OWASP Top 10 2021 Quick List Review

With the expansion of the Internet comes a plethora of flaws and vulnerabilities at the disposal of threat actors. There is a popular saying that as long as there is a system in operation, there will be a vulnerability waiting to be exploited.

The Open Web Application Security Project (OWASP) is an online community that produces articles, tools and technology for web application security. Chief amongst its numerous publications and resources is its list of the top 10 web application vulnerabilities, the OWASP Top 10.

OWASP TOP 10

The OWASP Top 10 publication is an awareness document providing a ranking of, and remediation guidance for, the ten most critical web application security risks. The report is put together by a team of security experts from all over the world, and it goes without saying that all companies are recommended to incorporate it into their processes in order to minimize or mitigate security risks.

A new list has emerged for 2021, the last having been published in 2017. It brings back a large number of familiar vulnerabilities, but there are notable changes in the ranking of a few flaws and vulnerabilities.


A01:2021 – Broken Access Control

Climbing from number 5 on the 2017 list to number 1 on the 2021 list, the statistics show a major occurrence of this flaw. Access control enforces policy such that users cannot act outside of their intended permissions. With broken access control, however, an attacker is able to gain access to user accounts and operate as that user, or as an administrator of the system.

A user could change which account he or she is logged in to with a mere change to part of a URL, without any verification. With adequate pentesting, unintended access can be detected. Authorization tokens should also be implemented, and privileged requests made by users should be validated only when that authorization token is present.
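The URL-tampering scenario above, as an added example that is not part of the original article: one account lookup trusts the id in the URL, the other checks the caller's session before serving the record. The accounts, session store and token names are constructed for the demonstration.

```python
from typing import Dict, Optional, Tuple

# Constructed sample data: account records and server-side sessions.
ACCOUNTS: Dict[str, Dict] = {
    "1001": {"owner": "alice", "balance": 250},
    "1002": {"owner": "bob", "balance": 9000},
}
SESSIONS: Dict[str, Dict] = {  # session token -> authenticated principal
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-bob": {"user": "bob", "role": "user"},
    "tok-admin": {"user": "carol", "role": "admin"},
}


def account_id_from_path(path: str) -> str:
    """Extract the trailing id from a URL path such as /accounts/1001."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def get_account_vulnerable(path: str) -> Optional[Dict]:
    """Broken access control: whatever id appears in the URL is served.
    Swapping 1001 for 1002 in the address bar exposes another user's record."""
    return ACCOUNTS.get(account_id_from_path(path))


def get_account_secure(path: str, session_token: Optional[str]) -> Tuple[int, Optional[Dict]]:
    """Hardened version: the request must carry a valid session token, and the
    record must belong to that session's user unless the user is an admin.
    Returns an HTTP-style status plus the record so callers can see why a
    request was refused."""
    session = SESSIONS.get(session_token or "")
    if session is None:
        return 401, None  # no valid authorization token present
    account = ACCOUNTS.get(account_id_from_path(path))
    if account is None:
        return 404, None
    if account["owner"] != session["user"] and session["role"] != "admin":
        return 403, None  # authenticated, but not authorized for this record
    return 200, account


if __name__ == "__main__":
    # Alice edits the id in the URL and asks for Bob's account.
    print(get_account_vulnerable("/accounts/1002"))            # Bob's record leaks
    print(get_account_secure("/accounts/1002", "tok-alice"))   # (403, None)
    print(get_account_secure("/accounts/1001", "tok-alice"))   # (200, Alice's record)
```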

A02:2021-Cryptographic Failures

Appearing at number 2 on the 2021 list, Cryptographic Failures was previously known as Sensitive Data Exposure, which was a broad symptom rather than a root cause. Where there is a failure to protect these sets of data, attackers have the opportunity to gain access to them and sell or use them for nefarious purposes.

The renewed focus here is on failures related to cryptography, which often lead to sensitive data exposure or system compromise, since encryption is usually the appropriate means of curbing data exposure.

A03:2021-Injection

Injection drops to number 3 on this list all the way from number 1, and Cross-Site Scripting has been added to this category. Injection takes place when an attacker sends invalid data into a web application, with the intent of making the application do something it was not designed to do.

Use of stored procedures and input validation can go a long way in curbing injection; however, secure coding practices should also be followed.
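The two controls named above, shown as an added example that is not from the original article: a SQL lookup built by string concatenation beside its parameterised form, plus an allow-list username check. The in-memory SQLite table and the tampered input are constructed for the demonstration.

```python
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 0), ("root", "root@example.com", 1)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Query built by string concatenation: the caller's input is parsed as SQL,
    so a crafted username changes the query's logic instead of being compared."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_secure(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Parameterised query: the driver binds the value, so it is only ever data."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(username: str) -> bool:
    """Allow-list input validation, the second control the article recommends.
    Reject anything that is not a plausible username before it reaches the query."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"  # constructed tampered input, no longer just a name
    print(find_user_vulnerable(db, tampered))   # every row comes back, including root
    print(find_user_secure(db, tampered))       # [] : no such username exists
    print(is_valid_username(tampered))          # False : rejected before any query
```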

A04:2021-Insecure Design

This is a new category for 2021, focusing on risks associated with design flaws. Where proper threat modelling or adherence to secure design patterns and principles is neglected, it is quite easy to shoot ourselves in the foot.

A05:2021-Security Misconfiguration

Moving up from number 6 on the last list, this has always been one of the most common vulnerabilities on the list and is usually the result of using default configurations or displaying excessively verbose errors.

Error handling should be a primary focus for a developer. For instance, an application could show a user overly descriptive errors which reveal vulnerabilities in the application. This can be mitigated by removing unused features from the code and ensuring that error messages shown to users are kept general.

With the continuing shift towards highly configurable software, it is not surprising to see this category move up. The former category for XML External Entities (XXE) is now part of this category.
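The verbose-error misconfiguration described above, as an added example that is not from the original article: a handler that returns the full traceback to the client beside one that returns a generic message with a correlation id and keeps the detail in the server log. The failing database call and its message are constructed.

```python
import logging
import traceback
import uuid
from typing import Dict

logging.basicConfig(level=logging.ERROR)
log = logging.getLogger("app")


def simulate_db_failure() -> None:
    """Constructed failure whose message carries internal details (host, port, driver)."""
    raise RuntimeError("psycopg2: could not connect to db-primary.internal:5432")


def handle_error_verbose(exc: Exception) -> Dict[str, object]:
    """Misconfigured: the full traceback, internal host names and library
    names travel back to the client in the 500 response."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return {"status": 500, "body": detail}


def handle_error_generic(exc: Exception) -> Dict[str, object]:
    """Hardened: the client gets a generic message plus a correlation id; the
    traceback goes to the server log, where an operator can look it up by id."""
    incident_id = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("incident %s\n%s", incident_id, detail)
    return {
        "status": 500,
        "body": f"An internal error occurred. Reference: {incident_id}",
        "incident_id": incident_id,
    }


def run_request(verbose_errors: bool) -> Dict[str, object]:
    """Dispatch a request that fails, using whichever error handler is configured."""
    try:
        simulate_db_failure()
    except Exception as exc:  # top-level catch-all by design
        return handle_error_verbose(exc) if verbose_errors else handle_error_generic(exc)
    return {"status": 200, "body": "ok"}


if __name__ == "__main__":
    print(run_request(verbose_errors=True)["body"])    # leaks db-primary.internal:5432
    print(run_request(verbose_errors=False)["body"])   # generic message + reference id
```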

A06:2021-Vulnerable and Outdated Components

Moving up from number 9 in 2017. An increasing number of web developers now use libraries and frameworks in their web applications; common examples include front-end frameworks like React as well as smaller libraries.

Attackers go in search of vulnerabilities in these components, and with a component used on hundreds of thousands of websites, a single security hole found by an attacker could leave all of those sites open to exploitation.

It is the only category without any Common Vulnerabilities and Exposures (CVEs) mapped to its included CWEs.

To minimize the risk of running components with known vulnerabilities, developers should remove unused components from their projects, ensure that components are obtained from a trusted source, and keep them up to date.

A07:2021-Identification and Authentication Failures

Previously known as Broken Authentication, this category slides down from second position. Improper implementation of functions related to authentication and session management allows attackers to compromise passwords, keys and sessions.

Although still an integral part of the Top 10, the increased availability of standardized frameworks seems to be helping.

A08:2021-Software and Data Integrity Failures

This is another new category in the 2021 list, and it absorbs Insecure Deserialization. Software and data integrity failures lead to a program either directly executing the attacker's code or opening a backdoor through a combination of measures.

A09:2021-Security Logging and Monitoring Failures

This was previously Insufficient Logging & Monitoring and moves up from number 10 on the previous list. The category has been expanded to include more types of failure. Logging and monitoring are activities that should be performed on a website regularly in order to guarantee its security.

Failures in this category can directly impact visibility, incident alerting, and forensics.

A10:2021-Server-Side Request Forgery

This is the abuse of a server's functionality, causing it to access or manipulate information within that server's realm that would otherwise not be directly accessible to the attacker.
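A defensive check against the abuse described above, added here as an example that is not from the original article: before the server fetches a user-supplied URL, it enforces an allow-list of schemes and hosts, rejects embedded credentials, and resolves the name to make sure it does not point at an internal address. The allow-list hosts and the `resolve` hook (injectable so the check runs offline) are assumptions of this example.

```python
import ipaddress
import socket
from typing import Callable, Tuple, Union
from urllib.parse import urlparse

# Constructed allow-list: the only hosts this service is meant to fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def is_internal(addr: IPAddress) -> bool:
    """True for addresses an outbound fetch should never reach: RFC 1918 ranges,
    loopback, link-local (which includes cloud metadata endpoints), multicast,
    reserved and unspecified addresses."""
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url: str,
                          resolve: Callable[[str], str] = socket.gethostbyname) -> Tuple[bool, str]:
    """Check a user-supplied URL before the server fetches it.
    Returns (allowed, reason_or_resolved_ip). `resolve` defaults to the system
    resolver and can be replaced for offline tests."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parsed.username or parsed.password:
        return False, "credentials in URL"   # user@host forms shift the real host
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError):
        return False, "name resolution failed"
    if is_internal(addr):
        return False, f"{host} resolves to internal address {addr}"
    return True, str(addr)


if __name__ == "__main__":
    fake_public = lambda h: "93.184.216.34"      # constructed resolver answer
    print(validate_outbound_url("https://api.example.com/v1/items", fake_public))
    print(validate_outbound_url("https://localhost/admin", fake_public))
    print(validate_outbound_url("https://api.example.com/", lambda h: "10.0.0.5"))
```

The check resolves the name once; to stay robust against DNS rebinding, the HTTP client should connect to the returned address rather than resolving the host a second time.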

This category represents a scenario where members of the security community are telling us this is important, even though it is not yet illustrated in the data.


Due to the importance of application security in reducing overall IT risk, the OWASP Top 10 has been adopted or referenced by a large number of government agencies, industry standards bodies and prominent organizations such as Microsoft, the PCI Security Standards Council, Citibank, NIST and others. This is the new OWASP Top 10 list for 2021, and organizations are expected to take it into consideration as the fight against cyber threats continues.

Pentesting software before deployment to production is important, and SLYTECH is capable of assisting your organization with all the necessary expertise.

This article was written by Sylvester Uduosa Esq., a Certified Ethical Hacker and founder of SLYTECH Entp., a cybersecurity firm based in Nigeria which assists companies with pentesting their networks and security, with the sole aim of discovering vulnerabilities before criminals do and saving companies from losses that may be incurred as a result of such vulnerabilities.
