The 10 Most Critical Application Security Risks

Jack Riewe 3.31.2017

OWASP, the Open Web Application Security Project, is a non-profit dedicated to spreading information on application security. Its goal is to make software security visible so that the public can make informed decisions about security. Periodically, OWASP publishes a list of the ten most critical application security risks. The list isn’t constructed by OWASP alone; the whole web community is encouraged to contribute. The most recent list was published in 2013, and a newer version is expected to be published later this year.

In a recent webinar, WP Engine’s Security Engineer Justin Dailey and Security Architect Will West talked through this list. Read on for a recap of OWASP’s top 10 security risks and what you can do to further harden the security of your WordPress site.

1. Injection

“There’s a lot of different kinds of injections, targeted at different kinds of subsystems. The essential thing they let you do is they let you bypass protections and do unintended things and access data you weren’t intended to access,” said West.

To protect yourself, enforce input type and length, ensure special characters are escaped, validate all input fields against an input validation whitelist, and avoid dynamic queries or commands.
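As an added illustration (this code is not from the WP Engine post or the webinar), the following Python puts the dynamic-query anti-pattern beside the two defenses the paragraph recommends: a whitelist validator and a parameterized query. The table, rows and the malformed input are constructed for the example.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for a site's users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "editor"), (3, "carol", "subscriber")],
    )
    return conn


# Whitelist: only lowercase letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(value: str) -> str:
    """Enforce type, length and character set before the value goes anywhere."""
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise ValueError("invalid username")
    return value


def lookup_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """The dynamic-query anti-pattern: user input becomes part of the SQL text."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the input is a bound parameter, never part of the SQL text."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Both defenses together: validate against the whitelist first, then bind."""
    return lookup_parameterized(conn, validate_username(name))


def demo() -> dict:
    """Run the same malformed input through all three lookups and report the outcome."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed malformed input containing a quote
    result = {
        "dynamic": lookup_dynamic(conn, crafted),
        "parameterized": lookup_parameterized(conn, crafted),
    }
    try:
        lookup_hardened(conn, crafted)
        result["hardened"] = "accepted"
    except ValueError:
        result["hardened"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The dynamic query returns every row because the quote in the input changes the meaning of the SQL; the parameterized query treats the same text as an ordinary string and matches nothing; the whitelist rejects it before the database is ever asked.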

2. Weak Authentication and Session Management

These attacks take advantage of improper authentication or session management and can lead to the disclosure of sensitive information such as passwords.

This is why user management and authentication are important. Perform user and role validation on all actions, and use secure session cookie flags as well as CSRF tokens with forms.

3. Cross Site Scripting (XSS)

“Cross-site scripting is one of the most entertaining issues to find on a web page. One of the easiest ways for it to pop up is to have a JavaScript alert. It makes it so that someone who isn’t supposed to put scripts on a page can’t put scripts on a page,” said West.

An unwanted script can lead to compromised credentials and sessions, site defacement, or redirection to malicious sites. To mitigate this, sanitize input, output-encode all user data upon rendering, and perform positive output validation using a correct character set.
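An added example of the output-encoding step (not code from the post or from WP Engine): a small renderer that escapes user-supplied data for the HTML context it lands in, refuses non-http(s) link schemes, and sends an explicit character set. The comment fields are constructed; `render_comment` and `response_headers` are this example's own names.

```python
import html


def safe_link(url: str) -> str:
    """Only http and https links are allowed in an href; anything else is neutralised."""
    if url.lower().startswith(("http://", "https://")):
        # Encode quotes and angle brackets so the value cannot break out of the attribute.
        return html.escape(url, quote=True)
    return "#"


def render_comment(author: str, body: str, website: str) -> str:
    """Render user-supplied fields into HTML, encoding for each output context."""
    # quote=True also encodes " and ', which matters inside attribute values.
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    safe_href = safe_link(website)
    return (
        '<div class="comment">'
        f'<a href="{safe_href}" title="{safe_author}">{safe_author}</a>'
        f"<p>{safe_body}</p>"
        "</div>"
    )


def response_headers() -> dict:
    """Declare the character set explicitly so browsers do not guess one."""
    return {"Content-Type": "text/html; charset=utf-8"}


if __name__ == "__main__":
    # Constructed comment whose body contains markup and whose link is not http(s).
    print(render_comment("Eve", "<script>alert(1)</script>", "javascript:alert(1)"))
```

The markup in the body survives only as text (`&lt;script&gt;...`), the quote in an author name cannot close the `title` attribute, and the link falls back to `#`.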

4. Insecure Direct Object References

It’s scary when your files are exposed. Insecure direct object references lead to unauthorized data access. The most common form most people have heard of is Local File Inclusion, where a file that should stay private shows up on the front end of a web page.

Enforce access control checks whenever you use direct object references, and use reference maps instead of direct references.
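Both mitigations in one added example (this is not the post's or WP Engine's code): `authorize_direct` is the access control check for a direct reference, and `ReferenceMap` is a per-user indirect reference map that hands out random handles instead of real paths. The ownership table and file names are constructed.

```python
import secrets

# Constructed ownership table: which private files each user may read.
OWNED_FILES = {
    "alice": ["invoices/2017-03.pdf", "contracts/nda.pdf"],
    "bob": ["invoices/2017-02.pdf"],
}


def authorize_direct(user: str, path: str) -> str:
    """Access control check for a direct object reference: owner or nothing."""
    if path not in OWNED_FILES.get(user, []):
        raise PermissionError(f"{user} may not access {path}")
    return path


class ReferenceMap:
    """Indirect references: a random handle per object, valid only for this user.

    The client never sees or submits a real path or ID, so it cannot
    modify one to reach somebody else's object.
    """

    def __init__(self, user: str):
        self.user = user
        self._handles = {}
        for path in OWNED_FILES.get(user, []):
            self._handles[secrets.token_urlsafe(16)] = path

    def handles(self) -> list:
        """Handles to embed in links or forms for this user."""
        return list(self._handles)

    def resolve(self, handle: str) -> str:
        """Map a submitted handle back to the real object, re-checking ownership."""
        path = self._handles.get(handle)
        if path is None:
            raise PermissionError("unknown or foreign reference")
        # Defence in depth: the map is per user, but check ownership anyway.
        return authorize_direct(self.user, path)


if __name__ == "__main__":
    alice = ReferenceMap("alice")
    for h in alice.handles():
        print(h, "->", alice.resolve(h))
```

A handle issued to one user resolves to nothing in another user's map, so the failure mode of a guessable ID disappears entirely.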

5. Security Misconfiguration

If your security configuration is outdated or not set up properly, this can lead to unintended access to data or application functions.

The easiest way to fight a bad security configuration is a repeatable and testable hardening process, together with regular updating and patching. If you’re diligent about security, you are far less likely to be hacked.
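A "repeatable and testable hardening process" can be as small as a script that audits a config file against a baseline. The added example below (not from the post or from WP Engine) checks `define()` lines in a wp-config.php against three constants. `WP_DEBUG`, `DISALLOW_FILE_EDIT` and `FORCE_SSL_ADMIN` are real WordPress constants; the baseline values, the two sample configs and the `audit` function are this example's own choices.

```python
import re

# Baseline this example enforces (not a WP Engine policy): debug output off,
# the in-dashboard file editor disabled, and the admin area served over HTTPS.
BASELINE = {
    "WP_DEBUG": "false",
    "DISALLOW_FILE_EDIT": "true",
    "FORCE_SSL_ADMIN": "true",
}

# Matches define('NAME', true) / define("NAME", false), case-insensitively.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false)\s*\)""", re.IGNORECASE
)


def parse_defines(config_text: str) -> dict:
    """Extract boolean constants from wp-config.php-style text."""
    return {name: value.lower() for name, value in DEFINE_RE.findall(config_text)}


def audit(config_text: str) -> list:
    """Return (constant, expected, actual) for every deviation; empty means compliant."""
    found = parse_defines(config_text)
    findings = []
    for name, expected in BASELINE.items():
        actual = found.get(name, "<unset>")
        if actual != expected:
            findings.append((name, expected, actual))
    return findings


# Constructed sample configs: the weak setting beside its corrected form.
WEAK_CONFIG = """<?php
define('WP_DEBUG', true);
define('DB_NAME', 'wordpress');
"""

HARDENED_CONFIG = """<?php
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Because the check returns structured findings rather than printing them, it can run in CI on every deploy and fail the build when a setting drifts, which is what makes the process repeatable.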

6. Sensitive Data Exposure

This is caused by improper encryption of sensitive data such as payment credentials or personal information, and it can lead to fraud or to a company becoming the victim of a PR scandal.

To fix this, encrypt data and avoid storing sensitive data.

7. Missing Function Level Access Control

“Missing Function Level Access Control is one of my favorites to find because you are using the application and the JavaScript says ‘no, you can’t do this,’ and then you can just go do it if you bypass the JavaScript on the application,” said West.

Bypassing this protection allows access to unauthorized functions and data. Defend against it with explicit grants and a deny-by-default policy. Also, performing validation on both the client side and the server side will protect you more thoroughly.
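The server-side half of that advice, and the "user and role validation on all actions" from risk 2, in one added example (not code from the post or WP Engine): a role-to-grants table where anything not explicitly listed is denied, called by every request handler before it does any work. The roles, users and action names are constructed.

```python
# Constructed explicit grants: a role may do only what is listed here.
GRANTS = {
    "admin": {"view_post", "edit_post", "delete_post", "manage_users"},
    "editor": {"view_post", "edit_post"},
    "subscriber": {"view_post"},
}

# Constructed user directory; in a real app this comes from the session store.
USERS = {"alice": "admin", "bob": "editor", "carol": "subscriber"}


class Forbidden(Exception):
    """Raised whenever the deny-by-default check fails."""


def authorize(session_user: str, action: str) -> bool:
    """Deny by default: unknown users, unknown roles and unlisted actions all fail."""
    role = USERS.get(session_user)
    if role is None:
        raise Forbidden(f"no such user: {session_user!r}")
    if action not in GRANTS.get(role, set()):
        raise Forbidden(f"{session_user} ({role}) may not {action}")
    return True


def handle_request(session_user: str, action: str, payload: dict) -> dict:
    """Every handler authorizes first; a hidden button in the UI is not a control."""
    authorize(session_user, action)
    # ... perform the action here ...
    return {"ok": True, "action": action, "by": session_user, "payload": payload}


if __name__ == "__main__":
    print(handle_request("alice", "manage_users", {}))
    try:
        # An editor who bypasses the JavaScript and posts the request directly.
        handle_request("bob", "manage_users", {})
    except Forbidden as err:
        print("rejected:", err)
```

The check lives in the handler, not in the page's JavaScript, so a request that skips the client-side validation still hits the same refusal.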

8. Cross Site Request Forgery

In this attack, the attacker forces a logged-in victim’s browser to send a forged HTTP request that can include local session information. These requests target sites that do not properly validate requests.

To avoid this, include an unpredictable CSRF token in each HTTP request.
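An added example (not from the post or from WP Engine) covering this mitigation and the secure session cookie flags from risk 2: the token is a random nonce plus an HMAC that binds it to the session, so it is unpredictable and cannot be reused across sessions, and the session cookie carries `Secure`, `HttpOnly` and `SameSite`. The server secret and form fields are constructed; `handle_form_post` is this example's own name.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; in production it is loaded from protected config.
SERVER_SECRET = secrets.token_bytes(32)


def session_cookie(session_id: str) -> str:
    """Set-Cookie value with the secure session cookie flags the article recommends."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def csrf_token(session_id: str) -> str:
    """Unpredictable token bound to this session: nonce.HMAC(secret, session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"


def verify_csrf(session_id: str, submitted) -> bool:
    """Recompute the MAC for the submitted nonce and compare in constant time."""
    if not submitted or "." not in submitted:
        return False
    nonce, mac = submitted.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), mac)


def handle_form_post(cookie_session_id: str, form_fields: dict) -> tuple:
    """A state-changing handler: reject the request unless the token checks out."""
    if not verify_csrf(cookie_session_id, form_fields.get("csrf_token")):
        return 403, "request rejected: missing or invalid CSRF token"
    return 200, "profile updated"


if __name__ == "__main__":
    sid = "abc123"  # constructed session id
    print(session_cookie(sid))
    token = csrf_token(sid)
    print(handle_form_post(sid, {"csrf_token": token, "display_name": "x"}))
    print(handle_form_post(sid, {"display_name": "x"}))  # forged: no token
```

A forged request from another origin carries the victim's cookie automatically but cannot carry a token the attacker never saw, so it fails the check; `SameSite=Lax` additionally stops the browser from attaching the cookie to most cross-site POSTs at all.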

9. Using Components with Known Vulnerabilities

This is pretty self-explanatory and probably the easiest risk to avoid. Hackers can easily bypass old security measures. Simply keep track of the software versions your application is using and monitor the security of those components through public notifications such as mailing lists. Lastly, remember to follow policies on which software components are acceptable. Two common components that have been exposed in the WordPress world are TimThumb and Rev Slider.
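"Keep track of the software versions" only works if versions are compared correctly. The added example below (not from the post or from WP Engine) joins a constructed plugin inventory to a constructed advisory feed and flags any component installed below the fixed version; the component names and version numbers are made up for the example and are not real advisories.

```python
import re


def parse_version(version: str) -> tuple:
    """Split '1.10.2' into (1, 10, 2) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


# Constructed inventory: what this site has installed.
INVENTORY = {
    "example-gallery": "1.9.2",
    "example-slider": "4.1.0",
    "example-seo": "2.0.5",
}

# Constructed advisory feed: the first version that contains each fix.
ADVISORIES = [
    {"component": "example-gallery", "fixed_in": "1.10.0"},
    {"component": "example-slider", "fixed_in": "4.0.3"},
    {"component": "example-forms", "fixed_in": "3.2.1"},  # not installed here
]


def outdated_components(inventory: dict, advisories: list) -> list:
    """Return (component, installed, fixed_in) for every installed component below its fix."""
    findings = []
    for advisory in advisories:
        installed = inventory.get(advisory["component"])
        if installed is None:
            continue  # not installed, nothing to do
        if parse_version(installed) < parse_version(advisory["fixed_in"]):
            findings.append((advisory["component"], installed, advisory["fixed_in"]))
    return findings


if __name__ == "__main__":
    for name, installed, fixed in outdated_components(INVENTORY, ADVISORIES):
        print(f"UPDATE {name}: installed {installed}, fixed in {fixed}")
```

Note the trap the numeric parse avoids: compared as strings, `"1.9.2"` sorts after `"1.10.0"`, so a naive check would report the gallery plugin as up to date.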

10. Unvalidated Redirects and Forwards

If your site gets hacked, the hackers can redirect users visiting your site to malicious sites, and such a redirect can trick users into thinking the malicious site is yours. If you can, avoid redirects and forwards altogether. If you have to use them, do not include dynamic parameters for the destination.
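An added example (not from the post or from WP Engine) of both options: `redirect_by_key` looks the destination up from a fixed table so no dynamic parameter names a URL, and `safe_redirect_target` is the fallback validator for the cases where a dynamic `next` parameter cannot be avoided. It handles the edge cases that commonly slip through: scheme-relative `//host` URLs, backslashes, `user@host` tricks and non-http schemes. The allowed hosts and destination table are constructed.

```python
from urllib.parse import urlsplit

# Constructed: the only hosts an absolute redirect may point at.
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Constructed: fixed destinations, selected by key rather than by URL.
DESTINATIONS = {"dashboard": "/wp-admin/", "home": "/", "profile": "/wp-admin/profile.php"}


def redirect_by_key(key: str, fallback: str = "/") -> str:
    """Preferred form: the client names a key, the server owns the URL."""
    return DESTINATIONS.get(key, fallback)


def safe_redirect_target(candidate, fallback: str = "/") -> str:
    """Return candidate only if it stays on our own site; otherwise the fallback."""
    if not candidate:
        return fallback
    # Some browsers treat backslashes as slashes; normalise before parsing
    # so '/\evil.example' is seen for the scheme-relative URL it becomes.
    normalized = candidate.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: require https and an allowlisted host.
        # parts.hostname ignores any 'user@' prefix, so 'https://www.example.com@evil' fails.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return fallback
        return normalized
    # Relative path: exactly one leading slash (a second one would mean a new host).
    if not normalized.startswith("/") or normalized.startswith("//"):
        return fallback
    return normalized


if __name__ == "__main__":
    for raw in ["/account", "//evil.example/x", "https://www.example.com/dash",
                "/\\evil.example", "javascript:alert(1)", "https://www.example.com@evil.example/"]:
        print(f"{raw!r:45} -> {safe_redirect_target(raw)!r}")
```

The first function is the one to reach for; the validator exists for legacy parameters, and its allowlist is the decisive check, since every tricky input above either parses to an unexpected host or to an unexpected scheme and lands on the fallback.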

Final Thoughts

As for WP Engine, we supply a variety of platform protections. We conduct periodic security audits and real-time threat detection. WP Engine also performs automatic backups, making it nearly impossible to lose data. See here for the other WordPress security features we offer.

Comments

  1. Brendan says

    April 3, 2017 at 11:54 am

    I was excited to see a title with “WordPress” & “Top 10 Critical Security Risks” hoping for an in-depth article, but it turns out this is just click bait with no real information minus some generic terms in header tags.
