(Part of the Indusface OWASP vulnerability educative series on web and mobile applications.)

With this OWASP educative series on web and mobile applications, we aim to break down vulnerabilities and simplify them to the basic level of their nature and implications with examples and illustrations.

In the first of this four-part series, we are going to take the first five of the OWASP Top 10 web application vulnerabilities.

OWASP Top 10

Once there was a small fishing business run by Frank Fantastic in the great city of Randomland. He happily named it the Fishery of Randomland. After years of struggle, it grew more than he could imagine and then he decided to come up with a website and mobile app.

OWASP Top 10 Attacks on Your Website

Wasn’t it the best of ideas? His customers could just order fish from anywhere. They didn’t even need to visit the store anymore. Frank was happy until he discovered something fishy. His money was evaporating from the website. Every day, there were unexplained transactions and charges.

“How is this happening,” he asked a few of his employees, who had no clue about it. They had just noticed fraudulent transactions and data being stolen from computers.

Frank was furious but couldn’t just shut the website down as it was now the source of most of their operations. Losing money was not an option either.

So, one fine day Frank decided to hire a security expert from the suburbs of the Randomland. His name was ‘Ralph’ and he ran a web security firm in the town. Here’s what Ralph told Frank about the website that Fishery of Randomland should have known earlier.

A1- Injection

“It is the most serious weakness that is compromising your data and overall security,” said Ralph to Frank. He pulled out the account login page and entered a string of code.

Apparently, the command was accepted and allowed him to log in without even a valid account or password.

This is an injection attack.

Simply put, if you are not filtering user inputs correctly, hackers can use commands to enter through this hole and claim legitimate access. Surprisingly, they can use anything from sign-in forms to comment boxes to send commands to the server.

Business Risks: Think of the unlimited possibilities when hackers have a direct way of interacting with your server. They can steal data, change it, delete it, deny access, and do much more. In fact, injection attacks such as SQL Injection are allegedly responsible for major data breaches at Ashley Madison and Sony.
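The login bypass Ralph demonstrated comes from the application pasting what the user typed straight into its SQL text. The example below is added here to show that pattern next to its fix; it is not code from the article or from the Fishery's site, and it assumes a constructed in-memory SQLite user table with a single account. The "before" function builds the query with string formatting, so quotes and SQL keywords inside the username become part of the statement; the "after" function sends the username as a bound parameter, which the database treats purely as data, and checks the password in code.

```python
import hashlib
import hmac
import sqlite3


def hash_pw(password: str) -> str:
    # Demo hash only; a real system uses a slow, salted hash (scrypt, argon2, bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the shop's account store (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("frank", hash_pw("tuna-42")))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    # The "before" picture: untrusted input is interpolated into the SQL string, so any
    # SQL syntax typed into the username field is executed as part of the query.
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{hash_pw(password)}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    # Parameterised query: the driver passes the username as a value, never as SQL text,
    # so a quote or keyword inside it can only ever fail to match a real username.
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    # Constant-time comparison avoids leaking how many characters of the hash matched.
    if hmac.compare_digest(row[0], hash_pw(password)):
        return username
    return None
```

The parameterised version is the whole fix for the injection itself; it does not depend on filtering the input first, which is why OWASP recommends it over trying to blacklist "dangerous" characters.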

A2- Broken Authentication and Session Management

Once Frank and his team understood the injection risks, Ralph moved on to a different method of bypassing security on Fishery of Randomland. He asked for a valid account ID and tried to log in to it with a random password.

“Why does the message say that password is incorrect and not the ID,” he asked Frank.

“We want to help customers know that they have used a wrong password,” he answered hesitantly.

“And you are also helping a brute force attacker know that an account does exist. He only needs the right password,” said Ralph.

He went on to explain how negligence in customer accounts, password recovery and even sessions can lead to increased security risks. Surprisingly, when he closed the browser window and reopened it, the website still allowed him to continue using the account. Ralph suggested using web application scanning to keep an eye on such vulnerabilities.

It all falls under broken authentication and session management.

Business Risks: Such vulnerabilities allow an attacker to claim complete account access. In severe cases of the attack, hackers have stolen database records and sold them on the underground black market.
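Two of the problems Ralph pointed out, the error message that confirms an account exists and the session that survives closing the browser, are both fixable in a few lines. The example below is added here and is not code from the article; it assumes a constructed in-memory user store and a session store keyed by random tokens, with the idle and absolute timeouts as illustrative values. The login function returns the same generic message whether the ID or the password was wrong, and the session store refuses a token once it has been idle too long or has lived past a hard limit, so a reopened browser has to authenticate again.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user store: username -> password hash (demo hash; use scrypt/argon2 in production).
USERS = {"frank": hashlib.sha256(b"tuna-42").hexdigest()}

GENERIC_ERROR = "Invalid username or password"   # identical for unknown ID and wrong password
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session is dropped (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity (assumed value)


class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> (username, created_at, last_seen)

    def create(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[token] = (username, now, now)
        return token

    def user_for(self, token: str, now: float):
        # Returns the logged-in user for a token, or None if the session is unknown or expired.
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, created, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT or now - created > ABSOLUTE_TIMEOUT:
            self._sessions.pop(token, None)   # expired sessions are destroyed, not refreshed
            return None
        self._sessions[token] = (username, created, now)   # slide the idle window
        return username

    def destroy(self, token: str) -> None:
        self._sessions.pop(token, None)


def login(store: SessionStore, username: str, password: str, now: float = None):
    # Returns (session_token, None) on success or (None, GENERIC_ERROR) on failure.
    now = time.time() if now is None else now
    stored = USERS.get(username)
    # Hash the candidate even for unknown users so response timing does not reveal
    # whether the account exists.
    candidate = hashlib.sha256(password.encode()).hexdigest()
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if not ok:
        return None, GENERIC_ERROR
    return store.create(username, now), None
```

The session token should be issued as a cookie marked Secure and HttpOnly and without a far-future expiry; the store above is what decides validity on the server, so a stale cookie in a reopened browser is simply rejected.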

A3- Cross-Site Scripting

Apparently it is the most common vulnerability, and Fishery of Randomland’s website had this one too. With this Cross-Site Scripting weakness, or XSS, attackers could use web applications to send malicious script to a user’s browser. This is what makes XSS even more dreadful; it poses a threat to both users and the website. Hackers basically intercept communication between server and browser to inject malicious code at both ends.

“If you are not separating trusted data from untrusted data, you deserve to be hacked,” Ralph got serious on finding multiple vulnerabilities.

He emphasized the fact that XSS not only harms the website but also allows attackers to redirect users to any other URL. Think of it this way: a customer uses a link for Fishery of Randomland’s website to purchase fish, but instead of the actual site, hackers send them to Fishery of Fraudland. Now this website might look and feel real, but all the data exchanged is going to the hacker. If a customer is cheated this way, he will blame Frank for the rest of his life and badmouth the business too.

“They come on your website thinking that it’s a safe world, they get redirected and hacked, they never trust you again. What’s bad is that they talk about it with everyone,” he concluded on XSS.

Business Risks: Hackers can change the homepage of website and write something like ‘Hacked by XYZ group’. They can even inject malware on the site that usually leads to getting blocked by search engines and browsers.
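Ralph's rule of separating trusted from untrusted data translates, for XSS, into escaping every user-supplied string at the moment it is written into HTML, and, for the Fishery-of-Fraudland redirect, into refusing to forward users anywhere but the shop's own host. The example below is added here and is not code from the article; it assumes a comment feature that echoes the author and text back to other customers, and a hypothetical hostname `fishery.randomland.example` for the shop.

```python
import html
from urllib.parse import urlparse

SITE_HOST = "fishery.randomland.example"   # assumed hostname of the shop


def render_comment_vulnerable(author: str, text: str) -> str:
    # Untrusted strings dropped straight into HTML: any tag in the comment becomes
    # part of the page and runs in every visitor's browser.
    return f"<div class='comment'><b>{author}</b>: {text}</div>"


def render_comment_safe(author: str, text: str) -> str:
    # Escape at output time so <, >, &, and quotes are displayed as text rather
    # than interpreted as markup. html.escape quotes both ' and " by default.
    return f"<div class='comment'><b>{html.escape(author)}</b>: {html.escape(text)}</div>"


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    # Only follow a post-login "next" value that stays on our own host: a local
    # path, or an absolute http(s) URL whose host is SITE_HOST. Anything else,
    # including protocol-relative "//other-host/..." forms, falls back to default.
    parsed = urlparse(next_url)
    is_local_path = (
        parsed.scheme == "" and parsed.netloc == ""
        and next_url.startswith("/") and not next_url.startswith("//")
    )
    if is_local_path:
        return next_url
    if parsed.scheme in ("http", "https") and parsed.netloc == SITE_HOST:
        return next_url
    return default
```

Escaping on output, rather than stripping tags on input, is the approach that survives data arriving from other channels (imports, APIs, the database itself); a Content-Security-Policy header adds a second layer by refusing to run inline script even if a string does slip through unescaped.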

A4- Insecure Direct Object References

“Here’s a trick now,” Ralph said to Frank while carefully changing a few numbers in the URL and pressing enter.

Apparently Fishery of Randomland was exposing internal account IDs, which were the parameters it used to recognize different accounts. Ralph simply changed the last digit there, and the website took him to the transactions page for another account.

That’s an Insecure Direct Object Reference vulnerability, and it allowed Ralph to access unprivileged data because the numbers were predictable. It’s not just account numbers. There can be multiple predictable patterns that will allow hackers to get into the database and access restricted data.

Business Risks: Though there are not many changes an attacker can make, there is a lot that he can access and expose. Attackers can view credit card details, address and phone numbers for other customers, and even previous transactions.
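Changing the last digit of the URL worked because the transactions page trusted the account number it was given and never asked whether that account belonged to the logged-in customer. The example below is added here and is not code from the article; it assumes a constructed account store and a session that already identifies the user. The vulnerable lookup serves whatever ID it is handed; the safe version pairs every lookup with an ownership check, answers "not found" identically for missing and foreign accounts so IDs cannot be probed, and offers a per-user listing so the page never needs an ID from the URL at all.

```python
import uuid


class AccessDenied(Exception):
    """Raised when the logged-in user may not view the requested object."""


# Constructed account store: account id -> (owner username, transaction history)
ACCOUNTS = {
    1001: ("frank", ["2016-02-01 tuna x10", "2016-02-03 salmon x4"]),
    1002: ("alice", ["2016-02-02 cod x2"]),
}


def get_transactions_vulnerable(account_id: int):
    # Trusts the id from the URL completely: whoever changes the number sees that account.
    return ACCOUNTS[account_id][1]


def can_view(session_user: str, account_id: int) -> bool:
    # The authorization decision: the object exists AND the current user owns it.
    account = ACCOUNTS.get(account_id)
    return account is not None and account[0] == session_user


def get_transactions_safe(session_user: str, account_id: int):
    if not can_view(session_user, account_id):
        # One response for "does not exist" and "not yours", so the error text
        # does not confirm which ids are real.
        raise AccessDenied("account not found")
    return ACCOUNTS[account_id][1]


def accounts_owned_by(session_user: str):
    # Indirect reference: derive the list from the session, not from user input.
    return [aid for aid, (owner, _) in ACCOUNTS.items() if owner == session_user]


def new_account_id() -> str:
    # Unguessable identifiers stop casual enumeration, but the ownership check
    # in can_view is still the real control; an unguessable id alone is not.
    return uuid.uuid4().hex
```

The point worth remembering from the story is that unpredictable IDs are a nicety, not the fix: the fix is the ownership check on every object access.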

A5- Security Misconfiguration

Misconfigured security is a tough vulnerability to handle as it takes into account all security lapses at every level of the application. Fishery of Randomland had to have this vulnerability given their scarce security knowledge and Ralph wasn’t surprised at this one.

“Old sample apps, unnecessary features, default system passwords, hackers love all the additional information they can get. And you have plenty of it,” he said.

Ralph was right. Most system admins neglect to change default passwords or even to disable ports and accounts they do not use anymore. Attackers look for such small lapses, combine them, and try to make something big out of it.

Business Risks: If used cleverly, security misconfiguration can lead to complete loss of data through alteration, deletion and theft. Attackers can use one vulnerability after the other to access the database.
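Because misconfiguration is spread across every layer, the practical defence is a checklist that is run, not remembered. The example below is added here and is not code from the article or any product; it assumes a constructed configuration snapshot of the kind Ralph described (debug mode, sample apps, default credentials, unused ports and stale accounts) and reports each lapse it finds, so the same script can be re-run after each deployment.

```python
# Known vendor defaults and sample/admin paths to flag (constructed, illustrative lists).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
SAMPLE_APP_PATHS = ("/examples", "/docs", "/manager/html", "/phpinfo.php")
STALE_ACCOUNT_DAYS = 90   # assumed policy: disable accounts unused this long


def audit_config(config: dict) -> list:
    # Returns a list of human-readable findings; an empty list means nothing flagged.
    findings = []
    if config.get("debug"):
        findings.append("debug mode enabled: stack traces and settings leak to users")
    if config.get("directory_listing"):
        findings.append("directory listing enabled: file names are exposed")
    for user, pw in config.get("admin_accounts", []):
        if (user, pw) in DEFAULT_CREDENTIALS:
            findings.append(f"default credentials left in place for '{user}'")
    for path in config.get("deployed_paths", []):
        if path in SAMPLE_APP_PATHS:
            findings.append(f"sample/admin application still deployed at {path}")
    required = set(config.get("required_ports", []))
    for port in config.get("open_ports", []):
        if port not in required:
            findings.append(f"port {port} open but not required")
    for acct in config.get("os_accounts", []):
        if acct.get("enabled", True) and acct.get("last_login_days", 0) > STALE_ACCOUNT_DAYS:
            findings.append(f"stale account '{acct['name']}' still enabled")
    return findings


# Constructed snapshot of a freshly installed, untouched stack (the Fishery "before").
BAD_CONFIG = {
    "debug": True,
    "directory_listing": False,
    "admin_accounts": [("admin", "admin"), ("ralph", "s3cure!")],
    "deployed_paths": ["/shop", "/examples"],
    "open_ports": [443, 8080],
    "required_ports": [443],
    "os_accounts": [{"name": "oldintern", "enabled": True, "last_login_days": 400}],
}

# The same stack after the lapses are closed.
GOOD_CONFIG = {
    "debug": False,
    "directory_listing": False,
    "admin_accounts": [("ralph", "s3cure!")],
    "deployed_paths": ["/shop"],
    "open_ports": [443],
    "required_ports": [443],
    "os_accounts": [{"name": "oldintern", "enabled": False, "last_login_days": 400}],
}
```

Each finding on its own looks minor, which is exactly the pattern the paragraph describes: the value of the audit is that it surfaces all of them together before an attacker chains them.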

Are you also dealing with such weaknesses within your website’s framework? Talk to us on finding them and keeping hackers at bay without application code changes.

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.