• India
  • Contact@SecureGlobeConsulting.com
  • Office Hours: 7:00 AM – 10:00 PM

According to Identity Force, the first quarter of 2020 showed a 273% increase in breaches compared to the same period in 2019. Web application security has lately become a major concern for businesses of all shapes and sizes.

Web application security refers to safeguarding websites, web applications and web services against existing and emerging threats that exploit weaknesses in application code, design or configuration.

One flaw in the application design, or one misconfigured web server, can cause large revenue losses, and 85% of tech leaders say they lack confidence in their web application security.

What is Web Application Penetration Testing?

The number of web apps and websites is growing rapidly, and many provide easy access to sensitive user or financial data, making them a prized target for cybercriminals. From web portals to online shopping and banking and SaaS products, organizations today build their businesses directly online. As these systems grow more powerful, they also grow in complexity, so the range of exploitable vulnerabilities rises with them. Public-facing web applications are by their nature globally accessible and can be probed or manipulated from anywhere, at any time, which makes them one of the most pressing security issues facing any organization.

A web application penetration test simulates the attacks a real-world attacker would use to gain access to critical information. During the test we look for security issues introduced by insecure design, development or coding, and identify vulnerabilities in your websites and web applications, including CRM systems, extranets and internally developed programs, that could lead to exposure of personal data, payment card information and similar assets.

Our hybrid approach combines manual testing with automated scanning: the scanners give breadth, and manual verification of their results weeds out false positives.

Web Application Vulnerabilities

Secure Globe’s web application penetration testing service can be commissioned to assess both proprietary web applications developed in-house as well as those from third party vendors.

Testing includes assessing applications for the vulnerabilities listed in the OWASP Top 10 (2017 edition), the Open Web Application Security Project's list of the ten most critical application security risks. Our web application security testing team will help identify vulnerabilities in each category:

Injection

This category includes SQL, NoSQL, OS command and LDAP injection. The first two describe untrusted input that alters the structure of a query sent to a SQL or NoSQL database. If your project is vulnerable, an attacker may read, modify or delete data the application never meant to expose, such as email addresses, user and system data, password hashes and logins.
OS command injection lets an attacker run arbitrary system commands on the server, which can defeat every other security control at once. LDAP is a protocol for accessing and maintaining directory services over TCP/IP; such directories are object databases that represent network users and resources. An LDAP injection attack uses unescaped filter metacharacters in LDAP expressions to extract data or change access rights. The common fix for all four is to keep data separate from code: parameterised queries, safe APIs instead of a shell, and context-specific escaping.
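As an added illustration, not code from Secure Globe's service or from any client application, the following Python shows the SQL injection pattern described above beside its parameterised fix, and RFC 4515 escaping for a value placed inside an LDAP search filter. The table, rows and attacker payloads are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The classic SQLi bug: the user-supplied value is pasted into the SQL text,
    # so a quote in the input changes the structure of the query itself.
    query = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterised query: the value travels separately from the SQL text and is
    # never parsed as SQL, whatever quotes or keywords it contains.
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


def ldap_escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_ldap_filter(username: str) -> str:
    # Without escaping, a username such as "*)(uid=*" turns this into a filter
    # that matches every account in the directory.
    return f"(&(objectClass=person)(uid={ldap_escape_filter_value(username)}))"


def demo() -> dict:
    """Run the same attacker payload through both query builders."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed tautology payload
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, payload)),  # every user leaks
        "safe_rows": len(find_user_safe(conn, payload)),              # nobody has that literal email
        "ldap_filter": build_ldap_filter("*)(uid=*"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable query becomes `SELECT id, email FROM users WHERE email = '' OR '1'='1'`, which returns every row; the parameterised version looks for a user whose email is literally the payload and returns none.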

Broken Authentication

This category covers authentication and session management. The attacker's goal is to compromise passwords, keys or session tokens, or to exploit implementation flaws, in order to take over other users' accounts.

Common methods include brute-force and credential-stuffing attacks and exploiting weaknesses such as a poor password policy, predictable or long-lived session cookies, and session IDs exposed in URLs. When the attack succeeds, the implications can be far-reaching, including leaks of personal data. Prevention involves enforcing strong passwords and storing them with a slow, salted hash, implementing multi-factor authentication, locking or rate-limiting accounts after a set number of failed logins, generating session tokens from a cryptographically secure random source and invalidating them on logout, and having session management tested, ideally by a dedicated quality assurance or security team.
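The controls listed above, as an added example that is not part of the page or of any product: a small in-memory authentication service (hypothetical; the class, its store and the lockout numbers are assumptions for the illustration) with salted PBKDF2 password hashing, constant-time comparison, lockout after repeated failures and CSPRNG session tokens.

```python
import hashlib
import hmac
import os
import secrets
import time


class AuthService:
    """Constructed in-memory authentication service (hypothetical, not a real product's code)."""

    MAX_FAILED_ATTEMPTS = 5
    LOCKOUT_SECONDS = 15 * 60

    def __init__(self, iterations: int = 600_000, clock=time.time):
        # 600k PBKDF2-HMAC-SHA256 iterations follows OWASP's 2023 password storage guidance;
        # the clock is injectable so lockout expiry can be exercised without sleeping.
        self._iterations = iterations
        self._clock = clock
        self._users = {}     # username -> {"salt": bytes, "hash": bytes}
        self._failures = {}  # username -> (failed_count, locked_until_epoch)
        self._sessions = {}  # session token -> username

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self._iterations)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
        self._users[username] = {"salt": salt, "hash": self._derive(password, salt)}

    def is_locked(self, username: str) -> bool:
        _, locked_until = self._failures.get(username, (0, 0.0))
        return self._clock() < locked_until

    def login(self, username: str, password: str):
        """Return a session token on success; None on bad credentials or while locked out."""
        now = self._clock()
        if self.is_locked(username):
            return None
        record = self._users.get(username)
        # Hash even for unknown users so response time does not reveal which usernames exist.
        salt = record["salt"] if record else bytes(16)
        expected = record["hash"] if record else bytes(32)
        candidate = self._derive(password, salt)
        if record is None or not hmac.compare_digest(candidate, expected):
            count, _ = self._failures.get(username, (0, 0.0))
            count += 1
            locked_until = now + self.LOCKOUT_SECONDS if count >= self.MAX_FAILED_ATTEMPTS else 0.0
            self._failures[username] = (count, locked_until)
            return None
        self._failures.pop(username, None)
        # 32 bytes from the OS CSPRNG: unguessable, unlike a counter, timestamp or username hash.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def user_for_session(self, token: str):
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        # Server-side invalidation: deleting the cookie in the browser is not enough.
        self._sessions.pop(token, None)
```

The lockout is per account, which stops online guessing against one user; an attacker spraying one password across many accounts is caught by the per-IP detection shown under logging and monitoring below, not by this class alone.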

Sensitive Data Exposure

Protecting users' personal and financial data is essential. Otherwise Sensitive Data Exposure follows, typically because data is stored or transmitted without encryption, or with weak algorithms and poor key management, and not only is the application compromised, you may earn yourself a hefty fine in the process (read more about the GDPR). This vulnerability is increasingly relevant to the everyday reality of every online business.

XML External Entities (XXE)

This category refers to abusing features of XML parsers, specifically the processing of external entities declared in a document's DTD. An attacker who can submit XML declares an entity that points at a local file or an internal URL, and a parser that resolves external entities reads it and places the content into the document. Such flaws also enable denial of service (DoS) and server-side request forgery (SSRF), in which the parser is made to send requests to other systems on the application's behalf.
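As an added example (not from the page or any product), the file-read variant described above using Python's standard-library SAX parser: the same XML payload is parsed once with external general entity resolution switched on, as older parsers and many other XML stacks did by default, and once with it off, which is Python's own default since 3.7.1. The secret file and the payload are constructed for the example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser put inside <note>."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_note(xml_bytes: bytes, allow_external_entities: bool) -> str:
    parser = xml.sax.make_parser()
    # True reproduces the classic XXE behaviour: SYSTEM entities are fetched and inlined.
    # False (Python's default since 3.7.1) leaves the entity reference unresolved.
    parser.setFeature(feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks).strip()


def demo_xxe() -> dict:
    """Parse an attacker-style payload both ways and return what each parser produced."""
    # Constructed secret file standing in for /etc/passwd or an application config.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")
        secret_path = f.name
    try:
        payload = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE note [<!ENTITY xxe SYSTEM "{secret_path}">]>\n'
            "<note>&xxe;</note>"
        ).encode("utf-8")
        return {
            "vulnerable": parse_note(payload, allow_external_entities=True),
            "hardened": parse_note(payload, allow_external_entities=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo_xxe())
```

In a real application the file content would be echoed back in a response or error message; the defence is the same whatever the parser: disable DTD and external entity processing, or reject any document that contains a DOCTYPE at all.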

Broken Access Control

The fifth entry in the OWASP Top 10 2017 is Broken Access Control: unauthorized access to functions and data. A typical case is a regular user's account being used to reach functions reserved for an administrator, or one patient's account being used to read the medical documents of every client registered in the application simply by changing an identifier in a request. Broken Access Control remains one of the most prevalent issues in the OWASP Top 10 lists.

If authentication and access restriction are not properly implemented, it is easy for attackers to take whatever they want. With broken access control flaws, unauthenticated or unauthorized users may gain access to sensitive files and systems, or even to user privilege settings.

Access control flaws are hard to detect with automated tools, because a scanner does not know which user is supposed to see which record; that judgement requires a manual test that compares what different accounts can reach. Weak access controls and credential management issues are preventable with secure coding practices, in particular denying by default and enforcing every check on the server, as well as locking down administrative accounts and controls and using multi-factor authentication.
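The two failures described above, horizontal (reading another patient's record) and vertical (a regular user promoting themselves), as an added example with constructed users and records; the patient-portal data and role names are assumptions for the illustration, not from the page.

```python
class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


# Constructed data: a patient portal where records belong to users and one role may read all.
USERS = {
    "alice": {"role": "patient"},
    "bob": {"role": "patient"},
    "dr_eve": {"role": "clinician"},
    "root": {"role": "admin"},
}
RECORDS = {
    101: {"owner": "alice", "body": "alice: blood panel 2024-01"},
    102: {"owner": "bob", "body": "bob: MRI report 2024-02"},
}


def get_record_vulnerable(session_user: str, record_id: int) -> str:
    # Authenticated but never authorised: any logged-in user who changes the id in
    # /records/<id> reads someone else's document (an insecure direct object reference).
    return RECORDS[record_id]["body"]


def get_record_safe(session_user: str, record_id: int) -> str:
    # Deny by default, decided on the server from the session identity, never from a
    # client-supplied "role" or "is_admin" field.
    record = RECORDS.get(record_id)
    role = USERS.get(session_user, {}).get("role")
    if record is None or (record["owner"] != session_user and role != "clinician"):
        # Same error for "missing" and "not yours", so ids cannot be enumerated.
        raise Forbidden("record not available")
    return record["body"]


def set_role_vulnerable(users: dict, session_user: str, target: str, new_role: str) -> None:
    # Vertical escalation: the link lives only in the admin menu, but hiding a link is
    # not access control; any user who knows the URL can promote themselves.
    users[target]["role"] = new_role


def set_role_safe(users: dict, session_user: str, target: str, new_role: str) -> None:
    if users.get(session_user, {}).get("role") != "admin":
        raise Forbidden("admin role required")
    if new_role not in {"patient", "clinician", "admin"}:
        raise ValueError("unknown role")
    users[target]["role"] = new_role


def can_read(session_user: str, record_id: int) -> bool:
    """Helper used when testing: does the hardened check let this user read this record?"""
    try:
        get_record_safe(session_user, record_id)
        return True
    except Forbidden:
        return False
```

This is also how the manual test works in practice: log in as two low-privilege users, capture the requests each makes, and replay one user's requests with the other's session to see what comes back.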

Security Misconfiguration

Misconfigured security settings are very common in web applications. Examples include:

  • poorly configured cloud permissions (e.g. publicly readable S3 buckets),
  • default and test accounts with generic passwords that found their way into the production environment,
  • overly detailed error messages that reveal stack traces, file paths or component versions,
  • missing HTTP security headers such as Strict-Transport-Security and Content-Security-Policy.

This weakness is often just a prelude to other, more serious ones, such as XXE or command injection, because verbose errors and exposed services tell the attacker exactly what to try next.
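A small response auditor for the last two items in the list, as an added example rather than a tool from the page: it checks one HTTP response for missing security headers, version-leaking headers, cookies without Secure and HttpOnly, and stack traces in error bodies. The two responses are constructed, not captured from any host.

```python
import re

# Header names are compared case-insensitively, as HTTP requires.
REQUIRED_HEADERS = {
    "strict-transport-security": "browsers may be downgraded to plain HTTP",
    "content-security-policy": "no defence in depth against injected scripts",
    "x-content-type-options": "MIME sniffing allowed (should be nosniff)",
    "x-frame-options": "page can be framed (clickjacking) unless CSP frame-ancestors is set",
}
VERSION_LEAK_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
STACK_TRACE = re.compile(
    r"Traceback \(most recent call last\)|Stack trace:|\bat [\w.$<>]+\([\w.]+\.java:\d+\)|on line \d+"
)


def audit_response(status: int, headers: list, body: str) -> list:
    """Return findings as (code, detail) tuples for one HTTP response."""
    findings = []
    lowered = [(name.lower(), value) for name, value in headers]
    present = {name for name, _ in lowered}
    csp_frames = any(n == "content-security-policy" and "frame-ancestors" in v for n, v in lowered)
    for name, why in REQUIRED_HEADERS.items():
        if name in present or (name == "x-frame-options" and csp_frames):
            continue
        findings.append(("missing-header", f"{name}: {why}"))
    for name, value in lowered:
        if name in VERSION_LEAK_HEADERS and re.search(r"\d", value):
            findings.append(("version-leak", f"{name}: {value}"))
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            attrs = {part.strip().split("=")[0].lower() for part in value.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(("cookie-flag", f"{cookie_name} lacks {flag}"))
    if status >= 500 and STACK_TRACE.search(body):
        findings.append(("verbose-error", "stack trace or file path in error body"))
    return findings


# Constructed responses for the demo.
WEAK_RESPONSE = (
    500,
    [
        ("Server", "Apache/2.4.29 (Ubuntu)"),
        ("X-Powered-By", "PHP/7.2.24"),
        ("Content-Type", "text/html"),
        ("Set-Cookie", "PHPSESSID=3f9a2c; Path=/"),
    ],
    "<b>Fatal error</b>: Uncaught PDOException in /var/www/html/app.php on line 42\nStack trace:\n#0 {main}",
)
HARDENED_RESPONSE = (
    500,
    [
        ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
        ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=3f9a2c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ],
    "<p>Something went wrong. Reference: 7c1d9e</p>",
)

if __name__ == "__main__":
    for finding in audit_response(*WEAK_RESPONSE):
        print(*finding)
```

Run against real traffic, the header list would come from `http.client`'s `getheaders()` or a proxy export; the point of the weak sample is that the error body alone hands the attacker the framework, its version and the file layout.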

Cross-Site Scripting (XSS)

One of the most popular and talked-about vulnerabilities, widely known even outside the cybersecurity crowd. This time it ranked 7th, and I believe it is going to return in the 2020 edition as well. I still find this vulnerability often in the applications I test, despite all the security measures employed in modern-day frameworks. XSS involves injecting malicious script into a page served by the application so that it executes in the victim's browser with the victim's session; the fix is context-aware output encoding of untrusted data, backed by a Content Security Policy.
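Context-aware encoding as an added example (not code from the page): three render functions in their vulnerable and hardened forms, for the HTML body, an attribute value and an inline script, with a small HTML-parser check that counts what a browser would actually execute. The templates and payloads are constructed.

```python
import html
import json
from html.parser import HTMLParser


class ActiveContentScanner(HTMLParser):
    """Counts what a browser would execute: <script> elements and on* event attributes."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers.extend(name for name, _ in attrs if name.startswith("on"))


def active_content(rendered: str) -> dict:
    scanner = ActiveContentScanner()
    scanner.feed(rendered)
    scanner.close()
    return {"script_tags": scanner.script_tags, "event_handlers": scanner.event_handlers}


def greeting_vulnerable(name: str) -> str:
    return f"<p>Hello, {name}!</p>"  # untrusted input pasted straight into HTML


def greeting_safe(name: str) -> str:
    # HTML body context: <, >, & and quotes become entities and are displayed as text.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def search_box_vulnerable(term: str) -> str:
    return f'<input name="q" value="{term}">'


def search_box_safe(term: str) -> str:
    # Attribute context: the attribute must be quoted AND quotes inside it escaped,
    # otherwise a payload can close the value and add an onmouseover= handler.
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


def config_script_vulnerable(settings: dict) -> str:
    return f"<script>var CONFIG = {json.dumps(settings)};</script>"


def config_script_safe(settings: dict) -> str:
    # Script context: JSON alone is not enough, because "</script>" inside a string
    # closes the element. Escaping "<" as \u003c keeps the browser inside the script.
    encoded = json.dumps(settings).replace("<", "\\u003c")
    return f"<script>var CONFIG = {encoded};</script>"
```

Frameworks that auto-escape cover the first case by default; the attribute and script cases are where the reflected XSS findings in modern applications usually come from, because a developer has switched escaping off or used the wrong encoder for the context.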

Insecure Deserialization

This vulnerability is commonly described as a situation in which "untrusted data is used to abuse the logic of an application". In other words, the application reads attacker-supplied data in place of the object it expected, allowing DoS, remote code execution (RCE) and other attacks. The malicious payload leverages the legitimate serialization and deserialization process your web application relies on.

Deserialization, that is reconstructing objects from data that has been written to disk, sent over the network or stored in a cookie, can be used to execute code remotely in your application or as a door to further attacks. Objects are serialized either into structured text formats such as JSON and XML or into binary formats such as native Java serialization and Python's pickle. The flaw occurs when an attacker's crafted input manipulates the application, triggers a denial of service, or executes code that changes the application's behaviour.

Although insecure deserialization is often harder to exploit than injection, penetration testing and application security tooling reduce the risk. Additionally, do not accept serialized objects from untrusted sources at all; where that is unavoidable, prefer formats that only carry primitive data types, enforce integrity checks such as a digital signature or MAC on serialized data, and run the deserialization code with least privilege.
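The mechanism and the two defences above, as an added example that is not code from the page or any product: a preferences cookie deserialized with Python's pickle executes whatever callable the attacker names in `__reduce__`, while a JSON loader with a strict schema rejects the same bytes, and an HMAC lets a serialized blob round-trip through the client without being substituted. The cookie format, class names and key are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import pickle

EXECUTED = []  # records the side effect so the demo can show that code ran


def side_effect(marker: str) -> str:
    """Stands in for os.system(...) in a real exploit; here it only records a marker."""
    EXECUTED.append(marker)
    return marker


class Preferences:
    def __init__(self, theme: str):
        self.theme = theme


class MaliciousPreferences:
    # __reduce__ tells pickle which callable to invoke on load. The attacker, not the
    # application, chooses the callable and its arguments.
    def __reduce__(self):
        return (side_effect, ("code ran inside pickle.loads",))


def encode_pickle_cookie(obj) -> str:
    return base64.b64encode(pickle.dumps(obj)).decode("ascii")


def encode_json_cookie(data: dict) -> str:
    return base64.b64encode(json.dumps(data).encode("utf-8")).decode("ascii")


def load_cookie_vulnerable(cookie: str):
    # Deserialising attacker-controlled bytes: whatever __reduce__ says, happens here.
    return pickle.loads(base64.b64decode(cookie))


ALLOWED_THEMES = {"light", "dark"}


def load_cookie_safe(cookie: str) -> Preferences:
    # A data-only format plus a strict schema: no callables, no classes, no surprises.
    data = json.loads(base64.b64decode(cookie).decode("utf-8"))
    if not isinstance(data, dict) or set(data) != {"theme"} or data["theme"] not in ALLOWED_THEMES:
        raise ValueError("cookie rejected")
    return Preferences(data["theme"])


def sign(payload: bytes, key: bytes) -> str:
    # Integrity check for a blob that must round-trip through the client: without the
    # key an attacker cannot produce a valid MAC for a substituted object.
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload).decode("ascii") + "." + mac


def verify(token: str, key: bytes) -> bytes:
    encoded, _, mac = token.rpartition(".")
    payload = base64.b64decode(encoded)
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(), mac):
        raise ValueError("bad signature")
    return payload


def demo() -> dict:
    EXECUTED.clear()
    malicious = encode_pickle_cookie(MaliciousPreferences())
    load_cookie_vulnerable(malicious)  # side_effect runs before any application code sees the object
    try:
        load_cookie_safe(malicious)
        rejected = False
    except (ValueError, UnicodeDecodeError):
        rejected = True
    return {"code_ran": list(EXECUTED), "safe_loader_rejected": rejected}
```

Signing only proves the blob came from the server; it does not make pickle safe if the key leaks, which is why the data-only format is the primary control and the MAC the secondary one.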

Using Components with Known Vulnerabilities

Keeping your libraries, frameworks and components up to date goes a long way towards making your application more secure. Otherwise, using components with known vulnerabilities leaves your application exposed to every problem already published against that outdated software. Make sure that your content management system, analytics software and libraries are inventoried and updated regularly, including after release to the production environment.

Insufficient Logging and Monitoring

The last position is not really a typical vulnerability but an example of oversight by the defenders. It covers insufficient logging and monitoring of errors and security events, and an inadequate response to incidents, which lets attackers keep probing and exploiting systems undetected.

To combat such threats, your logs should record the HTTP status code, the timestamp, the authenticated user, the API endpoint or page requested and the client IP address for each request. The logs themselves must be stored securely and retained long enough for an investigation, as they contain a great deal of sensitive information.

You should also pay special attention to suspicious actions, such as repeated failed logins, script or SQL injection attempts, requests from unusual IPs or locations, and the use of automated tools. Beyond logging and monitoring, actually act on the findings, for example by rate-limiting or blocking the clients that show this behaviour and alerting the team responsible.
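The detection side of the paragraph above, as an added example rather than a tool from the page: a parser for a simple access-log format and three detectors over it (failed-login bursts per IP, injection patterns in the request path, and scanner user agents). The log format and every line in it are constructed, not taken from any real server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed access-log lines: time, client IP, method, path, status, user agent.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 POST /login 401 "Mozilla/5.0"
2024-03-01T10:00:03Z 203.0.113.7 POST /login 401 "Mozilla/5.0"
2024-03-01T10:00:04Z 203.0.113.7 POST /login 401 "Mozilla/5.0"
2024-03-01T10:00:06Z 203.0.113.7 POST /login 401 "Mozilla/5.0"
2024-03-01T10:00:08Z 203.0.113.7 POST /login 401 "Mozilla/5.0"
2024-03-01T10:00:20Z 198.51.100.4 GET /search?q=%27%20OR%201%3D1-- 200 "sqlmap/1.7.2#stable"
2024-03-01T10:00:25Z 198.51.100.4 GET /profile?id=42&name=%3Cscript%3Ealert(1)%3C/script%3E 200 "sqlmap/1.7.2#stable"
2024-03-01T10:01:00Z 192.0.2.9 GET /profile?id=42 200 "Mozilla/5.0"
2024-03-01T10:05:00Z 192.0.2.9 POST /login 401 "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
INJECTION = re.compile(r"(?i)['\"]\s*(or|and)\s+\S+\s*=|union\s+select|<script|\.\./|;\s*(cat|ls|wget|curl)\b")
SCANNER_UA = re.compile(r"(?i)sqlmap|nikto|nmap|masscan|dirbuster|gobuster|zgrab")

BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(seconds=60)


def parse_line(line: str):
    """Return one event as a dict, or None for a line that does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, ua = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "method": method,
        "path": unquote(path),  # decode %27 etc. so the patterns see what the app saw
        "status": int(status),
        "ua": ua,
    }


def detect(log_text: str) -> list:
    """Return alerts as (type, ip) tuples, at most one per (type, ip)."""
    alerts = []
    seen = set()
    failed_logins = defaultdict(deque)  # ip -> timestamps of recent 401s on /login

    def alert(kind: str, ip: str) -> None:
        if (kind, ip) not in seen:
            seen.add((kind, ip))
            alerts.append((kind, ip))

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["path"].split("?")[0] == "/login" and ev["status"] == 401:
            window = failed_logins[ev["ip"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > BRUTE_FORCE_WINDOW:
                window.popleft()  # sliding window: only failures in the last minute count
            if len(window) >= BRUTE_FORCE_THRESHOLD:
                alert("brute-force-login", ev["ip"])
        if INJECTION.search(ev["path"]):
            alert("injection-attempt", ev["ip"])
        if SCANNER_UA.search(ev["ua"]):
            alert("automated-tool", ev["ip"])
    return alerts


if __name__ == "__main__":
    for kind, ip in detect(SAMPLE_LOG):
        print(f"{kind}: {ip}")
```

The single failed login from 192.0.2.9 produces no alert, which is the point of the threshold: the detector should fire on the pattern, not on every user who mistypes a password, so that someone actually acts on what it raises.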

Our Web Application Testing Methodology

SecureGlobe’s web app penetration testing experts work with you to define any websites and applications in scope and devise an appropriate testing strategy.

Our penetration tester first locates the publicly available information associated with the client and looks for ways it could be used to get into the systems. They use tools such as port scanners and service fingerprinting to build a complete picture of the software running on the network. Using that information, the tester estimates the impact that different findings could have on the client.

After this information has been collected, through manual browsing or various information-gathering tools, the next stage is planning and analysis. We start by defining the objectives of the penetration test. The goals are agreed jointly by the client and the tester, so that both share the same objectives and understanding.

This step covers analysis of the preliminary information the tester has been able to gather. The tester starts from the available information and may ask the client for more if needed. It is regarded as a passive phase of the penetration test, since the target is not yet being actively probed; its sole objective is to obtain comprehensive, detailed information about the systems in scope.

Our testers then determine how the target application responds to various intrusion attempts, using both static and dynamic analysis. Static analysis inspects the application's code without running it, to predict how it will behave; dynamic analysis observes the application while it runs, which reveals behaviour that only appears at runtime, such as the effect of a particular input.

This stage uses web application attacks, such as SQL injection and cross-site scripting, and looks for backdoors, to uncover the target's vulnerabilities. The testers then try to exploit these vulnerabilities to understand the damage they could cause. The purpose of this stage is to gain access to the vulnerable resources, and to do so only within the agreed scope.

In this step, the results are compiled into a report detailing the specific vulnerabilities exploited, the sensitive data accessed, and how long the penetration tester was able to remain in the system undetected. Security personnel then use the report to build robust remediation that resolves the existing issues and prevents future ones.
