A brief overview of OWASP Top 10 risks and what it takes to minimize them in Java (Part I)

Kasun Balasooriya
Sep 9, 2015

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software.

The OWASP Top Ten is a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.

OWASP urges companies to adopt this document and make sure the applications they build do not have these flaws.

It’s About Risks, Not Weaknesses — OWASP focuses on risks rather than vulnerabilities, and on generalization rather than application-specific vulnerabilities.

The OWASP Top Ten is published once every three years, and this article refers to the Top Ten declared in 2013.

The risk rating methodology includes three likelihood factors for each weakness (prevalence, detectability, and ease of exploit) and one impact factor (technical impact).

The OWASP Top 10–2013 is as follows:

  • A1 Injection
  • A2 Broken Authentication and Session Management
  • A3 Cross-Site Scripting (XSS)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration
  • A6 Sensitive Data Exposure
  • A7 Missing Function Level Access Control
  • A8 Cross-Site Request Forgery (CSRF)
  • A9 Using Components with Known Vulnerabilities
  • A10 Unvalidated Redirects and Forwards

1. Injection

Injection is the main type of attack technique used in the web application domain. It is a simple and effective way of compromising valuable information. There are many types of injection attacks, and the most common and popular among them is SQL injection.

An attack is mounted by carefully injecting a piece of a statement through various means, from the input itself to modification of the request, so that the meaning of the statement changes and the request exposes data which is not supposed to be exposed.

Typically an attack like this can be used to expose sensitive data like passwords or credit card information.

  1. Implementing controls like a white-list for untrusted data (controlling the input by introducing proper validations) can be used as a defense against injection.
  2. Separating the input data from the queries can also be applied as a prevention practice against injection.
  3. Type casting the parameters helps validate the inputs and prevents attackers from exploiting the queries to force data out of the system.
  4. Designing databases with the principle of least privilege ensures that sensitive data is accessible to the people who absolutely need it but not to others.

*Do not implement queries such as:

*Java EE — use strongly typed Prepared Statements, or ORMs such as Hibernate or Spring

*Use the OWASP Enterprise Security API classes Encoder and Validator

1. Java prepared statement example
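The gists did not survive the import, so here is an added illustration (not the post's own code) of the two points above: the concatenated query the post warns against, beside its PreparedStatement replacement, plus the white-list and type-cast check from defenses 1 and 3. The users table, its columns and the Connection (expected to come from a container DataSource) are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserLookup {

    // What the post warns against: the untrusted value becomes part of the
    // statement text, so the database parses user input as SQL.
    public static String findEmailUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("email") : null;
        }
    }

    // Hardened form (defense 2): the statement text is fixed and the value is
    // sent as a typed bind parameter, so it can never change the query's meaning.
    public static String findEmail(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    // White-list validation (defense 1) plus type casting (defense 3): a user id
    // must be a short string of digits; anything else is rejected before any
    // database call is made.
    public static int parseUserId(String raw) {
        if (raw == null || !raw.matches("\\d{1,9}")) {
            throw new IllegalArgumentException("invalid user id");
        }
        return Integer.parseInt(raw);
    }

    public static String findEmailById(Connection conn, String rawId) throws SQLException {
        int id = parseUserId(rawId);   // throws before touching the database on bad input
        try (PreparedStatement ps = conn.prepareStatement("SELECT email FROM users WHERE id = ?")) {
            ps.setInt(1, id);          // bound as an integer, not spliced into the text
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }
}
```

The try-with-resources blocks also close statements and result sets on every path, which matters under load as much as under attack. An ORM such as Hibernate does the same binding for you as long as you use named or positional parameters rather than building HQL strings by hand.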

2. Java stored procedures example
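An added example of the stored-procedure route (again not the post's own gist): calling a procedure through CallableStatement, once with an OUT parameter and once with a result set. The procedures get_balance and list_transactions, their parameters and the column names are assumptions for this illustration.

```java
import java.math.BigDecimal;
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Types;
import java.util.ArrayList;
import java.util.List;

public class AccountProcedures {

    // Assumed procedure (not from the post):
    //   CREATE PROCEDURE get_balance(IN p_account_no VARCHAR(32), OUT p_balance DECIMAL(12,2))
    // The procedure body must use p_account_no as a value. If it builds dynamic
    // SQL from the parameter, the injection simply moves inside the database.
    public static BigDecimal getBalance(Connection conn, String accountNo) throws SQLException {
        try (CallableStatement cs = conn.prepareCall("{call get_balance(?, ?)}")) {
            cs.setString(1, accountNo);                 // IN parameter, bound as data
            cs.registerOutParameter(2, Types.DECIMAL);  // OUT parameter
            cs.execute();
            return cs.getBigDecimal(2);
        }
    }

    // Assumed procedure returning rows instead of an OUT parameter:
    //   CREATE PROCEDURE list_transactions(IN p_account_no VARCHAR(32), IN p_limit INT)
    public static List<String> listTransactions(Connection conn, String accountNo, int limit)
            throws SQLException {
        if (limit < 1 || limit > 500) {
            throw new IllegalArgumentException("limit out of range");   // white-list the size
        }
        List<String> rows = new ArrayList<>();
        try (CallableStatement cs = conn.prepareCall("{call list_transactions(?, ?)}")) {
            cs.setString(1, accountNo);
            cs.setInt(2, limit);
            try (ResultSet rs = cs.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getString("tx_id") + " " + rs.getBigDecimal("amount"));
                }
            }
        }
        return rows;
    }
}
```

This is where defense 4 pays off: the application's database account can be granted EXECUTE on these procedures only, with no direct SELECT on the underlying tables, so a flaw elsewhere in the application has nothing it can read directly.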

2. Broken Authentication and Session Management

This risk leads to an attacker hijacking an authenticated request and then making impersonated requests.

Auth cookie theft:

If an attacker is able to obtain the auth cookie for a particular website, the session can be hijacked. The cookie can be obtained in multiple ways, such as through an XSS attack or by sniffing an insecure connection.

Account Management attacks:

The attacker can exploit several weaknesses in account management. A few examples are:

  1. poor password reset mechanisms
  2. application timeouts not being set properly
  3. passwords not being hashed properly
  4. brute-force attacks on passwords using a known username field (e.g. an email address)

Defenses against these weaknesses include:

  1. using frameworks which are already available, like Spring and Apache Shiro
  2. protecting connections that carry authentication data using SSL/TLS

The following code explains a poor way of authenticating users.
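The snippet itself did not survive the import. As an added example that is not the author's code, here is the weakness the post describes (comparing a stored password string directly, which also means the database holds the password itself) beside a version that stores a salted PBKDF2 hash and compares it in constant time. The record format and the iteration count are choices made for this illustration; PBKDF2WithHmacSHA256 is the standard JDK provider name.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordCheck {

    // Poor: the stored value is the password itself, so a leaked table yields every
    // password, and String.equals returns at the first differing character, which
    // leaks timing information about the stored value.
    public static boolean authenticateUnsafe(String storedPassword, String supplied) {
        return storedPassword.equals(supplied);
    }

    private static final int ITERATIONS = 100_000;   // tune to your hardware budget
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Stored record layout (chosen for this example):
    //   pbkdf2-sha256$<iterations>$<base64 salt>$<base64 hash>
    public static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                         // fresh random salt per user
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        return "pbkdf2-sha256$" + ITERATIONS + "$"
                + Base64.getEncoder().encodeToString(salt) + "$"
                + Base64.getEncoder().encodeToString(hash);
    }

    // Recomputes the hash with the stored salt and iteration count and compares
    // the two byte arrays in constant time.
    public static boolean authenticate(String storedRecord, char[] supplied) throws Exception {
        String[] parts = storedRecord.split("\\$");
        if (parts.length != 4 || !"pbkdf2-sha256".equals(parts[0])) {
            return false;                            // unknown or corrupt record
        }
        int iterations = Integer.parseInt(parts[1]);
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        byte[] actual = pbkdf2(supplied, salt, iterations);
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                    // do not leave the password in memory
        }
    }

    public static void main(String[] args) throws Exception {
        String record = hashPassword("example-password".toCharArray());
        System.out.println(record);
        System.out.println(authenticate(record, "example-password".toCharArray()));
        System.out.println(authenticate(record, "something-else".toCharArray()));
    }
}
```

Storing the iteration count in the record lets you raise it later and re-hash users transparently on their next successful login. The brute-force item in the list above is addressed separately, by rate limiting or lockout on the username field, which the frameworks mentioned (Spring, Apache Shiro) provide out of the box.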

1. Securing cookies
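The cookie gist is missing as well; the following is an added servlet example, not the post's own code, using only the standard Servlet 3.0 API. It hardens the container's session cookie (HttpOnly against XSS theft, Secure against sniffing), replaces the pre-login session so a fixed session id cannot be reused, sets an idle timeout, and gives any application-specific cookie the same flags. The credential store looked up from the ServletContext and the /home and /login paths are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Runs once at startup, before any request: flags for the container's JSESSIONID cookie.
@WebListener
class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true);   // not readable from script, so XSS cannot read it
        cfg.setSecure(true);     // only sent over TLS, so it is not exposed to sniffing
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Assumed (not from the post): something that verifies a username against a hashed record.
    public interface CredentialStore {
        boolean verify(String username, char[] password);
    }

    private static final int IDLE_SECONDS = 15 * 60;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Assumed to be registered on the ServletContext at startup.
        CredentialStore store = (CredentialStore) getServletContext().getAttribute("credentialStore");
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (store == null || username == null || password == null
                || !store.verify(username, password.toCharArray())) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);   // same answer for every failure
            return;
        }

        // Never keep a session id that existed before authentication (session fixation):
        // drop the old session and let the container issue a fresh id.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", username);
        session.setMaxInactiveInterval(IDLE_SECONDS);   // idle timeout, in seconds

        // Any cookie the application sets itself gets the same protections.
        resp.addCookie(secureCookie(req, "UI_PREFS", "default", IDLE_SECONDS));
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Logout: kill the server-side session and expire the application cookie on the client.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.addCookie(secureCookie(req, "UI_PREFS", "", 0));   // maxAge 0 deletes it
        resp.sendRedirect(req.getContextPath() + "/login");
    }

    static Cookie secureCookie(HttpServletRequest req, String name, String value, int maxAge) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);
        c.setSecure(true);
        c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        c.setMaxAge(maxAge);
        return c;
    }
}
```

The same session cookie flags can be declared in web.xml instead of code, inside session-config / cookie-config as http-only and secure set to true; setSecure only takes effect if the site is actually served over TLS, which is the SSL/TLS point from the list above.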

Up next : XSS 🙂

Originally published at http://neatrick.wordpress.com on September 9, 2015.
