
Technical Thursday

Security testing and the OWASP Top 10

Posted by: Eva
Category: security testing

Previously on

In a previous blog post, we already talked briefly about security, more specifically about the OWASP Foundation, which stands for the Open Web Application Security Project. About every three to four years since 2003, the foundation has released a Top 10 of the most critical security risks to web applications. This list of common vulnerabilities is a living set of documentation, maintained regularly and updated according to current practices and the prevalence of specific types of weaknesses. Its entries are closely related to two databases: CWE (Common Weakness Enumeration), which catalogues types of software weaknesses, and CVE (Common Vulnerabilities and Exposures), which records specific occurrences of those weaknesses in particular software products.

OWASP top 10

In this episode

We look at some vulnerabilities from the OWASP Top 10 in more detail and list some tools that can be used to test for them. Some of these weaknesses recur consistently in almost every version of the Top 10. One of the best examples, also shown in our previous blog post, is injection, which had been number 1 since 2010 but was overtaken this year by Broken Access Control and Cryptographic Failures.

Injection covers attacks like command injection and SQL injection, probably the most widely known type of weakness. Broken Access Control describes issues with authorization and permissions, where users can see and manipulate information they are not allowed to, for example a regular user who can reach the administrator sections of the application. This is not to be confused with authentication (logging in to an application and thus proving who the user is), which has a category of its own. Cryptographic Failures was previously known as Sensitive Data Exposure; the new name puts the focus on the cryptographic shortcomings that lead to data exposure. An important new category in 2021 is Insecure Design, which reflects the shift-left movement seen in software testing in general. Note that tests for these categories can overlap: you could, for example, use injection to retrieve sensitive information.
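To make the first two categories concrete, here is an added example (not code from the original post) that puts a vulnerable and a hardened version of each side by side: an SQL lookup that pastes input into the query text versus one that binds it as a parameter, and an admin-section check that only verifies authentication versus one that also verifies authorization. The table, rows and session dictionaries are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the original post): a tiny user table.
SAMPLE_USERS = [
    ("alice", "user"),
    ("bob", "admin"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Injection (A03): user input is spliced into the SQL text, so a value
    containing a quote changes the WHERE clause instead of being compared."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def admin_panel_broken(session: dict) -> bool:
    """Broken Access Control (A01): only checks that someone is logged in
    (authentication), not whether this user may see the admin section."""
    return bool(session.get("authenticated", False))


def admin_panel_fixed(session: dict) -> bool:
    """Fixed: authorization is checked explicitly against the user's role."""
    return bool(session.get("authenticated", False)) and session.get("role") == "admin"
```

A tester can confirm the fix by feeding the same quote-containing name to both lookups: the vulnerable version returns every row, the parameterized one returns nothing, and a session with role "user" is refused by the fixed admin check but accepted by the broken one.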

OWASP Changes from 2010 to 2013
OWASP Changes from 2017 to 2021

Tooling

When it comes to tools for testing security weaknesses, there are many options on the market. One of the best-known is Kali Linux, a distribution that bundles a large number of mostly command-line applications for penetration testing. An alternative is Metasploit, a framework for scanning and assessing applications and for performing manual penetration testing. But one of our favorite tools by far is Burp Suite by PortSwigger.

Our favorite

Alongside the free Community Edition, PortSwigger provides a Professional Edition for vulnerability scanning and manual penetration testing, and an Enterprise Edition that is mainly meant for continuous and scheduled testing, built on the same vulnerability scanner found in the Professional Edition. A considerable advantage of Burp Suite is its extensive documentation and free online academy, where you can learn the ins and outs of the application, get a thorough understanding of common vulnerabilities, and track your progress by solving labs. The academy is not specifically aligned with the OWASP Top 10, but its courses cover topics for all ten categories and more.

Burp Suite logo

Coming up

At Brightest, we cannot ignore the need to test the security of applications and to keep track of security best practices for developers. Keep an eye on our solutions page for more updates as we continue to expand our services in this area.

Written by Bart Taelemans