OWASP TOP 10 LIST
Top 10 as at August 2024. It is liable to change.
OWASP, short for Open Web Application Security Project, is a global nonprofit organization dedicated to improving the security of web applications and software. Every year, OWASP releases a “Top Ten” List. The organization is comprised of a community of security professionals, developers, and experts to focus on identifying, mitigating, and raising awareness about security risks and vulnerabilities that can affect web-based technologies. OWASP's most renowned initiative is the Top Ten Project, which identifies and ranks the most significant web application security risks, offering actionable recommendations for their mitigation. The OWASP mission statement is “to be the global open community that powers secure software through education, tools, and collaboration.” The agenda is to maintain integrity, open, innovative and global. The nonprofit aims to use the combined skills, expertise, resources, and ideas of experts and members across the globe to take tangible action to protect and secure all software. Some projects include: a guide to define security requirements to build secure web applications; developing an industry standard testing framework for web application security.?If your organization is interested in Web application security, then OWASP is the first and most comprehensive site to gain an insight into Web-based controls. It is designed to be an unbiased group focused on the best interests of the technology world as a whole. OWASP aims to provide practical information to organizations all across the world, with the goal of offering helpful security advice to bring about more informed decisions. It aids organizations in being competitive and credible, provides developers with more trust in their work, and protects end users' data by giving techniques for handling their personal information. Since the publication of the first edition in 2003, the OWASP Top 10 has been revised six times – in 2004, 2007, 2010, 2013, 2017, and most recently in 2021. As of the time of this entry, the current top 10 are:?
A01:2021-Broken Access Control: When access controls are broken/ misconfigured, attackers can simply bypass authorization and perform actions they should not be permitted to do. These vulnerabilities allow hackers to gain unauthorized access to applications, view and conduct malicious activities, such as data disclosure, modification, and destruction. Conclusively, broken access control means doors are unintentionally left open, granting unintended permissions. The mitigation for BAC includes logging and monitoring, regular security audits, Role-Based Access Control (RBAC),?Multi-factor authentication (MFA), implement authorization, encrypt passwords, secured session management. High-performance web application firewalls (WAF) and zero-trust network access (ZTNA) solutions can help mitigate access control failures. Be sure that the access control mechanism is appropriately applied, on the server side, on all pages and API endpoints for web applications.?
A02:2021-Cryptographic Failures: Improperly implemented encryption mechanisms, outdated and weak encryption algorithms are the primary cause of this issue. Encoding and Decoding information, ensuring that only an intended recipient can access the original data but when it fails. Sensitive data becomes vulnerable to unauthorized access and potential breaches. A common example is using the default keys or applying weak algorithms which can easily become susceptible by attacker's invasion. This can occur both at rest and in transit over the network. Cryptography is used to protect passwords, credit card numbers, health records, personal information and other sensitive information which are affiliated and covered by organizational standards like PCI Data Security Standards (PCI DSS) or data privacy regulations like the EU General Data Protection Regulation (GDPR). This failure could be mitigated by Encrypt all sensitive data at rest using strong encryption algorithms, protocols, and keys. Encrypt data in transit using secure protocols like TLS and HTTP HSTS. Disable caching for sensitive data. Store passwords using strong, salted hashing functions and implement regular security testing (including code reviews and vulnerability assessments) to identify and fix cryptographic weaknesses.?
A03:2021- Injection:? Attackers inject malicious or invalid data into web applications, tricking or causing them to execute unintended actions that can lead to security breaches. For example, SQL Injection, LDAP Injection, XML Injection and Cross-Site Scripting (XSS). It leads to the improper usage of the design. Web applications that accept user input must properly validate that input before interpreting it. When this is not done properly, attackers can inject code or commands which are then executed and makes the application do something that it was not designed to do. The corrupted data is relayed to the web application through user data submission fields like forms and comment sections.? When non-parameterized queries and Improper permissions and privileges are being used, it is called injection. This could be mitigated if the applications could be automated to distinguish code from data and validate, sanitize, and escape all user inputs. Use a safe API which avoids the use of the interpreter entirely and/or “whitelist” server-side input validation. Injection flaws are easy to discover when conducting a code review and Pen testers are great at flushing them out quickly.?
A04:2021-Insecure Design: This happens when there are design flaws, inadequate design security and privacy-related controls. Architectural flaws due to ineffective risk profiling and assessment before and during software development. Emphasis has been laid on incorporating security considerations from the design phase. Adopting a security-centric design mindset is imminent to mitigate risks and adopt proactive approach to every development. secure design patterns and principles, secure coding practices and testing throughout the development lifecycle would help to mitigate. An insecure design cannot be fixed by proper implementation or configuration. This is because it lacks basic security controls that can effectively protect against important threats.?
A05:2021-Security Misconfiguration: Misconfiguration causes design or configuration flaws. This happens when secure configuration settings are not defined, implemented, or maintained, or they are configured with unnecessary functionality enabled or installed. Also enabling or installing features that are not required, and default admin accounts or passwords. Configurations should be regularly updated, applying patches and security advisories and all systems should have a minimal setup without unnecessary features and components. Many attacks are entirely automated and rely on exploiting default settings to access network and critical data. Operating systems, libraries, and applications be correctly configured and patched in a timely way.?
A06:2021-Vulnerable and Outdated Components: Platform, Framework, and Dependency not being updated or upgraded to the latest version are susceptible to exploitations from attackers. It requires components with known vulnerabilities to be fixed while malicious or stale components should be evaluated for any new security breaches that they may introduce.? For vulnerabilities resulting from unsupported or outdated software, anyone who builds or uses an application without knowing its internal components, their versions, and whether they are updated, is exposed to this category of vulnerabilities. Mitigations can be done by continuously scanning libraries and their dependencies for vulnerable components, use components only from validated sources, and removing affected components. Create an inventory that lists all the connected components in your environment and keeps you up to date on each one’s behavior. Security incidents due to outdated components can tarnish your organization’s reputation and erode trust with users. Develop fallback plans to mitigate vulnerabilities in case an immediate update is not feasible.?
A07:2021-Identification and Authentication Failures: This occurs When an application does have a weak password check, multi-factor authentication, or session timeout feature. when Authentication and session management are flawed, then there are flaws in the security process. Security flaws in these processes can allow attackers to compromise user accounts, identities gain unauthorized access to stage an attack. These failures can result in unauthorized access to sensitive data or critical system functionalities, ranging from weak password policies to mishandling password reset functions or misconfigured multi-factor authentication processes. Mitigation is achieved by Implementing multi-factor authentication, securing session management, and strong password policies. Protect all credentials during storage and transit.?
A08:2021-Software and Data Integrity Failures: When a Malicious code is injected through third-party services or libraries, it tampers with data in transit. Coding or Infrastructure of an application are expected to protect against integrity violations or else there comes an attack. Consider an instance where an application depends on components from untrusted origins like plugins, libraries, or modules sourced from repositories and content delivery networks (CDNs). A vulnerable CI/CD pipeline could lead to unauthorized access, malicious code, or system breach. Attackers can exploit these to gain unauthorized access, write malicious code, and compromise systems. For example, attackers can distribute their malware by injecting software updates with malicious code. Arising from flawed code, malware infections, or inside threats, the repercussions range from corrupted databases to compromised application functionality. Implementing stringent controls is essential to maintaining trustworthy data, bolstering user confidence and system reliability. Ensure integrity checks, digital signatures, and secure software update mechanisms. Validate the integrity of data and software regularly.?
领英推荐
A09:2021-Security Logging and Monitoring Failures: Poor logging and monitoring capabilities mean that incidents are missed, and alerts are not generated, and they could remain unnoticed for long. Examples are denied logins, failed logins, and high value transactions, and application APIs. Threat actors to further attack systems and unfold other malicious behavior. Lack of visibility and insufficient logging and monitoring is detected in most major incident. Threat actors rely on the lack of visibility and monitoring to anonymously perpetuate or launch attacks. This may lead the Organizations may fail to meet compliance requirements, leading to legal and financial repercussions. Establish log retention policies to ensure you retain logs for a sufficient duration for investigative and compliance purposes. Logging and monitoring are critical and vital to help detect active breaches.? Of all the top 10 risks, this one might seem the easiest to mitigate, but it remains a major problem in industry. It often allows attackers to pivot to other systems and expand the scope of their activities.?
A10:2021-Server-Side Request Forgery (SSRF): This happens when a web app fetches a remote resource without validating the user-provided URL. This is achieved by altering the app to send a manipulated request to another location, bypassing Networking security system, VPN, or network ACL safeguards. For some reasons and with the SSRF, firewall or VPN fail to provide enough protection. SSRF attacks are on the rise because modern web applications offer many features that make URL requests.? It is a severe vulnerability wherein an attacker induces the server to make an unwanted request. The risk lies in the server making requests on behalf of the attacker, accessing internal resources usually shielded from external actors. Mitigation used is to Validate and sanitize all user inputs, especially URL parameters. Implement strict access controls and network segmentation to limit the attacker’s ability to interact with the backend infrastructure.?
Conclusion: Web security testing aims to find security vulnerabilities in Web applications and their configuration. The primary target is the application layer, where the HTTP protocol runs. OWASP will assist your organization with risk mitigation, threat modeling, and architectural threat analysis and is thus a valuable resource to network and create relationships with. OWASP establishes an industry standard for code review guidelines and frameworks that give developers documentation for penetration testing best practices. Developers and organizations should prioritize web application security from the initial stages of development and throughout the software development lifecycle. While having detailed reports is crucial to making use of the data that your scanner finds, it is not enough. Scanner should also have the ability to convert vulnerability data into a specific, detailed remediation plan. This proactive approach not only safeguards sensitive data and systems but also fosters trust with users and stakeholders.?
References: