I written around 7 web security and cyber
security related articles, in this article i will summarize latest version
OWSAP top 10 critical security risks.
What is OWASP?
The Open Web Application Security Project
(OWASP), an online community, produces freely-available articles,
methodologies, documentation, tools, and technologies in the field of Web application security.
How OWASP decides top 10 risks?
Top 10 focuses on identifying the most serious web application
and risks for a different types companies and organizations.
risks OWASP team provides generic information about likelihood and technical
impact using simple rating scheme, based in OWASP Risk RatingMethodology
version of the 2017 OWASP Top 10 was released on November 21, 2017 according to
OWASP team following are the ten most
critical web application security risks presently.
OWASP Top 10 year 2017
A2: Broken Authentication
A3: Sensitive Data Exposure
A4: XML External Entities (XXE) [NEW]
A5: Broken Access Control [Merged]
Components with Known Vulnerabilities
Logging & Monitoring [NEW]
introduced three new critical security risks in 2017 version release I will
explain those in short.
A4: XML External Entities (XXE)
or poorly configured XML processors evaluate external entity references within
entities can be used to disclose internal files using the file URI handler,
file shares, internal port scanning, remote code execution, and denial of
a. In must require case only use complex data formats
such as JSON and serialization and deserialization else avoid it.
b. Upgrade XML dll, libraries those used like XML processors
Update SOAP to latest version.
c. User server side while list approach for input validation,
data sanitization, for xml document, headers and xml nodes.
d. Validate all external XML/XSL files.
e. Use tools like SAST to detect XXE and perform manual
d. According to OWASP the safest way to prevent XXE is
always to disable DTDs (External Entities) completely.
details use OWASP prevention cheat sheet
A8: Insecure Deserialization
What is serialization and deserialization
To store and
use for communication convert data into stream of bytes, deserialization is
deserialization often leads to remote code execution. Even if deserialization
flaws do not result in remote code execution, they can be used to perform attacks,
including replay attacks, injection attacks, and privilege escalation attacks.
a. Safest way is to avoid serialized data from untrusted users and untrusted sources.
b. Implement integral check such as digital signature
c. use strict type constraint when deserialization and serialization,
for example allow only defined classes
d. code that prevents deserialization and serialization
in low privileges environment
e. Log deserialization and serialization failures, exceptions
and monitoring incoming and outgoing connectivity from containers and servers
that deserialize and monitoring deserialization.
f. There are some language specific Guidelines and
proper coding techniques for developers that prevent from this attack, I suggest
developers and programmers to refer following cheat sheet documents from OWASP.
A10: Insufficient Logging & Monitoring
logging and monitoring, coupled with missing or ineffective integration with
incident response, allows attackers to further attack systems, maintain persistence,
pivot to more systems, and tamper, extract, or destroy data.
a. Log all login, access, validation failures
with sufficient details, that details you can use to track identify suspicious
or malicious accounts.
To maintain logs,
use standard centralized log management system.
b. Implement effective monitoring and alerting
such that suspicious activities are detected and responded in timely fashion.
audit and monitoring on high value transaction.
d. Adopt incident/failure
plan and recovery plan for system.
e. Use proper
notification and alerts for suspicious activities.
धन्यवाद मित्रो !!