This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Top 10 2017-A7-Insufficient Attack Protection"
(Top 10 2017 RC1: A7 Insufficient Attack Protection) |
(Set parameters in Top_10:SummaryTableTemplate) |
||
Line 15: | Line 15: | ||
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2017|language=en}} | {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2017|language=en}} | ||
− | {{Top_10:SummaryTableTemplate|exploitability= | + | {{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=2|year=2017|language=en}} |
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2017}} | {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2017}} | ||
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}> | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}> |
Revision as of 21:08, 22 April 2017
Threat Agents / Attack Vectors | Security Weakness | Impacts | |||
---|---|---|---|---|---|
App Specific | Exploitability EASY |
Prevalence COMMON |
Detectability AVERAGE |
Impact MODERATE |
Business ? |
Consider anyone with network access can send your application a request. Does your application detect and respond to both manual and automated attacks? |
Attackers, known users or anonymous, send in attacks. Does the application or API detect the attack? How does it respond? Can it thwart attacks against known vulnerabilities? |
Applications and APIs are attacked all the time. Most applications and APIs detect invalid input, but simply reject it, letting the attacker attack again and again. Such attacks indicate a malicious or compromised user probing or exploiting vulnerabilities. Detecting and blocking both manual and automated attacks, is one of the most effective ways to increase security. How quickly can you patch a critical vulnerability you just discovered? |
Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of successful exploit to 100%. Not quickly deploying patches aids attackers. |
Consider the impact of insufficient attack protection on the business. Successful attacks may not be prevented, go undiscovered for long periods of time, and expand far beyond their initial footprint. |
Am I Vulnerable To 'Cross-Site Scripting (XSS)'?
Detecting, responding to, and blocking attacks makes applications dramatically harder to exploit yet almost no applications or APIs have such protection. Critical vulnerabilities in both custom code and components are also discovered all the time, yet organizations frequently take weeks or even months to roll out new defenses. It should be very obvious if attack detection and response isn’t in place. Simply try manual attacks or run a scanner against the application. The application or API should identify the attacks, block any viable attacks, and provide details on the attacker and characteristics of the attack. If you can’t quickly roll out virtual and/or actual patches when a critical vulnerability is discovered, you are left exposed to attack. Be sure to understand what types of attacks are covered by attack protection. Is it only XSS and SQL Injection? You can use technologies like WAFs, RASP, and OWASP AppSensor to detect or block attacks, and/or virtually patch vulnerabilities. |
How Do I Prevent 'Cross-Site Scripting (XSS)'?
There are three primary goals for sufficient attack protection:
|
Example Attack Scenarios
Scenario #1: Attacker uses automated tool like OWASP ZAP or SQLMap to detect vulnerabilities and possibly exploit them. Attack detection should recognize the application is being targeted with unusual requests and high volume. Automated scans should be easy to distinguish from normal traffic. Scenario #2: A skilled human attacker carefully probes for potential vulnerabilities, eventually finding an obscure flaw. While more difficult to detect, this attack still involves requests that a normal user would never send, such as input not allowed by the UI. Tracking this attacker may require building a case over time that demonstrates malicious intent. Scenario #3: Attacker starts exploiting a vulnerability in your application that your current attack protection fails to block. How quickly can you deploy a real or virtual patch to block continued exploitation of this vulnerability? |
References
OWASP
External |