OWASP TOP 10-2021: ARRIVAL OF NEW RISKS

Aswin Govind
8 min read · Oct 5, 2021


OWASP Top 10 is a document which describes the top web application security risks. On its 20th anniversary they released the final version of their revised Top 10 list of the most critical risks to web applications, which includes three new categories, as well as position shifts compared to the previous report, released in 2017.

OWASP is a non-profit organization that works with thousands of security researchers from around the world. OWASP finally updated the Top 10 in 2021; until now we had been following OWASP Top 10–2017. The new list was built by the community to align secure development and application security practices.

Let’s go through the new Top 10 update.

Here you can see the changes done in OWASP 2017 and 2021.

So, three new entries are in here, five vulnerabilities moved upward and two got combined. Broken Access Control has taken the lead as the category with the most serious web application security risks; it was fifth in the previous version. Compared with any other category, Broken Access Control had the highest number of occurrences when mapping Common Weakness Enumerations (CWEs).

OWASP Top 10 2021:

A01 : 2021- Broken Access Control

A02 : 2021- Cryptographic Failures

A03 : 2021- Injection

A04 : 2021- Insecure Design [NEW]

A05 : 2021- Security Misconfiguration

A06 : 2021- Vulnerable and outdated components

A07 : 2021- Identification & Authentication Failures

A08 : 2021- Software & Data Integrity Failures [NEW]

A09 : 2021- Security Logging & Monitoring Failures

A10 : 2021- Server Side Request Forgery [NEW]

Let’s discuss them one by one.

A01 : 2021- Broken Access Control

Broken Access Control Defined by OWASP: “Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others.”


Broken access control vulnerabilities exist when a user can perform an action or access a resource that they are not supposed to be able to reach: the application lets users perform functions that should be restricted, or lets them access resources that should be protected. In other words, the flaw lies in the authorization logic, and it lets a user escalate privileges and reach restricted functionality.

Examples of broken access control

Allowing any authenticated user to be able to access the administrative page of the application.

Allowing public access to an S3 bucket.

Allowing an authenticated user to access another user’s account details by entering the other user’s ID in the URL. This is also referred to as Insecure Direct Object Reference (or IDOR).

Remediation and prevention

Verify every entity requesting access to a protected resource, and ensure it has sufficient permissions or roles to access that resource.
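The IDOR example above, shown beside the ownership check that fixes it, as an added example that is not part of the original post; the `User` type, the `ACCOUNTS` store and the handler names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


# Constructed sample data: account records keyed by account id.
ACCOUNTS = {
    1: {"owner": 1, "email": "alice@example.test", "balance": 120},
    2: {"owner": 2, "email": "bob@example.test", "balance": 75},
}


def get_account_vulnerable(current: User, requested_id: int) -> Optional[dict]:
    """IDOR: the id taken from the URL is used directly, with no check that
    the caller is allowed to read that record."""
    return ACCOUNTS.get(requested_id)


def can_read_account(current: User, requested_id: int) -> bool:
    """Authorization rule enforced on the server: the record must belong to
    the caller, or the caller must hold the admin role."""
    record = ACCOUNTS.get(requested_id)
    if record is None:
        return False
    return record["owner"] == current.user_id or current.role == "admin"


def get_account_secure(current: User, requested_id: int) -> Optional[dict]:
    """Hardened handler: deny by default, and return the same 'nothing' for
    missing and forbidden records so account ids cannot be enumerated."""
    if not can_read_account(current, requested_id):
        return None
    return ACCOUNTS[requested_id]
```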

A02 : 2021- Cryptographic Failures

Here comes Cryptographic Failures (previously Sensitive Data Exposure), which often results in the exposure of sensitive data or in system compromise.

The major focus here is on cryptographic errors that result in sensitive data exposure. Sensitive data is confidential data or PII that needs to be protected from people with bad intentions; its exposure can have a major business impact and cause financial loss.

Examples of cryptographic failures

Storing user passwords as plaintext within a database.

Using the SSLv3 protocol instead of TLSv1.2 for HTTPS connections.

Missing certificate verification.

Remediation and prevention

Don’t roll your own algorithm. This is one of the most important things we hear in the security realm, and luckily it makes your life easier. It means you should look to use existing algorithms and implementations that have been appropriately vetted and tested.

A03 : 2021- Injection

Injection, which now includes Cross-Site Scripting, drops from first place to third.

Oh no.

Injection is the act of sending untrusted user data to the web application as a part of a command or a query. Additional data can be inserted (or injected) into existing data to be interpreted and used by the system. This is known as an injection vulnerability.

Examples of Injection Vulnerability

SQL Injection

LDAP Injection

Command Injection

Cross Site Scripting (XSS)

Template Injection

Remediation and prevention

Use prepared statements (parameterized queries), so that user input is bound as data and never interpreted as part of the command.

Use stored procedures.

Validating all inputs. This should still be performed where possible, but we must acknowledge that it’s becoming increasingly difficult as systems start to have more and more inputs.

Encode and escape untrusted input accordingly.
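The prepared-statement remediation above, shown next to the string-concatenated query it replaces, as an added example that is not part of the original post; the in-memory `users` table is constructed sample data.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """Untrusted input is spliced into the SQL text, so a value containing
    quote characters changes the meaning of the query (SQL injection)."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn: sqlite3.Connection, name: str) -> List[str]:
    """Prepared statement: the query shape is fixed by the code and the input
    is bound as a parameter, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]
```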

A04 : 2021- Insecure Design [NEW]

This one is completely new in OWASP 2021 and covers issues related to the design of web applications. Building security in from the beginning of the development process results in a more secure application or feature. Many insecure design flaws can also be attributed to business logic vulnerabilities.

Portswigger says “Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal.”

Examples of Insecure Design

Excessive trust in client-side controls

Failing to handle unconventional input (Tampering)

A password reset feature with a flaw that allows anyone to specify which email address the reset email should be sent to.

Etc.

Remediation and prevention

Make sure developers and testers understand the domain that the application serves

Avoid making implicit assumptions about user behavior or the behavior of other parts of the application

Apply threat modeling when planning and designing new requirements.

A05 : 2021- Security Misconfiguration

In the 2017 list this vulnerability was in 6th position. Security Misconfiguration, which now includes XML External Entities (XXE) bugs, lands in fifth position.

This vulnerability occurs when a system component or piece of software is misconfigured or left with its default configuration, giving attackers an opportunity to break into the system. It is mainly due to loopholes left by developers.

Examples of security misconfiguration

Enabling directory listing on a web server.

Disabling authentication on an S3 bucket.

Using a certificate verification configuration that disables all certificate verification.

Remediation and prevention

Make sure you understand the configuration settings of the system or feature.

Do not run with the default configuration.

A06 : 2021- Vulnerable and Outdated Components

This issue was also in the 2017 Top 10 list and has moved to a higher position: #6, whereas it was #9 in 2017 under the name Using Components with Known Vulnerabilities.

The component with a known vulnerability could be the operating system itself, the CMS used, the web server, some plugin installed or even a library used by one of these plugins.

Examples of vulnerable and outdated components

Running outdated software with well known exploits.

Running your application on an unpatched version of CentOS 6.

Remediation and prevention

The very first step you should take is to understand which components your applications use and keep them on updated versions.

Monitor these components properly.

A07 : 2021- Identification & Authentication Failures

Identification and Authentication Failures (previously Broken Authentication) sits in seventh position. Authentication and session management are often not implemented correctly, which allows attackers to compromise passwords and session tokens, most commonly through login pages, forgot-password flows, etc.

Examples of identification and authentication failures

Credential Stuffing

Using a JWT for authentication, but not validating the signature of the token.

Not correctly associating an authentication token with the user performing authentication, thereby allowing anyone with a token to authenticate as any user.

Remediation and prevention

Implement multi-factor authentication (MFA)

Generate new random session IDs with high entropy after login. Those session IDs should not be present in the URL and should be invalidated after logout.

Where possible, use defined authentication protocols and systems such as Security Assertion Markup Language (SAML).
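The "JWT without signature validation" failure above beside a verifier that pins the algorithm and checks the MAC, as an added example that is not part of the original post; the HS256 key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT (header.payload.signature)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url_encode(signature))


def claims_unverified(token: str) -> dict:
    """The failure mode: decode the payload and trust it without ever
    checking the signature, so any edited payload is accepted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def claims_verified(token: str, key: bytes) -> Optional[dict]:
    """Correct handling: pin the algorithm, recompute the MAC over the exact
    header.payload bytes received, and compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # never accept 'none' or a client-chosen alg
        return None
    signing_input = ("%s.%s" % (parts[0], parts[1])).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return None
    return json.loads(_b64url_decode(parts[1]))
```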

A08 : 2021- Software & Data Integrity Failures [NEW]

The Software and Data Integrity Failures category is related to a lack of integrity verification in software updates, critical data, and continuous integration/continuous delivery (CI/CD) pipelines. This vulnerability is a new category in the 2021 list.

Attackers could potentially upload their own updates to be distributed and run on all installations.

Another example is where objects or data are encoded or serialized into a structure that an attacker can see and modify; this is insecure deserialization.

Ensuring this data has not been tampered with is an important security function, as not doing so could allow attackers to potentially gain full access to the application, service or data.

Examples of Software and Data Integrity Failures

Insecure Deserialization

No integrity checks on transmitted data.

Remediation and prevention

Use digital signatures or similar mechanisms to verify the software or data is from the expected source and has not been altered.

A09 : 2021- Security Logging & Monitoring Failures

It was previously named Insufficient Logging & Monitoring and was placed at number 10 in the OWASP 2017 list.

Attribution and auditing are important concepts in security. Logging cannot prevent security issues by itself, but it supports the investigation of and recovery from attacks. It is important to monitor logs, especially security-related logs and events, so you are alerted when an attacker is attempting to target the application or service.

Examples

A CSP policy has been created for an application, but the report-uri directive has not been set.

There is no logging on an authentication page of an application.

When an administrator performs an administrative action on an application, this is not logged.

Remediation and prevention

Ensure all security-critical actions are logged to a central location. This log should include who, when and where the action was performed. You should also ensure that these logs are protected against being tampered with as well from being destroyed or lost. Backups are essential. These logs may also need to be retained for compliance reasons, and should actively trigger appropriate alerts and events which are monitored and triaged.

A10 : 2021- Server Side Request Forgery [NEW]

This vulnerability group is newly added to the 2021 list. Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL.

It allows an attacker to reach the internal network, which cannot be accessed from the public internet.

Examples of SSRF

The system defines users as URIs as opposed to simple IDs, using this URI to access the user’s details.

A system uses a user-supplied URI to access content for a page.

Remediation and prevention

Prevention should be implemented at both the network layer and the application layer; at the application layer this means validating the user-supplied URL.

Do not mitigate SSRF by relying on a deny list or a regular expression.
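Application-layer validation of a user-supplied fetch URL with an allow list instead of a deny list, as an added example that is not part of the original post; `ALLOWED_HOSTS` is a hypothetical allow list and the resolver is injected so the check runs offline.

```python
import ipaddress
from typing import Callable, Iterable, Set
from urllib.parse import urlsplit

# Hypothetical allow list of hosts the application is meant to fetch from.
ALLOWED_HOSTS: Set[str] = {"images.example.test", "cdn.example.test"}


def is_public_ip(ip: str) -> bool:
    """Reject loopback, RFC 1918/ULA, link-local (cloud metadata), multicast,
    reserved and unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_fetch_url(url: str, resolve: Callable[[str], Iterable[str]],
                      allowed_hosts: Set[str] = ALLOWED_HOSTS) -> bool:
    """Allow-list validation of a user-supplied URL: fixed scheme, no userinfo
    tricks, host on the allow list, and every address the host resolves to
    must be public (a single internal record is enough to refuse)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "https://allowed.host@other-host/" style confusion
    host = parts.hostname
    if host is None or host not in allowed_hosts:
        return False
    try:
        addresses = list(resolve(host))
    except Exception:
        return False
    return bool(addresses) and all(is_public_ip(a) for a in addresses)
```

Connect to the address you validated rather than resolving the name a second time at fetch time, so the DNS answer cannot change between the check and the request.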

I hope this was informative. You can read more on OWASP.

Proposed OWASP top 10 is very awesome.

Thanks for reading.

All the best.

SOURCE: OWASP.ORG, MEDIUM
