OWASP TOP 10 Most Critical Security Risks

Donghyun Shin·2022년 12월 29일

1. Injection

What is it? - Untrusted user input is interpreted by server and executed.
What is the impact? - Data can be stolen, modified or deleted.
How to prevent?
- Reject untrusted/invalid input data
- Use latest frameworks
- Typically found by penetration testers/secure code review

Just inserting invalid data/command can make huge impact only by executing. So sanitizing the data/command always need to prevent.

What is it? - Incorrectly build auth and session man. Scheme that allows an attacker to impersonate another user.
What is the impact? - Attacker can take identity of victim.
How to prevent?
- Don't develop your own authentication schemes.(내머리로 불가)
- Use open source frameworks that are actively maintained by community.
- Use string passwords
- Require current credential when sensitive information is requested or changed.
- Multi-factor authentication
- Log out or expire session after X amout of time.
- Be careful with 'remember me'funcionality.

What is it? - Restrictions on what authenticated users are allowed to do are not properly enforced.
What is the impact? - Attackers can assess data, view sensitive files and modify data
How to prevent?
- Application should not solely rely on user input; check access rights on UI level and server level for requests to resources (e.g. data)
- Deny access by default

What is it? - Human mistake of misconfigurating the system.
What is the impact? - Depends on the misconfiguration. Worst misconfiguration could result in loss of the system.
How to prevent?
Force change of default credentials
Least privilege: turn everything off by default
Static tools that scan code for default settings
Keep patching, updating and testing the system
Regularly audit system deployment in production

6. Sensitive Data Exposure
What is it? - Sensitive data is exposed, e.g. social security numbers, passwords, health records.
What is the impact? - Data that are lost, exposed or corrupted can have severe impact on business continuity.
How to prevent?
- Always obscure data
- Update cryptographic algorithm
- Use salted encryption on storage of passwords

What is it? - Applications that are attacked but do not recognize it as an attack, letting the attacker attack again and again
What is the impact? - Leak of data, decrease application availability
How to prevent?
Detect and log normal and abnormal use of application
Respond by automatically blocking abnormal users or range of IP addresses
Patch abnormal use quickly

8. Cross-site request forgery
What is it? An attack that forces a victim to execute unwanted actions on a web application in which they're currently authenticated.
What is the impact? - Victim unknowingly executes transactions.
How to prevent?
- Reauthenticate of rall critical actions
- Include hidden token in request
- Most web frameworks have built-in CSRF protection, but isn't enabled by default

What is it? - Third-party components that the focal system uses
What is the impact? - Depending on the vulnerability it could range from subtle to seriously bad
How to prevent?
- Always stay current with third-party components
- If possible, follow best practice of virtual patching

What is it? - Applications expose rich connectivity options through APIs, in the browser to a user. These APIs are often unprotected and contain numerous vulnerabilities.
What is the impact? - Data theft, corruption, unauthorized access, etc
How to prevent?
- Ensure secure communication between client browser and server API
- Reject untrusted/invalid input data
- Use latest framework
- Vulnerabilities are typically found by penetration testers and secure code reviewers

논리적인 개발자가 되고 싶습니다