Posted on March 8, 2018
OWASP zeroes in on major issues that leave websites open to attackers
According to the Open Web Application Security Project (OWASP), a worldwide not-for-profit organization focused on improving the security of software, there are a number of security issues that threaten websites today – with the Top 10 listed below:
1. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection – These occur when an attacker sends untrusted data to an interpreter as part of a command or query, tricking the interpreter into executing unintended commands or accessing data without proper authorization.
2. Broken Authentication – Items related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. 3. Sensitive Data Exposure – When web applications and APIs fail to protect sensitive data, such as financial, healthcare, and PII, attackers may steal or modify that data to conduct credit card fraud, identity theft, or other crimes. 4. External Entities (XXE) – When older or poorly configured XML processors are used to evaluate external entity references within XML documents, external entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. 5. Broken Access Control – Restrictions on what users are allowed to do are often not properly enforced, allowing attackers to exploit these flaws to access unauthorized functionality and/or data. 6. Security Misconfiguration – The most commonly seen issue, this is often a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. 7. Cross Site Scripting (XSS) – When XSS flaws occur, attackers are able to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites. 8. Insecure Deserialization – These flaws can be used to perform replay attacks, injection attacks, and privilege escalation attacks, among others, and are sometimes executed remotely. 9. Using Components with Known Vulnerabilities – If a vulnerable component – such as a library, framework, or other software module, is exploited, such an attack can facilitate serious data loss or server takeover. 10. Insufficient Logging and Monitoring – This, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. At Korcomptenz, we will work with your company to install the proper safeguards that address these security issues and minimize exposure. KORCOMPTENZ can help you put programs in place that address both the most common and obscure threats that leave companies at the mercy of attackers, leaving you less vulnerable to fraud, data loss and other crippling issues.