Most Common Web Security Vulnerabilities
Exploitability – What is needed to exploit the vulnerability? Rated highest when the attack needs only a web browser and lowest when it needs advanced programming and tools.
Detectability – How easy is it to detect the weakness? Rated highest when it is visible in a URL, form or error message and lowest when it can only be found in the source code.
Impact or Damage – How much damage is done if the vulnerability is exposed or attacked? Rated highest for a complete system crash and lowest for no damage at all.
The main aim of the OWASP Top 10 is to educate developers, designers, architects, managers and organizations about the most important security vulnerabilities.
Implication
· An attacker can inject malicious content into the vulnerable fields.
· Sensitive data such as user names and passwords can be read from the database.
· Database data can be modified (INSERT/UPDATE/DELETE).
· Administrative operations can be executed on the database.
Vulnerable Objects
· Input fields.
· URLs that interact with the database.
Examples:
· SQL injection on the login page
Logging into an application without valid credentials: a valid user name is known, but the password is not.
User Name: sjones
Password: 1=1' or pass123
Because the application concatenates these values directly into the query text, the SQL statement created and sent to the interpreter is:
SELECT * FROM Users WHERE User_Name =sjones AND Password = 1=1' or pass123;
Recommendations
1. Whitelist (validate) the input fields.
2. Avoid displaying detailed error messages that are useful to an attacker.
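The following is an added example, not code from the original article: a login check written the unsafe way the page describes (user input concatenated into the query text) beside a hardened version that applies both recommendations above, a whitelist on the user-name field and a generic error message instead of the database's own error text. The Users table, the user name sjones and the password value are constructed for the example; real applications store password hashes, not plaintext, and would also rate-limit logins.

```python
import re
import sqlite3

# Constructed in-memory Users table for the example (not the page's data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (User_Name TEXT, Password TEXT)")
    # Plaintext password only to keep the demo short; store a salted hash in practice.
    conn.execute("INSERT INTO Users VALUES ('sjones', 's3cret')")
    conn.commit()
    return conn

# Recommendation 1: whitelist of what a user name may look like (assumed policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.]{1,32}$")
GENERIC_ERROR = "invalid credentials"


def build_query_unsafe(user_name, password):
    # The anti-pattern the article warns about: untrusted input becomes SQL text.
    return ("SELECT * FROM Users WHERE User_Name = '" + user_name
            + "' AND Password = '" + password + "'")


def login_unsafe(conn, user_name, password):
    """Vulnerable form. Returns (authenticated, error_message)."""
    try:
        row = conn.execute(build_query_unsafe(user_name, password)).fetchone()
    except sqlite3.Error as exc:
        # Recommendation 2 violated: the raw database error is handed back to the
        # caller, so a malformed input reveals how the query is constructed.
        return False, str(exc)
    return row is not None, None


def login_safe(conn, user_name, password):
    """Hardened form: whitelist + parameterized query + generic error."""
    if not USERNAME_RE.fullmatch(user_name):
        return False, GENERIC_ERROR
    # Parameters are bound by the driver and never interpreted as SQL syntax,
    # so the page's password value is compared as a literal string.
    row = conn.execute(
        "SELECT * FROM Users WHERE User_Name = ? AND Password = ?",
        (user_name, password),
    ).fetchone()
    if row is None:
        return False, GENERIC_ERROR
    return True, None


if __name__ == "__main__":
    db = make_db()
    print("unsafe, page input:", login_unsafe(db, "sjones", "1=1' or pass123"))
    print("safe,   page input:", login_safe(db, "sjones", "1=1' or pass123"))
    print("safe,   real creds:", login_safe(db, "sjones", "s3cret"))
```

Feeding the page's password value to the unsafe function does not authenticate, but it does surface the database's own syntax error, exactly the detail recommendation 2 says not to display; the parameterized version treats the same value as an ordinary string and answers only "invalid credentials".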