Web security vulnerabilities are among the trickiest problems tackled by cybersecurity professionals. The Open Web Application Security Project (OWASP) maintains a list of the top ten web security vulnerabilities that cybersecurity experts should understand and defend against to maintain secure web services. In this video, learn about the top ten vulnerabilities on the current OWASP list.
- Web security vulnerabilities are among the trickiest problems tackled by cybersecurity professionals. The Open Web Application Security Project, or OWASP, maintains a list of the top 10 web security vulnerabilities that cybersecurity experts should understand and defend against to maintain secure web services. The current version of the OWASP Top 10 was developed in 2013 and is currently undergoing revision, with a new release expected sometime in 2017.
According to OWASP, the top 10 web security issues are: injection attacks, broken authentication and session management, cross-site scripting, insecure direct object references, security misconfigurations, sensitive data exposure, missing function level access controls, cross-site request forgery attacks, using components with known vulnerabilities, and unvalidated redirects and forwards.
Injection flaws occur when an attacker is able to insert code into a request sent to a website and then trick that website into passing the code along to a back-end server, where it is executed. The most common example of an injection attack is the SQL injection attack against databases. I cover that more in the next video. Broken authentication and session management occurs when websites require that users authenticate, but then have flaws in the mechanisms that provide that authentication.
I talk about how attackers might exploit this using an attack called session hijacking in a video later in this course. Cross-site scripting is an attack where the attacker embeds scripts in third-party websites that may then execute in the browsers of victims. I have an entire video in this course covering cross-site scripting in more detail. Insecure direct object references occur when a developer exposes some details of how an underlying application functions, and then doesn't perform proper security checks to prevent unauthorized use of the application.
For example, imagine a website URL like this one, which has a user's account number embedded in the request. An attacker might try to simply change the account number to access a different account. If the web application doesn't check to make sure that the user is authorized to access that account, the attacker may gain unauthorized access. Security misconfigurations occur because web applications depend upon a large number of complex systems. These include web servers, application servers, database servers, firewalls, routers, and other components.
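The insecure direct object reference described above, shown as an added example that is not code from the course: a lookup handler that trusts the account number in the request, beside a hardened version that checks ownership against the server-side session. The account numbers, usernames and the in-memory table are constructed sample data.

```python
"""Insecure direct object reference (IDOR): vulnerable lookup beside its hardened form.

Added example, not code from the course. Account numbers, users and the
in-memory 'database' below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: int
    owner: str          # username that owns this account
    balance: float


# Constructed sample data standing in for a database table.
ACCOUNTS = {
    1001: Account(1001, "alice", 250.00),
    1002: Account(1002, "bob", 9000.00),
}


class Forbidden(Exception):
    """Raised when the caller is not authorized to read the requested account."""


def get_account_vulnerable(session_user: str, requested_number: int) -> Account:
    """Returns whatever account number the request names.

    The handler trusts the identifier taken from the URL and never compares it
    with the logged-in user, so changing account=1001 to account=1002 reads
    another user's data. This is the flaw the transcript describes.
    """
    return ACCOUNTS[requested_number]


def get_account_hardened(session_user: str, requested_number: int) -> Account:
    """Looks up the account, then enforces ownership before returning it.

    The authorization decision is based on the server-side session identity,
    not on anything the client supplied in the request.
    """
    account = ACCOUNTS.get(requested_number)
    # Return the same error for "missing" and "not yours", so the response does
    # not reveal which account numbers exist.
    if account is None or account.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not read account {requested_number}")
    return account


def demo() -> dict:
    """Runs both handlers with a session for 'alice' requesting bob's account."""
    leaked = get_account_vulnerable("alice", 1002)      # succeeds: the IDOR
    try:
        get_account_hardened("alice", 1002)
        blocked = False
    except Forbidden:
        blocked = True
    own = get_account_hardened("alice", 1001)           # own account still works
    return {"leaked_owner": leaked.owner, "blocked": blocked, "own_balance": own.balance}


if __name__ == "__main__":
    print(demo())
```

The fix is not hiding the account number but making the server decide, on every request, whether the authenticated user may see the object it names.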
Each one of these components has its own security settings, and an error anywhere in those settings could jeopardize the security of the entire system. Sensitive data exposure occurs when an insecure web application accidentally exposes sensitive information to eavesdroppers. This may be as simple as accidentally placing a customer file on a publicly accessible portion of a website. Or sensitive data exposure may occur when web server administrators fail to implement the HTTPS protocol to encrypt information sent over the Internet.
Missing function level access control occurs when developers fail to check on the back-end whether a user is authorized to access a particular function of an application. Users with knowledge of the application may send requests directly to the server, bypassing the security controls that are built into the user interface. Cross-site request forgery exploits the fact that users often have more than one website open at the same time. I have an entire video dedicated to cross-site request forgery later in this course.
Web developers must be very cautious about the components that they use to build their applications, as many of these components have known vulnerabilities. If a web application is built using a vulnerable component, attackers may exploit that component to attack the application itself. Administrators must be sure to monitor their environment regularly and apply security patches to components as soon as they are available. Unvalidated redirects and forwards occur when a website allows external links to other websites using the organization's URL.
For example, a URL like this one might redirect users from the IRS site to a third-party website. Developers creating forwarding capabilities should ensure that any redirects appear on an approved list before allowing them to go through. Otherwise, an attacker could use URLs like this one to hide the real identity of a malicious site behind the domain name of a trusted organization.
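The approved-list check for redirects described above, as an added example that is not code from the course: an unchecked forward beside a validator that only allows same-site paths or an exact host match against an approved list. The approved hosts and the sample targets (including `evil.example`) are constructed for illustration; the parsing relies on `urllib.parse.urlsplit` from the standard library.

```python
"""Validating a redirect target against an approved list.

Added example, not code from the course. The approved hosts and the sample
URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hosts the application is allowed to forward users to (constructed).
APPROVED_HOSTS = {"www.example.org", "help.example.org"}


def redirect_unchecked(target: str) -> str:
    """The flaw: forwards the browser wherever the request parameter points."""
    return target


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Returns target if it is a same-site path or an https URL on an approved
    host; otherwise returns the default landing page.

    Checks are exact (no prefix or substring matching), because
    'www.example.org.evil.example' contains the trusted name but is not it.
    """
    # Some browsers treat backslashes as slashes, so '/\\host' would otherwise
    # parse here as a relative path while the browser sees '//host'.
    cleaned = target.replace("\\", "/").strip()
    parts = urlsplit(cleaned)

    # Same-site relative path: no scheme, no host, a single leading slash
    # ('//host' is protocol-relative and must not be treated as local).
    if (not parts.scheme and not parts.netloc
            and cleaned.startswith("/") and not cleaned.startswith("//")):
        return cleaned

    # Absolute URL: require https and an exact host match. .hostname drops any
    # userinfo ('trusted@other') and port, and lowercases the name.
    if parts.scheme == "https" and parts.hostname in APPROVED_HOSTS:
        return cleaned

    return default


def classify(targets: list) -> dict:
    """Maps each candidate target to where the hardened check would send the user."""
    return {t: safe_redirect_target(t) for t in targets}


if __name__ == "__main__":
    # Constructed candidates mixing legitimate and malformed targets.
    for target, result in classify([
        "/account?id=5",
        "https://help.example.org/faq",
        "//evil.example/",
        "https://www.example.org@evil.example/",
        "https://www.example.org.evil.example/",
    ]).items():
        print(f"{target!r:45} -> {result!r}")
```

A default landing page is returned rather than an error so that a tampered link degrades to a harmless page; logging the rejected target is a useful detection signal for phishing campaigns that abuse the site's domain.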
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx. You can also join Mike's free study group at certmike.com.