The Open Worldwide Application Security Project (OWASP)

What is OWASP?

The Open Worldwide Application Security Project® (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.
It is dedicated to improving the security of software through the following:

  • Tools and Resources
  • Community and Networking
  • Education and Training

The Open Web Application Security Verification Standard (ASVS) gives developers a list of requirements for secure development and guides testers in performing security tests on web applications and web services; its mobile counterpart is the Mobile Application Security Verification Standard (MASVS).
These guidelines can be built into your SDLC (Software Development Life Cycle) with the OWASP Security Knowledge Framework (SKF).
Developers can then build applications that are secure by design from the start, and the OWASP testing standard can be followed at each stage of development testing.
Various types of testing tools are available to detect security vulnerabilities in web applications, including but not limited to:

  • OWASP Zed Attack Proxy (ZAP)
    A full-featured, free and open source DAST (Dynamic Application Security Testing) tool that can also assist in manual web app penetration testing, which makes it well suited to developers and functional testers. It runs integrated penetration tests that simulate attacks against an organization’s network and its systems.
  • Burp Proxy
    Burp Proxy is an intercepting proxy server for security testing of web applications. It allows intercepting and modifying all HTTP(S) traffic passing in both directions, and it can work with custom SSL certificates and non-proxy-aware clients.
  • Web Developer Toolbar
    The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.

What are the 10 most critical security concerns for web application security?

Web Application Penetration Testing (WAPT) is carried out to discover security gaps and strengthen an application's defense mechanisms.
The OWASP Top 10 for 2021 has three new categories, four categories with naming and scoping changes, and some consolidation compared with the previous edition.
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

  • A01:2021-Broken Access Control
  • A02:2021-Cryptographic Failures
  • A03:2021-Injection
  • A04:2021-Insecure Design
  • A05:2021-Security Misconfiguration
  • A06:2021-Vulnerable and Outdated Components
  • A07:2021-Identification and Authentication Failures
  • A08:2021-Software and Data Integrity Failures
  • A09:2021-Security Logging and Monitoring Failures
  • A10:2021-Server-Side Request Forgery

But I will only provide some details on Injection and Server-Side Request Forgery for now.

  1. A03:2021-Injection

Attackers can send unsafe user data to the web application so that it is interpreted as part of a command or query; in the web case this is often a fragment of JavaScript prepared by the attacker.
Cross-site scripting (also known as XSS) is a type of security vulnerability found in some web applications.

These 3 types of XSS are defined as follows:

  • Stored XSS (AKA Persistent or Type I)
  • Reflected XSS (AKA Non-Persistent or Type II)
  • DOM (Document Object Model) Based XSS (AKA Type-0)

To address this, OWASP provides automated tools and defensive guidance for detecting and mitigating all three forms of XSS.

How to Prevent?

Preventing XSS requires separation of untrusted data from active browser content. This can be achieved by:

  • Using frameworks that automatically escape XSS by design.
  • Escaping untrusted HTTP request data according to the context in the HTML output (body, attribute, JavaScript, CSS, or URL) resolves Reflected and Stored XSS vulnerabilities.
  • Applying context-sensitive encoding when modifying the browser document on the client side protects against DOM XSS.
  • Enabling a Content Security Policy (CSP) as a defense-in-depth mitigating control against XSS.
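The prevention list above is easiest to see in code. The following is an added example, not code from the original post or from OWASP: one profile page rendered first by unsafe string concatenation and then with encoding chosen per output context (HTML body, URL attribute, inline script), plus a CSP header as the defence-in-depth layer. The function names, the site origin https://app.example/ and the malicious input are all assumptions made for this example; it runs under Node.js.

```javascript
// Added example (not code from the original post): context-aware output
// encoding for untrusted data. Names and the base origin are assumptions.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML body and quoted-attribute context: encode the five characters that can
// end a text node or an attribute value. Only safe when attributes are quoted.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// URL context (href/src): encoding alone cannot help, because "javascript:"
// needs no special characters. Parse the value and keep only http(s) targets.
function safeUrl(value) {
  let parsed;
  try {
    parsed = new URL(String(value), "https://app.example/"); // assumed site origin
  } catch {
    return "about:blank";
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return "about:blank";
  return escapeHtml(parsed.href);
}

// JavaScript context: never splice raw text into a script. Serialise to JSON
// and escape "<" and the two Unicode line terminators, so the value can neither
// close the <script> element early nor break out of the string literal.
function toJsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Vulnerable: user-controlled fields are concatenated into three different
// contexts (body, href attribute, inline script) with no encoding at all.
function renderProfileUnsafe(user) {
  return `<h1>${user.name}</h1>` +
    `<a href="${user.homepage}">homepage</a>` +
    `<script>window.profile = {name: "${user.name}"};</script>`;
}

// Hardened: each field is encoded for the context it lands in.
function renderProfileSafe(user) {
  return `<h1>${escapeHtml(user.name)}</h1>` +
    `<a href="${safeUrl(user.homepage)}">homepage</a>` +
    `<script>window.profile = ${toJsLiteral({ name: user.name })};</script>`;
}

// Defence in depth: a CSP that refuses inline script entirely, so an encoding
// slip still does not execute. (The page's own inline script above would then
// have to move to an external file served from the same origin.)
const CONTENT_SECURITY_POLICY =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed malicious input of the kind the post calls "unsafe user data".
const EVIL_USER = {
  name: "<script>alert(1)</script>",
  homepage: "javascript:alert(1)",
};

console.log("unsafe:", renderProfileUnsafe(EVIL_USER));
console.log("safe:  ", renderProfileSafe(EVIL_USER));
console.log("Content-Security-Policy:", CONTENT_SECURITY_POLICY);
```

The same rule applies to the DOM XSS case in the list: on the client side, assign untrusted text with `textContent` (or `setAttribute` for a checked URL) rather than building markup with `innerHTML`, which is the browser-side equivalent of `renderProfileUnsafe`.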

  2. A10:2021-Server-Side Request Forgery (SSRF)

What is SSRF?

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing, potentially leaking sensitive data such as authorization credentials.

Impact of SSRF attacks

A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with.
In an SSRF attack against the server itself, the attacker induces the application to make an HTTP request back to the server that is hosting the application, via its loopback network interface.
For example, the URL the server is asked to fetch can be changed to one that points at the server itself.
Administrative interfaces that are reachable only from the local machine are then exposed, and the attacker reaches them with the application's full access privileges.

How to prevent?

Input filtering is the usual defense against this behavior, but each common kind of filter can be circumvented:

  • SSRF with blacklist-based input filters
  1. Using an alternative IP representation.
  2. Registering your own domain name that resolves to 127.0.0.1.
  3. Obfuscating blocked strings using URL encoding or case variation.
  • SSRF with whitelist-based input filters

Some applications only allow input that matches, begins with, or contains a whitelist of permitted values. In this situation the filter can sometimes be circumvented through inconsistencies in URL parsing.

  • Blind SSRF vulnerabilities

Blind SSRF is generally harder to exploit but can sometimes lead to full remote code execution on the server or other back-end components.

  • Some applications employ server-side analytics software that tracks visitors
  • Advanced encoding techniques
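Because the filter bypasses listed above (alternative IP representations, an attacker-registered domain that resolves to 127.0.0.1, inconsistent URL parsing) all defeat string matching on the raw URL, a server-side guard has to decide on the parsed URL and on the address the hostname actually resolves to. The block below is an added example, not code from the original post or from OWASP: a deny-by-default check applied to a user-supplied URL before the server fetches it, written for Node.js. The function names, the BLOCKED_V4 table and the fake DNS lookup table (which stands in for real resolution so the example runs offline) are assumptions made for this example; 203.0.113.0/24 is the TEST-NET-3 documentation range, so no real host is implied.

```javascript
// Added example (not code from the original post): deny-by-default SSRF guard.
// Names, BLOCKED_V4 and the FAKE_DNS table are assumptions for this example.

// IPv4 ranges a server-side fetcher should never be sent to.
const BLOCKED_V4 = [
  ["0.0.0.0", 8, "this-network"],
  ["10.0.0.0", 8, "private"],
  ["100.64.0.0", 10, "carrier-grade NAT"],
  ["127.0.0.0", 8, "loopback"],
  ["169.254.0.0", 16, "link-local"],
  ["172.16.0.0", 12, "private"],
  ["192.168.0.0", 16, "private"],
];

function isIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  return !!m && m.slice(1).every((o) => Number(o) <= 255);
}

function v4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function inCidr(ip, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// Returns a reason string if the address must not be contacted, else null.
function blockedAddress(addr) {
  let a = addr.toLowerCase();
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) is IPv4 with a different spelling.
  if (a.startsWith("::ffff:") && isIPv4(a.slice(7))) a = a.slice(7);
  // Conservative choice: anything that is not plain IPv4 is refused here.
  if (!isIPv4(a)) return "non-IPv4 address (IPv6 rejected by default in this guard)";
  for (const [base, bits, label] of BLOCKED_V4) {
    if (inCidr(a, base, bits)) return `${label} range ${base}/${bits}`;
  }
  return null;
}

// resolve(hostname) -> array of address strings. In production this would be
// an async DNS lookup returning every address; here the caller injects a lookup
// so the example runs offline.
function checkOutboundUrl(rawUrl, resolve) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme not allowed: ${url.protocol}` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  // The WHATWG parser canonicalises alternative IPv4 spellings such as
  // 2130706433, 0x7f.0.0.1 and 127.1 to dotted-quad form before we look.
  let host = url.hostname;
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  const addresses = isIPv4(host) || host.includes(":") ? [host] : resolve(host);
  if (addresses.length === 0) return { ok: false, reason: `${host} did not resolve` };
  for (const addr of addresses) {
    const why = blockedAddress(addr);
    if (why) return { ok: false, reason: `${host} -> ${addr} is blocked: ${why}` };
  }
  // Hand back the address that was checked so the caller connects to it (and
  // sets the Host header itself) instead of resolving a second time.
  return { ok: true, host, address: addresses[0] };
}

// Constructed lookup table standing in for DNS.
const FAKE_DNS = {
  "partner.example": ["203.0.113.10"],
  "localhost": ["127.0.0.1"],
  "attacker-owned.example": ["127.0.0.1"], // attacker's domain pointed at loopback
};
const fakeResolve = (host) => FAKE_DNS[host] || [];

for (const u of [
  "https://partner.example/report",
  "http://2130706433/",
  "http://attacker-owned.example/admin",
  "file:///etc/passwd",
]) {
  console.log(u, "=>", JSON.stringify(checkOutboundUrl(u, fakeResolve)));
}
```

Two caveats a practitioner would want. First, the guard only holds if the fetcher connects to the returned `address` rather than resolving the hostname again, otherwise a DNS answer that changes between check and fetch gets past it. Second, redirects must be treated as new URLs and passed through `checkOutboundUrl` again, since an allowed host can redirect to a blocked one.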

With Big Data and the Internet of Things (IoT), the complexity and security needs of applications are becoming more and more difficult to handle.
To protect your digital resources and infrastructure from attackers, the OWASP community and its standards offer best practices that can be instilled in your developers: educating them with the right methodologies and tools lets them build safely and watch out for vulnerabilities in advance.

Get control of your web apps now!

Look for an end-to-end secure service offering managed hosting that can address the vulnerabilities above and prevent them from arising in your infrastructure, by providing the company with the following services:

  • Offering 24×7 Technical Support
  • Flexibility
  • Adapting to new technologies (Cloud Services)
  • Continuous Testing
  • Penetration testing
  • Security Training
  • Audit and certification
  • Protect and Detect
  • Managed Security Services
  • MDR (Managed Detection and Response)
  • EDR (Endpoint Detection and Response)
