Alternative OWASP Top Ten Paths

This article describes our Alternative Top Ten Paths, provides lesson descriptions and what CWE Numbers they map to.

Rachel Yonan avatar
Written by Rachel Yonan
Updated over a week ago

HackEDU OWASP Top 10 2021 | Alt 1

The OWASP Top 10 2021 | Alt 1 path delivers comprehensive lessons aimed at deepening developers' understanding of critical security principles. Alongside the standard OWASP Top Ten list, this compilation introduces alternative lessons that address new Common Weakness Enumerations (such as use of hard coded credentials, over-reliance on cookies, authentication bypass by spoofing and others) and offers innovative solutions to strengthen applications against potential attackers.

To review and assign this path, you can find it under Admin > Paths & Quests > Default Paths > Hands On.

The following lessons are included in the OWASP Top 10 2021 | Alt 1 Path:

1. Cryptographic Failures | Use of Hard-coded Password (Part 1)

2. Cryptographic Failures | Use of Hard-coded Password (Part 2)

3. XML External Entities (XXE) | Improper Restriction of XML External Entity

4. Software and Data Integrity Failures | Over-reliance on Cookies

5. Insecure Design | Incorrect Privilege Assignment

6. Security Misconfigurations | Error Message Containing Sensitive Information

7. Injection | Command Injection

8. Server-Side Request Forgery | Regex Filtering

9. Security Logging and Monitoring Failures | Insufficient Logging

10. Identification and Authentication Failures | Authentication Bypass by Spoofing

11. Broken Access Control | Improper Access Control

12. Injection | SQL Injection

13. Cross-Site Scripting (Reflected XSS) | Improper Web Page Input Neutralization

14. Vulnerable and Outdated Components | Using Components with Known Vulnerabilities


Common Weakness Enumeration numbers & lesson descriptions included below:

Cryptographic Failures | Use of Hard-coded Password (Part 1)

CWE-259: Use of Hard-coded Password

Hard-coded passwords significantly increase security risks by making applications vulnerable to unauthorized access through code analysis or exposure. They hinder prompt password changes and encourage poor management practices, such as password reuse, compromising multiple systems with a single breach.

In this lesson we will walk through moving hard-coded database credentials from the application's source code to a secret management server (in this case, HashiCorp's Vault).

By the end of this lesson, learners will grasp the risks associated with hard-coded passwords and the rationale behind why it's considered a poor practice. They will learn different strategies to eliminate hard-coded passwords and gain the skills to configure and utilize a secrets management server for password storage.

Cryptographic Failures | Use of Hard-coded Password (Part 2)

CWE-259: Use of Hard-coded Password

Part one of Cryptographic Failures highlighted the dangers of embedding hard-coded passwords directly in source code, underscoring it as an insecure practice. While moving passwords to a secrets server enhances security, relying solely on static passwords—even in a secure environment—still poses significant security risks.

In this lesson we will show how to configure a secects server to dynamically rotate passwords allowing for improved security measures.

By the end of this lesson, learners will understand the advantages of utilizing ephemeral credentials and will master configuring a secrets server for dynamic credential management.

XML External Entities (XXE) | Improper Restriction of XML External Entity

CWE-611: Improper Restriction of XML External Entity Reference

XML External Entities (XXE) vulnerability occurs when an application processing XML input allows external entities to be specified by the user. This can lead to unauthorized access to internal files, server-side request forgery, and other security breaches if the XML parser is improperly configured to process external entity references. Exploiting XXE vulnerabilities can expose sensitive data, compromise servers, and perform remote code execution in some scenarios.

In this lesson we will see how crafting an XML payload can be used to enable data exfiltration. After exploiting the XEE vulnerability, we will patch the source code to eliminate the vulnerability.

At the conclusion of this lesson the learner will understand how the XEE vulnerability can occur, how an attacker can you use exploit to access sensitive data and the steps required to eliminate the vulnerability.

Software and Data Integrity Failures | Over-reliance on Cookies

CWE-565: Reliance on Cookies without Validation and Integrity Checking

Cookies are commonly utilized to facilitate the transfer of data between a user's system and the website they are interacting with. It's crucial to recognize that cookies, by their very nature, are not secure. Given that users can access and modify their cookies, there is a risk of tampering, leading to unexpected application behavior.

In this lesson, we'll explore the significant risks associated with using cookies for authorization and demonstrate how dependence on insecure cookies can enable unauthorized access to sensitive data. We'll illustrate strategies for securing data to neutralize the threat posed by cookie exploitation and guide you through updating application code to resolve these vulnerabilities effectively.

By the end of this lesson, learners will grasp the inherent security risks associated with using cookies, understand why cookies are vulnerable, and learn the importance of implementing secure, tamper-resistant cookies for authentication purposes.

Insecure Design | Incorrect Privilege Assignment

CWE-266: Incorrect Privilege Assignment

Insecure design can dramatically impact the security of an application. Take for example Incorrect Privilege Assignment; Incorrect Privilege Assignment occurs when a software product erroneously grants a privilege to an actor, inadvertently expanding their control beyond intended limits. This flaw can lead to unauthorized access or actions within the system, allowing actors to manipulate functionalities or data they should not access. Identifying and correcting such misconfigurations is crucial for maintaining the security and integrity of an application's access control mechanisms.

In this lesson we will see the impact Incorrect Privilege Assignment can have on an application, and how not following security principles can lead to disastrous results. We will then update the code to eliminate the vulnerability.

By the end of this lesson, learners will comprehend the intricacies of Insecure Design and be able to explain how it leads to vulnerabilities like Incorrect Privilege Assignment. They will gain insight into applying the secure design principle of least privilege to prevent such design flaws effectively.

Security Misconfigurations | Error Message Containing Sensitive Information

CWE-656: Reliance on Security Through Obscurity

Security Misconfiguration represents a category of vulnerabilities affecting application security. Within this category, the strategy of Reliance on Security Through Obscurity underscores the peril of relying solely on hiding the details of security mechanisms for protection. Such a strategy may invite vulnerabilities, especially if an attacker manages to reverse engineer the system. Although adding a layer of obscurity can enhance defense in depth by making an attacker's job harder, it becomes a significant liability if it serves as the primary defense strategy. Therefore, integrating obscurity with solid security practices is essential for achieving thorough protection.

In this lesson, we'll explore multiple instances of Security Misconfiguration, particularly focusing on an application's authentication processes. We'll demonstrate how disclosing excessive information to users can simplify the attackers' efforts and illustrate why assuming that application features cannot be inferred is a flawed design approach.

In this lesson the learner will see how an application, while attempting to be user-friendly, may reveal sensitive information that can be used to increase the ease of attacks. The learner will then update the code to mitigate the issue.

Injection | Command Injection

CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Command Injection is a critical security vulnerability that occurs when an application passes unsafe user input to a system shell. This vulnerability allows attackers to execute arbitrary commands on the host operating system, potentially leading to full system compromise, data theft, or unauthorized access to sensitive information. It exploits the lack of proper input validation and sanitization by the application, enabling attackers to inject malicious commands that the application executes unwittingly. Understanding and mitigating command injection vulnerabilities is essential for securing applications against unauthorized command execution and safeguarding system integrity.

In this lesson the learner will be introduced to a type of command injection vulnerability that relies on unsanatized input that will be used in a system command. The learner will perform reconnaissance on the application to determine the vulnerability and then exploit the vulnerability using carefully crafted input. The learner will patch the vulnerability code to ensure the vulnerability is eliminated.

By the end of this lesson, learners will recognize the complexities and risks involved in executing OS commands that incorporate user input. They will be introduced to techniques for preventing command injection vulnerabilities and guided on how to revise vulnerable code to eliminate these security risks effectively.

Server-Side Request Forgery | Regex Filtering

CWE-918: Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) is a security vulnerability that allows an attacker to induce the server to make requests to internal or external resources on the attacker's behalf. This vulnerability exploits the trust a server has in the user or other servers, enabling attackers to bypass access controls, such as firewalls, and access sensitive information or exploit internal systems. SSRF can lead to significant breaches, including unauthorized access to application data, remote code execution, and internal network reconnaissance. Understanding and mitigating SSRF vulnerabilities are crucial for protecting web applications from these indirect attacks that exploit the server's functionality.

Applications frequently try to mitigate Server-Side Request Forgery (SSRF) risks by limiting user input, such as employing regular expressions to validate if a URL pertains to a specific hostname. However, applications may not fully anticipate the diverse formats URLs can take. In this lesson, learners will discover techniques for constructing URLs that can bypass such filters. Subsequently, they will learn to refine the code to comprehensively accommodate the various potential URL formats, enhancing the application's defense against SSRF attacks.

By the end of this lesson, learners will understand the critical importance of vigilance in guarding against Server-Side Request Forgery (SSRF) attacks. They will recognize the limitations of using regular expressions for URL filtering and identify potential oversights in such methods. Furthermore, participants will be equipped with the knowledge to enhance existing code, ensuring comprehensive protection against SSRF vulnerabilities.

Security Logging and Monitoring Failures | Insufficient Logging

CWE-778: Insufficient Logging

Security Logging and Monitoring Failures refer to inadequacies in an organization's ability to detect and respond to security incidents due to insufficient or ineffective logging and monitoring practices. This gap can leave systems vulnerable to undetected breaches, ongoing attacks, and unmonitored malicious activities, significantly increasing the risk of data loss and system compromise. Effective security logging and monitoring are essential for timely detection of threats and ensuring that appropriate measures can be quickly taken to mitigate potential damage.

In this lesson, we'll explore the consequences of inadequate user authentication logging, which can lead to attacks going unnoticed. By reviewing specific code examples, learners will gain insights into the importance of comprehensive logging. They will then be guided on how to enhance the code to include sufficient logging measures, ensuring that potential authentication attacks can be promptly detected and addressed.

By the end of this lesson, learners will appreciate the importance of implementing adequate logging as a fundamental requirement for maintaining a secure and robust application.

Identification and Authentication Failures | Authentication Bypass by Spoofing

CWE-290: Authentication Bypass by Spoofing

Identification and Authentication Failures occur when an application does not properly verify the identity of its users, allowing attackers to assume the identities of legitimate users. This vulnerability can lead to unauthorized access to sensitive data and systems, compromising the security and privacy of the application and its users. Effective identification and authentication mechanisms are crucial to prevent such breaches and ensure that only authorized users can access the application's resources.

In this lesson, we'll explore the vulnerabilities associated with relying on insecure authentication methods, such as using a user's IP address combined with an IP address safelist, and how these can be compromised through spoofing. Following that, we will

demonstrate how to strengthen the authentication process by integrating a more secure, multi-factor authentication system into the login function.

By the end of this lesson, learners will grasp the critical importance of securing their identification and authentication mechanisms within applications. They will gain insight into how Multi-Factor Authentication (MFA) serves as an effective defense against numerous credential-based attacks, ensuring a higher level of security for user data and access.

Broken Access Control | Improper Access Control

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Broken Access Control is a critical security vulnerability that occurs when a user can access data or perform actions outside of their intended permissions. This flaw can lead to unauthorized access to sensitive information, modification of data, or execution of restricted functions. It underscores the need to implement robust access control mechanisms to ensure users can only interact with resources and perform tasks explicitly permitted to their role.

In this lesson, we'll explore how applications suffering from broken access control vulnerabilities can inadvertently grant users access to sensitive data belonging to others. We will examine strategies to enhance the application's security posture, ensuring that users can access only the data for which they have explicit authorization. Through practical examples, we'll learn how to implement robust access control measures to safeguard user data effectively.

By the end of this lesson, learners will understand the critical importance of ensuring an application restricts access strictly to data users are permitted to view. They will be guided through the process of revising the code, implementing necessary safeguards to rectify any broken access control vulnerabilities, thereby strengthening the application's overall security posture.

Injection | SQL Injection

CWE-89: Improper Neutralization of Special Elements used in an SQL Command

SQL Injection is a prevalent security vulnerability that occurs when an attacker manipulates a standard SQL query by injecting malicious SQL code through the application's input channels. This breach can allow attackers to gain unauthorized access to databases, retrieve sensitive information, modify database data, and even execute administrative operations on the database. It exploits weaknesses in input validation and represents a significant threat to any application that uses a SQL database, underscoring the need for rigorous input sanitation and validation techniques.

In this lesson, we explore the potential financial impact of an SQL Injection attack, specifically how it can enable attackers to unearth and exploit coupon codes that are not intended for public access, potentially costing a business thousands of dollars. We will then scrutinize the code to identify key indicators of susceptibility to SQL Injection attacks. To mitigate this risk, we'll demonstrate how to fortify the code by implementing parameterized queries, a proven method for preventing SQL Injection vulnerabilities.

By the conclusion of this lesson, learners will have enhanced their ability to detect code vulnerable to SQL Injection attacks. They will learn to pinpoint the specific segments of code that are susceptible and apply best-practice techniques, such as parameterized queries, to effectively neutralize the threat and secure the application against such vulnerabilities.

Cross-Site Scripting (Reflected XSS) | Improper Web Page Input Neutralization

CWE-79: Improper Neutralization of Input During Web Page Generation

Cross-Site Scripting (XSS) is a common web application vulnerability that allows attackers to inject malicious scripts into content that is then served to other users. This attack can lead to unauthorized access to user sessions, personal information theft, and manipulation of web content for malicious purposes. Understanding and mitigating XSS vulnerabilities are crucial for developers to protect their web applications from being exploited and to maintain the trust and safety of their users.

In this lesson, we will explore the importance of scrutinizing all user input that will be displayed on a webpage. It is crucial to sanitize user input to reduce the attack surface of your application. You will learn how to mitigate vulnerabilities by ensuring that only secure user data is reflected on the site.

At the conclusion of this lesson, you will understand how trusting user input can be detrimental to your application.

Vulnerable and Outdated Components | Using Components with Known Vulnerabilities

CWE-937: Using Components with Known Vulnerabilities

Vulnerable and Outdated Components refer to the use of third-party libraries, frameworks, and other software components that contain known security vulnerabilities due to being outdated or unmaintained. This issue exposes applications to potential attacks, as attackers can exploit these vulnerabilities to compromise the application or steal sensitive data. It underscores the importance of regularly updating and patching software components, conducting thorough security audits, and ensuring dependencies are securely managed throughout the software development lifecycle.

In this lesson, we will explore the process of identifying components with known vulnerabilities within a Python application. Using a specific example, we'll demonstrate how an application component susceptible to exploitation can compromise security. We'll employ a specialized tool to detect the vulnerable component and then guide you through the steps to update it, enhancing the application's overall security.

By the end of this lesson, participants will execute a hands-on demonstration showing how a vulnerable component can become a critical weak point, potentially leading to a security breach. Learners will gain practical insights on integrating security tools into the software development pipeline and learn strategies for strengthening applications by addressing vulnerabilities in their components.

Did this answer your question?