OWASP Top 10 Security Guidelines

Shivesh Singh
Bajra Technologies Blog
Sep 4, 2017


We have heard of numerous cases of applications being hacked. If you develop web-based applications, there’s the strong possibility that your application is vulnerable to attack.

Attackers may be seeking greater access to the system, or to steal some or all of your users’ access credentials or financial details. They may be looking for compromising information, or to steal business secrets.

Regardless of motivation, what’s important is that your application may be vulnerable. So, this post will help you get better prepared against these vulnerabilities.

There are a large number of web application weaknesses. But, the best source to turn to is the OWASP Top 10 (Open Web Application Security Project). Here are the top 10 guidelines provided by OWASP for preventing application vulnerabilities:

1. Injection

This is the most common and severe attack, and the best-known form is SQL injection. It is the art of injecting SQL code into a website in order to retrieve data from the database, such as username and password credentials, to discover and leak stored information, or to change sensitive data.

The primary cause of this type of attack is trusting user input. Data may be submitted via web-based forms and API requests. It can also come from internal users. Regardless, if the data comes from anywhere outside of your application, it can never be trusted.

Survive The Deep End: PHP Security recommends the following measures for handling injection:

2. Broken Authentication and Session Management

This vulnerability covers a lot of things: passwords not being stored hashed, session IDs being exposed in the URL, session IDs not timing out after successful login, credentials that can be bypassed, guessed or overwritten through weak account management functions, and passwords, session IDs and other credentials being sent over an unencrypted connection such as HTTP.

To mitigate this kind of attack:

  • Implement strong password policies and storage mechanisms
  • Implement timeout or rotation for session IDs
  • Use credentials that cannot be fixated
  • Use secure SSL connections

3. Cross-Site Scripting (XSS)

Essentially this is being able to run JavaScript on the website, for example making pop-up boxes appear, planting a cookie stealer or, in the famous MySpace case, a self-replicating worm that spreads across the website. This occurs at the browser level when user data is rendered without being escaped or validated.

With that in mind, Sitepoint recommends three key ways to prevent XSS attacks:

  • Data validation
  • Data sanitization
  • Output escaping

4. Insecure Direct Object References

This is about system data being accessible to users whether or not they have permission for it. For instance, if a user logs into a web application with their ID being 4 in the URL, changes it to some other number, let’s say 1, and can then see the data for ID number 1, that is the security risk. It happens because database fields are used directly as query parameters or form field names.

To prevent this kind of attack, don’t directly reference an underlying object or resource. One of the simplest ways is to map what the user sees and can request, to the information which the application requires to access the requested resource.

Then, once a user has requested a given resource, be that a file on the filesystem or a record in a database, have validation in place to ensure that they should be allowed to access it. This might be filtering records before or after they’ve been requested from the database, or blocking access to the requested file.
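Both measures combined, as an added example rather than code from the post: a per-session map hands the user random tokens instead of database IDs, and the lookup still checks ownership of the resolved record so that a leaked or guessed token cannot reach another user's data. The invoice table and owners are constructed sample data.

```python
import secrets

# Constructed sample data: internal record ids and the user who owns each one.
INVOICES = {
    1: {"owner": "alice", "total": 120},
    2: {"owner": "bob", "total": 80},
}


class IndirectReferenceMap:
    """Per-session map from random tokens (what the user sees) to internal ids."""

    def __init__(self):
        self._token_to_id = {}

    def token_for(self, internal_id):
        """Issue a fresh unguessable token for an internal id."""
        token = secrets.token_urlsafe(16)
        self._token_to_id[token] = internal_id
        return token

    def resolve(self, token):
        """Translate a token back; unknown tokens resolve to None."""
        return self._token_to_id.get(token)


def get_invoice(session_map, user, token):
    """Resolve the indirect reference, then verify the requester owns the record."""
    internal_id = session_map.resolve(token)
    if internal_id is None:
        return None
    record = INVOICES.get(internal_id)
    # Defence in depth: a valid token alone is not enough, the owner must match.
    if record is None or record["owner"] != user:
        return None
    return record


if __name__ == "__main__":
    refs = IndirectReferenceMap()
    alice_token = refs.token_for(1)
    print(get_invoice(refs, "alice", alice_token))  # alice's own invoice
    print(get_invoice(refs, "bob", alice_token))    # None: not bob's record
    print(get_invoice(refs, "alice", "1"))          # None: raw ids are not accepted
```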

5. Security Misconfiguration

This covers software that is out of date, such as plugins, the content management system or the database management system, as well as unnecessary features being installed or enabled, either of which can expose a weakness. It is a common security weakness and an easy one for an attacker to detect, which is why keeping your software up to date and disabling any services that are not used is important.

To mitigate this kind of attack, for every part of your application, be that a server, language runtime, or operating system, ensure that it is suitably hardened, based on recommended best practices. If it is an external service, refer to their documentation and other material to ensure that they provide a secured service and stay up to date.

6. Sensitive Data Exposure

This is where an attacker can gain access to your sensitive data or to backups of that data, on both the customer side and the business side. It also concerns the way you handle private information such as passwords: whether or not they are hashed, and whether the hash algorithm is outdated, for example MD5.

OWASP recommends 5 ways for protecting against this kind of attack:

  • Make sure you encrypt all sensitive data at rest and in transit
  • Don’t store sensitive data unnecessarily
  • Ensure strong standard algorithms and strong keys are used, and proper key management is in place
  • Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt
  • Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data

7. Missing Function Level Access Control

This is where an anonymous user can access private functionality or a regular user can carry out privileged user functionality.

Because of this vulnerability, users can reach URLs that are not meant for them. For example, if I browse to the admin URL on a website while logged in as a regular user, will I be turned away, or will I be able to see the admin page?

To protect against this type of attack, ensure that applications have a strong access control mechanism in place. Across most languages, there are mature implementations of Role-based access control (RBAC) and Access Control Lists (ACL). Make use of the one for your language, mapped out according to the needs of your application.

8. Cross Site Request Forgery (CSRF)

This is how an attacker can cause a user to change their password, username or email, send private messages from their account and so on, all from a single click on a link.

To protect against this type of vulnerability, it is strongly recommended to ensure that all form submissions contain a field with an unpredictable pseudo-random value. The minimum requirement before a submission can be considered valid is that this pseudo-random value is checked and found correct. A working example of this is the Rails framework’s CSRF form field.
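The recommended mechanism as an added example (not the Rails implementation and not code from the post): a token is generated once per session with a CSPRNG, embedded in every form as a hidden field, and compared in constant time against the server-side copy on submission. The session and form dictionaries stand in for a framework's objects; the field name follows the Rails convention.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Create the session's token on first use and reuse it for later forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def hidden_field(session):
    """The hidden input every state-changing form must carry."""
    token = issue_csrf_token(session)  # token_urlsafe output needs no HTML escaping
    return '<input type="hidden" name="authenticity_token" value="%s">' % token


def validate_submission(session, form):
    """Accept the POST only if the submitted token matches the session's copy."""
    expected = session.get("csrf_token")
    submitted = form.get("authenticity_token", "")
    if not expected or not submitted:
        return False  # no token issued, or none sent: treat as forged
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    session = {}  # constructed stand-in for a server-side session store
    print(hidden_field(session))
    good = {"authenticity_token": session["csrf_token"], "new_email": "a@example.com"}
    forged = {"new_email": "attacker@example.com"}  # cross-site form lacks the token
    print(validate_submission(session, good))    # True
    print(validate_submission(session, forged))  # False
```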

9. Using Components with Known Vulnerabilities

This is where an attacker targets a component you rely on, such as a framework library or a plugin, for which a public exploit exists, and gains access to the website through that component.

To protect against this kind of vulnerability:

  • Always ensure that the components you use are the most recent versions and come from a valid source
  • Implement a security scanner which looks for known issues in your application and its related components

10. Unvalidated Redirects and Forwards

This involves users being tricked into making requests and in the process being either redirected or forwarded to somewhere else.

This could make it possible for an attacker to launch phishing scams and steal user credentials.

To protect against this vulnerability, OWASP recommends:

  • Avoid using redirects and forwards
  • If they’re used, don’t involve user parameters in calculating the destination
  • If parameters are required, ensure that the supplied value is valid, and authorized for the user
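The third bullet in code, as an added example that is not from the original post: a login "next" parameter is only honoured if it is a local path or points at one of your own hostnames, and the awkward cases (protocol-relative `//host`, backslashes, credentials in the authority, non-HTTP schemes) all fall back to a safe default. The allowed host and the parameter name are assumptions.

```python
from urllib.parse import urlparse

# Assumption: the hostnames the application itself is served from.
ALLOWED_HOSTS = {"app.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(next_param):
    """Return next_param if it is a safe destination, otherwise DEFAULT_TARGET."""
    if not next_param:
        return DEFAULT_TARGET
    # Browsers normalise backslashes to slashes, so "/\\host" would leave the site.
    if "\\" in next_param or any(c in next_param for c in "\r\n"):
        return DEFAULT_TARGET
    parsed = urlparse(next_param)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET
    if parsed.netloc:
        # Absolute or protocol-relative URL: hostname strips userinfo and port,
        # so "https://app.example.com@evil.example/" resolves to evil.example.
        if parsed.hostname not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return next_param
    # No authority: accept only a single-slash local path.
    if not next_param.startswith("/") or next_param.startswith("//"):
        return DEFAULT_TARGET
    return next_param


if __name__ == "__main__":
    for candidate in ["/account", "//evil.example/x", "https://app.example.com/dash"]:
        print(candidate, "->", safe_redirect_target(candidate))
```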

Conclusion

That concludes our overview on the OWASP top 10 vulnerabilities and how we can protect our applications against each of them.

When it comes to application security there are many things to look for. However, knowledge of these 10 application vulnerabilities is a good starting point for maintaining application security.
