OWASP - Vulnerabilities in Web Applications

Top 10 Critical Vulnerabilities

When talking about web applications or websites, the topic of security risks inevitably comes up. But questions quickly arise, such as: What actually is a security risk, what are the risks and how often do they occur?

What is a security risk?

A security risk consists of two parts: on the one hand, the effects of an event or circumstance if it occurs, and on the other hand, the probability that it occurs.
For example, such an event could be someone finding out the password of a user account.
Together with its probability of occurrence, this results in a specific security risk.

Which security risks are there, and which occur most frequently?

There are lists that compare security risks and classify them according to certain criteria.
One such list is the "Top 10 Web Application Security Risks" from the OWASP Foundation.

OWASP stands for "Open Worldwide Application Security Project" and is a nonprofit foundation that aims to improve the security of software. Every four to five years, OWASP compiles a list of the 10 security risks that, from its point of view, are currently the most relevant. The latest version is from 2021.

When are security risks relevant and where does the data come from?

To create its 2021 list, OWASP used two categories of data.

The first category came from companies that had found vulnerabilities in web applications as part of their own processes. In total, data from more than 228,000 applications were considered. This data was used to identify eight of the ten vulnerabilities on the list.

The second category was determined by a survey. Penetration testers were asked which weaknesses and trends they currently see in web applications. This information was then used to identify the remaining two of the ten vulnerabilities on the list.

To determine the order of the security risks, OWASP only looks at how many applications a vulnerability was found in, not at how critical it is.

OWASP Top 10 Web Application Security Risks 2021

Below we see a comparison of the two lists from 2017 and 2021.
Only three of the ten vulnerabilities were newly added to the list. This tells us that many security risks reappear in the latest version and therefore continue to play a major role in current web applications.

Broken Access Control

This vulnerability landed in 1st place in 2021 because over 50% of the tested applications were affected by this risk.
In general, the security risk "Broken Access Control" is about being able to see or use information or functions of a web application even though the current user does not have the rights to do so.

For example:
Let's imagine a web application on which we can log in and enter and save data such as name, address and telephone number. This information should only be visible to the registered user it belongs to.
The URL to a user profile looks like this: "https://example.com/profil/User".

If User A now looks at his user profile, he sees the following URL: "https://example.com/profil/User_A". The username of the current user is always appended to the end of the URL.
If User A now wants to see User B's data, he can try to change the URL and replace his own username with User B's. The URL then looks like this: "https://example.com/profil/User_B".

Since the sample web application does not check whether the user is authorized to call up this profile, all of User B's personal data is now displayed.
To prevent such scenarios, the user's rights must be checked not only when buttons are clicked, but also every time a URL is called.
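To make the difference concrete, here is an added example (not code from the original article or from any real application) of the /profil/<username> route in two versions: the vulnerable one, which only checks that someone is logged in, and a hardened one that also checks that the logged-in user owns the requested profile. The user store, the session dictionary, the admin role and all function names are constructed for this illustration.

```python
"""Added example: a profile endpoint with and without an object-level
authorization check, modelled on the /profil/<username> scenario above.
The user store, session format, admin role and function names are
constructed for this illustration and do not come from a real app."""

from dataclasses import dataclass, asdict
from typing import Optional, FrozenSet


@dataclass(frozen=True)
class Profile:
    username: str
    name: str
    address: str
    phone: str


# Constructed sample data: two registered users of the example application.
USERS = {
    "User_A": Profile("User_A", "Alice Example", "1 Sample Street", "+49 000 111"),
    "User_B": Profile("User_B", "Bob Example", "2 Sample Street", "+49 000 222"),
}


def session_user(request: dict) -> Optional[str]:
    """Who is logged in. In a real app this comes from a server-side
    session bound to a cookie, never from the URL or a form field."""
    return request.get("session", {}).get("user")


def profile_vulnerable(request: dict, username: str) -> tuple:
    """GET /profil/<username> as the sample app in the article does it:
    it only checks that *someone* is logged in, then returns whatever
    profile the URL names. Any authenticated user can read any profile
    simply by editing the URL (broken access control)."""
    if session_user(request) is None:
        return 401, None
    profile = USERS.get(username)
    if profile is None:
        return 404, None
    return 200, asdict(profile)


def profile_hardened(request: dict, username: str,
                     admins: FrozenSet[str] = frozenset()) -> tuple:
    """Same route with the missing check: the profile is returned only if
    the logged-in user owns it (or holds the assumed admin role). The
    decision is made on the server for every URL call, not just when a
    button in the UI is clicked."""
    current = session_user(request)
    if current is None:
        return 401, None
    if current != username and current not in admins:
        # Denied cross-user requests are worth logging: a burst of them
        # from one session is a useful detection signal for this bug class.
        print(f"access denied: {current} requested profile of {username}")
        return 403, None
    profile = USERS.get(username)
    if profile is None:
        return 404, None
    return 200, asdict(profile)


if __name__ == "__main__":
    req_user_a = {"session": {"user": "User_A"}}
    print(profile_vulnerable(req_user_a, "User_B"))  # leaks User_B's data
    print(profile_hardened(req_user_a, "User_B"))    # (403, None)
    print(profile_hardened(req_user_a, "User_A"))    # User_A's own profile
```

Note that the hardened version performs the authorization check before looking the username up, so a non-owner gets 403 whether or not the profile exists; checking existence first would let a user enumerate valid usernames through the 404/403 difference.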

Conclusion

There are lists of security risks sorted by certain criteria. In the example of the top 10 OWASP security risks for web applications, you can see that they are only sorted according to frequency and not according to how dangerous they are.

It has also been shown that these security risks have been known for a long time and yet have not been fixed in every web application. For this reason, it is very important to check your own web application for these risks and to fix them.

In most cases, the gaps are easy to close - we are happy to support you!

Sven Hilsman

Author 

Sven Kirchner
Advanced Software Developer & Security Expert