OWASP (The Open Worldwide Application Security Project)

OWASP: The Open Worldwide Application Security Project Top 10, 2021

Broken Access Control

Broken access control: a weakness that allows an attacker to gain access to user accounts.

The attacker in this context can function as a user or as an administrator in the system.

Example

An application allows a primary key to be changed, and when this key is changed to another user’s record, that user’s account can be viewed or modified.

Solution

An IAST (interactive application security testing) solution, such as Seeker, can help you effortlessly detect cross-site request forgery or insecure storage of your sensitive data. It also pinpoints any bad or missing logic being used to handle JSON Web Tokens. Penetration testing can serve as a manual supplement to IAST activities, helping to detect unintended access controls. Changes in architecture and design may be warranted to create trust boundaries for data access.
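The primary-key case from the example above, as an added illustration that is not part of the original page: the vulnerable lookup trusts the id in the request, while the fixed lookup checks the record's owner against the authenticated session user (or an administrator role, as the second paragraph allows). The accounts, users and roles are constructed sample data.

```python
# Added example (not from the original page): a minimal insecure direct object
# reference (IDOR), the broken access control case described above, beside the
# fixed version. All records, users and roles below are constructed sample data.
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str
    balance: int


# Constructed sample data: two customers' accounts and one administrator.
ACCOUNTS: Dict[int, Account] = {
    1001: Account(1001, "alice", 250),
    1002: Account(1002, "bob", 9000),
}
ADMINS = {"carol"}


class AccessDenied(Exception):
    pass


def view_account_vulnerable(session_user: str, account_id: int) -> Account:
    """Vulnerable: the record is looked up by the client-supplied primary key
    and the authenticated user is never consulted. Changing the id in the
    request (1001 -> 1002) returns another user's account."""
    return ACCOUNTS[account_id]


def view_account_fixed(session_user: str, account_id: int) -> Account:
    """Fixed: authorization is decided server-side from the session identity.
    Only the owner, or an administrator, may read the record."""
    record = ACCOUNTS.get(account_id)
    # One error for both "no such record" and "not your record", so the
    # response does not confirm which account ids exist.
    if record is None or (record.owner != session_user and session_user not in ADMINS):
        raise AccessDenied("access denied")
    return record


def can_read(session_user: str, account_id: int) -> bool:
    """True if the fixed check allows session_user to read account_id."""
    try:
        view_account_fixed(session_user, account_id)
    except AccessDenied:
        return False
    return True


if __name__ == "__main__":
    # Alice changes the id in her request: the vulnerable version returns
    # Bob's account, the fixed version denies it; the administrator may read it.
    print(view_account_vulnerable("alice", 1002))
    print(can_read("alice", 1002), can_read("alice", 1001), can_read("carol", 1002))
```

The single "access denied" response for both missing and foreign records is deliberate: distinguishing the two would let a caller enumerate which ids exist.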

Cryptographic Failure

Formerly known as Sensitive Data Exposure, this entry was renamed Cryptographic Failures to accurately portray it as a root cause rather than a symptom. Cryptographic failures occur when important stored or transmitted data (such as a social security number) is compromised. Typical causes:

  • Not encrypting sensitive information
  • Using downgraded cryptographic algorithms
  • Using cryptographic primitives insecurely
  • Random numbers that are not that random

Example

A financial institution fails to adequately protect its sensitive data and becomes an easy target for credit card fraud and identity theft.

Solution

Seeker’s checkers can scan for both inadequate encryption strength and weak or hardcoded cryptographic keys, and then identify any broken or risky cryptographic algorithms. The Black Duck® cryptography module surfaces the cryptographic methods used in open source software (OSS) so they can be further evaluated for strength. Both Coverity® static application security testing (SAST) and Black Duck software composition analysis (SCA) have checkers that can provide a “point in time” snapshot at the code and component levels. However, supplementing with IAST is critical for providing continuous monitoring and verification to ensure that sensitive data isn’t leaked during integrated testing with other internal and external software components.

  • Fix at design time
  • Threat modeling
  • Add security controls
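Three of the causes listed above, shown in code as an added example that is not part of the original page: a password stored so it can be verified without being recoverable (salted PBKDF2 instead of plain text), secrets compared in constant time, and session tokens drawn from the OS random source instead of a seeded general-purpose PRNG. The password and seed values are constructed; the iteration count is illustrative and should follow the current OWASP Password Storage Cheat Sheet.

```python
# Added example (not from the original page): avoiding three of the
# cryptographic failures above with the Python standard library only.
import hashlib
import hmac
import os
import random
import secrets
from typing import Optional, Tuple

# Illustrative work factor: pick the figure from the current OWASP Password
# Storage Cheat Sheet for your hash and hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt per user defeats
    precomputed tables; the iteration count makes guessing slow."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash and compare in constant time (hmac.compare_digest),
    so the comparison does not leak how many leading bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def store_and_check(password: str, attempt: str) -> bool:
    """End to end: hash at registration, verify at login. The plain password
    is never stored, so a database leak does not expose it."""
    salt, digest = hash_password(password)
    return verify_password(attempt, salt, digest)


def predictable_token(seed: int) -> str:
    """Failure: random.Random is a Mersenne Twister PRNG. Anyone who learns the
    seed (or enough outputs) can reproduce every token it will ever issue."""
    rng = random.Random(seed)
    return "".join(rng.choice("abcdef0123456789") for _ in range(32))


def session_token() -> str:
    """Fix: secrets draws from the OS CSPRNG; 32 bytes gives 256 bits of entropy."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print(store_and_check("correct horse battery staple", "correct horse battery staple"))  # True
    print(store_and_check("correct horse battery staple", "Tr0ub4dor&3"))                  # False
    # Same seed, same "random" token: not random at all.
    print(predictable_token(2021) == predictable_token(2021))                              # True
    print(session_token() != session_token())                                              # True
```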

Injection

This category includes injection and cross-site scripting (XSS). Essentially, a code injection occurs when invalid data is sent by an attacker into a web application in order to make the application do something it was not designed to do.

Example

An application uses untrusted data when constructing a vulnerable SQL call.

Solution

  • Do not directly include user input in programs that will be run or interpreted elsewhere
  • Specify what valid input looks like
  • Filter user input

Including SAST and IAST tools in your continuous integration / continuous delivery (CI/CD) pipeline helps identify injection flaws both at the static code level and dynamically during application runtime testing. Modern application security testing (AST) tools such as Seeker can help secure the software application during the various test stages and check for a variety of injection attacks (in addition to SQL injections). For example, it can identify NoSQL injections, command injections, LDAP injections, template injections, and log injections. Seeker is the first tool to provide a new, dedicated checker designed to specifically detect Log4Shell vulnerabilities, determine how Log4J is configured, test how it actually behaves, and validate (or invalidate) those findings with its patented Active Verification engine.
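The "untrusted data in a SQL call" example and the three developer rules above, as an added illustration that is not part of the original page. It runs on an in-memory SQLite database with constructed rows: the vulnerable function concatenates the username into the query text, the fixed one specifies what a valid username looks like and binds the value as a parameter.

```python
# Added example (not from the original page): SQL injection in a user lookup,
# vulnerable and fixed, on an in-memory sqlite3 database with constructed rows.
import re
import sqlite3
from typing import List, Tuple

# "Specify what valid input looks like": an allow-list for usernames.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],  # constructed
    )
    conn.commit()
    return conn


DB = make_db()


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Vulnerable: the caller's string becomes part of the SQL grammar. A value
    such as  x' OR '1'='1  turns the WHERE clause into a tautology and every
    row is returned."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def find_user_fixed(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Fixed: reject malformed input, then bind the value as a parameter so the
    driver passes it as data and it can never change the statement's structure."""
    if not valid_username(username):
        return []
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print(find_user_vulnerable(DB, payload))  # both rows leak
    print(find_user_fixed(DB, payload))       # []
    print(find_user_fixed(DB, "alice"))       # [('alice', 'alice@example.com')]
```

Parameter binding is the control that actually prevents the injection; the allow-list is defence in depth and also keeps odd input out of downstream systems such as logs or templates.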

Insecure design

This is a new category that focuses on risks related to design flaws. As organizations continue to “shift left”, threat modeling, secure design patterns and principles, and reference architectures are not enough.

Ways to mitigate insecure design

  • Fix in design phase
  • Threat modeling
  • Implement security controls

    • Passwords
    • Two Factor Authentication

Example

A movie theater chain that allows group booking discounts requires a deposit for groups of more than 15 people. Attackers threat model this flow to see if they can book hundreds of seats across various theaters in the chain, thereby causing thousands of dollars in lost income.

Solution

Use Seeker tools to find the weakness.

Seeker IAST detects vulnerabilities and exposes all the inbound and outbound API, services, and function calls in highly complex web, cloud, and microservices-based applications. By providing a visual map of the data flow and endpoints involved, any weaknesses in the app's design are made clear, aiding in pen testing (penetration testing) and threat modeling efforts.

Security Misconfiguration

This category includes XML External Entities (XXE) and security misconfiguration. Security misconfigurations are design or configuration weaknesses that result from a configuration error or shortcoming.

Example

A website served over HTTP instead of HTTPS might face the following scenarios:

[Figures: three images illustrating the HTTP scenarios; not reproduced.]

Best Practices

  • Perform threat modeling
  • Apply appropriate security controls
  • Document application controls to minimize errors
  • Make security a part of every phase of development, especially design, deployment, and maintenance
  • Emphasize process and automation

Example:

A default account and its original password are still enabled, making the system vulnerable to exploit.

Solution:

Solutions like Coverity SAST include a checker that identifies the information exposure available through an error message. Dynamic tools like Seeker IAST can detect information disclosure and inappropriate HTTP header configurations during application runtime testing.
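The checks in the solution above (information exposure, HTTP header configuration) and the default-account example, as an added illustration that is not part of the original page or of any vendor tool. It audits two constructed deployment snapshots: the response headers a site sends and the accounts that are still enabled with their vendor-default password. Header names are the standard ones; the snapshots are sample data.

```python
# Added example (not from the original page): a small misconfiguration audit
# over constructed snapshots of HTTP response headers and enabled accounts.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    password_is_vendor_default: bool


def audit_headers(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Return one finding per weak or missing setting in a response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme.lower() != "https":
        findings.append("site served over plain HTTP: credentials and sessions travel in clear text")
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security: browsers can be downgraded to HTTP")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "content-security-policy" not in h and "x-frame-options" not in h:
        findings.append("no Content-Security-Policy or X-Frame-Options: clickjacking not mitigated")
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        # Information exposure: a version string tells an attacker what to look up.
        findings.append(f"Server header reveals software version: {server!r}")
    return findings


def audit_accounts(accounts: List[Account]) -> List[str]:
    """The 'default account and original password still enabled' case."""
    return [
        f"enabled account {a.name!r} still uses its vendor-default password"
        for a in accounts
        if a.enabled and a.password_is_vendor_default
    ]


# Constructed snapshots: a weak deployment and a hardened one.
WEAK_HEADERS = {"Server": "ExampleHTTPd/2.4.1", "Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Server": "ExampleHTTPd",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Content-Type": "text/html",
}
ACCOUNTS = [
    Account("admin", enabled=True, password_is_vendor_default=True),
    Account("svc_backup", enabled=False, password_is_vendor_default=True),
    Account("alice", enabled=True, password_is_vendor_default=False),
]

if __name__ == "__main__":
    for f in audit_headers("http", WEAK_HEADERS) + audit_accounts(ACCOUNTS):
        print("FINDING:", f)
    print("hardened:", audit_headers("https", HARDENED_HEADERS))  # []
```

A check like this belongs in the deployment pipeline rather than in a one-off review, which is what "emphasize process and automation" in the best practices above means in practice.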

Vulnerable and outdated Components

This means using components with known vulnerabilities. Due to the volume of components used in development, a development team might not know or understand all the components used in their application, and some of those components might be out-of-date and therefore vulnerable to attack.

How to handle components security

  • You need to know which components you’ve used
  • You need to be aware of component vulnerabilities
  • You need a process for keeping components up to date
  • Use a Software Composition Analysis (SCA) tool, such as Black Duck

Solution for component security

  • Using SCA as part of your build pipelines
  • Knowing what’s in your application is the first step
  • Responding quickly when vulnerabilities are published
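What an SCA step in a build pipeline does at its core, as an added example that is not part of the original page or of Black Duck: read the component inventory (a requirements.txt style list), compare each pinned version against an advisory list, and report components inside an affected version range. The inventory, package names and advisory ids are constructed placeholders, not real packages or vulnerabilities.

```python
# Added example (not from the original page): a minimal software composition
# check over a constructed inventory and a constructed advisory list.
import re
from typing import Dict, List, Tuple

# Constructed inventory in requirements.txt style.
REQUIREMENTS = """\
# constructed inventory, not a real project
examplelib==2.2.0
fastparse==1.0.4
harmlesspkg==3.1.0
"""

# Constructed advisories: affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "examplelib", "introduced": "2.0.0", "fixed": "2.3.1"},
    {"id": "ADV-EXAMPLE-0002", "package": "fastparse", "introduced": "0.9.0", "fixed": "1.0.4"},
]

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1). Leading digits of each dotted part; real tools use
    a full PEP 440 parser, this is enough for plain numeric versions."""
    return tuple(int(re.match(r"\d*", part).group() or "0") for part in v.split("."))


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (pins, unparsable). Unpinned lines are reported, not ignored:
    'knowing what's in your application' means every component has a version."""
    pins, unparsable = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m is None:
            unparsable.append(line)
        else:
            pins[m.group(1).lower()] = m.group(2)
    return pins, unparsable


def find_vulnerable(pins: Dict[str, str], advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """(package, pinned version, advisory id) for each pin in an affected range."""
    hits = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is None:
            continue
        v = parse_version(pinned)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            hits.append((adv["package"], pinned, adv["id"]))
    return hits


def scan(text: str = REQUIREMENTS) -> List[Tuple[str, str, str]]:
    pins, unparsable = parse_requirements(text)
    if unparsable:
        raise ValueError(f"unpinned components: {unparsable}")
    return find_vulnerable(pins, ADVISORIES)


if __name__ == "__main__":
    print(scan())  # [('examplelib', '2.2.0', 'ADV-EXAMPLE-0001')]
```

fastparse is pinned exactly at its fixed version and is therefore not reported; examplelib is inside its affected range and would fail the build, which is the "responding quickly when vulnerabilities are published" step automated.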

Identification and Authentication Failures

Previously known as Broken Authentication, this category now includes CWEs related to identification failures.

Specifically, functions related to authentication and session management, when implemented incorrectly, allow attackers to compromise passwords, keys, and sessions, which can lead to stolen user identity and more.

Example:

A web application allows the use of weak or easy-to-guess passwords (e.g., “password1”).

Solution:

Multi-factor authentication can help reduce the risk of compromised accounts, and automated static analysis is highly useful in finding such flaws, while manual static analysis can add strength when evaluating custom authentication schemes. Coverity SAST includes a checker that specifically identifies broken authentication vulnerabilities. Seeker IAST can detect hardcoded passwords and credentials, as well as improper authentication or missing critical steps in authentication.

Identification and Authentication Errors

  • Creating users with a preset default password
  • Storing passwords in plain text
  • Not mitigating against brute force attacks
  • Failing to validate certificates
  • Not implementing multi-factor authentication correctly

Secure authentication practices include

  • Logging repeated login attempts
  • Implementing lengthening login delays
  • Enforcing lockout after failed login attempts

How to Implement Authentication

  • Perform threat modeling
  • Perform plenty of testing
  • Perform penetration testing on the finished product
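The three secure authentication practices above (log repeated attempts, lengthen the delay between attempts, lock out after too many failures) in one small login guard, as an added example that is not part of the original page. The clock is injectable so the lockout can be exercised without sleeping; the thresholds and the IP address are constructed.

```python
# Added example (not from the original page): a login guard that logs failures,
# grows the delay between attempts and locks the account after a threshold.
import logging
import time
from typing import Callable, Dict

log = logging.getLogger("auth.audit")
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(name)s %(levelname)s %(message)s")


class ManualClock:
    """Test double for time.monotonic so lockout expiry can be checked offline."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginGuard:
    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900.0,
                 base_delay: float = 1.0, clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures          # illustrative thresholds
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.clock = clock
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() < until:
            return True
        # Lockout expired: clear it and reset the failure count.
        del self._locked_until[user]
        self._failures[user] = 0
        return False

    def required_delay(self, user: str) -> float:
        """Seconds to wait before processing the next attempt: 0 for the first
        try, then doubling (1, 2, 4, ...) per consecutive failure."""
        n = self._failures.get(user, 0)
        return 0.0 if n == 0 else self.base_delay * (2 ** (n - 1))

    def record_failure(self, user: str, source_ip: str) -> None:
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        # Log who and from where; never the password that was tried.
        log.warning("login failed user=%s src=%s consecutive_failures=%d", user, source_ip, n)
        if n >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            log.error("account locked user=%s src=%s for=%.0fs", user, source_ip, self.lockout_seconds)

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


def attempt_login(guard: LoginGuard, user: str, source_ip: str, password_ok: bool) -> str:
    """Returns 'locked', 'ok' or 'failed'. A real handler would first wait
    guard.required_delay(user) (or tell the client to retry after it)."""
    if guard.is_locked(user):
        return "locked"          # do not even evaluate the password
    if password_ok:
        guard.record_success(user)
        return "ok"
    guard.record_failure(user, source_ip)
    return "failed"


if __name__ == "__main__":
    clock = ManualClock()
    guard = LoginGuard(max_failures=3, lockout_seconds=60, clock=clock)
    for _ in range(3):
        print(attempt_login(guard, "alice", "203.0.113.5", False), guard.required_delay("alice"))
    print(attempt_login(guard, "alice", "203.0.113.5", True))   # locked
    clock.advance(61)
    print(attempt_login(guard, "alice", "203.0.113.5", True))   # ok
```

Note that a correct password is refused while the lockout is active; the password is not evaluated at all, so the lock cannot be used as an oracle.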

Software and Data Integrity Failures

Key words: Insecure deserialization.

This is a new category for 2021 that focuses on software updates, critical data, and CI/CD pipelines used without verifying integrity. Also now included in this entry, insecure deserialization is a deserialization flaw that allows an attacker to remotely execute code in the system.

Example

An application deserializes attacker-supplied hostile objects, opening itself to vulnerability.

Solution

Application security tools help detect deserialization flaws, and penetration testing can validate the problem. Seeker IAST can also check for unsafe deserialization and help detect insecure redirects or any tampering with token access algorithms.

Protect against Data Integrity Failures

  • No input can be trusted
  • Threat modeling can help identify how the application can be attacked and which security controls are appropriate
  • Careful implementation and testing will minimize code vulnerabilities
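The "attacker-supplied hostile objects" example and the "no input can be trusted" rule above, as an added example that is not part of the original page: a serialized object carries an HMAC-SHA256 tag, the receiver verifies the tag before parsing anything, parses only JSON (plain data, no object graph that can execute code on load), and then checks the structure against an allow-list of fields. The key and payload values are constructed.

```python
# Added example (not from the original page): integrity-protected serialization.
# Verify the tag first, parse data-only JSON second, validate the shape third.
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed key for the example; in production it comes from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-use"
ALLOWED_FIELDS = {"user_id": int, "role": str, "expires": int}


class IntegrityError(Exception):
    pass


def _tag(body: bytes) -> bytes:
    return hmac.new(SECRET_KEY, body, hashlib.sha256).digest()


def sign(obj: Dict[str, Any]) -> str:
    """Serialize with canonical key order and append the tag: <b64 body>.<b64 tag>."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(_tag(body)).decode()


def verify_and_load(token: str) -> Dict[str, Any]:
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        raise IntegrityError("malformed token")
    # Constant-time comparison, and nothing is parsed until it passes.
    if not hmac.compare_digest(_tag(body), tag):
        raise IntegrityError("bad signature: payload was tampered with or forged")
    obj = json.loads(body)
    if not isinstance(obj, dict) or set(obj) != set(ALLOWED_FIELDS):
        raise IntegrityError("unexpected structure")
    for field, typ in ALLOWED_FIELDS.items():
        # bool is a subclass of int in Python; reject it explicitly.
        if isinstance(obj[field], bool) or not isinstance(obj[field], typ):
            raise IntegrityError(f"field {field!r} has the wrong type")
    return obj


def is_valid(token: str) -> bool:
    try:
        verify_and_load(token)
    except IntegrityError:
        return False
    return True


def modified_copy(token: str, **changes: Any) -> str:
    """Constructed tampering for the check below: edit the body, keep the old tag."""
    body_b64, tag_b64 = token.split(".", 1)
    obj = json.loads(base64.urlsafe_b64decode(body_b64))
    obj.update(changes)
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + tag_b64


if __name__ == "__main__":
    token = sign({"user_id": 42, "role": "user", "expires": 1700000000})
    print(verify_and_load(token))
    print(is_valid(modified_copy(token, role="admin")))  # False: tag no longer matches
```

The same verify-then-parse order applies to software updates and pipeline artifacts: check the signature of the package or image before anything in it is unpacked or executed.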

Security Logging and Monitoring Failures

Key words: Insufficient logging and monitoring. This category is about making sure somebody knows when the application is under attack: the application has some situational awareness and is able either to notify someone or at least to send useful information to the logs for examination.

Formerly known as insufficient logging and monitoring, this entry has moved up from number 10 and has been expanded to include more types of failures. Logging and monitoring are activities that should be performed on a website frequently—failure to do so leaves a site vulnerable to more severe compromising activities.

Example

Events that can be audited, like logins, failed logins, and other important activities, are not logged, leading to a vulnerable application.

Solution

After performing penetration testing, developers can study test logs to identify possible shortcomings and vulnerabilities. Coverity SAST and Seeker IAST can help identify unlogged security exceptions.

Logging Failure Example

  • Writing sensitive information into application logs

    • Writing user password into logs
    • Writing API token in log messages

Developers need to do

  • Ensure that the application logs the failure when something wrong happens
  • Ensure that the application notifies a human about a log failure when needed

How to respond to different attacks

  • Brute force or credential stuffing a login page

    • Have the application notify someone
    • Implement account locking
    • Enforce rate limiting
  • Port scanning of a deployment system

    • The event should be logged
    • IP address should be added to a deny list

Direct action

  • Be careful writing application logs
  • Make sure you are not writing out sensitive information
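Two of the points above in code, as an added example that is not part of the original page: redact() keeps passwords and API tokens out of log messages before they are written, and detect_bruteforce() runs over application log lines to raise the "brute force or credential stuffing" alert from the response list. The log lines and addresses are constructed.

```python
# Added example (not from the original page): log redaction and a sliding-window
# brute-force detector over constructed log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# key=value / key: value forms of common secrets, plus bearer tokens.
SENSITIVE_KV = re.compile(r"(?i)\b(password|passwd|pwd|token|api[_-]?key|secret)\s*[=:]\s*\S+")
BEARER = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+")


def redact(message: str) -> str:
    """Apply before the message reaches any log sink."""
    message = SENSITIVE_KV.sub(lambda m: m.group(1) + "=[REDACTED]", message)
    return BEARER.sub("Bearer [REDACTED]", message)


LOGIN_FAIL = re.compile(r"^(?P<ts>\S+ \S+) WARNING login failed user=(?P<user>\S+) src=(?P<ip>\S+)")


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return {source_ip: failures} for every source with at least `threshold`
    failed logins inside any window of length `window` (any user: credential
    stuffing rotates usernames, so counting per user alone would miss it)."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = LOGIN_FAIL.match(line)
        if m:
            per_ip[m.group("ip")].append(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"))
    alerts: Dict[str, int] = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


# Constructed sample log: one source rotating usernames, one legitimate user.
SAMPLE_LOG = [
    "2021-11-03 10:00:01 WARNING login failed user=alice src=203.0.113.5",
    "2021-11-03 10:00:03 WARNING login failed user=bob src=203.0.113.5",
    "2021-11-03 10:00:04 WARNING login failed user=carol src=203.0.113.5",
    "2021-11-03 10:00:06 WARNING login failed user=dave src=203.0.113.5",
    "2021-11-03 10:00:09 WARNING login failed user=erin src=203.0.113.5",
    "2021-11-03 10:00:15 WARNING login failed user=alice src=198.51.100.7",
    "2021-11-03 10:01:00 INFO login ok user=alice src=198.51.100.7",
    "2021-11-03 10:30:00 WARNING login failed user=alice src=198.51.100.7",
]

if __name__ == "__main__":
    print(redact("login user=alice password=hunter2 token: abc123"))
    print(redact("Authorization: Bearer eyJhbGciOi.example"))
    print(detect_bruteforce(SAMPLE_LOG))  # {'203.0.113.5': 5}
```

The detector is what the "have the application notify someone" bullet consumes: its output is the event to alert on, and the source address is what the deny-list action in the port-scanning bullet would act upon.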

Server-side Request Forgery

Server-side request forgery (SSRF) can happen when a web application fetches a remote resource without validating the user-supplied URL. This allows an attacker to make the application send a crafted request to an unexpected destination, even when the system is protected by a firewall, VPN, or additional network access control list. The severity and incidence of SSRF attacks are increasing due to cloud services and the increased complexity of architectures.

Example

If a network architecture is unsegmented, attackers can use connection results or elapsed time to connect or reject SSRF payload connections to map out internal networks and determine if ports are open or closed on internal servers.

Solution

Seeker is one of the modern AST tools that can track, monitor, and detect SSRF without the need for additional scanning and triaging. Due to its advanced instrumentation and agent-based technology, Seeker can pick up any potential exploits from SSRF as well.

How attackers exploit SSRF

  • An attacker can trick the application into connecting to any network endpoint
  • An SSRF vulnerability can be exploited to reveal files or perform port scanning

Developer advice for SSRF

  • Do not trust input
  • Define allowed input and reject nonconforming values