OWASP, the Open Web Application Security Project, is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the area of web application security. Everything OWASP publishes is free and open source. Keep reading to learn about the OWASP Top 10 vulnerabilities.
Attacks, in OWASP's terminology, are the techniques that attackers use to exploit vulnerabilities in applications. Attacks are often confused with vulnerabilities: an attack is something an attacker does, whereas a vulnerability is a weakness in the application.
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus on the most critical security risks to web applications.
Here are the OWASP Top 10 Vulnerabilities:
- A01:2021-Broken Access Control moves up from fifth position; 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWE) mapped to Broken Access Control had more occurrences in applications than any other category.
- A02:2021-Cryptographic Failures moves up one position to #2. It was formerly known as Sensitive Data Exposure, which was a common symptom rather than a root cause. The renewed emphasis here is on cryptography-related failures, which often result in the exposure of sensitive data or system compromise.
- A03:2021-Injection moves down to the third position. 94% of applications were tested for some form of injection, and the 33 CWEs mapped to this category have the second highest occurrence in applications. Cross-site Scripting is now part of this category in this release.
- A04:2021-Unsafe Design is a new category for 2021 focusing on risks related to design flaws. If we really want to "move left" as an industry, we need more use of threat modeling, secure design patterns and principles, and reference architectures.
- A05:2021-Security Misconfiguration moves up from #6 in the previous release; 90% of applications were tested for some form of misconfiguration. As software becomes increasingly configurable, it is no surprise that this category is moving up. The former category for XML External Entities (XXE) is now part of this category.
- A06:2021-Vulnerable and Outdated Components was previously called Using Components with Known Vulnerabilities. It is #2 in the Top 10 Community Survey, but also had enough data to make it into the Top 10 through data analysis. It moves up from #9 in 2017 and is a known issue that we try to test and risk-assess. It is the only category that does not have any Common Vulnerabilities and Exposures (CVEs) mapped to the included CWEs, so default exploit and impact weights of 5.0 are factored into its scores.
- A07:2021-Identification and Authentication Failures was previously Broken Authentication and moves down from second position to now include CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.
- A08:2021-Software and Data Integrity Failures is a new category for 2021 that focuses on assumptions made about software updates, critical data, and CI/CD pipelines without verifying their integrity. It has one of the highest weighted impacts in the Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data, mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now part of this larger category.
- A09:2021-Security Logging and Monitoring Failures was previously Insufficient Logging and Monitoring and is added from an industry survey (#3), moving up from the previous #10. This category is expanded to include more types of failures, is difficult to test for, and is not well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.
- A10:2021-Server-Side Request Forgery is added from the Top 10 community survey (#1). The data show a relatively low incidence rate with above-average testing coverage, along with above-average ratings for exploit and impact potential. This category represents a scenario where members of the security community tell us it is important, even though it is not yet prominent in the data.