Top 10 web security vulnerabilities according to OWASP 2020 announcement

AnonyViet by AnonyViet
January 27, 2023
in Security

OWASP stands for Open Web Application Security Project, an online community that produces articles, methodologies, documentation, tools and technologies in the field of web application security. Every three to four years OWASP publishes a list of the most common and most dangerous vulnerability categories encountered in web applications. Below are the ten categories on the list as it stood in 2020.


What is the OWASP Top 10?

The OWASP Top 10 is a list of the ten most common and most critical categories of web application vulnerability. For each category it describes the risk, the impact and the countermeasures. It is updated every three to four years; the edition current in 2020, and described below, is the 2017 list (the next revision, published in 2021, merged and renamed several of these categories).

OWASP Top 10 Vulnerabilities in 2020

Injection

Injection flaws let an attacker smuggle untrusted data into a command or query so that an interpreter executes part of it as code. Targets include the operating system (via system calls or shell commands that launch external programs), LDAP and other directory services, and above all the back-end database via SQL (SQL injection). Entire attack scripts can be written in Perl, Python or other languages against poorly designed applications. Any time an application passes user-controlled input to an interpreter of any kind there is a risk of opening such a hole. Injection was ranked first in the 2017 list.
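An added example, not taken from the original article, showing the SQL injection case side by side with its fix. The user table, the credentials and the login handlers are constructed for the demonstration (passwords are kept in clear text only to keep it short; a real application stores a salted hash):

```python
import sqlite3


# Constructed in-memory table standing in for the application's user store.
# Passwords are kept in clear text only to keep the example short; a real
# application stores a salted hash and never compares raw passwords in SQL.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # Untrusted input is pasted into the query text, so the SQL interpreter
    # cannot tell where the data ends and the attacker's SQL begins.
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    # Parameterised query: values are bound separately from the SQL text,
    # so a quote inside the input is just another character in a string.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo() -> dict:
    """Run the same attack against both handlers and report what each returns."""
    conn = make_db()
    # Closes the password literal and appends a condition that is always true:
    #   ... AND password = '' OR '1'='1'
    payload = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "nobody", payload),  # ('alice', 'admin')
        "safe": login_safe(conn, "nobody", payload),              # None
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler returns the first row of the table, which here happens to be the admin account, without any valid credential; the parameterised handler returns nothing because it is searching for a user whose password is literally `' OR '1'='1`.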

Broken Authentication

Broken authentication is an umbrella term for a group of vulnerabilities that attackers exploit to impersonate legitimate users and gain access to the system. In general it refers to weaknesses in two areas: session management and credential management. Both fall under the same heading because the attacker ends up with one of two things: a valid session identifier that belongs to someone else, or that person's credentials.

Attackers use a range of strategies to take advantage of these weaknesses, from mass credential stuffing (replaying username/password pairs leaked from other sites) to highly targeted attempts to obtain the login credentials of one specific person.
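An added example, not part of the original article, covering the two areas named above: credential storage with a salted slow hash and a constant-time comparison, and server-side session handling that rotates the identifier at login (which defeats session fixation), enforces an idle timeout and invalidates on logout. The 15-minute timeout and the PBKDF2 work factor are assumed policy values, and the session store is an in-memory stand-in for whatever the application uses:

```python
import hashlib
import hmac
import os
import secrets
import time

SESSION_TTL = 15 * 60      # assumed policy: idle sessions die after 15 minutes
PBKDF2_ROUNDS = 200_000    # assumed work factor for password hashing


# --- credential management -------------------------------------------------

def hash_password(password: str) -> bytes:
    # Per-user random salt + slow key derivation; the stored value is salt||digest.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(stored: bytes, password: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# --- session management ----------------------------------------------------

class SessionStore:
    """Server-side session table: session id -> {user, last_seen}."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable so the idle timeout can be tested

    @staticmethod
    def _new_id() -> str:
        # 32 bytes from the OS CSPRNG; never derive ids from time, counters or usernames.
        return secrets.token_urlsafe(32)

    def create_anonymous(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, sid: str, user: str) -> str:
        # Rotate the identifier whenever privilege changes. If an attacker had
        # planted `sid` in the victim's browser (session fixation), that value
        # is now dead and the attacker never learns the replacement.
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def user_for(self, sid: str):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > SESSION_TTL:
            del self._sessions[sid]   # idle timeout enforced server-side
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def logout(self, sid: str) -> None:
        # Invalidate on the server; clearing the cookie alone leaves the id usable.
        self._sessions.pop(sid, None)


def fixation_demo() -> dict:
    """Attacker plants a session id; victim logs in with it; attacker tries to use it."""
    store = SessionStore()
    planted = store.create_anonymous()           # attacker obtains an id and plants it
    victim_sid = store.login(planted, "alice")   # victim authenticates with the planted id
    return {
        "attacker_sees": store.user_for(planted),     # None: the planted id was rotated away
        "victim_sees": store.user_for(victim_sid),    # 'alice'
        "rotated": planted != victim_sid,             # True
    }
```

Rotating the identifier at login is the single change that turns session fixation from a working attack into a dead end; the timeout and server-side logout close the remaining window in which a stolen identifier stays usable.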

Sensitive Data Exposure

Sensitive Data Exposure occurs when an application, company or organization leaves personal or confidential data insufficiently protected, so that it can be read by someone who should not see it. It differs from a data breach: a breach is the event in which an attacker gains access and takes the data, whereas sensitive data exposure is the weakness (missing or weak encryption, data sent over plain HTTP, verbose error messages) that makes the breach easy.

Sensitive data is lost because the database or store where it lives is inadequately protected. This can result from weak code, missing or outdated encryption, software bugs, or simply someone uploading data to the wrong place.

Many kinds of data can be affected: bank account numbers, credit card numbers, healthcare records, session keys, home addresses, phone numbers, dates of birth, and account information such as usernames and passwords. Even when the exposure results from carelessness rather than a deliberate attack, it still falls under this OWASP category.

XML External Entities (XXE)

XML External Entities (XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. It typically lets the attacker read files on the application server's file system and interact with back-end or external systems that the application itself can reach.

In some situations an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by using the XXE vulnerability to perform server-side request forgery (SSRF) attacks.
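An added example, not part of the original article, showing what an XXE probe looks like and the check that stops it. The parser below uses Python's expat bindings directly and refuses any DOCTYPE or entity declaration before the parser processes it; the order document format and both inputs are constructed for the demonstration:

```python
import xml.parsers.expat as expat


class DTDForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def parse_untrusted_xml(data: str) -> dict:
    """Parse flat <root><child>text</child>...</root> documents into {tag: text}.

    Any DTD is refused before its contents are processed. Without a DTD there
    is nowhere to declare an entity, so neither external entities (file reads,
    SSRF) nor entity-expansion bombs can get in.
    """
    parser = expat.ParserCreate()
    fields: dict = {}
    open_tags: list = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE '{name}' rejected in untrusted input")

    def entity_decl(name, *unused):
        raise DTDForbidden(f"entity '{name}' rejected in untrusted input")

    def start_element(tag, attrs):
        open_tags.append(tag)
        fields.setdefault(tag, "")

    def char_data(text):
        # expat may deliver one element's text in several chunks; concatenate.
        if open_tags:
            fields[open_tags[-1]] += text

    def end_element(tag):
        open_tags.pop()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element
    parser.Parse(data, True)   # an exception raised in a handler propagates out of Parse()
    return {tag: text.strip() for tag, text in fields.items()}


# Constructed inputs: a classic XXE probe and a benign document of the same shape.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<order><item>&xxe;</item></order>"""

BENIGN_ORDER = "<order><item>widget</item><qty>2</qty></order>"


def classify(data: str) -> str:
    """'rejected' when the DTD gate fires, else 'parsed'."""
    try:
        parse_untrusted_xml(data)
    except DTDForbidden:
        return "rejected"
    return "parsed"


if __name__ == "__main__":
    print(classify(XXE_PAYLOAD), parse_untrusted_xml(BENIGN_ORDER))
```

The payload asks the parser to define an entity whose value is the contents of `/etc/passwd` and then places that entity inside an element that the application would echo back or store; a parser that resolves external entities would read the file. Rejecting the DOCTYPE outright is simpler and safer than trying to distinguish harmless DTDs from hostile ones, and the same gate blocks the "billion laughs" expansion attack.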

Broken Access Control

Access control enforces policy so that users cannot act outside their intended permissions. Failures typically lead to unauthorized disclosure of information, modification or destruction of data, or use of functions beyond the user's limits. Common access control vulnerabilities include:

  • Bypassing access checks by modifying the URL, internal application state or HTML page, or simply by calling the API directly with a custom tool.
  • Changing the primary key in a request to another user's record, allowing other people's accounts to be viewed or edited.
  • Elevation of privilege: acting as a user without logging in, or acting as an administrator when logged in as a normal user.
  • Manipulating metadata, such as replaying or tampering with a JSON Web Token (JWT), a cookie or a hidden field to elevate privileges, or abusing JWT invalidation.
  • CORS misconfiguration that allows unauthorized API access.
  • Forced browsing to authenticated pages as an unauthenticated user, or to privileged pages as a standard user; API endpoints with missing access controls on POST, PUT and DELETE.
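An added example, not part of the original article, of the second and last bullets above: an endpoint that trusts the record id in the URL (insecure direct object reference) beside one that checks ownership and role, plus a state-changing operation with its own check. The invoice table, the users and their roles are constructed for the demonstration:

```python
# Constructed records: each invoice belongs to one user; some users are admins.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


class Forbidden(Exception):
    """The caller is authenticated but not allowed to perform this action."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> dict:
    # Trusts the id taken from the URL (e.g. GET /invoices/102) and never asks
    # who owns it: alice can read bob's invoice by changing one digit.
    return INVOICES[invoice_id]


def get_invoice(current_user: str, invoice_id: int) -> dict:
    # Deny by default: look the record up, then check that the caller owns it
    # or holds a role that is allowed to see everything.
    record = INVOICES.get(invoice_id)
    if record is None:
        raise KeyError(invoice_id)
    if record["owner"] != current_user and ROLES.get(current_user) != "admin":
        raise Forbidden(f"{current_user} may not read invoice {invoice_id}")
    return record


def delete_invoice(current_user: str, invoice_id: int) -> None:
    # State-changing verbs (DELETE, PUT, POST) need the same discipline as GET;
    # here deletion is reserved for admins regardless of ownership.
    if ROLES.get(current_user) != "admin":
        raise Forbidden(f"{current_user} may not delete invoices")
    INVOICES.pop(invoice_id)


def can_read(current_user: str, invoice_id: int) -> bool:
    try:
        get_invoice(current_user, invoice_id)
    except Forbidden:
        return False
    return True
```

One caveat for a real API: answering "forbidden" for a record that exists and "not found" for one that does not tells an attacker which ids are valid; many services return the same 404 for both cases.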

Security Misconfiguration

Security misconfiguration means security settings that are defined, implemented or maintained improperly or unsafely, putting the system and its data at risk. Essentially, any poorly documented configuration change, default setting left in place, or technical fault on any component of the stack can amount to a misconfiguration.

Misconfiguration happens for a multitude of reasons. Modern infrastructures are so complex that organizations often overlook important settings, including new network equipment still running its default configuration. A developer may write overly permissive firewall rules or create network shares for convenience while building software. Administrators sometimes relax settings for testing or troubleshooting and forget to restore the original state. Common areas of misconfiguration include default accounts and passwords, unused features and services left enabled, verbose error messages that reveal stack traces, missing security headers, weak password policy and legacy protocols.

Cross Site Scripting (XSS)

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim's web browser by injecting malicious code into a legitimate website or web application. The attack itself happens when the victim visits the page that serves the injected code: the website or web application becomes the vehicle that delivers the script to the user's browser. Commonly targeted are forums, message boards and any site that accepts comments.

A website or web application is vulnerable to XSS if it includes user input in its output without validating or encoding it, and that output is then parsed by the browser. XSS has also been carried out through VBScript, ActiveX, Flash and even CSS, but it is overwhelmingly a JavaScript problem, because JavaScript is what browsers run. Almost everyone who learns about OWASP knows this vulnerability.
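An added example, not part of the original article, of the server-side rendering mistake and its fix. It goes a step beyond the paragraph by also covering the URL-in-attribute context, where encoding alone is not enough. The comment markup and the `safe_href` allow-list are constructed for the demonstration:

```python
import html
from urllib.parse import urlsplit


def render_comment_vulnerable(author: str, body: str) -> str:
    # Untrusted text dropped straight into markup: the browser parses it as HTML.
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment(author: str, body: str) -> str:
    # Output encoding for the HTML-body context: < > & " ' become entities,
    # so whatever the user typed is displayed, never interpreted.
    return (
        f'<div class="comment"><b>{html.escape(author, quote=True)}</b>: '
        f'{html.escape(body, quote=True)}</div>'
    )


def safe_href(url: str) -> str:
    # URL context inside an attribute. Escaping does not help here because
    # "javascript:alert(1)" contains no HTML-special characters, so the scheme
    # is checked against an allow-list before the value goes into href.
    # Site-relative paths are allowed; protocol-relative "//host" is not.
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme in ("http", "https"):
        return url
    if scheme == "" and url.startswith("/") and not url.startswith("//"):
        return url
    return "#"


def render_profile_link(handle: str, url: str) -> str:
    # Validate the raw URL first, then encode for the attribute context.
    return (
        f'<a href="{html.escape(safe_href(url), quote=True)}">'
        f'{html.escape(handle, quote=True)}</a>'
    )
```

The order in `render_profile_link` matters: the scheme check runs on the raw value, and only then is the result entity-encoded, so a payload such as `javascript&colon;alert(1)` is neither accepted by the allow-list nor decoded back into a working scheme by the browser.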

Insecure Deserialization

Serialization is the process of converting complex data structures, such as objects and their fields, into a "flatter" format that can be sent and received as a sequential stream of bytes. It is used to:

  • Write complex data to inter-process memory, files or databases.
  • Send complex data over a network, between different components of an application, or within an API call.

Deserialization is the reverse: restoring that stream of bytes into a fully functional copy of the original object, in the exact state it had when it was serialized, so that application logic can use it like any other object. Importantly, serialization preserves the object's state: its properties are kept, together with their values.

The vulnerability arises when an application deserializes data it does not control. Because the serialized form can name arbitrary classes and their state, an attacker who supplies the bytes can craft objects that run code during reconstruction, tamper with application logic, or exhaust resources.
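An added example, not part of the original article, using Python's `pickle` as the serializer: a crafted object whose reconstruction runs attacker-chosen code, a restricted unpickler that refuses anything outside an allow-list, and the preferable approach of a data-only format with explicit validation. The payload's side effect is deliberately harmless (it returns the current process id) so that its execution is observable; the allow-list and the order schema are assumptions for the demonstration:

```python
import io
import json
import os
import pickle


class Malicious:
    # pickle asks __reduce__ how to rebuild the object. The answer is "call
    # this callable with these arguments", and the callable may be anything
    # importable, so loading the bytes runs attacker-chosen code. The
    # expression here is harmless (it returns the current PID) so that its
    # execution can be observed; a real payload would spawn a shell.
    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def attacker_payload() -> bytes:
    return pickle.dumps(Malicious())


def load_vulnerable(blob: bytes):
    # The classic mistake: pickle.loads on bytes that arrived from the network.
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Only reconstruct classes on an explicit allow-list; refuse everything else."""

    ALLOWED = {("builtins", "set"), ("collections", "OrderedDict")}   # assumed app needs

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def load_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# Preferable: a data-only format with explicit validation of shape and types.
ORDER_SCHEMA = {"item": str, "qty": int}


def load_order_json(text: str) -> dict:
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != set(ORDER_SCHEMA):
        raise ValueError("unexpected fields")
    for key, expected in ORDER_SCHEMA.items():
        if type(data[key]) is not expected:   # exact type: rejects bool for int, "2" for 2
            raise ValueError(f"bad type for {key}")
    return data


def demo() -> dict:
    blob = attacker_payload()
    code_ran = load_vulnerable(blob) == os.getpid()   # True: eval ran inside loads()
    try:
        load_restricted(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True                                  # builtins.eval is not on the list
    return {"code_ran": code_ran, "blocked": blocked}
```

The restricted unpickler is the mitigation documented in Python's own `pickle` module and is the right choice only when a native object format is unavoidable; where the data is really just fields and values, JSON with a checked schema removes the class of bug entirely.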

Using components with known vulnerabilities

Known vulnerabilities are those that have been discovered in open source components and published in the NVD, in a vendor security advisory, or in the project's issue tracker. Once published, a vulnerability can be exploited by anyone who reads the advisory and finds an application still running the affected version. According to OWASP, using vulnerable components is very common. Furthermore, open source components are used so widely and so deeply (dependencies of dependencies) that many development leads do not even know which components their applications contain, which is why an inventory of components and their versions, checked regularly against advisories, is the first line of defense.

Insufficient Logging and Monitoring

When an organization lacks sufficient logging, detection, monitoring and response capability, attackers rely on that gap to reach their goals undetected. Typical shortcomings include:

  • Auditable events, such as logins, failed logins and high-value transactions, are not logged.
  • Warnings and errors produce incomplete or ambiguous log messages.
  • Application and API logs are not monitored for suspicious activity.
  • Logs are stored locally only, so an attacker who compromises the host can erase them.
  • Alerting thresholds and response escalation procedures are missing or ineffective.
  • Penetration testing and scanning with DAST tools (such as OWASP ZAP) do not trigger alerts.
  • The application cannot detect, report or alert on active attacks in real time or near real time.
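An added example, not part of the original article, of the detection that the first, third and last bullets above call for, run over constructed authentication log lines. It also illustrates the credential stuffing attack mentioned under Broken Authentication. The log format, the addresses, the usernames and the thresholds (five failures in five minutes, four distinct users) are all assumptions for the demonstration:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an application's authentication log; none of the
# addresses or users are real. One deliberately malformed line is included.
AUTH_LOG = """\
2023-01-27T10:00:01Z auth result=fail user=alice src=203.0.113.9
2023-01-27T10:00:03Z auth result=fail user=bob src=203.0.113.9
2023-01-27T10:00:05Z auth result=fail user=carol src=203.0.113.9
2023-01-27T10:00:07Z auth result=fail user=dave src=203.0.113.9
2023-01-27T10:00:09Z auth result=fail user=erin src=203.0.113.9
2023-01-27T10:00:11Z auth result=ok user=frank src=203.0.113.9
2023-01-27T10:02:00Z auth result=fail user=alice src=192.0.2.5
2023-01-27T10:02:20Z auth result=ok user=alice src=192.0.2.5
2023-01-27T11:30:00Z auth result=fail user=admin src=198.51.100.7
2023-01-27T11:30:10Z auth result=fail user=admin src=198.51.100.7
2023-01-27T11:30:20Z auth result=fail user=admin src=198.51.100.7
2023-01-27T11:30:30Z auth result=fail user=admin src=198.51.100.7
2023-01-27T11:30:40Z auth result=fail user=admin src=198.51.100.7
2023-01-27T11:30:50Z auth result=fail user=admin src=198.51.100.7
this line is not in the expected format and must not crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text: str) -> list:
    """Turn raw lines into event dicts; unparsable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events: list, window=timedelta(minutes=5),
           fail_threshold=5, distinct_users=4) -> list:
    """One alert per source IP whose densest `window` of failed logins reaches
    `fail_threshold`. Many distinct usernames means credential stuffing; the
    same username over and over means brute force. A later successful login
    from the same source is reported because that account may be compromised."""
    fails_by_src = defaultdict(list)
    ok_by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        (fails_by_src if e["result"] == "fail" else ok_by_src)[e["src"]].append(e)

    alerts = []
    for src, fails in fails_by_src.items():
        best = []
        start = 0
        for end in range(len(fails)):            # sliding window over sorted failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        if len(best) < fail_threshold:
            continue
        users = {e["user"] for e in best}
        kind = "credential_stuffing" if len(users) >= distinct_users else "brute_force"
        later_ok = sorted({e["user"] for e in ok_by_src[src] if e["ts"] > best[0]["ts"]})
        alerts.append({
            "src": src,
            "kind": kind,
            "failures": len(best),
            "distinct_users": len(users),
            "first_seen": best[0]["ts"].isoformat(),
            "later_success_for": later_ok,
        })
    return sorted(alerts, key=lambda a: a["first_seen"])


def run_detection() -> list:
    return detect(parse_auth_log(AUTH_LOG))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the sample, 203.0.113.9 fails against five different accounts in eight seconds and then succeeds as `frank`, which is the credential stuffing pattern with a probable account takeover; 198.51.100.7 hammers `admin` six times and is plain brute force; the single failure from 192.0.2.5 followed by a success is an ordinary typo and raises nothing. None of this is possible if failed logins are not logged in the first place, and none of it helps if the alerts go nowhere.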

Above is the list of the OWASP Top 10 web application vulnerabilities as it stood in 2020.
