Top 10 Vulnerabilities by OWASP
Five years after its previous publication, OWASP has today issued its updated list of the top 10 vulnerabilities for organizations in 2021–2022. The 10 widespread vulnerabilities identified by OWASP that are most likely to have an impact on businesses in the upcoming years are explained in this article.
OWASP Top 10: 2021–2022, compared to 2017
A nonprofit organization called OWASP was founded with the purpose of enhancing software security. It is a one-stop shop for those looking for application security failure and practical expertise, as well as businesses, governments, and other international organizations. It presents its own collection of lessons on application security and related topics rather than promoting any commercial services or goods.
Additionally, it embodies the idea of an "open community," in which anybody may take part in online OWASP discussions, projects, and other activities. All of the OWASP's resources, such as online tools, videos, forums, and events, are made available to the general public via its website. Data leaks, shoddy access control, and distributed denial-of-service (DDoS) attacks are all common as a result of the increase in cybercrime. The OWASP Top 10 was created by the OWASP Foundation to aid in avoiding certain security issues. It is an order by assessing the relevance of the 10 most serious security risks to current web apps. The most recent revision to OWASP's "Top 10" list, which was last updated in Q4 of 2021, was made in 2017.
A03:2021-injections expand in scope
Injections are used in the initial modification. When a hacker tries to provide data to a web application, it is known as an "injection attack," and the web program ends up acting inadvertently. These vulnerabilities may involve LDAP (lightweight directory access protocol) injection, SQL, and operating system bugs. The most recent update to the OWASP Top 10 now includes A07:2017 cross-site scripting vulnerability since this weakness is also injectable (XSS).
A05:2021-rising importance of security misconfiguration
This category has climbed in the OWASP Top 10 due to the increase of configuration choices. A04: 2017-XML External Entities starting in 2021 are also included (XXE). An XML input processing client-side software is the target of the XXE attack. When hazardous XML input references to external entities are handled, an XML-External-Entities-Attack occurs. However, this attack only works when the XML parser is broken or badly set up. As a result, A04:2017-XML External Entities (XXE) has been added as a specific kind of misconfiguration to A05:2021-Security Misconfiguration.
The Top 10 OWASP Vulnerabilities for 2022: What Are They?
With revised scope, renamed categories, and consolidation, the Top 10 for 2021 now includes three new categories. Here are the main security flaws to look out for in 2022 to get things going and defend against these dangers:
1. Access control issues
Access control puts tactics into action to stop users from going outside the bounds of the permissions they have been granted. Unauthorized or undesired users may get access to sensitive data, processes, and user privilege settings as a result of access vulnerabilities.
An example of an access control vulnerability is metadata manipulation, which includes tampering with or replaying with a JSON web token (JWT) access control token, or changing cookies or hidden information to increase privileges or exploit JWT invalidation. Another illustration is when the rule of default denial is broken. Everyone has access, but access must only be allowed to certain positions, talents, or users. Attackers may find it easy to gain access to all they want as a result of such flaws. However, by using safe coding techniques and adopting steps like turning off administrator accounts and limits and installing multi-factor authentication, one may prevent insufficient access security mechanisms and identity or password management concerns.
Additional preventative strategies comprise:
- To minimize cross-origin resource sharing, enforce access control methods only once and utilize them throughout the application (CORS).
- Clearly defined application business limits ought to be imposed by domain models.
- Limit user access to controllers and application programming interfaces (API) to lessen the impact of automated attack tools.
- Log access control errors and notify administrators as necessary.
- Model access controls must ensure record ownership rather than providing the user access to create, view, alter, or delete any information.
2. Cryptographic failures
Sensitive data exposure, formerly known as cryptographic failures, moved up one place to position two. The emphasis here is on cryptographic mistakes or lack thereof, which commonly reveal sensitive data; this is more of a symptom than a major cause. The following are common instances of exposed sensitive information:
- Session tokens
- Login credentials and passwords
- Online purchases
- Personal data (switched service network or SSN, health records, etc.)
For instance, automatic database encryption may be used by an application to securely encrypt credit card information. Unfortunately, when this data is read, it is instantly decrypted, making it possible for an attacker to use a SQL injection flaw to extract credit card information in cleartext. The following preventative measures can be taken to minimize these failures:
- To save passwords, you should use strong, salted, adaptive hashing algorithms with a delay factor, such as scrypt, Argon2, PBKDF2, or bcrypt.
- When sharing sensitive data, older protocols like the file transfer protocol (FTP) and simple mail transfer protocol (SMTP) should be avoided.
- It is advisable to use authenticated encryption rather than just utilizing encryption.
- Keys that are generated via cryptographic randomness must be kept in byte arrays. If passwords are used, they must be converted into something akin to a key using a password-based key production process.
A database attack known as injection (also known as SQL injections) targets websites that utilize structured query language (SQL) to collect information or carry out tasks that typically require an authenticated user account. Because these codes are challenging for the software to decipher from its own code, attackers can employ injection attacks to access restricted regions and sensitive information while posing as trusted users. SQL injections, command injections, CRLF injections, LDAP injections, etc. are examples of injections.
94 percent of the applications were checked for injections, with a maximum estimated incidence of 19 percent, an average rate of incidence of 3 percent, and 274,000 incidents. Injection was thus demoted to third on the updated ranking.
Among such preventative strategies are:
- Employing an API that totally avoids the interpreter, provides a parameterized API, or switches to object-relational mapping (ORM) tools is a preferred option.
- It is advised to use server-side validation input that is positive. Special characters are required by several applications, including text fields and APIs for mobile apps.
- It's a wonderful idea to use LIMIT and other SQL limitations inside queries to prevent large amounts of data from being exposed in the event of a SQL injection.
4. Unsafe architecture
This is a new category for 2021 that focuses on design and architectural defects. Reference architectures, threat modeling, and design safety guidelines should all be used more frequently in this area. There are several issues that fall under the broad category of "insecure design," such as "missing or insufficient control design." This does not mean that the other top 10 risk categories are all caused by insecure design.
Insecure implementation differs from insecure design. Even though the design is secure, implementation problems might result in vulnerabilities. On the other hand, if there aren't adequate security measures in place to protect against specific risks, a defective design cannot be made up for by faultless execution. These dangers can be avoided by utilizing the following preventative methods:
- With the help of AppSec experts, set up and apply a secure development lifecycle to assess and create security and privacy measures.
- For important verification, access control, application logic, and crucial flows, threat modeling is suggested.
- User stories should contain terms and controls related to security.
- Another effective preventive strategy is the design-based separation of tenants into distinct groups across all layers.
5. Incorrect security setups
Similar to improperly configured access restrictions, general security setup flaws offer serious risks by giving attackers rapid and simple access to sensitive data and site areas.
90% of applications were examined by OWASP for misconfiguration due to an average incidence rate of 4% and over 208,000 instances of a common weakness enumeration (CWE) in this category. Two significant CWEs are "CWE-16 configuration" and "CWE-611 incorrect limitation of XML external entity reference." Secure installation methods, which include the following, must be utilized to prevent configuration issues:
- A secure environment may be quickly and simply deployed using a methodical reinforcing procedure. Similar environments should be set up for development, quality assurance, and operations, each with its own set of user privileges.
- It is perfect for automating procedures for creating a new safe environment in order to save the required time and effort. Frameworks and features that are not utilized should not be added or uninstalled. The risk of configuration vulnerabilities is reduced by a primary platform devoid of auxiliary features, parts, documentation, or demonstrations.
6. Weak and out-of-date components
Most internet applications are developed using third-party frameworks. Unknown application codes might lead to problematic situations and effects, such SQL injections and accent control violations.
There may be vulnerability-related risks if the application is unreliable, unsupported, or out-of-date. The package consists of the operating system, applications, DBMS, APIs, other components, libraries, and runtime environments. It also contains the application/web server.
Attackers can locate unpatched or incorrectly configured machines using automated methods. For instance, users may find devices that are vulnerable to the Heartbleed issue using the Shodan IoT search engine, which was addressed in April 2014. Several preventative strategies include:
- It is essential to buy parts from reputable vendors using safe payment methods.
- Be on the watch for components and modules that lack functionality or don't offer security updates for previous iterations. If patching is not possible, think about creating virtual patches to monitor, recognize, or protect against the vulnerability.
- Eliminate any extraneous needs, features, components, directories, or documentation.
7. Failures in identification and authentication
Previously known as broken authentication, this category now includes CWEs related to identity issues after falling from second place. Security risks arise when an attacker acquires user data, password recovery, ID sessions, and other login credentials. An identity and authentication failure comprises hackers taking advantage of such vulnerabilities to take advantage of weak authentication, as the name suggests.
These might be indicators of authentication weaknesses if the program allows automated attacks like credential stuffing, when the attacker has access to lists of genuine users and passwords, or predetermined, weaker, and popular passwords like "Password1" or "admin/admin." Consider the following preventative actions to avoid such flaws:
- To prevent automated credential stuffing, brute-force attacks, and the reuse of stolen credentials, multi-factor authentication must be utilized wherever it is practical.
- Password security can be improved by comparing newly created or altered passwords to a database of the 10,000 worst passwords.
- In order to protect password recovery, registrations, and API paths from account enumeration attacks, using the same messages for every outcome is a good idea.
- Installing default login credentials is not recommended, especially for administrative users.
8. Failures in software and data integrity
Data integrity considerations are becoming important for software since more sensitive data is kept in databases that are susceptible to security breaches.
This is a brand-new category that concentrates on taking for granted the reliability of CI/CD processes, critical data, and software upgrades. Applications using add-ons, modules, or repositories from unofficial or content delivery networks (CDNs) are one instance. Unprotected continuous integration/continuous delivery (CI/CD) processes run the risk of unwanted access, system compromise, and malicious code.
Prevention strategies involve:
- To ensure that data or software comes from legitimate sources without being tampered with, one might take precautions like using digital signatures.
- To ensure that components don't include design defects, a security tool for the software supply chains, such as OWASP CycloneDX or OWASP Dependency-Check, may be utilized.
- To protect the integrity of the code throughout setup and deployment processes, it is essential to ensure that the CI/CD workflow includes the requisite segmentation, access control, and parameterization.
- Sending unsigned or unencrypted compilation data to customers who are not trusted is not advised unless integrity checks or a digital signature are in place to detect data duplication or tampering.
9. Failures in security logging and monitoring
A lack of tracking in the presence of suspicious activities and events might extend gaps in time that go unmonitored, allowing security breaches to go unreported for longer than they would with better documentation. This portion of the OWASP Top 10 for 2021 is designed to help with the detection, escalation, and remediation of recent breaches. Without recording and monitoring, it is unlikely that a security breach will be discovered.
This failure was demonstrated by a General Data Protection Regulation (GDPR) issue involving a significant European airline. Over 400,000 customer payments' worth of information were allegedly obtained by hackers who used security holes in payment applications. The airline was penalized by the privacy authorities 20 million pounds for the lost data.
As a precaution against such hacks, users should:
- Check that any issues with authentication, access security, and server-side data validation are documented with enough user information to identify erroneous or fraudulent accounts and preserved for a long enough time to support a delayed thorough investigation.
- Ensure that logs are produced in forms that log management systems can use.
- Develop or use a newer version of NIST 800-61r2 or another approach for incident recovery and response efforts.
- Make that log data is properly encoded to prevent hacker threats or intrusions into the monitoring systems.
10. Server-side request forgery (SSRF)
An above-average testing coverage, a comparatively low incidence rate, and above-average Impact and Exploit scores are among the findings for this category. When server-side queries are made without first checking the user-provided URL, SSRF develops. This enables an attacker to bypass network access control lists, virtual private networks, or firewalls to force an application to send a falsified request to a malicious address (ACL).
With the introduction of new web apps that provide end-users practical functions, fetching a URL has become a common occurrence. As a result, the prevalence of SSRF is rising. Additionally, cloud services and design complexity are contributing to an increase in SSRF intensity. In light of this, the following preventative methods can be used to prevent similar attacks:
- One should divide distant resource access functions into several networks to reduce the impact of SSRF.
- Install network access control rules or "deny by default" firewall settings to prevent all web traffic aside from necessary internal traffic.
- It's wise to be aware of URL correctness to defend against attacks like DNS remapping and "time of check, time of usage" in (TOCTOU) scenarios.
Implementing OWASP's Top 10 Insights
The 2021 update comes with a number of notable improvements over earlier versions. The newly classified category A04:2021-insecure design clearly suggests that security has to be prioritized even during the design phase. The benefits of microservices versus monoliths in terms of security come next. They are not impenetrable, though, as shown by A10:2021-server-side request forgery (SSRF), which calls for extra parameters (A05:2021-security misconfiguration).
Taking OWASP's recommendations into consideration may increase application security against cyberthreats, strengthen network and cloud encryption, increase application success rates, and significantly boost a company's cyber resilience.