Top 5: Web Application Security Risk (OWASP – 2021)
In this blog, we are going to cover the top 5 security risks associated with the web application according to the OWASP(Open Web Application Security Project).
We will take a sneak look into these risks and will learn about OWASP also.
What is OWASP?
- OWASP stands for Open Web Application Security Project
- It is the community leadership team that works to improve software security
- It is a nonprofit-based foundation that acts as a source for developers and technologists to secure the web
OWASP Top 5: Web Application Security Risk
1. Broken Access Control
- According to OWASP, 94% of the applications were having this issue.
- Access control means that the user cannot access the application outside the rights provided to him.
- Broken access control means that the user can perform tasks that are not permitted to him.
- It includes breaching of the unauthorized information disclosure, modification, or destruction of all data, or performing a business function outside the user’s limits.
- This breach is mostly done by modifying the URL and bypassing the access control check.
- To prevent it, all the resources should be set to denied mode except for the public ones.
- Model access control is also very helpful in preventing it.
- The complete report about this and the prevention is mentioned here – Broken Access Control
2. Cryptographic Failures
- Cryptographic failures are associated with the breaching of data that falls under the privacy law.
- These data set includes, user passowrd, credit card details, personal information, business secrets and many more.
- The common cause of this failure are, CWE-259: Use of Hard-coded Password, CWE-327: Broken or Risky Crypto Algorithm, and CWE-331 Insufficient Entropy.
- Data protection is require at both the intransit and at rest.
- Cryptographic algorithm getting should also be checked time to time for better security.
- Receiving server certificate and trust chain should be properly validated and tested.
- Passwords being used as cryptographic keys in absence of a password base key derivation function.
- Sensitive data should not be store unnecessarily.
- The complete report about this and the prevention is mentioned here – Cryptographic Failures
- Injections attacks are mostly done when User-supplied data is not validated, filtered, or sanitized by the application.
- Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
- Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
- Hostile data is directly used or concatenated.
- The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.
- SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) are the most common injections.
- Automation testing of all the parameters should be done to prevent these kinds of attacks.
- APIs with ORM structure should be followed for better prevention.
- The complete report about this and the prevention is mentioned here – Injections
4. Insecure Design
- Insecure design are mostly caused by the flaws in the design, mostly missinng the control designs.
- Secure design is a culture and methodology that constantly evaluates threats and ensures that code is robustly designed and tested to prevent known attack methods.
- In the user story development determine the correct flow and failure states, ensure they are well understood and agreed upon by responsible and impacted parties.
- Analyze assumptions and conditions for expected and failure flows, ensure they are still accurate and desirable.
- Determine how to validate the assumptions and enforce conditions needed for proper behaviors.
- Ensuring the results are documented well in the user story.
- The complete report about this and the prevention is mentioned here – Insecure Design
5. Security Misconfiguration
- This risk is basically caused by missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services.
- Error handling reveals stack traces or other overly informative error messages to users.
- Outdated softwares or packages getting used.
- The server does not send security headers or directives, or they are not set to secure values.
- To prevent this we can have review of configuration and updates time to time.
- Having automated process to verify the effectiveness of the configurations and settings in all environments.
- Software without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.
- The complete report about this and the prevention is mentioned here – Security Misconfiguration
- Security is one of the most important feature for any web application , and it cannot be ignored.
- OWASP have created the top 10 categories, from which we have picked up the top 5.
- The complete list of OWASP can be found here- OWASP Top 10
- All the references are taken from OWASP official website – OWASP
- For more blogs visit – Statusneo Blogs, Utkarsh Shukla