OWASP Top 10 - 2021

This is just a basic explanation of the OWASP Top 10; I will update it with a more detailed view soon.

  1. Broken Access Control: When you sign up on a website, you usually have the same privileges and access to the site's content as other users. Only the site's admin or owner can manage all users and modify the site's permissions. But what if a normal user is able to view protected pages and other users' data, or is even able to manage them? Then the access controls are broken. Simply put, in this case restrictions on authenticated users are broken or can be easily bypassed.

  2. Cryptographic Failures: As the name implies, using weak encryption algorithms, not renewing expired SSL or TLS certificates (Transport Layer Security (TLS) is the successor protocol to SSL), or not using cryptographic algorithms to protect sensitive information at all leads to the exposure of sensitive data; it is advised to upgrade to the latest version of TLS for improved security. In some cases an attacker can perform a "Man in the Middle" attack and intercept the information exchanged; if the encryption algorithms are weak, the attacker will also be able to read the messages, because they could recover the secret encryption key or exploit a weakness in the algorithm.

  3. Injection: It is one of the most common vulnerabilities in existence today. In simple terms, if the data input by a user or attacker is not properly sanitized, validated, or handled, it can lead to command injection, SQLi, or other types of injection attacks. Some basic examples are: using SQL queries to bypass authorization restrictions, or manipulating the database to reveal complete tables and other information. On the other hand, if user input containing system commands is not sanitized or stripped from the input, those commands can be run arbitrarily, giving the user system access. Some other types of injection are: XSS, LDAP, CRLF, Host Header, etc.

  4. Insecure Design: When a security or development team does not create or implement a secure design, and does not do proper threat modeling (identifying security requirements, pinpointing security threats and potential vulnerabilities, rating vulnerability criticality, and prioritizing remediation) before sending the application to production, the result is an insecure design vulnerability. The point of all this is to prevent known potential attack methods. The funny thing is, without a secure design and knowledge of it, we can't even detect architectural flaws. Another effect is verbose error messages, which reveal a lot about the server, logs, and other sensitive information.

  5. Security Misconfiguration: When the default security configuration is weak or insecure, or when things such as open cloud storage, verbose error messages, and inappropriate HTTP header configurations are not properly configured by hand, the result is a security misconfiguration vulnerability. Default WiFi router and gateway passwords are another example of this vulnerability.

  6. Vulnerable and Outdated Components: This vulnerability usually occurs when web developers or programmers use third-party frameworks and components to save time and effort while building apps, and rely on them completely without going through the docs, checking for past vulnerabilities, or ensuring that they are up to date with the latest security patches.

  7. Identification and Authentication Failures: The core mechanisms of every application are authentication and session management. If these are bypassed, an attacker can access other users' accounts without knowing their passwords, for example when the login is prone to brute-force attacks (no rate limit on attempts), the password policy is weak, or the session cookies are weak. Another practical example is a username collision vulnerability.

  8. Software and Data Integrity Failures: While downloading software or receiving any remote file, if it is modified in transit or damaged by a transmission error, the integrity of the file has failed; if the modification is malicious it can also damage our system and network. To prevent this, we can match the hash of the file or software against the published one after receiving it on our end. This category also includes software updates, critical data, and CI/CD pipelines used without verifying their integrity.

  9. Security Logging & Monitoring Failures: Logging and monitoring are must-do activities that should be performed on a website/app continuously, and failing to do so leaves a site open to more severe compromise. For example: an attacker gains a foothold on your server and, without logging and monitoring, can stay undetected for a long time while compromising it further. Even simply not being able to detect a past anomaly will affect the whole production environment.

  10. SSRF: This vulnerability arises when an attacker can force or manipulate the web application into sending requests on their behalf to arbitrary destinations, or to the target itself, while controlling the contents of the request, which can lead to RCE or spoofing attacks. This type of vulnerability often occurs when integrating third-party services such as APIs.
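The injection flaw in item 3, shown as a worked example added here (it is not code from the original post): a user lookup built by string formatting next to the same lookup as a parameterized query. The in-memory SQLite table and the sample rows are constructed for the demonstration.

```python
"""Added example (not from the original post): SQL injection in item 3,
a vulnerable lookup beside its parameterized fix.
The users table and its rows are constructed sample data."""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Builds the statement by string formatting: the input becomes part of
    the SQL grammar, so a quote character in it rewrites the WHERE clause."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Parameterized query: the driver passes the value separately from the
    statement text, so it can only ever be compared as a literal username."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Classic textbook test string: makes the formatted WHERE clause always true.
    tautology = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, tautology))  # every row is returned
    print("safe:      ", find_user_safe(db, tautology))        # no such user -> []
```

The fix is not escaping quotes by hand but keeping data out of the statement text entirely; every mainstream database driver offers placeholders like the `?` above, and the same principle (an API that separates the command from its arguments) is the remedy for OS command injection.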
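The broken access control of item 1, as an added example that is not part of the original post: a document store where the vulnerable handler trusts whatever id the client requests, while the fixed handler checks that the caller owns the object or is an admin. The users, documents and roles are constructed for the demonstration.

```python
"""Added example (not from the original post): object-level authorization
for item 1. Users, documents and the role names are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "user" or "admin"


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the object."""


# Constructed sample data: two users, each owning one private document.
DOCS = {
    1: Document(1, "alice", "alice's private notes"),
    2: Document(2, "bob", "bob's private notes"),
}


def get_document_vulnerable(current: User, doc_id: int) -> Document:
    """Authenticated but never authorized: any logged-in user can read any
    document simply by changing the id in the request."""
    return DOCS[doc_id]


def get_document_safe(current: User, doc_id: int) -> Document:
    """Deny by default. Load the object first and evaluate the rule against
    its real owner, never against a value the client supplied."""
    doc = DOCS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    if current.role == "admin" or doc.owner == current.name:
        return doc
    raise Forbidden(f"{current.name} may not read document {doc_id}")


def can_read(current: User, doc_id: int) -> bool:
    """Convenience wrapper so callers and tests get a yes/no answer."""
    try:
        get_document_safe(current, doc_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    bob = User("bob", "user")
    print("vulnerable handler leaks:", get_document_vulnerable(bob, 1).body)
    print("safe handler allows bob -> doc 1:", can_read(bob, 1))
```

The check belongs in the handler for every object access, not only on the pages that list documents; an access-control rule enforced in the UI but missing from the endpoint is exactly the gap described in item 1.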
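The hash check recommended in item 8, as an added example that is not part of the original post: a download is only handed to the install step after its SHA-256 matches the digest the publisher announced. In practice the expected digest is fetched over a separately trusted channel; here the "downloaded" bytes, a tampered copy and the published digest are all constructed inline.

```python
"""Added example (not from the original post): integrity verification of a
downloaded artifact for item 8. The artifact bytes and the published digest
are constructed sample data."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole artifact."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """True only if the digest of `data` equals the published one.
    hmac.compare_digest compares in constant time regardless of where the
    first differing character is."""
    actual = sha256_hex(data)
    return hmac.compare_digest(actual.lower(), expected_sha256.strip().lower())


def install_if_verified(data: bytes, expected_sha256: str) -> bytes:
    """Gate the unsafe step (writing or executing the file) behind the check,
    so a corrupted or tampered download is never used."""
    if not verify_download(data, expected_sha256):
        raise ValueError("digest mismatch: refusing to install")
    return data


def install_outcome(data: bytes, expected_sha256: str) -> str:
    """Report the decision as a string (handy for logging and for tests)."""
    try:
        install_if_verified(data, expected_sha256)
        return "installed"
    except ValueError:
        return "rejected"


# Constructed sample: the "publisher" computes the digest of the genuine bytes
# and announces it; the client later receives either the genuine file, a copy
# altered in transit, or a copy with a transmission error.
GENUINE = b"#!/bin/sh\necho installing example tool\n"
PUBLISHED_DIGEST = sha256_hex(GENUINE)
TAMPERED = GENUINE + b"echo extra line inserted in transit\n"
CORRUPTED = GENUINE[:-1] + b"\x00"  # one byte flipped by a bad transfer

if __name__ == "__main__":
    print("published:", PUBLISHED_DIGEST)
    for label, blob in [("genuine", GENUINE), ("tampered", TAMPERED), ("corrupted", CORRUPTED)]:
        print(f"{label:>9}: {install_outcome(blob, PUBLISHED_DIGEST)}")
```

A digest downloaded from the same untrusted location as the file only detects transmission errors, not tampering; to defend against a modified download the digest (or better, a signature over it) has to come from a source the attacker cannot also change.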
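A destination check for the SSRF risk in item 10, as an added example that is not part of the original post: a server-side fetcher that takes a URL from the user accepts only the expected scheme and hosts, and refuses names that resolve to internal addresses. The allowlisted hostnames and the DNS answers are constructed, and the resolver is injectable so the check runs offline.

```python
"""Added example (not from the original post): outbound destination
validation for item 10. The allowlist and the fake DNS answers used in the
demo are constructed sample data."""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Constructed allowlist: the third-party API hosts this app is meant to call.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

Resolver = Callable[[str], list[str]]


def system_resolver(host: str) -> list[str]:
    """Default resolver using the OS; returns every address the name maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text: str) -> bool:
    """Reject anything that points at the server's own networks."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_destination(url: str, resolver: Resolver = system_resolver) -> str:
    """Return the hostname if the URL is an acceptable outbound destination,
    otherwise raise ValueError naming the rule that rejected it."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    # Even an allowlisted name must resolve only to public addresses, so a
    # DNS record that points inward cannot turn the fetcher into a proxy.
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return host


def is_allowed_destination(url: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean form of validate_destination for callers that only need yes/no."""
    try:
        validate_destination(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS answers: one allowlisted host is fine, the other has been
# pointed at an internal network and must be refused.
FAKE_DNS = {"api.example.com": ["1.2.3.4"], "cdn.example.com": ["10.0.0.5"]}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ["https://api.example.com/v1/items", "https://cdn.example.com/x",
                      "http://api.example.com/", "https://other.example.net/"]:
        print(f"{candidate:<40} allowed={is_allowed_destination(candidate, fake_resolver)}")
```

The allowlist is the primary control; the resolution check closes the gap where a permitted name is later re-pointed at an internal address. Note that the address check and the actual fetch are separate steps, so a fetcher that follows redirects must re-validate each hop, and the HTTP client should be configured with a short timeout and no redirects by default.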
