An abstract of the OWASP Top 10 (2013).
I am currently eager to kick-start my information security career, and I have just started with web application security.
For web application security, the best place to start is OWASP. Begin at www.owasp.org to get a complete view of what web application security involves and how to perform it.
OWASP – Open Web Application Security Project.
OWASP categorizes web application vulnerabilities and ranks them according to the impact each vulnerability can cause.
OWASP has categorized the top 10 vulnerabilities of 2013; the list is given below.
Number | TOP-10 | Attack Vector (Exploitability) | Security Weakness: Prevalence (P), Detectability (D) | Technical Impact
A1 | Injection | Easy | P-Common, D-Average | Severe
A2 | Broken Authentication and Session Management | Average | P-Widespread, D-Average | Severe
A3 | Cross Site Scripting | Average | P-Widespread, D-Easy | Moderate
A4 | Insecure Direct Object Reference | Easy | P-Common, D-Easy | Moderate
A5 | Security Misconfiguration | Easy | P-Widespread, D-Easy | Moderate
A6 | Sensitive Data Exposure | Difficult | P-Uncommon, D-Average | Severe
A7 | Missing Function Level Access Control | Easy | P-Common, D-Average | Moderate
A8 | Cross Site Request Forgery (CSRF) | Average | P-Common, D-Easy | Moderate
A9 | Using Components with Known Vulnerabilities | Average | P-Widespread, D-Difficult | Moderate
A10 | Unvalidated Redirects and Forwards | Average | P-Uncommon, D-Easy | Moderate
Let’s see an abstract of each vulnerability.
1. Injection
At first glance a newcomer may think of SQL injection, but this first OWASP category is not only about SQL injection. Injection flaws may be found in SQL, LDAP or XPath queries, OS commands, program arguments, XML parsers, etc. Injection into SQL queries is what is called SQL injection.
https://www.owasp.org/index.php/Top_10_2013-A1
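To make the SQL case concrete, here is an added example (not from the original post) that puts a concatenated query next to a parameterised one over a constructed in-memory SQLite table; the table, rows and function names are assumptions for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data for this example: an in-memory SQLite table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Untrusted input is pasted into the query text, so a quote in the input
    # changes the structure of the statement instead of just its data.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the value travels separately from the statement,
    # so it is only ever compared as data, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# A quote-bearing value that turns the WHERE clause into a tautology when
# concatenated; used only to show the difference between the two lookups.
TAUTOLOGY = "' OR '1'='1"
```

With the parameterised lookup the same input simply matches no user, which is the behaviour a reviewer should expect from every query that takes external data.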
2. Broken Authentication and Session Management
Developers always build authentication and session management schemes, but building them correctly is difficult, and as a result these custom schemes often have flaws.
Major flaws can be found in areas such as “logout”, “password management”, “remember me”, “timeouts”, “secret questions”, “account update”, etc. These flaws can even be exploited using XSS, which is the next attack in the OWASP Top 10.
https://www.owasp.org/index.php/Top_10_2013-Broken_Authentication_and_Session_Management
3. Cross Site Scripting (XSS)
XSS is considered a serious flaw and is ranked third in the OWASP Top 10 list; it was formerly at second rank.
XSS flaws occur when an application includes user-supplied data in a page sent to the browser without properly validating or escaping that content.
There are three main types of XSS:
-Stored XSS (also called Persistent XSS).
-Reflected XSS.
-DOM based XSS.
https://www.owasp.org/index.php/Top_10_2013-Cross-Site_Scripting_(XSS)
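The “without properly escaping” point above, shown as an added example (not from the original post): the same user-supplied value rendered raw and rendered through html.escape, in both the element-body and the attribute context; the function names and inputs are constructed for the example.

```python
import html


def render_greeting_vulnerable(name: str) -> str:
    # User input is pasted straight into the page, so the browser parses any
    # markup it contains as part of the document.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # html.escape rewrites <, >, &, " and ' as entities, so the input is
    # displayed as text and can never open a new tag.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_profile_link_safe(display: str, user_id: str) -> str:
    # Attribute context: the value must be escaped AND the attribute quoted;
    # escaping alone does not help if the attribute is left unquoted. The
    # fixed "/users/" prefix also keeps the user from choosing the URL scheme.
    return (f'<a href="/users/{html.escape(user_id, quote=True)}">'
            f"{html.escape(display, quote=True)}</a>")


# Constructed inputs: markup for the body context and a quote-breaking value
# for the attribute context.
CONSTRUCTED_NAME = "<script>alert(1)</script>"
CONSTRUCTED_ID = '42" title="injected'
```

Escaping has to match the output context: html.escape covers HTML body and quoted attributes, but data placed inside a script block or a URL needs that context's own encoding.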
4. Insecure Direct Object References.
Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify that the user is authorized for the target object. This results in an insecure direct object reference flaw.
https://www.owasp.org/index.php/Top_10_2013-Insecure_Direct_Object_References
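An added example (not from the original post) of the two fixes for this flaw: an ownership check on the direct key, and a per-user map of opaque tokens so the real key never appears in the page at all. The invoice store, user names and class names are constructed for the example.

```python
import secrets

# Constructed sample data: invoices stored under their real database ids.
INVOICES = {
    1001: {"owner": "alice", "total": 120},
    1002: {"owner": "bob", "total": 75},
}

class Forbidden(Exception):
    """Raised when a user asks for an object they are not authorised to see."""

def get_invoice_vulnerable(current_user: str, invoice_id: int) -> dict:
    # Looks up whatever id arrived in the URL and never asks who owns it.
    return INVOICES[invoice_id]

def get_invoice_checked(current_user: str, invoice_id: int) -> dict:
    # A direct reference is acceptable when every access enforces ownership.
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != current_user:
        raise Forbidden(f"{current_user} may not access invoice {invoice_id}")
    return inv

class IndirectRefMap:
    """Per-user map from random opaque tokens to real ids (an indirect object
    reference). The user only ever sees tokens for objects they own, and each
    token is still resolved through the ownership check above."""

    def __init__(self, user: str):
        self.user = user
        self._tokens = {
            secrets.token_urlsafe(8): real_id
            for real_id, inv in INVOICES.items()
            if inv["owner"] == user
        }

    def tokens(self) -> list:
        # Opaque values safe to embed in this user's links or forms.
        return list(self._tokens)

    def resolve(self, token: str) -> dict:
        real_id = self._tokens.get(token)
        if real_id is None:
            raise Forbidden(f"unknown reference {token!r} for {self.user}")
        return get_invoice_checked(self.user, real_id)
```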
5. Security Misconfiguration.
Security misconfiguration can occur at any level of the application stack, including the platform, web server, application server, framework and custom code.
Occasionally this flaw leads to complete system compromise.
https://www.owasp.org/index.php/Top_10_2013-Security_Misconfiguration
6. Sensitive Data Exposure.
The name itself explains the meaning of this attack. In this attack, sensitive data of the client and the company can be exposed; it may include login credentials as well as credit card numbers.
This attack may be performed by any individual who has access to the sensitive data or to a backup of it. An attacker may also exploit this vulnerability if the encryption is weak.
An external attacker may have trouble performing this attack due to limited access.
https://www.owasp.org/index.php/Top_10_2013-Sensitive_Data_Exposure
7. Missing Function Level Access Control
Applications do not always protect their functions properly, and this becomes the attack vector for attackers.
Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.
https://www.owasp.org/index.php/Top_10_2013-Missing_Function_Level_Access_Control
8. Cross Site Request Forgery (CSRF)
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user. If the targeted end user is an administrator account, it can compromise the entire web application.
https://www.owasp.org/index.php/Top_10_2013-Cross-Site_Request_Forgery_(CSRF)
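The standard defence against CSRF is a per-session synchroniser token that a cross-site page cannot read, backed by an Origin header check. This is an added example (not from the original post); the Session class, the header and form dictionaries and the site origin are constructed stand-ins for a real framework's request objects.

```python
import hmac
import secrets


class Session:
    # Server-side session state; the CSRF token is generated once per session.
    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def csrf_token_for_form(session: Session) -> str:
    # Embed this in a hidden form field. A page on another origin can make the
    # browser send the victim's cookies, but it cannot read this value.
    return session.csrf_token


def verify_csrf(session: Session, headers: dict, form: dict, site_origin: str) -> bool:
    # 1) Synchroniser token: the submitted value must equal the stored one.
    #    compare_digest avoids leaking the token through timing differences.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False
    # 2) Defence in depth: when the browser sends an Origin header, it must
    #    name this site; a state-changing request from elsewhere is refused.
    origin = headers.get("Origin")
    if origin is not None and origin != site_origin:
        return False
    return True
```

Only state-changing requests (POST, PUT, DELETE) need the check, and the token must never be accepted from a GET query string where it could leak through logs or the Referer header.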
9. Using Components with Known Vulnerabilities.
It often happens that vulnerabilities are patched, but a few components, say a particular router or a particular framework, still contain vulnerabilities. Developers are often not aware of the vulnerabilities in the components they are using. In this scenario the vulnerable component is exposed to the outside world, which increases the risk for the web application.
https://www.owasp.org/index.php/Top_10_2013-Using_Components_with_Known_Vulnerabilities
10. Unvalidated Redirects and Forwards.
Applications frequently redirect
users to other pages, or use internal forwards in a similar manner. Sometimes
the target page is specified in an unvalidated parameter, allowing attackers to
choose the destination page.
https://www.owasp.org/index.php/Top_10_2013-Unvalidated_Redirects_and_Forwards
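Validating that redirect parameter before using it, as an added example that is not from the original post. It keeps the destination on an allow-list of our own hosts and handles the forms that trip naive checks (protocol-relative, backslash and triple-slash paths, non-http schemes); the function name and host names are assumptions.

```python
from urllib.parse import urlsplit


def safe_redirect_target(target: str, allowed_hosts: set, default: str = "/") -> str:
    """Return `target` only if it keeps the user on one of our own hosts;
    otherwise fall back to `default`. `allowed_hosts` holds lowercase names."""
    if not target:
        return default
    # Browsers treat a backslash like a slash, so normalise before parsing;
    # otherwise "/\evil.example" would look like a harmless local path.
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only http(s), only our own hosts.
        # .hostname drops any "user@" prefix, so "https://app@evil/" is seen as evil.
        if parts.scheme not in ("http", "https", ""):
            return default
        if (parts.hostname or "").lower() not in allowed_hosts:
            return default
        return candidate
    # Relative target: accept only a path rooted at exactly one slash. This also
    # rejects "///evil.example", which browsers resolve as a host, not a path.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return default
```

The same rule applies to internal forwards: the forwarded-to page should be chosen from a fixed map of known targets rather than taken from the request.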