Are you vulnerable to OWASP Top 10?

 
Have you heard about the OWASP Top 10? OWASP stands for Open Web Application Security Project, an organization dedicated to application security. OWASP publishes a Top 10 list of the security risks that should be treated as priority application threats.
The top 10 application security issues are as follows:
1. Injection
Injection flaws, such as SQL, OS, LDAP, XPath or NoSQL injection, occur when an application sends untrusted data to an interpreter as part of a command or query. The attacker sends simple text-based input that exploits the syntax of the interpreter and tricks it into executing unintended commands or accessing protected data without authorization. Injection can result in data loss and denial of service.
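As an added example (not code from the original post or from AIONCLOUD), the following Python script shows why parameterized queries stop SQL injection: the same quoted input is run through a string-concatenated query and through a placeholder query against a small constructed SQLite table. The table contents, the function names and the input value are all assumptions made for this illustration.

```python
import sqlite3


# Constructed sample table for this example; not data from the original post.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input is spliced into the query text, so the interpreter
    # parses whatever the caller supplied as SQL, not as a value.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The query text is fixed; the input is bound as a value and can never
    # change the statement's structure.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def compare(username: str) -> dict:
    """Run the same input through both lookups and return what each produced."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, username),
        "parameterized": lookup_parameterized(conn, username),
    }


if __name__ == "__main__":
    # A quoted input that closes the string literal and appends a tautology:
    # the concatenated query returns every row, the bound query returns none.
    print(compare("' OR '1'='1"))
    # A legitimate value behaves identically with either form.
    print(compare("alice"))
```

The concatenated version returns both users because the interpreter sees the input as part of the WHERE clause; the parameterized version returns nothing because the whole string is compared as a username. The same principle applies to OS commands (pass argument lists, never shell strings), LDAP filters and XPath expressions: keep the command structure fixed and pass untrusted data only as bound values.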
2. Broken Authentication and Session Management
Authentication and session management are often implemented incorrectly, allowing an attacker to impersonate users by exploiting passwords, keys or session IDs. Once an account is compromised, the attacker can do anything the authenticated user can.
3. Cross-site Scripting (XSS)
Cross-site scripting flaws occur when an application takes untrusted data and sends it to a web browser without proper validation or escaping. There are three types of cross-site scripting: stored, reflected and DOM-based XSS. The attacker can execute scripts in the victim's browser to hijack user sessions, insert hostile content or deface the website.
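To make the "escaping" part concrete, here is an added Python example (not code from the original post or from AIONCLOUD) that renders a stored comment with and without output encoding, and shows that a value placed in a URL, an attribute and element text needs a different encoding in each context. The comment text, the display name and the rendering functions are constructed for this illustration.

```python
import html
from urllib.parse import quote

# Constructed untrusted inputs for this example; not data from the original post.
COMMENT = "<script>alert(1)</script>"
DISPLAY_NAME = 'bob" onmouseover="alert(1)'


def render_comment_vulnerable(comment: str) -> str:
    # The stored comment is concatenated straight into the markup, so any
    # tags it contains are parsed by the browser (stored XSS).
    return '<p class="comment">' + comment + '</p>'


def render_comment_escaped(comment: str) -> str:
    # html.escape converts & < > " ' to entities, so the browser shows the
    # text rather than interpreting it as markup.
    return '<p class="comment">' + html.escape(comment) + '</p>'


def render_profile_link(display_name: str) -> str:
    # The same value appears in three contexts and needs a different
    # encoding in each: percent-encoding inside the URL path, entity
    # encoding with quotes inside an attribute, entity encoding in text.
    return '<a href="/users/{}" title="{}">{}</a>'.format(
        quote(display_name, safe=""),
        html.escape(display_name, quote=True),
        html.escape(display_name),
    )


def contains_raw_markup(rendered: str, untrusted: str) -> bool:
    """True if the untrusted string survived into the output unchanged."""
    return untrusted in rendered


if __name__ == "__main__":
    print(render_comment_vulnerable(COMMENT))
    print(render_comment_escaped(COMMENT))
    print(render_profile_link(DISPLAY_NAME))
```

Encoding on output, per context, is what a templating engine's auto-escaping does for you; the defensive check is that no untrusted string ever reaches the browser in the form it was received. This handles stored and reflected XSS; DOM-based XSS needs the same discipline applied in client-side JavaScript (assign to `textContent` rather than `innerHTML`).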
4. Insecure Direct Object References
Direct object reference flaws occur when an application exposes a reference to an internal implementation object such as a file, directory or database key. When the application does not verify that the user is authorized to access that object, the direct object reference becomes insecure and an attacker can reach unauthorized data by manipulating the exposed reference.
5. Security Misconfiguration
To secure an application, a secure configuration must be defined and deployed for the application server, application frameworks, web server and database server, and all software must be kept up to date. Misconfiguration allows an attacker to access system data or functionality.
6. Sensitive Data Exposure
Sensitive data is often not properly protected or encrypted. An attacker who steals or modifies such data can commit credit card fraud, identity theft or other crimes. Sensitive data such as health records, social security numbers, credit card numbers and personal data deserves special precautions and encryption for extra protection, especially when exchanged with the browser.
7. Missing Function Level Access Control
Function-level protection is often managed only through configuration, and not every application verifies function-level access rights properly on each request. When requests are not verified, an attacker can forge requests to reach functionality without the proper access rights. Administrative functions are a frequent target, and this flaw allows attackers to use unauthorized functionality.
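Items 4 and 7 are two halves of the same server-side check: who may read this particular record (object level) and who may call this function at all (function level). The following Python example, added here and not taken from the original post or from AIONCLOUD, shows both checks enforced in code on every call. The invoice table, the two-role user model and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from functools import wraps


class AccessDenied(Exception):
    """Raised when a request references an object or function the caller
    is not entitled to; a web layer would map this to HTTP 403."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # hypothetical two-role model: "user" or "admin"


# Constructed sample records keyed by their internal database id, the kind
# of value that ends up in a URL such as /invoices/1001. Not data from the post.
INVOICES = {
    1001: {"owner_id": 1, "amount": 120},
    1002: {"owner_id": 2, "amount": 75},
}


def get_invoice(current: User, invoice_id: int) -> dict:
    # Object-level check: the id from the request is honoured only when the
    # record belongs to the caller (admins may read any record).
    record = INVOICES.get(invoice_id)
    if record is None or (record["owner_id"] != current.user_id and current.role != "admin"):
        # Same error for "missing" and "not yours", so responses do not
        # reveal which ids exist.
        raise AccessDenied(f"invoice {invoice_id} is not accessible")
    return record


def require_role(role: str):
    # Function-level check applied on every call, independent of whether a
    # link to this function is shown in the UI.
    def decorator(fn):
        @wraps(fn)
        def wrapper(current: User, *args, **kwargs):
            if current.role != role:
                raise AccessDenied(f"{fn.__name__} requires role {role!r}")
            return fn(current, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def list_all_invoices(current: User) -> list:
    return sorted(INVOICES)


def can_read(current: User, invoice_id: int) -> bool:
    try:
        get_invoice(current, invoice_id)
        return True
    except AccessDenied:
        return False


def can_list_all(current: User) -> bool:
    try:
        list_all_invoices(current)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    alice, admin = User(1, "user"), User(9, "admin")
    print(can_read(alice, 1001), can_read(alice, 1002))   # True False
    print(can_list_all(alice), can_list_all(admin))       # False True
```

The point of the decorator is that the authorization rule lives next to the function it protects rather than in a separate configuration that can drift; the point of the identical error for missing and foreign records is that a client changing the id in the URL learns nothing from the response.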
8. Cross-Site Request Forgery
A cross-site request forgery attack forces a logged-on victim's browser to send a forged HTTP request, automatically including the session cookie and any other credentials. The attacker creates a malicious web page that generates forged requests which the application cannot distinguish from legitimate requests from the victim.
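The standard mitigation is a per-session anti-forgery token that the browser sends only from forms the site itself rendered. Below is an added Python example (not code from the original post or from AIONCLOUD) of that synchronizer-token pattern: the token is issued into the session, embedded in the form, and checked with a constant-time comparison before the state-changing action runs. The session dictionary, the form and the handler are constructed for this illustration.

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    # One unguessable token per session, kept server-side and embedded in
    # every state-changing form. A forged cross-site request carries the
    # session cookie automatically but cannot read this value.
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def render_transfer_form(session: dict) -> str:
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def verify_csrf(session: dict, form_fields: dict) -> bool:
    expected = session.get("csrf_token")
    submitted = form_fields.get("csrf_token", "")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the token cannot be guessed via timing.
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session: dict, form_fields: dict) -> int:
    """Return the HTTP status the server would send for this POST."""
    if not verify_csrf(session, form_fields):
        return 403
    # ... perform the transfer for the authenticated user ...
    return 200


if __name__ == "__main__":
    session = {}
    print(render_transfer_form(session))
    ok = {"csrf_token": session["csrf_token"], "amount": "10"}
    print(handle_transfer(session, ok), handle_transfer(session, {"amount": "10"}))
```

A request that arrives with a valid session cookie but without the matching token is exactly the forged request described above, and is rejected. Setting the session cookie with the `SameSite` attribute adds a second, browser-enforced layer, but the token check is the one the server controls.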
9. Using Components with Known Vulnerability
Vulnerable components such as libraries, frameworks and other software modules usually run with full privileges, and an attacker can identify a weak component by scanning or manual analysis and adapt existing exploit code to it. An application using vulnerable components has its defenses undermined, widening the range of possible attacks and impacts.
10. Unvalidated Redirects and Forwards
Applications frequently redirect and forward users to other pages, using untrusted data to determine the destination page. An attacker can link to an unvalidated redirect and trick victims into clicking it, sending them to a website of the attacker's choosing, or use unvalidated forwards to reach unauthorized pages. Such redirects and forwards can be used to install malware or to leak sensitive data.
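The fix is to validate the destination against what the site itself is willing to send users to. As an added Python example (not code from the original post or from AIONCLOUD), the function below accepts a `next` parameter only if it is a local path or an absolute URL to an allow-listed host, and falls back to a fixed page otherwise. The allow-list host and the parameter name are assumptions made for this illustration.

```python
from urllib.parse import urlparse

# Constructed allow-list for the example; a real deployment lists its own hosts.
ALLOWED_HOSTS = {"www.example.invalid"}
DEFAULT_TARGET = "/"


def safe_redirect_target(next_param: str) -> str:
    """Return next_param only if it points back into this site; otherwise
    fall back to a fixed local page."""
    if not next_param:
        return DEFAULT_TARGET
    # Control characters and backslashes are normalised differently by
    # browsers and URL parsers; refuse them rather than trying to interpret them.
    if any(ord(c) < 0x20 for c in next_param) or "\\" in next_param:
        return DEFAULT_TARGET
    parsed = urlparse(next_param)
    if parsed.scheme:
        # Absolute URL: only http(s), and only to an allow-listed host.
        # .hostname is lower-cased and has any user@ prefix stripped.
        if parsed.scheme not in ("http", "https") or parsed.hostname not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return next_param
    if parsed.netloc:
        # Scheme-relative "//host/..." is still an off-site URL to a browser.
        return DEFAULT_TARGET
    if not next_param.startswith("/"):
        return DEFAULT_TARGET
    return next_param


if __name__ == "__main__":
    for candidate in ["/account", "//evil.invalid/", "https://www.example.invalid/account"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The checks are ordered so that every way of smuggling an off-site destination past a naive "starts with /" test (scheme-relative URLs, backslashes, a user@ prefix that hides the real host) ends up at the default page. For forwards, the same allow-list idea applies: map the parameter to a fixed set of internal routes rather than using it as a path.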
 
That concludes our review of the OWASP Top 10. Is it hard to protect your website from these threats?
AIONCLOUD provides strong security and protects your website from the OWASP Top 10 with simple policy settings. To secure your website, take these simple steps to apply the free service:
AIONCLOUD Free Service
