The OWASP Top 10 is a list of the most common vulnerabilities found in web applications. It provides software development and application delivery guidelines on how to protect against these vulnerabilities. The list is not focused on any specific product or application, but recommends generic best practices for DevOps around key areas such as role validation and application security. A web application firewall provides a key component for protection against the vulnerabilities identified in the OWASP Top 10 when implemented as part of a wider application security project. The KEMP Web Application Firewall Pack (AFP) provides protection beyond these core vulnerabilities by offering a subscription to a continuously updated set of rules that not only address the OWASP Top 10, but also offers protection for application specific vulnerabilities. The use of a subscription ensures that protection is automatically provided against the latest vulnerabilities for the widest possible number of applications. The KEMP AFP also plays into the defense in-depth approach to information security by providing a layer of application security to complement the built-in IPS (intrusion protection) and TLS (SSL) offload services.
The vulnerabilities identified in the OWASP Top 10 are as follows:
A1: Injection – This is when an attacker sends rogue content to a web application interpreter causing the interpreter to execute authorized commands.
A2: Broken Authentication & Session Management – Incorrect implementation of authentication schemes and session management can allow unauthorized users to assume the identities of valid users.
A3: Cross Site Scripting (XSS) – This is when a browser unknowingly executes scripts to hijack sessions or redirect to a rogue site.
A4: Insecure Direct Object References – An attacker can access a reference to a file or directory and manipulate that reference to gain unauthorized access to other objects.
A5: Security Misconfiguration – This is a very wide catch-all section that covers a variety of scenarios, including the application of latest security patches, default enablement of unnecessary features and the use of default accounts.
A6: Sensitive Data Exposure – Sensitive data such as credit card numbers and tax ID must be protected both in-transit and at rest.
A7: Missing Function Level Access Control - Preventing access to an application function in a browser is not sufficient and authorization checks should also be applied at the server.
A8: Cross Site Request Forgery (CSRF) – This attack sends forged requests to the vulnerable application from the authenticated client browser.
A9: Use of Components with Known Vulnerabilities – Third-party libraries and frameworks used in application development may have known vulnerabilities that compromise the overall application security.
A10: Unvalidated Redirects and Forwards – Without proper validation, users may be redirected to malicious websites.