Continued from my previous post: Threats and Risks
The Open Web Application Security Project (OWASP) is a non-profit charitable community focused on improving the security of web applications. OWASP is not associated with any commercial organization, which lets it provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide.
OWASP has identified the following top 10 Web Application Threats:
- Cross Site Scripting (XSS)
- Injection Flaws
- Malicious File Execution (remote file inclusion)
- Insecure Direct Object Reference
- Cross Site Request Forgery (CSRF)
- Information leakage and Improper Error Handling
- Broken Authentication and Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to Restrict URL Access
Cross-site scripting (XSS)
Cross-site scripting attacks, commonly known as XSS, inject script into a web application; it is generally browser-side (client-side) script. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute it. Because the browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and pass them on to the attacker.
Injection Flaws
Injection flaws allow hackers to attack a vulnerable website to relay malicious code and run harmful scripts that affect the network and other systems. SQL Injection is the most common, particularly widespread and dangerous form of injection. The consequences can be devastating for the database: an attacker can obtain full access to database objects and corrupt or destroy database contents. We shall devote an entire post to SQL Injection, with examples and protection procedures.
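As an added example (my own illustration, not code from the original post or from OWASP), the following Python shows the root cause of XSS and its fix: untrusted input placed into HTML without encoding, next to the same output encoded for the context it lands in. The sample inputs are constructed; the function names are mine.

```python
import html
import json

# Constructed sample inputs (not from the post) that a user might submit in a "name" field.
SAMPLE_BENIGN = "Alice"
SAMPLE_SCRIPT = "<script>alert(document.cookie)</script>"
SAMPLE_ATTR = '" onmouseover="alert(1)'


def render_greeting_vulnerable(name: str) -> str:
    # Untrusted input is interpolated straight into HTML, so the browser
    # parses (and executes) whatever markup the input contains.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # html.escape turns < > & " ' into entities, so the input is displayed
    # as text and can never open a tag or attribute.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_search_box_safe(value: str) -> str:
    # Attribute context: the attribute must be quoted AND quotes inside the
    # value must be escaped, otherwise the input can close the attribute and
    # append an event handler.
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def escape_for_js_string(value: str) -> str:
    # JavaScript-string context: JSON-encode, then escape < and > so that a
    # value such as "</script>" cannot terminate the enclosing <script> block.
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def looks_like_executable_markup(fragment: str) -> bool:
    # Minimal check used only to contrast the two renderers: does a raw
    # "<script" tag or an unescaped attribute-closing quote reach the output?
    lowered = fragment.lower()
    return "<script" in lowered or '" on' in lowered


if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_SCRIPT, SAMPLE_ATTR):
        print("vulnerable:", render_greeting_vulnerable(sample))
        print("safe:      ", render_greeting_safe(sample))
```

The point to take from it is that encoding is context-specific: the same value needs HTML-entity encoding in element text and attributes, but JSON-style encoding inside a script block. A templating engine with auto-escaping does the first part for you; the second still needs care.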
Malicious File Execution
Many applications allow users to upload files to the server, trust the uploaded file and concatenate or include its content. Hackers take advantage of this by hiding malicious script or code inside the uploaded file.
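As an added example (my own code, not from the original post), the Python below shows the checks an upload handler should make before a file is kept: a size limit, an extension allow-list paired with the file's magic bytes, a server-chosen file name, and a storage directory outside the web root. The storage path is an assumed placeholder and the sample file contents are constructed.

```python
import os
import pathlib
import secrets

# Assumed storage location outside the web root (hypothetical path, not from the post).
# Files here are streamed back by an application handler, never executed or included.
UPLOAD_DIR = pathlib.PurePosixPath("/srv/app/uploads")
MAX_UPLOAD_BYTES = 2 * 1024 * 1024

# Extension allow-list paired with the magic bytes the content must start with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(original_name: str, content: bytes) -> str:
    """Return the extension to store under, or raise ValueError."""
    if len(content) > MAX_UPLOAD_BYTES:
        raise ValueError("file too large")
    # Discard any directory part the client sent (../ sequences, absolute paths, backslashes).
    base = os.path.basename(original_name.replace("\\", "/"))
    ext = pathlib.PurePosixPath(base).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension {ext!r} not allowed")
    # The declared type must match what the bytes actually are.
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    return ext


def choose_storage_path(original_name: str, content: bytes) -> pathlib.PurePosixPath:
    # The server picks the name: a random token plus the validated extension.
    # Nothing from the client-supplied name reaches the file system.
    ext = validate_upload(original_name, content)
    return UPLOAD_DIR / (secrets.token_hex(16) + ext)


def is_upload_accepted(original_name: str, content: bytes) -> bool:
    try:
        validate_upload(original_name, content)
        return True
    except ValueError:
        return False


# Constructed sample contents: a PNG header followed by padding, and a script file.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_SCRIPT = b"<?php echo 'not an image'; ?>"
```

Renaming on the server is what defeats both the double-extension trick and path traversal in one move: whatever the client called the file, the only name that exists on disk is one the application generated.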
Insecure Direct Object Reference
Insecure direct object reference flaws arise when a developer exposes a reference to an internal implementation object, such as a file, directory or database key, without applying the necessary protection. An attacker can manipulate these references to access unauthorized data.
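As an added example (mine, not from the original post), here is the flaw and its fix in Python: a handler that looks up an invoice by the raw database key from the URL, beside one that only hands out per-session opaque references and, more importantly, checks that the record belongs to the caller. The invoice records and names are constructed.

```python
import secrets

# Constructed records: internal database keys and who owns each one.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 75.50},
}


def get_invoice_vulnerable(invoice_id: int) -> dict:
    # The key comes straight from the URL (/invoice?id=1002) and nobody checks
    # whether the caller is allowed to see that record. Changing the number in
    # the address bar is all it takes to read someone else's invoice.
    return INVOICES[invoice_id]


class ReferenceMap:
    """Per-session indirection: opaque tokens stand in for internal keys, so the
    real key never appears in a URL and cannot be guessed or enumerated."""

    def __init__(self) -> None:
        self._by_token = {}

    def token_for(self, internal_key: int) -> str:
        token = secrets.token_urlsafe(16)
        self._by_token[token] = internal_key
        return token

    def resolve(self, token: str):
        return self._by_token.get(token)


def invoice_links_for(user: str, refmap: ReferenceMap) -> dict:
    # Only the caller's own records are ever given a token.
    return {refmap.token_for(k): k for k, v in INVOICES.items() if v["owner"] == user}


def get_invoice_safe(user: str, token: str, refmap: ReferenceMap) -> dict:
    key = refmap.resolve(token)
    if key is None:
        raise PermissionError("unknown reference")
    invoice = INVOICES[key]
    # The ownership check is the essential control; the token map only hides the keys.
    if invoice["owner"] != user:
        raise PermissionError("not your invoice")
    return invoice


def can_read(user: str, token: str, refmap: ReferenceMap) -> bool:
    try:
        get_invoice_safe(user, token, refmap)
        return True
    except PermissionError:
        return False
```

If you adopt only one of the two measures, make it the ownership check: an indirect reference that is still served without an authorization check is just a harder-to-guess version of the same flaw.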
Cross Site Request Forgery (CSRF)
Cross-site request forgery (CSRF), also known as a one-click attack or session riding: sometimes a link provided on a vulnerable site will not do exactly what it claims. For example, links like the two below could make you download a torrent from a malicious site and even change the password of your torrent application.
Forced Download of a Torrent File
Change password of your torrent application.
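As an added example (my own code, not from the original post), the Python below shows the standard defence against the password-change scenario above: a per-session synchronizer token embedded in the site's own form and checked, together with the request method and the Origin header, before the action runs. The site origin, the request dictionaries and the function names are constructed assumptions.

```python
import hmac
import secrets

SITE_ORIGIN = "https://app.example"  # assumed origin of the application, not from the post


def issue_csrf_token(session: dict) -> str:
    # One unguessable token per session, kept server-side.
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_password_form(session: dict) -> str:
    # The token rides in a hidden field; a page served by another site cannot
    # read it, so a forged form cannot include it.
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/account/password">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="password" name="new_password"><button>Change</button></form>'
    )


def is_request_permitted(session: dict, request: dict) -> bool:
    # State-changing actions must be POST (a plain link cannot trigger them),
    # carry the session's token, and come from our own origin when the browser
    # says where the request came from.
    if request.get("method") != "POST":
        return False
    expected = session.get("csrf_token")
    submitted = request.get("form", {}).get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return True


def change_password(session: dict, request: dict) -> str:
    if not is_request_permitted(session, request):
        return "rejected"
    session["password"] = request["form"]["new_password"]
    return "changed"


def sample_requests(session: dict) -> dict:
    # Constructed requests: one submitted from our own form, two forged elsewhere.
    token = issue_csrf_token(session)
    return {
        "legitimate": {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
                       "form": {"csrf_token": token, "new_password": "hunter2"}},
        "forged_link": {"method": "GET", "headers": {}, "form": {"new_password": "x"}},
        "forged_post": {"method": "POST", "headers": {"Origin": "https://other.invalid"},
                        "form": {"new_password": "x"}},
    }
```

Both forged requests fail for a reason the attacker cannot fix from another site: the GET link is refused outright, and the cross-site POST carries neither the token nor an acceptable Origin. Setting the session cookie with `SameSite` (see the session management section) adds a second, independent layer.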
Information leakage and Improper Error Handling
Information leakage happens when the information passed on to users is not duly handled. For example, if error messages are not handled properly during an application crash, the entire SQL statement may be exposed to the user, which enables hackers to identify SQL Injection points.
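As an added example (mine, not from the original post), here is the SQL-error case in Python: one handler returns the driver's message and the statement to the browser, the other logs the full detail under a correlation id and returns only a generic message with that id. The log sink, query and function names are constructed.

```python
import logging
import sqlite3
import uuid

# Constructed in-memory log sink so the example can show what reached the server log.
LOG_LINES = []


class _Collector(logging.Handler):
    def emit(self, record):
        LOG_LINES.append(self.format(record))


log = logging.getLogger("app.reports")
log.addHandler(_Collector())
log.setLevel(logging.ERROR)
log.propagate = False

REPORT_SQL = "SELECT total FROM orders WHERE customer_id = ?"


def demo_conn() -> sqlite3.Connection:
    # Empty database: the report query will fail with "no such table".
    return sqlite3.connect(":memory:")


def run_report_vulnerable(conn, customer_id: int) -> tuple:
    # The driver's error text, statement included, goes straight back to the browser.
    try:
        return 200, conn.execute(REPORT_SQL, (customer_id,)).fetchall()
    except sqlite3.Error as exc:
        return 500, f"Database error: {exc} (query: {REPORT_SQL})"


def run_report_safe(conn, customer_id: int) -> tuple:
    # Full detail is logged server-side under a correlation id; the user sees only
    # a generic message plus that id, which support staff can match in the log.
    try:
        return 200, conn.execute(REPORT_SQL, (customer_id,)).fetchall()
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s customer_id=%s sql=%r error=%s", ref, customer_id, REPORT_SQL, exc)
        return 500, f"Something went wrong. Please quote reference {ref}."


def reference_from(body: str) -> str:
    # Pulls the correlation id back out of the user-facing message.
    return body.rstrip(".").rsplit(" ", 1)[-1]
```

The correlation id is what makes the generic message workable in practice: the user loses nothing they could act on, and the operator can still find the exact failure in the log.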
Broken Authentication and Session Management
Broken authentication, or sharing session IDs in URLs, can enable hackers to take control by spoofing cookies and manipulating the application flow. Developers are advised to implement strong authentication and session management controls that meet all the authentication and session management requirements defined in OWASP's Application Security Verification Standard.
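As an added example (my own code, not from the original post), the Python below shows a minimal server-side session store with the controls that matter most: unguessable ids, a fresh id issued at login, idle expiry, and an id that travels only in a cookie with protective flags rather than in the URL. The timeout value, host name and class names are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value, not from the post


class SessionStore:
    """Server-side sessions keyed by an unguessable id that travels only in a cookie."""

    def __init__(self) -> None:
        self._sessions = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": time.time()}
        return sid

    def get(self, sid: str):
        # Unknown or expired ids yield None; touching a live session extends it.
        data = self._sessions.get(sid)
        if data is None:
            return None
        if time.time() - data["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self.destroy(sid)
            return None
        data["last_seen"] = time.time()
        return data

    def login(self, old_sid: str, user: str) -> str:
        # Issue a fresh id when privilege changes, so an id planted or observed
        # before login (session fixation) is worthless afterwards.
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": time.time()}
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def expire_for_demo(self, sid: str) -> None:
        # Test hook only: pretend the session has been idle past the timeout.
        if sid in self._sessions:
            self._sessions[sid]["last_seen"] -= IDLE_TIMEOUT_SECONDS + 1


def session_cookie_header(sid: str) -> str:
    # HttpOnly keeps page scripts (XSS) away from the id, Secure keeps it off plain
    # HTTP, SameSite limits cross-site requests that would carry it.
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def account_url_vulnerable(sid: str) -> str:
    # Session id in the URL: it ends up in browser history, proxy logs and the
    # Referer header of every outbound link, where anyone reading those can reuse it.
    return f"https://app.example/account?sid={sid}"


def account_url() -> str:
    # The id is never part of the URL; the cookie carries it.
    return "https://app.example/account"
```

Regenerating the id at login is the step most often forgotten; without it, an attacker who can get a victim to use a known session id before login inherits the authenticated session afterwards.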
Insecure Cryptographic Storage
Most web applications share information across multiple pages. All information should be encrypted using well-vetted public cryptographic algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing. Developers should avoid storing unnecessary data in user cookies or on disk. Always use strong encryption algorithms.
Insecure Communications
Encryption (usually SSL) must be used for all authenticated connections, especially Internet-accessible web pages, but for backend connections as well. Failure to encrypt sensitive communications means that an attacker who can sniff traffic on the network will be able to read the conversation, including any credentials or sensitive information transmitted.
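As an added example (mine, not from the original post), the Python below takes the most common stored secret, a password, and contrasts a bare SHA-256 digest with the way SHA-256 should actually be used for it: salted, iterated through PBKDF2-HMAC, and verified in constant time. The iteration count is my assumption, chosen to match current OWASP Password Storage Cheat Sheet guidance, and the storage string format is mine.

```python
import base64
import hashlib
import hmac
import os

# Assumed iteration count, in line with current OWASP Password Storage Cheat Sheet
# guidance for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def hash_password_vulnerable(password: str) -> str:
    # Plain SHA-256, no salt, one fast round: equal passwords give equal hashes,
    # and the result can be attacked with precomputed tables at GPU speed.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    # Random per-user salt plus a deliberately slow, iterated keyed hash. The
    # stored string carries everything needed to verify later.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    try:
        alg, iterations, salt_b64, digest_b64 = stored.split("$")
        if alg != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(actual, expected)
```

The same principle applies to the other data the post mentions: store as little as possible, and what you must store should be protected with a standard construction (AES-GCM for data you need back, a slow salted hash for data you only need to verify), never with a home-grown scheme.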
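As an added example (my own code, not from the original post), here is what "encrypt everything, backend included" looks like in Python: a client TLS context for backend calls that actually verifies the peer, the verification-disabled context that should never ship, and the web-tier redirect plus HSTS header that keep browsers off plain HTTP. Host names and function names are assumptions.

```python
import ssl


def client_tls_context() -> ssl.SSLContext:
    # For backend calls: verify the peer certificate against the trust store,
    # check the hostname, and refuse anything older than TLS 1.2.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def client_tls_context_vulnerable() -> ssl.SSLContext:
    # The "make the certificate warning go away" pattern: with verification off,
    # any device on the path can present its own certificate and read the traffic,
    # so the connection is encrypted but to whom is anyone's guess.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    # Check you can run against any context a library hands you.
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def enforce_https(request: dict):
    # Web tier: bounce plain-HTTP requests to HTTPS. Returns (status, headers),
    # or None when the request is already on HTTPS.
    if request.get("scheme") != "https":
        target = "https://" + request["host"] + request.get("path", "/")
        return 301, {"Location": target}
    return None


def security_headers() -> dict:
    # Sent on every HTTPS response: one year of HSTS so the browser will not
    # even attempt plain HTTP for this host again.
    return {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```

Note that the redirect alone still leaves the first request of each visit in the clear; the HSTS header is what closes that gap on repeat visits.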
Failure to Restrict URL Access
Preventing unauthorized URL access requires selecting an approach that enforces proper authentication and proper authorization for each page. Frequently, such protection is provided by one or more components external to the application code. If your application fails to appropriately restrict URL access, security can be compromised through a technique called forced browsing. Forced browsing can be a very serious problem if an attacker tries to gather sensitive data through a web browser by requesting specific pages or data files.
I hope I was able to explain the above top 10 Web Application Threats. In fact there may be many more threats; you need to constantly visit the Open Web Application Security Project (OWASP) website and various other security forums, and follow developer journals, to identify risks and mitigate them.
Keep reading and visiting, and do not forget to share the article.
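As an added example (mine, not from the original post), the Python below contrasts a dispatcher where the role check lives in one landing page (so typing a deeper URL skips it, which is exactly forced browsing) with a central, default-deny check that runs before any handler. The route table, roles and handlers are constructed.

```python
# Constructed route table (not from the post): path -> roles allowed, None = public.
ROUTES = {
    "/": None,
    "/login": None,
    "/account": {"user", "admin"},
    "/admin": {"admin"},
    "/admin/export": {"admin"},
}

# Stand-ins for the real page handlers.
HANDLERS = {
    "/": lambda: "home",
    "/login": lambda: "login form",
    "/account": lambda: "your account",
    "/admin": lambda: "admin console",
    "/admin/export": lambda: "all customer data",
}


def dispatch_vulnerable(path: str, session: dict) -> tuple:
    # Common mistake: the role check sits in the admin landing page and the menu
    # merely hides the links. A user who requests /admin/export directly never
    # passes through the check.
    if path not in HANDLERS:
        return 404, "not found"
    if path == "/admin" and session.get("role") != "admin":
        return 403, "forbidden"
    return 200, HANDLERS[path]()


def dispatch(path: str, session: dict) -> tuple:
    # Central, default-deny check before any handler runs: a page is reachable
    # only if it is registered with a policy and the caller's role satisfies it.
    if path not in HANDLERS:
        return 404, "not found"
    allowed = ROUTES.get(path, set())  # registered handler without a policy: nobody allowed
    if allowed is None:
        return 200, HANDLERS[path]()
    if session.get("user") is None:
        return 401, "login required"
    if session.get("role") not in allowed:
        return 403, "forbidden"
    return 200, HANDLERS[path]()
```

The same table also makes it easy to audit what is exposed: every path is either public by explicit declaration or tied to the roles that may reach it, and a handler nobody remembered to register simply cannot be reached.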