
OWASP Explained: Today's OWASP Top 10

Identification and Authentication Failures, previously known as Broken Authentication, now also covers security problems related to user identities. Confirming and verifying user identities and establishing secure session management are critical to protecting against many kinds of attacks. This entry has moved down from number 2 and now includes CWEs related to identification failures. Specifically, when authentication and session-management functions are implemented incorrectly, attackers can compromise passwords, keys and session tokens, which can lead to stolen user identities and more.

Software and Data Integrity Failures, another category that is new in 2021, covers the risks of consuming fake or vulnerable dependencies listed in remote registries or hosted in untrusted locations (many NPM packages have been attacked this way). The result is that your application downloads and runs an unsafe dependency from a public repository because its original source was modified.
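The defence against a modified upstream package is to pin what you expect to receive and refuse anything else, which is what the `integrity` field in a lockfile (npm's package-lock.json, pip's `--require-hashes`) does. The example below is added here to show that mechanism in working code; it is not code from the original page or from npm. It builds and checks Subresource-Integrity-style strings (`<algorithm>-<base64 digest>`), then runs a toy installer over a constructed lockfile and registry; the package name, version and tarball bytes are made up for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample data: stand-ins for a registry tarball and a tampered copy of it.
GOOD_TARBALL = b"fake tarball bytes for example-lib 1.0.0"
TAMPERED_TARBALL = GOOD_TARBALL + b"\n<malicious postinstall script>"

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


class IntegrityError(Exception):
    """Raised when a dependency cannot be proven to match the lockfile."""


def sri_digest(data: bytes, algorithm: str = "sha512") -> str:
    """Return an SRI string '<alg>-<base64 digest>' like the 'integrity' field in package-lock.json."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm {algorithm!r}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, expected: str) -> bool:
    """Check data against an SRI string.

    Fails closed on unknown algorithms or malformed base64 and compares digests in
    constant time so a tampered tarball cannot be distinguished by timing.
    """
    algorithm, sep, b64 = expected.partition("-")
    if not sep or algorithm not in SRI_ALGORITHMS:
        return False
    try:
        expected_digest = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    actual_digest = hashlib.new(algorithm, data).digest()
    return hmac.compare_digest(actual_digest, expected_digest)


def install(lockfile: dict, registry: dict) -> list:
    """Toy installer: install every entry in the lockfile, refusing any tarball whose
    hash differs from the pinned one or any entry that has no pin at all."""
    installed = []
    for name, entry in lockfile.items():
        integrity = entry.get("integrity")
        if not integrity:
            raise IntegrityError(f"{name}: lockfile has no integrity hash; refusing to install")
        tarball = registry.get(name)
        if tarball is None:
            raise IntegrityError(f"{name}: not found in registry")
        if not verify_sri(tarball, integrity):
            raise IntegrityError(f"{name}: tarball does not match lockfile (modified upstream?)")
        installed.append(f"{name}@{entry['version']}")
    return installed


# Constructed lockfile: the pin is taken from the tarball we originally reviewed.
LOCKFILE = {"example-lib": {"version": "1.0.0", "integrity": sri_digest(GOOD_TARBALL)}}


if __name__ == "__main__":
    print(install(LOCKFILE, {"example-lib": GOOD_TARBALL}))
    try:
        install(LOCKFILE, {"example-lib": TAMPERED_TARBALL})
    except IntegrityError as exc:
        print("blocked:", exc)
```

The important design point is that the pin lives in your repository, not in the registry: a registry that serves different bytes for the same version (or a mirror that was modified) fails the check, and an entry without a pin is treated as a failure rather than silently trusted.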

A new category this year, server-side request forgery (SSRF) happens when a web application fetches a remote resource without validating the user-supplied URL. This lets an attacker make the application send a crafted request to an unexpected destination, even when the system is protected by a firewall, VPN or an additional network access control list. The severity and incidence of SSRF attacks are increasing because of cloud services and the growing complexity of architectures. According to the 2021 version of the list, risks like insecure design, server-side request forgery (SSRF) and software and data integrity failures are on the rise. Every few years, OWASP revises and publishes its list of the top 10 web application vulnerabilities. The list covers not only the OWASP Top 10 threats but also the potential impact of each vulnerability and how to avoid it.
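The check that stops SSRF is not a string match on the URL but a decision about where the request will actually go. The example below is added here to show that in working code; it is not code from the original page. It allows only http/https, resolves the host, and rejects any answer that lands in loopback, private, link-local (including the 169.254.169.254 cloud metadata endpoint), CGNAT or other non-routable ranges, including IPv4 addresses disguised as IPv4-mapped IPv6 literals. The resolver is injectable so the example runs offline; `FAKE_DNS` and the hostnames in it are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side fetcher must never be steered to: unspecified, RFC 1918, CGNAT,
# loopback, link-local (cloud metadata lives at 169.254.169.254), multicast, reserved,
# and their IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class SSRFError(ValueError):
    """The URL would make the server talk to something it must not reach."""


def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 is just 127.0.0.1 wearing an IPv6 coat; unwrap before checking.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_hostname(host: str) -> list:
    """Default resolver: every address (A and AAAA) the name currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url: str, resolver=resolve_hostname) -> str:
    """Validate a user-supplied URL and return the single IP the fetch must be pinned to.

    Raises SSRFError on a bad scheme, a missing host, an unresolvable host, or any
    resolved address in a blocked range (all answers must be safe, not just one).
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 literal
        raise SSRFError(f"malformed URL: {url!r}") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # strips brackets, userinfo (user@) and port
    if not host:
        raise SSRFError("missing host")
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # a literal IP needs no lookup
    except ValueError:
        try:
            addresses = resolver(host)
        except (socket.gaierror, KeyError) as exc:
            raise SSRFError(f"cannot resolve {host!r}") from exc
    if not addresses:
        raise SSRFError(f"no addresses for {host!r}")
    for ip in addresses:
        if is_blocked(ip):
            raise SSRFError(f"{host!r} resolves to blocked address {ip}")
    return addresses[0]


def is_rejected(url: str, resolver=resolve_hostname) -> bool:
    """Convenience wrapper for demos and tests: True if the URL would be refused."""
    try:
        validate_fetch_url(url, resolver)
        return False
    except SSRFError:
        return True


# Constructed DNS table so the example runs offline; the names are made up.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://example.com/feed.xml", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "http://example.com@intranet.corp/", "file:///etc/passwd"):
        print(u, "->", "rejected" if is_rejected(u, fake_resolver) else "ok")
```

Two things the code's shape enforces: the fetch must connect to the IP returned by `validate_fetch_url` (setting the Host header yourself) rather than re-resolving the name, otherwise a DNS answer that changes between check and use (rebinding) bypasses the check; and redirects must be validated the same way on every hop, since a permitted host can 302 to the metadata service.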

Server-Side Request Forgery (A10:2021)

Although this risk is very concerning, there is a great deal of documentation on how to protect against it. The Open Web Application Security Project (OWASP) is a nonprofit foundation dedicated to promoting best practices, methodologies and tools for developing secure and reliable applications. In early 2003 it began publishing a list of the ten most common application vulnerabilities, based on real incidents and community evaluation. Even simple websites such as personal blogs have many dependencies, plugins, extensions and pieces of third-party code. Failing to update every piece of software on the backend and frontend of a website will introduce serious security risks sooner rather than later.


It is vital for any organization to understand the importance of protecting users' information and privacy. All companies should understand and comply with their local privacy laws as well as those of any region in which they conduct business. This section collects items such as the code reviewer checklist that do not flow in book form but are needed to make the Code Review Guide complete. What we can recommend to smaller businesses is to reach out to MSSPs and find one that covers web application security with Acunetix.

OWASP Top 10 2021

One of the most recent examples was a code injection vulnerability in the very popular Simple 301 Redirects plugin for WordPress. It made it possible for unauthenticated users to inject code that redirected all website traffic to a malicious domain of the attacker's choosing. The vulnerability affected over 300,000 websites and was scored 9.9 on the CVSS scale.

OWASP has recently shared the 2021 OWASP Top 10 where there are three new categories, four categories with naming and scoping changes, and some consolidation within the Top 10. There are 125k records of a CVE mapped to a CWE in the NVD data extracted from OWASP Dependency Check at the time of extract, and there are 241 unique CWEs mapped to a CVE. 62k CWE maps have a CVSSv3 score, which is approximately half of the population in the data set. In CVSSv2, both Exploit and Impact could be up to 10.0, but the formula would knock them down to 60% for Exploit and 40% for Impact. We downloaded OWASP Dependency Check and extracted the CVSS Exploit and Impact scores grouped by related CWEs.

#2: Cryptographic failures

Insecure Design is a category of weaknesses that originate from missing or ineffective security controls; other applications do have a secure design but contain implementation flaws that lead to exploitable vulnerabilities. Previously number 5 on the list, Broken Access Control, a weakness that lets an attacker act outside the permissions they were granted, for example reading or modifying other users' accounts and data, moved to number 1 for 2021. The attacker in this context can act as an ordinary user or as an administrator of the system. Vulnerable and Outdated Components moved up from number 9 in 2017 to number 6 and represents the risks of outdated components. Most of the time these are dependencies that applications need as part of their deployment or of the runtime binary distribution.
