Easy Understanding of OWASP Top 10-2021

Akash Venky
Feb 4, 2022

What is OWASP?

OWASP is a worldwide-accepted standard reference for security engineers, developers and testers to identify and fix vulnerabilities in web applications, mobile applications and code review.

History of the OWASP Top 10

Started by Mark Curphey in 2003 and updated in 2004, 2007, 2010, 2013 and 2017; the new version was released on Sept 24th, 2021.

Once every 3–4 years, OWASP re-categorizes the list according to the current attack vectors, impacts, exploits, CVEs, CWEs, etc.

OWASP Top 10–2021: non-web vulnerabilities

• Sensitive Data Exposure

• XML External Entities

• Non-Compliance

• Insecure Deserialization

Why OWASP is Important

It gives organizations a priority order for which risks to focus on, and helps us understand, identify, mitigate and fix vulnerabilities. The 2021 edition focuses on risks related to design and architectural flaws, threat modeling and secure design patterns.

Key points in the OWASP Top 10–2021

· 3 new categories were added

· 4 categories had naming & scoping changes

· Some consolidations in the Top 10–2021

OWASP Top 10–2021 (headings) [Read the full content for detailed descriptions]

A1: Broken Access Control [moves from 5th to the top]

A2: Cryptographic Failures [previously A3: Sensitive Data Exposure]

A3: Injection [XSS is now a part of Injection]

A4: Insecure Design [new category, focused on threat modeling and secure design patterns]

A5: Security Misconfiguration [XXE is now a part of Security Misconfiguration]

A6: Vulnerable and Outdated Components [previously Using Components with Known Vulnerabilities]

A7: Identification and Authentication Failures [previously Broken Authentication]

A8: Software and Data Integrity Failures [new; includes Insecure Deserialization]

A9: Security Logging and Monitoring Failures [previously Insufficient Logging and Monitoring]

A10: Server-Side Request Forgery [server-side request related issues]

Explained in an understandable format

A1: Broken Access Control

Gaining access to an application's admin dashboard [bypassing logins to gain internal access].

A few easy examples:

Acting as a user without being logged in, or acting as an admin when logged in as a user.

Metadata manipulation, vertical privilege escalation, horizontal privilege escalation.
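To make the horizontal and vertical escalation cases concrete, here is an added example (my illustration, not code from the original post or from OWASP): the same "fetch an order" action first with no access check and then with object-level and function-level authorization. The User record, the in-memory ORDERS table and the role names are made up for the demo.

```python
# Added example: broken access control, missing vs. enforced checks.
# User, ORDERS and the role names are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin" (constructed roles)


# Constructed sample data: which user owns which order.
ORDERS = {
    101: {"owner": 1, "item": "keyboard"},
    102: {"owner": 2, "item": "monitor"},
}


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


def get_order_insecure(order_id: int) -> dict:
    # Vulnerable: the order_id comes straight from the request and nobody asks
    # who is calling, so any logged-in user can read anyone's order
    # (horizontal privilege escalation).
    return ORDERS[order_id]


def get_order(current_user: User, order_id: int) -> dict:
    # Hardened: object-level authorization. The record is released only to its
    # owner or to an admin. "Not found" and "not yours" share one answer so the
    # endpoint cannot be used to enumerate valid order ids.
    order = ORDERS.get(order_id)
    if order is None or (order["owner"] != current_user.user_id
                         and current_user.role != "admin"):
        raise Forbidden("not allowed")
    return order


def delete_all_orders(current_user: User) -> int:
    # Hardened: function-level authorization, deny by default. Only the admin
    # role reaches this action (blocks vertical privilege escalation).
    if current_user.role != "admin":
        raise Forbidden("admin only")
    count = len(ORDERS)
    ORDERS.clear()
    return count


def can(action, *args) -> bool:
    """True if the action succeeds for the caller, False if it is Forbidden."""
    try:
        action(*args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, bob, admin = User(1, "user"), User(2, "user"), User(0, "admin")
    print("alice reads own order:   ", can(get_order, alice, 101))   # True
    print("alice reads bob's order: ", can(get_order, alice, 102))   # False
    print("admin reads bob's order: ", can(get_order, admin, 102))   # True
    print("bob deletes everything:  ", can(delete_all_orders, bob))  # False
```

The point of the hardened version is that the check is made on every request against the caller's identity and role, not on whether a menu item was hidden in the UI.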

A2: Cryptographic Failures

Usually occurs when sensitive data is not stored securely. The practice of using simple hashes to store sensitive data is to blame for unprivileged access.

A few easy examples: sensitive data in the following,

Session tokens,

login ID and passwords,

personal details (SSN, Health records) etc.

Any unprivileged access to the victim’s accounts is a serious concern.
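The "simple hashes" problem above, shown in code. This is an added example (mine, not from the original post): a plain unsalted SHA-256 beside a salted, deliberately slow PBKDF2-HMAC-SHA256 with a constant-time comparison. The iteration count and the `pbkdf2_sha256$iterations$salt$digest` record format are assumptions for the demo.

```python
# Added example: cryptographic failures, unsalted fast hash vs. salted slow KDF.
import hashlib
import hmac
import os

# Iteration count is an assumption for this example; the cost is stored with
# the record so it can be raised later without breaking existing users.
DEFAULT_ITERATIONS = 600_000


def store_insecure(password: str) -> str:
    # Vulnerable pattern: one fast, unsalted hash. Equal passwords give equal
    # digests across users, and precomputed tables make reversal cheap.
    return hashlib.sha256(password.encode()).hexdigest()


def store_secure(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    # Hardened: a fresh random salt per user plus a deliberately slow
    # key-derivation function. Algorithm, cost and salt travel with the hash.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secure(password: str, stored: str) -> bool:
    # Re-derive with the stored parameters and compare in constant time so the
    # comparison itself leaks nothing about how many bytes matched.
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False  # malformed record: never "fail open"
    return hmac.compare_digest(digest.hex(), digest_hex)


def insecure_digests_collide(p1: str, p2: str) -> bool:
    """True when two users with the same password get identical stored values."""
    return store_insecure(p1) == store_insecure(p2)


if __name__ == "__main__":
    record = store_secure("Winter2021!")
    print(record)
    print(verify_secure("Winter2021!", record), verify_secure("winter2021!", record))
```

Two records for the same password differ because of the salt, and the slow derivation is what turns a leaked table into an expensive cracking job rather than a lookup.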

A3: Injection

Happens when a user's untrusted data (payload) is inserted into the system, resulting in modification of content, retrieval of sensitive content or execution of unwanted actions.

A few easy examples:

XSS

LDAP injection

Command injection

XML injection

SQL injection

Blind injection, etc.
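For the SQL injection case, an added example (mine, not from the original post) run against an in-memory SQLite database: the same lookup written by pasting the input into the query text, and written with a placeholder. The users table, its rows and the tautology input are constructed for the demo.

```python
# Added example: SQL injection, string-built query vs. parameterised query.
import sqlite3

# Classic tautology input, constructed for the demonstration below.
CONSTRUCTED_INPUT = "x' OR '1'='1"


def make_db():
    """In-memory SQLite database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.test"),
        (2, "bob", "bob@example.test"),
    ])
    return conn


def find_user_insecure(conn, name):
    # Vulnerable: the untrusted value is spliced into the query text, so it can
    # change the structure of the statement instead of being plain data.
    query = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user(conn, name):
    # Hardened: the statement is fixed; the value travels separately through a
    # placeholder, so quotes and keywords inside it are just characters.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("insecure:", find_user_insecure(db, CONSTRUCTED_INPUT))  # every row
    print("secure:  ", find_user(db, CONSTRUCTED_INPUT))           # []
```

The same discipline (keep structure and data separate) is the fix for the LDAP, command and XML variants in the list: use the library's parameterised or escaping API instead of building the statement as a string.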

A4: Insecure Design

Covers the risks related to design and architectural flaws; it also recommends threat modeling (explained in another write-up) and secure design patterns.

For example:

1. Password recovery via "questions and answers" options [which is prohibited by NIST 800–63b, the OWASP ASVS and the OWASP Top 10].

Questions and answers cannot be trusted as evidence of identity, as more than one person can know the answers, which is why they are prohibited. Such code should be removed and replaced with a more secure design.

2. A cinema chain allows group booking discounts and has a maximum of fifteen attendees before requiring a deposit.

Attackers could threat model this flow and test whether they could book six hundred seats at all cinemas at once in a few requests, causing a massive loss of income.
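The cinema scenario is a design problem, so the fix is a design decision: the rule has to hold across requests, not just inside one. Here is an added example (mine, not from the original post) of a booking service that enforces the fifteen-attendee rule per request and also caps the unpaid seats one customer can hold across all cinemas. The BookingService class, the two extra limits and the sample calls are assumptions for the demo.

```python
# Added example: insecure design, enforcing a business rule in aggregate.
MAX_WITHOUT_DEPOSIT = 15       # the page's rule: larger groups need a deposit
MAX_PER_REQUEST = 60           # hard ceiling for one request (assumption)
MAX_UNPAID_PER_CUSTOMER = 100  # unpaid seats one customer may hold, all cinemas (assumption)


class BookingRejected(Exception):
    """Raised when a booking request violates a business rule."""


class BookingService:
    def __init__(self):
        self.unpaid = {}  # customer_id -> seats reserved without deposit, all cinemas

    def book(self, customer_id, cinema_id, seats, deposit_paid=False):
        # Per-request checks: this is where a naive design stops.
        if seats <= 0 or seats > MAX_PER_REQUEST:
            raise BookingRejected("seat count out of range")
        if seats > MAX_WITHOUT_DEPOSIT and not deposit_paid:
            raise BookingRejected("deposit required for groups over 15")
        if deposit_paid:
            return {"customer": customer_id, "cinema": cinema_id, "seats": seats,
                    "unpaid_total": self.unpaid.get(customer_id, 0)}
        # Aggregate check: the per-request rule alone is defeated by splitting
        # "600 seats at every cinema" into many requests of 15, so the total a
        # customer holds unpaid across every cinema is capped as well.
        total = self.unpaid.get(customer_id, 0) + seats
        if total > MAX_UNPAID_PER_CUSTOMER:
            raise BookingRejected("too many unpaid seats held across cinemas")
        self.unpaid[customer_id] = total
        return {"customer": customer_id, "cinema": cinema_id, "seats": seats,
                "unpaid_total": total}

    def try_book(self, *args, **kwargs) -> bool:
        """True if the booking is accepted, False if a rule rejects it."""
        try:
            self.book(*args, **kwargs)
            return True
        except BookingRejected:
            return False


if __name__ == "__main__":
    svc = BookingService()
    print([svc.try_book("c1", f"cinema-{i}", 15) for i in range(8)])
    # the first six succeed (90 seats); the seventh would exceed the cap
```

Threat modeling the flow is what surfaces the aggregate limit; the per-request check alone is the "insecure design" the category is about.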

A5: Security Misconfiguration

It is like an open invitation to attackers on applications with poorly built systems.

For example:

Default credentials usage

Server version disclosure

Directory listing

Missing appropriate security hardening

Detailed error messages [user enumeration]

A6: Vulnerable and Outdated Components

If the application uses software or a server that is vulnerable, unsupported or out of date, especially third-party frameworks [open-source tool versions].

For example:

OS versions

Application server

DBMS

APIs

Runtime environments

A7: Identification and Authentication Failures

When an application fails to prevent automated attacks (such as automated scans for access or data exposure); attackers usually exploit such improper authentication.

For example:

Weak usernames and passwords

Brute force attacks

Session fixation attacks

URL rewriting
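One login routine can show several items from the A7 list and the "detailed error messages [user enumeration]" item from A5 at the same time. This is an added example (mine, not from the original post): a lockout after repeated failures, one identical error message for every failure cause, a fresh session id issued on login (against session fixation), and a session id that is accepted from the cookie only (against URL rewriting). The in-memory user store, the threshold and the session format are assumptions for the demo.

```python
# Added example: authentication failures, lockout + uniform errors + session rotation.
import hmac
import secrets

MAX_FAILURES = 5                                # lockout threshold (assumption)
GENERIC_ERROR = "invalid username or password"  # one message for every failure cause


class AuthService:
    def __init__(self, users):
        # Constructed user store. Plaintext only to keep the example short;
        # a real store holds salted, slow hashes (see the A2 example).
        self.users = users
        self.failures = {}   # username -> consecutive failed attempts
        self.sessions = {}   # session id -> username

    def login(self, username, password, presented_session=None):
        """Return (ok, message, session_id)."""
        # Locked, unknown and wrong-password all answer identically: a detailed
        # error ("no such user" vs "wrong password") lets an attacker enumerate
        # valid accounts, the misconfiguration listed under A5.
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return False, GENERIC_ERROR, None
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            self.failures[username] = self.failures.get(username, 0) + 1
            return False, GENERIC_ERROR, None
        self.failures[username] = 0
        # Session fixation defence: whatever identifier the client arrived with
        # is dropped and a fresh random one is issued after authentication.
        self.sessions.pop(presented_session, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return True, "ok", sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def session_id_from_request(cookies, query):
    # Accept the session id from the cookie only. One carried in the URL (URL
    # rewriting) leaks via logs, Referer headers and browser history.
    return cookies.get("sid")


if __name__ == "__main__":
    svc = AuthService({"alice": "correct-horse"})
    print(svc.login("alice", "correct-horse", presented_session="chosen-by-someone-else"))
    print(svc.login("alice", "wrong"), svc.login("nobody", "wrong"))  # same message
```

Counting failures per username, as here, also lets anyone lock a victim out by guessing wrongly on purpose, so a real service adds per-source throttling and a back-off rather than relying on a single counter.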

A8: Software and Data Integrity Failures

The use of critical data or applications without verifying their identity falls under this category: when the identity of the apps or data is not checked, or the verification process is not well-rounded (that is, it can be bypassed or a validation failure still lets the app run).

For example:

Insecure deserialization

RCE [remote code execution]
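The insecure deserialization item is about trusting bytes because they arrived. An added example (mine, not from the original post): the unsafe pattern of deserializing with `pickle` first, beside a token whose HMAC is verified before the JSON body is parsed. The key, the payload fields and the `base64url(body).base64url(tag)` format are assumptions for the demo.

```python
# Added example: data integrity, verify the MAC before trusting the content.
import base64
import hashlib
import hmac
import json
import pickle

SECRET_KEY = b"constructed-demo-key-not-for-real-use"  # placeholder; real keys come from a secret store


def load_insecure(blob: bytes):
    # Vulnerable pattern: pickle rebuilds arbitrary objects while loading, so
    # there is no point at which the data could be checked before it acts.
    return pickle.loads(blob)


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def sign(payload: dict, key: bytes = SECRET_KEY) -> bytes:
    # Canonical JSON body + HMAC-SHA256 tag over the exact encoded bytes.
    body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + _b64e(tag)


def verify_and_load(token: bytes, key: bytes = SECRET_KEY):
    # Hardened: integrity first. Recompute the MAC over the bytes received,
    # compare in constant time, and only then parse, as JSON, which yields
    # data rather than objects with behaviour. Any failure returns None.
    try:
        body, tag = token.split(b".", 1)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None
        return json.loads(_b64d(body))
    except ValueError:  # covers bad base64, bad JSON and a missing separator
        return None


if __name__ == "__main__":
    token = sign({"user": "alice", "role": "user"})
    print(token)
    print(verify_and_load(token))                          # the dict above
    print(verify_and_load(token[:-2] + b"xx"))             # None: tag altered
```

The "not well-rounded verification" wording in the text maps to the ordering here: a check that runs after the content has already taken effect, or that lets a failed check fall through, is no check at all.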

A9: Security Logging and Monitoring Failures

This section is not primarily about vulnerabilities. It is a best practice to keep an eagle eye on the application while it is running on the overcrowded internet.

When an attack happens, the absence or failure of this implementation directly impacts visibility, incident alerting and forensics, which in turn lets attackers STAY LONGER IN OUR NETWORK.

For example:

Alerting mechanisms for the applications/systems

Unauthorized-action alerts on the apps' file servers
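What an "alerting mechanism" looks like at its smallest: an added example (mine, not from the original post) that parses authentication log lines and raises one alert per source address that racks up too many failures inside a sliding window, while counting lines it could not parse instead of dropping them. The log format, the sample lines and the thresholds are constructed for the demo.

```python
# Added example: logging and monitoring, a burst-of-failures detector.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic); the format is an assumption.
SAMPLE_LOG = """\
2021-09-24T10:00:01Z auth result=fail user=alice src=203.0.113.7
2021-09-24T10:00:03Z auth result=fail user=bob src=203.0.113.7
2021-09-24T10:00:05Z auth result=fail user=carol src=203.0.113.7
2021-09-24T10:00:06Z auth result=success user=dave src=198.51.100.2
2021-09-24T10:00:09Z auth result=fail user=erin src=203.0.113.7
this line is deliberately malformed to show the unparsed counter
2021-09-24T10:00:11Z auth result=fail user=frank src=203.0.113.7
2021-09-24T10:07:00Z auth result=fail user=alice src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert once per source that accumulates `threshold` failures inside `window`.

    Returns (alerts, unparsed_count). Lines that do not parse are counted, not
    silently dropped: a jump in unparsed lines usually means a format change
    or a broken log pipeline, which is itself a monitoring failure.
    """
    failures = defaultdict(list)
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        elif ev["result"] == "fail":
            failures[ev["src"]].append(ev)

    alerts = []
    for src, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        start = 0  # left edge of the sliding window
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({
                    "src": src,
                    "failures": count,
                    "distinct_users": len({e["user"] for e in events[start:end + 1]}),
                    "first": events[start]["ts"],
                    "last": ev["ts"],
                })
                break  # one alert per source per run
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = detect_failed_login_bursts(SAMPLE_LOG)
    print(bad, "unparsed line(s)")
    for a in found:
        print(a)
```

The `distinct_users` field is the detail an analyst wants first: five failures against five different accounts from one source reads very differently from one user mistyping a password.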

A10: Server-Side Request Forgery

When the application server validates or executes untrusted user-supplied commands/payloads [when the server performs unintended actions forced by users].

This in turn leads to gaining access to internal or external services.

For example:

Vulnerabilities found via the Burp Collaborator client

Localhost-responding vulnerabilities
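The "localhost responding" case is the one a validator has to stop before the server makes any request. An added example (mine, not from the original post): a deny-by-default check on a user-supplied URL that requires an allowed scheme, rejects credentials in the URL, rejects literal internal addresses and loopback names, and finally requires the host to be on an allow-list. The allow-listed host names are placeholders; no network call is made, the function only decides.

```python
# Added example: SSRF, validating an outbound URL before the server fetches it.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.test", "cdn.example.test"}  # placeholder allow-list


def is_internal_address(host):
    """True if host is a literal IP in a loopback, private, link-local or similar range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal address
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(url):
    """Return (ok, reason). Deny by default: only explicitly allowed targets pass."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"  # "allowed-host@real-target" forms
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if is_internal_address(host):
        return False, "internal address"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback name"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allow-list"
    return True, "ok"


if __name__ == "__main__":
    for u in ["https://images.example.test/a.png", "http://127.0.0.1:8080/",
              "http://[::1]/", "file:///etc/hosts", "http://localhost/"]:
        print(u, "->", validate_outbound_url(u))
```

Two caveats a practitioner would add: a hostname that passes here can still resolve to an internal address (DNS rebinding), so the resolved addresses should be checked again at connection time, and redirects from the fetched resource must go through the same validation rather than being followed automatically.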

Feel free to contact me for any clarification on the above!

You can ping me on https://www.linkedin.com/in/akash-h-c-4a4090a7/
