OWASP Top10 security 2023

Introduction

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

1. Broken Access Control

(Unauthorized access) Data is served with wrong authentication or authorization checks. Fix: enforce authorization after the login flow, on every request.

2. Cryptographic Failures

(Weak or wrong encryption, e.g. DES instead of AES) Example: sensitive data such as credit card numbers stored with DES and a hard-coded key.

Solutions

  • Key management (Vault), key rotation

3. Injection: malicious input is interpreted as script or query syntax in the target context (e.g. SQL Injection)

Solutions

  • Validate every form field on input; use parameterized queries through an ORM

4. Insecure Design: vulnerabilities built into the architecture itself

Open ports, default ports (8081, 3000), default passwords (password: 12345, root),

Solutions

  • Apply security design principles and follow established secure-design practices

5. Security Misconfiguration

An S3 bucket set to public!

Solutions

  • Scanning tools, audits, avoid default configuration

6. Vulnerable and Outdated Components

Risk from outdated libraries and technologies

Solutions

  • Monthly package updates (e.g. GitHub Dependabot)

7. Identification and Authentication Failures:

Broken authentication, case: anyone can reset a password,

Solutions

  • Verify that authentication is implemented correctly; check that public APIs are safe to expose

8. Software and Data Integrity Failures

Other users' data can be changed,

Solutions:

  • Check authentication, add cryptographic integrity checks (as for Broken Access Control), notify users when their data is changed

9. Security Logging and Monitoring Failures

Design logging so that the data flow can be tracked and traced end to end,

Solutions:

  • Access log, action log, service log, application logging
  • Monitoring logs, transforming log data
  • Secure the logs; keep them on a persistent volume
  • Firebase cloud functions

10. SSRF (Server-Side Request Forgery)

A server-side HTTP request that should be safe is turned into an unsafe one, e.g. by changing an image URL or image name in a GET parameter, a cookie, or a public cloud bucket (public S3)

Solutions:

  • Strict URL filters
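As an added example (not from the original post), a strict URL filter in Python for the image-URL case above: it fails closed on anything but an https URL to an allow-listed host, rejecting embedded credentials, explicit ports and raw IP literals. The host names in the allow-list are assumed values.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-list of hosts the image fetcher may contact (hypothetical values).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_safe_image_url(url: str) -> bool:
    """Strict URL filter for a server-side image fetch.

    Accepts only https URLs whose host is on the allow-list, with no
    credentials, no explicit port and no IP literal. Anything the
    filter cannot fully parse is rejected (fail closed).
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Reject "user:pass@host" forms, which can hide the real host.
    if parts.username is not None or parts.password is not None:
        return False
    # Reject explicit ports; a non-numeric port raises ValueError here.
    try:
        if parts.port is not None:
            return False
    except ValueError:
        return False
    host = parts.hostname
    if not host:
        return False
    # Reject raw IP literals (loopback and internal ranges, IPv4 or IPv6).
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return host.lower() in ALLOWED_HOSTS
```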

More info: https://owasp.org/API-Security/editions/2023/en/0x00-header/

Thank you for watching!