OWASP Top Ten Vulnerabilities
1. Injection
The Laravel query builder uses PDO parameter binding to protect your application
against SQL injection attacks.
Raw statements are interpolated into the query as plain strings, so you must be
extremely careful not to create SQL injection vulnerabilities when using them.
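The same lookup written three ways, as an added example that is not part of the original slides. It assumes a Laravel application with a `users` table that has an `email` column; the function names are illustrative.

```php
<?php
// Added example (not from the original slides). Assumes a Laravel app with a
// `users` table containing an `email` column.

use Illuminate\Support\Facades\DB;

// VULNERABLE: raw SQL assembled by string concatenation. The user-supplied value
// becomes part of the statement text, so a value containing a quote character
// can change the meaning of the query instead of being compared as data.
function findUserUnsafe(string $email)
{
    return DB::select("SELECT * FROM users WHERE email = '" . $email . "'");
}

// SAFE: the query builder binds $email as a PDO parameter. The database receives
// the statement and the value separately, so the value is never parsed as SQL.
function findUserSafe(string $email)
{
    return DB::table('users')->where('email', $email)->first();
}

// SAFE even where a raw fragment is genuinely needed: use `?` placeholders and a
// bindings array rather than embedding the value in the fragment.
function findUserRawBound(string $email)
{
    return DB::table('users')
        ->whereRaw('LOWER(email) = ?', [strtolower($email)])
        ->first();
}
```

The rule of thumb that follows from the slide: anything passed to `DB::raw()`, `whereRaw()`, `selectRaw()` or `DB::statement()` is trusted SQL text, so user input must only ever reach those calls through the bindings array, never through the string.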
2. Broken Authentication
Broken authentication refers to weaknesses in session management and credential
management.
Laravel has rate limiting that can be applied to restrict access to routes. This is
applied through the throttle middleware.
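Rate limiting a login route with the throttle middleware, as an added example rather than code from the original slides. The limiter name `login`, the route paths and the `AuthController` class are assumptions; `RateLimiter::for()` and `Limit` are Laravel's own API (Laravel 8 and later).

```php
<?php
// Added example (not from the original slides). Limiter name, routes and the
// AuthController class are assumptions.

use App\Http\Controllers\AuthController;
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;

// Define a named limiter (normally in a service provider's boot() method):
// at most 5 attempts per minute. The key combines the submitted e-mail with the
// client IP, so a single source cannot burn through attempts for many accounts,
// and a distributed source still cannot hammer one account.
RateLimiter::for('login', function (Request $request) {
    $key = strtolower((string) $request->input('email')) . '|' . $request->ip();

    return Limit::perMinute(5)->by($key);
});

// Apply it in routes/web.php. Requests over the limit receive an HTTP 429 before
// the controller (and therefore the credential check) ever runs.
Route::post('/login', [AuthController::class, 'login'])
    ->middleware('throttle:login');

// The short form needs no named limiter: 60 requests per minute per client IP.
Route::post('/password/email', [AuthController::class, 'sendResetLink'])
    ->middleware('throttle:60,1');
```

The throttle counter is stored in the configured cache driver, so behind a load balancer the cache must be shared (for example Redis) or each node will keep its own count and the effective limit is multiplied by the number of nodes.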
3. Sensitive Data Exposure
Sensitive information should not be stored unless it is needed, and should be
disposed of immediately after use. Also validate everything that a user uploads.
4. XML External Entities (XXE)
Many older or poorly configured XML processors evaluate external entity references
within XML documents. External entities can be used to disclose internal files using the
file URI handler, internal file shares, internal port scanning, remote code execution, and
denial of service attacks.
In PHP, the following should be set when using the default PHP XML parser in order to
prevent XXE:
libxml_set_external_entity_loader(null);
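Parsing untrusted XML with `DOMDocument` while refusing every external entity, as an added example that is not from the original slides. The hostile sample document is constructed for illustration; the function name is an assumption. It goes one step beyond the slide by installing a loader that rejects all external lookups and by passing `LIBXML_NONET`.

```php
<?php
// Added example (not from the original slides). The sample document is constructed.

// Refuse to resolve ANY external entity. Returning null from the loader makes
// references to file://, http:// or other resources fail instead of being read
// into the document. This applies to DOMDocument, SimpleXML and XMLReader alike,
// since all of them sit on libxml.
libxml_set_external_entity_loader(
    static function ($publicId, $systemId, $context) {
        return null;
    }
);

function parseUntrustedXml(string $xml): ?DOMDocument
{
    // Collect libxml errors instead of emitting PHP warnings.
    $previous = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing. LIBXML_NOENT is
    // deliberately NOT passed: it would turn entity substitution on.
    $ok = $dom->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    return $ok ? $dom : null;
}

// Constructed hostile input: a DTD that declares an external entity pointing at a
// local file and then references it in the body.
$hostile = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<data>&xxe;</data>
XML;

// With the loader above and no LIBXML_NOENT, the entity is never fetched: the
// file's contents cannot reach $dom, whether the parse succeeds or is rejected.
$dom = parseUntrustedXml($hostile);
```

Two caveats worth knowing: `libxml_disable_entity_loader()`, which older guidance recommends, is deprecated as of PHP 8.0 because libxml 2.9 and later already disable external entity loading by default, and a rejecting loader like the one above is the portable way to get the same effect explicitly; and a safe parser configuration is per process, so any library that later calls `libxml_set_external_entity_loader()` itself can undo it.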
5. Broken Access Control
Laravel has RBAC (Role-Based Access Control) packages that help manage user
permissions and roles. Laravel also has built-in authorization services.
We need to perform authorization checks on the operations available to logged-in
users, such as controlling access to pages for updating details and form submissions.
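An authorization check on an update operation using Laravel's built-in policy mechanism, as an added example that is not code from the original slides. The `Post` model, `PostPolicy`, `PostController` and the `is_admin` column are assumptions; `Gate::authorize()` and policy auto-discovery (an `App\Policies\PostPolicy` for `App\Models\Post`) are Laravel's own behaviour. Two files are shown together.

```php
<?php
// Added example (not from the original slides). Post, PostPolicy, PostController
// and the is_admin column are assumptions.

// ---- app/Policies/PostPolicy.php ------------------------------------------
namespace App\Policies;

use App\Models\Post;
use App\Models\User;

class PostPolicy
{
    // Laravel passes the currently authenticated user as the first argument.
    // Only the owner or an administrator may update a post.
    public function update(User $user, Post $post): bool
    {
        return $user->id === $post->user_id || (bool) $user->is_admin;
    }
}

// ---- app/Http/Controllers/PostController.php -------------------------------
namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class PostController extends Controller
{
    // VULNERABLE pattern: being logged in is treated as being allowed. Any user
    // who changes the id in the URL can modify someone else's post.
    public function updateUnsafe(Request $request, Post $post)
    {
        $post->update($request->only('title', 'body'));

        return redirect()->back();
    }

    // SAFE: the policy runs before any state changes. A user the policy rejects
    // gets an HTTP 403 from Gate::authorize() and update() is never reached.
    public function update(Request $request, Post $post)
    {
        Gate::authorize('update', $post);

        $data = $request->validate([
            'title' => 'required|string|max:200',
            'body'  => 'required|string',
        ]);
        $post->update($data);

        return redirect()->back();
    }
}
```

The same check can be attached at the routing layer with the `can` middleware, `->middleware(['auth', 'can:update,post'])`, which is useful as a second line of defence but does not replace the check in the controller, since the controller is what other routes and jobs may call.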
6. Security Misconfiguration
Security misconfiguration is commonly a result of insecure default configurations,
incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers,
and verbose error messages containing sensitive information.
In Laravel, the APP_DEBUG environment value must be false in production (with APP_ENV
set to production). This prevents the exposure of sensitive information, such as stack
traces and configuration values, to the end user after deployment.
Besides, we need to keep all the services that we use updated and disable the services
we do not use.
7. Cross-Site Scripting (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page
without proper validation or escaping, or updates an existing web page with
user-supplied data using a browser API that can create HTML or JavaScript.
Laravel’s template engine, Blade, automatically escapes content rendered using the
default {{ $var }} syntax.
Besides this, we should never render user-supplied data without escaping it. We can
also use packages that help protect against XSS attacks.
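How Blade's two output syntaxes behave on the same hostile string, as an added example that is not from the original slides. The comment text is a constructed sample; `Blade::render()` (Laravel 9 and later) and the `e()` helper are Laravel's own.

```php
<?php
// Added example (not from the original slides). The $comment value is constructed.

use Illuminate\Support\Facades\Blade;

// Constructed untrusted input, as might arrive from a comment form.
$comment = '<img src=x onerror="alert(1)">';

// {{ }} passes the value through e(), i.e. htmlspecialchars() with ENT_QUOTES:
// the angle brackets and quotes become HTML entities, the browser shows the
// literal text, and no script runs.
$safe = Blade::render('<p>{{ $c }}</p>', ['c' => $comment]);

// {!! !!} writes the string into the page unchanged, so the <img> element is
// created and its onerror handler executes. Reserve this syntax for markup the
// application generated itself (or sanitized with an allow-list HTML purifier).
$unsafe = Blade::render('<p>{!! $c !!}</p>', ['c' => $comment]);

// Outside templates (e-mail bodies, error messages built by hand, etc.) the
// same escaping is available directly.
$escaped = e($comment);

// Escaping is context specific: inside a <script> block or an HTML attribute
// built from user data, HTML entity escaping alone is not sufficient. Pass data
// to JavaScript as JSON instead of concatenating it into code.
$forJs = Blade::render('<script>const c = @json($c);</script>', ['c' => $comment]);
```

`@json` is Blade's wrapper around `json_encode()` with the flags needed to keep `<`, `>` and quotes from terminating the script block; it is the right tool whenever a value crosses from PHP into JavaScript.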
8. Insecure Deserialization
An application is vulnerable to insecure deserialization if it accepts untrusted user input
in the form of a serialized object and then deserializes it in an unsafe way.
A malicious user can edit a cookie in their browser and use this as an attack vector
against your application. By default, all cookies created by Laravel are encrypted and
signed.
We need to deserialize user-supplied data safely. Prefer JSON or XML; if that is not
possible, use a well-reviewed serialization library that is not known to be vulnerable.
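Reading user preferences from a cookie three ways, as an added example that is not code from the original slides. The cookie layout (`theme`, `per_page`) and the function names are assumptions; `unserialize()`'s `allowed_classes` option and `JSON_THROW_ON_ERROR` are standard PHP.

```php
<?php
// Added example (not from the original slides). Cookie fields are assumptions.

// VULNERABLE: unserialize() on bytes the client controls. PHP's native format can
// name arbitrary classes, and deserializing them runs their __wakeup() and
// __destruct() methods, which is the basis of "PHP object injection".
function loadPrefsUnsafe(string $cookie): array
{
    return (array) unserialize($cookie);
}

// SAFER: if the native format is unavoidable, forbid object instantiation
// entirely. Objects in the payload become __PHP_Incomplete_Class instances
// whose methods never run.
function loadPrefsNoObjects(string $cookie): array
{
    $data = unserialize($cookie, ['allowed_classes' => false]);

    return is_array($data) ? $data : [];
}

// PREFERRED: a data-only format, then explicit validation of every field so
// that the application never trusts the shape or range of what it received.
function loadPrefsJson(string $cookie): array
{
    try {
        // depth 8 is ample for a flat preferences object and bounds the parser
        $data = json_decode($cookie, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    if (!is_array($data)) {
        return [];
    }

    $allowedThemes = ['light', 'dark'];
    $theme = $data['theme'] ?? 'light';

    return [
        'theme'    => in_array($theme, $allowedThemes, true) ? $theme : 'light',
        'per_page' => min(100, max(10, (int) ($data['per_page'] ?? 25))),
    ];
}
```

Laravel's `EncryptCookies` middleware means a cookie the application set cannot be altered without invalidating it, which blocks the tampering scenario in the slide. It does not help with serialized data arriving through any other channel (request bodies, query strings, uploaded files, queue payloads), so the choice of format and validation above still matters.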
9. Using Components With Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the
same privileges as the application. If a vulnerable component is exploited, such an attack
can facilitate serious data loss or server takeover.
We need to keep the dependencies used in the Laravel project up to date and remove all
the dependencies that are not in use.
10. Insufficient Logging and Monitoring
Lack of logs and monitoring, coupled with missing or ineffective integration with incident
response, allows attackers to further attack systems.
Laravel comes with Monolog out of the box. You can also integrate it with third-party
logging services and receive alerts for specific log events.
When it comes to your application and server, log everything, including failed login
attempts and password resets.
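Logging failed logins and password resets through the authentication events Laravel already dispatches, as an added example that is not from the original slides. The subscriber class `LogAuthEvents` and the `slack` channel name are assumptions; `Illuminate\Auth\Events\Failed`, `Illuminate\Auth\Events\PasswordReset` and the subscriber mechanism are Laravel's own.

```php
<?php
// Added example (not from the original slides). The class name and the `slack`
// log channel are assumptions; the event classes are Laravel's.

namespace App\Listeners;

use Illuminate\Auth\Events\Failed;
use Illuminate\Auth\Events\PasswordReset;
use Illuminate\Events\Dispatcher;
use Illuminate\Support\Facades\Log;

class LogAuthEvents
{
    public function onFailed(Failed $event): void
    {
        // Record who, where from and which guard. Never log the submitted
        // password: $event->credentials contains it.
        Log::warning('auth.login.failed', [
            'guard' => $event->guard,
            'email' => $event->credentials['email'] ?? null,
            'ip'    => request()->ip(),
            'ua'    => request()->userAgent(),
        ]);
    }

    public function onPasswordReset(PasswordReset $event): void
    {
        $context = [
            'user_id' => $event->user->getAuthIdentifier(),
            'ip'      => request()->ip(),
        ];
        Log::notice('auth.password.reset', $context);

        // Forward a copy to an alerting channel (assumed to be configured in
        // config/logging.php) so an operator sees resets as they happen.
        Log::channel('slack')->notice('Password reset completed', $context);
    }

    // Map each event to its handler. Register the class in
    // EventServiceProvider::$subscribe (or rely on event discovery).
    public function subscribe(Dispatcher $events): array
    {
        return [
            Failed::class        => 'onFailed',
            PasswordReset::class => 'onPasswordReset',
        ];
    }
}
```

Structured context arrays (rather than interpolated messages) are what make the "alerts for specific log events" part of the slide workable: a downstream service can then group by `email` or `ip` and raise an alert when failed logins for one account or from one address exceed a threshold.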
Thank You
Any Questions?