
GUEST BLOG - APPCHECK: OWASP Top 10 2021 Web Application Security Risks

  • Blog
  • 07 August '22
  • 5 mins

The following blog post was written by our friends at AppCheck, where they take a deeper dive into what's included in the latest OWASP Top 10.


What are the OWASP Top 10 Web Application Security Risks?

OWASP (Open Web Application Security Project) is an organisation providing unbiased information and advice surrounding computer and internet applications.

Every few years the OWASP community come together to review the ten most critical web application security risks (commonly known simply as the “OWASP Top 10”) by analysing vulnerability data spanning hundreds of organisations and over 100,000 real-world applications. This process was most recently performed in 2021 and a new, updated top 10 list was published. The vulnerabilities are assessed by OWASP using several factors such as detectability, exploitability, and potential impact to create the final list.


Cybersecurity and OWASP Top 10

A01:2021 – “Broken Access Control”

This category of vulnerability covers scenarios where routes/views within the application are not properly protected so that information is inadvertently exposed to unauthorized parties – or to put it another way, users are able to act outside of their intended permissions. The actual causes can vary broadly, but common examples might include being able to access another user’s account or record by changing a “userID” parameter in a URL, in a form of attack known as “Insecure Direct Object Reference” or “Forced Browsing”. There are however dozens of CWEs mapped to this category, including technical vulnerabilities such as Open Redirects, CSRF, and Path Traversal – as well as more simple misapplied permissions on records, pages, data, and services.
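The "change a userID in the URL" case above, as an added example that is not part of the AppCheck post: a record lookup that trusts the id from the request beside one that enforces ownership. The record store and user names are constructed sample data.

```python
# Added example (not from the AppCheck post): object-level authorization
# check for a "fetch record by id" route, the pattern behind IDOR findings.
# RECORDS and the user names are constructed sample data.

RECORDS = {
    101: {"owner": "alice", "body": "alice's invoice"},
    102: {"owner": "bob", "body": "bob's invoice"},
}

class Forbidden(Exception):
    """Raised when the caller is not allowed to see the record."""

def get_record_vulnerable(record_id: int, current_user: str) -> dict:
    # Trusts the id from the URL and never checks ownership: any
    # authenticated user can walk the id space and read every record.
    return RECORDS[record_id]

def get_record_hardened(record_id: int, current_user: str) -> dict:
    # Look the record up, then enforce that the caller owns it.
    # Missing and forbidden records produce the same error so the
    # response does not reveal which ids exist.
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != current_user:
        raise Forbidden("record not found")
    return record

def can_read(record_id: int, current_user: str) -> bool:
    """True only when the hardened check lets current_user see the record."""
    try:
        get_record_hardened(record_id, current_user)
        return True
    except Forbidden:
        return False
```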


A02:2021 – “Cryptographic Failures”

This category includes many failures related to cryptography, which often lead to sensitive data exposure or system compromise. Examples include the use of weak encryption algorithms, weak or default passwords, insufficient key length or encryption strength, or a simple lack of transport layer protection (e.g., use of HTTP rather than HTTPS).


A03:2021 – “Injection” [including XSS]

Injection attacks are historically one of the most common types of flaws found in web applications. They are usually the result of unfiltered user input being directly included in command executions or database queries on the server.

Cross-site scripting (XSS) is a specific and very common type of injection attack whereby an attacker can inject JavaScript content into an application that then runs in a user’s browser. XSS is often thought of as an attack against the users of an application rather than the application itself, but some more complicated XSS attacks target the administration and backend systems of an application (second-order attacks).
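The two injection cases described above, as an added example that is not from the AppCheck post: the same untrusted string reaching a SQL interpreter and an HTML renderer, with the fix in each case being parameterisation or output encoding rather than input filtering. The in-memory SQLite table and the comment text are constructed sample data.

```python
# Added example (not from the AppCheck post): untrusted input reaching two
# interpreters, and the context-specific fix for each. The SQLite table
# and sample strings are constructed so the block runs offline.
import html
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Input is pasted into the query text, so a quote character in it
    # changes the query's structure instead of being treated as data.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver binds the value separately, so it
    # is compared as a literal string whatever characters it contains.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def render_comment(author: str, text: str) -> str:
    # Stored-XSS fix: encode for the HTML context at output time rather
    # than trying to strip "bad" input on the way in.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"
```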


A04:2021 – “Insecure Design”

“Insecure Design” is a new category introduced by OWASP in its 2021 update of the Top 10 list. It includes all risks related to design flaws and so it is a very broad category and difficult to summarize succinctly – it includes many “process” weaknesses that cannot be scanned for since they are human processes within an organisation, such as the lack of threat modelling, the lack of secure design patterns and principles, and the lack of standard and secure reference architectures by software development teams.


A05:2021 – “Security Misconfiguration”

While many vulnerabilities are due to underlying code errors, this category relates to the misconfiguration of any layer of the application stack, from the operating system or cloud platform up to the individual deployed application. It can therefore include inadvertently exposed services or ports, out-of-date or unpatched frameworks or the stack on which the framework sits, default passwords, or verbose error display left enabled on production systems. Often it is a case of the server administrator failing to change the settings within the stack to harden the security of the setup.


A06:2021 – “Vulnerable and Outdated Components”

Outdated components refer to standard software that is used to support an application but which has not been updated and is therefore at an “old” version known to contain vulnerabilities. Outdated components can exist at any layer of the software stack, from an unpatched kernel on the host OS right up to third-party library dependencies referenced in the application codebase or in JavaScript served for client-side execution. With the huge number of third-party components freely available on the internet for inclusion in applications, it’s not uncommon for a developer to find a component or library and include it in an application to solve a problem or provide common functionality.


A07:2021 – “Identification and Authentication Failures”

Sometimes authentication can be implemented incorrectly, or an application can contain routes to sensitive data that haven’t been correctly protected by an authentication barrier. In other cases, it can be the session token that is vulnerable, either to enumeration or to never expiring; this can allow an attacker to guess the session token of another user (e.g., an administrator) and take control of their session to steal data.
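The session-token weaknesses above (enumerable tokens, tokens that never expire), as an added example that is not from the AppCheck post: a server-side session store that issues unguessable tokens and enforces a lifetime. The 15-minute TTL is an assumed value, and the clock is injected so expiry can be exercised.

```python
# Added example (not from the AppCheck post): a session store whose tokens
# cannot be enumerated and which expire. SESSION_TTL_SECONDS is an assumed
# value; the clock is injectable so expiry can be tested deterministically.
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60

class SessionStore:
    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # token -> (username, expires_at)

    def create(self, username: str) -> str:
        # secrets.token_urlsafe draws from the OS CSPRNG; 32 bytes gives
        # 256 bits of entropy, so a token cannot be guessed or derived from
        # a previous one (unlike a counter or a timestamp-based id).
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self._now() + SESSION_TTL_SECONDS)
        return token

    def lookup(self, token: str):
        # Returns the username for a live session, or None. Expired
        # entries are purged on sight so a stolen token has a bounded life.
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[token]
            return None
        return username

    def revoke(self, token: str) -> None:
        # Logout must invalidate server-side state, not just clear a cookie.
        self._sessions.pop(token, None)
```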


A08:2021 – “Software and Data Integrity Failures”

Another new category for 2021, “Software and Data Integrity Failures” covers vulnerabilities that arise from making assumptions about software updates, critical data, and CI/CD pipelines without verifying their integrity. Examples include insecure deserialization, in which objects or data that are intended to be immutable are serialized into a form or structure that an attacker can see and manipulate before the application reads them back.
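The "data assumed immutable but actually under the client's control" case above, as an added example that is not from the AppCheck post: serialised preferences handed to the client are protected with an HMAC tag and are only parsed once the tag verifies. The key is a labelled placeholder and the preferences are constructed sample data.

```python
# Added example (not from the AppCheck post): verify the integrity of
# serialised data before trusting it. SERVER_KEY is a placeholder and
# must come from a secret store in real use; the data is constructed.
import hashlib
import hmac
import json

SERVER_KEY = b"placeholder-key-load-from-secret-store"

def pack(data: dict, key: bytes = SERVER_KEY) -> str:
    # Serialise as JSON (data only, no object reconstruction) and append
    # an HMAC-SHA256 tag over the exact bytes that will be verified later.
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def unpack(blob: str, key: bytes = SERVER_KEY):
    # Recompute the tag and compare in constant time; parse only after the
    # comparison succeeds. Returns None for anything tampered or malformed.
    try:
        body_hex, tag = blob.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)
```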


A09:2021 – “Security Logging and Monitoring Failures”

This is a broad category, including whether a system correctly audits security events such as logins and failed logins. It also includes issues such as when logs contain sensitive information.

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Most breach studies show that the time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring.
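The "audit logins and failed logins" point above, as an added example that is not from the AppCheck post: a sliding-window detector for bursts of failed logins per source address, the kind of control that only works when failures are actually logged. The log format and the lines themselves are constructed.

```python
# Added example (not from the AppCheck post): brute-force detection over
# authentication log lines. The line format and SAMPLE_LOG are constructed.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines: "<ISO time> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2022-08-07T10:00:01 LOGIN_FAIL user=admin src=203.0.113.7
2022-08-07T10:00:05 LOGIN_FAIL user=admin src=203.0.113.7
2022-08-07T10:00:09 LOGIN_FAIL user=root src=203.0.113.7
2022-08-07T10:00:12 LOGIN_OK user=alice src=198.51.100.20
2022-08-07T10:00:20 LOGIN_FAIL user=admin src=203.0.113.7
2022-08-07T10:00:25 LOGIN_FAIL user=admin src=203.0.113.7
2022-08-07T10:09:00 LOGIN_FAIL user=bob src=198.51.100.20
"""

def parse(line: str):
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def failed_login_bursts(log: str, threshold: int = 5, window_s: int = 60) -> list:
    # Per-source sliding window: raise one alert the first time `threshold`
    # failures fall within `window_s` seconds. Returns (src, iso_time).
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in log.splitlines():
        ts, result, _user, src = parse(line)
        if result != "LOGIN_FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts.isoformat()))
    return alerts
```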


A10:2021 – “Server-Side Request Forgery” [SSRF]

SSRF is a particular variant of injection attack in which an untrusted remote party (an attacker) is able, via a malicious payload, to force a server to perform requests on their behalf.

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network ACL.


Cantarus is a proud AppCheck Partner

If you’d like to know more about AppCheck you can visit their website, or get in touch with us at [email protected] to learn more.

