New OWASP Top 10: Broken Access Control Is the Biggest Threat to Web Applications

According to the Open Web Application Security Project (OWASP), a nonprofit organization of web developers dedicated to improving the security of web applications, broken access control is currently the biggest threat to web applications. This emerges from a draft of the OWASP Top 10 for 2021, which has now been circulated to developers interested in the project. The last OWASP Top 10 appeared in 2017; at that time (as in 2013) injection flaws were at the top of the list. Broken access control was already on the list in 2017 (in fifth place) and in 2013 (split across two entries).

OWASP is regarded by web developers and software project managers as a good source of information about security issues in web applications and how to avoid them. The project is committed to improving developers' understanding of security vulnerabilities and thereby raising the baseline quality of software on the Internet. The data behind the Top 10 comes from security vulnerabilities found in publicly available web software and reported through relevant industry channels. OWASP also conducts regular surveys of experts who deal directly with such flaws. The organization regularly points out that its data primarily reflects issues that can be found with automated tools, which means the Top 10 tends to lag the latest infosec trends for some time.

Interestingly, injection flaws, for a long time the bread and butter of anyone securing web applications, have slipped to third place in the new list, displaced by broken access control and cryptographic failures. This coincides with the assessment of the Common Weakness Enumeration (CWE) project, whose current Top 25 list no longer includes code injection. So the trend is not limited to software on the Internet.

OWASP defines broken access control as any flaw that lets users act outside their intended permissions: the application knows who the user is, but then fails to enforce, or enforces in a way that can be bypassed, what that user is allowed to see or do (for example, reading another customer's record by changing an identifier in the URL). Failures in establishing who the user is in the first place belong to a separate category, Identification and Authentication Failures, in seventh place. The category OWASP previously called "Sensitive Data Exposure" has been renamed Cryptographic Failures and now covers a broader area: all types of cryptographic failure, from poorly implemented or carelessly applied cryptography, to weak generation of pseudo-random data, to the eternal classic of credentials hard-coded into systems.
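The following added example (not from the OWASP document or the article) shows the distinction in code. Both lookups below sit behind authentication; the first trusts the record id the caller supplies and so lets any logged-in user read any invoice, the classic insecure direct object reference that falls under broken access control. The second denies by default and returns a record only after an explicit ownership or role check. The users, roles and invoices are constructed sample data, and the names are hypothetical.

```python
"""Added example: object-level access control, vulnerable and hardened.

Both functions look up an invoice by id after the caller has been
authenticated. ``get_invoice_vulnerable`` never asks whether the caller may
see that invoice; ``get_invoice`` routes every read through one deny-by-default
decision function. Users, roles and invoices are constructed sample data.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the operation."""


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: int


# Constructed sample data: two customers, one support agent, three invoices.
ALICE = User(id=1)
BOB = User(id=2)
AGENT = User(id=3, roles=frozenset({"support"}))
INVOICES = {
    100: Invoice(id=100, owner_id=ALICE.id, amount=120),
    101: Invoice(id=101, owner_id=BOB.id, amount=45),
    102: Invoice(id=102, owner_id=BOB.id, amount=900),
}


def get_invoice_vulnerable(caller: User, invoice_id: int) -> Invoice:
    """Authentication only: any logged-in user can read any invoice by id."""
    return INVOICES[invoice_id]  # no check that the caller may see this record


def can_read_invoice(caller: User, invoice: Invoice) -> bool:
    """Single authorization decision point; anything not granted here is denied."""
    if invoice.owner_id == caller.id:
        return True  # the record belongs to the caller
    if "support" in caller.roles:
        return True  # explicit role grant for support staff
    return False


def get_invoice(caller: User, invoice_id: int) -> Invoice:
    """Hardened lookup: fetch, then enforce the decision before returning data."""
    invoice = INVOICES.get(invoice_id)
    # Same error for "does not exist" and "not yours", so an attacker cannot
    # enumerate which ids are valid by telling the two responses apart.
    if invoice is None or not can_read_invoice(caller, invoice):
        raise Forbidden(f"user {caller.id} may not read invoice {invoice_id}")
    return invoice


def enumerate_invoices(caller: User, fetch) -> list:
    """Walk a small id range the way an attacker would; collect what comes back."""
    found = []
    for invoice_id in range(100, 110):
        try:
            found.append(fetch(caller, invoice_id).id)
        except (KeyError, Forbidden):
            pass
    return found


if __name__ == "__main__":
    print("vulnerable, as Alice:", enumerate_invoices(ALICE, get_invoice_vulnerable))
    print("hardened, as Alice:  ", enumerate_invoices(ALICE, get_invoice))
    print("hardened, as agent:  ", enumerate_invoices(AGENT, get_invoice))
```

The point of `can_read_invoice` is that it is the only place the rule lives: every handler that returns an invoice calls it, so a new endpoint cannot forget the check, and a missing record and a forbidden one look identical from outside.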

Cross-Site Scripting (XSS), number 7 in the previous list, is now folded into the Injection category at number 3. This year Server-Side Request Forgery (SSRF) joins the list for the first time, in tenth place. Two other new additions are the "Insecure Design" and "Software and Data Integrity Failures" categories. The latter covers code and infrastructure that trusts critical data, software updates, or the build and release pipeline without verifying their integrity, for instance pulling dependencies or update packages from untrusted sources without checking signatures, or deserializing untrusted data.

Rank  OWASP Top 10 2021                               2017 rank
 1    Broken access control                           5
 2    Cryptographic failures                          3 (as "Sensitive data exposure")
 3    Injection                                       1 (now also includes Cross-site scripting, 7)
 4    Insecure design                                 new
 5    Security misconfiguration                       6 (now also includes XML external entities, 4)
 6    Vulnerable and outdated components              9
 7    Identification and authentication failures      2 (as "Broken authentication")
 8    Software and data integrity failures            new (now also includes Insecure deserialization, 8)
 9    Security logging and monitoring failures        10
10    Server-side request forgery (SSRF)              new


While the OWASP Top 10 for 2021 is not yet official and will likely take a few more months to be released, it is worth taking a look at the full list now. Given the pervasive security holes in web applications, developers and project managers can never be sufficiently aware of these vulnerabilities. However, be aware that information from OWASP can only provide a rough guide; above all it serves to educate IT experts about issues that arise frequently. Software that is regularly checked against the top ten issues may be more secure, but that does not mean it is free of vulnerabilities. OWASP itself repeatedly warns against misusing the Top 10 as a simple checklist, which has probably happened again and again in the past, especially in middle management at large organizations.

For more in-depth information on the vulnerabilities in the OWASP Top 10, we recommend the heise Events online workshop by Tobias Glemser on September 22 and 23. The workshop is limited to 20 participants to leave enough room for questions. Glemser is a BSI-certified penetration tester and managing director of the security company secuvera and, as leader of the German chapter of OWASP, co-translator of the OWASP Top 10.



How to turn your favorite web apps into desktop apps

As you may have noticed, we now do most of our computing through web browsers. Websites and web apps can take care of everything from watching movies to creating spreadsheets to checking email.

If you think about the desktop programs you use regularly, for many people the list will probably be limited to an image editor, a web browser, and perhaps one or two others. Working in the cloud is now the norm and the trend is only going one way. (Microsoft even lets you stream Windows via a web browser now.)

As the distinction between online applications and desktop programs becomes increasingly blurred, it is now possible to install some of the best-known web applications on your Windows, macOS, or Chrome OS desktop. This uses what are called Progressive Web Apps, or PWAs, and we'll walk you through everything you need to know.

Progressive web apps explained

Progressive web apps are a special type of web application. Not every app you can run on the web is a PWA. For an online application to qualify, its developer must build it in a particular way and follow a particular set of web standards (a web app manifest and a service worker) that allow it to stand in for a desktop program.

Some of the best known examples of PWA are Twitter, Spotify, Google Chat, and Uber, but more are added all the time. Google (naturally) and Microsoft both champion the idea that PWAs are part of the desktop ecosystem. That’s why the easiest option to configure them is to use Google Chrome or Microsoft Edge browsers.

Chrome OS can put entries for web applications in its main launcher. (Image: Chrome OS via David Nield)

When you switch from using a site like Twitter in the browser to using it in a PWA, you won’t see a huge difference right away. PWAs are basically websites that run in a desktop program wrapper, so most of the functionality is the same. However, you will be able to treat them like desktop applications, which brings a number of advantages.

This means you can manage these apps more easily from the taskbar (Windows), dock (macOS), or shelf (Chrome OS). Installing a PWA also means that notifications from these apps can be managed at the operating system level and handled separately from your browser's notifications. They appear in the main list of apps, and you don't need to open your browser to use them.


Microsoft Edge gets better support for web apps and PDFs

Microsoft has released version 94 of its Chromium-based Edge browser on the Dev Channel, bringing new features for PWAs, browser applications that behave like native applications.

As Neowin noted, this version of the Dev Channel marks the first time Microsoft has released a new version of Edge in accordance with Google’s shorter four-week update cycle.

Edge preview build 94.0.992.1 is the latest build of version 94 and supports download pop-ups in PWAs and in websites installed as apps.


Edge users can also open local HTML or web files on iPhones and iPads, and there is a new WebView2 interface for launching the browser task manager and listening to browser output. WebView2 lets developers embed HTML, CSS, and JavaScript web content in native apps, and is part of Microsoft's effort to unify Win32 and UWP apps with its WinUI 3 user interface framework.

Other updates in Edge 94 include a management policy that controls whether WebRTC respects the operating system's routing table when enabled. It also brings back URL suggestions on error pages that result from mistyped web addresses.

Edge 94 also includes a number of fixes for annoying issues, including some antivirus products preventing Edge from opening. Windows 10 launches Edge automatically at startup, but users can stop this behavior in Windows settings.

It also includes a fix for Edge on Windows 11 where windows are sometimes blank or white, and searching for settings causes the browser to go blank.

In Edge 94, users should find that Efficiency Mode actually works and that spell checking is on when it should be. Microsoft has also addressed issues importing passwords from other browsers, as well as errors in Edge on Android and iOS, and login issues on some websites.

Microsoft also highlights an old issue between Edge and YouTube caused by ad-blocking extensions in Edge, which can prevent the browser from playing YouTube content.

“Users of some ad blocking extensions may experience playback errors on Youtube. As a workaround, temporarily disabling the extension should allow playback to continue,” Microsoft notes.

Microsoft also advises Kaspersky Antivirus users to update their software if they cannot access Gmail through Edge.

“Kaspersky Internet Suite users who have installed the associated extension may sometimes see web pages such as Gmail not loading. This failure is caused by the main Kaspersky software being out of date and therefore resolved by ensuring that the latest version is installed. “

According to Windows Latest, Microsoft Edge version 94 also lets users add text to PDF documents opened in the browser. This feature removes the need to install separate PDF software such as Adobe Acrobat Reader.

Besides a few fixes, version 94 is almost complete and users can expect it to hit the beta channel soon.


Microsoft wants Chrome OS users to run Office web apps, not Android apps

Starting September 18, Microsoft will end support for the Android Office and Outlook apps on Chrome OS and start pushing Chromebook users to its web apps instead, according to a statement given to About Chromebooks. As recently as July 31, Microsoft support documents recommended installing the Android versions of Office, Outlook, OneNote, and OneDrive, but these documents now say the apps are not supported for Chrome OS users.

As About Chromebooks' Kevin Tofel points out, however, the switch to web apps makes it harder for Office users to work offline. While some Office web applications, like Outlook, have a dedicated offline mode, Tofel reports that he was unable to open existing documents in Microsoft's progressive web app for Chrome OS while offline. Chrome OS offers some offline editing for native Office files, but it does not provide the full Office experience the Android apps did while disconnected from the Internet.

Microsoft was not immediately available to answer questions about the offline features offered by the Office web experience for Chrome OS, or if it would make improvements before the September switchover.

For those who stay online, however, the switch from Android apps to web apps may not make much difference. For the most part, the web version of Office offers the features you would need for basic word processing, spreadsheets, and presentations, although I'm certainly not one to judge those who don't prefer web applications.

Microsoft’s statement to About Chromebooks doesn’t really explain why the company is making the change, although it does say it will allow Chrome OS users to access “extra and premium features.” (It’s worth noting that Chrome OS users can already use Office web apps if they want.) Tofel reports that this change doesn’t mean Office for Android will be phased out for phone users. We have contacted Microsoft to confirm this and will let you know if we have a response.

There is a certain irony in Microsoft pushing Chromebook users away from Android apps on their laptops just as Windows 11 gains support for running Android apps. That said, Android apps on Chrome OS have long been criticized, and even Google has replaced some of its own apps with PWAs on the platform. Most PWAs are only useful with a live internet connection, but that shouldn't really be the case for apps like Office. Hopefully, Chromebook users will still have an offline option after the change.


Misconfigured web apps exposed millions of U.S. personal files online

An insecure default permission setting exposed the personally identifiable information (PII) of more than 30 million U.S. citizens across a few hundred portals, according to cybersecurity researchers.

The UpGuard research team discovered over a thousand lists accessible anonymously on a few hundred portals that included sensitive details such as an individual’s Covid-19 vaccination status, as well as their phone numbers, their home address and social security number (SSN), and more.

The data leaked from misconfigured Power Apps portals, which not only made public data accessible as intended but also exposed private data without anyone noticing.

“The UpGuard research team can now disclose multiple data breaches resulting from Microsoft PowerApps portals configured to allow public access – a new vector for data exposure,” the researchers say in their leak analysis.

Functionality or configuration error?

The type of information the researchers were able to access varied from organization to organization. In total, the researchers accessed data from about four dozen entities, including government bodies such as the states of Indiana and Maryland and New York City, and private companies such as American Airlines, Ford, and J.B. Hunt.

The researchers believe the staggering scale of the exposure points to a failure on Microsoft's part to properly communicate the default settings and behavior of the Power Apps platform.

"Our conversations with the entities we notified have suggested the same conclusion: several government agencies have reported performing security reviews of their applications without identifying this issue, possibly because it has never received enough publicity as a data security concern before," the researchers note.

Microsoft initially rejected UpGuard's disclosure because it had "determined that this behavior is considered to be by design."

However, as UpGuard began contacting affected entities, Microsoft took several steps to help customers avoid inadvertent data leaks. Among other things, the company has released a tool that checks for lists that allow anonymous access and has changed the default table permissions.
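The practical question for anyone running such a portal is whether any of its lists are readable without logging in. The added example below, which is neither UpGuard's nor Microsoft's code, shows an audit along those lines: fetch the portal's OData service document without credentials, then request one row of every entity set it advertises and classify the answer. It assumes the feed lives at `<portal>/_odata` (the path the portal's OData feed uses; verify it against your own tenant) and that a list whose table permissions block anonymous reads answers 401 or 403. Network access is isolated in `fetch_anonymous`, so the parsing and classification run here against constructed sample responses for a hypothetical `contoso.example` portal.

```python
"""Added example: audit which Power Apps portal lists answer anonymous reads.

Assumptions (not taken from the article): the OData feed is served at
<portal>/_odata, the service document is standard OData v4 JSON, and a list
protected by table permissions returns 401/403 to an unauthenticated caller.
The responses under SAMPLE_RESPONSES are constructed for an imaginary portal.
"""
import json
import urllib.error
import urllib.request

# Column-name fragments that suggest personal data; tune for your own lists.
SENSITIVE_HINTS = ("ssn", "social", "phone", "email", "address", "birth", "vaccin")


def parse_service_document(body: str) -> list:
    """Return the entity-set names an OData v4 service document advertises."""
    doc = json.loads(body)
    # Service document shape: {"@odata.context": ..., "value": [{"name": ..., "url": ...}, ...]}
    return [entry["name"] for entry in doc.get("value", [])
            if isinstance(entry, dict) and "name" in entry]


def classify_list(status: int, body: str) -> str:
    """Classify an unauthenticated read of one entity set."""
    if status in (401, 403):
        return "protected"
    if status != 200:
        return f"unexpected ({status})"
    try:
        rows = json.loads(body).get("value", [])
    except ValueError:
        return "unexpected (non-JSON body)"
    if not rows:
        return "exposed (empty)"
    columns = sorted(rows[0].keys()) if isinstance(rows[0], dict) else []
    sensitive = [c for c in columns if any(h in c.lower() for h in SENSITIVE_HINTS)]
    if sensitive:
        return "EXPOSED, sensitive-looking columns: " + ", ".join(sensitive)
    return "exposed"


def fetch_anonymous(url: str):
    """GET with no cookies or tokens; return (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def audit_portal(base_url: str, fetch=fetch_anonymous) -> dict:
    """Map every advertised entity set to its exposure classification."""
    base = base_url.rstrip("/")
    status, body = fetch(f"{base}/_odata")
    if status != 200:
        return {}  # feed disabled or not anonymous: nothing advertised
    report = {}
    for name in parse_service_document(body):
        # $top=1 keeps the probe cheap; one row is enough to see the columns.
        report[name] = classify_list(*fetch(f"{base}/_odata/{name}?$top=1"))
    return report


# Constructed sample responses standing in for a real portal.
SAMPLE_RESPONSES = {
    "https://contoso.example/_odata": (200, json.dumps({
        "@odata.context": "https://contoso.example/_odata/$metadata",
        "value": [
            {"name": "Vaccination_Appointments", "url": "Vaccination_Appointments"},
            {"name": "Public_Events", "url": "Public_Events"},
            {"name": "Internal_Contacts", "url": "Internal_Contacts"},
        ],
    })),
    "https://contoso.example/_odata/Vaccination_Appointments?$top=1": (200, json.dumps({
        "value": [{"full_name": "J. Doe", "phone_number": "555-0100", "ssn_last4": "1234"}],
    })),
    "https://contoso.example/_odata/Public_Events?$top=1": (200, json.dumps({
        "value": [{"title": "Town hall", "date": "2021-09-01"}],
    })),
    "https://contoso.example/_odata/Internal_Contacts?$top=1": (403, ""),
}


def fetch_sample(url: str):
    """Offline stand-in for fetch_anonymous that serves the constructed responses."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for name, verdict in audit_portal("https://contoso.example", fetch_sample).items():
        print(f"{name:28s} {verdict}")
```

Run against a real portal by calling `audit_portal("https://<your-portal>")` with the default fetcher. An "exposed" verdict is not automatically a finding, since some lists are meant to be public; the point is that each one should be a deliberate decision, and a list that shows up here with sensitive-looking columns was almost certainly not.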


Everyone’s favorite Microsoft Teams feature is finally here in web apps

You will soon be able to make your background whatever you want in Microsoft Teams on the web, after the company announced a welcome update for the web app.

Users of the video conferencing service will be able to blur the background or replace it completely with an image.

According to the Microsoft 365 roadmap entry, this feature is currently under development and will be available to Teams users on the web by September 2021.

The company had previously introduced Together mode, which lets multiple users share the same virtual space (including cafes, meeting rooms, and classrooms) during a video call, but it did not give individual users the option to set a background image for the call.


Not only does this make video calls more enjoyable and let you show a bit of personality, but you can also use custom or video backgrounds to hide your surroundings and protect your privacy.

It’s unclear whether Microsoft will provide users with default image options that they can use as a background, or if there are restrictions on the types of images they can use.

However, the roadmap entry stated that “blurring or replacing the background does not prevent sensitive information from being shown to others in calls or meetings.”

With this news, Microsoft Teams has finally caught up with some of its big rivals in video calling, many of which have offered blurred and virtual backgrounds for a while.

Zoom was one of the first companies to bring this feature to users around the world, with filters and virtual backgrounds that helped alleviate the tedium of video quizzes and catch-ups during the pandemic.

Google Meet followed shortly thereafter, introducing background images in October 2020 and video backgrounds not long after.

In addition to the new background options, Microsoft also revealed that Teams meeting users on the web will soon be able to share audio while screen sharing. Scheduled for release in October 2021, this feature could be a great help for online conferences, presentations, and even music concerts and tutoring.


Your browser workflow is a mess – how to organize web apps in a unified hub

It's hard not to think of the browser as an operating system in its own right. The clues are all there. On launch, the browser opens a new-tab page with shortcuts to your most visited sites. It has its own list of settings you can customize, multitasking aids, a marketplace for third-party add-ons, and more. All the attributes of a full-fledged operating system.

Yet our lives on the web still seem too scattered. Some of your files may be on Dropbox, while others are on Google Drive. You might take notes in one service and keep to-do lists in another. Unlike a traditional operating system, there is no common thread holding everything together, and no central dashboard where you can reach everything from universal search to a shared file system. Just as two decades ago, the browser is still simply a gateway to the Internet and nothing more.

The browser has fundamentally failed to keep up with its times and as more and more people devote their time to it these shortcomings have become more evident than ever. An emerging legion of startups have set out to provide this missing interface between your cloud workflow and the browser.

(Image credit: Laptop Mag)

The move to cloud applications was a step backwards from a human interaction perspective, says Ivan Kanevsk, co-founder and CEO of Slapdash, a service that merges your activity and data from many web applications, such as Notion and Google Calendar, into a unified platform.

"We lost the file system and we lost the benefits of the hard-won interaction design innovations of desktop operating systems," Kanevsk adds, noting that while the web has been an overall positive breakthrough, it is missing a layer like Slapdash that can systematize your disparate online workflow.

When you link your different accounts on Slapdash, it indexes them and lets you search for them all at once. It also lists what you’ve done on those accounts, such as any new appointments you might have created on Google Calendar or a task from Asana.

While Slapdash applies a sense of order to your messy online workflow, an app called Workona gives you greater control over your endless rows of tabs and the overwhelming amount of content each one hosts.

Workona co-founder and CEO Quinn Morgan, however, doesn't think that simply recreating the paradigms of the traditional operating system will do the trick for a cloud worker. Since we connect to a wide variety of services every day, it is essential that "cloud operating system" tools provide context rather than just dumping everything in one place the way traditional deep file hierarchies do.

Workona, which has more than 200,000 users, is based on the concept of workspaces. You can sort your active tabs, profiles and windows into dedicated workspaces and hide or launch any of them from your browser with one click. Similar to Slapdash, you also have the ability to search and sift through all your data online in one place.

“Browsers have become an operating system within an operating system,” Morgan told Laptop Mag, “but they lack an organizational structure to suit the way people work on them.”

Apps like Slapdash and Workona don't try to reinvent the browser. But many others believe the modern browser has been too slow to adapt to cloud computing.

(Image credit: Laptop Mag)

Shift, a Chromium-based browser, is designed around web applications rather than websites. It lets you pin your online accounts, such as Slack and Gmail, to a sidebar and jump between them as if they were desktop apps. Shift also has the usual attributes you would expect from a cloud management app, including universal search, multiple accounts, and workspaces.

"The browser was not designed to handle the rapid transition to cloud applications and tools and it ended up in a cluttered mess that we face today," said Shift CEO Nadia Tatlow. "Most people who have multiple logins for all of their different accounts and apps," she adds, "now feel a deep sense of overwhelm and what has been dubbed 'app fatigue' is something that Shift tackles head on."

Shift is not alone. A range of new browsers have taken radical approaches to meet the needs of users who depend exclusively on web applications for work and play.

(Image credit: Laptop Mag)

A browser called Stack lets you launch web applications in resizable “cards” and arrange them side by side in a way that suits you. For example, you can have Facebook Messenger in a vertical layout, while Gmail is laid out horizontally. You can save these arrangements in “stacks” and access them instantly next time.

Wavebox, in addition to these features, tackles tab overload with an intelligent app-to-app link engine. Suppose Trello and Slack are both open in Wavebox. When you click a Trello link in Slack, it doesn't open a new tab; instead it shows that link in the Trello window you already have open, just as a desktop app would.

(Image credit: Laptop Mag)

For Stack CEO George Laliashvili, building a productivity app that lives inside the browser doesn't make sense, as it adds a lot of "unnecessary middlemen."

"It makes sense that a browser is not just a gateway to the Internet," Laliashvili told Laptop Mag, "but rather a tool that will help organize and manage the web by consuming some of the external applications."

The lines between the web and the desktop are more blurred than ever. And as one xkcd comic sums it up, operating systems themselves are indistinguishable these days, since so many people compute exclusively through the browser. With features such as the ability to install web applications on the desktop, and cloud-centric operating systems such as Google's Chrome OS gaining ground every year, the role of the browser is surely overdue for a reshuffle. Whether it remains its own entity or is built into the desktop operating system itself (as Microsoft may attempt with Windows 11) remains to be seen.

"Will web applications become more first-class citizens in a desktop operating system?" said Kanevsk of Slapdash. "Most likely, because the potential gains in the end-user experience are too significant and visceral to be ignored."


Saito & Elrond Network Partner to Power Web Apps & Games

The Elrond Network recently announced a partnership with Saito, the open network used to deliver web3 globally. The partnership will let developers use tokens accepted on Elrond (such as eGold) in web games and applications running on Saito's P2P network.

Through the collaboration, the two networks will become interoperable, letting Saito users and developers use Elrond's eGold and other tokens as currency in their games and web apps. Users can try the games on Saito Arcade to get an idea of which games the network will support in the future. After the announcement, developers and traders quickly turned to Elrond price forecasts to understand its implications.

What do companies think of the partnership?

Both platforms have issued official statements on the collaboration. Beniamin Mincu (CEO of the Elrond Network) said that any blockchain-based application operating at internet scale considers Elrond the ideal backend because of its high throughput. With Saito's help in improving performance for users and providing an attractive user interface, Elrond developers will enjoy P2P scalability for their upcoming games and web applications.

Richard Parris (co-founder of Saito) said the networks complement each other strongly in terms of efficiency, scalability and speed. Additionally, Elrond has an active community, and Saito sees that audience as a strong incentive to use eGold and other tokens in apps. The DeFi community has high hopes for the integration; given the stature of the parties involved, it is expected to deliver results.

Saito, the open network used to deliver web3, recently partnered with Elrond. The integration will let developers use eGold and other tokens to power web games and applications running on the Saito network. Both companies have expressed their enthusiasm about the development, and the community is welcoming it as well.

About Elrond

Elrond is an internet-scale blockchain network designed for high speed and throughput. It achieves this with a proof-of-stake (PoS) mechanism and Adaptive State Sharding, giving it a fast, secure and efficient consensus ecosystem. Elrond is said to process 15,000 TPS with a latency of only 6 seconds at minimal cost, which the project presents as the foundation for a decentralized Internet accessible worldwide and without borders.

About Saito

Saito is an open network layer that serves web3. It allows applications to operate without private APIs, closed infrastructure, or closed plugins. It operates without any owners and funds the nodes that provide user and routing infrastructure for Saito and other blockchains. The entire ecosystem is supported by its own blockchain approach, called Saito Consensus.