The OWASP Top 10 and its impact on web development in 2022
The OWASP Foundation exists to improve software security worldwide. Every four years, their global community publishes a list of the most dangerous security threats in the world. As a developer, I knew some of them already; in this article I would like to walk you through each security threat that made it onto the OWASP Top 10 vulnerabilities 2022 list.
1. Broken Access Control
There are a lot of things to take care of when creating websites: data validation, variable types, events and many others, including access control. Over time, as the application gains more and more features, it also gains numerous endpoints with complex roles and user-related logic. Combined with time pressure on delivery, this can leave gaps in the application’s security.
Broken Access Control describes scenarios where a user can perform actions they do not have permission for, as well as misconfiguration of CORS (Cross-Origin Resource Sharing) and manipulation of JWT (JSON Web Token) metadata. I’ll explain it with an example.
Suppose the application is a toy store with shops all over the world and many customers in several countries. There is an endpoint to update a toy item in stock that is meant to be used only by an administrator or a warehouse manager. If access control is broken, a random, newly created user can call it and create store locations that do not exist. This can cause supply problems, because it creates warehouse capacity that does not exist, and regular customers can start buying toys from non-existent warehouses via the online store. Cleaning this up causes a lot of trouble and takes extra time.
The same unauthorized user could also remove toys from the offer, or even buy them. Remember that unauthorized activity on your app may be a security leak and should be taken seriously.
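The stock-update endpoint from the toy-store example, as an added illustration that is not code from the article: the raw operation with no authorization check, then a deny-by-default version that enforces the roles server-side. Class, role and table names are assumptions; PHP 8.1+ and an in-memory SQLite database are used for the demo.

```php
<?php
// Added example (not from the article): the toy-store stock endpoint described
// above, first with no authorization check, then with a deny-by-default role
// check. Class and table names are assumptions; PHP 8.1+, SQLite for the demo.
declare(strict_types=1);

final class User
{
    public function __construct(public readonly int $id, public readonly array $roles) {}
}
final class AccessDeniedException extends RuntimeException {}

// VULNERABLE: any logged-in user, including one who registered a minute ago,
// can set stock for any warehouse, existing or not.
function updateStockUnchecked(PDO $db, int $toyId, int $qty, string $warehouse): void
{
    $db->prepare('INSERT OR REPLACE INTO stock VALUES (:t, :w, :q)')
       ->execute(['t' => $toyId, 'w' => $warehouse, 'q' => $qty]);
}

// HARDENED: authorization is enforced server-side on every call, only the two
// roles named in the article pass, and the warehouse must already exist.
function updateStock(User $user, PDO $db, int $toyId, int $qty, string $warehouse): void
{
    if (!array_intersect($user->roles, ['ROLE_ADMIN', 'ROLE_WAREHOUSE_MANAGER'])) {
        error_log("access denied: user {$user->id} tried to update stock"); // audit trail
        throw new AccessDeniedException('Not allowed to update stock');
    }
    if ($qty < 0) {
        throw new InvalidArgumentException('Quantity must not be negative');
    }
    $exists = $db->prepare('SELECT 1 FROM warehouse WHERE code = :w');
    $exists->execute(['w' => $warehouse]);
    if ($exists->fetchColumn() === false) {
        throw new InvalidArgumentException('Unknown warehouse');
    }
    updateStockUnchecked($db, $toyId, $qty, $warehouse);
}

// Demo with constructed data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE warehouse (code TEXT PRIMARY KEY)');
$db->exec('CREATE TABLE stock (toy_id INTEGER, warehouse TEXT, qty INTEGER, PRIMARY KEY (toy_id, warehouse))');
$db->exec("INSERT INTO warehouse VALUES ('WAW-1')");
updateStock(new User(1, ['ROLE_WAREHOUSE_MANAGER']), $db, 42, 10, 'WAW-1');   // allowed
try {
    updateStock(new User(2, ['ROLE_USER']), $db, 42, 10, 'WAW-1');            // fresh customer
    assert(false, 'should have been denied');
} catch (AccessDeniedException) {}                                             // expected
assert((int) $db->query('SELECT COUNT(*) FROM stock')->fetchColumn() === 1);
```

The point is that the check lives next to the operation, so hiding the button in the UI or trusting a role claim sent by the client is never the only barrier.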
2. Cryptographic Failures
Cryptographic failures describe every threat that can arise from not using recommended cryptography, or from using algorithms poorly. Do you use encrypted connections to your application, such as HTTPS, SSH or SFTP, to carry out configuration or code changes? Establishing secure and verified connections is crucial for data transfers: it prevents others from reading your data. Make sure your passwords are stored with a recommended hashing algorithm, and check whether the application still uses the deprecated MD5 or SHA1.
Encrypting confidential data can limit the damage of a database leak. But first, it’s a good idea to think about privacy laws and regulatory requirements, like the GDPR in the EU. If you examine your sensitive personal data more closely, you may find that you don’t need to store it at all. Try to store and process it in one place with fewer privileges - it will minimize the probability of a leak.
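Password storage with PHP’s password_hash(), plus a migration path away from the deprecated MD5 hashes mentioned above, as an added example that is not code from the article. The assumption that a legacy row is any 32-character hex string, and the shape of the stored hash, are mine.

```php
<?php
// Added example (not from the article): hashing passwords with password_hash()
// and replacing legacy unsalted MD5 hashes on the next successful login, so the
// deprecated algorithm the article warns about disappears over time. The
// 32-hex-char detection of legacy rows is an assumption for the demo.
declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12];

// Legacy MD5 check in constant time (hash_equals), used only during migration.
function legacyMd5Matches(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, md5($password));
}

// Verifies a login attempt and returns the hash the user row should hold
// afterwards: unchanged if it is already current, upgraded if it was MD5 or
// used a weaker cost. Returns null when the password is wrong.
function verifyAndUpgrade(string $password, string $storedHash): ?string
{
    if (preg_match('/^[0-9a-f]{32}$/', $storedHash) === 1) {      // legacy MD5 row
        return legacyMd5Matches($password, $storedHash)
            ? password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS)
            : null;
    }
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        return password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return $storedHash;
}

// Demo with constructed data: a row migrated from MD5 to a salted, slow hash
// on the user's first successful login.
$legacyRow = md5('correct horse battery');
$upgraded  = verifyAndUpgrade('correct horse battery', $legacyRow);
assert($upgraded !== null && password_verify('correct horse battery', $upgraded));
assert(verifyAndUpgrade('wrong password', $upgraded) === null);
assert(verifyAndUpgrade('correct horse battery', $upgraded) === $upgraded); // already current
```

The caller writes the returned hash back to the user row whenever it differs from the stored one; rows that never log in again can be forced through a password reset instead.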
3. Injection
This category of threat covers both XSS and SQL injection. They are fairly well known, and the protection against them is filtering and validating input. Both rely on injecting dangerous code to conduct malicious operations on the client or server side.
In web applications, raw queries are most often used to improve performance, but escaping query parameters is essential. Using PDO prepared statements already protects us from this, because the values are bound to the prepared statement rather than concatenated into the query. XSS itself is more complicated.
From a backend perspective, you should take care of persistent (stored) XSS: the payload is saved in the database and is executed when the data is presented. To protect against this, use the PHP “htmlspecialchars” function, which converts special characters into HTML entities that web browsers display rather than execute. XSS mainly depends on the use of the characters “<” and “>”, and once they are converted the injected markup is of no use to the attacker.
To illustrate how serious this threat can be: in 2019, an XSS vulnerability was found on the main Google search page. CSP (Content Security Policy) could work as a protection against it, but in large applications it requires a lot of work and proper implementation. Injection attacks are still a threat and need to be addressed, ideally with the help of a security specialist.
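The two defences this section names, a PDO prepared statement for SQL and htmlspecialchars() for stored XSS, as an added example that is not code from the article. The toy table and its rows are constructed for the demo on an in-memory SQLite database.

```php
<?php
// Added example (not from the article): the two defences this section names,
// a PDO prepared statement for SQL and htmlspecialchars() for stored XSS,
// on an in-memory SQLite table constructed for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE toy (id INTEGER PRIMARY KEY, name TEXT, review TEXT)');
$db->exec("INSERT INTO toy (name, review) VALUES ('Robot', 'Great toy')");

// VULNERABLE: the value becomes part of the SQL text, so quotes and other
// characters in the input change the statement instead of being compared.
function findToyUnsafe(PDO $db, string $name): array
{
    return $db->query("SELECT * FROM toy WHERE name = '$name'")->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the statement is compiled first and the value is bound afterwards;
// whatever the input contains, it is only ever compared as data.
function findToy(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT * FROM toy WHERE name = :name');
    $stmt->execute(['name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stored XSS defence: encode at output time, not at storage time. ENT_QUOTES
// also covers attribute contexts; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
function renderReview(string $review): string
{
    return '<p>' . htmlspecialchars($review, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

$input = "Bob's Robot";                               // an ordinary apostrophe is enough
try {
    findToyUnsafe($db, $input);                       // the quote breaks the SQL syntax
    assert(false, 'unsafe query should have failed');
} catch (PDOException) {
    // syntax error: proof that the input was parsed as SQL, not handled as data
}
assert(findToy($db, $input) === []);                  // same input, handled as data
assert(count(findToy($db, 'Robot')) === 1);

$stored = '<script>alert(1)</script>';                // what persistent XSS leaves in the database
assert(renderReview($stored) === '<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>');
```

An apostrophe in a customer’s name already makes the unsafe query fail, which is the same parsing confusion an attacker exploits; the prepared statement treats the identical input as a plain value.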
4. Insecure Design
Improving security often comes down to adding security specialists to your website development. Looking closer at a few things related to secure design can be a great idea, and developers can take a broader perspective on the project to improve security. Unfortunately, security design work has no direct business value and costs money, so it’s often outside the budget of many start-ups.
One of the key aspects of preventing insecure design is to put a strong emphasis on creating a secure connection between the frontend and backend of the site, and being on the lookout for any misuse. Ask yourself: what if some people use the app in an unusual way? Suppose a toy store has only two items in stock. What if someone sends 10 purchase requests asynchronously within a single second? Does your app accept all 10 purchases? Questions like these are a way to combine business requirements with a security mindset.
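The “two items in stock, ten purchase requests in one second” case, as an added example that is not code from the article: a read-then-write check that can oversell under concurrency beside an atomic conditional UPDATE that cannot. The stock table is constructed for the demo on an in-memory SQLite database.

```php
<?php
// Added example (not from the article): the "two items in stock, ten purchase
// requests in one second" case from the text. A read-then-write check can
// oversell under concurrency; an atomic conditional UPDATE cannot. The stock
// table is constructed for the demo (SQLite in memory).
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE stock (toy_id INTEGER PRIMARY KEY, qty INTEGER NOT NULL)');
$db->exec('INSERT INTO stock VALUES (1, 2)');

// VULNERABLE (time-of-check to time-of-use): ten concurrent requests can all
// read qty = 2 before any of them writes, so all ten pass the check.
function buyUnsafe(PDO $db, int $toyId): bool
{
    $check = $db->prepare('SELECT qty FROM stock WHERE toy_id = :id');
    $check->execute(['id' => $toyId]);
    if ((int) $check->fetchColumn() < 1) {
        return false;
    }
    // ...another request may run between the read above and the write below...
    $db->prepare('UPDATE stock SET qty = qty - 1 WHERE toy_id = :id')->execute(['id' => $toyId]);
    return true;
}

// SAFE: check and decrement are one statement. The database serialises writers,
// so no matter how the requests interleave, at most qty of them succeed.
function buy(PDO $db, int $toyId): bool
{
    $stmt = $db->prepare('UPDATE stock SET qty = qty - 1 WHERE toy_id = :id AND qty > 0');
    $stmt->execute(['id' => $toyId]);
    return $stmt->rowCount() === 1;   // 0 rows touched means sold out
}

// Ten purchase attempts against two items: exactly two may be accepted.
$accepted = 0;
for ($i = 0; $i < 10; $i++) {
    if (buy($db, 1)) {
        $accepted++;
    }
}
assert($accepted === 2);
assert((int) $db->query('SELECT qty FROM stock WHERE toy_id = 1')->fetchColumn() === 0);
```

A single-process loop cannot reproduce the race itself; run buyUnsafe() from several workers against a shared database to watch it oversell, while buy() stays at two.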
5. Security Misconfiguration
This topic is related to the security aspect of configuration. Apps are constantly evolving, and some of them change rapidly to suit business needs. Sometimes we turn on a lot of things at once, or set up a completely new server in a rush to present a demo to the client. After the presentation, we never look at the new server again, but does it have the appropriate security configuration? In many cases, the answer is no. You should always change the default password for any installed service. Be sure to review the services you are using and make some minor security checks during your code audits. Error messages should also be considered: maybe some of them should not be visible to the end user?
6. Vulnerable and Outdated Components
Security is improving every day. Sometimes there is a bug in a package or application, so it is good practice to keep them updated. GitHub already does that: it scans project dependency versions and sends a reminder that an upgrade is required. Symfony includes a package to check the security of your dependencies - it’s worth taking advantage of.
In web development, it is good practice to remove any dead code or unused components to keep the design in good condition. It doesn’t make sense to keep an inactive service or website with older code.
For the sake of security, updating existing code is important, even though developers try to avoid it as much as possible for fear of breaking something. An old website can become a target because the framework hasn’t been upgraded to the current version or because multiple packages are outdated. Each software release brings a lot of improvements, but some also retire old behaviour, so you need to adapt your code. Keep this in mind: always update your software and clean up the application. Don’t be afraid to upgrade your system as well.
7. Identification and Authentication Failures
In 2017, this was a common problem on the web. Many APIs were not properly protected and authentication did not work properly. A lot has changed since then, and nowadays many applications use two-factor authentication. Now we should be more aware of brute-force attacks that rely on leaked user databases.
Regarding identification, it is imperative to require strong passwords. When implementing authentication or any SSO, make sure that the user logs out correctly and write integration tests for it. But most of all, limit the number of login attempts. This can reduce the number of attacks based on database leaks.
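A per-account limit on login attempts, the measure this section puts first, as an added example that is not code from the article. The in-memory storage, the five-attempts-per-fifteen-minutes policy and all names are assumptions; with several application servers the counters need a shared store.

```php
<?php
// Added example (not from the article): a per-account login-attempt limit with
// a sliding window, plus a dummy hash check so unknown and known usernames take
// the same time. Storage is an in-memory array for the demo (a shared store
// such as Redis is needed with several app servers); names are assumptions.
declare(strict_types=1);
final class LoginThrottle
{
    private array $failures = [];   // username => list of failure timestamps
    public function __construct(private int $maxAttempts = 5, private int $windowSeconds = 900) {}

    public function isLocked(string $username, int $now): bool
    {
        // Keep only failures inside the window, then compare with the limit.
        $this->failures[$username] = array_values(array_filter(
            $this->failures[$username] ?? [],
            fn (int $t): bool => $t > $now - $this->windowSeconds
        ));
        return count($this->failures[$username]) >= $this->maxAttempts;
    }
    public function recordFailure(string $username, int $now): void { $this->failures[$username][] = $now; }
    public function reset(string $username): void { unset($this->failures[$username]); }
}

// $users maps username => password_hash(). Unknown users are verified against a
// dummy hash so response time does not reveal which accounts exist.
function login(LoginThrottle $throttle, array $users, string $username, string $password, int $now): bool
{
    if ($throttle->isLocked($username, $now)) {
        return false;                                   // locked: the password is not even checked
    }
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $ok = password_verify($password, $users[$username] ?? $dummyHash) && isset($users[$username]);
    if ($ok) {
        $throttle->reset($username);
    } else {
        $throttle->recordFailure($username, $now);
    }
    return $ok;
}

// Demo with constructed data: five wrong passwords lock the account for 15 minutes.
$users    = ['alice' => password_hash('hunter2!', PASSWORD_DEFAULT)];
$throttle = new LoginThrottle();
for ($i = 0; $i < 5; $i++) {
    assert(login($throttle, $users, 'alice', 'wrong', 1000 + $i) === false);
}
assert(login($throttle, $users, 'alice', 'hunter2!', 1010) === false);      // correct, but locked
assert(login($throttle, $users, 'alice', 'hunter2!', 1010 + 900) === true); // window expired
```

Lockouts per account can be turned against legitimate users, so pair them with a per-source limit or a challenge, and log every lockout for the monitoring described later in the article.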
8. Software and Data Integrity Failures
It is important to verify the packages installed on your system. Many existing solutions already do this on their own; for example, Linux-based package managers verify packages with the providers’ GPG keys.
Some software vendors publish a checksum of their software so you can verify the authenticity of downloaded files. For the sake of security, you should verify them yourself, as there is a possibility that an attacker has altered the file to include a virus or malware. Also check your packages against security advisories and make sure that CI/CD is properly configured.
Some attackers focus on the deployment flow, as it is easy to reach other services from there. Verify the integrity of the data exchanged with the customer and make sure there is no manipulation in between. This could be a gateway for further attacks.
9. Security Logging and Monitoring
Service monitoring is related to maintenance. Viewing the logs is important as you can act immediately as soon as you see potentially dangerous activity. Let me tell you about my experience. An SQL injection was found on a legacy site and an attack was launched. I noticed an increased load and started analyzing the traffic. It turned out that the attack was based on some sort of automated SQL hacking tool. The threat was defeated straight away, but only because of immediate action.
Analyze your application, traffic and load, and then set up alerts for unusual activities in a monitoring tool. Depending on the application, you should also monitor failed login attempts, transactions, or core services. An emergency incident flow, security processes, or backup plans could also be useful. In the case of an attack, time is of the essence and you need to act quickly.
10. Server-Side Request Forgery
To protect your application against SSRF, you should always validate the data entered. Each URL scheme should be checked against an allow list. Don’t rely on regular-expression deny lists, as most attackers are able to bypass them with one of the tools available on the web.
If possible, use network encryption such as a VPN. Don’t use HTTP redirection based on request parameters, as it can be bypassed and an unauthorized operation performed. Set the firewall to “deny by default” and adapt it to your needs. From time to time, check your firewall logs to make sure no one is probing your infrastructure or looking for blind spots.
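Allow-list validation of a user-supplied URL before the server fetches it, with redirects disabled as recommended above, as an added example that is not code from the article. The allowed hosts and the function names are assumptions.

```php
<?php
// Added example (not from the article): allow-list checking of a user-supplied
// URL before the server fetches it, and a fetch with redirects disabled, as the
// SSRF section recommends. The allowed hosts and function names are assumptions.
declare(strict_types=1);
const ALLOWED_SCHEMES = ['https'];
const ALLOWED_HOSTS   = ['api.partner.example', 'cdn.partner.example'];

// Returns a rebuilt URL that is safe to fetch, or null when it must be refused.
function validateOutboundUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    $host   = strtolower(rtrim($parts['host'], '.'));
    // Allow list, not a deny list: scheme and exact host name must both match.
    if (!in_array($scheme, ALLOWED_SCHEMES, true) || !in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // Legitimate callers never embed credentials or use a non-standard port.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    // Rebuild from the validated parts so nothing else from the input survives.
    return $scheme . '://' . $host . ($parts['path'] ?? '/')
         . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Fetch only a validated URL and never follow redirects: a permitted host must
// not be able to bounce the request to an internal address.
function fetchAllowed(string $url): ?string
{
    $safe = validateOutboundUrl($url);
    if ($safe === null) {
        return null;
    }
    $ch = curl_init($safe);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    return $body === false ? null : $body;
}

assert(validateOutboundUrl('https://api.partner.example/v1/toys?id=3') === 'https://api.partner.example/v1/toys?id=3');
assert(validateOutboundUrl('http://api.partner.example/v1/toys') === null);  // scheme not allowed
assert(validateOutboundUrl('https://internal.example/admin') === null);      // host not on the list
assert(validateOutboundUrl('https://api.partner.example:8443/') === null);   // unexpected port
```

The host name check does not cover what the name resolves to, so an egress firewall set to “deny by default”, as the text advises, remains the backstop for the case where a permitted name points at an internal address.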
OWASP Top 10 2022 - Summary
We don’t live in a perfect world, so let’s be honest: the OWASP Top 10 vulnerabilities 2022 list is quite long. It should be used as a guide to creating safer software.
You can also look at CWE’s list of the top 25 most dangerous software weaknesses to find out what else you should pay attention to.
Security is like building a wall for protection. No matter how big the wall is, there will always be someone who will try to jump over it. Whether you’re a major corporation with expensive assets or a small business with a restricted security budget, you cannot be protected from every attack. All you can do is to make it harder, or impossible, for the attacker to break in. And you should never give up the fight.