OWASP

Using Xcalscan for The OWASP Top 10

Web applications have their own critical vulnerabilities. OWASP (The Open Web Application Security Project) has defined a top ten list of issues. All developers and security professionals should ensure they are familiar with this list and how to use it effectively.

Xcalscan identifies issues that fall into the OWASP list and provides guidance on remediation.

What are the Top Ten OWASP vulnerabilities?

INJECTION

Flaws that lead to improper or malicious injection of data occur through SQL, NoSQL, OS or LDAP. These flaws appear when untrusted data is passed into a web application through an input method. This can lead to the extraction of sensitive data, modification, destruction, placement of malicious code or the incorrect functioning of your program.

Broken Authentication

Broken Authentication refers to the situation created by the prevalence of publicly available default username/password lists. These are often used to crack systems with direct attacks. In addition, any leakage of username/password data on the internet could bring risks to the accounts created by the same user on other sites. Despite password attacks, there are many other forms of attack that are related to session management utilities, which are also more difficult to identify and could introduce a higher level of threat.

Sensitive Data Exposure

Sensitive data exposure occurs when private customer data or confidential company information is inadvertently exposed due to inadequate protection. This differs from a data breach where there is malicious intent. Anyone can access the Web System and extract vital information that could include passwords, administrator credentials, transaction information, phone numbers, credit card information and contact information. Sometimes data exposure can occur from something as simple as storing sensitive information in an unencrypted plain text file.

XML External Entities (XXE)

XML is ubiquitously used in server configurations and software management tools. When using XML libraries that are not the most updated, they may lack proper security fixes, it is often dangerous to directly parse the XML entities especially those with external sources. Including files from your own filesystem is often dangerous as a malicious hacker could first control some external XML source files whose access controls are misconfigured and then jeopardize the whole system.

Broken Access Control

Broken Access Control refers to vulnerabilities that occurs when a software system grants unintended access, usually related to improper control of administrative rights. In other words, where a user can access data and functions beyond their privilege level. Many modern day hacks require the root user rights, which has led to many access level elevation techniques being developed to aid hackers in gaining admin rights from basic user logins.

Security Misconfiguration

Security misconfiguration can be quite diverse. It could be a password for a system left unchanged after installation or a debug channel left open without applying proper access control. Many misconfigurations are exploitable to gain access to internal networks and systems. Many programs have security features but they are often used incorrectly. To resolve these issues, careful design is necessary. Security features should not be activated after manual operation, they should be enabled by-default and put it in place in a way that prevents others from using them insecurely.

Cross Site Scripting (XSS)

Cross site scripting occurs when an attacker’s malicious content is directly published to other users through a website. The attacker input/content often includes executable code wrapped in tags embedded into what are normally text or images. This new content is combined with a website’s content arriving in the user’s web browser from what appears to be a trusted website. This poses a significant threat to users as it may cause user authentication credentials to be leaked, session cookies to be accessed and personal computers to be hacked.

Insecure Deserialization

To understand deserialization, we must first understand serialization. Serialization is a method of converting an object into a stream of bytes for transfer from one system to another. Examples of this include JSON, XML or YAML files. This is a common method when using system architectures that include APIs or micro-services. Deserialization is the process of converting the information from the simple data format, back into binary. Insecure deserialization occurs when a program deserializes data transferred via the Internet or external storage which has had untrusted data injected into it by an attacker. This form of attack can lead to damage through remote code execution or remote command execution.

Using Components with Known Vulnerabilities

Thousands of critical vulnerabilities are reported annually and many belong to widely used libraries. Using outdated libraries can cause your application to be affected by vulnerabilities. This is very common when developers are not tracking the latest status of their libraries or performing routine audits for updated information or patch management.

Insufficient Logging and Monitoring

New kinds of cyberattacks are emerging daily, at a frequency never seen before and basic security against known issues is simply not enough. In order to continuously combat hackers, we need to use logging and monitoring to find traces of any intruder and learn about their presence and techniques.

Xcalibyte has some simple steps for recognizing and avoiding these vulnerabilities.

DOWNLOAD THE OWASP DATASHEET

70%

of companies either have a digital transformation strategy in place or are working on one. This includes web applications.

Tech Pro Research

The OWASP 2017 Benchmark test is an open source Java test suite that allows you to evaluate the accuracy and speed of SAST tools. It’s an open source project that tests against thousands of vulnerabilities such as injections, weak encryption, cross site scripting and more.

The tests contain code with true positives and false positives to provide a true comparison between tools.

This graph compares Xcalscan with two open source tools – Spotbugs and Sonarqube. Xcalscan performs significantly higher at 95% for the true positive rate.

The static code analysis provided by Xcalscan allows development teams to identify OWASP vulnerabilities. But defect classification is not limited to OWASP as Xcalscan also identifies vulnerabilities though its own proprietary rule set as well as CWE.