Defending Against OWASP Top 10 Vulnerabilities

Websites are everywhere. There are an estimated 12-24 million eCommerce sites across the planet. So it is only logical that you take your business online. But with the rising popularity of web markets, governments are paying more attention to them, enacting various rules and regulations to better protect consumer privacy.

To ensure consumer privacy protection, fines have been set as high as €50 million under the EU’s GDPR (General Data Protection Regulation) and DPA (Data Protection Act). This makes the task of securing one’s websites more critical.

Websites generally act as an entry point as well as the face of the company. Moreover, web security is essential for keeping cyber criminals away from organization’s and their consumers’ private data.

How to Secure a Website?

To better protect your website from cyber criminals, it is essential to understand how attackers can attack your website. Just like technology keeps evolving, hackers also constantly research to develop new attack methods and techniques. So, there’s no one-shot method that you need to counter. Also, you need to keep an eye on new attack methods and constantly upgrade your defenses. This makes the task of securing the perimeter more tedious. 

The best way to keep track of popular techniques attackers use is to consult the OWASP Top 10 Project. The OWASP (Open Web Application Security Project) is a nonprofit organization geared towards educating software development teams to secure their applications. The OWASP Top 10 is the most well-known resource produced by the OWASP, and it is updated annually. This top 10 list features the 10 most critical web application risks. 

How to Protect against OWASP Top 10 Web Attacks?

In the rest of the article, we will briefly go over solutions that can be implemented to protect against the attacks listed on the OWASP Top 10.

  1. Injection Attacks

Injection attacks are at the top of the list for a reason. Almost any source of data can be an injection vector. Injection attacks occur when attackers send hostile data to be directly interpreted.

The motto to keep in mind when protecting against injection attacks is this—user-supplied data should be kept separate from commands and queries. Use a safe API that sanitizes the user input before passing it for execution.

Injection vulnerabilities are easy to spot while examining source code. So, performing source code audits and using automated scanners and fuzzers is highly encouraged to prevent injection attacks.

  1. Broken Authentication

In the broken authentication class of vulnerabilities, applications are improperly designed and perform authentication checks insecurely. In a broken authentication attack, attackers are able to either capture authentication credentials or bypass the authentication altogether.

Broken authentication is rather trivial to prevent. Still, there are a ton of applications that do not perform authentication properly.

Wherever possible, multi-factor authentication should be implemented and rate limiters used to prevent brute force attacks. In addition, weak password checks should be done when creating a user account, and the application should not be shipped with default credentials.

  1. Sensitive Data Exposure

Sensitive data exposure typically means a data breach, where attackers can get the personal data of an organization or their consumers from websites that do not implement proper encryption.

Sensitive data stored on the server should be classified according to criticality, and proper controls should be applied as per those classifications.

Unnecessary data should be immediately discarded, and the rest of the data should be stored in encrypted form only. Similarly, while in transit, data should be transmitted using secure protocols such as TLS (Transport Layer Security).

  1. XML External Entity Attack (XXE)

It is common for older XML processors to allow the specification of an external entity. That entity is dereferenced and evaluated during XML processing. Attackers leverage these specifics to execute their malicious entity and compromise the security.

A sure-shot solution to XXE attacks is patching or upgrading all XML processors and libraries used by the application or underlying operating system. Also, XML entity and DTD (Document Type Definition) processing should be enabled if needed.

  1. Broken Access Control

In broken access control, access control is not properly implemented, and attackers can access data they are not supposed to access.

Broken access control is difficult to detect with automated detection. If proper manual testing is not done, broken access control can go undetected.

The API should be properly limited to eliminate automated attacks.

Access control mechanisms should be implemented and used throughout the application to minimize possible points of mistake.

  1. Security Misconfiguration

If known vulnerabilities and flaws of the underlying system or application are not patched, attackers can exploit those flaws to get unauthorized access to the system.

Secure installation and regular audits should be done to find unpatched flaws and vulnerabilities.

  1. Cross-Site Scripting (XSS)

Most XSS attacks result in theft of user sessions, account takeover, defacement, or attacks against browser sessions. To prevent XSS, untrusted data should be separated from active browser content. 

One way of achieving that separation would be to escape untrusted HTTP request data based on the context in the HTML output. Also, context-sensitive encoding must be applied when modifying the browser document on the client side.

  1. Insecure Deserialization

Applications and APIs are vulnerable if they deserialize modified objects that might have been supplied by an attacker. Deserializing vulnerabilities typically results in remote code execution.

There is only one solution to prevent deserialization: serialized objects should never be accepted from untrusted sources. Additionally, integrity checks should be implemented to prevent object tampering.

  1. Using Components with Known Vulnerabilities

In many development contexts, it is hard to audit all the components that will be integrated into the application. Even if one of the components has known vulnerabilities, it results in making the application insecure.

To prevent this vulnerability, there should be a proper patch management process in place that automatically checks every component against a vulnerability database and suggests the patches to be made

  1. Insufficient Logging and Monitoring

If there is insufficient logging, attackers can easily exploit the system without being detected, and it becomes even harder to respond to the attacks in a timely manner.

Make sure that all login, access control, and server-side input validation failures are logged with user context so that they can be used to identify suspicious activity.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.