The OWASP Top Ten is a widely recognized document that lists the current top ten most critical web application security vulnerabilities. It serves as a guide for organisations to adhere to when developing, testing, and deploying web applications, and whilst being no means an exhaustive list, it provides organisations a priority insight into the most important current risks and vulnerabilities to safeguard against.
The guide is periodically updated in line with the new and emerging threats affecting web applications, as well as re-assessing already established vulnerabilities from previous iterations of the list. For example, Broken Access Control was the fifth highest ranked web application vulnerability in 2017, and has since been elevated to the highest ranked web application vulnerability for the current 2021 list.
It is important to keep an eye on updates to the OWASP Top Ten for web applications as this list will typically get updated every 3 or 4 years, in response to new attacks and new emerging technologies.
The current OWASP Top Ten for web applications is as follows:
A01:2021-Broken Access Control
Put simply, this is to do with making sure access control enforces policy such that users cannot act outside of their intended permissions.
This could be that a user is able to access restricted content or functionality which is not permitted for their permission set, for example a base user of a system is able to access restricted records or elevate their own privileges to be able to work with administrator level functionality. Another example may be that a user can, through manipulating the URL find restricted content and functionality on the file system which is not properly access controlled.
In this category, we are looking at the failures of cryptography to keep data protected in transit and at rest. Information such as financial details, passwords, health and personal records require exemplary protection, especially if that data falls under privacy laws, such as GDPR.
An example of such an issue could be transmission of sensitive data (such as passwords, financial details, etc...) in clear text with no encryption whatsoever. Even when encryption is used, it is important to ensure old, weak or vulnerable cryptographic protocols and algorithms are not used as data could be compromised in transmission. Data also needs to be protected at rest as well as in transit. An example of this could be sensitive information stored on a database. This information should be hashed to protect it in the event of a data breach.
In this case, there are a great many different types of injection attacks that may be possible, including SQL injection or OS command injection. A classic example of an injection attack is the SQL injection variant. Instead of entering a value to a search form, an attacker may be able to enter a coded SQL statement instead which when entered can be used to change the interpretation and meaning of the underlying SQL query executed by the application to produce an attack. For example, the most common SQL injection attacks can force the query to disclose all records instead of the small, permitted subset allowed by the search screen, and in extreme cases, attackers can even be able modify or delete records, invoke stored procedures and even drop database tables.
Quite simply, this covers software vulnerabilities which are due to insecure design regarding security. As the applications have been designed as such, these sort of issues are generally deep rooted and usually require significant re-design and re-coding to remediate, so it is paramount to consider security early in the design. Issues such as poor identification and authorisation mechanisms can allow users to access data / functionality which is not intended for them and non-existent input validation can allow users to enter special characters into fields which can be used in attacks like SQL Injection and Cross-Site Scripting (XSS).
This relates to poorly configured security settings and mismanagement of security controls, leading to vulnerabilities, and can include something as simple as default accounts and their passwords enabled and unchanged on a production web server. Another example could be technical error messages produced by the application inadvertently revealing technical details of the applications, revealing the type and versions of the database being used or other frameworks used in the application, which an attacker can use to craft an attack based on known vulnerabilities against those components.
A06:2021-Vulnerable and Outdated Components
Most applications incorporate and utilise a number of third-party components and frameworks these days, for example frameworks such as Spring and Rails, or libraries such as JUnit or jQuery.
If such components have known vulnerabilities, then attackers can exploit these to gain access to the application, therefore it is important to regularly scan such components for vulnerabilities on a regular basis and use the latest, most secure versions in your software. Software such as SCA (Software Composition Analysis) tools can be used to identify all open-source components in an application and any flag up any associated vulnerabilities.
A07:2021-Identification and Authentication Failures
In order to protect against attacks from outsiders, we need to have a strong means of identifying / authenticating users and ensuring that their user session in the application is secure, time-boxed and not subject to manipulation.
This can be something as simple as ensuring that a user is forced to create a password for the application of sufficient strength, or that the application locks out users after a certain number of incorrect password attempts (to stop brute force attacks on the login page). Once logged in, we must also ensure that the user session is not subject to attack, so typical safeguards against this would be making sure session identifiers were not exposed (either in the URL or through XSS attacks) or making sure the session is invalidated on logout of after a particular expiry time.
A08:2021-Software and Data Integrity Failures
This covers issues and vulnerabilities which can affect the security and integrity of data on systems, which can lead to potential corruption of data on the system, the modification of data on the system by users who are not permitted to, or the entering of malicious strings and code into the application database which may be executed when a user unwittingly accesses that particular record.
A09:2021-Security Logging and Monitoring Failures
The theme for this vulnerability is that if application doesn't have effective logging, alerting and monitoring, it becomes difficult to detect attacks which have happened or which are happening, leaving attackers with more time to operate undetected. As a simple example, mechanisms should be in place to flag up potentially suspicious activities such as multiple incorrect login attempts over a short period of time, or unusual high-value transactions or activity.
A10:2021-Server-Side Request Forgery (SSRF)
A new item on the 2021 list, SSRF is a vulnerability where attackers can manipulate the server-side application into making requests to an unintended location. By manipulating a request to the target application, it may be possible to tamper with external URLs which are in standard application requests to point to and retrieve information from restricted internal or external systems within that organisation.