How to Secure and Protect Your Website?

OWASP Top 10 Compliance with RidgeBot 3.6

What is OWASP Top 10?

Security breaches and attacks have become so prevalent that only the very largest ones now make the headlines. But attacks against organizations of all sizes have never been so rife or so sophisticated, making it all the more critical that you do everything you can to protect your organization’s digital assets.

The Open Web Application Security Project (OWASP) is a non-profit organization that works toward raising awareness of, improving, and managing web application security risks. Virtually all businesses and other public/private organizations in today's digital economy maintain web applications and servers to advertise, buy, sell, inform, and serve their customers or members in countless ways. By definition, a web application is public-facing: this makes it especially vulnerable to exploits from anywhere at any time. To protect your organization against security attacks and breaches, it is imperative to closely manage the vulnerabilities in web application software interactions.

OWASP evaluates the most prevalent and critical web application vulnerabilities to produce a Top 10 list that is updated every 3-4 years. The most recent report was published in 2017. The OWASP Top 10 project uses broad industry consensus to determine the 10 most critical web application security risk categories. Well-known industry CWEs (Common Weakness Enumerations) are mapped into the Top 10 categories. The CWEs in turn draw on a larger database of CVEs (Common Vulnerabilities and Exposures) maintained in the National Vulnerability Database (NVD) under the direction of the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Understanding the OWASP Top 10 Categories

The 2017 Top 10 OWASP vulnerabilities are:

A1:2017 Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.

A2:2017 Broken Authentication: Authentication and session management functions that are implemented incorrectly allow attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume users' identities.

A3:2017 Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and personally identifiable information (PII), allowing attackers to steal or modify such data to conduct fraud, identity theft, or other crimes.

A4:2017 XML External Entities (XXE): Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose data and to perpetrate other attacks.

A5:2017 Broken Access Control: Improper enforcement of restrictions on what authenticated users are allowed to do enables attackers to access unauthorized functionality and/or data.

A6:2017 Security Misconfigurations: Security misconfiguration is the most commonly seen issue, including insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.

A7:2017 Cross-Site Scripting (XSS): XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create HTML or JavaScript.

A8:2017 Insecure Deserialization: Insecure deserialization often leads to remote code execution, or can be used to perform replay attacks, injection attacks, and privilege escalation attacks.

A9:2017 Using Components with Known Vulnerabilities: Exploiting a vulnerable component—such as libraries, frameworks, and other software modules that run with the same privileges as the application—can lead to serious data loss or server takeover.

A10:2017 Insufficient Logging and Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data.

Ridge Security’s CWE to OWASP Top 10 Mapping

The OWASP Top 10 categories provide an easy, clear at-a-glance summary of the ten most critical web application security risks. To protect your organization’s web applications and servers, you must understand which specific vulnerabilities (CWEs) are included in each of the OWASP Top 10 categories.

While there is broad industry agreement on mapping CWEs to OWASP categories, there are differences in the specific implementations by different security mitigation vendors' products. These details determine the breadth of coverage and protection you get from using a specific vendor's product to pentest your web applications. RidgeBot covers a comprehensive list of CWEs in each OWASP Top 10 category, providing you with the highest confidence that RidgeBot's pentest and exploitation capabilities result in thorough protection of your organization's web applications and servers.

A1:2017 Injection

  • CWE 74—Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
  • CWE 77—Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
  • CWE 78—Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • CWE 88—Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’)
  • CWE 89—Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • CWE 90—Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
  • CWE 91—XML Injection (aka Blind XPath Injection)
  • CWE 93—Improper Neutralization of CRLF Sequences (‘CRLF Injection’)
  • CWE 94—Improper Control of Generation of Code (‘Code Injection’)
  • CWE 98—Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
  • CWE 290—Authentication Bypass by Spoofing
  • CWE 434—Unrestricted Upload of File with Dangerous Type
  • CWE 564—SQL Injection: Hibernate
  • CWE 917—Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
  • CWE 943—Improper Neutralization of Special Elements in Data Query Logic

A2:2017 Broken Authentication

  • CWE 203—Observable Discrepancy
  • CWE 256—Plaintext Storage of a Password
  • CWE 287—Improper Authentication
  • CWE 294—Authentication Bypass by Capture-replay
  • CWE 306—Missing Authentication for Critical Function
  • CWE 307—Improper Restriction of Excessive Authentication Attempts
  • CWE 308—Use of Single-factor Authentication
  • CWE 384—Session Fixation
  • CWE 400—Uncontrolled Resource Consumption
  • CWE 425—Direct Request (‘Forced Browsing’)
  • CWE 426—Untrusted Search Path
  • CWE 427—Uncontrolled Search Path Element
  • CWE 428—Unquoted Search Path or Element
  • CWE 444—Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’)
  • CWE 521—Weak Password Requirements
  • CWE 522—Insufficiently Protected Credentials
  • CWE 523—Unprotected Transport of Credentials
  • CWE 552—Files or Directories Accessible to External Parties
  • CWE 613—Insufficient Session Expiration
  • CWE 620—Unverified Password Change
  • CWE 640—Weak Password Recovery Mechanism for Forgotten Password
  • CWE 798—Use of Hard-coded Credentials
  • CWE 862—Missing Authorization
  • CWE 863—Incorrect Authorization

A3:2017 Sensitive Data Exposure

  • CWE 199—Information Management Errors
  • CWE 220—Storage of File with Sensitive Data Under FTP Root
  • CWE 295—Improper Certificate Validation
  • CWE 310—Cryptographic Issues
  • CWE 311—Missing Encryption of Sensitive Data
  • CWE 312—Cleartext Storage of Sensitive Information
  • CWE 319—Cleartext Transmission of Sensitive Information
  • CWE 320—Key Management Errors
  • CWE 325—Missing Cryptographic Step
  • CWE 326—Inadequate Encryption Strength
  • CWE 327—Use of a Broken or Risky Cryptographic Algorithm
  • CWE 328—Reversible One-Way Hash
  • CWE 359—Exposure of Private Personal Information to an Unauthorized Actor
  • CWE 538—Insertion of Sensitive Information into Externally-Accessible File or Directory
  • CWE 541—Inclusion of Sensitive Information in an Include File
  • CWE 668—Exposure of Resource to Wrong Sphere

A4:2017 XML External Entities (XXE)

  • CWE 611—Improper Restriction of XML External Entity Reference
  • CWE 776—Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’)

A5:2017 Broken Access Control

  • CWE 22—Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • CWE 118—Incorrect Access of Indexable Resource (‘Range Error’)
  • CWE 200—Exposure of Sensitive Information to an Unauthorized Actor
  • CWE 254—7PK – Security Features
  • CWE 264—Permissions, Privileges, and Access Controls
  • CWE 269—Improper Privilege Management
  • CWE 273—Improper Check for Dropped Privileges
  • CWE 275—Permission Issues
  • CWE 276—Incorrect Default Permissions
  • CWE 284—Improper Access Control
  • CWE 285—Improper Authorization
  • CWE 346—Origin Validation Error
  • CWE 352—Cross-Site Request Forgery (CSRF)
  • CWE 425—Direct Request (‘Forced Browsing’)
  • CWE 497—Exposure of Sensitive System Information to an Unauthorized Control Sphere
  • CWE 639—Authorization Bypass Through User-Controlled Key
  • CWE 732—Incorrect Permission Assignment for Critical Resource
  • CWE 915—Improperly Controlled Modification of Dynamically-Determined Object Attributes

A6:2017 Security Misconfigurations

  • CWE 16—Configuration
  • CWE 23—Relative Path Traversal
  • CWE 30—Path Traversal: ‘\dir\..\filename’
  • CWE 209—Generation of Error Message Containing Sensitive Information
  • CWE 297—Improper Validation of Certificate with Host Mismatch
  • CWE 298—Improper Validation of Certificate Expiration
  • CWE 331—Insufficient Entropy
  • CWE 332—Insufficient Entropy in PRNG
  • CWE 338—Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • CWE 345—Insufficient Verification of Data Authenticity
  • CWE 347—Improper Verification of Cryptographic Signature
  • CWE 358—Improperly Implemented Security Check for Standard
  • CWE 399—Resource Management Errors
  • CWE 407—Inefficient Algorithmic Complexity
  • CWE 601—URL Redirection to Untrusted Site (‘Open Redirect’)
  • CWE 693—Protection Mechanism Failure
  • CWE 829—Inclusion of Functionality from Untrusted Control Sphere
  • CWE 918—Server-Side Request Forgery (SSRF)

A7:2017 Cross-Site Scripting (XSS)

  • CWE 79—Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

A8:2017 Insecure Deserialization

  • CWE 113—Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’)
  • CWE 116—Improper Encoding or Escaping of Output
  • CWE 134—Use of Externally-Controlled Format String
  • CWE 502—Deserialization of Untrusted Data

A9:2017 Using Components with Known Vulnerabilities

  • CWE 17—Code
  • CWE 18—Source Code
  • CWE 19—Data Processing Errors
  • CWE 20—Improper Input Validation
  • CWE 59—Improper Link Resolution Before File Access (‘Link Following’)
  • CWE 119—Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE 120—Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  • CWE 121—Stack-based Buffer Overflow
  • CWE 122—Heap-based Buffer Overflow
  • CWE 125—Out-of-bounds Read
  • CWE 129—Improper Validation of Array Index
  • CWE 185—Incorrect Regular Expression
  • CWE 189—Numeric Errors
  • CWE 190—Integer Overflow or Wraparound
  • CWE 191—Integer Underflow (Wrap or Wraparound)
  • CWE 193—Off-by-one Error
  • CWE 252—Unchecked Return Value
  • CWE 330—Use of Insufficiently Random Values
  • CWE 361—7PK – Time and State
  • CWE 362—Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
  • CWE 367—Time-of-check Time-of-use (TOCTOU) Race Condition
  • CWE 369—Divide by Zero
  • CWE 415—Double Free
  • CWE 416—Use After Free
  • CWE 476—NULL Pointer Dereference
  • CWE 617—Reachable Assertion
  • CWE 787—Out-of-bounds Write
  • CWE 824—Access of Uninitialized Pointer
  • CWE 843—Access of Resource Using Incompatible Type (‘Type Confusion’)

A10:2017 Insufficient Logging and Monitoring

  • CWE 223—Omission of Security-relevant Information
  • CWE 255—Credentials Management Errors
  • CWE 388—7PK – Errors
  • CWE 404—Improper Resource Shutdown or Release
  • CWE 417—Communication Channel Errors
  • CWE 459—Incomplete Cleanup
  • CWE 507—Trojan Horse
  • CWE 532—Insertion of Sensitive Information into Log File
  • CWE 534—Information Exposure Through Debug Log Files
  • CWE 665—Improper Initialization
  • CWE 669—Incorrect Resource Transfer Between Spheres
  • CWE 674—Uncontrolled Recursion
  • CWE 681—Incorrect Conversion between Numeric Types
  • CWE 682—Incorrect Calculation
  • CWE 697—Incorrect Comparison
  • CWE 704—Incorrect Type Conversion or Cast
  • CWE 754—Improper Check for Unusual or Exceptional Conditions
  • CWE 755—Improper Handling of Exceptional Conditions
  • CWE 769—Uncontrolled File Descriptor Consumption
  • CWE 770—Allocation of Resources Without Limits or Throttling
  • CWE 772—Missing Release of Resource after Effective Lifetime
  • CWE 778—Insufficient Logging
  • CWE 834—Excessive Iteration
  • CWE 835—Loop with Unreachable Exit Condition (‘Infinite Loop’)

How a RidgeBot OWASP Top 10 Report Helps with Security Audits

Because the CWE to OWASP Top 10 mappings vary among vendor implementations, the statement that your organization is "OWASP Top 10 compliant" remains ambiguous. During an audit you may have to provide detailed evidence of protection for each of the specific CWEs that you, or the auditor, believe make you OWASP compliant.

RidgeBot’s comprehensive built-in OWASP report streamlines providing evidence to management or auditors that all your web applications are OWASP Top 10 compliant.

The header of the RidgeBot OWASP Top 10 report gives an executive summary of all the vulnerabilities found—classified into appropriate levels of severity—as well as those that were successfully exploited (red arrow). Further down (green arrow), the report provides detailed compliance information for each of the OWASP Top 10 categories and for the exact CWEs tested in each category.

For each of the servers you subjected to RidgeBot web penetration testing and exploitation, the body of the report indicates the compliance status of each of the OWASP Top 10 categories. This information gives you an instant roadmap to patch, upgrade or replace your applications to become compliant. It also gives you ready evidence to present to an auditor that your applications and servers are compliant.

The Benefits of Using RidgeBot to Maintain Protection Against OWASP Top 10

The OWASP community provides helpful information and tools to address web application security risks. While the Top 10 list is an extremely helpful and broad industry benchmark, it does not ease the burden of implementing a strategy to know how your web applications measure up, or how to fix lingering vulnerabilities. The Top 10 list also does not provide specifics of which exact CWEs your applications are protected against.

A RidgeBot pen-testing and exploitation run targets a comprehensive and industry-superior set of CWE vulnerabilities in each Top 10 category. The built-in report provides exact details of every Top 10 category and CWE tested and/or exploited. With a periodic—at the frequency of your choosing—RidgeBot test-exploit run against your web servers and applications, you can always rest assured that your organization's digital assets are as secure as possible from prevailing web-based attacks. You can provide on-demand information and evidence to management or auditors about the state of compliance of your organization's web-based activities. The report also includes detailed steps for resolving any vulnerabilities found—and the relative priority of each—that can guide staff on the specific actions to take to become or remain 100% compliant.