The Open Web Application Security Project (OWASP) Top 10 in 2021

The OWASP (Open Web Application Security Project) Top 10 is a widely recognized list of the most critical security risks faced by web applications. It gives developers, security professionals, and organizations guidance on which vulnerabilities to prioritize and address first. Before the 2021 revision, the current version was OWASP Top 10 2017, which listed the following vulnerabilities:

1. Injection: This refers to vulnerabilities arising from untrusted data being interpreted as code or commands. It includes SQL, OS, and LDAP injection, where an attacker can manipulate input to execute unauthorized actions.

2. Broken Authentication: Weaknesses in authentication and session management can lead to unauthorized access to user accounts, allowing attackers to compromise identities, passwords, or session tokens.

3. Sensitive Data Exposure: Inadequate protection of sensitive data, such as credit card information or personal details, can expose it to unauthorized access or theft.

4. XML External Entities (XXE): Insecure processing of XML data can lead to external entity expansion attacks, allowing attackers to read local files, perform remote requests, or launch denial-of-service attacks.

5. Broken Access Control: Improper enforcement of access controls can enable attackers to gain unauthorized access to functionality or data, such as modifying other users' data or performing privileged actions.

6. Security Misconfiguration: Security controls and configurations that are not implemented correctly or kept up-to-date can leave vulnerabilities, providing attackers with easy entry points into the system.

7. Cross-Site Scripting (XSS): XSS vulnerabilities occur when untrusted data is included in web pages without proper validation or sanitization, allowing attackers to execute malicious scripts in users' browsers.

8. Insecure Deserialization: Insecure deserialization can lead to remote code execution, replay attacks, and privilege escalation if untrusted data is deserialized without proper validation.

9. Using Components with Known Vulnerabilities: Outdated or vulnerable components, such as libraries, frameworks, or modules, can introduce security weaknesses and make applications susceptible to attacks.

10. Insufficient Logging and Monitoring: Inadequate logging and monitoring can hinder the detection of security incidents, making it difficult to identify and respond to attacks in a timely manner.

It's important to note that the OWASP Top 10 list is periodically updated to reflect the evolving threat landscape. It's recommended to refer to the latest version of the OWASP Top 10 for the most up-to-date information and guidance.

What’s new in the 2021 list?

For the 2021 list, OWASP added three new categories, made four changes to naming and scoping, and consolidated some entries.



1. Broken Access Control (A01:2021)

In the 2021 edition of the OWASP Top 10 there has been a notable change in the rankings: broken access control has risen to the top spot. This category covers weaknesses that let an attacker bypass inadequate access controls and act with privileges they were never granted, whether as another regular user or even as an administrator.

Example: An application allows a primary key to be changed, and when this key is changed to another user’s record, that user’s account can be viewed or modified.
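The "changed primary key" flaw above, as an added example that is not from the original post: a hypothetical Python account service with the vulnerable lookup next to a version that enforces object-level authorization on every request (names, records and the admin flag are all assumed).

```python
from dataclasses import dataclass

@dataclass
class Account:
    id: int
    owner_id: int
    balance: int

# Constructed sample records owned by two different users.
ACCOUNTS = {101: Account(101, owner_id=1, balance=500),
            102: Account(102, owner_id=2, balance=9000)}

class Forbidden(Exception):
    pass

def get_account_vulnerable(current_user_id: int, account_id: int) -> Account:
    """Trusts the client-supplied key: being logged in is the only check, so
    changing 101 to 102 in the request returns another user's account."""
    return ACCOUNTS[account_id]

def can_access(current_user_id: int, account_id: int, is_admin: bool = False) -> bool:
    """Object-level authorization: the caller must own the record or be an admin.
    Unknown ids are also denied, so the answer never reveals which ids exist."""
    acct = ACCOUNTS.get(account_id)
    return acct is not None and (acct.owner_id == current_user_id or is_admin)

def get_account_secure(current_user_id: int, account_id: int, is_admin: bool = False) -> Account:
    if not can_access(current_user_id, account_id, is_admin):
        # Deny by default rather than fall through to the lookup.
        raise Forbidden(f"user {current_user_id} may not access account {account_id}")
    return ACCOUNTS[account_id]
```

The same check belongs in every handler that takes a record id, including update and delete paths, not only the read path shown here.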


2. Cryptographic Failures (A02:2021)

In the 2021 revision of the OWASP Top 10, this entry moved up to number 2 and was renamed: what was previously called "sensitive data exposure" is now "cryptographic failures." The new name is more accurate, because it identifies the cryptographic failure as the root cause rather than naming the symptom. Cryptographic failures cover situations where critical data, such as social security numbers, is compromised because of flaws in how it is encrypted, stored, or transmitted.

Example: A financial institution fails to adequately protect its sensitive data and becomes an easy target for credit card fraud and identity theft.


3. Injection (A03:2021)

In the 2021 update of the OWASP Top 10, injection has dropped from number 1 to number 3, and cross-site scripting is now considered part of this category. Injection occurs when an attacker sends malicious data into a web application so that it is interpreted as code or a command, manipulating the application into behavior its design never intended.

Example: An application uses untrusted data when constructing a vulnerable SQL call.


4. Insecure Design (A04:2021)

New in the OWASP Top 10 for 2021 is the category "Insecure Design," which addresses risks that stem from design flaws in an application rather than from its implementation. It emphasizes that threat modeling, secure design patterns, principles, and reference architectures on their own are not enough as organizations adopt a "shift left" approach. The category highlights the importance of identifying and fixing design weaknesses early in the development process so that applications are more robust and resilient.

Example: A movie theater chain that allows group booking discounts requires a deposit for groups of more than 15 people. Attackers threat model this flow to see if they can book hundreds of seats across various theaters in the chain, thereby causing thousands of dollars in lost income.


5. Security Misconfiguration (A05:2021)

In the 2021 revision of the OWASP Top 10, the former "XML External Entities (XXE)" category has been folded into "Security Misconfiguration," which has moved up from its previous position at number 6. Security misconfiguration covers weaknesses that arise from errors or omissions in how a system is configured during setup, deployment, or maintenance, and which leave the system exposed if not addressed.

Example: A default account and its original password are still enabled, making the system vulnerable to exploit.


6. Vulnerable and Outdated Components (A06:2021)

In the 2021 version of the OWASP Top 10, this category has moved up from its previous position at number 9. It now covers components that present both known and potential risks, not only known vulnerabilities. It stresses identifying and patching components with known vulnerabilities, such as those documented as Common Vulnerabilities and Exposures (CVEs), in a timely manner, and also assessing unmaintained or malicious components for their viability and potential impact on the system's security posture.

Example: Due to the volume of components used in development, a development team might not know or understand all the components used in their application, and some of those components might be out-of-date and therefore vulnerable to attack.


7. Identification and Authentication Failures (A07:2021)

Formerly called broken authentication, this entry has dropped from its previous rank of number 2 and now also covers CWEs related to identification failures. Flawed implementation of authentication and session management functions lets attackers compromise passwords, keys, or session tokens, resulting in stolen user identities and worse.

Example: A web application allows the use of weak or easy-to-guess passwords (i.e., “password1”).


8. Software and Data Integrity Failures (A08:2021)

New in the OWASP Top 10 for 2021 is the category "Software and Data Integrity Failures." It addresses the risks of software updates, critical data handling, and Continuous Integration/Continuous Deployment (CI/CD) pipelines that operate without proper integrity verification. It also absorbs the former "Insecure Deserialization" entry: insecure deserialization is a vulnerability where flaws in the deserialization process let an attacker execute code remotely on the targeted system. The category emphasizes verifying the integrity of software updates, protecting critical data, and addressing the risks of insecure deserialization practices.

Example: An application deserializes attacker-supplied hostile objects, exposing itself to remote code execution.
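The hostile-object case above, as an added example that is not from the original post: a Python loader that only deserializes what an allowlist permits. The restricted unpickler is an assumed design following the pattern in the Python documentation; the allowlist and the two constructed payloads are assumptions for the demonstration.

```python
import io
import pickle
import collections

# Globals the application legitimately expects inside serialized data.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

class RestrictedUnpickler(pickle.Unpickler):
    """pickle resolves every referenced global by importing it, and find_class is
    the hook where that happens; refusing unknown names here stops a hostile
    object before any of its code runs."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def try_load(data: bytes) -> tuple:
    """Return (ok, value_or_reason) so a rejected payload can be logged instead of crashing the caller."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as e:
        return False, str(e)

# Constructed payloads: one made only of plain data, and one that references a
# class outside the allowlist (harmless here, but the loader cannot know that).
def sample_plain_payload() -> bytes:
    return pickle.dumps({"n": 1, "tags": {"a", "b"}})

def sample_foreign_payload() -> bytes:
    return pickle.dumps(collections.OrderedDict(a=1))
```

Where the data format allows it, a schema-validated JSON document is a simpler choice than any unpickler, because it cannot reference code at all.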


9. Security Logging and Monitoring Failures (A09:2021)

In the 2021 update of the OWASP Top 10, the entry previously called "Insufficient Logging and Monitoring" has moved up from its former position at number 10 and has been expanded to cover a wider range of failures. Logging and monitoring are activities that should run continuously on any website; neglecting them leaves a site more exposed, because compromises go undetected and escalate. The revised entry underscores that robust logging and monitoring are essential components of a comprehensive security strategy.

Example: Events that can be audited, like logins, failed logins, and other important activities, are not logged, leading to a vulnerable application.
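The kind of check that is only possible when logins and failed logins are actually logged, as an added example that is not from the original post: it parses a few constructed audit lines in an assumed "timestamp event user ip" format and flags a source that fails repeatedly within a short window, noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format.
SAMPLE_LOG = """\
2021-09-24T10:00:01Z LOGIN_FAIL user=alice ip=203.0.113.7
2021-09-24T10:00:03Z LOGIN_FAIL user=alice ip=203.0.113.7
2021-09-24T10:00:04Z LOGIN_FAIL user=bob ip=203.0.113.7
2021-09-24T10:00:05Z LOGIN_FAIL user=carol ip=203.0.113.7
2021-09-24T10:00:06Z LOGIN_FAIL user=dave ip=203.0.113.7
2021-09-24T10:00:09Z LOGIN_OK user=dave ip=203.0.113.7
2021-09-24T10:05:00Z LOGIN_FAIL user=erin ip=198.51.100.2
2021-09-24T10:05:30Z LOGIN_OK user=erin ip=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) ip=(\S+)$")

def parse(log: str) -> list:
    """Return (timestamp, event, user, ip) tuples; lines that are not auth events are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_suspicious_sources(log: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Return {ip: reason} for sources with at least `threshold` failures inside one
    window; the reason records whether a success followed the burst."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, kind, user, ip in parse(log):
        (fails if kind == "LOGIN_FAIL" else successes)[ip].append(ts)
    alerts = {}
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):       # sliding window over failures
            if times[i + threshold - 1] - times[i] <= timedelta(seconds=window_s):
                later_ok = any(t > times[i + threshold - 1] for t in successes[ip])
                alerts[ip] = "burst then success" if later_ok else "burst"
                break
    return alerts
```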


10. Server-Side Request Forgery (A10:2021)

In the 2021 edition of the OWASP Top 10, a noteworthy addition is the new category "Server-Side Request Forgery (SSRF)." This vulnerability arises when a web application fetches a remote resource without properly validating the user-supplied URL. That oversight lets an attacker make the application send crafted requests to unexpected destinations, even when the system is shielded by firewalls, VPNs, or additional network access control lists. SSRF attacks are rising in both severity and frequency, largely because of the widespread use of cloud services and the growing complexity of system architectures, which makes robust defenses against SSRF a pressing need for protecting applications and data.

Example: If a network architecture is unsegmented, attackers can use connection results or elapsed time to connect or reject SSRF payload connections to map out internal networks and determine if ports are open or closed on internal servers.
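Validating the user-supplied URL before the server fetches it, as an added example that is not from the original post: scheme, host allowlist, port and every address the host resolves to are checked, and the resolver is injected so the code runs offline here. The allowlisted hosts, the blocked ranges and the fake DNS table are assumptions for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}   # assumed allowlist

# Address ranges a server-side fetch must never be steered to: loopback, RFC 1918,
# link-local (which includes the cloud metadata address), CGNAT, and IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed resolver stand-in; in production wrap socket.getaddrinfo instead.
FAKE_DNS = {
    "images.example.com": ["198.51.100.10"],
    "cdn.example.net": ["198.51.100.20", "10.0.0.5"],   # one record points inward
}

def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # check ::ffff:a.b.c.d against the IPv4 ranges
    return addr.is_multicast or any(addr in net for net in BLOCKED_NETWORKS)

def validate_fetch_url(url: str, resolve=lambda host: FAKE_DNS.get(host, [])) -> tuple:
    """Return (ok, reason). Deny by default: scheme, host, port and every address the
    host resolves to must pass, so a name with even one inward record is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "port not allowed"
    addrs = resolve(parts.hostname)
    if not addrs or any(is_blocked(a) for a in addrs):
        return False, "host resolves to a blocked address"
    return True, "ok"
```

The resolved-address check is defense in depth behind the allowlist; the HTTP client used for the fetch must also be configured not to follow redirects, or the same validation has to be repeated on each redirect target.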


-InfoSec Guardian
