results are documented well in the user story.
  • The complete report about this and the prevention is mentioned here – Insecure Design

5. Security Misconfiguration

  • This risk is basically caused by missing appropriate security hardening across any part of the application stack, or by improperly configured permissions on cloud services.
  • Error handling reveals stack traces or other overly informative error messages to users.
  • Outdated software or packages are being used.
  • The server does not send security headers or directives, or they are not set to secure values.
  • To prevent this, configurations and updates should be reviewed from time to time.
  • Have an automated process to verify the effectiveness of the configurations and settings in all environments.
  • Use a minimal platform without any unnecessary features, components, documentation, and samples; remove or do not install unused features and frameworks.
  • The complete report about this and the prevention is mentioned here – Security Misconfiguration
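The "automated process to verify the effectiveness of the configurations" point can be made concrete for one of the listed symptoms: missing or weakly set security headers, plus headers that disclose server versions. The following is an added example, not code from the original post. The two header sets are constructed for illustration, the list of required headers and the one-year HSTS minimum are policy choices assumed here, and `audit_security_headers` is a hypothetical name; in practice the input would come from a captured HTTP response in a CI job that runs against each environment.

```python
# Constructed response headers from two hypothetical deployments (not from the post).
WEAK_RESPONSE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}

HARDENED_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}

# Policy assumed for this example: these headers must be present ...
REQUIRED_HEADERS = [
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
]
# ... these must be absent, because they advertise the software stack ...
DISCLOSING_HEADERS = ["server", "x-powered-by"]
# ... and HSTS must cover at least one year.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts_max_age(value):
    """Extract the max-age directive from a Strict-Transport-Security value."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return None


def audit_security_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(f"missing header: {name}")
    for name in DISCLOSING_HEADERS:
        if name in h:
            findings.append(f"version disclosure: {name}: {h[name]}")
    if "strict-transport-security" in h:
        max_age = parse_hsts_max_age(h["strict-transport-security"])
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append("weak value: strict-transport-security max-age below one year")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("weak value: x-content-type-options must be nosniff")
    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("weak value: x-frame-options must be DENY or SAMEORIGIN")
    return findings


if __name__ == "__main__":
    for label, headers in [("weak", WEAK_RESPONSE_HEADERS), ("hardened", HARDENED_RESPONSE_HEADERS)]:
        print(label, audit_security_headers(headers) or "OK")
```

Because the check is a plain function over a header dictionary, the same code can run against staging and production in a pipeline and fail the build when the two environments drift apart, which is the drift that the "all environments" advice above is aimed at.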

Conclusion

  • Security is one of the most important features of any web application, and it cannot be ignored.
  • OWASP has created the top 10 categories, from which we have picked the top 5.
  • The complete list of OWASP can be found here – OWASP Top 10
  • All the references are taken from the OWASP official website – OWASP
  • For more blogs visit – Statusneo Blogs, Utkarsh Shukla

Disrupting the Tech World: Product Owner at NerdyBio, Python Powerhouse, AWS Ace & Prolific Tech Blogger 💻💥
