OWASP Top 10: Why Compliance to OWASP Matters

Nov 10, 2022 1:00:00 PM

During a recent web application penetration test, my Compass IT Compliance colleague Jesse Roberts was quickly able to identify and exploit a coding vulnerability on a client’s public-facing web portal. As part of the engagement, Jesse was initially granted “standard user” access to the site, with only limited permissions, views, and access to data. While reviewing the publicly accessible site’s source code, Jesse determined that by simply modifying the web request and changing his “role” to “admin”, he could log out, log back in, and be welcomed back with open arms and full administrative rights to the site, including the ability to view customer data, payment information, and other protected information. This finding directly violates Open Web Application Security Project (OWASP) guidance and could cause the enterprise to fail a future audit or, even worse, suffer a breach if it goes unnoticed or unpatched. OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. Adhering to the OWASP Top 10 has become customary practice in today’s security landscape. Many organizations attempt to adhere to these controls through training, internal audits, penetration tests, and the like.

This client has gone through multiple risk assessments, compliance audits, and similar reviews. However, even with countless thorough interviews, observations, and reviews of evidence, this vulnerability was not caught until the penetration test (using the OWASP standard) was conducted. This finding is especially concerning because it did not require a phishing attack, an internal threat, or a focused attack to exploit. All it took was standard access and knowledge of how to modify a web request. This finding is a direct violation of OWASP A01:2021: Broken Access Control:

Description: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits. Common access control vulnerabilities include:

  • Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.
  • Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests.
  • Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user.
  • Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.

How to Prevent: Access control is only effective in trusted server-side code or server-less API, where the attacker cannot modify the access control check or metadata.

  • Except for public resources, deny by default.
  • Implement access control mechanisms once and re-use them throughout the application, including minimizing Cross-Origin Resource Sharing (CORS) usage.
  • Model access controls should enforce record ownership rather than accepting that the user can create, read, update, or delete any record.
  • Unique application business limit requirements should be enforced by domain models.
  • Disable web server directory listing and ensure file metadata (e.g., .git) and backup files are not present within web roots.
  • Log access control failures, alert admins when appropriate (e.g., repeated failures).
  • Rate limit API and controller access to minimize the harm from automated attack tooling.
  • Stateful session identifiers should be invalidated on the server after logout. Stateless JWT tokens should rather be short-lived so that the window of opportunity for an attacker is minimized. For longer lived JWTs it's highly recommended to follow the OAuth standards to revoke access.
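As an added illustration (not code from this post or from Compass IT Compliance), the following constructed Python model shows the pattern behind the finding above beside a hardened form that follows the A01 guidance: the role comes from the server-side user record tied to the session rather than from the request, one reusable check denies by default, record ownership is enforced, and failures are logged. All users, sessions, and roles are constructed sample data.

```python
import logging
from dataclasses import dataclass, field

# Constructed sample data standing in for the server-side user and session stores.
USERS = {"alice": {"role": "user"}, "bob": {"role": "admin"}}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session id -> username
ROLE_PERMS = {"user": {"view_own"}, "admin": {"view_own", "view_all", "view_payments"}}

log = logging.getLogger("access")


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)  # e.g. {"session": "sess-alice"}
    params: dict = field(default_factory=dict)   # client-controlled request fields


def current_role_vulnerable(req):
    # The flaw described in the post: the role is read from a field the client controls.
    return req.params.get("role", "user")


def current_role(req):
    # Hardened: the role is looked up server-side from the session's user record.
    user = SESSIONS.get(req.cookies.get("session"))
    return USERS[user]["role"] if user else None


def require(permission):
    """One reusable access check: deny by default and log every failure."""
    def wrap(handler):
        def guarded(req, *args, **kwargs):
            role = current_role(req)
            if role is None or permission not in ROLE_PERMS.get(role, set()):
                log.warning("access denied session=%s perm=%s", req.cookies.get("session"), permission)
                return 403, "forbidden"
            return handler(req, *args, **kwargs)
        return guarded
    return wrap


def vulnerable_payments_handler(req):
    # Trusts the client-supplied role, so a "standard user" can reach payment data.
    return (200, "payment data") if current_role_vulnerable(req) == "admin" else (403, "forbidden")


@require("view_payments")
def payments_handler(req):
    return 200, "payment data"


@require("view_own")
def record_handler(req, record_owner):
    # Record ownership is enforced against the session's user, not a client-supplied identity.
    user = SESSIONS[req.cookies["session"]]
    if record_owner != user and "view_all" not in ROLE_PERMS[current_role(req)]:
        log.warning("ownership violation user=%s owner=%s", user, record_owner)
        return 403, "forbidden"
    return 200, f"record of {record_owner}"
```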

Web applications offer hackers an attack vector and a potentially dangerous entry point to your organization. Web application holes have resulted in the theft of millions of credit cards, major monetary loss, and damaged reputations for hundreds of enterprises. The number of computers compromised by visiting web sites altered by attackers is too high to count.

Why are web application risk assessments, scanning, and penetration tests so important? Without them, this vulnerability may have gone unnoticed by employees, assessors, and auditors. But recent attacks show that eventually, the “bad guys” would have noticed and exploited this vulnerability, potentially resulting in a serious breach of customer and client personally identifiable information (PII). Web application scanning allows you to identify potential vulnerabilities in your web applications and provide a prioritized remediation strategy to secure your web applications and close any loopholes that could be exploited. This allows you to identify the most critical flaws first, strengthening your security posture faster. Web application scanning will identify vulnerabilities such as:

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access Control
  • Security Misconfiguration
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • Using Components with Known Vulnerabilities
  • Insufficient Logging and Monitoring

Unfortunately, the client example mentioned at the start of this blog is not entirely unique in nature. Every day, malicious actors exploit these same vulnerabilities to wreak havoc, extract data, and lock systems. To combat this rising risk, it is strongly recommended that organizations regularly conduct web application risk assessments, scanning, and penetration testing based on the OWASP standard. Compass IT Compliance offers these services (both authenticated and unauthenticated) to assist organizations with understanding their vulnerabilities and providing them with a detailed remediation plan to mitigate their risks while taking business interests into account. Contact us today to discuss your unique web application challenges!
