2.2.11 Lab – Investigating OWASP
Objectives
- Part 1: OWASP Top 10
- Part 2: OWASP Community Pages
Background / Scenario
The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to web application security. About every three years, OWASP publishes a list of the Top 10 most critical web security concerns facing organizations. The objective of this report is to raise awareness of web application security and to help organizations incorporate this information into their processes to minimize and mitigate security risks.
OWASP also accepts community contributions of security-related content. The OWASP Community Pages provide lists of attacks and vulnerabilities reported by the community.
In this lab, you will explore the OWASP Top 10 from 2021 and a few of the attacks and vulnerabilities reported by community contributors.
Required Resources
- Internet access
Instructions
Part 1: OWASP Top 10
a. Navigate to the OWASP Top 10 (https://owasp.org/Top10).
b. At the time of this writing, the draft of the latest Top 10 list was published in 2021.
Review the Top 10 categories. Pick 3 categories out of the Top 10. In the table below, list your chosen categories. Then briefly describe the category and some of the ways to prevent attacks in the category.
| Top 10 Category | Description | Prevention |
|---|---|---|
| Example: Broken Access Control | Access control failures allow unauthorized users to access data and perform business functions. | An attacker should not be able to access or modify access control checks or metadata, or elevate their privileges. |
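The example row above describes the failure in one sentence. The following is an added illustration, not part of the lab or of OWASP's material, written as a small Node.js-style request handler with constructed invoice and user data. It shows the same "view invoice" function twice: once trusting the record id supplied by the client (an insecure direct object reference), and once deciding access on the server from the authenticated session with a deny-by-default rule, recording denied attempts so they can be detected.

```javascript
// Added example, not part of the lab: the same "view invoice" handler written
// first with a Broken Access Control flaw and then with a server-side check.
// All data below is constructed for the demonstration.
const invoices = {
  1001: { owner: "alice", total: 120.0 },
  1002: { owner: "bob", total: 75.5 },
};
const users = {
  alice: { role: "customer" },
  bob: { role: "customer" },
  carol: { role: "auditor" },
};

// Vulnerable: the handler trusts the invoiceId taken from the request and only
// checks that the record exists. A logged-in user who changes the id in the
// URL reads another customer's invoice (an insecure direct object reference).
function getInvoiceBroken(session, invoiceId) {
  const invoice = invoices[invoiceId];
  if (!invoice) return { status: 404 };
  return { status: 200, body: invoice };
}

// Hardened: the decision is made on the server from the authenticated session
// and the record's owner, never from anything the client supplies. Deny by
// default; allow only the owner or a user with the auditor role.
function canAccessInvoice(session, invoice) {
  const user = session && users[session.user];
  if (!user) return false;
  if (invoice.owner === session.user) return true;
  if (user.role === "auditor") return true;
  return false;
}

// Denied attempts are recorded so repeated probing of ids can be detected.
const deniedLog = [];

function getInvoiceSecure(session, invoiceId) {
  if (!session || !users[session.user]) return { status: 401 };
  const invoice = invoices[invoiceId];
  if (!invoice) return { status: 404 };
  if (!canAccessInvoice(session, invoice)) {
    deniedLog.push({ user: session.user, invoiceId: String(invoiceId) });
    return { status: 403 };
  }
  return { status: 200, body: invoice };
}

// Stand-alone demonstration
console.log(getInvoiceBroken({ user: "bob" }, 1001).status);  // 200: bob reads alice's invoice
console.log(getInvoiceSecure({ user: "bob" }, 1001).status);  // 403: denied and logged
console.log(getInvoiceSecure({ user: "carol" }, 1001).status); // 200: auditor role
```

The check lives in one function (`canAccessInvoice`) that every handler reuses, which is what makes "deny by default" reviewable: a new role or resource type is added there, not re-implemented in each route.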
Part 2: OWASP Community Pages
The OWASP Community Pages accept security-related contributions from the community. In this part, you will review the Vulnerabilities pages to investigate the attack techniques reported by contributors.
a. Navigate to the OWASP Community Page for Vulnerabilities (https://owasp.org/www-community/vulnerabilities/).
OWASP defines a vulnerability as a flaw in an application that a threat actor can exploit.
Review the List of Vulnerabilities and pick 3. In the table below, list your chosen vulnerabilities. Briefly describe the vulnerability and some of the ways to prevent exploitation.
| Vulnerabilities | Description | Prevention |
|---|---|---|
| Example: Allowing Domains or Accounts to Expire | An expired domain purchased by an attacker can be used to gather personal information, for example when an email server is hosted on a domain owned by a defunct company. | Do not allow domains to expire, and monitor the companies that host the servers. |
b. Navigate to the OWASP Community Page for Attacks (https://owasp.org/www-community/attacks).
According to OWASP, an attack is a technique used to exploit application vulnerabilities.
Review the List of Attacks and pick 3. In the table below, list your chosen attacks. Then briefly describe the attack and some of the ways to prevent it.
| Attacks | Description | Prevention |
|---|---|---|
| Example: Cross Site Scripting (XSS) | Malicious scripts are injected into trusted web sites via web requests. | The web server should be configured to validate incoming data. |
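The XSS row above names validation of incoming data as the prevention. The following is an added illustration, not part of the lab or of OWASP's material, written as a small server-side rendering function with constructed request values. It shows a reflected XSS flaw (a query parameter concatenated into HTML) beside the two defences a practitioner pairs: output encoding for the HTML body context at the point the value is written, and allow-list validation of the input. The function names, the `NAME_PATTERN` rule and the sample values are assumptions made for this example.

```javascript
// Added example, not part of the lab: a reflected XSS flaw in a greeting page
// and the two defences, output encoding and input validation. The request
// values below are constructed for the demonstration.

// Vulnerable: the parameter is concatenated straight into the HTML, so a value
// containing markup is rendered as markup and runs in the visitor's browser.
function renderGreetingBroken(name) {
  return "<p>Hello, " + name + "</p>";
}

// Defence 1: encode for the HTML body context at the point of output. Every
// character that could start or end markup becomes its character reference.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

// Defence 2: validate on input with an allow-list of what a name may contain
// (assumed rule for this example). Validation rejects bad data early; encoding
// is still required, because a legitimate value such as O'Brien passes the
// rule and must still be rendered safely.
const NAME_PATTERN = /^[A-Za-z0-9 '_.-]{1,40}$/;
function isValidName(name) {
  return typeof name === "string" && NAME_PATTERN.test(name);
}

function renderGreetingSecure(name) {
  if (!isValidName(name)) {
    return { status: 400, body: "<p>Invalid name.</p>" };
  }
  return { status: 200, body: "<p>Hello, " + escapeHtml(name) + "</p>" };
}

// Stand-alone demonstration with a constructed hostile parameter value
const hostile = '<script>alert("xss")</script>';
console.log(renderGreetingBroken(hostile));         // markup is emitted as-is
console.log(escapeHtml(hostile));                   // &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;
console.log(renderGreetingSecure(hostile).status);  // 400: rejected by the allow-list
console.log(renderGreetingSecure("O'Brien").body);  // <p>Hello, O&#39;Brien</p>
```

The encoding shown is correct only for the HTML body context; a value written into an attribute, a URL or a script block needs the encoding for that context, which is why output encoding is applied where the value is written rather than once on input.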