Saturday, May 4, 2013

OWASP Top 10 - 2013 | Shivang Desai


An abstract of the OWASP Top 10 (2013).
Nowadays I have an urge to give a kick start to my Information Security career, and I have just started with web application security.
For web application security, the best place to start is OWASP. Start with www.owasp.org to get a complete picture of what to test in a web application and how to test it.
OWASP stands for Open Web Application Security Project.
OWASP categorizes web application weaknesses and ranks them by risk: how easy each one is to exploit, how prevalent and detectable it is, and the technical impact a successful attack can have. The ten most critical ones for 2013 are listed below.

No.   Top 10 risk                                    Attack vector      Security weakness                     Technical impact
                                                     (Exploitability)   Prevalence (P), Detectability (D)
A1    Injection                                      Easy               P: Common, D: Average                 Severe
A2    Broken Authentication and Session Management   Average            P: Widespread, D: Average             Severe
A3    Cross-Site Scripting (XSS)                     Average            P: Very Widespread, D: Easy           Moderate
A4    Insecure Direct Object References              Easy               P: Common, D: Easy                    Moderate
A5    Security Misconfiguration                      Easy               P: Common, D: Easy                    Moderate
A6    Sensitive Data Exposure                        Difficult          P: Uncommon, D: Average               Severe
A7    Missing Function Level Access Control          Easy               P: Common, D: Average                 Moderate
A8    Cross-Site Request Forgery (CSRF)              Average            P: Common, D: Easy                    Moderate
A9    Using Components with Known Vulnerabilities    Average            P: Widespread, D: Difficult           Moderate
A10   Unvalidated Redirects and Forwards             Average            P: Uncommon, D: Easy                  Moderate

(Ratings as published in the risk tables of the OWASP Top 10 2013.)

Let's look at an abstract of each.

1. Injection
At first glance a newbie may think only of SQL injection, but this first category is not limited to it. Injection flaws may be found in SQL, LDAP or XPath queries, OS commands, program arguments, XML parsers, etc.: whenever untrusted data is sent to an interpreter as part of a command or query, the attacker's input can change what gets executed. The SQL case is what is called SQL injection.
https://www.owasp.org/index.php/Top_10_2013-A1


2. Broken Authentication and Session Management
Developers frequently build their own authentication and session management schemes, but building them correctly is hard, and as a result these custom schemes usually have flaws.
Major flaws are found in areas such as logout, password management, "remember me", timeouts, secret questions and account update. A session identifier that is predictable, never rotated or never expired can be guessed or reused; these flaws can even be exploited through XSS, the next item in the list, which lets an attacker steal the session identifier from the browser.
https://www.owasp.org/index.php/Top_10_2013-Broken_Authentication_and_Session_Management
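The session-handling part of this item, as an added Python example (not code from the original post): a server-side session store whose identifiers come from the OS random generator, are rotated at login so a pre-planted identifier never becomes an authenticated session (session fixation), expire after an idle timeout, and are destroyed on logout. The 15-minute timeout and the injectable clock are assumptions made for the demonstration.

```python
import secrets
import time

# Assumed policy for the demonstration: 15 minutes of inactivity ends a session.
IDLE_TIMEOUT = 15 * 60


class SessionStore:
    """Server-side session store. The browser only ever holds the opaque ID."""

    def __init__(self, clock=time.time):
        self._sessions = {}    # session_id -> {"user": str, "last_seen": float}
        self._clock = clock    # injectable so expiry can be tested without sleeping

    def create(self, user):
        # 32 random bytes from the OS CSPRNG. Never derive the ID from the
        # user name, a counter or the time: those are guessable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        # Rotate the identifier at authentication. If an attacker planted
        # old_sid in the victim's browser before login, it is now worthless.
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def resolve(self, sid):
        """Return the user for a live session, or None. An idle session is
        purged the first time it is seen after the timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        # Logout must invalidate the server-side state, not just clear the
        # cookie; otherwise a stolen ID keeps working after the user leaves.
        self._sessions.pop(sid, None)
```

The identifier should additionally be sent only in a cookie marked HttpOnly and Secure, never in a URL, so it does not leak through logs, Referer headers or script access.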


3. Cross Site Scripting (XSS)
XSS is a serious flaw and is ranked third in the 2013 list; it was second in the 2010 edition.
XSS flaws occur when an application includes user-supplied data in a page sent to the browser without properly validating or escaping that content. The attacker's script then runs in the victim's browser with the page's privileges, where it can hijack the user's session, deface the site or redirect the user to a malicious site.
There are three main types of XSS.
-Stored XSS (also called Persistent XSS).
-Reflected XSS.
-DOM based XSS.
https://www.owasp.org/index.php/Top_10_2013-Cross-Site_Scripting_(XSS)
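The reflected case and its fix, as an added Python example (not code from the original post): a search-results fragment that drops the query straight into the markup, beside the same fragment with output escaping, plus the attribute-context variant where escaping the quote character is what matters. The markup and payloads are constructed for the demonstration.

```python
import html


def render_search_vulnerable(query):
    """Reflected XSS: the search term is echoed straight into the page, so
    a query of <script>alert(1)</script> is executed by the victim's browser."""
    return "<p>Results for: " + query + "</p>"


def render_search_safe(query):
    """Escape for the HTML body context: & < > " ' become entities, so the
    browser displays the payload as text instead of running it."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def render_input_safe(value):
    """Attribute context: the value is wrapped in double quotes, so escaping
    the quote character (quote=True) is what stops the attacker from closing
    the attribute and adding an event handler such as onfocus."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'
```

Escaping is context-specific: the entity encoding above is right for HTML text and quoted attributes, while data placed inside a script block or a URL needs the encoding for that context. DOM-based XSS, the third type, happens in client-side code and is not fixed by server-side escaping at all.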


4. Insecure Direct Object References
Applications frequently use the actual name or key of an object (a database key, a file name) when generating web pages, and they do not always verify that the user is authorized for the target object. The result is an insecure direct object reference flaw: changing the parameter value gives access to another user's data.
https://www.owasp.org/index.php/Top_10_2013-Insecure_Direct_Object_References


5. Security Misconfiguration
Security misconfiguration can occur at any level of the application stack, including the platform, web server, application server, database, framework and custom code: default accounts, unpatched software, unneeded services, verbose error messages and directory listings are typical examples.
Occasionally this flaw leads to complete system compromise.
https://www.owasp.org/index.php/Top_10_2013-Security_Misconfiguration


6. Sensitive Data Exposure
The name explains itself: sensitive data belonging to users or the company, such as login credentials and credit card numbers, is exposed. Typically the attacker does not break the cryptography; they find data that was stored or transmitted in clear text, or protected with a weak algorithm, a weak key or poor key management, or they get hold of a backup of it.
Anyone with access to the data or to its backups can exploit this, which is why an external attacker, with limited access, has more trouble mounting the attack than an insider.
https://www.owasp.org/index.php/Top_10_2013-Sensitive_Data_Exposure
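The credentials case, as an added Python example (not code from the original post): storing passwords as salted PBKDF2-HMAC-SHA256 hashes instead of in clear or under a fast unsalted digest, so a leaked user table still has to be brute-forced one entry at a time. The storage format, the iteration count and the test passwords are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor: raise it until one hash costs roughly 100 ms on the
# server. It is stored with each hash so it can be increased for new
# passwords without breaking existing ones.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>' (assumed format).
    The random per-user salt defeats precomputed tables; the iteration
    count makes each guess slow."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time. Anything that is not in the expected format fails closed."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)
```

Credit card numbers are a different problem: they must be recovered, so they need encryption with a properly managed key (or tokenisation), not a one-way hash, and they should not be stored at all unless the business genuinely needs them.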


7. Missing Function Level Access Control
Applications do not always protect their functions properly: they check access in the user interface, by hiding a link or button, but not when the function itself is invoked, and this becomes the attack vector.
Such flaws allow attackers to reach unauthorized functionality simply by requesting its URL. Administrative functions are the key targets for this type of attack.
https://www.owasp.org/index.php/Top_10_2013-Missing_Function_Level_Access_Control
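Items 4 and 7 are both authorization checks the server forgot, one per object and one per function, so one added Python example covers both (it is not code from the original post): an invoice lookup that trusts the ID from the URL beside one that checks ownership against the session user, and an administrative function whose role check lives in the function rather than in the menu that links to it. The invoice data, user names and roles are constructed for the demonstration; handlers return an HTTP-style (status, body) pair.

```python
from functools import wraps

# Constructed sample data: each invoice records its owner, each user has a role.
INVOICES = {
    1001: {"owner": "alice", "amount": 120},
    1002: {"owner": "bob", "amount": 75},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


def get_invoice_vulnerable(invoice_id):
    """A4: the ID from the URL is looked up directly. Any logged-in user who
    changes ?id=1001 to ?id=1002 reads someone else's invoice."""
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)


def get_invoice_safe(current_user, invoice_id):
    """A4 fixed: every object access is checked against the session user.
    Missing and foreign invoices get the same answer, so the ID space cannot
    be enumerated by watching for 403 versus 404."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != current_user:
        return (403, None)
    return (200, inv)


def require_role(role):
    """A7: enforce the role inside the function itself, not by hiding the
    admin link in the UI. The session user is always the first argument."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(current_user, *args, **kwargs):
            if ROLES.get(current_user) != role:
                return (403, None)
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def list_all_users(current_user):
    """Administrative function reachable at a guessable URL such as /admin/users.
    Without the decorator, knowing the URL is all a normal user needs."""
    return (200, sorted(ROLES))
```

The safe versions never take the identity from the request; it comes from the server-side session established at login. Using per-user indirect references (the user's own invoice number 1, 2, 3 mapped server-side to the real keys) is an alternative for A4, but the ownership check is still needed on every access.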


8. Cross Site Request Forgery (CSRF)
CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. The browser attaches the session cookie to every request for that site automatically, so the application cannot tell a forged request from a genuine one. With a little social engineering (such as sending a link via email or chat), an attacker can force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user; if the targeted end user is an administrator account, it can compromise the entire web application.
https://www.owasp.org/index.php/Top_10_2013-Cross-Site_Request_Forgery_(CSRF)
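The standard defence, as an added Python example (not code from the original post): a per-session synchronizer token that the genuine page embeds in a hidden form field and that a state-changing handler checks before acting. A page on another origin can make the browser send the cookie but cannot read the token, so its forged request is rejected. The handler, its form fields and the session dictionary are constructed for the demonstration.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Generate an unguessable per-session token, keep it server-side, and
    return it so the page can embed it in a hidden form field."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session, submitted):
    """True only if the submitted token matches the one issued to this session."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the token cannot be recovered byte by byte.
    return hmac.compare_digest(expected, submitted)


def transfer_money(session, form):
    """State-changing POST handler. The session cookie alone is not proof
    that the user meant to send this request; the token is, because only a
    page served by this site to this session ever saw it."""
    if not verify_csrf(session, form.get("csrf_token")):
        return (403, "missing or invalid CSRF token")
    # ... the actual transfer would happen here ...
    return (200, "transferred %s to %s" % (form["amount"], form["to"]))
```

Only state-changing requests need the check, and they should be POST (or another non-GET method) so that an image tag or a link click cannot trigger them in the first place.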


9. Using Components with Known Vulnerabilities
Most of the time a vulnerability in a component is patched upstream, but the particular library or framework actually deployed may still carry it, and developers are often unaware of which components and versions they are using, let alone which vulnerabilities those versions have. The vulnerable component is exposed to the outside world and raises the risk for the whole web application.
https://www.owasp.org/index.php/Top_10_2013-Using_Components_with_Known_Vulnerabilities


10. Unvalidated Redirects and Forwards
Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, which lets an attacker choose the destination: a link that starts on the trusted site but lands on a phishing or malware page, or a forward that reaches a function the user should not have access to.
https://www.owasp.org/index.php/Top_10_2013-Unvalidated_Redirects_and_Forwards
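Validating the target, as an added Python example (not code from the original post): a helper that accepts only a site-relative path or an absolute URL to an allowed host, falling back to a default otherwise, and an allowlist lookup for internal forwards. It handles the usual bypasses (scheme-relative `//evil.com`, backslash and triple-slash variants, `javascript:` URLs, a user-info trick like `https://example.com@evil.com`). The `example.com` host, the default target and the forward names are assumptions made for the demonstration.

```python
from urllib.parse import urlsplit


def safe_redirect_target(next_param, default="/", allowed_hosts=("example.com",)):
    """Return a redirect target that is guaranteed to stay on our site,
    or `default` if the supplied value cannot be trusted."""
    if not next_param:
        return default
    # Browsers treat backslashes as slashes; normalise so that "/\evil.com"
    # is recognised as the scheme-relative "//evil.com" it really is.
    candidate = next_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: accept only https to our own host.
        # .hostname strips user-info and port, so "example.com@evil.com"
        # compares as "evil.com" and is rejected.
        if parts.scheme == "https" and parts.hostname in allowed_hosts:
            return candidate
        return default
    # No scheme and no host. Accept a site-relative path, but not a leading
    # "//" or "///": urlsplit sees no host there, yet browsers resolve it
    # as scheme-relative to another host.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return default


# Internal forwards: never take a page path from the request. Map a short
# name to a fixed destination and ignore anything not in the map.
FORWARD_TARGETS = {"home": "/home", "help": "/help", "orders": "/account/orders"}


def safe_forward(name, default="/"):
    """Resolve a forward by allowlisted name, so the request can never name
    an arbitrary page (for example an admin page) as the forward target."""
    return FORWARD_TARGETS.get(name, default)
```

Where no allowlist of hosts is possible, the safest option is to not carry the destination in the request at all: store it server-side under a short key, or show an interstitial page that tells the user they are leaving the site.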