What is the Open Web Application Security Project (OWASP)


The Open Web Application Security Project (OWASP) is a nonprofit foundation that provides guidance on how to develop, purchase and maintain trustworthy and secure software applications.

OWASP seeks to educate developers, designers, architects and business owners about the risks associated with the most common web application security vulnerabilities. OWASP supports both open source and commercial security products.

It is known for being a forum in which security experts and information technology professionals can network and build expertise, and it produces freely available articles, methodologies, documentation, tools and technologies in the field of web application security. It is led by a nonprofit organization called The OWASP Foundation.

OWASP Top 10

Watch this Radware Minute episode with Radware’s Uri Dorot to learn what the OWASP Top 10 is, why it was created, why it’s important, and how to leverage it for application security.

What is the OWASP Top 10 and How Does It Work?

OWASP is best known for its Top 10 list of web application security vulnerabilities. The OWASP Top 10 is a regularly updated report that outlines the main security concerns for web applications and focuses on the 10 most critical risks. The report is put together by a team of global application security experts. OWASP refers to the Top 10 as an ‘awareness document’ and recommends that all companies incorporate the report into their processes to minimize and/or mitigate security risks.

The first version of the OWASP Top 10 list was published in 2003. Updates followed in 2004, 2007, 2010, 2013 and 2017. The most recent update was published in 2021.

A01 Broken Access Control

Authenticated users with improperly configured or missing restrictions are able to access unauthorized functionality or data. Also, restrictions on what authenticated users are allowed to do are often not properly enforced.

A02 Cryptographic Failures

Cryptographic failures (formerly known as Sensitive Data Exposure) focus on cryptography-related failures, which often lead to sensitive-data exposure or system compromise.

Many web applications and APIs contain coding flaws that expose sensitive data such as financial, healthcare and personally identifiable information. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data that lacks extra protection, such as encryption at rest or in transit, may be compromised, and it requires special precautions when exchanged with the browser.

A03 Injection

Injection flaws, such as SQL, NoSQL, OS and Lightweight Directory Access Protocol (LDAP) injection, have been a perennial favorite among hackers for some time, so it’s no surprise that this threat is still near the top of the list. An injection flaw occurs when untrusted data is sent to an interpreter as part of a command or query. This hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

The most common form of injection is SQL injection, in which an attacker sends crafted input that the application passes to the database server as part of a query. It’s a simple and quick attack type that almost anyone with internet access can carry out, since SQL injection scripts are freely available for download.
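The following is an added example, not code from the original page or from Radware, showing the SQL injection flaw described above next to its fix. It uses an in-memory SQLite table with constructed sample rows; the table, the user names and the hostile input string are all assumptions made for the demonstration. The vulnerable lookup splices the user-supplied value into the SQL text, so a value containing quote characters changes the structure of the query; the parameterized lookup sends the value separately, so the same input is treated purely as data.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo (not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is concatenated into the SQL statement: the classic injection flaw.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The driver binds the value to the placeholder, so it can never alter the statement.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed hostile input: turns the WHERE clause into an always-true condition
# when it is concatenated into the query text.
HOSTILE = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice"),      # one row, as intended
        "hostile_vuln": lookup_vulnerable(conn, HOSTILE),     # every row leaks
        "normal_safe": lookup_parameterized(conn, "alice"),   # one row
        "hostile_safe": lookup_parameterized(conn, HOSTILE),  # no such user: empty result
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The defensive point is that escaping or filtering quote characters is not the fix; moving the value out of the query text and into a bound parameter is, and the same principle applies to NoSQL, LDAP and OS command interfaces that offer structured APIs instead of string assembly.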

Cross-site scripting (XSS) is now included as part of this category as well. XSS occurs whenever an application includes untrusted data in a new webpage without proper validation or updates an existing webpage with user-supplied data using a browser API that can create HTML or JavaScript. These flaws give attackers the capability to inject client-side scripts into the application to hijack user sessions, deface websites or redirect the user to malicious sites.

A04 Insecure Design

This category focuses on risks related to design flaws, and it calls for more threat modeling and for secure design patterns and principles in the earlier stages of the application development cycle. It is a broad category that represents many different weaknesses. According to OWASP, “Secure design is a culture and methodology that constantly evaluates threats and ensures that code is robustly designed and tested to prevent known attack methods. Secure design requires a secure development lifecycle, some form of secure design pattern or paved road component library or tooling, and threat modeling.”

A05 Security Misconfiguration

Security misconfiguration remains one of the most commonly seen web application security issues to this day. This risk refers to improper implementation of controls intended to keep application data safe, such as insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and perhaps most important, not patching or upgrading systems, frameworks, libraries, applications and components.

This OWASP category now includes XML external entities as well. Many older or poorly configured XML processors evaluate external entity references within XML documents. Attackers can use external entities for attacks, including remote code execution, and to disclose internal files and Server Message Block (SMB) file shares, conduct internal port scanning and launch denial-of-service attacks.

A06 Vulnerable and Outdated Components (formerly referred to as “Using Components with Known Vulnerabilities”)

Various components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Developers frequently don’t know which open source or third-party components are in their applications, making it difficult to update components when new vulnerabilities are discovered. These components can undermine application defenses and enable various attacks and impacts.

A07 Identification and Authentication Failures (formerly referred to as “Broken Authentication”)

When an application’s authentication and session management functions are not implemented correctly, the resulting loopholes allow cybercriminals to break in. Attackers can compromise passwords, keys and session tokens, or exploit other implementation flaws to assume other users’ identities, either temporarily or permanently. Every session should be unique to an individual user. Without proper session management, an attacker can sneak in, disguised as a legitimate user, to access valuable data.

A08 Software and Data Integrity Failures

A new category for 2021, Software and Data Integrity Failures refers to code and infrastructure that fail to protect against integrity violations. This includes software updates, critical data and CI/CD pipelines that are implemented without verification; for example, objects or data encoded or serialized into a structure that an attacker can modify, or an application that relies on plugins, libraries or modules from untrusted sources. Insecure CI/CD pipelines that can introduce the potential for unauthorized access, malicious code or system compromise also fit into this category. Last but not least, applications with automatic update functionality, in which updates are downloaded without sufficient integrity verification and applied to a previously trusted application, are considered software and data integrity failures because attackers can possibly infiltrate the supply chain to distribute their own malicious updates.

Insecure deserialization is also now part of this category. Insecure deserialization often leads to remote code execution, and it can also be used to tamper with or delete serialized objects or to elevate privileges. Even when deserialization flaws do not result in remote code execution, they can be used to perform other attacks, including replay attacks, injection attacks and privilege escalation.
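As an added illustration of the integrity checks this category asks for (this is example code, not Radware’s or OWASP’s), the block below verifies an update manifest before trusting anything in it. It assumes a shared HMAC key between the build pipeline and the updater, a manifest with exactly three fields, and a constructed artifact; all of those are assumptions for the demo. The order of operations is the point: authenticate the raw bytes first, only then parse them, and parse them as plain JSON with a shape check rather than with a deserializer that can instantiate arbitrary objects. The artifact itself is then checked against the digest pinned in the authenticated manifest.

```python
import hashlib
import hmac
import json

# Assumed shared secret between pipeline and updater (constructed value for the demo).
PIPELINE_KEY = b"example-shared-secret-not-for-production"

# The only fields a manifest may carry; anything else is rejected rather than trusted.
ALLOWED_KEYS = {"version", "artifact_url", "sha256"}


def sign_manifest(key, manifest_bytes):
    """HMAC-SHA256 tag over the raw manifest bytes (what the pipeline would emit)."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def verify_and_load_manifest(key, manifest_bytes, tag):
    """Authenticate first, parse second, validate shape third."""
    expected = sign_manifest(key, manifest_bytes)
    if not hmac.compare_digest(expected, tag):          # constant-time comparison
        raise ValueError("manifest integrity check failed")
    data = json.loads(manifest_bytes.decode("utf-8"))   # JSON only: no object instantiation
    if not isinstance(data, dict) or set(data) != ALLOWED_KEYS:
        raise ValueError("manifest has unexpected shape")
    if not isinstance(data["sha256"], str) or len(data["sha256"]) != 64:
        raise ValueError("manifest digest malformed")
    return data


def verify_artifact(artifact_bytes, manifest):
    """The downloaded artifact must match the digest pinned in the authenticated manifest."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"])


def demo():
    artifact = b"constructed update payload"
    manifest_bytes = json.dumps(
        {
            "version": "1.2.3",
            "artifact_url": "https://updates.example.com/app-1.2.3.bin",  # assumed URL
            "sha256": hashlib.sha256(artifact).hexdigest(),
        },
        sort_keys=True,
    ).encode("utf-8")
    tag = sign_manifest(PIPELINE_KEY, manifest_bytes)

    manifest = verify_and_load_manifest(PIPELINE_KEY, manifest_bytes, tag)
    genuine_ok = verify_artifact(artifact, manifest)            # True
    tampered_ok = verify_artifact(artifact + b"!", manifest)     # False: bytes changed

    # A manifest edited after signing fails the HMAC check before it is ever parsed.
    try:
        verify_and_load_manifest(PIPELINE_KEY, manifest_bytes.replace(b"1.2.3", b"9.9.9"), tag)
        manifest_rejected = False
    except ValueError:
        manifest_rejected = True
    return genuine_ok, tampered_ok, manifest_rejected


if __name__ == "__main__":
    print(demo())
```

A shared-secret HMAC is the simplest case; a real update channel would use an asymmetric signature so that the updater holds only a public key, but the verify-before-parse and pin-the-digest structure stays the same.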

A09 Security Logging and Monitoring Failures (formerly referred to as “Insufficient Logging and Monitoring”)

Security logging and monitoring failures, coupled with missing or ineffective integration with incident response systems, underlie the majority of incidents: they allow cybercriminals to attack systems further and tamper with them, with the purpose of extracting or destroying data. Studies have shown that the time to detect a breach is measured in weeks or months, and that breaches are typically detected by external parties rather than by internal processes or monitoring. Typical attacks that exploit these failures include SQL injection, XSS, cross-site request forgery, server-side request forgery, cookie poisoning and Brute Force attacks.

Attackers rely on the lack of monitoring and timely response to achieve their goals, without being detected. Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of successful exploit to nearly 100%.

A10 Server-Side Request Forgery

Server-side request forgery (SSRF) occurs when a web application fetches a remote resource without validating the user-supplied URL. An attacker can coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN or another type of network access control list. Though SSRF shows a relatively low incidence rate in the data that OWASP reviewed, this category was added based on the industry survey results. Users are concerned that SSRF attacks are becoming more prevalent and potentially more severe due to the increased use of cloud services and the complexity of architectures.
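The following is an added example (not from the page or from Radware) of the URL validation that the SSRF paragraph says is missing when an application fetches a user-supplied URL. The allowlisted hostnames, the public sample address and the fake DNS table are constructed assumptions so the block runs offline; in production the resolver argument would be left at its default, which uses the system resolver. The check rejects non-HTTP schemes, embedded credentials, hosts outside the allowlist, and any host that resolves to a private, loopback, link-local, multicast, reserved or unspecified address, including IPv6 literals with a zone suffix.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.org"}  # assumed allowlist

# Constructed DNS answers so the demo needs no network. 93.184.216.34 is used
# here only as a sample public address; 10.0.0.5 stands for an internal host.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.org": ["93.184.216.34", "10.0.0.5"],
    "localhost": ["127.0.0.1", "::1"],
}


def default_resolver(host):
    """Real resolver for production use; returns every address the name maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("constructed NXDOMAIN")
    return FAKE_DNS[host]


def is_public_address(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url, resolver=default_resolver):
    """Return (ok, reason). ok is True only when every check passes."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:            # hostname is already lowercased by urlsplit
        return False, "host not in allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "resolution failed"
    # Every answer must be public: a name that also maps to an internal address is refused.
    if not addrs or not all(is_public_address(a) for a in addrs):
        return False, "resolves to non-public address"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["https://images.example.com/a.png", "https://cdn.example.org/x",
                      "http://localhost/", "https://127.0.0.1/", "ftp://images.example.com/",
                      "https://user:pw@images.example.com/"]:
        print(candidate, validate_fetch_url(candidate, resolver=fake_resolver))
```

One caveat worth keeping in mind: validating the name and then letting an HTTP library resolve it again opens a time-of-check/time-of-use gap (DNS rebinding). The robust pattern is to connect to the address that passed validation, and to apply the same validation to any redirect target before following it.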

What is OWASP Top 21 and How Does it Work?

The OWASP Top 21 Automated Threats To Web Applications is an analysis of today’s entire range of bot attacks and classifies them into 21 separate types, along with a list of countermeasures and best practices to combat these threats.

OAT-01: Carding

Carding is an automated form of payment fraud in which fraudsters test a bulk list of credit/debit card data against a merchant’s payment processing system to verify the stolen card details. Such card details are stolen from different payment channels or other applications, or purchased from dark web marketplaces. Hackers also apply card cracking (OAT-10) practices to obtain the credit card details.

OAT-02: Token Cracking

Token cracking is the process of gaining access to identification tokens, which are cryptographic keys that are generated by online services. Tokens are often sent to users via text message on their mobile devices.

Tokens may be used for multi-factor authentication (MFA), where an additional factor of authentication is required if the user wants to access data from an unknown device or location. This form of two-step verification is intended to prevent unauthorized access to sensitive data, but cybercriminals can gain access using Brute Force methods. This can result in identity theft and other types of fraud. If the token is compromised, the attacker gains complete control over the victim’s account and can track all the activity, and change or delete information.

OAT-03: Ad Fraud

Digital ad fraud refers to the deliberate act of misrepresenting or obfuscating ad engagement metrics. It is committed by fraudulent traffic (from bots as well as humans) that generates dummy impressions and adversely affects the click-through rate (CTR). The invalid activity from bots drains ad-serving resources and affects publishers’ efforts to build a premium ad inventory. Non-human traffic also distorts site analytics and affects marketing campaigns. In addition, invalid traffic hurts a publisher’s brand reputation, impacts ad verification reports, and harms quality scores. Currently, most security measures are ineffective in filtering human-like bot activity. Various types of ad fraud can include traffic sourcing, ghost sites, domain spoofing, ad stacking, pixel stuffing and ad injection.

OAT-04: Fingerprinting

With fingerprinting, specific requests are sent to the application to elicit information that profiles it. This probing typically examines HTTP header names and values, session identifier names and formats, the contents of error page messages, URL-path case sensitivity, URL-path patterns, file extensions, and whether software-specific files and directories exist.

Fingerprinting often relies on information leakage, and this profiling may also reveal some of the network architecture or topology. Fingerprinting may be undertaken without any direct use of the application, that is, by querying a store of exposed application properties such as those held in a search engine’s index.

Symptoms are often sparse: a single HTTP request, or none at all, but possibly requests for a wide range of missing resources, or requests for resources that are rarely requested.

OAT-05: Scalping

Scalping is an age-old practice that was carried out by scalpers and resellers buying event tickets and certain goods that were in high demand, and later selling them for a considerable profit.

Today, scalping has mostly moved online, so scalpers now use sophisticated “all-in-one” bots that are sold online and programmed to regularly scan e-commerce, ticketing, and other websites and applications to find and quickly buy large quantities of desired products (such as certain brands of sneakers and gaming consoles) before regular consumers even get a chance to log in to make their purchases. The scalped products are then quickly resold through sites like eBay and other portals that serve the secondary market.

Scalper bots are deployed to regularly visit popular e-commerce portals at frequent intervals to scan for product “drops”: launches of highly anticipated products such as sneakers or gaming consoles, event tickets and other products in limited supply.

The scalpers behind these bots first create user accounts at online stores under various identities, using different IP addresses, payment cards, shipping addresses, and combinations thereof, to evade fraud detection systems.

OAT-06: Expediting

Expediting is the process of using speed to violate explicit or implicit assumptions about the application’s normal use to achieve unfair individual gain, often associated with deceit and loss to some other party.

In contrast to OAT-16 skewing, which affects metrics, expediting is purely related to faster progression through a series of application processes. OAT-17 spamming is different from expediting, since the focus of spam is to add information and might not involve the concept of process progression.

A common symptom of expediting is uncharacteristically fast progress through multi-stage processes.

OAT-07: Credential Cracking

Credential Cracking, also known as “Brute Forcing”, is a way to identify valid credentials by trying different values for usernames and passwords (usually from lists of breached account credentials that were made public by malicious parties and hackers). Hackers deploy bots to hack into customers’ accounts using the Brute Force approach, dictionary attacks (inputting large numbers of words), and guessing attacks to identify valid login credentials. Brute force attack symptoms include a sudden increase in failed login attempts and high numbers of account hijacking complaints from customers.

OAT-08: Credential Stuffing

Credential stuffing exploits users’ propensity to use the same username and password at multiple websites. Hackers use bots to test lists of credentials obtained as a result of data dumps of breached credentials (or purchased from the dark web) against a range of websites, in the hope that a victim has used the same combination of credentials on multiple sites.

Unlike credential cracking, credential stuffing does not involve Brute Force or guessing of any values; instead, mass login attempts are used to verify the stolen username and password pairs. Credential stuffing symptoms include consecutive login attempts with different credentials from the same HTTP client.
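The symptoms given for credential cracking (OAT-07) and credential stuffing (OAT-08) differ in one measurable way: cracking concentrates many failures on a few usernames, while stuffing spreads many failures across many usernames, each tried about once. The block below is an added example, not part of the page or of any Radware product, of a detector that applies that distinction to login-audit lines. The log format, the client addresses, the five-minute window and the threshold of eight failures are all assumptions chosen for the demo; the sample log is constructed inside the block.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-log format: "<ISO timestamp> <client ip> POST /login user=<name> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) status=(?P<status>\d{3})$"
)


def parse_login_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "status": int(m["status"]),
    }


def classify_clients(lines, window=timedelta(minutes=5), min_failures=8):
    """Label each client IP as benign, credential_cracking, credential_stuffing or suspicious."""
    events = defaultdict(list)
    for line in lines:
        e = parse_login_line(line)
        if e:
            events[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        verdict = "benign"
        start = 0
        for end in range(len(evs)):
            # Sliding window: drop events older than `window` relative to the newest one.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            failures = [e for e in evs[start:end + 1] if e["status"] != 200]
            if len(failures) < min_failures:
                continue
            distinct = len({e["user"] for e in failures})
            if distinct / len(failures) >= 0.8:
                verdict = "credential_stuffing"          # nearly every failure is a new username
            elif distinct <= 2 and verdict != "credential_stuffing":
                verdict = "credential_cracking"          # the same one or two accounts hammered
            elif verdict == "benign":
                verdict = "suspicious"                   # high failure volume, mixed pattern
        verdicts[ip] = verdict
    return verdicts


def build_sample_log():
    """Constructed log lines for the demo (not real traffic)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(10):   # stuffing: ten usernames, one attempt each, all failing
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 198.51.100.7 POST /login user=user{i:02d} status=401")
    for i in range(10):   # cracking: one username, ten failed attempts
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 203.0.113.9 POST /login user=alice status=401")
    # benign: a typo followed by a successful login
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} 192.0.2.5 POST /login user=bob status=401")
    lines.append(f"{base + timedelta(seconds=20):%Y-%m-%dT%H:%M:%SZ} 192.0.2.5 POST /login user=bob status=200")
    return lines


if __name__ == "__main__":
    for ip, verdict in classify_clients(build_sample_log()).items():
        print(ip, verdict)
```

Per-IP grouping is the simplest key and is what the page’s “same HTTP client” symptom describes; in practice stuffing campaigns rotate source addresses, so the same logic is usually run a second time keyed on a device or TLS fingerprint, with the per-IP threshold lowered accordingly.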

OAT-09: CAPTCHA Defeat

While CAPTCHA is deployed to distinguish legitimate users from bots, threat actors use CAPTCHA-defeating bots to leverage automation to analyze and determine the answers to visual and/or aural CAPTCHA tests and related puzzles/challenges.

Common symptoms are high CAPTCHA solving success rates on fraudulent accounts, or suspiciously fast/fixed CAPTCHA solving times.

OAT-10: Card Cracking

Similar to carding (OAT-01), card cracking uses bots to conduct fraudulent activity against credit cards and other payment methods, either by guessing or by abusing already known (usually stolen) payment details. Card cracking is a common example of web application abuse that leverages credit card data, and its purpose is to validate stolen payment card data.

Symptoms of card cracking include elevated basket abandonment, a reduced average basket price, a higher proportion of failed payment authorizations and increased chargebacks.

OAT-11: Scraping

Content scraping (also referred to as web scraping or data scraping) involves lifting unique or original content from other websites and publishing it elsewhere. Content scrapers typically copy all content to pass it off as their own, including blogs, research, product reviews, financial information and so on.

Content scraping, on a basic level, can be accomplished by manual copy and paste. More sophisticated techniques involve bots that are used to crawl websites and copy thousands of pages within a matter of seconds.

Content scraping is common in online publishing, where companies rely on ad revenue to fuel their websites. Third-party scrapers crawl and copy high-quality, keyword-dense content from other websites, and bloggers and media publishers are frequent targets of content theft.

OAT-12: Cashing Out

Cashing out is a process of obtaining currency or higher-value merchandise via the application using stolen, previously validated payment cards or other account login credentials. Sometimes cashing out may be undertaken in conjunction with product return fraud.

Common symptoms include increased chargebacks, increased usage of interlinked accounts and an increased demand for higher-value goods or services.

OAT-13: Sniping

Sniping is a last-minute bid or offer for a particular good or service. It is made at the last possible opportunity, leaving insufficient time for another user to bid/offer.

Sniping can also be the automated exploitation of system latencies in the form of timing attacks. Careful timing and prompt action are necessary parts. It is most well-known as auction sniping, but the same threat event can be used in other types of applications. Sniping normally leads to some dis-benefit for other users, and sometimes that might be considered a form of denial of service.

Common symptoms are increasing complaints from users about being unable to obtain goods or services, or some users having higher success rates than expected.

OAT-14: Vulnerability Scanning

Vulnerability scanning is the scanning and crawling of an application to identify weaknesses and possible vulnerabilities. It is a systematic enumeration and examination of identifiable, guessable and unknown content locations, paths, file names and parameters, in order to find weaknesses and points where a security vulnerability might exist. Vulnerability scanning includes both malicious scanning and friendly scanning by an authorized vulnerability scanning engine.

Symptoms include an elevated occurrence of errors; extremely high application usage from a single IP address; a high ratio of GET/POST to HEAD requests for a user, session or IP address; and multiple misuse attempts against application entry points.

OAT-15: Denial of Service

As a new version of a legacy attack vector, these bots target web/mobile applications and websites with the intention of making resources unavailable, thereby achieving denial of service (DoS). Ultimately, reduced website performance and service degradation are indications of a DoS attack on a website or web application. Application unavailability or a sudden increase in user account lockouts is also a giveaway.

OAT-16: Skewing

Bots can interfere with business analytic systems and processes, which include digital advertising, affiliate programs and pay per click (PPC), to eventually cause the victim to make incorrect decisions based on false reporting/data. Skewing, ad fraud and spamming are perfect examples of this category of application abuse, among others. Skewing and ad fraud revolve around click abuse to alter the web performance and advertising metrics, and as a result, the revenue. Both are highlighted by decreases in clicks/impressions and conversions, in addition to highly skewed metrics that fall well outside of the typical thresholds.

OAT-17: Spamming

Spamming is the act of posting fake and questionable information on forums, comment sections, blogs, wiki webpages and public-facing webpages, and content contribution platforms.

OAT-18: Footprinting

Footprinting is an online security threat that involves gathering information with the objective of learning as much as possible about the composition, configuration and security mechanisms of the application. Unlike scraping, footprinting is an enumeration of the application itself, rather than the data. Footprinting is used to identify all the URL paths, values, parameters and ad-process sequences. As the application is explored, additional paths will be identified, which in turn need to be examined.

Footprinting can also include Brute Forcing and dictionary attack techniques. Fuzzing may also be used to identify further application resources and capabilities.

Common symptoms include an increase in system and application error codes, such as HTTP status codes 404 and 503, or user behavior that falls outside of typical user behavior.
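Both vulnerability scanning (OAT-14) and footprinting (OAT-18) list the same observable: one client producing an elevated share of error responses, typically 404 and 503, while touching a large number of distinct paths. The block below is an added example (not code from the page or from Radware) that turns those two symptoms into a per-client profile over access-log lines in the common combined format. The log lines, the client addresses, the 20-request minimum and the 50% error-ratio threshold are constructed assumptions for the demo.

```python
import re
from collections import defaultdict

# Combined/common access-log shape: ip - - [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_access_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"])}


def profile_clients(lines):
    """Per-IP counts: total requests, error responses (4xx/5xx) and distinct paths."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "paths": set()})
    for line in lines:
        e = parse_access_line(line)
        if e is None:
            continue
        s = stats[e["ip"]]
        s["total"] += 1
        s["paths"].add(e["path"])
        if e["status"] >= 400:            # 404 and 503 are the codes the page names
            s["errors"] += 1
    return stats


def flag_scanners(lines, min_requests=20, max_error_ratio=0.5, min_distinct_ratio=0.8):
    """Return {ip: [reasons]} for clients whose traffic looks like enumeration."""
    flagged = {}
    for ip, s in profile_clients(lines).items():
        if s["total"] < min_requests:     # too little traffic to judge
            continue
        error_ratio = s["errors"] / s["total"]
        distinct_ratio = len(s["paths"]) / s["total"]
        reasons = []
        if error_ratio > max_error_ratio:
            reasons.append(f"error ratio {error_ratio:.2f}")
        if distinct_ratio >= min_distinct_ratio:
            reasons.append(f"{len(s['paths'])} distinct paths in {s['total']} requests")
        if reasons:
            flagged[ip] = reasons
    return flagged


def build_sample_access_log():
    """Constructed lines: one enumerating client, one ordinary visitor."""
    lines = []
    for i in range(30):                   # 30 different guessed paths, 27 of them missing
        status = 404 if i % 10 else 200
        lines.append(f'203.0.113.44 - - [01/May/2024:10:00:{i:02d} +0000] "GET /candidate-{i} HTTP/1.1" {status} 512')
    pages = ["/", "/products", "/products/42", "/cart", "/about"]
    for i in range(25):                   # normal browsing cycles through a few real pages
        lines.append(f'198.51.100.7 - - [01/May/2024:10:01:{i:02d} +0000] "GET {pages[i % 5]} HTTP/1.1" 200 2048')
    return lines


if __name__ == "__main__":
    for ip, reasons in flag_scanners(build_sample_access_log()).items():
        print(ip, "; ".join(reasons))
```

The error-ratio rule on its own would also fire on a broken link farm pointing at the site, which is why the distinct-path ratio is reported alongside it; an authorized scanner (the page’s “friendly scanning”) will trip both rules and should be allowlisted by source address rather than by relaxing the thresholds.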

OAT-19: Account Creation

Account creation is a type of online security threat in which individuals or companies use an application’s account sign-up processes to create bulk accounts for subsequent misuse. Such misuse might include content spam, spreading malware, laundering cash and goods, causing mischief, affecting brand reputation, skewing SEO, reviews, and website analytics.

Symptoms can include higher-than average account creation rates, accounts with incomplete information relative to a typical account holder, and accounts created but not immediately used.

OAT-20: Account Aggregation

Account aggregation is a process that involves collecting information from different accounts, which may include credit card accounts, bank accounts, investment accounts and other business accounts, into a single place. This aggregation application may be used by a single user to combine information from multiple applications, or to combine information from various users of a single application.

Common symptoms include lack of end user engagement, account information access behavior patterns that do not match the user profile and elevated activity peaks.

OAT-21: Denial of Inventory

Denial of inventory means depleting goods or services without completing the purchase or committing to the transaction. This category of threats specializes in holding hostage the inventory of e-commerce sites, ticketing systems, airlines, etc. It accomplishes this by starting the purchasing process without checking out and restarting the process each time the reservation window expires. Additional bots clear inventory instantaneously, so that cybercriminals can resell goods. See scalping (OAT-05). The result is a direct financial loss.
