OWASP has released its draft Top 10 Web Application Security Risks 2021 list with a number of changes from the 2017 list. The list has been maintained by OWASP since its release in 2003 with updates every few years.

In new draft, the OWASP group has added three new categories: ‘Insecure Design’, ‘Software and Data Integrity Failures’, and a group for ‘Server-Side Request Forgery (SSRF)’ attacks.

2017’s ‘XML External Entities (XXE)’ section has been added to 2021’s Security Misconfiguration category, ‘Cross-Site Scripting (XSS)’ has been added to the ‘Injection’ section, and ‘Insecure Deserialization’ is now part of ‘Security Logging and Monitoring Failures’.

OWASP Top 10 for 2021:. Several Renamed

1.A01:2021-Broken Access Control: 34 CWEs. Access control vulnerabilities include privilege escalation, malicious URL modification, access control bypass, CORS misconfiguration, and tampering with primary keys.

2.A02:2021-Cryptographic Failures: 29 CWEs. This includes security failures when data is in transit or at rest, such as the implementation of weak cryptographic algorithms, poor or lax key generation, a failure to implement encryption or to verify certificates, and the transmission of data in cleartext.

3.A03:2021-Injection: 33 CWEs. Common injections impact SQL, NoSQL, OS command, and LDAP, and may be caused by sanitization failures, XSS vulnerabilities, and a lack of protection for file paths.

4.A04:2021-Insecure Design: 40 CWEs. Insecure design elements vary widely, but are generally described by OWASP as “missing or ineffective control design”. Areas of concern include a lack of protection for stored data, logic programming problems, and displaying content that reveals sensitive information.

5.A05:2021-Security Misconfiguration: 20 CWEs. Applications may be considered vulnerable if they lack security hardening, if there are unnecessary features such as a too-open hand when it comes to privileges if default accounts are kept active, and if security features are not configured correctly.

6.A06:2021-Vulnerable and Outdated Components: Three CWEs. This category focuses on client and server-side components, failures to maintain components, out-of-date support systems such as an OS, web servers, or libraries as well as component misconfiguration.

7.A07:2021-Identification and Authentication Failures: 22 CWEs. Security issues include improper authentication, session fixation, certificate mismatches, permitting weak credentials, and a lack of protection against brute-force attacks.

8.A08:2021-Software and Data Integrity Failures: 10 CWEs. Integrity is the focal point of this category, and any failure to do so properly such as the deserialization of untrusted data, or not checking code and updates when pulled from a remote source may be in scope.

9.A09:2021-Security Logging and Monitoring Failures: Four CWEs. Issues that can hamper the analysis of a data breach or other form of attack, including logging problems, failing to record security-relevant information feeds, or only logging data locally come under this category.

10.A10:2021-Server-Side Request Forgery: One CWE. SSRF vulnerabilities occur when a server does not validate user-submitted URLs when they fetch remote resources. OWASP says that the adoption of cloud services and increasingly complex architectures have ramped up the severity of SSRF attacks.