Secure Dose

Wednesday, 15 July 2015

The Famous Top 10!

The title says it all.
This is a list which has world top 10 vulnerabilities being found on web application.
Every person from the InfoSec community knows about it but as a beginner you should know about it.
In this post we'll check out what are this top 10 list and what is owasp.

OWASP(Open Web Application Security Project) is an open community where security researchers, professionals and security enthusiast from around the globe work together and build an Open Source security tools and project.
Anybody can contribute to it and anybody can create their own projects.
They even have an owasp slack team, where you can ask, join, chat and share files. Join the team
and you can check out it's wiki to

 These are the list of vulnerabilities defined and regularly updated. This is the list you must always have in priority while you test a web application. You can even consider this as a check list to have a eye or decide your vulnerability testing priorities. 

I was speaker at a local security meetup last to last month, where I represented and explained these lists and demonstrated XSS and Injection category. You can find the PDF from the resource section with the title "Breaking Web Application" and here is official list with description - [OWASP TOP 10].  

1. Injection:
Injection is the 1st category of Top OWASP List. Injection are the malicious codes written in between the original code.
Now the question arise, But we don't have access to the code then how it is possible to write such codes?
Answer to this is very simple. You don't need to have any kind of access to the original code. A simple typical way to write code in between the original code is to write where the user inputs are provided but it's not always necessary that only user inputs are the ways to inject malicious codes. There are several other ways like writing the code in the URL itself, into http request headers, into a crafted file which executes as soon it is uploaded, etc. 
There are so many method to inject as mentioned above. We will understand this briefly in later posts.

2. Session Management & Broken Authentication:  
The session management includes the maintenance of the state of entity communicating with it and Authentication is an act to confirm that something communicating with the system is the one who they claim they are.

3. Cross-Site-Scripting
Cross-site-scripting is also known as XSS. This is a generally used as a client side attack which affects the clients visiting the infected websites. This vulnerability can do lot of harm to users like and eventually harm to the site visitors. This actually loads javascript the victims browser which can cause stealing of credentials and identity and much more.

4. Insecure Direct Object reference:
It occurs when a  reference is being unknowingly left open which gives direct access to the internal implementation object. This includes directory access, config files access, etc where an attacker can take advantage of this and can further exploit the system and gain deep access.

5. Security Misconfiguration:
A good security is defined when configuring the firewall, web application, framework, database and servers in a secured manner. For example default configuration and default users and passwords and
Directory listing, extra information exposed, etc. also falls in this category.

6 Sensitive Data Exposure: 
This is a flaw where many of the web applications are vulnerable to. Sensitive data like configuration files, Exposure of internal files sharing in a company or at an enterprise level, and similar scenario. Taking advantage of these sensitive data can cause tragedy to the system.

7. Missing Functional Level Access:
What if you get access to a privilege without being asked? It is like being a student you can still perform actions of your HOD or Principle. Similar there is a website and you know the admin page, now as you visit the page you directly get access to it. This is A7.

8. Cross Site Request Forgery:
Cross Site Request Forgery can be "csrf" too. This is a kind of an attack which uses a web page. When an authenticated user of a vulnerable web application visit the malicious site, an action is automatically performed which is being executed on the user's browser and which act on the vulnerable website. This can change the password of that user. It'll work as if the user itself changed it own settings.

9. Using components with known vulnerabilities: 
The developers when not knowing what libraries, components or packages or plugin they are using, when they get outdated and vulnerable, the developers do not know as they are not "Security freak" as you. ;) They are unaware and bang!!! Somebody takes the advantage who knows the plugin is vulnerable and the developer is pwned. This is where some web apps are compromised.

10. Unvalidated redirects and forwards:
An unintended and unexpected(Developer's perspective) redirect the user to any or similar looking website(probably malicious{phishing page,drive by downloads, etc}). In a nutshell, it uses a parameter to redirect the website to something else. As provided in the sweety curl braces above are the attacks can be exploited. 

The famous top 10 are one of the most important parameters to have a closer look as they can be considered as a check list while conducting Vulnerability Assessment and Penetration testing.

Secure Dose

Author & Editor

The Blog is completly related to websec and sometimes other branches of Information Security. It focus on theory and practical both with some resource section provided where I share my presentation pdf where I recently give my talk. Have a good read and suggestions are always welcome.


Post a Comment