Introduction

Internet penetration has been increasing continually and at a very fast pace, from only 16 million users in 1995 to 304 million in early 2000 and to 3.36 billion in 2015 [1] [2]. The growing number of internet users is also reflected in the increased usage of the World Wide Web (simply known as the Web), one of the most used services on the internet [3]. By the year 2000, the Web had become very attractive and popular to both everyday users and businesses, especially once e-commerce started to thrive [4].

Looking at the advancement of the Web from the security point of view, we also notice an increased number of cyber-attacks, each time evolving into more sophisticated versions [5]. From the networking perspective, the Web is positioned on the "front line", being the first entity that internet users face publicly as a representation of an organization [6]. Therefore, many cyber incidents and data breaches may arise from an insecure Web. This is possible mostly due to the lack of standards and the improper usage of technologies, without excluding the absence of security knowledge, especially for new trends [7]. Many of the attacks are of the command injection type, or stem from improper input sanitization and erroneous authentication implementations [7] [8]. Considering the development of e-commerce, the early 2000s were a turning point for the rise of the Web. At that time, a lot of new companies embraced the world of the Web without being much aware of security protection concepts. In this manner, a lot of sensitive data, including personal and financial information, was being distributed across web applications in a non-secure way. Hence, a need emerged for open awareness, guidelines, and tools for Web security.

There were already some initiatives taken by ENISA, SANS and other organizations with the intention of helping other institutions to build applications that can be trusted. Still, in December 2001, the Open Web Application Security Project (OWASP) was founded as an open organization with the same goal [9]. Since there was a great need for security experts, most of its projects try to resolve this shortage by providing appropriate education. Amongst many projects, OWASP developed the famous Top 10 vulnerabilities project. This consists of a list of the most critical vulnerabilities that applications suffer from, and it is constantly being updated [10]. The Top 10 project is considered a very strong reference by many security vendors [7]. They stand firm in following it and the OWASP guidelines to protect applications from vulnerabilities [7].

OWASP

The Open Web Application Security Project (OWASP) is a not-for-profit international organization founded by Mark Curphey in December 2001. It operates as an open community, dedicated to enabling other organizations to understand security and to develop, operate and maintain applications that can be trusted. One of its core values is being open globally, so all of its projects and tools are distributed openly and freely to anyone who expresses interest in application security. Another core value is being innovative: OWASP constantly encourages and supports experimental solutions to software security. This probably played a big role in making OWASP very successful in its projects. [9]

Many projects have already been developed under OWASP, all of them started by different people from different countries. All of the projects are related to application security, whether as a tool, a document specification or a guideline. Furthermore, the many project categories cover a wide range of technologies and industry standards. Project categories also include technologies with recently grown security issues such as the cloud, big data, and the internet of things. Nevertheless, some projects are more acclaimed amongst companies in industry; the most well-known is considered to be the OWASP Top 10 vulnerabilities. [11]

Top 10 Vulnerabilities

The OWASP Top 10 is an awareness project for web application security. It consists of a list of the 10 most critical web security flaws. OWASP urges companies to embrace this document and to make sure that their web applications do not suffer from these vulnerabilities. With the help of volunteers, the project has been translated into 12 languages. Consequently, it is the most well-known project for web application security. [10]

The list is updated regularly with the latest security issues. For each security issue, the document includes a description, an example of the vulnerability, an example of an attack, a recommendation on how to avoid it, and further references about that issue [10]. The following list is the latest version of the OWASP Top 10:

  • A1 – Injection
  • A2 – Broken Authentication and Session Management
  • A3 – Cross-Site Scripting (XSS)
  • A4 – Insecure Direct Object References
  • A5 – Security Misconfiguration
  • A6 – Sensitive Data Exposure
  • A7 – Missing Function Level Access Control
  • A8 – Cross-Site Request Forgery (CSRF)
  • A9 – Using Components with Known Vulnerabilities
  • A10 – Unvalidated Redirects and Forwards

In the next posts I will present all ten vulnerabilities one by one, starting with Code Injection (focusing on SQL Injection and Cross-Site Scripting, XSS). This order was chosen because Code Injection is considered by OWASP to be the most frequent vulnerability in web applications. In the posts to come we will discuss these vulnerabilities by describing how they can be exploited, what their impact is, and what the countermeasures are.

References

[1] Miniwatts Marketing Group, "Internet World Stats," 2001. [Online]. Available: http://www.internetworldstats.com/emarketing.htm. [Accessed April 2016].
[2] The Evolution of the Web, "The Evolution of the Web," [Online]. Available: http://www.evolutionoftheweb.com/#/growth/day. [Accessed April 2016].
[3] Info Please, "Most Popular Internet Activities," 22 July 2008. [Online]. Available: http://www.infoplease.com/ipa/A0921862.html.
[4] S.-C. Chu, L. C. Leung and W. Cheung, "Evolution of e-commerce Web sites: A conceptual framework and a longitudinal study," Information & Management, vol. 44, pp. 154–164, 2007.
[5] Identity Theft Resource Center, "ITRC Breach Statistics," 2016. [Online]. Available: http://www.idtheftcenter.org/images/breach/2005to2015multiyear.pdf. [Accessed April 2016].
[6] SANS Institute, "Designing a DMZ," Information Security Reading Room, 2003.
[7] SANS Institute, "Web Based Attacks," Information Security Reading Room, 2007.
[8] HP Enterprise Security, "Defending Against Increasingly Sophisticated Cyber Attacks," Frost & Sullivan, 2014.
[9] OWASP, "About The Open Web Application Security Project," 1 February 2016. [Online]. Available: https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project.
[10] OWASP, "Top Ten Most Critical Web Application Security Risks," 2013. [Online]. Available: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
[11] OWASP, "OWASP Projects," 15 April 2016. [Online]. Available: https://www.owasp.org/index.php/Category:OWASP_Project.

Published on: July 4, 2016 11:30 am