OWASP Top 10 - 2013
In Top 10 OWASP Vulnerabilities (Part 1), we covered how the Open Web Application Security Project benefits the technology community and walked through the top 5 web vulnerabilities to prepare for. This continuation covers vulnerabilities 6 through 10 and explains how addressing them creates long-lasting benefits for your organization.
6) Sensitive Data Exposure
Many web applications do not correctly protect sensitive data such as credit card numbers, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection: encryption at rest and in transit, and special precautions when it is exchanged with the browser. Passwords are a special case: they should never be stored encrypted or in the clear, but as salted, deliberately slow hashes, so that a stolen database does not hand the attacker every account.
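The credential case in working code, as an added example that is not part of the original article: the fast unsalted digest that a breached database gives away beside a salted, slow PBKDF2 record that stores its own parameters so the work factor can be raised later. The record format, function names and the 600,000-iteration default (the figure the OWASP Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256) are this example's own choices.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not from the original article: password storage that survives
# a database breach. Record format and names are this example's own choices.

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256


def weak_hash(password: str) -> str:
    """The anti-pattern: a fast, unsalted digest.

    Identical passwords produce identical values, so one cracked hash unlocks every
    user with that password, and precomputed tables / GPU brute force apply directly.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, slow hash. Returns a self-describing record so the parameters can be
    raised later without a schema change: algo$iterations$salt$digest."""
    salt = secrets.token_bytes(16)  # unique per password; stored next to the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iterations_s, salt_b64, digest_b64 = stored.split("$")
        if algo != ALGO:
            return False
        iterations = int(iterations_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # malformed record (binascii.Error is a ValueError subclass)
        return False
    if iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record predates the current work factor. Call after a successful
    login and rewrite the record with hash_password() while the plaintext is in hand."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True
```

Two details matter in practice: the salt makes two users with the same password produce different records, and the iteration count lives in the record, so old rows can be upgraded transparently at next login instead of forcing a reset.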
7) Missing Function Level Access Control
Almost all web applications verify function-level access rights before making that functionality visible in the user interface. However, applications also need to perform the same access control checks on the server each time a function is invoked. If requests are not verified, attackers can forge requests (by typing a URL the menu never offered them, for example) to reach functionality without proper authorization.
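The difference between hiding a link and enforcing access, as an added example that is not part of the original article. The routes, roles and in-memory handlers stand in for a real framework's router; the point is that the hardened dispatcher consults the policy on every call and denies by default, so an endpoint that was never added to the policy stays unreachable.

```python
from dataclasses import dataclass, field

# Added example, not from the original article. Route names, roles and the
# in-memory handlers are constructed stand-ins for a real web framework.


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


# Which roles may invoke each function. Anything not listed here is denied.
ROUTE_POLICY = {
    "/account": {"user", "admin"},
    "/reports/export": {"analyst", "admin"},
    "/admin/users": {"admin"},
}

# The functions themselves. Note the forgotten endpoint with no policy entry.
HANDLERS = {
    "/account": lambda user: f"account settings for {user.name}",
    "/reports/export": lambda user: "quarterly_report.csv",
    "/admin/users": lambda user: "alice,bob,carol",
    "/debug/dump-config": lambda user: "db_password=example-only",
}


def render_menu(user: User) -> list:
    """UI-side filtering: show only links the user is entitled to use.
    This is cosmetic. It tells the user what exists; it does not stop a request."""
    return [path for path, roles in ROUTE_POLICY.items() if user.roles & roles]


def dispatch_insecure(user: User, path: str):
    """The vulnerable pattern: the server assumes that only links shown in the
    menu will ever be requested, so it never re-checks on invocation."""
    handler = HANDLERS.get(path)
    if handler is None:
        return 404, "not found"
    return 200, handler(user)


def dispatch(user: User, path: str):
    """Server-side enforcement on every call, with default deny."""
    allowed_roles = ROUTE_POLICY.get(path)
    if allowed_roles is None:
        # No policy entry: refuse even if a handler exists. Answering 404 avoids
        # confirming that the unlisted endpoint is real.
        return 404, "not found"
    if not (user.roles & allowed_roles):
        # Worth logging: a request for a function the UI never offered this user
        # is a strong signal of forged requests.
        return 403, "forbidden"
    return 200, HANDLERS[path](user)
```

The same rule applies whether the "function" is a URL, an API method, or a form action: the role check runs where the code runs, not where the link is drawn.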
8) Cross-Site Request Forgery
A Cross-Site Request Forgery (CSRF) attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This lets the attacker make the victim's browser generate requests that the vulnerable application treats as legitimate. The standard defence is a secret token that the attacker's page cannot read: the application issues it to the session, embeds it in its own forms, and rejects any state-changing request that does not carry it.
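The synchronizer-token pattern in working code, as an added example that is not part of the original article. The session store, the Request object and the origin "https://bank.example" are constructed stand-ins for a real framework. The forged request carries the victim's cookie (the browser attaches it automatically) but not the token, because the same-origin policy stops the attacker's page from reading the form that contains it.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Added example, not from the original article: the synchronizer-token pattern.
# Session store, request object and origin are constructed stand-ins.

APP_ORIGIN = "https://bank.example"
SESSIONS = {}  # session_id -> {"user": ..., "csrf_token": ...}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and mint one unguessable CSRF token for its lifetime."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_transfer_form(session_id: str) -> str:
    """The legitimate page embeds the token. An attacker's page cannot read this
    response cross-site, so it cannot copy the token into its forged form."""
    token = SESSIONS[session_id]["csrf_token"]
    return (f'<form method="post" action="{APP_ORIGIN}/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def _do_transfer(session: dict, form: dict):
    return 200, f"{session['user']} sent {form.get('amount')} to {form.get('to')}"


def handle_transfer_insecure(req: Request):
    """Vulnerable: trusts the cookie alone. The browser attaches it to a
    cross-site POST too, so an attacker's page can move the victim's money."""
    if req.method != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    return _do_transfer(session, req.form)


def handle_transfer(req: Request):
    """Hardened: the request must carry the token issued to this session, and a
    cross-site Origin header is rejected as defence in depth."""
    if req.method != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    origin = req.headers.get("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return 403, "cross-site origin"
    submitted = str(req.form.get("csrf_token", ""))
    # Compare as bytes in constant time; str comparison would raise on non-ASCII input.
    if not hmac.compare_digest(submitted.encode("utf-8"),
                               session["csrf_token"].encode("utf-8")):
        return 403, "missing or invalid CSRF token"
    return _do_transfer(session, req.form)
```

The Origin check alone is not sufficient (older clients and some proxies omit the header), which is why the handler treats a missing Origin as neutral and still requires the token. Marking the session cookie SameSite=Lax or Strict adds a third layer on modern browsers.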
9) Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, almost always run with the full privileges of the application that loads them. If a vulnerable component is exploited, the attack can lead to serious data loss or server takeover. Applications that use components with known vulnerabilities undermine their own defences and open the door to a range of attacks and impacts. The practical first step is an inventory: know every component and version you ship, and check it against published vulnerability reports on a schedule, not only when a headline forces you to.
10) Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and often use untrusted data (a "next" or "returnUrl" parameter, for example) to determine the destination. Without proper validation, attackers can redirect victims from a trusted domain to phishing or malware sites, or use forwards to reach unauthorized pages.
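Validating a redirect target, as an added example that is not part of the original article. The host names are constructed. It goes slightly beyond the text by handling the bypasses a tester reaches for first: protocol-relative "//host", the backslash variant browsers treat as a slash, credentials in the authority ("https://app.example@evil.example"), non-https schemes, and control characters that would split the Location header.

```python
from urllib.parse import urlsplit

# Added example, not from the original article. Host names are constructed.

APP_HOST = "app.example"
ALLOWED_HOSTS = {APP_HOST, "docs.example"}  # external destinations we deliberately permit


def redirect_insecure(next_url: str) -> str:
    """Vulnerable: echoes ?next= straight into the Location header."""
    return next_url


def is_safe_redirect(target: str) -> bool:
    """Accept a local path, or an https URL whose host is on the allowlist."""
    if not target or target != target.strip():
        return False
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False  # CR/LF or other controls: header injection, parser confusion
    if "\\" in target:
        return False  # browsers treat '\' like '/', so '/\evil.example' becomes a host
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Local path. Also reject '///host': browsers collapse the extra slashes
        # and read it as a new authority even though urlsplit does not.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme != "https":
        return False  # blocks javascript:, data:, and downgrade to plain http
    # .hostname strips userinfo and port, so 'https://app.example@evil.example'
    # is judged by its real host, evil.example.
    return parts.hostname in ALLOWED_HOSTS


def redirect_target(next_url: str, default: str = "/") -> str:
    """What the Location header should carry: the requested target if safe,
    otherwise a fixed in-app default. Never an error that echoes the input."""
    return next_url if is_safe_redirect(next_url) else default
```

The same allowlist idea handles the forward case: map a short, server-defined key (such as a page name) to the destination instead of accepting a path from the client at all.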
Clarity Solves Vulnerabilities
At Clarity, we have helped over 600 projects with their web application needs. Our team, ranging from expert developers to industry veterans, works hand in hand with you to solve your web vulnerabilities. Want to ensure that your organization is secure? Have a free discussion with one of our seasoned consultants.