Tuesday, May 26, 2009

Application Security: OWASP top 10

By: Avinash K Tiwari

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely available articles, methodologies, documentation, tools, and technologies. The purpose of OWASP is to find and fight the causes of insecure software.

Official web site: www.owasp.org

OWASP’s most successful projects include the book-length OWASP Guide and the widely adopted OWASP Top 10 awareness document.

In this post, I am going to focus on what the OWASP Top Ten is all about.

The Open Web Application Security Project (OWASP) Top Ten Project provides a minimum standard for web application security. It lists the ten most critical web application security vulnerabilities, representing a broad consensus. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. You should consider adopting security standards and begin verifying that your web applications do not contain these security flaws. Addressing the OWASP Top Ten is an effective first step towards changing your software development culture into one that produces secure code for your web applications.

Following are the OWASP top 10 vulnerabilities with a brief description of each:

Cross-site scripting (XSS) flaws:
Hackers can impersonate legitimate users and control their accounts.
Impact: Identity theft, sensitive information leakage, …

Injection flaws:
Hackers can access backend database information, alter it or steal it.
Impact: Attacker can manipulate queries to the DB / LDAP / other systems

Malicious File Execution:
Execute shell commands on the server, up to full control
Impact: Site modified to transfer all interactions to the hacker

Broken authentication and session management:
Session tokens not guarded or invalidated properly
Impact: Hacker can “force” a session token on a victim; session tokens can be stolen after logout

Cross-Site Request Forgery:
Attacker can invoke “blind” actions on web applications, impersonating a trusted user
Impact: Blind requests to a bank account transfer money to the hacker

Information Leakage and Improper Error Handling:
Attackers can gain detailed system information
Impact: Leaked system information may assist in developing further attacks

Insecure storage:
Weak encryption techniques may lead to broken encryption
Impact: Confidential information (SSN, credit cards) can be decrypted by malicious users

Insecure Communication:
Sensitive info sent unencrypted over an insecure channel
Impact: Unencrypted credentials “sniffed” and used by the hacker to impersonate the user

Failure to Restrict URL Access:
Hacker can forcefully browse to and access a page past the login page
Impact: Hacker can access unauthorized resources

Insecure Direct Object Reference:
Web application returns the contents of a sensitive file (instead of the harmless one)
Impact: Attacker can access sensitive files and resources
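The two list items that come up most in code review, injection flaws and XSS, share one root cause: untrusted input is concatenated into a string that another parser (the database or the browser) later interprets as code. The following is an added example written for this post, not code from OWASP or from the original article. It uses Python's standard library with a constructed in-memory SQLite table, and puts a vulnerable function next to its fixed form so the difference in behaviour can be observed directly: the parameterized query and the HTML-escaped output treat the same input purely as data.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_role_vulnerable(conn, name):
    """Injection flaw: the value is pasted into the SQL text, so the database
    parses whatever the caller supplied as part of the query."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_role_safe(conn, name):
    """Fixed form: a parameterized query. The driver passes the value separately
    from the statement, so quotes or keywords in it are never parsed as SQL."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting_vulnerable(name):
    """XSS flaw: untrusted text is written into HTML unescaped, so the browser
    treats any markup in it as part of the page."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Fixed form: HTML-encode on output. '<', '>', '&' and quotes become
    entities, so the browser renders the text literally."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # A name containing a quote and an OR clause: the vulnerable query returns
    # every row, the parameterized one finds no user by that (literal) name.
    odd_name = "x' OR '1'='1"
    print("vulnerable:", lookup_role_vulnerable(db, odd_name))
    print("safe:      ", lookup_role_safe(db, odd_name))
    print(render_greeting_vulnerable("<b>Bob</b>"))
    print(render_greeting_safe("<b>Bob</b>"))
```

The detection rule of thumb for both bugs is the same: look for string concatenation or formatting that feeds a query API or an HTML response, and check whether the data in it ever originated from a request.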

We will be discussing each of these vulnerabilities in detail in the coming posts.
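The "Broken authentication and session management" and "Cross-Site Request Forgery" items above are about how a server issues, checks and retires the tokens that tie a request to a user. The following added example (written for this post, not code from OWASP or the original article) is a minimal in-memory session store in Python showing the controls those items imply: tokens are generated server-side with a cryptographic random source rather than accepted from the client, they expire and are deleted on logout so a stolen token cannot be replayed, and a state-changing action such as a transfer requires a per-session CSRF token compared in constant time. The `SESSION_TTL` value and the `transfer_money` function are assumptions chosen for illustration.

```python
import hmac
import secrets

SESSION_TTL = 900  # assumed policy: idle sessions die after 15 minutes


class SessionStore:
    """In-memory session table: token -> {user, expires, csrf}."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, now):
        """Create a fresh session after successful authentication.
        A new token is always generated here; a token supplied in the request
        is never reused, which closes the session-fixation ("forced token") case."""
        token = secrets.token_urlsafe(32)      # unguessable, server-generated
        csrf = secrets.token_urlsafe(32)       # separate per-session anti-CSRF value
        self._sessions[token] = {"user": user, "expires": now + SESSION_TTL, "csrf": csrf}
        return token, csrf

    def user_for(self, token, now):
        """Resolve a token to a user, dropping expired sessions as they are seen."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if now > session["expires"]:
            del self._sessions[token]
            return None
        return session["user"]

    def logout(self, token):
        """Invalidate server-side: the token is useless afterwards even if it leaked."""
        self._sessions.pop(token, None)

    def check_csrf(self, token, submitted):
        """Compare the submitted CSRF token with the one bound to this session.
        hmac.compare_digest avoids leaking the match position through timing."""
        session = self._sessions.get(token)
        if session is None or submitted is None:
            return False
        return hmac.compare_digest(session["csrf"], submitted)


def transfer_money(store, session_token, csrf_token, amount, now):
    """Hypothetical state-changing action: needs a live session and the matching
    CSRF token. A forged cross-site request carries the victim's cookie but
    cannot read the CSRF value, so it fails the second check."""
    user = store.user_for(session_token, now)
    if user is None:
        return "denied: no valid session"
    if not store.check_csrf(session_token, csrf_token):
        return "denied: missing or wrong CSRF token"
    return f"ok: {user} transferred {amount}"


if __name__ == "__main__":
    store = SessionStore()
    tok, csrf = store.login("alice", now=0)
    print(transfer_money(store, tok, csrf, 10, now=1))      # ok
    print(transfer_money(store, tok, None, 10, now=1))      # denied: CSRF
    print(transfer_money(store, tok, csrf, 10, now=SESSION_TTL + 1))  # denied: expired
```

The `now` parameter is passed explicitly instead of calling the clock inside the class so expiry can be exercised deterministically; in a real application the cookie carrying the session token should additionally be marked HttpOnly and Secure, which ties this item to the "Insecure Communication" entry above.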

More information about these critical web application security vulnerabilities is on the OWASP website: http://www.owasp.org/index.php/OWASP_Top_Ten_Project

(Copyrighted by CresTech Software Systems Pvt. Ltd.)

Your Testing Partner


http://www.qacampus.com
http://www.crestech.in
http://www.crestechsoftware.com.au
