• 10 hours
  • Medium

Free online content available in this course.

course.header.alt.is_video

course.header.alt.is_certifying

Got it!

Last updated on 4/2/20

Discover the Open Web Application Security Project (OWASP)

What Are Application Attacks?

Is that bandit in my web app?
Is that bandit in my web app?

A few types of attacks that can compromise a system are network, social engineering, and application. In this course, we will focus on web application attacks and how to secure them.

Web application attacks take advantage of security holes in your web applications. These holes are called vulnerabilities, and the OWASP Top Ten defines them as commonly abused by malicious users. The OWASP Top Ten categorizes top ten distinct attacks from the most common being ranked as number one.

It is common knowledge that most software designs were not created with security in mind, and developers are not required to add security features when implementing them.

This happens when the business goal is the function and requirements of the application. Meeting deadlines with only basic functionality leave little room to maintain integrity in secure coding.

This often results in more expenses as changes are made after testing or patching is required after going into production. 😳

History Behind the OWASP Standard

The Open Web Application Security Project (OWASP) is a non-profit organization founded in 2004 to proactively prevent common application attacks. It was the first effort at standardizing secure coding practices as application attacks on old, unsecured code increased. The neutral organization takes a risk-based approach to security and is designed to avoid influence from any specific company.

In 2001, OWASP was not an official organization but rather a collective to advocate secure programming practices. At this point, they were not a non-profit organization; however, its influence gained traction, and in 2004 it became the OWASP foundation with an ethical standard to maintain open neutrality and freedom from commercial pressure.

Because OWASP is not regulated by any business, its neutral standardization can be used to accredit applications and monitor new vulnerabilities. This helps businesses integrate security into development, verification, and maintenance to guarantee secure web applications. The organization is open to ensure the diversity of information and global neutrality.

How Is the OWASP Top Ten Used in Businesses?

As the internet era evolves, it can be certain that the largest businesses have a significant web presence, which requires them to provide and maintain web applications.

Most internal business processes also use web applications. Any application that handles sensitive data is at risk of an attack and requires standardized security. For example, an e-commerce site manages customer PII and financial information. An unauthorized user would gain financially from a malicious attack which would cause great loss for the business and customer.

Other businesses that may not handle sensitive data but require a web platform to do business are also at risk of an attack.

For example, a business that provides information, such as a news site, may not require customer PII but requires the availability of that website.

If an attack brought the site down, it would also affect the revenue of the business. The OWASP Top Ten provides a baseline with a checklist to mitigate the most common security risks. This baseline is also used to meet stronger regulatory standards, such as HIPAA and GDPR, which place an additional set of rules on software design and greater weight on specific security principles. 

Define the OWASP Top Ten

As you read through each attack, remember that they are ranked by importance starting from the beginning.  Make sure you understand each attack as to how it would relate to your web application. These vulnerabilities exist in web applications of all languages and frameworks.  There is no such thing as a language or framework that is free of vulnerabilities. Remember, if it seems like there are no vulnerabilities in the web application, a hacker will find a way to break it.  That’s just what they do.

OWASP Top Ten 2017
OWASP Top Ten 2017

Understand the Top Ten Attacks on Web Applications

1 - Injection

Let's go back to the Yahoo SQL injection attack that caused the loss of customer private data. This attack is as common as the applications that connect to a database. More web apps requiring user input to a database means this type of attack will continue. There are tools and techniques in place to lessen these attacks, which are done with SQL, noSQL, OS, and LDAP injection.

A SQL query commonly hijacked
A SQL query commonly hijacked

2 - Broken Authentication

A lot of software applications require a user to log in to get into pages that only you have access to. The software is open to an attack if the malicious user can gain unauthorized access to passwords, keys, and tokens to hijack another user’s session.

3 - Sensitive Data Exposure

Sensitive data can be at rest or in transit.

Attackers go for the jackpot: the database - which saves PII, credit card data, usernames, and passwords. This is data at rest, and thieves rely on access to it for success. Data stored in plaintext is not secure. Using encryption and proper security practices in database configuration can alleviate common attacks.

A safe coding practice would be to encrypt user information as it is transmitted within a site. This sensitive data in transit can be hacked if written in plaintext.

4 - XML External Entities (XXE)

Applications that accept XML, XML based web services, and XML parsers are vulnerable to attacks directed at XML documents using malicious code. XML external entities are documents, images or file paths that are embedded in XML code. They are vulnerable to attacks when malicious characters can replace external entities with more sensitive items.

5 - Broken Access Control

This attack is directed at web application features that require access control. Therefore, all access controls need to be in place for each page. In this situation, hackers use the URL to bypass authentication. They use knowledge of format and patterns to write the URL for unsecured privileged pages.

A malicious user has techniques to access a lot of the hard coding in a web application. Some of this code can reveal how a database is organized with regard to formatting and pattern. Providing a few pieces of the puzzle can allow an unauthorized user to use their knowledge to expose information for further probing.

6 - Security Misconfiguration

Security misconfiguration is most commonly seen in HTTP headers that are not written carefully or use default exception handling. Error codes and common exceptions can give an attacker insight into the application that can increase its vulnerability.

7 - Cross-Site Scripting (XSS)

Cross-Site Scripting attacks can occur on software and on hardware devices that are connected to the software. When a web application is not securely coded, it is left open to malicious users hijacking the functionality of the site or software interface. Some examples would include an attacker creating a script to gain elevated access to the site to make changes or to gain user credentials. Such a script can also be used to gain access to unauthorized data due to an inconsistency in access control between web pages.  Cross-Site Request Forgery (CSRF) can make use of stolen credentials and make transactions unbeknownst to the user!

8 - Insecure Deserialization

An exploit of deserialization allows a malicious user to gain access and change the functionality of the targeted program. Remote code execution and interprocess communication are also possible if a hacker can remove the serialization and gain access to a file after it is converted to a bit stream for network transmission.

9 - Using Components With Known Vulnerabilities

Even if your software is secure, you must ensure that the framework, libraries, API calls, and platform are not vulnerable. While there may not have been a vulnerability in one of your components when you made your web application, pay attention if one arises. Usually, when a new vulnerability comes to light, the manufacturer creates a patch which you will use to prevent future attacks!

10 - Insufficient Logging and Monitoring

Logs and events should be maintained and monitored diligently. Filtering reports, understanding trends and a possible probing of vulnerabilities can be indicative of an impending or ongoing attack.

Is it possible to secure code from all of these attacks in the OWASP Top Ten?

Absolutely!

If you use secure coding practices and are aware of all these exploits, you are one step ahead of the game!

Remember, 80% of production software has common vulnerabilities as outlined in OWASP. Learning about them and using simple secure coding techniques that we will talk about in this course will help you create quality code that you can be proud of!

So let’s put our thinking caps on and I’ll see you in the next part where we will learn secure coding practices that frustrate those cyberbullies that want to ruin your app!

Frustrate those hackers!
Frustrate those cyberbullies!

Let’s Recap!

As you can see, there are ten types of attacks that are specified in OWASP.  Make sure that you understand the difference between these ten attack types and how they may relate to your web application.

After a brief quiz,  I will show you how to implement secure coding practices from the OWASP Top Ten to ensure a secure and high-quality web application that will make you a marketable and skilled web developer!

Example of certificate of achievement
Example of certificate of achievement