The Open Web Application Security Project (OWASP) is a non-profit organisation founded on the motive of improving software security. OWASP WAF which is the ModSecurity core ruleset is provided to help improve application security through a web application firewall.
The OWASP Foundation is the source for developers and technologists to safeguard the web through community-led open-source software projects, hundreds of local chapters globally, tens of thousands of members, and leading educational and training conferences.
- Resources and Tools
- Networking and Community
- Training & Education
OWASP TOP 10
The OWASP Top 10 is a book/reference document that summarises the top ten security concerns for web applications. The report is put together by a group of security specialists from across the world, and the data is gathered from a variety of sources before being analysed.
The Top 10 is described by OWASP as an “awareness document,” and it is recommended that all organisations implement the report into their procedures to reduce security risks. One thing to keep in mind is that this is not a standard.
Organisations can customise the matrix to fit their own needs. Top10 is defined by OWASP, which collects data from a large number of people and organisations and then makes it available for us to comment on.
OWASP Top 10 vulnerabilities
Based on the level of damage the vulnerabilities have caused, OWASP has derived a list of top 10 threats. Listed from A1 to A10, A1 being the most severe and A10 being the least.
- A1:2021: Broken Access Control
- A2:2021: Cryptographic failures (sensitive data exposure)
- A3:2021: Injection
- A4:2021: Insecure Design
- A5:2021: Security Misconfiguration
- A6:2021: Vulnerable and outdated components
- A7:2021: Identification and Authentication Failures
- A8:2021: Software and Data Integrity Failures
- A9 2021: Security Logging and Monitoring Failures
- A10:2021: Server-side request forgery
A1:2021:Broken Access Control
- The failure of the system to validate the user even after the user authentication is called Broken Access Control.
- This may allow the user to bypass the basic access controls without proper validation. It leads to admin-level data exposure, which in turn may lead to several other complications.
A2:2021: Cryptographic failures (sensitive data exposure)
- Sensitive data is important information or an asset to be protected. It includes personally identifiable information (PII), banking information, login credentials, etc.
- Cryptographic failures occur when the data is unencrypted in the database or server and can be easily accessed by everyone. It is the consequence of inadequate protection of the database.
A3:2021 – Injection
- An injection is a broad class of attack vectors. This flaw allows the malefactors to execute a discrete code on the host operating system through a vulnerability exploit.
- The attacker provides an altered input to a program. As this input gets executed as a part of a command or a query, the result gets altered. It could lead to data loss, data corruption, and loss of credibility.
A4:2021 – Insecure Design
- Insecure Design is a flaw in the design of the system. In other words, insecure or missing design is where control is absent.
- It may be on the server side or the application side, or the user side. By using this flaw, the malefactors can get hold of system assets.
A5:2021 – Security Misconfiguration
- Misconfiguration occurs whenever the system fails to meet the security framework standards.
- It can occur at the application server-side, web server-side, application stack level, or on the network side.
- Non-identification of these flaws may sabotage and compromise the entire system.
A6:2021 – Vulnerable and Outdated Components
- Usage of third-party software components in the development process may make your system vulnerable to attacks.
- Third-party application frameworks, libraries, technologies may have exposure to vulnerabilities.
- Using outdated components in nested dependencies, client-side and server-side failing to check the compatibility of updated library patches, may help the threat vectors to breach the system.
A7:2021 – Identification and Authentication Failures
- It is the theft of user credentials, session tokens, keys, etc.. to gain unauthorised privilege. Attackers try authentication failures manually and attack them by using password lists and automated tools.
- Based on the domain, this may lead to money laundering, identity theft, social security fraud, and sensitive information disclosure.
A8:2021:Software and Data Integrity Failures
- Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations.
- Usage of critical data and their applications without validating might lead the system to open to these types of threats.
A9:2021:Security Logging and Monitoring Failures
- Lack of logging and monitoring the threats to the application from time to time causes these types of attacks.
- It may lead to compromising the entire system and an untraceable attack.
A10:2021:Server Side Forgery Request (SSRF)
- Web applications can trigger requests in between HTTP servers. These are typically used to fetch remote resources such as software updates or import metadata from a URL or another web application.
- The attacker induces the server to make a connection to internal-only services within the organisation’s infrastructure. It disrupts the request process, exposing the system to vulnerability.
ModSecurity, often known as Modsec, is a free web application firewall (WAF). Originally designed as a module for the Apache HTTP Server.
It has evolved to provide a variety of HTTP request and response filtering capabilities, as well as other security features, across a variety of platforms, including Apache HTTP Server, Microsoft IIS, and Nginx.  It’s open-source software licenced under the Apache 2.0 licence.
The platform includes a ‘SecRules’ rule configuration language for real-time monitoring, logging, and filtering of Hypertext Transfer Protocol conversations using user-defined rules.
ModSecurity Core Ruleset – OWASP WAF
The 1st Line of Defence Against Web Application Attacks is the OWASP ModSecurity Core Rule Set.
The OWASP ModSecurity Core Rule Set (CRS) is a collection of attack detection rules that may be used with ModSecurity or other compatible web application firewalls.
With a minimum of false warnings, the CRS tries to protect online applications from a wide range of assaults, including the OWASP Top Ten.
SQL Injection, Cross-Site Scripting, Local File Inclusion, and other typical attack categories are all protected by the CRS.