Cyber security

Pages
14
Uploaded on
20-09-2023
Written in
2023/2024

Providing information regarding cyber security as deep as I know; probably this is a chapter I will update soon.

UNIT-3
Open Web Application Security Project (OWASP)
I) What is OWASP:
The Open Web Application Security Project (OWASP) is a non-profit organization
founded in 2001, with the goal of helping website owners and security experts protect web
applications from cyber attacks. OWASP has 32,000 volunteers around the world who perform
security assessments and research.
The OWASP Top 10 is a standard awareness document for developers and web
application security. The primary aim of the OWASP Top 10 is to educate developers,
designers, architects and organizations about the consequences of the most common web
application security vulnerabilities. The Top 10 provides basic methods to protect against these
vulnerabilities.
The following are the OWASP Top 10 vulnerabilities:
1) Injection: Injection occurs when an attacker exploits insecure code to insert (or inject) their
own code into a program. Examples of injection include SQL injections, command injections,
CRLF injections, and LDAP injections.
2) Broken Authentication: Incorrectly implemented authentication and session management
calls can be a huge security risk.
3) Sensitive Data Exposure: Applications commonly use APIs that allow developers to connect
their application to third-party services. However, some APIs rely on insecure data transmission
methods, which attackers can exploit to gain access to usernames, passwords, and other sensitive
information.
4) XML External Entities: This risk occurs when attackers are able to upload or include
hostile XML content due to insecure code, integrations, or dependencies.
5) Broken Access Control: If authentication and access restriction are not properly
implemented, it's easy for attackers to take whatever they want. Unauthorized users may have
access to sensitive files and systems, or even to user privilege settings.
6) Security Misconfiguration: security controls that are inaccurately configured or left
insecure, putting your systems and data at risk. Basically, any poorly documented configuration
change, default setting, or technical issue across any component in your endpoints could
lead to a misconfiguration.
7) Cross-site Scripting (XSS): a client-side code injection attack. The attacker aims to
execute malicious scripts in the victim's web browser by including malicious code in a
legitimate web page or web application.
8) Insecure Deserialization: occurs when user-controllable data is deserialized by a
website. This potentially enables an attacker to manipulate serialized objects in order to
pass harmful data into the application code.




Prepared by ULN KUMAR, ASCS, KAKINADA

9) Using Components with Known Vulnerabilities: Components such as libraries, frameworks,
and other software modules run with the same privileges as the application. If a vulnerable
component is exploited, an attack can facilitate severe data loss or server takeover.
10) Insufficient Logging and Monitoring: This vulnerability occurs when security-critical
events are not logged properly and the system is not monitored.
II) OWASP Top 10 Vulnerabilities:
i) Injection Flaw: Injection flaws occur when an attacker can send hostile data to an
interpreter. Injection flaws are very prevalent, particularly in legacy code. Injection
vulnerabilities are often found in SQL, LDAP, XPath, or NoSQL queries, OS commands, XML
parsers, SMTP headers, expression languages, and ORM queries.
An application is vulnerable to attack when:
• User-supplied data is not validated, filtered, or sanitized by the application.
• Dynamic queries or non-parameterized calls without context-aware escaping are
used directly in the interpreter.
• Hostile data is used within object-relational mapping (ORM) search parameters to
extract additional, sensitive records.
• Hostile data is directly used or concatenated, such that the SQL or command
contains both structure and hostile data in dynamic queries, commands, or stored
procedures.
Example Attack Scenarios:
Scenario #1: An application uses untrusted data in the construction of the following vulnerable
SQL call:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "' ";
Scenario #2: Similarly, an application’s blind trust in frameworks may result in queries that
are still vulnerable, (e.g. Hibernate Query Language (HQL)):
Query HQLQuery = session.createQuery("FROM accounts WHERE custID='" +
request.getParameter("id") + "'");
In both cases, the attacker modifies the ‘id’ parameter value in their browser to send.
This changes the meaning of both queries to return all the records from the accounts table.
More dangerous attacks could modify or delete data.
How to Prevent:
• The preferred option is to use a safe API, which avoids the use of the interpreter
entirely or provides a parameterized interface, or to migrate to Object-Relational
Mapping tools (ORMs).
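To make the difference between Scenario #1 and the parameterized fix concrete, here is an added example (not from these notes) that builds a constructed in-memory accounts table with sqlite3 and runs the same lookup both ways. The column and table names follow the page's query; the account rows are made up.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the page's "accounts" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("1001", "alice"), ("1002", "bob"), ("1003", "carol")],
    )
    return conn


def lookup_vulnerable(conn, cust_id):
    # Mirrors Scenario #1: the request parameter is pasted into the SQL text,
    # so the input can change the structure of the statement, not just its data.
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, cust_id):
    # The page's preferred fix: a parameterized interface. The value is bound by
    # the driver, so quotes or SQL keywords in it are only ever treated as data.
    return conn.execute(
        "SELECT * FROM accounts WHERE custID=?", (cust_id,)
    ).fetchall()


def compare(cust_id):
    # Returns (vulnerable_result, parameterized_result) for the same input.
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, cust_id)
    except sqlite3.Error as exc:
        # A single quote in the input already breaks the hand-built statement:
        # proof that the input reached the parser as SQL, not as a value.
        vuln = "error: " + str(exc)
    safe = lookup_parameterized(conn, cust_id)
    return vuln, safe


if __name__ == "__main__":
    print(compare("1002"))   # both paths return only bob's row
    print(compare("10'02"))  # concatenation errors; parameterized returns []
```

The parameterized lookup returns an empty list for the quoted input because the quote is just another character of the bound value, which is exactly the property the "How to Prevent" bullet relies on.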
Type
Class notes
Professor(s)
Satish