OWASP Top 10 draft version released for peer review

The Open Web Application Security Project (OWASP) has released a draft edition of the all-new OWASP Top 10 – 2021 vulnerabilities list on its official website for peer review.

The list contains important changes compared to the previous OWASP Top 10 – 2017 list, with three new categories added and several position changes.

OWASP also announced that the draft version of the Top 10 2021 web application security risks is published for peer review, translations, comments and suggestions for improvement.

OWASP is a non-profit organization dedicated to providing unbiased, practical information about application security. OWASP Top 10 represents a broad consensus about the most critical security risks to web applications.

Differences between OWASP Top 10-2021 & 2017:

[Figure: Comparison between OWASP Top 10-2021 & 2017]

In the new OWASP Top 10-2021 list of security risks, three new categories were introduced, namely:

A04:2021 – Insecure Design (4th position)

A08:2021 – Software and Data Integrity Failures (8th position)

A10:2021 – Server-Side Request Forgery (10th position)

The list also includes position, naming and scoping changes compared with the OWASP Top 10 – 2017 list.

Broken Access Control moves to the top position from fifth. Cross-Site Scripting (XSS) has been folded into the ‘A03 – Injection’ category, XML External Entities (XXE) is now part of A05 – Security Misconfiguration, and Insecure Deserialization is included in the new A08 – Software and Data Integrity Failures.

OWASP also renamed many categories to reflect the latest changes in the threat landscape.

Here is the official report of the OWASP Team: OWASP Top 10:2021 (DRAFT FOR PEER REVIEW) 

OWASP Top 10 – 2021 Vulnerabilities List (Draft Version):

Below is the proposed draft version of the OWASP Top 10 – 2021 vulnerabilities list:

A01:2021 – Broken Access Control

A02:2021 – Cryptographic Failures

A03:2021 – Injection

A04:2021 – Insecure Design

A05:2021 – Security Misconfiguration

A06:2021 – Vulnerable and Outdated Components

A07:2021 – Identification and Authentication Failures

A08:2021 – Software and Data Integrity Failures

A09:2021 – Security Logging and Monitoring Failures

A10:2021 – Server-Side Request Forgery

A01:2021 – Broken Access Control: OWASP placed this vulnerability in 1st position, up from 5th in 2017. 94% of the applications were tested for some form of it, and 34 CWEs are mapped to it.

Applications fail to verify function-level access rights before making functionality accessible to the user; in short, they do not enforce sufficient authorization for certain actions, which leads to access control vulnerabilities.
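The following is an added example, not code from the article or from OWASP, showing the function-level authorization failure just described and one way to fix it. The vulnerable handler trusts a role claim sent by the client; the hardened handler derives the role from a server-side session. The session store, the request shape and all names are constructed for the illustration.

```python
# Added example (not from the article): function-level access control.
from dataclasses import dataclass, field

# Constructed server-side session store: session id -> authenticated user and role.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-bob": {"user": "bob", "role": "admin"},
}


@dataclass
class Request:
    session_id: str
    params: dict = field(default_factory=dict)  # client-supplied form/body fields


class Forbidden(Exception):
    pass


def delete_user_vulnerable(req: Request, target: str) -> str:
    """Vulnerable: the authorization decision rests on a client-controlled parameter."""
    if req.params.get("role") != "admin":
        raise Forbidden("admin only")
    return f"deleted {target}"


def require_role(role: str):
    """Decorator: the role comes only from the server-side session; unknown sessions are denied."""
    def decorator(handler):
        def wrapper(req: Request, *args, **kwargs):
            session = SESSIONS.get(req.session_id)
            if session is None or session["role"] != role:
                raise Forbidden(f"{role} only")
            return handler(req, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_user_hardened(req: Request, target: str) -> str:
    """Hardened: the check above runs before any of this body executes."""
    return f"deleted {target}"


def outcome(handler, req: Request, target: str) -> str:
    """Run a handler and report either its result or 'forbidden'."""
    try:
        return handler(req, target)
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # alice holds a plain user session but claims role=admin in the request body
    spoofed = Request("sess-alice", {"role": "admin"})
    print(outcome(delete_user_vulnerable, spoofed, "carol"))  # deleted carol
    print(outcome(delete_user_hardened, spoofed, "carol"))    # forbidden
```

The point of the decorator is that the check is applied at the function boundary and denies by default: a missing session, an unknown session id or a mismatched role all end in `Forbidden`, and nothing the client puts in the request body influences the decision.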

A02:2021 – Cryptographic Failures: Previously called Sensitive Data Exposure, this category moved up to second position from third in 2017, with 29 CWEs mapped to it.

This vulnerability occurs when data in transit or at rest is encrypted with weak cryptographic algorithms or poorly generated keys, or is stored or transmitted in clear text, leading to sensitive data exposure.

A03:2021 – Injection: This flaw slides down to 3rd position from 1st in the 2017 list. 94% of the applications were tested for it, and 33 CWEs are mapped to it.

Injection flaws occur when attackers supply malformed data or input (such as SQL query fragments) via input parameters or data fields to the application or database. These flaws are often found in SQL, LDAP, XPath or NoSQL queries, OS commands, XML parsers, SMTP headers, program arguments, expression languages and ORM queries.

A04:2021 – Insecure Design: A new category in the 2021 list covering design and architectural flaws such as logic problems in the program, unprotected stored data and displayed content that reveals sensitive information. It has 40 CWEs mapped to it.

A05:2021 – Security Misconfiguration: This vulnerability moved up from 6th position in the previous edition; 90% of applications were tested for it, with 20 CWEs mapped. The OWASP team merged XML External Entities (XXE) from the 2017 list into this category.

This vulnerability arises when the security settings of the web server or application are not configured properly and are left at default, insecure values.

A06:2021 – Vulnerable and Outdated Components: This vulnerability moved up to sixth from ninth position and was renamed from “Using Components with Known Vulnerabilities.” The OWASP team said they used default exploit and impact weights to place it, as there is not enough data.

This flaw generally occurs when client- and server-side components run vulnerable versions, rely on unsupported, out-of-date platforms, or are misconfigured.

A07:2021 – Identification and Authentication Failures: Previously known as Broken Authentication, this category slipped from second position to seventh and now also includes identification failures.

This security flaw covers improper authentication, credential stuffing, session fixation, improper session handling and brute-force attacks.

A08:2021 – Software and Data Integrity Failures: A new category in the OWASP Top 10 2021 that merges in Insecure Deserialization from 2017; it has one of the highest weighted impacts in the CVE/CVSS data.

The category focuses on integrity failures in software updates and critical data pulled from a remote source.

A09:2021 – Security Logging and Monitoring Failures: This vulnerability moves up one place from 10th position and was renamed from “Insufficient Logging & Monitoring.”

This security threat occurs when critical security events are not logged, or when logged events and ongoing activity are not monitored because no proper monitoring system is in place.
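To make the "not monitored" half of this category concrete, here is an added example (not from the article) of the kind of logic a monitoring pipeline applies to authentication logs: it parses constructed log lines, keeps a sliding window of failures per source address, and raises an alert when the count in the window reaches a threshold. The log format, the sample lines, the field names and the threshold are all constructed for the illustration.

```python
# Added example (not from the article): sliding-window brute-force detection over auth logs.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log lines in the format a hypothetical application emits.
SAMPLE_LOG = """\
2021-09-10T12:00:01Z event=auth_failure user=alice src=203.0.113.5
2021-09-10T12:00:03Z event=auth_failure user=bob src=203.0.113.5
2021-09-10T12:00:05Z event=auth_success user=carol src=198.51.100.7
2021-09-10T12:00:06Z event=auth_failure user=carol src=203.0.113.5
2021-09-10T12:00:09Z event=auth_failure user=dave src=203.0.113.5
2021-09-10T12:00:12Z event=auth_failure user=erin src=203.0.113.5
2021-09-10T12:30:00Z event=auth_failure user=alice src=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Return one (src, first_ts, last_ts) alert per source with >= threshold failures inside `window`."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerts = []
    alerted = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "auth_failure":
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        # drop failures that have aged out of the window
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append((rec["src"], q[0], rec["ts"]))
    return alerts


if __name__ == "__main__":
    for src, first, last in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {src}: {first.isoformat()} .. {last.isoformat()}")
```

The detection only works if the application actually emits a distinct, parseable event for every failed login with a timestamp and source; that is the logging half of the category, and it is the usual reason a rule like this produces nothing in practice.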

A10:2021 – Server-Side Request Forgery: This is a new category in the 2021 list; the data shows a low incidence rate with above-average testing coverage and above-average exploit and impact potential ratings. The OWASP team said SSRF attacks are increasing due to the adoption of cloud services and more complex architectures.

SSRF generally occurs when a web application fetches a remote resource without validating the user-supplied URL.
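Below is an added example (not from the article or from OWASP) of the URL validation the paragraph says is missing in SSRF-prone applications. It accepts only an allowlisted scheme and host, refuses embedded credentials, and rejects IP literals in non-public ranges (loopback, private, link-local). The allowlist contents and the test URLs are constructed for the illustration.

```python
# Added example (not from the article): validating a user-supplied URL before a server-side fetch.
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allowlist: the only destinations this hypothetical feature legitimately fetches from.
ALLOWED_HOSTS = {"images.example.test", "cdn.example.test"}
ALLOWED_SCHEMES = {"https"}


def is_public_address(host: str) -> bool:
    """False when `host` is an IP literal outside the globally routable space."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # not an IP literal; the hostname allowlist decides instead
    return addr.is_global


def validate_fetch_url(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default: anything not explicitly allowed fails."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # already lowercased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if not is_public_address(host):
        return False, f"non-public address {host!r}"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://images.example.test/logo.png",
        "http://images.example.test/logo.png",
        "https://127.0.0.1/admin",
        "https://[::1]/",
        "https://user:pw@cdn.example.test/",
        "https://other.example.test/",
    ):
        print(candidate, "->", validate_fetch_url(candidate))
```

Two caveats a reviewer would add: the hostname allowlist is what carries the decision for names, because a name is resolved at connect time and a pre-check of the resolved address can be bypassed by a DNS answer that changes between check and use; and the HTTP client that performs the fetch should not follow redirects, otherwise an allowlisted host can redirect the request somewhere this check never saw.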


OWASP Used Data Factors for Each OWASP Top 10 – 2021 Category:

OWASP generated the new Top 10 2021 list by considering specific data factors drawn from threat intelligence submitted by several cybersecurity companies. The factors include the software and hardware Common Weakness Enumeration (CWE) entries mapped to each category, and weighted exploit, impact and average metrics for a vulnerability based on CVSSv2 and CVSSv3 scores. They also considered the total number of CVEs applicable to each type of threat.

The list is based on the analysis of 2 million security records from 144 sources, including CVE reports, vendor security news and bug bounty reports.

Previously, for the OWASP Top 10 2017, they picked categories based on incidence rate and ranked them by Exploitability, Detectability and Technical Impact.

For the OWASP Top 10 – 2021, they instead focused on data for Exploitability and Impact, referring to OWASP Dependency-Check and extracting the CVSS Exploit and Impact scores collected for the associated CWEs.

[Figure: Venn diagram representing the interactions between the Top Ten 2017 risk categories]

OWASP Collected the Largest Application Security Data Set for the OWASP Top 10 – 2021 List:

OWASP thanked organizations such as AppSec Labs, Cobalt.io, GitLab, Veracode and HackerOne, and other anonymous donors, for contributing data on over 500,000 applications.

They added that these contributions make up the largest and most comprehensive application security data set collected to date.

OWASP Plans for Final Version of OWASP TOP 10 – 2021 on OWASP’s 20th Anniversary:

With this report, OWASP also gave notice that it has published a draft version of the list, not the final version. The team requested data scientists, web designers and translators to peer review its analysis and offer suggestions and improvements, which will help link documents and standards together for the final version of the list.

Along with the notice, OWASP also hinted that it will officially release the final version of the OWASP Top 10 2021 list at the organization’s 20th-anniversary event on September 24.
