Overview of OWASP Top 10 for 2021
The OWASP Top Ten is a list of web application security vulnerabilities, released by the Open Web Application Security Project that “is intended to serve as an educational tool for developers and security professionals.”
There are three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10 for 2021. They’ve changed names when necessary to focus on the root cause over the symptom. They’ve also tried to reduce duplication and overlap by recognizing that some of the items are very close cousins.
The OWASP Top 10 for 2021 consists of six new entries, one renamed entry, and three consolidated entries from the current OWASP Top 10 release. Let’s take a look at each of them.
Broken Access Control
The number one spot in this list goes to the category with the most significant web application security risk. Broken Access Control was previously in fifth place, but it is now adjusting to reflect the fact that this field includes a wide range of threats. The OWASP Top 10 for 2021 adds the following items to the category:
- Brute force attacks
- Circumvention of authentication and authorization
- Impersonation
- Password resets (in context)
What makes this entry so attractive to attackers is that there are several methods to exploit these flaws, most of which do not require a profound understanding of code. The common denominator that they all share is the lack of protection for end users.
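As an added illustration of the circumvention-of-authorization item above (this is example code written for this page, not code from OWASP), the snippet below contrasts a lookup that trusts any authenticated caller with one that enforces object-level ownership. The data, the `User`/`Forbidden` types and the function names are constructed for the example.

```python
# Added example: insecure direct object reference vs. an object-level
# authorization check. Data, roles and function names are constructed.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin"


# Constructed sample data: invoice_id -> owning user_id and amount.
INVOICES: Dict[int, dict] = {
    101: {"owner": 1, "amount": 250.00},
    102: {"owner": 2, "amount": 99.50},
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_invoice_insecure(user: User, invoice_id: int) -> dict:
    # Vulnerable: any authenticated user can read any invoice just by
    # supplying its id; the caller's identity is never consulted.
    return INVOICES[invoice_id]


def can_read_invoice(user: User, invoice: dict) -> bool:
    # Deny by default; allow only the owner or an administrator.
    return user.role == "admin" or invoice["owner"] == user.user_id


def get_invoice(user: User, invoice_id: int) -> dict:
    # Hardened: resolve the object, then enforce ownership before returning it.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_read_invoice(user, invoice):
        # Same error for "missing" and "not yours" so ids cannot be enumerated.
        raise Forbidden(f"invoice {invoice_id} not accessible")
    return invoice


def demo() -> Tuple[bool, bool]:
    """Return (insecure lookup leaked another user's invoice, hardened lookup blocked it)."""
    alice = User(user_id=1, role="customer")
    leaked = get_invoice_insecure(alice, 102)["owner"] == 2
    try:
        get_invoice(alice, 102)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The hardened version also returns the same error for a non-existent id and for an id the caller does not own, which keeps a guessed id from confirming that the record exists.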
Cryptographic Failures
The new vulnerability takes the place of A3:2017-Sensitive Data Exposure, which was previously ranked at #2. This vulnerability was added to the OWASP Top 10 list in the last update. Cryptographic Failures is about when data protection mechanisms are not used correctly, either when using symmetric encryption with a key that is shared across several components or asymmetric cryptography where private keys are distributed in plain text.
Some of the problems that come up include predictable random number generators, lack of entropy, and predictable keys. This vulnerability can leave an opening for data tampering either in data storage or while it is transferred over the network.
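To make the "predictable random number generators" and "data tampering in transit" points concrete, here is an added example (not from OWASP or the original post) that shows a reset token drawn from a seeded PRNG being reproducible, the CSPRNG alternative, and an HMAC tag that rejects a modified message. The seed value, the sample message and the function names are constructed.

```python
# Added example: predictable vs. unpredictable token generation, and an
# integrity tag that detects tampering in transit. Names are illustrative.
import hashlib
import hmac
import random
import secrets

ALPHABET = "0123456789abcdef"


def weak_reset_token(seed: int) -> str:
    # Vulnerable: random.Random is a deterministic PRNG (Mersenne Twister).
    # A seed derived from the clock or a user id makes every token reproducible.
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(32))


def strong_reset_token() -> str:
    # Hardened: secrets draws from the OS CSPRNG; 32 random bytes -> 64 hex chars.
    return secrets.token_hex(32)


def weak_token_is_reproducible(seed: int) -> bool:
    # Two generations from the same seed yield the same "secret" token.
    return weak_reset_token(seed) == weak_reset_token(seed)


def tag_message(key: bytes, message: bytes) -> str:
    # HMAC-SHA256 over the message. The key stays server-side; shipping it in
    # plain text to other components is exactly the failure the text describes.
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def message_is_intact(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(tag_message(key, message), tag)


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed per-run key
    original = b'{"account": "1001", "amount": 25}'
    tag = tag_message(key, original)
    tampered = b'{"account": "1001", "amount": 2500}'  # constructed in-transit edit
    return {
        "weak_reproducible": weak_token_is_reproducible(20210924),
        "strong_unique": strong_reset_token() != strong_reset_token(),
        "original_accepted": message_is_intact(key, original, tag),
        "tampered_rejected": not message_is_intact(key, tampered, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC only proves integrity, not confidentiality; if the payload itself must stay secret it additionally needs authenticated encryption with a key that is not shared across components.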
Injection
The first change to the third spot on the list deals with injection attacks, including SQL injections and command injections. This vulnerability has held this spot since 2010 when it was ranked as A6:2010-Security Misconfiguration.
The OWASP Top 10 for 2021 moves the focus away from web application security risk towards business logic flaws where an application can be hacked through database access. They’ve added the following items to the list:
- Parameter manipulation
- Injection flaws via APIs
In some cases, web applications are made vulnerable by a dependency on another system where components of the backend may not be configured as securely as they should be or where insecure components make their way into the application.
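The SQL injection case mentioned at the top of this section, shown as an added example (not code from OWASP or the original author): an in-memory SQLite table, a query that concatenates user input into SQL text, and the parameterized form that treats the same input as data. The table contents and the probe string are constructed for the demonstration.

```python
# Added example: SQL built by string formatting vs. a parameterized query.
# The table and its rows are constructed sample data.
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "customer"), ("bob", "customer"), ("carol", "admin")],
    )
    return conn


def find_user_insecure(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Vulnerable: untrusted input becomes part of the SQL grammar, so a quote
    # in the input changes the WHERE clause instead of being matched literally.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Hardened: the driver binds the value separately from the statement text,
    # so the input can only ever be compared against the name column.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> Tuple[int, int]:
    """Return (rows leaked by the insecure query, rows returned by the safe one)."""
    conn = build_db()
    probe = "x' OR '1'='1"  # constructed input a tester would use to detect the flaw
    return len(find_user_insecure(conn, probe)), len(find_user(conn, probe))


if __name__ == "__main__":
    print(demo())  # (3, 0)
```

The same rule applies to the command-injection case the section mentions: pass arguments as a list to `subprocess.run` rather than assembling a shell string.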
Insecure Design Patterns
Insecure Design Patterns has been added to the list to address design issues with an application instead of looking at specific vulnerabilities. The OWASP Top 10 for 2021 defines this vulnerability as:
- Logic flaws from improper logic structures
- Insecure direct object references involving states or actions that a user should not be able to access without proper authentication
- Insecure usage of authentication and session management mechanisms
In many cases, applications have been designed with data protections as an afterthought. In these cases, it is very easy for a security researcher to identify serious flaws that can result in financial loss or identity theft.
Security Misconfiguration
The OWASP Top 10 for 2021 also adjusts the current top slot on their list. Security Misconfiguration was previously ranked at #3, but it has been moved up to the number one spot with the addition of A13:2017-Using Components With Known Vulnerabilities. This vulnerability is defined as:
- Application data in the wrong hands
- Insecure or inconsistently configured cryptographic storage
- Weak security configurations
This vulnerability is a combination of many other vulnerabilities that were previously ranked on the OWASP Top 10 list. It captures all known configuration weaknesses and combines them with some new items such as using components with known vulnerabilities, insufficient attack protection, and insecure SSL/TLS configuration.
Vulnerable and Outdated Components
This year’s list takes on a new vulnerability related to components of an application. This includes insecure use of libraries, frameworks, and third-party components used within the application. Some key examples:
- Application components are available on known or default publicly accessible paths
- Components are using outdated/vulnerable components that provide easy access to sensitive data
- Components are not using standard secure coding techniques or weak cryptography standards
If any of these vulnerabilities are identified, it can lead to the same sorts of devastating results that A5:2021-Security Misconfiguration is designed to prevent.
Identification and Authentication Failures
This vulnerability is currently ranked number seven on the Top 10 list, but it’s one that application security professionals need to be aware of moving forward. Identity and authentication failures can be defined as:
- Insufficient identification and authentication mechanisms
- Unreliable identification and authentication mechanisms
- Insecurely stored passwords, password reset tokens, or other insecure forms of identity proofing (e.g. knowledge-based)
This vulnerability is generally addressed through the use of multi-factor authentication, which is one of the leading mechanisms in application security.
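An added example (written for this page, not OWASP code) of the two controls this section names: salted, iterated password hashing for the stored credential, and an HMAC-based one-time password (HOTP, RFC 4226) as the second factor. The iteration count, the sample secret and the `authenticate` signature are assumptions for the demonstration; the HOTP test values in the usage note are the RFC's published vectors.

```python
# Added example: password storage with PBKDF2 and an RFC 4226 HOTP second factor.
# Iteration count and sample secrets are illustrative values.
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # illustrative; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Per-user random salt so identical passwords hash differently; PBKDF2
    # makes each guess expensive, which blunts offline cracking of a dump.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    # truncation by the low nibble of the last byte, 31-bit value mod 10^digits.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authenticate(password: str, otp: str, salt: bytes, stored: bytes,
                 otp_secret: bytes, counter: int) -> bool:
    # Both factors are always evaluated so a failure does not reveal which one
    # was wrong; the caller advances `counter` on success.
    pw_ok = verify_password(password, salt, stored)
    otp_ok = hmac.compare_digest(otp, hotp(otp_secret, counter))
    return pw_ok and otp_ok


def demo() -> Tuple[bool, bool, bool]:
    salt, stored = hash_password("correct horse battery staple")  # constructed
    secret = b"12345678901234567890"                                 # RFC 4226 sample secret
    good = authenticate("correct horse battery staple", hotp(secret, 0), salt, stored, secret, 0)
    bad_pw = authenticate("wrong", hotp(secret, 0), salt, stored, secret, 0)
    bad_otp = authenticate("correct horse battery staple", "000000", salt, stored, secret, 0)
    return good, bad_pw, bad_otp


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

With the RFC 4226 sample secret `12345678901234567890`, counters 0 and 1 produce `755224` and `287082`, which is a quick way to confirm the truncation step was implemented correctly.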
Software and Data Integrity Failures
The OWASP Top 10 for 2021 assigns A8:2021-Software and Data Integrity Failures to vulnerabilities that are related to the installation of malicious software, data alteration, or data integrity issues.
These issues include things like:
- Hardcoded sensitive information in source code or configuration files
- Interaction with third-party components/services
- Untrusted input passed as a parameter to an OS command
- Unvalidated redirects and forwards that ultimately result in sensitive data being sent to a third party or web browser
These vulnerabilities have been seen before, but their prevalence could not be determined without the use of automated tools. The OWASP Top 10 for 2021 hopes to bring these issues more to light so they can be addressed properly.
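Two of the list items above (installing software whose integrity has not been verified, and hardcoded secrets in configuration files) lend themselves to simple automated checks. The following is an added example, not OWASP or project code: a pinned-digest check for an artifact before it is installed, and a scanner that flags secret-looking assignments in a config file. The artifact bytes, the lockfile mapping, the config text and the regex are constructed for the demonstration.

```python
# Added example: verify an artifact against a pinned SHA-256 before use, and
# flag hardcoded secrets in configuration text. All sample data is constructed.
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed "artifact" and lockfile. The digest is computed here only so the
# example is self-contained; in practice it is pinned at review time and
# committed alongside the dependency list, never computed at install time.
SAMPLE_ARTIFACT = b"def greet():\n    return 'hello'\n"
PINNED_DIGESTS: Dict[str, str] = {
    "greet-1.0.0.py": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest(),
}


class IntegrityError(Exception):
    """Raised when an artifact is unpinned or does not match its pinned digest."""


def verify_artifact(name: str, content: bytes) -> bool:
    expected = PINNED_DIGESTS.get(name)
    if expected is None:
        # Unpinned dependencies are refused rather than silently trusted.
        raise IntegrityError(f"no pinned digest for {name}")
    actual = hashlib.sha256(content).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"digest mismatch for {name}")
    return True


# Constructed config text with two secret-looking assignments.
SAMPLE_CONFIG = """db_host = db.internal
db_password = "Sup3rS3cretPassw0rd"
api_key: sk_test_constructed_value_123
log_level = info
"""

# Heuristic: a key containing password/secret/api_key/token followed by a
# literal of 8+ non-space characters. Tune for your config dialect.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?[^'\"\s]{8,}"
)


def find_hardcoded_secrets(config_text: str) -> List[int]:
    """Return 1-based line numbers that look like hardcoded secrets."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if SECRET_ASSIGNMENT.search(line):
            hits.append(lineno)
    return hits


def demo() -> Dict[str, object]:
    try:
        tampered_rejected = not verify_artifact("greet-1.0.0.py", SAMPLE_ARTIFACT + b"#\n")
    except IntegrityError:
        tampered_rejected = True
    return {
        "genuine_accepted": verify_artifact("greet-1.0.0.py", SAMPLE_ARTIFACT),
        "tampered_rejected": tampered_rejected,
        "secret_lines": find_hardcoded_secrets(SAMPLE_CONFIG),
    }


if __name__ == "__main__":
    print(demo())
```

The scanner is a heuristic and will produce false positives on values that merely look like secrets; the point is that the check runs in CI so a leaked credential is caught before it reaches a repository or a build artifact.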
Security Logging and Monitoring Failures
This category captures all security monitoring issues related to application activity, session management, and sensitive data exposure. Some examples of this vulnerability include:
- Application logs that are not properly configured or not enabled
- Failure to log sufficient information about authentication events
- Failure to log sufficient information when a user accesses sensitive data
- No ability to monitor or alert upon anomalous behavior from legitimate users
This vulnerability includes the gaps that have been seen in security logging and monitoring over time. It’s not just a matter of configuration, as sometimes it’s down to an application not being capable of monitoring itself.
Server-Side Request Forgery
This category was initially expected to be named “Insufficient Attack Protection” but it ended up being called Server-Side Request Forgery. This vulnerability captures all known methods of server-side request forgery, which are attacks that use the web application as an attack vector.
The OWASP Top 10 for 2021 lists examples of this vulnerability as:
- Injection flaws that allow a malicious user to control or influence the request from the web application to the back end database and vice versa
- Missing authentication and session management controls that render an application vulnerable
- Lack of proper error handling in the web application itself
- Insufficient logging mechanisms that make it difficult to recognize or investigate a request forgery attack
This vulnerability often goes hand-in-hand with A1:2021-Security Misconfiguration and is something that attackers will continue to exploit as they find ways around new security mechanisms.
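As an added example of the defensive side (not OWASP or project code), the function below validates a user-supplied URL before the server fetches it: it requires an allowed scheme, rejects embedded credentials, refuses loopback, private, link-local and other non-public IP literals, and only then checks the host against an allowlist. The allowlist hosts and the test URLs are constructed.

```python
# Added example: validating an outbound URL before a server-side fetch.
# The allowlist and sample URLs are constructed for the demonstration.
import ipaddress
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "images.example.com"}  # constructed allowlist


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched on the user's behalf."""


def is_non_public_address(host: str) -> bool:
    # Only applies to IP literals; hostnames are handled by the allowlist.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(url: str) -> str:
    """Return a normalized URL if it is safe to fetch, else raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        # "https://trusted@attacker/" parses with hostname "attacker".
        raise UnsafeURL("credentials in URL are not allowed")
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        raise UnsafeURL("missing host")
    if is_non_public_address(host):
        raise UnsafeURL(f"non-public address: {host}")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not in allowlist: {host}")
    if parts.port not in (None, 443):  # .port raises ValueError on junk ports
        raise UnsafeURL(f"port not allowed: {parts.port}")
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def is_fetchable(url: str) -> bool:
    try:
        validate_outbound_url(url)
        return True
    except (UnsafeURL, ValueError):
        return False


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/items?id=3",
              "http://api.example.com/",
              "https://10.0.0.5/admin",
              "https://[::1]/",
              "file:///etc/passwd",
              "https://api.example.com@evil.example/"):
        print(u, "->", is_fetchable(u))
```

The allowlist is the real control here; the IP-literal checks only cover the obvious cases. A hostname on the allowlist can still resolve to an internal address if DNS is attacker-influenced, so the resolved address should be checked again at connect time and redirects should not be followed automatically.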
Conclusion
The OWASP Top 10 has changed many times since its inception in 2003, but it still serves as a good benchmark to follow when it comes to application security. The latest version of the list was voted on by OWASP members and will continue to evolve over time.
More information about the 2021 releases can be found here.