The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to proving unbiased, practical information about application security. The OWASP top 10 represents the most critical web application security flaws. These vulnerabilities occur frequently in web application and they are dangerous because they will allow attackers to take over your system and steal sensitive data. Security breaches continue to proliferate through web application layer and enterprise and organization will need a new approach to security. AIONCLOUD provides complete protection against OWASP top 10. Here is short description of top 10 vulnerabilities and how AIONCLOUD protect them. 1. Injection Injection flaws such as SQL, OS, LDAP, Xpath or NoSQL occur when an application sends untrusted data to interpreter as part of a command or query. The attacker sends simple text-based attacks that exploit the syntax of interpreter and trick the interpreter into accessing protected data without authorization and executing unintended commands. Injection impact to loss data and deny the service. AIONCLOUD is able to protect against injection by using two security policies. - SQL Injection Detection : Detect SQL injection attacks by checking HTTP request data - Command Injection Detection : Inspect HTTP request data to steal information of web server by using major system command or detect command injection attack that causes service failure 2. Broken Authentication and Session Management As authentication and session management are often not implemented correctly, attacker impersonates users’ identities by exploiting password, keys and session ID. Once account is attacked successful, the attacker can do anything with authentication. AIONCLOUD responds to this vulnerability through cookie forgery detection. - Cookie Forgery Detection : Detect attackers who attack web server by using another cookie 3. Cross-site Scripting (XSS) Cross-site scripting flaws occur when an application takes untrusted data and sends it to web browser without properly validating or escaping. There are three types of Cross-site scripting as follows; stored, reflected, and DOM based XSS. The attacker can execute scripts in browser to hijack user sessions, insert hostile contents and deface website. AIONCLOUD provides protection against XSS - XSS Detection : Detection of XSS attack by checking HTTP request data 4. Insecure Direct Object References A direct object reference flaws occur when user exposes a reference to internal implementation object such as file, directory or DB key. As an application does not always verify that the user is authorized, direct object reference becomes insecure and attacker access unauthorized data by manipulating exposed reference. AIONCLOUD protects against directory-based access control and application exploits. - Directory Access Detection : Prevent leakage/ forgery of information and access to direct directory using wrong server setting or location error of important file 5. Security Misconfiguration To be secure an application, security configuration should be defined and developed for application server, application frameworks, web server and DB server and software should be kept up to date. This flaw allow attacker to access system data or functionality. AIONCLOUD responds to security configuration errors through 4 policies. - Directory Listing : Block vulnerability in which all directory and file information on the web server is exposed to user due to incorrect settings of the web server - Error Page Cloaking : Redirect to specified page if an error page is sent due to an internal error of the web server, or if the response code of the web server is the specified error code - Malicious File Upload Detection : Block malicious file execution to attack web server if there is no regulation on file upload - Default Page Access Detection : Checking HTTP request data to detect access to installation / sample / library files used by the application 6. Sensitive Data Expose Sensitive data is not properly protected and encrypted. The attacker steals or modifies sensitive data to conduct credit card fraud, identity theft or other crimes. Sensitive data includes such as health records, social number, credit card number and personal data and it should deserves special precautions and encryption for extra protection when exchanged with the browser. AIONCLOUD can prevent exposure of sensitive data. - SSL Termination : Block and detect HTTPS attack through encryption / decryption of HTTPS transmission - Inflow / outflow Personal Information Detection : Check HTTP response data to block the incoming / outgoing data and masking of data corresponding to social number or card number, rules set by the user 7. Missing Function Level Access Control Function level protection is managed via configuration and most application verify function level access right properly. The attacker can forge requests to access functionality without proper access right when requests are not verified. Administrative functions are frequently targeted and these flaws allow attackers to access unauthorized functionality. AIONCLOUD can respond to this vulnerability with two policies. - Forced Browsing : Detect if the number of abnormal responses to HTTP requests in the past 1 minute exceeds the set threshold and adds the list to the Blacklist. - URL Access Control : Control access to important URLs such as admin pages 8. Cross-Site Request Forgery Cross-site request forgery attack forces a logged-on browser to send a forged HTTP request, including session cookies and credentials automatically. The attackers can create malicious web pages to generate forged requests that are legitimate request from victim. AIONCLOUD can defend against CSRF vulnerability. - CSRF Detection: Block CSRF attacks by checking HTTP request data 9. Using Components with Known Vulnerability Vulnerable components such as libraries, frameworks and other software modules run with full privileges but it can be exploited by using scanning or manual analysis and customizing attack code. Application with vulnerable components can be undermined defense and enable to expand a range of possible attacks and impacts. AIONCLOUD can respond through application vulnerability detection. - Application Vulnerability Detection : Detect attacks targeting Web application vulnerabilities by checking HTTP request data 10. Unvalidated Redirects and Forwards Application frequently redirects and forwards users to other pages and uses untrusted data to determine the destination pages. The attacker can trick users to submit a request to websites and links to unvailidated redirect and tricks victims into clicking it. Also, the attacker can use forwards to access unauthorized pages to install malware or leak sensitive data. AIONCLOUD respond through this policy. - Unverified Redirect Detection : Detects if the web attacker's page is tricked into accessing a normal page by checking the HTTP redirect / forward response header and request header Until now, we reviewed OWASP Top 10 and how AIONCLOUD protect your website against OWASP Top 10 vulnerabilities. It is simple to protect your website from these latest security threats. AIONCLOUD provides strong security and protects your website from OWASP Top 10. AIONCLOUD makes your website to be secure with simple policy setting. To be secure your website, please take simple steps to apply free service.