The Open Web Application Security Project (OWASP) Top Ten is a standard for evaluating the most critical security risks to web applications. This list, updated periodically, outlines the primary vulnerabilities that have been identified through a consensus among security experts from around the world, reflecting the evolving landscape of web security threats.
The table below showcases how Edgewatch aligns with the OWASP Top Ten, detailing the methods and technologies Edgewatch employs to identify, address, and mitigate these prevalent vulnerabilities. This alignment ensures that users of Edgewatch are equipped to effectively confront and reduce the risks associated with the current most significant web application security flaws.
Category | Description | Edgewatch Coverage |
---|---|---|
A01 Broken Access Control | Broken Access Control covers failures to enforce user permissions, leading to unauthorized disclosure, modification, or destruction of data. Common issues include violating the principle of least privilege, bypassing checks through URL manipulation or internal state changes, insecure direct object references (IDOR) that expose other users' records, and missing access controls on API methods such as POST, PUT, and DELETE. Other weaknesses include privilege elevation, metadata manipulation by tampering with tokens or cookies, Cross-Origin Resource Sharing (CORS) misconfigurations that permit access from untrusted origins, and forced browsing to restricted areas without authentication. | Edgewatch explores every pathway discovered during its crawl, requesting each as both an authenticated and an unauthenticated user, and reports the differences in detail. It probes access control by attempting to reach components that should be restricted or require prior authentication but are inadequately protected, and it flags superficial controls that merely hide a component without actually securing it. Because every application is different, Edgewatch cannot determine from the response alone whether an instance of forced browsing is intentional or an accidental exposure; it reports such findings for manual review. |
A02 Cryptographic Failures | Cryptographic Failures addresses the protection of sensitive data, particularly data covered by regulations such as GDPR and PCI DSS. It calls for avoiding clear-text transmission, using strong algorithms, and managing and rotating keys properly. Typical issues include default or weak keys, insufficient validation of server certificates, weak or reused initialization vectors, insecure modes of operation such as ECB, passwords used directly as keys without a secure key-derivation function, and reliance on inadequate sources of randomness. It also warns against deprecated hash functions, incorrect cryptographic padding, and error messages that leak enough detail to be exploited (padding oracles, for example), for data both in transit and at rest. | Edgewatch identifies and explains a broad range of cryptographic weaknesses, including weak passwords, unencrypted protocols used for data in transit (such as HTTP where HTTPS is expected), and outdated or insufficient cipher suites and protocol versions offered by HTTPS services. It also reviews cryptographic key management and the strength of the ciphers in use. These findings usually require manual review to decide whether the data in question actually needs protection in transit or at rest; where data is intended to be public, the need for strong encryption may be reconsidered. Edgewatch's reports give users the detail needed to make that decision. |
A03 Injection | Injection vulnerabilities arise when user-supplied data is not validated or sanitized and is then used in dynamic queries, ORM search parameters, or dynamically evaluated code. Common types include SQL, NoSQL, OS command, ORM, LDAP, and Expression Language (EL) or OGNL injection, which pose similar risks across different technologies. Effective defenses include rigorous source code review and automated testing of every input, including parameters, headers, and cookies. Running static (SAST), dynamic (DAST), and interactive (IAST) security testing tools in the CI/CD pipeline is essential for catching injection flaws before they reach production. | Edgewatch identifies a wide array of injection flaws, including SQL, NoSQL, XSS, XPath, code, command, LDAP, and various language injections. For each finding its report states the detection method used, gives the technical details, and includes a safe exploitation example that illustrates the potential impact. This helps users judge the severity of each issue and guides them toward effective remediation. |
A04 Insecure Design | Insecure Design is a broad category representing many different weaknesses, summarized as "missing or ineffective control design." It is not the root cause of every other Top Ten category: design flaws and implementation defects have different causes and different remediations. A secure design can still contain implementation defects that lead to exploitable vulnerabilities, whereas an insecure design cannot be fixed by a perfect implementation, because the security controls needed to defend against specific attacks were never designed in. A major contributing factor is the absence of business risk profiling for the software or system being built, and consequently a failure to decide what level of security design is required. | Edgewatch addresses these weaknesses by focusing on areas such as inadvertent disclosure of sensitive information in error messages, insufficient encryption, and flaws that permit manipulation of file names or paths. It also covers inadequate authentication checks, misconfigured security settings, and improper data protection practices. By analyzing these aspects together, Edgewatch helps identify design-related weaknesses and encourages integrating security considerations from the earliest stages of development. |
A05 Security Misconfiguration | Security Misconfiguration covers applications put at risk by inadequate hardening, improper configuration, unnecessary features, unchanged default credentials, and overly revealing error messages. It includes security features disabled or misconfigured after an upgrade, insecure settings in servers, frameworks, and libraries, missing security headers, and outdated software. Without a systematic configuration process, an application's exposure to attack grows over time. | Edgewatch maintains a comprehensive database of widespread configuration errors, outdated frameworks, and unpatched systems, and flags any it finds. It also examines other problems that result from improper configuration, such as unchanged default passwords, verbose error messages, sensitive cookies lacking the HttpOnly attribute, overly permissive cross-domain allow lists, and poorly configured ciphers. Edgewatch also tests for XML External Entity (XXE) issues, which OWASP now places in this category. When configured to do so, Edgewatch performs a full infrastructure assessment covering every IP address and web application within the defined scope. |
A06 Vulnerable and Outdated Components | Vulnerable and Outdated Components covers the risk of running outdated or unsupported software components, including operating systems, servers, databases, APIs, and libraries. Risk arises from not knowing which component versions are in use, failing to scan them regularly for vulnerabilities, neglecting timely updates or patches, and inadequate compatibility testing after updates. Insecure component configuration further increases exposure. Regular updates, security checks, and verifying the security of each component are essential to mitigate these risks. | Edgewatch maintains an up-to-date database of thousands of documented vulnerabilities affecting content management systems, application frameworks, and both server-side and client-side components. It also offers specialized assessment modules for particular platforms and technologies: CMS build reviews for Umbraco, WordPress, Drupal, Magento, Joomla, and DNN; web server and proxy vulnerability assessments for nginx, Apache, IIS, Tomcat, Struts, and F5 load balancers, among others; checks for known server-side script vulnerabilities; and evaluation of client-side JavaScript libraries to pinpoint vulnerable or unsupported versions. |
A07 Identification and Authentication Failures | Identification and Authentication Failures stresses the importance of secure user identification, authentication, and session management. Weaknesses include permitting automated credential stuffing and brute-force attacks, default or weak passwords, ineffective password recovery flows, insecure storage of password data, lack of multi-factor authentication, session identifiers exposed in URLs, reuse of the same session identifier after login, and failure to invalidate session IDs or authentication tokens on logout or after inactivity. Any of these can significantly compromise an application. | During application scanning, Edgewatch assesses session management by initiating numerous sessions and inspecting their tokens. It identifies poorly implemented authentication, notably redirect responses (such as a 302) whose body already contains the restricted content, so that the protected page is served before the client ever follows the redirect to the login page. Edgewatch includes adjustable password-testing modules for uncovering weak credentials across different systems. It also checks for common default or hard-coded vendor passwords in hardware and services, looks for session IDs in URLs, evaluates how passwords are transmitted during registration, investigates flaws in password reset mechanisms, and looks for ways to bypass authentication. |
A08 Software and Data Integrity Failures | Software and Data Integrity Failures relate to code and infrastructure that do not protect against integrity violations. One example is an application that relies on plugins, libraries, or modules from untrusted sources, repositories, or content delivery networks (CDNs). An insecure CI/CD pipeline can open the door to unauthorized access, malicious code, or system compromise. Many applications also include auto-update functionality that downloads and applies updates without sufficient integrity verification, so an attacker who can publish an update could have it run on every installation. Finally, objects or data that are encoded or serialized into a structure an attacker can see and modify are vulnerable to insecure deserialization. | For A08, Edgewatch extends its capabilities beyond injection testing. It aims to uncover and exploit a wide range of both generic and framework-specific deserialization vulnerabilities across multiple frameworks and libraries. It also uses specialized plugins to detect dependency confusion, a weakness that can compromise the application's build process, by examining the libraries the application uses. Together these checks help guard against unauthorized manipulation of code and data. |
A09 Security Logging and Monitoring Failures | Security Logging and Monitoring Failures emphasizes the need for adequate logging and monitoring to detect and respond to breaches. Weaknesses include failing to log important events, producing unhelpful error messages, not monitoring logs for suspicious activity, storing logs insecurely, lacking effective alerting and response processes, and failing to raise alerts during security testing. Real-time detection of active attacks and prevention of information leakage are also essential. Insufficient logging and monitoring leave an organization blind to ongoing attacks and breaches. | Assessing logging and monitoring from the outside is difficult, because the scanner has no access to the target's logs and therefore cannot verify on its own that events are recorded or that alerts fire. Typically this requires coordination with the client's security operations team, comparing what they detected against the scan's activity. Edgewatch supports this by integrating with external XDR solutions and by generating realistic attack scenarios whose detection can be checked for gaps. The results still require manual review by the client's security team. Edgewatch's experts provide guidance to align practices with A09:2021, balancing automated tooling with manual oversight. |
A10 Server-Side Request Forgery (SSRF) | SSRF flaws occur when a web application fetches a remote resource without validating the user-supplied URL. An attacker can coerce the application into sending a crafted request to an unexpected destination, even one protected by a firewall, VPN, or other network access control list (ACL). As modern applications offer users convenient features that involve fetching URLs, SSRF is becoming more common, and its severity is rising with the adoption of cloud services (where internal metadata endpoints are reachable) and increasingly complex architectures. | Edgewatch tests for a wide spectrum of web application vulnerabilities, including SSRF. It uses several detection strategies, among them an out-of-band listener that records the DNS lookups and HTTP requests the target application makes in response to injected payloads. It can also demonstrate proof-of-concept exploitation in cloud environments by targeting services that are not internet-facing. In addition, Edgewatch draws on a comprehensive database of published Common Vulnerabilities and Exposures (CVEs) to identify known SSRF vulnerabilities in third-party software. |
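Two of the passive checks named in the table (A05: session cookies missing HttpOnly or Secure; A07: session IDs in URLs and redirect responses that already carry the restricted page in their body) can be illustrated with a small analyzer over raw HTTP responses. The code below is an added example written for this page; it is not Edgewatch's code, and the two responses it parses are constructed samples, not captures from any real host. The session cookie names and the 200-byte body threshold are assumptions chosen for the example.

```python
"""Passive HTTP response checks (added example, not Edgewatch code)."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumption: these cookie / parameter names identify a session token.
SESSION_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid", "session"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def check_cookies(headers):
    """A05: session cookies must carry HttpOnly and Secure."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if cookie_name.lower() in SESSION_NAMES:
            if "httponly" not in attrs:
                findings.append(Finding("cookie-no-httponly", cookie_name))
            if "secure" not in attrs:
                findings.append(Finding("cookie-no-secure", cookie_name))
    return findings


def check_session_in_url(headers):
    """A07: a session identifier must not travel in the redirect target's query string."""
    findings = []
    for name, value in headers:
        if name == "location":
            for key in parse_qs(urlsplit(value).query):
                if key.lower() in SESSION_NAMES:
                    findings.append(Finding("session-id-in-url", key))
    return findings


def check_redirect_body(status, headers, body, threshold=200):
    """A07: a 30x whose body is more than a stub probably rendered the protected
    page and then appended a redirect instead of refusing the request."""
    if status not in REDIRECT_CODES or len(body.strip()) <= threshold:
        return []
    location = dict(headers).get("location", "?")
    return [Finding("redirect-with-content", f"{len(body)} bytes served before redirect to {location}")]


def analyze(raw: bytes):
    """Run every check and return the list of findings for one response."""
    status, headers, body = parse_response(raw)
    return (check_cookies(headers)
            + check_session_in_url(headers)
            + check_redirect_body(status, headers, body))


# Constructed sample: the vulnerable pattern, an admin page "protected" by a redirect.
LEAKY_ROWS = b"".join(b"<tr><td>user%d</td><td>secret</td></tr>" % i for i in range(10))
BAD_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /login?JSESSIONID=8f2c1a\r\n"
    b"Set-Cookie: JSESSIONID=8f2c1a; Path=/\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><h1>Admin dashboard</h1><table>" + LEAKY_ROWS + b"</table></body></html>"
)

# Constructed sample: the same flow done correctly.
GOOD_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /login\r\n"
    b"Set-Cookie: JSESSIONID=8f2c1a; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>Redirecting</body></html>"
)

if __name__ == "__main__":
    for f in analyze(BAD_RESPONSE):
        print(f"{f.check}: {f.detail}")
```

The redirect-body check is a heuristic: a 30x with a large body is not always a leak (some frameworks emit a full "click here if you are not redirected" page), which is why a scanner reports it for review rather than asserting a vulnerability, matching the caveat in the A01 row about missing application context.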
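The out-of-band SSRF detection described in the A10 row works by giving every injected URL a unique token as a subdomain of a domain the tester controls, so that any DNS lookup or HTTP connection seen by that listener can be attributed to the exact request and parameter that triggered it. The following is an added illustration of that correlation step, not Edgewatch's implementation; the listener domain `oob.example`, the log line format, and the log itself are constructed for the example.

```python
"""Out-of-band SSRF correlation (added example, not Edgewatch code)."""
import re
import secrets

OOB_DOMAIN = "oob.example"  # assumption: a zone whose resolver and web server the tester runs

# Assumed listener log format: "<timestamp> <dns|http> <source-ip> <queried-name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|http) (?P<src>\S+) (?P<name>\S+)")


def make_payloads(targets, token_fn=lambda: secrets.token_hex(6)):
    """targets: list of (url, parameter) injection points.
    Returns (registry, injections): registry maps token -> (url, parameter),
    injections lists the payload URL to submit at each point."""
    registry, injections = {}, []
    for url, param in targets:
        token = token_fn()
        registry[token] = (url, param)
        injections.append((url, param, f"http://{token}.{OOB_DOMAIN}/"))
    return registry, injections


def correlate(registry, log_lines):
    """Map listener events back to the injection point that caused them.
    The token is the leftmost label of the queried name; anything that is not
    under OOB_DOMAIN or carries an unknown token is ignored as noise."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if not name.endswith("." + OOB_DOMAIN):
            continue
        token = name[: -len(OOB_DOMAIN) - 1].split(".")[0]
        if token in registry:
            hits.setdefault(registry[token], []).append((m.group("kind"), m.group("src")))
    return hits


def classify(hits):
    """An HTTP callback proves the application fetched the URL ("confirmed");
    a DNS lookup alone shows the URL was processed but egress may be blocked
    ("dns-only"), which is still worth reporting for manual review."""
    return {point: ("confirmed" if any(k == "http" for k, _ in events) else "dns-only")
            for point, events in hits.items()}


def demo():
    """Run the whole flow against a constructed listener log and return the verdicts."""
    targets = [
        ("https://app.example/api/fetch", "url"),
        ("https://app.example/avatar", "imageUrl"),
        ("https://app.example/search", "q"),
    ]
    registry, _ = make_payloads(targets)
    token_of = {point: tok for tok, point in registry.items()}
    # Constructed log: 'fetch' resolves and connects, 'avatar' only resolves,
    # 'search' never calls back; one unknown token and one malformed line as noise.
    log = [
        f"2024-05-01T10:00:01Z dns 203.0.113.7 {token_of[targets[0]]}.{OOB_DOMAIN}.",
        f"2024-05-01T10:00:01Z http 203.0.113.7 {token_of[targets[0]]}.{OOB_DOMAIN}",
        f"2024-05-01T10:00:02Z dns 203.0.113.7 {token_of[targets[1]]}.{OOB_DOMAIN}",
        f"2024-05-01T10:00:03Z dns 198.51.100.9 deadbeef0000.{OOB_DOMAIN}",
        "not a listener line",
    ]
    return classify(correlate(registry, log))


if __name__ == "__main__":
    for point, verdict in demo().items():
        print(point, verdict)
```

Using a distinct random token per injection point, rather than one shared domain, is what makes the finding actionable: the report can name the vulnerable parameter, and callbacks arriving hours later (from queued jobs or cached fetches) still attribute correctly.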