The OWASP Top 10 is a standard framework document that represents a broad consensus about the most critical security risks to web applications.
On 8th September 2021, the OWASP group announced the first draft of its upcoming Top 10 list for 2021. The list had not been changed or updated since 2017 until this release. The update adds three new categories: “Insecure Design”, “Software and Data Integrity Failures”, and a category for ‘Server-Side Request Forgery (SSRF)’ attacks.
2017’s ‘XML External Entities (XXE)’ category has now been folded into 2021’s ‘Security Misconfiguration’ category, ‘Cross-Site Scripting (XSS)’ now falls under ‘Injection’, and ‘Insecure Deserialization’ is now a part of ‘Security Logging and Monitoring Failures’.
1. A01:2021 - Broken Access Control: 34 CWEs. Access control vulnerabilities include privilege escalation, malicious URL modification, access control bypass, CORS misconfiguration, and tampering with primary keys.
2. A02:2021 - Cryptographic Failures: 29 CWEs. This covers failures to protect data in transit or at rest, such as the use of weak cryptographic algorithms, poor or lax key generation, a failure to encrypt or to verify certificates, and the transmission of data in clear text.
3. A03:2021 - Injection: 33 CWEs. Common injections target SQL, NoSQL, OS command, and LDAP interpreters, and may be caused by sanitization failures, XSS vulnerabilities, and a lack of protection for file paths.
4. A04:2021 - Insecure Design: 40 CWEs. Insecure design elements vary widely, but are generally described by OWASP as “missing or ineffective control design”. Areas of concern include an absence of protection for stored data, application logic flaws, and displaying content that discloses sensitive information.
5. A05:2021 - Security Misconfiguration: 20 CWEs. Applications may be considered at risk if they lack security hardening, if there are unnecessary features (such as an overly generous grant of privileges), if default accounts are kept active, and if security features are not configured correctly.
6. A06:2021 - Vulnerable and Outdated Components: Three CWEs. This category focuses on client-side and server-side components, failures to maintain components, out-of-date supporting systems – such as an OS, web servers, or libraries – as well as component misconfiguration.
7. A07:2021 - Identification and Authentication Failures: 22 CWEs. Security issues include improper authentication, session fixation, certificate mismatches, permitting weak credentials, and a lack of protection against brute-force attacks.
8. A08:2021 - Software and Data Integrity Failures: 10 CWEs. Integrity is the focal point of this category, and any failure to protect it properly – such as the deserialization of untrusted data, or not verifying code and updates pulled from a remote source – may be in scope.
9. A09:2021 - Security Logging and Monitoring Failures: 4 CWEs. This category covers issues that hinder the analysis of a data breach or other attack: logging problems, failing to record security-relevant events, or only logging data locally.
10. A10:2021 - Server-Side Request Forgery: 1 CWE. SSRF vulnerabilities occur when a server does not validate user-submitted URLs before fetching remote resources. According to OWASP, the adoption of cloud services and increasingly complex architectures have elevated the severity of SSRF attacks.
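As an added example for item 1 above (A01, Broken Access Control), and not code from the article or from OWASP, the following shows the "tampering with primary keys" case: a handler that trusts the record id from the request beside a hardened version that enforces ownership on the server. The invoice table, the user ids and the admin set are constructed sample data.

```python
"""Added example (not from the article): closing the primary-key tampering
hole described under A01 with a server-side ownership check.

The data store, users and invoices below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: two users own three invoices; 999 is an admin.
INVOICES = {
    1: Invoice(1, owner_id=100, amount=19.99),
    2: Invoice(2, owner_id=100, amount=5.00),
    3: Invoice(3, owner_id=200, amount=250.00),
}
ADMINS = {999}


class AccessDenied(Exception):
    """Raised when the caller is not allowed to see the requested object."""


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """Broken access control: the id taken from the URL is trusted as-is, so
    any authenticated user can read any invoice by changing the number."""
    return INVOICES[invoice_id]


def get_invoice_secure(current_user_id: int, invoice_id: int) -> Invoice:
    """Hardened version: look the record up, then enforce ownership (or an
    explicit admin role) before returning it. Deny by default, and use the
    same error for 'not found' and 'not yours' so the endpoint does not
    confirm which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise AccessDenied("no such invoice or not permitted")
    if invoice.owner_id != current_user_id and current_user_id not in ADMINS:
        raise AccessDenied("no such invoice or not permitted")
    return invoice


def can_read_invoice(current_user_id: int, invoice_id: int) -> bool:
    """Report the hardened decision as a boolean (handy for tests and logs)."""
    try:
        get_invoice_secure(current_user_id, invoice_id)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    # User 100 asks for user 200's invoice: the vulnerable path serves it,
    # the hardened path refuses; the admin is still allowed.
    print(get_invoice_vulnerable(100, 3))
    print(can_read_invoice(100, 3), can_read_invoice(100, 1), can_read_invoice(999, 3))
```

The decision is made next to the data access rather than in the URL routing layer, so every path that reaches the record goes through the same check.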
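As an added example for item 8 above (A08, Software and Data Integrity Failures), and not code from the article or from OWASP, the following verifies a fetched update against a signed manifest before it is used. The artifact bytes, version string and release key are constructed; the HMAC-based manifest signature is an assumption chosen to keep the example standard-library only, where a real release pipeline would use an asymmetric signature so the client holds no signing capability.

```python
"""Added example (not from the article): checking an update pulled from a
remote source against a signed manifest before installing it (A08).

Artifact, version and key are constructed. HMAC stands in for an asymmetric
release signature so the example runs with the standard library only."""
import hashlib
import hmac
import json
from typing import Tuple


class IntegrityError(Exception):
    """Raised when the artifact or its manifest fails verification."""


# Constructed: key shared between the release pipeline and the client.
RELEASE_KEY = b"constructed-demo-release-key"

# Constructed: the bytes the publisher actually shipped.
RELEASED_UPDATE = b"#!/bin/sh\necho 'installing release 1.2.3'\n"


def sign_manifest(artifact: bytes, version: str, key: bytes = RELEASE_KEY) -> Tuple[bytes, str]:
    """Publisher side: record the artifact digest in a manifest and sign it.
    sort_keys makes the serialization deterministic so the signature is stable."""
    manifest = json.dumps(
        {"version": version, "sha256": hashlib.sha256(artifact).hexdigest()},
        sort_keys=True,
    ).encode("utf-8")
    signature = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return manifest, signature


def install_vulnerable(downloaded: bytes) -> bytes:
    """No integrity check: whatever arrived over the network is used as-is."""
    return downloaded


def install_secure(downloaded: bytes, manifest: bytes, signature: str,
                   key: bytes = RELEASE_KEY) -> bytes:
    """Client side: authenticate the manifest first, then check that the
    artifact matches the digest it pins. compare_digest keeps both checks
    constant-time."""
    expected_sig = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, signature):
        raise IntegrityError("manifest signature invalid")
    try:
        pinned = json.loads(manifest)["sha256"]
    except (ValueError, KeyError, TypeError):
        raise IntegrityError("manifest malformed")
    actual = hashlib.sha256(downloaded).hexdigest()
    if not hmac.compare_digest(actual, pinned):
        raise IntegrityError("artifact digest mismatch")
    return downloaded


def accepts(downloaded: bytes, manifest: bytes, signature: str) -> bool:
    """Report the hardened decision as a boolean."""
    try:
        install_secure(downloaded, manifest, signature)
        return True
    except IntegrityError:
        return False


if __name__ == "__main__":
    manifest, signature = sign_manifest(RELEASED_UPDATE, "1.2.3")
    print(accepts(RELEASED_UPDATE, manifest, signature))
    print(accepts(RELEASED_UPDATE + b"echo tampered\n", manifest, signature))
```

The order matters: the manifest is authenticated before any value in it is trusted, otherwise a digest delivered over the same untrusted channel as the artifact proves nothing.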
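As an added example for item 10 above (A10, Server-Side Request Forgery), and not code from the article or from OWASP, the following validates a user-supplied URL before the server fetches it: scheme allowlist, host allowlist, and a check that the resolved address is publicly routable rather than loopback, private or link-local. The hostnames, allowlist and DNS answers are constructed so the example runs offline; the `resolve` function is a stand-in for `socket.getaddrinfo`.

```python
"""Added example (not from the article): validating a user-submitted URL
before the server fetches it, the control whose absence defines A10 (SSRF).

Hostnames, allowlist and DNS answers are constructed so this runs offline."""
import ipaddress
from typing import Optional, Set
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist of hosts this service is permitted to fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}

# Constructed DNS answers (public addresses for the allowlisted names, an
# RFC 1918 address and a link-local address for the internal names).
FAKE_DNS = {
    "images.example.com": "93.184.216.34",
    "cdn.example.net": "104.16.0.1",
    "intranet.example.com": "10.0.0.5",
    "metadata.example": "169.254.169.254",
}


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched on the user's behalf."""


def resolve(host: str) -> str:
    """Stand-in for DNS resolution (socket.getaddrinfo in production)."""
    if host not in FAKE_DNS:
        raise UnsafeURL(f"cannot resolve {host}")
    return FAKE_DNS[host]


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_url(url: str, allowed_hosts: Optional[Set[str]] = ALLOWED_HOSTS) -> str:
    """Validate the URL and return the address the fetch should connect to.
    Returning the checked address lets the caller pin it, so a second DNS
    lookup at fetch time (DNS rebinding) cannot swap in an internal host."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in the URL are not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise UnsafeURL("missing host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise UnsafeURL(f"host not in allowlist: {host}")
    try:
        ip = str(ipaddress.ip_address(host))  # literal address in the URL
    except ValueError:
        ip = resolve(host)
    if not is_public_address(ip):
        raise UnsafeURL(f"{host} resolves to non-public address {ip}")
    return ip


def is_safe_to_fetch(url: str, allowed_hosts: Optional[Set[str]] = ALLOWED_HOSTS) -> bool:
    """Report the decision as a boolean; malformed URLs count as unsafe."""
    try:
        validate_fetch_url(url, allowed_hosts)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(is_safe_to_fetch("https://images.example.com/cat.png"))
    print(is_safe_to_fetch("http://intranet.example.com/", allowed_hosts=None))
```

The allowlist is the primary control; the address check is a second layer shown separately (`allowed_hosts=None`) because it is what still protects a service that must accept arbitrary hosts. The HTTP client used for the actual fetch must also be configured not to follow redirects automatically, since a redirect re-introduces an unvalidated URL.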