
Simple example to understand OWASP TOP 10 Application Security Risk 2017 II


A7 – Insufficient Attack Protection

This is a newly added category. When an attack happens, how fast can your team react and roll out patches to fix the vulnerability? Does your system use any monitoring tools to detect abnormal or unusual request traffic? Such traffic can be a sign that an attacker is trying something malicious against your system.


Logs are critical to a timely response. If you can't release a patch that closes the vulnerability within a day, you may decide to block specific IP addresses or IP ranges in the meantime. Your system must be able to detect, prevent and respond quickly to attacks.

A8 – Cross-Site Request Forgery (CSRF)

CSRF is an attack that forces a user to perform unwanted actions on a web application in which he/she is currently authenticated.


So for this attack to succeed, the victim has to be logged into the system. An attacker can then forge a GET or POST request and have it sent to the web server without the victim's knowledge.


A simple example: a user is logged into a system that has an update-account function for changing email, address, contact number and so on.


It is easy for an attacker to learn the GET or POST request structure if they can register an account on the system or sniff the traffic. Now, let's say the attacker has learned the structure of the update GET request, for example:

http://www.example.com/usermgt.php?email=hacked@hotmail.com&contact=111111


For a POST request, the attacker can do something like this:

<html>
<body onload='document.CSRF.submit()'>
  <!-- auto-submitting form that posts the forged update to the target site -->
  <form action='http://www.example.com/usermgt.php' method='POST' name='CSRF'>
    <input type='hidden' name='email' value='hacked@hotmail.com'>
    <input type='hidden' name='contact' value='111111'>
  </form>
</body>
</html>


Somehow the victim is tricked into visiting a spoofed page that the attacker created. The page can be as simple as the one below; an image tag is enough.

<img src="http://www.example.com/usermgt.php?email=hacked@hotmail.com&contact=11111111"> <img src="http://www.example.com/logout.php">


Once the victim loads this page, the browser sends the request to the web server together with the victim's session cookie. The server receives the request, verifies that the session is valid, and so the email and contact are updated. Now the attacker can go to the forgot-password function and reset the victim's account password.


To prevent this, the developer can add a unique per-session token to each state-changing HTTP request, which makes it very difficult for an attacker to forge the request.
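Here is what the server-side check described above can look like, as an added example that is not part of the original post: a Python stand-in for usermgt.php (the in-memory session store, the field names and the hypothetical handle_update function are assumptions) that rejects the forged GET/POST above because it carries no per-session token.

```python
import hmac
import secrets

# Constructed in-memory session store for this example: session id -> session data.
SESSIONS = {}

def new_session(email="victim@example.com", contact="222222"):
    """Log a (constructed) user in and issue a random per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"email": email, "contact": contact,
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_update_form(sid):
    """Legitimate update-account page: the token rides in a hidden field that a
    page on the attacker's domain cannot read, so it cannot build a valid request."""
    token = SESSIONS[sid]["csrf_token"]
    return ("<form action='/usermgt.php' method='POST'>"
            f"<input type='hidden' name='csrf_token' value='{token}'>"
            "<input name='email'><input name='contact'><input type='submit'></form>")

def handle_update(sid, form):
    """Server side of the update request (hypothetical stand-in for usermgt.php).
    `sid` is the session id the browser sent as a cookie, `form` the submitted
    fields. Returns (status, message); the token check runs before any state change."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not authenticated"
    submitted = str(form.get("csrf_token", ""))
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "CSRF token missing or invalid"
    if "email" not in form or "contact" not in form:
        return 400, "missing fields"
    session["email"] = form["email"]
    session["contact"] = form["contact"]
    return 200, "account updated"

if __name__ == "__main__":
    sid = new_session()
    # Forged request from the attacker's page: right fields, but no token -> 403.
    print(handle_update(sid, {"email": "hacked@hotmail.com", "contact": "111111"}))
    # Legitimate submission carries the token from the rendered form -> 200.
    print(handle_update(sid, {"email": "me@example.com", "contact": "333333",
                              "csrf_token": SESSIONS[sid]["csrf_token"]}))
```

The same check applies to the GET variant: the image-tag request carries the session cookie but never the hidden token, so it is refused before anything changes.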

A9 – Using Components with Known Vulnerabilities

If a component (e.g. a framework library) is reported vulnerable, check your application code for where it is used. A common attack in this category is exploiting a broken cryptographic algorithm that you rely on to encrypt credential data. If your system is built on open-source software, e.g. WordPress or Joomla, remember to keep it upgraded to the latest version.

A10 – Underprotected APIs

Another newly added category. If your application exposes a public API, anybody can send requests to your system through it, and an attacker can pass malicious input to it. Remember the A1 Injection example, SQL injection? It is not only public APIs: developers tend to use APIs to fetch data from JavaScript in many data formats, e.g. REST/JSON and SOAP/XML.

Proper input validation is a must to prevent this. Also ensure that the communication between clients and your APIs is secured.
