REPORT
BACHELOR OF TECHNOLOGY
In
Submitted by
AURORA’S TECHNOLOGICAL AND RESEARCH INSTITUTE
CERTIFICATE
Ms. Rajashree
SEMINAR GUIDE
Department of CSE
ACKNOWLEDGEMENT
I take this opportunity to express my deepest sense of gratitude and sincere thanks to
everyone who helped me to complete this work successfully. I express my sincere
thanks to Ms A Durga Pavani, Head of Department, Computer Science and
Engineering, Aurora’s Technological and Research Institute, Hyderabad, for providing
me with all the necessary facilities and support.
Finally, I would like to thank my friends who helped me to keep my work organized
and on track until the end.
ABSTRACT
The OWASP Top 10 is a list published by the Open Web Application Security Project
(OWASP). Website security is a major concern for large organizations as well as
individual developers, and the rarer the technology used, the harder it becomes to find
established secure practices for developing a website. Vulnerabilities that are not fixed
during development and are deployed as-is become easy targets for attackers, which
can cost the company or the individual a great deal of money. It is not just the
developers who are affected: end users who visit vulnerable websites may be exposed
to an XSS attack that compromises their accounts or systems, and an insecure
configuration of the database system can lead to a data leak in which the password of
every registered user on the website is compromised; users who reuse the same
password on multiple websites are affected the most. The motivation for this paper
comes from the fact that there is an overwhelming number of possible vulnerabilities
in any application under development, and every developer, experienced or not, needs
a starting point for finding and fixing those that may have crept into their application.
This report surveys the most common vulnerabilities that should be taken care of in
any application and thus provides that much-needed starting point. The objective is to
design and develop a secure web application according to OWASP guidelines, and the
report highlights the mitigation of vulnerabilities in the web application through
configuration changes, coding practices and the application of patches. The
vulnerabilities discussed in this report, such as SQL injection, broken authentication,
sensitive data exposure, broken access control and XML external entities (XXE), are
all listed in the OWASP Top 10. The security of the web application is tested to confirm
that defence mechanisms are implemented for the listed vulnerabilities. The report also
compares how many of the weaknesses described in the Top 10 list are actually
reported in vulnerabilities recorded in the National Vulnerability Database (NVD).
TABLE OF CONTENTS
6. Categories overlaps in OWASP Top-10
7. Methodology
9. Conclusion
10. Reference
1. INTRODUCTION
Every application developer, regardless of experience level, must make the effort to
understand code security vulnerabilities in order to avoid frustrating and often costly
application security failures.
OWASP has recently shared the 2021 OWASP Top 10, which has three new
categories, four categories with naming and scoping changes, and some consolidation
within the Top 10.
The OWASP Top 10 is largely intended to raise awareness. However, since its debut
in 2003, enterprises have used it as a de facto industry AppSec standard. Read closely,
the document specifically calls out the number of CWEs (Common Weakness
Enumeration entries) mapped to each category.
weaknesses, how they can be exploited by attackers, and suggested methods that reduce
or eliminate application exposure.
1.4 HOW SHOULD THE OWASP TOP 10 BE USED?
The OWASP Top 10 gives developers and security teams a tool to evaluate
development practices and prompts thinking about web application security. While it
is by no means an exhaustive catalogue of web application vulnerabilities, it provides
a benchmark that promotes visibility of security considerations.
1.5 HOW CAN OWASP TOP 10 VULNERABILITIES BE TESTED?
OWASP provides an in-depth testing guide, the OWASP Web Security Testing Guide,
that offers test cases for a multitude of test scenarios. Many development teams have
adopted a more automated approach, using static and dynamic analysis tools that scan
code and running applications for vulnerabilities, raise automated warnings and apply
best practices consistently. Such scanners are good at the mechanical classes of flaws
(injection, missing security headers, components with known vulnerabilities) but weak
at logic flaws such as broken access control, which still need manual testing.
2. THE OWASP TOP 10 VULNERABILITIES IN 2017
The category numbering used in this chapter (Cross-Site Scripting as A3, Broken
Access Control as A4, Insufficient Attack Protection as A7 and CSRF as A8) follows
Release Candidate 1 of the 2017 list. The final 2017 release dropped Insufficient Attack
Protection and CSRF in favour of XML External Entities (A4) and Insecure
Deserialization (A8), and moved XSS to A7 and Broken Access Control to A5; those
final positions are the ones chapter 3 refers to.
2.3 A03:2017 CROSS-SITE SCRIPTING (XSS)
XSS allows attackers to execute scripts in the victim’s browser, which can hijack user
sessions, deface web sites or redirect the user to malicious sites. XSS vulnerabilities
occur whenever an application includes untrusted data in a web page without proper
validation and, more importantly, without escaping it for the context (HTML body,
attribute, JavaScript or URL) in which it is placed.
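The following is an added example, not code from the report, showing the difference between concatenating untrusted input into a page and encoding it for the context it lands in. The attacker payload and the rendering functions are constructed for illustration; only the standard library is used.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker input: a "display name" carrying a script-bearing tag.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_unsafe(name: str) -> str:
    """Vulnerable: untrusted input is concatenated straight into the HTML body."""
    return f"<p>Welcome back, {name}!</p>"


def render_safe(name: str) -> str:
    """HTML body context: <, >, & and quotes are escaped, so the browser
    renders the payload as text instead of parsing it as markup."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def render_attr_unsafe(value: str) -> str:
    """Vulnerable attribute context: a quote in the input closes the attribute
    and the rest of the input becomes a new (event handler) attribute."""
    return f'<input name="q" value="{value}">'


def render_attr_safe(value: str) -> str:
    """Attribute context: escape AND keep the attribute quoted."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def safe_href(url: str) -> str:
    """URL context: escaping alone does not stop javascript: or data: URLs,
    so the scheme is checked against an allow-list before escaping."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def has_live_markup(fragment: str) -> bool:
    """Heuristic used only to illustrate the difference: does a raw tag or a
    quoted event-handler attribute survive in the rendered output?"""
    return "<img" in fragment or 'onerror="' in fragment or 'onmouseover="' in fragment
```

html.escape is correct for the HTML body and quoted-attribute contexts only; data placed inside a script block or a URL needs the encoding for that context, which is why the href helper checks the scheme first.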
2.4 A04:2017 BROKEN ACCESS CONTROL
Restrictions on what authenticated users are allowed to do are not properly enforced.
Attackers can exploit these flaws to access unauthorized data and functionality: other
users’ accounts, sensitive files, modifying other users’ data, changing access rights,
and so on.
2.5 A05:2017 SECURITY MISCONFIGURATION
Good security requires a secure configuration to be defined and implemented for the
application, frameworks, application server, web server, database server, platform,
etc. Secure configurations must be defined, implemented and maintained, since
defaults are often unsafe. In addition, all software must be kept up to date.
2.6 A06:2017 SENSITIVE DATA EXPOSURE
Many web applications and APIs do not adequately protect confidential or sensitive
data. Attackers may steal or modify such weakly protected data to perform credit card
fraud, identity theft or other crimes. Sensitive data deserves additional protection, such
as strong encryption both at rest and in transit, as well as special precautions when it
is exchanged with the browser.
2.7 A07:2017 INSUFFICIENT ATTACK PROTECTION
Most applications and APIs lack the basic ability to detect, prevent and respond to
manual and automated attacks. Attack protection goes far beyond basic input
validation and involves detection, logging, response and even blocking of intrusion
attempts. Application owners also need to be able to deploy patches quickly to protect
against attacks.
2.8 A08:2017 CROSS-SITE REQUEST FORGERY (CSRF)
A CSRF attack forces a logged-in victim’s browser to send a forged HTTP request,
including the victim’s session cookie and any other automatically submitted
authentication information, to a vulnerable web application. The application then
processes requests the attacker constructed as if the victim had made them
legitimately.
2.9 A09:2017 USING COMPONENTS WITH KNOWN VULNERABILITIES
Components such as libraries, frameworks and other software modules run with the
same privileges as the application. If a vulnerable component is exploited, the attack
can cause data loss or server takeover. Applications and APIs that use components
with known vulnerabilities undermine application defences and open the door to a
range of attacks and impacts.
3. THE OWASP TOP 10 VULNERABILITIES IN 2021
3.1 A01:2021-BROKEN ACCESS CONTROL
The OWASP team placed Broken Access Control in the #1 position; it has moved up
from #5 in the OWASP Top 10 2017 list. Behind this position, 94% of the applications
in OWASP’s data set were tested for some form of broken access control, and 34
CWEs are mapped to the category.
The rest of this section discusses authentication weaknesses that overlap with this
category. In the 2021 list they fall under A07:2021 Identification and Authentication
Failures, while A01:2021 itself is about authorization, that is, what an authenticated
user is allowed to do.
Websites with broken authentication vulnerabilities are very common on the web.
Broken authentication usually refers to logic issues in the application’s authentication
mechanism, such as poor session management, or login flows prone to username
enumeration, where a malicious actor uses brute-force techniques to guess or confirm
valid usernames in a system.
To reduce broken authentication risks, avoid leaving the administrative login page
publicly accessible to every visitor of the website, for example:
• /administrator on Joomla!,
• /wp-admin/ on WordPress,
• /index.php/admin on Magento,
• /user/login on Drupal.
The second most common form of this flaw is allowing users to brute-force
username/password combinations against those pages; rate limiting, lockout or a
second factor should apply to them.
• Adopt a least privileged approach so that each role is granted the lowest level of access
• Audit activity on servers and websites so that you are aware of who is doing what
(and when).
• If there are multiple access points, disable the ones that are not required at that
moment.
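As an added example that is not part of the report, the following Python shows the two halves of access control that the category covers: object-level authorization (an insecure direct object reference beside its fix) and function-level authorization (a role check on a privileged operation). The invoice table, users and roles are constructed for the example; the point is that the decision is made server-side for every object, denying by default.

```python
from dataclasses import dataclass

# Constructed sample data standing in for a database table of invoices.
INVOICES = {
    1001: {"owner_id": 1, "total": 120.0},
    1002: {"owner_id": 2, "total": 999.0},
}


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()


class Forbidden(Exception):
    """Raised for both 'does not exist' and 'not yours'. Answering both with the
    same response (e.g. 404) stops attackers enumerating which IDs exist."""


def get_invoice_idor(user: User, invoice_id: int) -> dict:
    """Vulnerable (IDOR): the identifier from the URL is trusted, so any
    logged-in user can read /invoices/1002 just by changing the number."""
    return INVOICES[invoice_id]


def can_access(user: User, invoice: dict) -> bool:
    """Object-level authorization: the owner or an admin, nobody else."""
    return invoice["owner_id"] == user.id or "admin" in user.roles


def get_invoice(user: User, invoice_id: int) -> dict:
    """Hardened: deny by default, decide per object on the server side."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_access(user, invoice):
        raise Forbidden(f"invoice {invoice_id} not available to user {user.id}")
    return invoice


def require_role(role: str):
    """Function-level authorization for privileged operations."""
    def decorator(fn):
        def wrapper(user: User, *args, **kwargs):
            if role not in user.roles:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def list_all_invoices(user: User) -> list:
    return sorted(INVOICES)


def is_denied(fn, *args) -> bool:
    """Helper for the checks below: True if the call was refused."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The check lives next to the data access, not in the URL routing layer, so a new endpoint that reaches the same records cannot forget it.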
3.2 A02:2021-CRYPTOGRAPHIC FAILURES
Cryptographic Failures has been assigned the #2 position. It moved up from #3 in the
2017 list, where it was listed as “Sensitive Data Exposure”, a name chosen for the
symptom; since the renewed list focuses on root causes, the category is now named
for the failure of cryptography that leads to sensitive data being leaked.
Data in transit and at rest, such as passwords, credit card numbers, health records,
personal information and business secrets, requires extra protection because of the
potential for cryptographic failures (sensitive data exposure). This is especially true if
the data falls under privacy laws such as GDPR or CCPA. Is any data sent in plain
text? Are any outdated or insecure cryptographic algorithms or protocols in use, by
default or in older code? Are default crypto keys being used, are weak keys being
generated or re-used, and is proper key management and rotation being overlooked?
Are crypto keys checked into source code repositories? Is encryption not enforced,
and is received data actually encrypted?
• Use strong, adaptive and salted hashing functions (Argon2id, scrypt, bcrypt or
PBKDF2) when storing passwords, never a plain or unsalted fast hash such as MD5
or SHA-1.
3.3 A03:2021-INJECTION
Injection is down to the #3 position in the OWASP Top 10 2021 from the #1 position
in the 2017 list. Under this category 33 CWEs are mapped, including Cross-Site
Scripting (XSS), which was in the #7 position in the previous list.
Injection vulnerabilities occur when untrusted data is sent to an interpreter as part of
a query or command, whether SQL, OS command, NoSQL or LDAP. The hostile data
tricks the interpreter into making the application do something it was not designed
for, such as executing unintended commands or accessing data without proper
authorization.
Any application that accepts parameters as input can be susceptible to injection
attacks. The level of the threat is highly correlated with how strictly the application
keeps code separate from data, not only with how thoroughly it validates input.
• Segregate commands from data so that attacker-supplied data can never be
interpreted as part of a command.
• Write SQL queries with bound parameters rather than building the statement from
user input. These are called parameterized queries or prepared statements.
Parameters cannot stand in for identifiers (table or column names, ORDER BY
targets), so those must be checked against a fixed allow-list.
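The following is an added example, not code from the report, run against an in-memory SQLite database constructed for the purpose. It shows the string-built query being subverted by a classic tautology payload, the same lookup done with bound parameters, and the identifier case that parameters cannot cover.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database; the password hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn


def find_user_vulnerable(conn, username: str, password_hash: str) -> list:
    """Vulnerable: user input is spliced into the SQL text, so quotes in the
    input change the structure of the query instead of being compared as data."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str, password_hash: str) -> list:
    """Parameterized query: the statement and the values travel separately,
    so the input is never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Identifiers cannot be bound as parameters, so a sort column coming from the
# client is mapped through a fixed allow-list before it touches the query text.
ALLOWED_SORT_COLUMNS = ("username", "role")


def list_users_sorted(conn, sort_by: str) -> list:
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")
    return [row[0] for row in rows]


def rejects_sort(conn, sort_by: str) -> bool:
    """Helper for the checks below: True if the sort column was refused."""
    try:
        list_users_sorted(conn, sort_by)
    except ValueError:
        return True
    return False
```

With the payload `' OR '1'='1` as the password, the vulnerable query becomes `... AND password_hash = '' OR '1'='1'` and returns every row; the parameterized version compares the literal string and returns nothing.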
3.4 A04:2021-INSECURE DESIGN
Insecure Design is a new category in the OWASP Top 10 2021 list, placed in the #4
position. It focuses on risks related to design flaws. Insecure design is a broad term
that encompasses a variety of weaknesses and is defined as “missing or ineffective
control design.” Threat modeling, secure design patterns and reference architectures
are among the new themes for 2021, with a call for more use of all three. As a
community, we must move beyond “shift left” in the coding phase to pre-code
activities that are critical to the principles of Secure by Design.
3.4.1 Insecure Design Remediation
• Establish and use a secure development lifecycle with AppSec professionals to
help evaluate and design security- and privacy-related controls.
• Create and use a library of secure design patterns or ready-to-use components.
• Use threat modeling for critical authentication, access control, business logic and
key flows.
• Integrate plausibility checks into your application at each tier (from frontend to
backend).
• Write unit and integration tests to validate that all critical flows are resistant to the
threat model. Compile use-cases and misuse-cases for each tier of your
application.
• Segregate tier layers on the system and network layers depending on the exposure
and protection needs.
3.5 A05:2021-SECURITY MISCONFIGURATION
Gartner estimates that up to 95% of cloud breaches are the result of human error.
Security misconfiguration is one of the prime drivers of that statistic, and OWASP
noted in the 2017 edition that it is the most commonly seen issue. Many types of
misconfiguration expose an organization to risk, including:
• Incomplete or ad-hoc configurations, and unchanged defaults such as sample
applications, default accounts or verbose error pages
• Misconfigured HTTP headers
3.5.1 Remediation
• Use templates to deploy development, test and production environments that are
preconfigured to meet the organization’s security policies, and review and update
the configuration as part of patch management.
3.6 A06:2021-VULNERABLE AND OUTDATED COMPONENTS
This is the new title of “Using Components with Known Vulnerabilities”, which was
in the #9 position in the 2017 list; it has moved up to #6. The OWASP team notes that
it is the only category without any CVEs mapped to its CWEs, so default exploit and
impact weights of 5.0 were factored into its score.
Modern distributed web applications routinely incorporate open source components
such as libraries and frameworks. Any component with a known vulnerability
becomes a weak link that can compromise the security of the entire application.
Although the use of open source components with known vulnerabilities ranks low in
terms of security problem severity, it is #1 when ranking the OWASP Top 10 by how
often a vulnerability was the root cause of an actual data breach.
vulnerability is detected. A number of best practices enhance the effectiveness of this
line of defence:
• Maintain an inventory (a software bill of materials) of all components and their
versions, including transitive dependencies, and monitor it continuously against
vulnerability sources such as the NVD.
• The patch management workflow for identifying, testing and deploying the right
patch should be as automated as possible, to minimise the operational risk
associated with patching.
3.7 A07:2021-IDENTIFICATION AND AUTHENTICATION FAILURES
Previously known as Broken Authentication, this category was in the #2 position and
has moved down to #7. It is still an integral part of the Top 10, but OWASP notes that
the increased availability of standardized frameworks seems to be helping.
• Do not deploy with default credentials, especially for users with admin privileges.
• Use a secure session manager that generates random, time-limited session IDs. Never
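The following is an added example, not code from the report, covering the password-storage recommendation from section 3.2 and the session-manager recommendation above in one place. It uses only the standard library: PBKDF2-HMAC-SHA256 with a random salt and a stored work factor (Argon2id is preferable where a library for it is available), a constant-time comparison, a login that does the same amount of work for unknown usernames so that timing cannot be used for enumeration, and a server-side session store with random 256-bit identifiers and both idle and absolute timeouts. The user table and the clock parameter are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# OWASP's current recommendation for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, adaptive hash; the parameters are stored with the hash so the
    work factor can be raised later without breaking existing records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    algorithm, iterations, salt, digest = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt), int(iterations)
    )
    # Constant-time comparison: no timing leak on how many bytes matched.
    return hmac.compare_digest(candidate, base64.b64decode(digest))


def needs_rehash(stored: str) -> bool:
    """True if the record was hashed with a lower work factor than today's."""
    return int(stored.split("$")[1]) < ITERATIONS


class SessionStore:
    """Server-side sessions: random 256-bit IDs, idle and absolute timeouts."""

    def __init__(self, idle_seconds=15 * 60, absolute_seconds=8 * 3600, clock=time.time):
        self._sessions = {}
        self.idle = idle_seconds
        self.absolute = absolute_seconds
        self.clock = clock  # injectable so expiry can be exercised without sleeping

    def create(self, username: str) -> str:
        session_id = secrets.token_urlsafe(32)  # CSPRNG output, not guessable
        now = self.clock()
        self._sessions[session_id] = {"user": username, "created": now, "last_seen": now}
        return session_id

    def user_for(self, session_id: str):
        record = self._sessions.get(session_id)
        if record is None:
            return None
        now = self.clock()
        if now - record["created"] > self.absolute or now - record["last_seen"] > self.idle:
            self._sessions.pop(session_id, None)
            return None
        record["last_seen"] = now
        return record["user"]

    def invalidate(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


# Constructed user table; in a real system this lives in the database.
USERS = {"alice": hash_password("correct horse battery staple")}
# Hash of a throwaway value, verified when the username is unknown so that a
# login attempt costs the same whether or not the account exists.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


def login(username: str, password: str, sessions: SessionStore):
    """Returns a session ID on success and None on failure, without revealing
    whether the username or the password was wrong."""
    stored = USERS.get(username, _DUMMY_HASH)
    ok = verify_password(password, stored) and username in USERS
    return sessions.create(username) if ok else None
```

Issuing a fresh session ID after login (rather than reusing a pre-login one) and invalidating it on logout are the two remaining steps a framework session manager normally handles for you.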
3.8 A08:2021-SOFTWARE AND DATA INTEGRITY FAILURES
Code and infrastructure that do not guard against integrity violations are referred to
as software and data integrity failures. An application that uses plugins, libraries or
modules from untrusted sources, repositories or content delivery networks (CDNs) is
one example. An insecure CI/CD pipeline can introduce unauthorized access,
malicious code or system compromise. Finally, many applications now have
auto-update functionality that downloads updates without sufficient integrity
verification and applies them to a previously trusted application; attackers could
distribute and run their own updates across every installation through such a channel.
Insecure Deserialization, a separate category in 2017, is now part of this category.
• To reduce the risk of malicious code or configuration being introduced into your
development pipeline, make sure there is a review procedure in place for code and
configuration changes.
• Ensure that libraries and dependencies, for example from npm or Maven, are
fetched from trusted repositories and verified against digital signatures or pinned
hashes. Consider hosting an internal, approved known-good repository if you have
a higher risk profile.
• To protect the integrity of code going through the build and deploy processes,
make sure your CI/CD pipeline has adequate segregation, configuration and
access control.
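As an added example that is not part of the report, the following Python shows the integrity check that addresses the CDN and auto-update cases above: computing and verifying a Subresource Integrity (SRI) value for a script served from a CDN, and checking an update package against a digest pinned in a manifest. The script bytes and package bytes are constructed for the example; the manifest that carries the pinned digest is assumed to arrive signed, which this snippet does not implement.

```python
import base64
import hashlib
import hmac

# SRI strength order: a browser keeps only the tokens that use the strongest
# algorithm present and accepts the resource if any of those matches.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Produce the value for <script src=... integrity="..."> for fixed bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"not an SRI hash algorithm: {algorithm}")
    raw = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(raw).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute the way a browser does."""
    tokens = [t for t in integrity.split() if t.split("-", 1)[0] in SRI_ALGORITHMS]
    if not tokens:
        return False
    strongest = max((t.split("-", 1)[0] for t in tokens), key=SRI_ALGORITHMS.index)
    expected = [t for t in tokens if t.startswith(strongest + "-")]
    actual = sri_digest(content, strongest)
    return any(hmac.compare_digest(actual, t) for t in expected)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(package: bytes, pinned_sha256_hex: str) -> bool:
    """Same idea for an auto-update or a dependency: only apply bytes whose
    digest equals the one pinned in a (signed) manifest or lock file."""
    return hmac.compare_digest(sha256_hex(package), pinned_sha256_hex.lower())
```

A pinned digest only moves the trust question to the manifest; the manifest itself has to be signed with a key the updater already holds, otherwise an attacker who can replace the package can replace the digest too.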
3.9 A09:2021-SECURITY LOGGING AND MONITORING
FAILURES
Previously known as Insufficient Logging & Monitoring, this category was in the
#10 position and has moved up to #9. Failing to address it reduces visibility, incident
alerting and the ability to perform forensics.
Studies indicate that the time from attack to detection can take up to 200 days, and often
longer. This window gives cyber thieves plenty of time to tamper with servers, corrupt
databases, steal confidential information, and plant malicious code.
3.9.1 Remediation
Implement readily available logging and audit software to quickly detect suspicious
activities and unauthorized access attempts. Even if a detected attack has failed, logging
and monitoring provide invaluable tools for analyzing the source and vector of the
attack and learning how security policies and controls can be hardened to prevent
intrusions.
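As an added example that is not part of the report, the following Python runs simple detection logic over a constructed authentication log: a burst of failures from one address, a success that follows such a burst (the event that matters most), and one address trying many different usernames (password spraying). The log format, thresholds and addresses (documentation ranges) are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log, one event per line. 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z ip=203.0.113.7 user=alice result=FAIL",
    "2024-05-01T10:00:05Z ip=203.0.113.7 user=alice result=FAIL",
    "2024-05-01T10:00:09Z ip=192.0.2.5 user=carol result=FAIL",
    "2024-05-01T10:00:10Z ip=203.0.113.7 user=alice result=FAIL",
    "2024-05-01T10:00:15Z ip=203.0.113.7 user=alice result=FAIL",
    "2024-05-01T10:00:20Z ip=203.0.113.7 user=alice result=FAIL",
    "2024-05-01T10:00:25Z ip=203.0.113.7 user=alice result=OK",
    "2024-05-01T10:01:00Z ip=198.51.100.9 user=alice result=FAIL",
    "2024-05-01T10:01:01Z ip=198.51.100.9 user=bob result=FAIL",
    "2024-05-01T10:01:02Z ip=198.51.100.9 user=carol result=FAIL",
    "2024-05-01T10:01:03Z malformed entry that the parser must not trust",
]

# Strict, fully anchored pattern: lines that do not match exactly are counted,
# not guessed at, which also blunts log-injection attempts.
LINE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>[0-9a-fA-F.:]+) "
    r"user=(?P<user>[\w.@-]+) result=(?P<result>OK|FAIL)"
)


def parse_line(line: str):
    m = LINE.fullmatch(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines, max_failures=5, window=timedelta(seconds=60), spray_users=3):
    """Returns (alerts, unparsed_count); each alert is (kind, ip, detail)."""
    alerts, raised = [], set()
    failures = defaultdict(deque)    # ip -> failure timestamps inside the window
    users_tried = defaultdict(set)   # ip -> distinct usernames that failed
    unparsed = 0

    def raise_once(kind, ip, detail):
        if (kind, ip) not in raised:
            raised.add((kind, ip))
            alerts.append((kind, ip, detail))

    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1
            continue
        ip, ts = event["ip"], event["ts"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event["result"] == "FAIL":
            recent.append(ts)
            users_tried[ip].add(event["user"])
            if len(recent) >= max_failures:
                raise_once("brute_force", ip,
                           f"{len(recent)} failures within {int(window.total_seconds())}s")
            if len(users_tried[ip]) >= spray_users:
                raise_once("password_spray", ip,
                           f"{len(users_tried[ip])} distinct usernames tried")
        elif len(recent) >= 3:
            # A success right after a burst of failures is the alert worth paging on.
            raise_once("success_after_failures", ip,
                       f"login as {event['user']} after {len(recent)} recent failures")
    return alerts, unparsed
```

On the sample log this raises three alerts in order: brute force from 203.0.113.7, a success from the same address after five failures, and a spray across three usernames from 198.51.100.9; the malformed line is counted rather than interpreted.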
3.10 A10:2021-SERVER-SIDE REQUEST FORGERY (SSRF)
SSRF is listed in the #10 position on the strength of the industry survey. OWASP
notes that the data shows a relatively low incidence rate with above-average testing
coverage, along with above-average ratings for exploit and impact potential.
Server-side request forgery (SSRF) is a web security flaw that allows an attacker to
make a server-side application send HTTP requests to a destination the attacker
chooses.
An SSRF flaw occurs when a web application fetches a remote resource without
validating the user-supplied URL. Even if the application is protected by a firewall,
VPN or another kind of network access control list, an attacker can make it send a
crafted request to an unexpected location, typically internal services or the cloud
metadata endpoint that the attacker cannot reach directly.
3.10.1 Remediation
• Implement input validation.
• Resolve the hostname yourself and compare the resolved IP address (the value
returned by the resolver library, not the user-supplied string) against the allow-list,
then connect to that same address, so the check cannot be bypassed through DNS
rebinding or a redirect.
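The following is an added example, not code from the report, of the remediation above: the destination is validated rather than the string. The scheme, userinfo, host and port are checked first, then every resolved address must be public (which rejects loopback, RFC 1918, link-local including 169.254.169.254, CGNAT and IPv4-mapped IPv6 ranges), and the checked address is what the caller connects to. The allow-list and the resolver are constructed stand-ins for the application's configuration and for socket.getaddrinfo.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts this service is meant to call out to.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}
ALLOWED_PORTS = {80, 443}


class SSRFBlocked(ValueError):
    pass


def is_public_address(address: str) -> bool:
    """is_global is False for loopback, private, link-local (cloud metadata),
    CGNAT, documentation and IPv4-mapped IPv6 ranges."""
    return ipaddress.ip_address(address).is_global


def resolve_checked(url: str, resolver, allowed_hosts=ALLOWED_HOSTS):
    """Validate the destination, not the string. Returns (ip, port, host) that
    the caller must connect to directly: the address that was checked is the
    address that is used, with no second lookup and no redirects followed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("userinfo in URL")  # http://allowed.host@evil.example/
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        raise SSRFBlocked(f"host not in allow-list: {host!r}")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise SSRFBlocked(f"invalid port: {exc}")
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port not allowed: {port}")
    addresses = resolver(host)
    if not addresses:
        raise SSRFBlocked(f"{host} did not resolve")
    # Every answer must be public: a mixed answer is how DNS rebinding sneaks in.
    for address in addresses:
        if not is_public_address(address):
            raise SSRFBlocked(f"{host} resolves to non-public {address}")
    return addresses[0], port, host


def is_blocked(url: str, resolver) -> bool:
    """Helper for the checks below: True if the URL was refused."""
    try:
        resolve_checked(url, resolver)
    except SSRFBlocked:
        return True
    return False


def fake_resolver(host: str) -> list:
    """Constructed stand-in for socket.getaddrinfo; the second host answers
    with one public and one internal address."""
    return {
        "api.partner.example": ["93.184.216.34"],
        "cdn.example": ["93.184.216.35", "10.0.0.5"],
    }.get(host, [])
```

The HTTP client must then be pointed at the returned IP (with the Host header and TLS server name set to the validated hostname) and configured not to follow redirects; otherwise the server could be redirected to an internal address after the check has passed.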
4. THE DIFFERENCE BETWEEN OWASP TOP 10
VULNERABILITIES IN 2017 TO 2021
There are three new categories, four categories with naming and scoping changes, and
some consolidation in the Top 10 for 2021.
5. OWASP TOP-10 2021 STATISTICS-BASED PROPOSAL
Everybody knows the OWASP Top-10, as well as the fact that it gets updated only
every 3-4 years. With the last update published in 2017, it’s no surprise that a new
version is coming this year. During my application security career, I saw the OWASP
Top-10 at least in 2003, 2004, 2007, 2010, 2013 and 2017.
Since the OWASP creation process is not documented well, it seems reasonable to
build an open and transparent rating for the same categories based on a large number
of security reports.
The purpose of this work is to make OWASP Top-10 2021 predictions calculated by
understandable metrics, to make everyone able to reproduce the results, and to present
them to the entire community for feedback. The following work is based on an analysis
of 2 million security reports from 144 public sources, including CVE bulletins, bug
bounty reports and vendor security bulletins.
6. CATEGORIES OVERLAPS IN OWASP TOP-10
The first thing that I should mention about the OWASP Top-10 is that it’s not a
vulnerability classification, and not even a classification of any kind, since categories
overlap. I am referring to the Security Boulevard article and our blog post that describe
the overlap presented in the following diagram:
To sum up: the OWASP Top-10 IS NOT a vulnerability classification, but rather the
list of the risks that have been revealed during the last period of time. That’s why, to
predict the next OWASP Top-10 2021 list, we have to analyze threats to the targeted
web assets for the last four years. So, here we go.
6.2 METHODOLOGY
To find the statistical data, we used Vulners.com, an aggregated database that
includes more than 4 million bulletins from 144 vendors, including bug bounty
programs like HackerOne.
The total number of bulletins used to build this list is 2 168 521 (search query:
“published:[2018-01-01 TO 2020-12-31]”).
To split the data by category, we built Vulners search queries for all ten OWASP
categories. Even though full-text search is not the most accurate way to classify data,
I think I can rely on it for this particular task. The point is that all the OWASP categories
can be found in security bulletins by searching for acronyms and abbreviations like
XSS, XXE, SQL, RCE, etc.
The category “Known Vulnerabilities” is outside the full-text search query. The total
number of web-related security reports was taken as the total number of CVE numbers
assigned in the last three years.
It’s not a joke: according to the Vulners statistics, XSS accounts for 20% of ALL
security bulletins from the last three years. That’s almost 10x more than all the CVEs
issued in the last three years. Since many XSS reports don’t have a CVSS score
(meaning zero), the average score for that many of them is still 0.1. That fact, however,
doesn’t stop XSS from hitting the Top-3 in the chart, again because there are so many
of them that every fifth bulletin found in the last three years is one.
Use the following queries to validate, modify, or build your own analysis:
NEW: SSRF
SSRF OR “server side request forgery”
As you can see, my strong opinion is that the OWASP community will add the new
category SSRF and merge “A4. XXE – XML External Entity” and “A8. Insecure
Deserialization” in the upcoming OWASP
In spite of this, please allow me to mention just the four most powerful facts related to
SSRF:
• Amazon took it seriously and patched it in the EC2 metadata service at the end of
2019: https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
• SSRF caused a lot of high-risk security problems, including the most famous Capital
One hack with a WAF bypass, explained in detail by Krebs on Security:
https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
• According to the global stats collected by Vulners, SSRF was mentioned in 912
bulletins in the last three years, almost the same number of times as OWASP Top-10
2017 A4 / XXE (1000 results) and 2.5x more often than security misconfiguration
(A6 / 481 results).
To sum up, SSRF is a critical issue that causes cloud takeovers, remote code execution,
data breaches and other information security risks. It’s impossible to fix SSRF by input
filtering and other data validation mechanisms. Amazon and other cloud providers take
it seriously and apply changes to their infrastructure to mitigate these threats. SSRF
issues are mentioned in almost the same number of security bulletins as XXE in the
last three years. That’s why I’m sure nobody will blame me for adding it to the OWASP
Top-10 2021.
In a few words, to sort OWASP categories, the following formula was applied:
As mentioned above, I used aggregated data from 144 data sources, such as the
security bulletins that Vulners.com indexes. This approach allows us to count not only
CVE data but all reports, including bug bounties, exploits and scanner detections,
which reflect the real state of information security. If we counted only CVEs, the
results would be dramatically different, since the category “Known vulnerabilities”
would technically equal the sum of all the other categories.
So, here is the fairest way of building OWASP Top-10, look at that!
#    OWASP Top-10 2021   Vulners search query                                  Avg. CVSS   # of bulletins   Overall score
A1   Injections          injection OR traversal OR lfi OR "os command" OR      4.83        34061            164514.63
                         SSTI OR RCE OR "remote code
9. CONCLUSION
By design, the OWASP Top 10 is limited to the ten most significant risks. Every
edition has “on the cusp” risks that were considered at length for inclusion but in the
end did not make it; no matter how the data was interpreted, the other risks were more
prevalent and impactful. Securing modern applications against today’s most
dangerous vulnerabilities does not have to be complicated, but it does require some
care.
2) Denial of Service