08 Web Attacks
OWASP
Open Web Application Security Project (OWASP) is a non-profit organization that provides unbiased, practical information about application security. The OWASP Top 10 is a list of the 10 most critical web application security risks.
In 2021 (the latest version), the top 10 vulnerability types are:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
Broken Access Control
Access control is the process of granting or denying specific requests from users, applications, or devices to access resources. Broken access control occurs when restrictions on what authenticated users are allowed to do are not properly enforced. This can lead to unauthorized access to, or modification of, sensitive data or functionality.
Cryptographic Failures
Cryptographic failures occur when cryptographic functions are misused or implemented incorrectly. This can lead to sensitive data being exposed.
Injection
Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Insecure Design
Insecure design occurs when the design of a system does not take security into account.
Security Misconfiguration
Security misconfiguration occurs when security settings are left at insecure defaults, or are not properly defined, implemented, and maintained.
Vulnerable and Outdated Components
This risk arises when the components an application depends on are not kept up to date with the latest security patches.
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim's web browser by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application, which then executes the malicious code.
Malicious code can be uploaded to the server in different ways: for example, by writing a comment on a blog that contains JavaScript which is executed on page load, or by uploading an image (e.g. WEBP) that contains malicious code which is executed on the server.
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
Brute Force Attacks
In a brute force attack the attacker tries to guess the correct password by submitting many candidate passwords. There are different types of brute force attacks:
- pure brute force: try all possible combinations
- dictionary attack: try all words in a dictionary
- credential stuffing: try leaked passwords from other websites
Attacks can be made from different locations:
- local: attacker has access to the server or to leaked password hashes
- remote: automated attack from a client
- distributed: multiple clients try to guess the password (e.g. botnet)
Countermeasures
- reputation systems: block IP addresses that try to log in too often
- rate limiting: limit the number of login attempts per time period
- MFA: multi-factor authentication
- CAPTCHA: completely automated public Turing test to tell computers and humans apart
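As an added example (not part of the original notes), the following combines the first two countermeasures: a sliding-window rate limit per account and an IP reputation block that triggers once a single client has failed too often across any accounts, which is the pattern credential stuffing produces. The class name, thresholds and the injectable clock are assumptions for illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account rate limit plus per-IP reputation block (constructed example)."""

    def __init__(self, max_failures=5, window=60, ip_block_after=20,
                 block_time=600, clock=time.monotonic):
        self.max_failures = max_failures      # failed attempts allowed per account per window
        self.window = window                  # sliding window length in seconds
        self.ip_block_after = ip_block_after  # total failures from one IP before it is blocked
        self.block_time = block_time          # how long a blocked IP stays blocked (seconds)
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._ip_failures = defaultdict(int)  # ip -> failure count (reputation)
        self._blocked = {}                    # ip -> time at which the block expires

    def check(self, account, ip):
        """Return (allowed, reason); call this BEFORE verifying the password."""
        now = self.clock()
        expires = self._blocked.get(ip)
        if expires is not None:
            if now < expires:
                return False, "ip-blocked"
            # block expired: forget it and reset the IP's reputation
            del self._blocked[ip]
            self._ip_failures[ip] = 0
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:  # drop entries outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            return False, "rate-limited"
        return True, "ok"

    def record(self, account, ip, success):
        """Call after verification; a successful login clears the account's window."""
        now = self.clock()
        if success:
            self._failures.pop(account, None)
            return
        self._failures[account].append(now)
        self._ip_failures[ip] += 1
        if self._ip_failures[ip] >= self.ip_block_after:
            self._blocked[ip] = now + self.block_time
```

The per-account limit alone would not stop one client cycling through many accounts with a leaked password list; the per-IP counter is what catches that case.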