OWASP Research: Top 10 Vulnerabilities 2021
The Open Web Application Security Project (OWASP) publishes the most significant web security vulnerabilities once every four years for developers and cyber security specialists. The 2021 version of the 2017 list of online security vulnerabilities was published in September and replaces the previous version, according to Security for Everyone.
The differences between this year's research and the research conducted in 2017 are few. Three new categories have emerged that did not exist in 2017: Server-Side Request Forgery, Software and Data Integrity Failures, and Insecure Design.
Additionally, the category Sensitive Data Exposure was renamed Cryptographic Failures and moved up to second place. 2017-Injection, which previously held first place, has fallen to third, while Broken Access Control, previously fifth, has been promoted to first.
However, only one vulnerability, 2017-Insecure Deserialization, previously ranked eighth, has retained its position in the top 10 despite having its name changed to the more comprehensive 2021-Software and Data Integrity Failures.
Top 10 vulnerabilities as reported by OWASP:
1. Broken access control
It comprises all vulnerabilities that arise because authorization mechanisms are missing or applied incorrectly. Examples include pages with little or no access control, access-control bypass by tampering with parameters in the sent requests, and CORS misconfiguration.
2. Cryptographic failures
This category covers encryption failures. It was previously known as Sensitive Data Exposure, but is now called Cryptographic Failures, since it is the failure of cryptography that allows unauthorized parties to access critical data.
3. Injection
An injection vulnerability arises when data obtained from a user is used in backend code processing without being filtered. This category now includes XSS flaws, as well as many SQL, NoSQL and OS command injection vulnerabilities.
4. Insecure design
This new category covers vulnerabilities that result from incorrect design of the application flow: flaws in the application workflow rather than in the implementation. As an illustration, an "I forgot my password" form might ask for your date of birth as verification.
5. Security misconfiguration
Use of default passwords and information leakage through error messages are examples of the security misconfigurations that fall into this category.
6. Vulnerable and outdated components
Components with Known Vulnerabilities was previously ranked 9th; after the use of unsupported software was added to its scope, it moved to 6th place. A framework or third-party component should have no known vulnerabilities and should not be outdated at the time it is employed.
7. Identification and authentication failures
Previously known as Broken Authentication, this category now includes vulnerabilities resulting from identification and authentication failures. An example of this issue is an incorrectly set session time-out value.
8. Software and data integrity failures
Software and data integrity failures are now among OWASP's top 10 online security vulnerabilities. This category includes data validation failures and integrity issues in continuous integration/deployment pipelines and library management, and it now also covers deserialization vulnerabilities. OWASP's website additionally cites a nation-state-sponsored attack in which malware was delivered to live computers by seizing control of SolarWinds' networks.
9. Security logging and monitoring failures
Because security logging and monitoring is difficult to test, implementation problems have a significant influence on this vulnerability. It was previously ranked 10th and is now 9th in OWASP's top 10 for 2021. Insufficient logging and monitoring failures are included in this category.
10. Server-side request forgery
Server-side request forgery is one of the top ten OWASP vulnerabilities for 2021. It occurs when a URL value supplied by the user is processed without server-side validation; for example, a feature that connects to an input URL to take screenshots might be made to reach private addresses such as 127.0.0.1.
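As an added example (not from the article or from OWASP), here is a Python check for the SSRF case above: a user-supplied URL is accepted only if it is http/https, carries no embedded credentials, and every address its host resolves to is public, so loopback and private targets such as 127.0.0.1 are refused before the server connects. The `resolver` parameter and the sample hosts are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

def is_public_ip(ip_str):
    """True only for globally routable unicast addresses: loopback, private,
    link-local, multicast and reserved ranges all return False."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def resolve_host(hostname):
    """Resolve a hostname to all of its addresses (swappable in tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def validate_fetch_url(url, resolver=resolve_host):
    """Decide whether the server may fetch a user-supplied URL.
    Returns (ok, reason): http/https only, no embedded credentials, and
    every address the host resolves to must be public."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:  # literal IP (v4, v6 or v4-mapped): check it directly, no DNS
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:  # a hostname: check every address it resolves to
        try:
            addrs = resolver(host)
        except OSError:
            return False, "DNS resolution failed"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, "host resolves to non-public address %s" % addr
    return True, "ok"
```

The check is only as strong as the connection that follows it: the fetching client should connect to the validated address (or re-resolve and re-check) and re-validate any redirect target, otherwise DNS rebinding or an open redirect on the public host would sidestep it.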