The primary purpose of the OWASP Top Ten Risks is to make developers, designers, architects, managers, and business organizations aware of the consequences of the most serious web application security vulnerabilities.
A1—Injection: The attacker supplies malicious data in order to have arbitrary commands executed in the web server environment. The best-known variants are SQL, XML and LDAP injection. In the application, escaping specific characters in user input prevents the malicious data from being injected.
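To make the A1 remedy concrete, here is an added example (not code from the page) using Python's built-in sqlite3 module with a constructed in-memory table. It shows the vulnerable string-building query, the page's escaping approach (doubling single quotes, which is the SQL literal escape), and the parameterized query that modern drivers provide; parameterization is the stronger choice because the driver keeps data and query text apart instead of relying on the escaping being complete for every context.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a constructed in-memory sample database (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("root", 1)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: user input is concatenated straight into the SQL text,
    so quote characters in the input change the query's structure."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def escape_sql_literal(value: str) -> str:
    """The page's remedy: escape the one metacharacter that can break out of
    a single-quoted SQL string literal (SQL escapes ' as '')."""
    return value.replace("'", "''")


def find_user_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Mitigated by escaping: the input can no longer terminate the literal."""
    sql = "SELECT name FROM users WHERE name = '" + escape_sql_literal(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Preferred: a parameterized query. The value is bound by the driver and
    is never parsed as SQL, whatever characters it contains."""
    return [
        row[0]
        for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    ]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote
    print("vulnerable:", find_user_vulnerable(db, probe))
    print("escaped:   ", find_user_escaped(db, probe))
    print("safe:      ", find_user_safe(db, probe))
```

Running the block shows the vulnerable version returning every row for the quoted input, while both the escaped and the parameterized versions return nothing, because no user is literally named that string.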
A2—Cross-Site Scripting (XSS): The application outputs user input directly to the web browser without proper validation; once the browser executes that input, the result may be session hijacking, cookie theft or corruption of web site data. In applications, cross-site scripting can be prevented by escaping untrusted metacharacters in HTML, JavaScript, or CSS output.
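The A2 remedy depends on escaping for the context the data lands in. The following added example (not from the page) uses only the Python standard library and shows a constructed comment-rendering function in its vulnerable form beside a corrected form that escapes separately for HTML text, HTML attribute and JavaScript string contexts; the contexts and the markup are assumptions for illustration.

```python
import html
import json


def escape_html_text(value: str) -> str:
    """Escape for HTML element content: & < > become entities."""
    return html.escape(value, quote=False)


def escape_html_attr(value: str) -> str:
    """Escape for a quoted HTML attribute value: also neutralise " and '
    so the input cannot close the attribute and start a new one."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Produce a JavaScript string literal for use inside <script>.
    json.dumps handles quotes and backslashes; < > & are additionally
    written as \\uXXXX so the text can never form a closing </script> tag."""
    literal = json.dumps(value)
    return (
        literal.replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_comment_vulnerable(author: str, text: str) -> str:
    """Vulnerable: untrusted values are interpolated into markup unchanged."""
    return (
        f'<div class="comment" data-author="{author}"><p>{text}</p></div>'
        f"<script>var lastAuthor = \"{author}\";</script>"
    )


def render_comment_safe(author: str, text: str) -> str:
    """Safe: each value is escaped for the exact context it is placed in."""
    return (
        f'<div class="comment" data-author="{escape_html_attr(author)}">'
        f"<p>{escape_html_text(text)}</p></div>"
        f"<script>var lastAuthor = {escape_js_string(author)};</script>"
    )


if __name__ == "__main__":
    # Constructed sample input: ordinary text that happens to contain markup.
    print(render_comment_vulnerable('x" onmouseover="alert(1)', "<b>hi</b>"))
    print(render_comment_safe('x" onmouseover="alert(1)', "<b>hi</b>"))
```

The point of three separate helpers is that one escaping routine is not enough: an attribute needs quotes escaped, element text does not, and a script block needs the Unicode escapes because HTML entities are not decoded inside `<script>`.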
A3—Broken Authentication and Session Management: Using insecure authentication and session management procedures may result in hijacked user accounts or predictable session tokens. Developing a robust authentication and session management scheme prevents such attacks. We strongly recommend using encryption, hashing, and secure data connections based on SSL or TLS.
A4—Insecure Direct Object Reference: If the application exposes direct references to its internal objects without verifying them properly, an attacker may manipulate those references and access unauthorized data. Such an internal object may be a parameter value, a file name, or a directory belonging to a user account. Restricting the internal objects any user can reach, and completing an access control check before each access, ensures that every access to a referenced object is verified.
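Two of the A4 defences can be shown side by side. The added example below (not code from the page) uses a constructed invoice store: the vulnerable lookup trusts the id from the request, the first fix performs an ownership check before returning the object, and the second fix goes further and hands the client only opaque per-session handles (an indirect reference map) so the real ids never appear in requests at all. Invoice fields, the `Forbidden` exception and the session map are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: int


# Constructed sample data: two users, one invoice each.
INVOICES = {
    101: Invoice(id=101, owner_id=1, amount=250),
    102: Invoice(id=102, owner_id=2, amount=999),
}


class Forbidden(Exception):
    """Raised when the current user may not access the requested object."""


def get_invoice_vulnerable(invoice_id: int) -> Invoice:
    """Vulnerable: any authenticated user can fetch any invoice by changing
    the id in the request."""
    return INVOICES[invoice_id]


def get_invoice_safe(current_user_id: int, invoice_id: int) -> Invoice:
    """Fix 1: verify ownership before returning the object. A missing object
    and a foreign object get the same response so ids cannot be enumerated."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        raise Forbidden("no such invoice for this user")
    return invoice


class ReferenceMap:
    """Fix 2: per-session indirect references. The client only ever sees
    random handles; the server maps them back to real ids."""

    def __init__(self) -> None:
        self._handles: dict[str, int] = {}

    def handle_for(self, real_id: int) -> str:
        for handle, rid in self._handles.items():
            if rid == real_id:
                return handle
        handle = secrets.token_urlsafe(8)
        self._handles[handle] = real_id
        return handle

    def resolve(self, handle: str):
        return self._handles.get(handle)


def list_my_invoices(current_user_id: int, refmap: ReferenceMap) -> list:
    """Return handles only for objects the user is allowed to see."""
    return [
        refmap.handle_for(inv.id)
        for inv in INVOICES.values()
        if inv.owner_id == current_user_id
    ]


def get_invoice_by_handle(current_user_id: int, refmap: ReferenceMap, handle: str) -> Invoice:
    """Resolve the handle and still re-check ownership (defence in depth)."""
    real_id = refmap.resolve(handle)
    if real_id is None:
        raise Forbidden("unknown reference")
    return get_invoice_safe(current_user_id, real_id)


if __name__ == "__main__":
    session_map = ReferenceMap()
    handles = list_my_invoices(1, session_map)
    print("user 1 sees handles:", handles)
    print("resolved:", get_invoice_by_handle(1, session_map, handles[0]))
```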
A5—Cross-Site Request Forgery (CSRF): An authenticated user's browser is made to send forged HTTP requests to a vulnerable web application. Because these malicious requests are executed within a legitimate user session, the application cannot tell them apart from genuine ones. Generating an unpredictable token for every user session and requiring that token with every HTTP request reduces the harm of CSRF attacks.
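The per-session token described for A5 can be implemented without server-side token storage by binding an HMAC to the session id. The added example below (not from the page) does exactly that with the standard library: the token is a random nonce plus an HMAC over the session id and nonce, and a constructed request handler refuses state-changing methods that lack a valid token. The secret key, request shape and method list are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment loads a per-instance secret.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _mac(key: bytes, session_id: str, nonce: str) -> str:
    return hmac.new(key, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()


def make_csrf_token(key: bytes, session_id: str) -> str:
    """Issue a token tied to this session: '<nonce>.<hmac(session_id, nonce)>'.
    A token stolen from one session is useless in another."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(key, session_id, nonce)}"


def verify_csrf_token(key: bytes, session_id: str, token) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, submitted_mac = token.split(".", 1)
    return hmac.compare_digest(_mac(key, session_id, nonce), submitted_mac)


def handle_request(key: bytes, request: dict) -> tuple:
    """Constructed request handler. `request` carries 'method', 'session_id'
    and an optional 'form' dict; returns (status_code, body)."""
    if request["method"].upper() in STATE_CHANGING_METHODS:
        token = request.get("form", {}).get("csrf_token")
        if not verify_csrf_token(key, request["session_id"], token):
            return 403, "CSRF token missing or invalid"
    return 200, "ok"


if __name__ == "__main__":
    token = make_csrf_token(SECRET_KEY, "sess-A")
    good = {"method": "POST", "session_id": "sess-A", "form": {"csrf_token": token}}
    forged = {"method": "POST", "session_id": "sess-A", "form": {}}
    print("genuine form post:", handle_request(SECRET_KEY, good))
    print("forged cross-site post:", handle_request(SECRET_KEY, forged))
```

The forged request is rejected because a third-party page can trigger the browser to send the session cookie, but it cannot read the token that the application embedded in its own form.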
A6—Security Misconfiguration: Relying on the default security configuration can leave the application open to many attacks. Deployed applications, web servers, database servers, operating systems, code libraries, and all application-related components must use the best available security configuration. Secure application configuration is achieved through continuous software updates and patching, and through strict security rules for the application environment.
A7—Insecure Cryptographic Storage: Applications that do not cryptographically protect sensitive data (such as medical insurance information, credit card transactions, personal information, authentication details, etc.) fall into this category. Using robust standard encryption or hashing algorithms ensures the security of such data.
A8—Failure to Restrict URL Access: If the web application does not check access to URLs, an attacker may be able to reach unauthorized pages. To solve this problem, appropriate authentication and authorization controls must restrict access to private URLs. At the same time, an appropriate access control policy must be defined for the special users and roles that may access highly sensitive data.
A9—Insufficient Transport Layer Protection: Weak encryption algorithms, invalid security certificates, and inappropriate authentication controls destroy the confidentiality and integrity of data, leaving application data exposed to traffic eavesdropping and tampering. This class of problem is addressed by using the SSL protocol when transmitting all sensitive web pages and by using valid digital certificates issued by a trusted certificate authority.
A10—Unvalidated Redirects and Forwards: Many web applications use dynamic parameters to redirect users or forward them to a specific URL. An attacker can use the same mechanism to craft a malicious URL that sends users to phishing or malware sites, and the same technique can forward requests to unauthorized local pages. To avoid illegal redirection and forwarding, it is enough to validate the parameters in the request and the access rights of the user making it.
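Validating a redirect parameter, as A10 recommends, mostly comes down to deciding what a safe target looks like before handing it to the browser. The added example below (not from the page) is a standard-library check that accepts only same-site relative paths or absolute URLs to an allowlisted host, and falls back to a default page otherwise; it also covers the edge cases that naive string checks miss, such as protocol-relative `//host` targets, non-HTTP schemes, backslashes (which browsers normalise to `/`) and userinfo tricks. The allowlist and default path are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this site may redirect to.
ALLOWED_HOSTS = {"www.example.com"}
DEFAULT_LANDING = "/"


def is_safe_redirect(target) -> bool:
    """Return True only for targets that stay on this site or on an
    allowlisted host."""
    if not isinstance(target, str) or not target:
        return False
    # Control characters can split headers; backslash is treated as '/' by
    # browsers, so "/\\evil.example" would become protocol-relative.
    if any(ord(ch) < 0x20 for ch in target) or "\\" in target:
        return False
    parts = urlsplit(target)
    # Only plain web schemes; rejects javascript:, data:, file:, etc.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute or protocol-relative URL: hostname must be allowlisted.
        # .hostname strips userinfo and port, so "allowed@evil" resolves to evil.
        return parts.hostname is not None and parts.hostname.lower() in ALLOWED_HOSTS
    # No authority part: require a site-relative path with exactly one
    # leading slash ("//" and "///" forms are host-relative in browsers).
    return target.startswith("/") and not target.startswith("//")


def redirect_target(requested, default: str = DEFAULT_LANDING) -> str:
    """What the application should actually send in the Location header."""
    return requested if is_safe_redirect(requested) else default


if __name__ == "__main__":
    # Constructed sample inputs a "next" parameter might carry.
    for candidate in ["/account", "https://www.example.com/home",
                      "//attacker.example/", "javascript:alert(1)",
                      "http://www.example.com@attacker.example/", "/\\attacker.example"]:
        print(f"{candidate!r:45} -> {redirect_target(candidate)}")
```

Pairing this check with the page's other recommendation, verifying that the requesting user is allowed to reach the forwarded-to page, closes the internal forwarding case as well.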