OWASP
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organisation focused on improving the security of software. OWASP has been releasing the OWASP Top 10 list every three/four years.

The list consists of the top biggest Application Security Risks according to OWASP. The list is compiled with the latest vulnerabilities, threats and attacks, as well as detection tactics and remediation. OWASP Top 10 project members create the list by analysing the occurrence rates and the general severity of each threat facing our rapidly evolving application world.

Major Update

This major update adds several new issues, including two issues selected by the community - A8:2017-Insecure Deserialisation and A10:2017-Insufficient Logging and Monitoring. Two key differentiators from previous OWASP Top 10 releases are the substantial community feedback and extensive data assembled from dozens of organisations, possibly the largest amount of data ever assembled in the preparation of an application security standard.




The 2017 OWASP Top 10 list has recently been re-released to the public. It contains three large-scale vulnerability updates and updated attack scenarios.

Let’s take a closer look at the list as a whole and what key changes were made in OWASP Top 10 Application Security Risks 2017.


OWASP Top 10 Application Security Risks - 2017

A1-Injection

Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorisation.




Server Side JS Injection
When eval(), setTimeout(), setInterval(), Function() are used to process user provided inputs, it can be exploited by an attacker to inject and execute malicious JavaScript code on server.

Web applications using the JavaScript eval() function to parse the incoming data without any type of input validation are vulnerable to this attack. An attacker can inject arbitrary JavaScript code to be executed on the server. Similarly setTimeout(), and setInterval()functions can take code in string format as a first argument causing same issues as eval().

This vulnerability can be very critical and damaging by allowing attacker to send various types of commands.

SQL and NoSQL Injection
SQL and NoSQL injections enable an attacker to inject code into the query that would be executed by the database. These flaws are introduced when software developers create dynamic database queries that include user supplied input.

Broken Authentication

Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens.

Session management is a critical piece of application security. It is broader risk, and requires developers take care of protecting session id, user credential secure storage, session duration, and protecting critical session data in transit.

The attacker can exploit Password Guessing Attack vulnerability by brute force password guessing, more likely using tools that generate random passwords.

Sensitive Data Exposure

Rather than directly attacking crypto, attackers steal keys, execute man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s client, e.g. browser. A manual attack is generally required. Previously retrieved password databases could be brute forced by Graphics Processing Units (GPUs).

XML External Entities (XXE)

Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies or integrations.




These flaws can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks.


Broken Access Control

Exploitation of access control is a core skill of attackers. SAST and DAST tools can detect the absence of access control but cannot verify if it is functional when it is present. Access control is detectable using manual means, or possibly through automation for the absence of access controls in certain frameworks.

Access control weaknesses are common due to the lack of automated detection, and lack of effective functional testing by application developers. The technical impact is attackers acting as users or administrators, or users using privileged functions, or creating, accessing, updating or deleting every record.

Security Misconfiguration

Security Misconfiguration arises when Security settings are defined, implemented, and maintained as defaults. Good security requires a secure configuration defined and deployed for the application, web server, database server, and platform. It is equally important to have the software up to date.

Security misconfiguration can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage. Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy options, etc.

Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.



An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

For more details on the different types of XSS flaws, Types of Cross-Site Scripting.

Insecure Deserialisation

Insecure Deserialisation is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialised.

Exploitation of deserialisation is somewhat difficult, as off the shelf exploits rarely work without changes or tweaks to the underlying exploit code.

Using Components with Known Vulnerabilities

It is very common for web services to include a component with a known security vulnerability. When that happens it falls under this category, independently of what kind of component is vulnerable, making this a very frequent finding.

The component with a known vulnerability could be the operating system itself, the CMS used, the web server, some plugin installed or even a library used by one of these plugins.

The potential impact is impossible to grade for this as it completely depends on the vulnerable component and what vulnerability it suffers from. The vulnerability could be an XSS on some unimportant subdomain, but it could just as well lead to a full system takeover.

Insufficient Logging & Monitoring

Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected. Logging on its own is not enough.

Only a complete logging, monitoring & incident response solution will keep you abreast of what is happening on your websites, and allow you to thwart possible malicious attacks before they actually happen.

















Comments

Post a Comment

Popular posts from this blog

Internal Vulnerability Assessment using Nessus

Image
Nessus Nessus is an network vulnerability scanner that uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools. Nessus employs the Nessus Attack Scripting Language (NASL), a simple language that describes individual threats and potential attacks. Nessus has a modular architecture consisting of centralised servers that conduct scanning, and remote clients that allow for administrator interaction. Administrators can include NASL descriptions of all suspected vulnerabilities to develop customised scans.  Nessus allows scans for the following types of vulnerabilities: Vulnerabilities that allow a remote hacker to control or access sensitive data on a system. Misconfiguration (e.g. open mail relay, missing patches, etc.). Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Denials of service against the TCP/IP stack by using malformed packets Preparation for PCI DSS audit...
Read more

Reconnaissance

Reconnaissance Reconnaissance is the technique used for gathering information about computer systems and the entities they belong to. To get this information, a hacker might use various tools and technologies. This information is very useful to a hacker who is trying to crack a whole system. It allows a hacker to gain information about the target system. This information can be used to carry out further attacks on the system. That is the reason by which it may be named a Pre-Attack, since all the information is reviewed in order to get a complete and successful resolution of the attack. Reconnaissance is basically the first step where hacker gathers as much information as possible to find ways to intrude into a target system or at least decide what type of attacks will be more suitable for the target. This is also a very important step for ethical hacker; he can find possible attacks, vulnerabilities and patch that. The Objective of Reconnaissance are collecting Network Informa...
Read more