We use web applications for so many things in everyday life. Thus, several times a day, we find ourselves inputting sensitive information into many different types of online channels.

As developers, we face a lot of challenges, of which security is both important and often underrated. Because of that, we should be dedicated to making more of an effort at protecting and securing those applications.

To this day, no web technology was proven to be invulnerable. Most of the cyberattacks in past years have been performed using software vulnerabilities. Such programming mistakes leave web applications, web servers, and websites exposed.

There are several rules developers have to follow in the process of developing modern web applications, in order to achieve a high level of security.

What is OWASP?

The Open Web Application Security Project (OWASP) is a non-profit foundation dedicated to improving the security of software.

OWASP operates via an open community model, where anyone can participate in, and contribute to, projects, events, online chats, and more. A guiding principle of OWASP is that all materials and information are free and easily accessed on their website. It offers everything-- from tools, videos, forums, projects, to events. In short, it's a repository of all things web-application-security, backed by the extensive knowledge and experience of its open community contributors.

What is the OWASP Top 10?

The OWASP Top 10 is a document prepared by OWASP that provides a ranking of the top 10 most critical risks. It also offers the solutions for avoiding them.

The risks are ranked based on the frequency of discovered security defects, the severity of the vulnerabilities, and the magnitude of their potential impacts. The purpose of the document is to offer developers and web application security professionals insight into the most prevalent security risks.

This allows us to incorporate the report’s findings and recommendations into our security practices, thereby minimizing the presence of these known risks in our applications. Let's cover them.

1. Injection. A code injection occurs when invalid data is sent by an attacker to a web application. The attacker’s intent in doing so is to make the application do something it was not designed to do. There are many types of injections, and they are mostly done from the application's input forms.

• Example: SQL injection is one of the most common injection flaws found in applications. SQL injection flaws can be caused by use of untrusted data by an application when constructing a vulnerable SQL call. For example, if someone used the string ’” + uname + “’ AND password=’” + pwd + “’” as a username, you'd form:

1SELECT * FROM users WHERE user_name = ’” + uname + “’ AND password=’” + pwd + “’”

• Solution: Use a safe API, which avoids the use of the interpreter entirely and provides a parameterized interface. Otherwise, migrate to use Object Relational Mapping Tools (ORMs). Sanitize user input, and use positive or “whitelist” server-side input validation.

2. Broken Authentication. Functions related to authentication and session management, when implemented incorrectly, allow attackers to compromise passwords, keywords, and sessions. This can lead to stolen user identity, data, and more.

• Example: A web application allows the use of weak or well-known passwords (i.e. “password1”).
• Solution: Multi-factor authentication can help reduce the risk of compromised accounts. Implement password weakness check, regular password changes, and use a server-side, secure, built-in session manager that generates a new random session ID.

3. Sensitive Data Exposure. Sensitive data exposure is when important stored or transmitted data (such as credit cards) is compromised.

• Example: Companies that fail to adequately protect their sensitive data can be easy targets for credit card fraud and identity theft.
• Solution: Classify and identify which data is sensitive according to privacy laws, regulatory requirements, or business needs, and apply adequate controls. Do not store sensitive data if not necessary. Encrypt all data in transit with security protocols such as TLS with perfect forward secrecy (PFS) ciphers.

4. XML External Entities (XXE). Attackers are able to take advantage of web applications that use vulnerable component processing XML’s. Attackers are able to upload XML or include hostile commands or content within an XML document.

• Example: An application allows untrusted sources to perform XML uploads.
• Solution: Use less complex data formats such as JSON and avoiding serialization of sensitive data. Implement positive (“whitelisting”) server-side input validation. Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar

5. Broken Access Control. Broken access control is when an attacker is able to get access to user accounts. The attacker is able to operate as the user or as an administrator in the system.

• Example: An application allows a primary key to be changed. When the key is changed to another user’s record, that user’s account can be viewed or modified.
• Solution: Implement access control mechanisms once and re-use them throughout the application, including minimizing CORS usage. Rate limit API and controller access to minimize the harm from automated attack tooling. JWT tokens should be invalidated on the server after logout.

6. Security Misconfiguration. Security misconfigurations are when design or configuration weaknesses result from a configuration error or shortcoming.

• Example: A default account and its original password are still enabled, making the system vulnerable to exploit.
• Solution: Remove or do not install unused features and frameworks. Development, QA, and production environments should all be configured identically, with different credentials used in each environment.

7. Cross-Site Scripting (XSS). XSS attacks occur when an application includes untrusted data on a webpage. Attackers inject client-side scripts into this webpage.

• Example: Untrusted data in an application allow for an attacker to ‘steal a user session’ and gain access to the system.
• Solution: Use frameworks that automatically escape XSS by design, such as the latest Ruby on Rails, React JS. Escape untrusted HTTP request data based on the context in the HTML output. Enable a Content Security Policy (CSP) as a defense-in-depth mitigating control against XSS.

8. Insecure Deserialization. Insecure Deserialization is a vulnerability where deserialization flaws allow an attacker to remotely execute code in the system.

• Example: An application is vulnerable because it deserializes hostile objects that were supplied by an attacker.
• Solution: Implement integrity checks such as digital signatures on any serialized objects to prevent hostile object creation or data tampering. Log deserialization exceptions and failures. Restrict incoming and outgoing network connectivity from containers or servers that deserialize.

9. Using Components With Known Vulnerabilities. This vulnerability’s title states its nature; it describes when applications are built and run using components that contain known vulnerabilities.

• Example: Due to the volume of components used in development, a development team may not even know or understand the components used in their application. This can result in them being out-of-date and thus vulnerable to attack.
• Solution: Remove unused dependencies, unnecessary features, components, files, and documentation.Continuously inventory the versions of both client-side and server-side components.

10. Insufficient Logging And Monitoring. Logging and monitoring are activities that should be performed to an application frequently, to guarantee it is secure, and working as it should. Failure to adequately log and monitor a site leaves it vulnerable to more severe compromising activities.

• Example: Events that can be audited, like logins, failed logins, and other important activities, are not logged, leading to a vulnerable application, and developers not able to detect those vulnerabilities.
• Solution: Ensure all failures can be logged with sufficient user context to identify suspicious or malicious accounts. Establish effective monitoring and alerting such that suspicious activities are detected and responded to in a timely fashion. Ensure that logs are generated in a format that can be easily consumed by a centralized log management solutions.

One Pager Cheat Sheet

• As developers, we should make more of an effort to protect and secure our web applications by following various rules, such as those prescribed by the Open Web Application Security Project (OWASP) and its OWASP Top 10, which outlines the top 10 most critical security risks and how to avoid them.
• SQL injection is a security flaw in web applications that attackers exploit to gain direct access to the database, with the goal of making the application do something it was not designed to do.
• XXE issues can be prevented by classifying and identifying sensitive data according to privacy laws, regulatory requirements, or business needs, and applying adequate controls, such as using less complex data formats, avoiding serialization of sensitive data, and implementing multi-factor authentication and positive ("whitelisting") server-side input validation.
• By using JSON instead of XML, implementing positive input validation and XSD validation, the risk of an XML External Entities (XXE) attack can be reduced.
• Common attacks and their respective solutions are broken access control, security misconfiguration, Cross-Site Scripting (XSS), and insecure deserialization, which can be mitigated by implementing access control mechanisms, removing/not installing unused features and frameworks, escaping XSS and HTTP requests, and ensuring integrity of serialized objects.
• XSS is a type of attack where an attacker injects malicious code into a website in order to steal session cookies and gain unauthorized access to a user's account.
• Applications are vulnerable to attack when they are built and run with known vulnerable components and insufficient logging and monitoring, requiring removal of unused dependencies and continuous inventorying of components, as well as establishing effective monitoring, alerting, and log generation.
• Logging and monitoring are essential to properly secure an application, providing visibility into events and behaviors to help detect and respond to malicious activities quickly.