Product

OWASP Top 10 Compliance with RidgeBot 3.6 What is OWASP Top 10? Security breaches and attacks have become so prevalent that only the very largest ones now make the But attacks against organizations of all sizes have never been so rife or so sophisticated, making it all the more critical that you do everything […]

OWASP Top 10 Compliance with RidgeBot 3.6

CONTACT SALES

Overview
Models
Specifications
Resources

OWASP Top 10 Compliance with RidgeBot 3.6

What is OWASP Top 10?

Security breaches and attacks have become so prevalent that only the very largest ones now make the But attacks against organizations of all sizes have never been so rife or so sophisticated, making it all the more critical that you do everything you can to protect your organization’s digital assets.

The Open Web Application Security Project (OWASP) is a non-profit organization that works towards raising awareness, improving, and managing web application security Virtually all businesses and other public/private organizations in today ’s digital economy maintain web applications and servers to advertise, buy, sell, inform, and serve their customers or members in countless ways. By definition, a web application is public-facing: this makes it especially vulnerable to exploits from anywhere at any time. To protect your organization against security attacks and breaches, it is imperative to manage closely the vulnerabilities in web application software interactions. OWASP evaluates the most prevalent and critical web application vulnerabilities to produce a Top 10 list that is updated every 3-4 years. The most recent report was published in 2017. The OWASP Top 10 project uses broad industry consensus to determine the 10 most critical web application security risk categories. Well-known industry CWEs (Common Weakness Enumeration) are mapped into the Top 10 categories. The CWEs in turn draw on a larger database of CVEs (Common Vulnerabilities and Exposures) maintained in the National Vulnerability Database (NVD) under the direction of the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Understanding the OWASP Top 10 Categories

The 2017 Top 10 OWASP vulnerabilities are:

A1:2017 Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. A2:2017 Broken Authentication: Authentication and session management functions implemented incorrectly allow attackers to compromise passwords, keys, or session tokens to exploit user identities.

A3:2017 Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and personally identifiable information (PII), allowing attackers to steal or modify such data to conduct fraud, identity theft, or other crimes.

A4:2017 XML External Entities (XXE): Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to perpetrate other data, crimes and attacks.

A5:2017 Broken Access Control: Improper enforcement of restrictions on what authenticated users are allowed to do enable attackers to exploit access to unauthorized functionality and/or data.

A6:2017 Security Misconfigurations: Security misconfiguration is the most commonly seen issue, including insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.

A7:2017 Cross-Site Scripting (XSS): XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create HTML or JavaScript.

A8:2017 Insecure Deserialization: Insecure deserialization often leads to remote code execution, or can be used to perform replay attacks, injection attacks, and privilege escalation attacks.

A9:2017 Using Components with Known Vulnerabilities: Exploiting a vulnerable component—such as libraries, frameworks, and other software modules that run with the same privileges as the application—can lead to serious data loss or server takeover.

A.10:2017 Insufficient Logging and Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.

Ridge Security’s CWE to OWASP Top 10 Mapping

The OWASP Top 10 categories provide an easy, clear at-a-glance summary of the ten most critical web application security risks. To protect your organization’s web applications and servers, you must understand which specific vulnerabilities (CWEs) are included in each of the OWASP Top 10 categories.

While there is broad industry agreement on mapping CWEs to OWASP categories, there are differences in the specific implementations by different security mitigation vendors’ products. These details matter to the breadth of coverage and protection you get from using a specific vendor’s product to pentest your web applications. RidgeBot covers a comprehensive list of CWEs in each OWASP Top 10 category, providing you with the highest confidence that RidgeBot ’s pentest and exploitation capabilities result in thorough protection of your organization’s web application and servers.

A1:2017 Injection

CWE 74—Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)	CWE 93—Improper Neutralization of CRLF Sequences (‘CRLF Injection’)
CWE 77—Improper Neutralization of Special Elements used in a Command (‘Command Injection’)	CWE 94—Improper Control of Generation of Code (‘Code Injection’)
CWE 78—Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)	CWE 98—Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
CWE 88—Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’)	CWE 290—Authentication Bypass by Spoofing
CWE 89—Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	CWE 434—Unrestricted Upload of File with Dangerous Type CWE 564—SQL Injection: Hibernate
CWE 90—Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)	CWE 917—Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
CWE 91—XML Injection (aka Blind XPath Injection)	CWE 943—Improper Neutralization of Special Elements in Data Query Logic

A2:2017 Broken Authentication

CWE 203—Observable Discrepancy	CWE 428—Unquoted Search Path or Element
CWE 256—Plaintext Storage of a Password	CWE 444—Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’)
CWE 287—Improper Authentication	CWE 521—Weak Password Requirements
CWE 294—Authentication Bypass by Capture-replay	CWE 522—Insufficiently Protected Credentials
CWE 306—Missing Authentication for Critical Function	CWE 523—Unprotected Transport of Credentials
CWE 307—Improper Restriction of Excessive Authentication Attempts	CWE 552—Files or Directories Accessible to External Parties
CWE 308—Use of Single-factor Authentication	CWE 613—Insufficient Session Expiration
CWE 384—Session Fixation	CWE 620—Unverified Password Change
CWE 400—Uncontrolled Resource Consumption	CWE 640—Weak Password Recovery Mechanism for Forgotten Password
CWE 425—Direct Request (‘Forced Browsing’)	CWE 798—Use of Hard-coded Credentials
CWE 426—Untrusted Search Path	CWE 862—Missing Authorization
CWE 427—Uncontrolled Search Path Element	CWE 863—Incorrect Authorization

A3:2017 Sensitive Data Exposure

CWE 199—Information Management Errors	CWE 325—Missing Cryptographic Step
CWE 220—Storage of File with Sensitive Data Under FTP Root	CWE 326—Inadequate Encryption Strength
CWE 295—Improper Certificate Validation	CWE 327—Use of a Broken or Risky Cryptographic Algorithm
CWE 310—Cryptographic Issues	CWE 328—Reversible One-Way Hash
CWE 311—Missing Encryption of Sensitive Data	CWE 359—Exposure of Private Personal Information to an Unauthorized Actor
CWE 312—Cleartext Storage of Sensitive Information	CWE 538—Insertion of Sensitive Information into Externally-Accessible File or Directory
CWE 319—Cleartext Transmission of Sensitive Information	CWE 541—Inclusion of Sensitive Information in an Include File
CWE 320—Key Management Errors – (320)	CWE 668—Exposure of Resource to Wrong Sphere

A4:2017 XML External Entities (XXE)

CWE 611—Improper Restriction of XML
External Entity Reference

CWE 776—Improper Restriction of
Recursive Entity References in DTDs
(‘XML Entity Expansion’)

A5:2017 Broken Access Control

CWE 22—Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	CWE 284—Improper Access Control
CWE 118—Incorrect Access of Indexable Resource (‘Range Error’)	CWE 285—Improper Authorization
CWE 200—Exposure of Sensitive Information to an Unauthorized Actor	CWE 346—Origin Validation Error
CWE 254—7PK – Security Features	CWE 352—Cross-Site Request Forgery (CSRF)
CWE 264—Permissions, Privileges, and Access Controls	CWE 425—Direct Request (‘Forced Browsing’)
CWE 269—Improper Privilege Management	CWE 497—Exposure of Sensitive System Information to an Unauthorized Control Sphere
CWE 273—Improper Check for Dropped Privileges	CWE 639—Authorization Bypass Through User-Controlled Key
CWE 275—Permission Issues	CWE 732—Incorrect Permission Assignment for Critical Resource
CWE 276—Incorrect Default Permissions	CWE 915—Improperly Controlled Modification of Dynamically-Determined Object Attributes

A6:2017 Security Misconfigurations

CWE 16—Configuration	CWE 345—Insufficient Verification of Data Authenticity
CWE 23—Relative Path Traversal	CWE 347—Improper Verification of Cryptographic Signature
CWE 30—Path Traversal: ‘\dir\..\filename’	CWE 358—Improperly Implemented Security Check for Standard
CWE 209—Generation of Error Message Containing Sensitive Information	CWE 399—Resource Management Errors
CWE 297—Improper Validation of Certificate with Host Mismatch	CWE 407—Inefficient Algorithmic Complexity
CWE 298—Improper Validation of Certificate Expiration	CWE 601—URL Redirection to Untrusted Site (‘Open Redirect’)
CWE 331—Insufficient Entropy	CWE 693—Protection Mechanism Failure
CWE 332—Insufficient Entropy in PRNG	CWE 829—Inclusion of Functionality from Untrusted Control Sphere
CWE 338—Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)	CWE 918—Server-Side Request Forgery (SSRF)

A7:2017 Cross-Site Scripting (XSS)

CWE 79—Improper Neutralization of Input
During Web Page Generation (‘Cross-site Scripting’)

A8:2017 Insecure Deserialization

CWE 113—Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’	CWE 134—Use of Externally-Controlled Format String
CWE 116—Improper Encoding or Escaping of Output	CWE 502—Deserialization of Untrusted Data

A9:2017 Using Components with Known Vulnerabilities

CWE 17—Code	CWE 193—Off-by-one Error
CWE 18—Source Code	CWE 252—Unchecked Return Value
CWE 19—Data Processing Errors	CWE 330—Use of Insufficiently Random Values
CWE 20—Improper Input Validation	CWE 361—7PK – Time and State
CWE 59—Improper Link Resolution Before File Access (‘Link Following’)	CWE 362—Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
CWE 119—Improper Restriction of Operations within the Bounds of a Memory Buffer	CWE 367—Time-of-check Time-of-use (TOCTOU) Race Condition
CWE 120—Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)	CWE 369—Divide by Zero
CWE 121—Stack-based Buffer Overflow	CWE 415—Double Free
CWE 122—Heap-based Buffer Overflow	CWE 416—Use After Free
CWE 125—Out-of-bounds Read	CWE 476—NULL Pointer Dereference
CWE 129—Improper Validation of Array Index	CWE 617—Reachable Assertion
CWE 185—Incorrect Regular Expression	CWE 787—Out-of-bounds Write
CWE 189—Numeric Errors	CWE 824—Access of Uninitialized Pointer
CWE 190—Integer Overflow or Wraparound	CWE 843—Access of Resource Using Incompatible Type (‘Type Confusion’)
CWE 191—Integer Underflow (Wrap or Wraparound)

A.10:2017 Insufficient Logging and Monitoring

CWE 223—Omission of Security-relevant Information	CWE 681—Incorrect Conversion between Numeric Types
CWE 255—Credentials Management Errors	CWE 682—Incorrect Calculation
CWE 388—7PK – Errors	CWE 697—Incorrect Comparison
CWE 404—Improper Resource Shutdown or Release	CWE 704—Incorrect Type Conversion or Cast
CWE 417—Communication Channel Errors	CWE 754—Improper Check for Unusual or Exceptional Conditions
CWE 459—Incomplete Cleanup	CWE 755—Improper Handling of Exceptional Conditions
CWE 507—Trojan Horse	CWE 769—Uncontrolled File Descriptor Consumption
CWE 532—Insertion of Sensitive Information into Log File	CWE 770—Allocation of Resources Without Limits or Throttling
CWE 534—Information Exposure Through Debug Log Files	CWE 772—Missing Release of Resource after Effective Lifetime
CWE 665—Improper Initialization	CWE 778—Insufficient Logging
CWE 669—Incorrect Resource Transfer Between Spheres	CWE 834—Excessive Iteration
CWE 674—Uncontrolled Recursion	CWE 835—Loop with Unreachable Exit Condition (‘Infinite Loop’)

How a RidgeBot OWASP Top 10 Report Helps with Security Audits

Because the CWE to OWASP TOP 10 mappings vary among vendor implementations, the statement that your organization is “OWASP Top 10” compliant remains ambiguous. During an audit you may have to provide detailed evidence of protection for each of the specific CWEs that you, or the auditor, believe makes you OWASP compliant.

RidgeBot ’s comprehensive built-in OWASP report streamlines providing evidence to management or auditors that all your web applications are OWASP Top 10 compliant.

The header of the RidgeBot OWASP Top 10 report gives an executive summary of all the vulnerabilities found—classified into appropriate levels of severity—as well as those that were successfully exploited (red arrow). Further down (green arrow), the report provides detailed compliance information for each of the OWASP Top 10 categories and for the exact CWEs tested in each category.

For each of the servers you subjected to RidegBot web penetration testing and exploitation, the body of the report indicates the compliance status of each of the OWASP Top 10 categories. This information gives you an instant roadmap to patch, upgrade or replace your applications to become compliant. It also gives you ready evidence to present to an auditor that your applications and servers are compliant.

The Benefits of Using RidgeBot to Maintain Protection Against OWASP Top 10

The OWASP community provides helpful information and tools to address web application security risks. While the Top 10 list is an extremely helpful and broad industry benchmark, it does not ease the burden of implementing a strategy to know how your web applications measure up, or how to fix lingering vulnerabilities. The Top 10 list also does not provide specifics of which exact CWEs your applications are protected against.

A RidgeBot pen-testing and exploitation run targets a comprehensive and industry- superior set of CWE vulnerabilities in each Top 10 category. The built-in report provides exact details of every Top 10 category and CWE tested and/or exploited. With a periodic—the frequency of your choosing—RidgeBot test-exploit against your web servers and applications you can always rest assured that your organization’s digital assets are as secure as possible from reigning web-based attacks. You can provide on-demand information and evidence to management or auditors about the state of compliance of your organization’s web-based activities. The report also includes detailed steps for resolving any vulnerabilities found—and the relative priority of each—that can guide staff on the specific actions to take to become or maintain 100% compliance.

Source: ridgesecurity.ai

View more products: nessar.net

Technical Contact:

Mr.Công: 0889221188

Technical Contact:

Mr.Hiệp: 0886221166

Sale-channel Contact:

Mr.Long: 0916581818