What is OWASP Top 10?
- Open Web Application Security Project.
- Worldwide non-profit organization founded in 2001.
- Mission is to make software security visible.
- The most recent OWASP Top 10 was published in 2021.
- Ten most critical web application security flaws.
OWASP – Top 10 2021
•A01 - Broken access control.
•A02 - Cryptographic failures.
•A03 - Injection.
•A04 - Insecure Design.
•A05 - Security Misconfiguration.
•A06 - Vulnerable and outdated components.
•A07 - Identification and Authentication failures.
•A08 - Software and Data integrity failures.
•A09 - Security logging and monitoring failures.
•A10 - Server side request forgery (SSRF)
A01 – Broken Access control
•Elevation of privilege or privilege escalation.
- Acting as an admin when logged in as a user.
- Acting as a user without being logged in.
•Viewing or editing someone else’s account.
•Cross origin resource sharing (CORS) misconfiguration.
- Allows API access from unauthorized/untrusted origins.
A01 – How to prevent
•Implement access control mechanisms
- on the server side.
•Minimize CORS usage.
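The checks above, written out as an added example (not code from the original slides): every decision is made on the server from data the client cannot alter, covering the three failures listed under A01 (anonymous caller acting as a user, user acting as an admin, user viewing someone else's account) plus a CORS origin allowlist. The users, accounts and the allowed origin are constructed sample data.

```python
"""Server-side access control checks for A01 (added example, not from the slides).

Models the three failures on the slide: an anonymous caller acting as a user,
a user acting as an admin, and a user viewing someone else's account. The
users, accounts and CORS allowlist are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: role per user, and who owns which account.
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "root": {"role": "admin"},
}
ACCOUNTS = {
    101: {"owner": "alice", "balance": 50},
    102: {"owner": "bob", "balance": 75},
}
# Hypothetical allowlist of browser origins trusted to call the API.
ALLOWED_ORIGINS = {"https://app.example.com"}


class Forbidden(Exception):
    """The server-side check denied the request."""


@dataclass
class Session:
    user: Optional[str] = None  # None models a caller who is not logged in


def require_login(session: Session) -> str:
    if session.user is None or session.user not in USERS:
        raise Forbidden("authentication required")
    return session.user


def require_role(session: Session, role: str) -> str:
    user = require_login(session)
    if USERS[user]["role"] != role:
        raise Forbidden(f"role {role!r} required")
    return user


def view_account(session: Session, account_id: int) -> dict:
    """Object-level check: the caller must own the account or be an admin.

    A client-supplied account ID is never trusted on its own; ownership is
    looked up on the server for every request."""
    user = require_login(session)
    account = ACCOUNTS.get(account_id)
    # Unknown and foreign accounts get the same error so IDs cannot be enumerated.
    if account is None or (account["owner"] != user and USERS[user]["role"] != "admin"):
        raise Forbidden("access denied")
    return dict(account)


def delete_user(session: Session, target: str) -> bool:
    """Function-level check: only admins may reach this operation."""
    require_role(session, "admin")
    return USERS.pop(target, None) is not None


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Echo only allowlisted origins; never '*' for an API that uses credentials."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}
```

The point of `cors_headers` is that the server decides per request whether to reflect the `Origin` value; an unlisted origin gets no `Access-Control-Allow-Origin` header at all, and `Vary: Origin` keeps caches from serving one origin's answer to another.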
A02 – Cryptographic Failures
•Sensitive data is stored or transmitted in clear text.
•Deprecated or weak cryptographic algorithms in use.
•Default crypto keys in use.
- proper key management or rotation is missing.
A02 – How to prevent
•Encrypt all sensitive data at rest.
•Encrypt all data in transit
- use TLS 1.2 or above
- use HTTP strict transport Security (HSTS)
•Use up-to-date, strong, standard algorithms and protocols.
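The two transport-side items (TLS 1.2 or above, HSTS) as an added example using only Python's standard `ssl` module; this is not code from the original slides. The HSTS `max-age` value and the redirect target for plain-HTTP requests are assumptions chosen for the example.

```python
"""Transport protection for A02 (added example, not from the slides).

Builds a server-side TLS context that refuses anything below TLS 1.2 and the
Strict-Transport-Security header that keeps browsers on HTTPS. The max-age
value and the redirect target are assumptions chosen for the example."""
import ssl
from typing import Dict, Tuple

HSTS_MAX_AGE = 31536000  # one year in seconds (assumed policy value)


def tls_server_context() -> ssl.SSLContext:
    """Server context that negotiates only TLS 1.2 or TLS 1.3.

    A real deployment additionally calls ctx.load_cert_chain() with its
    certificate and key before wrapping sockets."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects SSLv3, TLS 1.0 and TLS 1.1
    return ctx


def minimum_tls_version(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def hsts_header(include_subdomains: bool = True) -> Tuple[str, str]:
    value = f"max-age={HSTS_MAX_AGE}"
    if include_subdomains:
        value += "; includeSubDomains"
    return ("Strict-Transport-Security", value)


def response_headers(request_is_https: bool, host: str, path: str) -> Dict[str, str]:
    """HSTS is only honoured on HTTPS responses, so a plain-HTTP request is
    answered with a redirect to the HTTPS URL instead of the header."""
    if not request_is_https:
        return {"Location": f"https://{host}{path}"}
    name, value = hsts_header()
    return {name: value}
```

Setting `minimum_version` on the context is the check worth verifying in deployment reviews: the default context still accepts TLS 1.0 and 1.1 on older OpenSSL builds unless the floor is raised explicitly.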
A03 - Injection
•User input is not validated, filtered or sanitized by the application.
•User input is directly used or concatenated.
- SQL injection
- Command injection.
A03 – How to prevent
•Do not pass user input directly to executable statements.
•Prepared statements
- Parameterized Queries.
•Proper patching or updating of database.
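The difference between concatenation and a prepared statement, shown as an added example (not code from the original slides) with Python's built-in `sqlite3` module and a constructed in-memory table. A hypothetical host-lookup command at the end applies the same rule to OS commands: validate, then pass an argument list rather than a shell string.

```python
"""Injection: concatenated input versus bound parameters (A03).

Added example, not from the slides. Uses Python's built-in sqlite3 module with
a constructed in-memory table, and a hypothetical host-lookup command to show
the same rule for OS commands."""
import re
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Constructed sample rows. Plaintext passwords are only for the demo; a real
    # application stores a salted password hash (see A02).
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret-Passw0rd", "user"),
        ("root", "another-Passw0rd", "admin"),
    ])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The A03 anti-pattern: user input is concatenated into the statement,
    so quote characters in the input change the query's structure."""
    query = ("SELECT 1 FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement: the driver binds the values as data, so the input is
    never parsed as SQL no matter which characters it contains."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Strict positive pattern for a hostname: letters, digits, dots and hyphens only.
HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def lookup_argv(hostname: str) -> List[str]:
    """Command example: validate against a strict pattern and build an argv
    list for subprocess.run() rather than a shell string (hypothetical
    'host' lookup; the command itself is not executed here)."""
    if not HOSTNAME.match(hostname):
        raise ValueError("invalid hostname")
    return ["host", hostname]
```

Running both login functions with a password value containing a quote makes the contrast visible: the concatenated query's `WHERE` clause is rewritten by the input and matches a row, while the bound version simply compares the literal string and finds nothing.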
A04 – Insecure Design
•A secure design can still have an insecure implementation.
•An insecure design cannot be fixed by implementation alone.
A04 – How to implement
•Secure Development Lifecycle (SDL)
•Threat modeling manifesto.
A05 – Security Misconfiguration
•Missing security hardening
•Unnecessary features are enabled or installed
- Unnecessary ports
- Services
- Accounts
•Default accounts
•Default passwords
A05 – How to prevent
•Apply security hardening
•Close unnecessary ports
•Disable unnecessary services
•Remove default accounts
•Change default passwords
A06 – Vulnerable or Outdated components
•Software is vulnerable, unsupported or outdated
- Apache Log4j (Log4Shell) vulnerabilities.
A06 – How to prevent
•Update software periodically
•Use Software Composition Analysis (SCA) tools.
A07 – Identification and Authentication failures
•Missing brute force protection
•Missing multi-factor authentication
•Using default, weak or well-known passwords.
•Reusing session identifier after successful login
A07 – How to prevent
•Implement brute force protection
•Implement multi factor authentication
•Change default credentials
•Implement password complexity
•Rotate Session IDs after successful login
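Three of the countermeasures above (password complexity, brute-force protection, session ID rotation after login) combined in one small in-memory service. This is an added example, not code from the original slides; the lockout threshold, lockout length and minimum password length are assumed policy values, and the clock is injectable so the lockout window can be tested without waiting.

```python
"""Authentication controls for A07 (added example, not from the slides).

One in-memory service combining three of the slide's countermeasures: a
password-complexity rule, per-account brute-force lockout, and rotation of the
session ID on successful login. Thresholds are assumed policy values, and the
clock is injectable so the lockout window can be tested without waiting."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

MAX_FAILURES = 5         # failed attempts before the account locks (assumed)
LOCKOUT_SECONDS = 300    # length of the lock in seconds (assumed)
MIN_PASSWORD_LEN = 12    # assumed minimum length
PBKDF2_ROUNDS = 200_000


class LockedOut(Exception):
    """Login refused because the account is in its lockout window."""


def hash_password(password: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(stored: bytes, password: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def password_is_strong(password: str) -> bool:
    """Minimum length plus at least three character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= MIN_PASSWORD_LEN and sum(classes) >= 3


# Hashed once so that logins for unknown usernames cost the same as real ones,
# which keeps response timing from revealing which usernames exist.
_DUMMY_HASH = hash_password(secrets.token_hex(8))


class AuthService:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.users: Dict[str, bytes] = {}
        self.failures: Dict[str, Tuple[int, float]] = {}   # user -> (count, locked_until)
        self.sessions: Dict[str, Optional[str]] = {}       # session id -> user or None

    def register(self, username: str, password: str) -> None:
        if not password_is_strong(password):
            raise ValueError("password does not meet the complexity policy")
        self.users[username] = hash_password(password)

    def anonymous_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, username: str, password: str, session_id: str) -> Optional[str]:
        """Returns a fresh session ID on success, None on bad credentials."""
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            raise LockedOut(username)
        stored = self.users.get(username, _DUMMY_HASH)
        ok = verify_password(stored, password) and username in self.users
        if not ok:
            count += 1
            if count >= MAX_FAILURES:
                locked_until = now + LOCKOUT_SECONDS
            self.failures[username] = (count, locked_until)
            return None
        self.failures.pop(username, None)
        # Rotate: the pre-login ID is discarded so an ID fixated or captured
        # before authentication never becomes an authenticated session.
        self.sessions.pop(session_id, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = username
        return new_sid
```

The rotation step is the one most often missed: the session ID handed out before login must stop working, not merely be upgraded in place, otherwise an identifier obtained before authentication is still valid afterwards.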
A08 – Software and Data Integrity failures
•Software and data integrity failures occur when the application does not protect against integrity violations
- SolarWinds 2020 attack
A08 – How to prevent
•Use digital signatures to verify passwords
•Ensure you consume trusted repositories
A09 – Security Logging and Monitoring Failures
•Insufficient logging
- Logins
- Failed Logins
- High value transactions
•Logs are only stored locally
A09 - how to prevent
•Log important events with sufficient user context
- username
- Client IP
- Time
A10 – Server Side Request Forgery (SSRF)
•A web application fetches a remote resource without validating the user-supplied URL
A10 – How to prevent
•Sanitize and validate all client supplied input data
•Validate URL components.
- URL schema, port and destination
•Do not send raw responses to the client
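The validation steps above (schema, port, destination, no raw response to the client) as an added example; this is not code from the original slides. `validate_fetch_url()` checks each component against a positive allowlist and then resolves the host to reject private, loopback and link-local addresses; `shape_response()` returns only chosen fields from the upstream body instead of relaying it. The host allowlist, the resolver injection and the sample response fields are assumptions for the example.

```python
"""SSRF defence for A10 (added example, not from the slides).

validate_fetch_url() checks the three URL components the slide names (schema,
port and destination) against a positive allowlist and then resolves the host
to make sure it does not point at a private or loopback address. The resolver
is injectable so the check runs offline in tests; the allowlist and the
response fields are assumptions for the example."""
import ipaddress
import json
import socket
from typing import Callable, Iterable, Set
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
ALLOWED_HOSTS = {"api.partner.example"}   # hypothetical destination allowlist


class UnsafeURL(ValueError):
    """The supplied URL failed a validation step; the fetch must not happen."""


def resolve_all(host: str) -> Set[str]:
    """Every address the name resolves to, so no A/AAAA record is skipped."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_url(url: str,
                       resolver: Callable[[str], Iterable[str]] = resolve_all) -> str:
    """Returns a normalised URL that is safe to fetch, or raises UnsafeURL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"schema not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeURL("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port
    except ValueError:
        raise UnsafeURL("port out of range") from None
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"destination not allowed: {host!r}")
    for ip in resolver(host):
        if not is_public(ip):
            raise UnsafeURL(f"{host} resolves to non-public address {ip}")
    # The caller should connect to the address checked here rather than resolve
    # the name a second time, so a changing DNS answer cannot bypass the check.
    return urlunsplit((scheme, f"{host}:{port}", parts.path or "/", parts.query, ""))


def shape_response(raw_body: bytes, allowed_fields: Iterable[str]) -> dict:
    """Never relay the upstream response verbatim: parse it and return only the
    fields the client is meant to see."""
    data = json.loads(raw_body)
    if not isinstance(data, dict):
        raise ValueError("unexpected upstream response shape")
    return {key: data[key] for key in allowed_fields if key in data}
```

Ordering matters here: the destination allowlist runs before DNS resolution, so an unlisted name is rejected without ever being looked up, and resolution is only the final guard for allowlisted names whose records could change.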