
OWASP Top 10 Vulnerabilities Detection through EASM


Threat actors strategically capitalize on their knowledge of existing vulnerabilities to target susceptible victims. They tend to exploit older vulnerabilities more frequently than newly published security flaws, often by targeting unpatched Internet-facing systems.

Regularly scanning external assets, particularly for the most common vulnerabilities outlined in resources like the OWASP Top 10, is a crucial defense mechanism.

What Are the OWASP Top 10 Vulnerabilities?

The OWASP Top 10 is a categorized list of the most severe web application security risks analyzed and maintained by the Open Worldwide Application Security Project (OWASP). Each category is named after the root cause of the security risk.

For example, “A05:2021-Security Misconfiguration” is a risk category associated with any misconfiguration that can make a system or an application vulnerable. In fact, the Capital One and Microsoft data breaches in 2019 and 2023, respectively, may have stemmed from accidental security misconfigurations. Both incidents resulted in massive sensitive data exposure.

Therefore, no organization is immune from the exploitation of these vulnerabilities. Detecting and prioritizing them enables developers and security professionals to reduce their attack surfaces significantly.

How Can Organizations Detect the OWASP Top 10 Vulnerabilities?

Each OWASP Top 10 security risk has a list of Common Weakness Enumerations (CWEs) mapped to it. While not all CWEs have known exploits or related Common Vulnerabilities and Exposures (CVEs), scanning systems for the CWEs mapped to the OWASP Top 10 can significantly help minimize risk.

External attack surface management (EASM) solutions with advanced vulnerability scanning capabilities can help. Here are some examples of the security risks and their corresponding CWEs that can be detected and, therefore, addressed.

A01:2021-Broken Access Control

Broken Access Control has become the number 1 web application security risk, with more than 318,000 occurrences of CWEs mapped to it. Broken Access Control refers to weaknesses in how applications control access to data and functionality, which may allow malicious actors to gain unauthorized access to resources or perform unauthorized actions on a system. Below are some examples of weaknesses that EASM can detect.

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor: This general category encompasses any situation where sensitive information is revealed to someone who shouldn’t have access.
  • CWE-201: Exposure of Sensitive Information through Sent Data: This weakness focuses on vulnerabilities that allow sensitive information to be accidentally transmitted.
  • CWE-352: Cross-Site Request Forgery (CSRF): This refers to weaknesses in a website that allow it to be tricked into performing actions on a user’s behalf without their knowledge.
  • CWE-540: Inclusion of Sensitive Information in Source Code: This arises from embedding sensitive data like passwords, API keys, or encryption keys directly within the application’s source code. If not handled securely, this code can get exposed.
  • CWE-1275: Sensitive Cookie with Improper SameSite Attribute: This weakness is specific to cookies containing sensitive information, particularly when their “SameSite” attribute is improperly configured, allowing an attacker to steal a user’s cookies.

Detecting these CWEs is essential, especially since we have already seen examples of their exploitation. CVE-2022-0708 falls under the CWE-201 umbrella. This vulnerability in Mattermost, an open-source chat service, exposed the team creator’s email address.

Meanwhile, CVE-2022-24867 can result from CWE-540 exploitation, exposing the root password of GLPI users through the source code of the rendered page. GLPI is a free asset and IT management system.

A03:2021-Injection

A03:2021-Injection is a critical security risk related to vulnerabilities in web applications that allow attackers to inject malicious code. The application can then execute this code, potentially leading to devastating consequences.

The OWASP Top 10 maps several CWEs related to injection vulnerabilities. These CWEs highlight different aspects of how improper input handling can lead to risks. Here are a few examples.

  • CWE-20 Improper Input Validation: This occurs when an application fails to validate user inputs for unexpected characters or malicious code.
  • CWE-79 Improper Neutralization of Input during Web Page Generation (Cross-Site Scripting [XSS]): This specific type of injection allows attackers to inject scripts that run within a user’s browser, potentially stealing data or hijacking sessions.
  • CWE-94 Improper Control of Generation of Code (Code Injection): In this case, the attacker injects code that the application interprets and executes as its own, possibly granting the threat actor complete control.

Real-world exploitation illustrates the dangers of injection vulnerabilities. CVE-2021-44228 (Log4Shell) is a prime example of CWE-20 exploitation. This critical vulnerability allowed attackers to inject malicious code into applications using a popular logging library, potentially compromising entire systems. Similarly, CVE-2022-45918 (CWE-20) exposed a learning management system (LMS) to manipulation by attackers injecting malicious code into file paths.
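To make the CWE-20 and CWE-79 entries above concrete, here is an added example (not code from the original post or from any product it describes) that places a vulnerable page-rendering function beside its hardened form and adds an allow-list validator for a user-supplied file name. The upload directory `/srv/app/uploads` and the function names are assumptions made for the illustration.

```python
import html
import re
from pathlib import Path
from typing import Optional

# Allow-list for a user-supplied file name: letters, digits, '_', '.', '-', at most 64 chars.
# Deny-listing "bad" characters is the usual CWE-20 mistake; an allow-list is the mitigation.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Assumed root directory for stored files (hypothetical path for this example).
UPLOAD_ROOT = Path("/srv/app/uploads")


def render_greeting_vulnerable(name: str) -> str:
    """CWE-79: untrusted input is concatenated into HTML with no neutralization.

    Any markup inside `name` becomes part of the page and runs in the viewer's browser.
    """
    return f"<p>Hello, {name}!</p>"


def render_greeting_hardened(name: str) -> str:
    """Same page, but the input is output-encoded for the HTML text context."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def validate_filename(user_value: str) -> bool:
    """CWE-20 mitigation: accept only values that match the allow-list."""
    return SAFE_NAME_RE.fullmatch(user_value) is not None


def resolve_upload_path(user_value: str) -> Optional[Path]:
    """Map a validated file name to a path and confirm it stays inside UPLOAD_ROOT.

    The regex alone still admits '.' and '..', so the containment check is the second
    layer: the resolved path must have UPLOAD_ROOT among its parents.
    """
    if not validate_filename(user_value):
        return None
    root = UPLOAD_ROOT.resolve()
    candidate = (root / user_value).resolve()
    if root not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying markup, one trying to leave the directory.
    for sample in ("Ada", "<b>Ada</b>"):
        print("vulnerable:", render_greeting_vulnerable(sample))
        print("hardened:  ", render_greeting_hardened(sample))
    for fname in ("report.pdf", "../etc/passwd", ".."):
        print(fname, "->", resolve_upload_path(fname))
```

The point of `resolve_upload_path` is that input validation (CWE-20) and a structural check belong together: the regex rejects slashes outright, and the containment check catches the dot-only names the regex still lets through.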

A05:2021-Security Misconfiguration

As previously mentioned, A05:2021-Security Misconfiguration highlights a fundamental security risk: improperly configured systems and applications. The OWASP Top 10 maps several CWEs to security misconfiguration, showing the different ways security settings can be misconfigured. A few examples are cited below.

  • CWE-942 Permissive Cross-Domain Policy with Untrusted Domains: This occurs when a system’s Cross-Origin Resource Sharing (CORS) policy allows unauthorized websites to access sensitive resources. CORS is a security mechanism that controls how web browsers handle requests from different domains. An overly permissive policy weakens this security measure. An example would be a vulnerability in Dell SupportAssist for Home PCs (CVE-2022-34366), where an insecure CORS policy may allow unauthorized data access.
  • CWE-614 Sensitive Cookie in HTTPS Session without “Secure” Attribute: This vulnerability arises when a website uses HTTPS (secure communication protocol) but fails to set the “Secure” attribute on cookies containing sensitive information. Without this attribute, cookies can be intercepted even during an HTTPS session, compromising confidentiality. An open-source application commonly used to create online FAQs suffered from this vulnerability (CVE-2023-5866), which potentially allowed attackers to intercept cookies from unencrypted connections.

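The cookie and CORS weaknesses listed under A01 (CWE-1275) and A05 (CWE-942, CWE-614) are all visible in a single HTTPS response's headers, which is why an external scanner can detect them without credentials. The following added example (not Attaxion code, and not from the original post) runs those three checks over constructed sample responses. It assumes the responses were fetched over HTTPS with the request header `Origin: https://untrusted.example` (a probe origin chosen for the example) so that origin reflection can be recognized; the cookie-name hints used to decide what counts as "sensitive" are likewise an assumption.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]
Finding = Tuple[str, str]  # (CWE id, human-readable detail)

# Origin the scanner sends on its probe request (an assumption for this example).
PROBE_ORIGIN = "https://untrusted.example"

# Constructed sample responses, as (header, value) pairs, both served over HTTPS.
SAMPLE_RESPONSES: Dict[str, List[Header]] = {
    "weak": [
        ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),  # no Secure, no SameSite
        ("Set-Cookie", "theme=dark; Path=/"),                  # not sensitive, ignored
        ("Access-Control-Allow-Origin", PROBE_ORIGIN),         # echoes whatever Origin was sent
        ("Access-Control-Allow-Credentials", "true"),
    ],
    "hardened": [
        ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
        ("Access-Control-Allow-Origin", "https://app.example.com"),
    ],
}

# Substrings that mark a cookie as sensitive (constructed heuristic; a real scanner tunes this).
SENSITIVE_HINTS = ("sess", "auth", "token", "jwt", "csrf", "login")


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return name, attrs


def cookie_findings(set_cookie: str, https: bool = True) -> List[Finding]:
    """CWE-614 (missing Secure over HTTPS) and CWE-1275 (SameSite unset or None) for sensitive cookies."""
    name, attrs = parse_set_cookie(set_cookie)
    if not any(hint in name.lower() for hint in SENSITIVE_HINTS):
        return []
    findings: List[Finding] = []
    if https and "secure" not in attrs:
        findings.append(("CWE-614", f"cookie '{name}' set over HTTPS without the Secure attribute"))
    samesite = attrs.get("samesite", "")
    if samesite not in ("lax", "strict"):
        findings.append(("CWE-1275", f"cookie '{name}' has SameSite={samesite or '<unset>'}"))
    return findings


def cors_findings(headers: List[Header]) -> List[Finding]:
    """CWE-942: ACAO reflects the probe origin, or is a wildcard/null."""
    lowered = {h.lower(): v.strip() for h, v in headers}
    acao = lowered.get("access-control-allow-origin")
    with_creds = lowered.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[Finding] = []
    if acao == PROBE_ORIGIN:
        detail = "with credentials allowed" if with_creds else "without credentials"
        findings.append(("CWE-942", f"ACAO reflects an arbitrary Origin ({detail})"))
    elif acao in ("*", "null"):
        findings.append(("CWE-942", f"ACAO is '{acao}'"))
    return findings


def scan_response(headers: List[Header], https: bool = True) -> List[Finding]:
    """Run every header check over one response and return the list of findings."""
    findings: List[Finding] = []
    for header, value in headers:
        if header.lower() == "set-cookie":
            findings.extend(cookie_findings(value, https))
    findings.extend(cors_findings(headers))
    return findings


if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label}: {scan_response(hdrs) or 'no findings'}")
```

Reflection of an arbitrary `Origin` together with `Access-Control-Allow-Credentials: true` is the combination to prioritize: a plain `*` wildcard is never honoured by browsers for credentialed requests, whereas a reflected origin is. The `https` flag exists because CWE-614 only applies to cookies issued within an HTTPS session.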
Conclusion

While the OWASP Top 10 serves as a valuable foundation for addressing critical web application security risks, a comprehensive attack surface management strategy goes beyond this list. Advanced EASM capabilities enable security teams to:

  • Automatically detect other weaknesses and vulnerabilities outside the OWASP Top 10
  • Prioritize all detected security issues through accurate severity ratings
  • Gain instant insights into each security issue, including recommended mitigation actions and a list of affected assets
  • Accelerate remediation steps via integrations with ticketing and project management tools
  • Monitor the overall attack surface continuously

With more than 600 CWEs and thousands of CVEs, security teams need all the help they can get to scour their systems thoroughly for security issues.

Check your assets for the OWASP Top 10 and more. Start your free trial now to see how Attaxion can help.