As you know, OWASP, a non-profit organization, publishes its list of the most significant web security vulnerabilities for developers and cyber security experts once every four years. The latest list, the 2021 version that succeeds the 2017 list, was published in September.
At first glance, the significant differences are as follows:
All the changes are as follows:
OWASP’s top 10 vulnerabilities in 2021:
OWASP’s descriptions for its top 10 vulnerabilities:
1. Broken access control:
This category covers all the vulnerabilities that arise from missing or incorrect use of authorization mechanisms. Examples include pages that lack access checks, access control being bypassed by changing parameters in the submitted requests, and CORS misconfiguration.
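The two examples named above, parameter tampering and CORS misconfiguration, side by side with their hardened forms. This is an added example written for this post, not code from OWASP or from the scanner described here; the data model (`User`, `Invoice`, the in-memory `INVOICES` table) and the allowlisted origin are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical data model for the example; not from the original post.
@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin"

@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: int

# Constructed in-memory "database": invoices belonging to two customers.
INVOICES = {
    101: Invoice(id=101, owner_id=1, amount=250),
    102: Invoice(id=102, owner_id=2, amount=999),
}

class NotFound(Exception):
    """Raised for unknown ids and for invoices the caller may not read."""

def fetch_invoice_broken(current_user: User, invoice_id: int) -> Invoice:
    """Vulnerable: the invoice id comes straight from the request and is never
    compared with the session user, so any logged-in customer can read any
    invoice simply by changing the id parameter."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv

def _may_read(user: User, inv: Invoice) -> bool:
    """Server-side policy: admins read everything, customers only their own."""
    if user.role == "admin":
        return True
    return inv.owner_id == user.id

def fetch_invoice(current_user: User, invoice_id: int) -> Invoice:
    """Hardened: the decision is taken from the server-side session user and is
    deny-by-default. A denied read raises the same NotFound as a missing id, so
    the response does not reveal which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or not _may_read(current_user, inv):
        raise NotFound(invoice_id)
    return inv

# CORS: constructed allowlist of origins that may make credentialed requests.
ALLOWED_ORIGINS = {"https://app.example.com"}

def cors_headers_broken(request_origin: str) -> dict:
    """Vulnerable: echoes any Origin header and allows credentials, which lets
    every website read authenticated responses from this API."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }

def cors_headers(request_origin: str) -> dict:
    """Hardened: only an exact allowlist match is echoed back; anything else
    gets no CORS headers at all, so the browser blocks the cross-origin read."""
    if request_origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # responses differ per origin; keep caches honest
        }
    return {}

if __name__ == "__main__":
    customer = User(id=1, role="customer")
    print(fetch_invoice_broken(customer, 102))  # leaks another customer's invoice
    try:
        fetch_invoice(customer, 102)
    except NotFound as e:
        print("denied:", e)
    print(cors_headers("https://other.example"))  # {}
```

The point of the hardened `fetch_invoice` is that the authorization decision never depends on anything the client can edit; the only client-supplied value is the id, and it is checked against the session user on every request.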
2. Cryptographic failures:
This category covers deficiencies related to encryption. The category previously known as “Sensitive data exposure”, which covered the capture of critical data by unauthorized individuals, was renamed “Cryptographic failures”.
3. Injection:
Any vulnerability that originates from using data received from a user, without filtering, in code processed in the backend. XSS vulnerabilities are currently in this category. Additionally, all the injection vulnerabilities such as SQL, NoSQL, OS command, ORM, LDAP and OGNL injection are in this category.
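An added example (not from the original post or OWASP) of the SQL and OS command cases: the same lookup built by string concatenation and by a parameterized query, run against a constructed in-memory SQLite table, plus a command builder that passes an argument list instead of a shell string. The table contents and the `ping_command` helper are illustrative assumptions.

```python
import re
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: user input is pasted into the SQL text, so a quote in the
    input changes the query structure instead of being treated as data."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def find_user(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value is bound as a parameter; the driver sends it
    separately from the query text, so it can never alter the WHERE clause."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

# Hostname syntax allowlist (RFC 1123 labels); first character cannot be '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def ping_command(host: str) -> list:
    """OS command case: return an argv list for subprocess.run (no shell),
    and validate the host against an allowlist pattern so that shell
    metacharacters and leading '-' option flags are rejected up front."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ["ping", "-c", "1", host]

if __name__ == "__main__":
    conn = build_db()
    probe = "x' OR '1'='1"
    print(find_user_vulnerable(conn, probe))  # both rows: the clause was rewritten
    print(find_user(conn, probe))             # []: treated as a literal username
    print(ping_command("example.com"))
```

Note that `find_user` does no "filtering" at all; parameterization removes the need to escape, which is why OWASP recommends it over input sanitization for SQL. For OS commands the equivalent is an argument list with `shell=False`, and the allowlist check is still worth keeping because the executed program may interpret its own arguments.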
4. Insecure design:
A new category covering errors in the design of an application’s flow. It includes vulnerabilities that stem from the application’s workflow rather than its implementation. Using the date of birth as the verification step on an “I forgot my password” screen is an example.
5. Security misconfiguration:
Missing hardening, incorrect configuration, use of default passwords, and information leakage through error messages are included in this category.
6. Vulnerable and outdated components:
Previously in 9th place as “Using components with known vulnerabilities”, this category moved to 6th place after “use of unsupported software” was added to its scope. In particular, when using a framework or third-party components, one must make sure that they have no known vulnerabilities and are not outdated.
7. Identification and authentication failures:
Previously in 2nd place as “Broken authentication”, this category includes vulnerabilities originating from authentication errors. Incorrectly set session time-out values are an example.
8. Software and data integrity failures:
This is a newly added category in OWASP’s top 10 web security vulnerabilities. It covers all failures of integrity validation in library management systems and in continuous integration/deployment processes. Deserialization vulnerabilities are currently in this category. OWASP’s website also cites the SolarWinds case, a nation-state attack in which malware was inserted into distributed updates after the SolarWinds systems were compromised.
9. Security logging and monitoring failures:
This category is hard to test; however, implementation failures have a large impact on it. It was previously in 10th place but is now 9th in OWASP’s 2021 top 10 list. It covers all failures arising from insufficient logging and monitoring processes.
10. Server-side request forgery:
Server-side request forgery is one of the new entries on OWASP’s 2021 top 10 list. It covers vulnerabilities that occur when a URL value received from the user is processed without server-side validation; for instance, an application that takes screenshots by connecting to the supplied URL and allows private IP addresses such as 127.0.0.1.
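The check the screenshot example above is missing, as an added example written for this post (not OWASP’s or the scanner’s code): a validator that accepts only http/https URLs whose host, or every address the host resolves to, is a public address. The `resolver` parameter and `make_static_resolver` helper are assumptions introduced so the check can be exercised offline with constructed DNS answers.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve_host(host: str) -> set:
    """Default resolver: every address the name resolves to (A and AAAA)."""
    infos = socket.getaddrinfo(host, None)
    return {ipaddress.ip_address(info[4][0]) for info in infos}

def make_static_resolver(table: dict):
    """Build a resolver from a constructed {hostname: [ip strings]} table,
    used here instead of live DNS so the example runs offline."""
    parsed = {h: {ipaddress.ip_address(a) for a in addrs} for h, addrs in table.items()}
    def resolver(host: str) -> set:
        if host not in parsed:
            raise socket.gaierror(f"no record for {host}")
        return parsed[host]
    return resolver

def is_public_address(ip) -> bool:
    """True only for globally routable unicast addresses."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_fetch_url(url: str, resolver=resolve_host):
    """Return (ok, reason). ok is True only when the scheme is http/https and
    every address the host maps to passes is_public_address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # strips brackets, port and credentials
    if not host:
        return False, "missing host"
    try:
        addrs = {ipaddress.ip_address(host)}  # host is an IP literal
    except ValueError:
        try:
            addrs = resolver(host)            # host is a name: check all answers
        except OSError as e:
            return False, f"unresolvable host: {e}"
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"non-public address: {ip}"
    return True, "ok"

if __name__ == "__main__":
    for u in ["http://127.0.0.1:8080/", "http://[::1]/", "file:///etc/hosts",
              "http://169.254.169.254/", "http://8.8.8.8/"]:
        print(u, validate_fetch_url(u))
```

Two details matter in practice. First, the validator judges every resolved address, not just the first, so a name with one public and one internal record is rejected. Second, the result is only as good as the address the HTTP client later connects to: the fetch should use the address that was validated (or re-run the check on the socket’s actual peer) rather than resolving the name a second time, and redirects returned by the remote server need the same check on each hop.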
Some of the web application vulnerabilities in OWASP’s 2021 top 10 list are already scanned by our automatic scan engines; we will start scanning the rest soon.
You may use our free vulnerability scan engines for your web applications by registering here.