Waf Charm

OWASP Top 10 for beginners

【Table of contents】

  1. Introduction
  2. Specifics of OWASP
  3. Using OWASP TOP 10
  4. Conclusion
  • 1. Introduction

    OWASP TOP 10 is a very important term in the security of web applications, and if you are in charge of security, you will want to know about it.

    • a) What is OWASP?

      OWASP TOP 10 is a security report issued by an organization called "OWASP". So, what is OWASP? We will explain it in detail.

      OWASP (Open Web Application Security Project) is a security organization in which web security professionals work as volunteers. Founded in 2001, the organization is now active worldwide, conducting security surveys, publishing the results, and raising awareness.
       

    • b) What is OWASP TOP 10?

      OWASP TOP 10 is a web security report published by OWASP on a regular basis. It lists the ten web security risks you most need to be on guard against, chosen because they are prevalent or are causing major damage one case after another. It has been published regularly since 2004, and the current edition is the November 2017 publication. The report itself can be obtained at the following site.

      ※Original report of OWASP TOP10
      https://owasp.org/www-project-top-ten/
       

  • 2. Specifics of OWASP

    Here's a brief description of the original content. The latest OWASP TOP 10, released in November 2017, looks like this.

    • Injection
      Injection is when an attacker injects an attack string into an application. For example, it refers to the act of entering server commands or SQL, the language used to operate databases, into the login input screen of a web application.

    • Broken Authentication
      Authentication is "the ability of someone with the right access rights to get the right access"; in a web application it is the act of logging in. Broken authentication is the inability to properly verify a user's identity, which allows unauthorized access. For example, it refers to a case where a third party logs in to a web application with a compromised password.

    • Sensitive Data Exposure
      This refers to unintentionally allowing important data to be seen by third parties. For example, important personal information such as credit card numbers can be seen by a third party if it is sent over the Internet unencrypted and eavesdropped on. There are also cases where data kept in the cloud, such as in cloud storage, is unintentionally disclosed to third parties.

    • XML External Entity (XXE) Processing
      This is an attack that takes advantage of a feature of XML files, which are widely used in web applications. Because long documents are tedious to write by hand, XML provides "entity references", a mechanism for defining content once and reusing it. This attack exploits that mechanism to bring in external programs or sensitive information that is not publicly available.

    • Broken Access Control
      Broken access control refers to a state in which a user can do more than the privileges he or she has been given should allow. For example, it is "broken access control" when an ordinary employee of a company is able to see and manipulate files that only executive-level employees of the company should be able to see.

    • Security Misconfiguration
      This covers so-called setup errors, or inadequate setup due to lack of knowledge. A misconfiguration can itself become a vulnerability in a web application, making it an easy target for security attacks.

    • Cross-Site Scripting (XSS)
      Cross-site scripting is an attack that plants a trap in a web application and directs its users to a fake web application in order to plant a computer virus or steal login information. In general, it is an attack that causes a lot of damage to web application users.

    • Insecure Deserialization
      Deserialization is a data transformation. For example, in a web application, data written in JSON format may be converted so that JavaScript, a programming language, can work with it. This transformation is called "serialization" or "deserialization". If it is not done securely, an attacker may be able to execute a malicious program or extract data.

    • Using Components with Known Vulnerabilities
      The programming languages, frameworks, servers, and other components that make web applications work receive updates and patches every time a vulnerability (a security hole) is discovered. Continuing to run applications with known vulnerabilities without applying patches is dangerous, as it makes you a target for security attacks.

    • Insufficient Logging and Monitoring
      Even in the unlikely event of an attack, proper monitoring allows early detection, which minimizes the damage. Good logs can also serve as evidence if legal action is taken against an attacker. It is very important to have adequate logging and monitoring mechanisms in place just in case.
       
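    As an added illustration of the "Injection" and "Insufficient Logging and Monitoring" items above (example code written for this article, not part of the OWASP report or any product), the following Python script shows a login check built by string concatenation next to the same check written with a parameterized query, and records each attempt so failures can be counted. The user table, the user "alice" and the in-memory audit log are constructed for the demo.

```python
import hashlib
import sqlite3
from collections import Counter


# Constructed demo: plain SHA-256 keeps the code short; a real application
# would store passwords with a salted, slow hash such as argon2 or bcrypt.
def hash_pw(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # One constructed user in an in-memory SQLite table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("correct horse")))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The username is pasted into the SQL text, so quote characters and comment
    # markers typed into the login form become part of the query (injection).
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND pw_hash = '" + hash_pw(password) + "'")
    return conn.execute(query).fetchone()[0] > 0


AUDIT_LOG: list = []   # in-memory stand-in for the application's log sink


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the values travel separately from the SQL text, so
    # the input is only ever compared as data and never parsed as SQL.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_pw(password))).fetchone()
    ok = row[0] > 0
    # Record every attempt: repeated failures are what monitoring needs in
    # order to notice probing or brute force early.
    AUDIT_LOG.append({"user": username, "success": ok})
    return ok


def failed_attempts(log: list) -> Counter:
    # Count failures per submitted username; a spike is a signal to alert on.
    return Counter(e["user"] for e in log if not e["success"])


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1' --"          # classic login-bypass input
    print("vulnerable:", login_vulnerable(db, probe, "x"))   # True: bypassed
    print("safe:", login_safe(db, probe, "x"))               # False: rejected
    print(failed_attempts(AUDIT_LOG))
```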
  • 3. Using OWASP TOP 10

    We have looked at the specific content of the OWASP TOP 10. So, how can we make the most of it? With the above knowledge, you can perform a security audit of the web application you are running and prevent serious incidents from occurring. Also, the OWASP TOP 10 is only the top ten items, and there are important items that do not appear in it. If you are aiming for strong security, look not only at the latest OWASP TOP 10 from 2017, but also at the OWASP TOP 10 published in 2013.

    In addition, there are companies that perform security audits based on the OWASP TOP 10. Consider making use of them as well.
     

  • 4. Conclusion

    The OWASP TOP 10 is an important report that security professionals need to be aware of in order to protect their web applications, so let's use it to enhance the security of your web applications and prevent them from falling victim to security attacks.