How to Block the Latest OWASP Top 10 Vulnerabilities on Heroku

What’s the OWASP Top Ten?

The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to improving the overall application security of the world’s computer systems.

They annually survey their membership, do research, and develop a list of the Top 10 most common security vulnerabilities affecting web applications.

Categories of Vulnerabilities, Not Implementations

OWASP’s list deliberately doesn’t name specific flaws in particular web frameworks; instead it focuses on the categories of attacks most likely to hit your application. This can make it difficult to work out how you would use Expedited WAF to lower your overall application risk.

To help overcome this, below, we’ve mapped the vulnerabilities list to the Expedited WAF features that

The ten vulnerabilities for 2018 (2019 is not yet released) are listed below.

1. Injection

Attacks performed by sending malformed or corrupted data into your application to execute later. Examples: SQL Injection, XSS

How Expedited WAF Helps

Automatic blocking of SQL Injection, XSS and CSRF attacks.

2. Broken Authentication

Authentication endpoints of web applications are commonly attacked.

How Expedited WAF Helps

Use Expedited WAF to add additional layers of security to sensitive endpoints like /admin or /login by setting IP, User Agent or Country blocks on requests.

3. Sensitive data exposure

Most often attackers are not arbitrarily attacking a web application, they are after the sensitive data that it contains.

How Expedited WAF Helps

Expedited WAF is already protecting your data in transit by enforcing the strictest TLS requirements available. It also sets HTTP security headers in responses to prevent TLS stripping and other downgrade attacks.
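As an added illustration of the headers-plus-redirect pattern this section describes (example code written for this page, not Expedited WAF's own code or configuration): Heroku's router terminates TLS and reports the original scheme to the dyno in the X-Forwarded-Proto header, so an application-level check has to read that header rather than the socket. The handler below assumes that header is trustworthy, redirects plain-HTTP requests to HTTPS, and attaches Strict-Transport-Security only to HTTPS responses, since browsers ignore HSTS received over plain HTTP.

```python
"""Enforce HTTPS and add anti-downgrade headers behind a TLS-terminating router.
Added example; the host, paths and header values used in comments are constructed."""

HSTS_MAX_AGE = 31536000  # one year, in seconds

SECURITY_HEADERS = {
    # Instruct browsers to use HTTPS for this host (and subdomains) for a year,
    # which defeats later stripping/downgrade attempts on returning visitors.
    "Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains",
    # Stop browsers from sniffing a content type that differs from the declared one.
    "X-Content-Type-Options": "nosniff",
    # Refuse to be embedded in frames on other origins (clickjacking).
    "X-Frame-Options": "DENY",
}


def handle(method, host, path, headers):
    """Return (status, response_headers) for one request.

    `headers` is the incoming request header mapping. Requests that arrived at
    the router over plain HTTP (X-Forwarded-Proto != https) are redirected to the
    same URL over HTTPS; HTTPS requests get a 200 carrying the security headers.
    """
    scheme = headers.get("X-Forwarded-Proto", "http").lower()
    if scheme != "https":
        # 301 is fine for safe methods; 307 preserves method and body for the rest,
        # so a POST is not silently turned into a GET by the redirect.
        status = 301 if method in ("GET", "HEAD") else 307
        return status, {"Location": f"https://{host}{path}"}
    # HSTS is only honoured by browsers when delivered over HTTPS, so it is
    # attached here and never to the redirect above.
    return 200, dict(SECURITY_HEADERS)


if __name__ == "__main__":
    print(handle("GET", "example.com", "/login", {"X-Forwarded-Proto": "http"}))
    print(handle("GET", "example.com", "/login", {"X-Forwarded-Proto": "https"}))
```

Sending HSTS for the first time commits browsers to HTTPS for the whole max-age, so the header is best added only once every subdomain covered by includeSubDomains is actually served over TLS.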

4. XML External Entities (XXE)

Exploitation of application XML parsing via injection of additional entities which break the XML parser.

How Expedited WAF Helps

By blocking injection attempts Expedited WAF stops XXE attacks from occurring.

5. Broken Access controls

Users should only have access to the areas they need; for example, a normal user shouldn't be able to access another user's data without permission, or sensitive areas such as /admin pages.

How Expedited WAF Helps

Use Expedited WAF to implement a least-privilege security model by adding additional restrictions to sensitive areas.
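The per-endpoint IP, User-Agent and country restrictions mentioned for /login and /admin above, and the least-privilege restrictions on sensitive areas described in this section, both come down to the same idea: a rule scoped to a path prefix that is evaluated before the request reaches the application. The following is an added example of such an evaluator, written for this page; it is not Expedited WAF's rule format or code, and the rule definitions, addresses, country codes and User-Agent patterns in it are constructed placeholders.

```python
"""Path-scoped request restrictions (added example, not Expedited WAF's own code).

A Rule applies to every path beginning with `path_prefix`. The first matching
rule decides: the client must be in the IP allow-list (if one is set), must not
come from a blocked country, and must not present a blocked User-Agent pattern.
Paths without a rule fall through to the application untouched.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import fnmatch


@dataclass
class Rule:
    path_prefix: str
    allow_ips: list = field(default_factory=list)          # CIDR strings; empty = any IP
    block_countries: set = field(default_factory=set)      # ISO country codes to deny
    block_user_agents: list = field(default_factory=list)  # glob patterns on User-Agent


# Constructed rules: /admin only from an office network (203.0.113.0/24 is a
# documentation range) and never from country "XX"; /login refuses two
# scripted-client User-Agent patterns. All values are placeholders.
RULES = [
    Rule("/admin", allow_ips=["203.0.113.0/24"], block_countries={"XX"}),
    Rule("/login", block_user_agents=["python-requests/*", "curl/*"]),
]


def evaluate(path, client_ip, country, user_agent, rules=RULES):
    """Return (allowed, reason) for one request. `country` is whatever the
    GeoIP lookup produced for client_ip (looked up elsewhere; passed in here)."""
    for rule in rules:
        if not path.startswith(rule.path_prefix):
            continue
        if rule.allow_ips:
            addr = ip_address(client_ip)
            if not any(addr in ip_network(cidr) for cidr in rule.allow_ips):
                return False, f"ip {client_ip} not in allow-list for {rule.path_prefix}"
        if country in rule.block_countries:
            return False, f"country {country} blocked for {rule.path_prefix}"
        for pattern in rule.block_user_agents:
            if fnmatch.fnmatch(user_agent, pattern):
                return False, f"user-agent matches {pattern!r} on {rule.path_prefix}"
        return True, "matched rule, all checks passed"
    return True, "no rule for path"


if __name__ == "__main__":
    print(evaluate("/admin/users", "203.0.113.7", "US", "Mozilla/5.0"))
    print(evaluate("/admin/users", "198.51.100.9", "US", "Mozilla/5.0"))
    print(evaluate("/login", "198.51.100.9", "US", "curl/7.64.0"))
```

On Heroku the dyno does not see the client's socket address; the router supplies it in X-Forwarded-For, and the entry the router itself appended is the one to trust, since a client can prepend arbitrary values to that header. The country code is assumed to come from a separate GeoIP lookup on that address.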

6. Security misconfigurations

As the complexity of modern web stacks has exploded, there has been a parallel rise in security breaches caused by misconfigured or poorly configured systems.

How Expedited WAF Helps

To the greatest extent possible Expedited WAF has been made to work "out of the box" for you so that there is little opportunity to misconfigure access.

By applying site-wide, continuously updated security controls to inbound web requests to your application, it blocks many attacks that would otherwise filter through.

7. Cross Site Scripting (XSS)

Cross Site Scripting attacks use your web application as a vector to spread maliciously injected scripts.

How Expedited WAF Helps

While modern web frameworks often have XSS mitigation features built in, you still need a 100% success rate in implementing them correctly. A slightly tweaked form input validation could accidentally give near complete control of your site to an attacker.

Expedited WAF puts a second, global, always-on XSS shield around your application.

8. Insecure Deserialization

Transforming data structures from one form to another is a core aspect of nearly any web interaction (ex: form/url parameters to hashes or dictionaries).

But despite how common an activity it is, the serialization/deserialization process can still be fraught with danger. Attackers can sneak in characters that break deserialization in particular ways, granting them access outside the bounds of normal program execution.

How Expedited WAF Helps

By pre-filtering all web requests, Expedited WAF is able to block requests with anomalous characters before they connect to your app for serialization.

9. Using Components with known vulnerabilities

No matter what web application framework you're using, two things are guaranteed:

1. New security issues are continually discovered
2. Updates are necessary to patch and reduce the risk from vulnerable components and dependencies.

How Expedited WAF Helps

Expedited WAF doesn't remove the need to update your applications, but it can give you some breathing room and additional protection while you do so.

Consider a SQL Injection attack that affects a particular feature route within your web stack. Expedited WAF will block that attack on the basis of having SQL Injection traits in the request itself before it can reach your application.

We refer to this as "virtual patching".

10. Insufficient logging and monitoring

By default, Heroku logs are ephemeral, and even with a logging solution you still need to put in serious work to separate signal from noise and identify what is happening.

How Expedited WAF Helps

Expedited WAF logs every attack it blocks, recording not just the time and the request but the detailed context you need to make decisions: the attack category, the country of origin, and whether it is part of a larger pattern of attacks.
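To show what "signal from the noise" looks like in practice, here is an added example (not Expedited WAF's log format or code) that takes per-request block events of the kind described above and derives the context this section lists: counts by attack category and country, plus a flag on any source address whose blocks cluster closely enough in time to look like a campaign rather than an isolated hit. The event shape, the timestamps and the addresses are all constructed for the example.

```python
"""Summarise blocked-request events into category, country and campaign context.
Added example; the event format and sample data below are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The addresses are documentation ranges and the
# country codes are placeholders.
EVENTS = [
    {"ts": "2019-03-01T10:00:00", "ip": "198.51.100.5", "country": "XX", "category": "sqli", "path": "/search"},
    {"ts": "2019-03-01T10:00:03", "ip": "198.51.100.5", "country": "XX", "category": "sqli", "path": "/search"},
    {"ts": "2019-03-01T10:00:07", "ip": "198.51.100.5", "country": "XX", "category": "xss", "path": "/comment"},
    {"ts": "2019-03-01T10:00:09", "ip": "198.51.100.5", "country": "XX", "category": "sqli", "path": "/login"},
    {"ts": "2019-03-01T10:30:00", "ip": "203.0.113.9", "country": "YY", "category": "xss", "path": "/comment"},
    {"ts": "2019-03-01T11:00:00", "ip": "203.0.113.9", "country": "YY", "category": "sqli", "path": "/search"},
]


def summarize(events, window=timedelta(minutes=5), threshold=3):
    """Return category and country counts, and the list of source IPs that
    produced at least `threshold` blocks inside any `window`-long interval.

    The sliding window is the usual way to tell a burst (one attacker working
    through a site) from the background of one-off probes that every public
    application receives.
    """
    by_category = Counter(e["category"] for e in events)
    by_country = Counter(e["country"] for e in events)

    # Timestamps per source IP, in chronological order.
    per_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        per_ip[e["ip"]].append(datetime.fromisoformat(e["ts"]))

    campaigns = set()
    for ip, times in per_ip.items():
        start = 0
        for end in range(len(times)):
            # Advance the window start until times[start..end] spans <= window.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                campaigns.add(ip)
                break

    return {
        "by_category": dict(by_category),
        "by_country": dict(by_country),
        "campaigns": sorted(campaigns),
    }


if __name__ == "__main__":
    print(summarize(EVENTS))
```

With the sample above, the first address produces four blocks in nine seconds and is flagged, while the second address's two blocks half an hour apart stay below the threshold; lowering the threshold or widening the window trades false positives for earlier detection, which is the tuning decision the raw per-request log alone does not let you make.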