The OWASP Top 10 is a list of the 10 most common web application security risks. By writing code and performing robust testing with these risks in mind, developers can create secure applications that keep their users’ confidential data safe from attackers.
What Is OWASP?
OWASP, or the Open Web Application Security Project, is a nonprofit organization focused on software security. Their projects include several open-source software development programs and toolkits, local chapters, and conferences, among other things. One of their projects is the maintenance of the OWASP Top 10, a list of the top 10 security risks faced by web applications.
A Guide to OWASP Top 10 Testing
Testing for OWASP vulnerabilities is a crucial part of secure application development. The sheer number of risks and potential fixes can seem overwhelming but are easy to manage if you follow a few simple steps:
- Build security into your development process, rather than making it an afterthought
- Test your code against security standards repeatedly throughout the development
- Use IDE and CI Pipeline integrations to automate testing
- Identify known vulnerabilities in third-party code to ensure your program does not rely on insecure dependencies
OWASP Top 10 Vulnerabilities
So, what are the top 10 risks according to OWASP? We break down each item, its risk level, how to test for them, and how to resolve each.
1. Broken Access Control
If authentication and access restriction are not properly implemented, it's easy for attackers to take whatever they want. With broken access control flaws, unauthenticated or unauthorized users may have access to sensitive files and systems or even user privilege settings.
Configuration errors and insecure access control practices are hard to detect as automated processes cannot always test for them. Weak access controls and issues with credentials management are preventable with secure coding practices, as well as preventative measures like locking down administrative accounts and controls and using multi-factor authentication.
Mitigating Broken Access Control
- Deny access by default, except for public resources
- Build strong access control mechanisms and reuse them across the application
- Disable server directory listing and do not store sensitive data in the root
- Rate limit API and controller access
- Validate JWT tokens after logout
- Always perform authorization checks on any operations that are only available to logged-in users. This includes the page (for example, allowing you to update details), as well as the destination of the form submitted.
- There are popular RBAC (Role-Based Access Control) packages that can be used with Laravel allowing you to manage user permissions and roles. You can also use Laravel’s built-in authorization services.
2. Cryptographic Failures
This is also known as information disclosure or information leakage. This usually occurs when an application or website unknowingly discloses sensitive data to users who do not have the privilege of view or access.
According to OWASP, these are some of the information that may get leaked to the public:
- Financial information
- Login credentials
- Commercial or business data
- Health record
- Technical details about the application or website.
Sensitive Data Exposure Mitigation:
- Always identify and classify which data is sensitive according to the privacy laws and the regulatory requirements.
- Immediately remove any data that is not needed to be stored. If you are going to store any sensitive data, make sure it is encrypted at rest. Instead, use Laravel’s built-in encryption functions that use OpenSSL to provide AES-256 and AES-128 encryption.
- Use proper key management.
- Make sure you encrypt all data in transit with security protocols such as TLS and SSL.
- You can enforce encryption on your application simply by using HTTP Strict Transport Security (HSTS).
- Do not cache and store sensitive data unnecessarily.
- Always store passwords with different encryption methods. Laravel supports both Bcrypt and Argon2 by default.
- Ensure you serve the entire application over HTTPS with a TLS certificate. If users try to access the HTTP equivalent, redirect them to the secure route instead and make use of HSTS headers.
Store image Mitigation:
- Never trust user-uploaded files. If these uploaded files are not validated or handled correctly, they can allow access to your entire system. The OWASP Unrestricted File Upload page includes several
- For files, use automatically generated file names or a hashed folder structure to prevent enumeration.
- Setting a minimum and maximum file upload size.
- Limiting the number of simultaneous file uploads.
- Only allow specific file types by checking their MIME.
- Rename all files upon upload.
- Upload files to a non-public directory or third-party object storage like AWS S3.
3. Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Preventing Injection Attacks
- Use a safe API that avoids the use of the interpreter entirely
- Use positive or “whitelist” server-side input validation
- Escape special characters
- Making use of Stored Procedures.
- Make sure you are escaping all user-supplied input.
- Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
4. Insecure Design
Insecure Design is a category of weaknesses that originate from missing or ineffective security controls. Some applications are built without security in mind. Others do have a secure design but have implementation flaws that can lead to exploitable vulnerabilities.
By definition, an insecure design cannot be fixed by proper implementation or configuration. This is because it is lacking basic security controls that can effectively protect against important threats.
Preventing insecure design
- Establish a secure software development lifecycle (SSDLC)
- Leverage application security practices from the early stages of software development
- Create a library of secure design patterns, and use it to build new applications
- Leverage threat modeling to design critical features like authentication and access control
- Integrate security concerns and controls into all user stories
5. Security Misconfiguration
Security misconfigurations are security controls that are inaccurately configured or left insecure, putting your systems and data at risk. Any poorly documented configuration changes, default settings, or a technical issue across any component in your endpoints could lead to a misconfiguration.
Security misconfigurations can be prevented by changing default webmaster or CMS settings, removing unused code features, and controlling user comments and user information visibility. Developers should also remove unnecessary documentation, features, frameworks, and samples, segment application architecture, and automate the effectiveness of web environment configurations and settings.
How to Prevent
- Keep all server software and any dependencies in your web application up to date.
- Disable directory listing for your web server.
- Disable debugging on production servers. Even on staging servers, debugging can reveal sensitive server information by outputting all your environment variables. Make use of the debug_hide app configuration option in Laravel to prevent this.
6. Vulnerable and Outdated Components
This vulnerability results from a developer using a component, framework, library, or some dependencies that already have a known vulnerability that may compromise the entire system.
When such components are executed with full privileges and it’s vulnerable, this will make the exploitation from an intruder very easy, which may cause some serious data loss or server takeover.
Components with Known Vulnerability Mitigation:
- Always remove any unused dependencies, unnecessary features, components, and files. This will reduce the potential number of attack entry points
- Ensure you keep all dependencies up to date.
- Always obtain your application components from approved and official sources with secure links. This will reduce the chance of including any malicious component in your application.
- Always check and avoid frameworks, libraries, and components that are not maintained and do not have security patches for older versions.
- Always use library scanners to test for any vulnerabilities in the application packages you are using.
- Subscribe to security bulletins and include a security scanner (such as Snyk) as part of your CI/CD pipeline.
- Consider using an LTS (Long Term Support) version of Laravel rather than the latest version. LTS versions receive security fixes for three years rather than the one year for non-LTS releases.
7. Identification and Authentication Failures
Identification and Authentication Failures, previously known as Broken Authentication, this category now also includes security problems related to user identities. Confirming and verifying user identities, and establishing secure session management, is critical to protect against many types of exploits and attacks.
Mitigating Broken Authentication
- Implement multi-factor authentication to prevent brute-forcing and credential theft.
- Do not deploy systems with default credentials
- Check for a list of the top 10,000 worst passwords
- Harden all authentication-related processes like registration and credential recovery
- Limit or delay failed login attempts
- Make use of a captcha.
- Blocking multiple requests coming from the same IP.
- Making the admin login page inaccessible to the public.
- Never commit any default login details or sensitive API credentials to your code repository. Maintain these settings in the .env file in the project root.
- Configure sessions securely: they should be sent over HTTPS only and never display in your application. The secure setting can be enabled in the session.php config file of your Laravel application.
8. Software and Data Integrity Failures
Software and Data Integrity Failures involve code and infrastructure that are vulnerable to integrity violations. This includes software updates, modification of sensitive data, and CI/CD pipeline changes performed without validation. An insecure CI/CD pipeline can lead to unauthorized access, the introduction of malware, and other severe vulnerabilities.
There is a global concern around applications with automatic updates. In several cases, attackers broke into the supply chain and created their own malicious updates. Thousands of organizations were compromised by downloading updates and applying these malicious updates to previously trusted applications, without integrity validation.
Preventing software and data integrity failures
- Use digital signatures or similar mechanisms to verify software or data is from the expected source and has not been altered.
- Ensure libraries and dependencies, such as npm or maven, are pulling from trusted repositories
- Establish a review process for code and configuration changes
- Ensure that your CI/CD pipeline has proper configuration and access controls
9. Security Logging and Monitoring Failures
Security Logging and Monitoring Failures, previously named “Insufficient Logging and Monitoring”, involve weaknesses in an application’s ability to detect security risks and respond to them. Breaches cannot be detected without logging and monitoring. Failures in this category affect visibility, alerting, and forensics.
Preventing security logging and monitoring failures
- Ensure login, access control, and server-side input validation is logged
- Ensure logs contain enough context to identify suspicious behavior and enable in-depth forensic analysis.
- Ensure logs are in a format compatible with log management solutions
- Take measures to prevent attackers from tampering with log data
- When it comes to your application and server, log everything, including failed login attempts and password resets.
- Make sure the audit log does not store your password and any other sensitive content, as this is very risky.
10. Server-Side Request Forgery
SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).
As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.
Mitigating Server-Side Request Forgery
- It is common to apply regular expressions and simple blacklists to user input, to mitigate SSRF and similar attacks. However, generally speaking, blacklists are an ineffective method of security control. Attackers can easily discover ways to get around them. For example, a cybercriminal may employ a wildcard DNS service, an HTTP redirect, or an alternate IP encoding.
- Whitelists and DNS Resolution
- Response Handling
- Disable Unused URL Schemas
- Authentication on Internal Services
- Imperva SSRF Protection
Wrapping Up:
Are you an entrepreneur or business owner and app/website security is your top concern? Look no further, you are at the right place, iRoid Solution is your one-stop solution for all your application development and security problems. Let's connect and discuss how we can develop your application/website with top security measures
Recent Blog Posts
Get in Touch With Us
If you are looking for a solid partner for your projects, send us an email. We'd love to talk to you!