OWASP Top 10 – 2021 Vulnerabilities

A01:2021 – Broken Access Control:

Description:

This vulnerability generally occurs when the access controls are missing or not implemented properly in the application. This leads to unauthorized access to the application and attackers can disclose sensitive information, modification, alter the data or compromise the whole system.

For example, due to this flaw, an attacker can modify the URL intentionally to gain access to high privileged accounts such as admin account or even access to other user’s accounts also to exploit unauthorized data. Another way, an attack can be performed by tampering the session cookie or token to impersonate and logged in to others user’s sessions.

This vulnerability can also occur in the below scenarios:

• Breaching the principle of least privilege.
• Allow viewing and editing preferences to other users account by giving its unique identifier (insecure direct object references).
• Corrupting metadata, such as tampering access control token, JSON web token or a cookie.
• Unauthorized API access due to CORS misconfiguration and missing access controls for POST, PUT and DELETE.

Prevention Techniques:

• Default should be access deny all, requiring explicit grants to specific roles for access to every function.
• Use Access control lists and role-based authentication mechanisms and minimize CORS usage.
• Implement access control mechanisms throughout the application.
• Disable directory listing if they are not required or set access control request to deny all requests and ensure file metadata (e.g., .git) and backup files are not present within web roots.
• Monitor and log access control failures and alert administrators.
• Allow access to the user on basis of its privilege matrix.
• Do not allow the user to directly call any object from the database.
• For more sensitive functionalities like accessing administrative pages, add additional access restrictions with IP addresses to enforce only users from certain networks are permitted to access the resources, irrespective of their login status. 

A02:2021 – Cryptographic Failures:

Description: 

This vulnerability occurs when data is in transit or rest encrypted with weak cryptographic algorithms, poor key generation or if it’s in clear text that leads to sensitive data exposure.

This weakness is generally caused during the implementation stages of architecture and design of an application.

This vulnerability basically arises due to poorly designed older cryptographic algorithms, improper key management and storage, insecure cryptography, inappropriate ciphers, encryption of wrong data, unencrypted data in the database, developers implementing their own cryptography. 

The attacker can predict the next value if the application generates insecure predictable values in a security sensitive context and then the attacker uses this guess to impersonate another user or access sensitive information.

Typically sensitive information includes Personally Identifiable Information (PII), Credit card information, credentials, etc.

The attacker is so sophisticated that they just don’t need to break the cryptographic algorithm to gain unauthorized access to the application. But finding the registry, databases, and temporary files stored in an insecure manner is enough for them to exploit and also can access data from insecure channels that can decrypt.

Typically, broken cryptography will result in Privacy Violations, Information Theft, Code Theft, Intellectual Property Theft, or Reputational Damage.

Prevention Techniques:

• Categorize data stored, transmitted, or processed by an application. Find which data is confidential as per privacy laws, regular requirements, or business needs.
• Minimize the sensitive data storage in the application and remove the data which is not necessary. Use PCI DSS compliant tokenization or truncation for discarding the data.
• Follow the NIST guidelines on recommended algorithms.
• Data should be encrypted while it is at rest.
• When data is in transit, apply secure protocols such as TLS with forward secrecy (FS) ciphers, secure parameters and cipher prioritization by the server.
• Apply functions or hardware that utilize a hardware-based random number generation for all crypto. Use CryptGenRandom on Windows, or hw_rand() on Linux.
• Prevent exposing the generated random value, store it in a secured database or file.
• Generated random values should be used only once.
• Locate and identify all the sensitive data in the application and encrypt it with a strong algorithm.
• Ensure that sensitive data is authorized to limited people and can be accessed in assigned areas only.
• Patch the application with all the common vulnerabilities and secure it from risk.
• Ensure that sensitive memory location can be overwritten and data should be deleted immediately if it is no longer needed.

A03:2021 – Injection:

Description: 

This vulnerability occurs when the user input is not sanitized, filter, or validated by the application. Then the attackers can attempt to inject certain malformed data or client-side scripts via input parameters that will be executed in the application and can exploit it by modifying the database and execute administration functions.

This attack happens when the malicious data like dynamic queries, non-parameterized calls sent by the attacker are merged with the interpreter like database, template engine, shell, etc.

This vulnerability will lead to attacks such as SQL Injection, Command Injection, XSS Injection, CSS Injection, Header Injection, HTML Injection, etc.

Prevention Techniques:

• The preferred option is to use a safe API, that restricts the use of the interpreter totally or delivers a parameterized interface or migrate to use Object Relational Mapping Tools (ORMs). Note: Even when parameterized, stored procedures can still introduce SQL injection if PL/SQL or T-SQL concatenates queries and data, or executes hostile data with EXECUTE IMMEDIATE or exec().
• Input validation such as Whitelist of user-supplied inputs, but is not a complete defense. OWASP ESAPI has an extensible library of whitelist input parameter routines.
• Character escape should be implemented before passing it to the interpreter.
• Using prepared statements (with parameterized queries) or stored procedures.
• Minimize database privileges to reduce the impact of flaws.
• Web Application Firewalls can also be used to filter out malicious data.
• Database errors should not reveal critical information such as database structures or configuration details and should use customized general error messages.
• Do not run application code/services with database admin/high privileged accounts.
• Keep the database patched and harden the database configuration and OS by disabling unnecessary services and functionality.

A04:2021 – Insecure Design:

Description: 

This vulnerability is related to design and architectural flaws such as logical problems in programming, unprotected stored data and displaying contents that reveal sensitive information. If a proper thread modeling procedure is not implemented and didn’t follow the secure design architecture design and standards, this will lead the vulnerabilities that may be exploited.

For example, missing user inputs bound will be vulnerable for buffer flow attacks, if security controls were never implemented to restrict against specific attacks, or application allows users to access elevated privileged accounts than required.

One of the main factors that contribute to insecure design is the lack of implementing organization risk, security threats in the application, or when it is being developed. This will result to identify what level of the security design is recommended.

Prevention Techniques: 

• Introduce and utilize a Secure Software Development Life Cycle (SSDLC) with cyber security professionals and design application security and privacy related controls.
• Integrate Threat Modeling procedure for identifying what kind of authorization and authentication is layered to it, what type of data is allowed and what kind of malicious data can be injected to bypass it.
• While designing, identify the functionality of the application, configuration and technologies used.
• During the design phase of the software application, check all the possible security design implementations. 
• Developers should utilize the Secure Code Analysis Assessment method in every code check-in/built to scan the code generated for the security threats.
• A security testing policy should be planned for what, when and what to be tested, what tools are required for the security testing.
• Security team should carry out a detailed Security Risk Assessment that includes identification of the security flaws during designing and restricting them into the next phase.
• Differentiate category layers on the application and network layers depending on the vulnerability and protection needs.
• Integrate security related controls in the application wherever it is necessary.

A05:2021 – Security Misconfiguration:

Description:

This vulnerability emerges when the application is missing proper security hardening or permissions that are not configured properly on cloud services, deployed environment, application internal configurations, etc. Misconfiguration can occur at the application level to network level etc. such as webserver, network devices, servers, databases, frameworks, and virtual machines.

Below are the basic vulnerable areas:

• Non-essential services or features that are enabled or installed.
• Default usernames and passwords remain active and unchanged.
• Error messages revealing critical information or stack traces.
• Security headers or directives are not set to secure values.
• Security software applications such as firewall protection, anti-virus are not enabled.
• The security settings in the application frameworks, servers are not set to secure values.
• High privileged access is provided to the users more than the permissible level.
• Software is outdated or not updated.

This vulnerability can give attackers access to data or the functionality of the system and all these flaws could also lead to XXE attack.

Prevention Techniques:

• Development, QA and production environments should be configured identically with different credentials.
• Make sure that no unnecessary features are enabled or installed (ex: ports, services, pages, accounts, privileges). Disable directory listing if they are not necessary or set access control request to deny all requests.
• A process should be set up to review all the permissions.
• An automated process to verify the effectiveness of the configurations and settings in all environments would be much better.
• Sending security directives to clients, e.g. Security Headers.
• Need to keep all software up-to-date and patches in a timely manner including all code libraries.
• Implement the principle of least privilege and provide access to the users with the required privileges.
• Disable administrator interfaces.
• Delete unused pages and user accounts.
• Change default usernames and passwords and use strong and unique passwords for every account.
• Patch or upgrade all XML processors and libraries. Use dependence checkers.
• The safest way to prevent XXE is always to disable DTDs (External Entities) completely.

A06:2021 – Vulnerable and Outdated Components:

Description: 

This vulnerability typically occurs when the client and server-side components have vulnerable versions, out-of-date support systems and misconfiguration. This includes components that directly use as well as nested dependencies.

Developers use components within applications such as frameworks, libraries, and other software modules. These components could be outdated or might have some known and existing vulnerabilities. Organizations can give priority to this issue based on the assets and classification of data.

This vulnerability can be in any components such as OS, web/application server, database, applications, APIs and all components, runtime environments, and libraries. Automated scanners will be useful in identifying this flaw.

Applications will be at risk if it is not fixed or upgrade the outdated platform, frameworks, and dependencies in a risk-based, timely fashion. This generally happens in environments when patching is scheduled for the monthly or quarterly tasks under change control, which leaves organizations open to many days or months of unnecessary exposure to fixed vulnerabilities.

Prevention Techniques:

• Be up-to-date with all the components used in the application and there should be a patch management policy in place.
• Erase unused dependencies, non-essential components, features, files and documentation.
• Identify all components, their versions and monitor the security of these components.
• Stay up-to-date with vulnerability news and scan the application regularly.
• Download the components only from authentic sources and secure links.
• Every organization must ensure that there is an ongoing plan for monitoring, triaging, and applying updates or configuration changes for the lifetime of the application or portfolio.
• Keep an eye on libraries and components that are neglected or didn’t create security patches for older versions. If patching is not feasible, consider deploying a virtual patch to monitor, detect, or protect against the exploited issue.

A07:2021 – Identification and Authentication Failures:

Description: 

This security flaw is related to improper identification, authentication, credential stuffing, improper session handling, brute force attacks. Here attacker uses flaws in authentication and session management functions (ex: exposed accounts, passwords and session ids, etc.) to impersonate/pretend as original users.

This vulnerability also occurs If the application is not able to handle session identifiers when there is a password/email update request, or after logout, during inactivity, or the user re-logins.

These defects could be in areas such as logout, password management, timeouts, remember me, secret questions, account updates, etc. So, an attacker can use any of these security loopholes to attack an application. Attackers have to gain access to only a few accounts, or just one admin account to compromise the system and breach confidential data.

Below are the basic vulnerable areas:

• Missing or Ineffective Multi-factor Authentication.
• User credentials are not protected when stored using hashing or encryption.
• Credentials can be guessed or overwritten through weak account management functions (e.g.:  Account creation, change password, recover password, weak session ids, predictable credentials like admin, etc).
• Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.
• Session IDs are exposed in URLs (ex: URL rewriting).
• Session ids are vulnerable to session fixation attacks.
• Session IDs don’t timeout, or user session or authentication tokens, particularly single sign-on tokens are not invalidated properly during timeout.
• Session IDs are not rotated after successful login.
• Passwords, session ids and other credentials sent over unencrypted channels.

Prevention Techniques:

• Enforce a strong password policy and all passwords should be stored in hashed or encrypted form to protect from exposure. Hashed form is preferred as it is not reversible.
• Implemented multi-factor authentication to defend against attacks such as brute force, credential stuffing.
• Account Lockout policy should be enabled and also CAPTCHA can be used for multiple login attempts.
• Integrate weak password checks, such as testing new or changed passwords against a list of the top 10000 worst passwords.
• Secure and HTTP Only cookies – Set the secure flag on a cookie so that the browser will prevent the transmission of a cookie over an unencrypted channel.
• Using the HttpOnly flag helps mitigate the risk of client-side script accessing the protected cookie (if the browser supports it).
• Protecting Credentials in Transit – The only effective technique is to encrypt the entire login transactions using SSL.
• Session ID Protection -– Ideally, a user’s entire session should be protected via SSL. If this is done, then the session ID (e.g., session cookie) cannot be grabbed off the network, which is the biggest risk of exposure for a session ID.
• Browser Caching – Authentication and session data should never be submitted as part of a GET request, but POST request should always be used instead. Authentication pages should be marked with all varieties of the no cache tag to prevent someone from using the back button in a user’s browser to backup to the login page and resubmit the previously typed in credentials.
• Re-Authentication process for some critical communications.
• Session tokens should be expired on the server and be destroyed when a browser is closed.
• Strong effort should also be made to prevent XSS vulnerability which can be used to steal session ids.

A08:2021 – Software and Data Integrity Failures:

Description: 

The vulnerability focuses on integrity failures of the software updates and critical data when pulled from a remote source. Basically, the use of critical data or application without authenticating or verifying their identity comes under this vulnerability. 

Software & Integrity Failures focus on presumptions related to software updates, sensitive information, insecure CI/CD pipelines, insecure code or infrastructure.

Due to this integrity violation or failure, the application can bypass or validate unauthorized users, an attacker can inject malicious code that leads to full system compromise.

For example, many applications come with auto-update functionality, where users download the updates without sufficient integrity verification. Another example, when the data is serialized into an environment that an attacker can view and crafts a malicious code in serialized object or request and sent it to the application and this code will be executed when it is deserialized. This leads to Insecure Deserialization.

Prevention Techniques: 

• Verify the application or data is digitally signed or using the same procedure for the remote data source and has not been tampered or altered.
• Secure CI/CD pipelines by checking that it has a proper configuration, access control and integrity of code processing through develop and deploy stages.
• Implement integrity check or digital signature during serialization of data in order to restrict insecure serialized data not transmit to untrusted users.
• Audit and review the code and its process, configuration changes before it is used in the production.
• Integrate VAPT (Vulnerability Assessment and Penetration Testing) procedure to application development to ensure high security level.
• Use application supply chain security tools, such as OWASP Dependency Check, OWASP CycloneDX to identify components that doesn’t contain known vulnerabilities.

A09:2021 – Security Logging and Monitoring Failures:

Description:

Security Logging and Monitoring Failures means that critical security incidents are not logged and logged events are not monitored or no proper monitoring system is in place. Due to this, it is very difficult to identify and detect vulnerabilities and breaches in the application.

This vulnerability can occur in the below scenarios:

• System/application events, such as logins, failed logins, and high-value transactions are not logged.
• Warnings and errors don’t generate sufficient logs to alert.
• Application and API logs are not monitored for suspicious activity.
• Applications are not intelligent enough to identify and alert the administrator when an attack happens.
• Logs are stored locally and not backed up. Attackers will try to delete the logs to hide their activities.
• Lack of skilled security analysts to analyze the logs.

Prevention Techniques:

• Make sure that all login, access control failures, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts, and stored for later Forensic Analysis.
• Make sure that logs are generated in a format that can be easily read by centralized log management solutions.
• High-valued transactions are logged, monitored and should have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.
• Establish a 24/7 team of skilled security analysts to monitor suspicious events and respond in a timely fashion.
• Implement an incident response team and prepare a recovery plan.
• There are a number of open source and commercial intrusion detection tools and frameworks that can help to automate the monitoring of your system.

A10:2021 – Server-Side Request Forgery: 

Description: 

Server-Side Request Forgery (SSRF) attacks generally occur when a web application fails to validate the user-submitted URLs while fetching a remote resource.

It allows the malicious attacker to make server issues mostly HTTP requests on its behalf, allowing them unauthorized access to internal and external services that enable them to send sensitive information, perform port scanning on the network, etc.

For example, the application sending GET/POST requests to the given webhook URL or an application revealing a preview of the URLs.

This vulnerability is so risky that is exploited even there is firewall protection or VPN or any other network access control list. 

SSRF attacks are increasing due to the complexity of architecture and high usage of cloud services where modern applications supplying users with suitable features, fetching a URL becomes a normal synopsis.

Prevention Techniques:

• All user-supplied input data should be properly validated and sanitized.
• Maintain whitelist and blacklist of URLs that are allowed or disallowed in the application.
• Implement ‘deny by default’ firewall policies or network access controls to block unwanted traffic to the application.
• Disallowed HTTP redirections and restricts sending raw responses to users.
• Enforce strict remote resource access by segmenting functionality access in separate networks.
• Avoid URL consistency which leads to attacks such as DNS rebinding or TOCTOU race conditions.
• Integrate network encryption such as VPNs on individual systems for frontend with dedicated and manageable user groups.