logo-StatusNeo
d

WE ARE EXPERTS IN TECHNOLOGY

Let’s Work Together

Image Alt

StatusNeo

Utkarsh Shukla blogs

Top 5: Web Application Security Risk (OWASP – 2021)

Introduction

In this blog, we are going to cover the top 5 security risks associated with the web application according to the OWASP(Open Web Application Security Project).

We will take a sneak look into these risks and will learn about OWASP also.

What is OWASP?

  • OWASP stands for Open Web Application Security Project
  • It is the community leadership team that works to improve software security
  • It is a nonprofit-based foundation that acts as a source for developers and technologists to secure the web

OWASP Top 5: Web Application Security Risk

1. Broken Access Control

  • According to OWASP, 94% of the applications were having this issue.
  • Access control means that the user cannot access the application outside the rights provided to him.
  • Broken access control means that the user can perform tasks that are not permitted to him.
  • It includes breaching of the unauthorized information disclosure, modification, or destruction of all data, or performing a business function outside the user’s limits.
  • This breach is mostly done by modifying the URL and bypassing the access control check.
  • To prevent it, all the resources should be set to denied mode except for the public ones.
  • Model access control is also very helpful in preventing it.
  • The complete report about this and the prevention is mentioned here – Broken Access Control

2. Cryptographic Failures

  • Cryptographic failures are associated with the breaching of data that falls under the privacy law.
  • These data set includes, user passowrd, credit card details, personal information, business secrets and many more.
  • The common cause of this failure are, CWE-259: Use of Hard-coded Password, CWE-327: Broken or Risky Crypto Algorithm, and CWE-331 Insufficient Entropy.
  • Data protection is require at both the intransit and at rest.
  • Cryptographic algorithm getting should also be checked time to time for better security.
  • Receiving server certificate and trust chain should be properly validated and tested.
  • Passwords being used as cryptographic keys in absence of a password base key derivation function.
  • Sensitive data should not be store unnecessarily.
  • The complete report about this and the prevention is mentioned here – Cryptographic Failures

3. Injections

  • Injections attacks are mostly done when User-supplied data is not validated, filtered, or sanitized by the application.
  • Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
  • Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
  • Hostile data is directly used or concatenated.
  • The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.
  •  SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL)  are the most common injections.
  • Automation testing of all the parameters should be done to prevent these kinds of attacks.
  • APIs with ORM structure should be followed for better prevention.
  • The complete report about this and the prevention is mentioned here – Injections

4. Insecure Design

  • Insecure design are mostly caused by the flaws in the design, mostly missinng the control designs.
  • Secure design is a culture and methodology that constantly evaluates threats and ensures that code is robustly designed and tested to prevent known attack methods.
  • In the user story development determine the correct flow and failure states, ensure they are well understood and agreed upon by responsible and impacted parties.
  •  Analyze assumptions and conditions for expected and failure flows, ensure they are still accurate and desirable. 
  • Determine how to validate the assumptions and enforce conditions needed for proper behaviors. 
  • Ensuring the results are documented well in the user story.
  • The complete report about this and the prevention is mentioned here – Insecure Design

5. Security Misconfiguration

Utkarsh Shukla blogs
  • This risk is basically caused by missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services.
  • Error handling reveals stack traces or other overly informative error messages to users.
  • Outdated softwares or packages getting used.
  • The server does not send security headers or directives, or they are not set to secure values.
  • To prevent this we can have review of configuration and updates time to time.
  • Having automated process to verify the effectiveness of the configurations and settings in all environments.
  • Software without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.
  • The complete report about this and the prevention is mentioned here – Security Misconfiguration

Conclusion

  • Security is one of the most important feature for any web application , and it cannot be ignored.
  • OWASP have created the top 10 categories, from which we have picked up the top 5.
  • The complete list of OWASP can be found here- OWASP Top 10
  • All the references are taken from OWASP official website – OWASP
  • For more blogs visit – Statusneo Blogs, Utkarsh Shukla

An optimistic Engineer passionate about technology, science, astrology, and photography. Visit this to know more- https://utkarshshukla.herokuapp.com/

Add Comment