2. The Open Web Application Security Project (OWASP) is an open-source
application security project.
OWASP is an open community dedicated to enabling
organizations to conceive, develop, acquire, operate, and
maintain applications that can be trusted.
The OWASP Top 10 lists the most prevalent attacks in a general
order of prevalence
3. OWASP Top 10 Web Application Vulnerabilities
Injection Flaws
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross-Site Request Forgery (CSRF)
Using Known Vulnerable Components
Unvalidated Redirects and Forwards
4. Injection Flaws
Injection flaws, such as SQL and command injection, occur when untrusted
data is sent to the application as part of user input.
Types of Injection flaws
• Command Injection
Targets the underlying operating system of the web server
(Ex: password field contains: "somepassword; rm -rf /")
• Code Injection
Targets the application or web browser
(Ex: <script>alert("you are hacked");</script>)
• SQL Injection
Targets the back-end database of the web application.
(Ex: SELECT * FROM users WHERE name = '' OR '1'='1' -- ';)
5. Do rigorous input data validation
Do server-side validation
Each parameter should be checked against a whitelist that
specifies exactly what input will be allowed
Validation Criteria
Data type (string, integer, real, etc…)
Allowed character set or numeric range
Minimum and maximum length
Whether null is allowed
Whether duplicates are allowed
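The two slides above (injection flaws and whitelist validation) fit together in one added example, which is not part of the original deck: a per-parameter whitelist that checks data type, character set, length and nullability, followed by a lookup written two ways, with string concatenation (the slide's SQL payload then matches every row) and with validation plus a parameterized query. The rule table, the users table and the in-memory SQLite database are constructed for the example.

```python
import re
import sqlite3

# Whitelist rules per parameter, following the slide's criteria: data type,
# allowed character set or numeric range, min/max length, whether null is allowed.
# (Constructed for this example.)
RULES = {
    "username": {"type": str, "pattern": re.compile(r"[A-Za-z0-9_]+"),
                 "min_len": 3, "max_len": 32, "nullable": False},
    "age": {"type": int, "min": 0, "max": 150, "nullable": True},
}


def validate(param, value):
    """Return the validated (and type-converted) value, or raise ValueError."""
    rule = RULES[param]
    if value is None:
        if rule["nullable"]:
            return None
        raise ValueError(f"{param}: null not allowed")
    if rule["type"] is int:
        # HTTP parameters arrive as strings; accept only a decimal integer.
        if not isinstance(value, str) or not re.fullmatch(r"-?\d+", value):
            raise ValueError(f"{param}: not an integer")
        number = int(value)
        if not rule["min"] <= number <= rule["max"]:
            raise ValueError(f"{param}: out of range")
        return number
    if not isinstance(value, str):
        raise ValueError(f"{param}: not a string")
    if not rule["min_len"] <= len(value) <= rule["max_len"]:
        raise ValueError(f"{param}: bad length")
    if not rule["pattern"].fullmatch(value):
        raise ValueError(f"{param}: disallowed characters")
    return value


def is_valid(param, value):
    """Boolean form of validate(), convenient for checks and tests."""
    try:
        validate(param, value)
        return True
    except ValueError:
        return False


def make_db():
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the slide's payload  ' OR '1'='1' --  rewrites the
    WHERE clause and the query returns every user."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Whitelist validation first, then a parameterized query. The value is bound
    as data, so quote characters can never change the structure of the query."""
    name = validate("username", name)
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]
```

The parameterized query alone already defeats the injection; the whitelist is the slide's additional layer, and it also rejects the payload before it reaches the database at all.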
6. Application functions related to authentication and session
management are often not implemented correctly, allowing attackers
to compromise passwords, keys, or session tokens, or to exploit other
implementation flaws to assume other users' identities.
Commonly flawed credential management functions include
password change, forgot-my-password, account update and other
related functions.
Typical Impact
User accounts compromised or user sessions hijacked
8. Cross-Site Scripting attacks are a type of injection problem, in
which malicious scripts are injected into otherwise benign and
trusted web sites.
It involves tricking the browser into executing code. The browser
believes that the code is part of the site and runs it in that context.
As a result, the malicious script can access any cookies, session
tokens, or other sensitive information retained by your browser
and used with that site.
Typical Impact
Steal sensitive data, rewrite web page, redirect user to phishing or
malware site
9. Use HTML encoding
<script>XSS example</script> gets encoded as
&lt;script&gt;XSS example&lt;/script&gt;
Use URL encoding
<script>XSS example</script> gets encoded as
%3Cscript%3EXSS%20example%3C%2Fscript%3E
Filter input for any special characters
Use tools such as XSS Me for Firefox or XSS Rays for Chrome to
test your website for any XSS vulnerability
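As an added example (not from the deck), the two encodings from the slide produced with the Python standard library, applied at the point where untrusted data is inserted into HTML text or into a URL query value. The payload is the slide's own; the page fragments it is rendered into are constructed here.

```python
import html
from urllib.parse import quote

# The slide's payload, as it might arrive in a "name" or "q" parameter.
PAYLOAD = "<script>XSS example</script>"


def html_encode(untrusted):
    """Encode for an HTML text context: <, >, &, and quotes become entities,
    so the browser shows them as text instead of parsing a tag."""
    return html.escape(untrusted, quote=True)


def url_encode(untrusted):
    """Encode for use as a URL query value. safe='' also encodes '/',
    which quote() would otherwise leave unencoded."""
    return quote(untrusted, safe="")


def render_greeting_vulnerable(name):
    # Reflects the parameter verbatim: a script tag reaches the HTML parser intact.
    return f"<p>Hello, {name}</p>"


def render_greeting(name):
    # Output encoding at the point of insertion into HTML.
    return f"<p>Hello, {html_encode(name)}</p>"


def build_search_link(term):
    # Output encoding at the point of insertion into a URL query string.
    return f"/search?q={url_encode(term)}"


def contains_script_tag(markup):
    """Crude check, used only to show the difference between the two renderings."""
    return "<script" in markup.lower()
```

Encoding belongs on output and must match the context (HTML body, attribute, URL, JavaScript string); a single input filter, the slide's third bullet, cannot know which context the data will later land in.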
10. A direct object reference occurs when a developer exposes a
reference to an internal implementation object, such as a file,
directory, database record, or key, as a URL or form
parameter.
An attacker can manipulate direct object references to access
other users' objects without authorization.
Typical Impact
Sensitive information disclosure
11. Avoid exposing your private object references to
users whenever possible
Minimize users' ability to predict object IDs/names
Verify user authorization each time sensitive
objects/files/contents are accessed
Use an indirect reference map to create an alternative ID/name for
each server-side object/data item so that the exact ID/name of the
object/data is not exposed
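An indirect reference map as described on the slide, written as an added example rather than taken from the deck: each session maps random tokens to the real IDs of only those objects the user is entitled to, and every access re-checks ownership. The invoice table and user names are constructed.

```python
import secrets


class IndirectReferenceMap:
    """Per-session map between random, unguessable tokens and real object IDs.

    Only objects the current user may see are ever entered, so a guessed token
    or a token copied from another user's session has no entry and the lookup
    fails closed.
    """

    def __init__(self):
        self._to_indirect = {}  # real id -> token
        self._to_direct = {}    # token -> real id

    def indirect(self, direct_id):
        """Return the token for a real ID, creating one on first use."""
        token = self._to_indirect.get(direct_id)
        if token is None:
            token = secrets.token_urlsafe(16)  # 128 bits of randomness
            self._to_indirect[direct_id] = token
            self._to_direct[token] = direct_id
        return token

    def direct(self, token):
        """Resolve a token to the real ID, or None if it is not in this map."""
        return self._to_direct.get(token)


# Constructed sample data: invoices belonging to two users.
INVOICES = {
    1001: {"owner": "alice", "total": 120},
    1002: {"owner": "alice", "total": 80},
    1003: {"owner": "bob", "total": 45},
}


def start_session(user):
    """Build a session whose map references only the user's own invoices;
    'links' are the tokens the page would embed in its URLs."""
    ref_map = IndirectReferenceMap()
    links = [ref_map.indirect(inv_id)
             for inv_id, inv in INVOICES.items() if inv["owner"] == user]
    return {"user": user, "map": ref_map, "links": links}


def view_invoice_vulnerable(user, invoice_id):
    # Takes the real database ID from the URL and never checks who owns it.
    return INVOICES.get(invoice_id)


def view_invoice(session, token):
    """Resolve the indirect reference, then verify ownership on every access."""
    invoice_id = session["map"].direct(token)
    if invoice_id is None:
        return None
    invoice = INVOICES[invoice_id]
    if invoice["owner"] != session["user"]:
        return None
    return invoice
```

The ownership check in view_invoice looks redundant next to the per-user map, but it is the slide's "verify user authorization each time" bullet: the map hides the IDs, the check enforces the rule even if the map is later shared or built incorrectly.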
12. Some common server configuration problems that can plague the
security of a site include
Unpatched security flaws in the server software
Improper file and directory permissions
Unnecessary services enabled, including content
management and remote administration
Default accounts with default passwords
Overly informative error messages
Typical Impact
Server or application compromise
13. Configuring all security mechanisms
Turning off all unused services
Setting up roles, permissions, and accounts, including disabling
all default accounts or changing their passwords
Logging and alerts
Applying the latest security patches (OS, DBMS, Web server and
code libraries)
Regular vulnerability scanning from both internal and external
perspectives
14. Sensitive data like passwords and credit card information
deserves extra protection, such as encryption at rest or in transit.
Common problems leading to sensitive data exposure:
Not encrypting sensitive data
Insecure use of strong algorithms
Continued use of proven weak algorithms
Improper key management
Typical Impact
Sensitive information disclosure
15. Ensure that critical data is encrypted everywhere it is stored
long term, including backups of this data
Strong encryption algorithms are used for encryption
Strong keys are generated, and proper key management is in
place
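The slide's three bullets applied to stored passwords, as an added example that is not from the deck. For passwords specifically the accepted control is a salted, deliberately slow hash rather than reversible encryption, so this example swaps in PBKDF2-HMAC-SHA256 from the standard library and shows it beside the "proven weak algorithm" case (unsalted MD5). The iteration count and record format are choices made here, not values from the slide.

```python
import hashlib
import hmac
import secrets


def store_weak(password):
    """Unsalted MD5: identical passwords hash identically and precomputed
    tables recover the plaintext. Shown only as the weak case."""
    return hashlib.md5(password.encode()).hexdigest()


# Work factor for the strong case (assumption for this example).
ITERATIONS = 600_000


def store_strong(password):
    """PBKDF2-HMAC-SHA256 with a fresh random salt per record. The algorithm
    and iteration count are stored with the record so they can be raised
    later without invalidating existing records (part of key/parameter
    management)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored):
    """True when a record was made with a lower work factor than current policy."""
    _, iterations, _, _ = stored.split("$")
    return int(iterations) < ITERATIONS
```

Data that must be recovered (card numbers, for instance) is the case the slide's "encryption" bullet is about; there the same principles apply to the cipher key: generate it randomly, store it apart from the data, and be able to rotate it.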
16. Access control is the mechanism that authorizes requests to a system
resource, determining whether access to that functionality should be
granted or denied.
Attacks on Access Control can be
Vertical
Horizontal
Typical Impact
Elevation of privileges and disclosure of confidential data
17. Implement role based access control to assign permissions to
application users for vertical access control
Implement data-contextual access control to assign
permissions to application users in the context of specific data
items for horizontal access control
Where possible, restrict administrator access to machines
located on the local area network (i.e. it is best to avoid remote
administrator access from public-facing access points)
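The first two bullets above, role-based control for the vertical case and data-contextual control for the horizontal case, as an added example that is not from the deck. The role table, order store and permission names are constructed.

```python
from functools import wraps


class AccessDenied(Exception):
    pass


# Vertical access control: what each role may do. (Constructed.)
ROLE_PERMISSIONS = {
    "user":  {"order:view", "order:cancel"},
    "staff": {"order:view", "order:cancel", "order:refund"},
    "admin": {"order:view", "order:cancel", "order:refund", "user:disable"},
}

# Constructed data store.
ORDERS = {
    501: {"customer": "alice", "status": "paid"},
    502: {"customer": "bob", "status": "paid"},
}


def has_permission(user, permission):
    return permission in ROLE_PERMISSIONS.get(user["role"], set())


def requires(permission):
    """Decorator enforcing the vertical check server-side on every call,
    independent of whether the UI showed the button."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not has_permission(user, permission):
                raise AccessDenied(f"{user['name']} lacks {permission}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


def may_act_on(user, order):
    """Horizontal (data-contextual) check: customers touch only their own
    orders; staff and admins may act on any order."""
    return order["customer"] == user["name"] or user["role"] in ("staff", "admin")


@requires("order:cancel")
def cancel_order(user, order_id):
    order = ORDERS[order_id]
    if not may_act_on(user, order):
        raise AccessDenied("not your order")
    order["status"] = "cancelled"
    return order["status"]


@requires("order:refund")
def refund_order(user, order_id):
    order = ORDERS[order_id]
    if not may_act_on(user, order):
        raise AccessDenied("not your order")
    order["status"] = "refunded"
    return order["status"]


def allowed(action, *args):
    """Demonstration helper: True if the action runs, False if access is denied."""
    try:
        action(*args)
        return True
    except AccessDenied:
        return False
```

Both checks run inside the function that performs the action, not in the page that links to it: missing function level access control is precisely the case where the link is hidden but the function itself still answers.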
18. Cross-Site Request Forgery (CSRF) is an attack that tricks the
victim into loading a page that contains a malicious request to
perform an action on the victim's behalf.
For example, using CSRF, an attacker makes the victim perform
actions they did not intend to, such as logging out, purchasing an
item, changing account information, or any other function
provided by the vulnerable website.
Typical Impact
Attackers can persuade victims to perform any function on the
web application in which the user is currently authenticated
19. • Secret (non-predictable) Validation Token
• Referrer Validation
• User re-authentication for any account related tasks (password
change)
• Use of two factor authentication for any sensitive tasks (online
payment)
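The first two defences on the slide, an unpredictable per-session validation token and referrer validation, as an added example not taken from the deck. The site origin, the form and the session dictionary are constructed; the trusted and untrusted hostnames reuse the ones from the redirect slide later in the deck.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption for this example: the application's own origin.
SITE_ORIGIN = "https://mytrustedsite.com"


def issue_csrf_token(session):
    """One unpredictable token per session, embedded in every state-changing form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_form(session):
    """The form a legitimate page serves; the hidden field carries the token."""
    return ('<form method="POST" action="/account/email">'
            f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session)}">'
            '<input name="email"><button>Save</button></form>')


def referer_ok(headers):
    """Referrer validation: a missing or foreign Referer is rejected for
    state-changing requests (a forged request comes from the attacker's page)."""
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_post(session, form, headers):
    """Server-side handler: both checks must pass before the action runs."""
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "bad or missing CSRF token"
    if not referer_ok(headers):
        return 403, "bad referer"
    session["email"] = form["email"]
    return 200, "email updated"
```

The token defence works because the same-origin policy stops a page on another site from reading the form, so it cannot learn the value to include; the Referer check is a second, independent signal and is why the slide lists both.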
20. Vulnerable software components can be identified and exploited by
attackers via automated tools and vulnerability databases.
Typical Impact
The full range of weaknesses is possible, including injection,
broken access control, XSS, etc.
21. Identify the components and their versions you are using,
including all dependencies. (e.g., the versions plugin)
Monitor the security of these components in public databases,
project mailing lists, and security mailing lists, and keep them
up-to-date
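The inventory step described above, as an added example that is not from the deck: pinned dependencies are parsed from requirements.txt syntax and compared numerically against a list of affected version ranges. The package names, versions and advisory identifiers are constructed placeholders, not real advisories.

```python
# Constructed inventory in requirements.txt format (every dependency pinned).
REQUIREMENTS = """\
examplelib==1.4.2
webframework==2.0.9
# comment lines and blank lines are ignored

parserkit==0.9.1
"""

# Constructed advisories: affected range is [introduced, fixed).
ADVISORIES = [
    {"package": "webframework", "introduced": "2.0.0", "fixed": "2.0.10",
     "id": "ADVISORY-PLACEHOLDER-1"},
    {"package": "parserkit", "introduced": "0.0.0", "fixed": "1.0.0",
     "id": "ADVISORY-PLACEHOLDER-2"},
    {"package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.0",
     "id": "ADVISORY-PLACEHOLDER-3"},
]


def parse_version(text):
    """'2.0.10' -> (2, 0, 10): compare numerically, never as strings,
    otherwise '2.0.9' sorts after '2.0.10'."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Return {package: version}; refuse unpinned entries, since an unknown
    version cannot be monitored."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps, advisories):
    """List (package, installed version, advisory id) for every match."""
    hits = []
    for adv in advisories:
        installed = deps.get(adv["package"].lower())
        if installed is None:
            continue
        if parse_version(adv["introduced"]) <= parse_version(installed) < parse_version(adv["fixed"]):
            hits.append((adv["package"], installed, adv["id"]))
    return hits
```

Run against a real project, the advisory list would come from the public databases and mailing lists the slide names, and the check would sit in the build so that a new advisory fails the build rather than waiting for someone to read the list.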
22. Unvalidated redirects and forwards are possible when a web
application accepts untrusted input that could cause the web
application to redirect the request to a URL contained within
untrusted input.
Typical Impact
Redirect victim to phishing or malware site or bypass security
checks to perform unauthorized function or data access
http://mytrustedsite.com/Redirect.aspx?Url=http://myuntrustedsite.com
(Figure: malicious redirection)
23. Simply avoid using redirects and forwards
Spider the site to see if it generates any redirects (check for
HTTP response codes)
All input must be validated against a whitelist of acceptable
value ranges
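The whitelist check from the last bullet, as an added example that is not from the deck, using the slide's Redirect.aspx?Url= case: the Url parameter is accepted only if it is a relative path on a whitelist or an absolute http(s) URL on the trusted host, and anything else falls back to a default. The trusted hostnames and the allowed paths are assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the application's own hosts and the local
# paths it is willing to redirect to.
TRUSTED_HOSTS = {"mytrustedsite.com", "www.mytrustedsite.com"}
ALLOWED_PATHS = {"/", "/account", "/orders"}
DEFAULT_TARGET = "/"


def safe_redirect_target(url_param):
    """Return a redirect target that stays on the trusted site, else the default.

    The parse is done once with urlsplit and every decision is made on its
    components, so the scheme-relative form (//host/...), non-http schemes and
    a userinfo part (trusted.com@other.com) are all handled by the same path.
    """
    if not url_param:
        return DEFAULT_TARGET
    parts = urlsplit(url_param.strip())

    if parts.scheme == "" and parts.netloc == "":
        # Relative URL. Backslashes are rejected because some browsers treat
        # them as slashes, which would turn a path into a host.
        if "\\" in url_param or not url_param.startswith("/"):
            return DEFAULT_TARGET
        return parts.path if parts.path in ALLOWED_PATHS else DEFAULT_TARGET

    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    if parts.hostname not in TRUSTED_HOSTS:
        return DEFAULT_TARGET
    path = parts.path or "/"
    return path if path in ALLOWED_PATHS else DEFAULT_TARGET


def redirect_vulnerable(url_param):
    """The slide's flaw: the Location header is whatever the parameter says."""
    return url_param


def redirect(url_param):
    """Hardened handler: Location is always a whitelisted local path."""
    return safe_redirect_target(url_param)
```

Returning a path rather than the original string is deliberate: even an accepted absolute URL is rewritten to its path, so the response never echoes attacker-controlled text into the Location header.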