What are the OWASP Top 10 Risks 2021?

What is OWASP?

The OWASP Top 10 is a list of critical security risks endangering websites and web apps. OWASP Top Ten Web Application Security Risks provides actionable insights that organizations can leverage to strengthen App Sec.

A Deep Dive into Top 10 OWASP Security Risks


A01:2021-Broken Access Control

Access controls are the security mechanisms through which organizations restrict who can access, view, and use data and other digital resources. The two key components of access control are:

  • Authentication – verification of user identity
  • Authorization – verification that the authenticated user is allowed to perform the action they are attempting.

Failures in implementing these controls lead to broken access controls wherein users get unauthorized access to sensitive information or unauthorized users perform actions that are outside their limits. As per OWASP, 94% of applications have this vulnerability, so it moved up from #5 in 2017 to #1 in the 2021 list.

Common Vulnerabilities

  • Violation of the principle of least privileges wherein access is granted to everybody instead of what is necessary to do their job
  • Use of default passwords and credentials
  • Ability to tamper with URL, API access requests, etc. to bypass access control checks
  • Design flaws, bugs, etc. that allow privilege escalation
  • Insecure direct object references that allow attackers to view/ modify user accounts
  • Metadata manipulation, etc.

Impact

By leveraging broken access controls, attackers can

  • Gain unauthorized access to data, systems, networks, applications, business functionalities, etc.
  • Use unauthorized access to view, modify or steal sensitive information, records, and databases.
  • Change access controls to gain more privileges to orchestrate other attacks.

How to Prevent?

The best way to prevent this critical OWASP Top 10 2022 risk is to strictly enforce the principle of least privilege: deny by default, except for public resources. Further, implement access controls in secure server-side code or a serverless API, so that attackers cannot modify or tamper with the access control checks or their metadata from the client.

Read further on technical best practices for OWASP Top 10 prevention for broken access controls and other security risks.
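To make the server-side, deny-by-default check concrete, here is an added example (not code from Indusface or from OWASP). The `ORDERS` table, the `User` type and the `Forbidden` error are constructed for the illustration. The first handler shows the insecure direct object reference from the list above: it returns whatever order id arrives in the request. The second performs the authorization check on the server, against the authenticated user, before returning anything.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class User:
    user_id: int
    roles: Set[str] = field(default_factory=set)


# Constructed sample data: each order belongs to exactly one user.
ORDERS: Dict[int, dict] = {
    101: {"owner_id": 1, "total": 42.0},
    102: {"owner_id": 2, "total": 99.5},
}


def get_order_vulnerable(order_id: int) -> Optional[dict]:
    """Insecure direct object reference: the handler trusts the id from the
    request and never asks who is calling, so any logged-in user can read
    any order just by changing the number in the URL."""
    return ORDERS.get(order_id)


class Forbidden(Exception):
    """Raised when an access-control check fails."""


def can_access_order(user: User, order: dict) -> bool:
    """Deny by default: the only explicit allow rules are 'owner' and 'admin'."""
    if "admin" in user.roles:
        return True
    return order["owner_id"] == user.user_id


def get_order(user: User, order_id: int) -> dict:
    """Server-side handler: the check runs on every request, against the
    authenticated user, before any data is returned."""
    order = ORDERS.get(order_id)
    # Use the same error for 'does not exist' and 'not yours' so the
    # response does not reveal which ids are valid.
    if order is None or not can_access_order(user, order):
        raise Forbidden(f"access to order {order_id} denied")
    return order


def is_allowed(user: User, order_id: int) -> bool:
    """Convenience wrapper returning a boolean instead of raising."""
    try:
        get_order(user, order_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = User(user_id=1)
    print("vulnerable handler:", get_order_vulnerable(102))  # Alice reads Bob's order
    print("hardened handler allows Alice on 102:", is_allowed(alice, 102))  # False
```

The important design choice is that the allow rules are enumerated and everything else falls through to `Forbidden`; adding a new role or resource type means adding an explicit rule rather than remembering to add a denial.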

A02:2021-Cryptographic Failures

Whether at rest or in transit, data must be encrypted to prevent sensitive data exposure. When there are problems in cryptography or a complete absence of it, it leads to cryptographic failures.

Common Cryptographic Failures

  • Data stored in plaintext
  • Using old cryptographic algorithms and encryption protocols
  • Using default, old, or reused keys
  • Unvalidated/ improperly validated server certificates and chain of trust
  • Using deprecated cryptographic hash functions, etc.

Impact

Attackers leverage cryptographic failures to

  • Access/ exfiltrate sensitive data
  • Eavesdrop on corporate communications
  • Orchestrate man-in-the-middle attacks, credit card frauds, identity thefts, and phishing attacks, among others

Further, data breaches and sensitive data exposures attract massive penalties and fines for non-compliance.

How to Prevent?

The best way to prevent this security risk is to encrypt everything using robust (and the latest) encryption and hashing protocols. For data in transit, deploy advanced SSL certificates with strong security and technical features like Entrust from Indusface.

A03:2021-Injection

Injection flaws occur when attackers send malicious, invalid, or hostile inputs to the application to make it perform actions it was not programmed to take.

One of the most common injections is SQL injection. The SQL injection vulnerability allows attackers to interfere with the queries the application makes to its database: attackers place crafted SQL fragments in input fields whose values the application embeds in those queries. Other types of injection include cross-site scripting (XSS), CSS injection, code injection, command injection, etc.

Common Vulnerabilities that Enable Injections

  • Application accepts/ runs un-sanitized and unvalidated user inputs
  • Dynamic queries and non-parameterized calls being used without context-aware parsing
  • Hostile data being concatenated or used within ORM search parameters

Impact

This OWASP Top Ten Web Application Security Risk, if successfully exploited, enables attackers to view, modify, delete or exfiltrate data records within databases, take control of the server, redirect traffic to malicious domains, and so on.

How to Prevent?

Sanitization, filtering, and validation of all user inputs across all entry fields are a few effective ways to prevent injections. Intrusion prevention systems such as AppTrana are equipped to detect and prevent malicious user requests and queries from reaching the server or being executed by it.
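The list above names the root cause: dynamic queries built without parameterization. As an added example (not code from Indusface or from OWASP), the block below runs both forms against an in-memory SQLite table with constructed rows, so you can see that a single quote in the input rewrites the concatenated query but is treated purely as data by the parameterized one. The username pattern used for the extra validation layer is an assumption of this example.

```python
import re
import sqlite3
from typing import List, Tuple

# Assumed allow-list for usernames: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Dynamic query built by string concatenation: the input becomes part of
    the SQL grammar, so a quote in it changes what the statement means."""
    query = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Parameterized call: the driver binds the value separately from the
    statement text, so it can only ever be compared as data."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def find_user_validated(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Defense in depth: reject input that cannot be a username before it
    reaches the database, and still use the parameterized query."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return find_user(conn, name)


if __name__ == "__main__":
    db = setup_db()
    tampered = "x' OR '1'='1"          # constructed hostile input
    print("concatenated:", find_user_vulnerable(db, tampered))  # every row comes back
    print("parameterized:", find_user(db, tampered))            # no row named that
    print("validated:", find_user(db, "alice"))
```

Validation alone is not a substitute for parameterization: it reduces the attack surface for this one field, but the parameterized query is what guarantees the database never interprets user input as SQL.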

A04:2021-Insecure Design

Insecure design is a new addition to the OWASP Top 10 2021, owing to the industry-wide shift towards creating secure-by-design apps. This security risk stems from design flaws that weaken security controls.

A secure design that is poorly implemented does create vulnerabilities that attackers can exploit. But an insecure design is far more damaging and costly, because security weaknesses are hard-coded into the application itself. Even a perfect, secure implementation cannot make up for design-level flaws, which is why insecure design has made it to the Top 10 OWASP security risks.

Some Factors That Cause the Insecure Design Flaw

  • Insecure SDLC practices
  • Use of legacy components
  • Use of code, themes, plugins, frameworks, libraries, etc. with known vulnerabilities
  • Not testing enough and not testing early
  • Coding flaws and misconfigurations
  • Lack of business risk profiling
  • Flawed business logic

Impact

  • Sensitive data exposure
  • Web application compromise
  • Attacker interference with business logic, etc.

How to Prevent?

Security must be integrated into the early stages of SDLC, and apps need to be continuously scanned and tested for weaknesses. Only secure components must be used to build the application. Intelligent threat modeling and business risk profiling are imperative for effective security.

A05:2021-Security Misconfiguration

Security misconfigurations occur when the security controls and settings of the application are not properly defined, configured, or implemented, or are left at their default values, leaving the application at risk.

Common Vulnerabilities

  • Lack of adequate security hardening across the application
  • Unnecessary features such as ports, services, pages, accounts, privileges, etc. are enabled/ installed
  • Incorrect, incomplete, or outdated security configurations
  • Default accounts, passwords, configurations, etc.
  • Insecurely configured permissions on cloud services
  • Missing or misconfigured HTTP security headers
  • Outdated/ unpatched software or components
  • Overly informative error messages

Impact

Leveraging this OWASP Top Ten Web Application Security Risk, attackers can gain unauthorized access to your application, functionalities, accounts, and sensitive data or even compromise the entire system.

How to Prevent?

Establish repeatable and continuously updated procedures for hardening security across the stack. Leverage real-time visibility into the application architecture using automated security solutions to identify weaknesses in design and rectify them.
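One repeatable hardening check that fits the "misconfigured security headers" and "overly informative error messages" items above is an automated audit of the headers an application returns. The block below is an added example, not a tool from Indusface: the required-header list, the minimal value checks and the two constructed responses (a stock default and a hardened one) are assumptions of this example, not a complete policy.

```python
from typing import Callable, Dict, List

# Security headers every response should carry, with a minimal value check.
REQUIRED: Dict[str, Callable[[str], bool]] = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Content-Security-Policy": lambda v: bool(v.strip()),
}

# Headers whose only effect is to advertise the software stack and version.
DISCLOSING = ("Server", "X-Powered-By")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one HTTP response; empty means clean.
    Header names are compared case-insensitively, as HTTP requires."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    for name, acceptable in REQUIRED.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif not acceptable(value):
            findings.append(f"weak {name}: {value}")
    for name in DISCLOSING:
        if name.lower() in lower:
            findings.append(f"version disclosure via {name}: {lower[name.lower()]}")
    return findings


# Constructed sample: what a freshly installed stack often sends.
DEFAULT_RESPONSE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
}

# Constructed sample: the same response after hardening.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
}


if __name__ == "__main__":
    for label, response in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or "no findings")
```

Run against real responses, this belongs in a CI job or a scheduled scan so that a configuration change that drops a header is caught on the next run rather than in the next incident.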


A06:2021-Vulnerable and Outdated Components

Given the need for agility, modern applications often leverage open-source and shared components (libraries, frameworks, OS, database management systems, software modules, etc.). Unpatched, vulnerable, and outdated components are easily exploitable and increase the risks of attacks.

Common Vulnerabilities

  • Using components with known vulnerabilities
  • Using unsupported (no longer receiving patches) or incompatible components
  • Using components on the client and server-side without knowing their versions
  • Improperly configured components
  • Not regularly updating components with the latest patches
  • Not regularly scanning for vulnerabilities
  • Developers not testing the compatibility of libraries (updated, upgraded, or patched)

Impact

This OWASP Top 10 2022 vulnerability leaves the application open to a wide range of cyberattacks and weakens the overall security posture.

How to Prevent?

Continuous scanning for components with known vulnerabilities and instantly applying virtual patches or other remedies using an intelligent security solution like Indusface WAS is the most effective prevention measure. Equally important is maintaining an updated inventory of components and real-time visibility into the security posture.

A07:2021-Identification and Authentication Failures

This OWASP Top 10 security risk occurs when applications incorrectly execute user identification, authentication, or session management functions.

Common Vulnerabilities

  • Weak, default, and well-known passwords allowed
  • Weakly-hashed and/or plaintext password data stores
  • Ineffective/ missing multifactor authentication
  • Ineffectively validated session IDs, authentication tokens, etc.
  • Weak forgot password/ credential recovery procedures
  • Session identifiers exposed in URL/ reused after successful login

Impact

This OWASP Top 10 security risk allows attackers to compromise passwords/ session keys/ session IDs, gain unauthorized access, assume identities, modify permissions, etc.

How to Prevent?

Strictly enforce a strong password policy and multifactor authentication. Using a next-gen WAF combined with an intelligent WAF helps detect and rectify these flaws quickly and effectively.
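Two of the list items above, "weak, default, and well-known passwords allowed" and "session identifiers reused after successful login", can be addressed in a few lines of application code. The following is an added example, not code from Indusface: a password-acceptance check against a minimum length and a small constructed stand-in for a breached-password list, and a session store that issues a fresh identifier when the session's privilege changes at login, so that an identifier an attacker obtained before authentication is worthless afterwards. The length threshold and the list contents are assumptions of this example.

```python
import secrets
from typing import Dict, Optional

# Constructed stand-in for a list of breached / well-known passwords.
# In production this would be a large list or a k-anonymity lookup service.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "letmein"}

MIN_LENGTH = 12  # assumed policy value


def password_acceptable(password: str) -> bool:
    """Reject short passwords and anything on the well-known list."""
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS


class SessionStore:
    """Server-side session table keyed by an unguessable identifier."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 random bytes, URL-safe; never derived from user data or time.
        return secrets.token_urlsafe(32)

    def create_anonymous(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, username: str) -> str:
        """Rotate the identifier on privilege change. The pre-login id is
        removed, so anyone holding it (session fixation) is not logged in."""
        data = self._sessions.pop(sid, None)
        if data is None:
            data = {"user": None}  # unknown id: start a clean session
        data["user"] = username
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    before = store.create_anonymous()
    after = store.login(before, "alice")
    print("rotated:", before != after)
    print("old id still valid:", store.user_for(before) is not None)  # False
    print("password 'qwerty' acceptable:", password_acceptable("qwerty"))
```

The session identifier should additionally travel only in a cookie marked `Secure`, `HttpOnly` and with a `SameSite` attribute, never in the URL, which covers the remaining list item above.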

A08:2021-Software and Data Integrity Failures

A newly added category in the OWASP Top Ten Web Application Security Risks list, software and data integrity failures relate to code and infrastructure that do not protect against integrity violations.

Common Vulnerabilities

  • Faulty assumptions about software updates
  • Insecure CI/CD pipelines
  • Application depends on libraries, plugins, and modules from untrusted sources, CDNs, repositories, etc.
  • Insecure deserialization
  • Auto-update functionalities enabled without integrity checks and validation

Impact

Attackers leverage these vulnerabilities to orchestrate targeted attacks such as cache poisoning, code injection, command execution, and denial of service in order to:

  • Spread malware
  • Gain unauthorized access
  • Compromise systems, etc.

How to Prevent?

OWASP Top 10 prevention best practices mandate trusted repositories, incorporation of integrity checks across processes, and rigorous, continuous testing to proactively detect flaws, among others.
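"Incorporation of integrity checks across processes" covers three of the list items above: update downloads, CDN-hosted scripts and deserialization. The block below is an added example, not code from Indusface or OWASP, showing what each check looks like: a pinned SHA-256 digest recorded at release time and verified before an update is applied, a Subresource Integrity value of the kind browsers enforce through the `integrity` attribute, and a loader that accepts only a data-only format instead of a code-executing serializer. The artifact bytes are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Any


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish_pin(artifact: bytes) -> str:
    """Release side: record the digest of the exact bytes being shipped and
    distribute it over a channel separate from the download itself
    (signed release notes, a package index, a lock file)."""
    return sha256_hex(artifact)


def verify_artifact(artifact: bytes, pinned_digest: str) -> bool:
    """Consumer side (auto-updater, CI fetch step): refuse to apply anything
    whose digest differs from the pin, however it was delivered."""
    return hmac.compare_digest(sha256_hex(artifact), pinned_digest)


def sri_value(script: bytes) -> str:
    """Subresource Integrity string for a script served from a CDN, to be put
    in <script src="..." integrity="..."> so the browser rejects a modified
    copy. SHA-384 is the commonly used strength."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script).digest()).decode("ascii")


def load_untrusted(payload: bytes) -> Any:
    """Deserialize data from an untrusted source with a format that can only
    produce data. Native serializers such as pickle can run code on load and
    must never be fed untrusted bytes."""
    return json.loads(payload.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample artifact standing in for an update package.
    artifact = b"binary update payload v1.2.3"
    pin = publish_pin(artifact)
    print("pin:", pin)
    print("genuine verifies:", verify_artifact(artifact, pin))
    print("tampered verifies:", verify_artifact(artifact + b"\x00", pin))
    print("sri:", sri_value(b"console.log('hello')"))
    print("loaded:", load_untrusted(b'{"version": "1.2.3"}'))
```

A digest pin proves the bytes are the ones the publisher hashed; it does not prove who the publisher is. For that, the pin itself needs to come through a trusted channel or be covered by a signature, which is why lock files and signed release metadata belong in the pipeline as well.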

A09:2021-Security Logging and Monitoring Failures

Logging and monitoring flaws hinder threat detection efforts. The faster a breach is detected, the lower the damage. In 2021, breaches took an average of 212 days (over seven months) to identify, largely because they were discovered by external parties rather than by internal processes or monitoring.

Common Vulnerabilities

  • Insufficient, unclear, or no logging of auditable events (logins, failed logins, etc.)
  • Logs not examined for unusual or suspicious activities
  • Storing logs only locally, where an attacker on the host can alter or delete them
  • Real-time monitoring, detection, and alerting systems, response escalation mechanisms, and incident response plans are not in place/ not effective.
  • Error and warning messages unclear, inadequate, or not present

Impact

This vulnerability gives attackers ample time to wreak havoc by exfiltrating sensitive data, corrupting databases, spreading malware, etc.

How to Prevent?

Prevent this OWASP top 10 vulnerability by using logging and audit solutions, regular pen-testing, creating audit trails, establishing incident response and recovery plans, etc.
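The first list item above (log the auditable events) and the second (actually examine the logs) fit together in one added example, which is not code from Indusface: an emitter that writes one structured line per login attempt, recording who, from where and the outcome but never the password, and a detector that replays such lines and raises an alert when one source address accumulates five failures within a minute. The log line format, the threshold, the window and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Optional

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed line format; one event per line, fields that are easy to parse.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def format_auth_event(ts: datetime, user: str, ip: str, success: bool) -> str:
    """Emit an auditable login event. Deliberately no password, no session id."""
    return f"{ts.strftime(TS_FORMAT)} auth user={user} ip={ip} result={'OK' if success else 'FAIL'}"


def parse_line(line: str) -> Optional[dict]:
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FORMAT)
    return event


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, datetime]:
    """Sliding window over failed logins per source IP. Returns {ip: time the
    threshold was first crossed}. Counting per IP rather than per user also
    catches password spraying, where each user sees only one failure."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["result"] != "FAIL":
            continue
        queue = recent[event["ip"]]
        queue.append(event["ts"])
        while queue and event["ts"] - queue[0] > window:
            queue.popleft()
        if len(queue) >= threshold and event["ip"] not in alerts:
            alerts[event["ip"]] = event["ts"]
    return alerts


# Constructed sample log: one address spraying many accounts, one normal user.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth user=alice ip=203.0.113.5 result=FAIL
2024-05-01T10:00:04Z auth user=alice ip=203.0.113.5 result=FAIL
2024-05-01T10:00:07Z auth user=bob ip=203.0.113.5 result=FAIL
2024-05-01T10:00:09Z auth user=carol ip=203.0.113.5 result=FAIL
2024-05-01T10:00:12Z auth user=dave ip=203.0.113.5 result=FAIL
2024-05-01T10:00:15Z auth user=erin ip=203.0.113.5 result=FAIL
2024-05-01T10:00:20Z auth user=frank ip=198.51.100.9 result=FAIL
2024-05-01T10:01:00Z auth user=frank ip=198.51.100.9 result=OK
2024-05-01T10:30:00Z auth user=grace ip=198.51.100.9 result=FAIL
this line is not an auth event and is skipped
"""


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {5} failures within 60s by {when.strftime(TS_FORMAT)}")
```

In production the emitter writes to a log shipped off the host, and the detector runs in the SIEM or log pipeline; the logic is the same, and having it written down as code is what makes the alert testable.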

A10:2021-Server-Side Request Forgery

The SSRF vulnerability occurs when the application fetches a remote resource from a URL supplied by the user without validating it.

Impact

Attackers can easily bypass firewalls, VPNs, and access control lists, coercing applications to send crafted messages to unexpected destinations. This way, they can access and/or modify resources, plant malware, execute code, compromise systems, etc.

How to Prevent?

Enforcing strict access controls and deny-by-default policies, effective validation of user inputs, network segmentation, and building positive lists are important ways to prevent this OWASP Top 10 risk.
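A "positive list" for outbound fetches means the application accepts only URLs whose scheme, host and port it has explicitly approved, and additionally refuses any host that resolves to an internal address. The block below is an added example, not code from Indusface: the allow-listed hosts, the resolver hook and the test addresses are constructed, and the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from typing import Callable
from urllib.parse import urlsplit

# Constructed positive list: the only destinations this feature may fetch from.
ALLOWED_HOSTS = {"images.example.com", "api.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None means the scheme default


def is_public_address(ip: str) -> bool:
    """True only for globally routable addresses: rejects loopback, RFC 1918,
    link-local (cloud metadata ranges), multicast and unspecified addresses."""
    return ipaddress.ip_address(ip).is_global


def validate_fetch_url(url: str, resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """Return the URL if every component is on the allow list, else raise.
    `resolve` maps a hostname to an IP; injected here so tests need no network."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None or host not in ALLOWED_HOSTS:
        raise ValueError("host not on the allow list")
    if parts.port not in ALLOWED_PORTS:  # raises ValueError itself on a malformed port
        raise ValueError("port not allowed")
    ip = resolve(host)
    if not is_public_address(ip):
        raise ValueError("host resolves to a non-public address")
    return url


def is_safe_fetch_url(url: str, resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    try:
        validate_fetch_url(url, resolve)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline.
    fake_dns = {"images.example.com": "93.184.216.34", "api.example.com": "10.0.0.5"}
    for candidate in (
        "https://images.example.com/cat.png",
        "http://images.example.com/cat.png",
        "https://localhost/admin",
        "https://api.example.com/v1",
        "https://images.example.com:8080/cat.png",
    ):
        print(candidate, "->", is_safe_fetch_url(candidate, fake_dns.__getitem__))
```

One caveat the check cannot cover on its own: a hostname can resolve to a public address at validation time and to an internal one when the HTTP client resolves it again (DNS rebinding). The fetch should therefore connect to the IP that was validated, or the validation should be repeated at connect time, and the client must not follow redirects without re-running the same check on the new location.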

Learn more about OWASP’s Top 10 prevention best practices.

Conclusion

While identifying and mitigating the OWASP Top 10 security risks is critical, it is only the bare minimum. Use a next-gen security solution like AppTrana, a cutting-edge platform that keeps your application secure and available, to identify and manage these OWASP Top 10 security risks proactively.

Indusface

Indusface is a leading application security SaaS company that secures critical Web, Mobile, and API applications of 5000+ global customers using its award-winning fully managed platform that integrates web application scanner, web application firewall, DDoS & BOT Mitigation, CDN, and threat intelligence engine.