Web security vulnerabilities are among the trickiest problems tackled by cybersecurity professionals. The Open Web Application Security Project (OWASP) maintains a list of the top ten web security vulnerabilities that cybersecurity experts should understand and defend against to maintain secure web services. In this video, learn about the top ten vulnerabilities on the current OWASP list.
- [Instructor] Web security vulnerabilities are among the trickiest problems tackled by cybersecurity professionals. The Open Web Application Security Project, or OWASP, maintains a list of the top 10 web security vulnerabilities that cybersecurity analysts should understand and defend against to maintain secure web services. The current version of the OWASP Top 10 list was developed in 2017. According to OWASP, the top 10 web security issues are: injection attacks, broken authentication, sensitive data exposure, XML external entities attacks, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring. We'll take a little deeper look at each one of these issues in this video and then we'll use individual videos to dive into even more detail on some of the more complicated challenges. Injection flaws occur when an attacker is able to insert code into a request sent to a website and then trick that website into passing the code along to a back-end server where it is executed. The most common example of an injection attack is the SQL injection attack against databases. I cover that more in the next video. Broken authentication occurs when websites require that users authenticate but then have flaws in the mechanisms that provide that authentication. Session hijacking attacks can exploit broken authentication vulnerabilities. Sensitive data exposure occurs when an insecure web application accidentally exposes sensitive information to eavesdroppers. This may be as simple as accidentally placing a customer file on a publicly accessible portion of a website, or it may occur when web server administrators fail to implement the HTTPS protocol to encrypt information that's sent over the internet. XML external entity attacks can be used by attackers to gain sensitive internal information from a poorly configured XML processor. In the worst case, these vulnerabilities may even allow remote code execution or denial of service attacks. Broken access control occurs when developers fail to check on the backend whether a user is authorized to access a particular function of an application. Users with knowledge of the application may send requests directly to the server, bypassing the security controls built into the user interface. This category of attacks also includes something called insecure direct object references. These attacks occur when a developer exposes some details of how an underlying application functions and then doesn't perform proper security checks to prevent unauthorized use of the application. For example, imagine a website URL like this one that has a user's account number embedded in the request. An attacker might try to simply change the account number to access a different account. If the web application doesn't check to make sure that the user is authorized to access that account, the attacker may gain unauthorized access. Security misconfigurations occur because web applications depend upon a large number of complex systems including web servers, application servers, database servers, firewalls, routers, and other components. Each of these components has its own security settings and an error anywhere in those settings could jeopardize the security of the entire infrastructure. Cross-site scripting is an attack when the attacker embeds scripts in third-party websites that may then execute in the browsers of victims. I have an entire video in this course covering cross-site scripting in more detail and another covering a related attack called cross-site request forgery. Insecure deserialization is a complex security issue that involves the way that applications or APIs handle objects provided by web users. If the process isn't designed securely, attackers may be able to perform remote code execution attacks. Web developers must be very cautious about the components that they use to build their application as many of these components have known vulnerabilities. If a web application is built using a vulnerable component, attackers may exploit that component to attack the application itself or the underlying server. Administrators must be sure to monitor their environment regularly and apply security patches to components as soon as they are available. And finally, insufficient logging and monitoring occurs when applications don't create the detailed log records that contain crucial information for security investigations and troubleshooting efforts. OWASP isn't the only organization that provides secure coding best practices. The SANS Institute provides a similar list of common programming errors that they call the Top 25 Most Dangerous Software Errors. Another website that you may wish to visit is the Center for Internet Security. The Center provides the cybersecurity community with system design recommendations as well as a comprehensive series of security benchmarks that describe the secure configuration of a wide variety of operating systems, server software, mobile devices, development environments, and other applications.

- [Earlier recording of this video, describing the 2013 edition of the OWASP Top 10] Web security vulnerabilities are among the trickiest problems tackled by cybersecurity professionals. The Open Web Application Security Project, or OWASP, maintains a list of the top 10 web security vulnerabilities that cybersecurity experts should understand and defend against to maintain secure web services. The current version of the OWASP Top 10 was developed in 2013 and is currently undergoing revision with a new release expected sometime in 2017. According to OWASP, the top 10 web security issues are: injection attacks, broken authentication and session management, cross-site scripting vulnerabilities, insecure direct object references, security misconfigurations, sensitive data exposure, missing function level access controls, cross-site request forgery attacks, using components with known vulnerabilities, and unvalidated redirects and forwards. Injection flaws occur when an attacker is able to insert code into a request sent to a website and then trick that website into passing the code along to a back-end server where it is executed. The most common example of this is the SQL injection attack against databases, which I'll cover in the next video. Broken authentication and session management occurs when websites require that users authenticate but then have flaws in the mechanisms that provide that authentication. We'll see how attackers exploit this using an attack called session hijacking in a video later in this course. Cross-site scripting is an attack where the attacker embeds scripts in third-party websites that may then execute in the browsers of victims. I have an entire video in this course covering cross-site scripting in more detail. Insecure direct object references occur when a developer exposes some details of how an underlying application functions and then doesn't perform proper security checks to prevent unauthorized use of the application. For example, imagine a website URL like this one that has a user's account number embedded in the request. An attacker might try to simply change the account number to access a different account. If the web application doesn't check to make sure that the user is authorized to access that account, the attacker may gain unauthorized access. Security misconfigurations occur because web applications depend upon a large number of complex systems. These include web servers, application servers, database servers, firewalls, routers, and other components. Each one of these components has its own security settings, and an error anywhere in those settings could jeopardize the security of the entire system. Sensitive data exposure occurs when an insecure web application accidentally exposes sensitive information to eavesdroppers. This may be as simple as accidentally placing a customer file on a publicly accessible portion of a website, or it may occur when web server administrators fail to implement the HTTPS protocol to encrypt information sent over the Internet. Missing function level access control occurs when developers fail to check on the back-end whether a user is authorized to access a particular function of an application. Users with knowledge of the application may send requests directly to the server, bypassing the security controls that are built in to the user interface. Cross-site request forgery exploits the fact that users often have more than one website open at the same time. I have an entire video dedicated to cross-site request forgery later in this course. Web developers must be very cautious about the components that they use to build their applications, as many of these components have known vulnerabilities. If a web application is built using a vulnerable component, attackers may exploit that component to attack the application itself. Administrators must be sure to monitor their environment regularly and apply security patches to components as soon as they are available. Unvalidated redirects and forwards occur when a website allows external links to other websites using the organization's URL. For example, a URL like this one might redirect users from the IRS site to a third-party website. Developers creating forwarding capabilities should ensure that any redirects appear on an approved list before allowing them to go through. Otherwise, an attacker could use URLs like this one to hide the real identity of a malicious site behind the domain name of a trusted organization.
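Two of the checks the instructor describes, as an added example that is not part of the course or its materials: the account-number-in-the-URL problem (an insecure direct object reference) shown as an unchecked lookup beside a lookup that verifies the session user owns the account, and the approved-list check recommended for redirects. Every account, username and hostname below is constructed for illustration, and the helper names (`can_access`, `safe_redirect_target`, `resolve_next`) are this example's own.

```python
# Added example, not from the course: an insecure direct object reference
# (unchecked account lookup) beside its hardened form, plus an approved-list
# check for redirect targets. All data, names and hostnames are constructed.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250.00},
    "1002": {"owner": "bob", "balance": 975.50},
}


class Forbidden(Exception):
    """Raised when the session user is not authorized for the requested object."""


@dataclass
class Session:
    username: str  # the authenticated user, established before this code runs


def get_account_unchecked(session: Session, account_id: str) -> dict:
    """Vulnerable form: trusts the account number taken from the request.
    Changing ?account=1001 to ?account=1002 returns someone else's record."""
    return ACCOUNTS[account_id]


def can_access(session: Session, account_id: str) -> bool:
    """Server-side authorization check: the record must exist and belong to
    the session user. Unknown ids are treated the same as foreign ids so the
    response does not reveal which account numbers exist."""
    record = ACCOUNTS.get(account_id)
    return record is not None and record["owner"] == session.username


def get_account(session: Session, account_id: str) -> dict:
    """Hardened form: the lookup is gated by can_access()."""
    if not can_access(session, account_id):
        raise Forbidden(f"{session.username} may not access account {account_id}")
    return ACCOUNTS[account_id]


# Approved list of hostnames this site is willing to redirect users to (constructed).
ALLOWED_REDIRECT_HOSTS = {"partner.example", "docs.example"}


def safe_redirect_target(url: str) -> Optional[str]:
    """Return the URL only if it is an absolute http(s) URL whose host is on
    the approved list, otherwise None. Matching the parsed hostname exactly
    rejects look-alikes such as https://docs.example.evil.example/ and
    userinfo tricks such as https://docs.example@evil.example/ (urlsplit
    reports evil.example as the hostname in that case)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        return None
    return url


def resolve_next(request_url: str) -> str:
    """Pick the redirect target from a ?next= parameter on a constructed
    request URL; anything not on the approved list falls back to the home page."""
    query = parse_qs(urlsplit(request_url).query)
    for candidate in query.get("next", []):
        target = safe_redirect_target(candidate)
        if target is not None:
            return target
    return "/"


if __name__ == "__main__":
    alice = Session("alice")
    print(get_account(alice, "1001"))   # alice's own account
    print(can_access(alice, "1002"))    # False: the account belongs to bob
    print(resolve_next("https://www.example/login?next=https://docs.example/help"))
    print(resolve_next("https://www.example/login?next=https://evil.example/"))  # "/"
```

The point of `can_access` is that authorization is decided on the server from the session, never from anything the client sent; the point of `safe_redirect_target` is that the approved list is matched against the parsed hostname rather than by a substring or prefix test, which is what lets a trusted domain name be abused as a disguise.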
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx. You can also join Mike's free study group at certmike.com.