Thursday November 26, 2020
Come across the name OWASP many times but do not know what it is? Every three to four years, OWASP releases its Top 10 list of the web application security vulnerabilities most commonly exploited by attackers, together with recommendations for tackling these attacks.
As a security professional or a business owner, you would want to look into this list, as it acts as an awareness document that helps you understand your current security approach and posture and become better equipped to identify and mitigate these security threats.
The latest edition of Top 10 Security Vulnerabilities by OWASP was released in 2017. Therefore, one can expect the new edition to be released sometime next year in 2021.
But what does the 2021 version hold? What security threats can one expect for their web applications in the future? Let’s discuss the top 10 security vulnerabilities of 2021.
What is OWASP? What does OWASP stand for?
OWASP, the Open Web Application Security Project, is a nonprofit organization dedicated to protecting web applications from cyber attacks. It has strong community support to facilitate this demanding task. Through conferences, online newsletters, journals, etc., it also educates people on how to keep their businesses secure.
#1 Broken Authentication
OWASP’s Broken Authentication category focuses on default or weak passwords. This has always been a major problem for all types of web applications, and weak passwords are expected to remain a significant security vulnerability in 2021.
Attackers now have access to advanced GPU technologies, which allow them to break weak passwords easily, even if the passwords are protected with strong ciphers. Brute-force attacks are the usual way they break passwords nowadays.
It has also been found that administrators aren’t really vigilant about teaching users password best practices. Many enterprises follow the worst policies and systems for password selection: they focus only on uppercase and lowercase letters, special characters, and numbers, and not on password length itself.
On the other hand, users are often forced to change their passwords frequently by the administrators, which causes them to use insecure passwords. All they do in the name of changing passwords is adding a predictable number or character at the end of the previous password.
So, it is extremely important to follow good password habits in order to secure web applications in an organization.
#2 Injection
Injection flaws are another major security vulnerability that is likely to continue into 2021. They can lead to disastrous and undesirable results. Injection flaws include file system injections, LDAP injections, SQL injections, and many more. Some of these flaws are so severe that they can even lead to remote code execution.
Injection flaws happen when web applications take in user-supplied data, for example from a search or form field, and pass it on to the server or backend database without a thorough input validation check.
Thus, it becomes easy for attackers to craft a string in an attempt to exploit the web application. The sad part is that without sufficient input sanitization, the crafted query is executed on the server.
Organizations need to use tried and tested remediation techniques like using a combination of output escaping, stored procedures, parameterized queries, and whitelists for server-side input validation.
Another measure they can take is to use database controls like LIMIT for preventing mass disclosure in the event of a well-executed injection attack.
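As an added example (not code from the original post), the following shows a string-concatenated query beside a hardened version that combines the remediations just listed: a server-side whitelist, a parameterized query, and a LIMIT clause. The in-memory table, its rows, and the username whitelist policy are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory table with sample rows (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
        (3, "carol", "carol@example.com"),
    ])
    return conn

def search_vulnerable(conn, name):
    # Untrusted input is pasted into the SQL text, so it can change the query's grammar.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, name, limit=1):
    # The driver binds the value as data, never as SQL; LIMIT caps how many rows
    # one request can disclose even if some other part of the query is wrong.
    sql = "SELECT name, email FROM users WHERE name = ? LIMIT ?"
    return conn.execute(sql, (name, limit)).fetchall()

# Assumed whitelist policy: usernames are short, lowercase alphanumerics or underscores.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def search_hardened(conn, name, limit=1):
    # Server-side whitelist validation rejects anything outside the allowed alphabet
    # before the database is ever consulted; the query itself is still parameterized.
    if not USERNAME_RE.match(name):
        return []
    return search_parameterized(conn, name, limit)

# Classic tautology payload of the kind the text describes. The vulnerable query
# returns every row; the parameterized query treats it as a literal name and finds
# nothing; the hardened query rejects it at validation.
TAUTOLOGY = "' OR '1'='1"
```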
#3 XML External Entities (XXE)
XML External Entities is a type of attack that takes advantage of the XML parsers in a web application, which may process a payload such as an external reference embedded in the XML document.
It is a comparatively new type of attack against web applications, having surfaced 6-7 years ago. According to OWASP, XXE replaced CSRF (Cross-Site Request Forgery), which was present in the 2010 and 2013 editions of the report.
Over the years, the XXE vulnerability in XML processing has steadily gained traction. As a result, it has become more severe for web applications.
If an attacker modifies or adds these external entities in an XML file, pointing them to a malicious source, it can lead to an SSRF attack or a denial of service (DoS) attack. The worst part is that these flaws can be used to scan internal systems, extract data, and run port scans, among other malicious activities.
#4 Sensitive Data Exposure
Sensitive Data Exposure is still going to be a big web application vulnerability in 2021. Sensitive data, such as user credentials, health records, and financial information, among other things, has never been safe. It is the primary target of attackers.
Thus, such data should never be visible as plaintext and should be encrypted. If it is not, attackers could easily gain access to confidential information by deploying man-in-the-middle (MitM) attacks to steal the data in transit.
In the last couple of years, exposure to sensitive data/information has become increasingly common. As a result, there has been a significant rise in data breaches. In the majority of cases, the information in these exposed databases was not encrypted.
This is a big worry for organizations because finding exposed databases is easy for professional web application vulnerability scanners. According to security experts, one way to tackle this issue in the future is to enforce encryption and use standard algorithms and proper key management.
#5 Security Misconfiguration
This type of security vulnerability covers all security risks that are triggered not by a programming error but by a configuration error. Under Security Misconfiguration lies a wide range of potential security issues, such as outdated software and a lack of operating system hardening. The worst part is that these issues extend to the web server.
While security misconfigurations can be easily spotted using a web application vulnerability scanner, dealing with them can be a lot tougher. Using default configurations, neglecting to upgrade or patch systems, overlooking verbose error messages that leak confidential data, and misconfiguring security headers can all increase the risk of this vulnerability.
According to experts, security misconfiguration can also be part of network security, so it can pose a major threat to web applications in 2021 if overlooked. Thus, it is important that organizations update configurations, review all permissions, and install patches.
#6 Broken Access Control
OWASP’s Broken Access Control category covers situations leading to issues like insecure direct object references and forced browsing. The sad news is that this type of vulnerability cannot be identified by any kind of automated tool. Therefore, this could be one of the biggest security vulnerabilities of 2021.
An automated tool can detect the lack of proper authorization; however, it cannot judge whether certain unauthorized functionality is made available to the user or whether a specific user’s account should have access to certain resources. This is because these vulnerabilities can only be judged by a human.
These vulnerabilities can go unnoticed until manual penetration tests are performed. Thus, organizations need to re-use and implement access control checks throughout their web applications.
#7 Insecure Deserialization
Insecure Deserialization was only added to the OWASP Top 10 Security Vulnerabilities in the 2017 edition, so it is a relatively new type of security threat that organizations are still getting accustomed to.
Deserialization is the conversion of serialized information back into objects usable by the web application. Insecure deserialization is an attack on web applications in which those data objects are tampered with, causing serious consequences such as remote code execution or a denial of service (DoS).
The best way to prevent this issue is to stop accepting serialized objects from malicious or untrusted sources.
#8 Cross-Site Scripting (XSS)
Cross-Site Scripting, or XSS, is one of the most common vulnerabilities affecting web applications. The attacker injects a script into the page output of a web application. This tricks the web browser into believing that the script is part of the page, and the browser ultimately runs it.
The attacker typically carries out this attack by sending the user an email containing a malicious link that appears to come from a trusted source. Once the user opens the link, the script is executed in the user’s web browser. In this way, the attacker can easily steal confidential data, including user credentials and session cookies, and even deliver malware.
The best way to counter this issue is to use frameworks, such as the latest Ruby on Rails, that help filter out XSS by design.
#9 Insufficient Logging and Monitoring
Organizations fail to log the events of interest concerning their web applications, and this leads to data breaches. Insufficient logging and monitoring is a security vulnerability because it gives attackers plenty of time to wreak havoc on your web applications.
It is important for organizations to ensure that all suspicious activities, such as input validation failures, access control failures, and failed logins, are logged and addressed in order to identify malicious accounts.
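As an added example (not from the original post), the detection logic below parses the three kinds of events the text names from application logs and flags accounts whose counts cross a threshold. The log format, the sample lines, and the thresholds are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the original post); the key=value format is an assumption.
SAMPLE_LOG = """\
2020-11-26T10:00:01Z auth user=alice src=10.0.0.5 result=failed_login
2020-11-26T10:00:02Z auth user=alice src=10.0.0.5 result=failed_login
2020-11-26T10:00:03Z auth user=alice src=10.0.0.5 result=failed_login
2020-11-26T10:00:04Z auth user=alice src=10.0.0.5 result=failed_login
2020-11-26T10:00:05Z auth user=alice src=10.0.0.5 result=failed_login
2020-11-26T10:00:06Z auth user=alice src=10.0.0.5 result=failed_login
2020-11-26T10:00:07Z app user=bob src=10.0.0.9 result=input_validation_failure field=email
2020-11-26T10:00:08Z app user=bob src=10.0.0.9 result=access_control_failure resource=/admin
2020-11-26T10:00:09Z app user=bob src=10.0.0.9 result=access_control_failure resource=/admin/users
2020-11-26T10:00:10Z auth user=carol src=10.0.0.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<component>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\S+)"
)

# The event types the text says must be logged and acted upon.
SUSPICIOUS = {"failed_login", "input_validation_failure", "access_control_failure"}

# Assumed alerting thresholds per event type within the window covered by the log.
DEFAULT_THRESHOLDS = {"failed_login": 5, "input_validation_failure": 3, "access_control_failure": 2}

def parse(log_text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def flag_accounts(events, thresholds=None):
    """Return {user: {event_type: count}} for accounts whose suspicious-event counts reach a threshold."""
    thresholds = thresholds or DEFAULT_THRESHOLDS
    counts = defaultdict(Counter)
    for ev in events:
        if ev["result"] in SUSPICIOUS:
            counts[ev["user"]][ev["result"]] += 1
    flagged = {}
    for user, per_type in counts.items():
        hits = {t: n for t, n in per_type.items() if n >= thresholds.get(t, 1)}
        if hits:
            flagged[user] = hits
    return flagged
```

Running `flag_accounts(parse(SAMPLE_LOG))` on the constructed lines flags alice for repeated failed logins and bob for repeated access control failures, while carol's successful login and bob's single validation failure stay below threshold.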
#10 Using Components with Known Vulnerabilities
This is a type of vulnerability that OWASP defines as putting too much trust in third-party code. The libraries that make up that code can be rigged, causing serious issues in your web application.
Thus, organizations need to constantly check sources like the CVE database for the components they use. It is also important to monitor patches and version updates for both server-side and client-side components, along with their dependencies.
These vulnerabilities have always been there. It is up to each organization how it deals with such issues to protect its web applications. Knowing these flaws ahead of time gives you an opportunity to prevent a severe disaster.