
OWASP

- OWASP stands for “Open Web Application Security Project”.
- It is a non-profit organization which provides guidance on how to develop, purchase, and maintain trustworthy and secure software.
- Its Top 10 list works as an awareness document.
- OWASP publishes a report every 3-4 years on the top 10 vulnerabilities and how to prevent attacks that exploit them.

TOP 10 VULNERABILITIES ACCORDING TO OWASP IN 2021

1. Broken Access Control

It refers to vulnerabilities related to improper enforcement of restrictions on what authenticated users are allowed to do within an application.
- Lack of user authentication
- Predictable resource location
- Insufficient access control checks

2. Cryptographic Failures
Cryptographic failures are critical security risks that can break the security of an application if cryptography is not properly implemented.
- Weak algorithms and key lengths
- Insecure key management
- Inadequate encryption during data storage and transmission

3. Injection
It refers to vulnerabilities that occur when untrusted data is sent to an interpreter as part of a query or command, leading to unexpected and malicious behavior.
- SQL injection
- Cross-site scripting
- XML injection
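The following is an added example, not part of the original notes, showing the Injection flaw described above on a constructed in-memory SQLite table: the same user lookup written once with string concatenation (vulnerable) and once with a parameterized query (the standard fix). The table, usernames and the crafted input are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original notes).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: untrusted input is spliced into the SQL text, so the
    interpreter cannot tell where the data ends and the command begins."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a parameterized query binds the input as a value, so any
    quotes or SQL keywords inside it can never change the query structure."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> tuple:
    """Run both lookups on the same input and return (unsafe_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_unsafe(conn, username), lookup_safe(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A classic tautology payload: the unsafe query degenerates to
    # "WHERE username = 'x' OR '1'='1'" and leaks every row, while the
    # parameterized query simply finds no user with that literal name.
    unsafe_rows, safe_rows = compare("x' OR '1'='1")
    print("unsafe:", unsafe_rows)
    print("safe:  ", safe_rows)
```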

4. Insecure Design
Refers to various security issues resulting from flaws or weaknesses in the overall design and architecture of a software application.
- Lack of defense in depth
- Inadequate authentication and authorization
- Lack of secure communication

5. Security Misconfiguration
Security misconfiguration occurs when an application, server, or framework is not securely configured.
- Excessive permissions
- Inadequate security settings
- Open ports and services

6. Vulnerable and Outdated Components

Many modern applications rely on third-party libraries, frameworks, and components. These components may contain security vulnerabilities that can be exploited by attackers.
- Delayed updates
- Lack of visibility
- Inclusion of vulnerable components

7. Identification and Authentication Failures
Refers to security vulnerabilities related to issues with user identification, authentication, and session management in web applications.
- Weak or predictable passwords
- Lack of multi-factor authentication (MFA)
- Credential stuffing

8. Software and Data Integrity Failures

Software and data integrity failures refer to security vulnerabilities that can lead to unauthorized modification, deletion, or corruption of software or data within an application.
- Poor data validation
- Insufficient access controls
- Lack of integrity checks

9. Security Logging and Monitoring Failures

Security logging and monitoring involve recording and analyzing relevant security events to detect and respond to potential security incidents in a timely manner; failures in this area leave attacks undetected.
- Failure to monitor logs in real time
- No alerting and response mechanisms
- Insufficient logging

10. Server-Side Request Forgery

A vulnerability that occurs when an attacker can manipulate a web application's functionality to make unauthorized requests to internal or external systems from the server side.
- Request manipulation
- Access to internal resources
- Indirect exploitation
