OWASP Top 10:2021 Vulnerabilities

OWASP Top 10:2021 Vulnerabilities

As you know, OWASP, a non-profit organization, publishes the most significant web security vulnerabilities for developers’ and cyber security experts’ use once every four years. The latest list of web security vulnerabilities, which is the 2021 version of 2017’s list, was published in September.

At first glance, the significant differences are as follows:

 

 

  • The top 10 rankings have entirely changed. Only the “2017-Insecure Deserialization” vulnerability, which was previously at 8th place in the top 10, remained at the same ranking by having its name changed with a more comprehensive one: “2021-Software and Data Integrity Failures”.
  • Three new vulnerabilities have appeared:
  • Insecure Design
  • Software and Data Integrity Failures
  • Server-Side Request Forgery
  • “2017-Injection”, which used to be at 1st place, regressed to 3rd place. “Broken Access Control” previously occupying 5th place, moved to 1st place.
  • “Sensitive Data Exposure” was placed in 2nd place after renaming it “Cryptographic Failures.”


 
All the changes are as follows:
OWASP’s top 10 vulnerabilities in 2021:

  1. Broken access control
  2. Cryptographic failures
  3. Injection
  4. Insecure design
  5. Security misconfiguration
  6. Vulnerable and outdated components
  7. Identification and authentication failures
  8. Software and data integrity failures
  9. Security logging and monitoring failures
  10. Server-side request forgery

OWASP’s descriptions for its top 10 vulnerabilities:
1. Broken access control:
 This vulnerability includes all the vulnerabilities that occur due to deficient or incorrect use of authorization mechanisms. Vulnerabilities such as pages lacking frequent control, bypassing access control due to parameter changes in the delivered requests, and CORS misconfiguration can be shown as examples.

2. Cryptographic failures:
 This vulnerability includes the deficiencies related to encryption. Previously known as “Sensitive data exposure”_ a vulnerability including the seizure of critical data by unwanted individuals_ was updated as “Cryptographic failures”.

3. Injection:
 Any vulnerability originated from the use of the data received from a user without being filtered in a piece of code processed in the backend. XSS vulnerabilities are currently in this category. Additionally, all the injection vulnerabilities such as SQL, NoSQL, OS command, ORM, LDAP, OGNL are here in this category.

4. Insecure design:
 A new category of vulnerabilities including the errors in the flow of applications’ design. This category includes the vulnerabilities that occur because of the workflow of the application, not the implementation. Using the date of birth as validation for the I forgot my password screen could be shown as an example.

5. Security misconfiguration:
 Hardening, incorrect configuration, using the default password, and leakage of information from error messages are included in this category.

6. Vulnerable and outdated components:
 Previously occupying 9th place, “Using components with known vulnerabilities”, was put at 6th place after adding “the use of unsupported software” to its list of vulnerabilities. Especially, when using a framework or third-party components, one must make sure that it doesn’t possess one of the known vulnerabilities and is not outdated.

7. Identification and authentication failures:
 Previously occupying the 2nd place as “Broken authentication”, this category includes the vulnerabilities originating from authentication errors. Setting session time-out values incorrectly can be shown as an example for this vulnerability.

8. Software and data integrity failures:
 This one is a newly added vulnerability to OWASP’s top 10 web security vulnerabilities. This vulnerability includes all the failures in the data validation of library management systems and continuous integrity/deployment processes. Deserialization vulnerabilities are currently in this category. Additionally, the uploading of malware to conducted updates by seizing the SolarWinds systems, which is a nation-state attack, is shown on their website.

9. Security logging and monitoring failures:
 This vulnerability is hard to test; however, implementation failure has huge effects on it. Previously, it used to be at 10th place, but it’s currently at 9th place in OWASP’s 2021 top 10 list. It includes all the failures insufficient logging and monitoring processes.

10. Server-side request forgery
 Server-side request forgery is one of the new vulnerabilities on OWASP’s 2021 top 10 list. As an instance for the vulnerabilities that occur by processing the URL value received from the user without undergoing validation on the server-side, giving permission to private IP addresses such as 127.0.0.1 by an application that takes screenshots by connecting to the input URL can be indicated.

Some of the web application vulnerabilities, which are included in OWASP’s 2021 top 10 list, are being scanned by our automatic scan engines; we start scanning the rest of them soon.

You may use our free vulnerability scan engines for your web applications by just registering from here.

Share: