WHAT IS “OWASP”?
OWASP stands for the Open Web Application Security Project, an online community that produces articles, methodologies, documentation, tools, and technologies in the field of web application security.
WHAT IS THE OWASP TOP 10?
OWASP Top 10 is the list of the 10 most common application vulnerabilities. It also shows their risks, impacts, and countermeasures. Updated every three to four years, the latest OWASP vulnerabilities list was released in 2018. Let’s dive into it!
THE TOP 10 OWASP VULNERABILITIES IN 2020 ARE:
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access control
• Security misconfigurations
• Cross Site Scripting (XSS)
• Insecure Deserialization
• Using Components with known vulnerabilities
• Insufficient logging and monitoring
Injection
A code injection happens when an attacker sends invalid data to the web application with the intention to make it do something that the application was not designed/programmed to do. Perhaps the most common example around this security vulnerability is the SQL query consuming untrusted data.
Broken Authentication
A broken authentication vulnerability can allow an attacker to use manual and/or automatic methods to try to gain control over any account they want in a system – or even worse – to gain complete control over the system.
Sensitive Data Exposure
Sensitive data exposure is one of the most widespread vulnerabilities on the OWASP list. It consists of compromising data that should have been protected. It is vital for any organization to understand the importance of protecting users’ information and privacy. All companies should comply with their local privacy laws.
XML External Entities (XXE)
According to Wikipedia, an XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
Broken Access Control
In website security, access control means putting a limit on what sections or pages visitors can reach, depending on their needs. For example, if you own an ecommerce store, you probably need access to the admin panel in order to add new products or to set up a promotion for the upcoming holidays. However, hardly anybody else would need it. Allowing the rest of your website’s visitors to reach your login page only opens up your ecommerce store to attacks.
Security Misconfigurations
At its core, brute force is the act of trying many possible combinations, but there are many variants of this attack to increase its success rate.
Cross-Site Scripting (XSS)
Cross Site Scripting (XSS) is a widespread vulnerability that affects many web applications. XSS attacks consist of injecting malicious client-side scripts into a website and using the website as a propagation method.
Insecure Deserialization
Every web developer needs to make peace with the fact that attackers/security researchers are going to try to play with everything that interacts with their application–from the URLs to serialized objects.
Using Components with Known Vulnerabilities
These days, even simple websites such as personal blogs have a lot of dependencies.
We can all agree that failing to update every piece of software on the backend and frontend of a website will, without a doubt, introduce heavy security risks sooner rather than later.
Insufficient Logging and Monitoring
The importance of securing a website cannot be understated. While 100% security is not a realistic goal, there are ways to keep your website monitored on a regular basis so you can take immediate action when something happens.
Not having an efficient logging and monitoring process in place can increase the damage of a website compromise.
Top comments (0)