The OWASP TOP 10 provides companies with a simple overview of relevant security vulnerabilities of the year. It is compiled each year by the Open Web Application Security Project to provide companies with a basis for planning and implementing adequate security measures. The OWASP is a non-profit organisation with the goal of improving the security of web applications.
The OWASP Top 10 at a Glance
Injection has been one of the most important security vulnerabilities for decades. Many major corporate data leaks in the past were based on SQL injections. An injection involves abusing a regular user-controlled data transfer to gain access to the database. An injection vulnerability occurs when data submitted by a user is not validated by the system. Attack points are detected and closed within the scope of a code analysis.
At number 2 on the OWASP top 10 biggest security vulnerabilities, is the gateway itself. A flawed authentication system allows attackers to gain access to the system through the front door. A typical mistake, for example, is not using two-factor authentication. If this additional barrier is missing, the system is only as secure as the access data of the most negligent user. If systems for generating user names are also used (e.g. firstname.lastname@example.org ), attackers can guess passwords by brute force attack.
Web applications rely on communication. Sensitive data such as private data, passwords or account information is also exchanged in the process. In a man-in-the-middle attack, the attacker interposes himself between the two communicating systems and reads the exchanged data. In doing so, he pretends to the system that he is the correct target for the data. The best way to prevent the reading of exchanged data is to encrypt the data exchange. Without a suitable key, attackers can no longer disguise themselves as legitimate recipients.
XML is a markup language that has long been used to convey data that is both human and machine readable. XML files are used almost everywhere in the IT world. Each .doc file consists of several XML files in a container. Web applications also rely on XML. Because of its complexity, however, there are often security gaps. Attackers can, for example, fool the XML parser and make it send sensitive data to external entities like a hard disk. XML is therefore increasingly less used. The best protection against these attacks is to switch to a simpler format like JSON, which is also readable by humans and machines and can be processed in almost any programming language.
Lacky Access Control
Whereas in an authentication attack the attacker comes through the front door, in a faulty access control attack the attacker climbs through the open window right next to the front door. A simple example of this would be an unprotected subfolder. If a user tries to access unternehmen.de/mitglieder via the main page, they will be directed to the log-in page, but if they simply enter unternehmen.de/mitglieder/sensibledaten into the browser, authorisation will not be checked. Companies can improve their access control through authorisation tokens. Each user receives a token after logging in. With each request, the system then asks the user for a token. This way, every single access is controlled without disrupting the user experience with constant password requests.
Misconfigurations occur, for example, when the default configuration is taken over unchanged. This becomes security-relevant when the default configuration leaves gaps or provides for unusable error messages that are too detailed and thus leave important errors undetected.
Serialisation anD derealisation are gaining relevance with the growing popularity of video streaming and cloud applications. Serialisation refers to the conversion of objects into a different format for a different purpose. Derealisation transforms these objects back into usable formats for the application. Here, attackers potentially have the opportunity to smuggle malicious data into the object and thus the application. This enables a variety of attacks from DDos attacks to remote code execution.
The security gap in derealisation cannot be fundamentally closed. The conversion of data is in the nature of the process. Only prohibiting derealisation from trusted sources completely closes this loophole. If the application relies on derealisation, the only option is to monitor the process to identify potential attackers.
Old Code, Libraries and More
Modern web development works with a high degree of division of labour: to develop applications, developers do not feel the wheel every time. Instead, they fall back on libraries, frameworks and modules from other developers. Attackers take advantage of this by systematically examining the components used for vulnerabilities. This is particularly worthwhile for attackers because some components are used on millions of websites. Finding a vulnerability thus potentially gives attackers access to a large arsenal of websites. In the modern environment, doing without external components is not an option. Instead, the components used should be removed as soon as they are no longer used. This at least minimises the attack surface.
Inadequate Logging and Monitoring
In addition to gaps that allow direct access to the system, monitoring and logging measures are often inadequate when an attack occurs. As a result, a lot of time passes before an attack is detected. This gives the attacker more time to cause damage. In order to detect attacks quickly and minimise damage, monitoring measures should therefore be implemented from the very beginning.
Include OWASP TOP 10 from the Beginning and improve Application Security
The OWASP Top 10 are a useful tool in development that should be considered from the planning stage. This way, certain security gaps can already be closed in the architecture. This makes the application more secure and the implementation cheaper.