Custom Knowledge Source Security OWASP Best Practices
You are developing an application and want to ensure the best security practices are followed. To achieve this, you can create a custom Knowledge Source in StackSpot AI to store and share OWASP-based security best practices with your team. This Knowledge Source can be used for:
- Code Review
- Code Refactoring
- Security Vulnerability Analysis
- Clarifying doubts about best practices
- Creating security agents
Steps to create the Knowledge Source
Step 1. Access the StackSpot AI Portal
- Access the StackSpot AI Portal;
- Log in with your account;
Step 2. Create a New Knowledge Source
- In the main menu, click on ‘Contents > Knowledge Sources’;
- Click the ‘Create’ button to add a new Knowledge Source;
- Select the ‘Custom’ option to create a custom Knowledge Source;
Step 3. Fill in the Knowledge Source information
- Name: Add a descriptive name, such as "Angular Best Practices".
- Identification (Slug): Define a unique slug, such as "owasp-best-practices"
You cannot change the slug later.
- Description: Add a clear description, such as:
"This Knowledge Source contains security best practices based on OWASP, focusing on access control, vulnerability prevention, and examples of attack scenarios."
- Click ‘Save’.
Step 4. Add the Best Practices Content
- In the ‘Knowledge Objects’ tab, click on ‘Add File’;
- Choose the ‘Manually’ option to copy and paste the content directly. Paste the following Security OWASP best practices content:
# A01:2021 – Broken Access Control
## Factors
- **Mapped CWEs:** 34
- **Maximum Incidence Rate:** 55.97%
- **Average Incidence Rate:** 3.81%
- **Weighted Average Exportability:** 6.92
- **Weighted Average Impact:** 5.93
- **Maximum Coverage:** 94.55%
- **Average Coverage:** 47.72%
- **Total Occurrences:** 318,487
- **Total CVEs:** 19,013
### **Overview**
Rising from the fifth position, 94% of applications were tested for some type of broken access control, with an average incidence rate of 3.81%, and it has the highest number of occurrences in the contributed dataset, with over 318k. Notable Common Weakness Enumerations (CWEs) included are:
- **CWE-200:** Exposure of Sensitive Information to an Unauthorized Actor
- **CWE-201:** Insertion of Sensitive Information into Sent Data
- **CWE-352:** Cross-Site Request Forgery
### **Description**
Access control enforces policies to ensure users cannot act outside their intended permissions. Failures often lead to unauthorized information disclosure, modification or destruction of data, or execution of business functions outside the user's limits. Common access control vulnerabilities include:
- Violation of the principle of least privilege or deny-by-default, where access should only be granted to specific capabilities, roles, or users but is available to anyone.
- Bypassing access control checks by modifying the URL (parameter tampering or forced browsing), application state, or HTML page, or using an attack tool to modify API requests.
- Allowing viewing or editing of another user's account by providing their unique identifier (insecure direct object references).
- Accessing APIs without access controls for POST, PUT, and DELETE.
- Privilege escalation. Acting as a user without being logged in or acting as an administrator while logged in as a user.
- Metadata manipulation, such as replaying or tampering with a JWT (JSON Web Token) access control token, or a cookie or hidden field manipulated to elevate privileges or abuse JWT invalidation.
- Misconfigured CORS allowing API access from unauthorized/untrusted origins.
- Forced browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.
### **How to Prevent**
- Access control is only effective in trusted server-side code or serverless APIs, where the attacker cannot modify the access control check or metadata.
- Except for public resources, deny by default.
- Implement access control mechanisms once and reuse them throughout the application, including minimizing the use of Cross-Origin Resource Sharing (CORS).
- Model access controls should enforce record ownership rather than accepting that the user can create, read, update, or delete any record.
- Unique business limit requirements should be enforced by domain models.
- Disable directory listing on the web server and ensure file metadata (e.g., .git) and backup files are not present in web roots.
- Log access control failures and alert administrators when appropriate (e.g., repeated failures).
- Limit API and controller access rates to minimize damage from automated attack tools.
- Stateful session identifiers should be invalidated on the server after logout. Stateless JWTs should be short-lived to minimize the attacker's window of opportunity. For long-lived JWTs, it is highly recommended to follow OAuth standards to revoke access.
### **Attack Scenario Examples**
- **Scenario #1:** The application uses unverified data in an SQL call that accesses account information:
```java
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
An attacker simply modifies the 'acct' parameter in the browser to send any account number they want. If not properly verified, the attacker can access any user's account.
https://example.com/app/accountInfo?acct=notmyacct
Scenario #2: An attacker simply forces browsing to target URLs. Admin rights are required to access the admin page. https://example.com/app/getappInfo
https://example.com/app/admin_getappInfo
If an unauthenticated user can access any of the pages, it is a failure. If a non-admin can access the admin page, it is a failure.
- After pasting the content, click ‘Save’.
Step 5. Share the Knowledge Source
- After saving the Knowledge Source, you can share it with other team members.
- In the sharing tab, add the team members' emails and set the permissions (read or write).
- Click ‘Share’..
Now you have a Custom Knowledge Source featuring OWASP security best practices for the entire team. This resource makes consulting easier and ensures everyone adheres to the best security practices, ultimately improving code quality and security.