WAF Solutions against OWASP Top 10 Risks

7.6.3

Web application security is crucial for protecting websites and applications from various threats and vulnerabilities. Ignoring web application security can result in significant ramifications for your websites, customers, and business partners alike. The consequences of a web security breach can vary from financial losses to legal repercussions, operational disruptions, reputational damage, and more.

To mitigate such risks, it's important to first understand the top threats you're facing. The OWASP Top 10 serves as an excellent reference, offering a consensus view on the most critical security risks to web applications. Compiled by security experts from around the globe, this list underscores the importance for organizations, especially those operating e-commerce platforms or banking systems, to be cognizant of these risks, as they pose a direct threat to the security and integrity of their operations and sensitive user data.

Here's a summary of the OWASP Top 10 list.

  • Broken Access Control
    Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.

    Data indicates that on average, 3.81% of applications tested had one or more Common Weakness Enumerations (CWEs) with more than 318k occurrences of CWEs in this risk category. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.

  • Cryptographic Failures
    Also known as Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data such as financial records, healthcare records, and personally identifiable information (PII). Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes.

  • Injection
    Injection is an attacker's attempt to send data to an application in a way that changes the meaning of the commands passed to an interpreter. The most common example is SQL injection, where an attacker sends “101 OR 1=1” instead of just “101”, so that the query's condition becomes true for every row rather than for one record.

    94% of the applications were tested for some form of injection.

  • Insecure Design
    This is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to "move left" as an industry, we need more threat modeling, secure design patterns and principles, and reference architectures. An insecure design cannot be fixed by a perfect implementation because, by definition, the security controls needed to defend against specific attacks were never created.

  • Security Misconfiguration
    Security misconfiguration is the most commonly seen issue. This can happen at any level of an application stack, including network services, platforms, web servers, database servers, and custom code. Regularly updating and patching systems, along with thorough configuration of a web application firewall, can mitigate such vulnerabilities.

  • Vulnerable and Outdated Components
    Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Application security best practices, including regular scanning for vulnerabilities and patching, are critical here.

  • Identification and Authentication Failures
    Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, and changing access rights.

  • Software and Data Integrity Failures
    This is a new category for 2021, focusing on assumptions made about software updates, critical data, and CI/CD pipelines without verifying their integrity. The 10 CWEs in this category carry one of the highest weighted impacts in the Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data. A8:2017-Insecure Deserialization is now part of this larger category.

  • Security Logging and Monitoring Failures
    Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.

  • Server-Side Request Forgery
    SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. This allows an attacker to coerce the application into sending a crafted request to an unexpected destination, even when it is protected by a firewall, VPN, or another type of network access control list (ACL).

    As modern web applications provide end users with convenient features, fetching a URL has become a common scenario, and the incidence of SSRF is increasing accordingly. The severity of SSRF is also rising because of cloud services and the complexity of modern architectures.
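The Injection summary above shows the classic “101 OR 1=1” payload. The following Python script is an added example, not FortiWeb or OWASP code: it runs that exact input against a constructed in-memory SQLite table, first through a string-concatenated query that reproduces the flaw, then through a parameterized query, and finally through a parameterized query with input validation on top. Table contents, function names and the `orders` schema are all constructed for this demonstration.

```python
"""Added example (not FortiWeb or OWASP code): the "101 OR 1=1" injection from
the summary above, run against a constructed in-memory SQLite table, with the
string-concatenated query beside its parameterized replacement."""
import sqlite3


def make_db():
    """Create a constructed orders table: two rows for customer 101, one for 202."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer_id INTEGER, item TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, 101, "keyboard"), (2, 101, "mouse"), (3, 202, "monitor")],
    )
    return conn


def lookup_vulnerable(conn, customer_id):
    """Vulnerable: the request parameter is spliced into the SQL text, so
    whatever the user sends becomes part of the command SQLite executes.
    "101 OR 1=1" turns the WHERE clause into one that matches every row."""
    sql = "SELECT id, item FROM orders WHERE customer_id = " + customer_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, customer_id):
    """Hardened: the value travels as a bound parameter. SQLite compares the
    whole string against the column (numeric affinity turns "101" into 101)
    and never parses it as SQL, so "101 OR 1=1" simply matches nothing."""
    sql = "SELECT id, item FROM orders WHERE customer_id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


def lookup_hardened(conn, customer_id):
    """Parameterized query plus input validation: a customer id that is not a
    plain integer is rejected before it reaches the database at all.
    Returns None for invalid input (a web handler would answer HTTP 400)."""
    if not customer_id.isdigit():
        return None
    sql = "SELECT id, item FROM orders WHERE customer_id = ?"
    return conn.execute(sql, (int(customer_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for query in ("101", "101 OR 1=1"):
        print(repr(query),
              "vulnerable ->", lookup_vulnerable(db, query),
              "| parameterized ->", lookup_parameterized(db, query),
              "| hardened ->", lookup_hardened(db, query))
```

Running the script shows the vulnerable lookup returning all three rows for the injected input, while the parameterized versions return only customer 101's rows for the legitimate id and nothing (or a validation rejection) for the payload. Parameterization is the control that removes the vulnerability; the validation layer in `lookup_hardened` is defence in depth, and a WAF signature in front of the application is a further layer, not a substitute for either.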
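The Server-Side Request Forgery summary above identifies the root cause as fetching a user-supplied URL without validating it. The following Python function is an added example, not FortiWeb code: it is the application-side check a fetch handler would run before issuing the request, combining a scheme check, a host allow-list and a check that every address the host resolves to is globally routable. The allow-list entry `images.example.com`, the sample addresses and the offline stub resolvers in the demo are constructed for this example.

```python
"""Added example (not FortiWeb code): application-side validation of a
user-supplied URL before the server fetches it, for the SSRF risk described
above. The allow-list entry, the sample addresses and the stub resolvers in
the demo are constructed for this example."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts this service is ever meant to fetch from.
ALLOWED_HOSTS = {"images.example.com"}


def dns_resolve(host):
    """Resolve a hostname with the real DNS resolver; returns a set of address strings."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_fetch_url(url, resolver=dns_resolve):
    """Return (ok, reason) for a URL the server has been asked to fetch.

    Checks, in order: scheme is http(s); no embedded credentials; host is
    present and on the allow-list; every address the host resolves to is
    globally routable (this rejects loopback, RFC 1918 ranges, the link-local
    range 169.254.0.0/16 used by cloud instance-metadata services, and the
    other reserved ranges that ipaddress treats as non-global)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    try:
        addrs = resolver(host)
    except socket.gaierror:
        return False, "host does not resolve"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
        except ValueError:
            return False, "unparseable address " + addr
        if not ip.is_global:
            return False, "host resolves to non-public address " + addr
    return True, "ok"


if __name__ == "__main__":
    # Stub resolvers so the demo runs offline. 93.184.216.34 is a constructed
    # public address; the second stub simulates the allow-listed name being
    # rebound to the instance-metadata range.
    def stub(host):
        return {"images.example.com": {"93.184.216.34"}}[host]

    def rebinding(host):
        return {"169.254.169.254"}

    for url in ("https://images.example.com/cat.png",
                "ftp://images.example.com/cat.png",
                "https://user:pw@images.example.com/cat.png",
                "https://intranet.example.com/admin"):
        print(url, "->", validate_fetch_url(url, resolver=stub))
    print("rebinding ->",
          validate_fetch_url("https://images.example.com/cat.png", resolver=rebinding))
```

Two design points matter here. The allow-list is checked before resolution, so an attacker cannot make the service perform DNS lookups for arbitrary names, and the resolved-address check catches an allow-listed name that has been pointed at an internal address. Because the fetch library will resolve the name again when it connects, a production fetcher should connect to the address that was validated (or re-run the check on the address actually used) rather than trusting the earlier answer.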

To mitigate these risks, organizations must adopt a proactive approach to web application security. This includes regular security assessments, adherence to security best practices, and the implementation of comprehensive security solutions like FortiWeb. FortiWeb Web Application Firewall (WAF) capabilities are specifically designed to protect against the OWASP Top 10 risks, among other threats, providing a critical layer of defense for web applications. Through features like advanced threat protection, intrusion prevention systems, and bot mitigation, FortiWeb helps ensure that web applications remain secure against evolving threats.

In the subsequent sections, we'll explore the top 10 risks in detail and demonstrate how to mitigate them with FortiWeb. Each topic follows a consistent format: first, outlining the scenario to define the security challenge; next, presenting solutions by FortiWeb to address the issue; and finally, detailing the configuration steps on FortiWeb to implement the solution effectively. By following this structure, you can quickly understand the problem, explore FortiWeb’s capabilities, and apply the necessary configurations to enhance your web security.
