The OWASP Top 10 is a publicly shared list of the 10 most critical risks and vulnerabilities to application security. Since web apps and the programming languages used to create them are constantly evolving, the list is revised so that we are alerted only to the most critical forms of application vulnerability and not distracted by non-specific or outdated threats, as some entries in the past were.
According to the Open Web Application Security Project (OWASP), there are three new categories in the most recent version of the OWASP Top 10, published in 2021. On one of them, OWASP says:
"A new category for 2021 focuses on risks related to design and architectural flaws, with a call for more use of threat modeling, secure design patterns, and reference architectures. As a community we need to move beyond 'shift-left' in the coding space to pre-code activities that are critical for the principles of Secure by Design."
OWASP Top 10 Vulnerabilities 2021
1. Broken Access Control
Broken access control means the application does not verify that the caller is permitted to act on the requested object, so privileged functionality and crucial data can be reached without proper authorization.
A typical example of an access control vulnerability is forced browsing: a user changes the URL by hand to reach a page they were never meant to see.
E.g. as we know, to gain access to an application's admin dashboard one needs admin access rights.
http://appwebsite.com/app/getadmininfo
http://appwebsite.com/app/admin_getadmininfo
In the second URL, the path has been modified to probe for admin access. If the server does not verify the caller's role, the URL paves the way to unauthorized access, thanks to 'broken' control of access to sensitive data.
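The following is an added example, not code from the original article, showing the difference between a handler that relies on its URL staying secret and one that enforces a server-side role check on every request. The names used here (User, Forbidden, require_role, route_request, ADMIN_DATA) are hypothetical, and the two paths are the ones quoted above.

```python
import functools
from dataclasses import dataclass

# Added example, not code from the original article: a minimal in-memory
# request router with two users and two handlers. All names here
# (User, Forbidden, require_role, route_request, ADMIN_DATA) are hypothetical.


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin"


# Constructed placeholder data that only administrators should see.
ADMIN_DATA = {"licence_key": "EXAMPLE-KEY-0000", "user_count": 2}


class Forbidden(Exception):
    """Raised when the caller's role does not permit the requested action."""


def get_admin_info_vulnerable(user: User) -> dict:
    # Broken access control: the handler trusts that only admins know the
    # URL, so any authenticated user who guesses it gets the data.
    return dict(ADMIN_DATA)


def require_role(role: str):
    """Decorator that enforces a role check on every call to the handler."""

    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if user.role != role:
                raise Forbidden(f"{user.name} ({user.role}) may not call {fn.__name__}")
            return fn(user, *args, **kwargs)

        return wrapper

    return decorator


@require_role("admin")
def get_admin_info(user: User) -> dict:
    # Same functionality, but the authorization check runs on the server
    # for every request, regardless of how the caller reached the URL.
    return dict(ADMIN_DATA)


# Both paths from the article map to the same protected handler, so renaming
# or guessing the path does not bypass the check.
ROUTES = {
    "/app/getadmininfo": get_admin_info,
    "/app/admin_getadmininfo": get_admin_info,
}


def route_request(path: str, user: User):
    """Dispatch a request; returns (status_code, body) like a tiny web server."""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, None
    try:
        return 200, handler(user)
    except Forbidden:
        # Deny by default: the caller learns nothing about the data.
        return 403, None


if __name__ == "__main__":
    alice, bob = User("alice", "admin"), User("bob", "user")
    print(route_request("/app/admin_getadmininfo", alice))  # (200, {...})
    print(route_request("/app/admin_getadmininfo", bob))    # (403, None)
```

The point of the decorator is that the check lives with the handler, not with the link that leads to it: whichever path a caller types, the role test runs before any data is returned, and a failed check yields a generic 403 rather than a hint about what was protected.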
2. Cryptographic Failures
When someone sneaks into sensitive data in an application, be ready for serious repercussions. At least Uber drivers are aware of this.
Typical examples of sensitive information exposure include:
- Session tokens,
- login ID and passwords,
- online transactions, and
- personal details (SSN, Health records) etc.
Any unprivileged access to a victim's account is a serious concern. The practice of storing sensitive data with simple hashes (fast, unsalted algorithms) is largely to blame.
Coupled with the absence of encryption for sensitive data at rest and in caches, this threat is one of the key OWASP Top 10 vulnerabilities.
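As an added illustration of the "simple hashes" problem (this is example code, not from the original article), the block below puts an unsalted SHA-256 digest beside a salted, iterated PBKDF2 record with constant-time verification. The function names are hypothetical, and the iteration count is an assumption chosen to keep the example quick; production values should follow current OWASP password storage guidance.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the original article. Names (weak_hash,
# hash_password, verify_password) are hypothetical. The work factor below is
# an assumption chosen to keep the example fast; use current OWASP guidance
# for production values.
ITERATIONS = 200_000


def weak_hash(password: str) -> str:
    # The "simple hash" the article warns about: fast, unsalted, and the same
    # for every user with the same password, so one cracked digest (or a
    # precomputed table) unlocks every matching account.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never accept
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    print(weak_hash("hunter2") == weak_hash("hunter2"))   # True: identical for every user
    record = hash_password("hunter2")
    print(record != hash_password("hunter2"))              # True: salt makes each record unique
    print(verify_password("hunter2", record))              # True
```

Two users with the same password get two different PBKDF2 records because of the random salt, while the weak digest is identical for both, which is exactly what lets an attacker crack one and reuse it. Storing the algorithm and iteration count in the record also lets the work factor be raised later without breaking existing accounts.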
3. Injection
Injection is an attack on a web application's database using Structured Query Language (SQL) to gain information or execute actions that would normally require an authenticated user account.
The hacker already has your database, and you have only just realized it. This is an alarming situation.
A typical example of SQL injection is when "101 OR 1=1" is passed instead of just "101".
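To show what that "101 OR 1=1" example does in practice, here is an added example (not code from the original article) using an in-memory SQLite table with three constructed rows. It places the vulnerable string-built query beside the parameterized version; the table, rows and function names are all hypothetical.

```python
import sqlite3
from typing import List, Tuple

# Added example, not code from the original article. The table, rows and
# function names (make_db, find_item_vulnerable, find_item_safe) are
# constructed for illustration.


def make_db() -> sqlite3.Connection:
    """Build a small in-memory catalogue with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(101, "Keyboard", "alice"), (102, "Mouse", "bob"), (103, "Monitor", "carol")],
    )
    return conn


def find_item_vulnerable(conn: sqlite3.Connection, item_id: str) -> List[Tuple[int, str]]:
    # The user-supplied value is pasted straight into the SQL text, so
    # "101 OR 1=1" turns a lookup of one row into a dump of the whole table.
    query = f"SELECT id, name FROM items WHERE id = {item_id}"
    return conn.execute(query).fetchall()


def find_item_safe(conn: sqlite3.Connection, item_id: str) -> List[Tuple[int, str]]:
    # Two layers: validate the type we expect, then bind it as a parameter so
    # the database never interprets user input as SQL syntax.
    try:
        id_value = int(item_id)
    except ValueError:
        return []  # not a numeric id: treat it as "no such item"
    return conn.execute("SELECT id, name FROM items WHERE id = ?", (id_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_item_vulnerable(db, "101 OR 1=1"))  # all three rows
    print(find_item_safe(db, "101 OR 1=1"))        # []
```

Parameter binding alone would already stop the injection, because the driver sends the value separately from the SQL text; the explicit `int()` conversion adds a second, independent layer and makes the accepted input shape obvious to the next reader.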
4. Insecure Design
This newest OWASP Top 10 revision addresses risks related to design and architectural flaws, with recommendations for threat modelling, secure design patterns, and reference architectures – from the very beginning of the design process.
5. Security Misconfiguration
Security misconfiguration, as the OWASP Top 10 defines it, is an open invitation to attack an application running on servers with poorly configured permissions.
Default configurations, open ports, excessive privileges, incorrect HTTP headers etc. are common examples that leave an application vulnerable to breach.
NB: XML External Entities (XXE) is now part of Security Misconfiguration.
An OWASP XML External Entities attack occurs when an application parses XML input. That input can reference an external entity (a file on disk, say) which the XML parser pulls into the document if its settings are insecure.
An example of an XML external entities attack is when an attacker tries to extract data from the server:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
The same attack can also reach into the server's private network by changing the above ENTITY line to
<!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]>
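The standard mitigation for both payloads above is to refuse DTDs in untrusted input altogether. The block below is an added example, not code from the original article, applying that rule with Python's standard-library expat parser; parse_untrusted_xml and accepts_xml are hypothetical names, and the payload constant is the article's own XXE document reproduced as test input.

```python
import xml.parsers.expat
from typing import Dict, List

# Added example, not code from the original article. parse_untrusted_xml and
# accepts_xml are hypothetical names; rejecting any DOCTYPE is the standard
# "disable DTDs" mitigation, applied here with the standard-library parser.


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and so possibly entities)."""


def parse_untrusted_xml(data: bytes) -> Dict[str, object]:
    """Parse XML from an untrusted source into element names and text.

    Any document that declares a DOCTYPE is rejected before the parser
    can see an ENTITY declaration, which blocks XXE outright.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements: List[str] = []
    text: List[str] = []

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {doctype_name!r} not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Belt and braces: should a DTD ever slip through, returning 0 here makes
    # expat abort instead of fetching the external resource.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append

    parser.Parse(data, True)
    return {"elements": elements, "text": "".join(text)}


def accepts_xml(data: bytes) -> bool:
    """True if the document parses under the restrictive policy."""
    try:
        parse_untrusted_xml(data)
        return True
    except (DtdNotAllowed, xml.parsers.expat.ExpatError):
        return False


# The article's XXE payload, reproduced here as constructed test input.
XXE_PAYLOAD = (
    b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    b'<!DOCTYPE foo [\n<!ELEMENT foo ANY >\n'
    b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n<foo>&xxe;</foo>'
)
BENIGN = b'<?xml version="1.0"?><order><item>Keyboard</item></order>'


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))   # {'elements': ['order', 'item'], 'text': 'Keyboard'}
    print(accepts_xml(XXE_PAYLOAD))      # False
```

Rejecting at the DOCTYPE declaration means the parser never evaluates the ENTITY line at all, so the check is independent of whether a given parser would resolve `file://` or `https://` references by default. The same policy applies to the second payload, which only changes the SYSTEM identifier.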
NB: Cross-site scripting (XSS) now comes under the Injection category.
Affecting many applications, a cross-site scripting vulnerability is exploited by injecting malicious JavaScript that runs in the victim's browser and can intercept communication between the server and the browser.
A common example of an XSS vulnerability is when someone creates a new post in a WordPress admin dashboard.
Exploiting XSS, a hacker could inject into and tamper with the admin URL and force the browser to create a new admin account. End result? WordPress posts can be edited or changed, or anything else bad you can imagine done on the dashboard.
6. Vulnerable and Outdated Components
Most web applications are built on frameworks provided by third parties. The coding world is full of open-source components and frameworks for building applications, which means a huge number of eyes look over their source code for vulnerabilities.
Unknown application code may cause unwanted consequences in the form of access control breaches, SQL injection, etc.
7. Identification and Authentication Failures
As the name suggests, an identification and authentication failure is exploited by hackers to take advantage of improper authentication. It leads to security risks when an attacker gets hold of user information, password recovery flows, session IDs and other login credentials.
Brute force, in the form of credential stuffing, is considered the key driver of such broken authentication attempts.
A typical example is an online shopping URL.
E.g. an online shopping platform runs an application that supports URL rewriting, putting session IDs in the URL:
http://shoppingsitexample.com/products/item;jsessionid=2P0OC4KBIWHYDYIBOME1JV?dest=Nike
8. Software and Data Integrity Failures
Software and data integrity failures are becoming increasingly relevant as sensitive information is increasingly stored in databases, where it is at risk of tampering.
This category covers failures related to software updates (insufficient integrity verification), insecure CI/CD pipelines, and the need for adequate data integrity checks.
OWASP now counts insecure deserialization (the conversion of byte strings back into objects) as a data integrity failure, because this weakness breaks an application's logic with the help of invalid data.
An example of an insecure deserialization attack is remote code execution (RCE).
NB: Insecure Deserialization is now part of the Software and Data Integrity Failures category.
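As an added example (not code from the original article) of handling serialized data with integrity in mind, the block below signs a JSON record with an HMAC and refuses to deserialize anything whose tag or field set does not check out. The function names and the key are constructed placeholders; JSON is used precisely because, unlike a pickle, it cannot carry code.

```python
import hashlib
import hmac
import json
from typing import Any, Dict

# Added example, not code from the original article. sign_record, verify_record
# and load_record are hypothetical names; the key is a constructed placeholder.
SECRET_KEY = b"placeholder-key-use-a-real-secret"  # constructed placeholder

# Only these fields, with exactly these types, are accepted from a record.
SCHEMA = {"order_id": int, "customer": str, "total_cents": int}


class IntegrityError(ValueError):
    """Serialized data was tampered with or does not match the schema."""


def sign_record(record: Dict[str, Any], key: bytes = SECRET_KEY) -> bytes:
    """Serialize to JSON (data only, no code) and append an HMAC tag."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode("ascii")
    return payload + b"." + tag


def verify_record(blob: bytes, key: bytes = SECRET_KEY) -> bool:
    """Check the tag before anything parses the payload."""
    payload, sep, tag = blob.rpartition(b".")
    if not sep:
        return False
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode("ascii")
    return hmac.compare_digest(tag, expected)


def load_record(blob: bytes, key: bytes = SECRET_KEY) -> Dict[str, Any]:
    """Deserialize only after the integrity check and the schema check both pass.

    Contrast with pickle.loads(), which would execute whatever the bytes say;
    JSON cannot express code, and the schema rejects unexpected fields.
    """
    if not verify_record(blob, key):
        raise IntegrityError("HMAC mismatch: record was modified or signed with another key")
    payload = blob.rpartition(b".")[0]
    data = json.loads(payload)
    if not isinstance(data, dict) or set(data) != set(SCHEMA):
        raise IntegrityError("unexpected field set")
    for field, expected_type in SCHEMA.items():
        # type() rather than isinstance() so a JSON true/false is not accepted as an int
        if type(data[field]) is not expected_type:
            raise IntegrityError(f"field {field!r} has wrong type")
    return data


if __name__ == "__main__":
    blob = sign_record({"order_id": 7, "customer": "alice", "total_cents": 1999})
    print(load_record(blob))                                   # the original dict
    print(verify_record(blob.replace(b"1999", b"1")))          # False: payload changed
```

The order matters: the HMAC is checked before `json.loads` runs, so a modified or forged blob is never parsed at all, and the schema check afterwards keeps a validly signed but malformed record from reaching application logic.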
9. Security Logging and Monitoring Failures
A lack of logging of suspicious actions and events can leave growing gaps of time unmonitored, allowing security breaches to go undetected for longer than they would with better logging in place.
Being hacked is bad, but it becomes even worse when web application owners are not monitoring for suspicious behaviour in their applications.
This is where a monitoring system is handy. It alerts you when something happens to your site and gives instructions on how to address it in a timely manner.
Without having an efficient logging and monitoring process in place, one could be left dealing with the repercussions of a cyber attack without fully understanding what has happened to their system.
Example of Insufficient Logging and Monitoring:
- An attacker or program scans for users with easily crackable passwords.
- Once this is complete, the attacker only has to try one of those passwords to log in to all accounts that use simple passwords.
- The more different passwords are tried, the better it is for the user, because after some time only one false login attempt remains. If an attacker wants to get into more accounts, he has to invest more work.
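The scenario above is detectable from ordinary authentication logs. The block below is an added example, not code from the original article: it parses a constructed auth log and raises two kinds of alert, one for repeated failures against a single account and one for a single source failing across many accounts (the "one password, many users" pattern). The log format, sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Added example, not code from the original article. The log format, the
# sample lines and the function names (parse_line, detect_login_abuse) are
# constructed for illustration; adapt the regex to your own auth log.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source hammering a single account, another source
# trying one password against many accounts, plus normal logins and a
# malformed line that the parser must tolerate.
SAMPLE_LOG = """\
2024-05-01 10:00:01 auth OK user=alice src=198.51.100.20
2024-05-01 10:00:05 auth FAIL user=bob src=203.0.113.5
2024-05-01 10:00:09 auth FAIL user=bob src=203.0.113.5
2024-05-01 10:00:14 auth FAIL user=bob src=203.0.113.5
2024-05-01 10:00:20 auth FAIL user=bob src=203.0.113.5
2024-05-01 10:00:27 auth FAIL user=bob src=203.0.113.5
2024-05-01 10:00:35 auth FAIL user=bob src=203.0.113.5
2024-05-01 10:01:00 auth FAIL user=alice src=198.51.100.7
2024-05-01 10:01:02 auth FAIL user=carol src=198.51.100.7
2024-05-01 10:01:04 auth FAIL user=dave src=198.51.100.7
2024-05-01 10:01:06 auth FAIL user=erin src=198.51.100.7
this line is not an auth event
2024-05-01 10:02:00 auth FAIL user=carol src=198.51.100.21
2024-05-01 10:02:10 auth OK user=carol src=198.51.100.21
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one log line into an event dict, or None if it does not match."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
    return event


def detect_login_abuse(
    log_text: str,
    window: timedelta = timedelta(minutes=5),
    brute_threshold: int = 5,
    spray_threshold: int = 3,
) -> List[Tuple[str, str, object]]:
    """Return alerts for two patterns of failed logins inside a time window.

    brute_force   : one source fails against one account >= brute_threshold times
    password_spray: one source fails against >= spray_threshold distinct accounts
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures = [e for e in events if e["result"] == "FAIL"]
    alerts: List[Tuple[str, str, object]] = []

    # Failures per (source, user), sorted by time, then a sliding window.
    per_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in failures:
        per_pair[(e["src"], e["user"])].append(e["ts"])
    for (src, user), times in per_pair.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= brute_threshold:
                alerts.append(("brute_force", src, user))
                break

    # Distinct users failed per source inside any window starting at a failure.
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in failures:
        per_src[e["src"]].append((e["ts"], e["user"]))
    for src, items in per_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= spray_threshold:
                alerts.append(("password_spray", src, len(users)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOG):
        print(alert)
```

Note that the second pattern produces only one failure per account, so a per-account lockout alone would never notice it; counting distinct accounts per source is what surfaces it, and having the raw FAIL events logged at all is the precondition for either rule.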
10. Server Side Request Forgery (SSRF)
When a server makes a request to a user-supplied URL without first validating it, the result is known as a Server-Side Request Forgery, or SSRF, attack.
Examples
A web application can be vulnerable to an SSRF attack if it does not validate the remote resource URL supplied by the user.
– A potential remote resource URL could be http://target.example.com/inc/sharefile.asp
– If the web application does not validate the URL, the user may be able to exploit this to access other internal resources or even internal networks.
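One way to perform that validation, as an added example that is not part of the original article: restrict the scheme, allowlist the hostname, and refuse any host that resolves to a non-public address. The function names are hypothetical, the allowlist uses the article's example host, and the resolver is injectable so the check can be exercised offline with constructed addresses.

```python
import ipaddress
import socket
from typing import Callable, Set, Tuple
from urllib.parse import urlsplit

# Added example, not code from the original article. validate_remote_url and
# its helpers are hypothetical names; the allowlist uses the article's example
# host. The resolver is injectable so the check can be exercised offline.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"target.example.com"}  # constructed allowlist


def resolve_all(host: str) -> Set[str]:
    """Every address a hostname resolves to (the default, network-using resolver)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text: str) -> bool:
    """Reject loopback, RFC 1918, link-local, multicast, reserved and unspecified ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def validate_remote_url(
    url: str, resolve: Callable[[str], Set[str]] = resolve_all
) -> Tuple[bool, str]:
    """Return (allowed, reason). Only allowlisted hosts on public addresses pass."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"  # blocks file://, gopher://, etc.
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"  # user-info makes host parsing ambiguous
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"  # raw IP literals never match
    try:
        addresses = resolve(host)
    except OSError:
        return False, "host does not resolve"
    if not addresses or not all(is_public_address(a) for a in addresses):
        return False, "host resolves to a non-public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver results so the demo runs without network access.
    print(validate_remote_url("http://target.example.com/inc/sharefile.asp",
                              resolve=lambda h: {"93.184.216.34"}))   # (True, 'ok')
    print(validate_remote_url("https://192.168.1.1/private",
                              resolve=lambda h: {"192.168.1.1"}))     # (False, 'host not on allowlist')
```

Two caveats for real deployments: the address check is only meaningful if the request is then made to the address that was validated (rather than resolving the name a second time), and HTTP redirects must either be disabled or have each redirect target passed back through the same validation.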