Table Of Contents
- 1 The 2021 OWASP Top 10: Keeping Your Web Applications Secure
- 2 Understanding the Top 10 Vulnerabilities
- 2.1 Broken Access Control – A01:2021
- 2.2 Cryptographic Failures – A02:2021
- 2.3 Injection – A03:2021
- 2.4 Insecure Design – A04:2021
- 2.5 Security Misconfiguration – A05:2021
- 2.6 Vulnerable and Outdated Components – A06:2021
- 2.7 Identification and Authentication Failures – A07:2021
- 2.8 Software and Data Integrity Failures – A08:2021
- 2.9 Security Logging and Monitoring Failures – A09:2021
- 2.10 Server-Side Request Forgery – A10:2021
- 2.11 About The Author
The 2021 OWASP Top 10: Keeping Your Web Applications Secure
In today’s digital age, web applications are part of everyday life: shopping, banking and much else runs through them. That dependence makes them attractive targets, and the risk of attack grows with it. To help teams focus on what matters most, the Open Web Application Security Project (OWASP) publishes the OWASP Top 10, a ranked list of the most critical web application security risks, updated every few years (the three most recent editions are 2013, 2017 and 2021). In this blog post, we will explore the 2021 OWASP Top 10.
What is the OWASP Top 10?
The OWASP Top 10 is a regularly updated list of the most critical web application security risks. It serves as a guide for developers, security professionals, and organizations to understand and address the vulnerabilities that attackers commonly exploit. The 2021 edition was compiled from vulnerability data contributed by application security vendors, consultancies and bug bounty programs, which determined eight of the ten categories; the remaining two (Security Logging and Monitoring Failures and Server-Side Request Forgery) came from a community survey of practitioners.
The 2021 edition of the OWASP Top 10 includes the following vulnerabilities:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
For comparison, the 2017 edition of the OWASP Top 10 included the following vulnerabilities:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
Between the two editions, Cross-Site Scripting was folded into Injection, XML External Entities into Security Misconfiguration, and Insecure Deserialization into Software and Data Integrity Failures. Insecure Design and Server-Side Request Forgery are new categories, and several others were renamed to describe the root cause rather than a symptom (Sensitive Data Exposure became Cryptographic Failures, for example).
Understanding the Top 10 Vulnerabilities
Broken Access Control – A01:2021
Broken access control vulnerabilities let attackers bypass authorization: they act outside their intended permissions, escalate privileges, and reach sensitive data or privileged functionality within the application. A user’s privileges are what that user is permitted to do; common privileges include viewing and editing files, or modifying system settings. These failures usually come from checks that are missing rather than checks that are buggy: an endpoint that trusts a record id taken from the URL, or an administrative function that is protected only by not being linked from the user interface.
Privilege escalation happens when a user obtains privileges they are not entitled to. Those privileges can be used to read private information, delete files, or install unwanted programs such as malware.
There are two types of privilege escalation:
Vertical privilege escalation:
Also called privilege elevation: a lower-privileged user or application accesses functions or content reserved for higher-privileged users or applications (e.g. an Internet banking customer reaching the site’s administrative functions, or the passcode on a smartphone being bypassed).
Horizontal privilege escalation:
A normal user accesses functions or content reserved for other users at the same privilege level (e.g. Internet Banking User A accesses the Internet bank account of User
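To make the two cases concrete, here is an added example (not code from the original post): a tiny in-memory "bank" with a vulnerable handler pair that trusts whatever the request says, beside a hardened pair that checks ownership and role. The user names, account ids and balances are constructed for the demonstration.

```python
"""Horizontal (IDOR) and vertical privilege escalation from missing checks.

Added example for this post, not production code. The session has already
authenticated the caller (req.user); what the vulnerable handlers lack is
authorization, i.e. the check that this user may touch this object or
call this function.
"""
from dataclasses import dataclass

# Constructed sample data: two ordinary customers and one administrator.
USERS = {
    "alice": {"role": "customer"},
    "bob": {"role": "customer"},
    "carol": {"role": "admin"},
}
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "balance": 500},
    "acct-2002": {"owner": "bob", "balance": 9000},
}


class Forbidden(Exception):
    """Caller is authenticated but not authorized for this action."""


@dataclass
class Request:
    user: str          # identity established by the session cookie
    account_id: str    # value taken from the URL, e.g. /accounts/<id>


def view_account_vulnerable(req: Request) -> dict:
    # No object-level check: any logged-in user can read any account just by
    # changing the id in the URL. This is horizontal escalation (IDOR).
    return ACCOUNTS[req.account_id]


def view_account_secure(req: Request) -> dict:
    acct = ACCOUNTS[req.account_id]
    # Object-level check: the caller must own the record or be an admin.
    if acct["owner"] != req.user and USERS[req.user]["role"] != "admin":
        raise Forbidden(f"{req.user} may not view {req.account_id}")
    return acct


def freeze_account_vulnerable(req: Request) -> str:
    # Admin-only operation reachable by anyone who finds the endpoint:
    # an unlinked URL is not access control. This is vertical escalation.
    ACCOUNTS[req.account_id]["frozen"] = True
    return "frozen"


def freeze_account_secure(req: Request) -> str:
    # Function-level check, enforced server-side on every call, deny by default.
    if USERS.get(req.user, {}).get("role") != "admin":
        raise Forbidden(f"{req.user} is not an admin")
    ACCOUNTS[req.account_id]["frozen"] = True
    return "frozen"


def demo() -> dict:
    """Run both attacks against both handler pairs; report what each allowed."""
    results = {}
    # Horizontal: alice asks for bob's account.
    results["idor_vulnerable"] = view_account_vulnerable(Request("alice", "acct-2002"))["owner"]
    try:
        view_account_secure(Request("alice", "acct-2002"))
        results["idor_secure"] = "allowed"
    except Forbidden:
        results["idor_secure"] = "denied"
    # Vertical: bob, a customer, calls the admin-only freeze endpoint.
    results["vertical_vulnerable"] = freeze_account_vulnerable(Request("bob", "acct-1001"))
    try:
        freeze_account_secure(Request("bob", "acct-1001"))
        results["vertical_secure"] = "allowed"
    except Forbidden:
        results["vertical_secure"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The secure handlers deny by default and make the decision on the server from the session identity and the stored owner, never from anything the client sent; that is the whole difference.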
Cryptographic Failures – A02:2021
Cryptographic failures are mistakes in how encryption and other cryptographic methods are used to protect data such as social security numbers and credit card details. They usually stem from developers not following established practice, or from security not being considered during development at all. Sometimes there are ways to bypass the encryption altogether, whether intentionally left by the developers or accidentally overlooked.
The following are common causes of cryptographic failures:
- Outdated or deprecated algorithms (MD5 or SHA-1 for passwords, DES, RC4)
- Server certificates and their trust chains not properly validated
- Data transmitted in clear text (HTTP, FTP or SMTP without TLS)
- Poor implementation of encryption (home-grown algorithms, ECB mode, reused or predictable IVs, non-cryptographic random number generators)
- Weak key handling: no key management or rotation, weak or re-used keys, vendor default keys
- Hard-coded keys and other secrets in source code or configuration
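The password-storage case combines three of these causes at once (deprecated algorithm, missing salt, non-constant-time comparison), so here is an added example (not code from the original post) that stores and checks a password the legacy way and with a salted key derivation function from the Python standard library. The user names and passwords are constructed for the demonstration.

```python
"""Bare MD5 versus a salted password KDF (scrypt) with constant-time compare.

Added example for this post. The 'legacy' functions are deliberately
weak to show what A02 warns about; the 'kdf' functions are the fix.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# A tiny precomputed table of the kind an attacker holds: digest -> password.
# Constructed from two very common passwords.
LEAKED_MD5_TABLE = {
    hashlib.md5(p.encode()).hexdigest(): p for p in ("password", "123456")
}


def store_legacy(password: str) -> str:
    # Deprecated, fast, unsalted: identical passwords give identical digests,
    # so one precomputed table cracks every user in the dump at once.
    return hashlib.md5(password.encode()).hexdigest()


def verify_legacy(password: str, stored: str) -> bool:
    # '==' on strings stops at the first differing character, leaking timing
    # information about the stored value.
    return hashlib.md5(password.encode()).hexdigest() == stored


def crack_legacy(stored: str) -> Optional[str]:
    """What an attacker does with a dump of legacy hashes: a dictionary lookup."""
    return LEAKED_MD5_TABLE.get(stored)


# scrypt cost parameters; n=2**14 keeps the example quick (16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_kdf(password: str) -> str:
    salt = secrets.token_bytes(16)          # fresh CSPRNG salt per user
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Self-describing record so the parameters can be raised later (rotation).
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_kdf(password: str, stored: str) -> bool:
    algo, n, r, p, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison: no timing side channel on the stored digest.
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def demo() -> dict:
    """Two users who chose the same password, stored both ways."""
    legacy = {u: store_legacy("password") for u in ("alice", "bob")}
    kdf = {u: store_kdf("password") for u in ("alice", "bob")}
    return {
        "legacy_digests_identical": legacy["alice"] == legacy["bob"],
        "legacy_cracked": crack_legacy(legacy["alice"]),
        "kdf_records_identical": kdf["alice"] == kdf["bob"],
        "kdf_verifies": verify_kdf("password", kdf["alice"]),
        "kdf_rejects_wrong": verify_kdf("passw0rd", kdf["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

Per-user random salts are why the two KDF records differ even though the passwords are the same, and the work factor is why a dump of them cannot be cracked with a lookup table. If your platform ships Argon2 or bcrypt, those are equally good choices; the structure of the record and the constant-time check stay the same.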
Injection – A03:2021
Injection happens when untrusted data is sent to an interpreter as part of a query or command in a way that lets the data change what the interpreter executes. SQL injection and OS command injection remain prevalent in web applications, and since 2021 the category also covers Cross-Site Scripting. Attackers exploit these flaws to read or modify data, bypass authentication, and in the worst case run arbitrary commands on the server. The primary defence is to keep data separate from code: use parameterized queries or prepared statements, pass arguments to OS commands as a list rather than through a shell, and encode output for the context it lands in. Input validation is a useful second layer, not a substitute.
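Here is the SQL case as an added example (not code from the original post): a login check built by string concatenation, the classic quote-and-OR payload that bypasses it, and the parameterized version that treats the same payload as data. The database is an in-memory SQLite file with constructed rows.

```python
"""SQL injection through a string-built query, beside the parameterized fix.

Added example for this post. Passwords are stored in plaintext only to keep
the example focused on injection; real storage needs a password KDF.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Constructed sample rows.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "correct horse"), ("guest", "guest")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # User input is spliced into the SQL text, so quotes in the input change the
    # structure of the statement instead of being treated as string contents.
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_secure(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the SQL text is fixed and the values travel
    # separately, so a quote in the input is just a quote.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    conn = make_db()
    # Constructed payload: closes the string literal, appends a tautology, and
    # comments out the rest of the WHERE clause, so the password is never checked:
    #   ... WHERE username = 'admin' OR '1'='1' --' AND password = 'anything'
    payload = "admin' OR '1'='1' --"
    return {
        "legit_vulnerable": login_vulnerable(conn, "admin", "correct horse"),
        "legit_secure": login_secure(conn, "admin", "correct horse"),
        "bypass_vulnerable": login_vulnerable(conn, payload, "anything"),
        "bypass_secure": login_secure(conn, payload, "anything"),
    }


if __name__ == "__main__":
    print(demo())
```

Both functions accept the legitimate credentials; only the parameterized one rejects the payload. The same separation applies to OS commands (`subprocess.run([...])` with an argument list and no `shell=True`) and to anything else with its own grammar, such as LDAP filters or XPath.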
Insecure Design – A04:2021
This refers to the vulnerability arising from flaws or weaknesses in the design of a web application, making it susceptible to various security threats. Insecure design can have severe consequences for web applications and their users. It can lead to loss of sensitive information, damage to reputation, data breaches, financial losses, and regulatory compliance violations. Additionally, fixing security issues stemming from insecure design can be complex and costly, requiring significant resources and effort.
One of the factors that contributes to insecure design, according to OWASP, is a failure to determine what level of security design is required for the system being developed. A perfect implementation cannot fix a design that never considered the threat, which is why this category is distinct from implementation bugs.
The following are important to prevent these flaws:
- A secure development lifecycle, with application security expertise involved from the start
- A library of secure design patterns and vetted, ready-to-use components
- Threat modeling for critical authentication, access control, business logic and key flows
Security Misconfiguration – A05:2021
Security misconfiguration occurs when an application or any part of its stack is not securely configured, for example by running with default settings, leaving unnecessary ports or services open, or returning verbose error messages. This can lead to unauthorized access to web applications, sensitive data exposure, or system compromise. To prevent security misconfigurations, perform regular security audits, follow secure configuration guidelines, disable unnecessary features, and keep software and libraries up to date.
Security misconfigurations can happen in web applications and their environments, due to the following:
Default configurations: Many software components come with default configurations that may not be secure for production environments. Failure to modify these defaults can leave systems vulnerable to attacks.
Unnecessary services: Enabling unnecessary services or features introduces additional attack surfaces that attackers can exploit. Disabling or removing unnecessary services reduces the attack surface and minimizes potential risks.
Missing security patches: Failure to apply security patches and updates in a timely manner leaves systems vulnerable to known security vulnerabilities. Regular patch management and software updates are critical to address security flaws and protect against exploitation.
Weak access controls: Inadequate access controls or permissions can allow unauthorized users to access sensitive resources or perform privileged actions within the application. Implementing proper access controls based on the principle of least privilege is essential to mitigate this risk.
Security misconfigurations can have serious consequences for web applications and their users, including:
Data breaches: Exposure of sensitive information due to misconfigurations can lead to data breaches, compromising the confidentiality and privacy of user data.
Unauthorized access: Misconfigurations may allow attackers to gain unauthorized access to sensitive data, administrative interfaces, or system resources.
System compromise: Attackers can exploit misconfigurations to compromise the integrity and availability of web applications, leading to service disruptions or system compromise.
Compliance violations: Security misconfigurations may result in non-compliance with regulatory requirements and industry standards, leading to legal liabilities and financial penalties.
To mitigate the risk of security misconfigurations, organizations should:
Follow security best practices and hardening guidelines for configuring web applications, servers, databases, and other components.
Regularly audit and review configurations to identify and remediate misconfigurations promptly.
Implement automation tools and configuration management practices to ensure consistent and secure configurations across the environment.
Stay informed about security advisories, patches, and updates for software components and promptly apply them to address known vulnerabilities.
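The audit and automation points above are easier to see with a small, repeatable check, so here is an added example (not code from the original post). It scores a service’s configuration against a hardening baseline; the configuration is a constructed dict and the setting names are assumptions for the demonstration, not any real product’s schema. The "missing patches" cause needs a software inventory rather than a config file, so it is out of scope here.

```python
"""Auditing a deployment's settings against a hardening baseline.

Added example for this post. Each check maps to one cause from the text:
defaults left in place, debug and listing features left on, unnecessary
services, missing security headers, and an old TLS floor.
"""
from dataclasses import dataclass
from typing import List

# Constructed: vendor defaults that must never survive into production.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
REQUIRED_HEADERS = {"Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options"}
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_TLS = "TLSv1.2"


@dataclass
class Finding:
    key: str        # the setting at fault
    message: str


def check_debug(cfg: dict) -> List[Finding]:
    # Debug pages leak stack traces, paths and sometimes an interactive console.
    return [Finding("debug", "debug mode enabled")] if cfg.get("debug") else []


def check_default_credentials(cfg: dict) -> List[Finding]:
    creds = (cfg.get("admin_user"), cfg.get("admin_password"))
    if creds in DEFAULT_CREDENTIALS:
        return [Finding("admin_password", "vendor default credentials still in use")]
    return []


def check_directory_listing(cfg: dict) -> List[Finding]:
    if cfg.get("directory_listing"):
        return [Finding("directory_listing", "directory listing enabled")]
    return []


def check_services(cfg: dict) -> List[Finding]:
    # Anything listening that the service does not need is attack surface.
    extra = set(cfg.get("enabled_services", [])) - set(cfg.get("required_services", []))
    return [Finding("enabled_services", f"unnecessary service enabled: {s}")
            for s in sorted(extra)]


def check_headers(cfg: dict) -> List[Finding]:
    missing = REQUIRED_HEADERS - set(cfg.get("response_headers", {}))
    return [Finding("response_headers", f"missing security header: {h}")
            for h in sorted(missing)]


def check_tls(cfg: dict) -> List[Finding]:
    floor = cfg.get("tls_min_version", "SSLv3")   # unset means "whatever the library allows"
    if floor not in TLS_ORDER or TLS_ORDER.index(floor) < TLS_ORDER.index(MIN_TLS):
        return [Finding("tls_min_version", f"{floor} accepted; require {MIN_TLS} or newer")]
    return []


CHECKS = [check_debug, check_default_credentials, check_directory_listing,
          check_services, check_headers, check_tls]


def audit(cfg: dict) -> List[Finding]:
    """Run every check; an empty list means the baseline is met."""
    findings: List[Finding] = []
    for check in CHECKS:
        findings.extend(check(cfg))
    return findings


# Constructed: an install that "works" and was never revisited.
WEAK_CONFIG = {
    "debug": True,
    "admin_user": "admin", "admin_password": "admin",
    "directory_listing": True,
    "required_services": ["https"],
    "enabled_services": ["https", "ftp", "telnet"],
    "response_headers": {"Content-Security-Policy": "default-src 'self'"},
    "tls_min_version": "TLSv1",
}

# The same install after hardening.
HARDENED_CONFIG = {
    "debug": False,
    "admin_user": "ops-admin", "admin_password": "<loaded from secret store>",
    "directory_listing": False,
    "required_services": ["https"],
    "enabled_services": ["https"],
    "response_headers": {"Strict-Transport-Security": "max-age=63072000",
                         "Content-Security-Policy": "default-src 'self'",
                         "X-Content-Type-Options": "nosniff"},
    "tls_min_version": "TLSv1.2",
}

if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print(f"[{f.key}] {f.message}")
```

Run it in CI against the rendered configuration of every environment, and a finding becomes a failed build rather than something discovered during an incident. Each check is a few lines, so extending the baseline as new guidance arrives is cheap.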
Vulnerable and Outdated Components – A06:2021
Vulnerable and Outdated Components refers to using components, such as libraries, frameworks and plugins, that are out of date or carry known vulnerabilities, exposing the web application to flaws that are publicly documented and often have ready-made exploits. Attackers routinely scan for such versions. To prevent this, inventory what you run (client- and server-side, including transitive dependencies), keep it up to date, monitor security advisories, and use software composition analysis tools to flag known-vulnerable versions automatically.
Identification and Authentication Failures – A07:2021
Identification and Authentication Failures refers to weak or poorly implemented authentication and session management, which leaves web applications open to credential stuffing, brute force, account takeover, and session hijacking. Robust practices are essential: multi-factor authentication, secure password storage with a salted password hash, rejecting known-breached passwords, rate limiting and lockout for repeated failed logins, and session identifiers that are random, never exposed in URLs, and rotated at login.
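Session fixation is the least obvious item in that list, so here is an added example (not code from the original post) of why a session identifier must be rotated at login. A minimal server-side session store has two login flows: one that authenticates whatever id the client presented, and one that issues a new id. The user record is constructed, and credential checking is simplified to a string compare because the point here is the session handling, not password storage.

```python
"""Session fixation: why a fresh session id must be issued at login.

Added example for this post. Session ids come from the secrets module, not a
counter or timestamp, so they cannot be guessed; the attack below does not
need to guess one because the attacker plants an id they already know.
"""
import secrets
from typing import Dict, Optional

# Constructed: a single known-good credential (simplified check, see above).
USERS = {"victim": "correct horse"}


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Optional[str]] = {}   # session id -> user, or None

    def new_anonymous(self) -> str:
        sid = secrets.token_urlsafe(32)                   # 256 bits from the CSPRNG
        self._sessions[sid] = None
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)

    def login_vulnerable(self, sid: str, user: str, password: str) -> str:
        if USERS.get(user) != password:
            raise PermissionError("bad credentials")
        # Authenticates the *presented* id, whoever chose it.
        self._sessions[sid] = user
        return sid

    def login_secure(self, sid: str, user: str, password: str) -> str:
        if USERS.get(user) != password:
            raise PermissionError("bad credentials")
        # Invalidate the pre-authentication id and issue a fresh one, so an id
        # the attacker planted before login is now worthless.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = user
        return new_sid


def fixation_attack(login) -> Optional[str]:
    """Attacker obtains an anonymous session id, plants it in the victim's
    browser (for example via a crafted link), waits for the victim to log in,
    then presents the same id. Returns the user the attacker is logged in as."""
    store = SessionStore()
    planted = store.new_anonymous()          # a valid, not-yet-authenticated id
    victim_cookie = planted                  # victim's browser now carries it
    login(store, victim_cookie, "victim", "correct horse")
    return store.user_for(planted)           # attacker reuses the planted id


def demo() -> dict:
    return {
        "vulnerable_flow": fixation_attack(SessionStore.login_vulnerable),   # "victim"
        "secure_flow": fixation_attack(SessionStore.login_secure),           # None
    }


if __name__ == "__main__":
    print(demo())
```

Rotation on login closes fixation; invalidating the id server-side on logout and after an idle timeout closes the other half of session hijacking, where a stolen cookie stays valid long after the user has walked away.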
Software and Data Integrity Failures – A08:2021
Software and Data Integrity Failures refer to violations of the integrity of software and data within web applications. The failures occur when an organization does not protect against integrity violations of code and its infrastructure. Examples include where an application uses libraries, modules, or plugins from untrusted sources, repositories, and content delivery networks (CDNs). It is important to ensure that both the software code and the data it processes remain accurate, reliable, and trustworthy. The following are essential in preventing Software and Data Integrity Failures according to OWASP.
- Ensure that dependencies and libraries are consumed from trusted repositories.
- Use digital signatures to verify the integrity of software and data.
- Use a software supply chain security tool to verify that components do not contain known vulnerabilities.
- Implement a review process for code and configuration changes to minimize the chance that malicious code or configuration could be introduced into your software pipeline.
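The first two points above come down to one habit: never run bytes you have not verified. Here is an added example (not code from the original post) of the two cheapest forms of that check: a digest pinned at review time for a downloaded artifact, which is the mechanism behind hash-pinned dependency installs, and a Subresource Integrity (SRI) value for a script loaded from a CDN. The artifact bytes, package name and "CDN" script are constructed; nothing is fetched from the network.

```python
"""Verifying the integrity of a fetched dependency before using it.

Added example for this post. Pinned digests detect a tampered or swapped
artifact; SRI lets the browser refuse a CDN script that no longer matches
what was reviewed when the page was deployed.
"""
import base64
import hashlib
import hmac
from typing import Dict


# Constructed: the digest the build pinned when the dependency was reviewed.
PINNED_SHA256 = {
    "examplelib-1.4.2.tar.gz": hashlib.sha256(b"examplelib 1.4.2 release bytes").hexdigest(),
}


class IntegrityError(Exception):
    pass


def verify_artifact(name: str, data: bytes, pins: Dict[str, str] = PINNED_SHA256) -> bytes:
    """Return data only if its SHA-256 matches the pin recorded for `name`.

    Unknown names are rejected too: deny by default, never 'install anyway'."""
    expected = pins.get(name)
    if expected is None:
        raise IntegrityError(f"no pinned digest for {name}")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"digest mismatch for {name}: {actual}")
    return data


def sri_value(script: bytes, algo: str = "sha384") -> str:
    """Compute the value for <script src=... integrity="..."> (W3C SRI format)."""
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def browser_would_execute(script: bytes, integrity: str) -> bool:
    """What an SRI-enforcing browser does: recompute and compare, refuse on mismatch."""
    algo, _, expected = integrity.partition("-")
    return hmac.compare_digest(sri_value(script, algo), f"{algo}-{expected}")


def demo() -> dict:
    good = b"examplelib 1.4.2 release bytes"
    tampered = good + b"\n# appended by a compromised mirror"
    results = {"good_artifact": verify_artifact("examplelib-1.4.2.tar.gz", good) == good}
    try:
        verify_artifact("examplelib-1.4.2.tar.gz", tampered)
        results["tampered_artifact"] = "accepted"
    except IntegrityError:
        results["tampered_artifact"] = "rejected"
    # CDN script whose integrity value was computed and pinned in the HTML at deploy time.
    cdn_script = b"window.widget = function () { /* constructed */ };"
    pinned = sri_value(cdn_script)
    results["cdn_unchanged"] = browser_would_execute(cdn_script, pinned)
    results["cdn_modified"] = browser_would_execute(cdn_script + b"steal()", pinned)
    return results


if __name__ == "__main__":
    print(demo())
```

A pinned digest proves the bytes are the ones you reviewed; it does not prove they were good. A signature from the publisher adds the second half (who produced this), which is what the digital-signature point in the list is about, and the review process in the last point is what makes the pin trustworthy in the first place.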
Security Logging and Monitoring Failures – A09:2021
Security logging and monitoring failures occur when web applications fail to effectively capture, analyze, or respond to security events and incidents. These failures may include the following:
- Inadequate logging: Web applications may lack proper logging mechanisms to record critical security events or activities, leading to gaps in the recorded data and hindering incident response efforts.
- Insufficient monitoring: Monitoring systems may not provide real-time alerts or notifications for security incidents or suspicious activities, delaying detection and response to potential threats.
- Failure to follow best practices: Organizations may fail to follow security logging and monitoring best practices, such as defining clear logging policies, configuring alerting thresholds, or conducting regular log reviews and analysis.
- Lack of correlation and analysis: Logged data may not be adequately analyzed or correlated to identify security trends, anomalies, or indicators of compromise, limiting the effectiveness of monitoring efforts.
How can Security Logging and Monitoring Failures affect web applications?
- Delayed detection of security incidents: Without effective logging and monitoring, security incidents may go undetected for extended periods, allowing attackers to exploit vulnerabilities and escalate their activities.
- Compliance violations: Organizations may fail to comply with regulatory requirements or industry standards that mandate the implementation of effective logging and monitoring controls to protect sensitive data and systems.
- Ineffective incident response: Inadequate logging and monitoring make it challenging to investigate security incidents, identify the root cause of breaches, and take appropriate remedial actions to mitigate the impact.
How to Mitigate Security Logging and Monitoring Failures?
To mitigate the risk of security logging and monitoring failures, organizations should:
- Implement comprehensive logging mechanisms to record security-relevant events and activities within web applications and their environments.
- Configure real-time alerting and notification mechanisms to promptly detect and respond to security incidents or suspicious activities.
- Regularly review and analyze logged data to identify security trends, anomalies, or indicators of compromise, enabling proactive threat detection and incident response.
- Follow security logging and monitoring best practices, such as defining clear logging policies, configuring alerting thresholds, and conducting regular log reviews and analysis.
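What "comprehensive logging" and "real-time alerting" mean in practice is easiest to see on a log line, so here is an added example (not code from the original post). A few constructed authentication log lines are parsed and run through one sliding-window rule: several failed logins from one source address within a short window raise an alert, and a success from that address right after the burst is flagged as a likely account takeover. The log format is an assumption for the demonstration; adapt the regular expression to your own.

```python
"""Turning authentication logs into an alert.

Added example for this post. Note what the application had to log for the
rule to work at all: the event type, the outcome, the user and the source
address. Without those fields there is nothing to detect.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Set

# Constructed log lines: a credential-stuffing burst from one address that ends
# in a successful login, then an ordinary user mistyping once.
SAMPLE_LOG = """\
2024-03-02T10:00:01Z auth result=fail user=alice ip=203.0.113.7
2024-03-02T10:00:02Z auth result=fail user=alice ip=203.0.113.7
2024-03-02T10:00:04Z auth result=fail user=bob ip=203.0.113.7
2024-03-02T10:00:05Z auth result=fail user=carol ip=203.0.113.7
2024-03-02T10:00:06Z auth result=fail user=dave ip=203.0.113.7
2024-03-02T10:00:09Z auth result=success user=dave ip=203.0.113.7
2024-03-02T10:05:00Z auth result=fail user=alice ip=198.51.100.4
2024-03-02T10:05:30Z auth result=success user=alice ip=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

FAIL_THRESHOLD = 5      # this many failures ...
WINDOW_SECONDS = 60     # ... within this many seconds from one address


def parse(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines: List[str]) -> List[str]:
    """Return alert strings in the order the triggering events were seen."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)   # ip -> failure times
    bursting: Set[str] = set()                                  # ips already alerted on
    alerts: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        window = failures[ev["ip"]]
        # Drop failures that have aged out of the window.
        while window and (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if ev["result"] == "fail":
            window.append(ev["ts"])
            if len(window) >= FAIL_THRESHOLD and ev["ip"] not in bursting:
                bursting.add(ev["ip"])
                alerts.append(f"BRUTE_FORCE ip={ev['ip']} failures={len(window)} "
                              f"within={WINDOW_SECONDS}s")
        elif ev["result"] == "success" and ev["ip"] in bursting:
            alerts.append(f"POSSIBLE_TAKEOVER ip={ev['ip']} user={ev['user']} "
                          f"succeeded after burst")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The thresholds are the "alerting thresholds" the text mentions and deserve tuning against your own traffic; the rule itself is the kind of thing a SIEM evaluates continuously, and the `POSSIBLE_TAKEOVER` alert is the one that should page someone.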
Server-Side Request Forgery – A10:2021
Server-Side Request Forgery (SSRF) occurs when a web application fetches a remote resource without validating the user-supplied URL. An attacker can then make the application send a crafted request to a destination of their choosing, including hosts the attacker cannot reach directly: internal services behind a firewall, VPN or network access control list (ACL), and cloud metadata endpoints. Any server that accepts unverified URLs as input is exposed, whatever sits in front of it. Validating the scheme and host against an allowlist and refusing to connect to private, loopback and link-local addresses are the core defences.
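Here is that validation as an added example (not code from the original post). `check_outbound_url` allows only http(s), rejects credentials and unusual ports in the URL, applies an optional host allowlist and, after resolving the name, refuses any address in loopback, private, link-local (where cloud metadata services live) or other non-routable ranges. Name resolution is injected so the example runs offline; the resolver table and the allowlist entries are constructed for the demonstration.

```python
"""Validating a user-supplied URL before the server fetches it.

Added example for this post. Two modes are shown: strict (allowlist) for a
fixed integration, and open (allowlist off, address checks only) for a
feature such as webhooks that must reach arbitrary public hosts.
"""
import ipaddress
import socket
from typing import Callable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}   # assumption


class SSRFBlocked(ValueError):
    pass


def resolve_real(host: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url: str,
                       resolve: Callable[[str], List[str]] = resolve_real,
                       allowed_hosts: Optional[Set[str]] = ALLOWED_HOSTS) -> Tuple[str, str]:
    """Return (url, ip_to_connect_to) or raise SSRFBlocked.

    Connect to the returned IP and set the Host header yourself: resolving the
    name a second time at connect time is what DNS rebinding attacks exploit."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme {parts.scheme!r} not allowed")    # file://, gopher://, ...
    if parts.username or parts.password:
        raise SSRFBlocked("credentials in URL")                       # http://trusted@evil/
    host = parts.hostname
    if not host:
        raise SSRFBlocked("no host")
    if parts.port not in (None, 80, 443):
        raise SSRFBlocked(f"port {parts.port} not allowed")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise SSRFBlocked(f"host {host!r} not on allowlist")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: nothing to resolve
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise SSRFBlocked(f"{host} does not resolve")
    for addr in addrs:                               # every record, not just the first
        if not is_public(addr):
            raise SSRFBlocked(f"{host} resolves to non-public address {addr}")
    return parts.geturl(), addrs[0]


# Constructed resolver table. The RFC 5737 documentation blocks are classed as
# non-public by the ipaddress module, so ordinary public addresses are used here.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "api.partner.example": ["93.184.216.35", "10.0.0.5"],   # split-horizon / rebinding trap
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def demo() -> dict:
    cases = [
        ("https://images.example.com/cat.png", ALLOWED_HOSTS),
        ("https://api.partner.example/v1/report", ALLOWED_HOSTS),
        ("https://images.example.com@evil.example/", ALLOWED_HOSTS),
        ("https://images.example.com:22/", ALLOWED_HOSTS),
        ("http://169.254.169.254/latest/meta-data/", None),
        ("http://127.0.0.1/admin", None),
        ("http://[::1]/", None),
        ("file:///etc/passwd", None),
    ]
    verdicts = {}
    for url, hosts in cases:
        try:
            verdicts[url] = "allowed -> " + check_outbound_url(url, fake_resolve, hosts)[1]
        except SSRFBlocked as e:
            verdicts[url] = "blocked: " + str(e)
    return verdicts


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:65} {url}")
```

Two details matter more than they look. Every resolved address is checked, not just the first, because a hostname that returns one public and one internal record is a common way past single-record checks. And the check works on resolved addresses rather than on the URL string, since shorthand such as `127.1` or a decimal integer is not an IP literal to `ipaddress` but is to the system resolver; with the real resolver those forms end up in the same non-public check. Redirects need the same treatment: either refuse to follow them or re-run the check on every hop.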
Conclusion
The 2021 OWASP Top 10 provides valuable insights into the most critical web application vulnerabilities that organizations need to address. By understanding these vulnerabilities and implementing appropriate security measures, you can significantly reduce the risk of cyber-attacks and protect your web applications and sensitive data. Remember, security is an ongoing process, and staying updated with the latest security practices is crucial in today’s ever-evolving threat landscape.
Next Read
Solving the OWASP Juice Shop Challenges: OWASP Top 10
References
OWASP Top 10 – Web Application Security Risks