OWASP

The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation focused on improving the security of software.

OWASP Web Security Testing Guide

The OWASP Web Security Testing Guide applies to web application testing specifically. It focuses on design review, code reviews, data flow modelling, methods of testing weaknesses that are only found in application implementations, and security testing at all stages of the Software Development Life Cycle (SDLC).

Its sections include information gathering methods for web application security testing and testing of configuration and deployment management, identity management, authentication, authorisation, session management, input validation, error handling, weak cryptography, business logic, client-side issues, and application programming interfaces (APIs).

OWASP Top 10 2021

The OWASP Top 10 document lists the ten most common security flaws in web applications that may put an organisation at risk. Each category is listed here with its notable Common Weakness Enumerations (CWEs) as a quick reference for low-hanging fruit.

Broken Access Control

Many web applications do not enforce restrictions on what an authenticated user can do within the application. An attacker that exploits this flaw can gain access to sensitive information or perform undesired actions. Notable Common Weakness Enumerations (CWEs) included are:

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-201: Insertion of Sensitive Information Into Sent Data

  • CWE-352: Cross-Site Request Forgery.
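The two checks most often missing in this category, an ownership check on a per-user record (CWE-200) and a session-bound token on state-changing requests (CWE-352), look like this in a small handler. This is an added illustration, not OWASP code; the User type, the in-memory INVOICES table and the invoice IDs are constructed sample data.

```python
"""Ownership check for a per-user resource plus a CSRF token check.

Added illustration, not code from OWASP. The User type, the in-memory
INVOICES table and the invoice IDs are constructed sample data.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


# Constructed sample data: invoice_id -> (owner_user_id, amount)
INVOICES = {
    101: (1, 250.00),
    102: (2, 99.50),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_invoice_vulnerable(current_user: User, invoice_id: int):
    # Broken access control: the caller is authenticated, but nothing checks
    # that the invoice belongs to them, so any valid ID returns any user's data.
    return INVOICES[invoice_id]


def get_invoice(current_user: User, invoice_id: int) -> dict:
    """Deny by default: only the owner or an admin may read the invoice."""
    record = INVOICES.get(invoice_id)
    if record is None:
        # Same error for missing and foreign records, so the response does
        # not reveal which IDs exist (CWE-200).
        raise Forbidden("not found")
    owner_id, amount = record
    if current_user.role != "admin" and current_user.user_id != owner_id:
        raise Forbidden("not found")
    return {"invoice_id": invoice_id, "amount": amount}


def is_denied(current_user: User, invoice_id: int) -> bool:
    """True when the hardened lookup refuses the request."""
    try:
        get_invoice(current_user, invoice_id)
    except Forbidden:
        return True
    return False


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session (CWE-352)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Accept a state-changing request only if the form token matches the session."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)
```

The hardened lookup returns the same "not found" for a record that does not exist and for one owned by somebody else, so a caller cannot tell the two apart; the CSRF check uses a constant-time comparison and fails closed when either side of the token is missing.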

Cryptographic Failures

The third most common flaw in web applications is sensitive data exposure: web applications or APIs that do not protect sensitive data within the application, such as financial data, healthcare data, or Personally Identifiable Information (PII). This can result from a lack of encryption at rest and in transit, or from other missing access control methods. Notable Common Weakness Enumerations (CWEs) included are:

  • CWE-259: Use of Hard-coded Password

  • CWE-327: Broken or Risky Crypto Algorithm

  • CWE-331: Insufficient Entropy
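The three CWEs above line up with three habits in password and secret handling: a credential baked into source, an unsalted fast digest, and a salt drawn from a non-cryptographic generator. The following added example (not OWASP code) puts each beside its fix using only the Python standard library; the iteration count, the storage format with `$` separators and the `APP_DB_PASSWORD` variable name are assumptions made for the example.

```python
"""Password storage with a salted KDF, a CSPRNG salt and a constant-time compare.

Added illustration, not code from OWASP. ITERATIONS, the "$"-separated storage
format and the APP_DB_PASSWORD variable name are assumptions for the example.
"""
import hashlib
import hmac
import os
import secrets
from typing import Mapping, Optional

ITERATIONS = 600_000  # order of magnitude currently recommended for PBKDF2-HMAC-SHA256

# --- What the CWEs describe ------------------------------------------------
HARDCODED_DB_PASSWORD = "changeme"  # CWE-259: secret baked into the source tree


def weak_hash(password: str) -> str:
    # CWE-327: unsalted, fast digest; equal passwords give equal hashes and
    # precomputed tables apply directly.
    return hashlib.md5(password.encode()).hexdigest()


# --- Hardened --------------------------------------------------------------
def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, iterations, salt, digest."""
    salt = secrets.token_bytes(16)  # CSPRNG, never random.random() (CWE-331)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def db_password_from_env(env: Optional[Mapping[str, str]] = None) -> str:
    """Read the database credential from the environment instead of source (CWE-259)."""
    env = os.environ if env is None else env
    value = env.get("APP_DB_PASSWORD")
    if not value:
        raise RuntimeError("APP_DB_PASSWORD is not set")
    return value
```

Because the salt is random per record, two hashes of the same password differ, and the verifier reads the iteration count back from the record, so the cost can be raised later without invalidating existing users.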

Injection

Injection flaws occur when untrusted data enters an application without the application sanitising or validating it, so that the data is interpreted as part of a query, command, or path. Notable Common Weakness Enumerations (CWEs) included are:

  • CWE-79: Cross-site Scripting

  • CWE-89: SQL Injection

  • CWE-73: External Control of File Name or Path

Insecure Design

Insecure Design covers risk-related design flaws in applications. This new category looks to improve the use of threat modeling and secure design patterns and principles during the development of the application. Notable Common Weakness Enumerations (CWEs) include:

  • CWE-209: Generation of Error Message Containing Sensitive Information

  • CWE-256: Unprotected Storage of Credentials

  • CWE-501: Trust Boundary Violation

  • CWE-522: Insufficiently Protected Credentials

Security Misconfiguration

Applications should have their default settings altered and their security configuration settings reviewed, because security misconfiguration is a common flaw in web applications. Notable CWEs included are:

  • CWE-16: Configuration

  • CWE-611: Improper Restriction of XML External Entity Reference

Vulnerable and Outdated Components

Components are libraries of code that an application may use. Development of an application may follow secure coding best practices, but once a third-party library is called, that component may have been developed in an insecure manner that exposes the application to security flaws.

Identification and Authentication Failures

Flaws in authentication or session management may allow attackers to access passwords, keys, or session tokens. Notable CWEs included are:

  • CWE-297: Improper Validation of Certificate with Host Mismatch

  • CWE-287: Improper Authentication

  • CWE-384: Session Fixation

Software and Data Integrity Failures

This category covers failures to verify the integrity of components when applying software updates or updates to critical data. Insecure Deserialization from the 2017 list is included in this category. Insecure deserialization flaws may result in an attacker being able to perform remote code execution, replay attacks, injection attacks, and privilege escalation attacks. Notable Common Weakness Enumerations (CWEs) include:

  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere

  • CWE-494: Download of Code Without Integrity Check

  • CWE-502: Deserialization of Untrusted Data
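Two of the CWEs above have direct code-level counterparts: checking a downloaded artifact against a digest pinned out of band (CWE-494), and loading untrusted input through a data-only format with explicit shape validation instead of a native object serialiser (CWE-502). The added example below is not OWASP code; the sample artifact is the well-known SHA-256 test vector `"abc"`, and `CONFIG_SCHEMA` is a constructed schema.

```python
"""Integrity check on a downloaded artifact (CWE-494) and data-only
deserialisation with validation (CWE-502).

Added illustration, not code from OWASP. SAMPLE_ARTIFACT is the standard
SHA-256 test vector "abc"; CONFIG_SCHEMA is constructed for the example.
"""
import hashlib
import hmac
import json


class IntegrityError(Exception):
    """The downloaded bytes do not match the digest pinned at build time."""


# Constructed: a tiny "artifact" and the digest a pipeline would pin next to
# its download URL (SHA-256 of b"abc").
SAMPLE_ARTIFACT = b"abc"
PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, pinned_sha256: str) -> bool:
    """Compare the downloaded bytes against a digest obtained out of band."""
    return hmac.compare_digest(sha256_hex(data), pinned_sha256.lower())


def install_artifact(data: bytes, pinned_sha256: str) -> int:
    """Refuse to install on mismatch; returns the number of bytes accepted."""
    if not verify_artifact(data, pinned_sha256):
        raise IntegrityError("artifact digest mismatch; refusing to install")
    return len(data)  # stand-in for writing the file or loading the plugin


def integrity_rejected(data: bytes, pinned_sha256: str) -> bool:
    try:
        install_artifact(data, pinned_sha256)
    except IntegrityError:
        return True
    return False


# --- Deserialisation -------------------------------------------------------
CONFIG_SCHEMA = {"name": str, "retries": int, "verify_tls": bool}  # constructed


def load_untrusted_config(blob: bytes) -> dict:
    """Parse JSON and validate keys and types before the values are trusted.

    pickle.loads(blob) on the same input would let the sender choose which
    classes and callables run during loading; JSON can only yield plain data,
    and the schema check rejects anything the application did not expect.
    """
    obj = json.loads(blob)
    if not isinstance(obj, dict):
        raise ValueError("config must be a JSON object")
    unknown = set(obj) - set(CONFIG_SCHEMA)
    if unknown:
        raise ValueError(f"unexpected keys: {sorted(unknown)}")
    for key, typ in CONFIG_SCHEMA.items():
        if key not in obj:
            raise ValueError(f"missing key: {key}")
        value = obj[key]
        # bool is a subclass of int in Python, so reject true/false for int fields
        if (typ is int and isinstance(value, bool)) or not isinstance(value, typ):
            raise ValueError(f"bad type for {key}")
    return obj


def config_rejected(blob: bytes) -> bool:
    try:
        load_untrusted_config(blob)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return True
    return False
```

The digest comparison is constant-time and case-insensitive on the hex string; the pinned value must come from somewhere the downloader does not control (the build manifest, a signed release note), otherwise the check only proves the download was not corrupted in transit.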

Security Logging and Monitoring Failures

Lack of logging and monitoring means that an application or system does not have the capabilities to detect and log breaches in security. Adequate logging and monitoring should be configured within an application or system to help determine the extent of a security breach during incident response. This category includes:

  • CWE-778: Insufficient Logging

  • CWE-117: Improper Output Neutralization for Logs

  • CWE-223: Omission of Security-relevant Information

  • CWE-532: Insertion of Sensitive Information into Log File.
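The four CWEs in this category can be addressed in one small logging helper: every authentication decision produces a record (CWE-778) carrying the fields an investigator needs (CWE-223), user-controlled strings are escaped so they cannot forge a second line (CWE-117), and secret fields are redacted before the line is written (CWE-532). This is an added example, not OWASP code; the `key="value"` line format, the field names and the list of sensitive keys are constructed.

```python
"""Log-line neutralisation and redaction for authentication events.

Added illustration, not code from OWASP. The key="value" line format, field
names and SENSITIVE_KEYS are constructed for the example.
"""
import re

# CR, LF and other control characters would let a user-controlled value end
# the current entry and start a forged one (CWE-117); quotes and backslashes
# are escaped so the key="value" framing stays parseable.
_NEEDS_ESCAPE = re.compile(r'[\x00-\x1f\x7f"\\]')

SENSITIVE_KEYS = {"password", "token", "authorization", "cookie", "ssn"}  # constructed


def _escape(match: "re.Match") -> str:
    ch = match.group(0)
    if ch == '"':
        return '\\"'
    if ch == "\\":
        return "\\\\"
    return "\\x%02x" % ord(ch)


def neutralize(value: str) -> str:
    """Escape control characters and framing characters so the value stays on one line."""
    return _NEEDS_ESCAPE.sub(_escape, value)


def redact(fields: dict) -> dict:
    """Replace secret values but keep the key, so the event remains reviewable (CWE-532)."""
    return {
        k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
        for k, v in fields.items()
    }


def auth_event_line(outcome: str, username: str, source_ip: str, **extra) -> str:
    """Build one log line for an authentication decision.

    Successes and failures alike are recorded with who, from where and the
    result (CWE-778, CWE-223). Values are redacted first and then escaped,
    so neither secrets nor injected line breaks reach the log.
    """
    fields = {"event": "auth", "outcome": outcome, "user": username, "src": source_ip}
    fields.update(extra)
    parts = [f'{k}="{neutralize(str(v))}"' for k, v in redact(fields).items()]
    return " ".join(parts)
```

Redaction runs before escaping so that a secret is never escaped and then leaked; escaping runs on every value, not only on the username, because any field may end up carrying request data.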

Server-Side Request Forgery

This security flaw enables attackers to make a vulnerable web application send requests to another system of their choosing. This category represents the scenario where the security community members are telling OWASP this is important, even though it is not illustrated in the data yet.
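The usual mitigation is to validate the target of any server-side request before it is made: accept only an allow-list of schemes and hosts, refuse IP literals and user-info tricks in the URL, and check every resolved address against the non-public ranges immediately before connecting. The example below is added here and is not OWASP code; `ALLOWED_HOSTS`, `ALLOWED_PORTS` and the sample URLs are constructed, and the DNS step is described but not performed so the code runs offline.

```python
"""Outbound-request target validation against SSRF.

Added illustration, not code from OWASP. ALLOWED_HOSTS, ALLOWED_PORTS and the
sample URLs are constructed; DNS resolution is left to the caller so the
example runs offline.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example"}  # constructed allow-list of external services
ALLOWED_PORTS = {None, 443}              # None means the scheme default


def is_public_ip(ip_text: str) -> bool:
    """True only for a globally routable unicast address.

    Loopback, RFC 1918 / ULA, link-local (where cloud metadata services live),
    multicast and reserved ranges are all refused. Apply this to every address
    a host name resolves to, right before connecting, so that a later DNS
    answer cannot steer the request inside the network.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)


def safe_target(url: str) -> Optional[str]:
    """Return the allow-listed host to connect to, or None if the URL is refused."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # "https://allowed-host@other-host/" style confusion
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if host is None or host not in ALLOWED_HOSTS:
        return None  # IP literals can never match the allow-list
    try:
        if parts.port not in ALLOWED_PORTS:
            return None
    except ValueError:
        return None  # malformed port
    return host
```

Host allow-listing alone is not enough when the application resolves the name itself: the resolver answer, not the name, decides where the socket goes, which is why `is_public_ip` is meant to run on the resolved addresses at connect time rather than on the URL.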

Other projects

The OWASP Foundation has other projects as well, like OWASP Mobile Application Security.