OWASP Top 10

What is OWASP and the OWASP Top 10?

The Open Web Application Security Project (OWASP) is a worldwide, nonprofit organization focused on improving the security of software. It functions as an online community that creates freely available articles, methodologies, documentation, tools, and technologies.

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

Covered OWASP Top 10 risks

OWASP Top 10 risk                                   Coverage
A1  Injection                                       Covered
A2  Broken Authentication and Session Management    Covered
A3  Cross-Site Scripting (XSS)                      Covered
A4  Insecure Direct Object References               Covered
A5  Security Misconfiguration                       Partially covered
A6  Sensitive Data Exposure                         Partially covered
A7  Missing Function Level Access Control           Covered
A8  Cross-Site Request Forgery (CSRF)               Covered
A9  Using Components with Known Vulnerabilities     Covered
A10 Unvalidated Redirects and Forwards              Covered

Protection level: 90%


A1 Injection

SQL injection risk arises from SQL queries that are not parameterized (queries built without a PreparedStatement in Java environments). Hdiv first minimizes the amount of untrusted data, because its web information flow control system prevents the manipulation of data generated on the server side. This architecture reduces the remaining risk to new data legitimately entered in editable form elements. It is important to note that even when a PreparedStatement is used, an SQL injection risk remains if the query is built from data generated earlier on the server side (e.g. the ID of an item in a list) that the client has since modified.

In addition Hdiv implements an internal system that detects SQL Injection risks within source code.

RISK COVERED

A2 Broken Authentication and Session Management

Hdiv detects hard-coded keys and passwords in the code, excessively long session timeouts, session IDs rewritten into URLs, weak passwords, whether the HttpOnly flag is set on the session cookie, and more. It also protects applications against brute-force login attacks and, thanks to its information flow control, denies access to unauthorized resources.

RISK COVERED

A3 XSS

XSS risks arise from HTML output that includes unescaped untrusted data. Hdiv first minimizes the amount of untrusted data through the web information flow control system it implements, which reduces the remaining risk to new data legitimately entered in editable form elements.

In addition, Hdiv implements an internal system that detects XSS risks within source code.

RISK COVERED

A4 Insecure Direct Object References

This risk comes from manipulating or updating data that was generated earlier on the server side. For instance, the server sends the client a list with an ID for each item; the client changes an ID and tries to access an item it is not allowed to see. Hdiv checks all data generated on the server side and ensures its integrity. An option also ensures the confidentiality of server-generated data, so that critical information (credit card numbers, etc.) is never displayed to the client.

RISK COVERED

A5 Security Misconfiguration

Current application security architectures are not secure by default; instead, programmers must add security measures to prevent access to private or confidential resources. The information flow control system implemented by Hdiv controls the resources (links and forms) the application exposes and prevents the original contract offered by the server from being broken. In other words, even when the programmer does not use an access control system or ACL (Java EE or Spring Security), Hdiv knows which resources each user may legitimately access.

RISK PARTIALLY COVERED

A6 Sensitive Data Exposure

Hdiv offers several features to minimize sensitive data exposure. Our products apply confidentiality to all data generated on the server side: Hdiv replaces the original parameter values generated by the server with relative values (0, 1, 2, 4, etc.) so that critical data is never exposed to the client. Additionally, Hdiv can hide sensitive data partially or completely depending on the user profile, while keeping track of each user's usage, and it detects errors such as sending credit card numbers in plain text.

RISK PARTIALLY COVERED
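The integrity and confidentiality mechanism described under A4 and A6, together with the parameter binding mentioned under A1, as a minimal added example written for this page (not Hdiv's own code): the page id, the /item?page=...&item=... URL shape, the in-memory store and the item table are assumptions.

```java
import java.sql.*;
import java.util.*;

// Per-page state: the browser only ever sees a page id plus relative values
// (0, 1, 2, ...); the real server-generated ids stay on the server.
// Hypothetical minimal version written for this page, not Hdiv's implementation.
public final class PageState {
    // Assumed to live in the user's HTTP session in a real deployment.
    private static final Map<String, PageState> STORE = new HashMap<>();
    private final String pageId = UUID.randomUUID().toString(); // random, unguessable
    private final List<Long> realIds = new ArrayList<>();

    public static PageState begin() {
        PageState s = new PageState();
        STORE.put(s.pageId, s);
        return s;
    }

    // Rendering: register a real id and emit the link the page will contain.
    public String link(long realId) {
        realIds.add(realId);
        return "/item?page=" + pageId + "&item=" + (realIds.size() - 1);
    }

    // Next request: map the relative value back, rejecting anything that was
    // not issued for this page (integrity), including guessed or extra indexes.
    public static long resolve(String pageId, String relative) {
        PageState s = STORE.get(pageId);
        if (s == null) throw new SecurityException("unknown or expired page state");
        int idx;
        try {
            idx = Integer.parseInt(relative);
        } catch (NumberFormatException e) {
            throw new SecurityException("tampered parameter");
        }
        if (idx < 0 || idx >= s.realIds.size()) throw new SecurityException("tampered parameter");
        return s.realIds.get(idx);
    }

    // Even a validated id is bound as a parameter, never concatenated into SQL.
    public static String itemName(Connection db, long id) throws SQLException {
        try (PreparedStatement ps = db.prepareStatement("SELECT name FROM item WHERE id = ?")) {
            ps.setLong(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```

A request carrying item=7 when only three links were rendered, or a page id the server never issued, is rejected in resolve before any SQL runs.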

A7 Missing Function Level Access Control

The same information flow control described under A5 applies here: Hdiv controls the resources (links and forms) exposed to each user and prevents the server's original contract from being broken, so a function that was never offered to a user cannot be invoked even when the programmer has configured no access control system or ACL (Java EE or Spring Security).

RISK COVERED

A8 CSRF

Hdiv adds a random token to each link and form in the application, making a CSRF attack extremely difficult because the attacker does not know the token value. To offer a higher level of security, Hdiv does not use one random token per session but creates a new token for each requested page. Even the tokens used by links and forms within the same page differ, so a link token cannot be reused to exploit a web form: one token is created for data retrieval requests (GET, HEAD, TRACE and OPTIONS HTTP methods) and another for data modification requests (POST, PATCH, PUT and DELETE methods).

RISK COVERED
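Per-page tokens with a separate value for data-retrieval links and data-modifying forms, as an added example written for this page (not Hdiv's own implementation); the class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

// Per-page CSRF tokens: a fresh pair for every rendered page, one for safe
// (data-retrieval) methods used by links and one for state-changing methods
// used by forms. Hypothetical minimal version, not Hdiv's implementation.
public final class PageTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Set<String> SAFE = Set.of("GET", "HEAD", "TRACE", "OPTIONS");
    private final String linkToken = fresh();
    private final String formToken = fresh();

    private static String fresh() {
        byte[] b = new byte[32];                 // 256 bits from a CSPRNG
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Rendering: each link carries linkToken, each form carries formToken.
    public String tokenFor(String method) {
        return SAFE.contains(method.toUpperCase()) ? linkToken : formToken;
    }

    // Validation on the next request: the token must be the one issued for this
    // method class, so a link token cannot be replayed against a form.
    public boolean valid(String method, String presented) {
        if (presented == null) return false;
        byte[] expected = tokenFor(method).getBytes(StandardCharsets.UTF_8);
        byte[] got = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, got);   // constant-time comparison
    }

    public static void main(String[] args) {
        PageTokens page = new PageTokens();
        String link = page.tokenFor("GET"), form = page.tokenFor("POST");
        if (!page.valid("GET", link) || !page.valid("POST", form))
            throw new AssertionError("issued tokens must validate");
        if (page.valid("POST", link))
            throw new AssertionError("link token must not authorise a form submit");
        if (new PageTokens().valid("POST", form))
            throw new AssertionError("token from another page must be rejected");
        System.out.println("per-page tokens behave as expected");
    }
}
```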

A9 Using Components with Known Vulnerabilities

Although Hdiv cannot update out-of-date software used by web applications, its web information flow control system hinders the exploitation of known and unknown vulnerabilities in that software. In many cases (see the Struts cancel vulnerability) the risk lies in an unexpected use of the web application. Hdiv does not allow the original contract to be broken, so existing vulnerabilities are harder to exploit.

RISK COVERED

A10 Unvalidated Redirects and Forwards

This vulnerability mainly involves manipulating data generated earlier on the server side. Hdiv controls all data that comes from the server, preventing redirection to malicious websites.

RISK COVERED

Resources

Videos:
- Securing Android and iOS applications
- Hdiv Protection (RASP) in the Production environment
- OWASP WebGoat and Hdiv Protection (RASP)
- Hdiv RASP protecting Spring REST APIs