In cyber security, the OWASP Top 10 is a key framework which helps organisations to understand the most common current web application vulnerabilities.
Read our guide to learn more about the key issues to be aware of and how The OWASP Top Ten could help to reduce the risk of web application attacks.
What is the OWASP Top 10?
Recognised by developers and security professionals around the world, the OWASP Top Ten outlines key vulnerabilities which affect web application security. It was created by the Open Web Application Security Project (OWASP), a not-for-profit foundation which supports organisations to improve the security of their web applications. First published in 2003, the Top 10 is updated every three to four years, with the most recent iteration published in September 2021.
The OWASP Top 10 provides a clear hierarchy of the most common web application security issues. This helps companies to identify and address issues according to prevalence, potential impact, method of exploitation by attackers and ease or difficulty of detection.
As stated on the OWASP website, “Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.”
The current top ten web application security risks identified by OWASP are listed below.
1. Broken access controls
Access management refers to the process through which an application restricts access to data or functionality. Broken access control (BAC) vulnerabilities occur when restrictions on what users are allowed to do are not properly enforced. One example of this is where a user with limited privileges is able to access data that only a high privileged user should be able to access.
While BAC vulnerabilities may not necessarily be exploited by a malicious attacker, they can lead to a serious GDPR breach if one user’s data is unintentionally exposed to another. This issue has now moved to the top of the OWASP list as 94% of applications were tested for some form of broken access control. The list states that “34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category”.
2. Cryptographic failures
Previously known as ‘Sensitive Data Exposure’, the focus in this issue is on failures related to cryptography. These often lead to sensitive data exposure or system compromise in which data such as user credit card information and session tokens, is left exposed on web applications and APIs. This allows attackers to steal it to undertake identity theft and other crimes. To prevent the exposure of this and other sensitive data, it is essential to protect it using encryption and to ensure that there are no application logic flaws that could permit unauthorised access.
3. Injection flaws
Injection flaws such as SQL, NoSQL, OS, and LDAP injections occur when untrustworthy data is sent to a program as part of a command or query. This allows hostile data from an attacker to trick the program into executing unintended commands, such as providing access to data without proper authorisation. Due to the fact that they are easy to learn and execute, SQL injections are one of the most common techniques used to attack web applications.
Cross-site scripting (XSS) is now part of this category. Cross-site scripting flaws occur whenever an application includes untrustworthy data in a web page without proper validation, or when an application updates a web page with user-supplied data using a browser API which can create HTML or JavaScript. XXS flaws enable attackers to execute scripts that can be used to hijack user sessions, deface websites or redirect users to malicious websites.
4. Insecure Design
With a focus on risks related to design flaws, Insecure Design was added as a new category for 2021. Insecure Design is a wide-ranging category that represents different weaknesses, expressed as “missing or ineffective control design.” Its addition highlights the importance of threat modelling, secure design patterns and principles, and reference architectures. OWASP makes the point that insecure design isn’t the source for all other Top 10 risk categories.
As it states, this is because “There is a difference between insecure design and insecure implementation. We differentiate between design flaws and implementation defects for a reason, they have different root causes and remediation.”
5. Security misconfiguration
With more shifts into highly configurable software, Security Misconfiguration has moved up a place from the previous edition. Security misconfiguration is a very common type of web application vulnerability. It is used to describe insecure default configurations, incomplete configurations and open cloud storage. Even a minor misconfiguration, such as displaying too much information in error messages, can create challenges.Cloud security misconfigurations such as insecure databases and open Amazon S3 buckets are also common.
The former category for XML External Entities (XXE) is now part of this category. An XML External Entity vulnerability is a weakness in the way an application parses XML input. It occurs when an attacker injects XML which contains a reference to an unauthorised external entity and the input is processed by a weakly-configured XML parser. XXE vulnerabilities are often used by attackers to obtain additional technical information about an application – information that is used to conduct Denial-of-Service and other types of attacks.
6. Vulnerable and outdated components
Previously called ‘Using Components with Known Vulnerabilities’, this is a known issue that OWASP highlights as being a challenge to test and assess. It is the only category not to have any Common Vulnerability and Exposures (CVEs) mapped to the included CWEs. Applications and APIs using components with known vulnerabilities may undermine application defences and provide attackers with a point of entry.
Mitigating against such vulnerabilities involves keeping all components used by web applications up to date. This should include the operating system of a web server and the third-party libraries used as part of an application’s code-base.
7. Identification and authentication failures
Previously called ‘Broken Authentication’, this category now includes CWEs that are more related to identification failures. While it is still part of the Top 10, OWASP observes that “the increased availability of standardized frameworks seems to be helping”.Broken authentication is any security issue which affects the log-in mechanism of an application.
Broken authentication gives attackers the freedom to compromise user passwords and session tokens, or to exploit implementation flaws. It can leave systems vulnerable to brute force attacks, where attackers use automated tools to crack user account passwords.
8. Software and data integrity failures
A new category added in 2021, Software and Data Integrity Failures focuses on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. The category Insecure Deserialization is now a part of this larger category. In programming, serialization involves the conversion of an object into a stream of bytes to store or transmit it to memory, a file or a database.
Deserialization is the reverse of this process, converting bytes back into an object so it can be moved or transferred. This type of vulnerability can occur when applications are performing deserialization on data which isn’t trusted, including data sent from an attacker to an application.
9. Security logging and monitoring failures
Previously called Insufficient Logging & Monitoring, this category has been expanded to include more types of failures. OWASP points out that while it is challenging to test for and isn’t well represented in the CVE/CVSS data, failures in this category can directly impact visibility, incident alerting, and forensics. Insufficient logging and monitoring, combined with missing or ineffective incident response, can lead to serious breaches being missed or action being taken too late.
Unknown exploitation of vulnerabilities can allow attackers to maintain persistence, pivot to other systems, and tamper with, extract and destroy data.
10. Server-side requests forgery
A new addition, Server-Side Request Forgery (SSRF) has been added from the Top 10 community survey. While it is a new addition to the OWASP Top Ten, the data shows a relatively low incidence rate but with above average testing coverage, along with above-average ratings for Exploit and Impact potential. As OWASP outlines,
“SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.”
Addressing web application security risks
As the OWASP Top Ten highlights, web applications are potentially vulnerable to a wide range of weaknesses. This is why checking for each specific type of vulnerability during the development process is vital.
Application security can be addressed right from the start of the development lifecycle by adopting a Security by Design approach. Organisations are also advised to regularly commission formal, independent web application penetration testing to identify and address new vulnerabilities that may have been missed.
The ongoing changes to the OWASP Top Ten highlight the evolving nature of risk in this area. This is why businesses need to employ a proactive and ongoing approach to address potential vulnerabilities.
OWASP penetration testing from Kroll
Web application testing is among the many security assessment services we offer at Kroll. Our ethical hackers comprehensively test for web application vulnerabilities, including those listed in OWASP’s current Top 10, and deliver the support required to help address them quickly and effectively.
At the end of each OWASP pen test, we provide a detailed report outlining the level of risks posed and the remediation advice required to help address them quickly and effectively.
Our pen testers work closely with you to understand your software application and help scope your requirements. Our CREST-accredited pen testing process is conducted to the highest legal, ethical and technical standards and follows best practice in key areas such as preparation & scoping, assignment execution, post technical delivery and data protection, and we conduct over 100,000 hours of these assessments across the globe every year.