What is OWASP?
OWASP stands for Open Web Application Security Project, a community dedicated entirely to web application security. OWASP works with a single mission: to make web applications on the internet more secure and to help businesses and individuals understand what software security risk actually is.
What is OWASP Top 10?
OWASP publishes a list of the ten most dangerous current web application security flaws, along with methods to fix them. Companies that adopt the OWASP Top Ten help their developers write secure code and minimize flaws that would otherwise be overlooked or go unnoticed.
How does uKnowva Tackle the OWASP Top 10?
uKnowva is an Enterprise Collaboration Platform that helps businesses achieve higher productivity and accelerated growth through integrated or customized tools such as knowledge management, document management, project management, CRM, HRM, etc.
uKnowva is offered as
In both cases it is important to look for security flaws and make uKnowva free from all vulnerabilities and security threats.
OWASP Top 10 2013 & How uKnowva Overcomes These
1. OWASP Vulnerability No.1 Injection
Most of the time a web request is not validated before the web application uses it. A hostile attacker can use this flaw to attack backend components through the web application. This covers SQL, OS command and LDAP injection, among others.
How uKnowva overcomes Injection (Unvalidated input)
To carry out an SQL injection attack, one needs to know the query and the database tables. In uKnowva the tables begin with random prefixes; these prefixes are set during installation and are known only to users who have access to the database. So it becomes a herculean task for anyone who knows nothing about the query, or has no access to the database, to initiate an attack. Most of the time attackers succeed against applications that do not properly parse requests and DB queries before sending them to the database.
uKnowva's JRequest class parses all requests and removes such request forgeries, and the query function of the JDatabase / JDatabaseMysql class parses the complete SQL query for any such injection and removes it. uKnowva handles LDAP queries and other commands triggered from its PHP code in the same way.
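The control that holds regardless of whether an attacker knows the table names is parameter binding: the statement is compiled before the request value is attached, so the value can only ever be data. The following is an added example written for this page, not uKnowva's own code; the table name k9x_users, its rows, the hostile value and the LDAP filter are all constructed for the demonstration, and it needs the pdo_sqlite extension to run offline.

```php
<?php
// Added example, not uKnowva code: parameter binding keeps request values
// from changing the structure of an SQL statement, whatever the table
// names happen to be. Table name, columns and rows are constructed here.
declare(strict_types=1);

// In-memory SQLite so the example runs offline (requires the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE k9x_users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO k9x_users (username, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Vulnerable pattern: the request value is pasted into the query text, so a
// quote inside the value ends the string literal and the rest is read as SQL.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM k9x_users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the statement is compiled first and the value is bound
// afterwards, so the value is always data and never SQL.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM k9x_users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// LDAP filters have the same problem. The characters below are special in a
// filter and must be hex-escaped (RFC 4515); ldap_escape() with
// LDAP_ESCAPE_FILTER does the same when the ldap extension is loaded.
function escapeLdapFilterValue(string $value): string
{
    return strtr($value, [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ]);
}

// Constructed hostile value: a user name followed by a quote and an
// always-true condition.
$hostile = "alice' OR '1'='1";
printf("unsafe: %d rows, safe: %d rows\n",
    count(findUserUnsafe($pdo, $hostile)),
    count(findUserSafe($pdo, $hostile)));

// A value with filter metacharacters, neutralised before it enters the filter.
$filter = '(&(objectClass=person)(uid=' . escapeLdapFilterValue("O'Brien (Sales)*") . '))';
echo $filter, "\n";
```

With the constructed value, findUserUnsafe returns both rows because the WHERE clause has become `username = 'alice' OR '1'='1'`, while findUserSafe returns none because the whole string is compared against the username column. The LDAP helper shows the same principle for the other query language the section mentions: escaping is done per target syntax, not with a single generic filter.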
2. OWASP Vulnerability No.2 Broken Authentication and Session Management
When application functions related to authentication and session management are not properly protected, attackers can compromise confidential information such as passwords, keys, session cookies or other tokens, and bypass authentication restrictions to assume other users' identities.
How uKnowva overcomes Broken Authentication and Session Management
uKnowva handles authentication and session management separately. Authentication of a username and password is handled by authentication plugins, which can use LDAP, e-mail, the default authentication mechanism, etc. Session management is done by the JSession and JApplication classes, which can work with different handlers: database-based session handling, where the session is stored in a DB table named #__session, or file-based session handling, where sessions are stored in a physical directory that is not reachable from a URL.
Most of the time, to initiate such an attack, attackers try to trick the authentication process by tampering with the login forms and similar inputs.
To deal with this, uKnowva completely parses the login form's request variables to remove any request forgery. In addition, the authentication and session management mechanisms are completely independent of each other, so it becomes very difficult to trick the complete authentication and session management process. Thus uKnowva is immune and secure against any kind of broken authentication / session management attack.
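Keeping authentication and session management separate only pays off if the hand-over between them is done carefully: the session ID must change at the moment a session becomes authenticated, the cookie must be unreadable by scripts and confined to HTTPS, and an idle session must expire. The block below is an added example for this page, not uKnowva's JSession or JApplication code; the function names, the 30-minute idle limit and the sample session arrays are assumptions made here.

```php
<?php
// Added example, not uKnowva code: the session-handling steps around a login.
// Function names, the 30-minute idle limit and the sample sessions are this
// example's own assumptions.
declare(strict_types=1);

// Cookie attributes set before the session starts (PHP 7.3+ array form):
// unreadable by scripts, sent only over HTTPS, not attached to cross-site requests.
function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called only after the authentication plugin has accepted the credentials.
// A fresh ID means a session planted before login is never upgraded to an
// authenticated one; the old server-side record is deleted.
function establishAuthenticatedSession(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// Per-request check: a session counts as authenticated only if it carries a
// user id and was used within the idle limit. Written as a pure function so
// it can be exercised on plain arrays.
function sessionIsValid(array $session, int $now, int $maxIdleSeconds = 1800): bool
{
    if (!isset($session['user_id'], $session['last_seen'])) {
        return false;
    }
    return ($now - (int) $session['last_seen']) <= $maxIdleSeconds;
}

// Logout clears the data, expires the cookie in the browser and destroys the
// server-side record, so the old ID cannot be replayed afterwards.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Constructed sessions checked at a fixed point in time: one recently used,
// one idle for two hours, one that was never authenticated.
$now     = 1700000000;
$fresh   = ['user_id' => 7, 'last_seen' => $now - 60];
$expired = ['user_id' => 7, 'last_seen' => $now - 7200];
$anon    = ['last_seen' => $now];
var_dump(sessionIsValid($fresh, $now), sessionIsValid($expired, $now), sessionIsValid($anon, $now));
```

In a request path the order is startSecureSession() on every hit, establishAuthenticatedSession() once the plugin has verified the password, a sessionIsValid() check (and a refresh of last_seen) on each protected page, and logout() when the user leaves. Whether sessions live in a #__session table or in a directory outside the web root does not change these steps; the handler only decides where the record is stored.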
3. OWASP Vulnerability No.3 Cross Site Scripting (XSS) Attacks
Web applications can at times be used as a vector to carry out an attack on the end user's web browser. This happens when the application sends unvalidated data to a web browser. If the attack succeeds, the user's confidential information, such as the session token, is exposed, and attackers can use it to take over the session, deface web sites, or redirect the user to malicious sites.
How uKnowva overcomes Cross Site Scripting (XSS) Attacks
The main cause of XSS attacks is request variables that are not parsed. uKnowva's JRequest class does this parsing by default. Moreover, the .htaccess file kills such requests at the Apache level itself, so the request never reaches the PHP pages. This way, uKnowva is highly immune to any kind of Cross Site Scripting (XSS) attack.
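Request-side parsing and web-server filtering are one half of the picture; the other half is encoding data for the context the template writes it into, so that any markup that does get stored is displayed as text rather than interpreted. The following is an added example for this page, not uKnowva's JRequest or template code; the helper names, the template and the sample values are constructed here.

```php
<?php
// Added example, not uKnowva code: typed request access on the way in, and
// context-specific output encoding on the way out. Names and sample values
// are constructed for the demonstration.
declare(strict_types=1);

// Input side: read request values as the type the code expects, so a string
// of markup can never reach code that wanted a number.
function requestInt(array $request, string $key, int $default = 0): int
{
    $v = filter_var($request[$key] ?? null, FILTER_VALIDATE_INT);
    return $v === false ? $default : $v;
}

// Output side, HTML body text and quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Output side, data handed to inline JavaScript: JSON-encode, with the
// characters that could close the <script> element or break out of the
// string hex-escaped.
function eJs($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Each placeholder is encoded for the context it lands in. The same value
// appears in an attribute, in element text and inside a script block.
function renderProfile(string $displayName, string $bio): string
{
    return '<h1 title="' . e($displayName) . '">' . e($displayName) . "</h1>\n"
         . '<p>' . e($bio) . "</p>\n"
         . '<script>var profileName = ' . eJs($displayName) . ";</script>\n";
}

// Constructed request: the id carries trailing markup and is rejected as a
// number, so the default is used instead.
$id = requestInt(['id' => '12<b>'], 'id');

// Constructed values containing markup, quotes, an ampersand and a closing
// script tag; after encoding the browser shows them literally.
$name = 'Bob "The Builder" <b>& Co</b>';
$bio  = 'I like </script> tags & "quotes"';
echo "id=$id\n", renderProfile($name, $bio);
```

The point of having three helpers rather than one is that the safe encoding differs per context: `<` must become `&lt;` in element text, a `"` must be neutralised inside an attribute, and `</script>` must be broken up inside a script block. A single "strip tags" pass at the request layer cannot know which of these contexts the value will later be written into.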
4. OWASP Vulnerability No.4 Insecure Direct Object Reference
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
How uKnowva overcomes Insecure Direct Object References
Let us understand this through an example:
uKnowva's Documents section allows you to create folders with different access levels. Consider the following scenario: user A creates a folder F1 and gives access only to himself and to user B. If another user C logs in and goes to the Documents section, he will not see folder F1 in the list. Suppose the direct link for that folder is smthing.uknowva.com/documents#123. If C tries to open this link directly, he sees an error message saying "You do not have required permissions to access this resource", which demonstrates the check.
The document views always call a model function to fetch the information for the requested URL. The model then parses the request and checks the currently logged-in user's permissions, and only then returns the information; otherwise the user sees an error message. This is how uKnowva protects against insecure direct object reference attacks.
5. OWASP Vulnerability No.5 Security Misconfiguration
The secure configuration defined and deployed for the application, frameworks, application server, web server, database server and platform is essential and critical. Default settings and configurations are often insecure, so it is important to have well-defined secure settings that are implemented and maintained. In addition, the software needs to be kept up to date.
How uKnowva overcomes Security Misconfiguration
If one is using the on-premise version of uKnowva, then this is taken care of by the server management team; in the case of the cloud-based version, where uKnowva runs on our infrastructure, it is managed by our team. We maintain the latest updated versions of the OS, web server and database servers. To make the process more secure we have cron jobs set up on the servers that scan files for any kind of vulnerability. This is how we manage security misconfiguration for uKnowva on our infrastructure.
6. OWASP Vulnerability No.6 Sensitive Data Exposure
Many web applications fail to protect sensitive data such as credit card details, tax IDs and authentication credentials. When this crucial data is not protected, attackers steal or modify it and use it for criminal activities such as credit card fraud, identity theft, or other crimes. Sensitive data needs additional protection, such as encryption at rest and in transit, and special precautions when it is exchanged with the browser.
How uKnowva handles Sensitive Data Exposure
uKnowva's configuration and users' passwords are encrypted and stored on the filesystem. Passwords are protected by a strong one-way hash and cannot be decrypted. Every uKnowva installation has a secret key that is used to encrypt important information such as cookies, preferences, etc. This makes the storage of sensitive data highly secure. In addition, before showing configuration information in a web browser, uKnowva performs some preliminary checks. Admins have the right to view part of the configuration from the uKnowva configuration screen, but important database details remain hidden and are never passed to any browser; they can only be accessed by uKnowva's classes.
Moreover, running uKnowva over HTTPS (an SSL/TLS connection) adds security at the network layer as well, so that all information passed over the network is encrypted.
This way, uKnowva is protected from sensitive data exposure.
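The section describes three distinct mechanisms: a one-way hash for passwords (which must never be reversible), a per-installation secret key for values that do have to be read back (cookies, preferences), and redaction of database details before any configuration reaches a browser. The block below is an added example for this page, not uKnowva's own code, showing one correct way to implement each; the function names, the key file location, the configuration array and the sample values are assumptions made here, and it needs the sodium extension bundled with PHP 7.2+.

```php
<?php
// Added example, not uKnowva code: one-way password hashing, two-way
// encryption under an installation secret key, and redaction of
// configuration before it is shown. All names and values are constructed.
declare(strict_types=1);

// Password storage: salted, deliberately slow, and not reversible. Only the
// verification function can say whether a candidate matches.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Installation secret: generated once at install time, stored outside the
// web root with owner-only permissions, and loaded on later requests.
function loadOrCreateSecretKey(string $path): string
{
    if (is_file($path)) {
        $key = base64_decode((string) file_get_contents($path), true);
        if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new RuntimeException('secret key file is corrupt');
        }
        return $key;
    }
    $key = sodium_crypto_secretbox_keygen();
    file_put_contents($path, base64_encode($key), LOCK_EX);
    chmod($path, 0600);
    return $key;
}

// Two-way, authenticated encryption for values that must be read back. A
// fresh random nonce per value is prepended to the ciphertext.
function encryptValue(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// Returns null rather than garbage when the value was tampered with or was
// encrypted under a different key.
function decryptValue(string $encoded, string $key): ?string
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Configuration shown to an admin: connection details and the secret key are
// removed server-side, so they never appear in a response at all.
function configForBrowser(array $config): array
{
    foreach (['db_host', 'db_user', 'db_password', 'secret_key'] as $k) {
        unset($config[$k]);
    }
    return $config;
}

// Constructed walk-through. The key is generated in memory here; in an
// installation it would come from loadOrCreateSecretKey().
$stored = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $stored), verifyPassword('wrong', $stored));

$key   = sodium_crypto_secretbox_keygen();
$token = encryptValue('{"theme":"dark","lang":"en"}', $key);
var_dump(decryptValue($token, $key));
var_dump(decryptValue(substr($token, 0, -4) . 'AAAA', $key));   // tampered ciphertext

print_r(configForBrowser([
    'site_name'   => 'Example',
    'db_host'     => 'db.internal',
    'db_user'     => 'app',
    'db_password' => 'constructed-placeholder',
    'secret_key'  => base64_encode($key),
]));
```

The two decryptValue calls illustrate why authenticated encryption matters for cookies and preferences: a modified token is rejected outright rather than decrypting to altered data. The hash functions carry their own salt and cost factor inside the stored string, so password_verify can check old hashes after the default algorithm changes.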
7. OWASP Vulnerability No.7 Missing Function Level Access Control
Most web applications verify function-level access rights before making functionality visible in the UI. The application needs to perform the same access control checks on the server each time a function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
How uKnowva overcomes Missing Function Level Access Control
uKnowva's classes have clearly defined public, protected and private methods. uKnowva follows the MVC architecture, and every controller function performs an access check wherever required before proceeding to call the model's functions and initialize the views. On top of that, uKnowva's URLs, i.e. menus, also have access control. This way, uKnowva takes care of missing function level access control.
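Points 4 and 7 describe two layers of the same MVC check: the controller decides whether the current user may invoke the action at all (function level), and the model decides whether that user may touch the specific record the URL names (object level). The following is an added example for this page, not uKnowva's controller or model code; the users, folder 123 and its sharing list, the role table and the action names are constructed to mirror the Documents scenario above.

```php
<?php
// Added example, not uKnowva code: a function-level check in the controller
// followed by an object-level check in the model. Users, folders, roles and
// action names are constructed to mirror the Documents scenario.
declare(strict_types=1);

final class AccessDenied extends RuntimeException {}

// Constructed ACL. Folder 123 (F1) was created by user A (id 1) and shared
// with user B (id 2) only; folder 124 is readable by everyone, including C (id 3).
const FOLDERS = [
    123 => ['name' => 'F1',     'owner' => 1, 'readers' => [1, 2]],
    124 => ['name' => 'Public', 'owner' => 1, 'readers' => [1, 2, 3]],
];

// Constructed role table used for function-level checks.
const ROLES = [1 => 'manager', 2 => 'member', 3 => 'member'];

const DENIED_MESSAGE = 'You do not have required permissions to access this resource';

// Model: object-level check. The lookup and the permission test live in the
// same function, so no view or controller can fetch a folder without it.
function getFolder(int $userId, int $folderId): array
{
    $folder = FOLDERS[$folderId] ?? null;
    // One message for both "does not exist" and "not shared with you", so the
    // id space cannot be mapped by comparing responses.
    if ($folder === null || !in_array($userId, $folder['readers'], true)) {
        throw new AccessDenied(DENIED_MESSAGE);
    }
    return $folder;
}

// Controller helper: function-level check on the action itself, evaluated on
// the server for every request regardless of what the UI displayed.
function requireRole(int $userId, string $role): void
{
    if ((ROLES[$userId] ?? null) !== $role) {
        throw new AccessDenied(DENIED_MESSAGE);
    }
}

// Listing: only folders the model would hand over appear in the list at all.
function listFoldersAction(int $userId): array
{
    $visible = [];
    foreach (array_keys(FOLDERS) as $id) {
        try {
            $visible[$id] = getFolder($userId, $id)['name'];
        } catch (AccessDenied $e) {
            // hidden from this user
        }
    }
    return $visible;
}

// Direct link: the model check runs even though the id came straight from the URL.
function viewFolderAction(int $userId, int $folderId): string
{
    return 'viewing ' . getFolder($userId, $folderId)['name'];
}

// Privileged action: both layers, function level first.
function deleteFolderAction(int $userId, int $folderId): string
{
    requireRole($userId, 'manager');
    $folder = getFolder($userId, $folderId);
    return 'deleted ' . $folder['name'];
}

// Constructed walk-through of the scenario: C lists, C follows the direct
// link to 123, B (a member) tries to delete, A (a manager) deletes.
$attempts = [
    fn() => json_encode(listFoldersAction(3)),
    fn() => viewFolderAction(3, 123),
    fn() => deleteFolderAction(2, 123),
    fn() => deleteFolderAction(1, 123),
];
foreach ($attempts as $attempt) {
    try {
        echo $attempt(), "\n";
    } catch (AccessDenied $e) {
        echo 'error: ', $e->getMessage(), "\n";
    }
}
```

The listing action and the direct-link action share getFolder, which is what makes the behaviour in the Documents example consistent: a folder that is absent from C's list is also refused when C guesses its id, because both paths run the same model check rather than the list relying on the UI alone.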
8. OWASP Vulnerability No.8 Cross Site Request Forgery (CSRF) Attacks
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other authentication information, to a vulnerable web application. When an attacker forces the victim's browser to generate such requests, the vulnerable application believes they are legitimate requests from the victim.
How uKnowva overcomes Cross Site Request Forgery (CSRF) Attacks
To handle CSRF attacks, uKnowva attaches a randomly generated session token, in the form of a hidden element, to each form. This way, uKnowva's session-based form tokens make it highly immune to Cross Site Request Forgery (CSRF) attacks.
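A session-bound form token works because the forged request carries the cookie automatically but cannot carry a value that only the legitimate page was able to read. The block below is an added example for this page, not uKnowva's form or token code; the field name csrf_token, the handler names and the constructed session and POST arrays are assumptions made here.

```php
<?php
// Added example, not uKnowva code: a per-session CSRF token emitted as a
// hidden form field and verified on every state-changing request. Field and
// function names and the sample arrays are constructed.
declare(strict_types=1);

// The token is generated once per session from a CSPRNG and stored
// server-side; every form on the site embeds the same value.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden element added to each form.
function csrfHiddenField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Verification. hash_equals compares in constant time, so the check does not
// leak how many leading characters of a guess were right.
function csrfTokenIsValid(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Handler for a state-changing request: the token is checked before the
// action, never after.
function handlePost(array &$session, array $post): string
{
    if (!csrfTokenIsValid($session, $post)) {
        http_response_code(403);
        return 'rejected: invalid or missing token';
    }
    return 'accepted: ' . ($post['action'] ?? 'no action');
}

// Constructed walk-through with a session array standing in for $_SESSION.
$session = [];
echo csrfHiddenField($session), "\n";

// A request submitted from the page that rendered the field carries the token.
$legit = ['action' => 'delete_folder', 'csrf_token' => $session['csrf_token']];
echo handlePost($session, $legit), "\n";

// A cross-site request has the cookie (so $session is the same) but no way to
// know the token: missing, wrong, and wrong-type values are all rejected.
foreach ([[], ['csrf_token' => 'guess'], ['csrf_token' => ['array']]] as $forged) {
    echo handlePost($session, $forged + ['action' => 'delete_folder']), "\n";
}
```

The `is_string` checks matter in PHP specifically: a request can submit `csrf_token[]=x` to turn the field into an array, and hash_equals would raise a TypeError rather than silently returning false, so the type is tested first. The SameSite cookie attribute is a useful second layer but does not replace the token, since it depends on browser support and on every cookie being configured correctly.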
9. OWASP Vulnerability No.9 Using Components with Known Vulnerabilities
Components such as libraries, frameworks and modules run with full privileges. If a vulnerable component is exploited, it can cause serious data loss or server takeover. Applications that use components with known vulnerabilities may be compromised by attacks that impact the web application.
How uKnowva overcomes using Components with Known Vulnerabilities
uKnowva uses many open source libraries and frameworks that are listed here: docs.uknowva.com/about-uknowva/uknowva-architecture
The libraries and frameworks used are secure; any known vulnerability in these libraries/frameworks is fixed by our team, and in addition we keep scanning them for vulnerabilities and proactively fix them. We keep upgrading these libraries to keep the complete uKnowva framework highly secure and robust. This way, uKnowva makes sure none of its components has any known vulnerability.
10. OWASP Vulnerability No. 10 Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
How uKnowva overcomes Unvalidated Redirects and Forwards
uKnowva's login mechanism is controlled through the user's controller. This controller function accepts return request variables in an encrypted format only; it also parses all return request variables and makes sure they are internal URLs only. Any external URL supplied as a return link is discarded at that moment.
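The "internal URLs only" rule is the part worth getting exactly right, because browsers accept several spellings of an external destination that a naive "does it start with a slash" test lets through. The block below is an added example for this page, not uKnowva's controller code; it validates the return value after whatever transport encoding the page mentions has already been removed, and the function name, the default destination and the sample inputs are assumptions made here.

```php
<?php
// Added example, not uKnowva code: accept a post-login return target only if
// it is a path on this site. The function name, the default and the sample
// inputs are constructed; decode the transport encoding before calling it.
declare(strict_types=1);

function safeReturnUrl(?string $candidate, string $default = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    // Control characters and whitespace are never legitimate here and are
    // exactly what some parsers and browsers disagree about.
    if (preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $default;
    }
    // Any scheme, host, credentials or port means the target is not a local path.
    foreach (['scheme', 'host', 'user', 'pass', 'port'] as $forbidden) {
        if (isset($parts[$forbidden])) {
            return $default;
        }
    }
    $path = $parts['path'] ?? '';
    // Require a single leading slash. "//host" is protocol-relative and
    // "/\host" is treated the same way by some browsers, so both are refused.
    if ($path === '' || $path[0] !== '/') {
        return $default;
    }
    if (isset($path[1]) && ($path[1] === '/' || $path[1] === '\\')) {
        return $default;
    }
    return $candidate;
}

// Constructed inputs: the first two are internal and kept, the rest are
// external in one spelling or another and replaced by the default.
$samples = [
    '/documents#123',
    '/documents?folder=123&view=list',
    'https://phishing.example/login',
    '//phishing.example/login',
    '/\\phishing.example/login',
    'mailto:someone@example.com',
    'documents#123',
    "/documents\r\nSet-Cookie: x=1",
    '',
    null,
];
foreach ($samples as $s) {
    printf("%-40s -> %s\n", var_export($s, true), safeReturnUrl($s));
}
```

The allow-list shape of the check (a path must start with exactly one slash and carry no scheme, host or credentials) is deliberate: a deny-list of known bad prefixes would need updating every time a browser accepts a new spelling, whereas the positive rule stays the same. Relative paths without a leading slash are also refused, since their meaning depends on the page that issued the redirect.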