image

OWASP Top 10
2017
Playbook

Why Should You Read This Guide?
 
Website vulnerabilities and getting hacked due to them have become a security nightmare for businesses. Whether you're an entrepreneur, an IT manager, an established business owner, a CIO, a CISO, a director of security, or a CTO, understanding and evaluating your online risks is critical. Our new playbook will serve as a practical guide to understanding OWASP Top 10 vulnerabilities and preparing a response plan to counter these vulnerabilities.

A1 Injection

WHAT IS IT? 
Imagine a hacker coming to your account login page and entering a string of code. The command gets accepted and allows them to login without even a valid account or password. This is an injection attack. Websites that do not filter inputs and accept everything a user enters, are at huge risk. Hackers can use commands to enter through this weakness and access server files. Injection attacks can happen from any input field, including the comments section.
IMPACT 
image
WHAT IS IT? 
Imagine a hacker coming to your account login page and entering a string of code. The command gets accepted and allows them to login without even a valid account or password. This is an injection attack. Websites that do not filter inputs and accept everything a user enters, are at huge risk. Hackers can use commands to enter through this weakness and access server files. Injection attacks can happen from any input field, including the comments section.

A2 Broken Authentication & Session Management

WHAT IS IT? 

"Incorrect Password" error messages are a classic example of this type of vulnerability. If a hacker tries a random combination of Username-Password and an error message tells them that the password is incorrect, he knows that at least the username is correct. A brute force attacker now knows that an account exists and he only needs the right password. There are dozens of automated tools from the dark web that can try millions of password combinations for a hacker. Improper sessions management is also a severe risk. Think of an online bank account that keeps you logged in even after closing the browser.

IMPACT 
image
WHAT IS IT? 

Such vulnerabilities allow attackers to earn complete account access. In severe cases, hackers have stolen database records and sold them on the underground black market.

A3 Cross-Site Scripting (XSS)

WHAT IS IT? 

An attacker can inject malicious scripts into trusted websites and use this code to hijack browser sessions from users to initiate a man-in-the-middle attack.

 

The attacker can send anything to your server now while simultaneously redirecting users to dark parts of the web without them knowing about it. Such attacks can trouble your customers and business equally.

IMPACT 
image
WHAT IS IT? 

Hackers can deface your website, inject malware, phishing links and hijack user accounts.

A4 Broken Access Control

WHAT IS IT? 

In the latest version of OWASP Top 10, A4 represents two vulnerabilities from the previous list (2003 A4 & A7) combined into one.  Here's the how it is exploited. You are logged into an ecommerce portal and the URL shows the User ID like the illustration below.



Now if you change the digits '2340' to another set of digits allows you to view the account of another user, it's a huge opportunity for hackers.

The threat also arises when non-privileged users have access to admin privileges. After all, a junior-level developer should not be able to gain admin access to the server. Unfortunately, most companies do not bother ensuring that only authorized accounts access privileged information.

IMPACT 
image
WHAT IS IT? 

Such vulnerabilities lead to loss of data, ghost account creation and admin account hijacking.

A5 Security Misconfiguration

WHAT IS IT? 

Old sample apps, expired yet active features, default system passwords... hackers love all the additional information they can get.  This vulnerability is about all of these loopholes.

Attackers look for small issues, combine them, and try to make something big out of them. They use default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.

IMPACT 
image
WHAT IS IT? 

A5 can lead to complete loss of data through alteration, deletion and theft. Recovery is costly and highly unreliable, especially if the data gets encrypted.


A6 Sensitive Data Exposure

WHAT IS IT? 

If somehow your application is breached, how easy is it for hackers to find the data that they want? Consider database files, backups, financial transaction details, employment history and every piece of internal and external information. Don't store sensitive data unnecessarily and Discard it as soon as possible. If you have something, keep it encrypted.

IMPACT 
image
WHAT IS IT? 

Consider everything that comes with the loss of sensitive data. Loss of passwords, credit card information, addresses and bank statements bring serious repercussions in real-world scenarios.


A7 Insufficient Attack Protection (New)

WHAT IS IT? 

This newest addition to this year's OWASP 10 asks a powerful question; Does your application detect and respond to both manual and automated attacks? Can it patch itself to ward off attackers in real-time? Your applications and APIs might be sanitizing inputs or rejecting wrong passwords, but can they reject automated inputs? If there is a critical vulnerability discovered, how soon can you patch it?

IMPACT 
image
WHAT IS IT? 

Attackers can use automated tools to send botnet and find out types of vulnerabilities in an application. Successful attempts lead to Injection and XSS exploits.


A8 Cross-Site Request Forgery (CSRF)

WHAT IS IT? 

A compromised browser session is hijacked by a hacker to run rogue commands in a web application using CSRF. With a little help from phishing techniques (email or chat links), hackers trick users into changing email addresses, wiring money, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. 

IMPACT 
image
WHAT IS IT? 

Rogue requests, fraudulent purchases, and money transfers - you will never be sure if it's a genuine request and customers will gradually lose trust in your website and brand.


A9 Using Components with Known Vulnerabilities

WHAT IS IT? 

Unknown chunks of code breed mysterious vulnerabilities. Developers use open source projects and often they don't even know what code library it came from where and with what vulnerability. Such components can weaken any application. 

IMPACT 
image
WHAT IS IT? 

Unknown application codes bring unknown risks. XSS, injection risks, and business logic loopholes are just some of the examples. Such vulnerabilities might cause data breach, access control, defacement, and theft.


A10 Underprotected API's

WHAT IS IT? 

Most browser web applications are written in JavaScript and use APIs to get data but these APIs often contain numerous vulnerabilities. Attackers can reverse engineer the code or monitor the communication between browser and API with a tool to find vulnerabilities and to exploit them. Moreover, the architecture of most APIs is so complex that they require continuous automated testing and thorough penetration testing to find deep-seeded vulnerabilities.

IMPACT 
image
WHAT IS IT? 

The compromise risks everything an exploited API accesses. This type of attack can be used to steal information, send phishing emails, delete data, and so forth.


Checklist
Stop Hackers from Exploiting OWASP Vulnerabilities

Find Vulnerabilities

  • Get an automated vulnerability detection tool.
  • Perform thorough penetration testing on all critical apps.
  • Look at vulnerabilities based on their impact severity.

 

Patch Vulnerabilities 

  • Can you patch application code quickly? If not, deploy protection like Web Application Firewall (WAF) that offers custom rule creation.
  • Use WAF to gather analytics on attack techniques and patterns.
  • Use analytics frequently to define stronger protection policies.
Checklist
Find the Right Security Vendor

Does the scanning solution include penetration testing without additional cost?

  • Is the WAF more than a closed box? Does it offer custom policies for advanced threats?
  • Am I getting botnet and DDoS protection?
  • Do I get visibility into what the vendor is doing?
  • Are there any infrastructure limitations?
Still got questions?
About Indusface
Indusface is an award-winning application security leader protecting 900+ customers across 17 countries. Our security products have been mentioned in the Gartner Magic Quadrants for Application Security Testing and Web Application Firewall, and have won all major startup awards in the last 12 months. Indusface TAS is available On-premise, As A Service and through the AWS Marketplace.
 
Learn more at www.indusface.com

Get your Free Forever OWASP Security Scan

Start Now