Website\/Web app Security<\/span><\/a><\/p>\n Mark Curphey started OWASP on September 9, 2001.\u00a0Jeff Williams served as the volunteer Chair of OWASP from late 2003 until September 2011. As of 2015, Matt Konda chaired the Board.<\/p>\n The OWASP Foundation, a 501(c) (3) non-profit organization (in the USA) established in 2004, supports the OWASP infrastructure and projects. Since 2011, OWASP is also registered as a non-profit organization in Belgium under the name of OWASP Europe VZW.<\/p>\n The Open Web Application Security Project (OWASP) is a\u00a0501(c) (3)\u00a0worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security\u00a0visible<\/a>\u00a0so that\u00a0individuals and organizations<\/a>\u00a0can make informed decisions. OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies, and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.<\/p>\n Everyone is free to participate in OWASP and\u00a0all of our materials<\/u>\u00a0are available under a free and open software license. You’ll find everything\u00a0about OWASP<\/a><\/strong>\u00a0here on or linked from our wiki and current information on our\u00a0OWASP Blog<\/a>. OWASP\u00a0does not endorse or recommend commercial products or services<\/strong>, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide.<\/p>\n We ask that the community look out for\u00a0inappropriate<\/a> uses of the OWASP brand including the use of our name, logos, project names, and other trademark issues.<\/p>\n To bring awareness to what threatens the integrity of websites, we are continuing a series of posts on the\u00a0OWASP top 10 security risks<\/strong>.<\/p>\n Injection flaws result from a classic failure to filter untrusted input. It can happen when you pass unfiltered data to the SQL server (SQL injection), to the browser (XSS \u2013 we\u2019ll talk about this\u00a0later), to the LDAP server (LDAP injection), or anywhere else. The problem here is that the attacker can inject commands to these entities, resulting in loss of data and hijacking clients\u2019 browsers.<\/p>\n OWASP defines\u00a0Broken Authentication<\/strong>\u00a0and Session Management as:<\/p>\n Application functions related to authentication<\/strong> and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.<\/p><\/blockquote>\n In other words, an attacker can get unauthorized access to a user’s data due to flaws in the implementation. Before exploiting this vulnerability you need to know a few concepts:<\/p>\n This vulnerability allows an attacker to access sensitive data such as credit cards, tax IDs, authentication credentials, etc. to conduct credit card fraud, identity theft, or other crimes. Losing such data can cause severe business impact and damage to the reputation. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.<\/p>\n XML External Entity (XXE) refers to a specific type of\u00a0Server-Side Request Forgery (SSRF)<\/a>\u00a0attack, whereby an attacker can cause Denial of Service (DoS) and access local or remote files and services, by abusing a widely available, rarely used feature in XML parsers.<\/p>\n XML is a vastly used data format found in everything from web services (XML-RPC, SOAP, REST, etc.) to documents (XML, HTML, DOCX) and image files (SVG, EXIF data, etc.) use XML. Naturally, where there is XML, there is an XML parser \u2013 hold onto that thought, we\u2019ll be coming back to it shortly.<\/p>\n Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user. Common access control vulnerabilities include:<\/p>\n Security Misconfiguration arises when Security settings are defined, implemented, and maintained as defaults. Good security requires a secure configuration defined and deployed for the application, web server, database server, and platform. It is equally important to have the software up to date.<\/p>\n Improper server or web application configuration leading to various flaws:<\/p>\n All of your data could be stolen or modified slowly over time.<\/p>\n Current application security architectures do not follow security by default. On the contrary, programmers must apply security measures to avoid access to private or confidential resources.<\/p>\n Cross-site Scripting (XSS) is a client-side code\u00a0injection attack<\/a>. An attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code. The web page or web application becomes a vehicle to deliver the malicious script to the user\u2019s browser. Vulnerable vehicles that are commonly used for Cross-site Scripting attacks are forums, message boards, and web pages that allow comments.<\/p>\n A web page or web application is vulnerable to XSS if it uses unsanitized user input in the output that it generates. This user input must then be parsed by the victim\u2019s browser. XSS attacks are possible in VBScript, ActiveX, Flash, and even CSS. However, they are most common in JavaScript, primarily because JavaScript is fundamental to most browsing experiences.<\/p>\n Most Critical Web Application Security Risks is\u00a0Insecure Deserialization<\/strong>. This vulnerability occurs when untrusted data is used to abuse the logic of an application or application program interface (API).<\/p>\n For example, an attacker may go after an object or data structure, intending to manipulate it for malicious intent. OWASP\u00a0 listed the primary attack types as denial-of-service (DoS) attacks, authentication bypasses and remote code\/command execution attacks, where attackers manipulate arbitrary code upon it being deserialized.<\/p>\n To fully understand insecure deserialization is we must understand both what serialization and deserialization are first. This blog will illustrate what both are in detail, as well as what insecure deserialization means, the impact of it on applications, and best practices to prevent it. We\u2019ll then cover some solutions for preventing insecure deserialization.<\/p>\n These days, even simple websites such as personal blogs have a lot of\u00a0dependencies<\/em>.<\/p>\n We can all agree that failing to update every piece of software on the backend and frontend of a website will, without a doubt, introduce heavy security risks sooner rather than later.<\/p>\n For example, our\u00a0hacked website report for 2017<\/a>\u00a0has a dedicated section around outdated CMSs. This report shows that at the time of the infection:<\/p>\n The question is, why aren\u2019t we updating our software on time? Why is this still such a huge problem today?<\/p>\n There are some possibilities, such as:<\/p>\n This might be a little too dramatic, but every time you disregard an update warning, you might be allowing a now known vulnerability to survive in your system. Trust me, cybercriminals are quick to investigate software and update changelogs.<\/p>\n Whatever the reason for running out-of-date software on your web application is, you can\u2019t leave it unprotected. Both Sucuri and OWASP recommend\u00a0virtual patching<\/a>\u00a0for the cases where patching is not possible.<\/p>\n Virtual patching affords websites that are outdated (or with known vulnerabilities) to be protected from attacks by preventing the exploitation of these vulnerabilities on the fly. This is usually done by a\u00a0firewall<\/a>\u00a0and an intrusion detection system.<\/p>\n Logging and monitoring go hand in hand. There is little point in having adequate logs if they are not adequately monitored.<\/p>\n The problem of insufficient logging and monitoring covers the entire IT infrastructure and not just the internet-facing web application \u2013 as does the solution. For that reason, we will not limit this discussion to just logging and monitoring web apps.<\/p>\n One of the primary problems is that there are so many logs \u2013 almost all contemporary systems generate their logs. Log management thus becomes a major problem. By the time that all the different logs are gathered together and preferably collated, the sheer size of the data set becomes too large to effectively monitor manually.<\/p>\n The solution is in increased automation of the process. For example, some access control systems can be given their own monitoring rules. Log-on rules can be set to allow a predefined number of log-on attempts per session. The system logs the attempts, and then blocks access from that IP, either for a predefined period or indefinitely. Such systems will also likely alert the security team that something not right is happening.<\/p>\n Open Web Application Security (OWASP) is a non-profit organization but a global goal for software security. The objective is to inform individuals and companies related to the security of information systems. The organization operates as a community of like-minded professionals. Everyone is free to join the community, which today has more than 45,000 members.\u00a0 Each year OWASP publishes a ranking that identifies the most critical security vulnerabilities.OWASP provides a tremendous number of free resources dedicated to improving organizations\u2019 application security posture. One of their best-known projects is the OWASP Top 10 project, which provides consensus guidance on what are considered to be the ten most significant application security risks. The OWASP Top 10 is available at https:\/\/www.owasp.org\/index.php\/Category:OWASP_Top_Ten_Project<\/a><\/p>\n OWASP offers a development guide for Web applications, which contains the best practices to adopt during the development phase of a Web project. Tools are also made available to users to perform audits of their site.<\/p>\n OWSAP Org<\/span><\/a><\/p>\n IEEE related paper<\/span><\/a><\/p>\n Elsevier CISSP guide<\/span><\/a><\/p>\nWHAT IS THE OWASP?<\/h2>\n
THE OWASP TOP 10 LIST CONSISTS OF THE 10 MOST SEEN APPLICATION VULNERABILITIES:<\/h3>\n
1-SQL Injection<\/h4>\n
![\"owasp](\"https:\/\/portswigger.net\/web-security\/images\/sql-injection.svg\")
<\/p>\n2-BROKEN AUTHENTICATION<\/h4>\n
\n
![\"owasp](\"https:\/\/image.slidesharecdn.com\/14-owasptop10-a2-brokenauthenticationandsessionmanagement-151110152317-lva1-app6892\/95\/14-owasp-top-10-a2broken-authentication-and-session-management-2-638.jpg?cb=1447169416\")
<\/p>\n3-SENSITIVE DATA EXPOSURE<\/h4>\n
![\"owasp](\"https:\/\/miro.medium.com\/max\/1105\/1*74LLez2daWXSvhSR0encrQ.jpeg\")
4-XML EXTERNAL ENTITIES (XXE)<\/u><\/h4>\n
![\"XML](\"https:\/\/3.bp.blogspot.com\/-uxiNV_sv-0U\/V920efobZOI\/AAAAAAAAFnE\/eYC8jc7lqtsuBSPmARxNEq33-Lhagc34QCLcB\/s1600\/XXE.png\")
<\/p>\n5-Broken Access control<\/h4>\n
\n
\n
\n
\n
\n
![\"Broken](\"https:\/\/3.bp.blogspot.com\/-mq2e4PZxafw\/XGmJclHh3VI\/AAAAAAAAAWs\/1fgQN8sGb9wuYuYuA4wgDEKS6_t3gsdhACLcBGAs\/w1200-h630-p-k-no-nu\/A5%2B%25E2%2580%2593%2BBroken%2BAccess%2BControl.png\")
6-Security misconfigurations<\/h4>\n
\n
\n
\n
\n
![\"Security](\"https:\/\/i.ytimg.com\/vi\/iSYD7vOlSJs\/maxresdefault.jpg\")
<\/p>\n7-Cross-Site Scripting (XSS)<\/h4>\n
![\"Cross-Site](\"https:\/\/portswigger.net\/web-security\/images\/cross-site-scripting.svg\")
<\/p>\n8-Insecure Deserialization<\/h4>\n
9-Using Components with known vulnerabilities<\/h4>\n
\n
\n
![\"using](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2017\/01\/owsap.png?resize=515%2C327&ssl=1\")
10-Insufficient logging and monitoring<\/h4>\n
conclusion:<\/h2>\n