Application security

13 common web app vulnerabilities not included in the OWASP Top 10

Dan Virgillito
September 9, 2020 by
Dan Virgillito

Introduction

The OWASP Top 10, a widely referenced document that lists the key threats to modern web applications, hasn’t changed much in the past few years. Broken access controls, cross-site scripting, insecure configuration, broken authentication — these are some of the risks we’ve been constantly warned about since 2003. 

The issue with this is that it doesn’t highlight the many other vulnerabilities that could affect the security of a web application. Not included in the OWASP Top 10, the following risks are often seen and difficult to prevent, as organizations lack the knowledge that’s needed to know what to test.

13 critical web app vulnerabilities outside of OWASP’s list

Security shouldn’t start and end with the OWASP Top 10 list. Here’s a breakdown of other web application risks that you should consider and evaluate in your organization.

1. Buffer overflow

This vulnerability deals with memory allocations (or buffers) in applications that provide low-level access to read and write memory. A buffer overflow happens when a program attempts to fill a block of memory with more data than the buffer can accommodate. By injecting smartly-crafted user inputs into the vulnerable app, hackers can crash the web server or execute malicious code. 

The best way to protect your web apps from buffer overflows is to update them with the latest security patches.

2. Memory leak

Memory leaks occur when an application requests objects and strings but is unable to release them from memory. With too many memory leaks, the vulnerability can usurp the entire memory and bring the web app to a halt or increase its loading time. One way to avoid memory leaks is to clean up unmanaged objects — such as COM objects, file handles and so on — in your application. 

3. Process control 

Process control vulnerabilities allow adversaries to modify the command that an app executes. Alternatively, an attacker may use it to modify the environment in which the command runs. 

Process control risks typically arise when an untrusted source transfers data to the application. The data is then used as a part of a string serving as a command on behalf of the web app. To reduce your exposure to this vulnerability, avoid downloading app updates and other files from unknown sources.

4. Heartbleed bug

The Heartbleed bug is a critical vulnerability originating from the cryptographic software library of SSL. It allows spoofing the information protected by the SSL/TLS encryption. SSL/TLS ensures privacy and communication security for applications like web, email, IM and some VPNs. 

Upgrading to the latest version of OpenSSL is an effective way to address the Heartbleed vulnerability.

5. XML External Entity (XXE) processing

XXE processing involves attackers abusing a widely used feature in XML parsers to access local or remote files and cause DoS (Denial of Service). It can also be used to execute SSRF (Server-Side Request Forgery), forcing the web app to make external application requests. Besides, XXE may allow port scanning and the remote execution of malicious code. 

To protect against XXE vulnerabilities, make sure to disable DTD processing and XML external entities in all XML parsing. 

6. Privacy violation 

Privacy violation occurs when login details, passwords and other sensitive information enter the web app. This increases the risk of data being written to an external location, such as the file system, console or network. 

Proper encryption and masking of the data before it’s stored on the web server/database or the file system are keys to reducing this vulnerability. 

7. CRLF injection 

The CRLF injection vulnerability enables attackers to inject Carriage Return and Line Feed characters into a web application, usually through an HTTP request or a user input form. This allows for a wide range of malicious actions, including code execution, information disclosure and log file manipulation in an admin panel. 

Fortunately, web application users can avoid CRLF injections by rejecting user-supplied input from untrusted sources. Encoding the data that you pass into HTTP headers may also help.

8. Undefined behavior 

Web application developers sometimes rely on a specific compiler or implementation of undefined behavior, which may cause issues when the compiler is upgraded/replaced. Undefined behaviors may also increase security risks, especially in cases where an array out of bound isn’t inspected. 

To prevent these vulnerabilities from arising, avoiding writing and using any code that has undefined behavior.

9. Password plaintext storage

Storing passwords in plaintext means writing them a clear, readable format. Plaintext passwords are not encrypted and can be accessed by other humans. And if a hacker with unauthorized access to your device or account breaks into your database, they can gain access to everyone’s password. This means your colleagues who rely on the same password across websites are at risk of their sensitive data being stolen. 

Organizations should be salting and hashing passwords to protect users against the plaintext vulnerability.

10. Information exposure through query strings in URL

This vulnerability involves the passing of sensitive data to parameters in a URL. The process enables malicious actors to gather sensitive data such as password, database details, token and other critical information. Simply transferring the values over a secure connection does not fix this vulnerability. 

A way to prevent this is to transmit sensitive data as part of a form POST, rather than encoding it into the URL.

11. String termination error

A string termination error arises when data enters a program through a null-terminated string. In other words, the information is delivered to a function that requires a null terminate input. 

Hackers can exploit this vulnerability by injecting exceptionally large data into the web app. They’ll then give malicious input either by modifying configuration files or directly as input to the application. Watch out for null-terminated strings if you want to avoid string termination errors.

12. Catch NullPointerException

NullPointerException (a runtime exception) comes into play when a web program tries to leverage an object reference with a null value. This can involve throwing null, modifying a null’s object field or its slots and invoking a certain method from a null object. To prevent this runtime exception, you must initialize all objects correctly before you utilize them.

13. Insecure compiler optimization

Optimizing compilers are those that attempt to maximize some attributes for executable programs by sacrificing other attributes. But these other attributes may include sensitive data, resulting in a security compromise due to incorrect scrubbing. Insecure compiler optimization happens when secret data is kept in memory and scrubbed from it by content overwriting. 

To address this vulnerability, developers should analyze the nature of their code’s compilation, especially for sections that deal with critical data.

Conclusion

Testing against the OWASP Top 10 vulnerabilities can help you create a web application that works for your company. Developers and stakeholders shouldn’t restrict themselves to the list, however. By gaining knowledge of other important vulnerabilities like the ones above, the development team can conduct the tests required to harden the applications further. Consider the OWASP Top 10 as a starting point and complement it with practices tailored to your development practices. 

 

Sources

  1. The main ways applications are vulnerable, Sqreen
  2. Biggest Web Security Vulnerabilities Haven’t Changed Much – And That’s Not a Good Thing, DataCenter Knowledge
  3. Web Application Vulnerability Report 2019, Acunetix
Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.