The In-Depth Guide to OWASP's Top 10 Vulnerabilities

The In-Depth Guide to OWASP's Top 10 Vulnerabilities

Most of us don't know we're harboring vulnerabilities in plain sight. During 2020 and 2021, there were an average of 15 vulnerabilities per site, and two out of these fifteen vulnerabilities were of high severity.

How secure are your apps? What about your digital assets? These things are all part of the compendium that is your company's investments and digital real estate. But unlike the physical world, the digital world is more complex. 

To protect against vulnerabilities, you first need to be aware of them. That’s where OWASP’s Top 10 list comes in handy. Despite having launched close to 20 years ago, this list has been constantly maintained and refreshed to reflect current vulnerabilities. This article walks you through the latest OWASP’s top 10 list of vulnerabilities and how to prevent them. 

What is OWASP?

The Open Web Application Security Project (OWASP) is a non-profit organization aiming to improve software security, and in 2021 celebrated 20 years of excellent work. OWASP, driven by community contributors and maintainers, produces widely adopted open-source tools & resources, the most popular being its long-standing list of the top ten most critical web application security risks, updated annually. 

Some of the tools and technologies that OWASP has created to help developers secure their applications include the OWASP Dependency Check, a tool that helps developers find vulnerabilities within a project’s dependencies, and the OWASP ZAP Proxy, which can test web applications for vulnerabilities. 

Jit enables you to integrate OWASP ZAP and other open-source security tools out of the box. As Simon Bennetts, founder of OWASP ZAP, stated, “The Jit platform complements ZAP in many ways, allowing developers to programmatically leverage ZAP across applications in a streamlined manner as part of their broader security plans.”

What is the OWASP's Top 10?

The OWASP Top 10 is published every four years and is based on data from the previous four years. The list is not structured around how severe each vulnerability is. Instead, it compiles vulnerabilities based on how common they are. OWASP Top 10 is a starting point for organizations to improve their software security.

OWASP’s Top 10 2017 vs. 2021

Cyber vulnerabilities continuously change, and OWASP’s Top 10 list adapts to reflect that. Since the last list was released in 2017, quite a lot has been modified. Three new categories were added: Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery (SSRF). 

Some of the vulnerabilities published on OWASP’s Top 10 2017 have also changed name or scope to adapt to market changes; such is the case of Insufficient Logging and Monitoring, which is now called Security Logging and Monitoring Failures. While some vulnerabilities have remained unaltered, they have moved spots. For instance, Broken Access Control is now considered the most common vulnerability, taking the number one spot. Below we will look at each vulnerability from the latest OWASP’s Top 10 list in detail.

OWASP's Top 10 Vulnerabilities

As the world of web application security threats continues to evolve, the OWASP Top 10 provides a robust framework for developers and security professionals to identify and mitigate the most common attacks. Here are OWASP's top 10 vulnerabilities and tips on how to prevent them.

1. Broken Access Control

In a nutshell, broken access control means that an attacker can access resources or data they should not have access to. This can be done in many ways, but typically it's done by exploiting flaws in how the system controls access to those resources.

61% of all breaches involve broken access control.

There are many ways to exploit broken access control, but the result is always the same: the attacker gains access to data or resources they should not have access to.

Preventing broken access control

Access control is a security measure that is implemented to protect resources from unauthorized access. There are many different ways to achieve this, but one common method is to use a whitelist. A whitelist is a list of authorized users that are allowed to access a particular resource. This list can be maintained manually or can be generated automatically based on user credentials.

A white list can be implemented by creating a list of approved websites or IP addresses and then comparing any incoming requests against that list. If the request is not on the list, it can be blocked.

One way to create a whitelist on AWS is through an IAM policy that allows access only to the specific IP addresses or CIDR ranges that you wish to allow access to, and configuring your security groups to only allow traffic from those IP addresses or CIDR ranges.

2. Cryptographic failures

Insecure communications constitute a significant problem on the internet today. Unencrypted or weakly encrypted communications can be intercepted and read by anyone with the right tools. This can lead to disclosing sensitive information, like passwords, financial data, and personal information. In September 2022 alone, there were 35.6 million records breached, and the average cost of a data breach sits at around $4.24 million.

Preventing cryptographic failures

When data is sent over the internet using HTTPS, it is encrypted using a cryptographic algorithm, which makes it difficult for attackers to read or tamper with the data.

To implement HTTPS in Nginx, you will need to purchase and install an SSL certificate. Once you have your certificate, you will need to edit your Nginx configuration file to enable SSL. The specific directives you will need to edit will depend on your configuration, but they will typically be something like:

ssl_certificate /path/to/your/certificate.crt;

ssl_certificate_key /path/to/your/certificate.key;

After you have edited your configuration file, you will need to restart Nginx for the changes to take effect.

3. Injections

Injections are one of the most common web application vulnerabilities. They occur when user input is not properly sanitized before being used in an SQL query or other operation.This can allow attackers to execute their SQL code, potentially resulting in data loss or corruption. In some cases, it may also allow attackers to access sensitive information such as passwords or credit card numbers. There are many different types of SQL injection attacks, but they all exploit the same basic vulnerability.

Preventing injections

Sanitizing user input is important because it helps to prevent cross-site scripting (XSS) attacks. XSS attacks occur when a malicious user injects code into a web page that is then executed by other users who visit the page. This can lead to the theft of sensitive information or the execution of unwanted code on the user's machine.

There are a few ways to sanitize user input in React, Vue, and Angular.

  • In React, you can use the DOMPurify library to sanitize user input. DOMPurify will parse and sanitize HTML, making it safe to render on your page.
  • In Vue, you can use the v-html directive to render HTML safely. The v-html directive will ensure that any HTML code passed to it is properly encoded and escaped, making it safe to render.
  • In Angular, you can use the DomSanitizer service to sanitize user input. DomSanitizer will help you to prevent XSS attacks by sanitizing untrusted values that are passed into your application.

4. Insecure design

Insecure design refers to security flaws introduced during software development's design phase. Design flaws can lead to a wide range of security vulnerabilities, including:

Injection flaws: Injection flaws occur when user input is not properly sanitized before being used by the application. They can allow attackers to inject malicious code executed by the application, resulting in data loss or corruption, Denial of Service (DoS) attacks, or even executing arbitrary code.

Cross-site scripting (XSS) flaws: XSS flaws occur when user input is not correctly escaped or sanitized before being displayed by the application. These flaws can allow attackers to inject malicious code that is executed by unsuspecting users who visit the compromised page.

Broken authentication and session management: Broken authentication and session management refer to a wide range of security issues that can occur when authentication and session management mechanisms are not correctly implemented. This can allow attackers to access sensitive data, hijack user sessions, or perform other malicious actions.

Insecure communications: Insecure communications refer to the use of insecure protocols or encryption algorithms that allow attackers to eavesdrop on communications or tamper with data.

Preventing insecure design

One way to prevent cross-site scripting is to implement a content security policy (CSP). A CSP is a list of directives that specify what resources are allowed to be loaded on a page. These directives can be used to restrict the sources of content that can be loaded on a page and can be implemented in the <meta> tag of an HTML document or in the HTTP headers of a server.

Here is an example of a content security policy implemented in the <meta> tag of an HTML document:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://example.com;">

This policy will allow content from the same origin (self) to be loaded by default and will allow images from https://example.com to be loaded.

Here is an example of a content security policy implemented in the HTTP headers of a server:

Content-Security-Policy: default-src 'self'; img-src https://example.com;

This policy will have the same effect as the policy above.

5. Security misconfigurations

Security misconfiguration is a broad category of issues that can arise when an application or server is not configured correctly. Incorrectly configured systems can be more vulnerable to attack, allow unauthorized access to sensitive data, and provide misleading information to users.

All too often, systems are not adequately configured because administrators don't have the time or knowledge to do so correctly, which can leave systems open to attack.

In some cases, even when administrators are aware of the importance of proper configuration, they may not be able to do so due to corporate policies or other restrictions.

Some common security misconfiguration issues include:

  • leaving the default administrator account active and using easily guessed passwords
  • not disabling directory listing
  • not requiring SSL/TLS for sensitive communications
  • not properly restricting access to files and directories
  • not properly securing database passwords and other sensitive data

Preventing security misconfigurations

One way to make SSL/TLS compulsory is to use a web server that requires it for all connections. For example, the Apache web server can be configured to require SSL/TLS by adding the following directive to the server configuration:

SSLRequireSSL

Another way to make SSL/TLS compulsory is to use a load balancer or proxy server that supports SSL/TLS and requires it for all connections. For example, the Nginx web server can be configured as a proxy server to require SSL/TLS by adding the following directive to the server configuration:

proxy_ssl_session_reuse on;

proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

proxy_ssl_ciphers HIGH:!aNULL:!MD5;

6. Vulnerable and outdated components

Vulnerable and outdated components are often the Achilles' heel of an organization's security posture. A vulnerable component is one with known security flaws that can be exploited to gain unauthorized access or cause other harm. An outdated component is one for which security patches or updates are no longer available from the vendor, making it more susceptible to attack.

Preventing vulnerable and outdated components

7. Identification and authentication failures

An identification and authentication failure occurs when a system fails to correctly identify and/or authenticate a user. This can happen for various reasons, but typically it is due to weak or easily guessed passwords, lack of strong password policies, or lack of two-factor authentication.

Organizations are vulnerable to approximately $1.76 million in business costs when a Zero Trust authentication system is not implemented.

Preventing identification and authentication failures

There are many ways to implement 2-factor authentication (2FA) with AWS. One way to do it is to use AWS Identity and Access Management (IAM) with multi-factor authentication (MFA). 

IAM is a web service that helps you securely control access to AWS resources. MFA adds an extra layer of security by requiring a second factor, such as a code from a hardware device or a mobile app, in addition to your username and password.

To set up MFA, you first need to create an IAM user and then attach an MFA device to that user. You can use any type of MFA device that is compatible with AWS, such as a hardware device or virtual device.

Once you have an IAM user with an MFA device attached, you can enable MFA for that user. To do this, you need to create an IAM policy that requires MFA. You can then attach this policy to the IAM user.  Here is an example of an IAM policy that requires MFA:

This policy denies all access to all resources unless the user has an MFA device attached.

Once you have created this policy, you must attach it to the IAM user. You can do this via the AWS Management Console or the AWS Command Line Interface (CLI).

Once the policy is attached, the user will be required to use MFA when accessing AWS resources.

8. Software and data integrity failures

Data integrity failures are a type of security vulnerability that can occur when data is modified or destroyed without authorization. This can happen either through malicious attacks or accidental mistakes. Data integrity failures can have serious consequences, such as financial losses or the exposure of confidential information.

There are several ways to protect data from integrity failures. One is to use cryptographic methods, such as digital signatures or hashes, to verify that data has not been changed. Another is to store data in multiple locations so that if one copy is destroyed, others can be used to reconstruct it. Data can be backed up regularly to ensure a copy is always available in case of an integrity failure.

Preventing software and data integrity failures

  • Regularly backing up data and software
  • Keep software and data secure
  • Ensure data and software integrity
  • Monitor systems for changes
  • Detect and respond to changes quickly

9. Security logging and monitoring failures

In the world of information security, logging and monitoring failures are too common. Security logging is tracking events that occur on a computer or network. This data can be used to identify attacks, monitor system activity, and track user behavior. However, if this data is not secured correctly, attackers can compromise it.

Failures can have severe consequences for an organization. The average life cycle of a breach is 200 days, which translates to $4.87 million in costs. Data integrity failures can lead to data loss or corruption, while monitoring failures can allow attackers to operate undetected.

Preventing security logging and monitoring failures

  • Ensure that all logging and monitoring tools are correctly configured and tested
  • Establish clear and concise logging and monitoring policies and procedures
  • Educate all staff on the proper handling of sensitive information
  • Regularly review logs and monitor activity for unusual or suspicious activity
  • Investigate and resolve any issues identified through logging and monitoring

10. Server-side request forgery (SSRF)

Server-side request forgery (SSRF) is an attack in which the attacker tricks a server into requesting on their behalf. SSRF can be done by specifying a malicious URL in a parameter or embedding an HTTP request in an XML document. If the server does not properly validate the request, it will send the request to the attacker-specified URL.

SSRF can be used to attack internal systems that are generally not accessible from the outside. For example, an attacker could use SSRF to access a server's internal network or to read sensitive files on the server.

Preventing server-side request forgery (SSRF)

  • Ensure that user input is validated and sanitized
  • Restrict user access to only the resources that they need
  • Implement a whitelist approach to input validation
  • Monitor server access logs for suspicious activity
  • Keep all server software up to date with the latest security patches

Protect your applications against OWASP’s Top 10 risks

Malicious users never rest, and neither should your security postures. Jit enables you to effortlessly implement continuous security to protect your applications against OWASP’s Top 10 vulnerabilities while causing no friction to your software engineering team.

Use Jit to access all the security tools and controls you need to protect your applications, including OWASP ZAP, OWASP Dependency Check, and much more. Ready to give us a try? Get started for free

Instantly achieve continuous product security, from day 0