When developing a website, web security is often forgotten or not treated as the most crucial consideration. But in today’s society, where everyone is on the internet surfing and sharing personal information everywhere, web security should be the number one priority.
To make the web more secure, a list of the most common web vulnerabilities exists. The Open Web Application Security Project helps you discover vulnerabilities and prevent them.
What is the Open Web Application Security Project?
In September 2001, Mark Curphey started a non-profit organisation called The Open Web Application Security Project (OWASP); OWASP was a spin-off of the “webappsec” mailing list (Huseby, 2004). OWASP’s goal was to document and share knowledge and tools on web application security to help developers secure their web applications against common security flaws. OWASP’s core values are to be open, innovative and global, and to have integrity in the community (OWASP, n.d. B). All of OWASP’s content is freely and easily accessible from the OWASP website (OWASP, n.d. B).
OWASP provides many types of tools for testing the security of web applications, for example the OWASP Zed Attack Proxy (ZAP). ZAP is an open-source project that can help find security vulnerabilities automatically. OWASP also publishes lists of the top security vulnerabilities found on the web; the best-known OWASP list is the OWASP Top 10 Web Application Security Risks. They also provide a Top 10 list of API vulnerabilities.
The OWASP Top 10 Web Application Security Risks is a list of the ten security concerns that have been common threats to web applications over the last few years (Cloudflare, n.d. A). The report is updated by a team of security experts from all over the world every few years (Cloudflare, n.d. A). OWASP states on its site that adopting the OWASP Top 10 is the most effective first step towards changing the development culture in an organisation to produce more secure code (OWASP, n.d. A).
The OWASP Top 10 list below is the 2017 edition:
OWASP TOP 10
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialisation
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
Stuttard (2011) claims in his book “The Web Application Hacker’s Handbook” that every web site he had tested between 2007 and 2011 was vulnerable to some of these. As many as 94% were susceptible to XSS, 78% had sensitive data exposure, 62% had broken authentication, and 32% were vulnerable to SQL injection.
Injection is the number one problem on the web. Injection happens when untrusted data is sent via a form or other data submission and is then passed on to a code interpreter. The best-known form is SQL injection, which happens when someone sends specially crafted data to a field that expects a plain string; the data is placed into a SQL query, which the database evaluates and so returns the data the attacker wants (OWASP, n.d. A).
To prevent injection attacks, all input to a site must be validated, suspicious data must be rejected, and the data must then be sanitised by cleaning it of symbols that could lead to injection (Cloudflare, n.d. A).
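As an added illustration, not code from the original report, the following Python snippet shows the flaw the paragraph describes next to two defences: a query built by string concatenation beside a parameterised query, plus the input validation the text recommends. The in-memory table, the column names and the crafted input are all constructed for this example.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory sample table; the rows are made up for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn, username):
    # Untrusted form input is pasted straight into the SQL text, so the database
    # cannot distinguish data from query code: this is the injection flaw.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, username):
    # The query structure is fixed; the input travels as a bound parameter and is
    # only ever treated as a string value, whatever characters it contains.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def is_plausible_username(username):
    # Input validation in front of the query: reject anything that does not look
    # like a username before it reaches the interpreter at all.
    return re.fullmatch(r"[a-z0-9_]{1,32}", username) is not None

def lookup_validated(conn, username):
    # Defence in depth: validate first, then still use the parameterised query.
    if not is_plausible_username(username):
        return []
    return lookup_parameterised(conn, username)

# Constructed input of the kind the text describes: it closes the quoted string
# and appends a condition that is always true.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, CRAFTED))     # every row comes back
    print("parameterised:", lookup_parameterised(db, CRAFTED))  # []
    print("validated    :", lookup_validated(db, CRAFTED))      # []
```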
A login and authentication system that is implemented incorrectly can have critical vulnerabilities that make it possible to gain access to someone else’s account and potentially compromise the whole system via an admin account (OWASP, n.d. A). One example of broken authentication is a credential stuffing attack, which means automatically injecting username/password pairs from earlier website breaches (OWASP, n.d. C). The list of username/password pairs is entered into the site automatically to check whether an account breached on one site uses the same credentials on other websites.
To reduce the attack surface of authentication vulnerabilities, two-factor authentication should be implemented, as it limits the ways an attacker can access the system (Cloudflare, n.d. A). The authentication system should also limit how many times someone can try to log in, by using rate limiting.
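An added Python example, not from the original report or from OWASP, of the two mitigations just named: a TOTP second-factor check following RFC 4226 and RFC 6238, and a sliding-window rate limiter that counts failed logins per account and per client address, so that credential stuffing from one source against many accounts is throttled as well as guessing against one account. The limit, window and clock are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct
import time
from collections import defaultdict, deque

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_valid(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    # RFC 6238: the counter is the current 30-second window; one step of clock drift is
    # accepted either way. compare_digest keeps the comparison constant-time.
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))

class LoginRateLimiter:
    """Sliding-window limiter for failed logins, keyed both by account name and by client
    address, so that guessing against one account and credential stuffing from one
    source are both slowed down. Limit and window are assumptions for the example."""

    def __init__(self, limit: int = 5, window: int = 300, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._failures = defaultdict(deque)

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # forget failures outside the window
            q.popleft()
        return q

    def is_blocked(self, username: str, client_ip: str) -> bool:
        now = self.clock()
        return any(len(self._recent(k, now)) >= self.limit
                   for k in (("user", username.lower()), ("ip", client_ip)))

    def record_failure(self, username: str, client_ip: str) -> None:
        now = self.clock()
        self._failures[("user", username.lower())].append(now)
        self._failures[("ip", client_ip)].append(now)
```

The TOTP values can be checked against the published RFC 4226 test vectors (secret "12345678901234567890", counters 0 and 1 give 755224 and 287082).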
Sensitive data exposure is when a web application exposes sensitive information, either via inadequately protected APIs or via websites. The data can be stolen either because it is exposed without proper authentication or via a man-in-the-middle (MITM) attack. A MITM attack is when someone listens in on the traffic exchanged between a client and a server (Cloudflare, n.d. B).
To minimise data exposure, all data that contains sensitive information must be encrypted both at rest and in transit, and the web application should only store the sensitive data that is essential.
Extensible Markup Language (XML) is a human- and machine-readable markup language. XML is processed by an XML parser; if the parser is poorly configured, the input can reference external entities such as a file URI, and the parser then sends that data to an attacker.
Because of the complexity of XML parsers and the many security vulnerabilities found in them, XML should be phased out in favour of a more straightforward data format, or the XML parser should be patched and external entities turned off.
An access control system should enforce what a user is allowed to do on a system. When this is not adequately enforced, or the system is broken, users can get access to data and functions that they should not be able to reach (OWASP, n.d. A).
Broken access control can be addressed by using authorisation tokens in the web application (Cloudflare, n.d. A). An authorisation token is a token sent with each request to check that the request comes from the right person. The token should be checked on every request for what it is allowed to do.
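The per-request token check described above, as an added Python example rather than the report’s own code: an HMAC-signed token carrying the subject, its scopes and an expiry, verified on every request together with the ownership check that stops one user reading another user’s data. The signing key, claim names and scope strings are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-server-side-key"  # placeholder; a real key lives in a secret store

def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def issue_token(user_id: str, scopes, ttl: int = 3600, now: int = None) -> str:
    # Claims: who the caller is, which actions they may perform, and when this expires.
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "scopes": sorted(scopes), "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()

def verify_token(token: str, now: int = None):
    # Returns the claims if the signature checks out and the token is unexpired, else None.
    now = int(time.time()) if now is None else now
    parts = token.encode().split(b".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered body or forged signature
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    return claims if claims["exp"] > now else None

def authorise(token: str, action: str, resource_owner: str, now: int = None) -> bool:
    """Per-request check: valid token AND the action is within its scopes AND the caller
    owns the resource (or holds the admin scope). Stopping after the first check is the
    classic broken-access-control mistake."""
    claims = verify_token(token, now)
    if claims is None or action not in claims["scopes"]:
        return False
    return claims["sub"] == resource_owner or "admin" in claims["scopes"]
```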
Misconfiguration is when a system is configured incorrectly or incompletely, or runs on default configuration, which can lead to verbose error messages being displayed. These messages can contain sensitive data about users or about the system, which could reveal vulnerabilities in the application (OWASP, n.d. A).
Misconfiguration can be mitigated by removing unused code from the code base, making the configuration less complicated, and checking that production code does not give out debug messages and that error messages are kept general (Cloudflare, n.d. A).
Like injection, XSS vulnerabilities can be mitigated by validating and sanitising every input field where users can write content (Cloudflare, n.d. A). Every HTTP request also needs to escape all data that is sent via URLs. Modern web development frameworks often provide built-in cross-site scripting protection (Cloudflare, n.d. A).
Serialisation is the concept of taking an object and turning it into a format that is better suited to other tasks, like storing it on disk or in a database, or sending it over a network (OWASP, n.d. A). Deserialisation is when a serialised object is converted back to its original form, which is easier for software to work with (OWASP, n.d. A). When deserialisation is not done correctly, it can lead to remote code execution, replay attacks, injection attacks and even privilege escalation.
Deserialisation vulnerabilities are not easy to mitigate. However, there are some ways to prevent them, like implementing strong type checking and monitoring the deserialisation process (Cloudflare, n.d. A). The only way to be sure they are not exploited is to not deserialise untrusted data streams at all.
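As an added Python example (not from the original report), the strong type checking and monitoring that the paragraph mentions, applied to an untrusted JSON message: an exact key set, exact types, a size limit, and a rejection counter that can feed alerting. The order schema and the payload limit are constructed assumptions.

```python
import json

# Constructed schema for an "order" message: the exact keys and the exact type of each.
ORDER_SCHEMA = {"order_id": int, "customer": str, "items": list, "express": bool}
MAX_PAYLOAD_BYTES = 4096

class DeserialisationError(ValueError):
    pass

# Monitoring hook for the deserialisation process: rejections are counted by reason so
# that a spike (someone probing the endpoint) can raise an alert.
rejections = {}

def _reject(reason: str):
    rejections[reason] = rejections.get(reason, 0) + 1
    raise DeserialisationError(reason)

def load_order(raw: bytes) -> dict:
    """Deserialise an untrusted JSON order with strong type checking. JSON is chosen
    because it can only produce plain data, never live objects or code."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        _reject("payload too large")
    try:
        data = json.loads(raw)
    except ValueError:
        _reject("malformed json")
    if not isinstance(data, dict) or set(data) != set(ORDER_SCHEMA):
        _reject("unexpected keys")  # no missing fields and no extra ones
    for key, expected in ORDER_SCHEMA.items():
        # type() rather than isinstance(): bool is a subclass of int, and 7.0 is not an int.
        if type(data[key]) is not expected:
            _reject(f"bad type for {key}")
    if not all(type(item) is str for item in data["items"]):
        _reject("bad item type")
    return data

def order_is_valid(raw: bytes) -> bool:
    try:
        load_order(raw)
        return True
    except DeserialisationError:
        return False
```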
Modern web applications are not coded 100% in-house; external components and libraries are often used to build faster, as they reduce the amount of code the developer has to write (Cloudflare, n.d. A). Examples are widely used front-end frameworks like Angular.js and Vue.js, or back-end frameworks like Express.js. Thousands of websites are built on top of these frameworks, and they often use many different libraries. If a vulnerability is found in a popular library, potentially several hundred thousand web pages become exploitable (OWASP, n.d. A).
Update all libraries often with the latest security fixes and stay up to date on which libraries have known vulnerabilities (Cloudflare, n.d. A). Go over the web application regularly, reconsider every single library used, and remove libraries that are not used or not actively maintained.
On average it takes up to 200 days from when a data breach happens until it is discovered (Cloudflare, n.d. A), which gives an attacker a lot of time to find the data they want and take over other systems on the network. When the breach is discovered, the logs may have been erased or may not be complete enough to investigate what happened.
Logs need to be stored in multiple places, including on remote servers, and the logging service needs to run in an append-only mode so that no one can overwrite the logs that exist (Cloudflare, n.d. A). There should be an integrity control on every record written, so that log files cannot be tampered with. Every action taken on the site needs to be logged; access control failures and server-side input validation failures must be logged with enough context to help identify suspicious users. Have a system for monitoring and alerting on suspicious actions taken on the website.
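An added Python example, not part of the original report, of the integrity control and monitoring described in this paragraph: a log whose records are HMAC-chained so that alteration, deletion or reordering of any record is detected, plus a query over the log that flags users with repeated authentication or access-control failures. The key, event format and sample events are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag that the first record chains from

class TamperEvidentLog:
    """Append-only log whose records are HMAC-chained, so any alteration, deletion or reordering is detectable."""

    def __init__(self, key: bytes):
        self.key = key  # held by the log server, not by the web application
        self.records = []

    def _tag(self, prev_tag: str, seq: int, event: dict) -> str:
        msg = f"{prev_tag}|{seq}|".encode() + json.dumps(event, sort_keys=True).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def append(self, event: dict) -> None:
        seq = len(self.records)
        prev = self.records[-1]["tag"] if self.records else GENESIS
        self.records.append({"seq": seq, "event": event, "tag": self._tag(prev, seq, event)})

    def verify(self, records=None) -> int:
        """Return the index of the first record that fails the chain check, or -1 if intact."""
        records = self.records if records is None else records
        prev = GENESIS
        for i, rec in enumerate(records):
            if rec["seq"] != i or not hmac.compare_digest(rec["tag"], self._tag(prev, i, rec["event"])):
                return i
            prev = rec["tag"]
        return -1

def users_with_repeated_failures(records, threshold: int = 3):
    """Monitoring over the log: users with at least `threshold` authentication or
    access-control failures, each record carrying the context (user, source) to follow up."""
    counts = {}
    for rec in records:
        ev = rec["event"]
        if ev["type"] in ("auth_failure", "access_denied"):
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"type": "login", "user": "alice", "src": "198.51.100.2"},
    {"type": "auth_failure", "user": "bob", "src": "203.0.113.7"},
    {"type": "auth_failure", "user": "bob", "src": "203.0.113.7"},
    {"type": "access_denied", "user": "bob", "src": "203.0.113.7", "path": "/admin"},
]
```

A hash chain cannot by itself detect truncation of the newest records, so the latest tag should be periodically copied to the remote log store the text calls for.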
Cloudflare (n.d. A) What is OWASP? What Are The OWASP Top 10? [Online]. Available at https://web.archive.org/web/20200415144356/https://www.cloudflare.com/learning/security/threats/owasp-top-10/.
Cloudflare (n.d. B) What is a Man-In-The-Middle Attack? [Online]. Available at https://web.archive.org/web/20200601203050/https://www.cloudflare.com/learning/security/threats/man-in-the-middle-attack/ (Accessed 1 June 2020).
Huseby, S. H. (2004) Innocent Code, Wiley.
OWASP (n.d. A) OWASP Top Ten [Online]. Available at https://web.archive.org/web/20200415144820/https://owasp.org/www-project-top-ten/.
OWASP (n.d. B) About Us | The OWASP Foundation [Online]. Available at https://web.archive.org/web/20200601173110/https://owasp.org/about/.
OWASP (n.d. C) Credential Stuffing Software Attack [Online]. Available at https://web.archive.org/web/20200601201728/https://owasp.org/www-community/attacks/Credential_stuffing.
Stuttard, D. (2011) The Web Application Hacker’s Handbook, Indianapolis, John Wiley & Sons.