
OWASP Top 10 Vulnerabilities in 2021: How to Mitigate Them?

Posted: February 24, 2022 (5 min read)

The OWASP Top 10 is a research-based document that raises awareness among developers, organizations, and security professionals on the most critical security risks facing web applications. The latest is the OWASP Top 10 vulnerabilities 2021, released in September 2021 after a 4-year gap.

In this article, the OWASP Top 10 vulnerabilities 2021 are explained in detail, along with ways to mitigate each.

OWASP Top 10 Vulnerabilities 2021 & Mitigating Them

[Figure: OWASP Top 10 Vulnerabilities. Source: OWASP]

1. Broken Access Control 

Broken access control vulnerabilities let attackers reach user accounts, admin panels, databases, servers, sensitive information, business-critical apps, etc., and let unauthorized users perform privileged functions such as modifying or destroying data. Broken Access Control moved to the top of the OWASP Top 10 vulnerabilities 2021 since 94% of applications were found to have this vulnerability.

Mitigation:  

  • Adopt a least-privilege approach
  • Build strong access controls using role-based access control mechanisms
  • Deny access by default, except for public resources
  • Keep servers lean by shutting down unnecessary services and deleting inactive or unnecessary accounts
  • Where there are multiple access points, disable the ones that aren’t necessary
  • Rate limit API and controller access
  • Don’t store sensitive data in the web root
  • Disable server directory listing

2. Cryptographic Failures

Whether at rest or in transit, data often contains sensitive information that needs extra protection. This is especially important for organizations that fall under standards like PCI-DSS, GDPR, CCPA, and HIPAA. Examples of cryptographic failures include storing data in plaintext, using weak or outdated cryptographic algorithms, and improper key management.

Mitigation: 

  • Encrypt all data at rest using secure and robust encryption algorithms, keys, and protocols
  • Encrypt all data in transit using current, secure protocols like TLS
  • Identify all sensitive data and apply strong security controls to it
  • Don’t collect or store sensitive data unless absolutely necessary
  • Don’t cache sensitive data, including responses from forms that collect it
  • Disable autocomplete on forms that handle sensitive data
  • Minimize the attack surface
  • Store passwords using robust, adaptive, and proven hashing functions

3. Injection 

Injection vulnerabilities allow attackers to send hostile, untrusted data (commands or queries) into the application, leading the interpreter to take actions it was not designed for, such as exposing sensitive data or executing arbitrary code. SQL injection and XSS are examples of injection.

Mitigation:  

  • Server-side input validation is a must
  • Use safe APIs that avoid the interpreter entirely or provide a parameterized interface
  • Use intrusion detection systems to spot suspicious behavior
  • Use parameterized queries
  • Use LIMIT and other SQL controls within queries to prevent mass disclosure of records
  • Escape special characters in any dynamic query that cannot be parameterized

4. Insecure Design

New at #4 in the OWASP Top 10 web application vulnerabilities 2021, this category covers the risks from design flaws that lead to poor security controls. It reflects the industry’s growing focus on building secure-by-design apps.

Mitigation:  

  • Integrate security into every SDLC stage and apply robust security practices from the earliest stages
  • Establish a library of secure design patterns, components, frameworks, etc. that are ready and safe to use in new applications
  • Use threat modeling when designing critical features like access controls, authentication, business logic, and key flows
  • Include security language, concerns, and controls in all user stories
  • Segregate the app into tiers based on exposure and protection needs, and write use and misuse cases for each tier
  • Include plausibility checks at each tier of the application

5. Security Misconfiguration

Security misconfiguration, meaning a lack of security hardening anywhere in the stack, moved up the OWASP Top 10 2021 since 90% of applications had this vulnerability. Examples include improper permissions, unnecessary features left enabled, default accounts and passwords, misconfigured HTTP headers, and verbose error messages.

Mitigation: 

  • Harden app security using repeatable, easy-to-deploy processes
  • Use preconfigured templates (with different credentials) to configure development, QA, and production identically
  • Maintain a library of securely configured container images
  • Remove unused features and services and deploy the application with a minimal setup
  • Regularly review, update, and patch configurations
  • Use automated workflows to verify secure configurations and detect misconfigurations in every environment, and remediate identified issues promptly

6. Vulnerable and Outdated Components 

This vulnerability arises from unsupported and outdated components: software, libraries, frameworks, etc. Building or running applications without current, patched versions of their components leaves them open to attack.

Mitigation: 

  • Maintain an updated inventory of all components used in the application with their versions
  • Continuously scan components, libraries, etc. and their dependencies for vulnerabilities
  • Keep all components updated. If patches aren’t immediately available, apply virtual patches
  • Remove unused, legacy, and outdated components, features, and dependencies from apps
  • Use components, software, etc. from official and trustworthy sources

7. Identification and Authentication Failures

Incorrect implementation of user authentication and session management functions lets attackers compromise passwords, keys, or session tokens and assume other users’ identities, permanently or temporarily.

Mitigation: 

  • Multi-factor authentication is a must
  • Don’t use default credentials, especially for admin privileges
  • Implement a strong password policy
  • Deploy a secure session manager that generates time-limited session IDs
  • Monitor failed login attempts and apply limits and delays to them
  • Strengthen registration, credential recovery, and other authentication-related processes

8. Software and Data Integrity Failures

Entering the OWASP Top 10 2021 at #8, this category highlights the need to verify the integrity of software updates, critical data, and CI/CD pipelines. It was added in response to the rise of high-impact supply chain attacks. A8:2017 Insecure Deserialization is now part of this broader category.

Mitigation: 

  • Verify the legitimacy of software, data, and programs and their source through digital signatures or similar measures
  • Ensure the integrity of the CI/CD pipeline through strong access controls, proper configuration, and adequate segregation
  • Continuously review code and configurations for unexpected modifications
  • Ensure that libraries and dependencies come from trusted repositories; host an internal, approved, known-good repository if your risk profile is higher
  • Don’t deliver unencrypted serialized data to untrusted clients without an integrity check or signature

9. Security Logging and Monitoring Failures

This OWASP Top 10 2021 category concerns the application’s weaknesses in detecting and responding to security incidents. Given that the average time to detect an attack is 197 days, attackers have a long window in which to operate.

Mitigation:

  • Use readily available logging and audit software that supports prompt detection of suspicious activity
  • Ensure the logs carry enough context and are available in compatible formats for in-depth forensic analysis
  • Enforce security controls that prevent tampering with log data
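Detection logic for the "monitor failed login attempts and apply limits and delays" bullet under item 7 and the "prompt detection of suspicious activity" bullet above, as an added example that is not part of the article: it runs over constructed auth log lines, counts failures per account in a sliding window, and derives a doubling throttle delay once the threshold is reached. The log format, window, threshold and delay values are this example's own assumptions.

```python
"""Flag bursts of failed logins in auth logs and derive a throttling delay."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample lines in the key=value format this example assumes.
SAMPLE_LOG = """\
2022-02-24T10:00:01Z auth result=FAIL user=alice ip=203.0.113.5
2022-02-24T10:00:03Z auth result=FAIL user=alice ip=203.0.113.5
2022-02-24T10:00:04Z auth result=OK user=bob ip=198.51.100.7
2022-02-24T10:00:06Z auth result=FAIL user=alice ip=203.0.113.5
2022-02-24T10:00:08Z auth result=FAIL user=alice ip=203.0.113.5
2022-02-24T10:00:09Z auth result=FAIL user=alice ip=203.0.113.5
2022-02-24T10:12:00Z auth result=FAIL user=carol ip=203.0.113.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")
WINDOW = timedelta(minutes=5)   # sliding window in which failures are counted
THRESHOLD = 5                   # failures inside WINDOW that trigger an alert
BASE_DELAY = 2                  # seconds of delay at the threshold; doubles per extra failure


def parse_line(line: str):
    """Return (timestamp, result, user, ip), or None for a line that doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None   # unparseable lines are skipped rather than silently counted
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text: str) -> dict:
    """Return {user: (alert_time, delay_seconds)} for accounts whose failures
    within WINDOW reach THRESHOLD. Keyed by user here; the same logic works per IP."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, _ip = parsed
        if result == "OK":
            recent[user].clear()  # a successful login resets the counter
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD:
            alerts[user] = (ts.isoformat(), BASE_DELAY * 2 ** (len(q) - THRESHOLD))
    return alerts
```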

10. Server-Side Request Forgery 

This vulnerability ranked #1 in the OWASP Top 10 Community Survey and was added to the 2021 list on that basis. SSRF lets attackers make the server fetch remote resources from user-supplied, unvalidated URLs. Even servers behind a firewall or VPN are exposed if they accept unvalidated user input.

Mitigation: 

  • Enforce user-input validation and sanitization
  • Isolate any remote resource access functionality in a separate network segment to limit the impact
  • Block unwanted traffic using deny-by-default firewall policies
  • Don’t return raw responses to clients
  • Build a positive allow list for URL scheme, destination, and port
  • Disable HTTP redirects
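The positive allow list bullet as code, an added example not taken from the article: every outbound URL is rejected unless its scheme, host and port are all explicitly allowed, and hosts are read from the parsed URL so that userinfo tricks and odd ports are not mistaken for the allowed destination. The allowed scheme, hostnames and port are constructed values.

```python
"""Deny-by-default allow-list validation for server-side fetches of user-supplied URLs."""
from urllib.parse import urlsplit

# Constructed allow list: only these schemes, hosts and ports may ever be fetched.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.partner.example", "api.partner.example"}
ALLOWED_PORTS = {443}
DEFAULT_PORTS = {"https": 443, "http": 80}


def validate_outbound_url(url: str) -> tuple:
    """Return (ok, reason). Anything not explicitly allowed is rejected."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname          # lower-cased, with userinfo and port stripped
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:  # exact match only; no substring or suffix checks
        return False, f"host {host!r} not allowed"
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok"
```

Fetch only URLs that pass, and fetch them with redirects disabled (for example `allow_redirects=False` in the `requests` library) so the destination cannot be switched after validation.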

The Way Forward

Indusface’s next-gen, intelligent WAF provides effective protection against the OWASP Top 10 vulnerabilities 2021 and other security threats.
