OWASP Vulnerabilities: Broken Authentication, Security Misconfiguration, Insufficient Logging & Monitoring

Added on 2022/12/16
This article discusses the three OWASP vulnerabilities: Broken Authentication, Security Misconfiguration, and Insufficient Logging & Monitoring. It explains the vulnerabilities, their impact, and provides mitigation strategies to address them.

CASE STUDY: WEB APPLICATION
Table of Contents
INTRODUCTION
MAIN BODY
OWASP Vulnerability One: Broken Authentication
  Vulnerability
  Mitigation
OWASP Vulnerability Two: Security Misconfiguration
  Vulnerability
  Mitigation
OWASP Vulnerability Three: Insufficient Logging & Monitoring
  Vulnerability
  Mitigation
CONCLUSION
References
INTRODUCTION
OWASP stands for Open Web Application Security Project, a community that provides freely available articles, tools, documentation, methodologies and technology in the domain of web application security. It is managed by an online community that makes these resources available to technical as well as non-technical people. It was founded on 2 December 2001 in the United States and focuses mainly on web security, application security and vulnerability assessment, working through methods such as industry standards, conferences and workshops (OWASP, 2019). It is necessary to learn about these technical issues in order to apply such studies in real-world organisations; hence, the following discussion covers three basic OWASP vulnerabilities, namely broken authentication, security misconfiguration, and insufficient logging and monitoring, followed by the vulnerability and mitigation associated with each, with findings and a conclusion.
MAIN BODY
OWASP Vulnerability One: Broken Authentication
The first OWASP vulnerability is broken authentication, which means that the authentication required by the web application's source code has not been made strong enough by the administrator or owner of the website. The consequence of not setting up strong authentication is that an attacker can break it and use or misuse the source code of the web application against the administrator, which is ethically and legally wrong (Hassan, Nipa, Akter and Sharif, 2018). These weaknesses usually come from an incorrect implementation of the web application's authentication functions, which permits attackers to compromise session tokens, keys and passwords, or to exploit other implementation flaws, in order to assume the identities of users either temporarily or permanently. Attackers who gain specialised skill in attacking web applications know how to obtain many valid usernames and passwords through credential stuffing, account lists, default administrative accounts, dictionary attack tools and more.
Vulnerability
The critical points to protect against authentication-related attacks are confirmation of the user's identity, session management and authentication. An application has authentication weaknesses if it allows automated attacks such as credential stuffing, in which attackers try valid usernames and passwords belonging to many users (Nadar, Chatterjee and Jacob, 2018); if it allows brute force or other automated attacks; if it allows default, well-known or weak passwords such as "admin" or "password123"; if it uses weak or ineffective credential recovery and forgot-password processes, such as knowledge-based answers, which are not considered safe; if it stores passwords in plain text, weakly hashed or merely encrypted; if it is missing multi-factor authentication; if it does not rotate session IDs after successful login; or if it does not invalidate session IDs properly and exposes them in the URL (for example through URL rewriting). This last weakness arises because user sessions and authentication tokens are not properly invalidated at logout or after a period of inactivity.
Mitigation
Prevention of these vulnerabilities is as follows. Wherever possible, implement multi-factor authentication to prevent credential stuffing, automated attacks, re-use of stolen credentials and brute force attacks (Poston, 2020). Ensure that the application is not shipped or deployed with any default credentials, particularly for admin users. Implement weak-password checking, such as testing new and changed passwords against a list of the top 10,000 worst passwords. Align password length, complexity and rotation policies with the guidance in section 5.1.1 of NIST 800-63B for memorised secrets, or with other evidence-based password policies. Ensure that registration, credential recovery and API pathways are hardened against account enumeration attacks by returning the same messages for all outcomes. Limit repeated failed login attempts and, if an attack is detected, terminate the session immediately. Moreover, session IDs must not be in the URL, and sessions should be invalidated after logout and after absolute timeouts.
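The following is an added example (not code from the original report) of a minimal login service that applies the mitigations above: salted password hashing, a bad-password check at registration, one generic error message for every failure, attempt limiting, a fresh session ID on each login, and server-side invalidation on logout or absolute timeout. The bad-password list, the thresholds and the `AuthService` class are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the "top 10,000 bad passwords" list the text recommends checking against.
BAD_PASSWORDS = {"password", "password123", "admin", "123456", "qwerty"}
MAX_FAILED = 5                                # consecutive failures before further attempts are refused
SESSION_TTL = 15 * 60                         # absolute session lifetime in seconds
LOGIN_ERROR = "Invalid username or password"  # one message for every failure outcome
DUMMY_SALT = b"\x00" * 16                     # unknown users cost the same work as wrong passwords

def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256 instead of plain-text or weakly hashed storage.
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    def __init__(self):
        self.users = {}      # username -> (salt, digest)
        self.failures = {}   # username -> consecutive failed attempts
        self.sessions = {}   # session id -> (username, absolute expiry time)

    def register(self, username, password):
        # NIST 800-63B style check: minimum length plus rejection of known-bad passwords.
        if len(password) < 8 or password.lower() in BAD_PASSWORDS:
            return False
        self.users[username] = hash_password(password)
        return True

    def login(self, username, password, now):
        if self.failures.get(username, 0) >= MAX_FAILED:
            return None, LOGIN_ERROR              # attempts limited after repeated failures
        record = self.users.get(username)
        if record is None:
            hash_password(password, DUMMY_SALT)   # same work for unknown users
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if not ok:
            self.failures[username] = self.failures.get(username, 0) + 1
            return None, LOGIN_ERROR              # identical message: no account enumeration
        self.failures[username] = 0
        sid = secrets.token_urlsafe(32)           # fresh random session id on every login
        self.sessions[sid] = (username, now + SESSION_TTL)
        return sid, None

    def current_user(self, sid, now):
        entry = self.sessions.get(sid)
        if entry is None or now >= entry[1]:
            self.sessions.pop(sid, None)          # absolute timeout: invalidate server side
            return None
        return entry[0]

    def logout(self, sid):
        self.sessions.pop(sid, None)              # session id unusable after logout
```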
OWASP Vulnerability Two: Security Misconfiguration
The second OWASP vulnerability is security misconfiguration, which means that at the time of developing a web application it is important to configure its security settings properly so that problems cannot occur in future (Cuppens, Cuppens-Boulahia and Garcia-Alfaro, 2019). It is considered the most common issue seen nowadays because it results from insecure default configurations, incomplete or ad hoc configurations, misconfigured HTTP headers, open cloud storage and verbose error messages that contain sensitive information. All operating systems, libraries, frameworks and applications should be configured securely, and they should also be upgraded or patched frequently and in a timely manner, because attackers usually try to exploit unpatched flaws, accessible default accounts, unused pages, unprotected files and directories, and similar weaknesses in order to gain unauthorised access to, or knowledge of, the system.
Vulnerability
A web application is vulnerable when it lacks proper security hardening across any part of the application stack, or has improperly configured permissions on cloud services (Poptani and Gatty, 2018); when unnecessary features are installed or enabled at development time, such as unnecessary ports, accounts, services, privileges and pages; when default accounts and their passwords are still enabled and unchanged; when, on upgraded or updated systems, the latest security features are disabled or not configured securely; when the many security-related settings in application servers, application frameworks (for example Struts, Spring or ASP.NET), libraries and databases are not set to secure values; and when the server does not send security headers and directives, or they are not set to secure values. Outdated software is another major reason for vulnerability of the web application, because without a repeatable, concerted application security configuration process, systems are at very high risk.
Mitigation
There are various ways to prevent this vulnerability. The installation process must be secure, which mainly means it should be automated so as to reduce the effort required to set up a new, secure environment; this is done through a repeatable hardening procedure that makes it fast and easy to deploy another environment that is properly locked down (Chlosta, Rupprecht, Holz and Pöpper, 2019). Development, QA and production environments must all be configured in the same way, but with different credentials used in each environment. The web application should be a minimal platform without any unnecessary features, components, documentation or samples, so that its security is less complicated; it is therefore recommended not to install unused features and frameworks, or to remove them. It is necessary to review cloud storage permissions, and reviewing and updating the configuration in line with all security notes, updates and patches must be a task within the patch management process. It is essential to send security directives to clients, and to have an automated process to verify the effectiveness of the configuration and settings in all environments.
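As an added illustration (not code from the original report) of the checks above, the following audits an application's settings for default credentials, debug mode, directory listing and open cloud storage, checks and hardens the security headers sent to clients, and verifies that environments are configured identically apart from their credentials. The header values, setting names and the sample weak and hardened configurations are constructed for this example.

```python
# Response headers ("security directives") a hardened deployment sends to every client.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
}
LEAKY_HEADERS = ("Server", "X-Powered-By")   # advertise stack details and should not be sent
DEFAULT_ACCOUNTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

def audit_settings(settings):
    """Return the misconfigurations found in one environment's application settings."""
    findings = []
    if settings.get("debug"):
        findings.append("debug mode enabled: verbose errors leak stack traces")
    if settings.get("directory_listing"):
        findings.append("directory listing enabled: unprotected files are discoverable")
    for user, pw in settings.get("accounts", []):
        if (user, pw) in DEFAULT_ACCOUNTS:
            findings.append(f"default credentials still active for '{user}'")
    if settings.get("cloud_bucket_acl") == "public-read":
        findings.append("cloud storage bucket is publicly readable")
    return findings

def audit_headers(headers):
    """Flag required directives that are missing or weak, and headers that leak stack details."""
    findings = [f"missing or weak header: {n}" for n, v in REQUIRED_HEADERS.items()
                if headers.get(n) != v]
    findings += [f"information-leaking header sent: {h}" for h in LEAKY_HEADERS if h in headers]
    return findings

def harden_headers(headers):
    """Return a copy of the response headers with directives set and leaky headers removed."""
    hardened = {k: v for k, v in headers.items() if k not in LEAKY_HEADERS}
    hardened.update(REQUIRED_HEADERS)
    return hardened

def same_config_different_secrets(envs):
    """True when dev, QA and production settings are identical apart from their credentials."""
    stripped = [{k: v for k, v in e.items() if k != "accounts"} for e in envs.values()]
    creds = [tuple(sorted(e.get("accounts", []))) for e in envs.values()]
    return all(s == stripped[0] for s in stripped) and len(set(creds)) == len(creds)

# Constructed examples: a misconfigured deployment beside its hardened counterpart.
WEAK_SETTINGS = {"debug": True, "directory_listing": True, "accounts": [("admin", "admin")],
                 "cloud_bucket_acl": "public-read"}
HARDENED_SETTINGS = {"debug": False, "directory_listing": False,
                     "accounts": [("ops", "PLACEHOLDER-UNIQUE-SECRET")], "cloud_bucket_acl": "private"}
WEAK_HEADERS = {"Server": "Apache/2.4.x", "X-Powered-By": "PHP", "Content-Type": "text/html"}
```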
OWASP Vulnerability Three: Insufficient Logging & Monitoring
The third OWASP vulnerability is insufficient logging and monitoring, which means that adequate logging and monitoring is lacking at the time of developing the web application, and also while deploying it and using it for updates (Uddin, Islam and Al-Nemrat, 2019). Coupled with missing or ineffective integration with incident response, this permits attackers to attack the system further, maintain persistence, pivot to other systems, and tamper with, extract or destroy data. Most breaches involving this type of vulnerability show a time to detect the breach of approximately 200 days, and the breach is typically discovered by external parties rather than by internal monitoring or processes. Attackers rely mainly on the lack of monitoring and timely response to accomplish their unethical targets without being caught or detected. Therefore, insufficient logging and monitoring undermines the security of the web application.
Vulnerability
Insufficient logging, detection, monitoring and active response can occur at any time: auditable events such as failed logins and high-value transactions are not logged (Leite and Albuquerque, 2018); warnings and errors generate no, inadequate or unclear log messages; application and API logs are not monitored for suspicious activity, as they are only captured locally; appropriate alerting thresholds and response escalation processes are not in place or are ineffective; and penetration testing and scans by DAST tools such as OWASP ZAP do not trigger alerts. As a result, the web application cannot detect, escalate or alert on active attacks in real time or near real time. If logging and alerting events are visible to the attacker, this is itself a vulnerability.
Mitigation
There are various methods of prevention. All logins, access control failures and server-side input validation failures must be logged and monitored with sufficient user context to identify suspicious or malicious accounts, and the logs held for enough time to allow delayed forensic analysis (Al-Qassim and Al-Hemiary, 2018). Logs should be generated in a format that centralised log management solutions can easily consume, including an audit trail for high-value transactions. Effective monitoring and alerting should be established so that suspicious activities are detected and responded to in a timely manner. It is necessary to adopt an incident response and recovery plan, for example NIST 800-61 rev 2. Software is also available to support sufficient logging and monitoring, such as web application firewalls including ModSecurity, and log correlation software.
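The following is an added example (not code from the original report) of the logging and alerting described above: an application writes structured JSON-lines events that carry the user, source address and time, and a monitor parses them, counts login failures per source and per account over a sliding window, and surfaces access control and input validation failures for review. The sample log, the event names and the thresholds are constructed for illustration; the addresses are from documentation ranges.

```python
import json
from collections import defaultdict

# Constructed sample of a structured (JSON lines) application log: every failure carries
# enough context (account, source address, time) to investigate it later.
SAMPLE_LOG = """\
{"ts": 100, "event": "login_failed", "user": "alice", "src": "203.0.113.7"}
{"ts": 101, "event": "login_failed", "user": "bob", "src": "203.0.113.7"}
{"ts": 102, "event": "login_failed", "user": "carol", "src": "203.0.113.7"}
{"ts": 103, "event": "login_failed", "user": "dave", "src": "203.0.113.7"}
{"ts": 104, "event": "login_failed", "user": "erin", "src": "203.0.113.7"}
{"ts": 110, "event": "login_ok", "user": "alice", "src": "198.51.100.20"}
{"ts": 120, "event": "login_failed", "user": "frank", "src": "198.51.100.21"}
{"ts": 125, "event": "login_failed", "user": "frank", "src": "198.51.100.21"}
{"ts": 130, "event": "login_failed", "user": "frank", "src": "198.51.100.21"}
{"ts": 400, "event": "login_failed", "user": "frank", "src": "198.51.100.21"}
{"ts": 410, "event": "access_denied", "user": "alice", "src": "198.51.100.20", "path": "/admin"}
{"ts": 411, "event": "input_rejected", "user": "alice", "src": "198.51.100.20", "field": "id"}
"""

WINDOW = 60            # seconds over which failures are counted
SRC_THRESHOLD = 5      # failures from one source in WINDOW: stuffing or brute force pattern
USER_THRESHOLD = 3     # failures against one account in WINDOW: targeted guessing pattern

def parse_log(text):
    """Parse JSON-lines events, skipping malformed lines rather than stopping the monitor."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except ValueError:
            continue
    return events

def detect(events):
    """Sliding-window counters per source and per account; alerts are returned in time order."""
    alerts = []
    by_src, by_user = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] in ("access_denied", "input_rejected"):
            # Access control and input validation failures are surfaced for review every time.
            alerts.append(("policy_failure", ev["user"], ev["event"]))
        if ev["event"] != "login_failed":
            continue
        for key, table, limit, kind in ((ev["src"], by_src, SRC_THRESHOLD, "source"),
                                        (ev["user"], by_user, USER_THRESHOLD, "account")):
            # Keep only the failures still inside the window, then add this one.
            table[key] = [t for t in table[key] if ev["ts"] - t < WINDOW] + [ev["ts"]]
            if len(table[key]) == limit:   # alert once, as the threshold is crossed
                alerts.append((f"{kind}_failures", key, limit))
    return alerts
```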
CONCLUSION
It is concluded that the Open Web Application Security Project is an important concept to study and learn, whether to use its free source code for one's own projects, for practical learning by students, or within organisations. It helps in producing a high-profile website with proper development, testing and maintenance, with the help of highly skilled technical people involved in the project, and it can be used for personal as well as professional purposes. Moreover, it must be taken into account that web applications contain several vulnerabilities that are difficult to handle, but mitigation is available for each of them, so that they can be addressed and the smooth functioning of the web application maintained by the administrator. Therefore, it is significant to analyse and examine the three basic OWASP vulnerabilities, namely broken authentication, security misconfiguration, and insufficient logging and monitoring, together with the vulnerability and mitigation associated with each. Hence, this report covers all such areas to better understand the concept of the Open Web Application Security Project.
References
Books and Journals
Al-Qassim, M.A. and Al-Hemiary, E.H., 2018. Network Perimeter Defenses Using Open-Source Software. Iraqi Journal of Information & Communications Technology, 1(2), pp.41-51.
Chlosta, M., Rupprecht, D., Holz, T. and Pöpper, C., 2019, May. LTE security disabled: misconfiguration in commercial networks. In Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks (pp. 261-266).
Cuppens, F., Cuppens-Boulahia, N. and Garcia-Alfaro, J., 2019. Misconfiguration management of network security components. arXiv preprint arXiv:1912.07283.
Hassan, M.M., Nipa, S.S., Akter, M. and Sharif, M.H., 2018. Broken authentication and session management vulnerability: a case study of web application. International Journal of Simulation Systems, Science & Technology, 19(2), pp.6-1.
Leite, G.S. and Albuquerque, A.B., 2018, September. An Approach for Reduce Vulnerabilities in Web Information Systems. In Proceedings of the Computational Methods in Systems and Software (pp. 86-99). Springer, Cham.
Nadar, V.M., Chatterjee, M. and Jacob, L., 2018. A Defensive Approach for CSRF and Broken Authentication and Session Management Attack. In Ambient Communications and Computer Systems (pp. 577-588). Springer, Singapore.
OWASP, T., 2019. Top 10-2017 The Ten Most Critical Web Application Security Risks. Accessed: Nov. 5, 2019.
Poptani, R. and Gatty, M.V., 2018. Security Misconfiguration. Security Misconfiguration, 7(1), pp.3-3.
Poston, H., 2020. Mapping the OWASP Top Ten to Blockchain. Procedia Computer Science, 177, pp.613-617.
Uddin, M., Islam, S. and Al-Nemrat, A., 2019. A dynamic access control model using authorising workflow and task-role-based access control. IEEE Access, 7, pp.166676-166689.