Post

Sws101_owasp_top_10

Posted Updated
By your_full_name 8 min read

OWASP TOP 10

Day 1: Introduction to OWASP Top 10 2021

Today I began my work on the OWASP Top 10 2021 room of TryHackMe, which is based on the list of most critical security risks to web applications according to the Open Web Application Security Project . The OWASP Top 10 2021 is the de facto standard in the field of web application security and it is important not only for developers and information security specialists, but for other computing professionals as well. The OWASP Top 10 2021 vulnerabilities are as follows: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures.

The OWASP Top 10 2021 lists the following vulnerabilities:

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

In the room, I expect to learn about each of these vulnerabilities in detail, including their root causes, potential impacts, and mitigation techniques.

Day 2: Broken Access Control

Today, I looked into one of the OWASP Top 10 2021 list vulnerabilities: Broken Access Control. This results from weak access control, where an application uses weak access control policies to allow the wrong users access to either sensitive data or functionality.

As evidenced in the room, the access control flaws include the following:

  • Missing or ineffective access control mechanisms
  • Insecure direct object references (IDOR)
  • Horizontal and vertical privilege escalation vulnerabilities

Today, I looked into one of the OWASP Top 10 2021 list vulnerabilities: Broken Access Control. This results from weak access control, where an application uses weak access control policies to allow the wrong users access to either sensitive data or functionality.

Mitigation techniques covered included:

  • Implementing centralized access control mechanisms
  • Enforcing the principle of least privilege
  • Performing proper authorization checks
  • Avoiding exposure of sensitive data or functionality through insecure direct object references

Day 3: Cryptographic Failures

Today’s focus was on the second vulnerability in the OWASP Top 10 2021: Within this category falls cryptographic failures, that is when the cryptographic keys become compromised or the algorithms are subject to attacks. Such a vulnerability will come when applications are not good enough so as not to adequately shield data that is sensitive through the use of advanced cryptographic measures.

The room covered various cryptographic failures, including:The room covered various cryptographic failures, including:

  • Insecure encryption algorithms

  • If there is any situation that the cryptographic keys in use are weak or are not up to date they can be compromised.

  • Improper key management

  • Insecure data transmission

Maybe one of the most important lessons that I learnt is the need for a strong and high-grade algorithm in encryption, a good key management system and an effective data communication channel via the presumption of protocol which is TLS.

Mitigation techniques included:

  • Using any set of encryption algorithms which are utilitarian and currently strong across the industry.

  • Adequate key management rules are thus a top priority.

  • Adopting safe data transport protocols (e.g., A TLS) will ensure that highly confidential information is transmitted efficiently.

  • Use of carefully tested and upgraded cryptographic algorithms and protocols is extremely important.

Day 4: Injection

The title of the talk was Injection vulnerabilities, the flaw that happens when a non-trusted information is sent to an interpreter either a query or a command leading to unauthorized execution or modification of date.

The room covered various types of injection flaws, including:The room covered various types of injection flaws, including:

  • SQL Injection

  • NoSQL Injection

  • OS Command Injection

  • XXE Injection is a case when an application uses XML as a data exchange format and the attacker sends crafted XML entities to cause denial of service or to escalate the privileges.

I got to know what dangers carried over with vulnerabilities, for example data leaking, storing data, and system takeover are the main threats. In addition to that, injection risks were also discussed through an advisory that outlined the necessary measures to be taken as follows:In addition to that, injection risks were also discussed through an advisory that outlined the necessary measures to be taken as follows:

  • A process of input validating and sanitizing is vital.

  • Parameterized queries

  • Least privilege principle

  • Disabling non-essential features (like the XML external entity processing for instance) will improve the general system security.

Day 5: Insecure Design

Now, we will learn about Insecure Design, which is a type of error that is caused by designers during software development when they unintentionally leave security loopholes, making the software vulnerable to security attacks.

What is demonstrated at the training room is the basis of it; the details of the designing and creation of programs and coding as well as the use of a number of security principles, including least privilege, defense in depth, and secure defaults, all show that security should be considered from the start.

Mitigation techniques covered included:

  • One of the best practices in cybersecurity is threat modeling and secure design.

  • Secure coding principles

  • Compliance with security policies (least privilege, defense in depth, secure choice of defaults)

  • Secure SDLC which involves collection of input and feedback from all stakeholders is necessary.

Day 6: Security Misconfiguration

Security Misconfiguration deals with the situation, where someone could not configure an application, a server, or a database properly, which allows unnecessary access to any unauthorized person.

  • Insecure default configurations

  • Unused attributes or elements with little assistance from the supplier.

  • Insecure file permissions

  • the absence of security headers

Mitigation techniques included:

  • Thorough and sound installation and configuration procedures

  • Disabling unessential functionality as well as the availability of different services.

  • Maintain proper file permissions and access controls.

  • Implementing security headers

Day 7: Risky and Lagging Parts

We used this discussion as a platform to tackle the issue of Vulnerable and Outdated Components. It is a term referring to the Adoption of old and fragile software packages used by applications.

The section gave examples of making software components regular updates such as patches and managing dependencies in third-party libraries.

Mitigation techniques covered included:

  • The software and dependency management procedures thus devised.

  • Frequent backing up makes it easy in case the data is lost.

  • Authenticity guaranteeing programs in the software supply chain safety practices.

  • Upgrading and changing all vulnerable parts.

Day 8: Identification And Authentication Fallibilities

Auth Failure & Authentication Failures symbolize the vulnerabilities of an application’s authentication and session management techniques that may result in account abuse or hijacking.

The room covered various authentication vulnerabilities, such as:

  • Weak or default credentials are one of many exploitable points for cybercriminals.

  • Weak password recovery option.

  • Insecure session management

  • The fact of deficiency of multi-factor authentication

Mitigation techniques included:

  • Firstly, strong and secure password policies, and secondly, password hashing.

  • Multi-factor authentication

  • Secure session management

  • Secure recovery mechanisms for a password

Today the macro benevolence which focuses on Software and Data Integrity Deficiencies revealed the deficiencies which bring the entire software or data browning down.

The chamber discussed various flaws in integrity, including:

  • Unprotected roads for implementing or rolling-out of the code.

  • Lack of code integrity !=

  • Data obstruction or reconfiguration.

Countermeasures embraced:

  • Secure procedures for code deployment and updates through a reviewed process will be established.

  • The use of digital endorsements and the signing of codes offers the same function as codes of verification of the purity of the code.

  • Verifying devices and controls to check data truthfulness are the most critical ones of them all.

Day 10: Security Logging and Monitoring Lapse Lead to Vulnerability

Frailty in OWASP Top 10 2021 was addressed with the Security Logging and Watching Weaknesses version which in practice means not implementing full logging and monitoring in applications dedicated to logs and watches.

The emphasis was on logging and the monitoring of events to speed up the detection, investigation, and the mitigation of security incidents as well as to be compliant and in line with auditing policies.

Mitigation techniques covered included:

  • The application of installing extensive logging and tracking systems is advisable.

  • Secured log storage and shielding from destruction

  • The availability of accurate log analysis and well-established incident response processes will be the focus.

  • IoT devices need to be provided with mechanisms to monitor for security events and network behaviors that deviate from the norm.

Day 11: Server-Side Request Forgery (SSRF)

is an attack where a malicious user exploits a security vulnerability to trick a server into performing unauthorized actions.

The SSRF which was the last topic in the room was a vulnerability that allows a threat actor to force the server to make requests to arbitrary systems or resources that could enable the attacker to undermine the defense system or even get access to the sensitive information of the internal system.

The room covered the risks associated with SSRF vulnerabilities, such as:

  • Sensitive data from internal systems are threatened with exposure due to an act of hacking.
  • After getting inside the network, the malicious actors can still move laterally.
  • Denial of Service(DoS) attack.

Mitigation techniques included:

  • Input validation and sanitization of data

  • Having whitelisting means that URLs or IP addresses are just listed.

  • Ill constitution of excessive URL redirection capabilities.

  • Obstructing the outgoing traffic to the only trusted sites.

It should be said that by completing the OWASP Top 10 2021 room on the THM platform, I got the most comprehensive information about the severest hazards that the web application security faces. This way, security may only be strengthened by means of secure coding principles, proper configuration and security measures that will be applied.

SWS101, Journal 3
SWS101
This post is licensed under CC BY 4.0 by the author.